Cortex & WildFire - The WF detailed analysis reports arrive with a delay.


Dear PA community members,

 

I've done the research but could not find any info about the WildFire limitations nor any issues which could explain why in some cases the WildFire report arrives with a delay.

 

As per WildFire Analysis Concepts: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/endpo... ,

the only limitation mentioned in the documentation is: "Cortex XDR sends unknown samples for in-depth analysis to WildFire. WildFire accepts up to 1,000,000 sample uploads per day and up to 1,000,000 verdict queries per day from each Cortex XDR tenant. The daily limit resets at 23:59:00 UTC. Uploads that exceed the sample limit are queued for analysis after the limit resets. WildFire also limits sample sizes to 100MB."

 

Based on the documentation, WF should be able to deliver a verdict within 10-15 min after uploading the file (PE), which seems to be happening in most cases. Unfortunately, for some files sent for WildFire analysis after being prevented (blocked) on the XDR agent, Cortex receives the verdict hours (sometimes days) later.

 

The thing is, as per my understanding, WildFire should take just seconds to run the analysis and generate the report, but for some reason Cortex received it only the next day.

Also, I know that for the Next-Generation Firewalls the signatures are updated and shared with the next Content Updates, but that's not what I would expect for Cortex / Taps.
Am I missing something here, or is it something for the Palo Alto TAC to check?

 

As additional info, I've noticed that the recent files impacted by this issue have been first prevented (blocked), and on the next day WildFire changed the verdict from "Unknown" to "Benign".

 

Did anyone have similar issues in the past with WF?
Could you please advise and point me in the correct documentation?

 

I would appreciate your help in understanding this issue.

Thank you in advance and kind regards.



Hi @A_Adamski ,

 

Correct, a WildFire verdict should be available after several minutes on average. However, some considerations could delay or prevent an expedient verdict delivery, such as network issues, queuing, file size, and the sample upload limit. To pinpoint exactly where the issue may lie, engaging Palo Alto Support and providing them with the alert data and potentially the tech support data from the endpoint would help them determine exactly why an endpoint or a set of them is not receiving the verdict.

 

As for files being blocked due to a verdict of "malware" and then changed to "unknown" or "benign," it is an infrequent occurrence called verdict flipping. Cortex XDR synchronizes verdicts received from WildFire every thirty to sixty minutes to ensure that it has the latest information and then delivers that to the agents when they check in during their five-minute heartbeat. This verdict change is often the result of further analysis being performed on a file due to internal WildFire processes or a Cortex XDR user submitting an "Incorrect Verdict" request from the Cortex XDR Console. More information can be found here:

 

Report an incorrect verdict

Verdicts 

 

Please let me know if you have any other questions.

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events!

*Cortex XDR Customer Corner: https://live.paloaltonetworks.com/t5/cortex-xdr-customer-corner/ct-p/Cortex_XDR_Customer_Corner

Join our Cortex XDR Office Hours to receive live guidance and training from our Customer Success Architects.

*Cortex XDR Office Hours [NAM]: https://paloaltonetworks.zoom.us/webinar/register/3316669859020/WN_yMpAB-aBTt6xk2h-gsra4w
*Cortex XDR Office Hours [EMEA/APAC]: https://paloaltonetworks.zoom.us/webinar/register/4116709604301/WN_CZuFE5CHQbG9LUEqugsIOw

Hey Gjenkins,

 

Thank you for your help.

Let me check the links you've supplied, but I assume that if I see this happening again the best thing to do is to collect the logs and involve the PA TAC.

 

Let's say the file has been successfully uploaded to WildFire, the endpoint does not have any network-related issues, and the file does not exceed 100 MB; in such a case I should expect the WF verdict and the report within 15-30 min, is that right?

I'm wondering how long the detailed analysis and report generation in WF can take, and if there are any other cases when it takes longer to finish after uploading the file to the WF cloud (apart from the things you've already mentioned: network issues, queuing, file size, and the sample upload limit).

 

Best Regards.
Hi @A_Adamski

 

In my experience, the average verdict delivery time is seven minutes after WildFire produces the verdict. The detailed analysis report usually arrives with the verdict in the same timeframe. If it takes longer than an hour to receive the verdict and/or report, that would be something to escalate to Support as well.

 

Note: There aren't any official times offered in Palo Alto Networks documentation in terms of the verdict or report delivery, and these times are only my observations.

 

Please let me know your thoughts.
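The timings discussed in this thread can be turned into a simple triage rule for a SOC: the documented 100 MB sample limit, the one-hour escalation rule of thumb from the reply above, and the 30-60 minute verdict sync plus 5-minute agent heartbeat from the earlier reply. The following Python script is an added example, not code from the thread or from Palo Alto Networks; the record format, the placeholder hashes, the constant names and the "current time" are all constructed for illustration, and nothing here calls a Cortex XDR or WildFire API.

```python
"""Added example (not code from the thread or from Palo Alto Networks):
triage WildFire verdict latency from constructed Cortex XDR-style records."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Timings and limits as discussed in the thread; the constant names are this example's own.
WILDFIRE_MAX_SAMPLE_BYTES = 100 * 1024 * 1024   # documented 100 MB sample size limit
ESCALATE_AFTER = timedelta(hours=1)              # rule of thumb: verdict/report later than 1 h -> Support
VERDICT_SYNC = timedelta(minutes=60)             # Cortex XDR syncs verdicts every 30-60 min (upper bound)
AGENT_HEARTBEAT = timedelta(minutes=5)           # agents receive verdicts on their 5-minute check-in

# Constructed records (placeholder hashes, not real samples). '-' means "not yet".
SAMPLE_LOG = """\
sha256=aaaa0001 size=2097152 uploaded=2024-01-10T08:00:00Z verdict_at=2024-01-10T08:09:00Z delivered=2024-01-10T08:40:00Z verdict=benign
sha256=aaaa0002 size=4194304 uploaded=2024-01-10T08:00:00Z verdict_at=2024-01-11T07:30:00Z delivered=2024-01-11T08:10:00Z verdict=benign
sha256=aaaa0003 size=157286400 uploaded=2024-01-10T08:00:00Z verdict_at=- delivered=- verdict=-
sha256=aaaa0004 size=1048576 uploaded=2024-01-11T11:50:00Z verdict_at=- delivered=- verdict=-
sha256=aaaa0005 size=1048576 uploaded=2024-01-10T08:00:00Z verdict_at=2024-01-10T08:05:00Z delivered=2024-01-10T11:00:00Z verdict=malware
"""
NOW = datetime(2024, 1, 11, 12, 0, tzinfo=timezone.utc)  # constructed "current time"


@dataclass
class SampleRecord:
    sha256: str
    size_bytes: int
    uploaded_at: datetime
    verdict_at: Optional[datetime]
    delivered_at: Optional[datetime]
    verdict: Optional[str]


def _ts(value: str) -> Optional[datetime]:
    """Parse an ISO-8601 UTC timestamp, or return None for the '-' placeholder."""
    if value == "-":
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_record(line: str) -> SampleRecord:
    """Parse one key=value record line into a SampleRecord."""
    fields = dict(token.split("=", 1) for token in line.split())
    return SampleRecord(
        sha256=fields["sha256"],
        size_bytes=int(fields["size"]),
        uploaded_at=_ts(fields["uploaded"]),
        verdict_at=_ts(fields["verdict_at"]),
        delivered_at=_ts(fields["delivered"]),
        verdict=None if fields["verdict"] == "-" else fields["verdict"],
    )


def classify(rec: SampleRecord, now: datetime) -> str:
    """Return one of: oversize, pending, escalate, late_delivery, ok."""
    if rec.size_bytes > WILDFIRE_MAX_SAMPLE_BYTES:
        return "oversize"        # above the documented limit; no verdict is coming
    if rec.verdict_at is None:
        # Still waiting: only worth a ticket once the one-hour rule of thumb is exceeded.
        return "escalate" if now - rec.uploaded_at > ESCALATE_AFTER else "pending"
    if rec.verdict_at - rec.uploaded_at > ESCALATE_AFTER:
        return "escalate"        # WildFire itself was slow (hours or days, as in the question)
    if rec.delivered_at is not None and rec.delivered_at - rec.verdict_at > VERDICT_SYNC + AGENT_HEARTBEAT:
        return "late_delivery"   # verdict existed, but tenant-to-agent delivery exceeded sync + heartbeat
    return "ok"


def triage(log_text: str, now: datetime) -> Dict[str, str]:
    """Classify every non-empty record line; returns {sha256: status}."""
    records = (parse_record(line) for line in log_text.splitlines() if line.strip())
    return {rec.sha256: classify(rec, now) for rec in records}


def triage_sample() -> Dict[str, str]:
    """Run the triage over the constructed records above."""
    return triage(SAMPLE_LOG, NOW)


if __name__ == "__main__":
    for sha, status in triage_sample().items():
        print(f"{sha}: {status}")
```

The "escalate" bucket separates the two cases the thread mixes together: a sample with no verdict at all after an hour, and a sample whose verdict arrived hours or days after upload (the next-day "benign" flip described in the question). The "late_delivery" bucket isolates the other failure mode, where WildFire answered quickly but the tenant-to-agent path took longer than one sync interval plus one heartbeat, which points at the Cortex XDR side rather than at WildFire.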

Dear Gjenkins,

 

My best wishes in the New Year.

 

Thank you very much for your help and the knowledge you've shared, as you've clarified all my doubts.

I don't face this issue anymore, but if it happens again in the future, I'll be reaching out to the PA TAC Support.

 

Thank you and my best regards,
Arek
