
Palo Alto Networks App for Splunk: How to get the Wildfire API scheduled search to retrieve a full report only for malicious files?

alex_nehmy
Engager

The scheduled search "WildFire Reports - Retrieve Report" queries WildFire using the API to retrieve the full WildFire report. However, it does this for benign and malicious files. This uses up our 10,000 query limit by 8am.

I would only like to automatically retrieve the full wildfire report for malicious files.

How would you recommend implementing this?

0 Karma

btorresgil
Builder

Hi Alex,

Based on feedback like this, I have changed the default behavior to only download wildfire reports for malicious files in version 5.0.0 of the app (available now).

It sounds like you're using a previous version, so you can upgrade to v5.0.0, or you can modify your saved search by adding a 'category="malicious"' to your search. Here is the link to the saved search that only downloads reports for malicious files as it is in v5.0.0. Just copy the category="malicious" part of the search to your saved search:

https://github.com/PaloAltoNetworks-BD/SplunkforPaloAltoNetworks/blob/5.0.0/default/savedsearches.co...

If you choose to upgrade to 5.0.0, I recommend using the upgrade guide:
http://pansplunk.readthedocs.org/en/latest/upgrade.html

Best regards,
-Brian

0 Karma

roy_dsouza
New Member

Hi
I am also struggling with populating Splunk with only the malicious WildFire reports within the Splunk GUI. My problem is a mismatch of information. The WildFire Dashboard is accurately displaying the 'Wildfire Event Alerts', however this does not match the 'Search Wildfire Report Data', where only one result is populated.

Can anyone help me explain why or what to check please?

Thanks in advance

Roy

0 Karma

alex_nehmy
Engager

I think I've figured it out:

Modify the saved search: "WildFire Reports - Retrieve Report" to only pass non-benign files to the panwildfirereport command:

From this:

`pan_wildfire` | panwildfirereport | table wildfire_report | rename wildfire_report AS _raw | collect index=pan_logs sourcetype=pan_wildfire_report

To this:

`pan_wildfire` | search category!=benign | panwildfirereport | table wildfire_report | rename wildfire_report AS _raw | collect index=pan_logs sourcetype=pan_wildfire_report

btorresgil
Builder

That works, but you don't need the extra search command. You can do this instead:

`pan_wildfire` category!=benign | panwildfirereport | table wildfire_report | rename wildfire_report AS _raw | collect index=pan_logs sourcetype=pan_wildfire_report
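The two fixes in this thread differ in which verdicts still cost an API query: Alex's `category!=benign` also fetches reports for every non-benign, non-malicious verdict, while Brian's v5.0.0 default `category="malicious"` fetches only confirmed malware. The Python below is an added example, not code from the Palo Alto Networks app; it models the saved-search change by applying the verdict filter before the per-sample report lookup and counts the queries each filter spends against the 10,000/day quota from the question. The event records, their field names (`filedigest`, `category`) and the verdict values "grayware" and "phishing" are constructed/assumed for this example (only "benign" and "malicious" appear in the thread). It goes one step beyond the thread by deduplicating on file hash, since one report per sample is enough however many events mention it.

```python
"""Quota-aware selection of WildFire samples whose full report is worth fetching.

Added example, not the Palo Alto Networks app's own code. The verdict filter runs
*before* the per-sample report lookup, so benign samples never cost an API query.
Field names and the "grayware"/"phishing" verdict values are assumptions.
"""

DAILY_QUERY_LIMIT = 10_000  # WildFire API quota mentioned in the question

# Constructed sample of WildFire log events (field names assumed for this example).
SAMPLE_EVENTS = [
    {"filedigest": "a" * 64, "category": "benign",    "filename": "invoice.pdf"},
    {"filedigest": "b" * 64, "category": "malicious", "filename": "setup.exe"},
    {"filedigest": "b" * 64, "category": "malicious", "filename": "setup.exe"},  # same sample seen twice
    {"filedigest": "c" * 64, "category": "grayware",  "filename": "toolbar.exe"},
    {"filedigest": "d" * 64, "category": "benign",    "filename": "photo.jpg"},
    {"filedigest": "e" * 64, "category": "phishing",  "filename": "login.html"},
]

# The two filters from the thread, expressed as predicates on one event.
FILTERS = {
    "malicious":  lambda ev: ev.get("category") == "malicious",   # v5.0.0 default: category="malicious"
    "non-benign": lambda ev: ev.get("category") != "benign",      # Alex's change: category!=benign
}


def select_for_report(events, mode="malicious"):
    """Return the unique file digests (in first-seen order) whose report should be fetched.

    Deduplicating on filedigest is an addition beyond the thread: the same sample
    often appears in many events, and one report lookup per sample is enough.
    """
    try:
        keep = FILTERS[mode]
    except KeyError:
        raise ValueError(f"unknown filter mode {mode!r}") from None
    seen, ordered = set(), []
    for ev in events:
        if not keep(ev):
            continue  # filtered out before any API call is made
        digest = ev["filedigest"]
        if digest not in seen:
            seen.add(digest)
            ordered.append(digest)
    return ordered


def api_calls_saved(events, mode="malicious"):
    """Report lookups avoided versus the original search, which queried once per event."""
    return len(events) - len(select_for_report(events, mode))


def quota_check(events, mode="malicious", limit=DAILY_QUERY_LIMIT):
    """Return (calls_needed, fits_in_quota) for one scheduled run over `events`."""
    needed = len(select_for_report(events, mode))
    return needed, needed <= limit


def fetch_reports(events, fetch_report, mode="malicious"):
    """Call fetch_report(digest) once per selected sample; returns {digest: report}.

    `fetch_report` stands in for the panwildfirereport lookup; passing a stub lets
    you count the queries a given filter would spend without touching the API.
    """
    return {digest: fetch_report(digest) for digest in select_for_report(events, mode)}


if __name__ == "__main__":
    for mode in FILTERS:
        needed, fits = quota_check(SAMPLE_EVENTS, mode)
        print(f"{mode:>10}: {needed} lookup(s), {api_calls_saved(SAMPLE_EVENTS, mode)} saved, within quota={fits}")
```

Run it and compare the two modes: on the constructed events the unfiltered search would spend six lookups, `category!=benign` spends three (malicious, grayware, phishing), and `category="malicious"` spends one. Pick the filter that matches what the reports are actually used for; if analysts also want grayware and phishing reports, the wider filter is the right trade against quota.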