Track Down Threats with WildFire Report

Learn how to use the WildFire report on Data Security to investigate potentially malicious files in your monitored SaaS applications.

Data Security leverages the WildFire service to detect known and unknown malware by file type. Together, the WildFire service and the AutoFocus threat intelligence service give more visibility into security risks; however, if your SOC team does not currently have an AutoFocus subscription, use the WildFire Report on Data Security to track down threats. Before Data Security can display a WildFire Report, you must configure WildFire analysis on Data Security.
If an asset in one of your monitored SaaS applications matches the WildFire Analysis rule, WildFire identifies the asset as malicious. Data Security reports this information in a WildFire Report, which includes:
  • Asset information
    —file information, including the hash, file type, and size.
  • WildFire static analysis
    —results of the machine learning capabilities of WildFire, which flag samples that contain characteristics of known malware.
  • WildFire dynamic analysis
    —details about the malicious host and network activity the file exhibited in the different WildFire sandbox environments.
  1. Open the WildFire Report for the asset.
     a. Select Explore > Assets.
     b. Locate and click the Item Name for the asset.
     c. Select Matching Data Patterns > WildFire Report.
        The WildFire Report displays only for assets with a WildFire Analysis rule violation.
  2. Review the WildFire Report to get context into the malware findings.
     You can download the report in XML or PDF format. The report contains the following sections:
     • WildFire Verdict
       —Displays details about the file, including the hash (SHA256), file type, and size. Additionally:
       • Report Incorrect Verdict
         —If you disagree with a WildFire verdict, send the WildFire team a request for further analysis. You receive an email notification directly from the WildFire team with the results and, if applicable, WildFire updates its verdict. The SaaS Security web interface does not currently reflect such verdict updates, so the verdict shown in the console can be stale. Until an integration that refreshes verdict updates automatically is available, contact SaaS Security Technical Support to manually refresh the verdict in the SaaS Security web interface.
       • VirusTotal Verdict
         —Displays a link to the VirusTotal analysis of the file. If the sample has never been submitted to VirusTotal, a file not found error displays; this means only that VirusTotal has no record of the hash, not that the file is benign.
     • Static Analysis
       —Leverages the machine learning capabilities of WildFire to display samples that contain characteristics of known malware.
     • Dynamic Analysis
       —Displays details about the malicious host and network activity that the file exhibited in the different WildFire sandbox environments.
  3. (AutoFocus Only) Retrieve additional malware threat intelligence using AutoFocus.
     If you enabled AutoFocus integration on Data Security, work with the global administrator on your SOC team to search AutoFocus for the artifact (such as the SHA256 hash) identified in the WildFire report.
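When you are triaging more than a handful of flagged assets, scripting over the downloaded XML reports is faster than reading each one in the console. The following Python example is added here and is not Palo Alto Networks code: it parses a WildFire XML report into the fields an analyst pivots on (SHA256, file-level verdict, verdict per sandbox platform, behaviours from the dynamic-analysis summary, and network indicators), builds the same VirusTotal lookup the report links to, and checks that a file retrieved from the SaaS application actually has the hash the report was generated for. The element names it reads (file_info, task_info/report, summary, network) are assumed from the published WildFire API XML report layout, so confirm them against a report you downloaded; the embedded sample report is constructed, with an invented hash, hostname and addresses.

```python
"""Triage helper for a WildFire XML report downloaded from the Data Security console.

Added example, not Palo Alto Networks code. Element names are assumed from the
published WildFire API XML report layout (file_info, task_info/report, summary,
network); adjust the paths below if your downloaded report differs.
"""
import hashlib
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample report: the hash, hostname and addresses are invented.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<wildfire>
  <file_info>
    <sha256>deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef</sha256>
    <filetype>PE</filetype>
    <size>73802</size>
    <malware>yes</malware>
  </file_info>
  <task_info>
    <report>
      <platform>2</platform>
      <software>Windows XP, Adobe Reader 9.3.3, Flash 10, Office 2007</software>
      <malware>yes</malware>
      <summary>
        <entry score="1.0" id="2">Created a file in the Windows system folder</entry>
        <entry score="0.5" id="7">Initiated a DNS query for a domain</entry>
      </summary>
      <network>
        <dns query="update.example.invalid" type="A" response="203.0.113.10"/>
        <TCP ip="203.0.113.10" port="443"/>
        <url host="update.example.invalid" uri="/gate.php" method="POST"/>
      </network>
    </report>
    <report>
      <platform>3</platform>
      <software>Windows 7 64-bit, Adobe Reader 11, Flash 11, Office 2010</software>
      <malware>no</malware>
      <summary/>
      <network/>
    </report>
  </task_info>
</wildfire>
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


@dataclass
class Triage:
    sha256: str
    filetype: str
    size: int
    verdict: str                                     # file-level: "malicious" or "benign"
    platforms: dict = field(default_factory=dict)    # sandbox software -> its own verdict
    behaviors: list = field(default_factory=list)    # (score, text) from malicious sandboxes
    indicators: list = field(default_factory=list)   # (kind, value) network IOCs


def _text(node, tag, default=""):
    child = node.find(tag)
    return (child.text or "").strip() if child is not None else default


def parse_wildfire_report(xml_text: str) -> Triage:
    """Pull the fields a SOC analyst pivots on out of a WildFire XML report."""
    root = ET.fromstring(xml_text)
    if root.tag != "wildfire":
        raise ValueError(f"unexpected root element <{root.tag}>")
    info = root.find("file_info")
    if info is None:
        raise ValueError("report has no <file_info> section")
    sha256 = _text(info, "sha256").lower()
    if not SHA256_RE.match(sha256):   # refuse to pivot on a malformed hash
        raise ValueError(f"malformed SHA256 in report: {sha256!r}")
    triage = Triage(sha256=sha256, filetype=_text(info, "filetype"),
                    size=int(_text(info, "size", "0")),
                    verdict="malicious" if _text(info, "malware") == "yes" else "benign")
    # One <report> per sandbox platform; verdicts can differ by environment,
    # so keep them separate rather than collapsing to the file-level verdict.
    for rep in root.iterfind("task_info/report"):
        is_malware = _text(rep, "malware") == "yes"
        triage.platforms[_text(rep, "software")] = "malicious" if is_malware else "benign"
        if not is_malware:
            continue
        for entry in rep.iterfind("summary/entry"):
            triage.behaviors.append((float(entry.get("score", "0")), (entry.text or "").strip()))
        for dns in rep.iterfind("network/dns"):
            triage.indicators.append(("dns", dns.get("query", "")))
        for conn in list(rep.iterfind("network/TCP")) + list(rep.iterfind("network/UDP")):
            triage.indicators.append((conn.tag.lower(), f"{conn.get('ip')}:{conn.get('port')}"))
        for url in rep.iterfind("network/url"):
            triage.indicators.append(("url", url.get("host", "") + url.get("uri", "")))
    # Same beacon seen in two sandboxes should be listed once; keep first-seen order.
    triage.indicators = list(dict.fromkeys(triage.indicators))
    return triage


def virustotal_url(sha256: str) -> str:
    """The pivot the report's VirusTotal link gives; a never-seen hash yields 'file not found'."""
    if not SHA256_RE.match(sha256.lower()):
        raise ValueError("refusing to build a URL from a malformed hash")
    return f"https://www.virustotal.com/gui/file/{sha256.lower()}"


def matches_report(triage: Triage, file_bytes: bytes) -> bool:
    """Confirm a file pulled from the SaaS app is the sample WildFire actually judged."""
    return hashlib.sha256(file_bytes).hexdigest() == triage.sha256
```

Run parse_wildfire_report on each downloaded report and feed the dns, tcp/udp and url indicators to your SIEM or firewall logs to find other hosts that talked to the same infrastructure; the per-platform verdicts tell you which sandbox environment actually detonated the sample, which is worth knowing when the file-level verdict is malicious but a newer platform reported benign.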
