Configuring Palo Alto Networks WildFire and Tanium Threat Response

Palo Alto Networks Wildfire sources are not supported with Tanium Cloud.

Quickly find malware on endpoints with the integration between Palo Alto Networks WildFire (WildFire) and Threat Response.


You can use Palo Alto Networks firewall security policies to capture suspicious files and forward them to the WildFire system for threat analysis. If the file is malware, the status is reported back to the firewall.

After the WildFire analysis is completed, you can send the data to Connect and Threat Response to find evidence of the malware on all endpoints.

How Tanium integrates with WildFire

Connect communicates with the firewall and WildFire to get a Malware report, then sends to Threat Response.

Tanium and WildFire
  1. Connect queries the firewall for new malware alerts on a configured interval.
  2. When Connect has a list of malware alerts, it checks with WildFire for associated WildFire reports.
  3. The WildFire reports that are associated with the list of malware alerts are sent to Connect.
  4. Connect converts the WildFire report into a Structured Threat Information Expression (STIX™) indicator of compromise (IOC).
  5. The STIX IOC is imported into Threat Response.
  6. Threat Response searches the environment for evidence of the malware on the endpoints.


Palo Alto Networks requirements

  • A subscription to Cloud WildFire ( or a configured WF-500 WildFire appliance.
  • Palo Alto Networks Firewall with or without Panorama.
  • A user account on the firewall or Panorama that has API access privileges. This account can be read-only, but API access privilege is required. For more information, see Palo Alto Networks: Manage Firewall Administrators.

Tanium requirements

  • Tanium™ Core Platform 7.0 or later.
  • Threat Response 1.0 or later.
  • Connect 3.2.0 or later.
  • On the Tanium Module Server, port 443 must allow outbound TCP. See Host and network security requirements.

Check for WildFire submissions in Palo Alto Networks console

To verify that you are getting reports for malicious files in Palo Alto Networks that can be imported into Tanium:

  1. Click the Monitor tab and go to Logs > WildFire Submissions.
  2. Check for Malicious entries in the Verdict column.
  3. Check the values in the Receive Time column. Tanium only downloads reports that are less than 24 hours old.

If you do not see any data on this screen, check your Palo Alto Networks configuration.

Specify general connection information

  1. On the Connect Overview page, scroll to the Connections section and click Create Connection.
  2. Enter a name and description for your connection.
  3. (Optional) Set the log level.
    By default, the logging is set to Information. Set the log level to Trace or Debug if you are debugging the connection. To reduce the amount of logging, you can set the log level to Warning, Error or Fatal.

Configure WildFire as the connection source

When Tanium finds a new malware alert in the firewall, it retrieves the associated malware report from WildFire as defined in the connection source settings.

  1. Define credentials for the Palo Alto Networks Panorama or individual firewall.
    Tanium queries for new malware alerts on a periodic basis. The user needs to have at least read-only (device_admin_readonly) access to the logs API.
  2. Specify settings for WildFire.
    When Tanium gets a new malware alert from the firewall, it retrieves the associated malware report from WildFire. This section specifies the details for Tanium to access WildFire.
  3. (Optional) Define advanced settings.
    FilterRestricts which WildFire reports Tanium collects. For more information, see (Optional) Filter WildFire reports.
    Evidence ValueA decimal value between 0 and 1 that specifies how strict the IOC indicators generated are to the malicious event. The default 0.4 value is recommended. If you want a more detailed IOC that might generate false positives, try 0.1, 0.2 or 0.3.
    Optional parametersContact Tanium Support for optional parameters.
    Collect New Reports every time (Ignore Cache File)Specifies if the Tanium collects all WildFire reports every time it connects. The default is disabled (unselected). If unselected, WildFire reports that have already been downloaded are ignored. If selected, existing WildFire reports are re-downloaded, which can be useful in troubleshooting.
    Use Tanium Module Server Proxy Setting

    Select if you have a proxy defined for the Tanium™ Module Server. For more information, see Tanium Console User Guide: Configuring proxy server settings.

(Optional) Filter WildFire reports

Use a filter to restrict which WildFire reports Tanium collects. For most use cases, no filter is required. The syntax of this filter is defined by the filter syntax of the Palo Alto Networks filter interface.

The filter maps to the Palo Alto Networks data filtering format. You can use this field to expand the filter beyond the last 24 hours. The filter syntax uses epoch time for date and time. To figure out what epoch time to specify, see Epoch converter. For example, the following filter looks at all malicious WildFire reports found after Sun, 4 Oct 2015 14:45:11 GMT.

( category eq malicious ) and (receive_time geq 1443969911)

  1. (Optional) You can create a filter with the correct syntax in the Palo Alto Networks console. Click the Monitor tab and go to Logs > WildFire Submissions.
    1. Click the Add button next to the filter bar.
    2. Use the add log filter window to create a filter.
      When you return to the main Monitor page, you can copy the filter expression that is displayed.
  2. Go to the Tanium Connect page where you are creating the connection and paste the filter in the Filter field of the Connection source section.

Configure Tanium Threat Response as the connection destination

Select Detect Intel Provider as the data destination.

Schedule the connection

Connections can run at a highly configurable time interval, such as multiple times per hour, day, week, or month.

If you do not enable the schedule, the connection only runs when you manually run it.

Use the Schedule section to update the schedule:

  • Select Enable schedule.
  • In the Schedule Type, select Basic to build a schedule with the provided controls.
  • To view or edit the Cron expression directly, select Advanced - Define as a Cron Expression, and use the Advanced field to edit the Cron expression.

If a user that owns a scheduled connection is deleted, future scheduled instances of that connection do not run. For more information, see Problem: Scheduled connection owned by a deleted user no longer runs.

For more information about Cron syntax, see Reference: Cron syntax.

Save and verify connection

  1. After you enter the details for the connection, click Save.

    To save the connection and immediately run the connection, click Run and Save.

    If needed, resolve any errors or missing information. After the connection creates successfully, the connection details display.

  2. To view details when the connection runs, click the Logs tab.
  3. To view an individual run log, expand the row table. For more information on resolving errors, see Troubleshooting.

The following messages indicate that the connection test completed successfully:

30 Today at 04:00:43 PM | INFO | 3272 | WriteToDetect: inserting ioc
32 Today at 04:00:43 PM | INFO | 3272 | StreamRunner: Connection run complete. Duration: 3, Data Transferred: 5.51 KB

View intel from WildFire in Threat Response

From the Threat Response menu, go to Intel > Sources.
You can see the intel that was imported from WildFire. You can add the Wildfire intel to Threat Response group configurations for continuous endpoint scanning.

The intel document that is created by this connection is a combination of the name of the firewall where the alert was discovered and the first 8 characters of the SHA-256 hash that uniquely identifies the WildFire report.