Request Advanced Threat Prevention Report
The API Reference information for retrieving Advanced Threat Prevention reports based on the report ID can be found here.
Overview
The Threat Vault API can be used to request Advanced Threat Prevention reports. Consider the following examples:
Keep a few things in mind when formatting your API query:
- All the query strings in Get requests must be a URL-Encoded parameter string. If you use a space in the URL-Encoded request, you must include either a plus sign (+) or %20 to replace the space.
- You can specify the content type of the request body and response by specifying the Content-Type header. Some responses generate an HTTP response in addition to a JSON object.
- Do not embed API keys in code or application source tree files. This can inadvertently expose the API key. Instead, consider storing the API key in environmental variables or files that are excluded from your application source tree files.
Example 1: Request information about a specific Advanced Threat Prevention report based on the report ID
curl -X POST -d '{"id": ["e88b8a0ba98a01624aa87aa81339a8bdbb4b8c0148475fd4218fc46ab9ca2559", "a23b5d46d6ac77e70376080517991187a07ac008bfc799f08795d59c57e23a50"]}' \
'https://api.threatvault.paloaltonetworks.com/service/v1/atp/reports' \
-H 'X-API-KEY: API_KEY' \
-H 'Content-Type: application/json'
A successful API call returns, within the contents section, status="success" along with contents of the specified Advanced Threat Prevention reports.
{
"success": true,
"data": [
{
"report_id": "e88b8a0ba98a01624aa87aa81339a8bdbb4b8c0148475fd4218fc46ab9ca2559",
"err_msg": "",
"panos_info": {
"fw_addr_v4": "10.2.4.6",
"fw_addr_v6": "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
"fw_app_version": "8538-7276",
"fw_hostname": "QA-Test",
"fw_model": "PA-3260",
"fw_serial": "016401005176",
"fw_sw_version": "10.2.0"
},
"session_info": {
"flow_info": {
"saddr": "192.168.1.1",
"daddr": "34.1.3.5",
"sport": "3456",
"dport": "80",
"data_type": "http"
},
"session_id": "1437373",
"session_timestamp": "2022-03-07T14:08:31.491236585-08:00"
},
"transaction_data": [
{
"transaction_id": 1,
"payload_sha256": "004c89823c6462640ba1e0c3d9a3e18f1418965df809d88b8687fc9137246871",
"reports": [
{
"ds_name": "mlc2-http",
"status": "ok",
"ds_report": [
{
"payload_info": {
"Method": "GET",
"URI": "/-36721HLYW/2pRLi?rndad=3118229241-1631980139",
"Version": "HTTP/1.1",
"Host": "hurirk.net",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0)
Gecko/20100101 Firefox/59.0",
"Content-type": "multipart/form-data; boundary=---------------------
HEOILpSJxajJHrzAkpfAE",
"Cookies": "asdwdasss"
},
"malware_families": [
{
"malware_family_type": "aaaa",
"confidence": 0.85
},
{
"malware_family_type": "bbbb",
"confidence": 0.45
}
]
}
]
},
{
"ds_name": "cs-http",
"status": "ok",
"ds_report": [
{
"malware_families": [
{
"malware_family_type": "aaaa",
"confidence": 0.85
},
{
"malware_family_type": "bbbb",
"confidence": 0.45
}
]
}
]
}
]
},
{
"transaction_id": 2,
"payload_sha256": "421874c14f77c231a6d0294fa9c2268b470ebe33674dd19af9c0dbb5353b4e74",
"reports": [
{
"ds_name": "mlc2-unknown-udp",
"status": "ok",
"ds_report": [
{
"malware_families": [
{
"malware_family_type": "aaaa",
"confidence": 0.85
},
{
"malware_family_type": "bbbb",
"confidence": 0.45
}
]
}
]
}
]
}
]
}
],
"message": "Successful"
}