Detonate URL - WildFire v2.2

This Playbook is part of the WildFire by Palo Alto Networks Pack.

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

Detonate a webpage or remote file using the WildFire v2 integration. This playbook returns relevant reports to the War Room and file reputations to the context data. The detonation supports the following file types: APK, JAR, DOC, DOCX, RTF, OOXLS, XLSX, PPT, PPTX, XML, PE32, PDF, DMG, PKG, RAR, 7Z, JS.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

  • Palo_Alto_Networks_WildFire_v2
  • WildFire-v2

Scripts

This playbook does not use any scripts.

Commands

  • wildfire-report
  • wildfire-upload-url

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| URL | URL of the webpage or file url to detonate. The URL is taken from the context. | URL.Data | Optional |
| Interval | Duration for executing the polling (in seconds). | 60 | Optional |
| Timeout | The duration after which to stop polling and to resume the playbook (in seconds). | 600 | Optional |
| ReportFileType | The resource type to download. Values: PDF (default), XML. | | Optional |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| DBotScore | The DBotScore object. | unknown |
| DBotScore.Score | The actual score. | number |
| File.Size | File size. | number |
| File.MD5 | MD5 hash. | string |
| File.SHA1 | SHA1 hash. | string |
| File.Type | File type e.g. "PE". | string |
| File.SHA256 | SHA256 hash. | string |
| File.EntryID | The Entry ID of the sample. | string |
| File.Malicious.Vendor | For malicious files, the vendor that determined that the file is malicious. | string |
| File.Name | Filename. | string |
| File.Malicious.Description | For malicious files, the reason the vendor determined that the file is malicious. | string |
| DBotScore.Indicator | The indicator we tested. | string |
| DBotScore.Type | The type of indicator. | string |
| DBotScore.Vendor | Vendor used to calculate the score. | string |
| IP.Address | IPs relevant to the sample. | string |
| File | The File object. | unknown |
| InfoFile | The report file object. | unknown |
| InfoFile.EntryID | The EntryID of the report file. | string |
| InfoFile.Extension | The extension of the report file. | string |
| InfoFile.Name | The name of the report file. | string |
| InfoFile.Info | The info of the report file. | string |
| InfoFile.Size | The size of the report file. | number |
| InfoFile.Type | The type of the report file. | string |
| File.Malicious | The malicious object. | unknown |
| WildFire.Report | The submission object. | unknown |
| WildFire.Report.MD5 | MD5 of the submission. | string |
| WildFire.Report.SHA256 | SHA256 of the submission. | string |
| WildFire.Report.FileType | The type of the submission. | string |
| WildFire.Report.Status | The status of the submission. | string |
| WildFire.Report.Size | The size of the submission. | number |
| WildFire.Report.URL | URL of the submission. | string |
| WildFire.Report.detection_reasons | The detection reasons object. | unknown |
| WildFire.Report.detection_reasons.description | Reason for the detection verdict. | string |
| WildFire.Report.detection_reasons.name | Name of the detection. | string |
| WildFire.Report.detection_reasons.type | Type of the detection. | string |
| WildFire.Report.detection_reasons.verdict | Verdict of the detection. | string |
| WildFire.Report.detection_reasons.artifacts | Artifacts for the detection reasons. | string |
| WildFire.Report.iocs | Associated IOCs. | string |
| WildFire.Report.ExtractedURL.URL | The extracted URL. | string |
| WildFire.Report.ExtractedURL.Verdict | The extracted verdict. | number |
