Different Threat ID for Data Filtering and Wildfire

wengsengtam — Fri, 07 Apr 2017 08:46:56 GMT

Hello all,

Once upon a time, I stumbled across a page with all the threat ID's used for Data Filtering.

From what I remember"PKG File Detected(52152)" is the threat name and ID used when the firewall sees a PKG file. Windows Executable (EXE) (52020) is when the firewall detects a windows executable.

I am slightly puzzled to see this threat ID used for a wildfire report in Splunk. From my previous experience, wildfire alerts had a different set of threat ID. I would like to know the following:

1. Does anybody know where is the list of threat ID used for the DATA Filtering events?

2. Why would the wildfire report have the threat ID of a DATA Filtering event?

Thanks,

Weng Seng.

Re: Different Threat ID for Data Filtering and Wildfire

bradk14 — Fri, 07 Apr 2017 09:52:04 GMT

I couldn't find a list via Google, but if it helps any, you can at least add the ID field to the Monitor -> Data Filtering logs to see the threat IDs for the entries.

and the Wildfire log does have a field for Threat ID (not to be confused with ID), which appears to mesh with the data filtering ID

if you feel like putting in the work, you can use the 'show threat id' command in the CLI, but you have to specify the ID, so you basically need to manually scan each number, tho I suppose there could be some level of automation if it was really worth the investment to you

topic Re: Different Threat ID for Data Filtering and Wildfire in General Topics

Different Threat ID for Data Filtering and Wildfire

Re: Different Threat ID for Data Filtering and Wildfire