- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
With more organizations embracing digital systems to process information from their customers, partners, and employees, the functionality of uploading files via websites and online applications are commonplace. An ever-increasing number of malicious files and filetypes must be reviewed and confirmed to not be malicious before being safely stored or used by the application to prevent security incidents caused by malicious files being processed.
This is one use-case for the WildFire API, allowing organizations to use a scalable and automated solution to confidently scan and confirm if the files are malicious or benign.
This tutorial shows how to implement an event-driven pipeline for automated malicious file detection of files uploaded to Google Cloud Storage using Palo Alto Networks' WildFire API.
WildFire is at the forefront of security with native integrations to Palo Alto Networks products, such as the Next-Generation Firewalls, Cortex XDR, and other Palo Alto Networks solutions. With the WildFire API, security teams can now extend the advanced analysis and protections of WildFire to a growing number of use cases.
WildFire is the industry’s most advanced analysis and prevention engine for highly evasive zero-day exploits and malware. The service employs a unique multi-technique approach combining dynamic and static analysis, and innovative machine learning techniques, to detect and prevent even the most evasive threats.
The WildFire RESTful API enables organizations to extend malware detection capabilities beyond the typical control points. The API includes the ability to submit files and URL links for analysis, and query for known and new verdicts. Many organizations have already adopted this API to automate the submissions of files extending the protections to cloud storage and B2C portals.
Customers who adopt the WildFire API will benefit from the research of Unit 42, Palo Alto Threat Research teams, and the growing database of more than 16 billion malicious samples WildFire. WildFire is the largest cloud-based file analysis solution in the industry, analyzing submissions from more than 80,000 global customers. The analysis results are updated in real-time and often include detections for novel malware campaigns ahead of other cloud-based analysis solutions.
To use the Palo Alto Networks WildFire API, you must have a WildFire API key.
Palo Alto Networks now offers a subscription service enabling access to the advanced file analysis capabilities of the WildFire cloud for customers operating SOAR tools, custom security applications, and other threat assessment software through a RESTful, XML-based API. This standalone WildFire API subscription offering allows you to make queries to the WildFire cloud threat database for information about potentially malicious content, and submit files for analysis using the advanced threat analysis capabilities of WildFire, based on your organization’s specific requirements.
For any customers that do not currently have an existing WildFire service or any relationship with Palo Alto Networks, please contact our Sales team to discuss how to obtain an evaluation of this service. You can contact the sales team by following this link.
For existing customers of Palo Alto Networks using the WildFire service follow these steps to get your API key for the WildFire public cloud:
Your account may have more than one WildFire API key. Choose one that is valid and has an Expiration that is in the future.
To understand this file scanning pipeline it's important that you understand the following components:
The following steps outline the architectural pipeline:
Once the files are moved to the “Scanned Files” Cloud Storage Bucket the rest of the event-driven application logic can proceed on these files with the knowledge that they have been analyzed and have been found to be benign by the Palo Alto Networks WildFire service.
The security team can investigate the quarantined files as needed to understand the types of attacks that are being attempted on the organization, and better understand the threat landscape.
The following steps create and deploy this demonstration environment for use with the WildFire API.
Follow these steps to get the demonstration environment setup in Google Cloud:
Ensure that you understand the relevant charges associated with this deployment before proceeding. To generate a cost estimate based on your projected usage, use the pricing calculator. New Google Cloud users might be eligible for a free trial.
When you finish this tutorial, you can avoid continued billing by deleting the resources you created. For more information, see the “Clean up” section below.
gcloud config set project replace-this-project-id-with-yours |
gcloud services enable cloudfunctions.googleapis.com gcloud services enable cloudbuild.googleapis.com gcloud services enable secretmanager.googleapis.com |
cd gcp-wildfire-api |
terraform init |
terraform plan |
terraform apply |
Apply complete! Resources: 15 added, 0 changed, 0 destroyed. Outputs: gcs_bucket_for_upload = "gs://sponge-upload" |
gsutil cp upload_file.pdf gs://sponge-upload |
Once you have completed your testing please delete the deployment that has been created. To do this run the following command from the Cloud Console:
terraform destroy |
You will be prompted to review the proposed changes, and accept them before proceeding, on completion will see this message:
Destroy complete! Resources: 15 destroyed. |
The following articles and information are useful for understanding more about the WildFire service:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Subject | Likes |
---|---|
3 Likes | |
2 Likes | |
1 Like | |
1 Like | |
1 Like |