WildFire Email Alerts: How to Subscribe or Add Additional Recipients
Created On 09/25/18 15:19 PM - Last Modified 02/04/21 18:57 PM


Resolution

Details

WildFire email alerts can be generated on the Palo Alto Networks firewall (THREAT ALERT) or in the cloud (WildFire analysis report), as shown in the example below. The email that comes from the firewall is different from the email that comes from the cloud. Both can be configured at the same time; if they are, the first time a file is analyzed for a verdict, an email alert from each source will be received at about the same time.

[Screenshot: Screen Shot 2014-08-26 at 12.48.01 PM.png]

The WildFire public cloud only generates email alerts if the sample submission was sourced from a firewall or a manual portal upload. The WildFire public cloud will not generate email alerts for samples submitted through the API (e.g., Proofpoint), even if the sample is found to be malicious. The exception to this is that if a firewall sample is "blocked but forwarded" to WildFire, the WildFire public cloud will suppress email alert generation. For more information on forwarding of blocked files, please refer to https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-new-features/wildfire-features/wildfire-analysis-of-blocked-files.html

Below is an example of a WildFire email alert generated on the firewall:

[Screenshot: Screen Shot 2014-08-26 at 12.40.33 PM.png]

Shown below is an example of a WildFire email alert generated from the cloud:

[Screenshot: Screen Shot 2014-08-26 at 12.42.53 PM.png]

The following is an example of the detailed forensics report that appears when the user clicks on the link provided in the cloud email (shown above):

[Screenshot: Screen Shot 2014-08-26 at 12.44.18 PM.png]

[Screenshot: Screen Shot 2014-08-26 at 12.45.41 PM.png]

Steps

Configuring WildFire alerts to be sent from the firewall

Email alerts can be sent to only two recipients; comma-, space- or semicolon-separated lists of addresses are not supported. The recipients can be email distribution lists.

  1. Email alerts are configured under Device > Server Profiles > Email:
     [Screenshot: Screen Shot 2014-08-26 at 12.54.53 PM.png]
  2. Alerts can be activated under Objects > Log Forwarding > WildFire Settings by adding the previously configured email profile under Benign_x_Email and Malicious_x_Email:
     [Screenshot: Screen Shot 2014-08-26 at 12.56.07 PM.png]
  3. Make sure that the relevant policies have the Log Forwarding profile setting activated under Policies > Security and the user's policies:
     [Screenshot: Screen Shot 2014-08-26 at 12.58.46 PM.png]
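The same Email server profile from step 1 can be pushed through the PAN-OS XML API (type=config, action=set). The helper below is an added illustration, not Palo Alto Networks code: it enforces the two-recipient rule stated above (one address per field, no comma/space/semicolon lists) before building the request. The element layout (server/entry with from, to, and-also-to, gateway) and the host, key and address values are assumptions and placeholders.

```python
"""Build a PAN-OS XML API 'set' request for a shared Email server profile.

Added illustration (not Palo Alto Networks code). Assumed: the XML layout
under <server>, including the 'and-also-to' field for the second recipient;
host, API key and addresses below are placeholders.
"""
from urllib.parse import urlencode
from xml.etree import ElementTree as ET

FORBIDDEN = (",", ";", " ")  # separators the firewall's recipient fields do not accept


def validate_recipients(recipients):
    """Enforce the firewall limit: one or two recipients, one address per field."""
    if not 1 <= len(recipients) <= 2:
        raise ValueError("an Email server profile takes one or two recipients")
    for addr in recipients:
        if any(ch in addr for ch in FORBIDDEN) or "@" not in addr:
            raise ValueError(f"not a single email address: {addr!r}")
    return list(recipients)


def build_email_profile(profile, server, gateway, sender, recipients):
    """Return (xpath, element) for a type=config&action=set request."""
    to, *rest = validate_recipients(recipients)
    xpath = f"/config/shared/email/entry[@name='{profile}']"
    srv = ET.Element("server")
    entry = ET.SubElement(srv, "entry", name=server)
    ET.SubElement(entry, "from").text = sender
    ET.SubElement(entry, "to").text = to
    if rest:  # second recipient goes in its own field (assumed field name)
        ET.SubElement(entry, "and-also-to").text = rest[0]
    ET.SubElement(entry, "gateway").text = gateway
    return xpath, ET.tostring(srv, encoding="unicode")


def build_request_url(host, api_key, xpath, element):
    """Assemble the GET URL; the key is shown here as a placeholder."""
    params = {"type": "config", "action": "set", "xpath": xpath,
              "element": element, "key": api_key}
    return f"https://{host}/api/?{urlencode(params)}"


if __name__ == "__main__":
    xp, el = build_email_profile(
        "WildFire-Alerts", "smtp-relay", "10.0.0.25", "firewall@example.com",
        ["soc@example.com", "wildfire-dl@example.com"])  # constructed values
    print(build_request_url("FIREWALL-HOST", "API-KEY-PLACEHOLDER", xp, el))
```

Send the URL with your usual HTTP client and commit afterwards; the log forwarding profile from step 2 still has to reference the profile name.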

 

Configuring email alerts to be sent from the WildFire cloud

Each WildFire user can subscribe to these alerts. To create a WildFire user, refer to the following article: How to Create a WildFire User

  1. Log in with the assigned WildFire user at: https://wildfire.paloaltonetworks.com/
  2. Go to Settings > Configure Alerts, search for the firewall serial numbers whose alerts the user wants to subscribe to, and select whether the user wishes to receive an alert for malware verdicts, benign verdicts, or both.
  3. Once the appropriate check boxes are selected, click on 'Update Notification' to apply the changes.
     [Screenshot: Screen Shot 2014-08-26 at 1.12.12 PM.png]


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClDkCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail