5.6 Ensure alerts are enabled for malicious files detected by WildFire

Information

Configure WildFire to send an alert when a malicious file is detected. This alert could be sent by whichever means is preferable, including email, SNMP trap, or syslog message.
Alternatively, configure the WildFire cloud to generate alerts for malicious files. The cloud can generate alerts in addition to or instead of the local WildFire implementation. Note that the destination email address of alerts configured in the WildFire cloud portal is tied to the logged in account, and cannot be modified. Also, new systems added to the WildFire cloud portal will not be automatically set to email alerts.
Rationale:
WildFire analyzes files that have already been downloaded and possibly executed. A WildFire verdict of malicious indicates that a computer could already be infected. In addition, because WildFire only analyzes files it has not already seen that were not flagged by the firewall's antivirus filter, files deemed malicious by WildFire are more likely to evade detection by desktop antivirus products.

Solution

From GUI: Select Device > Server Profiles > Email
Click Add.
Enter a name for the Profile.
Select the virtual system from the Location drop down menu (if applicable).
Click Add.
Configure the Syslog Server: Name, Display Name, Syslog Server, Transport, Port, Format, Facility
Click OK.
Click Commit to save the configuration
Configure the SMTP Server: Name, Display Name, From, To, Additional Recipients, Gateway IP or Hostname Click OK Click Commit to save the configuration
Default Value:
Not Configured

See Also

https://workbench.cisecurity.org/files/1664

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4(5), CSCv6|6.5, CSCv6|8.5

Plugin: Palo_Alto

Control ID: e549f94d7dc6a107e580c9935cfe14a61b62bad6fceaec5fcca4740bd12361a9