Track Down Threats with WildFire Report

Learn how to use the WildFire report on Prisma SaaS to investigate potentially malicious threats on your network.
Prisma SaaS leverages the WildFire service to detect known and unknown malware by file type. The WildFire service and AutoFocus threat intelligence service together provide more visibility into security risks; however, if your SOC team does not currently have an AutoFocus subscription, use the WildFire Report on Prisma SaaS to track down threats. Before Prisma SaaS can display a WildFire Report, you must configure WildFire analysis on Prisma SaaS.
If an asset in one of your monitored SaaS applications matches the WildFire rule, WildFire identifies the asset as malicious. Prisma SaaS reports this information in a WildFire Report, which includes:
  • Asset information—file information, including the hash, file type, and size.
  • WildFire static analysis—results of the WildFire machine learning analysis, showing samples that contain characteristics of known malware.
  • WildFire dynamic analysis—details about the malicious host and network activity the file exhibited in the different WildFire sandbox environments.
    1. Select Explore > Assets.
    2. Locate and click on an Item Name for the asset.
    3. Select Matching Data Patterns > WildFire Report.
       WildFire Report displays only for assets with a WildFire Analysis rule violation.
  1. Review the WildFire Report to get context into the malware findings.
    Download the report in XML or PDF format. This report contains the following sections:
    • WildFire Verdict—Displays details about the file, including the hash (SHA256), file type, and size. Additionally:
      • Report Incorrect Verdict—If you disagree with a WildFire verdict, send Palo Alto Networks a request for further analysis. You will receive an email notification with the analysis results. A change to a verdict can take up to 2 days. Prisma SaaS receives daily verdict updates from the WildFire service.
      • VirusTotal Verdict—Displays a link to the malware analysis. If the malware has never been discovered before, a "file not found" error displays.
    • Static Analysis—Leverages the machine learning capabilities of WildFire to display samples that contain characteristics of known malware.
    • Dynamic Analysis—Displays details about the malicious host and network activity that the file exhibited in different WildFire sandbox environments.
  2. (AutoFocus Only) Retrieve additional malware threat intelligence using AutoFocus.
    If you enabled AutoFocus integration on Prisma SaaS, work with the global administrator on your SOC team to search for the asset (artifact) identified in the WildFire Report.