topic Re: Can I Obtain the CVE in the PA event Log in General Topics

Can I Obtain the CVE in the PA event Log

Chuck555555 — Fri, 13 May 2016 04:22:12 GMT

We have numerous PA firewalls that alert for vulnerabilities. I also have a product that scans for vulnerabilities in my network. The scanning device has CVE numbers in its events. The PA has PA's unique identifier in its event. Is there a way for me to pull in the CVE into the Pans threat event so I can correlate the PANs threat events to my existing vulnerability events based on CVE number?

Re: Can I Obtain the CVE in the PA event Log

rcole — Fri, 13 May 2016 12:46:12 GMT

Hello, Chuck, and good morning to you sir!

First, this appears to be a question better suited for the general discussion forum as it doesn't appear to pertain to custom signatures.

However, I would like to point out that if you click on a value populating the "NAME" column in the threat monitor, the metadata for that threat name should appear like so:

The CVE associated is part of this metadata. I don't believe a separate column can be created.

Respectfully,

rcole

Re: Can I Obtain the CVE in the PA event Log

Lucky — Fri, 13 May 2016 13:36:05 GMT

Hi Chuck,

Welcome to our community.

You can issue "configuration mode" command, like below:

admin@Luciano-PA-VM# show predefined threats vulnerability [press ENTER, don't press tab or ?]

and you will get json output where you will have CVE description:

vulnerability {
35931 {
threatname "HP Data Protector OmniInet Opcode Buffer Overflow Vulnerability";
cve CVE-2011-1865;
category overflow;
severity high;
affected-host {
server yes;
}
default-action alert;
}
35933 {
threatname "HP Data Protector OmniInet Opcode 27 Buffer Overflow Vulnerability";
cve CVE-2011-1865;
category overflow;
severity high;
affected-host {
server yes;
}
default-action alert;
}

I think this is the only way to get something usable/useful, you could prolly run a script once a day (because you don't get updates more often) and just populate your fields what is the threat ID vs. the CVE.

Hope it helps, AFAIK this is the only (remotely) functional way to do it.

BR

Luciano

Re: Can I Obtain the CVE in the PA event Log

bpappas — Fri, 13 May 2016 15:29:08 GMT

There is not currently a mechanism that I am aware of to see the CVE in the threat log of the PA Networks devices.

You might want to discuss this idea with your account team. They could tell you if a feature enhancement is in the system for this or not.

Re: Can I Obtain the CVE in the PA event Log

jdelio — Fri, 13 May 2016 18:18:58 GMT

Just to let you know, because this was not related to the Custom Signatures, so I moved it to General Topics.

Re: Can I Obtain the CVE in the PA event Log

clyde.franklin — Fri, 13 May 2016 23:26:45 GMT

Try gonig to Vulmerbiliites profile and click on default profiel or any one and the open it and then click exception tab than check boxshow signatures box like below