Request Threat Signature Metadata in Batch Mode

A POST request to retrieve the threats signature metadata by id, name or sample hash (sha256 or md5) in batch mode. Batch limit is 100 entries.

• Notes:
  • Optionally, each query parameter can be used together with the "type" query parameter to filter out the results.
  • Any Antivirus / WildFire release summary information before February 2020 is best-effort since the information is not available.

application/json

Request Body required

• id string[]

  Provides the threat signatures metadata by exact match of the signature ids.

  ---

  curl -v -X POST -H 'X-API-KEY: API_KEY' \
    -H 'Content-Type: application/json' \
    -d '{"id": ["280392504"]}' \
    'https://api.threatvault.paloaltonetworks.com/service/v1/threats'
• md5 string[]

  Provides the file information and threat signatures that match the hash of the sample.

  ---

  curl -v -X POST -H 'X-API-KEY: API_KEY' \
    -H 'Content-Type: application/json' \
    -d '{"md5": ["ca066f965dfbc5392871d3fa281236cf"]}' \
    'https://api.threatvault.paloaltonetworks.com/service/v1/threats'
• name string[]

  Provides the threat signatures metadata by exact match of the signature names.

  ---

  curl -v -X POST -H 'X-API-KEY: API_KEY' \
    -H 'Content-Type: application/json' \
    -d '{"name": ["Microsoft PE File"]}' \
    'https://api.threatvault.paloaltonetworks.com/service/v1/threats'
• sha256 string[]

  Provides the file information and threat signatures that match the hash of the sample.

  ---

  curl -v -X POST -H 'X-API-KEY: API_KEY' \
    -H 'Content-Type: application/json' \
    -d '{"sha256": ["7879722cd37b1c5b2703ea5a1a92a036a96f4a1fc6272b92c197b3a4b17267cc"]}' \
    'https://api.threatvault.paloaltonetworks.com/service/v1/threats'
• type string

  Possible values: [ips, fileformat, spyware, vulnerability, antivirus, dns, rtdns, spywarec2]

  Provides the threat signature metadata based on the threat type. Use together with the other fields to filter out the results.

  ⚠️ Use without quotes

  • Options:
    • antivirus (Provides Antivirus signatures metadata)
    • dns (Provides DNS signatures metadata)
    • fileformat (Provides all IPS File-Format signature metadata)
    • ips (Provides all IPS signature metadata)
    • rtdns (Provides Real-Time DNS Detection entries metadata)
    • spyware (Provides all IPS Anti-Spyware signature metadata)
    • spywarec2 (Provides Spyware C2 signatures metadata)
    • vulnerability (Provides all IPS Vulnerability Protection signature metadata)

  ---

  curl -v -X POST -H 'X-API-KEY: API_KEY' \
    -H 'Content-Type: application/json' \
    -d '{"id": ["280392504"], "type":"antivirus"}' \
    'https://api.threatvault.paloaltonetworks.com/service/v1/threats'

Responses

• 200
• 4XX
• 5XX

---

Request succeeded

Response Headers

• X-Day-RateLimit-Limit integer
  Example: 2000

  The maximum number of requests that the user is permitted to make per day.

• X-Day-RateLimit-Remaining integer

  The number of requests remaining in the current rate limit window (one day).

• X-Day-RateLimit-Reset integer

  The epoch timestamp at which the current rate limit window (one day) resets.

• X-Minute-RateLimit-Limit integer
  Example: 200

  The maximum number of requests that the user is permitted to make per minute.

• X-Minute-RateLimit-Remaining integer

  The number of requests remaining in the current rate limit window (one minute).

• X-Minute-RateLimit-Reset integer

  The epoch timestamp at which the current rate limit window (one minute) resets.

application/json

• Schema
• Example (from schema)

---

Schema

• count integer

  The total number of entries found.

• data object[]

  The data of the response.

  Array [

  antivirus object[]

  List of Antivirus signatures.

  Array [

  id string

  The unique threat signature id.

  name string

  The threat signature name.

  severity string

  The threat signature severity. List: low, informative, medium, high or critical

  type string

  A numerical value describing the type of the threat signature.

  subtype string

  The threat signature subtype.

  action string

  The threat signature default action. This is generally empty for Antivirus signatures.

  description string

  The threat signature description.

  create_time string

  The threat signature creation time.

  status string

  The threat signature creation time. List: active or inactive

  related_sha256_hashes string[]

  The list of related sha256 hashes for the threat signature.

  release object

  The threat signature release information.

  antivirus object

  The threat signature information related to Antivirus package updates.

  first_release_version string

  The release version when the threat signature was first released with Antivirus package.

  first_release_time string

  The release time when the threat signature was first released with Antivirus package.

  last_release_version string

  The release version when the threat signature was last released with Antivirus package.

  last_release_time string

  The release time when the threat signature was last released with Antivirus package.

  wildfire object

  The threat signature information related to WildFire package updates.

  first_release_version string

  The release version when the threat signature was first released with WildFire package.

  first_release_time string

  The release time when the threat signature was first released with WildFire package.

  last_release_version string

  The release version when the threat signature was last released with WildFire package.

  last_release_time string

  The release time when the threat signature was last released with WildFire package.

  ]

  ]
• link object[]

  The pagination information of the results.

  Array [

  next string

  The URL of previous page with results.

  previous string

  The URL of next page with results.

  ]
• message string

  Generic response message.

• success boolean

  The response status.

{
  "count": 1,
  "data": [
    {
      "antivirus": [
        {
          "id": "280392504",
          "name": "trojan/Win32 DLL.razy.slo",
          "severity": "medium",
          "type": "0",
          "subtype": "virus",
          "action": "",
          "description": "This signature detected trojan/Win32 DLL.razy.slo",
          "create_time": "2019-06-19T17:06:12Z",
          "status": "active",
          "related_sha256_hashes": [
            "47e3da7e179b755a1ccc8fe8fc506a2fb15baff2c124b15cf2f5e29038f3d1ac",
            "5cd3e058f6049a31a42c292ebb091a1b5ea4bd9c7bc6fed5ac8a33c5fc89924a"
          ],
          "release": {
            "antivirus": {
              "first_release_version": "3017",
              "first_release_time": "2018-03-02T11:06:51Z",
              "last_release_version": "4115",
              "last_release_time": "2022-06-14T13:35:54Z"
            },
            "wildfire": {
              "first_release_version": "359199",
              "first_release_time": "2019-06-19T17:06:35Z",
              "last_release_version": "672412",
              "last_release_time": "2022-06-14T16:56:15Z"
            }
          }
        }
      ]
    }
  ],
  "link": [
    {
      "next": "string",
      "previous": "string"
    }
  ],
  "message": "Successful",
  "success": true
}

Client related error response

application/json

• Schema
• Example (from schema)

---

Schema

• message string

  Generic response message.

• success boolean

  The response status.

{
  "message": "Error message.",
  "success": false
}

Server related error response

application/json

• Schema
• Example (from schema)

---

Schema

• message string

  Generic response message.

• success boolean

  The response status.

{
  "message": "Error message.",
  "success": false
}

Loading...