This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Full location of affected threat URL/filename?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Full location of affected threat URL/filename?

Khang_Than-Trong
L1 Bithead

‎06-25-2015 12:51 PM

Troubleshooting what I think is a false positive but the Detailed Log View (under Threats monitoring) only shows the filename and not its full location on the HD of the machine. Is there any way to find out the full location?

Labels:
0 Likes Likes
7 REPLIES 7

Raido_Rattameister
Cyber Elite
Cyber Elite

‎06-26-2015 12:11 AM

Data filtering log.

Click on magnifying glass and bottom right there is url column where you can see full url.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

Khang_Than-Trong
L1 Bithead
In response to Raido_Rattameister

‎06-26-2015 08:23 AM

Thanks for the reply. Do you mean the magnifying glass that brings up the "Detailed Log View?" Its URL column only indicates "setup.exe" in this example, and not the full disk path. I wonder if that's available anywhere?

0 Likes Likes

Raido_Rattameister
Cyber Elite
Cyber Elite

‎06-26-2015 08:45 AM

Yes

It depends on application.

Go and browse the web.

Download some pdf or doc from internet for example.

Go and find log entry for this file.

And you should see referer link there.

If not then copy ip of other side and paste it to URL filtering log.

Probably as destination. For example

( addr.dst in 194.106.121.19 )

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

Khang_Than-Trong
L1 Bithead
In response to Raido_Rattameister

‎06-26-2015 08:48 AM

In this case, it is *originating* from an internal machine to another, and the only URL listed is the filename without its fixed disk location. I am guessing the filename + the originating machine is as much information as it will have since that info isn't on the network info without some sort of agent on the originating machine. I'm trying to find out where on that originating machine it is located.

0 Likes Likes

Raido_Rattameister
Cyber Elite
Cyber Elite

‎06-26-2015 08:53 AM

So it is SMB traffic (Windows file share)?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

Khang_Than-Trong
L1 Bithead
In response to Raido_Rattameister

‎06-26-2015 08:54 AM

Yes, it's SMB traffic. Whoops forgot to mention that.

0 Likes Likes

Raido_Rattameister
Cyber Elite
Cyber Elite

‎06-26-2015 10:30 PM

I doubt that you see UNC path anywhere.

For example you can't block traffic based on UNC path Dynamic Block Lists and UNC Server Path

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes
  • 4287 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks