This article contains information on integrating Mimecast with Palo Alto Networks WildFire for attachment scanning, prerequisites, integration steps, email notifications, dashboard insights, and troubleshooting tips. It is intended for Administrators.
When integrated, Mimecast queries WildFire to see if the SHA-256 hash of an attachment is already known. If the hash is known to WildFire, a verdict is returned from the hash alone. If the hash is unknown, the attachment is uploaded to WildFire, and a verdict for the uploaded file is then returned to Mimecast. If a Malicious verdict is returned, an email notification is sent to one or more pre-determined recipients, outlining any actions taken by Mimecast and a summary of the WildFire report. Additionally, threat remediation can be invoked to remove the message containing the threat.
The current list of file types supported by WildFire is available on the WildFire File Type Support page on the Palo Alto Networks website.
Mimecast Prerequisites
The following must be enabled on your Mimecast account:
- Targeted Threat Protection – Attachment Protect: See the Targeted Threat Protection – Attachment Protect page for full details.
- Targeted Threat Protection: Internal Email Protect: See the Targeted Threat Protection: Internal Email Protect page for full details.
- A Server Connection must be configured and fully operational. See the Managing Server Connections page for full details.
- Threat Remediation settings must be enabled: See the Threat Remediation page for full details.
Palo Alto Networks prerequisites
- An active WildFire subscription: See the Palo Alto Networks WildFire website for complete details.
- A WildFire API Key: This can be found using the following link: https://wildfire.paloaltonetworks.com/wildfire/account
- Supported file types: WildFire File Type Support
- WildFire subscription limits:
- Sample Submissions are limited to 150 per 24-hour period.
- Queries are limited to 1050 per 24-hour period.
Both of these limits can be increased by contacting Palo Alto Networks' customer support and requesting an increase.
Integrating WildFire Steps
Before proceeding to configure the integration for WildFire, ensure that you have obtained an API key for your organization.
- Log in to the Mimecast Administration Console.
- Navigate to Integrations | API & Platform Integrations | Available Integrations.
- Click the Create Integration button under Palo Alto Networks WildFire.
- You must read and accept the disclaimer by selecting the I accept checkbox.
- Click the Next button.
- Select your WildFire Region using the dropdown.
- Enter the API Key for your organization’s WildFire subscription.
- Click the Verify button.
- Once verified, click the Next button.
- Select the Indicators that will be shared with WildFire.
The integration itself will not alert or report on malicious attachments found. Instead, Mimecast will use the notification options already set in the relevant Attachment Protection definition.
- Click the Next button.
- Select the remedial actions you want to be taken for a malicious verdict from WildFire.
- Click the Next button.
- Specify a maximum of 5 internal email addresses or pre-configured groups to receive emails containing the WildFire Summary report.
- Click the Next button.
- Review the Summary page.
- Click the Status toggle to enable the integration.
- Click the Finish button.
Email Notifications
Notifications are only generated when an attachment, determined to be benign by Attachment Protection, receives a malicious verdict from WildFire.
The integration will not generate notifications for attachments determined to be malicious by Attachment Protection, regardless of whether the integration has been configured to share malicious and/or benign attachments.
Mimecast Analysis & Response
Analysis & Response will display malicious verdicts for data shared with WildFire. The Source appears as ‘Palo Alto Networks,’ and the Threat Type shows as ‘Malware.’ The Threat Name appears as ‘PAN_sha256’ followed by the first six digits of the SHA-256 hash.
The evidence pane displays the full WildFire report in XML format when the file hash is selected using the drop-down.
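The hash-first lookup flow, the two daily quotas, the indicator-sharing choice, the notification rule and the Threat Name format described above, modelled together as an added example (not Mimecast or Palo Alto Networks code). The `WildFireModel` class is a constructed in-memory stand-in for the WildFire cloud, not the real WildFire API, and the `sandbox_verdict` argument stands in for the analysis WildFire would run on an uploaded file.

```python
import hashlib
from dataclasses import dataclass, field

# Daily WildFire limits quoted on this page (per 24-hour period).
MAX_SUBMISSIONS_PER_DAY = 150
MAX_QUERIES_PER_DAY = 1050


@dataclass
class WildFireModel:
    """Constructed stand-in for the WildFire cloud (not the real API):
    known SHA-256 -> verdict, plus counters for the two daily quotas."""
    known: dict = field(default_factory=dict)
    queries: int = 0
    submissions: int = 0

    def lookup_or_submit(self, data: bytes, sandbox_verdict: str) -> str:
        """Hash-first flow from the article: query by SHA-256 first and
        upload the file only when the hash is unknown to WildFire."""
        sha256 = hashlib.sha256(data).hexdigest()
        if self.queries >= MAX_QUERIES_PER_DAY:
            raise RuntimeError("daily query limit reached")
        self.queries += 1
        if sha256 in self.known:
            return self.known[sha256]  # verdict obtained from the hash alone
        if self.submissions >= MAX_SUBMISSIONS_PER_DAY:
            raise RuntimeError("daily submission limit reached")
        self.submissions += 1
        # sandbox_verdict stands in for the analysis WildFire runs on the upload
        self.known[sha256] = sandbox_verdict
        return sandbox_verdict


def threat_name(data: bytes) -> str:
    """Threat Name as shown in Analysis & Response: 'PAN_sha256' followed by
    the first six characters of the attachment's SHA-256 hex digest."""
    return "PAN_sha256" + hashlib.sha256(data).hexdigest()[:6]


def process_attachment(wf, data, ap_verdict, sandbox_verdict,
                       share=("benign", "malicious")):
    """Return (wildfire_verdict, notify). Only attachments whose Attachment
    Protect verdict is among the shared indicators reach WildFire, and a
    notification is raised only when Attachment Protect said benign and
    WildFire returns malicious."""
    if ap_verdict not in share:
        return None, False
    wf_verdict = wf.lookup_or_submit(data, sandbox_verdict)
    notify = ap_verdict == "benign" and wf_verdict == "malicious"
    return wf_verdict, notify
```

A second sighting of the same file consumes a query but not a submission, which is why the 1050 query and 150 submission limits are tracked separately.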
Troubleshooting
To verify that the integration is working as desired, check the following:
- Use the WildFire portal for the cloud region the integration is configured to share data with to verify that data is flowing.
- Data shared with WildFire will be displayed on the Reports tab of the WildFire portal, with the Upload Source shown as ‘Manual.’ The regional WildFire Cloud portals are listed for reference:
- Global Cloud: https://wildfire.paloaltonetworks.com
- EU Cloud: https://eu.wildfire.paloaltonetworks.com
- Japan Cloud: https://jp.wildfire.paloaltonetworks.com
- Singapore Cloud: https://sg.wildfire.paloaltonetworks.com
- UK Cloud: https://uk.wildfire.paloaltonetworks.com
- Canada Cloud: https://ca.wildfire.paloaltonetworks.com
- Australia Cloud: https://au.wildfire.paloaltonetworks.com
Canada and Australia WildFire Clouds are not currently supported but are included in the above list for future release.