04-07-2017 01:46 AM
Hello all,
Once upon a time, I stumbled across a page with all the threat IDs used for Data Filtering.
From what I remember, "PKG File Detected (52152)" is the threat name and ID used when the firewall sees a PKG file. "Windows Executable (EXE) (52020)" is when the firewall detects a Windows executable.
I am slightly puzzled to see this threat ID used for a WildFire report in Splunk. From my previous experience, WildFire alerts had a different set of threat IDs. I would like to know the following:
1. Does anybody know where the list of threat IDs used for Data Filtering events is?
2. Why would the WildFire report have the threat ID of a Data Filtering event?
Thanks,
Weng Seng.
04-07-2017 02:33 AM - edited 04-07-2017 02:52 AM
I couldn't find a list via Google, but if it helps any, you can at least add the ID field to the Monitor -> Data Filtering logs to see the threat IDs for the entries.
And the WildFire log does have a field for Threat ID (not to be confused with ID), which appears to mesh with the Data Filtering ID.
If you feel like putting in the work, you can use the 'show threat id' command in the CLI, but you have to specify the ID, so you basically need to manually scan each number, though I suppose there could be some level of automation if it was really worth the investment to you.
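The manual 'show threat id' scan described in the reply above can be scripted. The following is an added example, not code from this thread or from Palo Alto Networks. It assumes that the CLI command 'show threat id N' is issued through the PAN-OS XML API in the operational-command form <show><threat><id>N</id></threat></show>, uses an illustrative host name (fw.example.net) and an API key read from an environment variable, and treats an empty <result> element as "no threat with that ID"; the threat-name strings and canned XML responses it is exercised with are constructed, not captured from a firewall.

```python
"""Build a lookup table of PAN-OS threat IDs by automating 'show threat id'.

Assumptions (not from the thread): the CLI command 'show threat id <n>' maps
to the XML API operational command <show><threat><id>n</id></threat></show>,
an empty <result> means the ID is unused, and fw.example.net / PAN_API_KEY are
placeholders for a real management interface and key.
"""
import re
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Optional, Tuple

# Threat names as they appear in the Data Filtering / WildFire logs, e.g.
# "PKG File Detected(52152)" or "Windows Executable (EXE) (52020)": the
# numeric threat ID is the last parenthesised group.
THREAT_NAME_RE = re.compile(r"^(?P<name>.+?)\s*\((?P<id>\d+)\)$")


def parse_threat_name(value: str) -> Optional[Tuple[str, int]]:
    """Split 'Name(ID)' into ('Name', ID); None if no trailing ID is present."""
    m = THREAT_NAME_RE.match(value.strip())
    if not m:
        return None
    return m.group("name").strip(), int(m.group("id"))


def op_cmd_url(host: str, api_key: str, threat_id: int) -> str:
    """URL for the operational command 'show threat id <threat_id>' (assumed XML form)."""
    cmd = f"<show><threat><id>{int(threat_id)}</id></threat></show>"
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd, "key": api_key})
    return f"https://{host}/api/?{query}"


def fetch_op(host: str, api_key: str, threat_id: int, verify_tls: bool = True) -> str:
    """Issue the command over HTTPS and return the raw XML response body."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab boxes with a self-signed management cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    url = op_cmd_url(host, api_key, threat_id)
    with urllib.request.urlopen(url, context=ctx, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


def result_payload(xml_text: str) -> Optional[str]:
    """Serialised <result> of a successful response, or None when the call
    failed, the XML is malformed, or the result is empty (assumed: unused ID)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != "response" or root.get("status") != "success":
        return None
    result = root.find("result")
    if result is None or (len(result) == 0 and not (result.text or "").strip()):
        return None
    return ET.tostring(result, encoding="unicode")


def scan_threat_ids(first: int, last: int, fetch: Callable[[int], str]) -> Dict[int, str]:
    """Walk IDs first..last inclusive, keeping those with a non-empty result.

    `fetch` is injected so the same scan runs against a firewall
    (functools.partial(fetch_op, host, key)) or against canned responses."""
    found: Dict[int, str] = {}
    for tid in range(first, last + 1):
        payload = result_payload(fetch(tid))
        if payload is not None:
            found[tid] = payload
    return found


if __name__ == "__main__":
    import functools
    import os
    # Constructed invocation: PAN_HOST / PAN_API_KEY point at a real firewall.
    host = os.environ.get("PAN_HOST", "fw.example.net")
    key = os.environ.get("PAN_API_KEY", "REPLACE_ME")
    table = scan_threat_ids(52000, 52200, functools.partial(fetch_op, host, key))
    for tid, payload in sorted(table.items()):
        print(tid, payload)
```

Because the fetch function is injected, the range walk and the response handling can be checked offline with canned XML before pointing it at a management interface; keep the range narrow and the timeout generous, since each ID is one API round trip.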