Request Advanced Threat Prevention Report PCAP
The API Reference information for retrieving the packet capture associated with a Advanced Threat Prevention report sample can be found here.
Overview
The Threat Vault API can be used to request the PCAP that is referenced in a specified Advanced Threat Prevention report. Consider the following examples:
Keep a few things in mind when formatting your API query:
- All the query strings in Get requests must be a URL-Encoded parameter string. If you use a space in the URL-Encoded request, you must include either a plus sign (+) or %20 to replace the space.
- You can specify the content type of the request body and response by specifying the Content-Type header. Some responses generate an HTTP response in addition to a JSON object.
- Do not embed API keys in code or application source tree files. This can inadvertently expose the API key. Instead, consider storing the API key in environmental variables or files that are excluded from your application source tree files.
Example 1: Request information about a specific sample (packet capture) referred to in an Advanced Threat Prevention report
curl -H 'X-API-KEY: API_KEY' 'https://api.threatvault.paloaltonetworks.com/service/v1/atp/reports/pcaps?
id=c25b5d86d8ac77e10376000517491157a07ac008bfc799f08795d59c57e23a50'
A successful API call returns a packet capture file.