Configuring Palo Alto Networks WildFire and Tanium Threat Response
Palo Alto Networks Wildfire sources are not supported with Tanium as a Service.
Quickly find malware on endpoints with the integration between Palo Alto Networks WildFire (WildFire) and Threat Response.
You can use Palo Alto Networks firewall security policies to capture suspicious files and forward them to the WildFire system for threat analysis. If the file is malware, the status is reported back to the firewall.
After the WildFire analysis is completed, you can send the data to Connect and Threat Response to find evidence of the malware on all endpoints.
How Tanium integrates with WildFire
Connect communicates with the firewall and WildFire to get a Malware report, then sends to Threat Response.
- Connect queries the firewall for new malware alerts on a configured interval.
- When Connect has a list of malware alerts, it checks with WildFire for associated WildFire reports.
- The WildFire reports that are associated with the list of malware alerts are sent to Connect.
- Connect converts the WildFire report into a Structured Threat Information Expression (STIX™) indicator of compromise (IOC).
- The STIX IOC is imported into Threat Response.
- Threat Response searches the environment for evidence of the malware on the endpoints.
Palo Alto Networks requirements
- A subscription to Cloud WildFire (wildfire.paloaltonetworks.com) or a configured WF-500 WildFire appliance.
- Palo Alto Networks Firewall with or without Panorama.
- A user account on the firewall or Panorama that has API access privileges. This account can be read-only, but API access privilege is required. For more information, see Palo Alto Networks: Manage Firewall Administrators.
- Tanium™ Core Platform 7.0 or later.
- Threat Response 1.0 or later.
- Connect 3.2.0 or later.
- On the Tanium Module Server, port 443 must allow outbound TCP. See Host and network security requirements.
- Click the Monitor tab and go to Logs > WildFire Submissions.
- Check for Malicious entries in the Verdict column.
- Check the values in the Receive Time column. Tanium only downloads reports that are less than 24 hours old.
If you do not see any data on this screen, check your Palo Alto Networks configuration.
- On the Connect Overview page, scroll to the Connections section and click Create Connection.
- Enter a name and description for your connection.
- (Optional) Set the log level.
By default, the logging is set to Information. Set the log level to Trace or Debug if you are debugging the connection. To reduce the amount of logging, you can set the log level to Warning, Error or Fatal.
When Tanium finds a new malware alert in the firewall, it retrieves the associated malware report from WildFire as defined in the connection source settings.
- Define credentials for the Palo Alto Network Panorama or individual firewall.
Tanium queries for new malware alerts on a periodic basis. The user needs to have at least read-only (device_admin_readonly) access to the logs API.
- Specify settings for WildFire.
When Tanium gets a new malware alert from the firewall, it retrieves the associated malware report from WildFire. This section specifies the details for Tanium to access WildFire.
- (Optional) Define advanced settings.
Table 1: WildFire Source Settings Setting Description Filter Restricts which WildFire reports Tanium collects. For more information, see (Optional) Filter WildFire reports. Evidence Value A decimal value between 0 and 1 that specifies how strict the IOC indicators generated are to the malicious event. The default 0.4 value is recommended. If you want a more detailed IOC that might generate false positives, try 0.1, 0.2 or 0.3. Optional parameters Contact Tanium Support for optional parameters. Collect New Reports every time (Ignore Cache File) Specifies if the Tanium collects all WildFire reports every time it connects. The default is disabled (unselected). If unselected, WildFire reports that have already been downloaded are ignored. If selected, existing WildFire reports are re-downloaded, which can be useful in troubleshooting. Use Tanium Module Server Proxy Setting
Select if you have a proxy defined for the Tanium™ Module Server. For more information, see Tanium Platform Installation Guide: Proxy server settings.
Use a filter to restrict which WildFire reports Tanium collects. For most use cases, no filter is required. The syntax of this filter is defined by the filter syntax of the Palo Alto Network filter interface.
The filter maps to the Palo Alto Networks data filtering format. You can use this field to expand the filter beyond the last 24 hours. The filter syntax uses epoch time for date and time. To figure out what epoch time to specify, see Epoch converter. For example, the following filter looks at all malicious WildFire reports found after Sun, 4 Oct 2015 14:45:11 GMT.
( category eq malicious ) and (receive_time geq 1443969911)
- (Optional) You can create a filter with the correct syntax in the Palo Alto Networks console. Click the Monitor tab and go to Logs > WildFire Submissions.
- Go to the Tanium Connect page where you are creating the connection and paste the filter in the Filter field of the Connection source section.
Connections can run at a highly configurable time interval, such as multiple times per hour, day, week, or month.
If you do not enable the schedule, the connection only runs when you manually run it.
Use the Schedule section to update the schedule:
- Select Enable schedule.
- In the Schedule Type, select Basic to build a schedule with the provided controls.
- To view or edit the Cron expression directly, select Advanced - Define as a Cron Expression, and use the Advanced field to edit the Cron expression.
A quick reference to Cron syntax follows. You can use Crontab to build a Cron expression.
┌──────────── minute │ ┌────────── hour │ │ ┌──────── day of month │ │ │ ┌────── month │ │ │ │ ┌──── day of week │ │ │ │ │ │ │ │ │ │ * * * * *
Each asterisk is a field that must be included in the Cron expression. The field value can either be an asterisk (any value) or one of the following values:
|day of month||1-31|
|day of week (Sunday is 0 and 7)||0-7|
- After you enter the details for the connection, click Save.
To save the connection and immediately run the connection, click Run and Save.
If needed, resolve any errors or missing information. After the connection creates successfully, the connection details display.
- To view details when the connection runs, click the Logs tab.
- To view an individual run log, expand the row table.
The following messages indicate that the connection test completed successfully:
30 Today at 04:00:43 PM | INFO | 3272 | WriteToDetect: inserting ioc
32 Today at 04:00:43 PM | INFO | 3272 | StreamRunner: Connection run complete. Duration: 3, Data Transferred: 5.51 KB
From the Threat Response menu, go to Intel > Sources.
You can see the intel that was imported from WildFire. You can add the Wildfire intel to Threat Response group configurations for continuous endpoint scanning.
The intel document that is created by this connection is a combination of the name of the firewall where the alert was discovered and the first 8 characters of the SHA-256 hash that uniquely identifies the WildFire report.
Last updated: 2/23/2021 4:41 PM | Feedback