General Information | Contains information about the firewall/security platform
that processed the threat. |
PAN-OS Information | Contains information about the firewall/security platform
that processed the threat. |
Session Information | Contains session information based on the
traffic as it traversed the firewall/security platform that forwarded
the threat. The following options are available:
  Source IP
  Source Port
  Destination IP
  Destination Port
  Session ID
  Session Timestamp
  Payload Type
|
Transaction Data | The transaction data provides an overview
of the payload details and contains the detection service report(s). The
following options are available: |
Detection Service Results |
When threat analysis is performed by the Advanced Threat Prevention
cloud, this section contains entries showing the analysis results.
This includes the detection service report(s), which additionally
provides the MITRE ATT&CK® classified techniques employed, as
well as the payload details.
Command and control detections for the Empire C2 framework show
additional contextual information. This includes reports generated
from both the staging phase and the command (post-exploitation) phase
of an attack, even though the two phases occur in separate sessions.
The following information entries are available:
  Attack Description—describes the nature of the C2 attack.
  Attack Details—indicates the phase of the Empire C2 attack
  and describes the exchanges between the server and the client.
  Attack Evidences—lists behavior and actions consistent with
  known Empire C2 activity.
Empire-based C2 is detected using a
sub-module detector contained within the Inline Cloud
Analyzed HTTP Command and Control Traffic Detection
analysis engine, with a unique threat ID of 89958.
|
CVE Mapping Information
|
Advanced Threat Prevention can associate detected vulnerabilities
with a CVE, if one exists. In cases where a CVE becomes available
after the initial detection is made by Advanced Threat Prevention,
the report is typically updated within 24 hours of the change.
In cases where multiple CVEs match, the exact match is listed
first, followed by the high confidence matches.
The following information entries are available:
  CVE ID—a unique identifier value for a CVE, using the
  following formatting: CVE-YYYY-NNNNN, whereby CVE is the
  prefix, YYYY is the year the ID was reserved or the vulnerability
  was publicly disclosed, and NNNNN the sequence number assigned by
  the CNA (four or more digits; the five-digit form is shown here).
  Name—name of the CVE.
  Description—description of the CVE.
  Category—indicates the type of vulnerability for the CVE,
  e.g. SQL injection.
  Severity—indicates the severity level of the CVE, derived from its
  score using the CVSS v3 qualitative rating scale:
    Critical—9.0-10.0
    High—7.0-8.9
    Medium—4.0-6.9
    Low—0.1-3.9
    None—0
  Score—the numeric score, as determined by the CVSS (Common
  Vulnerability Scoring System).
  First Published Date—the date when the CVE was initially
  published.
  Confidence Level—indicates the degree of certainty that
  Advanced Threat Prevention has estimated for the CVE mapping:
    3: high confidence
    4: exact match
|
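The following is an added example, not part of the original documentation or of any Palo Alto Networks product code. It shows how a consumer of the CVE Mapping Information (for instance a script that pulls threat reports for ticketing) would validate the CVE ID field, bucket the CVSS score into the severity bands listed above, and order multiple matches the way the report does (exact match first, then high confidence matches). The sample entries and their scores are constructed placeholders, not statements about real vulnerabilities; the CveMatch structure and function names are assumptions for this example.

```python
import re
from typing import List, NamedTuple, Tuple

# CVE-YYYY-NNNNN as the report describes it; the sequence part is four or
# more digits (the five-digit form shown in the report is one instance).
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# Confidence Level values the report defines.
CONFIDENCE_LABELS = {4: "exact match", 3: "high confidence"}


def is_valid_cve_id(cve_id: str) -> bool:
    """True if cve_id matches the CVE-YYYY-NNNN+ syntax (case-sensitive prefix)."""
    return CVE_ID_RE.match(cve_id) is not None


def cvss_severity(score: float) -> str:
    """Map a CVSS base score to the report's severity band.

    CVSS base scores carry one decimal place, so rounding first guarantees
    every in-range value lands in exactly one band (e.g. 6.95 cannot fall
    between Medium 6.9 and High 7.0).
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    score = round(score, 1)
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


class CveMatch(NamedTuple):
    # Hypothetical structure for one CVE Mapping Information entry.
    cve_id: str
    score: float
    confidence: int  # 4 = exact match, 3 = high confidence


def order_matches(matches: List[CveMatch]) -> Tuple[List[CveMatch], List[CveMatch]]:
    """Return (kept, rejected).

    kept is ordered as the report orders it: the exact match first, then the
    high confidence matches; within a tier the highest CVSS score comes first,
    with the CVE ID as a stable tie-breaker. Entries with a malformed CVE ID or
    an undefined confidence level are not silently ranked; they are returned
    separately so the caller can log them.
    """
    kept: List[CveMatch] = []
    rejected: List[CveMatch] = []
    for m in matches:
        if is_valid_cve_id(m.cve_id) and m.confidence in CONFIDENCE_LABELS:
            kept.append(m)
        else:
            rejected.append(m)
    kept.sort(key=lambda m: (-m.confidence, -m.score, m.cve_id))
    return kept, rejected


def triage_rows(matches: List[CveMatch]) -> List[Tuple[str, float, str, str]]:
    """Produce (cve_id, score, severity, confidence label) rows in report order."""
    kept, _ = order_matches(matches)
    return [
        (m.cve_id, m.score, cvss_severity(m.score), CONFIDENCE_LABELS[m.confidence])
        for m in kept
    ]


# Constructed sample: placeholder IDs and scores, not real vulnerability data.
SAMPLE_MATCHES = [
    CveMatch("CVE-2024-10001", 7.5, 3),   # high confidence, High
    CveMatch("CVE-2024-10002", 9.8, 4),   # exact match, should be listed first
    CveMatch("CVE-2024-10003", 9.8, 3),   # high confidence, Critical
    CveMatch("CVE-24-1", 5.0, 3),         # malformed ID, rejected
    CveMatch("CVE-2024-10005", 6.0, 2),   # undefined confidence level, rejected
]

if __name__ == "__main__":
    for row in triage_rows(SAMPLE_MATCHES):
        print(row)
    _, bad = order_matches(SAMPLE_MATCHES)
    print("rejected:", [m.cve_id for m in bad])
```

The rejection path matters in practice: an automation that sorts on the confidence value alone would rank an unexpected value (anything other than 3 or 4) below or above the documented tiers without anyone noticing, whereas surfacing it as rejected makes a schema change in the report visible.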