Cortex XSOAR for Developers (Formerly Demisto)

Palo Alto Networks WildFire v2

Use the Palo Alto Networks Wildfire integration to automatically identify unknown threats and stop attackers in their tracks.

Palo Alto Networks WildFire v2 Playbooks

  • WildFire - Detonate File
  • Detonate URL - WildFire-v2

Use Cases

  • Send a File sample to WildFire.
  • Upload a file hosted on a website to WildFire.
  • Submit a webpage to WildFire.
  • Get a report regarding the sent samples using file hash.
  • Get sample file from WildFire.
  • Get verdict regarding multiple hashes(up to 500) using the wildfire-get-verdicts command.

Configure Palo Alto Networks WildFire v2 on Demisto

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for Palo Alto Networks WildFire v2.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Server URL (e.g., https://192.168.0.1/publicapi)
    • API Key
    • Return warning entry for unsupported file types
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Get results for a file hash: file
  2. Upload a file for analysis: wildfire-upload
  3. Upload the URL of a remote file for analysis: wildfire-upload-file-url
  4. Get results of a file hash analysis wildfire-report
  5. Get the verdict of a file hash: wildfire-get-verdict
  6. Get the verdicts for multiple file hashes: wildfire-get-verdicts
  7. Upload a URL for analysis: wildfire-upload-url
  8. Get a sample: wildfire-get-sample

1. Get results for a file hash

Retrieves results for a file hash using WildFire.

Base Command

file

Input
Argument Name Description Required
file File hash to check. Optional
md5 MD5 hash to check. Optional
sha256 SHA256 hash to check. Optional

Context Output
Path Type Description
File.Name string Name of the file.
File.Type string File type, for example: “PE”.
File.Size string Size of the file.
File.MD5 string MD5 hash of the file.
File.SHA1 string SHA1 hash of the file.
File.SHA256 string SHA256 hash of the file.
File.Malicious.Vendor string For malicious files, the vendor that made the decision.
DBotScore.Indicator string The indicator that was tested.
DBotScore.Type string The indicator type.
DBotScore.Vendor string Vendor used to calculate the score.
DBotScore.Score number The actual score.
WildFire.Report.Status string The status of the submission.
WildFire.Report.SHA256 string SHA256 hash of the submission.
InfoFile.EntryID Unknown The EntryID of the report file.
InfoFile.Extension string Extension of the report file.
InfoFile.Name string Name of the report file.
InfoFile.Info string Details of the report file.
InfoFile.Size number Size of the report file.
InfoFile.Type string The report file type.

Command Example 
!file file=1d457069cb511af47a587287d59817148d404a2a7f39e1032d16094811f648e3
Human Readable Output
Screen Shot 2019-05-09 at 18 29 10

2. Upload a file for analysis

Uploads a file to WildFire for analysis.

Base Command

wildfire-upload

Input
Argument Name Description Required
upload ID of the entry containing the file to upload Required

Context Output
Path Type Description
WildFire.Report.MD5 string MD5 hash of the submission.
WildFire.Report.SHA256 string SHA256 hash of the submission.
WildFire.Report.FileType string The submission type.
WildFire.Report.Size number The size of the submission.
WildFire.Report.Status string The status of the submission.

Command Example 
!wildfire-upload upload="1740@24"
Human Readable Output
Screen Shot 2019-05-09 at 18 20 53

3. Upload the URL of a remote file for analysis

Uploads the URL of a remote file to WildFire for analysis.

Base Command

wildfire-upload-file-url

Input
Argument Name Description Required
upload URL of the remote file to upload. Required

Context Output
Path Type Description
WildFire.Report.MD5 string MD5 hash of the submission.
WildFire.Report.SHA256 string SHA256 hash of the submission.
WildFire.Report.Status string The status of the submission.
WildFire.Report.URL string URL of the submission.

Command Example 
!wildfire-upload-file-url upload="http://www.pdf995.com/samples/pdf.pdf"
Human Readable Output
Screen Shot 2019-05-09 at 18 19 31

4. Get results of a file hash analysis

Retrieves results for a file hash using WildFire.

