What are the Unique Threat IDs that map to the different DNS Security Categories?
15626
Created On 02/02/21 22:19 PM - Last Modified 03/09/23 17:00 PM
Question
What are the Unique Threat IDs that map to the different DNS Security Categories?
Environment
- PAN-OS >= 9.0
- Valid DNS Security license
Answer
UTID | DNS Security Category
---|---
109000001 | DGA
109001001 | DNS Tunneling
109001002 | DNS Tunneling
109001003 | DNS Infiltration
109010001 | Phishing
109010002 | Generic Grayware
109010003 | Parked
109010004 | Proxy
109010005 | Fastflux
109010006 | Malicious NRD
109010007 | NXNSAttack
109010008 | Dangling Domain
109010009 | DNS Rebinding
109020001 | Newly Registered Domains
109020002 | Dynamic DNS
109010004 | Real-Time DNS Detection: Proxy
109004000 | Real-Time DNS Detection: AdTracking (benign, informational)
109000001 | Real-Time DNS Detection: CNAME Cloaking (benign, informational)
109010001 | Real-Time DNS Detection: Phishing
109002001 | Real-Time DNS Detection: Wildcard Abuse
109002002 | Real-Time DNS Detection: Strategically Aged
Additional Information
- Threat exceptions for DNS Security categories should never be created on the Universal Threat IDs (UTIDs) themselves, since a single UTID covers every domain detected in that category.
- Exceptions for DNS Security spyware detections must instead be added by FQDN (fully qualified domain name).
See Also:
- What are the threat IDs 109000001, 109001001 and 109001002? Why do different DGA domain [spyware] threat logs have the identical threat ID 109000001? https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPd1CAG