Details
WildFire email alerts can be generated on the Palo Alto Networks firewall (THREAT ALERT) or in the cloud (WildFire analysis report), as shown in the examples below. The email sent by the firewall is different from the email sent by the cloud. Both can be configured at the same time; if they are, the first time a file is analyzed for a verdict, an email alert from each source will arrive at about the same time.
The WildFire public cloud only generates email alerts if the sample submission was sourced from a firewall or a manual portal upload. The WildFire public cloud will not generate email alerts for samples submitted through the API (for example, by Proofpoint), even if the sample is found to be malicious. There is one further exception: if a firewall sample is "blocked but forwarded" to WildFire, the WildFire public cloud suppresses the email alert even though the sample came from a firewall. For more information on blocked forwarding, refer to https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new/latest-wildfire-cloud-features/wildfire-analysis-of-blocked-files.
Below is an example of a WildFire email alert generated on the firewall:
Shown below is an example of a WildFire email alert generated from the cloud:
The following is an example of a detailed forensics report that appears when the user clicks on the provided link (shown above):
Steps
Configuring WildFire alerts to be sent from the firewall
Email alerts can be sent to only two recipients (comma-, space- or semicolon-separated lists of addresses are not supported). A recipient address can be an email distribution list.
1. Email alerts are configured under Device > Server Profiles > Email:
2. Alerts can be activated under Objects > Log Forwarding. Add the previously configured email profile under Forward Method > EMAIL:
3. Make sure that the relevant policies, under Policies > Security and the user-based policies, have the Log Forwarding profile setting activated:
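The same three steps as they would be entered in PAN-OS configure mode on the firewall CLI, added here as an example and not part of the original article; the profile, rule and address names are placeholders, and the exact keywords are an assumption to be checked against the CLI reference for your PAN-OS version.

```text
# Step 1: email server profile; "to" and "and-also-to" are the only two recipients allowed,
# so use a distribution list address where more people need the alert.
set shared server-profile email WF-Alerts server smtp1 from fw-alerts@example.com to soc@example.com and-also-to soc-dl@example.com gateway smtp.example.com

# Step 2: log forwarding profile that sends every WildFire log to that email profile.
set shared log-settings profiles LF-WildFire match-list wildfire-email log-type wildfire filter "All Logs" send-email WF-Alerts

# Step 3: attach the log forwarding profile to each security rule that should raise alerts
# (repeat for every relevant rule, including the user-based ones).
set rulebase security rules allow-users-outbound log-setting LF-WildFire

commit
```

A rule without a log-setting value produces no WildFire email from the firewall, so reviewing `show rulebase security rules` for rules missing it is a quick check that step 3 was completed.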
Configuring email alerts to be sent from the WildFire cloud
Each WildFire user can subscribe to these alerts. To create a WildFire user, refer to the following link: How to Create a WildFire User
- Log in with the assigned WildFire user at: https://wildfire.paloaltonetworks.com/. Refer to the Administration Guide for the URLs of the other regional clouds.
- Go to Settings > Configure Alerts, search for the firewall serial numbers to subscribe to for alerts, and select whether the user wishes to receive an alert for verdicts of Malware / Grayware / Benign / Phishing.
- Once the appropriate check boxes are selected, click 'Update Notification' to apply the changes.