Parameters	Description	Type	Example or Possible Values
scope	Scope of the search.	string enumeration	Possible values: visible : tags visible to you private : private tags owned by you mine : tags owned by you public : public tags unit42 : Unit 42 tags commodity : Unit 42 commodity tags Default value: visible
pageSize	The number of results to provide per response.	Number	Possible values: Range is 1-200 ; default is 50 .
pageNum	The page number from which to start displaying tag. When pageNum is specified, results are shown starting from that particular page number. A value of 0 indicates page 1.	Number	Possible values: Range is 0-1,000,000,000; default is 0.
sortBy	Sort by the specified label.	String enumeration	Possible values: name, status, count, lasthit, upVotes Default value: name
order	Sort either in ascending or descending order. Ascending order is alphabetical or numbers sorted from lowest to highest, descending order is the opposite.	String enumeration	Possible values: asc, desc Default value: asc
query	Filter the results based on the specified tag conditions and values.	String enumeration	Possible values: field : the name of a tag identifier operator : specifies the condition whereby the value is evaluated. value : the parameter that is being tested. See Tag Identifiers and Parameter Types and Operators for a complete list of available fields, operators, and acceptable values.

Tag Identifiers

The following table describes tag identifiers for Get Tags requests.

Field Name	Artifact Type as it Appears on AutoFocus Web Portal	Field Type	Acceptable Values and Examples
alias	Alias	typeAheadSelect	Valid AutoFocus tag. Example: Cekar
customer	Author Company	String	Valid organization that created the tag. Example: Palo Alto Networks
author	Author Email	exactString	Valid email address of the tag creator. Example: john.doe@company.com
tag_class	Class	Select	Valid tag class ID number. 1 : Actor 2 : Campaign. 3 : Malware Family. 4 : Exploit. 5 : Malicious Behavior. Example: 1
created	Created	Date	The creation date of a tag. Example: 2015-09-21T11:33:20
description	Description	String	The description contained in a tag. Example: advertising banners
comments	# Comments	Number	The number of comments associated with a tag. Example: 2
lastComment	Last Comment	Date	The date of the last comment added to a tag. Example: 2010-09-21T11:34:15
lastHit	Last Hit	Date	The time at which the most recent sample matched to the tag was detected. Example: 2016-19-21T11:31:10
matchCriteria	Match Criteria	String	The conditions listed in the definition column contained within an AutoFocus tag. Example: sample.exe
tag_name	Name	String	The name of an AutoFocus tag. Example: Sconato
tag_group	Tag Group	typeAheadSelect	The name of an AutoFocus tag group. Example: AdWare
reference	References	String	External references providing more information or context for the given threat. Example: Symantec
numSamples	# Samples	Number	The total number of private and public samples matched to the tag. Example: 4
tagType	Scope	Select	A valid tag type. Example: private
source	Source	String	Organization or individual that discovered the threat defined in the tag. Example: Secureworks
status	Status	Select	The current operational status of a tag. Example: Removing
upVotes	# Up Votes	Number	The number of up-votes the tag has received from the AutoFocus community. Example: 2
updated	Updated	Date	The date and time that the tag was most recently modified. Example: 2016-19-21T11:31:10

Parameter Types and Operators

The following table lists the parameter types and corresponding operators for Tag Identifiers.

Parameter Type	Available Operators
alias	contains, does not contain, proximity
bool	is true, is false, has no value, has any value
date	is in the range, is after, is before, is, has no value, has any value
exactString	is, is not, has no value, has any value
exactStringList	is, is not, is in the list, is not in the list, has no value, has any value
exactStringListRegexp	is, is not, is in the list, is not in the list, has no value, has any value, regexp
ipAddress	is, is not, is in the range, has no value, has any value
number	is, is not, is in the range, greater than, greater than or equal, less than, less than or equal, has no value, has any value
numberString	is, is not
select	is, is not, is in the list, is not in the list, has no value, has any value
simpleSelect	is, is not, is in the list, is not in the list
simpleStringList	is, is not, is in the list, is not in the list
singleSelect	is, is not
singleSelectVal	is, is not, has no value, has any value
string	contains, does not contain, has no value, has any value
stringList	contains, does not contain, is in the list, is not in the list, has no value, has any value
stringProx	contains, does not contain, has no value, has any value, proximity, regexp
tagList	is in the list, is not in the list, has no value, has any value
typeAheadSelect	is, is not, is in the list, is not in the list

JSON Sample

Request

Response

Request

Include optional request body parameters along with your API key to further filter results.

curl -X POST -H "Content-Type: application/json" -d  
'{ 
"apiKey": "apiKey", 
"scope": "unit42", 
"pageNum": 0, 
"pageSize": 3, 
"sortBy": "name", 
"order": "asc", 
"query":{"field":"tag_name","operator":"contains","value":"4h"} 
}' 'https://autofocus.paloaltonetworks.com/api/v1.0/tags'

Response

The response contains a list of tags that match filters sent in the optional request body parameters.

