Configure WildFire Analysis

Learn how to configure WildFire analysis on which AutoFocus integration and WildFire Report depend.
Prisma SaaS leverages a WildFire service to detect known and unknown malware for supported file types. To provide you the visibility you need, Prisma SaaS integrates with WildFire by using a predefined data pattern. This process is known as WildFire analysis.
To enable WildFire Analysis:
After you configure WildFire analysis, if WildFire detects malware on an asset, WildFire informs both Prisma SaaS and AutoFocus and both solutions flag the asset as a risk. From there, you can track down threats using the following methods:
  • WildFire Report—If your SOC team does not have an AutoFocus subscription, use the WildFire Report on Prisma SaaS. Simply configure WildFire analysis to send files to WildFire, then analyze the report.
  • AutoFocus—If your SOC team has an AutoFocus subscription, your global administrator sees the threats in AutoFocus. Simply configure WildFire analysis to send files to WildFire and enable AutoFocus integration to enable WildFire to send the necessary contextual information, then analyze the data in AutoFocus.

Enable File Types

Prisma SaaS enables you to submit files of specific file type categories to WildFire for analysis, classification, and reporting. However, by default, Prisma SaaS does not submit any files for processing: you control which file type categories apply to the WildFire service.
If you have privacy concerns about sharing specific file type categories, do not select that file category in Prisma SaaS. Prisma SaaS supports specific file type categories, and the file types listed in parentheses in the Prisma SaaS web interface are examples.
If, after enabling file types, you do not see the assets you expect in AutoFocus, consider AutoFocus behaviors.
  1. Log in to Prisma SaaS.
  2. Select Settings > WildFire Analysis.
  3. Locate the WildFire Analysis toggle and verify that WildFire is enabled.
    If any of your policies use the WildFire data pattern, you must remove the data pattern from those policies before you can disable WildFire analysis.
    By default, Prisma SaaS enables the WildFire analysis data pattern, but it is possible that your organization disabled it previously.
  4. Select the Files to Submit.
  5. Save your changes.
    Prisma SaaS records any file type changes in the audit logs. If you want your changes to apply retroactively, initiate a rescan.

Enable Contextual Information

In addition to sending files to WildFire, Prisma SaaS enables you to send contextual information with the file so that your global administrator has the necessary context in AutoFocus, in addition to the WildFire verdict, to determine and investigate threats. By default, Prisma SaaS does not send contextual information to WildFire.
Palo Alto Networks recommends that you enable all contextual information whether or not you have an AutoFocus subscription: Prisma SaaS enables you to send your files to WildFire with contextual information—even if your SOC team does not currently have an AutoFocus subscription. If you later subscribe to AutoFocus, you’ll find context for all the Prisma SaaS files that WildFire scanned.
If, after enabling contextual information, you do not see the contextual information you expect in AutoFocus, consider AutoFocus behaviors.
  1. Before you begin: Enable File Types.
  2. Log in to Prisma SaaS.
  3. Select Settings > WildFire Analysis.
  4. Specify the Contextual Information you want the WildFire service to send to AutoFocus.
    • Cloud App—Name of the SaaS application that you specified at the time of onboarding the app. For example, Box - HR or Box - HQ.
    • File URL—The file path in Prisma SaaS.
    • Timestamp—The latest update time on the file.
    • File Directory Path—The parent folder level.
    • User ID—Email address or username of the file creator.
  5. Save your changes.
    Prisma SaaS logs any changes to contextual information in the audit logs. If you want your changes to apply retroactively, initiate a rescan.

Configure Policies for WildFire Analysis

Prisma SaaS integrates with WildFire by using a predefined data pattern and a predefined policy rule (WildFire).
  1. Log in to Prisma SaaS.
  2. Specify the WildFire data pattern as match criteria in your policies.

Monitor Malware Scanning

Prisma SaaS enables you to track malware scanning for all file types configured for WildFire analysis. When you View Asset Details for such files, Prisma SaaS displays a malware scan status.
  1. Log in to Prisma SaaS.
  2. Select Explore > Assets.
  3. Locate and click the Item Name of the asset you want to monitor.
  4. Observe the Malware Status.