Indicators

The Indicators tab provides a summary of threat intelligence data that Palo Alto Networks has on a particular threat indicator — URLs, domains, IP addresses (IPv4 and IPv6), and hashes. The threat intelligence summary data, depending on the type of indicator, can include the WildFire verdict, detection reasons, associated metadata (including the indicator source(s)), WHOIS information, tags, logs of DNS activity from all samples analyzed with WildFire, active/passive DNS history where AutoFocus detected instances of the artifact, and other related information. This can help you assess whether a specific hash, domain, URL, or IP address is associated with suspicious behavior and analyze the nature of a threat.
Indicators List Details
indicator-drilldown.png
postit1.png Threat Indicator Overview
The threat indicator summary provides a breakdown of the properties, behaviors, and activities reported by various Palo Alto Networks analytics services. URL entries can include additional context provided by analysis data derived from the improved URL analysis capabilities found in the WildFire global cloud. This content is categorized into three categories: Summary, Evidence, and Analyst. The summary provides a high level overview of the URL, including PAN-DB categorization details, detection reasons with verdict, Whois information, accompanied by a screenshot. Evidence shows details regarding why and how the verdict was reached. Analyst describes various insights into the operational details of the web page, including network traffic and file transfers. For all other indicators, the threat indicator summary provides a breakdown of the general properties, behaviors, and activities reported by various Palo Alto Networks analytics services.The following list shows some of the threat data that can populate the threat indicator overview.
  • WildFire Verdict—The verdict of the sample based on the WildFire analysis of the file or email link.
  • Tags—Lists the tags or tag groups associated with the threat indicator.
  • Upload Source—Lists which of your connected Palo Alto Networks services or appliances uploaded the threat indicator.
  • First/Last Seen Date—Displays when the threat indicator was first and last sent to WildFire for analysis.
  • WHOIS—Shows general domain information.
  • PAN-DB Categorization—View URLs associated with the domain, URL, or IP address through PAN-DB and the PAN-DB category for each URL.
  • WildFire DNS History—View a log of domain to IP address mappings based on all samples that launched a request to connect to a domain during Wildfire Analysis.
  • DNS Security Results— Domains that have been analyzed by DNS Security are listed here.
  • Passive DNS History—View a passive history of domain to IP address mappings that contain matches to the artifact your searched for.
  • Active DNS History—View active domain to IP address mappings that contain matches to the artifact your searched for.
postit2.png VirusTotal
A direct link to the VirusTotal analysis of the specified file hash.
This options is only available for file hashes.
postit3.png Sample and Session Details
You can pivot to a sample or session search on the specified indicator. This automatically initiates a search based off of the initial query and can provide a wider context and additional details.

Recommended For You