Get Sample Analysis

Use this resource to get the properties, behaviors, and activities observed for a sample during WildFire™ analysis, the same information shown in the WildFire sample analysis report. Identify the sample by including its SHA256 hash as a URL parameter.

Resource

JSON: /sample/{sample_id}/analysis
STIX: /stix/sample/{sample_id}/analysis

Request URL Parameters

The following table describes URL parameters for Get Sample Analysis requests.

Parameter: {sample_id}
Description: (Required) SHA256 hash of the sample. The hash is provided in responses to sample searches.
Type: string
Example: d87edc101466ec130ce42183c79a5d503a972530bac8463ac640eac37659ccd9

Request Body Parameters

The following table describes body parameters for Get Sample Analysis requests.

Parameter: coverage
Description: Boolean that indicates whether to include applicable signature coverage data. This option shows the WildFire signatures available to cover a given sample, so you can determine the current level of protection against that malware. The JSON examples in this table quote the value ("true"); the curl request in the JSON sample below sends it as the unquoted JSON boolean true.
Type: boolean
Possible values: true, false
Example: { "apiKey":"apikey", "coverage":"true", "sections":["coverage"] }

Parameter: sections
Description: Include specific WildFire analysis sections, which describe the observed behavior.
Type: string enumeration
Possible values:
apk_app_icon
apk_app_name
apk_cert_file
apk_certificate_id
apk_defined_activity
apk_defined_intent_filter
apk_defined_receiver
apk_defined_sensor
apk_defined_service
apk_digital_signer
apk_embedded_library
apk_embeded_url
apk_internal_file
apk_isrepackaged
apk_packagename
apk_requested_permission
apk_sensitive_api_call
apk_suspicious_behavior
apk_suspicious_file
apk_suspicious_pattern
apk_suspicious_action_monitored
apk_suspicious_string
apk_version_num
behavior_type
connection
coverage
dns
file
http
japi
mac_embedded_url
misc
mutex
process
registry
service
user_agent
To include coverage as a section, you must also request coverage as part of your response ("coverage":"true"); without it the coverage section is not returned.
Example: { "apiKey":"apikey", "coverage":"true", "sections":["coverage"] }

Parameter: platforms
Description: Analysis environments to include in the response.
Type: string enumeration
Possible values: win7, winxp, android, static_analyzer, mac, bare_metal
Example: { "apiKey": "apikey", "sections": ["file"], "platforms": ["win7", "winxp"] }

JSON Sample

Request

Include the SHA256 hash in the resource URL, and the API key in the request body.
curl -X POST -H "Content-Type: application/json" -d '{ "apiKey":"apikey", "coverage":true, "sections":["coverage"] }' 'https://autofocus.paloaltonetworks.com/api/v1.0/sample/3d0d8c0e8b80ea89b6c360d0077ae2e6d08f654ad28d7c5da57adaf4593a333f/analysis'

Response

The response, which is specific to the hash that you specify in your request, lists the platforms the sample was analyzed on (here static_analyzer, win7, and winxp) and the requested details for each: observed behavior; file activity; HTTP requests; process activity; registry activity; DNS activity; connection activity; user agent string fragments; mutex activity; and API activity. Because this request asked for coverage only, the excerpt below shows the coverage block: WildFire AV and DNS signatures, when each was created, and whether it is currently present in the daily, 15min, and 5min signature sets.
{
  "sections": [],
  "platforms": [ "static_analyzer", "win7", "winxp" ],
  "coverage": {
    "wf_av_sig": [
      {
        "name": "Virus/Win32.WGeneric.hosfp",
        "create_date": "2016-03-05T06:03:40.000Z",
        "first_added_daily": 1805,
        "last_added_daily": 1805,
        "first_added_15min": 90419,
        "last_added_15min": 90419,
        "first_added_5min": 16375,
        "last_added_5min": 16375,
        "currently_present_daily": false,
        "currently_present_15min": false,
        "currently_present_5min": false
      }
    ],
    "dns_sig": [
      {
        "name": "generic:www.stsunsetwest.com",
        "create_date": "2014-01-29T13:30:52.000Z",
        "first_added_daily": 1202,
        "last_added_daily": 1202,
        "first_added_15min": null,
        "last_added_15min": null,
        "first_added_5min": null,
        "last_added_5min": null,
        "currently_present_daily": false,
        "currently_present_15min": false,
        "currently_present_5min": false,
        "domain": "www.stsunsetwest.com"
      },
<!-- TRUNCATED -->
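The following Python client is an added example, not code from the AutoFocus documentation or any Palo Alto Networks SDK. It builds a Get Sample Analysis request from the URL and body parameters described above (validating the SHA256 before it is placed in the URL path, checking sections and platforms against the enumerations, and enforcing the rule that the coverage section requires coverage to be requested), then summarizes the coverage block of a response into a per-signature protection status. It sends coverage as the JSON boolean true, as the curl request does. Using urllib for the POST is an assumption, and SAMPLE_RESPONSE is constructed from the page's sample response with one currently_present flag changed so that a covered signature is shown.

```python
"""Build a Get Sample Analysis request and summarize the coverage block of
its JSON response. Added example, not AutoFocus documentation or SDK code.
Assumed (not stated on the page): urllib is used for the POST, and the
SAMPLE_RESPONSE below is constructed from the page's sample response."""
import json
import re
import urllib.request

BASE_URL = "https://autofocus.paloaltonetworks.com/api/v1.0"

# Enumerations from the page's parameter tables.
PLATFORMS = {"win7", "winxp", "android", "static_analyzer", "mac", "bare_metal"}
SECTIONS = set("""
apk_app_icon apk_app_name apk_cert_file apk_certificate_id apk_defined_activity
apk_defined_intent_filter apk_defined_receiver apk_defined_sensor apk_defined_service
apk_digital_signer apk_embedded_library apk_embeded_url apk_internal_file apk_isrepackaged
apk_packagename apk_requested_permission apk_sensitive_api_call apk_suspicious_behavior
apk_suspicious_file apk_suspicious_pattern apk_suspicious_action_monitored
apk_suspicious_string apk_version_num behavior_type connection coverage dns file http
japi mac_embedded_url misc mutex process registry service user_agent
""".split())
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def build_request(api_key, sha256, sections=(), platforms=(), coverage=False):
    """Return (url, body) for POST /sample/{sample_id}/analysis. The hash is
    validated before it is interpolated into the URL path, so a value that is
    not a SHA256 can never rewrite the path; enums are checked as well."""
    sha256 = sha256.strip().lower()
    if not SHA256_RE.match(sha256):
        raise ValueError("sample_id must be a 64-hex-character SHA256")
    unknown = set(sections) - SECTIONS
    if unknown:
        raise ValueError(f"unknown sections: {sorted(unknown)}")
    unknown = set(platforms) - PLATFORMS
    if unknown:
        raise ValueError(f"unknown platforms: {sorted(unknown)}")
    if "coverage" in sections and not coverage:
        # Page rule: the coverage section is only returned if coverage is requested.
        raise ValueError('the "coverage" section requires coverage=True')
    body = {"apiKey": api_key, "coverage": coverage}  # JSON boolean, as in the curl example
    if sections:
        body["sections"] = list(sections)
    if platforms:
        body["platforms"] = list(platforms)
    return f"{BASE_URL}/sample/{sha256}/analysis", body


def fetch_analysis(api_key, sha256, **params):
    """POST the request and return the decoded JSON (network call; not run here)."""
    url, body = build_request(api_key, sha256, **params)
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def summarize_coverage(response):
    """One row per signature in response["coverage"], with the list of
    currently_present_* flags (daily / 15min / 5min) that are set."""
    rows = []
    for sig_type, sigs in response.get("coverage", {}).items():
        for sig in sigs:
            present = [key.rsplit("_", 1)[1] for key, value in sig.items()
                       if key.startswith("currently_present_") and value]
            rows.append({"type": sig_type, "name": sig["name"],
                         "create_date": sig.get("create_date"),
                         "present_in": present})
    return rows


def protected(rows):
    """True if at least one signature for the sample is currently present."""
    return any(row["present_in"] for row in rows)


# Constructed from the page's sample response; the dns_sig daily flag is set
# to True here (it is false on the page) to show a covered signature.
SAMPLE_RESPONSE = {
    "sections": [], "platforms": ["static_analyzer", "win7", "winxp"],
    "coverage": {
        "wf_av_sig": [{"name": "Virus/Win32.WGeneric.hosfp",
                       "create_date": "2016-03-05T06:03:40.000Z",
                       "currently_present_daily": False,
                       "currently_present_15min": False,
                       "currently_present_5min": False}],
        "dns_sig": [{"name": "generic:www.stsunsetwest.com",
                     "create_date": "2014-01-29T13:30:52.000Z",
                     "domain": "www.stsunsetwest.com",
                     "currently_present_daily": True,
                     "currently_present_15min": False,
                     "currently_present_5min": False}],
    },
}

if __name__ == "__main__":
    url, body = build_request("apikey", "3d0d8c0e8b80ea89b6c360d0077ae2e6d08f654ad28d7c5da57adaf4593a333f",
                              sections=["coverage"], coverage=True)
    print(url, json.dumps(body))
    rows = summarize_coverage(SAMPLE_RESPONSE)
    print(rows, "protected:", protected(rows))
```

Replace the literal API key with one loaded from the environment before using fetch_analysis; the key travels in the request body, so never put it in the URL or in logs of the request line.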

STIX Sample

Request

As with the JSON request, include the SHA256 hash in the resource URL and the API key in the request body; here the body is XML and the Content-Type header is application/xml.
curl -X POST -H "Content-Type: application/xml" -d ' <req> <apiKey>apikey</apiKey> <sections><item>file</item></sections> <platforms><item>win7</item><item>winxp</item></platforms> </req>' "https://autofocus.paloaltonetworks.com/api/v1.0/stix/sample/3d0d8c0e8b80ea89b6c360d0077ae2e6d08f654ad28d7c5da57adaf4593a333f/analysis"

Response

The STIX response covers the same categories as the JSON response, expressed as MAEC Actions. Each Action carries a Description with the Malware, Benign, and Grayware line counts AutoFocus attaches to that artifact, its arguments (here the operation, Write, and the file path it targeted), the process that performed it, and the analysis platform. The excerpt below shows two file-write Actions observed on win7.
<maecBundle:Action id="autofocus:action-caa0b4e9-18e1-41d6-80ae-5c981196aa08">
  <cybox:Description>Line counts: Malware: 29962552, Benign: 15163791, Grayware: 3153170</cybox:Description>
  <cybox:Action_Arguments>
    <cybox:Action_Argument>
      <cybox:Argument_Value>Write</cybox:Argument_Value>
    </cybox:Action_Argument>
    <cybox:Action_Argument>
      <cybox:Argument_Value>Windows\AppCompat\Programs\RecentFileCache.bcf</cybox:Argument_Value>
    </cybox:Action_Argument>
  </cybox:Action_Arguments>
  <cybox:Associated_Objects>
    <cybox:Associated_Object id="autofocus:Process-70224e7f-a126-48a7-9111-933e8e0f8c40">
      <cybox:Properties xsi:type="ProcessObj:ProcessObjectType">
        <ProcessObj:Name>svchost.exe</ProcessObj:Name>
      </cybox:Properties>
    </cybox:Associated_Object>
    <cybox:Associated_Object id="autofocus:System-319a6a30-face-49a4-9e41-262558602a0c">
      <cybox:Properties xsi:type="SystemObj:SystemObjectType">
        <SystemObj:OS>
          <SystemObj:Platform>
            <cyboxCommon:Identifier system="win7">None</cyboxCommon:Identifier>
          </SystemObj:Platform>
        </SystemObj:OS>
      </cybox:Properties>
    </cybox:Associated_Object>
  </cybox:Associated_Objects>
</maecBundle:Action>
<maecBundle:Action id="autofocus:action-06c9fc06-000b-4759-a555-ed22c35a5d6d">
  <cybox:Description>Line counts: Malware: 1, Benign: 0, Grayware: 0</cybox:Description>
  <cybox:Action_Arguments>
    <cybox:Action_Argument>
      <cybox:Argument_Value>Write</cybox:Argument_Value>
    </cybox:Action_Argument>
    <cybox:Action_Argument>
      <cybox:Argument_Value>Users\Administrator\AppData\Local\Temp\is-RUD9I.tmp\sample.tmp</cybox:Argument_Value>
    </cybox:Action_Argument>
  </cybox:Action_Arguments>
  <cybox:Associated_Objects>
    <cybox:Associated_Object id="autofocus:Process-4e3fe414-af23-47bd-9338-c5a2665a3903">
      <cybox:Properties xsi:type="ProcessObj:ProcessObjectType">
        <ProcessObj:Name>sample.exe</ProcessObj:Name>
      </cybox:Properties>
    </cybox:Associated_Object>
    <cybox:Associated_Object id="autofocus:System-02eb108b-9d06-4e23-ba87-36a9d84ac95d">
      <cybox:Properties xsi:type="SystemObj:SystemObjectType">
        <SystemObj:OS>
          <SystemObj:Platform>
            <cyboxCommon:Identifier system="win7">None</cyboxCommon:Identifier>
          </SystemObj:Platform>
        </SystemObj:OS>
      </cybox:Properties>
    </cybox:Associated_Object>
  </cybox:Associated_Objects>
</maecBundle:Action>
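The parser below is an added example, not AutoFocus or Palo Alto Networks code. It walks the MAEC Actions in a STIX Get Sample Analysis response and flattens each into a (platform, process, action, target, line counts) row, then uses the Benign line count as a prevalence filter so that an artifact seen in millions of benign samples (the RecentFileCache.bcf write by svchost.exe) drops out while the write unique to this sample stays. Because the fragment on the page omits xmlns declarations, the code wraps it in a root element that declares placeholder namespace URIs for the prefixes and matches elements by local name; the FRAGMENT is constructed from the page's sample with the ids shortened.

```python
"""Extract (platform, process, action, target) rows from the MAEC Actions in a
STIX Get Sample Analysis response. Added example, not AutoFocus code.
Assumed: the page's fragment omits xmlns declarations, so a wrapper root
declares placeholder URIs for the prefixes; elements are matched by local
name, so the real MAEC/CybOX namespace URIs are not needed."""
import re
import xml.etree.ElementTree as ET

NS_DECLS = " ".join(
    f'xmlns:{p}="urn:placeholder:{p}"'
    for p in ("maecBundle", "cybox", "cyboxCommon", "ProcessObj", "SystemObj")
) + ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'

# Constructed fragment modelled on the page's STIX sample (ids shortened).
FRAGMENT = r"""
<maecBundle:Action id="autofocus:action-caa0b4e9">
  <cybox:Description>Line counts: Malware: 29962552, Benign: 15163791, Grayware: 3153170</cybox:Description>
  <cybox:Action_Arguments>
    <cybox:Action_Argument><cybox:Argument_Value>Write</cybox:Argument_Value></cybox:Action_Argument>
    <cybox:Action_Argument><cybox:Argument_Value>Windows\AppCompat\Programs\RecentFileCache.bcf</cybox:Argument_Value></cybox:Action_Argument>
  </cybox:Action_Arguments>
  <cybox:Associated_Objects>
    <cybox:Associated_Object id="autofocus:Process-70224e7f"><cybox:Properties xsi:type="ProcessObj:ProcessObjectType"><ProcessObj:Name>svchost.exe</ProcessObj:Name></cybox:Properties></cybox:Associated_Object>
    <cybox:Associated_Object id="autofocus:System-319a6a30"><cybox:Properties xsi:type="SystemObj:SystemObjectType"><SystemObj:OS><SystemObj:Platform><cyboxCommon:Identifier system="win7">None</cyboxCommon:Identifier></SystemObj:Platform></SystemObj:OS></cybox:Properties></cybox:Associated_Object>
  </cybox:Associated_Objects>
</maecBundle:Action>
<maecBundle:Action id="autofocus:action-06c9fc06">
  <cybox:Description>Line counts: Malware: 1, Benign: 0, Grayware: 0</cybox:Description>
  <cybox:Action_Arguments>
    <cybox:Action_Argument><cybox:Argument_Value>Write</cybox:Argument_Value></cybox:Action_Argument>
    <cybox:Action_Argument><cybox:Argument_Value>Users\Administrator\AppData\Local\Temp\is-RUD9I.tmp\sample.tmp</cybox:Argument_Value></cybox:Action_Argument>
  </cybox:Action_Arguments>
  <cybox:Associated_Objects>
    <cybox:Associated_Object id="autofocus:Process-4e3fe414"><cybox:Properties xsi:type="ProcessObj:ProcessObjectType"><ProcessObj:Name>sample.exe</ProcessObj:Name></cybox:Properties></cybox:Associated_Object>
    <cybox:Associated_Object id="autofocus:System-02eb108b"><cybox:Properties xsi:type="SystemObj:SystemObjectType"><SystemObj:OS><SystemObj:Platform><cyboxCommon:Identifier system="win7">None</cyboxCommon:Identifier></SystemObj:Platform></SystemObj:OS></cybox:Properties></cybox:Associated_Object>
  </cybox:Associated_Objects>
</maecBundle:Action>
"""


def local(tag):
    """Strip the {namespace} part ElementTree prepends to qualified tags."""
    return tag.rsplit("}", 1)[-1]


def parse_counts(text):
    """'Line counts: Malware: 1, Benign: 0, Grayware: 0' -> dict of ints."""
    return {k: int(v) for k, v in re.findall(r"(Malware|Benign|Grayware): (\d+)", text)}


def parse_actions(fragment):
    """Return one row per maecBundle:Action in the fragment."""
    root = ET.fromstring(f"<wrapper {NS_DECLS}>{fragment}</wrapper>")
    rows = []
    for action in root:
        if local(action.tag) != "Action":
            continue
        row = {"id": action.get("id"), "platform": None, "process": None,
               "action": None, "target": None, "counts": {}}
        args = []
        for el in action.iter():
            name = local(el.tag)
            if name == "Argument_Value":
                args.append(el.text)
            elif name == "Name":            # ProcessObj:Name
                row["process"] = el.text
            elif name == "Identifier":      # cyboxCommon:Identifier system="win7"
                row["platform"] = el.get("system")
            elif name == "Description" and el.text:
                row["counts"] = parse_counts(el.text)
        # Page layout: first argument is the operation, second its target.
        row["action"], row["target"] = (args + [None, None])[:2]
        rows.append(row)
    return rows


def low_prevalence(rows, max_benign=0):
    """Keep actions whose Benign line count is at most max_benign: the
    RecentFileCache.bcf write seen in millions of benign samples drops out,
    the sample.tmp write seen in this sample alone stays."""
    return [r for r in rows if r["counts"].get("Benign", 0) <= max_benign]


if __name__ == "__main__":
    for r in low_prevalence(parse_actions(FRAGMENT)):
        print(r["platform"], r["process"], r["action"], r["target"], r["counts"])
```

On a full response, feed the Actions inside the maecBundle element to parse_actions the same way; the placeholder namespaces are only needed because this excerpt lacks the declarations a complete document carries.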
