View Advanced Threat Prevention Report
Advanced Threat Prevention Powered by Precision AI™

Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Strata Cloud Manager)
  • NGFW (Managed by PAN-OS or Panorama)
  • VM-Series
  • CN-Series
What Do I Need?
  • Advanced Threat Prevention (for enhanced feature support) or Threat Prevention License
The Advanced Threat Prevention Report is available through the Threat Vault API and provides detailed analysis and detection information, as well as information about the transaction, session, and other related processes. The report contains some or all of the information described in the following table, in JSON format, depending on the session information configured on the firewall that processed the file and the analysis details available for the file.
NGFWs do not have direct access to reports through PAN-OS; instead, you must reference the cloud_reportid associated with the threat log and use the Threat Vault API to search and retrieve the report.
For Prisma Access (through the Strata Cloud Manager), the report is viewable from the log viewer (View Threat Logs). Log entries with a generated Advanced Threat Prevention report have a download link next to the report ID value under the Cloud ReportID column.
The report headings and their descriptions are:
General Information
Contains information about the firewall/security platform that processed the threat.
  • The cloud report ID number containing the Advanced Threat report data.
  • Error messages that might have been generated during creation of the report.
PAN-OS Information
Contains information about the firewall/security platform that processed the threat.
  • Firewall interface (IPv4/IPv6)
  • Content package version
  • Firewall Hostname
  • Firewall model
  • Serial Number
  • PAN-OS version
Session Information
Contains session information based on the traffic as it traversed the firewall/security platform that forwarded the threat.
The following options are available:
  • Source IP
  • Source Port
  • Destination IP
  • Destination Port
  • Session ID
  • Session Timestamp
  • Payload Type
Transaction Data
The transaction data provides an overview of the payload details and contains the detection service report(s).
The following options are available:
  • Transaction ID
  • SHA256 hash of the payload
Detection Service Results
When threat analysis is performed by the Advanced Threat Prevention cloud, this section contains entries showing the analysis results. This includes the detection service report(s), which additionally provide the MITRE ATT&CK® classified techniques employed, as well as the payload details.
Command and control detections for the Empire C2 framework show additional contextual information. This includes reports generated from both the staging and the command (post-exploitation) phases of an attack, which occur in separate sessions.
The following information entries are available:
  • Attack Description—describes the nature of the C2 attack.
  • Attack Details—indicates the phase of the Empire C2 attack and describes the exchanges between the server and client.
  • Attack Evidences—lists behavior and actions consistent with known Empire C2 activity.
Empire-based C2 is detected using a sub-module detector contained within the Inline Cloud Analyzed HTTP Command and Control Traffic Detection analysis engine with a unique threat ID of 89958.
CVE Mapping Information
Advanced Threat Prevention can associate detected vulnerabilities and map them to a CVE, if one exists. In cases where a CVE is available after the initial detection is made by Advanced Threat Prevention, the report is typically updated within 24 hours of the change.
In cases where multiple CVEs match, the exact match is listed first, followed by the high confidence matches.
The following information entries are available:
  • CVE ID—a unique identifier value for a CVE, using the format CVE-YYYY-NNNNN, where CVE is the prefix, YYYY is the year the vulnerability was released, and NNNNN is the number assigned by the CNA.
  • Name—name of the CVE.
  • Description—description of the CVE.
  • Category—indicates the type of vulnerability for the CVE, e.g. SQL injection.
  • Severity—indicates the severity level of the CVE:
    • Critical
    • High
    • Medium
    • Low
  • Score—the score number, as determined by the CVSS (Common Vulnerability Scoring System):
    • Critical—9.0-10.0
    • High—7.0-8.9
    • Medium—4.0-6.9
    • Low—0.1-3.9
    • None—0
  • First Published Date—the date when the CVE was initially published.
  • Confidence Level—indicates the degree of certainty that Advanced Threat Prevention has estimated for the CVE mapping information:
    • 3: high confidence
    • 4: exact match
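As an added example (not code from this page or from Palo Alto Networks' own tooling), the following Python script parses a constructed report shaped like the headings above and applies the rules from the CVE Mapping Information section: exact matches (confidence level 4) are ranked before high confidence matches (3), CVSS scores are mapped to the severity bands listed, and malformed CVE IDs are dropped. The JSON key names, the report ID, the hash and the CVE numbers are all assumed placeholders, not the real Threat Vault API schema.

```python
import json
import re

# Constructed sample report. Key names are assumptions modelled on the report
# headings on this page, not the actual Threat Vault API schema; all values are
# made-up placeholders.
SAMPLE_REPORT = json.dumps({
    "general_information": {"cloud_report_id": "EXAMPLE-REPORT-ID", "errors": []},
    "session_information": {"source_ip": "10.0.0.5", "destination_ip": "203.0.113.7",
                            "destination_port": 443, "session_id": 12345},
    "transaction_data": [{"transaction_id": 1, "sha256": "<placeholder-sha256>"}],
    "cve_mapping": [
        {"cve_id": "CVE-2099-00001", "score": 9.8, "confidence_level": 3},
        {"cve_id": "CVE-2099-00002", "score": 7.5, "confidence_level": 4},
        {"cve_id": "not-a-cve-id", "score": 5.0, "confidence_level": 3},
    ],
})

CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")     # CVE-YYYY-NNNNN, NNNNN has 4+ digits
CONFIDENCE = {4: "exact match", 3: "high confidence"}  # levels named on this page

def cvss_band(score):
    """Map a CVSS score to the severity band used in the report."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

def ranked_cves(report):
    """Return well-formed CVE entries, exact matches first, then high confidence,
    ties broken by higher CVSS score. Malformed IDs are dropped so they never
    reach a ticket or SIEM field unchecked."""
    rows = []
    for entry in report.get("cve_mapping", []):
        cve_id, level = entry.get("cve_id", ""), entry.get("confidence_level")
        if not CVE_ID_RE.match(cve_id) or level not in CONFIDENCE:
            continue
        rows.append({"cve_id": cve_id, "score": entry["score"], "confidence_level": level,
                     "severity": cvss_band(entry["score"]), "confidence": CONFIDENCE[level]})
    rows.sort(key=lambda r: (-r["confidence_level"], -r["score"]))
    return rows

def summarize(raw_json):
    """Pull the fields an analyst triages first out of a raw report string."""
    report = json.loads(raw_json)
    general = report["general_information"]
    return {"cloud_report_id": general["cloud_report_id"], "errors": general.get("errors", []),
            "sha256": [t["sha256"] for t in report.get("transaction_data", [])],
            "cves": ranked_cves(report)}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_REPORT), indent=2))
```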