Request Threat Metadata
GET /threats
A GET request to retrieve threat metadata. The nature of the query is determined by the query parameter that you provide on the call to this API.
- Notes:
- Optionally, each query parameter can be combined with the "type" query parameter to filter the results.
- Any Antivirus / WildFire release summary information before February 2020 is best-effort since the information is not available.
Request
Query Parameters
- Options:
- antivirus (Provides Antivirus signatures metadata)
- dns (Provides DNS signatures metadata)
- fileformat (Provides all IPS File-Format signature metadata)
- ips (Provides all IPS signature metadata)
- rtdns (Provides Real-Time DNS Detection entries metadata)
- spyware (Provides all IPS Anti-Spyware signature metadata)
- spywarec2 (Provides Spyware C2 signatures metadata)
- vulnerability (Provides all IPS Vulnerability Protection signature metadata)
Query a specific Threat signature by signature ID.
Provides the threat signatures metadata by exact match of the signature names.
Note: IPS threat signatures also support partial match.
curl -v -H 'X-API-KEY: API_KEY' \
'https://api.threatvault.paloaltonetworks.com/service/v1/threats?name=Microsoft+PE+File'
Provides the threat signatures metadata by exact or partial match of the CVE tied to the signatures.
Valid partial CVE format: CVE-YYYY
Valid exact CVE format: CVE-YYYY-NNNN (NNNN can be 4 or more digits)
curl -v -H 'X-API-KEY: API_KEY' \
'https://api.threatvault.paloaltonetworks.com/service/v1/threats?cve=CVE-2020-1234'
or
curl -v -H 'X-API-KEY: API_KEY' \
'https://api.threatvault.paloaltonetworks.com/service/v1/threats?cve=CVE-2021'
Provides the threat signature metadata by matching the vendor ID tied to the signatures.
This parameter is only supported for IPS threat signature requests.
curl -v -H 'X-API-KEY: API_KEY' \
'https://api.threatvault.paloaltonetworks.com/service/v1/threats?vendor=MS16-095'
Used together with the toReleaseDate field. Provides the IPS threat signatures metadata by release date range.
Only supported for IPS threat signatures: fileformat, spyware, vulnerability
curl -v -H 'X-API-KEY: API_KEY' \
'https://api.threatvault.paloaltonetworks.com/service/v1/threats?fromReleaseVersion=8440&toReleaseVersion=8446'
The right boundary of the date range query; must be used with fromReleaseDate. An example can be found in the fromReleaseDate section.
Used together with the toReleaseVersion field. Provides the IPS threat signatures metadata by release version range.
Only supported for IPS threat signatures: fileformat, spyware, vulnerability
curl -v -H 'X-API-KEY: API_KEY' \
'https://api.threatvault.paloaltonetworks.com/service/v1/threats?fromReleaseVersion=8440&toReleaseVersion=8446'
The right boundary of the version range query; must be used with fromReleaseVersion. An example can be found in the toReleaseVersion section.
Provides the IPS threat signatures metadata by the release date.
Only supported for IPS threat signatures: fileformat, spyware, vulnerability
curl -v -H 'X-API-KEY: API_KEY' \
'https://api.threatvault.paloaltonetworks.com/service/v1/threats?releaseDate=2021-08-17'
Provides the IPS threat signatures metadata by the release version.
Only supported for IPS threat signatures: fileformat, spyware, vulnerability
curl -v -H 'X-API-KEY: API_KEY' \
'https://api.threatvault.paloaltonetworks.com/service/v1/threats?releaseVersion=8446'
Possible values: [ips, fileformat, spyware, vulnerability, antivirus, dns, rtdns, spywarec2]
Provides the threat signature metadata based on the threat type. Use together with the other fields to filter the results.
⚠️ Use without quotes
Get all IPS signatures:
curl -v -H 'X-API-KEY: API_KEY' \
'https://api.threatvault.paloaltonetworks.com/service/v1/threats?type=ips'
Note: This use-case is only supported for IPS threat signatures: fileformat, spyware, vulnerability
Get all File-Format signatures that were recently updated between Content Version 8590 and Content Version 8594:
curl -v -H 'X-API-KEY: API_KEY' \
'https://api.threatvault.paloaltonetworks.com/service/v1/threats?fromReleaseVersion=8590&toReleaseVersion=8594&type=fileformat'
Provides the file information and threat signatures that match the hash of the sample.
curl -v -H 'X-API-KEY: API_KEY' \
'https://api.threatvault.paloaltonetworks.com/service/v1/threats?sha256=7879722cd37b1c5b2703ea5a1a92a036a96f4a1fc6272b92c197b3a4b17267cc'
Provides the file information and threat signatures that match the hash of the sample.
curl -v -H 'X-API-KEY: API_KEY' \
'https://api.threatvault.paloaltonetworks.com/service/v1/threats?md5=ca066f965dfbc5392871d3fa281236cf'
The maximum number of results to return in each page.
curl -v -H 'X-API-KEY: API_KEY' \
'https://api.threatvault.paloaltonetworks.com/service/v1/threats?type=ips&limit=1000'
The starting position of the query in relation to the complete set of the unpaginated results.
curl -v -H 'X-API-KEY: API_KEY' \
'https://api.threatvault.paloaltonetworks.com/service/v1/threats?type=ips&limit=1000&offset=1000'
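The parameter rules above can be checked on the client before a request is spent against the rate limit. The following Python sketch is an added example, not part of the original API reference; `build_threats_url` is a hypothetical helper, and treating `ips` together with `fileformat`, `spyware` and `vulnerability` as the IPS types is an assumption drawn from the parameter descriptions.

```python
import re
from urllib.parse import urlencode

BASE_URL = "https://api.threatvault.paloaltonetworks.com/service/v1/threats"
# Values the page lists for the "type" parameter.
ALL_TYPES = {"ips", "fileformat", "spyware", "vulnerability",
             "antivirus", "dns", "rtdns", "spywarec2"}
# Types treated here as IPS signatures (assumption: "ips" plus its three subtypes).
IPS_TYPES = {"ips", "fileformat", "spyware", "vulnerability"}
# Parameters the page documents as IPS-only.
IPS_ONLY = {"vendor", "releaseDate", "releaseVersion", "fromReleaseDate",
            "toReleaseDate", "fromReleaseVersion", "toReleaseVersion"}
# Range boundaries that must be supplied as a pair.
PAIRS = [("fromReleaseDate", "toReleaseDate"),
         ("fromReleaseVersion", "toReleaseVersion")]
# Partial CVE-YYYY, or exact CVE-YYYY-NNNN with four or more digits.
CVE_RE = re.compile(r"CVE-[0-9]{4}(-[0-9]{4,})?")
# Hex digest lengths: SHA-256 is 64 characters, MD5 is 32.
HASH_LEN = {"sha256": 64, "md5": 32}


def build_threats_url(**params):
    """Check params against the rules on this page, then return the URL."""
    sig_type = params.get("type")
    if sig_type is not None and sig_type not in ALL_TYPES:
        raise ValueError(f"unknown type: {sig_type!r}")
    if "cve" in params and not CVE_RE.fullmatch(params["cve"]):
        raise ValueError("cve must be CVE-YYYY or CVE-YYYY-NNNN")
    for low, high in PAIRS:
        if (low in params) != (high in params):
            raise ValueError(f"{low} and {high} must be used together")
    ips_only_used = sorted(IPS_ONLY.intersection(params))
    if ips_only_used and sig_type is not None and sig_type not in IPS_TYPES:
        raise ValueError(f"{ips_only_used} not supported for type {sig_type}")
    for name, length in HASH_LEN.items():
        value = params.get(name)
        if value is not None and not re.fullmatch(r"[0-9a-fA-F]{%d}" % length, value):
            raise ValueError(f"{name} must be {length} hex characters")
    return BASE_URL + "?" + urlencode(params)
```
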
Responses
- 200
- 4XX
- 5XX
Request succeeded
Response Headers
X-Day-RateLimit-Limit integer
Example: 2000
The maximum number of requests that the user is permitted to make per day.
X-Day-RateLimit-Remaining integer
The number of requests remaining in the current rate limit window (one day).
X-Day-RateLimit-Reset integer
The epoch timestamp at which the current rate limit window (one day) resets.
X-Minute-RateLimit-Limit integer
Example: 200
The maximum number of requests that the user is permitted to make per minute.
X-Minute-RateLimit-Remaining integer
The number of requests remaining in the current rate limit window (one minute).
X-Minute-RateLimit-Reset integer
The epoch timestamp at which the current rate limit window (one minute) resets.
- application/json
- Schema
- Example (from schema)
Schema
The total number of entries found.
data object[]
The data of the response.
List of File-Format signatures.
List of Anti-Spyware signatures.
vulnerability object[]
List of Vulnerability Protection signatures.
The unique id of the signature.
The name of the signature.
The description of the signature.
The threat category of the signature.
The PAN-OS minimum version.
The PAN-OS maximum version.
The severity of the threat.
The default action when the signature is triggered.
The CVE (Common Vulnerabilities and Exposures) of the threat.
The vulnerability identifier issued by vendor on advisories.
The public reference of the threat.
The status of the signature.
Any additional details of the signature.
The original release version of the signature.
The latest release version of the signature.
The original release time of the signature.
The latest release time of the signature.
link object[]
The pagination information of the results.
The URL of previous page with results.
The URL of next page with results.
Generic response message.
The response status.
{
  "count": 6,
  "data": [
    {
      "fileformat": [
        null
      ],
      "spyware": [
        null
      ],
      "vulnerability": [
        {
          "id": "30135",
          "name": "Name of the threat",
          "description": "Description of the threat ...",
          "category": "code-execution",
          "min_version": "8.1.0",
          "max_version": "11.1.0",
          "severity": "high",
          "default_action": "alert",
          "cve": [
            "CVE-2007-1204",
            "CVE-2021-35393"
          ],
          "vendor": [
            "MS07-019"
          ],
          "reference": [
            "Url1",
            "Url2"
          ],
          "status": "released",
          "details": {},
          "ori_release_version": "8451",
          "latest_release_version": "8451",
          "ori_release_time": "2021-08-31 01:25:04",
          "latest_release_time": "2021-08-31 01:25:04"
        }
      ]
    }
  ],
  "link": [
    {
      "next": "string",
      "previous": "string"
    }
  ],
  "message": "Successful",
  "success": true
}
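The sketch below pages through results with `limit` and `offset`, flattens the nested `data` structure shown in the example response, and pauses when a rate-limit window is exhausted. It is an added example in Python, not part of the original API reference. Assumptions: `fetch` is a hypothetical caller-supplied function that performs the GET and returns the response headers (keyed exactly as named on this page) and the parsed JSON body, and `count` is taken to be the total across all pages.

```python
import time

# Keys under each "data" entry, as shown in the example response.
IPS_KEYS = ("fileformat", "spyware", "vulnerability")


def flatten(body):
    """Yield signature objects from a response body, skipping null entries."""
    for group in body.get("data") or []:
        for key in IPS_KEYS:
            for sig in group.get(key) or []:
                if sig:
                    yield sig


def wait_seconds(headers, now):
    """Seconds to pause so that every exhausted window has reset."""
    waits = [0]
    for window in ("Minute", "Day"):
        remaining = headers.get(f"X-{window}-RateLimit-Remaining")
        reset = headers.get(f"X-{window}-RateLimit-Reset")  # epoch timestamp
        if remaining is not None and reset is not None and int(remaining) <= 0:
            waits.append(int(reset) - int(now))
    return max(waits)


def fetch_all(fetch, limit=1000, sleep=time.sleep, clock=time.time):
    """Collect all signatures; fetch(offset, limit) -> (headers, body)."""
    offset, results = 0, []
    while True:
        headers, body = fetch(offset, limit)
        if not body.get("success"):
            # 4XX and 5XX bodies carry "success": false and a message.
            raise RuntimeError(body.get("message", "request failed"))
        page = list(flatten(body))
        results.extend(page)
        offset += limit
        # Stop on an empty page or once offset passes the reported total.
        if not page or offset >= int(body.get("count", 0)):
            return results
        pause = wait_seconds(headers, clock())
        if pause:
            sleep(pause)
```
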
Client related error response
- application/json
- Schema
- Example (from schema)
Schema
Generic response message.
The response status.
{
  "message": "Error message.",
  "success": false
}
Server related error response
- application/json
- Schema
- Example (from schema)
Schema
Generic response message.
The response status.
{
  "message": "Error message.",
  "success": false
}