Get AutoFocus Session Info Enrichment Flow

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minute read
  • When the Security Operations Palo Alto Networks - Get AutoFocus Session Info Enrichment flow is executed, it queues a search query with AutoFocus to gather information about a specified source IP. If AutoFocus has knowledge of previous sessions originating from that IP address, a JSON-formatted report is returned.

    Before you begin

    Role required: sn_si.analyst

    About this task

    The Security Operations Palo Alto Networks - Get AutoFocus Session Info Enrichment flow is executed when the Source IP field in a security incident is modified and the record is updated. The flow fetches the IP address and submits a query request to AutoFocus. If AutoFocus has previously identified sessions originating from the IP address, a JSON-formatted report is returned.
    Figure 1. Security Operations Palo Alto Networks - Get Wildfire Data Enrichment Flow
    Get AutoFocus Session Flow

    Procedure

    1. Navigate to All > Security Incident > Show Open Incidents.
    2. Click the Indicators of Compromise tab and populate the Source IP field.
    3. Click Update.
      AutoFocus scans the information from the IP address and a text file in JSON format is attached to the security incident.

      Actions specific to this integration are described here. For more information on other actions, see Common Security Operations integration flows and orchestration activities.

    AutoFocus Search Session action

    The AutoFocus Search Session flow action uploads information from an IP address assigned to a security incident to AutoFocus and queues it for a search query.

    Input variables

    Note:

    When the action executes, it queues a search query with AutoFocus for gathering information for a specified source IP. If AutoFocus has previously identified sessions originating from that IP address, a JSON-formatted report is returned.

    Input variables determine the initial behavior of the action.

    Table 1. Input variables
    | Variable | Description |
    |---|---|
    | searchSessionQuery [string] | The search query for session information. |

    Fetch Search Results action

    The Fetch Search Results flow action fetches search results identified by a cookie to the search query initiated by the AutoFocus Search Session action.

    Input variables

    Input variables determine the initial behavior of the action.

    Table 2. Input variables
    | Variable | Description |
    |---|---|
    | afcookie [string] | The AutoFocus cookie for the search request generated by the AutoFocus Search Session action. |

    Output variables

    The output variables contain data that can be used in subsequent actions.

    Table 3. Output variables
    | Variable | Description |
    |---|---|
    | searchPending [Boolean] | True if the search request is still processing in AutoFocus. |
    | result [string] | The search results data. |
    | status [Boolean] | True if the search is completed and results have been successfully generated. |
    | error [string] | The error, if any, that occurred in the action. |
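
    The following added example (not part of the original documentation or the integration's own code) shows one way a script could consume the Fetch Search Results output variables listed above: poll with a bounded number of attempts, stop on error, and parse result only once status is true. The names waitForSessionReport, fetchAction, makeStubAction and pause are hypothetical, and the sample outputs and report body are constructed.

```javascript
// Added example. fetchAction is a hypothetical stand-in for the Fetch Search
// Results action: it takes { afcookie } and returns the output variables.
function waitForSessionReport(fetchAction, afcookie, maxAttempts, pause) {
  if (typeof afcookie !== 'string' || afcookie.length === 0) {
    throw new Error('afcookie is required');
  }
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const out = fetchAction({ afcookie: afcookie });
    if (out.error) {
      // Check error first so a failed action is never polled indefinitely.
      throw new Error('Fetch Search Results failed: ' + out.error);
    }
    if (out.searchPending) {
      pause(attempt); // caller decides how long to wait between polls
      continue;
    }
    if (out.status !== true) {
      throw new Error('search finished without results');
    }
    // result is a string; parse it before treating it as a JSON report.
    try {
      return { attempts: attempt, report: JSON.parse(out.result) };
    } catch (e) {
      throw new Error('result is not valid JSON');
    }
  }
  throw new Error('search still pending after ' + maxAttempts + ' attempts');
}

// Replays a fixed list of outputs; the last one repeats once the list runs out.
function makeStubAction(responses) {
  let i = 0;
  return function () { return responses[Math.min(i++, responses.length - 1)]; };
}

function demo() {
  // Constructed sample outputs: two pending polls, then a completed search.
  const stub = makeStubAction([
    { searchPending: true, status: false, result: '', error: '' },
    { searchPending: true, status: false, result: '', error: '' },
    { searchPending: false, status: true, error: '',
      result: '{"hits":[{"src_ip":"203.0.113.7"}]}' } // constructed report body
  ]);
  return waitForSessionReport(stub, 'constructed-cookie', 5, function () {});
}
```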