Request Threat Metadata

A GET request to retrieve threat metadata. The nature of the query is determined by the query parameter that you provide on the call to this API.

• Notes:
  • Optionally, each query parameter can be used together with the "type" query parameter to filter out the results.
  • Any Antivirus / WildFire release summary information before February 2020 is best-effort since the information is not available.

Query Parameters

• id string

  Query a specific Threat signature by signature ID.

• name string

  Provides the threat signatures metadata by exact match of the signature names.

  Note: IPS threat signatures also support partial match.

  ---

  curl -v -H 'X-API-KEY: API_KEY' \
    'https://api.threatvault.paloaltonetworks.com/service/v1/threats?name=Microsoft+PE+File'
• cve string

  Provides the threat signatures metadata by exact or partial match of the CVE tied to the signatures.

  Valid partial CVE format: CVE-YYYY

  Valid exact CVE format: CVE-YYYY-NNNN (NNNN can be 4 or more digits)

  ---

  curl -v -H 'X-API-KEY: API_KEY' \
    'https://api.threatvault.paloaltonetworks.com/service/v1/threats?cve=CVE-2020-1234'

  or

  curl -v -H 'X-API-KEY: API_KEY' \
    'https://api.threatvault.paloaltonetworks.com/service/v1/threats?cve=CVE-2021'
• vendor string

  Provides the threat signature metadata by matching the vendor ID tied to the signatures.

  This parameter is only supported for IPS threat signature requests.

  ---

  curl -v -H 'X-API-KEY: API_KEY' \
    'https://api.threatvault.paloaltonetworks.com/service/v1/threats?vendor=MS16-095'
• fromReleaseDate string

  Used together with toReleaseDate field. Provides the IPS threat signatures metadata by the release dates range.

  Only supported for IPS threat signatures: fileformat, spyware, vulnerability

  ---

  curl -v -H 'X-API-KEY: API_KEY' \
    'https://api.threatvault.paloaltonetworks.com/service/v1/threats?fromReleaseVersion=8440&toReleaseVersion=8446'
• toReleaseDate string

  The right boundary of date range query, must use with fromReleaseDate. Example can be found in fromReleaseDate section

• fromReleaseVersion string

  Used together with toReleaseVersion field. Provides the IPS threat signatures metadata by the release versions range.

  Only supported for IPS threat signatures: fileformat, spyware, vulnerability

  ---

  curl -v -H 'X-API-KEY: API_KEY' \
    'https://api.threatvault.paloaltonetworks.com/service/v1/threats?fromReleaseVersion=8440&toReleaseVersion=8446'
• toReleaseVersion string

  The right boundary of version range query, must use with fromReleaseVersion. Example can be found in toReleaseVersion section

• releaseDate string

  Provides the IPS threat signatures metadata by the release date.

  Only supported for IPS threat signatures: fileformat, spyware, vulnerability

  ---

  curl -v -H 'X-API-KEY: API_KEY' \
    'https://api.threatvault.paloaltonetworks.com/service/v1/threats?releaseDate=2021-08-17'
• releaseVersion string

  Provides the IPS threat signatures metadata by the release version.

  Only supported for IPS threat signatures: fileformat, spyware, vulnerability

  ---

  curl -v -H 'X-API-KEY: API_KEY' \
    'https://api.threatvault.paloaltonetworks.com/service/v1/threats?releaseVersion=8446'
• type string

  Possible values: [ips, fileformat, spyware, vulnerability, antivirus, dns, rtdns, spywarec2]

  Provides the threat signature metadata based on the threat type. Use together with the other fields to filter out the results.

  ⚠️ Use without quotes

  • Options:
    • antivirus (Provides Antivirus signatures metadata)
    • dns (Provides DNS signatures metadata)
    • fileformat (Provides all IPS File-Format signature metadata)
    • ips (Provides all IPS signature metadata)
    • rtdns (Provides Real-Time DNS Detection entries metadata)
    • spyware (Provides all IPS Anti-Spyware signature metadata)
    • spywarec2 (Provides Spyware C2 signatures metadata)
    • vulnerability (Provides all IPS Vulnerability Protection signature metadata)

  ---

  Get all IPS signatures:

  curl -v -H 'X-API-KEY: API_KEY' \
    'https://api.threatvault.paloaltonetworks.com/service/v1/threats?type=ips'

  Note: This use-case is only supported for IPS threat signatures: fileformat, spyware, vulnerability

  ---

  Get all File-Format signatures that were recently updated between Content Version 8590 and Content Version 8594:

  curl -v -H 'X-API-KEY: API_KEY' \
    'https://api.threatvault.paloaltonetworks.com/service/v1/threats?fromReleaseVersion=8590&toReleaseVersion=8594&type=fileformat'
• sha256 string

  Provides the file information and threat signatures that match the hash of the sample.

