Get AutoFocus Session Info Enrichment Flow

Washington DC Security Management

Release

washingtondc

ft:locale

en-US

ft:publication_title

Washington DC Security Management

ft:clusterId

security

bundleId

security

workflow

Technology

Get AutoFocus Session Info Enrichment Flow

Release version: Washingtondc

Updated August 1, 2024

2 minutes to read

When the Security Operations Palo Alto Networks- Get AutoFocus Session Info Enrichment flow is executed, it queues a search query with AutoFocus for gathering information about a specified source IP. If AutoFocus has knowledge about previous sessions originating from that IP address, a JSON-formatted report is returned.

Before you begin

Role required: sn_si.analyst

About this task

The Security Operations Palo Alto Networks- Get AutoFocus Session Info Enrichment flow is executed when the Source IP field in a security incident is modified and the record is updated. The flow fetches the IP address and submits a query request to AutoFocus. If AutoFocus has previously identified sessions originating from the IP address, a JSON-formatted report is returned.

Get AutoFocus Session Flow — Figure 1. Security Operations Palo Alto Networks - Get Wildfire Data Enrichment Flow

Procedure

Navigate to All > Security Incident > Show Open Incidents.
Click the Indicators of Compromise tab and populate the Source IP field.
Click Update.
AutoFocus scans the information from the IP address and a text file in JSON format is attached to the security incident.
Actions specific to this integration are described here. For more information on other actions, see Common integration workflow activities.

AutoFocus Search Session action

The AutoFocus Search Session flow action uploads information from an IP address assigned to a security incident to AutoFocus and queues it for a search query.

Input variables

Note:

When the action executes, it queues a search query with AutoFocus for gathering information for a specified source IP. If AutoFocus has previously identified sessions originating from that IP address, a JSON-formatted report is returned.

Input variables determine the initial behavior of the action.

Table 1. Input variables
Variable	Description
searchSessionQuery [string]	The search query for session information.

Fetch Search Results action

The Fetch Search Results flow action fetches search results identified by a cookie to the search query initiated by the AutoFocus Search Session action.

Input variables

Input variables determine the initial behavior of the action.

Table 2. Input variables
Variable	Description
afcookie [string]	The AutoFocus cookie for the search request generated by the AutoFocus Search Session action.

Output variables

The output variables contain data that can be used in subsequent actions.

Table 3. Output variables
Variable	Description
searchPending [Boolean]	True if the search request is still processing in AutoFocus.
result [string]	The search results data.
status [Boolean]	True if the search is completed and results have been successfully generated.
error [string]	The error, if any, that occurred in the action.

Write content to record as attachment action

This action writes the content passed in from an input and creates a designated attachment to a given record.

The Write content to record as attachment action can be used with any flow to write content and attach it to a record.

Input variables

Input variables determine the initial behavior of the action.

Table 4. Input variables
Variable	Description
tablename [string]	The table name for the record. This input field is mandatory.
sysid [string]	The system identifier (sys_id) of a task record. This input field is mandatory.
payload	The plain text content to be written as an attachment. This input field is mandatory.
filename	The attachment file name.

Output variables

The output variables contain data that can be used in subsequent actions.

Table 5. Output variables
Variable	Description
result [string]	Indicates whether the update was successful.