View Search Results
For the following resources, first initiate a search and then use the af_cookie or search_id string provided in the response to view the search results.

Resources for Initiating Searches | Corresponding Resources for Viewing Results
---|---
/samples/search/ | /samples/results/{af_cookie}
/stix/samples/search/ | /stix/samples/results/{af_cookie}
/sessions/search/ | /sessions/results/{af_cookie}
/stix/sessions/search/ | /stix/sessions/results/{af_cookie}
/sessions/histogram/search/ | /sessions/histogram/results/{af_cookie}
/sessions/aggregate/search/ | /sessions/aggregate/results/{af_cookie}
/top-tags/search/ | /top-tags/results/{af_cookie}
https://autofocus.paloaltonetworks.com/api/intel/v1/threatvault/ips/search | https://autofocus.paloaltonetworks.com/api/intel/v1/threatvault/ips/search/result/{search_id}
https://autofocus.paloaltonetworks.com/api/intel/v1/threatvault/panav/search | https://autofocus.paloaltonetworks.com/api/intel/v1/threatvault/panav/search/result/{search_id}
https://autofocus.paloaltonetworks.com/api/intel/v1/threatvault/dns/search | https://autofocus.paloaltonetworks.com/api/intel/v1/threatvault/dns/search/result/{search_id}
JSON Sample
Request
Append the af_cookie to the resource URL and include the API key in the body of the request. (The body must be a JSON object; the bare key/value pair without braces is not valid JSON.)
curl -X POST -H "Content-Type: application/json" -d '{"apiKey":"apikey"}' "https://autofocus.paloaltonetworks.com/api/v1.0/samples/results/0-31b8b9a7-82d2-4d2c-a414-717cba470f03+0"
Response
The sample response contains the parameters af_message and af_in_progress, which indicate whether the previously initiated search has finished. While the search is still running, af_in_progress is true and af_complete_percentage reports progress; when the search is complete, the af_message value in the response is complete.
{
  "total": 11143,
  "hits": [
    {
      "_id": "d5d252b2a7b145f0777b1e6020ecc2457f14cbb661b384fc7d8a80f3e1004a7a",
      "_source": {
        "create_date": "2016-10-06T02:03:38",
        "sha256": "d5d252b2a7b145f0777b1e6020ecc2457f14cbb661b384fc7d8a80f3e1004a7a",
        "ssdeep": "768:+4Ylr/tYrSD810d6xfhhbhBZawROX2kgzIcNaFi48o:+lr1cSgPxp/mXksooiro",
        "md5": "0611cdbf57b2a7c9840cbff969e6b3f2",
        "filetype": "Microsoft Excel Document",
        "sha1": "dd75186f97b13f9092f3e8dae2f82bb33a20eba4",
        "finish_date": "2016-10-06T02:11:31",
        "malware": 1,
        "size": 37284,
        "tag": [],
        "region": [ "us" ]
      },
      "visible": true
    },
    /* TRUNCATED */
  ],
  "took": 19247,
  "af_in_progress": true,
  "af_first_result_af_took": 437,
  "af_complete_percentage": 72,
  "af_cookie": "2-91595279-f7d5-449e-b478-b231b2a9f266+0",
  "bucket_info": {
    "minute_points": 200,
    "daily_points": 100000,
    "minute_points_remaining": 179,
    "daily_points_remaining": 99178,
    "minute_bucket_start": "2016-10-10 17:43:55",
    "daily_bucket_start": "2016-10-10 03:27:03"
  },
  "original_query": {
    "body": {
      "scope": "public",
      "sort": { "create_date": { "order": "desc" } },
      "query": {
        "children": [
          { "field": "session.src_country", "value": "Algeria", "operator": "is" }
        ],
        "operator": "all"
      },
      "from": 0,
      "size": 50
    },
    "url": "/api/v1.0/samples/search"
  }
}
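The search-then-poll pattern described above (initiate a search, take the af_cookie from the reply, and request the matching results resource until af_in_progress turns false or af_message reads complete) as a small Python client. This is an added example, not AutoFocus's own client code; it assumes the resource paths in the table, the base URL seen in the curl command, the JSON request body shape {"apiKey": ...}, and the response fields shown in the JSON sample. The HTTP call is injected so the loop can run offline against constructed responses; http_post_json is the real transport.

```python
"""Poll an AutoFocus results resource until the initiated search completes.

Added example, not AutoFocus's own client code. Assumes the request and
response shapes shown on this page (API key posted as a JSON body,
af_cookie appended to the results path, af_in_progress / af_message /
bucket_info in the reply). The HTTP call is injected so the logic can run
offline against constructed responses; http_post_json is the real transport.
"""
import json
import time
import urllib.request

BASE_URL = "https://autofocus.paloaltonetworks.com/api/v1.0"  # from the curl sample

# Search resource -> results resource, copied from the table above.
RESULTS_FOR_SEARCH = {
    "/samples/search/": "/samples/results/{af_cookie}",
    "/stix/samples/search/": "/stix/samples/results/{af_cookie}",
    "/sessions/search/": "/sessions/results/{af_cookie}",
    "/stix/sessions/search/": "/stix/sessions/results/{af_cookie}",
    "/sessions/histogram/search/": "/sessions/histogram/results/{af_cookie}",
    "/sessions/aggregate/search/": "/sessions/aggregate/results/{af_cookie}",
    "/top-tags/search/": "/top-tags/results/{af_cookie}",
}


def results_path(search_path, af_cookie):
    """Results path that corresponds to the search resource a cookie came from."""
    return RESULTS_FOR_SEARCH[search_path].format(af_cookie=af_cookie)


def search_complete(response):
    """Done when af_message is 'complete' or af_in_progress has turned false."""
    return response.get("af_message") == "complete" or response.get("af_in_progress") is False


def http_post_json(url, body):
    """Real transport: POST the JSON body carrying the API key, decode the JSON reply."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def poll_results(af_cookie, api_key, post=http_post_json, search_path="/samples/search/",
                 max_polls=20, delay=5.0):
    """Request the results resource until the search reports completion.

    Stops early if the per-minute point bucket is exhausted: every poll costs
    points, so the caller should back off instead of retrying immediately.
    """
    url = BASE_URL + results_path(search_path, af_cookie)
    body = {"apiKey": api_key}
    for _ in range(max_polls):
        response = post(url, body)
        remaining = response.get("bucket_info", {}).get("minute_points_remaining")
        if remaining is not None and remaining <= 0:
            raise RuntimeError("minute_points exhausted; wait for the bucket to refill")
        if search_complete(response):
            return response
        if delay:
            time.sleep(delay)
    raise TimeoutError(f"search {af_cookie} still in progress after {max_polls} polls")


def hit_sha256s(response):
    """SHA-256 values of the hits in a results response (the JSON shape above)."""
    return [hit["_source"]["sha256"] for hit in response.get("hits", [])]


# Constructed responses (not real API output): first poll in progress, second complete.
CONSTRUCTED_RESPONSES = [
    {"af_in_progress": True, "af_complete_percentage": 72,
     "hits": [{"_source": {"sha256": "a" * 64, "malware": 1}}],
     "bucket_info": {"minute_points_remaining": 179}},
    {"af_in_progress": False, "af_message": "complete", "af_complete_percentage": 100,
     "hits": [{"_source": {"sha256": "a" * 64, "malware": 1}},
              {"_source": {"sha256": "b" * 64, "malware": 0}}],
     "bucket_info": {"minute_points_remaining": 178}},
]


def fake_post_factory(responses):
    """Offline transport that returns the canned responses in order and records calls."""
    calls = []

    def post(url, body):
        calls.append((url, body))
        return responses[len(calls) - 1]
    return post, calls


def demo():
    """Run the poll loop offline against CONSTRUCTED_RESPONSES; returns (final, polls)."""
    post, calls = fake_post_factory(CONSTRUCTED_RESPONSES)
    final = poll_results("2-91595279-f7d5-449e-b478-b231b2a9f266+0", "apikey",
                         post=post, delay=0)
    return final, len(calls)


if __name__ == "__main__":
    final, polls = demo()
    print(polls, "polls;", len(hit_sha256s(final)), "hits")
```

The bucket_info check is the part worth keeping in a real integration: the response tells you how many minute and daily points remain, and a tight polling loop that ignores it will exhaust the quota for every other consumer of the same API key.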
STIX Sample
Request
Append the af_cookie to the resource URL and include the API key in the body of the request.
curl -X POST -H "Content-Type: application/xml" -d '<req><apiKey>apikey</apiKey></req>' "https://autofocus.paloaltonetworks.com/api/v1.0/stix/samples/results/0-0d0bb06b-6252-48ff-9d3a-4e43af844338+0"
Response
The sample response contains the parameters af_message and af_in_progress, which indicate whether the previously initiated search has finished. When the search is complete, the af_message value in the response is complete and af_in_progress is false.
<res>
  <total>1223</total>
  <took>13559</took>
  <aggregations></aggregations>
  <af_message>complete</af_message>
  <af_in_progress>false</af_in_progress>
  <af_first_result_af_took>123</af_first_result_af_took>
  <af_complete_percentage>100</af_complete_percentage>
  <af_cookie>0-726c560a-fa11-41c7-b900-b267c80c15b3+0</af_cookie>
  <bucket_info>
    <minute_points>200</minute_points>
    <daily_points>10000</daily_points>
    <minute_points_remaining>189</minute_points_remaining>
    <daily_points_remaining>9268</daily_points_remaining>
    <minute_bucket_start>2016-05-09 14:08:33</minute_bucket_start>
    <daily_bucket_start>2016-05-09 03:42:10</daily_bucket_start>
  </bucket_info>
  <original_query>
    <body>
      <scope>private</scope>
      <sort>
        <update_date>
          <order>desc</order>
        </update_date>
      </sort>
      <query>
        <children>
          <item>
            <field>session.src_country</field>
            <value>Algeria</value>
            <operator>is</operator>
          </item>
        </children>
        <operator>all</operator>
      </query>
      <from>0</from>
      <size>50</size>
    </body>
    <url>/api/v1.0/stix/samples/search</url>
  </original_query>
  <stix>
    <stix:STIX_Package xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
        xmlns:autofocus="https://autofocus.paloaltonetworks.com"
        xmlns:cybox="http://cybox.mitre.org/cybox-2"
        xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
        xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
        xmlns:stix="http://stix.mitre.org/stix-1"
        xmlns:stixCommon="http://stix.mitre.org/common-1"
        xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        id="autofocus:Package-e2f6487f-37c8-44a7-89e0-2cc7437549f7"
        version="1.1.1"
        timestamp="2016-05-09T21:09:31.626761+00:00">
      <stix:Observables cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
        <cybox:Observable id="autofocus:Observable-75e24ed4-7201-458f-82b5-b1b529778f50">
          <cybox:Description>Wildfire Verdict: 1, First Seen: 2016-04-07T04:51:26, Finish Date: 2016-04-07T04:59:16, Tags: [Unit42.zNOT-PE-1026,5672.Satish-Cushman-Meta-Word97-2003]</cybox:Description>
          <cybox:Object id="autofocus:File-f6c615ee-98f9-4a92-af21-d29c7c0262f0">
            <cybox:Properties xsi:type="FileObj:FileObjectType">
              <FileObj:Size_In_Bytes>110080</FileObj:Size_In_Bytes>
              <FileObj:File_Format>Microsoft Word 97 - 2003 Document</FileObj:File_Format>
              <FileObj:Hashes>
                <cyboxCommon:Hash>
                  <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
                  <cyboxCommon:Simple_Hash_Value>393e21b3540a2d2fb56f37e216ef4627d37fe4c407127beaf845aead5628264c</cyboxCommon:Simple_Hash_Value>
                </cyboxCommon:Hash>
                <cyboxCommon:Hash>
                  <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</cyboxCommon:Type>
                  <cyboxCommon:Simple_Hash_Value>771b59b461da9487253ff40138de627c7ad96e7b</cyboxCommon:Simple_Hash_Value>
                </cyboxCommon:Hash>
                <cyboxCommon:Hash>
                  <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
                  <cyboxCommon:Simple_Hash_Value>ec5753a10ed77f0226c7490ced718c20</cyboxCommon:Simple_Hash_Value>
                </cyboxCommon:Hash>
                <cyboxCommon:Hash>
                  <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SSDEEP</cyboxCommon:Type>
                  <cyboxCommon:Fuzzy_Hash_Value>3072:SnfYFhXQIYH2c4tzeA/Kn334EEzUFYJ8Bei3DPOgyvqfYdth1lk6TVnAnZ0PmDz:Qm2ONBWpy</cyboxCommon:Fuzzy_Hash_Value>
                </cyboxCommon:Hash>
              </FileObj:Hashes>
              <FileObj:Digital_Signatures>
                <cyboxCommon:Digital_Signature></cyboxCommon:Digital_Signature>
              </FileObj:Digital_Signatures>
            </cybox:Properties>
          </cybox:Object>
        </cybox:Observable>
        <!-- TRUNCATED -->
      </stix:Observables>
    </stix:STIX_Package>
  </stix>
</res>
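Consuming the STIX response above means walking a namespaced CybOX tree: the completion fields sit unqualified under res, while each file observable is a cybox:Observable carrying a free-text Description and a FileObj:Hashes list in which SHA256/SHA1/MD5 use Simple_Hash_Value and SSDEEP uses Fuzzy_Hash_Value. This added example (not AutoFocus's own code) parses that shape with the standard library, pulls the verdict and tags out of the Description text, and rejects hex digests of the wrong length before they reach a blocklist. The sample document is constructed from the response above (one observable, no truncated remainder); the namespace URIs and element names are the ones it declares.

```python
"""Parse a STIX results response (/stix/samples/results/{af_cookie}).

Added example, not AutoFocus's own code. Assumes the element names and
namespaces declared in the STIX response on this page. The sample below is
constructed from that response: one Observable, hash values as shown there.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
}
# Expected hex-digest lengths; anything else is treated as a malformed indicator.
HEX_HASH_LENGTHS = {"SHA256": 64, "SHA1": 40, "MD5": 32}

CONSTRUCTED_STIX_RESPONSE = """<res>
  <total>1</total>
  <af_message>complete</af_message>
  <af_in_progress>false</af_in_progress>
  <af_cookie>0-726c560a-fa11-41c7-b900-b267c80c15b3+0</af_cookie>
  <stix>
    <stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
        xmlns:cybox="http://cybox.mitre.org/cybox-2"
        xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
        xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
        xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        id="autofocus:Package-constructed" version="1.1.1">
      <stix:Observables cybox_major_version="2" cybox_minor_version="1">
        <cybox:Observable id="autofocus:Observable-constructed">
          <cybox:Description>Wildfire Verdict: 1, First Seen: 2016-04-07T04:51:26, Tags: [Unit42.zNOT-PE-1026,5672.Satish-Cushman-Meta-Word97-2003]</cybox:Description>
          <cybox:Object id="autofocus:File-constructed">
            <cybox:Properties xsi:type="FileObj:FileObjectType">
              <FileObj:Size_In_Bytes>110080</FileObj:Size_In_Bytes>
              <FileObj:File_Format>Microsoft Word 97 - 2003 Document</FileObj:File_Format>
              <FileObj:Hashes>
                <cyboxCommon:Hash>
                  <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
                  <cyboxCommon:Simple_Hash_Value>393e21b3540a2d2fb56f37e216ef4627d37fe4c407127beaf845aead5628264c</cyboxCommon:Simple_Hash_Value>
                </cyboxCommon:Hash>
                <cyboxCommon:Hash>
                  <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
                  <cyboxCommon:Simple_Hash_Value>ec5753a10ed77f0226c7490ced718c20</cyboxCommon:Simple_Hash_Value>
                </cyboxCommon:Hash>
                <cyboxCommon:Hash>
                  <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SSDEEP</cyboxCommon:Type>
                  <cyboxCommon:Fuzzy_Hash_Value>3072:SnfYFhXQIYH2c4tzeA/Kn334EEzUFYJ8Bei3DPOgyvqfYdth1lk6TVnAnZ0PmDz:Qm2ONBWpy</cyboxCommon:Fuzzy_Hash_Value>
                </cyboxCommon:Hash>
              </FileObj:Hashes>
            </cybox:Properties>
          </cybox:Object>
        </cybox:Observable>
      </stix:Observables>
    </stix:STIX_Package>
  </stix>
</res>"""


def valid_hash(htype, value):
    """True if a hex digest has the length its type demands; fuzzy hashes are not checked."""
    expected = HEX_HASH_LENGTHS.get(htype)
    if expected is None:
        return bool(value)
    return re.fullmatch(r"[0-9a-f]{%d}" % expected, value or "") is not None


def parse_description(text):
    """Pull the WildFire verdict and tag list out of the free-text Description."""
    verdict = re.search(r"Wildfire Verdict: (\d+)", text)
    tags = re.search(r"Tags: \[([^\]]*)\]", text)
    return {"verdict": int(verdict.group(1)) if verdict else None,
            "tags": [t for t in tags.group(1).split(",") if t] if tags else []}


def parse_hashes(hashes_el):
    """Map hash type -> value; SSDEEP lives in Fuzzy_Hash_Value, the rest in Simple_Hash_Value."""
    out = {}
    for h in hashes_el.findall("cyboxCommon:Hash", NS):
        htype = h.findtext("cyboxCommon:Type", namespaces=NS)
        value = (h.findtext("cyboxCommon:Simple_Hash_Value", namespaces=NS)
                 or h.findtext("cyboxCommon:Fuzzy_Hash_Value", namespaces=NS))
        if not valid_hash(htype, value):
            raise ValueError(f"malformed {htype} value: {value!r}")
        out[htype] = value
    return out


def parse_stix_results(xml_text):
    """Completion status plus one dict per file observable in the STIX package."""
    root = ET.fromstring(xml_text)
    done = (root.findtext("af_message") == "complete"
            or root.findtext("af_in_progress") == "false")
    result = {"complete": done, "af_cookie": root.findtext("af_cookie"), "files": []}
    for obs in root.iterfind(".//cybox:Observable", NS):
        props = obs.find("cybox:Object/cybox:Properties", NS)
        entry = parse_description(obs.findtext("cybox:Description", default="", namespaces=NS))
        entry["size"] = int(props.findtext("FileObj:Size_In_Bytes", namespaces=NS))
        entry["format"] = props.findtext("FileObj:File_Format", namespaces=NS)
        entry["hashes"] = parse_hashes(props.find("FileObj:Hashes", NS))
        result["files"].append(entry)
    return result


if __name__ == "__main__":
    print(parse_stix_results(CONSTRUCTED_STIX_RESPONSE))
```

The verdict and tag list only exist as free text inside cybox:Description, so the regexes above are tied to the exact "Wildfire Verdict: N, ..., Tags: [a,b]" layout seen in the sample; if that text changes, parse_description returns None and an empty list rather than failing loudly, which a production consumer should treat as a parsing error. When the XML comes from any network source, parse it with defusedxml's drop-in ElementTree instead of the stdlib parser to shut off entity expansion and external entity resolution.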