Get Sample Analysis
Use this resource to get the properties, behaviors, and activities observed for a sample during WildFire™ analysis. To retrieve this information from the WildFire sample analysis report, include the SHA256 hash of the sample as a URL parameter.

Resource

/sample/{sample_id}/analysis
/stix/sample/{sample_id}/analysis
Request Parameters

Request URL Parameters

The following table describes the URL parameters for Get Sample Analysis requests.

| Parameter | Description | Type | Example or Possible Values |
|---|---|---|---|
| {sample_id} | (Required) SHA256 hash of the sample. The hash is provided in responses to sample searches. | string | Example: d87edc101466ec130ce42183c79a5d503a972530bac8463ac640eac37659ccd9 |
Request Body Parameters

The following table describes the body parameters for Get Sample Analysis requests.

| Parameter | Description | Type | Example or Possible Values |
|---|---|---|---|
| coverage | Boolean indicating whether to include applicable signature coverage data. This option lets you see the WildFire signatures available to cover a given sample, and so determine the current level of protection against that malware. | boolean | Possible values: true, false |
| sections | Include specific WildFire analysis sections, which describe the observed behavior. To include coverage as a section, you must also request coverage as part of your response ("coverage": true). | string enumeration | apk_app_icon, apk_app_name, apk_cert_file, apk_certificate_id, apk_defined_activity, apk_defined_intent_filter, apk_defined_receiver, apk_defined_sensor, apk_defined_service, apk_digital_signer, apk_embedded_library, apk_embeded_url, apk_internal_file, apk_isrepackaged, apk_packagename, apk_requested_permission, apk_sensitive_api_call, apk_suspicious_behavior, apk_suspicious_file, apk_suspicious_pattern, apk_suspicious_action_monitored, apk_suspicious_string, apk_version_num, behavior_type, connection, coverage, dns, file, http, japi, mac_embedded_url, misc, mutex, process, registry, service, user_agent |
| platforms | Analysis environments to include in the response. | string enumeration | Possible values: win7, winxp, android, static_analyzer, mac, bare_metal |
JSON Sample

Request

Include the SHA256 hash in the resource URL, and the API key in the request body.

```bash
curl -X POST -H "Content-Type: application/json" \
  -d '{ "apiKey":"apikey", "coverage":true, "sections":["coverage"] }' \
  'https://autofocus.paloaltonetworks.com/api/v1.0/sample/3d0d8c0e8b80ea89b6c360d0077ae2e6d08f654ad28d7c5da57adaf4593a333f/analysis'
```
Response

The response, which is specific to the hash that you specify in your request, includes numerous details categorized for both Windows XP and Windows 7: observed behavior, file activity, HTTP requests, process activity, registry activity, DNS activity, connection activity, user agent string fragments, mutex activity, and API activity.

```json
{
  "sections": [],
  "platforms": ["static_analyzer", "win7", "winxp"],
  "coverage": {
    "wf_av_sig": [
      {
        "name": "Virus/Win32.WGeneric.hosfp",
        "create_date": "2016-03-05T06:03:40.000Z",
        "first_added_daily": 1805,
        "last_added_daily": 1805,
        "first_added_15min": 90419,
        "last_added_15min": 90419,
        "first_added_5min": 16375,
        "last_added_5min": 16375,
        "currently_present_daily": false,
        "currently_present_15min": false,
        "currently_present_5min": false
      }
    ],
    "dns_sig": [
      {
        "name": "generic:www.stsunsetwest.com",
        "create_date": "2014-01-29T13:30:52.000Z",
        "first_added_daily": 1202,
        "last_added_daily": 1202,
        "first_added_15min": null,
        "last_added_15min": null,
        "first_added_5min": null,
        "last_added_5min": null,
        "currently_present_daily": false,
        "currently_present_15min": false,
        "currently_present_5min": false,
        "domain": "www.stsunsetwest.com"
      },
      ... (response truncated)
```
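The following example, added here and not part of the AutoFocus documentation or of any Palo Alto Networks SDK, ties the body-parameter rules above to the coverage data in the response. `build_request` validates the SHA256 path parameter and the section and platform enumerations, and refuses the `coverage` section unless `"coverage": true` is also set, as the table requires; `summarize_coverage` reduces the `coverage` object to the question a defender actually asks, namely which signatures are currently present in any release stream. `SAMPLE_RESPONSE` is constructed for the example: it is abridged from the JSON sample above with one additional, constructed DNS signature so that the "still protected" case appears.

```python
"""Build a Get Sample Analysis request and summarise its coverage data.

Added example; not part of the AutoFocus documentation or any vendor SDK.
Standard library only.
"""
import re

BASE_URL = "https://autofocus.paloaltonetworks.com/api/v1.0"

# Enumerations copied from the documented "sections" and "platforms" parameters.
VALID_SECTIONS = {
    "apk_app_icon", "apk_app_name", "apk_cert_file", "apk_certificate_id",
    "apk_defined_activity", "apk_defined_intent_filter", "apk_defined_receiver",
    "apk_defined_sensor", "apk_defined_service", "apk_digital_signer",
    "apk_embedded_library", "apk_embeded_url", "apk_internal_file",
    "apk_isrepackaged", "apk_packagename", "apk_requested_permission",
    "apk_sensitive_api_call", "apk_suspicious_behavior", "apk_suspicious_file",
    "apk_suspicious_pattern", "apk_suspicious_action_monitored",
    "apk_suspicious_string", "apk_version_num", "behavior_type", "connection",
    "coverage", "dns", "file", "http", "japi", "mac_embedded_url", "misc",
    "mutex", "process", "registry", "service", "user_agent",
}
VALID_PLATFORMS = {"win7", "winxp", "android", "static_analyzer", "mac", "bare_metal"}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
PRESENT_KEYS = ("currently_present_daily", "currently_present_15min",
                "currently_present_5min")


def build_request(api_key, sample_id, coverage=False, sections=(), platforms=()):
    """Return (url, body) for a JSON Get Sample Analysis call.

    Inputs are checked before they reach the wire: the hash must be a
    64-character lowercase hex SHA256 (the only value that belongs in the
    URL path), section and platform names must come from the documented
    enumerations, and requesting the "coverage" section without
    "coverage": true is rejected, as the documentation requires.
    """
    if not SHA256_RE.match(sample_id):
        raise ValueError("sample_id must be a 64-character lowercase hex SHA256")
    sections, platforms = list(sections), list(platforms)
    unknown = set(sections) - VALID_SECTIONS
    if unknown:
        raise ValueError(f"unknown sections: {sorted(unknown)}")
    unknown = set(platforms) - VALID_PLATFORMS
    if unknown:
        raise ValueError(f"unknown platforms: {sorted(unknown)}")
    if "coverage" in sections and not coverage:
        raise ValueError('the "coverage" section requires "coverage": true')
    body = {"apiKey": api_key, "coverage": coverage}
    if sections:
        body["sections"] = sections
    if platforms:
        body["platforms"] = platforms
    return f"{BASE_URL}/sample/{sample_id}/analysis", body


def summarize_coverage(analysis):
    """Per signature type, count signatures and list those still in a release.

    A signature that was added to the daily/15min/5min streams at some point
    but whose currently_present_* flags are all false no longer protects
    anyone; "active" is therefore the list that answers "is this sample
    covered right now".
    """
    summary = {}
    for sig_type, sigs in analysis.get("coverage", {}).items():
        active = [s["name"] for s in sigs if any(s.get(k) for k in PRESENT_KEYS)]
        summary[sig_type] = {"total": len(sigs), "active": active}
    return summary


# Constructed response: abridged from the documentation's JSON sample, plus
# one constructed DNS signature that is still present in the daily release.
SAMPLE_RESPONSE = {
    "sections": [],
    "platforms": ["static_analyzer", "win7", "winxp"],
    "coverage": {
        "wf_av_sig": [
            {"name": "Virus/Win32.WGeneric.hosfp",
             "create_date": "2016-03-05T06:03:40.000Z",
             "currently_present_daily": False,
             "currently_present_15min": False,
             "currently_present_5min": False},
        ],
        "dns_sig": [
            {"name": "generic:www.stsunsetwest.com",
             "create_date": "2014-01-29T13:30:52.000Z",
             "currently_present_daily": False,
             "currently_present_15min": False,
             "currently_present_5min": False,
             "domain": "www.stsunsetwest.com"},
            {"name": "generic:example.invalid",  # constructed entry
             "currently_present_daily": True,
             "currently_present_15min": False,
             "currently_present_5min": False,
             "domain": "example.invalid"},
        ],
    },
}
```

Sending the request is a plain HTTPS POST of `body` as JSON to `url` (the curl command above shows the exact wire format); the validation step matters because the SHA256 is interpolated into the URL path and the enumerations are the only values the service documents.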
STIX Sample

Request

Include the SHA256 hash in the resource URL, and the API key in the request body.

```bash
curl -X POST -H "Content-Type: application/xml" \
  -d '<req> <apiKey>apikey</apiKey> <sections><item>file</item></sections> <platforms><item>win7</item><item>winxp</item></platforms> </req>' \
  "https://autofocus.paloaltonetworks.com/api/v1.0/stix/sample/3d0d8c0e8b80ea89b6c360d0077ae2e6d08f654ad28d7c5da57adaf4593a333f/analysis"
```
Response

The response, which is specific to the hash that you specify in your request, includes numerous details categorized for both Windows XP and Windows 7: observed behavior, file activity, HTTP requests, process activity, registry activity, DNS activity, connection activity, user agent string fragments, mutex activity, and API activity.

```xml
<maecBundle:Action id="autofocus:action-caa0b4e9-18e1-41d6-80ae-5c981196aa08">
  <cybox:Description>Line counts: Malware: 29962552, Benign: 15163791, Grayware: 3153170</cybox:Description>
  <cybox:Action_Arguments>
    <cybox:Action_Argument>
      <cybox:Argument_Value>Write</cybox:Argument_Value>
    </cybox:Action_Argument>
    <cybox:Action_Argument>
      <cybox:Argument_Value>Windows\AppCompat\Programs\RecentFileCache.bcf</cybox:Argument_Value>
    </cybox:Action_Argument>
  </cybox:Action_Arguments>
  <cybox:Associated_Objects>
    <cybox:Associated_Object id="autofocus:Process-70224e7f-a126-48a7-9111-933e8e0f8c40">
      <cybox:Properties xsi:type="ProcessObj:ProcessObjectType">
        <ProcessObj:Name>svchost.exe</ProcessObj:Name>
      </cybox:Properties>
    </cybox:Associated_Object>
    <cybox:Associated_Object id="autofocus:System-319a6a30-face-49a4-9e41-262558602a0c">
      <cybox:Properties xsi:type="SystemObj:SystemObjectType">
        <SystemObj:OS>
          <SystemObj:Platform>
            <cyboxCommon:Identifier system="win7">None</cyboxCommon:Identifier>
          </SystemObj:Platform>
        </SystemObj:OS>
      </cybox:Properties>
    </cybox:Associated_Object>
  </cybox:Associated_Objects>
</maecBundle:Action>
<maecBundle:Action id="autofocus:action-06c9fc06-000b-4759-a555-ed22c35a5d6d">
  <cybox:Description>Line counts: Malware: 1, Benign: 0, Grayware: 0</cybox:Description>
  <cybox:Action_Arguments>
    <cybox:Action_Argument>
      <cybox:Argument_Value>Write</cybox:Argument_Value>
    </cybox:Action_Argument>
    <cybox:Action_Argument>
      <cybox:Argument_Value>Users\Administrator\AppData\Local\Temp\is-RUD9I.tmp\sample.tmp</cybox:Argument_Value>
    </cybox:Action_Argument>
  </cybox:Action_Arguments>
  <cybox:Associated_Objects>
    <cybox:Associated_Object id="autofocus:Process-4e3fe414-af23-47bd-9338-c5a2665a3903">
      <cybox:Properties xsi:type="ProcessObj:ProcessObjectType">
        <ProcessObj:Name>sample.exe</ProcessObj:Name>
      </cybox:Properties>
    </cybox:Associated_Object>
    <cybox:Associated_Object id="autofocus:System-02eb108b-9d06-4e23-ba87-36a9d84ac95d">
      <cybox:Properties xsi:type="SystemObj:SystemObjectType">
        <SystemObj:OS>
          <SystemObj:Platform>
            <cyboxCommon:Identifier system="win7">None</cyboxCommon:Identifier>
          </SystemObj:Platform>
        </SystemObj:OS>
      </cybox:Properties>
    </cybox:Associated_Object>
  </cybox:Associated_Objects>
</maecBundle:Action>
```
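The example below, added here and not part of the AutoFocus documentation, shows how a consumer turns the STIX/MAEC file-activity actions above into records an analyst can rank. Each `Action` carries the operation and target path as argument values, the acting process and the analysis platform as associated objects, and a `Line counts` description giving how many malware, benign and grayware samples in AutoFocus exhibited the same line. The first action (svchost.exe writing `RecentFileCache.bcf`) was seen in some 15 million benign samples and is ordinary Windows behaviour; the second was seen in exactly one sample, the one analysed, which is what makes it worth a detection. The XML is the page's own response sample wrapped in a constructed root element; the namespace URIs declared on that root are assumed (the standard CybOX 2 and MAEC 4 URIs) and only serve to make the prefixes parse, since the code matches on local names and does not depend on them.

```python
"""Extract and rank file-activity actions from a STIX/MAEC analysis response.

Added example; not part of the AutoFocus documentation. Standard library only.
"""
import re
import xml.etree.ElementTree as ET

# Constructed wrapper around the documentation's STIX response sample. The
# namespace URIs are assumed; parsing below matches local names only.
SAMPLE_STIX = r"""<root
  xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4"
  xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
  xmlns:ProcessObj="http://cybox.mitre.org/objects#ProcessObject-2"
  xmlns:SystemObj="http://cybox.mitre.org/objects#SystemObject-2"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<maecBundle:Action id="autofocus:action-caa0b4e9-18e1-41d6-80ae-5c981196aa08">
 <cybox:Description>Line counts: Malware: 29962552, Benign: 15163791, Grayware: 3153170</cybox:Description>
 <cybox:Action_Arguments>
  <cybox:Action_Argument><cybox:Argument_Value>Write</cybox:Argument_Value></cybox:Action_Argument>
  <cybox:Action_Argument><cybox:Argument_Value>Windows\AppCompat\Programs\RecentFileCache.bcf</cybox:Argument_Value></cybox:Action_Argument>
 </cybox:Action_Arguments>
 <cybox:Associated_Objects>
  <cybox:Associated_Object id="autofocus:Process-70224e7f-a126-48a7-9111-933e8e0f8c40">
   <cybox:Properties xsi:type="ProcessObj:ProcessObjectType"><ProcessObj:Name>svchost.exe</ProcessObj:Name></cybox:Properties>
  </cybox:Associated_Object>
  <cybox:Associated_Object id="autofocus:System-319a6a30-face-49a4-9e41-262558602a0c">
   <cybox:Properties xsi:type="SystemObj:SystemObjectType"><SystemObj:OS><SystemObj:Platform>
    <cyboxCommon:Identifier system="win7">None</cyboxCommon:Identifier>
   </SystemObj:Platform></SystemObj:OS></cybox:Properties>
  </cybox:Associated_Object>
 </cybox:Associated_Objects>
</maecBundle:Action>
<maecBundle:Action id="autofocus:action-06c9fc06-000b-4759-a555-ed22c35a5d6d">
 <cybox:Description>Line counts: Malware: 1, Benign: 0, Grayware: 0</cybox:Description>
 <cybox:Action_Arguments>
  <cybox:Action_Argument><cybox:Argument_Value>Write</cybox:Argument_Value></cybox:Action_Argument>
  <cybox:Action_Argument><cybox:Argument_Value>Users\Administrator\AppData\Local\Temp\is-RUD9I.tmp\sample.tmp</cybox:Argument_Value></cybox:Action_Argument>
 </cybox:Action_Arguments>
 <cybox:Associated_Objects>
  <cybox:Associated_Object id="autofocus:Process-4e3fe414-af23-47bd-9338-c5a2665a3903">
   <cybox:Properties xsi:type="ProcessObj:ProcessObjectType"><ProcessObj:Name>sample.exe</ProcessObj:Name></cybox:Properties>
  </cybox:Associated_Object>
  <cybox:Associated_Object id="autofocus:System-02eb108b-9d06-4e23-ba87-36a9d84ac95d">
   <cybox:Properties xsi:type="SystemObj:SystemObjectType"><SystemObj:OS><SystemObj:Platform>
    <cyboxCommon:Identifier system="win7">None</cyboxCommon:Identifier>
   </SystemObj:Platform></SystemObj:OS></cybox:Properties>
  </cybox:Associated_Object>
 </cybox:Associated_Objects>
</maecBundle:Action>
</root>"""

COUNTS_RE = re.compile(r"Malware:\s*(\d+),\s*Benign:\s*(\d+),\s*Grayware:\s*(\d+)")


def local_name(tag):
    """Strip the '{uri}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def descendants(elem, name):
    """All strict descendants of elem whose local name is name."""
    return [e for e in elem.iter() if e is not elem and local_name(e.tag) == name]


def parse_counts(description):
    """Turn 'Line counts: Malware: N, Benign: N, Grayware: N' into a dict, or None."""
    m = COUNTS_RE.search(description or "")
    if not m:
        return None
    return {"malware": int(m.group(1)), "benign": int(m.group(2)),
            "grayware": int(m.group(3))}


def parse_actions(xml_text):
    """Return one record per maecBundle:Action: operation, target, process,
    platform and the sample-prevalence counts from the description."""
    root = ET.fromstring(xml_text)
    actions = []
    for act in descendants(root, "Action"):
        args = [a.text or "" for a in descendants(act, "Argument_Value")]
        desc = descendants(act, "Description")
        rec = {
            "id": act.get("id"),
            "operation": args[0] if args else None,
            "target": args[1] if len(args) > 1 else None,
            "process": None,
            "platform": None,
            "counts": parse_counts(desc[0].text if desc else ""),
        }
        for name in descendants(act, "Name"):          # ProcessObj:Name
            rec["process"] = name.text
        for ident in descendants(act, "Identifier"):   # cyboxCommon:Identifier
            rec["platform"] = ident.get("system")
        actions.append(rec)
    return actions


def sample_specific(actions, max_benign=0):
    """Keep only actions seen in at most max_benign benign samples.

    Ranking by the benign count separates activity unique to this sample
    from background OS behaviour before it is turned into a detection rule.
    """
    return [a for a in actions
            if a["counts"] is not None and a["counts"]["benign"] <= max_benign]
```

`parse_actions(SAMPLE_STIX)` yields two records; `sample_specific` keeps only the `sample.exe` write into the user's `Temp` directory, because the `svchost.exe` write carries a benign count in the millions.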