XDM_CONST.THREAT_CATEGORY

Cortex Data Model Schema Guide

Product
Cortex XSIAM
Last date published
2024-11-27
Category
XSIAM Data Model Schema

The threat's category, see https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/threat-signatures.html

Original

Mapped

Description

apk

XDM_CONST.THREAT_CATEGORY_APK

Malicious Android Application (APK) files.

dmg

XDM_CONST.THREAT_CATEGORY_DMG

Malicious Apple disk image (DMG) files, that are used with Mac OS X.

flash

XDM_CONST.THREAT_CATEGORY_FLASH

Adobe Flash applets and Flash content embedded in web pages.

java-class

XDM_CONST.THREAT_CATEGORY_JAVA_CLASS

Java applets (JAR/class file types).

macho

XDM_CONST.THREAT_CATEGORY_MACHO

Mach object files (Mach-O) are executables, libraries, and object code that are native to Mac OS X.

office

XDM_CONST.THREAT_CATEGORY_OFFICE

Microsoft Office files, including documents (DOC, DOCX, RTF), workbooks (XLS, XLSX), and PowerPoint presentations (PPT, PPTX).

openoffice

XDM_CONST.THREAT_CATEGORY_OPENOFFICE

Office Open XML (OOXML) 2007+ documents.

pdf

XDM_CONST.THREAT_CATEGORY_PDF

Portable Document Format (PDF) files.

pe

XDM_CONST.THREAT_CATEGORY_PE

Portable executable (PE) files can automatically execute on a Microsoft Windows system and should be only allowed when authorized. These files types include: Object code, Fonts (FONs), System files (SYS), Driver files (DRV), Windows control panel items (CPLs), DLLs (dynamic-link libraries), OCXs (libraries for OLE custom controls, or ActiveX controls), SCRs (scripts that can be used to execute other files), Extensible Firmware Interface (EFI) files, which run between an OS and firmware in order to facilitate, device updates and boot operations, Program information files (PIFs).

pkg

XDM_CONST.THREAT_CATEGORY_PKG

Apple software installer packages (PKGs), used with Mac OS X.

adware

XDM_CONST.THREAT_CATEGORY_ADWARE

Detects programs that display potentially unwanted advertisements. Some adware modifies browsers to highlight and hyperlink the most frequently searched keywords on web pages-these links redirect users to advertising websites. Adware can also retrieve updates from a command-and-control (C2) server and install those updates in a browser or onto a client system. Newly-released protections in this category are rare.

autogen

XDM_CONST.THREAT_CATEGORY_AUTOGEN

These payload-based signatures detect command-and-control (C2) traffic and are automatically-generated. Importantly, autogen signatures can detect C2 traffic even when the C2 host is unknown or changes rapidly.

backdoor

XDM_CONST.THREAT_CATEGORY_BACKDOOR

Detects a program that allows an attacker to gain unauthorized remote access to a system.

botnet

XDM_CONST.THREAT_CATEGORY_BOTNET

Indicates botnet activity. A botnet is a network of malware-infected computers (“bots”) that an attacker controls. The attacker can centrally command every computer in a botnet to simultaneously carry out a coordinated action (like launching a DoS attack, for example).

browser-hijack

XDM_CONST.THREAT_CATEGORY_BROWSER_HIJACK

Detects a plugin or software that is modifying browser settings. A browser hijacker might take over auto search or track users’ web activity and send this information to a C2 server. Newly-released protections in this category are rare.

cryptominer

XDM_CONST.THREAT_CATEGORY_CRYPTOMINER

(Sometimes known as cryptojacking or miners) Detects the download attempt or network traffic generated from malicious programs designed to use computing resources to mine cryptocurrencies without the user's knowledge. Cryptominer binaries are frequently delivered by a shell script downloader that attempts to determine system architecture and kill other miner processes on the system. Some miners execute within other processes, such as a web browser rendering a malicious web page.

data-theft

XDM_CONST.THREAT_CATEGORY_DATA_THEFT

Detects a system sending information to a known C2 server. Newly-released protections in this category are rare.

