Video Tutorial: In-Depth Look at Threat Vault


63964
Created On 09/26/18 13:44 PM - Last Modified 11/14/23 13:51 PM


Symptom


You can access Threat Vault from the Customer Support Portal > Resources > Threat DB or directly from URL https://threatvault.paloaltonetworks.com/
(A valid Customer Support Portal user login is required to access Threat Vault)

Screenshot of Threat Vault homepage



Resolution


Tour the Threat Vault by watching the video below.


Threat Vault source type list.
Screenshot of Threat Vault Source Type

The list of source types has been expanded from the original three (spyware/vulnerability/antivirus), and you can now search in the following source types:

  • Anti-spyware Signatures
  • Antivirus Signatures
  • DNS Signatures
  • PAN-DB URL Classifications
  • Vulnerability Protection Signatures
  • WildFire Signatures

You do not need to select a single source unless you want to limit the search results to one source type. The default search (All Source Types) searches across every source type.

Other new features have been introduced, including:

  • Unified Search
  • AntiVirus Search
  • PAN-DB search

 

Unified search for more relevant results

The new unified search covers all of the source types listed above, so you no longer need to choose spyware/vulnerability/antivirus in the drop-down. A query returns all relevant results as long as you leave the source type set to 'All Source Types.'

Your searches are no longer limited to the single type that was selected, so one query can return results from every source type that has a match. A good example is 'ssl,' which returns Anti-spyware, DNS, and Vulnerability Protection Signatures.
Screenshot of Threat Vault Search Results for SSL

Search results with Anti-spyware, DNS as well as Vulnerability Protection Signatures in the search results.


Antivirus search for hashes and more

The Antivirus search now includes the ability to search on SHA256/SHA1/MD5 hashes.
You can also search on new or old Threat ID numbers to get more information.

Screenshot of Antivirus Signatures

Antivirus search results showing name, Unique Threat ID, release, and hash info.
In the screenshot above, you can see the different sections returned by the Antivirus search:

  1. Name - lists the virus name.
  2. Unique Threat ID - ID specifically used to identify the virus.
  3. First Release - shows what Antivirus release was able to detect this virus.
  4. Hashes - An option to view the md5, sha1, or sha256 hash of this virus, all of which are searchable to find this virus.
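Because the Antivirus search accepts any of the three hash types, it helps to sort a batch of indicators by algorithm before pasting them in. The following script is an added example, not part of the original article or a Palo Alto Networks tool: it tells MD5, SHA1 and SHA256 hex digests apart by length, drops anything that is not a valid digest, lowercases and deduplicates the rest, and computes all three digests of a constructed sample file so that whichever form Threat Vault has on record can be used as the search term.

```python
import hashlib
import re

# Hex digest length in characters for each algorithm the Antivirus search accepts.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"[0-9a-fA-F]+")


def classify_hash(value: str):
    """Return 'md5', 'sha1' or 'sha256' for a hex digest string, or None if it is not one."""
    v = value.strip()
    if not _HEX.fullmatch(v):
        return None
    return HASH_LENGTHS.get(len(v))


def digests_for(data: bytes) -> dict:
    """Compute all three searchable digests of a file's bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def prepare_lookup_list(raw_values):
    """Group candidate hash strings by algorithm (lowercased, deduplicated);
    anything that is not a valid MD5/SHA1/SHA256 digest goes in the rejected list."""
    grouped = {"md5": set(), "sha1": set(), "sha256": set()}
    rejected = []
    for raw in raw_values:
        kind = classify_hash(raw)
        if kind is None:
            rejected.append(raw)
        else:
            grouped[kind].add(raw.strip().lower())
    return {k: sorted(v) for k, v in grouped.items()}, rejected


if __name__ == "__main__":
    # Constructed sample: a fake file body plus a mixed bag of indicator strings.
    sample_file = b"MZ this is not a real executable, just sample bytes"
    print(digests_for(sample_file))
    candidates = [
        "D41D8CD98F00B204E9800998ECF8427E",          # MD5, upper case
        "d41d8cd98f00b204e9800998ecf8427e",          # same MD5, duplicate
        "da39a3ee5e6b4b0d3255bfef95601890afd80709",  # SHA1
        "not-a-hash",                                # rejected
    ]
    print(prepare_lookup_list(candidates))
```

The digests of the empty input used in the checks below are the well-known fixed values for each algorithm, which makes them convenient for verifying that the classifier and the hashing agree.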

 

PAN-DB search for URL classifications with subdomains

In this new version of Threat Vault, you now have the ability to search on host/domain/subdomain categories (URL Classifications).

Not sure which categories yahoo.com falls under? Search and find out. Because the search engine searches the entire database, you will also get subdomain results.

Example: Search for yahoo.com and you will see mail.yahoo.com, kids.yahoo.com, news.yahoo.com, etc. You get the idea. See the following example.

Screenshot of PAN-DB URL Classifications

Threat Vault search results for 'yahoo.com.' Notice how many results are listed because of all the subdomains.
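The subdomain behaviour above is worth reproducing locally when you triage a list of hosts against a category export, because a naive substring match would also pull in unrelated hosts such as notyahoo.com or yahoo.com.evil.example. The script below is an added example with constructed records, not PAN-DB data or a Palo Alto Networks tool: it matches a domain and its subdomains on label boundaries only, accepts a pasted URL or a trailing-dot hostname as the query, and groups the hits by category so the result reads like the Threat Vault listing.

```python
from collections import defaultdict

# Constructed sample of URL-classification records (host -> category).
# Illustrative only; the hosts and categories are not taken from PAN-DB.
SAMPLE_RECORDS = {
    "yahoo.com": "search-engines",
    "mail.yahoo.com": "web-based-email",
    "news.yahoo.com": "news",
    "kids.yahoo.com": "educational-institutions",
    "notyahoo.com": "unknown",               # substring of the query but not a subdomain
    "yahoo.com.evil.example": "malware",     # query appears as a prefix, not a suffix
    "example.org": "business-and-economy",
}


def normalize_host(host: str) -> str:
    """Lowercase, drop a pasted scheme/path and a trailing dot so comparisons are stable."""
    h = host.strip().lower()
    if "://" in h:
        h = h.split("://", 1)[1]
    h = h.split("/", 1)[0]
    return h.rstrip(".")


def is_same_or_subdomain(host: str, domain: str) -> bool:
    """True when host equals domain or ends with '.' + domain (label boundary, not substring)."""
    host = normalize_host(host)
    domain = normalize_host(domain)
    return host == domain or host.endswith("." + domain)


def find_domain_and_subdomains(records: dict, query: str) -> dict:
    """Return the records for the queried domain and all of its subdomains, sorted by host."""
    matches = {h: c for h, c in records.items() if is_same_or_subdomain(h, query)}
    return dict(sorted(matches.items()))


def group_by_category(matches: dict) -> dict:
    """Group matched hosts under their category, mirroring a per-category listing."""
    groups = defaultdict(list)
    for host, category in matches.items():
        groups[category].append(host)
    return {cat: sorted(hosts) for cat, hosts in sorted(groups.items())}


if __name__ == "__main__":
    hits = find_domain_and_subdomains(SAMPLE_RECORDS, "https://Yahoo.com/")
    for category, hosts in group_by_category(hits).items():
        print(f"{category}: {', '.join(hosts)}")
```

The check `host.endswith("." + domain)` is the whole point: it is what separates a real subdomain from a host that merely contains the query text.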


Anti-spyware signatures tell you all that?

The Anti-spyware search is a handy tool that allows you to get a lot of valuable information when it comes to learning more about spyware.

Screenshot of Anti-spyware Signatures

Anti-spyware search results after searching on 'initial.' In the search results above, you will notice the name, severity, first release, and the latest Applications and Threats update that detects each piece of spyware.

To get even more information on each threat, click on the name.

Screenshot of Signature Details for Bionet4_0_3 2 initial connection

The Signature Details window shows more detailed information, including the threat ID, severity, action, first release, latest update, reference, and status.

In the example, you see detailed information about this threat. We see that it is considered Adware, the default action is to alert, in which releases it was first addressed, and the latest update that detects this threat.

We also have a Reference link for more information and Status that tells us whether this has been released yet or not.

Another handy feature is the Previous/Next/Close at the bottom right. If you have multiple results you'd like to look at, it's much easier to click on Previous or Next rather than close and have to click on the next name.


DNS signature searches are PAN-OS version specific

The DNS Signatures search is a nice addition to the Threat Vault, because it can help fill in the blanks when it comes to Threat Protection.

Screenshot of DNS Signatures pre and post 7.1

DNS Signatures results after searching on yahoo.com

Inside the DNS signatures results, we see the standard results: Name, Unique Threat ID, the release it is covered in, the Domain name that is associated with this threat, as well as the type, which is listed as AntiVirus.

Starting with PAN-OS 7.1, Palo Alto Networks has included Unique Threat IDs that apply only to PAN-OS 7.1.
An additional feature is a 'Pre-7.1' or 'Post-7.1' section, which shows the release information that applies before or after PAN-OS 7.1.


Vulnerability protection signatures deliver the numbers

The Vulnerability Protection Signatures section is a nice section that will come in very handy, especially when searching on specific CVE numbers or vulnerability names.

Screenshot of Vulnerability Protection Signatures

Vulnerability Protection search results for 'cipher' as a search term.

In the screenshot above, we can see what results are shown when 'cipher' is used for the search in the Vulnerability Protection area. As always, to get more detailed information, click on the name to get the details (see below).

Screenshot of Signature Details of IPMI Cipher Zero Authentication Bypass Vulnerability

Signature details showing more information about a specific vulnerability.

The details window shows the same fields as the details in the Anti-spyware search results, but usually includes a fuller description. The same Previous/Next/Close options are still there for multiple results.

 

WildFire signatures are searchable

The ability to search within WildFire Signatures is a feature that many have been asking for, and now it is available for everyone to use.

Screenshot of WildFire Signatures

WildFire search results for 'null.'

You will see the same information as in the other categories, with the Name, Unique Threat ID, as well as the release information and different hashes. The same Pre-7.1/Post-7.1 as well as the md5/sha1/sha256 are available here as well.
 

Extra features 

Release dates/versions and update times available with Threat IDs have already been discussed in detail above.

Ability to 'minimize' different source types.
If you get many different content type results after performing a search, but only want to look at the results from a single source, you can click on the source 'title' to 'minimize' results under that source. The icon next to the source type will change from a down arrow to an up arrow.
Screenshot of Anti-spyware Signatures ascending and descending

Minimize the Anti-spyware signatures on any content type to see fewer search results.



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmRCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail