Palo Alto Networks Threat Vault

Use the Palo Alto Networks Threat Vault to research the latest threats (vulnerabilities/exploits, viruses, and spyware) that Palo Alto Networks next-generation firewalls can detect and prevent. This integration was developed and tested with version xx of Palo Alto Networks Threat Vault.

Configure Palo Alto Networks Threat Vault on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Palo Alto Networks Threat Vault.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| api_key | API Key | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |

  4. Click Test to validate the URLs, token, and connection.

Enable Trust any certificate only while troubleshooting a certificate problem: with certificate validation disabled, anyone on the path to the Threat Vault API can impersonate it and return false verdicts to your playbooks.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

threatvault-antivirus-signature-get


Gets the antivirus signature.

Base Command

threatvault-antivirus-signature-get

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| sha256 | The SHA256 hash covered by the antivirus signature. | Optional |
| signature_id | The ID of the antivirus signature. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatVault.Antivirus.active | Bool | Whether the antivirus signature is active. |
| ThreatVault.Antivirus.category | String | The category of the antivirus signature. |
| ThreatVault.Antivirus.createTime | String | The time the antivirus signature was created. |
| ThreatVault.Antivirus.release | Unknown | The release details of the antivirus signature. |
| ThreatVault.Antivirus.sha256 | String | The SHA256 hashes covered by the antivirus signature. |
| ThreatVault.Antivirus.signatureId | Number | The ID of the antivirus signature. |
| ThreatVault.Antivirus.signatureName | String | The name of the antivirus signature. |

Command Example

!threatvault-antivirus-signature-get signature_id=93534285

Context Example

{
"ThreatVault": {
"Antivirus": {
"active": true,
"createTime": "2010-10-01 10:28:57 (UTC)",
"release": {
"antivirus": {
"firstReleaseTime": "2010-10-03 15:04:58 UTC",
"firstReleaseVersion": 334,
"latestReleaseVersion": 0
},
"wildfire": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
}
},
"sha256": [
"7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8",
"9e12c5cdb069f74487c11758e732d72047b72bedf4373aa9e3a58e8e158380f8"
],
"signatureId": 93534285,
"signatureName": "Worm/Win32.autorun.crck"
}
}
}

Human Readable Output

Antivirus:

| active | createTime | release | sha256 | signatureId | signatureName |
| --- | --- | --- | --- | --- | --- |
| true | 2010-10-01 10:28:57 (UTC) | wildfire: {"latestReleaseVersion": 0, "firstReleaseVersion": 0}; antivirus: {"latestReleaseVersion": 0, "firstReleaseVersion": 334, "firstReleaseTime": "2010-10-03 15:04:58 UTC"} | 7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8, 9e12c5cdb069f74487c11758e732d72047b72bedf4373aa9e3a58e8e158380f8 | 93534285 | Worm/Win32.autorun.crck |

file


Checks the reputation of a file, identified by its SHA256 hash, against the antivirus signatures in Threat Vault.

Base Command

file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | The SHA256 hash of the file to check. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Indicator | String | The indicator that was tested. |
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.Malicious.Vendor | String | For malicious files, the vendor that made the decision. |

Command Example

!file file=7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8

Context Example

{
"DBotScore": [
{
"Indicator": "7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8",
"Score": 0,
"Type": "file",
"Vendor": "Zimperium"
},
{
"Indicator": "7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8",
"Score": 3,
"Type": "file",
"Vendor": "ThreatVault"
},
{
"Indicator": "7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8",
"Score": 3,
"Type": "hash",
"Vendor": "WildFire"
},
{
"Indicator": "7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8",
"Score": 3,
"Type": "file",
"Vendor": "WildFire"
}
],
"File": {
"MD5": "7e8d3744c0a06d3c7ca7f6dbfce3d576",
"Malicious": {
"Vendor": "WildFire"
},
"Name": null,
"SHA1": null,
"SHA256": "7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8",
"Size": "117760",
"Type": "PE"
},
"ThreatVault": {
"Antivirus": {
"active": true,
"createTime": "2010-10-01 10:28:57 (UTC)",
"release": {
"antivirus": {
"firstReleaseTime": "2010-10-03 15:04:58 UTC",
"firstReleaseVersion": 334,
"latestReleaseVersion": 0
},
"wildfire": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
}
},
"sha256": [
"7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8",
"9e12c5cdb069f74487c11758e732d72047b72bedf4373aa9e3a58e8e158380f8"
],
"signatureId": 93534285,
"signatureName": "Worm/Win32.autorun.crck"
}
},
"WildFire": {
"Report": {
"SHA256": "7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8",
"Status": "Success"
}
},
"Zimperium": {
"Application": null
}
}

Human Readable Output

WildFire File Report

| FileType | MD5 | SHA256 | Size | Status |
| --- | --- | --- | --- | --- |
| PE | 7e8d3744c0a06d3c7ca7f6dbfce3d576 | 7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8 | 117760 | Completed |
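The context examples above show how a Threat Vault antivirus lookup feeds the DBotScore and File context that the `file` command produces. The block below is an added example, not the integration's own code: it takes a response shaped like the threatvault-antivirus-signature-get context and builds that reputation context. The score mapping (no covering signature gives 0, an active signature gives 3, a retired signature gives 2) and the File.Malicious.Description field are assumptions for the example; the 0/1/2/3 DBotScore scale itself is the standard Cortex XSOAR convention.

```python
# Added example: build DBotScore / File context from a Threat Vault antivirus
# signature response. Illustrative code, not the integration's implementation.
from typing import Any, Dict, Optional

VENDOR = "ThreatVault"
# Cortex XSOAR DBotScore scale: 0 unknown, 1 good, 2 suspicious, 3 bad.
SCORE_UNKNOWN, SCORE_GOOD, SCORE_SUSPICIOUS, SCORE_BAD = 0, 1, 2, 3

# Constructed sample: a trimmed copy of the threatvault-antivirus-signature-get
# context example on this page.
SAMPLE_SIGNATURE: Dict[str, Any] = {
    "active": True,
    "createTime": "2010-10-01 10:28:57 (UTC)",
    "sha256": [
        "7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8",
        "9e12c5cdb069f74487c11758e732d72047b72bedf4373aa9e3a58e8e158380f8",
    ],
    "signatureId": 93534285,
    "signatureName": "Worm/Win32.autorun.crck",
}


def is_sha256(value: str) -> bool:
    """True for a 64-character hex string; rejects MD5/SHA1 and typos early."""
    return len(value) == 64 and all(c in "0123456789abcdefABCDEF" for c in value)


def score_file(sha256: str, signature: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    """Map one SHA256 plus its (possible) Threat Vault signature to context.

    Mapping assumed for this example:
      - no signature lists the hash          -> score 0 (unknown), no File.Malicious
      - an active signature lists the hash   -> score 3 (bad), File.Malicious set
      - a retired (inactive) signature       -> score 2 (suspicious)
    The hash is lower-cased and checked against the signature's own sha256
    list: one signature covers several hashes, and a verdict must only be
    attached to the hash that was actually queried.
    """
    if not is_sha256(sha256):
        raise ValueError(f"not a SHA256 hash: {sha256!r}")
    sha256 = sha256.lower()

    covered = signature is not None and sha256 in [
        h.lower() for h in signature.get("sha256", [])
    ]
    if not covered:
        score = SCORE_UNKNOWN
    elif signature.get("active"):
        score = SCORE_BAD
    else:
        score = SCORE_SUSPICIOUS

    dbot = {"Indicator": sha256, "Type": "file", "Vendor": VENDOR, "Score": score}
    file_ctx: Dict[str, Any] = {"SHA256": sha256}
    if score == SCORE_BAD:
        # Field names mirror the page's File.Malicious.Vendor output; the
        # Description text is an assumption of this example.
        file_ctx["Malicious"] = {
            "Vendor": VENDOR,
            "Description": f"Matched Threat Vault signature {signature['signatureId']} "
                           f"({signature['signatureName']})",
        }
    return {"DBotScore": dbot, "File": file_ctx}


if __name__ == "__main__":
    queried = "7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8"
    print(score_file(queried, SAMPLE_SIGNATURE))
```

A playbook that treats any non-empty response as "malicious" would mis-score a hash the signature does not actually list; the membership check above is the guard against that.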

threatvault-dns-signature-get-by-id


Gets the DNS signature. For more information about getting the IDs, see: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/learn-more-about-and-assess-threats/learn-more-about-threat-signatures.html

Base Command

threatvault-dns-signature-get-by-id

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| dns_signature_id | The ID of the DNS signature. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatVault.DNS.active | Bool | Whether the DNS signature is active. |
| ThreatVault.DNS.category | String | The category of the DNS signature. |
| ThreatVault.DNS.createTime | String | The time the DNS signature was created. |
| ThreatVault.DNS.domainName | String | The domain name of the DNS signature. |
| ThreatVault.DNS.release | Unknown | The release details of the DNS signature. |
| ThreatVault.DNS.signatureId | Number | The ID of the DNS signature. |
| ThreatVault.DNS.signatureName | String | The name of the DNS signature. |

Command Example

!threatvault-dns-signature-get-by-id dns_signature_id=325235352

Context Example

{
"ThreatVault": {
"DNS": {}
}
}

Human Readable Output

DNS signature was not found. Please try with a different dns_signature_id.

threatvault-antispyware-signature-get-by-id


Gets the antispyware signature. For more information about getting the IDs, see: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/learn-more-about-and-assess-threats/learn-more-about-threat-signatures.html

Base Command

threatvault-antispyware-signature-get-by-id

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| signature_id | The ID of the antispyware signature. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatVault.AntiSpyware.firstReleaseVersion | Number | The content release version in which the antispyware signature was first released. |
| ThreatVault.AntiSpyware.signatureName | String | The name of the antispyware signature. |
| ThreatVault.AntiSpyware.firstReleaseTime | String | The time the antispyware signature was first released. |
| ThreatVault.AntiSpyware.vendor | String | The vendor associated with the antispyware signature. |
| ThreatVault.AntiSpyware.latestReleaseTime | String | The latest release time of the antispyware signature. |
| ThreatVault.AntiSpyware.metadata | Unknown | The metadata of the antispyware signature (action, category, description, severity, references, supported PAN-OS versions). |
| ThreatVault.AntiSpyware.signatureType | String | The signature type of the antispyware signature. |
| ThreatVault.AntiSpyware.cve | String | The CVE identifier(s) associated with the antispyware signature, if any. |
| ThreatVault.AntiSpyware.status | String | The status of the antispyware signature (for example, released). |
| ThreatVault.AntiSpyware.signatureId | Number | The antispyware signature ID. |
| ThreatVault.AntiSpyware.latestReleaseVersion | Number | The latest content release version containing the antispyware signature. |

Command Example

!threatvault-antispyware-signature-get-by-id signature_id=10001

Context Example

{
"ThreatVault": {
"AntiSpyware": {
"cve": "",
"firstReleaseTime": "2011-05-23 UTC",
"firstReleaseVersion": 248,
"latestReleaseTime": "2020-11-06 UTC",
"latestReleaseVersion": 8340,
"metadata": {
"action": "alert",
"category": "spyware",
"changeData": "",
"description": "This signature detects a variety of user-agents in HTTP request headers that have been known to be used by the Autorun family of malicious software, and not known to be used by legitimate clients. The request header should be inspected to investigate the suspect user-agent. If the user-agent is atypical or unexpected, the endpoint should be inspected to determine the user-agent used to generate the request on the machine (typically malware).",
"panOsMaximumVersion": "",
"panOsMinimumVersion": "6.1.0",
"reference": "http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Autorun,http://blogs.technet.com/b/mmpc/archive/2011/02/08/breaking-up-the-romance-between-malware-and-autorun.aspx,http://nakedsecurity.sophos.com/2011/06/15/usb-autorun-malware-on-the-wane/",
"severity": "medium"
},
"signatureId": 10001,
"signatureName": "Autorun User-Agent Traffic",
"signatureType": "spyware",
"status": "released",
"vendor": ""
}
}
}

Human Readable Output

Anti Spyware Signature:

| signatureId | signatureName | signatureType | status | firstReleaseTime | latestReleaseTime |
| --- | --- | --- | --- | --- | --- |
| 10001 | Autorun User-Agent Traffic | spyware | released | 2011-05-23 UTC | 2020-11-06 UTC |

threatvault-ip-geo-get


Gets the geolocation of an IP address.

Base Command

threatvault-ip-geo-get

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | The IP address to search. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatVault.IP.countryCode | String | The country code. |
| ThreatVault.IP.countryName | String | The country name. |
| ThreatVault.IP.ipAddress | String | The IP address. |

Command Example

!threatvault-ip-geo-get ip=8.8.8.8

Context Example

{
"ThreatVault": {
"IP": {
"countryCode": "US",
"countryName": "United States",
"ipAddress": "8.8.8.8"
}
}
}

Human Readable Output

IP location:

| countryCode | countryName | ipAddress |
| --- | --- | --- |
| US | United States | 8.8.8.8 |

ip


Checks the geolocation of an IP address and records it in the standard IP and DBotScore context.

Base Command

ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | The IP address to query, e.g., !ip ip=1.1.1.1 | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| IP.Address | String | The IP address. |
| IP.Geo.Country | String | The country of the IP address. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| ThreatVault.IP.countryCode | String | The country code. |
| ThreatVault.IP.countryName | String | The country name. |
| ThreatVault.IP.ipAddress | String | The IP address. |

Command Example

!ip ip=1.1.1.1

Context Example

{
"DBotScore": {
"Indicator": "1.1.1.1",
"Score": 0,
"Type": "ip",
"Vendor": "ThreatVault"
},
"IP": {
"Address": "1.1.1.1",
"Geo": {
"Country": "Australia"
}
},
"ThreatVault": {
"IP": {
"countryCode": "AU",
"countryName": "Australia",
"ipAddress": "1.1.1.1"
}
}
}

Human Readable Output

IP location:

| countryCode | countryName | ipAddress |
| --- | --- | --- |
| AU | Australia | 1.1.1.1 |

threatvault-antivirus-signature-search


Initiates an antivirus signature search.

Base Command

threatvault-antivirus-signature-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| signature_name | The signature name to search. | Required |
| from | The index of the first result to return. Default is 0. | Optional |
| to | The index at which to stop returning results. Default is from plus 10. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatVault.Search.search_request_id | String | The ID of the submitted search request. Pass it to threatvault-signature-search-results to retrieve the results. |
| ThreatVault.Search.status | String | The status of the search. |

Command Example

!threatvault-antivirus-signature-search signature_name=Worm/Win32.autorun.crck

Context Example

{
"ThreatVault": {
"Search": {
"from": 0,
"search_request_id": "5d10d1f1-2191-11eb-8c3b-396ee8360b80",
"search_type": "panav",
"status": "submitted",
"to": 10
}
}
}

Human Readable Output

Antivirus Signature Search:

| from | search_request_id | search_type | status | to |
| --- | --- | --- | --- | --- |
| 0 | 5d10d1f1-2191-11eb-8c3b-396ee8360b80 | panav | submitted | 10 |

threatvault-dns-signature-search


Initiates a DNS signature search.

Base Command

threatvault-dns-signature-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| signature_name | The signature name to search. | Optional |
| domain_name | The domain name to search. | Optional |
| from | The index of the first result to return. Default is 0. | Optional |
| to | The index at which to stop returning results. Default is from plus 10. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatVault.Search.search_request_id | String | The ID of the submitted search request. Pass it to threatvault-signature-search-results to retrieve the results. |
| ThreatVault.Search.status | String | The status of the search. |

Command Example

!threatvault-dns-signature-search domain_name=google.com

Context Example

{
"ThreatVault": {
"Search": {
"from": 0,
"search_request_id": "5a2e4b67-2191-11eb-aaa0-476a91ad21a0",
"search_type": "dns",
"status": "submitted",
"to": 10
}
}
}

Human Readable Output

DNS Signature Search:

| from | search_request_id | search_type | status | to |
| --- | --- | --- | --- | --- |
| 0 | 5a2e4b67-2191-11eb-aaa0-476a91ad21a0 | dns | submitted | 10 |

threatvault-antispyware-signature-search


Initiates an antispyware signature search.

Base Command

threatvault-antispyware-signature-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| signature_name | The signature name to search. | Optional |
| vendor | The vendor name to search. | Optional |
| cve | The CVE identifier to search. | Optional |
| from | The index of the first result to return. Default is 0. | Optional |
| to | The index at which to stop returning results. Default is from plus 10. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatVault.Search.search_request_id | String | The ID of the submitted search request. Pass it to threatvault-signature-search-results to retrieve the results. |
| ThreatVault.Search.status | String | The status of the search. |

Command Example

!threatvault-antispyware-signature-search cve=CVE-2015-8650

Context Example

{
"ThreatVault": {
"Search": {
"from": 0,
"search_request_id": "5bb4285c-2191-11eb-b288-43f099eed11d",
"search_type": "ips",
"status": "submitted",
"to": 10
}
}
}

Human Readable Output

Anti Spyware Signature Search:

| from | search_request_id | search_type | status | to |
| --- | --- | --- | --- | --- |
| 0 | 5bb4285c-2191-11eb-b288-43f099eed11d | ips | submitted | 10 |

threatvault-signature-search-results


Retrieves the results of a signature search previously submitted with threatvault-antivirus-signature-search, threatvault-dns-signature-search, or threatvault-antispyware-signature-search. The search runs asynchronously: while the status is still "submitted", re-run this command until it reports "completed".

Base Command

threatvault-signature-search-results

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| search_request_id | The search request ID returned by the search command. | Required |
| search_type | The search type, which must match the command that submitted the search: "ips" for antispyware, "dns" for DNS, and "panav" for antivirus. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ThreatVault.Search.search_request_id | String | The ID of the search request whose results were retrieved. |
| ThreatVault.Search.status | String | The status of the search. |
| ThreatVault.Search.page_count | Number | The number of results returned in this specific search. |
| ThreatVault.Search.total_count | Number | The total number of results available for this specific search. |
| ThreatVault.Search.search_type | String | The search type. Can be "ips", "dns", or "panav". |
| ThreatVault.Search.signatures | Unknown | A list of all the signatures found for this specific search. |

Command Example

!threatvault-signature-search-results search_type=dns search_request_id=8e9e2289-218f-11eb-b876-aba382af19b4

Context Example

{
"ThreatVault": {
"Search": {
"page_count": 10,
"search_request_id": "8e9e2289-218f-11eb-b876-aba382af19b4",
"signatures": [
{
"active": true,
"category": "malware",
"createTime": "2015-03-03 14:45:03 (UTC)",
"domainName": "mail-google.com.co",
"release": {
"antivirus": {
"firstReleaseTime": "2015-03-03 15:11:53 UTC",
"firstReleaseVersion": 1890,
"latestReleaseVersion": 0
},
"wildfire": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
}
},
"signatureId": 44101494,
"signatureName": "generic:mail-google.com.co"
},
{
"active": true,
"category": "malware",
"createTime": "2015-03-16 12:06:22 (UTC)",
"domainName": "www.google.com.shufaren.com.cn",
"release": {
"antivirus": {
"firstReleaseTime": "2015-03-16 15:13:36 UTC",
"firstReleaseVersion": 1903,
"latestReleaseVersion": 0
},
"wildfire": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
}
},
"signatureId": 45245562,
"signatureName": "generic:ogle.com.shufaren.com.cn"
},
{
"active": true,
"category": "malware",
"createTime": "2015-08-01 12:05:04 (UTC)",
"domainName": "verify.google.com.drive.viewdocument.buyers-exporters.com",
"release": {
"antivirus": {
"firstReleaseTime": "2015-08-01 15:12:15 UTC",
"firstReleaseVersion": 2055,
"latestReleaseVersion": 0
},
"wildfire": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
}
},
"signatureId": 60834054,
"signatureName": "generic:ent.buyers-exporters.com"
},
{
"active": true,
"category": "malware",
"createTime": "2015-08-01 12:05:05 (UTC)",
"domainName": "www.google.com-document-view.alibabatradegroup.com",
"release": {
"antivirus": {
"firstReleaseTime": "2015-08-01 15:12:15 UTC",
"firstReleaseVersion": 2055,
"latestReleaseVersion": 0
},
"wildfire": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
}
},
"signatureId": 60834216,
"signatureName": "generic:ew.alibabatradegroup.com"
},
{
"active": true,
"category": "malware",
"createTime": "2015-09-02 06:35:01 (UTC)",
"domainName": "accounts.google.com-sl.com",
"release": {
"antivirus": {
"firstReleaseTime": "2015-09-02 15:12:14 UTC",
"firstReleaseVersion": 2087,
"latestReleaseVersion": 0
},
"wildfire": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
}
},
"signatureId": 63218626,
"signatureName": "generic:counts.google.com-sl.com"
},
{
"active": true,
"category": "malware",
"createTime": "2015-10-10 23:06:14 (UTC)",
"domainName": "firstpagegoogle.com.au",
"release": {
"antivirus": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
},
"wildfire": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
}
},
"signatureId": 69081944,
"signatureName": "None:firstpagegoogle.com.au"
},
{
"active": true,
"category": "malware",
"createTime": "2015-10-17 17:26:42 (UTC)",
"domainName": "plus.google.com.sxn.us",
"release": {
"antivirus": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
},
"wildfire": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
}
},
"signatureId": 70722314,
"signatureName": "generic:plus.google.com.sxn.us"
},
{
"active": true,
"category": "malware",
"createTime": "2015-11-22 16:47:53 (UTC)",
"domainName": "chinagoogle.com.cn",
"release": {
"antivirus": {
"firstReleaseTime": "2015-11-22 15:10:51 UTC",
"firstReleaseVersion": 2178,
"latestReleaseVersion": 0
},
"wildfire": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
}
},
"signatureId": 82194404,
"signatureName": "generic:chinagoogle.com.cn"
},
{
"active": true,
"category": "malware",
"createTime": "2015-12-01 16:37:43 (UTC)",
"domainName": "google.com.im",
"release": {
"antivirus": {
"firstReleaseTime": "2015-12-01 15:11:36 UTC",
"firstReleaseVersion": 2191,
"latestReleaseVersion": 0
},
"wildfire": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
}
},
"signatureId": 83804135,
"signatureName": "generic:google.com.im"
},
{
"active": true,
"category": "malware",
"createTime": "2015-12-02 17:13:32 (UTC)",
"domainName": "documents.google.com.hjkeme3fxcncyygkfmsjvxsn.shhitmobil.com.ua",
"release": {
"antivirus": {
"firstReleaseTime": "2015-12-02 15:11:48 UTC",
"firstReleaseVersion": 2192,
"latestReleaseVersion": 0
},
"wildfire": {
"firstReleaseVersion": 0,
"latestReleaseVersion": 0
}
},
"signatureId": 84099818,
"signatureName": "generic:sjvxsn.shhitmobil.com.ua"
}
],
"status": "completed",
"total_count": 5385
}
}
}

Human Readable Output

Signature search is showing 10 of 5385 results:

| signatureId | signatureName | domainName | category |
| --- | --- | --- | --- |
| 44101494 | generic:mail-google.com.co | mail-google.com.co | malware |
| 45245562 | generic:ogle.com.shufaren.com.cn | www.google.com.shufaren.com.cn | malware |
| 60834054 | generic:ent.buyers-exporters.com | verify.google.com.drive.viewdocument.buyers-exporters.com | malware |
| 60834216 | generic:ew.alibabatradegroup.com | www.google.com-document-view.alibabatradegroup.com | malware |
| 63218626 | generic:counts.google.com-sl.com | accounts.google.com-sl.com | malware |
| 69081944 | None:firstpagegoogle.com.au | firstpagegoogle.com.au | malware |
| 70722314 | generic:plus.google.com.sxn.us | plus.google.com.sxn.us | malware |
| 82194404 | generic:chinagoogle.com.cn | chinagoogle.com.cn | malware |
| 83804135 | generic:google.com.im | google.com.im | malware |
| 84099818 | generic:sjvxsn.shhitmobil.com.ua | documents.google.com.hjkeme3fxcncyygkfmsjvxsn.shhitmobil.com.ua | malware |
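The three search commands and threatvault-signature-search-results form an asynchronous submit, poll, paginate workflow: a search is submitted with a from/to window and a search_request_id, polled until its status is "completed", and the window is advanced until total_count is exhausted (the DNS example above returns 10 of 5385 results per window). The block below is an added example, not the integration's or Palo Alto Networks' code, that drives that workflow end to end. FakeThreatVaultAPI is a constructed stand-in for the real service so the example runs offline; only the request and response field names (search_request_id, search_type, status, from, to, page_count, total_count, signatures) come from this page, and the sample signatures are made up.

```python
# Added example: submit / poll / paginate a Threat Vault signature search.
# FakeThreatVaultAPI simulates the service so this runs without network access.
import time
import uuid
from typing import Any, Dict, List

# Constructed sample data: 23 DNS signatures, enough to need three pages of 10.
SAMPLE_STORE: Dict[str, List[Dict[str, Any]]] = {
    "dns": [{"signatureId": i, "domainName": f"lookalike{i}.example", "category": "malware"}
            for i in range(23)],
    "panav": [],
    "ips": [],
}


class FakeThreatVaultAPI:
    """Stand-in for the search API: a search starts as 'submitted', turns
    'completed' after a few polls, and serves the [from, to) window fixed at
    submission time."""

    def __init__(self, store: Dict[str, List[Dict[str, Any]]], polls_until_done: int = 2):
        self.store = store
        self.polls_until_done = polls_until_done
        self.searches: Dict[str, Dict[str, Any]] = {}

    def submit(self, search_type: str, frm: int, to: int) -> Dict[str, Any]:
        rid = str(uuid.uuid4())
        self.searches[rid] = {"search_type": search_type, "from": frm, "to": to, "polls": 0}
        return {"search_request_id": rid, "search_type": search_type,
                "status": "submitted", "from": frm, "to": to}

    def results(self, rid: str, search_type: str) -> Dict[str, Any]:
        s = self.searches[rid]
        if s["search_type"] != search_type:
            # search_type must match the submitting command; refuse a mismatch
            # rather than hand back another search's data.
            raise ValueError(f"search {rid} was submitted as {s['search_type']!r}, "
                             f"not {search_type!r}")
        s["polls"] += 1
        if s["polls"] < self.polls_until_done:
            return {"search_request_id": rid, "status": "submitted"}
        matches = self.store[search_type]
        page = matches[s["from"]:s["to"]]
        return {"search_request_id": rid, "status": "completed", "search_type": search_type,
                "page_count": len(page), "total_count": len(matches), "signatures": page}


def wait_for_search(api: FakeThreatVaultAPI, rid: str, search_type: str,
                    max_polls: int = 10, delay: float = 0.0) -> Dict[str, Any]:
    """Poll until the search reports 'completed'. The bound matters in a
    playbook: a search that never completes must fail the task, not hang it."""
    status = "not polled"
    for _ in range(max_polls):
        r = api.results(rid, search_type)
        status = r["status"]
        if status == "completed":
            return r
        time.sleep(delay)
    raise TimeoutError(f"search {rid} still {status!r} after {max_polls} polls")


def fetch_all(api: FakeThreatVaultAPI, search_type: str,
              page_size: int = 10, max_polls: int = 10) -> List[Dict[str, Any]]:
    """Walk every [from, to) window until total_count is exhausted.
    The page_count == 0 check prevents an endless loop if the service reports
    a total_count larger than what it actually serves."""
    collected: List[Dict[str, Any]] = []
    frm = 0
    while True:
        sub = api.submit(search_type, frm, frm + page_size)
        r = wait_for_search(api, sub["search_request_id"], search_type, max_polls)
        collected.extend(r["signatures"])
        frm += page_size
        if r["page_count"] == 0 or frm >= r["total_count"]:
            break
    return collected


if __name__ == "__main__":
    api = FakeThreatVaultAPI(SAMPLE_STORE, polls_until_done=3)
    sigs = fetch_all(api, "dns")
    print(f"collected {len(sigs)} of {len(SAMPLE_STORE['dns'])} DNS signatures")
```

In a real playbook the same shape applies: a loop task re-runs threatvault-signature-search-results until ThreatVault.Search.status is "completed", and the from/to arguments of the next search are advanced by the page size until ThreatVault.Search.total_count is reached.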