Threat Logs
Remember that Threat, URL Filtering and Data Filtering logs are all stored in the same log 'pool' (the threat log type); the subtype field is what separates them, so the filters below always start with a subtype clause.
Threats
( subtype eq wildfire-virus ) and ( severity eq medium )
( subtype eq virus ) and ( severity eq medium )
( subtype eq spyware ) and ( action eq sinkhole )
( subtype eq spyware ) and ( name-of-threatid eq 344426259 ) and ( action eq sinkhole )
( subtype eq spyware ) and ( name-of-threatid eq 'generic:www.groupenci.com' ) and ( action eq sinkhole )
Possible False Positives
( subtype eq vulnerability ) and ( name-of-threatid eq 'HTTP Unauthorized Brute Force Attack' ) and ( severity eq high )
( subtype eq vulnerability ) and ( name-of-threatid eq 'HTTP: User Authentication Brute Force Attempt' ) and ( severity eq high )
( subtype eq vulnerability ) and ( name-of-threatid eq 'SMB: User Password Brute Force Attempt' ) and ( severity eq high )
( subtype eq spyware ) and ( name-of-threatid eq 'DNS Tunnel Data Infiltration Traffic' ) and ( severity eq informational )
Triggered by Zone Protection Profile
( subtype eq scan ) and ( name-of-threatid eq 'SCAN: Host Sweep' ) and ( severity eq medium )
( subtype eq scan ) and ( name-of-threatid eq 'SCAN: TCP Port Scan' ) and ( severity eq medium )
( subtype eq scan ) and ( name-of-threatid eq 'SCAN: UDP Port Scan' ) and ( severity eq medium )
( subtype eq packet ) and ( name-of-threatid eq 'TCP SYN with data' ) and ( severity eq informational )
( subtype eq packet ) and ( name-of-threatid eq 'TCP Fast Open' ) and ( severity eq informational )
( subtype eq packet ) and ( name-of-threatid eq 'IP Option Record Route' ) and ( severity eq informational )
Zone Protection Profile - Flood Protection - ALERT
( subtype eq flood ) and ( name-of-threatid eq 'UDP Flood' ) and ( action eq allow ) and ( severity eq critical )
( subtype eq flood ) and ( name-of-threatid eq 'TCP Flood' ) and ( action eq allow ) and ( severity eq critical )
( subtype eq flood ) and ( name-of-threatid eq 'ICMP Flood' ) and ( action eq allow ) and ( severity eq critical )
Zone Protection Profile - Flood Protection - DROP
( subtype eq flood ) and ( name-of-threatid eq 'UDP Flood' ) and ( action eq drop ) and ( severity eq critical )
( subtype eq flood ) and ( name-of-threatid eq 'TCP Flood' ) and ( action eq drop ) and ( severity eq critical )
( subtype eq flood ) and ( name-of-threatid eq 'ICMP Flood' ) and ( action eq drop ) and ( severity eq critical )
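To try these filters against log data offline, here is an added Python example (it is not Palo Alto Networks code and not the firewall's own filter engine). It parses the filter syntax used on this page, supporting only `eq`/`neq` clauses joined by `and`/`or` with optional nesting, and applies a subset of the page's filters to constructed threat log records. Assumptions: matching is case-insensitive, `and` binds tighter than `or`, and the records are dicts keyed by the filter attribute names used above (`subtype`, `name-of-threatid`, `severity`, `action`), which are not the column names of a real CSV or syslog export.

```python
import re
from typing import Callable, Dict, List, Optional

Record = Dict[str, str]
Predicate = Callable[[Record], bool]

# Tokens: parentheses, single-quoted values, bare words. Parentheses match on
# their own, so a clause typed as "medium)" (no space before ")") still parses.
_TOKEN = re.compile(r"\(|\)|'[^']*'|[^\s()]+")


def tokenize(expr: str) -> List[str]:
    return _TOKEN.findall(expr)


class _Parser:
    """or := and ('or' and)*; and := term ('and' term)*;
    term := '(' field op value ')' | '(' or ')'.  Assumed precedence: and over or."""

    def __init__(self, tokens: List[str]) -> None:
        self.toks, self.pos = tokens, 0

    def peek(self) -> Optional[str]:
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self, expected: Optional[str] = None) -> str:
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.pos += 1
        return tok

    def parse(self) -> Predicate:
        pred = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected trailing token {self.peek()!r}")
        return pred

    def parse_or(self) -> Predicate:
        left = self.parse_and()
        while self.peek() == "or":
            self.take()
            left = (lambda l, r: lambda rec: l(rec) or r(rec))(left, self.parse_and())
        return left

    def parse_and(self) -> Predicate:
        left = self.parse_term()
        while self.peek() == "and":
            self.take()
            left = (lambda l, r: lambda rec: l(rec) and r(rec))(left, self.parse_term())
        return left

    def parse_term(self) -> Predicate:
        self.take("(")
        if self.peek() == "(":           # nested group, e.g. ( ( a ) or ( b ) )
            pred = self.parse_or()
        else:
            field, op, value = self.take(), self.take(), self.take()
            if op not in ("eq", "neq"):  # assumption: only eq/neq are needed here
                raise ValueError(f"unsupported operator {op!r}")
            pred = _compare(field, op, value.strip("'"))
        self.take(")")
        return pred


def _compare(field: str, op: str, value: str) -> Predicate:
    want = value.lower()                 # assumption: case-insensitive match

    def pred(rec: Record) -> bool:
        have = str(rec.get(field, "")).lower()
        return have == want if op == "eq" else have != want

    return pred


def compile_filter(expr: str) -> Predicate:
    """Turn one filter string from the page into a predicate over a record."""
    return _Parser(tokenize(expr)).parse()


# A subset of the page's filters, grouped the way the page groups them.
FILTER_SETS: Dict[str, List[str]] = {
    "sinkhole": ["( subtype eq spyware ) and ( action eq sinkhole )"],
    "possible-false-positive": [
        "( subtype eq vulnerability ) and ( name-of-threatid eq 'HTTP Unauthorized Brute Force Attack' ) and ( severity eq high )",
        "( subtype eq vulnerability ) and ( name-of-threatid eq 'SMB: User Password Brute Force Attempt' ) and ( severity eq high )",
        "( subtype eq spyware ) and ( name-of-threatid eq 'DNS Tunnel Data Infiltration Traffic' ) and ( severity eq informational )",
    ],
    "zone-protection": [
        "( subtype eq scan ) and ( name-of-threatid eq 'SCAN: Host Sweep' ) and ( severity eq medium)",
        "( subtype eq packet ) and ( name-of-threatid eq 'TCP SYN with data' ) and ( severity eq informational )",
    ],
    "flood-alert": ["( subtype eq flood ) and ( name-of-threatid eq 'UDP Flood' ) and ( action eq allow ) and ( severity eq critical )"],
    "flood-drop": ["( subtype eq flood ) and ( name-of-threatid eq 'UDP Flood' ) and ( action eq drop ) and ( severity eq critical )"],
}
_COMPILED = {name: [compile_filter(f) for f in fs] for name, fs in FILTER_SETS.items()}


def classify(rec: Record) -> List[str]:
    """Names of the filter sets in which at least one filter matches rec."""
    return [name for name, preds in _COMPILED.items() if any(p(rec) for p in preds)]


# Constructed records keyed by the filter attribute names (not real export columns).
SAMPLE_RECORDS: List[Record] = [
    {"subtype": "spyware", "name-of-threatid": "generic:www.groupenci.com", "severity": "medium", "action": "sinkhole"},
    {"subtype": "vulnerability", "name-of-threatid": "SMB: User Password Brute Force Attempt", "severity": "high", "action": "reset-both"},
    {"subtype": "scan", "name-of-threatid": "SCAN: Host Sweep", "severity": "medium", "action": "alert"},
    {"subtype": "flood", "name-of-threatid": "UDP Flood", "severity": "critical", "action": "drop"},
    {"subtype": "vulnerability", "name-of-threatid": "Some Other Exploit", "severity": "critical", "action": "reset-both"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{rec['name-of-threatid']:40} -> {classify(rec) or 'no page filter matches'}")
```

Because parentheses are tokenised on their own, the `( severity eq medium)` spelling that appears in the scan filters above parses the same as the spaced form. Records that land in the possible-false-positive set are the ones to review before treating a high-severity hit as an incident; records matching nothing fall through to normal triage.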
