Search Top Tags, Session Histogram, and Session Aggregate Data
Use the session histogram search to get the data behind the Malware Download Sessions histogram that is shown when you view search statistics. Use the sample aggregate search to view top file types. Use the session aggregate data search to view aggregate data such as Top Firewalls, Top Malware, Source Countries, and Destination Countries. Use the top-tags search to identify the most popular tags for any given period of time; it corresponds to the Top Tags data available when you view search statistics.

Aggregate search data is limited to the top 10 results in each category, while top-tags data is limited to the top 20 tags.
Resources
- /sessions/histogram/search/
- /sessions/aggregate/search/
- /top-tags/search/
Request Parameters
The following request parameters are available when searching top tags, session histogram, and session aggregate data.

Parameters | Description | Type | Example or Possible Values |
---|---|---|---|
apiKey | (Required) API key tied to your license. All users attached to a license share a single API key. | string | Example (obfuscated): d32108a5-XXX-XXXX-XXXX-c04bda5b8450 |
scope | (Required) Scope of the search. Case-sensitive. | string enumeration | Possible values: industry, organization, all, global. Additional possible values for /sessions/histogram/search/ and /sessions/aggregate/search/: public, private |
query | (Required) Query based on the conditions specified within this object. Conditions match those found in the AutoFocus web portal. | object array | See Search Field Names and Search Parameter Types and Operators for a list of available fields, operators, and acceptable values. To easily determine your query, first run the equivalent search in the AutoFocus web portal and then use the API button to view the corresponding JSON. |
field | Field for which to provide aggregate data. Only available and required for: /sessions/aggregate/search/ | string enumeration | Possible values for /sessions/aggregate/search/: sha256, app, device_serial, device_industry, src_countrycode, dst_countrycode, upload_src |
size | Number of results to return. Only available for: /sessions/aggregate/search/, /top-tags/search/ | number | Possible values: any number above 0 up to 1000. Default value: 50 |
tagScopes | Filter based on the type of malware. Only available for: /top-tags/search/ | string enumeration (must be provided as a JSON list) | Possible values: private, public, commodity, unit42. Default value: Private |
Sample Request
```bash
curl -X POST -H "Content-Type: application/json" \
  -d '{
    "apiKey": "apikey",
    "query": {
      "operator": "all",
      "children": [
        { "field": "sample.malware", "operator": "is", "value": 1 },
        { "field": "session.tstamp", "operator": "is in the range",
          "value": [ "2015-08-26T00:00:00", "2015-09-02T23:59:59" ] }
      ]
    },
    "scope": "public"
  }' \
  'https://autofocus.paloaltonetworks.com/api/v1.0/sessions/histogram/search'
```

View the corresponding cURL request or Python syntax for initiating searches for samples, sessions, and aggregate data from the AutoFocus web portal.
Sample Response
The response to session histogram and aggregate searches has the same shape as the response to sample and session searches. Use the af_cookie parameter to view the results of your search:
```json
{
  "af_in_progress": true,
  "af_first_result_af_took": 0,
  "in_progress": true,
  "af_cookie": "0-041ff071-ba35-480a-bcb2-94403ba66c41+0",
  "af_complete_percentage": 0,
  "bucket_info": {
    "minute_points": 200,
    "daily_points": 25000,
    "minute_points_remaining": 190,
    "daily_points_remaining": 24946,
    "minute_bucket_start": "2015-10-21 15:37:34",
    "daily_bucket_start": "2015-10-21 14:41:07"
  }
}
```
Use the af_cookie parameter when you check on the results of your search using the /sessions/histogram/results/ or /sessions/aggregate/results/ resource.
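The following Python client is an added example, not code from the AutoFocus documentation or from Palo Alto Networks. It covers both the request-parameter table and the search-then-poll flow above: it validates a request body against the per-resource rules in the table (scope values, the aggregate-only `field`, the `size` range, `tagScopes` as a JSON list) before any quota is spent, submits the search, and polls the matching `/results/` resource with the returned `af_cookie` until `af_in_progress` is false. The resource paths, parameter names, query object and response field names come from the page; the assumption that the results resource is addressed by appending the cookie to the `/results/` path, and the `http_post_json` helper, are mine and can be replaced with the transport your deployment uses.

```python
import json
import time
import urllib.request

BASE_URL = "https://autofocus.paloaltonetworks.com/api/v1.0"

# Constraints copied from the request-parameter table on this page.
COMMON_SCOPES = {"industry", "organization", "all", "global"}
SESSION_EXTRA_SCOPES = {"public", "private"}   # histogram and aggregate only
AGGREGATE_FIELDS = {"sha256", "app", "device_serial", "device_industry",
                    "src_countrycode", "dst_countrycode", "upload_src"}
TAG_SCOPES = {"private", "public", "commodity", "unit42"}
MAX_SIZE = 1000

HISTOGRAM = "/sessions/histogram/search/"
AGGREGATE = "/sessions/aggregate/search/"
TOP_TAGS = "/top-tags/search/"


def malware_sessions_query(start, end):
    """The query object from the page's sample request: malware samples whose
    session timestamp falls inside [start, end]."""
    return {
        "operator": "all",
        "children": [
            {"field": "sample.malware", "operator": "is", "value": 1},
            {"field": "session.tstamp", "operator": "is in the range",
             "value": [start, end]},
        ],
    }


def build_search_body(resource, api_key, query, scope, field=None,
                      size=None, tag_scopes=None):
    """Build the JSON body for one of the three search resources, rejecting
    locally anything the parameter table says the resource will not accept."""
    if resource not in (HISTOGRAM, AGGREGATE, TOP_TAGS):
        raise ValueError(f"unknown resource {resource!r}")
    allowed_scopes = set(COMMON_SCOPES)
    if resource in (HISTOGRAM, AGGREGATE):
        allowed_scopes |= SESSION_EXTRA_SCOPES
    if scope not in allowed_scopes:  # scope is case-sensitive per the table
        raise ValueError(f"scope {scope!r} is not valid for {resource}")
    body = {"apiKey": api_key, "query": query, "scope": scope}

    if resource == AGGREGATE:
        if field not in AGGREGATE_FIELDS:
            raise ValueError("field is required for the aggregate search")
        body["field"] = field
    elif field is not None:
        raise ValueError("field is only accepted by the aggregate search")

    if size is not None:
        if resource == HISTOGRAM:
            raise ValueError("size is not accepted by the histogram search")
        if not 0 < size <= MAX_SIZE:
            raise ValueError("size must be between 1 and 1000")
        body["size"] = size

    if tag_scopes is not None:
        if resource != TOP_TAGS:
            raise ValueError("tagScopes is only accepted by the top-tags search")
        unknown = set(tag_scopes) - TAG_SCOPES
        if unknown:
            raise ValueError(f"unknown tagScopes {sorted(unknown)}")
        body["tagScopes"] = list(tag_scopes)  # must be sent as a JSON list
    return body


def http_post_json(url, body):
    """Minimal JSON POST over urllib (assumed helper; swap in a fake offline)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def run_search(resource, body, post=http_post_json, attempts=20, delay=2.0):
    """Submit the search, then poll the matching /results/ resource with the
    af_cookie until af_in_progress is false. ASSUMPTION: the results resource
    is reached by appending the cookie to the path; the page only says the
    cookie is used with /sessions/histogram/results/ or /sessions/aggregate/results/."""
    first = post(BASE_URL + resource, body)
    cookie = first["af_cookie"]
    # bucket_info reports the remaining query quota; stop before exhausting it.
    if first.get("bucket_info", {}).get("minute_points_remaining", 1) <= 0:
        raise RuntimeError("per-minute query points exhausted; back off")
    results_path = resource.replace("/search/", "/results/")
    latest = first
    for _ in range(attempts):
        if not latest.get("af_in_progress", False):
            return latest
        time.sleep(delay)
        latest = post(BASE_URL + results_path + cookie, {"apiKey": body["apiKey"]})
    raise TimeoutError(f"search {cookie} still in progress after {attempts} polls")
```

The validation in `build_search_body` mirrors the table row by row, so a mistaken `size` on the histogram search or a `field` on the top-tags search fails in the client rather than after a round trip that consumes quota points; `run_search` stops polling as soon as the response no longer reports `af_in_progress`.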