Threat Vault Response Fields
Upon a successful response, the Threat Vault API responds to certain requests by returning a JSON object that contains specific information relevant to the endpoint. The JSON object contains a series of unique data fields that correspond to certain Threat Vault data types, operational metrics, or status.
Threat Signature Metadata Response Fields (IPS)
The following JSON response fields are found in Request Threat Signature Metadata:
| Field | Description |
|---|---|
success | The response status. |
link | The pagination information of the results. |
link.previous | URL of the previous page with results. |
link.next | URL of the next page with results. |
count | The total number of entries found. |
data | Data of the response. |
data.fileformat | List of File-Format signatures. |
data.spyware | List of Anti-Spyware signatures. |
data.vulnerability | List of Vulnerability Protection signatures. |
data.fileformat.id data.spyware.id data.vulnerability.id | Unique signature ID. |
data.fileformat.name data.spyware.name data.vulnerability.name | IPS signature name |
data.fileformat.description data.spyware.description data.vulnerability.description | Signature description. |
data.fileformat.category data.spyware.category data.vulnerability.category | Threat category of the signature. |
data.fileformat.min_version data.spyware.min_version data.vulnerability.min_version | PAN-OS minimum version. |
data.fileformat.max_version data.spyware.max_version data.vulnerability.max_version | PAN-OS maximum version. |
data.fileformat.severity data.spyware.severity data.vulnerability.severity | Threat severity level. |
data.fileformat.default_action data.spyware.default_action data.vulnerability.default_action | The default action when the signature is triggered. |
data.fileformat.cve data.spyware.cve data.vulnerability.cve | The CVE (Common Vulnerabilities and Exposures) identifier of the threat. |
data.fileformat.vendor data.spyware.vendor data.vulnerability.vendor | The vulnerability identifier issued by vendor on advisories. |
data.fileformat.reference data.spyware.reference data.vulnerability.reference | The public reference of the threat. |
data.fileformat.status data.spyware.status data.vulnerability.status | Signature status. |
data.fileformat.details data.spyware.details data.vulnerability.details | Any additional details of the signature. |
data.fileformat.ori_release_version data.spyware.ori_release_version data.vulnerability.ori_release_version | The original release version of the signature. |
data.fileformat.latest_release_version data.spyware.latest_release_version data.vulnerability.latest_release_version | The latest release version of the signature. |
data.fileformat.ori_release_time data.spyware.ori_release_time data.vulnerability.ori_release_time | The original release time of the signature. |
data.fileformat.latest_release_time data.spyware.latest_release_time data.vulnerability.latest_release_time | The latest release time of the signature. |
message | Generic response message. |
Threat Metadata Response Fields (Antivirus)
The following JSON response fields are found in Request Threat Metadata:
| Field | Description |
|---|---|
success | The response status. |
link | The pagination information of the results. |
link.previous | The URL of the previous page with results. |
link.next | The URL of the next page with results. |
count | The total number of entries found. |
data | The data of the response. |
data.antivirus | List of Antivirus signatures. |
data.dns | List of DNS signatures. |
data.rtdns | List of Real-Time DNS Detection entries. |
data.spywarec2 | List of Anti-Spyware C2 signatures. |
data.antivirus.id data.dns.id data.rtdns.id data.spywarec2.id | The unique threat signature id. |
data.antivirus.name data.dns.name data.rtdns.name data.spywarec2.name | The threat signature name. |
data.antivirus.severity data.dns.severity data.rtdns.severity data.spywarec2.severity | The threat signature severity. List: low, informative, medium, high or critical |
data.antivirus.type data.dns.type data.rtdns.type data.spywarec2.type | A numerical value describing the type of the threat signature. |
data.antivirus.subtype data.dns.subtype data.rtdns.subtype data.spywarec2.subtype | The threat signature subtype. |
data.antivirus.action data.dns.action data.rtdns.action data.spywarec2.action | The threat signature default action. This is generally empty for Antivirus signatures. |
data.antivirus.description data.dns.description data.rtdns.description data.spywarec2.description | The threat signature description. |
data.antivirus.create_time data.dns.create_time data.rtdns.create_time data.spywarec2.create_time | The threat signature creation time. |
data.antivirus.status data.dns.status data.rtdns.status data.spywarec2.status | The threat signature status. List: active or inactive |
