WildFire Incidents
Learn about WildFire incidents in Strata Cloud Manager.

| Where Can I Use This? | What Do I Need? |
|---|---|
| | One of the following licenses: |
The WildFire® incidents integration for the Unified Incidents Framework surfaces findings from WildFire analysis as incidents that you can monitor and track from a single view. The integration lets WildFire publish informational alerts through a centralized pipeline while giving you granular control over which objects trigger notifications. Within this framework, integrated products such as WildFire do not publish incidents directly; the Unified Incidents Framework consumes their alerts and converts them into incidents, often aggregating multiple related alerts into a single incident to streamline visibility and response. By default, Strata Cloud Manager suppresses all WildFire incident codes so that your queue stays relevant until you explicitly raise alerts for specific resources.
WildFire incidents use a suppress-by-default model. Strata Cloud Manager does
not raise alerts or generate incidents for any WildFire incident code until you
explicitly configure it to do so, preventing your incident queue from populating with
irrelevant findings. Each incident code carries specific metadata that defines available
configuration options, meaning default behavior and supported actions can vary across
incident codes.
To receive incidents for a specific WildFire finding, you must create a custom setting for that incident code that defines the following:
- Explicit object selection—You must select the specific objects (such as devices, zones, or other managed resources) for which you want the system to raise incidents. Unlike incident settings for other products, the WildFire integration does not support object wildcards, so alerting stays scoped to the resources you identify.
- Notification profiles—You can attach a notification profile to a custom setting so your team receives alerts through email or other configured channels when a new incident is raised.
Here are the WildFire incident codes supported on Strata Cloud Manager:
- INC_WF_NOTIFICATION_BENIGN: Raised when a WildFire report from a registered device returns a benign verdict.
- INC_WF_NOTIFICATION_GRAYWARE: Raised when a WildFire report from a registered device returns a grayware verdict.
- INC_WF_NOTIFICATION_MALWARE: Raised when a WildFire report from a registered device returns a malware verdict.
- INC_WF_NOTIFICATION_PHISHING: Raised when a WildFire report from a registered device returns a phishing verdict.
Alert Processing and Correlation
When WildFire identifies a condition matching an active custom setting, it
publishes an alert containing the relevant resource keys and the identifier of the
applicable custom setting. The correlation engine uses these resource keys alongside
unified incidents framework metadata to resolve the correct custom or default
setting before generating the incident. This ensures each incident is associated
with the appropriate configuration, even in environments where multiple custom
settings exist for the same incident code across different sets of objects.
Incident Lifecycle and Auto-Clear Behavior
WildFire informational incidents are observations, not ongoing issues that require remediation. Consequently, they are managed through a distinct lifecycle.
- Automated clearing—After a defined period, WildFire automatically clears the alert, which in turn clears the corresponding incident in Strata Cloud Manager.
- Manual clearing disabled—The metadata for informational incident codes specifies that you cannot manually clear WildFire informational incidents.
- Notification behavior—When an incident is auto-cleared, the system does not send a notification for the clear event. However, if a new alert associates with an existing incident before it clears, the system triggers notifications for the new alert.
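To make the suppress-by-default rule, the explicit-object custom settings, the correlation step and the auto-clear lifecycle described above concrete, here is a small Python model of that flow. It is an added illustration written for this page, not Strata Cloud Manager or WildFire code, and it exposes no real API. The class and method names (`CustomSetting`, `IncidentFramework`, `wildfire_verdict`, `ingest`, `tick`, `manual_clear`), the device names, the assumption that an object belongs to at most one setting per incident code, and the fixed auto-clear window are all assumptions made for the example.

```python
# Illustrative model (not Strata Cloud Manager code) of how WildFire alerts become
# incidents under a suppress-by-default, explicit-object custom-setting policy.
from dataclasses import dataclass, field

# Incident codes listed on this page.
WILDFIRE_CODES = {
    "INC_WF_NOTIFICATION_BENIGN",
    "INC_WF_NOTIFICATION_GRAYWARE",
    "INC_WF_NOTIFICATION_MALWARE",
    "INC_WF_NOTIFICATION_PHISHING",
}


@dataclass(frozen=True)
class CustomSetting:
    """One incident code, an explicit object list, and an optional notification profile."""
    setting_id: str
    incident_code: str
    objects: frozenset            # explicit object names (e.g. device identifiers)
    notification_profile: str = None

    def __post_init__(self):
        if self.incident_code not in WILDFIRE_CODES:
            raise ValueError(f"unknown WildFire incident code {self.incident_code}")
        # WildFire settings do not support object wildcards; reject them up front.
        if not self.objects or any("*" in o for o in self.objects):
            raise ValueError("select explicit objects; wildcards are not supported")


@dataclass
class Alert:
    incident_code: str
    resource_key: str   # the object the finding concerns
    setting_id: str     # identifier of the custom setting that matched
    ts: float


@dataclass
class Incident:
    incident_code: str
    setting_id: str
    resource_key: str
    alerts: list = field(default_factory=list)
    cleared: bool = False


class IncidentFramework:
    def __init__(self, auto_clear_after: float):
        # Assumption: an incident auto-clears once its newest alert is this old.
        self.auto_clear_after = auto_clear_after
        self.settings = {}        # setting_id -> CustomSetting
        self.incidents = {}       # (code, setting_id, resource_key) -> Incident
        self.notifications = []   # (profile, incident key, ts) sent so far

    def add_setting(self, setting: CustomSetting) -> None:
        self.settings[setting.setting_id] = setting

    def wildfire_verdict(self, device: str, verdict: str, ts: float):
        """WildFire side: publish an alert only if an active custom setting matches."""
        code = f"INC_WF_NOTIFICATION_{verdict.upper()}"
        if code not in WILDFIRE_CODES:
            raise ValueError(f"no incident code for verdict {verdict!r}")
        matches = [s for s in self.settings.values()
                   if s.incident_code == code and device in s.objects]
        if not matches:
            return None   # suppress-by-default: nothing raised, nothing queued
        # Assumption: an object belongs to at most one setting per incident code.
        return self.ingest(Alert(code, device, matches[0].setting_id, ts))

    def ingest(self, alert: Alert) -> Incident:
        """Framework side: resolve the setting from the alert's keys, then create or extend."""
        setting = self.settings[alert.setting_id]
        if alert.resource_key not in setting.objects:
            raise LookupError("resource key does not belong to the referenced setting")
        key = (alert.incident_code, alert.setting_id, alert.resource_key)
        incident = self.incidents.get(key)
        if incident is None or incident.cleared:
            incident = Incident(alert.incident_code, alert.setting_id, alert.resource_key)
            self.incidents[key] = incident
        incident.alerts.append(alert)   # related alerts aggregate into one incident
        if setting.notification_profile:
            # A new alert notifies even when it joins an already open incident.
            self.notifications.append((setting.notification_profile, key, alert.ts))
        return incident

    def tick(self, now: float) -> list:
        """Auto-clear aged incidents; no notification is sent for the clear event."""
        cleared = []
        for key, inc in self.incidents.items():
            if not inc.cleared and now - inc.alerts[-1].ts >= self.auto_clear_after:
                inc.cleared = True
                cleared.append(key)
        return cleared

    def manual_clear(self, key) -> None:
        """Informational WildFire incidents cannot be cleared by an operator."""
        raise PermissionError("WildFire informational incidents cannot be cleared manually")


def demo():
    """Constructed scenario (device names are made up); returns the framework."""
    fw = IncidentFramework(auto_clear_after=3600)
    fw.add_setting(CustomSetting("cs-1", "INC_WF_NOTIFICATION_MALWARE",
                                 frozenset({"device-A"}), "soc-email"))
    fw.add_setting(CustomSetting("cs-2", "INC_WF_NOTIFICATION_MALWARE",
                                 frozenset({"device-C"})))
    fw.wildfire_verdict("device-A", "malware", ts=0)      # raises an incident
    fw.wildfire_verdict("device-B", "malware", ts=5)      # suppressed: not selected
    fw.wildfire_verdict("device-A", "benign", ts=10)      # suppressed: no setting
    fw.wildfire_verdict("device-A", "malware", ts=600)    # joins the open incident
    fw.wildfire_verdict("device-C", "malware", ts=700)    # resolves to cs-2
    fw.tick(now=600 + 3600)                               # clears device-A incident
    return fw
```

Running `demo()` leaves two incidents: the device-A one holds two aggregated alerts, produced two notifications to the `soc-email` profile, and is auto-cleared by the `tick` call without any clear notification; the device-C one resolved to `cs-2` even though both settings carry the same incident code. Alerts for an unselected device and for a code with no setting produce nothing, and a malware verdict on device-A after the clear opens a fresh incident rather than reviving the cleared one.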
Custom Settings Dialog and Notifications
WildFire informational incidents are temporary, so their configurations
within the unified incidents framework are simplified; for instance, options like
time-range suppression are not available in the custom settings dialog. Furthermore,
email notifications for WildFire incidents use tailored templates that reflect the
specific content and context of the WildFire findings, resulting in a format
distinct from notifications generated by other products within the unified incidents
framework.