Skip to main content

Palo Alto Networks WildFire v2

This Integration is part of the Palo Alto Networks WildFire Pack.#

Use the Palo Alto Networks Wildfire integration to automatically identify unknown threats and stop attackers in their tracks by performing malware dynamic analysis.

Palo Alto Networks WildFire v2 Playbooks#

  1. WildFire - Detonate File
  2. Detonate URL - WildFire v2.1

Use Cases#

  1. Send a file sample to WildFire.
  2. Upload a file hosted on a website to WildFire.
  3. Submit a webpage to WildFire.
  4. Get a report regarding the sent samples using file hash.
  5. Get sample file from WildFire.
  6. Get verdict regarding multiple hashes (up to 500) using the wildfire-get-verdicts command.

Configure WildFire v2 on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for WildFire-v2.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    Server base URL (e.g., https://192.168.0.1/publicapi)True
    API KeyTrue
    Source ReliabilityReliability of the source providing the intelligence data.True
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
    Return warning entry for unsupported file typesFalse
    Create relationshipsCreate relationships between indicators as part of Enrichment.False
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

file#


Retrieve results for a file hash using WildFire

Base Command#

file

Input#

Argument NameDescriptionRequired
fileFile hash to check.Optional
md5MD5 hash to check.Optional
sha256SHA256 hash to check.Optional

Context Output#

PathTypeDescription
File.NamestringName of the file.
File.TypestringFile type, for example: "PE".
File.SizestringSize of the file.
File.MD5stringMD5 hash of the file.
File.SHA1stringSHA1 hash of the file.
File.SHA256stringSHA256 hash of the file.
File.Malicious.VendorstringFor malicious files, the vendor that made the decision.
File.DigitalSignature.Publisherstring
DBotScore.IndicatorstringThe indicator that was tested.
DBotScore.TypestringThe indicator type.
DBotScore.VendorstringThe vendor used to calculate the score.
DBotScore.ScorenumberThe actual score.
WildFire.Report.StatusstringThe status of the submission.
WildFire.Report.SHA256stringSHA256 hash of the submission.
InfoFile.EntryIDUnknownThe EntryID of the report file.
InfoFile.ExtensionstringExtension of the report file.
InfoFile.NamestringName of the report file.
InfoFile.InfostringDetails of the report file.
InfoFile.SizenumberSize of the report file.
InfoFile.TypestringThe report file type.
File.FeedRelatedIndicators.valueStringIndicators that are associated with the file.
File.FeedRelatedIndicators.typeStringThe type of the indicators that are associated with the file.
File.TagsStringTags that are associated with the file.
File.Behavior.detailsStringFile behavior details.
File.Behavior.actionStringFile behavior action.

Command Example#

!file file=735bcfa56930d824f9091188eeaac2a1d68bc64a21f90a49c5ff836ed6ea723f

Human Readable Output#

WildFire File Report#

FileTypeMD5SHA256SizeStatus
JScriptccdb1053f56a2d297906746bc720ef2a735bcfa56930d824f9091188eeaac2a1d68bc64a21f90a49c5ff836ed6ea723f12Completed

wildfire-upload#


Uploads a file to WildFire for analysis.

Base Command#

wildfire-upload

Input#

Argument NameDescriptionRequired
uploadID of the entry containing the file to upload.Optional
pollingWhether to use Cortex XSOAR's built-in polling to retrieve the result when it's ready. Possible values are: true, false.Optional
interval_in_secondsInterval in seconds between each poll. Default is 60.Optional
md5Used for the inner polling flow. For uploading a file, use the 'upload' argument instead.Optional
formatThe type of structured report (XML or PDF) to request. Only relevant when polling=true. Possible values are: xml, pdf. Default is pdf.Optional
verboseWhether to receive extended information from WildFire. Only relevant when polling=true. Possible values are: true, false. Default is false.Optional
extended_dataIf set to “true”, the report will return extended data which includes the additional outputs. Possible values are: true, false.Optional

