Partner Spotlight: Faster Threat Intelligence With Palo Alto Networks

December 7, 2016 • Glenn Wong

Assemble and deliver actionable threat intelligence from Palo Alto Networks and Recorded Future.

Editor’s Note

This is part of a series of blog posts on useful “all-source analysis” research and collaborative approaches using Recorded Future and our OMNI Intelligence Partners.


Recorded Future has completed an integration with the Palo Alto Networks AutoFocus threat intelligence service and MineMeld application to streamline the sharing and enforcement of threat intelligence. The integration enables mutual customers to ingest AutoFocus threat intelligence into Recorded Future Intel Cards, which can be used to help create and enforce new prevention-focused controls for Palo Alto Networks next-generation firewalls.

Now, security operations analysts can quickly gain full context of threat actors, their TTPs (tactics, techniques, and procedures), malware, and other IOCs (indicators of compromise) to intercept threats before they impact the business.


Enterprise networks are under constant attack. Adversaries use both automation and sophisticated techniques to attack your network, and security analysts need actionable threat intelligence with context to make fast and accurate security decisions.

Once a verdict has been reached, security analysts must also be able to take immediate action without the delays of manually managing block lists.


Security analysts can combine threat intelligence from Palo Alto Networks AutoFocus with Recorded Future Intel Cards to expand the context around incidents and malcode-derived threat intelligence. This combination adds global sources of threat intelligence completely outside defended networks in the open, deep, and dark web.

Once a threat is identified, organizations can automatically enforce new security controls for Palo Alto Networks next-generation firewalls with the MineMeld application.

Intel Card Extension
Hash Available

Additionally, Palo Alto Networks customers can use the Recorded Future browser extension to look up these IOCs directly in AutoFocus: IP address, domain, vulnerability, and hash.


There are many ways analysts can use threat intelligence from Recorded Future and Palo Alto Networks AutoFocus together. First, analysts can access instant web context on artifacts and sandbox results in AutoFocus with just a right-click to pull up a Recorded Future Intel Card on IP addresses, domains, hashes, and vulnerabilities.

Recorded Future’s browser extension makes it easy to look up additional context on IOCs identified in AutoFocus.


Recorded Future Intel Card for an IP address identified as part of an AutoFocus investigation.

Conversely, analysts using Recorded Future can access AutoFocus content directly from within a Hash Intel Card. In the example below, an analyst researching a suspicious hash using Recorded Future finds a “malicious” risk score based on references in VirusTotal; with a single click, additional data from AutoFocus can be appended to this context, including Unit 42’s assessment that this file hash is an example of the malware “Hancitor.”

Recorded Future Hash Intel Card including a lookup to Palo Alto’s AutoFocus.

Using the Palo Alto Networks MineMeld application, analysts can automate processes to block malicious IPs/domains/URLs with external dynamic lists, dynamic address groups, and content from a variety of sources including Recorded Future. This centralizes threat intelligence management and delivery, simplifies maintenance such as the automated timeout of expired indicators, and speeds your organization’s ability to counter emerging threats.

Prototype information and a simple connection graph utilizing Recorded Future’s IP risk list within MineMeld.


With the integration between Palo Alto Networks and Recorded Future, security analysts can:

  • Combine intelligence from AutoFocus with real-time threat intelligence from Recorded Future to build protection rules with more confidence.
  • Gain instant context around an IOC with easy-to-read Intel Cards, giving security operations all relevant information in a consolidated view.
  • Reach faster verdicts with evidence-based risk scores for indicators, enabling security operations teams to reach quick decisions.
  • Speed prevention of malicious IPs/domains/URLs on the Palo Alto Networks next-generation firewalls with the MineMeld application.

In short, the integration enables security teams to consolidate threat intelligence easily and deliver protection rules faster with more confidence.

To see the Palo Alto Networks and Recorded Future integration in action, read the joint solution brief or watch a demo with Marc Benoit and Luigi Mori of Palo Alto Networks as they preview the MineMeld application, including native integration with Recorded Future, at Ignite 2016.

You can also directly contact the Palo Alto Networks sales team.

Palo Alto Networks

Palo Alto Networks is the next-generation security company, leading a new era in cyber security by safely enabling applications and preventing cyber breaches for thousands of organizations worldwide. Their game-changing security platform delivers security far superior to legacy or point products, safely enables daily business operations, and protects an organization’s most valuable assets.