Configure WildFire Analysis

Learn how to configure WildFire analysis, on which AutoFocus integration and the WildFire Report depend.
Data Security leverages the WildFire service to detect known and unknown malware in supported file types. To provide you the visibility you need, Data Security integrates with WildFire by using a predefined data pattern. This process is known as WildFire analysis.
To enable WildFire analysis:
After you configure WildFire analysis, if WildFire detects malware on an asset, WildFire informs both Data Security and AutoFocus, and both services flag the asset as a risk. From there, you can track down threats using the following methods:
  • WildFire Report—If your SOC team does not have an AutoFocus subscription, use the WildFire Report in Data Security. Simply configure WildFire analysis to send files to WildFire, then analyze the report.
  • AutoFocus—If your SOC team has an AutoFocus subscription, your global administrator sees threats in AutoFocus. Simply configure WildFire analysis to send files to WildFire and enable AutoFocus integration so that WildFire can send the necessary contextual information, then analyze the data in AutoFocus.

Enable File Types

Data Security enables you to submit files of specific file type categories to WildFire for analysis, classification, and reporting. However, by default, Data Security does not submit any files for processing: you control which file type categories apply to the WildFire service.
If you have privacy concerns about sharing a specific file type category, don’t select that file category in Data Security.
Data Security supports specific file type categories; the file types listed in parentheses in the SaaS Security web interface are examples.
If, after enabling file types, you do not see the assets you expect in AutoFocus, consider AutoFocus behaviors.
  1. Log in to SaaS Security. Go to Settings > Scan Settings > WildFire Analysis.
  2. Locate the WildFire Analysis toggle and verify that WildFire is enabled.
     If any of your policies use the WildFire data pattern, you must remove the data pattern from those policies before you can disable WildFire analysis.
     By default, Data Security enables the WildFire analysis data pattern, but it’s possible that your organization disabled it previously.
  3. Select the Files to Submit.
  4. After selecting the files, go to Action > Enable.
     Data Security logs any file type changes in the audit logs. If you want your changes to apply retroactively, initiate a rescan.

Enable Contextual Information

In addition to sending files to WildFire, Data Security enables you to send contextual information with the file so that your global administrator has the necessary context in AutoFocus, in addition to the WildFire verdict, to determine and investigate threats. By default, Data Security does not send contextual information to WildFire.
Palo Alto Networks recommends that you enable all contextual information whether or not you have an AutoFocus subscription: Data Security enables you to send your files to WildFire with contextual information—even if your SOC team does not currently have an AutoFocus subscription. If you later subscribe to AutoFocus, you’ll find context for all the Data Security files that WildFire scanned.
If, after enabling contextual information, you do not see the contextual information you expect in AutoFocus, consider AutoFocus behaviors.
  1. Before you begin: Enable File Types.
  2. Log in to SaaS Security. Go to Settings > Scan Settings > WildFire Analysis.
  3. Specify the Contextual Information you want the WildFire service to send to AutoFocus.
     • Cloud App—Name of the SaaS application that you specified when you onboarded the app. For example, Box - HR or Box - HQ.
     • File URL—The file path in Data Security.
     • Timestamp—The latest update time on the file.
     • File Directory Path—The parent folder level.
     • User ID—The email address or username of the file creator.
  4. After selecting the files, go to Action > Enable.
     Data Security logs any changes to contextual information in the audit logs. If you want your changes to apply retroactively, initiate a rescan.

Configure Policies for WildFire Analysis

This feature is currently not available in the Cloud Management Console.
Data Security integrates with WildFire by using a predefined data pattern and a predefined policy rule (WildFire).
  1. Log in to SaaS Security.
  2. Specify the WildFire Data Pattern or the Malware Data Profile as match criteria in your policies for your DLP service.
     If you forget to specify the data pattern or data profile, your match results will not be accurate—they will include a large number of false positives.

Monitor Malware Scanning

Data Security enables you to track malware scanning for all file types configured for WildFire analysis. When you View Asset Details for such files, Data Security displays a malware scan status.
  1. Log in to SaaS Security.
  2. To monitor malware scanning, go to Data Security > Incidents.
  3. Click the data asset you want to monitor. It is now displayed under the Data Assets tab.
  4. Select the asset you want to monitor. Observe the Malware Verdict in the Details pane.
     1. Observe the Malware Status.
       • Pending Analysis—Data Security is waiting for WildFire to analyze the file and return a verdict.
       • Analyzed—WildFire analyzed the file and returned a verdict.
       • Not Analyzed—WildFire did not analyze the file; an information icon next to the status displays an explanation. The most common reason for Not Analyzed is that the file type belongs to a file type category that WildFire analysis does not support.
       • File Unavailable—The file is unavailable to Data Security, for example, because the cloud app quarantined it.
  5. If WildFire detected malware, do one of the following:
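As an added example (not the product's own code, export format or API), the following Python helper triages a batch of asset records carrying the four Malware Status values described above. The record field names (`name`, `malware_status`, `malware_verdict`, `status_reason`) and the sample records are constructed for the example. The point it makes is the one the status list implies: only an Analyzed asset has a verdict, so Not Analyzed and File Unavailable assets are scan-coverage gaps to follow up on, not clean results.

```python
"""Triage helper for Data Security malware scan statuses (added example).

Assumes asset records as dicts with the constructed keys 'name',
'malware_status', 'malware_verdict' and 'status_reason'. These field
names are an assumption for the example, not the product's schema.
"""
from collections import Counter

# The four Malware Status values the documentation describes.
PENDING = "Pending Analysis"
ANALYZED = "Analyzed"
NOT_ANALYZED = "Not Analyzed"
UNAVAILABLE = "File Unavailable"
KNOWN_STATUSES = {PENDING, ANALYZED, NOT_ANALYZED, UNAVAILABLE}

# Constructed sample records, not real scan output.
SAMPLE_ASSETS = [
    {"name": "q3-budget.xlsx", "malware_status": ANALYZED,
     "malware_verdict": "benign", "status_reason": ""},
    {"name": "invoice.pdf.exe", "malware_status": ANALYZED,
     "malware_verdict": "malware", "status_reason": ""},
    {"name": "archive.tar.xz", "malware_status": NOT_ANALYZED,
     "malware_verdict": None, "status_reason": "unsupported file type category"},
    {"name": "onboarding.docx", "malware_status": PENDING,
     "malware_verdict": None, "status_reason": ""},
    {"name": "quarantined.zip", "malware_status": UNAVAILABLE,
     "malware_verdict": None, "status_reason": "quarantined by cloud app"},
    {"name": "weird.bin", "malware_status": "Unknown",
     "malware_verdict": None, "status_reason": ""},
]


def triage(assets):
    """Group assets by Malware Status and separate the ones needing follow-up.

    Returns a dict with:
      counts       - number of assets per Malware Status value
      malicious    - Analyzed assets whose verdict is malware (act on these)
      coverage_gap - Not Analyzed / File Unavailable assets with the reason,
                     i.e. files for which no verdict exists at all
      pending      - assets still waiting on a WildFire verdict
      unexpected   - records whose status is not one of the documented values
    """
    result = {"counts": Counter(), "malicious": [], "coverage_gap": [],
              "pending": [], "unexpected": []}
    for asset in assets:
        status = asset.get("malware_status")
        result["counts"][status] += 1
        if status == ANALYZED:
            # Only an Analyzed asset carries a verdict worth acting on.
            if (asset.get("malware_verdict") or "").lower() == "malware":
                result["malicious"].append(asset["name"])
        elif status in (NOT_ANALYZED, UNAVAILABLE):
            # No verdict: treat as a gap in scan coverage, not as clean.
            reason = asset.get("status_reason") or "no reason given"
            result["coverage_gap"].append((asset["name"], status, reason))
        elif status == PENDING:
            result["pending"].append(asset["name"])
        else:
            # Anything outside the documented values deserves a look.
            result["unexpected"].append(asset["name"])
    return result


def report(assets):
    """Render the triage as plain text lines for an on-call engineer."""
    t = triage(assets)
    lines = [f"{status}: {n}" for status, n
             in sorted(t["counts"].items(), key=lambda kv: str(kv[0]))]
    lines += [f"MALWARE  {name}" for name in t["malicious"]]
    lines += [f"NO VERDICT  {name} ({status}: {reason})"
              for name, status, reason in t["coverage_gap"]]
    lines += [f"PENDING  {name}" for name in t["pending"]]
    lines += [f"UNEXPECTED STATUS  {name}" for name in t["unexpected"]]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ASSETS)))
```

Run as a script it prints the per-status counts followed by the follow-up lists; in practice you would feed it the asset records you retrieve from the Data Assets view and schedule it so that a growing Pending Analysis or Not Analyzed list is noticed rather than assumed to be benign.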
