PAN-OS

  • Filter Threat logs by threat category.
    1. Select Monitor > Logs > Threat.
    2. Add the Threat Category column so you can view the Threat Category for each log entry.
    3. To filter based on Threat Category:
      • Use the log query builder to add a filter with the Attribute Threat Category and, in the Value field, enter a Threat Category.
      • Select the Threat Category of any log entry to add that category to the filter.
  • Filter Threat logs by threat signature type.
    1. Select Monitor > Logs > Threat.
    2. Add the Type column, if it is not present, so you can view the threat signature type for each log entry.
    3. To filter based on the signature type:
      • Use the log query builder to add a filter with the Attribute of the threat signature type and, in the Value field, enter a threat signature type. You can select from vulnerability, virus, and spyware, which correspond to the signatures handled by your Vulnerability Protection, Antivirus, and Anti-Spyware security profiles.
      • Select the Type of any log entry to add that threat signature type to the filter. You can also build the query manually using the filter and threat signature type.
  • Filter Threat logs by threat categories that have been detected using inline cloud analysis (spyware).
    1. Select Monitor > Logs > Threat and filter by ( category-of-threatid eq inline-cloud-c2 ) (for C2 threats) to view logs that have been analyzed using the inline cloud analysis mechanism of Advanced Threat Prevention.
    2. Select a log entry to view the details of a detected C2 threat.
    3. The threat Category is displayed under the Details pane of the detailed log view. C2 threats that have been detected using inline cloud analysis have a threat category of inline-cloud-c2.
  • Monitor activity on the firewall for vulnerability exploits that have been detected using inline cloud analysis (vulnerability).
    1. Select Monitor > Logs > Threat and filter by ( category-of-threatid eq inline-cloud-exploit ) to view logs that have been analyzed using the inline cloud analysis mechanism of Advanced Threat Prevention. Inline exploit (SQL injection) threats have an ID of 99950, while inline exploit (command injection) threats have an ID of 99951.
    2. Select a log entry to view the details of a vulnerability exploit.
    3. The threat Category is displayed under the Details pane of the detailed log view. Vulnerability exploits that have been detected using inline cloud analysis have a threat category of inline-cloud-exploit.
  • Filter ACC activity by threat category.
    1. Select ACC and add Threat Category as a global filter.
    2. Select the Threat Category to filter all ACC tabs.
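To show how query strings like ( category-of-threatid eq inline-cloud-exploit ) select entries, here is an added example (not Palo Alto Networks code) that evaluates such filters against constructed log records; the attribute names subtype and threatid, the neq operator and left-to-right evaluation are assumptions, and only the categories and threat IDs documented above are taken from the page.

```python
"""Added example (not PAN-OS code): evaluate Threat-log query strings such as
( category-of-threatid eq inline-cloud-c2 ) against exported log records."""
import re

# Constructed sample Threat log entries. Only the categories and threat IDs
# named in the documentation above are real; the other values are made up,
# and the attribute names "subtype" and "threatid" are assumed.
SAMPLE_LOGS = [
    {"src": "10.0.0.5", "subtype": "spyware", "threatid": "12345",
     "category-of-threatid": "inline-cloud-c2"},
    {"src": "10.0.0.7", "subtype": "vulnerability", "threatid": "99950",
     "category-of-threatid": "inline-cloud-exploit"},
    {"src": "10.0.0.9", "subtype": "vulnerability", "threatid": "99951",
     "category-of-threatid": "inline-cloud-exploit"},
    {"src": "10.0.0.3", "subtype": "virus", "threatid": "54321",
     "category-of-threatid": "unknown"},
]

# One term of the filter: "( attribute eq value )"; "neq" is an assumed extension.
TERM = re.compile(r"\(\s*([\w.-]+)\s+(eq|neq)\s+([\w.-]+)\s*\)")
JOIN = re.compile(r"\)\s*(and|or)\s*\(")

def parse_filter(query):
    """Return the (attribute, operator, value) terms and the and/or joins."""
    terms = TERM.findall(query)
    ops = JOIN.findall(query)
    if not terms or len(ops) != len(terms) - 1:
        raise ValueError(f"malformed filter: {query!r}")
    return terms, ops

def matches(entry, query):
    """Evaluate the filter left to right (a simplification of the real precedence)."""
    terms, ops = parse_filter(query)
    def test(term):
        attr, op, value = term
        hit = entry.get(attr, "") == value
        return hit if op == "eq" else not hit
    result = test(terms[0])
    for op, term in zip(ops, terms[1:]):
        result = (result and test(term)) if op == "and" else (result or test(term))
    return result

def filter_logs(entries, query):
    return [e for e in entries if matches(e, query)]

def inline_exploit_kind(entry):
    """Label the inline exploit IDs documented above; anything else is 'other'."""
    return {"99950": "sql-injection", "99951": "command-injection"}.get(entry.get("threatid"), "other")
```

Running filter_logs(SAMPLE_LOGS, "( category-of-threatid eq inline-cloud-exploit )") returns the two exploit entries, which inline_exploit_kind labels as SQL injection (99950) and command injection (99951).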