Context Output#

PathTypeDescription
WildFire.Report.MD5stringMD5 hash of the submission.
WildFire.Report.SHA256stringSHA256 hash of the submission.
WildFire.Report.FileTypestringThe submission type.
WildFire.Report.SizenumberThe size of the submission.
WildFire.Report.StatusstringThe status of the submission.
File.NamestringName of the file.
File.TypestringFile type, for example: "PE".
File.SizenumberSize of the file.
File.MD5stringMD5 hash of the file.
File.SHA1stringSHA1 hash of the file.
File.SHA256stringSHA256 hash of the file.
File.Malicious.VendorstringFor malicious files, the vendor that made the decision.
File.DigitalSignature.PublisherstringThe entity that signed the file for authenticity purposes.
DBotScore.IndicatorstringThe indicator that was tested.
DBotScore.TypestringThe indicator type.
DBotScore.VendorstringVendor used to calculate the score.
DBotScore.ScorenumberThe actual score.
InfoFile.EntryIDstringThe EntryID of the report file.
InfoFile.ExtensionstringThe extension of the report file.
InfoFile.NamestringThe name of the report file.
InfoFile.InfostringDetails of the report file.
InfoFile.SizenumberThe size of the report file.
InfoFile.TypestringThe report file type.
WildFire.Report.NetworkInfo.URL.HoststringSubmission related hosts
WildFire.Report.NetworkInfo.URL.MethodstringSubmission related method
WildFire.Report.NetworkInfo.URL.URIstringSubmission related uri
WildFire.Report.NetworkInfo.URL.UserAgentstringSubmission related user agent
WildFire.Report.NetworkInfo.UDP.IPstringSubmission related IPs, in UDP protocol.
WildFire.Report.NetworkInfo.UDP.PortstringSubmission related ports, in UDP protocol.
WildFire.Report.NetworkInfo.UDP.JA3stringSubmission related JA3s, in UDP protocol.
WildFire.Report.NetworkInfo.UDP.JA3SstringSubmission related JA3Ss, in UDP protocol.
WildFire.Report.NetworkInfo.UDP.CountrystringSubmission related Countries, in UDP protocol.
WildFire.Report.NetworkInfo.TCP.IPstringSubmission related IPs, in TCP protocol.
WildFire.Report.NetworkInfo.TCP.JA3stringSubmission related JA3s, in TCP protocol.
WildFire.Report.NetworkInfo.TCP.JA3SstringSubmission related JA3Ss, in TCP protocol.
WildFire.Report.NetworkInfo.TCP.CountrystringSubmission related Countries, in TCP protocol.
WildFire.Report.NetworkInfo.TCP.PortstringSubmission related ports, in TCP protocol.
WildFire.Report.NetworkInfo.DNS.QuerystringSubmission DNS queries.
WildFire.Report.NetworkInfo.DNS.ResponsestringSubmission DNS responses.
WildFire.Report.NetworkInfo.DNS.TypestringSubmission DNS Types.
WildFire.Report.Evidence.md5stringSubmission evidence MD5 hash.
WildFire.Report.Evidence.TextstringSubmission evidence text.
WildFire.Report.detection_reasons.descriptionstringReason for the detection verdict.
WildFire.Report.detection_reasons.namestringName of the detection.
WildFire.Report.detection_reasons.typestringType of the detection.
WildFire.Report.detection_reasons.verdictstringVerdict of the detection.
WildFire.Report.detection_reasons.artifactsunknownArtifacts of the detection reasons.
WildFire.Report.iocsunknownAssociated IOCs.
WildFire.Report.verdictstringThe verdict of the report.
WildFire.Report.PlatformstringThe Platform of the report
WildFire.Report.SoftwarestringThe Software of the report
WildFire.Report.ProcessList.ServicestringThe process service
WildFire.Report.ProcessList.ProcessCommandstringThe process command
WildFire.Report.ProcessList.ProcessNamestringThe process name
WildFire.Report.ProcessList.ProcessPidstringThe process pid
WildFire.Report.ProcessList.ProcessFilestringLists files that started a child processes, the process name, and the action the process performed.
WildFire.Report.ProcessTree.ProcessNamestringThe process name
WildFire.Report.ProcessTree.ProcessPidstringThe process pid
WildFire.Report.ProcessTree.ProcessTextstringThe action the process performed.
WildFire.Report.ProcessTree.Process.ChildNamestringThe child process name
WildFire.Report.ProcessTree.Process.ChildPidstringThe child process pid
WildFire.Report.ProcessTree.Process.ChildTextstringThe action the child process performed.
WildFire.Report.ExtractedURL.URLstringThe extracted url
WildFire.Report.ExtractedURL.VerdictstringThe extracted verdict
WildFire.Report.Summary.TextstringThe summary of the report
WildFire.Report.Summary.DetailsstringThe details summary of the report
WildFire.Report.Summary.BehaviorstringThe behavior summary of the report
WildFire.Report.ELF.ShellCommandsstringThe shell commands