  ---

  curl -v -H 'X-API-KEY: API_KEY' \
    'https://api.threatvault.paloaltonetworks.com/service/v1/threats?sha256=7879722cd37b1c5b2703ea5a1a92a036a96f4a1fc6272b92c197b3a4b17267cc'
• md5 string

  Provides the file information and threat signatures that match the hash of the sample.

  ---

  curl -v -H 'X-API-KEY: API_KEY' \
    'https://api.threatvault.paloaltonetworks.com/service/v1/threats?md5=ca066f965dfbc5392871d3fa281236cf'
• limit string

  The maximum number of results to return in each page.

  ---

  curl -v -H 'X-API-KEY: API_KEY' \
    'https://api.threatvault.paloaltonetworks.com/service/v1/threats?type=ips&limit=1000'
• offset string

  The starting position of the query in relation to the complete set of the unpaginated results.

  ---

  curl -v -H 'X-API-KEY: API_KEY' \
    'https://api.threatvault.paloaltonetworks.com/service/v1/threats?type=ips&limit=1000&offset=1000'

Responses

• 200
• 4XX
• 5XX

---

Request succeeded

Response Headers

• X-Day-RateLimit-Limit integer
  Example: 2000

  The maximum number of requests that the user is permitted to make per day.

• X-Day-RateLimit-Remaining integer

  The number of requests remaining in the current rate limit window (one day).

• X-Day-RateLimit-Reset integer

  The epoch timestamp at which the current rate limit window (one day) resets.

• X-Minute-RateLimit-Limit integer
  Example: 200

  The maximum number of requests that the user is permitted to make per minute.

• X-Minute-RateLimit-Remaining integer

  The number of requests remaining in the current rate limit window (one minute).

• X-Minute-RateLimit-Reset integer

  The epoch timestamp at which the current rate limit window (one minute) resets.

application/json

• Schema
• Example (from schema)

---

Schema

• count integer

  The total number of entries found.

• data object[]

  The data of the response.

  Array [

  fileformat array

  List of File-Format signatures.

  spyware array

  List of Anti-Spyware signatures.

  vulnerability object[]

  List of Vulnerability Protection signatures.

  Array [

  id string

  The unique id of the signature.

  name string

  The name of the signature.

  description string

  The description of the signature.

  category string

  The threat category of the signature.

  min_version string

  The PAN-OS minimum version.

  max_version string

  The PAN-OS maximum version.

  severity string

  The severity of the threat.

  default_action string

  The default action when the signature is triggered.

  cve array

  The CVE (Common Vulnerabilities and Exposures) of the threat.

  vendor array

  The vulnerability identifier issued by vendor on advisories.

  reference array

  The public reference of the threat.

  status string

  The status of the signature.

  details object

  Any additional details of the signature.

  ori_release_version string

  The original release version of the signature.

  latest_release_version string

  The latest release version of the signature.

  ori_release_time string

  The original release time of the signature.

  latest_release_time string

  The latest release time of the signature.

  ]

  ]
• link object[]

  The pagination information of the results.

  Array [

  next string

  The URL of previous page with results.

  previous string

  The URL of next page with results.

  ]
• message string

  Generic response message.

• success boolean

  The response status.

{
  "count": 6,
  "data": [
    {
      "fileformat": [
        null
      ],
      "spyware": [
        null
      ],
      "vulnerability": [
        {
          "id": "30135",
          "name": "Name of the threat",
          "description": "Description of the threat ...",
          "category": "code-execution",
          "min_version": "8.1.0",
          "max_version": "11.1.0",
          "severity": "high",
          "default_action": "alert",
          "cve": [
            "CVE-2007-1204",
            "CVE-2021-35393"
          ],
          "vendor": [
            "MS07-019"
          ],
          "reference": [
            "Url1",
            "Url2"
          ],
          "status": "released",
          "details": {},
          "ori_release_version": "8451",
          "latest_release_version": "8451",
          "ori_release_time": "2021-08-31 01:25:04",
          "latest_release_time": "2021-08-31 01:25:04"
        }
      ]
    }
  ],
  "link": [
    {
      "next": "string",
      "previous": "string"
    }
  ],
  "message": "Successful",
  "success": true
}

Client related error response

application/json

• Schema
• Example (from schema)

---

Schema

• message string

  Generic response message.

• success boolean

  The response status.

{
  "message": "Error message.",
  "success": false
}

Server related error response

application/json

• Schema
• Example (from schema)

---

Schema

• message string

  Generic response message.

• success boolean

  The response status.

{
  "message": "Error message.",
  "success": false
}

Loading...