data.antivirus.related_sha256_hashes | The list of related sha256 hashes for the threat signature. |
data.antivirus.release data.dns.release data.spywarec2.release | The threat signature release information. Note: Any release information before February 2020 is best-effort since the information was not available in the legacy system. |
data.antivirus.release.antivirus data.dns.release.antivirus data.spywarec2.release.antivirus | The threat signature information related to Antivirus package updates. |
data.antivirus.release.antivirus.first_release_version data.dns.release.antivirus.first_release_version data.spywarec2.release.antivirus.first_release_version | The release version when the threat signature was first released with Antivirus package. |
data.antivirus.release.antivirus.first_release_time data.dns.release.antivirus.first_release_time data.spywarec2.release.antivirus.first_release_time | The release time when the threat signature was first released with Antivirus package. |
data.antivirus.release.antivirus.last_release_version data.dns.release.antivirus.last_release_version data.spywarec2.release.antivirus.last_release_version | The release version when the threat signature was last released with Antivirus package. |
data.antivirus.release.antivirus.last_release_time data.dns.release.antivirus.last_release_time data.spywarec2.release.antivirus.last_release_time | The release time when the threat signature was last released with Antivirus package. |
data.antivirus.release.wildfire data.dns.release.wildfire | The threat signature information related to WildFire package updates. |
data.antivirus.release.wildfire.first_release_version data.dns.release.wildfire.first_release_version | The release version when the threat signature was first released with WildFire package. |
data.antivirus.release.wildfire.first_release_time data.dns.release.wildfire.first_release_time | The release time when the threat signature was first released with WildFire package. |
data.antivirus.release.wildfire.last_release_version data.dns.release.wildfire.last_release_version | The release version when the threat signature was last released with WildFire package. |
data.antivirus.release.wildfire.last_release_time data.dns.release.wildfire.last_release_time | The release time when the threat signature was last released with WildFire package. |
data.fileinfo | The sample file information. |
data.fileinfo.filetype | The file type of the sample. |
data.fileinfo.sha256 | The SHA256 hash of the sample. |
data.fileinfo.sha1 | The SHA1 hash of the sample. |
data.fileinfo.md5 | The MD5 hash of the sample. |
data.fileinfo.size | The size of the sample. |
data.fileinfo.type | The type of the sample. List: Email-Worm, Trojan, Virus, etc. |
data.fileinfo.family | The family name of the sample. List: Suspicious, WGeneric, etc. |
data.fileinfo.platform | The platform of the sample. List: Android, OSX, Win32, etc. |
data.fileinfo.wildfire_verdict | The WildFire verdict of the sample. List: benign, malicious or grayware |
data.fileinfo.create_time | The creation time of the sample. |
data.fileinfo.signatures | The signatures related to the sample. |
data.fileinfo.signatures.antivirus | Same as 'data.antivirus' above. |
message | Generic response message. |
Threat Signature Release History Response Fields
The following JSON response fields are found in Request Threat Signature Release History:
| Field | Description |
|---|---|
success | The response status. |
link | The pagination information of the results. |
link.previous | The URL of the previous page with results. |
link.next | The URL of the next page with results. |
count | The total number of entries found. |
data | The data of the response. |
data.version | The version of the release. |
data.build_time | The time when the package was built. |
data.release_time | The time when the package was released externally. |
data.message | Generic response message. |
Predefined EDL Content Response Fields
The following JSON response fields are found in Request Predefined EDL Content:
| Field | Description |
|---|---|
success | The response status. |
link | The pagination information of the results. |
link.previous | The URL of the previous page with results. |
link.next | The URL of the next page with results. |
count | The total number of entries found. |
data | The data of the response. |
data.version | The version of the release. |
data.name | The predefined EDL name. |
data.ipaddr | The IP address. |
message | Generic response message. |
Threat Prevention IP Feed Response Fields
The following JSON response fields are found in Request IP Feed Information and Request IP Feed Information in Batch Mode:
| Field | Description |
|---|---|
success | The response status. |