Command Example#

!wildfire-upload upload=294@675f238c-ed75-4cae-83d2-02b6b820168b

Human Readable Output#

WildFire Upload File#

FileTypeMD5SHA256SizeStatus
Jscript for WSHccdb1053f56a2d297906746bc720ef2a735bcfa56930d824f9091188eeaac2a1d68bc64a21f90a49c5ff836ed6ea723f12Pending

wildfire-upload-file-url#


Uploads the URL of a remote file to WildFire for analysis.

Base Command#

wildfire-upload-file-url

Input#

Argument NameDescriptionRequired
uploadURL of the remote file to upload.Optional
urlUsed for the inner polling flow. For uploading a URL, use the 'upload' argument instead.Optional
pollingWhether to use Cortex XSOAR's built-in polling to retrieve the result when it's ready. Possible values are: true, false.Optional
interval_in_secondsInterval in seconds between each poll. Default is 60.Optional
formatThe type of structured report (XML or PDF) to request. Only relevant when polling=true. Possible values are: xml, pdf. Default is pdf.Optional
verboseWhether to receive extended information from WildFire. Only relevant when polling=true. Possible values are: true, false. Default is false.Optional
extended_dataIf set to “true”, the report will return extended data which includes the additional outputs. Possible values are: true, false.Optional

