Palo Alto Wildfire Malware Triage File

This Playbook template lets users detonate a file in Palo Alto Wildfire from ThreatConnect.

If the file is detected as malicious by Palo Alto Wildfire, an incident will be created in ThreatConnect and any relevant indicators will be saved and associated with the Incident. Additionally, the Playbook will download the PDF version of the Wildfire report and associate it with the Incident as a Document.

App Dependencies

  • Active Palo Alto Wildfire API Subscription

Use Cases

  • Manually submit a binary file stored in the ThreatConnect malware vault for analysis by Palo Alto Wildfire, using a User Action trigger.
  • Swap the User Action trigger with others to create an automated analysis workflow.

Documentation

Triggers

  • UserAction

Organization Variables

This playbook expects the following organization variables:

  • keychain: Wildfire API Key

Variables Declared in the Playbook

The following variables are declared in this playbook:

  • verdict.malicious: Wildfire Verdict = Malicious
  • verdict.benign: Wildfire Verdict = Benign
  • report.filename: #App:13394:wildfire.file.md5!String.pdf
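
As an added example that is not part of this playbook template, the Python below models the verdict branch offline: the same malicious/benign split as verdict.malicious and verdict.benign, the indicators saved for the Incident, and the report filename derived from the file's MD5 as report.filename does. The get/verdict response shape and the Wildfire verdict codes it uses are assumptions, and the hashes are constructed placeholders.

```python
# Added example, not part of the playbook template: an offline model of the
# verdict branch this playbook implements. The XML shape (Wildfire public API
# get/verdict response) and the verdict codes (0 benign, 1 malware,
# 2 grayware, 4 phishing, negative values pending/error) are assumptions.
import xml.etree.ElementTree as ET

VERDICT_CODES = {0: "benign", 1: "malware", 2: "grayware", 4: "phishing"}

# Constructed placeholders, not real file hashes.
PLACEHOLDER_MD5 = "b" * 32
PLACEHOLDER_SHA256 = "a" * 64
SAMPLE_VERDICT_XML = f"""<wildfire><get-verdict-info>
  <sha256>{PLACEHOLDER_SHA256}</sha256>
  <verdict>1</verdict>
  <md5>{PLACEHOLDER_MD5}</md5>
</get-verdict-info></wildfire>"""

def parse_verdict(xml_text):
    """Return (label, md5, sha256) from a get/verdict style response."""
    info = ET.fromstring(xml_text).find("get-verdict-info")
    if info is None:
        raise ValueError("response has no get-verdict-info element")
    code = int(info.findtext("verdict"))
    if code < 0:  # -100 pending, -101 error, -102 unknown, -103 invalid hash
        label = "pending" if code == -100 else "error"
    else:
        label = VERDICT_CODES.get(code, "unknown")
    return label, info.findtext("md5"), info.findtext("sha256")

def triage(xml_text):
    """Decide the playbook's next step for one verdict response.

    Mirrors verdict.malicious / verdict.benign and report.filename
    (<md5>.pdf). Routing grayware and phishing to analyst review instead
    of treating them as malicious is this example's own choice.
    """
    label, md5, sha256 = parse_verdict(xml_text)
    if label in ("pending", "error", "unknown"):
        return {"status": label, "create_incident": False}  # not final: retry or alert
    if label == "benign":
        return {"status": label, "create_incident": False}
    malicious = label == "malware"
    return {
        "status": label,
        "create_incident": malicious,
        "needs_review": not malicious,
        "indicators": [("File", md5), ("File", sha256)],  # associated with the Incident
        "report_filename": f"{md5}.pdf",  # PDF report stored as a Document
    }
```

A pending verdict (-100) is deliberately not treated as benign, so a playbook built on this logic waits or alerts instead of silently closing the case.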