
Request Advanced Threat Prevention Report in Batch Mode

POST 

/atp/reports

A POST request that retrieves one or more ATP reports by report ID in batch mode. The request body must contain one or more report IDs. The batch limit is 100 entries.

Request

Body

required
    id string[]

    Provides the ATP report by matching the report id of the customer.


    curl -v -X POST -H 'X-API-KEY: API_KEY' \
    -H 'Content-Type: application/json' \
    -d '{"id": ["c25b5d86d8ac77e10376000517491157a07ac008bfc799f08795d59c57e23a50", "a23b5d46d6ac77e70376080517991187a07ac008bfc799f08795d59c57e23a50"]}' \
    'https://api.threatvault.paloaltonetworks.com/service/v1/atp/reports'

Responses

Request succeeded

Response Headers
  • X-Day-RateLimit-Limit integer
    Example: 2000

    The maximum number of requests that the user is permitted to make per day.

  • X-Day-RateLimit-Remaining integer

    The number of requests remaining in the current rate limit window (one day).

  • X-Day-RateLimit-Reset integer

    The epoch timestamp at which the current rate limit window (one day) resets.

  • X-Minute-RateLimit-Limit integer
    Example: 200

    The maximum number of requests that the user is permitted to make per minute.

  • X-Minute-RateLimit-Remaining integer

    The number of requests remaining in the current rate limit window (one minute).

  • X-Minute-RateLimit-Reset integer

    The epoch timestamp at which the current rate limit window (one minute) resets.

Schema
    success boolean

    The response status.

    data object[]

    The data of the response.

  • Array [
  • report_id string

    The id of the ATP report.

    err_msg string

    Any error message related to the report.

    panos_info object

    All related PAN-OS information.

    fw_hostname string

    Firewall Hostname.

    fw_addr_v4 string

    Firewall MP interface IPv4.

    fw_addr_v6 string

    Firewall MP interface IPv6. (Can be empty)

    fw_app_version string

    Firewall Content package version.

    fw_sw_version string

    Firewall PAN-OS version.

    fw_serial string

    Firewall Serial Number.

    fw_model string

    Firewall model.

    session_info object

    All related session information.

    session_id string

    Session ID.

    session_timestamp string

    Session timestamp.

    flow_info object
    saddr string

    Session source IP address.

    daddr string

    Session destination IP address.

    sport string

    Session source IP port.

    dport string

    Session destination IP port.

    data_type string

    Possible values: [http, ssl, unknown-tcp, unknown-udp]

    The payload type.

    transaction_data object

    The list of transactions of the session. One session may have one or many transactions.

    transaction_id string

    The transaction id.

    payload_sha256 string

    The SHA256 hash value of the payload.

    detection_results object

    The detection results information.

    detection_service string

    The detection service.

    details object

    Detailed information.

    attack_analysis object

    The attack analysis information.

    Attack Description string

    The attack description.

    Attack Details string

    The attack details.

    Attack Evidences string

    The attack evidence.

    payload_info object

    The request payload information.

    Connection string

    A general header that controls whether the network connection stays open after the current transaction finishes.

    Cookie string

    A header that contains stored HTTP cookies associated with the server.

    Host string

    A header that specifies the host and port number of the server to which the request is being sent.

    Method string

    A header that defines the desired action to be performed for a given resource.

    URI string

    A header that defines the resource.

    User-Agent string

    A header that identifies the requesting user agent.

    Version string

    A header that specifies the HTTP version.

    verdict integer

    The verdict value.

    reports object[]

    The list of detection service reports.

  • Array [
  • ds_name string

    The detection service name.

    ds_report object

    The list of detection service reports.

    payload_info object

    Optional payload information.

    malware_families object

    The list of malware families.

    malware_family_type string

    The name/type of the malware family.

    confidence string

    The confidence value.

    status string

    A flag that indicates whether the report is ready.

  • ]
  • ]
  • message string

    Generic response message.
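
The following client sketch is an added example, not code from the API documentation or from Palo Alto Networks. It splits a list of report IDs into batches of at most 100, posts each batch to the endpoint above, and pauses when the rate-limit response headers show a window is exhausted. The function names, the injectable `send` transport, and treating a non-empty `err_msg` as a per-report failure are assumptions of this example.

```python
import json
import time
import urllib.request

# Endpoint, header names and the 100-entry limit come from the page;
# function names and the err_msg handling are assumptions of this example.
URL = "https://api.threatvault.paloaltonetworks.com/service/v1/atp/reports"
BATCH_LIMIT = 100

def chunk_ids(report_ids, limit=BATCH_LIMIT):
    """Drop duplicates (keeping order) and split into batches of <= limit."""
    unique = list(dict.fromkeys(report_ids))
    return [unique[i:i + limit] for i in range(0, len(unique), limit)]

def build_request(batch, api_key):
    body = json.dumps({"id": batch}).encode()
    return urllib.request.Request(URL, data=body, method="POST", headers={
        "X-API-KEY": api_key, "Content-Type": "application/json"})

def wait_seconds(headers, now):
    """Longest wait demanded by any exhausted window (minute or day)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    waits = [0]
    for window in ("minute", "day"):
        remaining = h.get(f"x-{window}-ratelimit-remaining")
        reset = h.get(f"x-{window}-ratelimit-reset")
        if remaining is not None and reset is not None and int(remaining) <= 0:
            waits.append(int(reset) - int(now))
    return max(waits)

def http_send(request):
    with urllib.request.urlopen(request, timeout=30) as resp:
        return dict(resp.headers), json.load(resp)

def fetch_reports(ids, api_key, send=http_send, sleep=time.sleep, clock=time.time):
    """Return (ready, failed): entries by report_id, and err_msg by report_id."""
    ready, failed = {}, {}
    batches = chunk_ids(ids)
    for n, batch in enumerate(batches, start=1):
        headers, body = send(build_request(batch, api_key))
        if not body.get("success"):
            raise RuntimeError(body.get("message") or "request failed")
        for entry in body.get("data", []):
            err = entry.get("err_msg")  # assumption: non-empty err_msg marks a failed id
            (failed if err else ready)[entry["report_id"]] = err or entry
        pause = wait_seconds(headers, clock())
        if pause and n < len(batches):
            sleep(pause)
    return ready, failed
```

Read the API key from a secrets store or environment variable at call time instead of embedding it in scripts or shell history.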
