The threat log shows the threat ID 12000000 - What does this mean?
Created On 10/29/20 13:43 PM - Last Modified 07/29/25 21:30 PM
Symptom
- Looking up threat ID 12000000 in the Threat Vault returns no results, with the message "No data is found based on your search, please search for something else".
- Threat exceptions for threat ID 12000000 cannot be created.
- The firewall's Anti-spyware profile blocks DNS queries for suspicious domains, so access to the intended URL is not granted.
- Threat logs will show action "Sinkhole" when that action is selected for DNS Signatures in the Anti-spyware profile.
Environment
- Palo Alto Firewall.
- Any PAN-OS.
- Threat Signature.
Cause
Threat ID 12000000 is a reserved TID that globally identifies any domain matched through a custom EDL (External Dynamic List) of type domain that is not sourced from a Palo Alto device. When this ID appears in the logs, an EDL of type domain that has been added to the Anti-spyware profile lists the domain for which the signature was triggered.
Resolution
- If you have access to edit the contents of the external dynamic list, remove the blocked domain entry reported in the logs.
- If there is no access to modify the EDL because it comes from a third-party source, you can create a local exclusion in the firewall. This gives you the option to enforce policy on some (but not all) of the entries in the list.
  - Identify the Anti-spyware profile attached to the security rule enforcing the DNS traffic being blocked.
  - Identify the EDLs added in the Anti-spyware profile. GUI: Objects > Security Profiles > Anti-spyware > DNS signatures > External Dynamic Lists
  - Exclude the required entries from the external dynamic list.
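When several domain-type EDLs are attached to the profile, the threat log alone does not say which list carries the entry. The following added example (not Palo Alto code) searches local copies of the lists for the domain reported in the log; the list names and contents are constructed, and the matching rule (exact match, or a leading `*.` wildcard covering subdomains) is an assumption, not a statement of how PAN-OS evaluates entries.

```python
"""Locate the EDL entry that matches a domain reported under TID 12000000."""


def normalize(name):
    # DNS names are case-insensitive; drop whitespace and a trailing root dot.
    return name.strip().lower().rstrip(".")


def entry_matches(entry, domain):
    """Assumed rule: exact match, or a leading '*.' wildcard that covers
    any subdomain of the remainder (but not the remainder itself)."""
    entry, domain = normalize(entry), normalize(domain)
    if not entry:
        return False  # blank line in the list
    if entry.startswith("*."):
        return domain.endswith(entry[1:])  # compare against ".suffix"
    return domain == entry


def find_in_edls(edls, domain):
    """Return (list_name, line_number, entry) for every matching entry."""
    hits = []
    for list_name, text in edls.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            if entry_matches(line, domain):
                hits.append((list_name, lineno, line.strip()))
    return hits


# Constructed sample data: two hypothetical domain-type EDLs saved as text.
SAMPLE_EDLS = {
    "vendor-feed": "bad.example.com\n\n*.tracker.example.net\nShop.Example.org.\n",
    "internal-blocklist": "malware.example.com\nbad.example.com\n",
}

if __name__ == "__main__":
    # Domains as they would be copied from the threat log entries.
    for domain in ("shop.example.org", "cdn.tracker.example.net", "bad.example.com"):
        for name, lineno, entry in find_in_edls(SAMPLE_EDLS, domain):
            print(f"{domain}: listed in {name}, line {lineno}, as {entry!r}")
```

A domain that appears in more than one list needs an exclusion (or removal) in each of them before the DNS query stops matching.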
Additional Information
Exclude Entries from an External Dynamic List