Get WildFire Data Enrichment workflow

When the Security Operations Palo Alto Networks - Get WildFire Data Enrichment workflow is executed, a hash file is uploaded to WildFire. The data is enriched, and reports are downloaded to the instance to aid in processing potential malware attacks.

Before you begin

Role required: sn_si.analyst

About this task

The Security Operations Palo Alto Networks - Get WildFire Data Enrichment workflow is executed when a security incident is created from an alert received from the Palo Alto Network Firewall application. A malware hash from the email notification received from Firewall is entered on the IoC tab of the security incident, and the record is updated.
Figure 1. Security Operations Palo Alto Networks - Get WildFire Data Enrichment workflow (workflow diagram)

Procedure

  1. Navigate to Security Incident > Show Open Incidents.
  2. Based on the email notification received from Firewall, locate and open the security incident that was created.
  3. Click the Indicators of Compromise tab and populate the Malware hash with the hash you received in the alert.
  4. Click Update.
    The workflow causes the hash file to be uploaded to WildFire where the data is enriched. Reports in the PDF and XML formats are attached to the record (security incident or IoC) in your instance to aid in processing potential malware attacks.
    Note: If the enriched data includes packet capture information, PCAP information is also downloaded. PCAP data captures what actions the file was performing. For example, it can report on what servers the file was contacting. To view PCAP files, you need a packet analyzer, such as Wireshark.
    Figure 2. Sample PDF report generated by WildFire (report image)
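As an added example (not ServiceNow's or Palo Alto Networks' own workflow code), the enrichment step that runs after step 4, written against the documented WildFire public REST API: validate the hash entered on the IoC tab, query the verdict, then fetch the XML and PDF reports, and the PCAP only when the sandbox produced one. The `transport` hook and `apikey` are assumptions so the logic can run offline; the responses used in testing are constructed.

```python
import re
from typing import Callable, Dict

# WildFire public API base URL and documented verdict codes.
WILDFIRE_API = "https://wildfire.paloaltonetworks.com/publicapi"
VERDICTS = {0: "benign", 1: "malware", 2: "grayware", 4: "phishing",
            -100: "pending", -101: "error", -102: "unknown", -103: "invalid hash"}
# WildFire looks up samples by MD5 or SHA-256.
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{64})$", re.IGNORECASE)


def validate_hash(value: str) -> str:
    """Normalise the Malware hash IoC; reject anything WildFire cannot look up."""
    h = value.strip().lower()
    if not HASH_RE.match(h):
        raise ValueError(f"not an MD5/SHA-256 hash: {value!r}")
    return h


def enrich_hash(ioc_hash: str, apikey: str,
                transport: Callable[[str, Dict[str, str]], bytes]) -> dict:
    """Verdict first, then reports; PCAP only when the sample has one.

    transport(url, form_fields) performs the HTTPS POST and returns the body;
    it is an assumed hook (raising LookupError on HTTP 404) so the enrichment
    logic can be exercised without network access."""
    h = validate_hash(ioc_hash)
    verdict_xml = transport(f"{WILDFIRE_API}/get/verdict",
                            {"apikey": apikey, "hash": h}).decode()
    m = re.search(r"<verdict>(-?\d+)</verdict>", verdict_xml)
    code = int(m.group(1)) if m else -101
    result = {"hash": h, "verdict": VERDICTS.get(code, "unknown"), "attachments": {}}
    if code < 0:            # pending/unknown/error: nothing to attach yet
        return result
    for fmt in ("xml", "pdf"):   # the two report formats attached to the record
        result["attachments"][f"wildfire_report.{fmt}"] = transport(
            f"{WILDFIRE_API}/get/report", {"apikey": apikey, "hash": h, "format": fmt})
    try:                     # PCAP exists only if the sample ran in the sandbox
        result["attachments"]["wildfire.pcap"] = transport(
            f"{WILDFIRE_API}/get/pcap", {"apikey": apikey, "hash": h})
    except LookupError:      # 404: no packet capture for this sample
        pass
    return result
```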