Interpret Botnet Report Output
The botnet report displays a line for each host that is associated with traffic you defined as suspicious when configuring the report. For each host, the report displays a confidence score of 1 to 5 to indicate the likelihood of botnet infection, where 5 indicates the highest likelihood. The scores correspond to threat severity levels: 1 is informational, 2 is low, 3 is medium, 4 is high, and 5 is critical. The firewall bases the scores on:
Traffic type—Certain HTTP traffic types are more likely to involve botnet activity. For example, the report assigns a higher confidence to hosts that visit known malware URLs than to hosts that browse to IP domains instead of URLs, assuming you defined both those activities as suspicious.
Number of events—Hosts that are associated with a higher number of suspicious events will have higher confidence scores based on the thresholds (Count values) you define when you Configure a Botnet Report.
Executable downloads—The report assigns a higher confidence to hosts that download executable files. Executable files are a part of many infections and, when combined with the other types of suspicious traffic, can help you prioritize your investigations of compromised hosts.
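The following script is an added example, not Palo Alto Networks code, showing how an analyst might triage exported report rows using the three factors above: it maps each confidence score to its severity level, drops hosts below a chosen confidence, and, within the same score, puts hosts whose executable downloads coincide with other suspicious traffic first. The page does not specify the report's export format, so the CSV layout (host, confidence, semicolon-separated activity types) and the activity names such as `malware-url` and `executable-download` are assumptions made for this example; the confidence scores themselves are whatever the firewall produced.

```python
"""Triage helper for botnet report rows (added example, not vendor code).

Assumed CSV layout: host, confidence, semicolon-separated activity types.
The firewall computes the confidence score; this script only orders and
labels rows the way the report description suggests an analyst would.
"""
import csv
import io
from dataclasses import dataclass

# Confidence score to threat severity level, as stated in the report description.
SEVERITY = {1: "informational", 2: "low", 3: "medium", 4: "high", 5: "critical"}

# Activity type name constructed for this example (not a documented value).
EXECUTABLE_DOWNLOAD = "executable-download"

# Constructed sample export for offline testing; not real report output.
SAMPLE_CSV = """host,confidence,activities
10.1.1.20,5,malware-url;executable-download
10.1.1.45,3,ip-domain-browsing
10.1.1.7,5,malware-url
10.1.1.99,2,unknown-tcp
10.1.1.61,3,executable-download;ip-domain-browsing
"""


@dataclass(frozen=True)
class ReportRow:
    host: str
    confidence: int
    activities: frozenset


@dataclass(frozen=True)
class TriageEntry:
    host: str
    confidence: int
    severity: str
    combined_exe: bool  # executable download plus other suspicious traffic


def severity_label(confidence):
    """Map a 1-5 confidence score to its severity level; reject anything else."""
    try:
        return SEVERITY[confidence]
    except KeyError:
        raise ValueError(f"confidence must be 1-5, got {confidence!r}") from None


def parse_report(text):
    """Parse the assumed CSV export into ReportRow objects."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        confidence = int(rec["confidence"])
        severity_label(confidence)  # validate the score range early
        activities = frozenset(a for a in rec["activities"].split(";") if a)
        rows.append(ReportRow(rec["host"], confidence, activities))
    return rows


def has_combined_exe(row):
    """True when the host downloaded an executable and showed other suspicious traffic."""
    return EXECUTABLE_DOWNLOAD in row.activities and len(row.activities) > 1


def triage(rows, min_confidence=3):
    """Return hosts at or above min_confidence, highest confidence first.

    Within the same score, hosts whose executable downloads coincide with
    other suspicious traffic come first, matching the prioritization hint.
    """
    selected = [r for r in rows if r.confidence >= min_confidence]
    selected.sort(key=lambda r: (-r.confidence, not has_combined_exe(r), r.host))
    return [
        TriageEntry(r.host, r.confidence, severity_label(r.confidence), has_combined_exe(r))
        for r in selected
    ]


if __name__ == "__main__":
    for entry in triage(parse_report(SAMPLE_CSV)):
        flag = " (exe + other suspicious traffic)" if entry.combined_exe else ""
        print(f"{entry.host:<12} {entry.confidence} {entry.severity}{flag}")
```

With the constructed sample, the two confidence-5 hosts are listed first, the one that combined a malware URL visit with an executable download ahead of the one with only the URL visit, and the confidence-2 host is left out of the triage list entirely; raise or lower `min_confidence` to match how much of the report you intend to work through.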
When reviewing the report output, you might find that the sources the firewall uses to evaluate botnet activity (for example, the list of malware URLs in PAN-DB) have gaps. You might also find that these sources identify traffic that you consider safe. To compensate in both cases, you can add query filters when you Configure a Botnet Report.