WildFire Email Alerts: How to Subscribe or Add Additional Recipients

26557
Created On 09/25/18 15:19 PM - Last Modified 01/11/23 06:58 AM


Resolution


Details

WildFire email alerts can be generated on the Palo Alto Networks firewall (THREAT ALERT) or in the cloud (WildFire analysis report), as shown in the example below. The email that comes from the firewall is different from the email that comes from the cloud. Both can be configured at the same time. If both are configured, the first time a file is analyzed for a verdict, an email alert from each source will be received at about the same time.

[Image: Screen Shot 2014-08-26 at 12.48.01 PM.png]

The WildFire public cloud only generates email alerts if the sample submission was sourced from a firewall or a manual portal upload. The WildFire public cloud will not generate email alerts for samples submitted through the API (for example, by Proofpoint), even if the sample is found to be malicious. A further exception is a firewall sample that is "blocked but forwarded" to WildFire: in that case the WildFire public cloud also suppresses email alert generation. For more information on blocked forwarding, please refer to https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new/latest-wildfire-cloud-features/wildfire-analysis-of-blocked-files.
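Because the cloud sends no email for API-submitted samples, a team that submits through the API has to fetch verdicts itself. The following is an added example, not part of this article and not Palo Alto Networks code: it assumes the public WildFire API endpoint POST /publicapi/get/verdict with form fields apikey and hash, the XML reply shape <wildfire><get-verdict-info><sha256/><verdict/><md5/></get-verdict-info></wildfire>, and the documented verdict codes (0 benign, 1 malware, 2 grayware, 4 phishing, negative values for pending/error/unknown/invalid hash). Verify those against the current API reference before relying on them. The sample response embedded below is constructed, and the hash in it is a placeholder.

```python
"""Fetch a WildFire verdict for an API-submitted sample and decide whether to notify.

Assumed public WildFire API (verify against the current API reference):
  POST {cloud}/publicapi/get/verdict  with form fields  apikey=<key>  hash=<sha256>
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Verdict codes as documented for the public API (assumption, not from this article).
VERDICTS = {
    0: "benign",
    1: "malware",
    2: "grayware",
    4: "phishing",
    -100: "pending",       # analysis not finished yet; poll again later
    -101: "error",
    -102: "unknown",       # WildFire has never seen this hash
    -103: "invalid hash",
}

# Verdicts a defender would normally want to be notified about; adjust to taste.
ALERT_ON = {"malware", "grayware", "phishing"}


def parse_verdict(xml_text: str) -> dict:
    """Parse a get/verdict reply into {'sha256': str, 'code': int, 'verdict': str}."""
    root = ET.fromstring(xml_text)
    info = root.find("get-verdict-info")
    if info is None:
        raise ValueError("unexpected reply: no <get-verdict-info> element")
    code = int(info.findtext("verdict", default="-101"))
    return {
        "sha256": info.findtext("sha256", default=""),
        "code": code,
        "verdict": VERDICTS.get(code, f"unrecognized ({code})"),
    }


def should_alert(result: dict) -> bool:
    """True when the verdict is one the team wants an out-of-band notification for."""
    return result["verdict"] in ALERT_ON


def fetch_verdict(api_key: str, sha256: str,
                  cloud: str = "https://wildfire.paloaltonetworks.com") -> dict:
    """Query the cloud for one hash. Network call; use the regional cloud URL as needed."""
    body = urlencode({"apikey": api_key, "hash": sha256}).encode()
    req = Request(f"{cloud}/publicapi/get/verdict", data=body, method="POST")
    with urlopen(req, timeout=30) as resp:
        return parse_verdict(resp.read().decode())


# Constructed sample reply (placeholder hashes) so the parsing can be exercised offline.
SAMPLE_RESPONSE = f"""<wildfire>
  <get-verdict-info>
    <sha256>{'0' * 64}</sha256>
    <verdict>1</verdict>
    <md5>{'0' * 32}</md5>
  </get-verdict-info>
</wildfire>"""

if __name__ == "__main__":
    result = parse_verdict(SAMPLE_RESPONSE)
    print(result["sha256"], result["verdict"], "notify" if should_alert(result) else "quiet")
```

A pending verdict (-100) is the normal first answer right after submission, so a poller should retry with a back-off rather than treat it as a final result.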

Below is an example of a WildFire email alert generated on the firewall:

[Image: Screen Shot 2014-08-26 at 12.40.33 PM.png]

Shown below is an example of a WildFire email alert generated from the cloud:

[Image: Screen Shot 2014-08-26 at 12.42.53 PM.png]

The following is an example of a detailed forensics report that appears when the user clicks on the provided link (shown above):

[Image: Screen Shot 2014-08-26 at 12.44.18 PM.png]

[Image: Screen Shot 2014-08-26 at 12.45.41 PM.png]

Steps

Configuring WildFire alerts to be sent from the firewall

Email alerts can be sent to at most two recipients; comma-, space- or semicolon-separated lists of addresses are not supported. Each recipient can be an email distribution list.


1. Email alerts are configured under Device > Server Profiles > Email:
[Image: Email_Server_Profile.png]


2. Alerts can be activated under Objects > Log Forwarding. Add the previously configured email profile under Forward Method > EMAIL:
[Image: Log_Forwarding_1.png]

[Image: Log_Forwarding_2.png]

3. Make sure that the relevant policies have the Log Forwarding profile setting activated under Policies > Security and the User's policies:
[Image: Security_Policy.png]

Configuring email alerts to be sent from the WildFire cloud

These alerts are subscribed to per WildFire user. To create a WildFire user, refer to the following article: How to Create a WildFire User

  1. Log in with the assigned WildFire user at https://wildfire.paloaltonetworks.com/. Refer to the Administration Guide for the URLs of the other regional clouds.
  2. Go to Settings > Configure Alerts, search for the firewall serial numbers you want to subscribe to for alerts, and select whether the user should receive an alert for verdicts of Malware, Grayware, Benign or Phishing.
  3. Once the appropriate check boxes are selected, click 'Update Notification' to apply the changes.
    [Image: WF_Portal.png]

