I didn't realize WildFire can issue multiple verdicts for a submitted file. So it can indeed issue a verdict of malicious AND phishing? At 10:28 the presenter says "either malicious OR phishing verdicts", so I'm wondering if that connector should have been "or" instead.
At 9:00, where you created the filter for WildFire logs, you used an 'and' operator, but afterwards you kept speaking of it as though it were an 'or' operator. Is that a mistake? Does it need to match both malicious and phishing to be forwarded, or would a match on either result in the log being forwarded?
No, what he created means that it would have to match on both the 'malicious' and 'phishing' categories or it will not send the log. Based on how he built this, he's going to be missing a lot (if not all) of the alerts he's hoping to receive from the WildFire log type. The correct connector, in this case, would be to have the setting of "Or" as opposed to "And" in order to trigger a log forward condition on either one of these filters.
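The reason the 'and' filter forwards nothing can be shown by evaluating both filters over a few sample WildFire log records. The script below is an added example, not code from the video or from Palo Alto Networks: the log records are constructed for the demonstration, and the filter syntax `(field eq value) and/or (field eq value)` is assumed to mirror what the PAN-OS log forwarding filter builder produces (the parser here is a deliberately minimal, hand-written one that only handles a flat chain of terms joined by a single connector). Because each WildFire submission receives exactly one verdict, a single log entry can never satisfy `category eq malicious` and `category eq phishing` at the same time, so the 'and' form matches no records while the 'or' form matches both.

```python
"""Toy evaluator for PAN-OS style log forwarding match filters (added example).

Assumptions (not from the original thread): the 'category' field holds the
WildFire verdict, and filters look like '(category eq malicious) or (category eq phishing)'.
Real PAN-OS filters support more operators and nesting than this parser does.
"""
import re

# Constructed sample WildFire log records. Each submission carries exactly one
# verdict, so no single record ever has two different 'category' values.
SAMPLE_LOGS = [
    {"type": "WILDFIRE", "category": "malicious", "filename": "invoice.exe"},
    {"type": "WILDFIRE", "category": "phishing",  "filename": "login.html"},
    {"type": "WILDFIRE", "category": "grayware",  "filename": "toolbar.msi"},
    {"type": "WILDFIRE", "category": "benign",    "filename": "report.pdf"},
]

# One term: '( field eq value )' or '( field neq value )'
TERM = re.compile(r"\(\s*(\w+)\s+(eq|neq)\s+([\w\-.]+)\s*\)")
# Connector between terms: ') and (' or ') or ('
CONNECTOR = re.compile(r"\)\s+(and|or)\s+\(", re.IGNORECASE)


def parse_filter(expr):
    """Split a flat filter into its terms and the single connector joining them.

    Mixing 'and' and 'or' without parentheses is rejected rather than guessed.
    """
    terms = TERM.findall(expr)
    if not terms:
        raise ValueError(f"no terms found in filter: {expr!r}")
    connectors = {c.lower() for c in CONNECTOR.findall(expr)}
    if len(connectors) > 1:
        raise ValueError("mixed and/or without nesting is not supported here")
    connector = connectors.pop() if connectors else "and"
    return [(field, op, value) for field, op, value in terms], connector


def term_matches(log, term):
    """Evaluate one '(field eq/neq value)' term against a log record."""
    field, op, value = term
    actual = str(log.get(field, ""))
    return actual == value if op == "eq" else actual != value


def filter_matches(log, expr):
    """True if the record satisfies the whole filter under its connector."""
    terms, connector = parse_filter(expr)
    results = [term_matches(log, t) for t in terms]
    return all(results) if connector == "and" else any(results)


def forwarded(logs, expr):
    """Filenames of the records a log forwarding profile with this filter would send."""
    return [log["filename"] for log in logs if filter_matches(log, expr)]


# The filter as built in the video (assumed syntax) versus the corrected one.
AND_FILTER = "(category eq malicious) and (category eq phishing)"
OR_FILTER = "(category eq malicious) or (category eq phishing)"

if __name__ == "__main__":
    print("AND forwards:", forwarded(SAMPLE_LOGS, AND_FILTER))
    print("OR  forwards:", forwarded(SAMPLE_LOGS, OR_FILTER))
```

Run it and the 'and' filter forwards an empty list while the 'or' filter forwards the malicious and phishing records only; the same check is worth repeating against the firewall's own log viewer with the built filter string pasted in before committing a log forwarding profile.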