Review WildFire Logs
In addition to the Threat logs, use the victim IP address to filter through the WildFire
Submissions logs. The WildFire Submissions logs contain information on files uploaded to
the WildFire service for analysis. Because spyware typically embeds itself covertly,
reviewing the WildFire Submissions logs tells you whether the victim recently downloaded
a suspicious file. The WildFire forensics report displays information on the URL from
which the file or .exe was obtained, and the behavior of the content. It informs you if
the file is malicious, if it modified registry keys, read/wrote into files, created new
files, opened network communication channels, caused application crashes, spawned
processes, downloaded files, or exhibited other malicious behavior. Use this information
to determine whether to block the application that caused the infection (web-browsing,
SMTP, FTP), make more stringent URL Filtering rules, or restrict some
applications/actions (for example, file downloads to specific user groups).
Access to the WildFire logs from Panorama
requires the following: a WildFire subscription, a File Blocking
profile that is attached to a Security rule, and Threat log forwarding
to Panorama.
If Panorama will manage firewalls running software
versions earlier than PAN-OS 7.0, specify a WildFire server from
which Panorama can gather analysis information for WildFire samples
that those firewalls submit. Panorama uses the information to complete
WildFire Submissions logs that are missing field values introduced
in PAN-OS 7.0. Firewalls running earlier releases won’t populate
those fields. To specify the server, select ,
edit the General Settings, and enter the WildFire Private
Cloud name. The default is wildfire-public-cloud,
which is the WildFire cloud hosted in the United States.
If WildFire determines that a file is malicious, a new antivirus
signature is created within 24-48 hours and made available to you.
If you have a WildFire subscription, the signature is made available
within 30-60 minutes as part of the next WildFire signature update.
As soon as the Palo Alto Networks next-generation firewall has received
a signature for it, if your configuration is configured to block
malware, the file will be blocked and the information on the blocked
file will be visible in your threat logs. This process is tightly integrated
to protect you from this threat and stems the spread of malware
on your network.