Palo Alto Networks Knowledgebase: Threat content 555 new features: exploit kit and phishing vulnerability profile categories
Created On 09/26/18 19:12 PM - Last Updated 09/26/18 20:38 PM
Content release 555, published on February 3rd, 2016, introduced two new threat categories, "exploit-kit" and "phishing", to classify signatures for phishing attacks and for exploit kits (such as Angler, Rig, Nuclear, Magnitude and Fiesta).
Note that selecting or querying by these added categories only works on PAN-OS 7.0.x and later.
When creating a new Vulnerability Protection profile, a rule can now be restricted to the categories "exploit-kit" and "phishing", so that the rule detects and enforces only threats within those categories.
Let's walk through creating a Vulnerability Protection profile that acts only on exploit-kit and phishing signature triggers, with an action of Reset Both (the firewall sends a TCP reset to both the client and the server when a signature matches).
Log in to the PAN-OS WebGUI.
Navigate to Objects.
Navigate to Security Profiles > Vulnerability Protection.
Click Add in the bottom left corner.
Name the profile in the Name box. Let's use "Exploit Kit and Phishing" for the example.
Click Add to create a new rule.
Name the rule. Let's use "Exploit Kits" for the example.
Set the Action to "Reset Both."
Set the category to "exploit-kit."
Set packet capture to "extended-capture." Exploit kits represent an extreme threat to any customer, and it's critical to see as much data as possible related to the signature triggers; extended-capture records several packets after the match instead of only the triggering packet (the number of packets is configured under Device > Setup > Content-ID), which costs some dataplane resources but gives an analyst the landing page or payload context rather than a single packet.
The rule should look like this.
Click OK to save the rule.
Click Add to create a new rule, which we will use for Phishing.
Name the rule. Let's use, "Phishing" for the example.
Set the Action to Reset Both.
Set the category to "phishing."
The rule should appear similar to the screenshot in the original article. Click OK to save the rule.
With both rules added, the profile should look like the profile screenshot in the original article.
To gain visibility into which signatures a specific rule within the profile relates to, check the box next to the rule name and click Find Matching Signatures; this displays a list of all signatures that match that rule's filters (category, severity, vendor, CVE and so on). This lends confidence that the profile applies the reset-both action only to the signatures desired. Because the rules match on signature category rather than on individual threat IDs, new exploit-kit and phishing signatures delivered in later content updates are covered automatically, so it is worth repeating the check after content updates.
Click OK to save the profile, then Commit. There is now a Vulnerability Protection profile named "Exploit Kit and Phishing" that can be attached to any security policy rule on which it is applicable. Keep in mind that a security policy rule carries a single Vulnerability Protection profile (directly or through a Security Profile Group), so a profile limited to these two categories leaves all other vulnerability signatures unenforced on that rule; in practice, add these two rules at the top of the broader profile already in use rather than replacing it.
When investigating signature triggers in the future, filtering the Threat log by the signature's category can be useful.
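The same profile can be created, and the same category filter applied to the Threat log, through the PAN-OS XML API instead of the WebGUI. The script below is an added example and is not from the original article or from Palo Alto Networks; it only builds the request parameters and sends nothing. It assumes the XML API is enabled and an API key exists, that the firewall is single-vsys (xpath under vsys1), that a vulnerability-profile rule is laid out as `<entry name=...><action><reset-both/></action><category>...</category>...` as in a config export, and that `category-of-threatid` is the Threat log filter attribute for signature category; none of those details are stated in the article, so verify them against your own firewall before sending.

```python
"""Build the PAN-OS XML API calls that reproduce the GUI procedure above.

Added example, not part of the original KB article.  Assumptions (not from
the article): XML API enabled with a key; single-vsys firewall (vsys1);
rule element layout as seen in config exports; Threat log filter attribute
'category-of-threatid'.  Nothing here touches the network.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

PROFILE_NAME = "Exploit Kit and Phishing"

# The two rules exactly as the article builds them in the GUI.
RULES = [
    {"name": "Exploit Kits", "category": "exploit-kit",
     "action": "reset-both", "packet_capture": "extended-capture"},
    {"name": "Phishing", "category": "phishing",
     "action": "reset-both", "packet_capture": "disable"},
]


def rule_element(rule):
    """One <entry> under <rules>; 'any' for every filter except category."""
    entry = ET.Element("entry", name=rule["name"])
    # Assumed schema: the action is an empty child element named after it.
    ET.SubElement(ET.SubElement(entry, "action"), rule["action"])
    ET.SubElement(entry, "category").text = rule["category"]
    for field in ("vendor-id", "severity", "cve"):
        ET.SubElement(ET.SubElement(entry, field), "member").text = "any"
    ET.SubElement(entry, "threat-name").text = "any"
    ET.SubElement(entry, "host").text = "any"
    ET.SubElement(entry, "packet-capture").text = rule["packet_capture"]
    return entry


def profile_element(rules=RULES):
    """Serialised <rules> element to pass as the 'element' parameter."""
    rules_el = ET.Element("rules")
    for rule in rules:
        rules_el.append(rule_element(rule))
    return ET.tostring(rules_el, encoding="unicode")


def profile_xpath(profile=PROFILE_NAME, vsys="vsys1"):
    """Assumed config xpath of a Vulnerability Protection profile."""
    return ("/config/devices/entry[@name='localhost.localdomain']"
            f"/vsys/entry[@name='{vsys}']/profiles/vulnerability"
            f"/entry[@name='{profile}']")


def set_profile_params(api_key, profile=PROFILE_NAME):
    """Parameters for type=config&action=set; a separate commit is still needed."""
    return {"type": "config", "action": "set", "key": api_key,
            "xpath": profile_xpath(profile), "element": profile_element()}


def commit_params(api_key):
    """Parameters for the commit that activates the new profile."""
    return {"type": "commit", "cmd": "<commit></commit>", "key": api_key}


def threat_log_params(api_key, category, nlogs=50):
    """Parameters for a Threat log pull restricted to one signature category.
    Assumed: type=log returns a job id that is then fetched with
    type=log&action=get&job-id=<id>."""
    return {"type": "log", "log-type": "threat", "key": api_key,
            "nlogs": str(nlogs),
            "query": f"( category-of-threatid eq {category} )"}


def api_url(host, params):
    """Full GET URL for the firewall's XML API endpoint."""
    return f"https://{host}/api/?{urlencode(params)}"


if __name__ == "__main__":
    key = "REPLACE-WITH-API-KEY"   # placeholder, not a real key
    print(api_url("firewall.example", set_profile_params(key)))
    print(api_url("firewall.example", commit_params(key)))
    print(api_url("firewall.example", threat_log_params(key, "exploit-kit")))
```

Send the three URLs in order (set, commit, then the log query) with any HTTP client that trusts the firewall's management certificate; the log query returns a job id, and the matching entries are fetched with a second `type=log&action=get&job-id=...` request. The `category` field of each returned entry should read `exploit-kit` or `phishing`, which is the same view the article's Threat log filter gives in the GUI.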