Advanced Threat Prevention
View Threat Logs
Threat categories classify threat signatures into finer-grained groups so that you can understand, and draw connections between, the events those signatures detect. Threat categories are subsets of the broader threat signature types: spyware, vulnerability, and antivirus. Each threat log entry displays the Threat Category of the recorded event.

You can browse, search, and view the Advanced Threat Prevention logs that are generated automatically when a threat is detected. Typically this includes every qualifying signature match that a Threat Prevention feature, including Inline ML, analyzes, unless the signature is specifically configured with a log severity level of none. Log entries provide numerous details about the event, including the threat level and, where applicable, the nature of the threat.
Cloud Management
- Use the credentials associated with your Palo Alto Networks support account to log in to Strata Cloud Manager on the hub. For more information on using the Activity dashboards, refer to the Log Viewer.
- Filter threat logs based on the Threat Category or Subtype in Prisma Access.
  - Select Incidents & Alerts > Log Viewer.
  - Change the log type to be searched to Threat.
  - Create a search filter using the query builder, either on one of the threat signature subtypes handled by the Antivirus, Anti-Spyware, and Vulnerability Protection profiles (antivirus, spyware, and vulnerability, respectively) or on the threat category. For example, sub_type.value = 'spyware' returns logs for threats determined to be spyware; to search for another subtype, replace spyware with vulnerability or antivirus. To search on a specific Threat Category, such as an info-leak vulnerability, use threat_category.value = 'info-leak'. For the list of valid categories, refer to Threat Signature Categories. Adjust the search criteria as necessary, adding query parameters such as severity level and action, along with a date range.
  - Run the query after you have assembled your filters.
  - Select a log entry from the results to view the log details.
  - The threat Category is displayed in the Details pane of the detailed log view. Other relevant details about the threat are displayed in their corresponding panes.
- Filter Threat logs by threat categories detected using inline cloud analysis (spyware). HTTP-based C2 traffic that was originally categorized under the single threat name Inline Cloud Analyzed HTTP Command and Control Traffic Detection, which covered multiple Threat IDs, is now split into three threat names that correspond to the individual Threat IDs and describe the detections made by Advanced Threat Prevention more accurately: Evasive HTTP C2 Traffic Detection (Threat ID 89950), Evasive Cobalt Strike C2 Traffic Detection (Threat IDs 89955, 89956, and 89957), and Evasive Empire C2 Traffic Detection (Threat ID 89958). HTTP-based C2 traffic logs generated before December 11, 2023 keep the threat name Inline Cloud Analyzed HTTP Command and Control Traffic Detection, so filter on the threat category or Threat ID rather than the threat name when a search must cover both periods.
  - Select Incidents & Alerts > Log Viewer.
  - Change the log type to be searched to Threat.
  - Create a search filter using the threat category that is used exclusively by Inline Cloud Analysis (spyware): threat_category.value = 'inline-cloud-c2'. You can further constrain the search with the Threat ID value that corresponds to a specific C2 type, for example threat_category.value = 'inline-cloud-c2' AND Threat ID = 89958, where 89958 is the Threat ID of evasive Empire C2 traffic.
  - Select a log entry to view the details of a detected C2 threat.
  - The threat Category is displayed in the General pane of the log details. C2 threats detected using inline cloud analysis have the threat category inline-cloud-c2. Cross-reference the Threat ID value in the Details pane to determine the specific type of C2 that was detected.
- Filter Threat logs by threat categories detected using inline cloud analysis (vulnerability).
  - Select Incidents & Alerts > Log Viewer.
  - Change the log type to be searched to Threat.
  - Create a search filter using the threat category that is used exclusively by Inline Cloud Analysis (vulnerability): threat_category.value = 'inline-cloud-exploit'.
  - Select a log entry to view the details of the detected command injection or SQL injection exploit. Inline exploit (SQL injection) threats have Threat ID 99950; inline exploit (command injection) threats have Threat ID 99951.
PAN-OS & Panorama
- Filter Threat logs by threat category.
  - Select Monitor > Logs > Threat.
  - Add the Threat Category column, if it is not present, so you can view the Threat Category for each log entry.
  - To filter based on Threat Category:
    - Use the log query builder to add a filter with the Attribute set to Threat Category and enter a Threat Category in the Value field.
    - Alternatively, select the Threat Category of any log entry to add that category to the filter.
- Filter Threat logs by threat signature type.
  - Select Monitor > Logs > Threat.
  - Add the Type column, if it is not present, so you can view the threat signature type for each log entry.
  - To filter based on the signature type:
    - Use the log query builder to add a filter with the Attribute set to the threat signature type and enter a type in the Value field. You can select vulnerability, virus, or spyware, which correspond to the signatures handled by your Vulnerability Protection, Antivirus, and Anti-Spyware security profiles, respectively.
    - Alternatively, select the Type of any log entry to add that threat signature type to the filter, or build the query manually using the filter and the threat signature type.
- Filter Threat logs by threat categories detected using inline cloud analysis (spyware). HTTP-based C2 traffic that was originally categorized under the single threat name Inline Cloud Analyzed HTTP Command and Control Traffic Detection, which covered multiple Threat IDs, is now split into three threat names that correspond to the individual Threat IDs and describe the detections made by Advanced Threat Prevention more accurately: Evasive HTTP C2 Traffic Detection (Threat ID 89950), Evasive Cobalt Strike C2 Traffic Detection (Threat IDs 89955, 89956, and 89957), and Evasive Empire C2 Traffic Detection (Threat ID 89958). If you do not install the content update, or if you are reviewing HTTP-based C2 traffic logs generated before December 11, 2023 (the release date of that content update), all HTTP-based C2 traffic continues to be categorized under the threat name Inline Cloud Analyzed HTTP Command and Control Traffic Detection. Filtering on the threat category or Threat ID, rather than the threat name, covers both cases.
  - Select Monitor > Logs > Threat and filter by ( category-of-threatid eq inline-cloud-c2 ) to view logs for C2 threats analyzed by the inline cloud analysis mechanism of Advanced Threat Prevention. You can further constrain the search with the Threat ID value that corresponds to a specific C2 type, for example ( category-of-threatid eq inline-cloud-c2 ) and ( name-of-threatid eq 89958 ), where 89958 is the Threat ID of evasive Empire C2 traffic.
  - Select a log entry to view the details of a detected C2 threat.
  - The threat Category is displayed in the Details pane of the detailed log view. C2 threats detected using inline cloud analysis have the threat category inline-cloud-c2. Cross-reference the Threat ID value to determine the specific type of C2 that was detected.
- Monitor activity on the firewall for vulnerability exploits detected using inline cloud analysis (vulnerability).
  - Select Monitor > Logs > Threat and filter by ( category-of-threatid eq inline-cloud-exploit ) to view logs analyzed by the inline cloud analysis mechanism of Advanced Threat Prevention. Inline exploit (SQL injection) threats have Threat ID 99950; inline exploit (command injection) threats have Threat ID 99951. To isolate one of them, add its ID to the filter in the same way as for C2 threats, for example ( category-of-threatid eq inline-cloud-exploit ) and ( name-of-threatid eq 99950 ).
  - Select a log entry to view the details of a vulnerability exploit.
  - The threat Category is displayed in the Details pane of the detailed log view. Vulnerability exploits detected using inline cloud analysis have the threat category inline-cloud-exploit.
- Filter ACC activity by threat category.
  - Select ACC and add Threat Category as a global filter.
  - Select the Threat Category to filter all ACC tabs.
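The Cloud Management and PAN-OS procedures above both come down to the same two decisions: build a filter on the threat category (optionally narrowed by Threat ID), and resolve the Threat ID to a threat name rather than trusting the name stored in the log, because the HTTP C2 names changed on December 11, 2023. The following Python is an added example, not Palo Alto Networks code or a supported tool. It reproduces the two query syntaxes the page quotes, assembles the query string for a PAN-OS XML API threat-log request (type=log, log-type=threat, an API that exists but is not described on this page), and runs the same category/ID filter over constructed log records. The record field names (subtype, threat_category, threat_id, threat_name, ...) are an assumption chosen to mirror the page's query attributes, not an exact export format, and the sample records and their addresses are constructed.

```python
"""Filter Advanced Threat Prevention threat logs by threat category and Threat ID.

Added example, not Palo Alto Networks code. Category names, query syntax and
Threat IDs are the ones the page quotes; the records are constructed and their
field names are an assumption, not an exact firewall or Log Viewer export format.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Sequence
from urllib.parse import urlencode

# Threat names the page associates with each inline cloud analysis Threat ID.
THREAT_NAME_BY_ID: Dict[int, str] = {
    89950: "Evasive HTTP C2 Traffic Detection",
    89955: "Evasive Cobalt Strike C2 Traffic Detection",
    89956: "Evasive Cobalt Strike C2 Traffic Detection",
    89957: "Evasive Cobalt Strike C2 Traffic Detection",
    89958: "Evasive Empire C2 Traffic Detection",
    99950: "Inline exploit (SQL injection)",       # page gives ID and class only
    99951: "Inline exploit (command injection)",
}
# Name still carried by HTTP C2 logs written before the December 11, 2023 update.
LEGACY_C2_NAME = "Inline Cloud Analyzed HTTP Command and Control Traffic Detection"


def scm_query(category: str, threat_ids: Sequence[int] = ()) -> str:
    """Strata Cloud Manager Log Viewer filter, in the form the page shows."""
    query = f"threat_category.value = '{category}'"
    if threat_ids:
        ids = " OR ".join(f"Threat ID = {tid}" for tid in threat_ids)
        query += f" AND ({ids})" if len(threat_ids) > 1 else f" AND {ids}"
    return query


def panos_filter(category: str, threat_ids: Sequence[int] = ()) -> str:
    """PAN-OS Monitor > Logs > Threat filter, in the form the page shows."""
    query = f"( category-of-threatid eq {category} )"
    if threat_ids:
        ids = " or ".join(f"( name-of-threatid eq {tid} )" for tid in threat_ids)
        query += f" and ( {ids} )" if len(threat_ids) > 1 else f" and {ids}"
    return query


def panos_api_query_string(log_filter: str, nlogs: int = 100) -> str:
    """Query string for a PAN-OS XML API threat-log request (type=log&log-type=threat).
    Send the API key in the X-PAN-KEY header rather than as key= so it stays out
    of URL logs; the request returns a job ID that is then fetched with action=get."""
    return urlencode({"type": "log", "log-type": "threat",
                      "query": log_filter, "nlogs": nlogs})


@dataclass(frozen=True)
class ThreatLog:              # assumed record shape, see module docstring
    receive_time: str
    subtype: str              # vulnerability | virus | spyware
    threat_category: str      # the page's Threat Category field
    threat_id: int
    threat_name: str
    src: str
    dst: str
    action: str


def matches(log: ThreatLog, category: str, threat_ids: Sequence[int] = ()) -> bool:
    """Match on category and, optionally, Threat ID. The threat name is deliberately
    not consulted: the same IDs carried a different name before the rename."""
    if log.threat_category != category:
        return False
    return not threat_ids or log.threat_id in threat_ids


def filter_logs(logs: Sequence[ThreatLog], category: str,
                threat_ids: Sequence[int] = ()) -> List[ThreatLog]:
    return [log for log in logs if matches(log, category, threat_ids)]


def c2_family_counts(logs: Sequence[ThreatLog]) -> Dict[str, int]:
    """Count inline-cloud-c2 hits per current threat name, resolving records that
    still carry the legacy name through their Threat ID."""
    counts: Counter = Counter()
    for log in filter_logs(logs, "inline-cloud-c2"):
        counts[THREAT_NAME_BY_ID.get(log.threat_id, log.threat_name)] += 1
    return dict(counts)


# Constructed sample records (documentation addresses, not real events).
SAMPLE_LOGS = [
    ThreatLog("2024/01/05 10:02:11", "spyware", "inline-cloud-c2", 89958,
              "Evasive Empire C2 Traffic Detection", "10.1.20.7", "203.0.113.44", "reset-both"),
    ThreatLog("2024/01/05 10:04:52", "spyware", "inline-cloud-c2", 89956,
              "Evasive Cobalt Strike C2 Traffic Detection", "10.1.20.9", "198.51.100.12", "alert"),
    # Written before the rename: legacy name, but the Threat ID identifies it as Empire C2.
    ThreatLog("2023/11/30 08:15:00", "spyware", "inline-cloud-c2", 89958,
              LEGACY_C2_NAME, "10.1.20.7", "203.0.113.44", "alert"),
    ThreatLog("2024/01/05 11:20:03", "vulnerability", "inline-cloud-exploit", 99950,
              "Inline exploit (SQL injection)", "192.0.2.10", "10.1.30.5", "reset-server"),
    # Non-inline category named on the page; the ID is a placeholder, not a real signature.
    ThreatLog("2024/01/05 11:21:45", "vulnerability", "info-leak", -1,
              "placeholder info-leak signature", "192.0.2.10", "10.1.30.5", "alert"),
]

if __name__ == "__main__":
    print(panos_api_query_string(panos_filter("inline-cloud-c2", [89958]), nlogs=50))
    for log in filter_logs(SAMPLE_LOGS, "inline-cloud-c2", [89958]):
        print(log.receive_time, log.threat_id, log.threat_name, log.src, "->", log.dst)
    print(c2_family_counts(SAMPLE_LOGS))
```

Running it prints the API query string for the Empire C2 filter, both Empire C2 records (the pre-rename one included, because the filter keys on category and ID), and a per-family count in which the legacy-named record is attributed to Evasive Empire C2 Traffic Detection through its Threat ID.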