Update WildFire analysis settings

Cortex XSIAM Platform APIs
post /public_api/v1/configurations/agent/wildfire_analysis/set

Updates the WildFire analysis configuration for the tenant. When enabled, Cortex applies additional verification to files that received a Benign Low Confidence verdict from WildFire, enforcing the active Malware Security profile settings (local analysis, Allow, or Block).

Note: Disabling this setting takes immediate effect on new file hashes, fresh agent installations, and existing security policies. However, it may take up to one week to take effect on existing agents due to agent-side caching.

Authentication: api-key-header-x-xdr-auth-id Api Key "x-xdr-auth-id"
Authentication: api-key-header-authorization Api Key "Authorization"
CLIENT REQUEST
curl -X 'POST'
-H "x-xdr-auth-id: [[apiKey]]" \
-H "Authorization: [[apiKey]]" \
-H 'Accept: application/json'
-H 'Content-Type: application/json'
'https://api-yourfqdn/public_api/v1/configurations/agent/wildfire_analysis/set'
-d '{ "request_data" : { "enable_wildfire_analysis_scoring_for_benign_verdicts" : false } }'
import http.client conn = http.client.HTTPSConnection("api-yourfqdn") payload = "{\"request_data\":{\"enable_wildfire_analysis_scoring_for_benign_verdicts\":false}}" headers = { 'x-xdr-auth-id': "REPLACE_KEY_VALUE", 'content-type': "application/json" } conn.request("POST", "/public_api/v1/configurations/agent/wildfire_analysis/set", payload, headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8"))
require 'uri' require 'net/http' require 'openssl' url = URI("https://api-yourfqdn/public_api/v1/configurations/agent/wildfire_analysis/set") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Post.new(url) request["x-xdr-auth-id"] = 'REPLACE_KEY_VALUE' request["content-type"] = 'application/json' request.body = "{\"request_data\":{\"enable_wildfire_analysis_scoring_for_benign_verdicts\":false}}" response = http.request(request) puts response.read_body
const data = JSON.stringify({ "request_data": { "enable_wildfire_analysis_scoring_for_benign_verdicts": false } }); const xhr = new XMLHttpRequest(); xhr.withCredentials = true; xhr.addEventListener("readystatechange", function () { if (this.readyState === this.DONE) { console.log(this.responseText); } }); xhr.open("POST", "https://api-yourfqdn/public_api/v1/configurations/agent/wildfire_analysis/set"); xhr.setRequestHeader("x-xdr-auth-id", "REPLACE_KEY_VALUE"); xhr.setRequestHeader("content-type", "application/json"); xhr.send(data);
HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/v1/configurations/agent/wildfire_analysis/set") .header("x-xdr-auth-id", "REPLACE_KEY_VALUE") .header("content-type", "application/json") .body("{\"request_data\":{\"enable_wildfire_analysis_scoring_for_benign_verdicts\":false}}") .asString();
import Foundation let headers = [ "x-xdr-auth-id": "REPLACE_KEY_VALUE", "content-type": "application/json" ] let parameters = ["request_data": ["enable_wildfire_analysis_scoring_for_benign_verdicts": false]] as [String : Any] let postData = JSONSerialization.data(withJSONObject: parameters, options: []) let request = NSMutableURLRequest(url: NSURL(string: "https://api-yourfqdn/public_api/v1/configurations/agent/wildfire_analysis/set")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "POST" request.allHTTPHeaderFields = headers request.httpBody = postData as Data let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume()
<?php $curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://api-yourfqdn/public_api/v1/configurations/agent/wildfire_analysis/set", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "POST", CURLOPT_POSTFIELDS => "{\"request_data\":{\"enable_wildfire_analysis_scoring_for_benign_verdicts\":false}}", CURLOPT_HTTPHEADER => [ "content-type: application/json", "x-xdr-auth-id: REPLACE_KEY_VALUE" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; }
CURL *hnd = curl_easy_init(); curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST"); curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/configurations/agent/wildfire_analysis/set"); struct curl_slist *headers = NULL; headers = curl_slist_append(headers, "x-xdr-auth-id: REPLACE_KEY_VALUE"); headers = curl_slist_append(headers, "content-type: application/json"); curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers); curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"enable_wildfire_analysis_scoring_for_benign_verdicts\":false}}"); CURLcode ret = curl_easy_perform(hnd);
var client = new RestClient("https://api-yourfqdn/public_api/v1/configurations/agent/wildfire_analysis/set"); var request = new RestRequest(Method.POST); request.AddHeader("x-xdr-auth-id", "REPLACE_KEY_VALUE"); request.AddHeader("content-type", "application/json"); request.AddParameter("application/json", "{\"request_data\":{\"enable_wildfire_analysis_scoring_for_benign_verdicts\":false}}", ParameterType.RequestBody); IRestResponse response = client.Execute(request);
Body parameters
required
application/json

Request payload for updating WildFire analysis configuration.

request_dataobject
enable_wildfire_analysis_scoring_for_benign_verdictsbooleanrequired

Set to true to enable WildFire analysis scoring for files that received a benign verdict.

REQUEST
{ "request_data": { "enable_wildfire_analysis_scoring_for_benign_verdicts": false } }
Responses

Successful response indicating the configuration was updated.

Body
application/json

Standard success response for configuration update operations.

replyboolean

Indicates whether the operation completed successfully.

Example:true
RESPONSE
{ "reply": true }

Bad request. The request was malformed or contained invalid parameters.

Body
application/json

Standard error response returned when a request fails.

replyobject

Error details container.

err_codeinteger

Numeric error code identifying the type of error.

err_msgstring

Human-readable error message describing what went wrong.

err_extrastring

Additional context about the error, if available.

RESPONSE
{ "reply": { "err_code": 400, "err_msg": "Bad request. Got an invalid JSON.", "err_extra": "Additional error context" } }

Unauthorized. Authentication credentials are missing or invalid.

Body
application/json

Standard error response returned when a request fails.

replyobject

Error details container.

err_codeinteger

Numeric error code identifying the type of error.

err_msgstring

Human-readable error message describing what went wrong.

err_extrastring

Additional context about the error, if available.

RESPONSE
{ "reply": { "err_code": 401, "err_msg": "Public API request unauthorized", "err_extra": "Additional error context" } }

Forbidden. The API key does not have the required permissions.

Body
application/json

Standard error response returned when a request fails.

replyobject

Error details container.

err_codeinteger

Numeric error code identifying the type of error.

err_msgstring

Human-readable error message describing what went wrong.

err_extrastring

Additional context about the error, if available.

RESPONSE
{ "reply": { "err_code": 403, "err_msg": "Forbidden. Access was denied to this resource.", "err_extra": "Insufficient permissions for api key" } }

Internal server error.

Body
application/json

Standard error response returned when a request fails.

replyobject

Error details container.

err_codeinteger

Numeric error code identifying the type of error.

err_msgstring

Human-readable error message describing what went wrong.

err_extrastring

Additional context about the error, if available.

RESPONSE
{ "reply": { "err_code": 500, "err_msg": "Internal server error", "err_extra": "Additional error context" } }