Analyze, Investigate and Instantly Respond to Critical Threats with DFLabs and Palo Alto AutoFocus

Back to all articles

critical threats

The influx of network and security tools which have flooded the market over the last few years has offered a solution to some of our IT and security woes, but has also created a type of isolation between toolsets and the information gathered from them. Of these tools, data rich threat intelligence feeds have become commonplace for adoption in every organization. However, threat intelligence feeds also have a limitation of its own.

The Problem

The highest reported dissatisfaction of threat intelligence services is their lack of context. Without context, organizations and their security staff become even more inundated with information which can lead to missed indicators of compromise and an inability to operationalize the intelligence gained. Without the ability to operationalize the data received, everything from prioritization to staffing will become affected.

Within a typical security operations center (SOC) environment, where this information and intelligence can play an integral role in the triage and investigation process, security managers are trying to overcome these common problems.

  • How can we better utilize our network and security toolsets to perform our jobs more quickly and efficiently?

  • How can we get the most out of our threat intelligence services?

  • How can we further operationalize our threat intelligence data?

DFLabs and Palo Alto AutoFocus Solution

The DFLabs and Palo Alto AutoFocus solution allows organizations to get the most out of their threat intelligence services by utilizing DFLabs IncMan SOAR solution to quickly automate decisions based off findings from Palo Alto AutoFocus’ contextualized incident data. This automated decision making enables security teams to quickly operationalize the data received by incorporating their full security stack through the use of security orchestration.

By automating the decision-making process and utilizing the incident data received through enrichment practices to drive remediation steps, the DFLabs and Palo Alto integration provides security professionals with the tools necessary to not only quickly and efficiently perform their job duties, but to also prevent an intrusion from becoming an ongoing persistent threat.

About Palo Alto AutoFocus

Palo Alto Networks AutoFocus contextual threat intelligence service makes threat analytics, with full context, available to every security organization, not just those with specialized security staff. This hosted security service arms security operations professionals with the high-fidelity intelligence, correlation, context and automated prevention workflows needed to identify and respond to events in real time.

AutoFocus extends the Palo Alto Networks Security Operating Platform with local, industry and global threat intelligence with attack context to accelerate analysis, forensics and prevention workflows. Together, the platform and AutoFocus allow security teams to move away from legacy approaches that rely on aggregating detection-focused alerts and post-event mitigation. Now, the majority of attacks will be automatically prevented, with proactive threat analytics and hunting enabled through AutoFocus.

Use Case in Action

Now, let’s look at a simple use case in action.

A user forwards a suspicious email to the SOC for investigation. The SOC receives the email and the User Reported Suspicious Email R3 Rapid Response Runbook is executed within IncMan SOAR. Once executed the Runbook begins by splitting its tasks into two separate paths which examine both the sender and the received attachment.

The R3 Rapid Response Runbook gathers information on the email’s sender, extracts the attachment, and detonates it in their EDR solution’s sandbox. Once detonated, the resulting data gathered is passed through Palo Alto AutoFocus to determine if either piece of evidence have previously been observed by Palo Alto’s threat intelligence services.

If either piece of evidence has been observed, the Runbook will automatically query the organization’s SIEM and email service for historical data to ensure no other user or host had interacted with the malicious actor in the past. If additional assets were involved, the R3 Rapid Response Runbook will take containment actions to block either the file hash, sender, or both and check to see if the incident has already been elevated to a higher priority incident. If the incident has not been elevated, IncMan will elevate the priority and create a new ticket in the organization’s ticketing system for manual follow-up and eradication.

If during the initial information gathering on the suspected file and its sender finds that it is not believed to be malicious, a validation check is issued to ensure that two separate threat intelligence platforms are queried and both have found it to be benign before closing the incident and exiting the Runbook. However, if the revalidation check finds that either piece of evidence is believed to be malicious, the R3 Rapid Response Runbook will follow the above-mentioned remediation path to ensure all evidence is gathered before human interaction is needed.


With the vast number of toolsets being provided to today’s cybersecurity workforce, it can be overwhelming to manage and utilize them all effectively. Of these tools, threat intelligence feeds have become the most highly sought after. Unfortunately, threat intelligence feeds are not immune to these shortcomings and can also affect a security team’s ability to quickly and effectively perform the job duties necessary to keep our organizations and assets safe.

The integration between DFLabs’ IncMan SOAR platform and Palo Alto AutoFocus helps solve this issue by providing security professionals with the ability to not only manage their intelligence feeds, but also fully operationalize them. Through the use of automation and orchestration, the contextualized data received from Palo Alto AutoFocus can be applied to conditional statements often evaluated by security analysts to make automated decisions in a matter of seconds, to prevent a possible intrusion from turning into a full breach.

Get Started with a One-to-One Personalized Demo

Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.

See IncMan SOAR in Action.

Request a demo