AutoFocus Prototypes Flashcards
Describe the Samples Miner
The samples miner extracts Threat Indicators from samples that meet the conditions of an AutoFocus search.
(You must set the search conditions when you create this miner node.
The samples miner does not extract all sample artifacts; it extracts only the statistically significant artifacts that AutoFocus has determined to be indicators, based on their tendency to be seen with malware.)
What are some Default Behaviors of the Samples Miner
Accepts all indicator types
Initially extracts indicators from samples that meet the search criteria, looking back over the last 24 hours
Each time this miner extracts indicators, it extracts them from only the first 10,000 samples returned by the search
Only forwards indicators that it has not seen previously
Ages out indicators 24 hours after the last time they were seen in the sample search results
Describe the Artifacts Miner
The artifacts miner extracts indicators from external sources that are currently stored in the AutoFocus Indicator Store
(You must connect this miner to a processor node and an output node to forward the indicators to a destination outside AutoFocus, such as a Palo Alto Networks firewall or a SIEM platform.)
What are some Default Behaviors of the Artifacts Miner
Accepts all indicator types
Initially extracts indicators that were added to the indicator store in the last 24 hours
After the initial poll for indicators, extracts indicators from the store every hour
Only forwards indicators that it has not seen previously
Ages out indicators 30 days after the last time they were added or updated in the indicator store, or as soon as an indicator is marked as expired in the store
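The two default-behavior lists above (samples miner: 24-hour age-out; artifacts miner: 30-day age-out plus immediate withdrawal on store expiry) describe the same indicator lifecycle with different parameters: forward an indicator the first time it is seen, refresh its timestamp on every poll that returns it, withdraw it once it has not been seen for the TTL or the store flags it expired, and forward it again if it later reappears. The following is an added illustrative model of that lifecycle, not MineMeld or AutoFocus code; the class, method names and the sample indicators (RFC 5737 documentation addresses and .example domains) are all constructed for this example, and the 10,000-sample cap is not modelled.

```python
"""Model of the miner indicator lifecycle described in the flashcards above.

This is an illustrative simulation written for this page, not MineMeld or
AutoFocus code. Timestamps and indicators below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class MinerState:
    """Tracks which indicators the miner currently holds and when each was last seen."""
    ttl: timedelta                                   # age-out window (24h samples, 30d artifacts)
    last_seen: dict = field(default_factory=dict)    # indicator -> datetime of last sighting

    def poll(self, now, observed, expired=frozenset()):
        """Process one poll of the upstream source.

        observed: indicators returned by this poll (search results / store contents)
        expired:  indicators the store has explicitly marked expired (artifacts miner)
        Returns (forwarded, withdrawn): indicators newly pushed downstream and
        indicators withdrawn from downstream on this poll.
        """
        forwarded = []
        for ind in sorted(observed):
            if ind in expired:
                continue                              # expired entries are never (re)forwarded
            if ind not in self.last_seen:
                forwarded.append(ind)                 # first sighting -> forward
            self.last_seen[ind] = now                 # any sighting refreshes the age-out clock

        withdrawn = []
        for ind, seen in list(self.last_seen.items()):
            if ind in expired or now - seen >= self.ttl:
                withdrawn.append(ind)                 # aged out, or expired in the store
                del self.last_seen[ind]               # forgetting it lets a reappearance be forwarded again
        return forwarded, withdrawn


def samples_miner_scenario():
    """Samples miner defaults: 24h TTL; an indicator that drops out of the search
    results is withdrawn 24h after its last sighting and re-forwarded if it returns."""
    miner = MinerState(ttl=timedelta(hours=24))
    t0 = datetime(2024, 1, 1, 0, 0)
    ip, dom = "192.0.2.10", "evil.example"            # constructed sample indicators
    return [
        miner.poll(t0, {ip, dom}),                          # both new -> both forwarded
        miner.poll(t0 + timedelta(hours=1), {ip, dom}),     # already seen -> nothing forwarded
        miner.poll(t0 + timedelta(hours=2), {dom}),         # ip absent, but only 1h since last seen
        miner.poll(t0 + timedelta(hours=26), {dom}),        # ip last seen 25h ago -> withdrawn
        miner.poll(t0 + timedelta(hours=27), {ip, dom}),    # ip reappears -> forwarded again
    ]


def artifacts_miner_scenario():
    """Artifacts miner defaults: 30d TTL, plus immediate withdrawal when the
    indicator store marks an indicator expired."""
    miner = MinerState(ttl=timedelta(days=30))
    t0 = datetime(2024, 1, 1, 0, 0)
    ip, dom = "198.51.100.7", "bad.example"           # constructed sample indicators
    return [
        miner.poll(t0, {ip, dom}),                                          # both new -> forwarded
        miner.poll(t0 + timedelta(hours=1), {dom}, expired={ip}),           # store expired ip -> withdrawn now
        miner.poll(t0 + timedelta(days=31), set()),                         # dom untouched for 31d -> aged out
    ]


if __name__ == "__main__":
    for name, log in (("samples", samples_miner_scenario()),
                      ("artifacts", artifacts_miner_scenario())):
        for i, (fwd, wd) in enumerate(log, 1):
            print(f"{name} poll {i}: forwarded={fwd} withdrawn={wd}")
```

The practical point the model makes visible is that age-out is measured from the last sighting, not from first sighting: an indicator that keeps appearing in the search results or keeps being updated in the store never ages out, and once withdrawn it counts as "not seen previously" again, so a reappearing indicator is forwarded a second time rather than silently dropped.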