topic Re: Palo Alto Threat Logs in General Topics https://live.paloaltonetworks.com/t5/general-topics/palo-alto-threat-logs/m-p/304692#M79206 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/129401">@miyaaccount</a> ,</P> <P>&nbsp;</P> <P>You can check all threat ID's in the threat vault : <A href="https://blog.paloaltonetworks.com/threat-vault/" target="_blank">https://blog.paloaltonetworks.com/threat-vault/</A></P> <P>&nbsp;</P> <P>As for TID 54469 this is the information :</P> <P>&nbsp;</P> <TABLE class="table table-bordered pan-property-grid" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1"> <TBODY data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0"> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.0"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.0.0">Name</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.0.1:0">Suspicious File Downloading Detection</TD> </TR> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.1"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.1.0">Unique Threat ID</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.1.1:0">54469</TD> </TR> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.2"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.2.0">Description</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.2.1:0"> <P data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.2.1:0.0.0"><SPAN data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.2.1:0.0.0.0">This signature detects WGET and CURL command execution in HTTP request URL parameters, which is pervasively exploited by attackers to get subsequent malicious payload.</SPAN><SPAN data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.2.1:0.0.0.1"> &nbsp;</SPAN></P> </TD> </TR> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.3"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.3.0">Category</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.3.1:0">code-execution</TD> </TR> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.4"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.4.0">PanOS Minimum Version</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.4.1:0">7.1.0</TD> </TR> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.5"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.5.0">PanOS Maximum Version</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.5.1:0">&nbsp;</TD> </TR> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.6"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.6.0">Severity</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.6.1:0">low</TD> </TR> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.7"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.7.0">Action</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.7.1:0">alert</TD> </TR> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.8"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.8.0">CVE</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.8.1:0"> <P data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.8.1:0.0.0"><SPAN data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.8.1:0.0.0.1"> &nbsp;</SPAN></P> </TD> </TR> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.9"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.9.0">Vendor ID</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.9.1:0">&nbsp;</TD> </TR> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.a"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.a.0">First Release</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.a.1:0">8058 (2018-08-28 UTC)</TD> </TR> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.b"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.b.0">Last Update</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.b.1:0">8058 (2018-08-28 UTC)</TD> </TR> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.c"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.c.0">Reference</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.c.1:0"> <P data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.c.1:0.0.0"><SPAN data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.c.1:0.0.0.1"> &nbsp;</SPAN></P> </TD> </TR> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.d"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.d.0">Status</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.d.1:0">released</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Cheers !</P> <P>-Kiwi.</P> <P>&nbsp;</P> Mon, 23 Dec 2019 09:15:29 GMT kiwi 2019-12-23T09:15:29Z Palo Alto Threat Logs https://live.paloaltonetworks.com/t5/general-topics/palo-alto-threat-logs/m-p/304663#M79203 <P>Hello, I've been getting multiple code execute with a content type "Suspicious File Downloading (54469)". I'm not really sure if this is just normal browsing or a directory scan, I can't find any documentations about this content type. May I know what it does or what happens with the traffic?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 23 Dec 2019 03:03:26 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-threat-logs/m-p/304663#M79203 miyaaccount 2019-12-23T03:03:26Z Re: Palo Alto Threat Logs https://live.paloaltonetworks.com/t5/general-topics/palo-alto-threat-logs/m-p/304692#M79206 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/129401">@miyaaccount</a> ,</P> <P>&nbsp;</P> <P>You can check all threat ID's in the threat vault : <A href="https://blog.paloaltonetworks.com/threat-vault/" target="_blank">https://blog.paloaltonetworks.com/threat-vault/</A></P> <P>&nbsp;</P> <P>As for TID 54469 this is the information :</P> <P>&nbsp;</P> <TABLE class="table table-bordered pan-property-grid" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1"> <TBODY data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0"> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.0"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.0.0">Name</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.0.1:0">Suspicious File Downloading Detection</TD> </TR> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.1"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.1.0">Unique Threat ID</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.1.1:0">54469</TD> </TR> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.2"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.2.0">Description</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.2.1:0"> <P data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.2.1:0.0.0"><SPAN data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.2.1:0.0.0.0">This signature detects WGET and CURL command execution in HTTP request URL parameters, which is pervasively exploited by attackers to get subsequent malicious payload.</SPAN><SPAN data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.2.1:0.0.0.1"> &nbsp;</SPAN></P> </TD> </TR> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.3"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.3.0">Category</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.3.1:0">code-execution</TD> </TR> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.4"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.4.0">PanOS Minimum Version</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.4.1:0">7.1.0</TD> </TR> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.5"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.5.0">PanOS Maximum Version</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.5.1:0">&nbsp;</TD> </TR> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.6"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.6.0">Severity</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.6.1:0">low</TD> </TR> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.7"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.7.0">Action</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.7.1:0">alert</TD> </TR> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.8"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.8.0">CVE</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.8.1:0"> <P data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.8.1:0.0.0"><SPAN data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.8.1:0.0.0.1"> &nbsp;</SPAN></P> </TD> </TR> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.9"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.9.0">Vendor ID</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.9.1:0">&nbsp;</TD> </TR> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.a"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.a.0">First Release</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.a.1:0">8058 (2018-08-28 UTC)</TD> </TR> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.b"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.b.0">Last Update</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.b.1:0">8058 (2018-08-28 UTC)</TD> </TR> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.c"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.c.0">Reference</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.c.1:0"> <P data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.c.1:0.0.0"><SPAN data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.c.1:0.0.0.1"> &nbsp;</SPAN></P> </TD> </TR> <TR data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.d"> <TD class="text-right control-label col-md-3" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.d.0">Status</TD> <TD class="data col-md-9" data-reactid=".0.1.1:$qchIw.2.0.0.1.0.1.0.d.1:0">released</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Cheers !</P> <P>-Kiwi.</P> <P>&nbsp;</P> Mon, 23 Dec 2019 09:15:29 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-threat-logs/m-p/304692#M79206 kiwi 2019-12-23T09:15:29Z