Palo Alto Networks Knowledgebase: Threat content 555 new features: exploit kit and phishing vulnerability profile categories

Created On 09/26/18 19:12 PM - Last Updated 09/26/18 20:38 PM
Solution:


Content release 555, released on February 3rd, 2016, introduced two new threat categories: one for phishing attacks and one for exploit kits (such as Angler, Rig, Nuclear, Magnitude, and Fiesta).

Note that filtering by these added categories only works on PAN-OS 7.0.x and later.

When creating a new Vulnerability Profile, it is now possible to select the categories "exploit-kit" and "phishing" so that the profile detects and enforces only threats within these categories.

Let's walk through creating a vulnerability profile that enforces only exploit-kit and phishing signature triggers, with an action of Reset Both.

  1. Log in to the PAN-OS WebGUI.
  2. Navigate to Objects. (screenshot 1.PNG)
  3. Navigate to Security Profiles > Vulnerability Protection. (screenshot 5.PNG)
  4. Click Add in the bottom left corner.
  5. Name the profile in the Name box.
  6. Click Add to create a new rule.
  7. Name the rule. Let's use "Exploit Kits" for the example.
  8. Set the Action to "Reset Both."
  9. Set the category to "exploit-kit."
  10. Set packet capture to "extended-capture." Exploit kits represent an extreme threat to any customer, and it is critical to capture as much data as possible about the signature triggers.
  11. The rule should look like this: (screenshot 2.PNG)
  12. Click OK to save the rule.
  13. Click Add to create a second rule, which will be used for phishing.
  14. Name the rule. Let's use "Phishing" for the example.
  15. Set the Action to "Reset Both."
  16. Set the category to "phishing."
  17. The rule should appear similar to this screenshot: (screenshot 3.PNG)
     The profile should look like this: (screenshot 4.PNG)
     To gain visibility into which signatures a specific rule within the profile covers, check the box next to the rule name and click Find Matching Signatures; this displays every signature that matches that rule. Reviewing this list gives confidence that the profile applies the reset-both action only to the intended signatures.
  18. Click OK.

There is now a vulnerability protection profile named "Exploit Kit and Phishing" that can be attached to any applicable security policy.

When investigating signature triggers in the future, querying the Threat log by category type can be useful:

(screenshot q1.PNG)
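As an added example (not part of the article and not Palo Alto Networks' code), the Python script below performs the kind of category-based review this section suggests, offline against a constructed CSV export. The column names (receive_time, threat_name, threat_id, category, action, src, dst) and the records are assumptions made for the example, not the firewall's real export format or real signatures. The script counts exploit-kit and phishing triggers by action and flags any that were not handled with reset-both, which is how a defender would confirm the profile built above is actually enforcing rather than only alerting.

```python
"""Triage PAN-OS-style threat-log records by the content-555 categories.

Added example for this article; the records and column layout below are
constructed stand-ins, not a real threat-log export.
"""
import csv
import io
from collections import Counter

# The two categories introduced in content release 555 (from the article).
WATCHED_CATEGORIES = {"exploit-kit", "phishing"}

# The action the profile in the article is expected to apply.
EXPECTED_ACTION = "reset-both"

# Constructed sample export (hypothetical signature names and placeholder IDs).
SAMPLE_LOG = """receive_time,threat_name,threat_id,category,action,src,dst
2016/02/04 09:12:01,Constructed Exploit Kit Landing Page Signature,EXAMPLE-1,exploit-kit,reset-both,10.0.0.5,203.0.113.10
2016/02/04 09:13:44,Constructed Phishing Page Signature,EXAMPLE-2,phishing,reset-both,10.0.0.7,203.0.113.22
2016/02/04 09:15:10,Constructed Exploit Kit Landing Page Signature,EXAMPLE-3,exploit-kit,alert,10.0.0.9,203.0.113.10
2016/02/04 09:20:30,Constructed SQL Injection Signature,EXAMPLE-4,sql-injection,reset-both,10.0.0.5,198.51.100.3
"""


def parse_threat_log(text):
    """Parse a CSV threat-log export (header row first) into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(records, categories=WATCHED_CATEGORIES, expected=EXPECTED_ACTION):
    """Count watched-category hits by (category, action) and collect the ones
    whose action differs from the expected enforcement action.

    Returns (counts, unenforced): counts is a Counter keyed by
    (category, action); unenforced is the list of offending records.
    """
    counts = Counter()
    unenforced = []
    for rec in records:
        category = rec["category"]
        if category not in categories:
            # Other categories are outside the scope of this profile check.
            continue
        counts[(category, rec["action"])] += 1
        if rec["action"] != expected:
            unenforced.append(rec)
    return counts, unenforced


def report(text):
    """Return human-readable summary lines for a CSV export."""
    counts, unenforced = triage(parse_threat_log(text))
    lines = []
    for (category, action), n in sorted(counts.items()):
        lines.append(f"{category:<12} {action:<12} {n}")
    for rec in unenforced:
        lines.append(
            f"NOT ENFORCED: {rec['threat_id']} ({rec['category']}) "
            f"{rec['src']} -> {rec['dst']} action={rec['action']}"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Point the script at a real export by replacing SAMPLE_LOG with the file contents and adjusting the column names to match; any "NOT ENFORCED" line is a trigger that the profile saw but did not reset, which usually means the category rule is not attached to the policy that matched the traffic.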

Article link: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm2rCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail