Focus

Strata Cloud Manager

Monitor: IOC Search

Table of Contents

Monitor: IOC Search

You can search on a security artifact to interact with data just for that artifact.

Where Can I Use This?	What Do I Need?
`Prisma Access (Cloud Management)` `Prisma Access` license `NGFW (PAN-OS or Panorama Managed)` `NGFW (Cloud Managed)` `VM-Series, funded with Software NGFW Credits`	`AIOps for NGFW Free (use the AIOps for NGFW Free app)` or `AIOps for NGFW Premium license (use the Strata Cloud Manager app)` license `Prisma Access` Licenses required to view certain data points in Search results.

You can search on a security artifact to interact with data just for that artifact. Search results include:

The artifact’s history and activity in your network. Assess how prevalent the artifact is in your network and compare to industry peers.

Palo Alto Networks threat intelligence on the artifact, based on analysis of all the traffic Palo Alto Networks processes and analyzes.

Consolidated third-party analysis findings for the artifact.

Click

Monitor

IOC Search

to get started.

To get started, search for one of these types of artifacts: a file hash
, a URL
, a domain
, or an IP address
(IPv4 or IPv6).

IP Address

You can look for an IP address to analyze the threat information related to IP address activities in your network. The following data is displayed in the search result:

Total number of times an IP address was detected in your network over the past 30 days.

Graphical representation of action taken (allow or block) on IP address.

List of DNS requests that contain the IP address based on the Palo Alto Networks threat intelligence and third-party sources.

Domain

View a summary of the activities associated with the domain in your network. The search results include :

Classification of the domain in your network based on the WildFire sample analysis.

Total number of activities associated with the domain over the past 30 days.

Enforcement applied to each activity in a graphical format.

Information from WildFire analysis that supports the data used to assign the verdict for the domain.

DNS activity collected from across all WildFire submissions that contain instances of this domain.

URL

Learn about the URL’s activity across all traffic Palo Alto Networks analyzes. The search results include :

Summary - Review a summary of the URL's activity in your network. Data includes: DNS Security findings for the URL and the PAN-DB Categorization.
Screenshot - Shows a snapshot of the website when you search on a URL artifact.
Analysis - See the file analysis data that includes the requests made globally for this URL, and files detected with this URL. You can use the file hash value or the file view to know more.

File Hash

File hash search summarizes the file’s activity, analysis of file properties, and details from WildFire sample analysis. You can drill down on the search result to review the following data:

Summary - View the file hash verdict and the history of the file’s activity in your network. Click the tag name to view the details of the tag. Tags can help you understand if the file is part of any threat families, campaigns, or actors.
WildFire Analysis - Assess how the sample (file) behaved during WildFire analysis. You can view the information on the sample verdict, threat indicators detected during sample analysis, and behavior while processing the sample in the analysis environment. You can also view the screenshots of the various process milestones captured during the WildFire sample analysis.
File Analysis - Compare the analysis before and after the execution of the sample (file) in the WildFire analysis environment.
Overview - Check the verdict of the sample here. If the verdict is classified incorrectly, request for a verdict change. The Palo Alto Networks threat team investigates further on the sample and updates the verdict if found incorrect.
Static Analysis - Static analysis looks at the contents of a specific file before the file is executed in the WildFire analysis environment. The search also shows the suspicious file properties found during static analysis. The search result varies depending on the file type. The screenshot here shows a static analysis for an archive file.
Observed Behavior - Review the WildFire behavior analysis of the sample in a particular environment.
Dynamic Analysis - Inspects the file in detail extracting additional information and indicators for a compromised network. You can check the process activities involved, and the sequence of events that took place in your system while executing the file.
Advanced Dynamic Analysis - View the analysis results of samples analyzed by Advanced WildFire techniques (Intelligent Run-time Memory Analysis analysis, hypervisor Dynamic Analysis, Dependency Emulation, etc.), a cloud-based engine that detects and prevents highly evasive malware threats. You can view the observed behaviors and use this information for post execution analysis.
Network Sessions - Learn about the network session for a sample. Use this data to learn more about the context of the threat, know the affected hosts and clients, and the applications used to deliver the malware.
Coverage - Check the signature coverage for a sample to assess the level of protection against threats. You can view the signatures tagged to the domains from where the sample was downloaded and the URLs that are accessed by the sample.
Indicators - View the artifacts that are indicators for a comprised network. The indicators are categorized based on the artifact types; domain, IP address, URL, user agent headers, and mutual exclusion objects. High-risk artifacts are labeled as Suspicious or Highly Suspicious.