Sample Analysis
View static and dynamic analysis of file samples to identify
malware, investigate trends, and create reports.
Cortex XSOAR Sample Analysis tools enable you to conduct in-depth investigations and analyses of file samples. File samples are run and analyzed using Palo Alto Networks' WildFire cloud-based threat analysis service, and you can view dynamic analysis of observed behavior, static analysis of the file contents, and related sessions and submissions.

For example, you have an incident with an extracted file indicator. The Unit 42 Intel tab shows the file's behavior. You scroll through the sample's behavior and see a suspicious behavior: Powershell.exe wrote to a file in the Administrator's User folder, named 443.exe. You want to find other samples with the same behavior, and to determine if they are related to a known adversary or malware, so you add that specific behavior to your search. When you run the search, you see that this behavior is associated with Emotet, a known banking trojan (malware). You have identified your original file sample as part of a larger threat campaign and you can now take steps to remediate.
The Unit 42 Intel tab for a file sample includes:
- WildFire Dynamic Analysis - Observed Behavior: A high-level overview of the behavior observed when the file was run in the WildFire sandbox. Examples might include potentially malicious behaviors such as connecting to a potentially vulnerable port or creating an executable file in the Windows folder, as well as behaviors frequently performed by legitimate software, such as scheduling a task in Windows Task Scheduler.
- WildFire Dynamic Analysis - Sections: Dynamic analysis provides a granular view of file activity, process activity, registry activity, connection activity, etc. Files run in a custom-built, evasion-resistant virtual environment in which previously unknown submissions are detonated to determine real-world effects and behavior. Behavior can be observed in one or more operating system environments.
- WildFire Static Analysis: WildFire static analysis detects known threats by analyzing the characteristics of a sample prior to execution in the sandbox. Static analysis can provide instant identification of malware variants and includes dynamic unpacking to analyze threats attempting to evade detection using packer tools.
- Related Sessions & Submissions: Shows any related sessions and submissions where the file was seen. Related sessions and submissions data is available if you have one of the following products: Palo Alto Networks Firewall, WildFire, Cortex XDR, Prisma SaaS, or Prisma Access.
In addition to viewing the file activities, properties, and behaviors
within the Cortex XSOAR Threat Intel page, you can also download
a PDF with a full report.
Sample Analysis Search
You can use Unit 42 Intel data to build complex searches for file samples with similar characteristics. For example, in WildFire Dynamic Analysis - Sections, you can add Parent Process, Action, or Parameters, or all characteristics of the file activity, to a search. In WildFire Static Analysis, you can add Behavior, Description, or both characteristics to a search.

WildFire Dynamic Analysis - Sections shows not only the observed behavior of the file sample, but also how many times the behavior was observed in other Unit 42 samples: malicious samples, suspicious samples, and unknown samples. For example, you see that the parent process sample.exe wrote to file data1.tmp. The same behavior occurred in 75 samples that had a verdict of malicious. To investigate further, you can build a new search that contains this specific behavior and view the relevant samples. To add an entire row to a new Sample Analysis search, hover the cursor over the last column on the right, in the row that you want to add.
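The search semantics described above, as an added illustration that is not Cortex XSOAR or Unit 42 code: a small behavior search over constructed WildFire-style File Activity records, matching on any subset of Parent Process, Action and Parameters and reporting how many distinct samples per verdict exhibit the behavior. The records, sample ids and verdicts are constructed for the example.

```python
# Added example (not Cortex XSOAR or Unit 42 code). Models a Sample Analysis
# search over File Activity rows: any subset of the three characteristics can be
# added to the search, and hits are counted per verdict (malicious/suspicious/unknown).
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class FileActivity:
    sample_id: str       # constructed placeholder, not a real hash or indicator
    verdict: str         # "malicious", "suspicious" or "unknown"
    parent_process: str
    action: str
    parameters: str


# Constructed sample data mirroring the behaviors mentioned on this page.
RECORDS = [
    FileActivity("sample-0001", "malicious", "sample.exe", "wrote", "data1.tmp"),
    FileActivity("sample-0002", "malicious", "sample.exe", "wrote", "data1.tmp"),
    FileActivity("sample-0003", "suspicious", "sample.exe", "wrote", "data1.tmp"),
    FileActivity("sample-0004", "unknown", "sample.exe", "wrote", "config.dat"),
    FileActivity("sample-0005", "malicious", "powershell.exe", "wrote",
                 r"C:\Users\Administrator\443.exe"),
    FileActivity("sample-0006", "unknown", "sample.exe", "read", "data1.tmp"),
]


def search(records, parent_process=None, action=None, parameters=None):
    """Return rows matching every characteristic given; None means the
    characteristic was not added to the search (wildcard)."""
    wanted = {"parent_process": parent_process, "action": action,
              "parameters": parameters}
    return [r for r in records
            if all(v is None or getattr(r, k) == v for k, v in wanted.items())]


def verdict_counts(records, **characteristics):
    """Count distinct samples per verdict that exhibit the behavior, like the
    per-verdict occurrence counts shown beside each observed behavior."""
    seen = {(r.sample_id, r.verdict) for r in search(records, **characteristics)}
    return dict(Counter(verdict for _, verdict in seen))


if __name__ == "__main__":
    # Full row: parent process + action + parameters.
    print(verdict_counts(RECORDS, parent_process="sample.exe",
                         action="wrote", parameters="data1.tmp"))
    # Parent process + action only, without the parameters.
    print(verdict_counts(RECORDS, parent_process="sample.exe", action="wrote"))
```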

- Add to Sample Analysis Search: Adds selected information from the row to a Sample Analysis search. After choosing Add to Sample Analysis Search, a pop-up appears at the bottom of the screen: "Your selected terms were added to Sample Analysis Search. Go to Sample Analysis tab to apply the added terms." If you click on the link, you go to the Sample Analysis tab, where you can edit or run your search for samples that exhibited the same behavior. You can also Add to Saved Queries. If you do not click the link, the pop-up will disappear and you can continue to add additional items to the search. To run the search without clicking on the pop-up link, go to the Threat Intel page and click on the Sample Analysis tab. Instead of adding the entire row, you can also add one or more items in the row to a search. For example, in WildFire Dynamic Analysis - Sections - File Activity, you can add the parent process and the action, without including the parameters, by clicking the drill-down search button to the right of each option you want to add.
- Create New Sample Analysis Search: Clears any search characteristics you have already added and starts a new Sample Analysis search with the selected characteristic(s). After choosing this option, a pop-up appears at the bottom of the screen: "Your selected terms were added to Sample Analysis Search. Go to Sample Analysis tab to apply the added terms." If you click on the link, you go to the Sample Analysis tab, where you can edit or run your search for samples that exhibited the same behavior. You can also Add to Saved Queries. If you do not click the link, the pop-up will disappear and you can continue to add additional items to the search. To run the search without clicking on the pop-up link, go to the Threat Intel page and click on the Sample Analysis tab.
The Sample Analysis search page includes a drop-down for Sample Type. Options include All Samples, Public Samples, and My Samples. The My Samples option is only available for customers with a Palo Alto Networks Firewall, WildFire, Cortex XDR, Prisma SaaS, or Prisma Access. My Samples data is not available for multi-tenant deployments.

Known limitation: When searching on the Sample Analysis page for relationships, some results may appear without their specific relationships listed, due to internal relationship permissions.