Depending on the resource, your requests are either indirect
(asynchronous) or direct (synchronous). When you Perform AutoFocus Searches for
samples, sessions, or aggregate data, you first initiate a search
and then make further requests to get the results of your search.
For other resources, such as when you request session details and
analysis reports, you Perform Direct Searches and
immediately get corresponding data. The AutoFocus API uses either
JSON, which returns JSON, or XML, which returns data in XML-based
STIX format. Learn more about AutoFocus API STIX Support.
Using the POST method for requests, you can do the following:
Search for threat intelligence samples and sessions.
View aggregate data, such as popular malware, applications,
and source countries.
View file analysis data related to a specified sample.
Get tag lists, popular tags, and tag details.
Export lists based on previously saved threat artifacts.
Potential uses of the AutoFocus API include:
Automated feed extraction of threat analysis—Leverage
the AutoFocus API to integrate key data into a third-party dashboard
or service such as Splunk.
Automated hash extraction for blocking attacks—Use the AutoFocus
API to provide a layered approach to threat prevention. For example,
your organization can use the AutoFocus API in conjunction with
a firewall to look up sample hashes and block identified threats.
Automated import of threat intelligence on your firewall—Use
the AutoFocus API to look up hashes and corresponding tags to create
custom block lists on your firewall.
To make requests, you must Get Your API Key,
which you use to authenticate API calls. Each license uses one API
key, regardless of the number of users.
To control the number of requests you can make, you need to observe AutoFocus API Rate Limits,
which is a point system to track and rate limit API calls.