Review WildFire Analysis Details

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2023-10-31
Last date published: 2024-03-18
Category: Administrator Guide
Abstract

For each file, Cortex XDR receives a file verdict and the WildFire Analysis Report detailing additional information you can use to assess the nature of a file.

For each file, Cortex XDR receives a file verdict and the WildFire Analysis Report. This report contains detailed sample information and behavior analysis in different sandbox environments, leading to the WildFire verdict. You can use the report to assess whether the file poses a real threat on an endpoint. The details in the WildFire analysis report for each event vary depending on the file type and the behavior of the file.

  1. Drill down into the WildFire Analysis Details.

    WildFire analysis details are available for files that receive a WildFire verdict. The Analysis Reports section includes the WildFire analysis for each testing environment based on the observed behavior for the file.

    1. Open the WildFire report.

      If you are analyzing an incident, right-click the incident and select View Incident. From the Key Artifacts involved in the incident, select the file for which you want to view the WildFire report and click the WildFire report icon. Alternatively, if you are analyzing an alert, right-click the alert and select Analyze. You can open the WildFire report of any file included in the alert Causality Chain by clicking its WildFire report icon.

      Note

      Cortex XDR displays a preview only for WildFire reports that were generated within the last two years. To view a report that was generated more than two years ago, download the WildFire report instead.

    2. Analyze the WildFire report.

      On the left side of the report, you can see all the environments in which the WildFire service tested the sample. If a file is low risk and WildFire can easily determine that it is safe, only static analysis is performed on the file. Select a testing environment on the left, for example, Windows 7 x64 SP1, to review the summary and additional details for that testing environment. To learn more about the behavior summary, see WildFire Analysis Reports—Close Up.

    3. (Optional) Download the WildFire report.

      If you want to download the WildFire report as it was generated by the WildFire service, click the download icon. The report is downloaded in PDF format.

  2. Report an incorrect verdict to Palo Alto Networks.

    If you know the WildFire verdict is incorrect, for example, WildFire assigned a Malware verdict to a file you wrote and know to be Benign, you can report an incorrect verdict to Palo Alto Networks to request the verdict change.

    1. Review the report information and verify the verdict that you are reporting.

    2. Click the report-incorrect-verdict icon to report the verdict to Palo Alto Networks.

    3. Suggest a different Verdict for the hash.

    4. Enter any details that may help us to better understand why you disagree with the verdict.

    5. Enter an email address to receive an email notification after Palo Alto Networks completes the additional analysis.

    6. After you enter all the details, click OK.

      From this point on, the threat team performs further analysis of the sample to determine whether it should be reclassified. If a sample with a Malware verdict is determined to be safe, the signature for the file is disabled in an upcoming antivirus signature update; if a file with a Benign verdict is determined to be malicious, a new signature is generated. After the investigation is complete, you will receive an email describing the action that was taken.