Use the WildFire Report to Track Down Threats

If an asset in one of your monitored SaaS applications matches the WildFire Analysis rule, it means that WildFire has identified the asset as malicious. You can use the information in the corresponding WildFire Report to investigate the malware and the activities of the associated user on your network to determine whether the malware has taken hold within your network. Use the WildFire Report to track down potential threats on your network.
  1. In the matching data pattern section of the View Asset Details or Security Controls Incident Details, click WildFire Report (displays only for incidents that detail a WildFire Analysis rule violation).
  2. Review the WildFire Report to get context into the malware findings. You can download the report in XML or PDF format. This report contains the following sections:
    • WildFire Verdict—Displays details about the file, including the hash (SHA256), file type, and size. Additionally, the report provides a link to the VirusTotal Verdict, if available (this link displays a file not found error if the malware was not discovered by any other anti-malware vendor). If you disagree with a WildFire verdict, click Report Incorrect Verdict and send Palo Alto Networks a request for further analysis.
    • Static Analysis—Leverages the machine learning capabilities of WildFire to display samples that contain characteristics of known malware.
    • WildFire Dynamic Analysis—Displays details about the malicious host and network activity the file exhibited in the different WildFire sandbox environments.
  3. If you have an AutoFocus subscription, you can use the hash (SHA256) in the WildFire report to search AutoFocus for any existing threat intelligence about the malware. This will give you context into whether firewalls within your organization have detected the file and whether the file is prevalent in your industry or globally. Additionally, AutoFocus highlights high-risk WildFire report artifacts (such as a URL or filename), which enables you to quickly find and investigate the artifacts that are frequently associated with malware. In AutoFocus, you can also:
    • Search based on any artifact found in a WildFire report.
    • Set up alerts based on a hash or an artifact. You will then be notified whenever that hash or artifact is detected by WildFire (you can set the alert to trigger only for samples submitted from your network, only for global submissions, or for both).
  4. If you configured User-ID on your firewalls, you can generate a user activity report for the file owner or filter the logs by the file owner’s user name to see if you can identify any suspicious Traffic logs or Threat logs that might indicate that the malware has propagated.
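As an added example (not part of this documentation or of any Palo Alto Networks tool), the Python below takes the verdict fields from a constructed, simplified WildFire report excerpt (step 2) and then performs the step 4 check over constructed Threat log rows: it filters by the file owner and by the report's SHA256 and lists other users and hosts seen with the same hash, which is the propagation signal the step asks you to look for. The XML layout and the CSV column names are assumptions made for this example, not the product's exact export schema.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed SHA256 values; not hashes of real samples.
OWNER_HASH, OTHER_HASH = "0f" * 32, "e3" * 32

# Constructed, simplified report excerpt (assumed schema; the exported XML is richer).
WILDFIRE_REPORT_XML = f"""<wildfire>
  <file_info>
    <sha256>{OWNER_HASH}</sha256>
    <filetype>PE</filetype>
    <size>73728</size>
    <malware>yes</malware>
  </file_info>
</wildfire>"""

# Constructed Threat log rows exported as CSV, with an assumed subset of fields.
THREAT_LOG_CSV = f"""receive_time,src_user,src_ip,dst_ip,threat_name,filedigest,action
2024-01-10 09:12:01,corp\\alice,10.1.1.5,203.0.113.7,Virus/Win32.WGeneric,{OWNER_HASH},alert
2024-01-10 09:15:44,corp\\bob,10.1.1.9,203.0.113.7,Virus/Win32.WGeneric,{OTHER_HASH},block
2024-01-10 09:20:13,corp\\carol,10.1.1.12,198.51.100.4,Virus/Win32.WGeneric,{OWNER_HASH},block
"""

def parse_report(xml_text):
    """Pull the verdict-section fields a hunt needs out of the report XML."""
    info = ET.fromstring(xml_text).find("file_info")
    return {
        "sha256": info.findtext("sha256").lower(),
        "filetype": info.findtext("filetype"),
        "size": int(info.findtext("size")),
        "malicious": info.findtext("malware") == "yes",
    }

def find_related_events(log_csv, sha256, file_owner):
    """Threat log rows that carry the report's hash or belong to the file owner."""
    return [
        r for r in csv.DictReader(io.StringIO(log_csv))
        if r["filedigest"].lower() == sha256.lower()
        or r["src_user"].lower() == file_owner.lower()
    ]

def propagation_hosts(events, sha256, file_owner):
    """(user, src_ip) pairs other than the owner seen with the same hash: any
    entry here is evidence the malware has spread beyond the original owner."""
    return sorted({
        (r["src_user"], r["src_ip"]) for r in events
        if r["filedigest"].lower() == sha256.lower()
        and r["src_user"].lower() != file_owner.lower()
    })
```

With the constructed rows, the owner (corp\alice) and one other user (corp\carol) carry the report's hash, so propagation_hosts returns carol's host as the lead to investigate next.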