The Threat Vault API provides Palo Alto Networks customers with an active Advanced Threat Prevention or Threat Prevention subscription with the ability to access threat signature metadata and other pertinent information that's only available in Threat Vault, through a programmatic RESTful API.
Before using the Threat Vault API, please refer to Cloud-Delivered Security Services API Developer's docs for more information about using the API, including authentication details, access limits, and examples.
Things to consider:
- To make Advanced | Threat Prevention API GET/POST requests, you must retrieve your Threat Vault API key, which is used to authenticate API calls. An organization (and corresponding superuser) can have a single API key at any given time, regardless of the number of users tied to the account.
- You must have an activated and unexpired Advanced | Threat Prevention security subscription to access a Threat Vault API key.
- The ATP endpoints retrieve data that is generated by features that are only available with an Advanced Threat Prevention subscription. Attempts to retrieve ATP-sourced content with only a Threat Prevention subscription will not return any results; however, the API request will consume your organization's daily allotment of calls.
- Attempting to view an unauthorized report ID (IDs that refer to reports outside of your organization) will not return any results.
- The number of API requests that can be submitted is throttled on a per API key basis. To control the number of requests you can make, you need to observe Threat Vault API Access Limits.