Get WildFire Data Enrichment Flow

  • Release version: Washingtondc
  • Updated August 1, 2024
  • 3 minutes to read

    • When the Security Operations Palo Alto Networks - Get WildFire Data Enrichment flow is executed, a hash file is uploaded to WildFire. The data is enriched, and reports are downloaded to the instance to aid in processing potential malware attacks.

    Before you begin

    Role required: sn_si.analyst

    About this task

    The Security Operations Palo Alto Networks - Get WildFire Data Enrichment flow is executed when a security incident is created from an alert received from the Palo Alto Network Firewall application. A malware hash from the email notification received from Firewall is entered on the IoC tab of the security incident, and the record is updated.
    Figure 1. Security Operations Palo Alto Networks - Get WildFire Data Enrichment flow
    Wildfire data enrichment flow

    Procedure

    1. Navigate to All > Security Incident > Show Open Incidents.
    2. Based on the email notification received from Firewall, locate and open the security incident that was created.
    3. Click the Indicators of Compromise tab and populate the Malware hash with the hash you received in the alert.
    4. Click Update.
      The flow causes the hash file to be uploaded to WildFire where the data is enriched. Reports in the PDF and XML formats are attached to the record (security incident or IoC) in your instance to aid in processing potential malware attacks.
      Note:
      If the enriched data includes packet capture information, PCAP information is also downloaded. PCAP data captures what actions the file was performing. For example, it can report on what servers the file was contacting. To view PCAP files, you need a packet analyzer, such as Wireshark.
      Figure 2. Sample PDF generated by Wildfire
      Sample PDF report

    WildFire- get PCAP action

    The WildFire: Get PCAP flow action gets the packet capture (PCAP) information generated during the analysis of a specified file hash on WildFire. The result of this action is attached to a specific record as identified by the TableName and RecordId.

    Input variables

    Input variables determine the initial behavior of the action.

    Table 1. Input variables
    Variable Description
    FileSHA256Hash [string] The hash of the file received from the Palo Alto Network Firewall application.
    TableName [string] The affected table.
    RecordId [string] The security incident or IoC being updated.

    Output variables

    The output variables contain data that can be used in subsequent actions.

    Table 2. Output variables
    Variable Description
    commandStatus [Boolean] True if a result is obtained and attached successfully.
    errorMessage The error, if any, that occurred in the action.

    WildFire- get PDF report action

    The WildFire: Get PDF Report flow action gets the report generated during the analysis of a specified file hash on WildFire in PDF format. The result of this action is attached to a specific record as identified by the TableName and RecordId.

    Input variables

    Input variables determine the initial behavior of the action.

    Table 3. Input variables
    Variable Description
    TableName [string] The affected table.
    FileSHA256Hash [string] The hash of the file received from the Palo Alto Network Firewall application.
    RecordId [string] The security incident or IoC being updated.

    Output variables

    The output variables contain data that can be used in subsequent actions.

    Table 4. Output variables
    Variable Description
    commandStatus [Boolean] True if a result is obtained and attached successfully.
    errorMessage The error, if any, that occurred in the action.

    WildFire- get XML report action

    The WildFire: Get XML Report flow action gets the report generated during the analysis of a specified file hash on WildFire in XML format. The result of this action is attached to a specific record as identified by the TableName and RecordId.

    Input variables

    Input variables determine the initial behavior of the action.

    Table 5. Input variables
    Variable Description
    TableName [string] The affected table.
    FileSHA256Hash [string] The hash of the file received from the Palo Alto Network Firewall application.
    RecordId [string] The security incident or IoC being updated.

    Output variables

    The output variables contain data that can be used in subsequent actions.

    Table 6. Output variables
    Variable Description
    commandStatus [Boolean] True if a result is obtained and attached successfully.
    errorMessage The error, if any, that occurred in the action.

    Write content to record as attachment action

    This action writes the content passed in from an input and creates a designated attachment to a given record.

    The Write content to record as attachment action can be used with any flow to write content and attach it to a record.

    Input variables

    Input variables determine the initial behavior of the action.

    Table 7. Input variables
    Variable Description
    tablename [string] The table name for the record. This input field is mandatory.
    sysid [string] The system identifier (sys_id) of a task record. This input field is mandatory.
    payload The plain text content to be written as an attachment. This input field is mandatory.
    filename The attachment file name.

    Output variables

    The output variables contain data that can be used in subsequent actions.

    Table 8. Output variables
    Variable Description
    result [string] Indicates whether the update was successful.