
Palo Alto Networks WildFire v2

This Integration is part of the Palo Alto Networks WildFire Pack.

Use the Palo Alto Networks WildFire integration to automatically identify unknown threats and stop attackers in their tracks by performing dynamic malware analysis.

Palo Alto Networks WildFire v2 Playbooks

  1. WildFire - Detonate File
  2. Detonate URL - WildFire v2.1

Use Cases

  1. Send a file sample to WildFire.
  2. Upload a file hosted on a website to WildFire.
  3. Submit a webpage to WildFire.
  4. Get a report on previously sent samples using the file hash.
  5. Get a sample file from WildFire.
  6. Get verdicts for multiple hashes (up to 500) using the wildfire-get-verdicts command.

Configure WildFire v2 on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for WildFire-v2.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Server base URL (e.g. https://192.168.0.1/publicapi) | | True |
    | API Key | | True |
    | Source Reliability | Reliability of the source providing the intelligence data. | True |
    | Trust any certificate (not secure) | | False |
    | Use system proxy settings | | False |
    | Return warning entry for unsupported file types | | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

file

Retrieves results for a file hash using WildFire.

Base Command

file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | File hash to check. | Optional |
| md5 | MD5 hash to check. | Optional |
| sha256 | SHA256 hash to check. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.Name | string | Name of the file. |
| File.Type | string | File type, for example: "PE" |
| File.Size | string | Size of the file. |
| File.MD5 | string | MD5 hash of the file. |
| File.SHA1 | string | SHA1 hash of the file. |
| File.SHA256 | string | SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| WildFire.Report.Status | string | The status of the submission. |
| WildFire.Report.SHA256 | string | SHA256 hash of the submission. |
| InfoFile.EntryID | unknown | The EntryID of the report file. |
| InfoFile.Extension | string | Extension of the report file. |
| InfoFile.Name | string | Name of the report file. |
| InfoFile.Info | string | Details of the report file. |
| InfoFile.Size | number | Size of the report file. |
| InfoFile.Type | string | The report file type. |
| File.FeedRelatedIndicators.value | string | Indicators that are associated with the File. |
| File.FeedRelatedIndicators.type | string | The type of the indicators that are associated with the File. |
| File.Tags | string | Tags that are associated with the File. |
| File.Behavior.details | string | File behavior details. |
| File.Behavior.action | string | File behavior action. |

Command Example

!file file=735bcfa56930d824f9091188eeaac2a1d68bc64a21f90a49c5ff836ed6ea723f

Human Readable Output

WildFire File Report

| FileType | MD5 | SHA256 | Size | Status |
| --- | --- | --- | --- | --- |
| JScript | ccdb1053f56a2d297906746bc720ef2a | 735bcfa56930d824f9091188eeaac2a1d68bc64a21f90a49c5ff836ed6ea723f | 12 | Completed |

wildfire-upload

Uploads a file to WildFire for analysis.

Base Command

wildfire-upload

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| upload | ID of the entry containing the file to upload. | Optional |
| polling | Use XSOAR built-in polling to retrieve the result when it is ready. Possible values are: true, false. | Optional |
| interval_in_seconds | Interval in seconds between each poll. Default is 60. | Optional |
| md5 | Used by the inner polling flow; to upload a file use the 'upload' argument instead. | Optional |
| format | Request a structured report (XML or PDF). Only relevant when polling=true. Possible values are: xml, pdf. Default is pdf. | Optional |
| verbose | Receive extended information from WildFire. Only relevant when polling=true. Possible values are: true, false. Default is false. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| WildFire.Report.MD5 | string | MD5 hash of the submission. |
| WildFire.Report.SHA256 | string | SHA256 hash of the submission. |
| WildFire.Report.FileType | string | The submission type. |
| WildFire.Report.Size | number | The size of the submission. |
| WildFire.Report.Status | string | The status of the submission. |
| File.Name | string | Name of the file. |
| File.Type | string | File type, for example: "PE" |
| File.Size | number | Size of the file. |
| File.MD5 | string | MD5 hash of the file. |
| File.SHA1 | string | SHA1 hash of the file. |
| File.SHA256 | string | SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | Vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| InfoFile.EntryID | string | The EntryID of the report file. |
| InfoFile.Extension | string | The extension of the report file. |
| InfoFile.Name | string | The name of the report file. |
| InfoFile.Info | string | Details of the report file. |
| InfoFile.Size | number | The size of the report file. |
| InfoFile.Type | string | The report file type. |
| WildFire.Report.Network.UDP.IP | string | Submission related IPs, in UDP protocol. |
| WildFire.Report.Network.UDP.Port | string | Submission related ports, in UDP protocol. |
| WildFire.Report.Network.TCP.IP | string | Submission related IPs, in TCP protocol. |
| WildFire.Report.Network.TCP.Port | string | Submission related ports, in TCP protocol. |
| WildFire.Report.Network.DNS.Query | string | Submission DNS queries. |
| WildFire.Report.Network.DNS.Response | string | Submission DNS responses. |
| WildFire.Report.Evidence.md5 | string | Submission evidence MD5 hash. |
| WildFire.Report.Evidence.Text | string | Submission evidence text. |
| WildFire.Report.detection_reasons.description | string | Reason for the detection verdict. |
| WildFire.Report.detection_reasons.name | string | Name of the detection. |
| WildFire.Report.detection_reasons.type | string | Type of the detection. |
| WildFire.Report.detection_reasons.verdict | string | Verdict of the detection. |
| WildFire.Report.detection_reasons.artifacts | unknown | Artifacts of the detection reasons. |
| WildFire.Report.iocs | unknown | Associated IOCs. |
| WildFire.Report.verdict | string | The verdict of the report. |

Command Example

!wildfire-upload upload=294@675f238c-ed75-4cae-83d2-02b6b820168b

Human Readable Output

WildFire Upload File

| FileType | MD5 | SHA256 | Size | Status |
| --- | --- | --- | --- | --- |
| Jscript for WSH | ccdb1053f56a2d297906746bc720ef2a | 735bcfa56930d824f9091188eeaac2a1d68bc64a21f90a49c5ff836ed6ea723f | 12 | Pending |

wildfire-upload-file-url

Uploads the URL of a remote file to WildFire for analysis.

Base Command

wildfire-upload-file-url

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| upload | URL of the remote file to upload. | Optional |
| url | Used by the inner polling flow; to upload a URL use the 'upload' argument instead. | Optional |
| polling | Use XSOAR built-in polling to retrieve the result when it is ready. Possible values are: true, false. | Optional |
| interval_in_seconds | Interval in seconds between each poll. Default is 60. | Optional |
| format | Request a structured report (XML or PDF). Only relevant when polling=true. Possible values are: xml, pdf. Default is pdf. | Optional |
| verbose | Receive extended information from WildFire. Only relevant when polling=true. Possible values are: true, false. Default is false. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| WildFire.Report.MD5 | string | MD5 hash of the submission. |
| WildFire.Report.SHA256 | string | SHA256 hash of the submission. |
| WildFire.Report.Status | string | The status of the submission. |
| WildFire.Report.URL | string | URL of the submission. |
| File.Name | string | Name of the file. |
| File.Type | string | File type, for example: "PE" |
| File.Size | number | Size of the file. |
| File.MD5 | string | MD5 hash of the file. |
| File.SHA1 | string | SHA1 hash of the file. |
| File.SHA256 | string | SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | Vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| InfoFile.EntryID | string | The EntryID of the report file. |
| InfoFile.Extension | string | The extension of the report file. |
| InfoFile.Name | string | The name of the report file. |
| InfoFile.Info | string | Details of the report file. |
| InfoFile.Size | number | The size of the report file. |
| InfoFile.Type | string | The report file type. |
| WildFire.Report.Network.UDP.IP | string | Submission related IPs, in UDP protocol. |
| WildFire.Report.Network.UDP.Port | string | Submission related ports, in UDP protocol. |
| WildFire.Report.Network.TCP.IP | string | Submission related IPs, in TCP protocol. |
| WildFire.Report.Network.TCP.Port | string | Submission related ports, in TCP protocol. |
| WildFire.Report.Network.DNS.Query | string | Submission DNS queries. |
| WildFire.Report.Network.DNS.Response | string | Submission DNS responses. |
| WildFire.Report.Evidence.md5 | string | Submission evidence MD5 hash. |
| WildFire.Report.Evidence.Text | string | Submission evidence text. |
| WildFire.Report.detection_reasons.description | string | Reason for the detection verdict. |
| WildFire.Report.detection_reasons.name | string | Name of the detection. |
| WildFire.Report.detection_reasons.type | string | Type of the detection. |
| WildFire.Report.detection_reasons.verdict | string | Verdict of the detection. |
| WildFire.Report.detection_reasons.artifacts | unknown | Artifacts of the detection reasons. |
| WildFire.Report.iocs | unknown | Associated IOCs. |
| WildFire.Report.verdict | string | The verdict of the report. |

Command Example

!wildfire-upload-file-url upload=http://www.software995.net/bin/pdf995s.exe

Human Readable Output

WildFire Upload File URL

| FileType | MD5 | SHA256 | Size | Status | URL |
| --- | --- | --- | --- | --- | --- |
| PE32 executable | 891b77e864c88881ea98be867e74177f | 555092d994b8838b8fa18d59df4fdb26289d146e071e831fcf0c6851b5fb04f8 | 5958304 | Pending | http://www.software995.net/bin/pdf995s.exe |

wildfire-report

Retrieves results for a file hash, or for a URL when the url argument is given, using WildFire.

Base Command

wildfire-report

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| md5 | MD5 hash to check. | Optional |
| sha256 | SHA256 hash to check. | Optional |
| hash | Deprecated. Use the sha256 argument instead. | Optional |
| format | Request a structured report (XML or PDF). Possible values are: xml, pdf. Default is pdf. | Optional |
| verbose | Receive extended information from WildFire. Possible values are: true, false. Default is false. | Optional |
| url | URL to retrieve results for using WildFire. The URL report is returned in JSON format. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.Name | string | Name of the file. |
| File.Type | string | File type, for example: "PE" |
| File.Size | number | Size of the file. |
| File.MD5 | string | MD5 hash of the file. |
| File.SHA1 | string | SHA1 hash of the file. |
| File.SHA256 | string | SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | Vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| WildFire.Report.Status | string | The status of the submission. |
| WildFire.Report.SHA256 | string | SHA256 hash of the submission. |
| InfoFile.EntryID | string | The EntryID of the report file. |
| InfoFile.Extension | string | The extension of the report file. |
| InfoFile.Name | string | The name of the report file. |
| InfoFile.Info | string | Details of the report file. |
| InfoFile.Size | number | The size of the report file. |
| InfoFile.Type | string | The report file type. |
| WildFire.Report.Network.UDP.IP | string | Submission related IPs, in UDP protocol. |
| WildFire.Report.Network.UDP.Port | string | Submission related ports, in UDP protocol. |
| WildFire.Report.Network.TCP.IP | string | Submission related IPs, in TCP protocol. |
| WildFire.Report.Network.TCP.Port | string | Submission related ports, in TCP protocol. |
| WildFire.Report.Network.DNS.Query | string | Submission DNS queries. |
| WildFire.Report.Network.DNS.Response | string | Submission DNS responses. |
| WildFire.Report.Evidence.md5 | string | Submission evidence MD5 hash. |
| WildFire.Report.Evidence.Text | string | Submission evidence text. |
| WildFire.Report.detection_reasons.description | string | Reason for the detection verdict. |
| WildFire.Report.detection_reasons.name | string | Name of the detection. |
| WildFire.Report.detection_reasons.type | string | Type of the detection. |
| WildFire.Report.detection_reasons.verdict | string | Verdict of the detection. |
| WildFire.Report.detection_reasons.artifacts | unknown | Artifacts of the detection reasons. |
| WildFire.Report.iocs | unknown | Associated IOCs. |
| WildFire.Report.verdict | string | The verdict of the report. |

Command Example

!wildfire-report url=https://www.demisto.com

Human Readable Output

WildFire URL report for https://www.demisto.com

| sha256 | type | verdict |
| --- | --- | --- |
| 288cd35401e334a2defc0b428d709f58d4ea28c8e9c6e47fdba88da2d6bc88a7 | wf-report | benign |

wildfire-get-verdict

Returns a verdict for a hash.

Base Command

wildfire-get-verdict

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hash | Hash to get the verdict for. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| WildFire.Verdicts.MD5 | string | MD5 hash of the file. |
| WildFire.Verdicts.SHA256 | string | SHA256 hash of the file. |
| WildFire.Verdicts.Verdict | number | Verdict of the file. |
| WildFire.Verdicts.VerdictDescription | string | Description of the file verdict. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | Vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |

Command Example

!wildfire-get-verdict hash=afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc

Human Readable Output

WildFire Verdict

| MD5 | SHA256 | Verdict | VerdictDescription |
| --- | --- | --- | --- |
| 0e4e3c2d84a9bc726a50b3c91346fbb1 | afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc | 1 | malware |

wildfire-get-verdicts

Returns verdicts for multiple hashes, supplied either in a TXT file or as a list.

Base Command

wildfire-get-verdicts

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| EntryID | EntryID of the text file that contains multiple hashes. Limit is 500 hashes. | Optional |
| hash_list | A list of hashes to get verdicts for. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| WildFire.Verdicts.MD5 | string | MD5 hash of the file. |
| WildFire.Verdicts.SHA256 | string | SHA256 hash of the file. |
| WildFire.Verdicts.Verdict | number | Verdict of the file. |
| WildFire.Verdicts.VerdictDescription | string | Description of the file verdict. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | Vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |

Command Example

Human Readable Output
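wildfire-get-verdict and wildfire-get-verdicts both fill the WildFire.Verdicts context; the batched command accepts at most 500 hashes per request, as a hash_list or as a one-hash-per-line text file referenced by EntryID. The block below is an added example, not code from the WildFire pack or from Palo Alto Networks, showing the client-side work around that limit: validating and de-duplicating the hashes, splitting them into 500-hash batches, building the text body, and parsing a verdict response into WildFire.Verdicts entries. The XML is constructed in the shape of the WildFire get/verdicts response, `FakeLookup` stands in for the HTTP call so the example runs offline, and the verdict-code table is the set WildFire documents for its API, of which the page itself only shows 1 = malware.

```python
"""Batch hash lookups for wildfire-get-verdicts (added example, not the pack's code)."""
import re
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Iterable, List

MAX_HASHES_PER_REQUEST = 500  # limit documented for wildfire-get-verdicts
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{64})$")  # MD5 or SHA256, lowercase hex

# WildFire verdict codes as documented for the WildFire API.
WILDFIRE_VERDICTS = {
    0: "benign", 1: "malware", 2: "grayware", 4: "phishing", 5: "C2",
    -100: "pending", -101: "error", -102: "unknown", -103: "invalid hash",
}

# Constructed response in the shape WildFire returns for get/verdicts. The first entry
# reuses the hash and verdict shown on this page; the second is a made-up SHA256
# that WildFire has never seen, which comes back as -102 with no MD5.
SAMPLE_RESPONSE = """<wildfire>
  <get-verdict-info>
    <sha256>afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc</sha256>
    <md5>0e4e3c2d84a9bc726a50b3c91346fbb1</md5>
    <verdict>1</verdict>
  </get-verdict-info>
  <get-verdict-info>
    <sha256>ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad</sha256>
    <md5></md5>
    <verdict>-102</verdict>
  </get-verdict-info>
</wildfire>"""


def normalize_hashes(raw: Iterable[str]) -> List[str]:
    """Trim, lowercase, de-duplicate; reject anything that is not an MD5/SHA256 hex digest."""
    seen, out = set(), []
    for h in raw:
        h = h.strip().lower()
        if not h:
            continue
        if not HASH_RE.match(h):
            raise ValueError(f"not an MD5 or SHA256 hex digest: {h!r}")
        if h not in seen:
            seen.add(h)
            out.append(h)
    return out


def batches(hashes: List[str], size: int = MAX_HASHES_PER_REQUEST):
    """Yield consecutive slices no larger than the per-request limit."""
    for i in range(0, len(hashes), size):
        yield hashes[i:i + size]


def hashes_file_body(batch: List[str]) -> bytes:
    """The one-hash-per-line text form that the EntryID argument references."""
    return ("\n".join(batch) + "\n").encode()


def parse_verdicts(xml_text: str) -> List[Dict]:
    """Turn a get/verdicts XML response into WildFire.Verdicts context entries."""
    out = []
    for info in ET.fromstring(xml_text).iter("get-verdict-info"):
        verdict = int(info.findtext("verdict"))
        out.append({
            "MD5": info.findtext("md5"),
            "SHA256": info.findtext("sha256"),
            "Verdict": verdict,
            "VerdictDescription": WILDFIRE_VERDICTS.get(verdict, "unknown"),
        })
    return out


def get_verdicts(raw_hashes: Iterable[str], lookup: Callable[[bytes], str]) -> List[Dict]:
    """Validate, batch, submit each batch through `lookup`, and merge the parsed verdicts."""
    results: List[Dict] = []
    for batch in batches(normalize_hashes(raw_hashes)):
        results.extend(parse_verdicts(lookup(hashes_file_body(batch))))
    return results


class FakeLookup:
    """Constructed stand-in for the verdicts request: records each body, returns canned XML."""

    def __init__(self):
        self.calls: List[bytes] = []

    def __call__(self, body: bytes) -> str:
        self.calls.append(body)
        return SAMPLE_RESPONSE


if __name__ == "__main__":
    lookup = FakeLookup()
    for entry in get_verdicts(["AFE6B95AD95BC689C356F34EC8D9094C495E4AF57C932AC413B65EF132063ACC"], lookup):
        print(entry["SHA256"][:12], entry["Verdict"], entry["VerdictDescription"])
```

The point of the validation step is that the API treats anything it cannot parse as a hash as an error or an unknown, so an unvalidated list silently degrades coverage; failing fast on a bad entry keeps the DBotScore output honest.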

wildfire-upload-url

Uploads the URL of a webpage to WildFire for analysis.

Base Command

wildfire-upload-url

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| upload | URL to submit to WildFire. | Optional |
| url | Used by the inner polling flow; to upload a URL use the 'upload' argument instead. | Optional |
| polling | Use XSOAR built-in polling to retrieve the result when it is ready. Possible values are: true, false. | Optional |
| interval_in_seconds | Interval in seconds between each poll. Default is 60. | Optional |
| format | Request a structured report (XML or PDF). Only relevant when polling=true. Possible values are: xml, pdf. Default is pdf. | Optional |
| verbose | Receive extended information from WildFire. Only relevant when polling=true. Possible values are: true, false. Default is false. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| WildFire.Report.MD5 | string | MD5 of the submission. |
| WildFire.Report.SHA256 | string | SHA256 of the submission. |
| WildFire.Report.Status | string | The status of the submission. |
| WildFire.Report.URL | string | URL of the submission. |
| File.Name | string | Name of the file. |
| File.Type | string | File type, for example: "PE" |
| File.Size | number | Size of the file. |
| File.MD5 | string | MD5 hash of the file. |
| File.SHA1 | string | SHA1 hash of the file. |
| File.SHA256 | string | SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | Vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| InfoFile.EntryID | string | The EntryID of the report file. |
| InfoFile.Extension | string | The extension of the report file. |
| InfoFile.Name | string | The name of the report file. |
| InfoFile.Info | string | Details of the report file. |
| InfoFile.Size | number | The size of the report file. |
| InfoFile.Type | string | The report file type. |
| WildFire.Report.Network.UDP.IP | string | Submission related IPs, in UDP protocol. |
| WildFire.Report.Network.UDP.Port | string | Submission related ports, in UDP protocol. |
| WildFire.Report.Network.TCP.IP | string | Submission related IPs, in TCP protocol. |
| WildFire.Report.Network.TCP.Port | string | Submission related ports, in TCP protocol. |
| WildFire.Report.Network.DNS.Query | string | Submission DNS queries. |
| WildFire.Report.Network.DNS.Response | string | Submission DNS responses. |
| WildFire.Report.Evidence.md5 | string | Submission evidence MD5 hash. |
| WildFire.Report.Evidence.Text | string | Submission evidence text. |
| WildFire.Report.detection_reasons.description | string | Reason for the detection verdict. |
| WildFire.Report.detection_reasons.name | string | Name of the detection. |
| WildFire.Report.detection_reasons.type | string | Type of the detection. |
| WildFire.Report.detection_reasons.verdict | string | Verdict of the detection. |
| WildFire.Report.detection_reasons.artifacts | unknown | Artifacts of the detection reasons. |
| WildFire.Report.iocs | unknown | Associated IOCs. |
| WildFire.Report.verdict | string | The verdict of the report. |

Command Example

!wildfire-upload-url upload=https://www.demisto.com

Human Readable Output

WildFire Upload URL

| MD5 | SHA256 | Status | URL |
| --- | --- | --- | --- |
| 67632f32e6af123aa8ffd1fe8765a783 | c51a8231d1be07a2545ac99e86a25c5d68f88380b7ebf7ac91501661e6d678bb | Pending | https://www.demisto.com |
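The three upload commands above (wildfire-upload, wildfire-upload-file-url and wildfire-upload-url) share one flow when polling=true: the submission comes back as Pending, and the integration then fetches the report every interval_in_seconds until the status changes, at which point the verdict is turned into a DBotScore. The block below is an added example of that flow in plain Python, not code from the WildFire pack or from Palo Alto Networks. `FakeWildFire` is a constructed stand-in for the service (it answers Pending a fixed number of times, then Completed with a fixed verdict) so the example runs offline; the verdict codes are WildFire's documented set, the Pending/Completed strings match the page's output, and the "WildFire-v2" DBotScore vendor label is an assumption.

```python
"""Submit-then-poll flow behind the upload commands (added example, not the pack's code)."""
import hashlib
import time
from typing import Callable, Dict

# WildFire verdict codes as documented for the WildFire API (the page shows 1 == malware).
WILDFIRE_VERDICTS = {
    0: "benign", 1: "malware", 2: "grayware", 4: "phishing", 5: "C2",
    -100: "pending", -101: "error", -102: "unknown", -103: "invalid hash",
}


def verdict_to_dbot_score(verdict: int) -> int:
    """Map a WildFire verdict to a DBotScore: 0 unknown, 1 good, 2 suspicious, 3 bad."""
    if verdict == 0:
        return 1
    if verdict == 2:
        return 2
    if verdict in (1, 4, 5):
        return 3
    return 0  # pending, error, unknown or invalid hash: assert no reputation


class FakeWildFire:
    """Constructed stand-in for the service: a submission stays Pending for
    `pending_polls` report requests, then completes with a fixed verdict."""

    def __init__(self, verdict: int, pending_polls: int = 2):
        self.verdict = verdict
        self.pending_polls = pending_polls
        self.report_requests: Dict[str, int] = {}

    def submit_file(self, data: bytes, file_type: str) -> Dict:
        return {
            "MD5": hashlib.md5(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest(),
            "FileType": file_type,
            "Size": len(data),
            "Status": "Pending",
        }

    def get_report(self, sha256: str) -> Dict:
        n = self.report_requests.get(sha256, 0) + 1
        self.report_requests[sha256] = n
        if n <= self.pending_polls:
            return {"SHA256": sha256, "Status": "Pending"}
        return {"SHA256": sha256, "Status": "Completed", "verdict": self.verdict}


def poll_report(sha256: str, get_report: Callable[[str], Dict], interval_in_seconds: int = 60,
                max_attempts: int = 30, sleep: Callable[[float], None] = time.sleep) -> Dict:
    """Fetch the report every interval_in_seconds until Status leaves Pending.
    The attempt bound keeps a sample that never completes from hanging the playbook."""
    for attempt in range(1, max_attempts + 1):
        report = get_report(sha256)
        if report["Status"] != "Pending":
            report["polls"] = attempt
            return report
        sleep(interval_in_seconds)
    raise TimeoutError(f"{sha256}: still Pending after {max_attempts} polls")


def detonate(data: bytes, file_type: str, client, interval_in_seconds: int = 60,
             max_attempts: int = 30, sleep: Callable[[float], None] = time.sleep) -> Dict:
    """Upload, poll, and return context shaped like WildFire.Report plus a DBotScore entry."""
    upload = client.submit_file(data, file_type)
    report = poll_report(upload["SHA256"], client.get_report, interval_in_seconds, max_attempts, sleep)
    verdict = report.get("verdict", -102)
    return {
        "WildFire.Report": {**upload, "Status": report["Status"],
                            "verdict": WILDFIRE_VERDICTS.get(verdict, "unknown")},
        "DBotScore": {"Indicator": upload["SHA256"], "Type": "file",
                      "Vendor": "WildFire-v2",  # vendor label assumed
                      "Score": verdict_to_dbot_score(verdict)},
    }


if __name__ == "__main__":
    # Constructed sample bytes, not a real malware sample; the fake service marks it malware.
    sample = b'var sh = new ActiveXObject("WScript.Shell");'
    ctx = detonate(sample, "Jscript for WSH", FakeWildFire(verdict=1), sleep=lambda _: None)
    print(ctx["WildFire.Report"]["verdict"], ctx["DBotScore"]["Score"])  # malware 3
```

Two details matter in a playbook: the poll loop is bounded, so a submission WildFire never finishes raises instead of blocking the incident forever, and only a Completed report with a definite verdict produces a non-zero DBotScore, so a Pending or errored submission does not get mistaken for a clean one.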

wildfire-get-sample

Retrieves a sample.

Base Command

wildfire-get-sample

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| md5 | MD5 hash of the sample. | Optional |
| sha256 | SHA256 hash of the sample. | Optional |

Context Output

There is no context output for this command.

Command Example

!wildfire-get-sample sha256=afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc

Human Readable Output

There is no human-readable output for this command.

wildfire-get-url-webartifacts

Gets web artifacts for a URL. An empty tgz is returned regardless of the verdict, and even when the URL is malformed, so an empty archive is not by itself evidence that the page is clean.

Base Command

wildfire-get-url-webartifacts

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| url | URL of the webpage. | Required |
| types | Whether to download screenshots or downloadable files. If not specified, both are downloaded. Possible values are: download_files, screenshot. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| InfoFile.EntryID | string | The EntryID of the webartifacts. |
| InfoFile.Extension | string | Extension of the webartifacts. |
| InfoFile.Name | string | Name of the webartifacts. |
| InfoFile.Info | string | Details of the webartifacts. |
| InfoFile.Size | number | Size of the webartifacts. |
| InfoFile.Type | string | The webartifacts file type. |

Command Example

!wildfire-get-url-webartifacts url=http://royalmail-login.com

Human Readable Output

There is no human-readable output for this command.