Base Command

wildfire-report

Input
Argument Name Description Required
md5 MD5 hash to check. Optional
sha256 SHA256 hash to check Optional
hash Deprecated - Use the sha256 argument instead. Optional
format Request a structured report (XML PDF). Optional
verbose Receive extended information from WildFire. Optional

Context Output
Path Type Description
File.Name string Name of the file.
File.Type string File type, for example: “PE”
File.Size number Size of the file.
File.MD5 string MD5 hash of the file.
File.SHA1 string SHA1 hash of the file.
File.SHA256 string SHA256 hash of the file.
File.Malicious.Vendor string For malicious files, the vendor that made the decision.
DBotScore.Indicator string The indicator that was tested.
DBotScore.Type string The indicator type.
DBotScore.Vendor string Vendor used to calculate the score.
DBotScore.Score number The actual score.
WildFire.Report.Status string The status of the submission.
WildFire.Report.SHA256 string SHA256 hash of the submission.
InfoFile.EntryID string The EntryID of the report file.
InfoFile.Extension string The extension of the report file.
InfoFile.Name string The name of the report file.
InfoFile.Info string Details of the report file.
InfoFile.Size number The size of the report file.
InfoFile.Type string The report file type.
WildFire.Report.Network.UDP.IP string Submission related IPs, in UDP protocol.
WildFire.Report.Network.UDP.Port string Submission related ports, in UDP protocol.
WildFire.Report.Network.TCP.IP string Submission related IPs, in TCP protocol.
WildFire.Report.Network.TCP.Port string Submission related ports, in TCP protocol.
WildFire.Report.Network.DNS.Query string Submission DNS queries.
WildFire.Report.Network.DNS.Response string Submission DNS responses.
WildFire.Report.Evidence.md5 string Submission evidence MD5 hash.
WildFire.Report.Evidence.Text string Submission evidence text.

Command Example 
!wildfire-report hash="ebb031c3945e884e695dbc63c52a5efcd075375046c49729980073585ee13c52"
Human Readable Output
Screen Shot 2019-05-09 at 18 21 41

5. Get the verdict of a file hash

Returns a verdict for a hash.

Base Command

wildfire-get-verdict

Input
Argument Name Description Required
hash Hash to get the verdict for. Required

Context Output
Path Type Description
WildFire.Verdicts.MD5 string MD5 hash of the file.
WildFire.Verdicts.SHA256 string SHA256 hash of the file.
WildFire.Verdicts.Verdict number Verdict of the file.
WildFire.Verdicts.VerdictDescription string Description of the file verdict.
DBotScore.Indicator string The indicator that was tested.
DBotScore.Type string The indicator type.
DBotScore.Vendor string Vendor used to calculate the score.
DBotScore.Score number The actual score.

Command Example 
!wildfire-get-verdict hash="afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc"
Human Readable Output
Screen Shot 2019-05-09 at 18 23 30

6. Get the verdicts for multiple file hashes

Returns a verdict regarding multiple hashes, stored in a TXT file or given as list. The maximum number of verdicts is 500, and can be given as an EntryID of a file in the specified format, or in the hash_list argument. For more information, see the WildFire documentation .

Base Command

wildfire-get-verdicts

Input
Argument Name Description Required
EntryID EntryID of the text file that contains multiple hashes. Limit is 500 hashes. Optional
hash_list A list of hashes to get verdicts for. Optional

Context Output
Path Type Description
WildFire.Verdicts.MD5 string MD5 hash of the file.
WildFire.Verdicts.SHA256 string SHA256 hash of the file.
WildFire.Verdicts.Verdict number Verdict of the file.
WildFire.Verdicts.VerdictDescription string Description of the file verdict.
DBotScore.Indicator string The indicator that was tested.
DBotScore.Type string The indicator type.
DBotScore.Vendor string Vendor used to calculate the score.
DBotScore.Score number The actual score.

Command Example 
!wildfire-get-verdicts EntryID="1770@24"
Human Readable Output
Screen Shot 2019-05-09 at 18 24 31

7. Upload a URL for analysis

Uploads a URL to WildFire for analysis.

Note : Only malicious URLs will be included and displayed in the report. There will be no record of non-malicious URLs.

Base Command

wildfire-upload-url

Input
Argument Name Description Required
upload URL to submit to WildFire. Required

Context Output
Path Type Description
WildFire.Report.MD5 string MD5 of the submission.
WildFire.Report.SHA256 string SHA256 of the submission.
WildFire.Report.Status string The status of the submission.
WildFire.Report.URL string URL of the submission.

Command Example 
!wildfire-upload-url upload=https://moviepropit.com/eas/chase/home/
Human Readable Output
Screen Shot 2019-05-09 at 18 33 44

8. Get a sample

Retrieves a sample. Malicious files are saved indefinitely. Non-malicious files are saved for 14 days.

Base Command

wildfire-get-sample

Input
Argument Name Description Required
md5 MD5 hash of the sample. Optional
sha256 SHA256 hash of the sample. Optional

Context Output

There is no context output for this command.

Command Example 
!wildfire-get-sample md5=5af84a3db5883627bfdff909e210634e
Human Readable Output
Screen Shot 2019-05-09 at 18 30 35
Edit this page
Report an Issue