Stop Malware in its Tracks with DFLabs SOAR and Palo Alto WildFire

Back to all articles

Stop Malware with SOAR

Today’s cyber security programs must be more resilient than ever before. With malware attacks and exploit kits becoming extremely sophisticated and easy to access, anyone with a little bit of money can cause a tremendous amount of damage.

Detect and Rapidly Respond to Today’s Most Elusive Malware and Zero-Day Attacks with DFLabs SOAR and Palo Alto WildFire

DFLabs’ integration with Palo Alto combines the next-gen detection capabilities of WildFire’s dynamic and static malware analysis techniques with the automation power of IncMan’s R3 Rapid Response Runbooks to provide organizations with the tools necessary to fortify their security defenses from these elusive threats.

The Problem

The sophistication and ease of access to today’s malware and exploit kits have made the jobs of security professionals exponentially harder. Not only are they defending their organizations with less than adequate staffing, but they are also having to contend with adversaries that no longer must be highly skilled and techniques that evade legacy detection mechanisms.

The evolution of weaponizing malware has driven the need for more advanced detection mechanisms and faster mitigation processes. Without these, organizations have little to no chance of protecting their businesses and assets from modern attacks.

  • How can organizations protect their businesses and assets from today’s sophisticated malware and exploit kits?
  • How can organizations quickly detect and remediate zero-day vulnerabilities while overcoming inadequate staffing concerns?
  • How can organizations discover and contain the spread of elusive malware before it can cause immeasurable damage?

The DFLabs and Palo Alto WildFire Solution

The DFLabs and Palo Alto WildFire solution extends Wildfire’s high-fidelity, evasion-resistant protection to an organization’s entire security stack through automated workflows. These workflows are designed to mimic analyst behavior during the initial triaging phase of incident investigations.

By gathering evidence through enrichment actions, DFLabs IncMan SOAR can operationalize the intelligence gained from Palo Alto WildFire to make automated decisions on behalf of an organization’s security team. These automated decision points remove the need for human intervention in the early stages of incident investigation and allow for immediate containment of a threat in a matter of seconds.

  • Protect high-value assets from today’s sophisticated attacks by automating evidence gathering from the industry’s most advanced malware detection platform
  • Issue containment activities within seconds to stop the spread of malware without the need for human intervention
  • Increase security staffing by automating the triaging phase of incident investigations through automated decision points

About Palo Alto Wildfire

Palo Alto Networks WildFire malware prevention service is the industry’s most advanced analysis and prevention engine for highly evasive zero-day exploits and malware. The service employs a unique multi-technique approach, combining dynamic and static analysis, innovative machine learning techniques, and a groundbreaking bare metal analysis environment to detect and prevent even the most evasive threats.

Palo Alto WildFire provides detection and prevention of zero-day malware using a combination of malware sandboxing and signature-based detection and blocking of malware. WildFire extends the capabilities of Palo Alto Networks next-generation firewalls to identify and block targeted and unknown malware.

Use Case

An alert is received from the Palo Alto NGFW indicating that an executable had been downloaded by one of the organization’s users. IncMan receives this alert and executes the Suspicious Application Download R3 Rapid Response Runbooks. The runbook issues commands to gather enrichment data from the organization’s Palo Alto Wildfire. The file used to download the application is sent to Wildfire to be detonated. Once detonated, IncMan issues additional enrichment actions to gather a PCAP from the file’s detonation, the detonation report, and its detonation verdict. Once this data is collected, IncMan comes to its first conditional action.

This action looks at the information gathered from WildFire. If the file is found to be malicious, the R3 Rapid Response Runbook immediately upgrades the incident’s priority to high, adds the file’s MD5 hash to the incident as an artifact, and issues a query to the organization’s SIEM for historical data on any additional users who may have interacted with the file. If the file does not have a negative detonation score, IncMan checks its hash against another threat intelligence platform to verify that the file is benign. If the second threat intelligence score is also clean the runbook will close out the incident and exit.

If the second threat intelligence service finds that the file has a negative reputation score, IncMan will follow the original path taken to begin containment actions. If the query issued against the organization’s SIEM does not indicate that any additional host had interacted with the malicious file, the R3 Rapid Response Runbook will ban the file hash from the environment, create a new Priority 1 ticket in the organization’s ticketing system, and create a new task for the affected machine to be triaged for possible contamination before exiting. If it is found that an additional machine may be affected by this file, the machine is added to the incident as a new artifact and the priority is upgraded to critical and the security team is notified of the incident.


When it comes to combating today’s malware attacks organizations cannot afford to be caught on their heels. By deploying advanced detection and prevention technologies along with automation strategies security teams can overcome staffing shortages and be assured that these sophisticated attacks cannot elude their detections.

The DFLabs and Palo Alto solution provides organizations with the reinforcements necessary to ensure that their security program, and the teams that support it, can quickly and efficiently stop these threats in its tracks and prevent their organizations from becoming its next victim.

Get Started with a One-to-One Personalized Demo

Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.

See IncMan SOAR in Action.

Request a demo