>
    View Advanced Threat Prevention Report
    Focus
    Download PDF
    Focus
    1. Home
    2. Advanced Threat Prevention
    3. Monitor Advanced Threat Prevention
    4. View Advanced Threat Prevention Report
    Download PDF
    Advanced Threat Prevention

    View Advanced Threat Prevention Report

    Table of Contents

    View Advanced Threat Prevention Report

    Where Can I Use This?
    What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    • NGFW (Cloud Managed)
    • NGFW (PAN-OS or Panorama Managed)
    • VM-Series
    • CN-Series
    • Advanced Threat Prevention or Threat Prevention License
    The Advanced Threat Prevention Report is available though the Threat Vault API and provides detailed analysis and detection information, as well as information about the transaction, session, and other related processes. The report contain some or all of the information described in the following table based on the session information configured on the firewall that processed the file and the analysis details for the file in a JSON format.
    NGFWs do not have direct access to reports through PAN-OS; instead, you must reference the cloud_reportid associated with the threat log and use the Threat Vault API to search and retrieve the report.
    For
    Prisma Access
     (through the Strata Cloud Manager), the report is viewable from the log viewer (View Threat Logs). Log entries with a generated Advanced Threat Prevention report have a download link next to the report ID value under the
    Cloud ReportID
     column.
    Report Heading
    Description
    General Information
    Contains information about the firewall/security platform that processed the threat.
    • The cloud report ID number containing the Advanced Threat report data.
    • Error messages that might have been generated during creation of the report.
    PAN-OS Information
    Contains information about the firewall/security platform that processed the threat.
    • Firewall interface (IPv4/IPv6)
    • Content package version
    • Firewall Hostname
    • Firewall model
    • Serial Number
    • PAN-OS version
    Session Information
    Contains session information based on the traffic as it traversed the firewall/security platform that forwarded the threat.
    The following options are available:
    • Source IP
    • Source Port
    • Destination IP
    • Destination Port
    • Session ID
    • Session Timestamp
    • Payload Type
    Transaction Data
    The transaction data provides an overview of the payload details and contains the detection service report(s).
    The following options are available:
    • Transaction ID
    • SHA256 hash of the payload
    Detection Service Results
    When threat analysis is performed by the Advanced Threat Prevention cloud, this section contains entries showing the analysis results. This includes the detection service report(s), which additionally provides the MITRE ATT&CK® classified techniques employed, as well as the payload details.
    Command and control detections for the Empire C2 framework show additional contextual information. This includes reports generated from both the staging and command (post exploitation) phase of an attack that occurs in separate sessions.
    The following information entries are available:
    • Attack Description—describes the nature of the C2 attack.
    • Attack Details—indicates the phase of the Empire C2 attack as well as describe the exchanges between the server and client.
    • Attack Evidences—lists behavior and actions consistent with known Empire C2.
    Empire-based C2 is detected using a sub-module detector contained within the
    Inline Cloud Analyzed HTTP Command and Control Traffic Detection
     analysis engine with a unique threat ID of 89958.

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.