dns

XDM_CONST.THREAT_CATEGORY_DNS

Detects DNS requests to connect to malicious domains. dns and dns-wildfire signatures detect the same malicious domains; however, dns signatures are included in the daily Antivirus content update and dns-wildfire signatures are included in the WildFire updates that release protections every 5 minutes.

dns-security

XDM_CONST.THREAT_CATEGORY_DNS_SECURITY

Detects DNS requests to connect to malicious domains. dns-security includes signatures from dns and dns-wildfire in addition to the unique signatures generated by the DNS Security service.

dns-wildfire

XDM_CONST.THREAT_CATEGORY_DNS_WILDFIRE

Detects DNS requests to connect to malicious domains.dns and dns-wildfire signatures detect the same malicious domains; however, dns signatures are included in the daily Antivirus content update and dns-wildfire signatures are included in the WildFire updates that release protections every 5 minutes.

downloader

XDM_CONST.THREAT_CATEGORY_DOWNLOADER

(Also known as droppers, stagers, or loaders) Detects programs that use an internet connection to connect to a remote server to download and execute malware on the compromised system. The most common use case is for a downloader to be deployed as the culmination of stage one of a cyber attack, where the downloader’s fetched payload execution is considered second stage. Shell scripts (Bash, PowerShell, etc.), trojans, and malicious lure documents (also known as maldocs) such as PDFs and Word files are common downloader types.

fraud

XDM_CONST.THREAT_CATEGORY_FRAUD

(Including form-jacking, phishing, and scams) Detects access to compromised websites that have been determined to be injected with malicious JavaScript code to collect sensitive user information. (for example, Name, address, email, credit card number, CVV, expiration date) from payment forms that are captured on the checkout pages of e-commerce websites.

hacktool

XDM_CONST.THREAT_CATEGORY_HACKTOOL

Detects traffic generated by software tools that are used by malicious actors to conduct reconnaissance, attack or gain access to vulnerable systems, exfiltrate data, or create a command and control channel to surreptitiously control a computer system without authorization. These programs are strongly associated with malware and cyber attacks. Hacking tools might be deployed in a benign manner when used in Red and Blue Team operations, penetration tests, and R&D. The use or possession of these tools may be illegal in some countries, regardless of intent.

keylogger

XDM_CONST.THREAT_CATEGORY_KEYLOGGER

Detects programs that allow attackers to secretly track user activity, by logging keystrokes and capturing screenshots. Keyloggers use various C2 methods to periodically sends logs and reports to a predefined e-mail address or a C2 server. Through keylogger surveillance, an attacker could retrieve credentials that would enable network access.

networm

XDM_CONST.THREAT_CATEGORY_NETWORM

Detects a program that self-replicates and spreads from system to system. Net-worms might use shared resources or leverage security failures to access target systems.

phishing-kit

XDM_CONST.THREAT_CATEGORY_PHISHING_KIT

Detects when a user attempts to connect to a phishing kit landing page (likely after receiving an email with a link to the malicious site). A phishing website tricks users into submitting credentials that an attacker can steal to gain access to the network. in addition to blocking access to phishing kit landing pages, enable Multi-Factor Authentication and Prevent Credential Phishing to prevent phishing attacks at all stages.

post-exploitation

XDM_CONST.THREAT_CATEGORY_POST_EXPLOITATION

Detects activity that indicates the post-exploitation phase of an attack, where an attacker attempts to assess the value of a compromised system. This might include evaluating the sensitivity of the data stored on the system, and the system’s usefulness in further compromising the network.

webshell

XDM_CONST.THREAT_CATEGORY_WEBSHELL

Detects web shells and web shell traffic, including implant detection and command and control interaction. Web shells must first be implanted by a malicious actor onto the compromised host, most often targeting a web server or framework. Subsequent communication with the web shell file frequently enables a malicious actor to establish a foothold in the system, conduct service and network enumeration, data exfiltration, and remote code execution in the context of the web server user. The most common web shell types are PHP, .NET, and Perl markup scripts. Attackers can also use web shell-infected web servers (the web servers can be both internet-facing or internal systems) to target other internal systems.