Context Output#

PathTypeDescription
WildFire.Report.MD5stringMD5 hash of the submission.
WildFire.Report.SHA256stringSHA256 hash of the submission.
WildFire.Report.StatusstringThe status of the submission.
WildFire.Report.URLstringURL of the submission.
File.NamestringName of the file.
File.TypestringFile type, for example: "PE".
File.SizenumberSize of the file.
File.MD5stringMD5 hash of the file.
File.SHA1stringSHA1 hash of the file.
File.SHA256stringSHA256 hash of the file.
File.Malicious.VendorstringFor malicious files, the vendor that made the decision.
File.DigitalSignature.PublisherstringThe entity that signed the file for authenticity purposes.
DBotScore.IndicatorstringThe indicator that was tested.
DBotScore.TypestringThe indicator type.
DBotScore.VendorstringVendor used to calculate the score.
DBotScore.ScorenumberThe actual score.
InfoFile.EntryIDstringThe EntryID of the report file.
InfoFile.ExtensionstringThe extension of the report file.
InfoFile.NamestringThe name of the report file.
InfoFile.InfostringDetails of the report file.
InfoFile.SizenumberThe size of the report file.
InfoFile.TypestringThe report file type.
WildFire.Report.NetworkInfo.URL.HoststringSubmission related hosts
WildFire.Report.NetworkInfo.URL.MethodstringSubmission related method
WildFire.Report.NetworkInfo.URL.URIstringSubmission related uri
WildFire.Report.NetworkInfo.URL.UserAgentstringSubmission related user agent
WildFire.Report.NetworkInfo.UDP.IPstringSubmission related IPs, in UDP protocol.
WildFire.Report.NetworkInfo.UDP.PortstringSubmission related ports, in UDP protocol.
WildFire.Report.NetworkInfo.UDP.JA3stringSubmission related JA3s, in UDP protocol.
WildFire.Report.NetworkInfo.UDP.JA3SstringSubmission related JA3Ss, in UDP protocol.
WildFire.Report.NetworkInfo.UDP.CountrystringSubmission related Countries, in UDP protocol.
WildFire.Report.NetworkInfo.TCP.IPstringSubmission related IPs, in TCP protocol.
WildFire.Report.NetworkInfo.TCP.JA3stringSubmission related JA3s, in TCP protocol.
WildFire.Report.NetworkInfo.TCP.JA3SstringSubmission related JA3Ss, in TCP protocol.
WildFire.Report.NetworkInfo.TCP.CountrystringSubmission related Countries, in TCP protocol.
WildFire.Report.NetworkInfo.TCP.PortstringSubmission related ports, in TCP protocol.
WildFire.Report.NetworkInfo.DNS.QuerystringSubmission DNS queries.
WildFire.Report.NetworkInfo.DNS.ResponsestringSubmission DNS responses.
WildFire.Report.NetworkInfo.DNS.TypestringSubmission DNS Types.
WildFire.Report.Evidence.md5stringSubmission evidence MD5 hash.
WildFire.Report.Evidence.TextstringSubmission evidence text.
WildFire.Report.detection_reasons.descriptionstringReason for the detection verdict.
WildFire.Report.detection_reasons.namestringName of the detection.
WildFire.Report.detection_reasons.typestringType of the detection.
WildFire.Report.detection_reasons.verdictstringVerdict of the detection.
WildFire.Report.detection_reasons.artifactsunknownArtifacts of the detection reasons.
WildFire.Report.iocsunknownAssociated IOCs.
WildFire.Report.verdictstringThe verdict of the report.
WildFire.Report.PlatformstringThe Platform of the report
WildFire.Report.SoftwarestringThe Software of the report
WildFire.Report.ProcessList.ServicestringThe process service
WildFire.Report.ProcessList.ProcessCommandstringThe process command
WildFire.Report.ProcessList.ProcessNamestringThe process name
WildFire.Report.ProcessList.ProcessPidstringThe process pid
WildFire.Report.ProcessList.ProcessFilestringLists files that started a child processes, the process name, and the action the process performed.
WildFire.Report.ProcessTree.ProcessNamestringThe process name
WildFire.Report.ProcessTree.ProcessPidstringThe process pid
WildFire.Report.ProcessTree.ProcessTextstringThe action the process performed.
WildFire.Report.ProcessTree.Process.ChildNamestringThe child process name
WildFire.Report.ProcessTree.Process.ChildPidstringThe child process pid
WildFire.Report.ProcessTree.Process.ChildTextstringThe action the child process performed.
WildFire.Report.ExtractedURL.URLstringThe extracted url
WildFire.Report.ExtractedURL.VerdictstringThe extracted verdict
WildFire.Report.Summary.TextstringThe summary of the report
WildFire.Report.Summary.DetailsstringThe details summary of the report
WildFire.Report.Summary.BehaviorstringThe behavior summary of the report
WildFire.Report.ELF.ShellCommandsstringThe shell commands

Command Example#

!wildfire-upload-file-url upload=http://www.software995.net/bin/pdf995s.exe

Human Readable Output#

WildFire Upload File URL#

FileTypeMD5SHA256SizeStatusURL
PE32 executable891b77e864c88881ea98be867e74177f555092d994b8838b8fa18d59df4fdb26289d146e071e831fcf0c6851b5fb04f85958304Pendinghttp://www.software995.net/bin/pdf995s.exe

wildfire-report#


Retrieves results for a file hash using WildFire.

