Different Threat ID for Data Filtering and Wildfire

Hello all,

Once upon a time, I stumbled across a page with all the threat ID's used for Data Filtering.

From what I remember, "PKG File Detected(52152)" is the threat name and ID used when the firewall sees a PKG file. "Windows Executable (EXE) (52020)" is when the firewall detects a Windows executable.

I am slightly puzzled to see this threat ID used for a WildFire report in Splunk. From my previous experience, WildFire alerts had a different set of threat IDs. I would like to know the following:

1. Does anybody know where the list of threat IDs used for the Data Filtering events is?

2. Why would the WildFire report have the threat ID of a Data Filtering event?

Thanks,

Weng Seng.


Accepted Solutions
I couldn't find a list via Google, but if it helps any, you can at least add the ID field to the Monitor -> Data Filtering logs to see the threat IDs for the entries.

The WildFire log also has a field for Threat ID (not to be confused with ID), which appears to mesh with the data filtering ID.

If you feel like putting in the work, you can use the 'show threat id' command in the CLI, but you have to specify the ID, so you basically need to manually scan each number, though I suppose there could be some level of automation if it was really worth the investment to you.

--
CCNA Security, PCNSE7

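As an added example (not code from this thread or from Palo Alto Networks), the script below pulls the numeric ID out of the "Name(ID)" form of the Threat/Content Name field in constructed PAN-OS THREAT log lines, groups each ID by log subtype so the same ID showing up under both data and wildfire entries is visible at a glance, and builds the 'show threat id' lookup list only for IDs actually seen instead of scanning every number. The CSV field positions and the sample log lines are assumptions made for this example.

```python
import csv
import io
import re

# Constructed sample, not real firewall output. Assumed CSV field order:
# receive_time, log_type, subtype, src_ip, dst_ip, file_name, threat_name, action
SAMPLE_LOGS = """\
2020/01/01 10:00:01,THREAT,data,10.0.0.5,203.0.113.10,installer.pkg,PKG File Detected(52152),alert
2020/01/01 10:00:02,THREAT,data,10.0.0.6,203.0.113.11,setup.exe,Windows Executable (EXE)(52020),alert
2020/01/01 10:00:03,THREAT,wildfire,10.0.0.6,203.0.113.11,setup.exe,Windows Executable (EXE)(52020),wildfire-upload-success
2020/01/01 10:00:04,THREAT,wildfire,10.0.0.7,203.0.113.12,app.pkg,PKG File Detected(52152),wildfire-upload-success
"""

# Greedy name match so a name that itself contains parentheses, such as
# "Windows Executable (EXE)", still yields the trailing numeric ID.
THREAT_RE = re.compile(r"^(?P<name>.+)\((?P<id>\d+)\)$")


def parse_threat_field(field):
    """Split 'Name(ID)' into (name, id); return None if the field has no ID."""
    m = THREAT_RE.match(field.strip())
    if not m:
        return None
    return m.group("name").strip(), int(m.group("id"))


def threat_ids_by_subtype(log_text):
    """Map threat ID -> {'name': str, 'subtypes': set of log subtypes seen}."""
    table = {}
    for fields in csv.reader(io.StringIO(log_text)):
        if len(fields) < 8 or fields[1] != "THREAT":
            continue  # skip blank or non-THREAT rows
        parsed = parse_threat_field(fields[6])
        if parsed is None:
            continue
        name, tid = parsed
        entry = table.setdefault(tid, {"name": name, "subtypes": set()})
        entry["subtypes"].add(fields[2])
    return table


def shared_ids(table):
    """IDs that appear under more than one subtype (e.g. both data and wildfire)."""
    return sorted(tid for tid, e in table.items() if len(e["subtypes"]) > 1)


def cli_lookup_commands(table):
    """The 'show threat id <ID>' commands needed for only the IDs observed."""
    return [f"show threat id {tid}" for tid in sorted(table)]
```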

