Palo Alto Networks WildFire v2
Use the Palo Alto Networks WildFire integration to automatically identify unknown threats and stop attackers in their tracks.
Palo Alto Networks WildFire v2 Playbooks
- WildFire - Detonate File
- Detonate URL - WildFire-v2
Use Cases
- Send a File sample to WildFire.
- Upload a file hosted on a website to WildFire.
- Submit a webpage to WildFire.
- Get a report regarding the sent samples using file hash.
- Get sample file from WildFire.
- Get verdicts for multiple hashes (up to 500) using the wildfire-get-verdicts command.
Configure Palo Alto Networks WildFire v2 on Demisto
- Navigate to Settings > Integrations > Servers & Services.
- Search for Palo Alto Networks WildFire v2.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Server URL (e.g., https://192.168.0.1/publicapi)
- API Key
- Return warning entry for unsupported file types
- Trust any certificate (not secure)
- Use system proxy settings
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Get results for a file hash: file
- Upload a file for analysis: wildfire-upload
- Upload the URL of a remote file for analysis: wildfire-upload-file-url
- Get results of a file hash analysis: wildfire-report
- Get the verdict of a file hash: wildfire-get-verdict
- Get the verdicts for multiple file hashes: wildfire-get-verdicts
- Upload a URL for analysis: wildfire-upload-url
- Get a sample: wildfire-get-sample
1. Get results for a file hash
Retrieves results for a file hash using WildFire.
Base Command
file
Input
Argument Name | Description | Required |
---|---|---|
file | File hash to check. | Optional |
md5 | MD5 hash to check. | Optional |
sha256 | SHA256 hash to check. | Optional |
Context Output
Path | Type | Description |
---|---|---|
File.Name | string | Name of the file. |
File.Type | string | File type, for example: “PE”. |
File.Size | string | Size of the file. |
File.MD5 | string | MD5 hash of the file. |
File.SHA1 | string | SHA1 hash of the file. |
File.SHA256 | string | SHA256 hash of the file. |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
DBotScore.Indicator | string | The indicator that was tested. |
DBotScore.Type | string | The indicator type. |
DBotScore.Vendor | string | Vendor used to calculate the score. |
DBotScore.Score | number | The actual score. |
WildFire.Report.Status | string | The status of the submission. |
WildFire.Report.SHA256 | string | SHA256 hash of the submission. |
InfoFile.EntryID | Unknown | The EntryID of the report file. |
InfoFile.Extension | string | Extension of the report file. |
InfoFile.Name | string | Name of the report file. |
InfoFile.Info | string | Details of the report file. |
InfoFile.Size | number | Size of the report file. |
InfoFile.Type | string | The report file type. |
Command Example
!file file=1d457069cb511af47a587287d59817148d404a2a7f39e1032d16094811f648e3
Human Readable Output

2. Upload a file for analysis
Uploads a file to WildFire for analysis.
Base Command
wildfire-upload
Input
Argument Name | Description | Required |
---|---|---|
upload | ID of the entry containing the file to upload. | Required |
Context Output
Path | Type | Description |
---|---|---|
WildFire.Report.MD5 | string | MD5 hash of the submission. |
WildFire.Report.SHA256 | string | SHA256 hash of the submission. |
WildFire.Report.FileType | string | The submission type. |
WildFire.Report.Size | number | The size of the submission. |
WildFire.Report.Status | string | The status of the submission. |
Command Example
!wildfire-upload upload="1740@24"
Human Readable Output

3. Upload the URL of a remote file for analysis
Uploads the URL of a remote file to WildFire for analysis.
Base Command
wildfire-upload-file-url
Input
Argument Name | Description | Required |
---|---|---|
upload | URL of the remote file to upload. | Required |
Context Output
Path | Type | Description |
---|---|---|
WildFire.Report.MD5 | string | MD5 hash of the submission. |
WildFire.Report.SHA256 | string | SHA256 hash of the submission. |
WildFire.Report.Status | string | The status of the submission. |
WildFire.Report.URL | string | URL of the submission. |
Command Example
!wildfire-upload-file-url upload="http://www.pdf995.com/samples/pdf.pdf"
Human Readable Output

4. Get results of a file hash analysis
Retrieves results for a file hash using WildFire.
Base Command
wildfire-report
Input
Argument Name | Description | Required |
---|---|---|
md5 | MD5 hash to check. | Optional |
sha256 | SHA256 hash to check. | Optional |
hash | Deprecated - Use the sha256 argument instead. | Optional |
format | Request a structured report (XML or PDF). | Optional |
verbose | Receive extended information from WildFire. | Optional |
Context Output
Path | Type | Description |
---|---|---|
File.Name | string | Name of the file. |
File.Type | string | File type, for example: “PE”. |
File.Size | number | Size of the file. |
File.MD5 | string | MD5 hash of the file. |
File.SHA1 | string | SHA1 hash of the file. |
File.SHA256 | string | SHA256 hash of the file. |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
DBotScore.Indicator | string | The indicator that was tested. |
DBotScore.Type | string | The indicator type. |
DBotScore.Vendor | string | Vendor used to calculate the score. |
DBotScore.Score | number | The actual score. |
WildFire.Report.Status | string | The status of the submission. |
WildFire.Report.SHA256 | string | SHA256 hash of the submission. |
InfoFile.EntryID | string | The EntryID of the report file. |
InfoFile.Extension | string | The extension of the report file. |
InfoFile.Name | string | The name of the report file. |
InfoFile.Info | string | Details of the report file. |
InfoFile.Size | number | The size of the report file. |
InfoFile.Type | string | The report file type. |
WildFire.Report.Network.UDP.IP | string | Submission related IPs, in UDP protocol. |
WildFire.Report.Network.UDP.Port | string | Submission related ports, in UDP protocol. |
WildFire.Report.Network.TCP.IP | string | Submission related IPs, in TCP protocol. |
WildFire.Report.Network.TCP.Port | string | Submission related ports, in TCP protocol. |
WildFire.Report.Network.DNS.Query | string | Submission DNS queries. |
WildFire.Report.Network.DNS.Response | string | Submission DNS responses. |
WildFire.Report.Evidence.md5 | string | Submission evidence MD5 hash. |
WildFire.Report.Evidence.Text | string | Submission evidence text. |
Command Example
!wildfire-report hash="ebb031c3945e884e695dbc63c52a5efcd075375046c49729980073585ee13c52"
Human Readable Output

5. Get the verdict of a file hash
Returns a verdict for a hash.
Base Command
wildfire-get-verdict
Input
Argument Name | Description | Required |
---|---|---|
hash | Hash to get the verdict for. | Required |
Context Output
Path | Type | Description |
---|---|---|
WildFire.Verdicts.MD5 | string | MD5 hash of the file. |
WildFire.Verdicts.SHA256 | string | SHA256 hash of the file. |
WildFire.Verdicts.Verdict | number | Verdict of the file. |
WildFire.Verdicts.VerdictDescription | string | Description of the file verdict. |
DBotScore.Indicator | string | The indicator that was tested. |
DBotScore.Type | string | The indicator type. |
DBotScore.Vendor | string | Vendor used to calculate the score. |
DBotScore.Score | number | The actual score. |
Command Example
!wildfire-get-verdict hash="afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc"
Human Readable Output

6. Get the verdicts for multiple file hashes
Returns verdicts for multiple hashes, stored in a TXT file or given as a list. The maximum number of verdicts is 500, and the hashes can be given as an EntryID of a file in the specified format, or in the hash_list argument. For more information, see the WildFire documentation.
Base Command
wildfire-get-verdicts
Input
Argument Name | Description | Required |
---|---|---|
EntryID | EntryID of the text file that contains multiple hashes. Limit is 500 hashes. | Optional |
hash_list | A list of hashes to get verdicts for. | Optional |
Context Output
Path | Type | Description |
---|---|---|
WildFire.Verdicts.MD5 | string | MD5 hash of the file. |
WildFire.Verdicts.SHA256 | string | SHA256 hash of the file. |
WildFire.Verdicts.Verdict | number | Verdict of the file. |
WildFire.Verdicts.VerdictDescription | string | Description of the file verdict. |
DBotScore.Indicator | string | The indicator that was tested. |
DBotScore.Type | string | The indicator type. |
DBotScore.Vendor | string | Vendor used to calculate the score. |
DBotScore.Score | number | The actual score. |
Command Example
!wildfire-get-verdicts EntryID="1770@24"
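Added example (not part of the integration's own code): a Python helper that prepares an arbitrary hash list for wildfire-get-verdicts by validating MD5/SHA256 format, removing duplicates, and splitting the result into batches of at most 500. The one-hash-per-line file layout, the comma-separated hash_list form, and all function names are assumptions.

```python
import re

MAX_HASHES = 500  # per-call limit stated for wildfire-get-verdicts
# 32 hex chars = MD5, 64 hex chars = SHA256
_HASH_RE = re.compile(r"(?:[0-9a-f]{32}|[0-9a-f]{64})")


def prepare_batches(raw_hashes, limit=MAX_HASHES):
    """Return (batches, rejected).

    batches:  valid, de-duplicated, lower-cased hashes in chunks of <= limit
    rejected: original strings that are not MD5- or SHA256-shaped
    """
    seen, valid, rejected = set(), [], []
    for item in raw_hashes:
        h = item.strip().lower()
        if not h:
            continue  # skip blank lines from pasted lists
        if not _HASH_RE.fullmatch(h):
            rejected.append(item)
        elif h not in seen:
            seen.add(h)
            valid.append(h)
    batches = [valid[i:i + limit] for i in range(0, len(valid), limit)]
    return batches, rejected


def as_text_file(batch):
    """Body of a TXT file to upload and reference by EntryID.
    One hash per line is an assumption about the expected format."""
    return "\n".join(batch) + "\n"


def as_command(batch):
    """CLI form using hash_list; comma separation is an assumption."""
    return '!wildfire-get-verdicts hash_list="{}"'.format(",".join(batch))


# Constructed sample: 1,201 synthetic SHA256-shaped values, plus one
# upper-case duplicate and one malformed entry.
SAMPLE = ["{:064x}".format(n) for n in range(1201)]
SAMPLE += ["{:064X}".format(255), "not-a-hash"]

if __name__ == "__main__":
    batches, rejected = prepare_batches(SAMPLE)
    print("batch sizes:", [len(b) for b in batches])
    print("rejected:", rejected)
```

Reviewing the rejected list before submission keeps malformed input from consuming one of the 500 slots in a batch.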
Human Readable Output

7. Upload a URL for analysis
Uploads a URL to WildFire for analysis.
Note: Only malicious URLs will be included and displayed in the report. There will be no record of non-malicious URLs.
Base Command
wildfire-upload-url
Input
Argument Name | Description | Required |
---|---|---|
upload | URL to submit to WildFire. | Required |
Context Output
Path | Type | Description |
---|---|---|
WildFire.Report.MD5 | string | MD5 of the submission. |
WildFire.Report.SHA256 | string | SHA256 of the submission. |
WildFire.Report.Status | string | The status of the submission. |
WildFire.Report.URL | string | URL of the submission. |
Command Example
!wildfire-upload-url upload=https://moviepropit.com/eas/chase/home/
Human Readable Output

8. Get a sample
Retrieves a sample. Malicious files are saved indefinitely. Non-malicious files are saved for 14 days.
Base Command
wildfire-get-sample
Input
Argument Name | Description | Required |
---|---|---|
md5 | MD5 hash of the sample. | Optional |
sha256 | SHA256 hash of the sample. | Optional |
Context Output
There is no context output for this command.
Command Example
!wildfire-get-sample md5=5af84a3db5883627bfdff909e210634e
Human Readable Output
