Wildfire categorizing as cat=THREAT but not sure why? How to update FPs?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Wildfire categorizing as cat=THREAT but not sure why? How to update FPs?

L0 Member

Hi everyone,


Apologies in advance if this has been asked, but this is my first post re: Wildfire.

 

We receive e-mail alerts via our SIEM when something is categorized as malicious from our PA device, but I noticed that all that is listed within the payload that tells me why it was categorized as a threat is:

 

"cat=THREAT" 

 

As well as the hash which has no matches in VirusTotal. 

 

I can tell by the sending e-mail and recipient that this is a false positive (as well as the subject line) so how can I ensure that wildfire learns this is not a threat? There is not much I can go off of in terms of the payload. I would just like to fine tune our alerts in PA/wildfire. 


Thank you in advance!

1 REPLY 1

L2 Linker

The way I've been doing it is via the WildFire page at https://wildfire.paloaltonetworks.com/

 

Go to the Reports page and find the entry (if any). Click on the report icon on the left column, scroll to the bottom of the page and report an incorrect verdict. This page only shows what your firewall has uploaded to WildFire, so if another PAN customer was patient zero, you won't see it in here. If you don't see it listed but still want to report it as a false positive, you'll need to upload the file in question on the Upload Sample page. Once the upload is complete, go back to the reports page and you'll see it at the top of the list. You'll then be able to report the incorrect verdict.

 

If you have your firewall configured to send you the WildFire report PDF to you via e-mail, you can do the same report incorrect verdict via that PDF as well.

  • 2745 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!