Get Tags
Use this resource to get a list of tags. You can specify optional parameters such as scope to further filter results.
Resource
/tags/ /stix/tags/
Request Parameters
Request Body Parameters
The following table describes body parameters for Get Tags requests.
Parameters | Description | Type | Example or Possible Values |
---|---|---|---|
scope | Scope of the search. | string enumeration | Possible values: visible: tags visible to you; private: private tags owned by you; mine: tags owned by you; public: public tags; unit42: Unit 42 tags; commodity: Unit 42 commodity tags. Default value: visible |
pageSize | The number of results to provide per response. | Number | Possible values: Range is 1-200; default is 50. |
pageNum | The page number from which to start displaying tags. When pageNum is specified, results are shown starting from that particular page number. A value of 0 indicates page 1. | Number | Possible values: Range is 0-1,000,000,000; default is 0. |
sortBy | Sort by the specified label. | String enumeration | Possible values: name, status, count, lasthit, upVotes. Default value: name |
order | Sort either in ascending or descending order. Ascending order is alphabetical or numbers sorted from lowest to highest, descending order is the opposite. | String enumeration | Possible values: asc, desc. Default value: asc |
query | Filter the results based on the specified tag conditions and values. | String enumeration | Possible values: field: the name of a tag identifier; operator: specifies the condition whereby the value is evaluated; value: the parameter that is being tested. See Tag Identifiers and Parameter Types and Operators for a complete list of available fields, operators, and acceptable values. |
Tag Identifiers
The following table describes tag identifiers for Get Tags requests.
Field Name | Artifact Type as it Appears on AutoFocus Web Portal | Field Type | Acceptable Values and Examples |
---|---|---|---|
alias | Alias | typeAheadSelect | Valid AutoFocus tag. Example: Cekar |
customer | Author Company | String | Valid organization that created the tag. Example: Palo Alto Networks |
author | Author Email | exactString | Valid email address of the tag creator. Example: john.doe@company.com |
tag_class | Class | Select | Valid tag class ID number. 1: Actor; 2: Campaign; 3: Malware Family; 4: Exploit; 5: Malicious Behavior. Example: 1 |
created | Created | Date | The creation date of a tag. Example: 2015-09-21T11:33:20 |
description | Description | String | The description contained in a tag. Example: advertising banners |
comments | # Comments | Number | The number of comments associated with a tag. Example: 2 |
lastComment | Last Comment | Date | The date of the last comment added to a tag. Example: 2010-09-21T11:34:15 |
lastHit | Last Hit | Date | The time at which the most recent sample matched to the tag was detected. Example: 2016-19-21T11:31:10 |
matchCriteria | Match Criteria | String | The conditions listed in the definition column contained within an AutoFocus tag. Example: sample.exe |
tag_name | Name | String | The name of an AutoFocus tag. Example: Sconato |
tag_group | Tag Group | typeAheadSelect | The name of an AutoFocus tag group. Example: AdWare |
reference | References | String | External references providing more information or context for the given threat. Example: Symantec |
numSamples | # Samples | Number | The total number of private and public samples matched to the tag. Example: 4 |
tagType | Scope | Select | A valid tag type. Example: private |
source | Source | String | Organization or individual that discovered the threat defined in the tag. Example: Secureworks |
status | Status | Select | The current operational status of a tag. Example: Removing |
upVotes | # Up Votes | Number | The number of up-votes the tag has received from the AutoFocus community. Example: 2 |
updated | Updated | Date | The date and time that the tag was most recently modified. Example: 2016-19-21T11:31:10 |
Parameter Types and Operators
The following table lists the parameter types and corresponding operators for Tag Identifiers.
Parameter Type | Available Operators |
---|---|
alias | contains, does not contain, proximity |
bool | is true, is false, has no value, has any value |
date | is in the range, is after, is before, is, has no value, has any value |
exactString | is, is not, has no value, has any value |
exactStringList | is, is not, is in the list, is not in the list, has no value, has any value |
exactStringListRegexp | is, is not, is in the list, is not in the list, has no value, has any value, regexp |
ipAddress | is, is not, is in the range, has no value, has any value |
number | is, is not, is in the range, greater than, greater than or equal, less than, less than or equal, has no value, has any value |
numberString | is, is not |
select | is, is not, is in the list, is not in the list, has no value, has any value |
simpleSelect | is, is not, is in the list, is not in the list |
simpleStringList | is, is not, is in the list, is not in the list |
singleSelect | is, is not |
singleSelectVal | is, is not, has no value, has any value |
string | contains, does not contain, has no value, has any value |
stringList | contains, does not contain, is in the list, is not in the list, has no value, has any value |
stringProx | contains, does not contain, has no value, has any value, proximity, regexp |
tagList | is in the list, is not in the list, has no value, has any value |
typeAheadSelect | is, is not, is in the list, is not in the list |
JSON Sample
Request
Include optional request body parameters along with your API key to further filter results.

```bash
curl -X POST -H "Content-Type: application/json" \
  -d '{
        "apiKey": "apiKey",
        "scope": "unit42",
        "pageNum": 0,
        "pageSize": 3,
        "sortBy": "name",
        "order": "asc",
        "query": {"field": "tag_name", "operator": "contains", "value": "4h"}
      }' \
  'https://autofocus.paloaltonetworks.com/api/v1.0/tags'
```
Response
The response contains a list of tags that match filters sent in the optional request body parameters.

```json
{
  "tags": [
    {
      "tag_name": "1580",
      "public_tag_name": "Commodity.1580",
      "count": 1,
      "lasthit": "2015-10-15 05:42:40",
      "description": null,
      "tag_definition_status_id": 1,
      "tag_definition_scope_id": 3,
      "tag_class_id": null,
      "source": null,
      "customer_name": "Palo Alto Networks Unit42",
      "up_votes": null,
      "down_votes": null,
      "comments": null,
      "aliases": null,
      "tag_definition_status": "enabled",
      "tag_definition_scope": "commodity"
    },
    {
      "tag_name": "4H",
      "public_tag_name": "Unit42.4H",
      "count": 39,
      "lasthit": "2015-12-01 09:43:46",
      "description": null,
      "tag_definition_status_id": 1,
      "tag_definition_scope_id": 4,
      "tag_class_id": null,
      "source": null,
      "customer_name": "Palo Alto Networks Unit42",
      "up_votes": null,
      "down_votes": null,
      "comments": null,
      "aliases": null,
      "tag_definition_status": "enabled",
      "tag_definition_scope": "unit42"
    },
    {
      "tag_name": "6547",
      "public_tag_name": "Unit42.6547",
      "count": 0,
      "lasthit": null,
      "description": null,
      "tag_definition_status_id": 1,
      "tag_definition_scope_id": 4,
      "tag_class_id": null,
      "source": null,
      "customer_name": "Palo Alto Networks Unit42",
      "up_votes": null,
      "down_votes": null,
      "comments": null,
      "aliases": null,
      "tag_definition_status": "enabled",
      "tag_definition_scope": "unit42"
    }
  ],
  "total_count": 116,
  "bucket_info": {
    "minute_points": 200,
    "daily_points": 25000,
    "minute_points_remaining": 198,
    "daily_points_remaining": 24133,
    "minute_bucket_start": "2015-12-14 16:04:18",
    "daily_bucket_start": "2015-12-14 13:06:01"
  }
}
```
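A client can enforce the documented enumerations and ranges before a request leaves the host, and use total_count and bucket_info to decide whether to ask for another page. The following is an added example, not code from the AutoFocus documentation; the function names, the three-field subset of the tables, the spelling of operators in the request, and the reading of a zero "remaining" value as an exhausted quota are assumptions.

```python
import json

# Enumerations and ranges copied from the Request Body Parameters table.
SCOPES = {"visible", "private", "mine", "public", "unit42", "commodity"}
SORT_KEYS = {"name", "status", "count", "lasthit", "upVotes"}
# Subset of the Tag Identifiers table (field -> type) and of the
# Parameter Types and Operators table (type -> operators).
FIELD_TYPES = {"tag_name": "string", "author": "exactString", "upVotes": "number"}
OPERATORS = {
    "string": {"contains", "does not contain", "has no value", "has any value"},
    "exactString": {"is", "is not", "has no value", "has any value"},
    "number": {"is", "is not", "is in the range", "greater than",
               "greater than or equal", "less than", "less than or equal",
               "has no value", "has any value"},
}

def build_tags_request(api_key, scope="visible", page_num=0, page_size=50,
                       sort_by="name", order="asc", query=None):
    """Return the JSON body for a Get Tags POST, rejecting invalid values."""
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of {sorted(SCOPES)}")
    if not 1 <= page_size <= 200:
        raise ValueError("pageSize range is 1-200")
    if not 0 <= page_num <= 1_000_000_000:
        raise ValueError("pageNum range is 0-1,000,000,000")
    if sort_by not in SORT_KEYS or order not in ("asc", "desc"):
        raise ValueError("unsupported sortBy or order")
    body = {"apiKey": api_key, "scope": scope, "pageNum": page_num,
            "pageSize": page_size, "sortBy": sort_by, "order": order}
    if query is not None:
        ftype = FIELD_TYPES.get(query.get("field"))
        # Assumption: operators are sent spelled as the table lists them.
        if ftype is None or query.get("operator") not in OPERATORS[ftype]:
            raise ValueError("field/operator pair not allowed by the tables")
        body["query"] = query
    return json.dumps(body)

def plan_next_page(response, page_num, page_size):
    """Return (next pageNum or None, whether quota points remain)."""
    fetched = (page_num + 1) * page_size  # pageNum 0 is page 1
    next_page = page_num + 1 if fetched < response["total_count"] else None
    bucket = response["bucket_info"]
    # Assumption: 0 remaining points in either bucket means wait before retrying.
    has_points = min(bucket["minute_points_remaining"],
                     bucket["daily_points_remaining"]) > 0
    return next_page, has_points
```

With the sample response above (total_count 116, pageSize 3), the last page that returns data is pageNum 38.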
STIX Sample
Request
Include optional request body parameters along with your API key to further filter results.

```bash
curl -X POST -H "Content-Type: application/xml" \
  -d '<req>
        <apiKey>apikey</apiKey>
        <scope>unit42</scope>
        <pageNum>0</pageNum>
        <pageSize>3</pageSize>
        <sortBy>name</sortBy>
        <order>asc</order>
      </req>' \
  "https://autofocus.paloaltonetworks.com/api/v1.0/stix/tags"
```
Response
The response contains a list of tags that match filters sent in the optional request body parameters.

```xml
<res>
  <total_count>116</total_count>
  <bucket_info>
    <minute_points>200</minute_points>
    <daily_points>25000</daily_points>
    <minute_points_remaining>198</minute_points_remaining>
    <daily_points_remaining>24994</daily_points_remaining>
    <minute_bucket_start>2016-03-08 13:38:07</minute_bucket_start>
    <daily_bucket_start>2016-03-08 13:29:46</daily_bucket_start>
  </bucket_info>
  <stix>
    <stix:STIX_Package
        xmlns:stix="http://stix.mitre.org/stix-1"
        xmlns:autofocus="https://autofocus.paloaltonetworks.com"
        xmlns:cybox="http://cybox.mitre.org/cybox-2"
        xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
        xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
        xmlns:indicator="http://stix.mitre.org/Indicator-2"
        xmlns:stixCommon="http://stix.mitre.org/common-1"
        xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        id="autofocus:Package-3a86b27f-be11-44ec-b508-58ae583f99b2"
        version="1.1.1"
        timestamp="2016-03-08T21:38:08.055197+00:00">
      <stix:Indicators>
        <stix:Indicator id="autofocus:indicator-5cb3a95d-40a0-4563-acb9-12e57aeb6a35" timestamp="2015-10-15T05:42:40" xsi:type="indicator:IndicatorType">
          <indicator:Title>Commodity.1580</indicator:Title>
          <indicator:Short_Description>Tag Name: 1580, Down Votes: 0, Up Votes: 0, Scope: commodity, Status: enabled, Comments: 0</indicator:Short_Description>
          <indicator:Sightings sightings_count="1" />
          <indicator:Producer>
            <stixCommon:Description />
            <stixCommon:Identity>
              <stixCommon:Name>Palo Alto Networks Unit42</stixCommon:Name>
            </stixCommon:Identity>
          </indicator:Producer>
        </stix:Indicator>
        <stix:Indicator id="autofocus:indicator-4d54e146-110f-45e9-8560-cc77c7d1b172" timestamp="2015-12-01T09:43:46" xsi:type="indicator:IndicatorType">
          <indicator:Title>Unit42.4H</indicator:Title>
          <indicator:Short_Description>Tag Name: 4H, Down Votes: 1, Up Votes: 0, Scope: unit42, Status: enabled, Comments: 0</indicator:Short_Description>
          <indicator:Sightings sightings_count="38" />
          <indicator:Producer>
            <stixCommon:Description />
            <stixCommon:Identity>
              <stixCommon:Name>Palo Alto Networks Unit42</stixCommon:Name>
            </stixCommon:Identity>
          </indicator:Producer>
        </stix:Indicator>
        <stix:Indicator id="autofocus:indicator-8e996377-96bc-4e12-9ea6-dafc2abba436" timestamp="2016-03-08T21:38:08.056075+00:00" xsi:type="indicator:IndicatorType">
          <indicator:Title>Unit42.6547</indicator:Title>
          <indicator:Short_Description>Tag Name: 6547, Down Votes: 0, Up Votes: 0, Scope: unit42, Status: enabled, Comments: 0</indicator:Short_Description>
          <indicator:Producer>
            <stixCommon:Description />
            <stixCommon:Identity>
              <stixCommon:Name>Palo Alto Networks Unit42</stixCommon:Name>
            </stixCommon:Identity>
          </indicator:Producer>
        </stix:Indicator>
      </stix:Indicators>
    </stix:STIX_Package>
  </stix>
</res>
```
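To consume the STIX form, a client has to resolve the namespaced elements and cope with the indicator that carries no Sightings element (Unit42.6547 in the sample). The following is an added example, not code from the AutoFocus documentation; the function name, the trimmed sample, and the assumption that Short_Description always uses the "Key: value, Key: value" layout shown above are mine.

```python
import xml.etree.ElementTree as ET

NS = {"stix": "http://stix.mitre.org/stix-1",
      "indicator": "http://stix.mitre.org/Indicator-2",
      "stixCommon": "http://stix.mitre.org/common-1"}

# Constructed sample: trimmed from the response above (two of the three indicators).
SAMPLE = """<res><total_count>116</total_count><stix>
<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
 xmlns:indicator="http://stix.mitre.org/Indicator-2"
 xmlns:stixCommon="http://stix.mitre.org/common-1">
<stix:Indicators>
<stix:Indicator id="autofocus:indicator-4d54e146-110f-45e9-8560-cc77c7d1b172">
 <indicator:Title>Unit42.4H</indicator:Title>
 <indicator:Short_Description>Tag Name: 4H, Down Votes: 1, Up Votes: 0, Scope: unit42, Status: enabled, Comments: 0</indicator:Short_Description>
 <indicator:Sightings sightings_count="38" />
 <indicator:Producer><stixCommon:Identity><stixCommon:Name>Palo Alto Networks Unit42</stixCommon:Name></stixCommon:Identity></indicator:Producer>
</stix:Indicator>
<stix:Indicator id="autofocus:indicator-8e996377-96bc-4e12-9ea6-dafc2abba436">
 <indicator:Title>Unit42.6547</indicator:Title>
 <indicator:Short_Description>Tag Name: 6547, Down Votes: 0, Up Votes: 0, Scope: unit42, Status: enabled, Comments: 0</indicator:Short_Description>
</stix:Indicator>
</stix:Indicators></stix:STIX_Package></stix></res>"""

def parse_stix_tags(xml_text):
    """Return one dict per stix:Indicator in a /stix/tags/ response."""
    # Reject DTDs up front: a tag list has no need for entity declarations.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD in STIX response")
    root = ET.fromstring(xml_text)
    tags = []
    for ind in root.iterfind(".//stix:Indicator", NS):
        desc = ind.findtext("indicator:Short_Description", "", NS)
        # Assumption: Short_Description is always "Key: value, Key: value, ...".
        fields = dict(p.split(": ", 1) for p in desc.split(", ") if ": " in p)
        sightings = ind.find("indicator:Sightings", NS)
        tags.append({
            "title": ind.findtext("indicator:Title", "", NS),
            "producer": ind.findtext(".//stixCommon:Name", "", NS),
            # In the sample, Sightings is missing for the tag with no hits.
            "sightings": int(sightings.get("sightings_count"))
                         if sightings is not None else 0,
            "fields": fields,
        })
    return tags
```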