{ 
    "tags": [ 
        { 
            "tag_name": "1580", 
            "public_tag_name": "Commodity.1580", 
            "count": 1, 
            "lasthit": "2015-10-15 05:42:40", 
            "description": null, 
            "tag_definition_status_id": 1, 
            "tag_definition_scope_id": 3, 
            "tag_class_id": null, 
            "source": null, 
            "customer_name": "Palo Alto Networks Unit42", 
            "up_votes": null, 
            "down_votes": null, 
            "comments": null, 
            "aliases": null, 
            "tag_definition_status": "enabled", 
            "tag_definition_scope": "commodity" 
        }, 
        { 
            "tag_name": "4H", 
            "public_tag_name": "Unit42.4H", 
            "count": 39, 
            "lasthit": "2015-12-01 09:43:46", 
            "description": null, 
            "tag_definition_status_id": 1, 
            "tag_definition_scope_id": 4, 
            "tag_class_id": null, 
            "source": null, 
            "customer_name": "Palo Alto Networks Unit42", 
            "up_votes": null, 
            "down_votes": null, 
            "comments": null, 
            "aliases": null, 
            "tag_definition_status": "enabled", 
            "tag_definition_scope": "unit42" 
        }, 
        { 
            "tag_name": "6547", 
            "public_tag_name": "Unit42.6547", 
            "count": 0, 
            "lasthit": null, 
            "description": null, 
            "tag_definition_status_id": 1, 
            "tag_definition_scope_id": 4, 
            "tag_class_id": null, 
            "source": null, 
            "customer_name": "Palo Alto Networks Unit42", 
            "up_votes": null, 
            "down_votes": null, 
            "comments": null, 
            "aliases": null, 
            "tag_definition_status": "enabled", 
            "tag_definition_scope": "unit42" 
        } 
    ], 
    "total_count": 116, 
    "bucket_info": { 
        "minute_points": 200, 
        "daily_points": 25000, 
        "minute_points_remaining": 198, 
        "daily_points_remaining": 24133, 
        "minute_bucket_start": "2015-12-14 16:04:18", 
        "daily_bucket_start": "2015-12-14 13:06:01" 
    }

STIX Sample

Request

Response

Request

Include optional request body parameters along with your API key to further filter results.

curl -X POST -H "Content-Type: application/xml" -d '<req> 
    <apiKey>apikey</apiKey>     
    <scope>unit42</scope> 
    <pageNum>0</pageNum> 
    <pageSize>3</pageSize> 
    <sortBy>name</sortBy> 
    <order>asc</order> 
</req>' "https://autofocus.paloaltonetworks.com/api/v1.0/stix/tags"

Response

The response contains a list of tags that match filters sent in the optional request body parameters.

<res> 
  <total_count>116</total_count> 
  <bucket_info> 
    <minute_points>200</minute_points> 
    <daily_points>25000</daily_points> 
    <minute_points_remaining>198</minute_points_remaining> 
    <daily_points_remaining>24994</daily_points_remaining> 
    <minute_bucket_start>2016-03-08 13:38:07</minute_bucket_start> 
    <daily_bucket_start>2016-03-08 13:29:46</daily_bucket_start> 
  </bucket_info> 
  <stix> 
    <stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1" xmlns:autofocus="https://autofocus.paloaltonetworks.com" xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2" xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:stixCommon="http://stix.mitre.org/common-1" xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="autofocus:Package-3a86b27f-be11-44ec-b508-58ae583f99b2" version="1.1.1" timestamp="2016-03-08T21:38:08.055197+00:00"> 
      <stix:Indicators> 
        <stix:Indicator id="autofocus:indicator-5cb3a95d-40a0-4563-acb9-12e57aeb6a35" timestamp="2015-10-15T05:42:40" xsi:type="indicator:IndicatorType"> 
          <indicator:Title>Commodity.1580</indicator:Title> 
          <indicator:Short_Description>Tag Name: 1580, Down Votes: 0, Up Votes: 0, Scope: commodity, Status: enabled, Comments: 0</indicator:Short_Description> 
          <indicator:Sightings sightings_count="1" /> 
          <indicator:Producer> 
            <stixCommon:Description /> 
            <stixCommon:Identity> 
              <stixCommon:Name>Palo Alto Networks Unit42</stixCommon:Name> 
            </stixCommon:Identity> 
          </indicator:Producer> 
        </stix:Indicator> 
        <stix:Indicator id="autofocus:indicator-4d54e146-110f-45e9-8560-cc77c7d1b172" timestamp="2015-12-01T09:43:46" xsi:type="indicator:IndicatorType"> 
          <indicator:Title>Unit42.4H</indicator:Title> 
          <indicator:Short_Description>Tag Name: 4H, Down Votes: 1, Up Votes: 0, Scope: unit42, Status: enabled, Comments: 0</indicator:Short_Description> 
          <indicator:Sightings sightings_count="38" /> 
          <indicator:Producer> 
            <stixCommon:Description /> 
            <stixCommon:Identity> 
              <stixCommon:Name>Palo Alto Networks Unit42</stixCommon:Name> 
            </stixCommon:Identity> 
          </indicator:Producer> 
        </stix:Indicator> 
        <stix:Indicator id="autofocus:indicator-8e996377-96bc-4e12-9ea6-dafc2abba436" timestamp="2016-03-08T21:38:08.056075+00:00" xsi:type="indicator:IndicatorType"> 
          <indicator:Title>Unit42.6547</indicator:Title> 
          <indicator:Short_Description>Tag Name: 6547, Down Votes: 0, Up Votes: 0, Scope: unit42, Status: enabled, Comments: 0</indicator:Short_Description> 
          <indicator:Producer> 
            <stixCommon:Description /> 
            <stixCommon:Identity> 
              <stixCommon:Name>Palo Alto Networks Unit42</stixCommon:Name> 
            </stixCommon:Identity> 
          </indicator:Producer> 
        </stix:Indicator> 
      </stix:Indicators> 
    </stix:STIX_Package> 
  </stix> 
</res>

Get Sample Analysis

Get Tag Details

AutoFocus® API Reference

Get Tags

Get Tags

Resource

Request Parameters

Request Body Parameters

Tag Identifiers

Parameter Types and Operators

JSON Sample

Request

Response

STIX Sample

Request

Response

Recommended For You