I'm having trouble determining which malware has already been seen by WildFire (therefore it was not re-sent for analysis and blocked by the FW) vs. a file that our organization sent to WF and was determined to be malicious after analysis (not seen before by WF) . This would significantly help our organization respond to malicious files that may have made it to internal systems (mail servers, desktop, etc). Right now, I go into the analysis report and look at the first seen date... I know there's a better way.
In Data Filtering log:
- action 'wildfire-upload-success' means file was first seen by your device,
- action 'wildfire-upload-skip' means file was already known to WF
Yes, unfortunately you need to look in 2 log files to see if it was malicious and if you were first to see it.
In addition to what @santonic said, you should have a look at WildFire Submissions log. By default it will only display malicious files that were uploaded to the cloud, from which we can conclude that those files have not been previously seen by the WF cloud, were not blocked and made it through to your network.
You can also turn on option Device > Setup > Wildfire > Report benign files. With this option enabled Wildfire Submissions log wil also display Benign files which were uploaded to the cloud.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!