AutoFocus Prototypes

Question 1

Describe the Samples Miner

Answer 1

The samples miner extracts Threat Indicators from samples that meet the conditions of an AutoFocus search.

(
The samples miner extracts Threat Indicators from samples that meet the conditions of an AutoFocus search. You must set the search conditions when you create this miner node.
The samples miner does not extract all sample artifacts; it only extracts statistically important artifacts that AutoFocus has determined to be indicators based on their tendency to be seen with malware.)

Question 2

What are some Default Behaviors of the Samples Miner

Answer 2

Accepts all Indicators

Initially extracts indicators from samples that meet the criteria of a the search based on the last 24 hours

Each time this miner extracts indicators, it only extracts indicators from the first 10,000 samples

Only forwards indicators that it has not seen previously

Ages out indicators 24 hours after the last time they were seen in the sample search result

Question 3

Describe the Artifacts Miner

Answer 3

The artifacts miner extracts indicators from external sources that are currently stored in the AutoFocus Indicator Store

(You must connect this miner to a processor and output node to forward the indicators to a destination outside of AutoFocus, such as a Palo Alto Networks firewall or other SIEM platforms.)

Question 4

What are some Default Behaviors of the Artifacts Miner

Answer 4

accepts all indicator types

initially extracts indicators that were added to the indicator store in the last 24 hours

after the initial poll for indicators, extracts indicators from the store every hour

only forwards indicators that it has not seen previously

Ages out indicators 30 days after the last time they were added or updated in the indicator store, or as soon as an indicator is marked as expired in the store.