Threat signatures overview

Signature-based threat detection is one of the most commonly used mechanisms to identify malicious behavior, and is therefore widely used to prevent network attacks. Cloud Next Generation Firewall's threat detection capabilities are powered by Palo Alto Networks threat prevention technologies.

This section lists the default threat signatures, supported threat severity levels, and threat exceptions provided by Cloud NGFW in partnership with Palo Alto Networks.

Default signature set

Cloud NGFW provides a default set of threat signatures that help you safeguard your network workloads from threats. The signatures are used to detect vulnerabilities and spyware. To view all the threat signatures configured in Cloud NGFW, go to the threat vault. If you don't already have an account, sign up for a new account.

  • Vulnerability detection signatures detect attempts to exploit system flaws or gain unauthorized access to systems. While anti-spyware signatures help identify infected hosts when traffic leaves the network, vulnerability detection signatures safeguard against threats that penetrate the network.

    For example, vulnerability detection signatures help protect against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. The default vulnerability detection signatures provide detection for clients and servers from all known critical-, high-, and medium-severity threats along with any low- and informational-severity threats.

  • Anti-spyware signatures detect spyware on compromised hosts. Such spyware might try to contact external command-and-control (C2) servers.

  • Antivirus signatures detect viruses and malware found in executables and file types.

  • DNS signatures detect DNS requests to connect to malicious domains.

Each threat signature also has a default action associated with it. You can use security profiles to override the actions for these signatures, and reference these profiles as part of a security profile group in a firewall policy rule. If any configured threat signature is detected in the intercepted traffic, the firewall endpoint performs the corresponding action specified in the security profile on the matched packets.

Threat severity levels

A threat signature's severity indicates the risk of the detected event, and Cloud NGFW generates alerts for matching traffic. The following table summarizes the threat severity levels.

Critical: Serious threats that cause root compromise of servers. For example, threats that affect default installations of widely deployed software and for which exploit code is widely available to attackers. The attacker usually does not need any special authentication credentials or knowledge about the individual victims, and the target does not need to be manipulated into performing any special functions.
High: Threats that have the ability to become critical but where there are mitigating factors. For example, they might be difficult to exploit, don't result in elevated privileges, or don't have a large victim pool.
Medium: Minor threats in which impact is minimized and that don't compromise the target, or exploits that require an attacker to reside on the same local network as the victim. Such attacks affect only non-standard configurations or obscure applications, or they provide very limited access.
Low: Warning-level threats that have very little impact on an organization's infrastructure. Such threats usually require local or physical system access and can often result in victim privacy issues and information leaks.
Informational: Suspicious events that don't pose an immediate threat, but that are reported to indicate deeper problems that could possibly exist.

Threat exceptions

If you want to suppress or increase alerts on specific threat signature IDs, you can use security profiles to override the default actions associated with threats. You can find the threat signature IDs of existing threats detected by Cloud NGFW in your threat logs.

Cloud NGFW provides visibility on threats that are detected in your environment. To view threats detected in your network, see View threats.
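The override chain described above (a signature's default action, overridden by a security profile, which a policy rule reaches through its security profile group) and the use of threat logs to find signature IDs, as an added Python model that is not Cloud NGFW's own code: the threat IDs, severities, action names, log field names and the override precedence (threat ID before severity before default) are assumptions of this example.

```python
from dataclasses import dataclass, field

# Constructed signature catalogue: threat IDs, severities and default actions
# are placeholders, not real Cloud NGFW signature data.
SIGNATURES = {
    "sig-1001": ("critical", "deny"),
    "sig-2002": ("medium", "alert"),
    "sig-3003": ("informational", "allow"),
}
SEVERITIES = {"critical", "high", "medium", "low", "informational"}
ACTIONS = {"allow", "alert", "deny"}  # assumed action vocabulary


@dataclass
class ThreatPreventionProfile:
    """Simplified security profile: overrides keyed by threat ID or by severity."""
    threat_id_overrides: dict = field(default_factory=dict)
    severity_overrides: dict = field(default_factory=dict)

    def __post_init__(self):
        # Reject overrides that name unknown signatures, severities or actions.
        for tid, action in self.threat_id_overrides.items():
            if tid not in SIGNATURES or action not in ACTIONS:
                raise ValueError(f"bad threat-ID override {tid!r}: {action!r}")
        for sev, action in self.severity_overrides.items():
            if sev not in SEVERITIES or action not in ACTIONS:
                raise ValueError(f"bad severity override {sev!r}: {action!r}")


def resolve_action(profile: ThreatPreventionProfile, threat_id: str) -> str:
    """Action applied to traffic matching threat_id (assumed precedence:
    threat-ID override, then severity override, then signature default)."""
    severity, default_action = SIGNATURES[threat_id]
    if threat_id in profile.threat_id_overrides:
        return profile.threat_id_overrides[threat_id]
    return profile.severity_overrides.get(severity, default_action)


def threat_ids_from_logs(entries: list) -> dict:
    """Count threat IDs seen in threat log entries (the 'threat_id' field name is assumed)."""
    counts = {}
    for entry in entries:
        tid = entry.get("threat_id")
        if tid:
            counts[tid] = counts.get(tid, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed log records standing in for Cloud NGFW threat log entries.
    logs = [{"threat_id": "sig-2002"}] * 3 + [{"threat_id": "sig-1001"}]
    print(threat_ids_from_logs(logs))  # which signatures are firing, and how often
    profile = ThreatPreventionProfile(
        threat_id_overrides={"sig-2002": "allow"},       # suppress one noisy signature
        severity_overrides={"informational": "alert"},   # raise visibility of informational hits
    )
    for tid in SIGNATURES:
        print(tid, resolve_action(profile, tid))
```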

Content update frequency

Cloud NGFW automatically updates all signatures without any user intervention, enabling you to focus on analyzing and resolving threats without managing or updating signatures.

Updates from Palo Alto Networks are picked up by Cloud NGFW and pushed to all the existing firewall endpoints. Update latency is estimated to be up to 48 hours.

View logs

Several features of Cloud NGFW generate alerts, which are sent to the threat log. For more information about logging, see Cloud Logging.
