WildFire Threat Detection | LogForge Templates Registry

malware threat-intelligence file-analysis wildfire security

📄 CSV Format

📊 12 Fields

✨ Generator

⏱️ Medium Frequency

Overview

WildFire threat detection events generated when files are analyzed and classified as malicious by Palo Alto's cloud-based threat intelligence service

When Generated:

When files are submitted to WildFire for analysis
Upon completion of static and dynamic malware analysis
When threat verdicts are returned from WildFire cloud
During file reputation lookups for known threats

Security Relevance: Critical

Compliance: NIST Cybersecurity Framework MITRE ATT&CK ISO 27001 SOC 2

Frequency Notes: Moderate frequency during business hours when file downloads and email attachments are common

Resources

Documentation

WildFire Administrator Guide official
Threat Prevention Best Practices official
PAN-OS Log Field Reference official

Tools

WildFire Portal - Web interface for file analysis and threat intelligence
AutoFocus - Contextual threat intelligence platform

Generation Configuration

Base Frequency: 25 events/hour

Time Patterns: business_hours night_hours weekend

Business Hours Multiplier: 1.5x

Night Hours Multiplier: 0.8x

Weekend Multiplier: 0.6x

Details

wildfire_thr...

Event Type

Fields

Medium

Frequency

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

Field Name	Type	Required	Format	Description	Example Value	Possible Values
threat_type Source: threat_types \| random	String	Required	—	Category of threat detected by WildFire analysis	`ransomware`	`virus` - Traditional malware including trojans, worms, and viruses `spyware` - Information stealing malware and keyloggers `vulnerability` - Exploit attempts targeting known vulnerabilities `command-and-control` - C2 communication and botnet activity `ransomware` - File encryption and extortion malware
severity Source: Calculated based on threat_type	String	Required	—	Threat severity level assigned by WildFire	`critical`	`informational` - Low-impact or suspicious but not confirmed malicious `low` - Minor threat with limited impact potential `medium` - Moderate threat requiring attention `high` - Significant threat requiring immediate action `critical` - Severe threat with high impact potential
filename Source: Dynamic generation based on threat type	String	Required	—	Name of analyzed file including extension	`invoice_a8b9c2d1.pdf`	—
file_hash Source: random_string(64, '0123456789abcdef')	String	Required	`64-character hexadecimal`	SHA-256 hash of analyzed file	`a1b2c3d4e5f67890abcdef1234567890abcdef1234567890abcdef1234567890`	—
signature_id Source: Generated with timestamp and random number	String	Required	`Vendor:Date:ID`	Unique signature identifier from WildFire	`PaloAltoNetworks:20250526:12345`	—
threat_description Source: threat_descriptions[threat_type] \| random	String	Required	—	Detailed description of threat behavior and characteristics	`WF-Ransom.PDF-JS BlackCat Ransomware variant detected`	—
source_ip Source: registry.get_random_device().ip_address	IP Address	Required	—	Internal IP address of host that triggered analysis	`192.168.1.100`	—
dest_ip Source: random_public_ip()	IP Address	Required	—	External IP address contacted by malware	`185.220.101.42`	—
dest_country Source: countries \| random	String	Required	—	Country associated with destination IP	`Russia`	—
session_id Source: random_int(10000, 999999)	Integer	Required	—	Unique session identifier for the connection	`542318`	—
user Source: registry.get_random_user().username	String	Required	—	Username associated with the threat event	`jdoe`	—
timestamp Source: current_timestamp() \| format_timestamp('%Y/%m/%d %H:%M:%S')	DateTime	Required	`YYYY/MM/DD HH:MM:SS`	Event timestamp in MM/DD/YYYY HH:MM:SS format	`2025/05/26 14:30:15`	—