spyware

XDM_CONST.THREAT_CATEGORY_SPYWARE

Detect outbound C2 communication. These signatures are either auto-generated or are manually created by Palo Alto Networks researchers. Spyware and autogen signatures both detect outbound C2 communication; however, autogen signatures are payload-based and can uniquely detect C2 communications with C2 hosts that are unknown or change rapidly.

brute force

XDM_CONST.THREAT_CATEGORY_BRUTE_FORCE

A brute-force signature detects multiple occurrences of a condition in a particular time frame. While the activity in isolation might be benign, the brute-force signature indicates that the frequency and rate at which the activity occurred is suspect. For example, a single FTP login failure does not indicate malicious activity. However, many failed FTP logins in a short period likely indicate an attacker attempting password combinations to access an FTP server. You can tune the action and trigger conditions for brute force signatures.

code execution

XDM_CONST.THREAT_CATEGORY_CODE_EXECUTION

Detects a code execution vulnerability that an attacker can leverage to run code on a system with the privileges of the logged-in user.

code-obfuscation

XDM_CONST.THREAT_CATEGORY_CODE_OBFUSCATION

Detects code that has been transformed to conceal certain data while retaining its function. Obfuscated code is difficult or impossible to read, so it’s not apparent what commands the code is executing or with which programs its designed to interact. Most commonly, malicious actors obfuscate code to conceal malware. More rarely, legitimate developers might obfuscate code to protect privacy, intellectual property, or to improve user experience. For example, certain types of obfuscation (like minification) reduce file size, which decreases website load times and bandwidth usage.

dos

XDM_CONST.THREAT_CATEGORY_DOS

Detects a denial-of-service (DoS) attack, where an attacker attempts to render a targeted system unavailable, temporarily disrupting the system and dependent applications and services. To perform a DoS attack, an attacker might flood a targeted system with traffic or send information that causes it to fail. DoS attacks deprive legitimate users (like employees, members, and account holders) of the service or resource to which they expect access.

exploit-kit

XDM_CONST.THREAT_CATEGORY_EXPLOIT_KIT

Detects an exploit kit landing page. Exploit kit landing pages often contain several exploits that target one or many common vulnerabilities and exposures (CVEs), for multiple browsers and plugins. Because the targeted CVEs change quickly, exploit-kit signatures trigger based on the exploit kit landing page, and not the CVEs. When a user visits a website with an exploit kit, the exploit kit scans for the targeted CVEs and attempts to silently deliver a malicious payload to the victim’s computer.

info-leak

XDM_CONST.THREAT_CATEGORY_INFO_LEAK

Detects a software vulnerability that an attacker could exploit to steal sensitive or proprietary information. Often, an info-leak might exist because comprehensive checks do not exist to guard the data, and attackers can exploit info-leaks by sending crafted requests.

insecure-credentials

XDM_CONST.THREAT_CATEGORY_INSECURE_CREDENTIALS

Detects the use of weak, compromised, and manufacturer default passwords for software, network appliances, and IoT devices.

overflow

XDM_CONST.THREAT_CATEGORY_OVERFLOW

Detects an overflow vulnerability, where a lack of proper checks on requests could be exploited by an attacker. A successful attack could lead to remote code execution with the privileges of the application, server or operating system.

phishing

XDM_CONST.THREAT_CATEGORY_PHISHING

Detects when a user attempts to connect to a phishing kit landing page (likely after receiving an email with a link to the malicious site). A phishing website tricks users into submitting credentials that an attacker can steal to gain access to the network. In addition to blocking access to phishing kit landing pages, enable Multi-Factor Authentication and Prevent Credential Phishing to prevent phishing attacks at all stages.

protocol-anomaly

XDM_CONST.THREAT_CATEGORY_PROTOCOL_ANOMALY

Detects protocol anomalies, where a protocol behavior deviates from standard and compliant usage. For example, a malformed packet, poorly-written application, or an application running on a non-standard port would all be considered protocol anomalies, and could be used as evasion tools. It is a best practice to block protocol anomalies of any severity.

sql-injection

XDM_CONST.THREAT_CATEGORY_SQL_INJECTION

Detects a common hacking technique where an attacker inserts SQL queries into an application’s requests, in order to read from or modify a database. This type of technique is often used on websites that do not comprehensively sanitize user input.