Base Command#

wildfire-report

Input#

Argument NameDescriptionRequired
md5MD5 hash to check.Optional
sha256SHA256 hash to check.Optional
hashDeprecated. Use the sha256 argument instead.Optional
formatThe type of structured report (XML or PDF) to request. Possible values are: xml, pdf. Default is pdf.Optional
verboseReceive extended information from WildFire. Possible values are: true, false. Default is false.Optional
urlRetrieves results for a URL using WildFire. The report format is in JSON.Optional
extended_dataIf set to “true”, the report will return extended data which includes the additional outputs. Possible values are: true, false.Optional

Context Output#

PathTypeDescription
File.NamestringName of the file.
File.TypestringFile type, for example: "PE"
File.SizenumberSize of the file.
File.MD5stringMD5 hash of the file.
File.SHA1stringSHA1 hash of the file.
File.SHA256stringSHA256 hash of the file.
File.Malicious.VendorstringFor malicious files, the vendor that made the decision.
File.DigitalSignature.PublisherstringThe entity that signed the file for authenticity purposes.
DBotScore.IndicatorstringThe indicator that was tested.
DBotScore.TypestringThe indicator type.
DBotScore.VendorstringVendor used to calculate the score.
DBotScore.ScorenumberThe actual score.
WildFire.Report.StatusstringThe status of the submission.
WildFire.Report.SHA256stringSHA256 hash of the submission.
InfoFile.EntryIDstringThe EntryID of the report file.
InfoFile.ExtensionstringThe extension of the report file.
InfoFile.NamestringThe name of the report file.
InfoFile.InfostringDetails of the report file.
InfoFile.SizenumberThe size of the report file.
InfoFile.TypestringThe report file type.
WildFire.Report.NetworkInfo.URL.HoststringSubmission related hosts
WildFire.Report.NetworkInfo.URL.MethodstringSubmission related method
WildFire.Report.NetworkInfo.URL.URIstringSubmission related uri
WildFire.Report.NetworkInfo.URL.UserAgentstringSubmission related user agent
WildFire.Report.NetworkInfo.UDP.IPstringSubmission related IPs, in UDP protocol.
WildFire.Report.NetworkInfo.UDP.PortstringSubmission related ports, in UDP protocol.
WildFire.Report.NetworkInfo.UDP.JA3stringSubmission related JA3s, in UDP protocol.
WildFire.Report.NetworkInfo.UDP.JA3SstringSubmission related JA3Ss, in UDP protocol.
WildFire.Report.NetworkInfo.UDP.CountrystringSubmission related Countries, in UDP protocol.
WildFire.Report.NetworkInfo.TCP.IPstringSubmission related IPs, in TCP protocol.
WildFire.Report.NetworkInfo.TCP.JA3stringSubmission related JA3s, in TCP protocol.
WildFire.Report.NetworkInfo.TCP.JA3SstringSubmission related JA3Ss, in TCP protocol.
WildFire.Report.NetworkInfo.TCP.CountrystringSubmission related Countries, in TCP protocol.
WildFire.Report.NetworkInfo.TCP.PortstringSubmission related ports, in TCP protocol.
WildFire.Report.NetworkInfo.DNS.QuerystringSubmission DNS queries.
WildFire.Report.NetworkInfo.DNS.ResponsestringSubmission DNS responses.
WildFire.Report.NetworkInfo.DNS.TypestringSubmission DNS Types.
WildFire.Report.Evidence.md5stringSubmission evidence MD5 hash.
WildFire.Report.Evidence.TextstringSubmission evidence text.
WildFire.Report.detection_reasons.descriptionstringReason for the detection verdict.
WildFire.Report.detection_reasons.namestringName of the detection.
WildFire.Report.detection_reasons.typestringType of the detection.
WildFire.Report.detection_reasons.verdictstringVerdict of the detection.
WildFire.Report.detection_reasons.artifactsunknownArtifacts of the detection reasons.
WildFire.Report.iocsunknownAssociated IOCs.
WildFire.Report.verdictstringThe verdict of the report.
WildFire.Report.PlatformstringThe Platform of the report
WildFire.Report.SoftwarestringThe Software of the report
WildFire.Report.ProcessList.ServicestringThe process service
WildFire.Report.ProcessList.ProcessCommandstringThe process command
WildFire.Report.ProcessList.ProcessNamestringThe process name
WildFire.Report.ProcessList.ProcessPidstringThe process pid
WildFire.Report.ProcessList.ProcessFilestringLists files that started a child processes, the process name, and the action the process performed.
WildFire.Report.ProcessTree.ProcessNamestringThe process name
WildFire.Report.ProcessTree.ProcessPidstringThe process pid
WildFire.Report.ProcessTree.ProcessTextstringThe action the process performed.
WildFire.Report.ProcessTree.Process.ChildNamestringThe child process name
WildFire.Report.ProcessTree.Process.ChildPidstringThe child process pid
WildFire.Report.ProcessTree.Process.ChildTextstringThe action the child process performed.
WildFire.Report.ExtractedURL.URLstringThe extracted url
WildFire.Report.ExtractedURL.VerdictstringThe extracted verdict
WildFire.Report.Summary.TextstringThe summary of the report
WildFire.Report.Summary.DetailsstringThe details summary of the report
WildFire.Report.Summary.BehaviorstringThe behavior summary of the report
WildFire.Report.ELF.ShellCommandsstringThe shell commands