link | The pagination information of the results. |
link.previous | The URL of previous page with results. |
link.next | The URL of next page with results. |
count | The total number of entries found. |
data | The data of the response. |
data.ipaddr | The IP address. |
data.name | The feed name. |
data.status | The current status of the feed. |
data.release | The release information of the feed. |
data.release.first_release_version | The first release version of the feed. |
data.release.first_release_time | The first release time of the feed. |
data.geo | The geolocation information. |
data.asn | The autonomous system information. |
message | Generic response message. |
Advanced Threat Prevention Report Response Fields
The following JSON response fields are found in Request ATP Report in Batch Mode:
| Field | Description |
|---|---|
success | The response status. |
data | The data of the response. |
data.report_id | The ID of the ATP report. |
data.err_msg | Any error message related to the report. |
data.panos_info | All related PAN-OS information. |
data.panos_info.fw_addr_v4 | Firewall IPv4 MP interface. |
data.panos_info.fw_addr_v6 | Firewall IPv6 MP interface (can be empty). |
data.panos_info.fw_app_version | Firewall content package version. |
data.panos_info.fw_hostname | Firewall hostname. |
data.panos_info.fw_model | Firewall model. |
data.panos_info.serial | Firewall serial number. |
data.panos_info.fw_sw_version | Firewall PAN-OS version. |
data.session_info | All related session information. |
data.session_info.flow_info.saddr | Session source IP address. |
data.session_info.flow_info.daddr | Session destination IP address. |
data.session_info.flow_info.sport | Session source IP port. |
data.session_info.flow_info.dport | Session destination IP port. |
data.session_info.flow_info.data_type | The payload type. List: http, ssl, unknown-tcp and unknown-udp. |
data.session_info.session_id | Session ID. |
data.session_info.session_timestamp | Session timestamp. |
data.transaction_data | The list of transactions of the session. One session may have one or many transactions. |
data.transaction_data.transaction_id | The transaction ID. |
data.transaction_data.payload_sha256 | The SHA256 hash value of the payload. |
data.transaction_data.detection_results | The detection results information. |
data.transaction_data.detection_results.detection_service | The detection service. |
data.transaction_data.detection_results.details | Details information. |
data.transaction_data.detection_results.details.attack_analysis | The attack analysis information. |
data.transaction_data.detection_results.details.attack_analysis.Attack Description | The attack description. |
data.transaction_data.detection_results.details.attack_analysis.Attack Details | The attack details. |
data.transaction_data.detection_results.details.attack_analysis.Attack Evidences | The attack evidence. |
data.transaction_data.detection_results.details.payload_info | The request payload information. |
data.transaction_data.detection_results.details.payload_info.Connection | A general header controls whether the network connection stays open after the current transaction finishes. |
data.transaction_data.detection_results.details.payload_info.Cookie | A header that contains stored HTTP cookies associated with the server. |
data.transaction_data.detection_results.details.payload_info.Host | A header that specifies the host and port number of the server to which the request is being sent. |
data.transaction_data.detection_results.details.payload_info.Method | A header that defines the desired action to be performed for a given resource. |
data.transaction_data.detection_results.details.payload_info.URI | A header that defines the resource. |
data.transaction_data.detection_results.details.payload_info.User-Agent | A header that identifies the requesting user agent. |
data.transaction_data.detection_results.details.payload_info.Version | A header that specifies the HTTP version. |
data.transaction_data.detection_results.verdict | The verdict value. |
data.transaction_data.reports | The list of detection service reports. |
data.transaction_data.reports.ds_name | The detection service name. |
data.transaction_data.reports.status | A flag to indicate the report is ready or not. |
data.transaction_data.reports.ds_report.payload_info | Optional payload information. For HTTP: Method, URI, Version, Host, User-Agent, Content-Type, Cookies. For other protocols: This field will not be available. |
data.transaction_data.reports.ds_report.malware_families | The list of malware families. |
data.transaction_data.reports.ds_report.malware_families.malware_family_type | The name/type of the malware family. |
data.transaction_data.reports.ds_report.malware_families.confidence | The confidence value. |
message | Generic response message. |