Palo Alto Networks now provides improved URL analysis capabilities in the WildFire global cloud, which can deliver standardized web page verdicts and reports through the API, as well as enhanced malicious email link detection on the firewall. Not only does this generate a more accurate verdict by aggregating threat analysis details from all Palo Alto Networks services, but it also provides consistent URL analysis data, regardless of which Palo Alto Networks products you rely on to protect your network.
The WildFire global cloud operates a series of URL analyzers that process various URL feeds, correlated URL sources (such as email links), NRD (newly registered domain) lists, PAN-DB content, and manually uploaded URLs. After a URL has been processed, you can retrieve the WildFire URL analysis report, which includes the verdict, detection reasons with evidence, screenshots, and analysis data generated for the web request. You can also retrieve web page artifacts (downloaded files and screenshots) seen during URL analysis to further investigate anomalous activity. The new enhancements found in the URL analysis service enables WildFire to play a larger role in defending your network by supporting your SOC and incident response teams with more accurate verdicts and better visibility into URL analysis.
No additional configuration is necessary to take advantage of this feature, however, if you want to automatically submit email links for analysis (which are now analyzed through this service), you must configure your firewall to forward email links.
Verdicts that you suspect are either false positives or false negatives can be submitted to the Palo Alto Networks threat team for additional analysis.
Important information about WildFire URL Analysis.
- URL analysis is currently operational only in the WildFire global (U.S.) cloud and will be rolled out to other regional WildFire clouds in the future. As a result, URL verdicts and reports may differ if they are retrieved from other regional clouds.
- WildFire reports are not currently available on the firewall.
You can use the WildFire API to retrieve URL analysis reports, verdicts, and related web artifacts. The following table describes the new and updated API endpoints that are now available.
XML Response or Additional Info
Updated API Endpoints
* Updates do not apply to the
Get a verdict for a specified web page
Using a hash value to retrieve a web page verdict, instead of the new
urlparameter, can yield inaccurate results. This is because API requests using the
urlparameter retrieve verdicts that have been processed using URL analysis, while hash requests retrieve verdicts through the legacy analyzer. Palo Alto Networks recommends using the
urlparameter when retrieving web page verdicts for the most accurate and up to date information.
The verdict ID number is as follows:
WildFire Submissions that have been classified with the newly introduced verdict of C2 are currently only displayed in WildFire API reports and verdict queries. The firewall does not currently support the C2 verdict; consequently, URLs classified with the C2 verdict are shown as malware.
validentry in the response indicates whether or not the verdict is up-to-date. URLs that have not been analyzed recently are considered obsolete and are designated as being no longer valid.
Get a JSON report of analysis results for a specified
When using the new
urlparameter, the API attempts to find an exact match of the specified
url. If none is found, WildFire delivers a best guess match. The match is indicated by the
url_typeentry in the XML response.
originalindicates an exact match, while
best_matchis shown for the closest match found by URL analysis.
Using a hash value to retrieve a web page report, instead of a URL, can yield differing results. This is because API requests using the
urlparameter retrieve reports that have been processed using URL analysis, while hash requests retrieve verdicts through the legacy analyzer service. Palo Alto Networks recommends using the
urlparameter when retrieving web page reports for the most accurate information.
Submit website link(s) to WildFire for URL analysis.
The XML response no longer returns the hash values if the URL was processed using URL analysis. Regional WildFire clouds operating the legacy elink analyzer will continue to return the hash values.
The following API endpoints do not support URL analysis functionality at this time:
New API Endpoints
Get web artifacts associated with a specified URL.
The XML response downloads a .tgz file package which includes all of the requested web artifacts. A field in the response header displays the time and date of the last URL analysis execution:
Last-Modified: Fri Apr 3 19:18:09 2020
Recommended For You
Recommended videos not found.