Configuring Palo Alto Networks WildFire and Tanium Detect

Quickly find malware on endpoints with the integration between Palo Alto Networks WildFire (WildFire) and Detect.

Overview

You can use Palo Alto Networks firewall security policies to capture suspicious files and forward them to the WildFire system for threat analysis. If the file is malware, the status is reported back to the firewall.

After the WildFire analysis is completed, you can send the data to Connect and Detect to find evidence of the malware on all endpoints.

How Tanium integrates with WildFire

Connect communicates with the firewall and WildFire to retrieve malware reports, then sends them to Detect.

Figure 1: Tanium and WildFire
  1. Connect queries the firewall for new malware alerts on a configured interval.
  2. When Connect has a list of malware alerts, it checks with WildFire for associated WildFire reports.
  3. The WildFire reports that are associated with the list of malware alerts are sent to Connect.
  4. Connect converts the WildFire report into a Structured Threat Information Expression (STIX™) indicator of compromise (IOC).
  5. The STIX IOC is imported into Detect.
  6. Detect searches the environment for evidence of the malware on the endpoints.

Prerequisites

Palo Alto Networks requirements

  • A subscription to Cloud WildFire (wildfire.paloaltonetworks.com) or a configured WF-500 WildFire appliance.
  • Palo Alto Networks Firewall with or without Panorama.
  • A user account on the firewall or Panorama that has API access privileges. This account can be read-only, but API access privilege is required. For more information, see Palo Alto Networks: Manage Firewall Administrators.

Tanium requirements

  • Tanium™ Core Platform 6.5 or later.
  • Detect 2.2 or later.
  • Connect 3.2.0 or later.

Check for WildFire submissions in Palo Alto Networks console

To verify that you are getting reports for malicious files in Palo Alto Networks that can be imported into Tanium:

  1. Click the Monitor tab and go to Logs > WildFire Submissions.
  2. Check for Malicious entries in the Verdict column.
  3. Check the values in the Receive Time column. Tanium only downloads reports that are less than 24 hours old.

If you do not see any data on this screen, check your Palo Alto Networks configuration.

Specify general connection information

  1. On the Connect home page, click Create Connection > Create.
  2. Enter a name and description for your connection.
  3. If you want to enable your connection to run on a schedule, select Enable. You can specify the schedule details when you configure the rest of the connection. If the schedule is not enabled, the connection only runs when you manually run it.
  4. (Optional) Set the logging level.
    By default, the logging is set to Information. Set the log level to Trace or Debug if you are debugging the connection. To reduce the amount of logging, you can set the log level to Warning, Error or Fatal.

Configure WildFire as the connection source

When Tanium finds a new malware alert in the firewall, it retrieves the associated malware report from WildFire as defined in the connection source settings.

  1. Define credentials for the Palo Alto Networks Panorama or individual firewall.
    Tanium queries for new malware alerts on a periodic basis. The user must have at least read-only (device_admin_readonly) access to the logs API.

  2. Specify settings for WildFire.
    When Tanium gets a new malware alert from the firewall, it retrieves the associated malware report from WildFire. This section specifies the details for Tanium to access WildFire.
  3. (Optional) Define advanced settings.
    Table 1: WildFire Source Settings

    Filter: Restricts which WildFire reports Tanium collects. For more information, see (Optional) Filter WildFire reports.

    Evidence Value: A decimal value between 0 and 1 that specifies how strictly the generated IOC indicators are tied to the malicious event. The default value of 0.4 is recommended. If you want a more detailed IOC that might generate false positives, try 0.1, 0.2, or 0.3.

    Optional parameters: Ask your TAM about optional parameters.

    Collect New Reports every time (Ignore Cache File): Specifies whether Tanium collects all WildFire reports every time it connects. The default is disabled (unselected). If unselected, WildFire reports that have already been downloaded are ignored. If selected, existing WildFire reports are re-downloaded, which can be useful in troubleshooting.

    Use Tanium Module Server Proxy Setting: Select if you have a proxy defined for the Tanium™ Module Server. For more information, see Tanium Platform Installation Guide: Proxy server settings.

Configure Tanium Detect as the connection destination

Select Detect Intel Provider as the data destination and select the IOC group that you created.

Schedule the connection

Connections can run at a highly configurable time interval, such as multiple times per hour, day, week, or month.

Update the schedule:

  • Use the Generate Cron tab to build a schedule based on some common time intervals. This tab generates a Cron expression.
  • To view or edit the Cron expression directly, click the Edit Cron Expression tab.
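To confirm what a Cron expression from the Generate Cron tab actually means before you save the connection, the following added Python checker (not Tanium code) parses the 5-field form (minute, hour, day of month, month, day of week with Sunday = 0) and lists the next firing times. It applies plain AND logic to the two day fields, a simplification of standard cron's rule when both are restricted; EXAMPLE_START is a constructed timestamp.

```python
"""Checker for 5-field Cron expressions such as those the Generate Cron tab emits.

Added example, not Tanium's code. Fields: minute hour day-of-month month
day-of-week (0-6, Sunday = 0). Supports '*', lists (1,15), ranges (1-5) and
steps (*/15). Both day fields must match (simplified cron semantics).
"""
from datetime import datetime, timedelta

FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]

# Constructed starting point: Tuesday 4 Dec 2018, 15:28.
EXAMPLE_START = datetime(2018, 12, 4, 15, 28)


def _expand(field, lo, hi):
    """Expand one cron field into the set of integer values it matches."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = int(part)
            end = hi if step > 1 else start   # "5/10" means 5, 15, 25, ...
        if not (lo <= start <= end <= hi):
            raise ValueError(f"cron field out of range: {field!r}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr):
    """Return [minutes, hours, days, months, weekdays] as sets of allowed values."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields: minute hour day month weekday")
    return [_expand(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]


def _matches(parsed, when):
    minute, hour, dom, month, dow = parsed
    weekday = (when.weekday() + 1) % 7   # Python Monday=0 -> cron Sunday=0
    return (when.minute in minute and when.hour in hour and when.day in dom
            and when.month in month and weekday in dow)


def cron_matches(expr, when):
    """True if the expression would fire at the given minute."""
    return _matches(parse_cron(expr), when)


def next_runs(expr, start, count=3):
    """Next `count` firing times strictly after `start`, at minute resolution."""
    parsed = parse_cron(expr)
    t = start.replace(second=0, microsecond=0) + timedelta(minutes=1)
    runs = []
    for _ in range(366 * 24 * 60):   # give up after scanning one year
        if _matches(parsed, t):
            runs.append(t)
            if len(runs) == count:
                break
        t += timedelta(minutes=1)
    return runs


if __name__ == "__main__":
    for expr in ("*/15 * * * *", "0 4 * * 1-5"):
        print(expr, [r.strftime("%a %H:%M") for r in next_runs(expr, EXAMPLE_START)])
```

Run it with the expression copied from the Edit Cron Expression tab; a `ValueError` means the expression would not be accepted by a standard cron parser either.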

Save and verify connection

  1. Click Create Connection > Create. After the connection is created, it appears in the list on the Connections page.
  2. To view details about when the connection is running, click the name of the connection. On the resulting connection details page, click the Runs tab.
  3. To view individual run logs, click the link in the Status column in the Runs table.

The following messages indicate that the connection test completed successfully:

30 Today at 04:00:43 PM | INFO | 3272 | WriteToDetect: inserting ioc
32 Today at 04:00:43 PM | INFO | 3272 | StreamRunner: Connection run complete. Duration: 3, Data Transferred: 5.51 KB

View intel from WildFire in Detect

In Detect, click Management > Sources. You can see the intel that was imported from WildFire. You can add the WildFire intel to Detect group configurations for continuous endpoint scanning.

The intel document that is created by this connection is a combination of the name of the firewall where the alert was discovered and the first 8 characters of the SHA-256 hash that uniquely identifies the WildFire report.
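The six-step flow from the overview, the 24-hour age check on Receive Time, the cache behaviour behind the "Collect New Reports every time" setting, the Evidence Value threshold, and the intel naming rule above, modelled together in an added Python example. This is not Tanium's or Palo Alto Networks' code: the submission field names, the cache as a set of SHA-256 hashes, the "-" separator in the intel name, and applying Evidence Value as a per-indicator score cutoff are assumptions made to keep the flow concrete, and the submissions and report are constructed sample data.

```python
"""Model of the Connect -> WildFire -> Detect flow described on this page.

Added example, not Tanium's or Palo Alto Networks' code. Field names, the
cache format, the intel-name separator and the Evidence Value cutoff are
assumptions. The pattern strings use STIX 2.1 comparison-expression syntax.
"""
from datetime import datetime, timedelta, timezone

MAX_REPORT_AGE = timedelta(hours=24)   # page: reports older than 24 hours are not downloaded

# Constructed "now" and WildFire Submissions entries (sample data, not real alerts).
NOW = datetime(2018, 12, 4, 15, 28, tzinfo=timezone.utc)
SAMPLE_SHA = "0123456789abcdef" * 4
SUBMISSIONS = [
    {"device_name": "fw-edge-01", "verdict": "malicious",
     "receive_time": NOW - timedelta(hours=2), "sha256": SAMPLE_SHA},
    {"device_name": "fw-edge-01", "verdict": "benign",            # not malware
     "receive_time": NOW - timedelta(hours=1), "sha256": "fedcba9876543210" * 4},
    {"device_name": "fw-dc-02", "verdict": "malicious",           # too old
     "receive_time": NOW - timedelta(hours=30), "sha256": "89abcdef01234567" * 4},
]

# Constructed WildFire report: candidate indicators with an assumed evidence score.
REPORTS = {
    SAMPLE_SHA: [
        {"type": "file:hashes.'SHA-256'", "value": SAMPLE_SHA, "evidence": 1.0},
        {"type": "domain-name:value", "value": "callback.example.invalid", "evidence": 0.6},
        {"type": "file:name", "value": "update.tmp", "evidence": 0.2},
    ],
}


def select_alerts(submissions, now, cache, ignore_cache=False):
    """Steps 1-2: keep malicious alerts under 24 hours old that are not cached."""
    selected = []
    for entry in submissions:
        if entry["verdict"].lower() != "malicious":
            continue
        if now - entry["receive_time"] > MAX_REPORT_AGE:
            continue
        if not ignore_cache and entry["sha256"] in cache:
            continue
        selected.append(entry)
    return selected


def intel_name(device_name, sha256):
    """Naming rule from the page: firewall name plus first 8 hex chars of the SHA-256."""
    return f"{device_name}-{sha256[:8]}"        # "-" separator is an assumption


def build_stix_pattern(indicators, evidence_value=0.4):
    """Step 4: keep indicators whose score meets the Evidence Value (default 0.4).

    A lower Evidence Value admits weaker indicators, which is why the page warns
    that 0.1-0.3 produce more detailed IOCs that may cause false positives.
    """
    kept = [i for i in indicators if i["evidence"] >= evidence_value]
    return " OR ".join(f"[{i['type']} = '{i['value']}']" for i in kept)


def run_connection(submissions, reports, now, cache,
                   evidence_value=0.4, ignore_cache=False):
    """One connection run: returns the IOC documents that would go to Detect."""
    iocs = []
    for entry in select_alerts(submissions, now, cache, ignore_cache):
        indicators = reports.get(entry["sha256"])
        if indicators is None:
            continue                      # no WildFire report yet; retry next run
        iocs.append({
            "name": intel_name(entry["device_name"], entry["sha256"]),
            "pattern": build_stix_pattern(indicators, evidence_value),
        })
        cache.add(entry["sha256"])        # step 5: remember what was imported
    return iocs


if __name__ == "__main__":
    cache = set()
    for ioc in run_connection(SUBMISSIONS, REPORTS, NOW, cache):
        print(ioc["name"], "->", ioc["pattern"])
    print("second run (cached):", run_connection(SUBMISSIONS, REPORTS, NOW, cache))
```

Running it once yields a single IOC named `fw-edge-01-01234567`; a second run returns nothing because the hash is cached, and passing `ignore_cache=True` reproduces the "Collect New Reports every time" behaviour.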

Last updated: 12/4/2018 3:28 PM