Command Example#

!wildfire-report url=https://www.demisto.com

Human Readable Output#

Wildfire URL report for https://www.demisto.com#

sha256typeverdict
288cd35401e334a2defc0b428d709f58d4ea28c8e9c6e47fdba88da2d6bc88a7wf-reportbenign

wildfire-get-verdict#


Returns a verdict for a hash.

Base Command#

wildfire-get-verdict

Input#

Argument NameDescriptionRequired
hashComma-separated list of hashes to get the verdict for.Optional
urlThe URL to get the verdict for.Optional

Context Output#

PathTypeDescription
WildFire.Verdicts.MD5stringMD5 hash of the file.
WildFire.Verdicts.SHA256stringSHA256 hash of the file.
WildFire.Verdicts.VerdictnumberVerdict of the file.
WildFire.Verdicts.VerdictDescriptionstringDescription of the file verdict.
DBotScore.IndicatorstringThe indicator that was tested.
DBotScore.TypestringThe indicator type.
DBotScore.VendorstringVendor used to calculate the score.
DBotScore.ScorenumberThe actual score.
WildFire.Verdicts.AnalysisTimedateVerdict analysis time.
WildFire.Verdicts.URLstringThe URL of the web page.
WildFire.Verdicts.ValidstringIs the URL valid.

Command Example#

!wildfire-get-verdict hash=afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc

Human Readable Output#

WildFire Verdict#

MD5SHA256VerdictVerdictDescription
0e4e3c2d84a9bc726a50b3c91346fbb1afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc1malware

wildfire-get-verdicts#


Returns a verdict regarding multiple hashes, stored in a TXT file or given as list.

Base Command#

wildfire-get-verdicts

Input#

Argument NameDescriptionRequired
EntryIDEntryID of the text file that contains multiple hashes. Limit is 500 hashes.Optional
hash_listA comma-separated list of hashes to get verdicts for.Optional

Context Output#

PathTypeDescription
WildFire.Verdicts.MD5stringMD5 hash of the file.
WildFire.Verdicts.SHA256stringSHA256 hash of the file.
WildFire.Verdicts.VerdictnumberVerdict of the file.
WildFire.Verdicts.VerdictDescriptionstringDescription of the file verdict.
DBotScore.IndicatorstringThe indicator that was tested.
DBotScore.TypestringThe indicator type.
DBotScore.VendorstringVendor used to calculate the score.
DBotScore.ScorenumberThe actual score.

