How to check the IoC coverage for Malware or Vulnerabilities prior to raising a support case

Created On 01/24/22 00:47 AM - Last Modified 07/12/24 13:29 PM


Objective


Palo Alto Networks provides free security research tools for investigating newly published malware campaigns and vulnerabilities, as well as existing malware, hashes, URLs, DNS signatures, and more.
If the tools do not return the information you need, open a support case.


Environment


  • Any Palo Alto Networks products
  • Any PAN-OS


Procedure


If you received a security report on a new CVE or malware, check the following.
  • For newly released CVEs, the process is explained here.
  • In addition to the above link, for vulnerability coverage, review the associated CVE to see which attack vector the vulnerability poses, since a CVE's Attack Vector (AV) may be Local (L) or Network (N). If the attack vector is Local (L), no coverage is possible on Strata appliances, because the vulnerability is local to the device and does not traverse the firewall; Cortex XDR coverage may still be possible. Open a support case if the CVE's attack vector is Network (N). You can confirm the attack vector on the NIST website entry for the CVE (ref. CVSS Scoring System link, section 2.1.1 Attack Vector (AV)).
  • For malware, search the web for the malware name to find any related IoCs in hash form (SHA256, SHA1, or MD5).
  • Once you have an IoC for the malware, use the free or paid tools Palo Alto Networks provides.

There are two free tools and one paid tool available to Palo Alto Networks users to aid in malware threat campaign searches. Steps:
A threat campaign report contains Indicators of Compromise (IoCs) such as file hashes, URLs, IP addresses, and more.

1. Search external sources on search engines (Google, Bing, etc.) to find more information about the threat.
  • Hashes: the hashes can be in the form of SHA256, SHA1, or MD5. Take the hash and search for it in Threat Vault.
  • If there is no Antivirus signature associated with the hash, open a support case to request coverage.

2. Threat Vault
    a) Via Web GUI (user friendly; suited to isolated research on a small number of IoCs)
  • You can search by hash, keywords, CVE IDs, etc.
  • Threat Vault is a database that can be used to search the following types of signatures.
[Screenshot: Threat Vault source types]

- [Screenshot: example of a hash search]
- [Screenshot: example of a keyword search]

    b) Via Threat Vault API (useful for batched IoC queries or for integrating with other tools)
  • Search URL or IP address IoCs on Test-A-Site (or Threat Vault).
- [Screenshot: example of a URL search]
- [Screenshot: example of an IP address search]
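As an added example (not code from this article or from Palo Alto Networks), the following Python sketches the two triage decisions described above: it classifies the hashes taken from a threat report, checks each one through a lookup function and buckets those with no Antivirus signature for a support case, and reads the Attack Vector from a CVSS v2 or v3.x vector string so that only Network-vector CVEs are raised for Strata coverage. The `lookup` callable and the `signatures` response key are assumptions, and `fake_lookup` stands in for a real Threat Vault API client so the example runs offline.

```python
import re

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex-digest length -> algorithm

def classify_hash(value: str):
    """Return 'md5', 'sha1' or 'sha256' by digest length, or None if not a hex digest."""
    v = value.strip().lower()
    return HASH_ALGOS.get(len(v)) if re.fullmatch(r"[0-9a-f]+", v) else None

def parse_attack_vector(cvss_vector: str) -> str:
    """Extract the AV metric from a CVSS v2 or v3.x vector string, e.g. 'CVSS:3.1/AV:N/...'."""
    m = re.search(r"\bAV:([NALP])\b", cvss_vector)
    if not m:
        raise ValueError(f"no AV metric in vector: {cvss_vector!r}")
    return {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"}[m.group(1)]

def firewall_coverage_possible(cvss_vector: str) -> bool:
    """Per the article, only a Network attack vector traverses the firewall, so only
    AV:N justifies a Strata coverage request; Local (and other) vectors do not."""
    return parse_attack_vector(cvss_vector) == "Network"

def triage_hashes(iocs: list, lookup) -> dict:
    """Dedupe report hashes, query each via lookup(algo, digest), and bucket them as
    'covered' (signature exists), 'open_case' (no signature) or 'invalid' (not a hash)."""
    out = {"covered": [], "open_case": [], "invalid": []}
    for v in dict.fromkeys(i.strip().lower() for i in iocs):  # normalise + dedupe, keep order
        algo = classify_hash(v)
        if algo is None:
            out["invalid"].append(v)
            continue
        # The 'signatures' key is an assumed response shape, not the documented API schema.
        has_sig = bool(lookup(algo, v).get("signatures"))
        out["covered" if has_sig else "open_case"].append(v)
    return out

# Constructed sample input: the well-known digests of an empty file plus one bad entry.
SAMPLE_REPORT_HASHES = [
    "D41D8CD98F00B204E9800998ECF8427E",
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "not-a-hash",
]

def fake_lookup(algo: str, digest: str) -> dict:
    """Offline stand-in for a Threat Vault query (the real API needs a key and network access)."""
    if digest.startswith("e3b0c442"):  # only the sha256 is given a (constructed) AV signature
        return {"signatures": [{"name": "Virus/Example.Generic"}]}
    return {"signatures": []}
```

Swap `fake_lookup` for a client that calls the Threat Vault API with your API key; the bucketing and attack-vector logic stay the same.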



4. AutoFocus
  • For an indicator, search by file hash, IP, domain, or URL.
[Screenshot: AutoFocus indicator search]


 
 


Additional Information


If you do not find any information about the IoC in Threat Vault, Test-A-Site, or AutoFocus, open a case with Support.
Requirements for the support case:
  • External research reports or any published report you received from your security team.
  • The list of IoCs you received.


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004MxOCAU&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail