WildfirePaloAlto 1.1.0
  • 22 Jan 2023
  • 1 Minute to read
  • Dark
    Light
  • PDF

WildfirePaloAlto 1.1.0

  • Dark
    Light
  • PDF

Article summary

tags: Enrichment | Python | Wildfire Analysis Report | Palo Alto


Description

Integration with PaloAlto Wildfire supports CDC users by providing enrichments for the file hash. This enables CDC users to make informed decisions regarding incident response.

The WildFire Analysis Environment identifies previously unknown malware and generates signatures that Palo Alto Networks firewalls can use to then detect and block the malware. When a Palo Alto Networks firewall detects an unknown sample (a file or a link included in an email), the firewall can automatically forward the sample for WildFire analysis. Based on the properties, behaviors, and activities the sample displays when analyzed and executed in the WildFire sandbox, WildFire determines the sample to be benign, grayware, phishing, or malicious. WildFire then generates signatures to recognize the newly-discovered malware, and makes the latest signatures globally available for retrieval in real time. All Palo Alto Networks firewalls can then compare incoming samples against these signatures to automatically block the malware first detected by a single firewall.

This integration downloads a scanned report from Wildfire for the specified hash file in either XML or PDF format.

Integration Type:Threat Intelligence Enrichment
Information read:Scanned report from Wildfire
API Supported:Wildfire API 2.0
Input:File hash of the report to be downloaded
Output:WildFire analysis report in either XML or PDF format

Customer Configuration

No customer configuration


CDC Command Lines

* **download_report_cli**
Download a scanned report from Wildfire on the given hash file (MD5 or SHA256).

OptionTypeDescriptionRequired
file_hashstringHash value - md5 or sha256.True

* **download_report_cli_wrapper**
Download a scanned report from Wildfire on the given hash file (MD5 or SHA256).

OptionTypeDescriptionRequired
file_hashstringHash value - md5 or sha256.True
scopeTypestringscope id eg alert , incident , channelTrue
scopeIdstringid of respective scope typeTrue

Workflows

No workflows


Rules

No rules


Sensors

No sensors


Triggers

No triggers


Known Issues

No known issues


Was this article helpful?