Configure WildFire Analysis

Learn how to configure WildFire analysis, which both the AutoFocus integration and the WildFire Report depend on.
SaaS Security API uses the WildFire service to detect known and unknown malware in supported file types. To give you the visibility you need, SaaS Security API integrates with WildFire by using a predefined data pattern. This process is known as WildFire analysis.
To enable WildFire analysis, enable file types, enable contextual information, and configure policies for WildFire analysis, as described in the sections that follow.
After you configure WildFire analysis, if WildFire detects malware on an asset, WildFire informs both SaaS Security API and AutoFocus, and both services flag the asset as a risk. From there, you can track down threats using either of the following methods:
  • WildFire Report—If your SOC team does not have an AutoFocus subscription, use the WildFire Report in SaaS Security API. Configure WildFire analysis to send files to WildFire, then analyze the report.
  • AutoFocus—If your SOC team has an AutoFocus subscription, your global administrator sees threats in AutoFocus. Configure WildFire analysis to send files to WildFire and enable the AutoFocus integration so that WildFire can send the necessary contextual information, then analyze the data in AutoFocus.

Enable File Types

SaaS Security API enables you to submit files of specific file type categories to WildFire for analysis, classification, and reporting. By default, however, SaaS Security API does not submit any files for processing: you control which file type categories are sent to the WildFire service.
If you have privacy concerns about sharing a specific file type category, do not select that category in SaaS Security API. SaaS Security API supports specific file type categories; the file types listed in parentheses in the SaaS Security web interface are examples, not an exhaustive list.
If, after enabling file types, you do not see the assets you expect in AutoFocus, consider AutoFocus behaviors.
  1. Log in to SaaS Security.
  2. Select Settings > WildFire Analysis.
  3. Locate the WildFire Analysis toggle and verify that WildFire is enabled.
    By default, SaaS Security API enables the WildFire analysis data pattern, but your organization may have disabled it previously.
    If any of your policies use the WildFire data pattern, you must remove the data pattern from those policies before you can disable WildFire analysis.
  4. Select the Files to Submit.
  5. Save your changes.
    SaaS Security API records any change to the selected file types in the audit logs. The new selection applies only to files scanned from this point on; if you want your changes to apply to existing files, initiate a rescan.

Enable Contextual Information

In addition to sending files to WildFire, SaaS Security API enables you to send contextual information with each file, so that your global administrator has the necessary context in AutoFocus, alongside the WildFire verdict, to identify and investigate threats. By default, SaaS Security API does not send contextual information to WildFire.
Palo Alto Networks recommends that you enable all contextual information whether or not you have an AutoFocus subscription. SaaS Security API can send your files to WildFire with contextual information even if your SOC team does not currently subscribe to AutoFocus; if you subscribe later, you will find context for every SaaS Security API file that WildFire scanned in the meantime.
If, after enabling contextual information, you do not see the contextual information you expect in AutoFocus, consider AutoFocus behaviors.
  1. Before you begin: Enable File Types.
  2. Log in to SaaS Security.
  3. Select Settings > WildFire Analysis.
  4. Specify the Contextual Information you want the WildFire service to send to AutoFocus.
    • Cloud App—Name of the SaaS application that you specified when you onboarded the app. For example, Box - HR or Box - HQ.
    • File URL—The file path in SaaS Security API.
    • Timestamp—The latest update time of the file.
    • File Directory Path—The parent folder of the file.
    • User ID—Email address or username of the file creator.
  5. Save your changes.
    SaaS Security API records any change to the contextual information settings in the audit logs. The new settings apply only to files scanned from this point on; if you want your changes to apply to existing files, initiate a rescan.

Configure Policies for WildFire Analysis

SaaS Security API integrates with WildFire by using a predefined data pattern and a predefined policy rule (WildFire).
  1. Log in to SaaS Security.
  2. Specify the WildFire Data Pattern or the Malware Data Profile as match criteria in your policies for your DLP service.
    If you omit the data pattern or data profile, your match results will not be accurate: they will include a large number of false positives.
    The exact steps differ between SaaS Security DLP and Enterprise DLP on the one hand and SaaS Security DLP (Classic) on the other.

Monitor Malware Scanning

SaaS Security API enables you to track malware scanning for all file types configured for WildFire analysis. When you View Asset Details for such a file, SaaS Security API displays its malware scan status.
  1. Log in to SaaS Security.
  2. Select Explore > Assets.
  3. Locate and click the Item Name of the asset you want to monitor.
  4. Observe the Malware Status.
    • Pending Analysis—SaaS Security API is waiting for WildFire to analyze the file and return a verdict.
    • Analyzed—WildFire analyzed the file and returned a verdict.
    • Not Analyzed—WildFire did not analyze the file; an information icon next to the status displays the reason. The most common reason for Not Analyzed is that the file belongs to a file type category that is not enabled for WildFire analysis.
    • File Unavailable—The file is unavailable to SaaS Security API, for example because the cloud app quarantined it.
  5. If WildFire detected malware, do one of the following:
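Checking assets one at a time in the web interface does not scale, and the status values above are most useful when read against the Files to Submit configuration: a Not Analyzed file in a category you never enabled is expected, while a Not Analyzed file in an enabled category usually means it was scanned before you enabled the category and needs a rescan, or that the information icon holds a different reason. The following script is an added example and is not Palo Alto Networks code. It assumes you have copied or exported the Explore > Assets view into a CSV with the columns item_name, file_type_category, malware_status, last_updated, and status_reason (these column names are an assumption for this example; the page does not describe an export format), and it bucketizes the rows the way a SOC analyst would before deciding whether to rescan, enable more categories, or chase a stuck submission.

```python
"""Triage a SaaS Security API asset list by WildFire malware scan status.

Added example, not Palo Alto Networks code. The CSV layout and column
names are assumptions for this example; the sample rows are constructed.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of an Explore > Assets view saved as CSV (not real data).
SAMPLE_EXPORT = """\
item_name,file_type_category,malware_status,last_updated,status_reason
q3-budget.xlsx,Office,Analyzed,2024-05-01T10:00:00Z,
invoice.pdf,PDF,Pending Analysis,2024-05-01T09:00:00Z,
setup.exe,Executable,Analyzed,2024-04-30T08:00:00Z,
archive.7z,Archive,Not Analyzed,2024-05-01T08:30:00Z,unsupported file type category
notes.txt,Other,Not Analyzed,2024-05-01T08:45:00Z,unsupported file type category
scan.pdf,PDF,Not Analyzed,2024-05-01T08:50:00Z,
leaked.docx,Office,File Unavailable,2024-04-29T12:00:00Z,quarantined by cloud app
"""

# Mirrors the categories selected under Settings > WildFire Analysis > Files to Submit
# (assumed values for this example).
ENABLED_CATEGORIES = {"Office", "PDF", "Executable"}

# Fixed "now" so the sample run is reproducible.
SAMPLE_NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)


def parse_export(text):
    """Parse the CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(rows, enabled_categories, now, stale_after=timedelta(hours=24)):
    """Bucketize assets by malware status and cross-check against the enabled categories."""
    counts = Counter(r["malware_status"] for r in rows)

    # Pending Analysis older than the threshold: WildFire has not returned a verdict.
    stale_pending = sorted(
        r["item_name"] for r in rows
        if r["malware_status"] == "Pending Analysis"
        and now - parse_ts(r["last_updated"]) > stale_after
    )

    expected_skips = []    # Not Analyzed, category not enabled: by design
    unexpected_skips = []  # Not Analyzed, category enabled: likely predates the change, rescan
    for r in rows:
        if r["malware_status"] != "Not Analyzed":
            continue
        if r["file_type_category"] in enabled_categories:
            unexpected_skips.append((r["item_name"], r["status_reason"] or "see information icon"))
        else:
            expected_skips.append(r["item_name"])

    # File Unavailable: the cloud app (for example, a quarantine) withheld the file.
    unavailable = sorted(r["item_name"] for r in rows if r["malware_status"] == "File Unavailable")

    return {
        "counts": dict(counts),
        "stale_pending": stale_pending,
        "expected_skips": sorted(expected_skips),
        "unexpected_skips": sorted(unexpected_skips),
        "unavailable": unavailable,
    }


def run_sample():
    """Triage the constructed sample export with the assumed configuration."""
    return triage(parse_export(SAMPLE_EXPORT), ENABLED_CATEGORIES, SAMPLE_NOW)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

In the sample run, invoice.pdf shows up as stale because it has been Pending Analysis for more than 24 hours; archive.7z and notes.txt are expected skips because their categories are not in Files to Submit; scan.pdf is flagged for follow-up because PDF is enabled yet the file was never analyzed, which is the case a rescan addresses; and leaked.docx is listed separately because the cloud app withheld it rather than WildFire declining it.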
