* [Blog](https://origin-researchcenter.paloaltonetworks.com/blog)
* [Palo Alto Networks](https://origin-researchcenter.paloaltonetworks.com/blog/corporate/)
* [Cybersecurity](https://origin-researchcenter.paloaltonetworks.com/blog/category/cybersecurity-2/)
* AutoFocus: Actionable Thr...

# AutoFocus: Actionable Threat Intelligence Leads to Shorter Response Times

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2F2016%2F10%2Fautofocus-actionable-threat-intelligence-leads-shorter-response-times%2F)  
[](https://twitter.com/share?text=AutoFocus%3A+Actionable+Threat+Intelligence+Leads+to+Shorter+Response+Times&url=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2F2016%2F10%2Fautofocus-actionable-threat-intelligence-leads-shorter-response-times%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2F2016%2F10%2Fautofocus-actionable-threat-intelligence-leads-shorter-response-times%2F&title=AutoFocus%3A+Actionable+Threat+Intelligence+Leads+to+Shorter+Response+Times&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://origin-researchcenter.paloaltonetworks.com/blog/2016/10/autofocus-actionable-threat-intelligence-leads-shorter-response-times/&ts=markdown)  
\[\](mailto:?subject=AutoFocus: Actionable Threat Intelligence Leads to Shorter Response Times)  
Link copied  
By [Stephen Perciballi](https://www.paloaltonetworks.com/blog/author/stephen-perciballi/?ts=markdown "Posts by Stephen Perciballi")  
Oct 18, 2016  
2 minutes  
[Cybersecurity](https://www.paloaltonetworks.com/blog/category/cybersecurity-2/?ts=markdown)  
[AutoFocus](https://www.paloaltonetworks.com/blog/tag/autofocus/?ts=markdown)  
[threat intelligence](https://www.paloaltonetworks.com/blog/tag/threat-intelligence/?ts=markdown)

Following up on my initial post, [AutoFocus: Your Answer to Actionable Threat Intelligence](https://www.paloaltonetworks.com/blog/2016/08/autofocus-your-answer-to-actionable-threat-intelligence/), this second post in the series provides another daily use case.

### Searching From Firewalls

Something that happens from time to time is administrators will see remnants of malware coming from hosts inside the network but not the actual malware itself. This is a prime example of when administration teams should use actionable threat intelligence so they can arm themselves with information about what and whom they are up against, leading to shorter response times to an attack.

In this example we can see that there are beacon detections identified by the user "janet.fink." In the ACC she is identified as having a compromised host. The beacon detection correlation object indicates that we are seeing known command-and-control traffic coming from this host; however, we did not see any of the associated malware. The probable cause is that the user had her device outside of the corporate network, was infected with something, and then brought it back into the network. This makes a good case for always-on VPN for corporate devices.

[](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/10/Actionable_1.png)  
[![actionable\_1](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/10/Actionable_1.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/10/Actionable_1.png)

Drilling down into the correlation object and navigating to the source logs, we can see that Janet's computer visited a known malicious domain over 100 times.

From here we can hover over any of these relevant attributes and query AutoFocus remotely.

[](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/10/Actionable2.png)  
[![actionable2](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/10/Actionable2.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/10/Actionable2.png)

When AutoFocus is queried, a new results window opens. From here we can:

* Click the link to bring us directly to these results in AutoFocus to continue pivoting on the data.
* See that there is passive DNS information on this URL. The URL Janet visited does not actually match the previously identified URLs for this IP address, indicating that the attacker is maintaining the infrastructure and changing domains.
* See that the name of the malware family is Allaple. We are provided a description of the tag by Unit 42.
* See how many samples were identified in our network (0) and how many are globally viewable in AutoFocus (1).

[](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/10/Actionable3.png)  
[![actionable3](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/10/Actionable3.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/10/Actionable3.png)

This validates our initial suspicion that the user was likely infected outside of the network; otherwise, we would have data in WildFire to examine. Instead we are relying on the WildFire data from other organizations to determine from which malware this artifact comes.

Learn more about how [AutoFocus threat intelligence service](https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/autofocus) can help you accelerate analysis, threat hunting, and response workflows.

*** ** * ** ***

## Related Blogs

### [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown), [Secure the Future](https://www.paloaltonetworks.com/blog/category/secure-the-future/?ts=markdown)

[#### Bringing High-Fidelity Threat Intelligence to Prisma Cloud](https://origin-researchcenter.paloaltonetworks.com/blog/2020/07/cloud-autofocus-prisma-integration/)

### [Cybersecurity](https://www.paloaltonetworks.com/blog/category/cybersecurity-2/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown), [Secure the Enterprise](https://www.paloaltonetworks.com/blog/category/secure-the-enterprise/?ts=markdown)

[#### When Scripts Attack, WildFire Protects](https://origin-researchcenter.paloaltonetworks.com/blog/2019/01/scripts-attack-wildfire-protects/)

### [Cybersecurity](https://www.paloaltonetworks.com/blog/category/cybersecurity-2/?ts=markdown), [Threat Prevention](https://www.paloaltonetworks.com/blog/category/threat-prevention-2/?ts=markdown)

[#### Why You Need Actionable Threat Intelligence](https://origin-researchcenter.paloaltonetworks.com/blog/2017/05/need-actionable-threat-intelligence/)

### [Technical Documentation](https://www.paloaltonetworks.com/blog/category/technical-documentation/?ts=markdown)

[#### Tech Docs: Collect and Refine Threat Intelligence with MineMeld](https://origin-researchcenter.paloaltonetworks.com/blog/2017/01/tech-docs-collect-refine-threat-intelligence-minemeld/)

### [AI and Cybersecurity](https://www.paloaltonetworks.com/blog/security-operations/category/ai-and-cybersecurity/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown)

[#### The Data Digestion Revolution: Why Cortex XDL is the Foundation of Modern Security](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/the-data-digestion-revolution-why-cortex-xdl-is-the-foundation-of-modern-security/)

### [AI Governance](https://www.paloaltonetworks.com/blog/category/ai-governance/?ts=markdown), [AI Security](https://www.paloaltonetworks.com/blog/category/ai-security/?ts=markdown), [Cybersecurity](https://www.paloaltonetworks.com/blog/category/cybersecurity-2/?ts=markdown), [Partners](https://www.paloaltonetworks.com/blog/category/partners/?ts=markdown)

[#### AI, Quantum Computing and Other Emerging Risks](https://origin-researchcenter.paloaltonetworks.com/blog/2025/10/ai-quantum-computing-emerging-risks/)

### Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://origin-researchcenter.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language