Palo Alto Networks Threat Vault (Deprecated)

This Integration is part of the Threat Vault by Palo Alto Networks Pack.

Deprecated

Use Threat Vault v2 instead.

Use the Palo Alto Networks Threat Vault to research the latest threats (vulnerabilities/exploits, viruses, and spyware) that Palo Alto Networks next-generation firewalls can detect and prevent. TIM customers who upgraded to version 6.2 or above can have the API Key pre-configured in their main account, so no additional input is needed. To use this feature, upgrade your license so it includes the license key.

Configure Palo Alto Networks Threat Vault in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| api_key | API Key | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

threatvault-antivirus-signature-get

Gets the antivirus signature.

Base Command

threatvault-antivirus-signature-get

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| sha256 | The SHA256 hash of the antivirus signature. | Optional |
| signature_id | The signature ID of the antivirus. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatVault.Antivirus.active | Bool | Whether the antivirus signature is active. |
| ThreatVault.Antivirus.category | String | The category of the antivirus signature. |
| ThreatVault.Antivirus.createTime | String | The time the antivirus signature was created. |
| ThreatVault.Antivirus.release | Unknown | The release details of the antivirus signature. |
| ThreatVault.Antivirus.sha256 | String | The SHA256 hash of the antivirus signature. |
| ThreatVault.Antivirus.signatureId | Number | The ID of the antivirus signature. |
| ThreatVault.Antivirus.signatureName | String | The name of the antivirus signature. |

Command Example

!threatvault-antivirus-signature-get signature_id=93534285

Context Example

{
"ThreatVault": {
"Antivirus": {
"active": true,
"createTime": "2010-10-01 10:28:57 (UTC)",
"release": {
"antivirus": {
"firstReleaseTime": "2010-10-03 15:04:58 UTC",
"firstReleaseVersion": 334,
"latestReleaseVersion": 0
},
"wildfire": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
}
},
"sha256": [
"7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8",
"9e12c5cdb069f74487c11758e732d72047b72bedf4373aa9e3a58e8e158380f8"
],
"signatureId": 93534285,
"signatureName": "Worm/Win32.autorun.crck"
}
}
}

Human Readable Output

Antivirus:

| active | createTime | release | sha256 | signatureId | signatureName |
| --- | --- | --- | --- | --- | --- |
| true | 2010-10-01 10:28:57 (UTC) | wildfire: {"latestReleaseVersion": 0, "firstReleaseVersion": 0}; antivirus: {"latestReleaseVersion": 0, "firstReleaseVersion": 334, "firstReleaseTime": "2010-10-03 15:04:58 UTC"} | 7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8, 9e12c5cdb069f74487c11758e732d72047b72bedf4373aa9e3a58e8e158380f8 | 93534285 | Worm/Win32.autorun.crck |

file

Checks the reputation of a file hash against the antivirus signatures in Threat Vault.

Base Command

file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | The SHA256 hash of the file to check (matched against the SHA256 hashes covered by antivirus signatures). | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Indicator | String | The indicator that was tested. |
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.Malicious.Vendor | String | For malicious files, the vendor that made the decision. |

Command Example

!file file=7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8

Context Example

{
"DBotScore": [
{
"Indicator": "7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8",
"Score": 0,
"Type": "file",
"Vendor": "Zimperium"
},
{
"Indicator": "7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8",
"Score": 3,
"Type": "file",
"Vendor": "ThreatVault"
},
{
"Indicator": "7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8",
"Score": 3,
"Type": "hash",
"Vendor": "WildFire"
},
{
"Indicator": "7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8",
"Score": 3,
"Type": "file",
"Vendor": "WildFire"
}
],
"File": {
"MD5": "7e8d3744c0a06d3c7ca7f6dbfce3d576",
"Malicious": {
"Vendor": "WildFire"
},
"Name": null,
"SHA1": null,
"SHA256": "7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8",
"Size": "117760",
"Type": "PE"
},
"ThreatVault": {
"Antivirus": {
"active": true,
"createTime": "2010-10-01 10:28:57 (UTC)",
"release": {
"antivirus": {
"firstReleaseTime": "2010-10-03 15:04:58 UTC",
"firstReleaseVersion": 334,
"latestReleaseVersion": 0
},
"wildfire": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
}
},
"sha256": [
"7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8",
"9e12c5cdb069f74487c11758e732d72047b72bedf4373aa9e3a58e8e158380f8"
],
"signatureId": 93534285,
"signatureName": "Worm/Win32.autorun.crck"
}
},
"WildFire": {
"Report": {
"SHA256": "7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8",
"Status": "Success"
}
},
"Zimperium": {
"Application": null
}
}

Human Readable Output

WildFire File Report

| FileType | MD5 | SHA256 | Size | Status |
| --- | --- | --- | --- | --- |
| PE | 7e8d3744c0a06d3c7ca7f6dbfce3d576 | 7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8 | 117760 | Completed |
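The `file` command above turns a Threat Vault antivirus signature lookup into a DBotScore verdict and a File context entry. The following is an added example, not code from the Threat Vault integration or from Palo Alto Networks, showing how that mapping can be built from the signature record shape shown in the Context Example. The scoring rule (active signature → 3/bad, inactive signature → 2/suspicious, no signature → 0/unknown), the `build_hash_index` and `file_reputation` helper names, and the second, inactive signature record are all assumptions made for the example; the first record is a copy of the page's own sample.

```python
from __future__ import annotations

import re
from typing import Any

# A SHA256 hex digest is exactly 64 hex characters; anything else is rejected
# before it reaches a lookup, so a malformed hash cannot silently score as "unknown".
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# DBotScore scale used by Cortex XSOAR: 0 unknown, 1 good, 2 suspicious, 3 bad.
SCORE_UNKNOWN, SCORE_SUSPICIOUS, SCORE_BAD = 0, 2, 3

# Constructed sample records in the shape of ThreatVault.Antivirus.
# The first is the page's own Context Example; the second is an invented,
# inactive signature with a placeholder hash, added to exercise that branch.
SAMPLE_SIGNATURES: list[dict[str, Any]] = [
    {
        "active": True,
        "createTime": "2010-10-01 10:28:57 (UTC)",
        "release": {
            "antivirus": {"firstReleaseTime": "2010-10-03 15:04:58 UTC",
                          "firstReleaseVersion": 334, "latestReleaseVersion": 0},
            "wildfire": {"firstReleaseVersion": 0, "latestReleaseVersion": 0},
        },
        "sha256": [
            "7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8",
            "9e12c5cdb069f74487c11758e732d72047b72bedf4373aa9e3a58e8e158380f8",
        ],
        "signatureId": 93534285,
        "signatureName": "Worm/Win32.autorun.crck",
    },
    {
        "active": False,  # constructed: a retired signature
        "createTime": "2012-01-01 00:00:00 (UTC)",
        "release": {"antivirus": {"firstReleaseVersion": 0, "latestReleaseVersion": 0},
                    "wildfire": {"firstReleaseVersion": 0, "latestReleaseVersion": 0}},
        "sha256": ["0" * 64],  # placeholder hash, constructed
        "signatureId": 1,
        "signatureName": "Placeholder/Inactive.test",
    },
]


def build_hash_index(signatures: list[dict[str, Any]]) -> dict[str, dict[str, Any]]:
    """Map every SHA256 covered by a signature to that signature record.

    A single antivirus signature can cover several file hashes (see the
    sha256 list in the sample), so the index is hash -> signature.
    """
    index: dict[str, dict[str, Any]] = {}
    for sig in signatures:
        for digest in sig.get("sha256", []):
            index[digest.lower()] = sig
    return index


def normalize_sha256(value: str) -> str:
    """Lower-case and validate a SHA256 argument; raise on anything malformed."""
    digest = value.strip().lower()
    if not SHA256_RE.match(digest):
        raise ValueError(f"not a SHA256 hex digest: {value!r}")
    return digest


def file_reputation(sha256: str, index: dict[str, dict[str, Any]]) -> dict[str, Any]:
    """Build DBotScore / File / ThreatVault context for one file hash.

    Assumed scoring rule: hash covered by an active signature -> 3 (bad),
    covered only by an inactive signature -> 2 (suspicious), no signature -> 0.
    """
    digest = normalize_sha256(sha256)
    sig = index.get(digest)
    if sig is None:
        score = SCORE_UNKNOWN
    elif sig.get("active"):
        score = SCORE_BAD
    else:
        score = SCORE_SUSPICIOUS

    context: dict[str, Any] = {
        "DBotScore": {"Indicator": digest, "Type": "file",
                      "Vendor": "ThreatVault", "Score": score},
        "File": {"SHA256": digest},
    }
    if sig is not None:
        # Surface the full signature record, as the page's Context Example does.
        context["ThreatVault"] = {"Antivirus": sig}
    if score == SCORE_BAD:
        context["File"]["Malicious"] = {
            "Vendor": "ThreatVault",
            "Description": f"Matches active antivirus signature "
                           f"{sig['signatureId']} ({sig['signatureName']})",
        }
    return context


if __name__ == "__main__":
    idx = build_hash_index(SAMPLE_SIGNATURES)
    print(file_reputation(SAMPLE_SIGNATURES[0]["sha256"][0], idx)["DBotScore"])
</test>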

threatvault-dns-signature-get-by-id

Gets the DNS signature. For more information about getting the IDs, see: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/learn-more-about-and-assess-threats/learn-more-about-threat-signatures.html

Base Command

threatvault-dns-signature-get-by-id

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| dns_signature_id | The ID of the DNS signature. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatVault.DNS.active | Bool | Whether the DNS signature is active. |
| ThreatVault.DNS.category | String | The category of the DNS signature. |
| ThreatVault.DNS.createTime | String | The time the DNS signature was created. |
| ThreatVault.DNS.domainName | String | The domain name of the DNS signature. |
| ThreatVault.DNS.release | Unknown | The release details of the DNS signature. |
| ThreatVault.DNS.signatureId | Number | The ID of the DNS signature. |
| ThreatVault.DNS.signatureName | String | The name of the DNS signature. |

Command Example

!threatvault-dns-signature-get-by-id signature_id=325235352

Context Example

{
"ThreatVault": {
"DNS": {}
}
}

Human Readable Output

DNS signature was not found. Please try with a different dns_signature_id.

threatvault-antispyware-signature-get-by-id

Gets the antispyware signature. For more information about getting the IDs, see: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/learn-more-about-and-assess-threats/learn-more-about-threat-signatures.html

Base Command

threatvault-antispyware-signature-get-by-id

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| signature_id | ID of the antispyware signature. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatVault.AntiSpyware.firstReleaseVersion | Number | The first released version of the antispyware. |
| ThreatVault.AntiSpyware.signatureName | String | The name of the antispyware signature. |
| ThreatVault.AntiSpyware.firstReleaseTime | String | The time the antispyware was first released. |
| ThreatVault.AntiSpyware.vendor | String | The antispyware vendor. |
| ThreatVault.AntiSpyware.latestReleaseTime | String | The latest release time of the antispyware. |
| ThreatVault.AntiSpyware.metadata | Unknown | The metadata of the antispyware (action, category, description, severity, PAN-OS version range, references). |
| ThreatVault.AntiSpyware.signatureType | String | The signature type of the antispyware. |
| ThreatVault.AntiSpyware.cve | String | The CVE associated with the antispyware signature, if any. |
| ThreatVault.AntiSpyware.status | String | The status of the antispyware. |
| ThreatVault.AntiSpyware.signatureId | Number | The antispyware signature ID. |
| ThreatVault.AntiSpyware.latestReleaseVersion | Number | The latest released version of the antispyware. |

Command Example

!threatvault-antispyware-signature-get-by-id signature_id=10001

Context Example

{
"ThreatVault": {
"AntiSpyware": {
"cve": "",
"firstReleaseTime": "2011-05-23 UTC",
"firstReleaseVersion": 248,
"latestReleaseTime": "2020-11-06 UTC",
"latestReleaseVersion": 8340,
"metadata": {
"action": "alert",
"category": "spyware",
"changeData": "",
"description": "This signature detects a variety of user-agents in HTTP request headers that have been known to be used by the Autorun family of malicious software, and not known to be used by legitimate clients. The request header should be inspected to investigate the suspect user-agent. If the user-agent is atypical or unexpected, the endpoint should be inspected to determine the user-agent used to generate the request on the machine (typically malware).",
"panOsMaximumVersion": "",
"panOsMinimumVersion": "6.1.0",
"reference": "http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Autorun,http://blogs.technet.com/b/mmpc/archive/2011/02/08/breaking-up-the-romance-between-malware-and-autorun.aspx,http://nakedsecurity.sophos.com/2011/06/15/usb-autorun-malware-on-the-wane/",
"severity": "medium"
},
"signatureId": 10001,
"signatureName": "Autorun User-Agent Traffic",
"signatureType": "spyware",
"status": "released",
"vendor": ""
}
}
}

Human Readable Output

Anti Spyware Signature:

| signatureId | signatureName | signatureType | status | firstReleaseTime | latestReleaseTime |
| --- | --- | --- | --- | --- | --- |
| 10001 | Autorun User-Agent Traffic | spyware | released | 2011-05-23 UTC | 2020-11-06 UTC |

threatvault-ip-geo-get

Gets the IP address geolocation.

Base Command

threatvault-ip-geo-get

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | The IP address to search. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatVault.IP.CountryCode | String | The country code. |
| ThreatVault.IP.CountryName | String | The country name. |
| ThreatVault.IP.ipAddress | String | The IP address. |

Command Example

!threatvault-ip-geo-get ip=8.8.8.8

Context Example

{
"ThreatVault": {
"IP": {
"countryCode": "US",
"countryName": "United States",
"ipAddress": "8.8.8.8"
}
}
}

Human Readable Output

IP location:

| countryCode | countryName | ipAddress |
| --- | --- | --- |
| US | United States | 8.8.8.8 |

ip

Checks the geographic location of an IP address.

Base Command

ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | The IP address to query, e.g., !ip 1.1.1.1 | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| IP.Address | String | The IP address. |
| IP.Geo.Country | String | The country of the IP address. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Indicator | String | The indicator that was tested. |

Command Example

!ip ip=1.1.1.1

Context Example

{
"DBotScore": {
"Indicator": "1.1.1.1",
"Score": 0,
"Type": "ip",
"Vendor": "ThreatVault"
},
"IP": {
"Address": "1.1.1.1",
"Geo": {
"Country": "Australia"
}
},
"ThreatVault": {
"IP": {
"countryCode": "AU",
"countryName": "Australia",
"ipAddress": "1.1.1.1"
}
}
}

Human Readable Output

IP location:

| countryCode | countryName | ipAddress |
| --- | --- | --- |
| AU | Australia | 1.1.1.1 |

threatvault-antivirus-signature-search

Initiates an antivirus signature search.

Base Command

threatvault-antivirus-signature-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| signature_name | The signature name to search. | Required |
| from | From which signature to return results. Default is 0. | Optional |
| to | To which signature to return results. Default is from plus 10. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatVault.Search.search_request_id | String | The ID that was searched. |
| ThreatVault.Search.status | String | The status of the search. |

Command Example

!threatvault-antivirus-signature-search signature_name=Worm/Win32.autorun.crck

Context Example

{
"ThreatVault": {
"Search": {
"from": 0,
"search_request_id": "5d10d1f1-2191-11eb-8c3b-396ee8360b80",
"search_type": "panav",
"status": "submitted",
"to": 10
}
}
}

Human Readable Output

Antivirus Signature Search:

| from | search_request_id | search_type | status | to |
| --- | --- | --- | --- | --- |
| 0 | 5d10d1f1-2191-11eb-8c3b-396ee8360b80 | panav | submitted | 10 |

threatvault-dns-signature-search

Initiates a DNS signature search.

Base Command

threatvault-dns-signature-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| signature_name | The signature name to search. | Optional |
| domain_name | The domain name to search. | Optional |
| from | From which signature to return results. Default is 0. | Optional |
| to | To which signature to return results. Default is from plus 10. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatVault.Search.search_request_id | String | The ID to search. |
| ThreatVault.Search.status | String | The status of the search. |

Command Example

!threatvault-dns-signature-search domain_name=google.com

Context Example

{
"ThreatVault": {
"Search": {
"from": 0,
"search_request_id": "5a2e4b67-2191-11eb-aaa0-476a91ad21a0",
"search_type": "dns",
"status": "submitted",
"to": 10
}
}
}

Human Readable Output

DNS Signature Search:

| from | search_request_id | search_type | status | to |
| --- | --- | --- | --- | --- |
| 0 | 5a2e4b67-2191-11eb-aaa0-476a91ad21a0 | dns | submitted | 10 |

threatvault-antispyware-signature-search

Initiates an antispyware signature search.

Base Command

threatvault-antispyware-signature-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| signature_name | The signature name to search. | Optional |
| vendor | The vendor name to search. | Optional |
| cve | The CVE name to search. | Optional |
| from | From which signature to return results. Default is 0. | Optional |
| to | To which signature to return results. Default is from plus 10. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatVault.Search.search_request_id | String | The ID to search. |
| ThreatVault.Search.status | String | The status of the search. |

Command Example

!threatvault-antispyware-signature-search cve=CVE-2015-8650

Context Example

{
"ThreatVault": {
"Search": {
"from": 0,
"search_request_id": "5bb4285c-2191-11eb-b288-43f099eed11d",
"search_type": "ips",
"status": "submitted",
"to": 10
}
}
}

Human Readable Output

Anti Spyware Signature Search:

| from | search_request_id | search_type | status | to |
| --- | --- | --- | --- | --- |
| 0 | 5bb4285c-2191-11eb-b288-43f099eed11d | ips | submitted | 10 |

threatvault-signature-search-results

Retrieves the results of a previously initiated signature search (antispyware, DNS, or antivirus), identified by its search request ID and search type. A search is asynchronous: it is first submitted with one of the threatvault-*-signature-search commands, which returns a search_request_id, and its results are then fetched with this command.

Base Command

threatvault-signature-search-results

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| search_request_id | The ID of the search whose results to fetch. | Required |
| search_type | Search type. "ips" for antispyware, "dns" for DNS, and "panav" for antivirus. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatVault.Search.search_request_id | String | The ID that was searched. |
| ThreatVault.Search.status | String | The status of the search. |
| ThreatVault.Search.page_count | Number | The number of results returned in this specific search. |
| ThreatVault.Search.total_count | Number | The number of results available for this specific search. |
| ThreatVault.Search.search_type | String | The search type. Can be either "ips", "dns", or "panav". |
| ThreatVault.Search.signatures | Unknown | A list of all the signatures found for this specific search. |

Command Example

!threatvault-signature-search-results search_type=dns search_request_id=8e9e2289-218f-11eb-b876-aba382af19b4

Context Example

{
"ThreatVault": {
"Search": {
"page_count": 10,
"search_request_id": "8e9e2289-218f-11eb-b876-aba382af19b4",
"signatures": [
{
"active": true,
"category": "malware",
"createTime": "2015-03-03 14:45:03 (UTC)",
"domainName": "mail-google.com.co",
"release": {
"antivirus": {
"firstReleaseTime": "2015-03-03 15:11:53 UTC",
"firstReleaseVersion": 1890,
"latestReleaseVersion": 0
},
"wildfire": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
}
},
"signatureId": 44101494,
"signatureName": "generic:mail-google.com.co"
},
{
"active": true,
"category": "malware",
"createTime": "2015-03-16 12:06:22 (UTC)",
"domainName": "www.google.com.shufaren.com.cn",
"release": {
"antivirus": {
"firstReleaseTime": "2015-03-16 15:13:36 UTC",
"firstReleaseVersion": 1903,
"latestReleaseVersion": 0
},
"wildfire": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
}
},
"signatureId": 45245562,
"signatureName": "generic:ogle.com.shufaren.com.cn"
},
{
"active": true,
"category": "malware",
"createTime": "2015-08-01 12:05:04 (UTC)",
"domainName": "verify.google.com.drive.viewdocument.buyers-exporters.com",
"release": {
"antivirus": {
"firstReleaseTime": "2015-08-01 15:12:15 UTC",
"firstReleaseVersion": 2055,
"latestReleaseVersion": 0
},
"wildfire": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
}
},
"signatureId": 60834054,
"signatureName": "generic:ent.buyers-exporters.com"
},
{
"active": true,
"category": "malware",
"createTime": "2015-08-01 12:05:05 (UTC)",
"domainName": "www.google.com-document-view.alibabatradegroup.com",
"release": {
"antivirus": {
"firstReleaseTime": "2015-08-01 15:12:15 UTC",
"firstReleaseVersion": 2055,
"latestReleaseVersion": 0
},
"wildfire": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
}
},
"signatureId": 60834216,
"signatureName": "generic:ew.alibabatradegroup.com"
},
{
"active": true,
"category": "malware",
"createTime": "2015-09-02 06:35:01 (UTC)",
"domainName": "accounts.google.com-sl.com",
"release": {
"antivirus": {
"firstReleaseTime": "2015-09-02 15:12:14 UTC",
"firstReleaseVersion": 2087,
"latestReleaseVersion": 0
},
"wildfire": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
}
},
"signatureId": 63218626,
"signatureName": "generic:counts.google.com-sl.com"
},
{
"active": true,
"category": "malware",
"createTime": "2015-10-10 23:06:14 (UTC)",
"domainName": "firstpagegoogle.com.au",
"release": {
"antivirus": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
},
"wildfire": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
}
},
"signatureId": 69081944,
"signatureName": "None:firstpagegoogle.com.au"
},
{
"active": true,
"category": "malware",
"createTime": "2015-10-17 17:26:42 (UTC)",
"domainName": "plus.google.com.sxn.us",
"release": {
"antivirus": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
},
"wildfire": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
}
},
"signatureId": 70722314,
"signatureName": "generic:plus.google.com.sxn.us"
},
{
"active": true,
"category": "malware",
"createTime": "2015-11-22 16:47:53 (UTC)",
"domainName": "chinagoogle.com.cn",
"release": {
"antivirus": {
"firstReleaseTime": "2015-11-22 15:10:51 UTC",
"firstReleaseVersion": 2178,
"latestReleaseVersion": 0
},
"wildfire": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
}
},
"signatureId": 82194404,
"signatureName": "generic:chinagoogle.com.cn"
},
{
"active": true,
"category": "malware",
"createTime": "2015-12-01 16:37:43 (UTC)",
"domainName": "google.com.im",
"release": {
"antivirus": {
"firstReleaseTime": "2015-12-01 15:11:36 UTC",
"firstReleaseVersion": 2191,
"latestReleaseVersion": 0
},
"wildfire": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
}
},
"signatureId": 83804135,
"signatureName": "generic:google.com.im"
},
{
"active": true,
"category": "malware",
"createTime": "2015-12-02 17:13:32 (UTC)",
"domainName": "documents.google.com.hjkeme3fxcncyygkfmsjvxsn.shhitmobil.com.ua",
"release": {
"antivirus": {
"firstReleaseTime": "2015-12-02 15:11:48 UTC",
"firstReleaseVersion": 2192,
"latestReleaseVersion": 0
},
"wildfire": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
}
},
"signatureId": 84099818,
"signatureName": "generic:sjvxsn.shhitmobil.com.ua"
}
],
"status": "completed",
"total_count": 5385
}
}
}

Human Readable Output

Signature search are showing 10 of 5385 results:

| signatureId | signatureName | domainName | category |
| --- | --- | --- | --- |
| 44101494 | generic:mail-google.com.co | mail-google.com.co | malware |
| 45245562 | generic:ogle.com.shufaren.com.cn | www.google.com.shufaren.com.cn | malware |
| 60834054 | generic:ent.buyers-exporters.com | verify.google.com.drive.viewdocument.buyers-exporters.com | malware |
| 60834216 | generic:ew.alibabatradegroup.com | www.google.com-document-view.alibabatradegroup.com | malware |
| 63218626 | generic:counts.google.com-sl.com | accounts.google.com-sl.com | malware |
| 69081944 | None:firstpagegoogle.com.au | firstpagegoogle.com.au | malware |
| 70722314 | generic:plus.google.com.sxn.us | plus.google.com.sxn.us | malware |
| 82194404 | generic:chinagoogle.com.cn | chinagoogle.com.cn | malware |
| 83804135 | generic:google.com.im | google.com.im | malware |
| 84099818 | generic:sjvxsn.shhitmobil.com.ua | documents.google.com.hjkeme3fxcncyygkfmsjvxsn.shhitmobil.com.ua | malware |
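The three threatvault-*-signature-search commands and threatvault-signature-search-results together form a submit-then-poll workflow: a search is submitted with a from/to window (to defaults to from plus 10), returns "submitted" with a search_request_id, and the results command is called with that ID and the matching search_type until status is "completed", at which point page_count and total_count tell the caller whether another window is needed. The following is an added example, not code from the Threat Vault integration or from Palo Alto Networks, that drives that workflow against an offline stand-in client. The `MockThreatVaultClient` class, its `submit_search` / `get_results` method names, the constructed DNS signature corpus, and the rule that a window is exhausted when from reaches total_count are all assumptions made for the example; the real HTTP endpoints are not on the page and are not modelled.

```python
from __future__ import annotations

import uuid
from typing import Any

PAGE_SIZE_DEFAULT = 10  # the page: "to" defaults to "from" plus 10
SEARCH_TYPES = ("ips", "dns", "panav")  # antispyware, DNS, antivirus

# Constructed corpus standing in for Threat Vault's DNS signature database.
# Every fourth record does not contain "google.com", so a domain_name search
# for "google.com" matches 22 of the 30 records (three windows of 10).
CORPUS: list[dict[str, Any]] = [
    {
        "signatureId": 44101494 + i,
        "signatureName": f"generic:lookalike{i}.example",
        "domainName": (f"cdn{i}.example" if i % 4 == 0
                       else f"accounts.google.com.lookalike{i}.example"),
        "category": "malware",
        "active": True,
    }
    for i in range(30)
]


class MockThreatVaultClient:
    """Offline stand-in for the Threat Vault search API (assumption, not the real client).

    Mirrors the two-step contract described on the page: a search is submitted
    with a window (from/to) and polled by search_request_id + search_type.
    The first polls_until_complete-1 polls answer "submitted" to simulate the
    asynchronous server-side job.
    """

    def __init__(self, corpus: list[dict[str, Any]], polls_until_complete: int = 2) -> None:
        self._corpus = corpus
        self._jobs: dict[str, dict[str, Any]] = {}
        self.polls_until_complete = polls_until_complete
        self.submit_calls = 0

    def submit_search(self, search_type: str, *, domain_name: str | None = None,
                      signature_name: str | None = None, from_: int = 0,
                      to: int | None = None) -> dict[str, Any]:
        if search_type not in SEARCH_TYPES:
            raise ValueError(f"unknown search_type {search_type!r}")
        to = from_ + PAGE_SIZE_DEFAULT if to is None else to
        matches = [s for s in self._corpus
                   if (domain_name is None or domain_name in s["domainName"])
                   and (signature_name is None or signature_name in s["signatureName"])]
        request_id = str(uuid.uuid4())
        self._jobs[request_id] = {"type": search_type, "matches": matches,
                                  "from": from_, "to": to, "polls": 0}
        self.submit_calls += 1
        return {"search_request_id": request_id, "search_type": search_type,
                "status": "submitted", "from": from_, "to": to}

    def get_results(self, search_request_id: str, search_type: str) -> dict[str, Any]:
        job = self._jobs[search_request_id]
        if job["type"] != search_type:
            raise ValueError("search_type does not match the submitted search")
        job["polls"] += 1
        if job["polls"] < self.polls_until_complete:
            return {"search_request_id": search_request_id,
                    "search_type": search_type, "status": "submitted"}
        page = job["matches"][job["from"]:job["to"]]
        return {"search_request_id": search_request_id, "search_type": search_type,
                "status": "completed", "page_count": len(page),
                "total_count": len(job["matches"]), "signatures": page}


def poll_until_complete(client: MockThreatVaultClient, request_id: str,
                        search_type: str, max_polls: int) -> dict[str, Any]:
    """Poll one search until its status is "completed"; bound the wait."""
    for _ in range(max_polls):
        result = client.get_results(request_id, search_type)
        if result["status"] == "completed":
            return result
    raise TimeoutError(f"search {request_id} did not complete after {max_polls} polls")


def collect_search(client: MockThreatVaultClient, search_type: str, *,
                   page_size: int = PAGE_SIZE_DEFAULT, max_polls: int = 20,
                   **filters: Any) -> list[dict[str, Any]]:
    """Submit successive from/to windows and gather every signature the search yields."""
    collected: list[dict[str, Any]] = []
    start = 0
    while True:
        job = client.submit_search(search_type, from_=start, to=start + page_size, **filters)
        page = poll_until_complete(client, job["search_request_id"], search_type, max_polls)
        collected.extend(page["signatures"])
        start += page_size
        # Stop on an empty page too, so a server that under-reports total_count
        # cannot drive the loop forever.
        if page["page_count"] == 0 or start >= page["total_count"]:
            return collected


if __name__ == "__main__":
    hits = collect_search(MockThreatVaultClient(CORPUS), "dns", domain_name="google.com")
    print(len(hits), "signatures collected")
```

The windowing mirrors how a playbook would chain the commands: each window is its own threatvault-dns-signature-search call with from/to, followed by threatvault-signature-search-results polling on its search_request_id, and the loop ends when from reaches total_count or a page comes back empty.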