Learn how to use the WildFire report on SaaS Security API to investigate potentially malicious threats on your network.
SaaS Security API leverages the WildFire service to detect known and unknown malware by file type. The WildFire service and AutoFocus threat intelligence service together provide more visibility into security risks; however, if your SOC team does not currently have an AutoFocus subscription, use the WildFire Report on SaaS Security API to track down threats. Before SaaS Security API can display a WildFire Report, you must configure WildFire analysis on SaaS Security API.
If an asset in one of
your monitored SaaS applications matches the
WildFire identifies the asset as malicious. SaaS Security API reports
this information in a WildFire Report, which includes:
—file information, including the hash, file type, and size.
WildFire static analysis—results of machine learning capabilities of WildFire to display samples that contain characteristics of known malware.
WildFire dynamic analysis—details about the malicious host and network activity the file exhibited in the different WildFire
WildFire Report displays only for assets with a WildFire Analysis rule violation.
Review the WildFire Report to get context into the malware
Download the report in XML or PDF format. This report contains
the following sections:
—Displays details about the file, including the hash (SHA256), file type, and size. Additionally:
Report Incorrect Verdict—If you disagree with a WildFire verdict, send Palo Alto Networks a request for further analysis. If research indicates that the verdict is benign, your related incidents automatically close without notification. Such a change to a verdict can take up to 2 days. SaaS Security API receives daily verdict updates from the WildFire service.
—Displays a link to
malware analysis. If the malware has never been discovered before,
file not found
—Leverages the machine learning capabilities of WildFire to display samples that contain characteristics of known malware.