Search for Signatures

Use these endpoints to search for signatures that match the specified parameters.

Resource

  • Anti-spyware, vulnerability, and file-format signatures
    https://autofocus.paloaltonetworks.com/api/intel/v1/threatvault/ips/search
  • Antivirus Signatures
    https://autofocus.paloaltonetworks.com/api/intel/v1/threatvault/panav/search
  • DNS | RTDNS Signatures
    https://autofocus.paloaltonetworks.com/api/intel/v1/threatvault/dns/search

Request Parameters

The following table describes the parameters used with this endpoint.
| Parameters | Description | Type | Example or Possible Values |
|---|---|---|---|
| apiKey | (Required) API key tied to your license. All users attached to a license share a single API key. | string | Example (obfuscated): d32108a5-XXX-XXXX-XXXX-c04bda5b8450 |
| {signatureName} | Palo Alto Networks textual identifier for the threat. | string | A valid signature name. Example: TDSS/Win32.fey.a. For /ips/search queries, the signature is an approximate string (fuzzy) search. |
| {vendor} | The identification number for a security vendor. Only available for: /ips/search | exactString | A valid vendor reference number. Example: 25461 |
| {cve} | The reference number for a vulnerability as defined by Common Vulnerabilities and Exposures (CVE). Only available for: /ips/search | exactString | A CVE reference number for a vulnerability. Example: cve-2015-8650 |
| {domainName} | The name of the domain. Only available for: /dns/search | string | A valid Internet domain. Example: google.com |

Sample Request

curl -X POST -H "Content-Type: application/json" -d '{"from": 0, "size":10, "field": "signatureName", "value": "ExpertAntivirus_4_1" }' 'https://autofocus.paloaltonetworks.com/api/intel/v1/threatvault/ips/search?api_key=apikey'

Sample Response

The response to signature searches is similar to sample and sessions searches. Use the af_cookie parameter from the initial response to view the results of your search:
{
  "total_count": 1,
  "page_count": 1,
  "signatures": [{
    "metadata": {
      "severity": "low",
      "reference": "http://www.spywareguide.com/spydet_3531_expertantivirus.html,http://www.ca.com/securityadvisor/pest/pest.aspx?id=45311130",
      "panOsMaximumVersion": "",
      "description": "This signature detects the runtime behavior of ExpertAntivirus 4.1ExpertAntivirus is a rogue anti-spyware program that reports false positive infections.",
      "panOsMinimumVersion": "6.1.0",
      "action": "alert",
      "category": "adware",
      "changeData": ""
    },
    "cve": "",
    "signatureName": "ExpertAntivirus_4_1",
    "vendor": "",
    "signatureType": "spyware",
    "firstReleaseTime": "2015-06-26 UTC",
    "signatureId": 11785,
    "latestReleaseTime": "2020-06-09 UTC",
    "latestReleaseVersion": 8281,
    "status": "released",
    "firstReleaseVersion": 509
  }]
}
Use the af_cookie parameter when you check on the results of your search using the /ips/search/result/, /panav/search/result, or /dns/search/result/ resource.
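
The request and response described above, as an added Python example that is not part of the original documentation: build_search() rejects field/endpoint pairs that the parameter table rules out before anything is sent, and summarize() reduces a result to the fields used for triage. The function names, the FIELDS mapping (read off the parameter table) and the trimmed SAMPLE string are assumptions made for this example.

```python
import json
import re
from urllib.parse import urlencode

BASE = "https://autofocus.paloaltonetworks.com/api/intel/v1/threatvault"
# Assumption: search fields per endpoint, read off the parameter table.
FIELDS = {
    "ips": {"signatureName", "vendor", "cve"},   # vendor and cve are /ips/search only
    "panav": {"signatureName"},
    "dns": {"signatureName", "domainName"},      # domainName is /dns/search only
}

def build_search(endpoint, field, value, api_key, start=0, size=10):
    """Return (url, json_body) for a search, rejecting invalid field/endpoint pairs."""
    if field not in FIELDS.get(endpoint, ()):
        raise ValueError(f"{field!r} cannot be searched on /{endpoint}/search")
    if field == "cve" and not re.fullmatch(r"(?i)cve-\d{4}-\d{4,}", value):
        raise ValueError(f"not a CVE reference number: {value!r}")
    url = f"{BASE}/{endpoint}/search?" + urlencode({"api_key": api_key})
    body = json.dumps({"from": start, "size": size, "field": field, "value": value})
    return url, body

def summarize(response_text):
    """Flatten a search result into one row per signature."""
    rows = []
    for sig in json.loads(response_text).get("signatures", []):
        meta = sig.get("metadata", {})
        rows.append({
            "id": sig["signatureId"],
            "name": sig["signatureName"],
            "type": sig.get("signatureType"),
            "severity": meta.get("severity"),
            "action": meta.get("action"),
            "status": sig.get("status"),
            "cve": sig.get("cve") or None,       # empty string means no CVE attached
        })
    return rows

# Constructed sample: a trimmed copy of the sample response shown above.
SAMPLE = """{"total_count": 1, "page_count": 1, "signatures": [{
  "metadata": {"severity": "low", "action": "alert", "category": "adware"},
  "cve": "", "signatureName": "ExpertAntivirus_4_1", "signatureType": "spyware",
  "signatureId": 11785, "status": "released"}]}"""

if __name__ == "__main__":
    url, body = build_search("ips", "signatureName", "ExpertAntivirus_4_1", "apikey")
    print(url.split("?")[0], body)               # print the URL without the key
    print(summarize(SAMPLE))
```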