View Advanced Threat Prevention Report
Focus
Focus
Advanced Threat Prevention Powered by Precision AI™

View Advanced Threat Prevention Report

Table of Contents

View Advanced Threat Prevention Report

Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Strata Cloud Manager)
  • NGFW (Managed by PAN-OS or Panorama)
  • VM-Series
  • CN-Series
  • Advanced Threat Prevention (for enhanced feature support) or Threat Prevention License
The Advanced Threat Prevention Report is available though the Threat Vault API and provides detailed analysis and detection information, as well as information about the transaction, session, and other related processes. The report contain some or all of the information described in the following table based on the session information configured on the firewall that processed the file and the analysis details for the file in a JSON format.
NGFWs do not have direct access to reports through PAN-OS; instead, you must reference the cloud_reportid associated with the threat log and use the Threat Vault API to search and retrieve the report.
For Prisma Access (through the Strata Cloud Manager), the report is viewable from the log viewer (View Threat Logs). Log entries with a generated Advanced Threat Prevention report have a download link next to the report ID value under the Cloud ReportID column.
Report Heading
Description
General Information
Contains information about the firewall/security platform that processed the threat.
  • The cloud report ID number containing the Advanced Threat report data.
  • Error messages that might have been generated during creation of the report.
PAN-OS Information
Contains information about the firewall/security platform that processed the threat.
  • Firewall interface (IPv4/IPv6)
  • Content package version
  • Firewall Hostname
  • Firewall model
  • Serial Number
  • PAN-OS version
Session Information
Contains session information based on the traffic as it traversed the firewall/security platform that forwarded the threat.
The following options are available:
  • Source IP
  • Source Port
  • Destination IP
  • Destination Port
  • Session ID
  • Session Timestamp
  • Payload Type
Transaction Data
The transaction data provides an overview of the payload details and contains the detection service report(s).
The following options are available:
  • Transaction ID
  • SHA256 hash of the payload
Detection Service Results
When threat analysis is performed by the Advanced Threat Prevention cloud, this section contains entries showing the analysis results. This includes the detection service report(s), which additionally provides the MITRE ATT&CK® classified techniques employed, as well as the payload details.
Command and control detections for the Empire C2 framework show additional contextual information. This includes reports generated from both the staging and command (post exploitation) phase of an attack that occurs in separate sessions.
The following information entries are available:
  • Attack Description—describes the nature of the C2 attack.
  • Attack Details—indicates the phase of the Empire C2 attack as well as describe the exchanges between the server and client.
  • Attack Evidences—lists behavior and actions consistent with known Empire C2.
Empire-based C2 is detected using a sub-module detector contained within the Inline Cloud Analyzed HTTP Command and Control Traffic Detection analysis engine with a unique threat ID of 89958.