I write SIEM content (mostly ArcSight and Q1), and I have found PAN to be very effective in identifying adverse traffic. One thing that would be great: in addition to recognizing the file type, such as "file Microsoft PE File(52060)", which is useful as a poor man's DLP with which I can track what's coming and going, it's only so effective by just having the file name. It would be much more effective if the MD5 hash value of the file were written to the log file. Then I could correlate the log file MD5 hash with my known-bad hash database. Can this be done? Is it there and I have missed it?
The problem will be capturing the whole file stream. With the Palo, you are only able to capture a stream if a threat is identified in it, and only the "infected" part of the stream.
The SHA256 hash is calculated when creating a forwarding profile for WildFire. It may be possible to retrieve it through the API?
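The thread above turns on a detail that matters for the correlation the original poster wants: the firewall side produces a SHA256, while the known-bad database is keyed by MD5, and one cannot be derived from the other. The script below is an added example, not code from any participant or from Palo Alto Networks. It assumes a constructed key=value syslog-style line with a `filedigest` field; that line format and field name are illustrative assumptions, not the real PAN-OS WildFire submission log schema. It classifies each digest by length, looks it up in a per-algorithm known-bad set, and explicitly reports when the reference set has no entries for the algorithm the log reports, so that "no match" is not mistaken for "clean".

```python
"""Correlate file hashes found in firewall logs against a known-bad hash set.

Added example for the thread above. The log line format and the
``filedigest`` field name are constructed for illustration and are NOT the
real PAN-OS WildFire submission log schema.
"""
import hashlib
import re
import shlex

# Hex digest length -> algorithm. Lengths are unambiguous for these three.
HEX_LEN_TO_ALG = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def classify_hash(digest):
    """Return 'md5', 'sha1' or 'sha256' from the hex length, or None if malformed."""
    d = digest.strip().lower()
    if not HEX_RE.match(d):
        return None
    return HEX_LEN_TO_ALG.get(len(d))


def load_known_bad(entries):
    """Build {alg: set(lowercase hex)} from an iterable of hash strings.

    Malformed entries are skipped; mixed MD5/SHA256 feeds are kept apart so a
    lookup is only ever made against digests of the same algorithm.
    """
    known = {"md5": set(), "sha1": set(), "sha256": set()}
    for h in entries:
        alg = classify_hash(h)
        if alg:
            known[alg].add(h.strip().lower())
    return known


def parse_log_line(line):
    """Parse a key=value syslog-style line (quoted values allowed) into a dict."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def correlate(lines, known_bad):
    """Return one verdict per log line that carries a filedigest field.

    Verdicts:
      match         digest is in the known-bad set for its algorithm
      clean         digest not found, and a reference set for that algorithm exists
      no_reference  the known-bad set has no entries for the algorithm the log
                    reports (e.g. SHA256 in logs, MD5-only blocklist), so the
                    absence of a match carries no information
      malformed     the field is not a recognisable hex digest
    """
    results = []
    for line in lines:
        fields = parse_log_line(line)
        digest = fields.get("filedigest")
        if not digest:
            continue  # traffic/system lines without a file hash are skipped
        alg = classify_hash(digest)
        if alg is None:
            verdict = "malformed"
        elif not known_bad.get(alg):
            verdict = "no_reference"
        elif digest.lower() in known_bad[alg]:
            verdict = "match"
        else:
            verdict = "clean"
        results.append({"filename": fields.get("filename"), "alg": alg, "verdict": verdict})
    return results


# Constructed sample file contents; hashes are derived from them so the
# known-bad entries and the log digests are consistent with each other.
BAD_SAMPLE = b"constructed malicious sample bytes"
BENIGN_SAMPLE = b"constructed benign installer bytes"
MD5_BAD = hashlib.md5(BAD_SAMPLE).hexdigest()
SHA256_BAD = hashlib.sha256(BAD_SAMPLE).hexdigest()
SHA256_BENIGN = hashlib.sha256(BENIGN_SAMPLE).hexdigest()

# Constructed log lines (illustrative format, not PAN-OS's real schema).
# The second digest is upper-case to show that normalisation is needed.
SAMPLE_LOGS = [
    f'2024-01-01T10:00:00Z host=fw1 type=WILDFIRE file="Microsoft PE File(52060)" filename=setup.exe filedigest={SHA256_BAD}',
    f'2024-01-01T10:00:05Z host=fw1 type=WILDFIRE file="Microsoft PE File(52060)" filename=update.exe filedigest={SHA256_BENIGN.upper()}',
    '2024-01-01T10:00:09Z host=fw1 type=TRAFFIC src=10.0.0.5 dst=203.0.113.9 action=allow',
]

if __name__ == "__main__":
    print("MD5-only blocklist vs SHA256 logs:")
    for r in correlate(SAMPLE_LOGS, load_known_bad([MD5_BAD])):
        print("  ", r)
    print("SHA256 blocklist vs SHA256 logs:")
    for r in correlate(SAMPLE_LOGS, load_known_bad([SHA256_BAD])):
        print("  ", r)
```

The first run reproduces the poster's situation: an MD5-only database yields `no_reference` for every SHA256 digest, not `clean`, so the gap is visible in the SIEM rather than silently passing. Once the reference set carries SHA256 values the same logic produces `match` and `clean`. In a SIEM the equivalent is keeping separate lookup lists per algorithm and alerting on the empty-reference case as a data-quality issue.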