Command Example#

Human Readable Output#

wildfire-upload-url#


Uploads a URL of a webpage to WildFire for analysis.

Base Command#

wildfire-upload-url

Input#

Argument NameDescriptionRequired
uploadURL to submit to WildFire.Optional
urlUsed for the inner polling flow. For uploading a URL, use the 'upload' argument instead.Optional
pollingWhether to use Cortex XSOAR's built-in polling to retrieve the result when it's ready. Possible values are: true, false.Optional
interval_in_secondsInterval in seconds between each poll. Default is 60.Optional
formatThe type of structured report (XML or PDF) to request. Only relevant when polling=true. Possible values are: xml, pdf. Default is pdf.Optional
verboseWhether to receive extended information from WildFire. Only relevant when polling=true. Possible values are: true, false. Default is false.Optional
extended_dataIf set to “true”, the report will return extended data which includes the additional outputs. Possible values are: true, false.Optional

Context Output#

PathTypeDescription
WildFire.Report.MD5stringMD5 of the submission.
WildFire.Report.SHA256stringSHA256 of the submission.
WildFire.Report.StatusstringThe status of the submission.
WildFire.Report.URLstringURL of the submission.
File.NamestringName of the file.
File.TypestringFile type, for example: "PE".
File.SizenumberSize of the file.
File.MD5stringMD5 hash of the file.
File.SHA1stringSHA1 hash of the file.
File.SHA256stringSHA256 hash of the file.
File.Malicious.VendorstringFor malicious files, the vendor that made the decision.
File.DigitalSignature.PublisherstringThe entity that signed the file for authenticity purposes.
DBotScore.IndicatorstringThe indicator that was tested.
DBotScore.TypestringThe indicator type.
DBotScore.VendorstringVendor used to calculate the score.
DBotScore.ScorenumberThe actual score.
InfoFile.EntryIDstringThe EntryID of the report file.
InfoFile.ExtensionstringThe extension of the report file.
InfoFile.NamestringThe name of the report file.
InfoFile.InfostringDetails of the report file.
InfoFile.SizenumberThe size of the report file.
InfoFile.TypestringThe report file type.
WildFire.Report.NetworkInfo.URL.HoststringSubmission related hosts
WildFire.Report.NetworkInfo.URL.MethodstringSubmission related method
WildFire.Report.NetworkInfo.URL.URIstringSubmission related uri
WildFire.Report.NetworkInfo.URL.UserAgentstringSubmission related user agent
WildFire.Report.NetworkInfo.UDP.IPstringSubmission related IPs, in UDP protocol.
WildFire.Report.NetworkInfo.UDP.PortstringSubmission related ports, in UDP protocol.
WildFire.Report.NetworkInfo.UDP.JA3stringSubmission related JA3s, in UDP protocol.
WildFire.Report.NetworkInfo.UDP.JA3SstringSubmission related JA3Ss, in UDP protocol.
WildFire.Report.NetworkInfo.UDP.CountrystringSubmission related Countries, in UDP protocol.
WildFire.Report.NetworkInfo.TCP.IPstringSubmission related IPs, in TCP protocol.
WildFire.Report.NetworkInfo.TCP.JA3stringSubmission related JA3s, in TCP protocol.
WildFire.Report.NetworkInfo.TCP.JA3SstringSubmission related JA3Ss, in TCP protocol.
WildFire.Report.NetworkInfo.TCP.CountrystringSubmission related Countries, in TCP protocol.
WildFire.Report.NetworkInfo.TCP.PortstringSubmission related ports, in TCP protocol.
WildFire.Report.NetworkInfo.DNS.QuerystringSubmission DNS queries.
WildFire.Report.NetworkInfo.DNS.ResponsestringSubmission DNS responses.
WildFire.Report.NetworkInfo.DNS.TypestringSubmission DNS Types.
WildFire.Report.Evidence.md5stringSubmission evidence MD5 hash.
WildFire.Report.Evidence.TextstringSubmission evidence text.
WildFire.Report.detection_reasons.descriptionstringReason for the detection verdict.
WildFire.Report.detection_reasons.namestringName of the detection.
WildFire.Report.detection_reasons.typestringType of the detection.
WildFire.Report.detection_reasons.verdictstringVerdict of the detection.
WildFire.Report.detection_reasons.artifactsunknownArtifacts of the detection reasons.
WildFire.Report.iocsunknownAssociated IOCs.
WildFire.Report.verdictstringThe verdict of the report.
WildFire.Report.PlatformstringThe Platform of the report
WildFire.Report.SoftwarestringThe Software of the report
WildFire.Report.ProcessList.ServicestringThe process service
WildFire.Report.ProcessList.ProcessCommandstringThe process command
WildFire.Report.ProcessList.ProcessNamestringThe process name
WildFire.Report.ProcessList.ProcessPidstringThe process pid
WildFire.Report.ProcessList.ProcessFilestringLists files that started a child processes, the process name, and the action the process performed.
WildFire.Report.ProcessTree.ProcessNamestringThe process name
WildFire.Report.ProcessTree.ProcessPidstringThe process pid
WildFire.Report.ProcessTree.ProcessTextstringThe action the process performed.
WildFire.Report.ProcessTree.Process.ChildNamestringThe child process name
WildFire.Report.ProcessTree.Process.ChildPidstringThe child process pid
WildFire.Report.ProcessTree.Process.ChildTextstringThe action the child process performed.
WildFire.Report.ExtractedURL.URLstringThe extracted url
WildFire.Report.ExtractedURL.VerdictstringThe extracted verdict
WildFire.Report.Summary.TextstringThe summary of the report
WildFire.Report.Summary.DetailsstringThe details summary of the report
WildFire.Report.Summary.BehaviorstringThe behavior summary of the report
WildFire.Report.ELF.ShellCommandsstringThe shell commands

