Request Antivirus Threat Signature Metadata
The API Reference information for retrieving antivirus threat signature metadata can be found here.
Overview
The Threat Vault API can be used to request antivirus threat signature metadata. Consider the following examples:
Keep a few things in mind when formatting your API query:
- All the query strings in Get requests must be a URL-Encoded parameter string. If you use a space in the URL-Encoded request, you must include either a plus sign (+) or %20 to replace the space.
- You can specify the content type of the request body and response by specifying the Content-Type header. Some responses generate an HTTP response in addition to a JSON object.
- Do not embed API keys in code or application source tree files. This can inadvertently expose the API key. Instead, consider storing the API key in environmental variables or files that are excluded from your application source tree files.
Example 1: Request information about a specific [antivirus] threat signature ID
curl -H 'X-API-KEY: API_KEY' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats?id=280392504'
A successful API call returns, within the contents section, status="success"
along with the threat signature details, in this case, an antivirus signature.
{
"success": true,
"link": {
"next": null,
"previous": null
},
"count": 1,
"data": {
"antivirus": [
{
"name": "trojan/Win32 DLL.razy.slo",
"severity": "medium",
"type": "0",
"subtype": "virus",
"description": "This signature detected trojan/Win32 DLL.razy.slo",
"action": "",
"id": "280392504",
"create_time": "2019-06-19T17:06:12Z",
"status": "active",
"related_sha256_hashes": [
"0b66779d8910e365c8de5ea030f9827ee32b418bc303c26e3252a4843b86118d",
"3b3d767226aa796013b075fd7d6baa432e3f2bf380c55655dedaa8ead038829e",
"b8cbc5c1b01ae17dec42eca0f4b448407a2d5b9f85580e0e122c1854f4f80e37",
"47e3da7e179b755a1ccc8fe8fc506a2fb15baff2c124b15cf2f5e29038f3d1ac",
"5cd3e058f6049a31a42c292ebb091a1b5ea4bd9c7bc6fed5ac8a33c5fc89924a",
"4a2b514a753611b464e7583ba512310cd58c8066f19b631134012ebe05cd0e5f",
"616c1d49dace7e984dcf02f94d81273db7f1eb06961cb60d5200ca89dbe640ac",
"b6976b2aca5d70d7f011ef72a8649a370f449811d11a488a46dc8b82ba0f2f2a",
"00710c2c75549989c1bc8374e9f04c3d9b529e2ec6e2ad3945ce89cf27e25bd4",
"3e7fcd52c9f88fef74427aa78240125417326297c07577eb98fa98f4e793ca0e"
],
"release": {
"antivirus": {
"first_release_version": "3017",
"first_release_time": "2019-06-21T13:37:09Z",
"last_release_version": "4179",
"last_release_time": "2022-08-18T11:01:05Z"
},
"wildfire": {
"first_release_version": "359199",
"first_release_time": "2019-06-19T17:06:35Z",
"last_release_version": "691140",
"last_release_time": "2022-08-19T01:42:11Z"
}
}
}
]
},
"message": "Successful"
}
Example 2: Request information about a specific antivirus signature based on the sample hash
curl -H 'X-API-KEY: API_KEY' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats?sha256=380082fbf9e57bcd524648efce14c92a4cb58cb745c30ef29730959d79164549'
A successful API call returns, within the Contents section, status="success"
along with the antivirus signature details:
{
"success": true,
"link": {
"next": null,
"previous": null
},
"count": 1,
"data": {
"fileinfo": [
{
"filetype": "DLL",
"sha256": "380082fbf9e57bcd524648efce14c92a4cb58cb745c30ef29730959d79164549",
"sha1": "d58869fb948c60bef544e1a36f4489fd76fd10ae",
"md5": "ca066f965dfbc5392871d3fa281236cf",
"size": "176128",
"type": "Virus",
"family": "WGeneric",
"platform": "Win32",
"wildfire_verdict": "malicious",
"create_time": "2021-12-02T20:27:12Z",
"signatures": {
"antivirus": [
{
"name": "trojan/Win32 DLL.razy.slo",
"severity": "medium",
"type": "0",
"subtype": "virus",
"description": "This signature detected trojan/Win32 DLL.razy.slo",
"action": "",
"id": "280392504",
"create_time": "2019-06-19T17:06:12Z",
"status": "active",
"related_sha256_hashes": [
"0b66779d8910e365c8de5ea030f9827ee32b418bc303c26e3252a4843b86118d",
"3b3d767226aa796013b075fd7d6baa432e3f2bf380c55655dedaa8ead038829e",
"b8cbc5c1b01ae17dec42eca0f4b448407a2d5b9f85580e0e122c1854f4f80e37",
"47e3da7e179b755a1ccc8fe8fc506a2fb15baff2c124b15cf2f5e29038f3d1ac",
"5cd3e058f6049a31a42c292ebb091a1b5ea4bd9c7bc6fed5ac8a33c5fc89924a",
"4a2b514a753611b464e7583ba512310cd58c8066f19b631134012ebe05cd0e5f",
"616c1d49dace7e984dcf02f94d81273db7f1eb06961cb60d5200ca89dbe640ac",
"b6976b2aca5d70d7f011ef72a8649a370f449811d11a488a46dc8b82ba0f2f2a",
"00710c2c75549989c1bc8374e9f04c3d9b529e2ec6e2ad3945ce89cf27e25bd4",
"3e7fcd52c9f88fef74427aa78240125417326297c07577eb98fa98f4e793ca0e"
],
"release": {
"antivirus": {
"first_release_version": "3017",
"first_release_time": "2019-06-21T13:37:09Z",
"last_release_version": "4179",
"last_release_time": "2022-08-18T11:01:05Z"
},
"wildfire": {
"first_release_version": "359199",
"first_release_time": "2019-06-19T17:06:35Z",
"last_release_version": "691140",
"last_release_time": "2022-08-19T01:42:11Z"
}
}
}
]
}
}
]
},
"message": "Successful"
}