Different Threat ID for Data Filtering and Wildfire

L0 Member

Hello all,

 

Once upon a time, I stumbled across a page with all the threat IDs used for Data Filtering.

From what I remember, "PKG File Detected(52152)" is the threat name and ID used when the firewall sees a PKG file. "Windows Executable (EXE)(52020)" is when the firewall detects a Windows executable.

I am slightly puzzled to see this threat ID used for a WildFire report in Splunk. From my previous experience, WildFire alerts had a different set of threat IDs. I would like to know the following:

1. Does anybody know where the list of threat IDs used for the Data Filtering events is?

2. Why would the WildFire report have the threat ID of a Data Filtering event?

Thanks,

Weng Seng.

Accepted Solution

L4 Transporter

I couldn't find a list via Google, but if it helps any, you can at least add the ID field to the Monitor -> Data Filtering logs to see the threat IDs for the entries.

[Image: Capture.JPG]

And the WildFire log does have a field for Threat ID (not to be confused with ID), which appears to mesh with the Data Filtering ID.

[Image: Capture.JPG]

If you feel like putting in the work, you can use the 'show threat id' command in the CLI, but you have to specify the ID, so you basically need to manually scan each number, though I suppose there could be some level of automation if it was really worth the investment to you.

--
CCNA Security, PCNSE7
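The reply above suggests two things: read the numeric ID out of the Data Filtering and WildFire log entries, and, if you want a list, drive `show threat id <n>` over a range of numbers. The script below is an added example written for this page; it is not code from the original post or from Palo Alto Networks. It assumes the "Name(ID)" field format quoted in the question, the PAN-OS XML API op-command form `<show><threat><id>N</id></threat></show>` with a `key` query parameter (check this against your PAN-OS release before relying on it), and that a known ID comes back in a `<response status="success"><result>…</result></response>` body. The sample log entries and the offline `stub_lookup` responses are constructed, not real firewall output.

```python
"""Added example (not from the original post): parse threat IDs out of
PAN-OS Data Filtering / WildFire log fields and automate `show threat id`.

Assumptions (not confirmed by the page): the "Name(ID)" field format quoted
in the question, the XML API op-command form used in panos_show_threat_id(),
and the response layout checked in enumerate_threat_ids().
"""
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Iterable, List, Tuple

# "PKG File Detected(52152)" -> name "PKG File Detected", id 52152.
# The lazy name group lets names that themselves contain parentheses,
# e.g. "Windows Executable (EXE)(52020)", parse correctly.
THREAT_RE = re.compile(r"^(?P<name>.+?)\s*\((?P<id>\d+)\)$")


def parse_threat_field(value: str) -> Tuple[str, int]:
    """Split a Threat/Content Name log field into (name, numeric threat ID)."""
    m = THREAT_RE.match(value.strip())
    if not m:
        raise ValueError(f"unexpected threat field format: {value!r}")
    return m.group("name").strip(), int(m.group("id"))


# Constructed sample: (log subtype, Threat/Content Name field) pairs as they
# might be pulled from THREAT logs in a SIEM. Not real firewall output.
SAMPLE_ENTRIES: List[Tuple[str, str]] = [
    ("data", "PKG File Detected(52152)"),
    ("data", "Windows Executable (EXE)(52020)"),
    ("wildfire", "Windows Executable (EXE)(52020)"),
]


def index_by_id(entries: Iterable[Tuple[str, str]]) -> Dict[int, dict]:
    """Group entries by numeric threat ID and record which log subtypes used it.

    This makes the situation in the question visible: one ID (52020) showing
    up under both the data-filtering and the wildfire subtype.
    """
    out: Dict[int, dict] = {}
    for subtype, field in entries:
        name, tid = parse_threat_field(field)
        rec = out.setdefault(tid, {"name": name, "subtypes": set()})
        rec["subtypes"].add(subtype)
    return out


def panos_show_threat_id(host: str, api_key: str, tid: int,
                         opener: Callable = urllib.request.urlopen) -> str:
    """Run `show threat id <tid>` through the XML API and return the raw XML.

    Assumed API shape (verify on your release): type=op with the CLI command
    expressed as nested XML. TLS verification is left at the default; do not
    disable it to work around a self-signed management certificate, import
    the CA instead. Treat api_key as a secret (env var / vault, not argv).
    """
    cmd = f"<show><threat><id>{int(tid)}</id></threat></show>"
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd, "key": api_key})
    url = f"https://{host}/api/?{query}"
    with opener(url) as resp:
        return resp.read().decode("utf-8", errors="replace")


def enumerate_threat_ids(ids: Iterable[int],
                         lookup: Callable[[int], str]) -> Dict[int, str]:
    """Call lookup(tid) for each ID and keep the ones the firewall knows.

    An ID counts as known when the response status is "success" and the
    <result> element carries some text. Error responses and empty results
    (the expected outcome for unassigned numbers) are skipped silently, so a
    scan over a large range just yields the populated IDs.
    """
    found: Dict[int, str] = {}
    for tid in ids:
        try:
            root = ET.fromstring(lookup(tid))
        except ET.ParseError:
            continue
        if root.get("status") != "success":
            continue
        result = root.find("result")
        if result is None:
            continue
        text = " ".join("".join(result.itertext()).split())
        if text:
            found[tid] = text
    return found


def stub_lookup(known: Dict[int, str]) -> Callable[[int], str]:
    """Offline stand-in for panos_show_threat_id() returning constructed XML."""
    def lookup(tid: int) -> str:
        if tid in known:
            return f'<response status="success"><result>{known[tid]}</result></response>'
        return '<response status="error"><msg>unknown threat id</msg></response>'
    return lookup


if __name__ == "__main__":
    for tid, rec in sorted(index_by_id(SAMPLE_ENTRIES).items()):
        print(tid, rec["name"], sorted(rec["subtypes"]))
    # Offline demonstration of the scan; swap the stub for
    # lambda t: panos_show_threat_id(HOST, API_KEY, t) against a real firewall.
    print(enumerate_threat_ids(range(52018, 52023),
                               stub_lookup({52020: "Windows Executable (EXE)"})))
```

Against a live firewall, replace the stub with `lambda t: panos_show_threat_id(host, api_key, t)` and keep the range modest per run; each ID is one management-plane request, so a full sweep of the ID space should be rate-limited and run from a host that is allowed to reach the management interface.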

3935 Views, 1 reply, 0 Likes