Track Down Threats with WildFire Report

Learn how to use the WildFire report on SaaS Security API to investigate potentially malicious threats on your network.
SaaS Security API leverages the WildFire service to detect known and unknown malware by file type. The WildFire service and AutoFocus threat intelligence service together provide more visibility into security risks; however, if your SOC team does not currently have an AutoFocus subscription, use the WildFire Report on SaaS Security API to track down threats. Before SaaS Security API can display a WildFire Report, you must configure WildFire analysis on SaaS Security API.
If an asset in one of your monitored SaaS applications matches the rule, WildFire identifies the asset as malicious. SaaS Security API reports this information in a WildFire Report, which includes:
  • Asset information—file information, including the hash, file type, and size.
  • WildFire static analysis—results of the WildFire machine learning analysis, which displays samples that contain characteristics of known malware.
  • WildFire dynamic analysis—details about the malicious host and network activity the file exhibited in the different WildFire sandbox environments.
    1. Select
    2. Locate and click on an Item Name for the asset.
    3. Select
       Matching Data Patterns
       WildFire Report
       WildFire Report displays only for assets with a WildFire Analysis rule violation.
  1. Review the WildFire Report to get context into the malware findings.
    Download the report in XML or PDF format. This report contains the following sections:
    • WildFire Verdict—Displays details about the file, including the hash (SHA256), file type, and size. Additionally:
      • Report Incorrect Verdict—If you disagree with a WildFire verdict, send the WildFire team a request for further analysis. You will receive an email notification directly from the WildFire team with the results. If applicable, the verdict will be updated on WildFire. However, the SaaS Security web interface does not currently reflect such verdict updates. Contact SaaS Security Technical Support to manually refresh the verdict in the SaaS Security web interface, pending an integration that refreshes verdict updates automatically.
      • VirusTotal Verdict—Displays a link to malware analysis. If the malware has never been discovered before, a "file not found" error displays.
    • Static Analysis—Leverages the machine learning capabilities of WildFire to display samples that contain characteristics of known malware.
    • Dynamic Analysis—Displays details about the malicious host and network activity that the file exhibited in different WildFire sandbox environments.
  2. (AutoFocus Only) Retrieve additional malware threat intelligence using AutoFocus.
    If you enabled AutoFocus integration on SaaS Security API, work with your global administrator on your SOC team to search for the asset (artifact) identified in the WildFire report.