Get AutoFocus Session Info Enrichment workflow

When the Security Operations Palo Alto Networks - Get AutoFocus Session Info Enrichment workflow is executed, it queues a search query with AutoFocus to gather information about a specified source IP address. If AutoFocus has knowledge of previous sessions originating from that IP address, a JSON-formatted report is returned.

Before you begin

Role required: sn_si.analyst

About this task

The Security Operations Palo Alto Networks - Get AutoFocus Session Info Enrichment workflow is executed when the Source IP field in a security incident is modified and the record is updated. The workflow fetches the IP address and submits a query request to AutoFocus. If AutoFocus has previously identified sessions originating from the IP address, a JSON-formatted report is returned.
Figure 1. Security Operations Palo Alto Networks - Get Wildfire Data Enrichment workflow
AutoFocus workflow

Procedure

  1. Navigate to Security Incident > Show Open Incidents.
  2. Click the Indicators of Compromise tab and populate the Source IP field.
  3. Click Update.
    AutoFocus scans the information from the IP address and a text file in JSON format is attached to the security incident.