Get WildFire Data Enrichment Flow
When the Security Operations Palo Alto Networks - Get WildFire Data Enrichment flow is executed, a hash file is uploaded to WildFire. The data is enriched, and reports are downloaded to the instance to aid in processing potential malware attacks.
Before you begin
Role required: sn_si.analyst
About this task
Procedure
-
Click Update.
The flow causes the hash file to be uploaded to WildFire where the data is enriched. Reports in the PDF and XML formats are attached to the record (security incident or IoC) in your instance to aid in processing potential malware attacks.Note:If the enriched data includes packet capture information, PCAP information is also downloaded. PCAP data captures what actions the file was performing. For example, it can report on what servers the file was contacting. To view PCAP files, you need a packet analyzer, such as Wireshark.
Figure 2. Sample PDF generated by Wildfire
WildFire- get PCAP action
The WildFire: Get PCAP flow action gets the packet capture (PCAP) information generated during the analysis of a specified file hash on WildFire. The result of this action is attached to a specific record as identified by the TableName and RecordId.
Input variables
Input variables determine the initial behavior of the action.
| Variable | Description |
|---|---|
| FileSHA256Hash [string] | The hash of the file received from the Palo Alto Network Firewall application. |
| TableName [string] | The affected table. |
| RecordId [string] | The security incident or IoC being updated. |
Output variables
The output variables contain data that can be used in subsequent actions.
| Variable | Description |
|---|---|
| commandStatus [Boolean] | True if a result is obtained and attached successfully. |
| errorMessage | The error, if any, that occurred in the action. |
WildFire- get PDF report action
The WildFire: Get PDF Report flow action gets the report generated during the analysis of a specified file hash on WildFire in PDF format. The result of this action is attached to a specific record as identified by the TableName and RecordId.
Input variables
Input variables determine the initial behavior of the action.
| Variable | Description |
|---|---|
| TableName [string] | The affected table. |
| FileSHA256Hash [string] | The hash of the file received from the Palo Alto Network Firewall application. |
| RecordId [string] | The security incident or IoC being updated. |
Output variables
The output variables contain data that can be used in subsequent actions.
| Variable | Description |
|---|---|
| commandStatus [Boolean] | True if a result is obtained and attached successfully. |
| errorMessage | The error, if any, that occurred in the action. |
WildFire- get XML report action
The WildFire: Get XML Report flow action gets the report generated during the analysis of a specified file hash on WildFire in XML format. The result of this action is attached to a specific record as identified by the TableName and RecordId.
Input variables
Input variables determine the initial behavior of the action.
| Variable | Description |
|---|---|
| TableName [string] | The affected table. |
| FileSHA256Hash [string] | The hash of the file received from the Palo Alto Network Firewall application. |
| RecordId [string] | The security incident or IoC being updated. |
Output variables
The output variables contain data that can be used in subsequent actions.
| Variable | Description |
|---|---|
| commandStatus [Boolean] | True if a result is obtained and attached successfully. |
| errorMessage | The error, if any, that occurred in the action. |