Command Example#

!wildfire-upload-url upload=https://www.demisto.com

Human Readable Output#

WildFire Upload URL#

MD5SHA256StatusURL
67632f32e6af123aa8ffd1fe8765a783c51a8231d1be07a2545ac99e86a25c5d68f88380b7ebf7ac91501661e6d678bbPendinghttps://www.demisto.com

wildfire-get-sample#


Retrieves a sample.

Base Command#

wildfire-get-sample

Input#

Argument NameDescriptionRequired
md5MD5 hash of the sample.Optional
sha256SHA256 hash of the sample.Optional

Context Output#

There is no context output for this command.

Command Example#

!wildfire-get-sample sha256=afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc

Human Readable Output#

There is no human-readable output for this command.

wildfire-get-url-webartifacts#


Get web artifacts for a URL webpage. An empty tgz will be returned, no matter what the verdict, or even if the URL is malformed.

Base Command#

wildfire-get-url-webartifacts

Input#

Argument NameDescriptionRequired
urlURL of the webpage.Required
typesWhether to download as screenshots or as downloadable files. If not specified, both will be downloaded. Possible values are: download_files, screenshot.Optional

Context Output#

PathTypeDescription
InfoFile.EntryIDStringThe EntryID of the web artifacts.
InfoFile.ExtensionstringExtension of the web artifacts.
InfoFile.NamestringName of the web artifacts.
InfoFile.InfostringDetails of the web artifacts.
InfoFile.SizenumberSize of the web artifacts.
InfoFile.TypestringThe web artifacts file type.

Command Example#

!wildfire-get-url-webartifacts url=http://royalmail-login.com

Human Readable Output#

There is no human-readable output for this command.