
WildFire - Detonate file v2

This playbook is part of the WildFire by Palo Alto Networks Pack.

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

Detonate one or more files using the WildFire v2 integration. This playbook returns the relevant reports to the War Room and the file reputations to the context data. Detonation supports the following file types: APK, JAR, DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX, OOXML, PE32, PE, PDF, DMG, PKG, RAR, 7Z, JS, ELF, HTA, LNK, VBS, PS1, PERL, PYTHON, SHELL.

Note: Base64 encoded files are currently not supported.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

  • Palo_Alto_Networks_WildFire_v2

Scripts

  • SetAndHandleEmpty

Commands

  • wildfire-report
  • wildfire-upload

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| File | File object of the file to detonate. The file is taken from the context. | File | Optional |
| Interval | The duration for executing the polling (in minutes). | 1 | Optional |
| Timeout | The duration after which to stop polling and resume the playbook (in minutes). | 8 | Optional |
| ReportFileType | The resource type to download. | | Optional |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| DBotScore.Score | The actual score. | string |
| DBotScore.Type | The type of the indicator. | string |
| File.Type | The file type, e.g. "PE". | string |
| File.Size | The file size. | number |
| File.MD5 | The MD5 hash of the file. | string |
| File.Name | The filename. | string |
| File.SHA1 | The SHA1 hash of the file. | string |
| File | The file object. | unknown |
| File.SHA256 | The SHA256 hash of the file. | string |
| File.Malicious | The malicious object. | unknown |
| File.Malicious.Vendor | The vendor that made the decision that the file is malicious. | string |
| DBotScore | The DBot object. | unknown |
| DBotScore.Indicator | The indicator that was tested. | string |
| DBotScore.Vendor | The vendor used to calculate the score. | string |
| WildFire.Report | The submission object. | unknown |
| WildFire.Report.Status | The status of the submission. | string |
| WildFire.Report.SHA256 | The SHA256 hash of the submission. | string |
| InfoFile | The report file object. | unknown |
| InfoFile.EntryID | The EntryID of the report file. | string |
| InfoFile.Extension | The extension of the report file. | string |
| InfoFile.Name | The name of the report file. | string |
| InfoFile.Info | The info of the report file. | string |
| InfoFile.Size | The size of the report file. | number |
| InfoFile.Type | The type of the report file. | string |
| WildFire.Report.MD5 | The MD5 hash of the submission. | string |
| WildFire.Report.FileType | The type of the submission. | string |
| WildFire.Report.Size | The size of the submission. | number |
| WildFire.Report.detection_reasons.description | Reason for the detection verdict. | string |
