Palo Alto Networks Knowledgebase: New Threat Vault

New Threat Vault

Created On 08/05/19 19:21 PM - Last Updated 08/05/19 19:48 PM
Anti-spyware Antivirus DNS PAN-DB Signatures Threat Log URL Category Vulnerability Protection Threat Intelligence Threat Prevention 8.1 8.0 7.1 7.0 9.0 PAN-OS WildFire

Palo Alto Networks has been listening to your requirements for the Threat Vault and has responded with a new and improved Threat Vault that will address many of your requests and suggestions.

The new Threat Vault includes more features and functions, and is redesigned to allow for better use,  search and display to help you find what you need.


Find the Palo Alto Networks Threat Vault  here:

(A valid support login account is required to access Threat Vault)

Screenshot of Threat Vault homepage

Here's what the new Threat Vault site looks like. Even more functionality awaits you inside.

Video Overview



 Let's tour the new Threat Vault by watching the video above.

Source types now expanded

Screenshot of Threat Vault Source Type

Threat Vault source type list.

The list of source types has been increased from three (spyware/vulnerability/antivirus) and now features the ability to search in the following source types:


  • Anti-spyware Signatures
  • Antivirus Signatures
  • DNS Signatures
  • PAN-DB URL Classifications
  • Vulnerability Protection Signatures
  • WildFire Signatures

No need to select a single source unless you want to limit the search results to only one source type. Default search (All Source Types) will search within all source types.


Other new features have been introduced, including:

• Unified Search
• AntiVirus Search
• PAN-DB search


Unified search for more relevant results

The new unified search can search through all types listed above so you no longer need to choose spyware/vulnerability/antivirus in the dropdown. Query returns all relevant results as long as you leave the source type set to 'All Source Types.'


Your searches will no longer be limited to just the type that was selected, which means you can see the same query return results from every type, if available. It is possible that you could get search results for every source type, if it matches. A good example is 'ssl,' as it will return Anti-spyware, DNS, as well as Vulnerability Protection Signatures.


Screenshot of Treat Vault Search Results for SSL


Search results with Anti-spyware, DNS as well as Vulnerability Protection Signatures in the search results.


Antivirus search for hashes and more

The Antivirus search now includes the ability to search SHA256/SHA1/MD5 hashes.

You can search on those new or old Threat ID numbers to get more information.


Screenshot of Anitvirus Signatures

Antivirus search results showing name, Unique Threat ID , release and hash info.

You can see, in the above pic, the different sections returned from the Antivirus search:

  1. Name - lists the virus name.
  2. Unique Threat ID - ID specifically used to identify the virus.
  3. First Release - shows what Antivirus release was able to detect this virus.
  4. Hashes - An option to view the md5, sha1, or sha256 hash to this virus, all of which are searchable to find this virus.


PAN-DB search for URL classifications with subdomains

In this new version of Threat Vault, you now have the ability to search on host/domain/subdomain categories (URL Classifications).

Not sure what the domain results are for Search and find out. Because the search engine searches the entire database for the information, you will also get subdomain information.


Example: Search for and you will see,,, etc. You get the idea. See the following example.

Screenshot of PAN-DB URL Classifications

Threat Vault search results for '' Notice how many results are listed because of all the subdomains.

Here are some examples of results for each of the other search types available in the Threat Vault:


Anti-spyware signatures tell you all that?

The Anti-spyware search is a  handy tool that allows you to get a lot of valuable information when it comes to learning more about spyware.

Screenshot of Anti-spyware Signatures

Anti-spyware search results after searching on 'initial.'

In the search results above, you will notice the name, severity, first release, and latest apps and threats update that detects these spywares. 


To get even more information on each threat, click on the name.


Screenshot of Signature Details for Bionet4_0_3 2 initial connection

The Signature Details window shows more detailed information, including the threat ID, severity, action, first release, latest update, reference, and status.

In the example, you see detailed information about this threat. We see that it is considered Adware, the default action is to alert, in which releases it was first addressed, and the latest update that detects this threat.


We also have a Reference link for more information and Status that tells us whether this has been released yet or not.


Another handy feature is the Previous/Next/Close at the bottom right. If you have multiple results you'd like to look at, it's much easier to click on Previous or Next rather than close and have to click on the next name.


DNS signatures search are PAN-OS version specific

 The DNS Signatures search is a nice addition to the Threat Vault, because it can help fill in the blanks when it comes to Threat Protection. 


Screenshot of DNS Signatures pre and post 7.1


DNS Signatures results after searching on


Inside the DNS signatures results, we see the standard results: Name, Unique Threat ID, the release it is covered in, the Domain name that is associated with this threat, as well as the type, which is listed as AntiVirus.


Starting with PAN-OS 7.1, Palo Alto Networks has included Unique Threat IDs that are only for PAN-OS 7.1.

An additional feature is a section for 'Pre-7.1' or Post-7.1,' which shows different information about the release that is covered if pre PAN-OS 7.1 or post PAN-OS 7.1. 


Vulnerability protection signatures deliver the numbers

The Vulnerability Protection Signatures section is a nice section that will come in very handy, especially when searching on specific CVE numbers or vulnerability names. 


Screenshot of Vulnerability Protection Signatures

Vulnerability Protection search results for ‘cipher’ as a search term.

In the screenshot above, we can see what results are shown when 'cipher' is used for the search in the Vulnerability Protection area. As always, to get more detailed information, click on the name to get the details (see below).


Screenshot of Signature Details of IPMI Cipher Zero Authentication Bypass Vulnerability

Signature details showing more information about a specific vulnerability.

The details window shows the same as the details in the Anti-Spyware search results, but usually shows more information about the description.  The same options for Previous/Next/Close are still there for multiple results.


WildFire signatures are searchable

The ability to search within WildFire Signatures is a feature that I know that many have been wanting, and now it is available for everyone to use. Screenshot of WildFire Signatures

WildFire search results for 'null.'

You will see the same information as in the other categories, with the Name, Unique Threat ID, as well as the release information and different hashes. The same Pre-7.1/Post-7.1 as well as the md5/sha1/sha256 are available here as well.


Extra features round out the updated Threat Vault

Release dates/versions and update times available with Threat IDs has already been discussed in detail above.


Ability to 'minimize' different source types.
If you get many different content type results after performing a search, but only want to look at the results from a single source, you can click on the source 'title' to 'minimize' results under that source. The icon next to the source type will change from a down arrow to an up arrow.

Screenshot of Anti-spyware Signatures ascending and descending

Minimize the Anti-spyware signatures on any content type to see fewer search results.


All of the new features of the Threat Vault it helps make it easier to correlate searches and make your job that much easier. Tell us what you think.


Please be sure to visit the Threat Vault site at


I hope this article has helped you understand the new Threat Vault.


As always, we welcome all feedback, comments and questions in the comment section below.


Stay secure!
Joe Delio


  • Print
  • Copy Link

Choose Language