Palo Alto WildFire
App Vendor: Palo Alto Networks
Connector Category: Data Enrichment & Threat Intelligence | Network Security | Forensics & Malware Analysis
App Version in Orchestrate: 1.0.0
API Version: 1.0.0
About App
The Palo Alto WildFire app enables security teams to detect, analyze, and block unknown samples such as files, URLs, and links. Based on the properties and behaviour the unknown sample displays during analysis, WildFire determines whether the sample is benign, grayware, phishing, or malicious.
The WildFire app is used to connect with the Palo Alto WildFire enterprise application to submit files, URLs, and links for analysis and receive verdicts from WildFire.
The Palo Alto WildFire app is configured with the Orchestrate application to perform the following actions:
Action | Description |
---|---|
Get Hash Verdict | This action retrieves the verdict for a hash from Palo Alto. |
Get URL Verdict | This action retrieves the verdict for a URL from Palo Alto. |
Get Web Artifacts | This action retrieves the web artifacts found during the analysis of the specified web page URL from Palo Alto. |
Get Report | This action retrieves a report from Palo Alto. |
Get PCAP | This action retrieves a packet capture (PCAP) file from Palo Alto. |
Get Sample | This action retrieves a file from Palo Alto based on the MD5 or SHA-256 hash value. |
Submit URL | This action submits a website link to Palo Alto for analysis. |
Submit Remote File | This action submits a remote file to Palo Alto for analysis. |
Submit File | This action submits a local file to Palo Alto for analysis. |
Get Verdict | This action retrieves a verdict from Palo Alto. |
Configuration Parameters
The following configuration parameters are required for the WildFire app to communicate with the Palo Alto WildFire enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
API Key | Enter the API key to authenticate with Palo Alto WildFire. Example: XXXX972a2167c93df3372de34c2fb18bae5d319a | Password | Required | |
Action: Get Hash Verdict
This action retrieves the verdict for a hash from Palo Alto.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Hash | Enter the hash to get the verdict from Palo Alto. Example: "dca86121cc7427e375fd24fe5871d727" | Text | Required | |
Example Request
[ { "hash": "dca86121cc7427e375fd24fe5871d727" } ]
Action: Get URL Verdict
This action retrieves the verdict for a URL from Palo Alto.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
URL | Enter the URL of the web page to get the verdict from Palo Alto. Example: "www.sampledomain.com/samples" | Text | Required | |
Example Request
[ { "url": "www.sampledomain.com/samples" } ]
Action: Get Web Artifacts
This action retrieves the web artifacts found during the analysis of the specified web page URL from Palo Alto.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Download Type | Enter the web artifact download type. Example: "screenshots" | Text | Required | Allowed values: |
File Name | Enter the filename to save the response to. Example: "https://wildfire.testdomain.com/get/sample.pdf" | Text | Required | |
URL | Enter the URL of the web page to get the corresponding artifacts. Example: "www.sampledomain.com/samples" | Text | Required | |
Example Request
[ { "download_type": "screenshots", "file_name": "https://wildfire.testdomain.com/get/sample.pdf", "url": "www.sampledomain.com/samples" } ]
Action: Get Report
This action retrieves a report from Palo Alto using the hash value of the sample.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File Hash | Enter the file hash [MD5/ SHA-256] to retrieve the report. Example: "b0cfc14687e42e2236db247f5c7d861a" | Text | Required | |
File Name | Enter the filename to save the response to. Example: "https://wildfire.testdomain.com/get/sample" | Text | Required | |
Download Format | Enter the format to download the report. Example: "pdf" | Text | Optional | Allowed values: Default value: |
Example Request
[ { "file_hash": "b0cfc14687e42e2236db247f5c7d861a", "file_name": "https://wildfire.testdomain.com/get/sample", "download_format": "pdf" } ]
Action: Get PCAP
This action retrieves a packet capture (PCAP) recorded during the analysis of a particular sample from Palo Alto. Use the hash value (MD5 or SHA-256) of the sample file and also specify the platform of the desired PCAP to indicate which PCAP must be returned.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File Hash | Enter the file hash [MD5/ SHA-256] to retrieve the packet capture information. Example: "b0cfc14687e42e2236db247f5c7d861a" | Text | Required | |
File Name | Enter the filename to save the response to. Example: "https://wildfire.testdomain.com/get/sample.pdf" | Text | Required | |
Platform ID | Enter the numeric platform ID to receive the PCAP from. Example: 1 (Windows XP, Adobe Reader 9.3.3, Office 2003) | Integer | Required | Accepted values: [1: Windows XP, Adobe Reader 9.3.3, Office 2003; 2: Windows XP, Adobe Reader 9.4.0, Flash 10, Office 2007; 3: Windows XP, Adobe Reader 11, Flash 11, Office 2010; 4: Windows 7 32-bit, Adobe Reader 11, Flash 11, Office 2010; 5: Windows 7 64-bit, Adobe Reader 11, Flash 11, Office 2010; 100: PDF Static Analyzer; 101: DOC/CDF Static Analyzer; 102: Java/Jar Static Analyzer; 103: Office 2007 Open XML Static Analyzer; 104: Adobe Flash Static Analyzer; 204: PE Static Analyzer; 800: Archives (RAR and 7-Zip files)] |
Example Request
[ { "file_hash": "b0cfc14687e42e2236db247f5c7d861a", "file_name": "https://wildfire.testdomain.com/get/sample.pdf", "platform_id": 1 } ]
Action: Get Sample
This action retrieves and downloads the sample files from Palo Alto based on the MD5 or SHA-256 hash value.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File Hash | Enter the file hash [MD5/ SHA-256] to retrieve the sample. Example: "b0cfc14687e42e2236db247f5c7d861a" | Text | Required | |
File Name | Enter the filename to save the response to. Example: "https://wildfire.testdomain.com/get/sample.pdf" | Text | Required | |
Example Request
[ { "file_hash": "b0cfc14687e42e2236db247f5c7d861a", "file_name": "https://wildfire.testdomain.com/get/sample.pdf" } ]
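The hash-based actions above (Get Report, Get PCAP, Get Sample) and Get Verdict later on all take an MD5 or SHA-256 digest, and Get PCAP additionally needs one of the numeric platform IDs from its table. The following helper, an added example that is not part of the Orchestrate app or of Palo Alto's code, validates those inputs before a playbook builds the action request, so that a truncated digest or an ambiguous platform name is rejected locally instead of producing an error from WildFire.

```python
import re

# Platform IDs accepted by the Get PCAP action, copied from the parameter table above.
PCAP_PLATFORMS = {
    1: "Windows XP, Adobe Reader 9.3.3, Office 2003",
    2: "Windows XP, Adobe Reader 9.4.0, Flash 10, Office 2007",
    3: "Windows XP, Adobe Reader 11, Flash 11, Office 2010",
    4: "Windows 7 32-bit, Adobe Reader 11, Flash 11, Office 2010",
    5: "Windows 7 64-bit, Adobe Reader 11, Flash 11, Office 2010",
    100: "PDF Static Analyzer",
    101: "DOC/CDF Static Analyzer",
    102: "Java/Jar Static Analyzer",
    103: "Office 2007 Open XML Static Analyzer",
    104: "Adobe Flash Static Analyzer",
    204: "PE Static Analyzer",
    800: "Archives (RAR and 7-Zip files)",
}

# Hex digest length -> hash type name used by the Get Verdict action's file_type field.
HASH_TYPES = {32: "MD5", 64: "SHA-256"}


def hash_type(value: str):
    """Return "MD5" or "SHA-256" for a well-formed hex digest, else None."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return HASH_TYPES.get(len(v))


def platform_id_for(platform):
    """Resolve an int ID or a unique platform-name prefix to a valid ID; None if unknown/ambiguous."""
    if isinstance(platform, int):
        return platform if platform in PCAP_PLATFORMS else None
    matches = [pid for pid, name in PCAP_PLATFORMS.items() if name.startswith(platform)]
    return matches[0] if len(matches) == 1 else None  # "Windows XP" alone matches 1, 2 and 3


def get_pcap_request(file_hash: str, platform, file_name: str) -> list:
    """Build the Get PCAP request list, refusing malformed hashes and unresolved platforms."""
    if hash_type(file_hash) is None:
        raise ValueError(f"file_hash is not an MD5/SHA-256 hex digest: {file_hash!r}")
    pid = platform_id_for(platform)
    if pid is None:
        raise ValueError(f"platform {platform!r} is not a unique, valid platform ID")
    return [{"file_hash": file_hash.strip().lower(), "file_name": file_name, "platform_id": pid}]


def get_verdict_request(file_value: str) -> list:
    """Build the Get Verdict request list, deriving file_type from the digest length."""
    kind = hash_type(file_value)
    if kind is None:
        raise ValueError(f"file_value is not an MD5/SHA-256 hex digest: {file_value!r}")
    return [{"file_type": kind, "file_value": file_value.strip().lower()}]
```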
Action: Submit URL
This action submits a website link to Palo Alto for analysis.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
URL | Enter the website link to submit for analysis. Example: "www.sampledomain.com/samples" | Text | Required | |
Example Request
[ { "url": "www.sampledomain.com/samples" } ]
Action: Submit Remote File
This action submits a remote file to Palo Alto for analysis.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
URL | Enter the remote file URL to submit for analysis. Example: "http://www.samplefile.com/samples/pdf.pdf" | Text | Required | |
Example Request
[ { "url": "http://www.samplefile.com/samples/pdf.pdf" } ]
Action: Submit File
This action submits a local file to Palo Alto for analysis.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File Name | Enter the filename to submit for analysis. Example: "sample.pdf" | Text | Required | |
File Path | Enter the local file path to submit. Example: "c:\sample.pdf" | Text | Required | |
Example Request
[ { "file_name": "sample.pdf", "file_path": "c:\sample.pdf" } ]
Action: Get Verdict
This action retrieves a verdict from Palo Alto for a sample based on the MD5 or SHA-256 hash or a web page based on the URL. The verdict indicates if the sample is benign, malware, phishing or grayware.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File Type | Enter the hash type (MD5 or SHA-256) of the file to get the verdict of. Example: "MD5" | Text | Required | |
File Value | Enter the hash value of the file to get the verdict of. Example: "c8d9094c495e4af57c932ac413b65ef132063acc" | Text | Required | |
Example Request
[ { "file_type": "MD5", "file_value": "c8d9094c495e4af57c932ac413b65ef132063acc" } ]