The scheduled search "WildFire Reports - Retrieve Report" queries WildFire using the API to retrieve the full WildFire report. However, it does this for benign and malicious files. This uses up our 10,000 query limit by 8am.
I would only like to automatically retrieve the full wildfire report for malicious files.
How would you recommend implementing this?
I think I've figured it out:
Modify the saved search: "WildFire Reports - Retrieve Report" to only pass non-benign files to the panwildfirereport command:
From this:
`pan_wildfire` | panwildfirereport | table wildfire_report | rename wildfire_report AS _raw | collect index=pan_logs sourcetype=pan_wildfire_report
To this:
`pan_wildfire` | search category!=benign | panwildfirereport | table wildfire_report | rename wildfire_report AS _raw | collect index=pan_logs sourcetype=pan_wildfire_report
Hi Alex,
Based on feedback like this, I have changed the default behavior to only download wildfire reports for malicious files in version 5.0.0 of the app (available now).
It sounds like you're using a previous version, so you can upgrade to v5.0.0, or you can modify your saved search by adding 'category="malicious"' to your search. Here is the link to the saved search that only downloads reports for malicious files as it is in v5.0.0. Just copy the category="malicious" part of the search to your saved search:
If you choose to upgrade to 5.0.0, I recommend using the upgrade guide:
http://pansplunk.readthedocs.org/en/latest/upgrade.html
Best regards,
-Brian
Hi
I am also struggling with populating Splunk with only the malicious WildFire reports within the Splunk GUI. My problem is a mismatch of information. The WildFire Dashboard is accurately displaying the 'Wildfire Event Alerts', however this does not match the 'Search Wildfire Report Data', where only one result is populated.
Can anyone help me explain why or what to check please?
Thanks in advance
Roy
That works, but you don't need the extra search command. You can do this instead:
`pan_wildfire` category!=benign | panwildfirereport | table wildfire_report | rename wildfire_report AS _raw | collect index=pan_logs sourcetype=pan_wildfire_report
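The thread offers two different filters, `category!=benign` and `category="malicious"`, and they do not select the same events: grayware verdicts pass the first and not the second, and events that carry no `category` field pass neither (Splunk's `!=` only matches events that have the field). The script below is an added example, not code from the thread or from the Palo Alto Networks Splunk app: it applies each filter to a constructed set of WildFire events, dedups by file hash so one sample is not fetched once per log line, and reports how many API queries each policy would spend against the 10,000-per-day budget. The field names `category` and `file_digest`, the category values, and the event mix are assumptions for illustration; check them against your own `pan_wildfire` field extractions.

```python
"""Added example: how report-fetch filtering affects WildFire API quota use.

Assumptions (not from the thread): events have 'category' and 'file_digest'
fields, and each call to the report command costs one API query.
"""
from collections import Counter

# Constructed sample of one day's pan_wildfire events: mostly benign verdicts,
# a few malicious and grayware samples, one sample logged several times, and
# one event with no category field at all.
SAMPLE_EVENTS = (
    [{"file_digest": f"benign-{i:04d}", "category": "benign"} for i in range(9000)]
    + [{"file_digest": f"mal-{i:03d}", "category": "malicious"} for i in range(120)]
    + [{"file_digest": "mal-000", "category": "malicious"}] * 5   # repeated verdicts
    + [{"file_digest": f"gray-{i:03d}", "category": "grayware"} for i in range(40)]
    + [{"file_digest": "nocat-001"}]                                # no category field
)

# Each filter mirrors the SPL from the thread (or the unfiltered original).
FILTERS = {
    # original saved search: every event goes to panwildfirereport
    "all": lambda ev: True,
    # category="malicious"
    "malicious_only": lambda ev: ev.get("category") == "malicious",
    # category!=benign: in Splunk, != only matches events that have the field,
    # so an event without 'category' is excluded here too
    "non_benign": lambda ev: "category" in ev and ev["category"] != "benign",
}


def plan_report_fetches(events, filter_name, daily_budget=10000, dedup=True):
    """Return (digests_to_fetch, stats) for one scheduled run of the search.

    digests_to_fetch is truncated to the budget; stats says how much of the
    budget the policy would need and which categories it selected.
    """
    keep = FILTERS[filter_name]
    wanted, seen = [], set()
    for ev in events:
        if not keep(ev):
            continue
        digest = ev["file_digest"]
        if dedup and digest in seen:
            continue        # same sample already queued this run
        seen.add(digest)
        wanted.append(digest)
    stats = {
        "events": len(events),
        "queries_needed": len(wanted),
        "over_budget": len(wanted) > daily_budget,
        "categories": Counter(ev.get("category", "<none>") for ev in events if keep(ev)),
    }
    return wanted[:daily_budget], stats


if __name__ == "__main__":
    for name in FILTERS:
        _, stats = plan_report_fetches(SAMPLE_EVENTS, name)
        print(f"{name:15s} queries={stats['queries_needed']:5d} "
              f"over_budget={stats['over_budget']} categories={dict(stats['categories'])}")
```

Running it shows the unfiltered search spending over 9,000 queries on a day dominated by benign verdicts, while either filter stays in the low hundreds; the gap between `non_benign` and `malicious_only` is exactly the grayware samples, which is the decision the two suggestions above leave to you.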