Configuring Palo Alto Networks WildFire and Tanium Threat Response
Quickly find malware on endpoints with the integration between Palo Alto Networks WildFire (WildFire) and Threat Response.
You can use Palo Alto Networks firewall security policies to capture suspicious files and forward them to the WildFire system for threat analysis. If the file is malware, the status is reported back to the firewall.
After the WildFire analysis is completed, you can send the data to Connect and Threat Response to find evidence of the malware on all endpoints.
How Tanium integrates with WildFire
Connect communicates with the firewall and WildFire to get Malware report, then sends to Threat Response.
- Connect queries the firewall for new malware alerts on a configured interval.
- When Connect has a list of malware alerts, it checks with WildFire for associated WildFire reports.
- The WildFire reports that are associated with the list of malware alerts are sent to Connect.
- Connect converts the WildFire report into a Structured Threat Information Expression (STIX™) indicator of compromise (IOC).
- The STIX IOC is imported into Threat Response.
- Threat Response searches the environment for evidence of the malware on the endpoints.
Palo Alto Networks requirements
- A subscription to Cloud WildFire (wildfire.paloaltonetworks.com) or a configured WF-500 WildFire appliance.
- Palo Alto Networks Firewall with or without Panorama.
- A user account on the firewall or Panorama that has API access privileges. This account can be read-only, but API access privilege is required. For more information, see Palo Alto Networks: Manage Firewall Administrators.
- Tanium™ Core Platform 7.0 or later.
- Threat Response 1.0 or later.
- Connect 3.2.0 or later.
- Click the Monitor tab and go to Logs > WildFire Submissions.
- Check for Malicious entries in the Verdict column.
- Check the values in the Receive Time column. Tanium only downloads reports that are less than 24 hours old.
If you do not see any data on this screen, check your Palo Alto Networks configuration.
- On the Connect home page, click Create Connection > Create.
- Enter a name and description for your connection.
- If you want to enable your connection to run on a schedule, select Enable. You can specify the specifics about the schedule when you configure the rest of the connection. If the schedule is not enabled, the connection only runs when you manually run it.
- (Optional) Set the logging level.
By default, the logging is set to Information. Set the log level to Trace or Debug if you are debugging the connection. To reduce the amount of logging, you can set the log level to Warning, Error or Fatal.
When Tanium finds a new malware alert in the firewall, it retrieves the associated malware report from WildFire as defined in the connection source settings.
Define credentials for the Palo Alto Network Panorama or individual firewall.
Tanium queries for new malware alerts on a periodic basis. The user needs to have at least read-only (device_admin_readonly) access to the logs API.
- Specify settings for WildFire.
When Tanium gets a new malware alert from the firewall, it retrieves the associated malware report from WildFire. This section specifies the details for Tanium to access WildFire.
- (Optional) Define advanced settings.
Table 1: WildFire Source Settings Setting Description Filter Restricts which WildFire reports Tanium collects. For more information, see (Optional) Filter WildFire reports. Evidence Value A decimal value between 0 and 1 that specifies how strict the IOC indicators generated are to the malicious event. The default 0.4 value is recommended. If you want a more detailed IOC that might generate false positives, try 0.1, 0.2 or 0.3. Optional parameters Ask your TAM about optional parameters. Collect New Reports every time (Ignore Cache File) Specifies if the Tanium collects all WildFire reports every time it connects. The default is disabled (unselected). If unselected, WildFire reports that have already been downloaded are ignored. If selected, existing WildFire reports are re-downloaded, which can be useful in troubleshooting. Use Tanium Module Server Proxy Setting
Select if you have a proxy defined for the Tanium™ Module Server. For more information, see Tanium Platform Installation Guide: Proxy server settings.
Use a filter to restrict which WildFire reports Tanium collects. For most use cases, no filter is required. The syntax of this filter is defined by the filter syntax of the Palo Alto Network filter interface.
The filter maps to the Palo Alto Networks data filtering format. You can use this field to expand the filter beyond the last 24 hours. The filter syntax uses epoch time for date and time. To figure out what epoch time to specify, see Epoch converter. For example, the following filter looks at all malicious WildFire reports found after Sun, 4 Oct 2015 14:45:11 GMT.
( category eq malicious ) and (receive_time geq 1443969911)
- (Optional) You can create a filter with the correct syntax in the Palo Alto Networks console. Click the Monitor tab and go to Logs > WildFire Submissions.
- Go to the Tanium Connect page where you are creating the connection and paste the filter in the Filter field of the Connection source section.
Connections can run at a highly configurable time interval, such as multiple times per hour, day, week, or month.
Update the schedule:
- Use the Generate Cron tab to build a schedule based on some common time intervals. This tab generates a Cron expression.
- To view or edit the Cron expression directly, click the Edit Cron Expression tab.
A quick reference to Cron syntax follows. You can use Crontab to build a Cron expression.
┌──────────── minute │ ┌────────── hour │ │ ┌──────── day of month │ │ │ ┌────── month │ │ │ │ ┌──── day of week │ │ │ │ │ │ │ │ │ │ * * * * *
Each asterisk is a field that must be included in the Cron expression. The field value can either be an asterisk (any value) or one of the following values:
|day of month||1-31|
|day of week (Sunday is 0 and 7)||0-7|
- Click Create Connection > Create. When the connection gets created, your new connection displays in the list on the Connections page.
- To view details about when the connection is running, click the name of the connection. On the resulting connection details page, click the Runs tab.
- To view individual run logs, click the link in the Status column in the Runs table.
The following messages indicate that the connection test completed successfully:
30 Today at 04:00:43 PM | INFO | 3272 | WriteToDetect: inserting ioc
32 Today at 04:00:43 PM | INFO | 3272 | StreamRunner: Connection run complete. Duration: 3, Data Transferred: 5.51 KB
In Threat Response, click Intel > Sources.
You can see the intel that was imported from WildFire. You can add the Wildfire intel to Threat Response group configurations for continuous endpoint scanning.
The intel document that is created by this connection is a combination of the name of the firewall where the alert was discovered and the first 8 characters of the SHA-256 hash that uniquely identifies the WildFire report.
Last updated: 2/25/2020 3:08 PM | Feedback