Request Advanced Threat Prevention Report in Batch Mode
POST /atp/reports
A POST request that retrieves one or more ATP reports by report ID in batch mode. The batch limit is 100 entries per request. The caller must provide one or more report IDs in the request body.
Request
- application/json
Body
required
Returns the ATP reports matching the report IDs supplied by the customer.
curl -v -X POST -H 'X-API-KEY: API_KEY' \
-H 'Content-Type: application/json' \
-d '{"id": ["c25b5d86d8ac77e10376000517491157a07ac008bfc799f08795d59c57e23a50", "a23b5d46d6ac77e70376080517991187a07ac008bfc799f08795d59c57e23a50"]}' \
'https://api.threatvault.paloaltonetworks.com/service/v1/atp/reports'
Responses
- 200
- 4XX
- 5XX
Request succeeded
Response Headers
X-Day-RateLimit-Limit integer
Example: 2000
The maximum number of requests that the user is permitted to make per day.
X-Day-RateLimit-Remaining integer
The number of requests remaining in the current rate limit window (one day).
X-Day-RateLimit-Reset integer
The epoch timestamp at which the current rate limit window (one day) resets.
X-Minute-RateLimit-Limit integer
Example: 200
The maximum number of requests that the user is permitted to make per minute.
X-Minute-RateLimit-Remaining integer
The number of requests remaining in the current rate limit window (one minute).
X-Minute-RateLimit-Reset integer
The epoch timestamp at which the current rate limit window (one minute) resets.
- application/json
Schema
The response status.
data object[]
The data of the response.
The id of the ATP report.
Any error message related to the report.
panos_info object
All related PAN-OS information.
Firewall Hostname.
Firewall MP interface IPv4.
Firewall MP interface IPv6. (Can be empty)
Firewall Content package version.
Firewall PANOS version.
Firewall Serial Number.
Firewall model.
session_info object
All related session information.
Session ID.
Session timestamp.
flow_info object
Session source IP address.
Session destination IP address.
Session source IP port.
Session destination IP port.
Possible values: [http, ssl, unknown-tcp, unknown-udp]
The payload type.
transaction_data object
The list of transactions of the session. One session may have one or many transactions.
The transaction id.
The SHA256 hash value of the payload.
detection_results object
The detection results information.
The detection service.
details object
Details information.
attack_analysis object
The attack analysis information.
The attack description.
The attack details.
The attack evidence.
payload_info object
The request payload information.
A general header that controls whether the network connection stays open after the current transaction finishes.
A header that contains stored HTTP cookies associated with the server.
A header that specifies the host and port number of the server to which the request is being sent.
A header that defines the desired action to be performed for a given resource.
A header that defines the resource.
A header that identifies the requesting user agent.
A header that specifies the HTTP version.
The verdict value.
reports object[]
The list of detection service reports.
The detection service name.
ds_report object
The list of detection service reports.
Optional payload information.
malware_families object
The list of malware families.
The name/type of the malware family.
The confidence value.
A flag indicating whether the report is ready.
Generic response message.
{
  "success": true,
  "data": [
    {
      "report_id": "c25b5d86d8ac77e10376000517491157a07ac008bfc799f08795d59c57e23a50",
      "err_msg": "Error",
      "panos_info": {
        "fw_hostname": "fw-1",
        "fw_addr_v4": "10.0.0.0",
        "fw_addr_v6": "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
        "fw_app_version": "8527-12345",
        "fw_sw_version": "10.2.1",
        "fw_serial": "000000000000001",
        "fw_model": "PA-VM"
      },
      "session_info": {
        "session_id": "123456",
        "session_timestamp": "2022-04-11T10:00:00.740261097-07:00",
        "flow_info": {
          "saddr": "1.1.1.1",
          "daddr": "1.1.1.2",
          "sport": "49234",
          "dport": "80",
          "data_type": "http"
        }
      },
      "transaction_data": {
        "transaction_id": "0",
        "payload_sha256": "a15e20ddc3a0850b64cdc87a23230b51466f9879345435973ce360e80e1f670e",
        "detection_results": {
          "detection_service": "Empire C2",
          "details": {
            "attack_analysis": {
              "Attack Description": "Your system is under an early Empire C2 attack stage. The malware in your system is trying to set up the connection channel with a C2 server 192.168.10.4.",
              "Attack Details": "It is at the Empire C2 staging phase. The potential Empire C2 server is 192.168.10.4, and it is trying to install payloads in your system for future attacks.",
              "Attack Evidences": "The session key is encoded with netbios."
            },
            "payload_info": {
              "Connection": "Keep-Alive",
              "Cookie": "session=/YMjhqiUqqLLm7Lt8PXbLiMtD3Q%3D",
              "Host": "192.168.10.4:1813",
              "Method": "GET",
              "URI": "/daeedrxc/",
              "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9",
              "Version": "HTTP/1.1"
            }
          },
          "verdict": 1
        },
        "reports": [
          {
            "ds_name": "mlc2-http-ids",
            "ds_report": {
              "payload_info": {},
              "malware_families": {}
            },
            "status": "ok"
          }
        ]
      }
    }
  ],
  "message": "Successful"
}
Client related error response
- application/json
Schema
Generic response message.
The response status.
{
  "message": "Error message.",
  "success": false
}
Server related error response
- application/json
Schema
Generic response message.
The response status.
{
  "message": "Error message.",
  "success": false
}
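The following Python client is an added example; it is not Palo Alto Networks' code and is not part of this reference. It splits report IDs into batches of at most 100 as the endpoint requires, pauses when the X-Minute/X-Day-RateLimit headers documented above report an exhausted window, rejects the 4XX/5XX shape (success false plus message), and flattens each data[] entry into the fields an analyst triages on. The base URL and X-API-KEY header are taken from the curl example; the 64-hex-character ID format, the injected transport, and treating status "ok" on every per-service report as the ready flag are assumptions, and the sample response is constructed from the documented shape rather than captured from the service.

```python
import json
import re
import time
import urllib.request

BASE_URL = "https://api.threatvault.paloaltonetworks.com/service/v1"  # from the page's curl example
BATCH_LIMIT = 100  # batch limit stated for POST /atp/reports
REPORT_ID_RE = re.compile(r"^[0-9a-f]{64}$")  # assumption: ids are 64 hex chars, as in the examples

def validate_ids(ids):
    """Normalise, de-duplicate and sanity-check report ids before sending."""
    clean = []
    for rid in ids:
        rid = rid.strip().lower()
        if not REPORT_ID_RE.match(rid):
            raise ValueError(f"malformed report id: {rid!r}")
        if rid not in clean: clean.append(rid)
    return clean

def chunk(ids, size=BATCH_LIMIT):
    """Split the id list into request-sized batches (the API caps one request at 100)."""
    return [ids[i:i + size] for i in range(0, len(ids), size)]

def urllib_transport(api_key):
    """Real transport: POST one batch, return (status, headers, parsed body)."""
    def send(batch):
        req = urllib.request.Request(f"{BASE_URL}/atp/reports", method="POST",
                                     data=json.dumps({"id": batch}).encode(),
                                     headers={"X-API-KEY": api_key, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers), json.load(resp)
    return send

def seconds_until_reset(headers, now):
    """Seconds to pause if the per-minute or per-day quota is exhausted, else 0."""
    wait = 0
    for window in ("Minute", "Day"):
        remaining = headers.get(f"X-{window}-RateLimit-Remaining")
        reset = headers.get(f"X-{window}-RateLimit-Reset")
        if remaining is not None and reset is not None and int(remaining) <= 0:
            wait = max(wait, int(reset) - now)
    return max(wait, 0)

def summarize(entry):
    """Flatten one data[] entry; 'ready' assumes status "ok" on every per-service report."""
    txn = entry.get("transaction_data", {})
    det = txn.get("detection_results", {})
    flow = entry.get("session_info", {}).get("flow_info", {})
    return {
        "report_id": entry.get("report_id"),
        "err_msg": entry.get("err_msg") or None,
        "firewall": entry.get("panos_info", {}).get("fw_hostname"),
        "src": f"{flow.get('saddr')}:{flow.get('sport')}",
        "dst": f"{flow.get('daddr')}:{flow.get('dport')}",
        "service": det.get("detection_service"),
        "verdict": det.get("verdict"),
        "payload_sha256": txn.get("payload_sha256"),
        "ready": bool(entry.get("reports")) and all(r.get("status") == "ok" for r in entry["reports"]),
    }

def fetch_reports(ids, send, sleep=time.sleep, now=time.time):
    """Fetch all reports batch by batch, pausing when a rate-limit window is used up."""
    results = []
    for batch in chunk(validate_ids(ids)):
        status, headers, body = send(batch)
        if status != 200 or not body.get("success"):
            raise RuntimeError(f"HTTP {status}: {body.get('message')}")
        results.extend(summarize(e) for e in body.get("data", []))
        wait = seconds_until_reset(headers, int(now()))
        if wait:
            sleep(wait)
    return results

# Constructed sample, trimmed from the response shape documented above (not a live reply).
SAMPLE_BODY = {
    "success": True, "message": "Successful",
    "data": [{
        "report_id": "c25b5d86d8ac77e10376000517491157a07ac008bfc799f08795d59c57e23a50",
        "err_msg": "", "panos_info": {"fw_hostname": "fw-1"},
        "session_info": {"flow_info": {"saddr": "1.1.1.1", "daddr": "1.1.1.2",
                                       "sport": "49234", "dport": "80", "data_type": "http"}},
        "transaction_data": {
            "payload_sha256": "a15e20ddc3a0850b64cdc87a23230b51466f9879345435973ce360e80e1f670e",
            "detection_results": {"detection_service": "Empire C2", "verdict": 1}},
        "reports": [{"ds_name": "mlc2-http-ids", "status": "ok"}],
    }],
}

def sample_transport(batch):
    """Offline stand-in for urllib_transport: minute quota exhausted, resets 5 s later."""
    headers = {"X-Minute-RateLimit-Remaining": "0", "X-Minute-RateLimit-Reset": "1700000005"}
    return 200, headers, SAMPLE_BODY

if __name__ == "__main__":
    report_ids = [SAMPLE_BODY["data"][0]["report_id"]]
    for row in fetch_reports(report_ids, sample_transport, sleep=lambda s: None, now=lambda: 1700000000):
        print(row)
```

To run it against the live service, replace `sample_transport` with `urllib_transport("API_KEY")` and drop the `sleep`/`now` overrides; the rate-limit pause is computed from the reset epoch rather than a fixed back-off so a long list of IDs drains the per-minute quota without tripping into 4XX responses.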