06-18-2018 09:06 AM - edited 06-18-2018 09:08 AM
My understanding is that WildFire auto-updates some URL categories within 5 minutes if you have the correct licensing. With a current WildFire/URL filtering subscription, and without Traps on our network, what is the real advantage to AutoFocus? My understanding is that it lists malicious IPs/domains/URLs, but if you have WildFire updating, and domains listed through sinkhole, what is the real advantage of AutoFocus, as most of these should be listed already in your "malware"/DNS sinkhole from Palo, shouldn't they?
Also, does anyone know the update/withdraw timing on the indicators listed through some of these campaigns/tags within AutoFocus? I'm wondering if/when they get added to "withdraw" on the miners, as WildFire updates categories of URLs?
06-18-2018 09:28 AM
So are we talking strictly about what the advantage of MineMeld is (which is included in AutoFocus or standalone) or the advantage of having access to AutoFocus in general?
AutoFocus:
This is primarily (at least to me) a research tool that gives you insight into any threat that you see come across the network. Where WildFire may block or allow the connection and identify the basics of anything it identifies, AutoFocus is really meant to give you insight into what the attack is and helps you categorize which identified threats actually need to be looked into and which ones you can simply ignore.
MineMeld:
While MineMeld is certainly most widely used to aggregate different indicator lists that help one build something like a blacklist, it is also highly customizable and can be used to build a number of EDLs that can be used anywhere in the configuration. For example, I have a list of 'Possible Infection' and a list of 'Infected Machines' that build automatically that are used within the Security rulebase to block the Possible Infections indicators from accessing any Server resource; and the Infected Machines are simply cut off from the network altogether.
The MineMeld instance within AutoFocus simply allows you to build lists directly within AutoFocus instead of building them out with the API or manually. This makes tagging an endpoint as 'Possible Infection' or 'Infected Machine' vastly easier than running the standalone MineMeld instance.
Hopefully that helps, but I may have missed your actual question as well?
06-18-2018 11:24 AM
That is a pretty decent explanation for sure. So really, once WildFire has seen a threat elsewhere, you are pretty much covered, as it's auto-updating. Adding a list from indicators such as URLs is redundant then? I guess maybe the list of IPs/sinkholing domains comes in useful from AutoFocus research? In your case, you are taking the list of indicators/URLs/domains, and using them in a group that gets effectively shut off from your important servers? Interesting.
06-20-2018 11:15 AM
Right, once WildFire sees a threat somewhere then that file's hash is known by anything with the latest WildFire listings. Adding a list of indicators would be if you want to self-manage; for example, if you wanted to block addresses that were scanning your network, it would also work for links in spam that you get if they aren't already classified as malicious in URL Filtering results.
I have a bunch of EDLs that get fed from MineMeld that do anything from blocking hosts from getting to my public server, blocking possibly infected internal clients access to our servers, blocking infected clients from getting to anything, and a list of other things.
06-20-2018 03:03 PM
Thank you!
How do you dynamically populate your miners with IPs? I see the DAG pusher node, but I only see the manual entry of indicators into that node. If you don't mind me asking, how are you dynamically populating those groups?
06-21-2018 10:21 AM
You can do it through Syslog or by enabling triggers depending on your antivirus solution that feeds this information into a .lst used to feed in the indicators via the API. Almost everything I do is through the API and using another product to build the .lst.
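One way to build the .lst files the last reply describes, as an added example that is not code from the thread or from MineMeld: it turns antivirus syslog events into one-indicator-per-line lists for the 'Infected Machines' and 'Possible Infection' EDLs mentioned earlier. The syslog layout, the `src=`/`action=` fields, the action values, the list names and the protected subnet are all constructed assumptions, and the upload to MineMeld is left out.

```python
import ipaddress
import re

# Constructed sample: the thread does not show its syslog format, so these
# antivirus-style lines and their field names (src=, action=) are assumptions.
SAMPLE_SYSLOG = """\
<134>Jun 21 10:02:11 av01 avd: threat=Trojan.Gen src=10.20.30.41 action=quarantine-failed
<134>Jun 21 10:02:15 av01 avd: threat=Trojan.Gen src=10.20.30.41 action=blocked
<134>Jun 21 10:03:40 av01 avd: threat=PUA.Toolbar src=10.20.30.77 action=cleaned
<134>Jun 21 10:04:02 av01 avd: threat=Worm.X src=10.20.1.5 action=quarantine-failed
<134>Jun 21 10:05:19 av01 avd: threat=Worm.X src=999.1.1.1 action=quarantine-failed
<134>Jun 21 10:06:00 av01 avd: threat=Miner.Y src=10.20.31.9 action=blocked
"""

# Hypothetical server subnet: a spoofed or noisy event must never block it.
NEVER_BLOCK = [ipaddress.ip_network("10.20.1.0/24")]
# Hypothetical mapping from AV action to list name; other actions are ignored.
ACTION_TO_LIST = {"quarantine-failed": "infected_machines",
                  "blocked": "possible_infection"}
FIELD_RE = re.compile(r"\bsrc=(?P<src>\S+)\s+action=(?P<action>\S+)")

def build_lists(syslog_text):
    """Return ({list_name: [ip, ...]}, [(value, reason), ...] for skipped hosts)."""
    lists = {name: set() for name in ACTION_TO_LIST.values()}
    skipped = []
    for line in syslog_text.splitlines():
        m = FIELD_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["src"])
        except ValueError:
            skipped.append((m["src"], "not an IP address"))
            continue
        if any(ip in net for net in NEVER_BLOCK):
            skipped.append((str(ip), "protected range"))
            continue
        target = ACTION_TO_LIST.get(m["action"])
        if target:
            lists[target].add(ip)
    # A host on the stricter list should not also sit on the weaker one.
    lists["possible_infection"] -= lists["infected_machines"]
    order = lambda a: (a.version, int(a))
    return {k: [str(i) for i in sorted(v, key=order)] for k, v in lists.items()}, skipped

def to_lst(indicators):
    """Render one indicator per line, the usual plain-text list layout."""
    return "".join(f"{i}\n" for i in indicators)
```

Reviewing the skipped entries matters as much as the lists themselves, since an unparseable or protected source address in an alert is worth a look before anything is pushed to a firewall.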