Monitor: IOC Search

Table of Contents

You can search on a security artifact to interact with data just for that artifact.

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Panorama or Strata Cloud Manager) NGFW, including those funded by Software NGFW Credits Prisma SD-WAN	Each of these licenses include access to Strata Cloud Manager: Prisma Access AIOps for NGFW Premium license (use the Strata Cloud Manager app) Strata Cloud Manager Essentials Strata Cloud Manager Pro Prisma SD-WAN The other licenses and prerequisites needed for visibility are: ADEM Observability Autonomous DEM for Remote Networks AI-Powered ADEM WAN Clarity Reporting A role that has permission to view the dashboard → The features and capabilities available to you in Strata Cloud Manager depend on which license(s) you are using.

You can search on a security artifact to interact with data just for that artifact. Search results include:

The artifact’s history and activity in your network. Assess how prevalent the artifact is in your network and compare to industry peers.
Palo Alto Networks threat intelligence on the artifact, based on analysis of all the traffic Palo Alto Networks processes and analyzes.
Consolidated third-party analysis findings for the artifact.

Click MonitorIOC Search to get started.

To get started, search for one of these types of artifacts: a file hash, a URL, a domain, or an IP address (IPv4 or IPv6).

IP Address

You can look for an IP address to analyze the threat information related to IP address activities in your network. The following data is displayed in the search result:

Total number of times an IP address was detected in your network over the past 30 days.
Graphical representation of action taken (allow or block) on IP address.
List of DNS requests that contain the IP address based on the Palo Alto Networks threat intelligence and third-party sources.

Domain

View a summary of the activities associated with the domain in your network. The search results include :

Classification of the domain in your network based on the WildFire sample analysis.
Total number of activities associated with the domain over the past 30 days.
Enforcement applied to each activity in a graphical format.
Information from WildFire analysis that supports the data used to assign the verdict for the domain.
DNS activity collected from across all WildFire submissions that contain instances of this domain.

URL

Learn about the URL’s activity across all traffic Palo Alto Networks analyzes. The search results include :

Summary - Review a summary of the URL's activity in your network. Data includes: DNS Security findings for the URL and the PAN-DB Categorization.
Screenshot - Shows a snapshot of the website when you search on a URL artifact.
Analysis - See the file analysis data that includes the requests made globally for this URL, and files detected with this URL. You can use the file hash value or the file view to know more.

File Hash

File hash search summarizes the file details in a report based on data generated during WildFire analysis. You can download the report as a PDF or MAEC file in cases where the sample is determined to be malicious, phishing, grayware, or benign. Unknown samples do not generate a report.

WildFire samples that generate a verdict provide file information and session information at a minimum; while samples that have undergone additional analysis produce specific analysis data that is relevant to actions taken by the sample. You can drill down on the search results to review the following information categories:

File Information - View general file information, including the file hash, size, and type, as categorized by WildFire. You can also the see the verdict of the sample here. Alternatively, you can search directly on VirusTotal for additional infomration about suspicious files, domains, URLs, IP addresses using the supplied hash value. If the verdict is classified incorrectly, request for a verdict change. The Palo Alto Networks threat team investigates further on the sample and updates the verdict if found incorrect. You can also download the WildFire report of the selected sample hash as a PDF or MAEC file.
Session Information - Learn about the network session for a sample. Use this data to learn more about the context of the threat, know the affected hosts and clients, and the applications used to deliver the malware.
Static Analysis - Static analysis looks at the contents of a specific file before the file is executed in the WildFire analysis environment. This also shows the suspicious file properties, processes, and behaviors detected during static analysis. The search result varies depending on the file type.
Dynamic Analysis - When WildFire encounters a sample that requires additional analysis, such as an unknown sample, the file is forwarded to the Advanced WildFire cloud an is inspected in detail using WildFire dynamic analysis. You can pivot between the various analysis environments used to view the specific analysis results generated by each. This can include samples analyzed by Advanced WildFire techniques (Intelligent Run-time Memory Analysis analysis, hypervisor Dynamic Analysis, Dependency Emulation, etc.), a cloud-based engine that detects and prevents highly evasive malware threats. You can view the observed behaviors and use this information for post execution analysis. You can check the process activities involved, and the sequence of events that took place in your system while executing the file.
Actions Monitored - Review various sample process activity details that WildFire recorded during sample analysis.