5.6 Ensure alerts are enabled for malicious files detected by WildFire - log-type 'wildfire'

Information

Configure WildFire to send an alert when a malicious or greyware file is detected. This alert could be sent by whichever means is preferable, including email, SNMP trap, or syslog message.

Alternatively, configure the WildFire cloud to generate alerts for malicious files. The cloud can generate alerts in addition to or instead of the local WildFire implementation. Note that the destination email address of alerts configured in the WildFire cloud portal is tied to the logged in account, and cannot be modified. Also, new systems added to the WildFire cloud portal will not be automatically set to email alerts.

Rationale:

WildFire analyzes files that have already been downloaded and possibly executed. A WildFire verdict of malicious indicates that a computer could already be infected. In addition, because WildFire only analyzes files it has not already seen that were not flagged by the firewall's antivirus filter, files deemed malicious by WildFire are more likely to evade detection by desktop antivirus products.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From GUI, configure some combination of the following Server Profiles:
Configure the Email Server:
Select Device > Server Profiles > Email
Click Add
Enter a name for the Profile.
Select the virtual system from the Location drop down menu (if applicable)
Click Add
Configure the Syslog Server:
Select Device > Server Profiles > Syslog > Add
Enter Name, Display Name, Syslog Server, Transport, Port, Format, Facility
Click OK
Click Commit to save the configuration
Configure the SMTP Server:
Select Device > Server Profiles > Email
Select Add, Name, Display Name, From, To, Additional Recipients, Gateway IP or Hostname
Click OK
Click Commit to save the configuration
Navigate to Objects, Log Forwarding
Choose Add, set the log type to 'wildfire', add the filter '(verdict neq benign)', then add log destinations for SNMP, Syslog, Email or HTTP as required.

Default Value:

Not Configured

See Also

https://workbench.cisecurity.org/files/3750