Search for Security Artifacts

In Activity, you can search on a security artifact to interact with data just for that artifact.
In Activity, you can search on a security artifact to interact with data just for that artifact. Search results include:
  • The artifact’s history and activity in your network.
    Assess how prevalent the artifact is in your network and compare to industry peers.
    In some cases, search results might depend on the licenses your using; DNS Security, WildFire, URL Filtering, or Cortex Data Lake might be required for certain data points.
  • Palo Alto Networks threat intelligence on the artifact, based on analysis of all the traffic Palo Alto Networks processes and analyzes.
  • Consolidated third-party analysis findings for the artifact.
You can find the Search menu on the left navigation pane.
To get started, search for one of these types of artifacts: a
file hash
, a
, a
, or an
IP address
(IPv4 or IPv6).

IP Address

You can look for an IP address to analyze the threat information related to IP address activities in your network. The following data is shown in the search result:
  • Total number of times IP address was detected in your network over the past 30 days.
  • Graphical representation of action taken (allow or block) on IP address.
  • List of DNS requests that contain the IP address based on the Palo Alto Network’s threat intelligence and third-party sources.


View a summary of the activities associated with the domain in your network. The search result includes:
  • Classification of the domain in your network based on the WildFire sample analysis.
  • Total number of activities associated with the domain over the past 30 days.
  • Enforcement applied to each activity in a graphical format.
  • Information from WildFire analysis that supports the data used to assign the verdict for the domain.
  • DNS activity collected from across all WildFire submissions that contain instances of this domain.


Learn about the URL’s activity across all traffic Palo Alto Network analyzes. The search result includes:
- Review a summary of the URL's activity in your network. Data includes: DNS Security findings for the URL and the PAN-DB Categorization.
- See the file analysis data that includes the requests made globally for this URL, and files detected with this URL. You can use the file hash value or the file view to know more.

File Hash

File hash search summarizes the file’s activity, analysis of file properties, and details from WildFire sample analysis. You can drill down on the search result to review the following data:
- View the file hash verdict and the history of the file’s activity in your network. Click the tag name to view the details of the tag. Tags can help you understand if the file is part of any threat families, campaigns, or actors.
WildFire Analysis
- Assess how the sample (file) behaved during WildFire analysis. You can view the information on the sample verdict, threat indicators detected during sample analysis, and behavior while processing the sample in the analysis environment, and screenshots of the various process milestones captured during the WildFire sample analysis.
File Analysis
- Compare the analysis before and after the execution of the sample (file) in the WildFire analysis environment.
- Check the verdict of the sample here. If the verdict is classified incorrectly, request for a verdict change. The Palo Alto Network threat team investigates further on the sample and updates the verdict if found incorrect.
Static Analysis
- Static analysis looks at the contents of a specific file before the file is executed in the WildFire analysis environment. The search also shows the suspicious file properties found during static analysis. The search result varies depending on the file type. The screenshot here shows a static analysis for an archive file.
Observed Behavior
- Review the WildFire behavior analysis of the sample in a particular environment.
WildFire Dynamic Analysis
- Inspects the file in detail extracting additional information and indicators for a compromised network. You can check the process activities involved, and the sequence of events that took place in your system while executing the file.
Network Sessions
- Learn about the network session for a sample. Use this data to learn more about the context of the threat, know the affected hosts and clients, and the applications used to deliver the malware.
- Check the signature coverage for a sample to assess the level of protection against threats. You can view the signatures tagged to the domains from where the sample was downloaded and the URLs that are accessed by the sample.
- View the artifacts that are indicators for a comprised network. The indicators are categorized based on the artifact types; domain, IP address, URL, user agent headers, and mutual exclusion objects. High-risk artifacts are labeled as Suspicious or Highly Suspicious.

Recommended For You