Get Threat Intelligence Card Summary
Use this resource to retrieve the summary contained in an AutoFocus Threat Intelligence Card. To view this information, you must specify the threat indicator type and value (domain, URL, file hash, or IP address) and whether you want AutoFocus tags included in the response.
Resource
/tic?indicatorType={indicator_type}&indicatorValue={value_of_indicator}&includeTags={true_or_false}
Request URL Parameters
The following entries describe the URL
parameters for Get Threat Intelligence Card Summary requests.
Parameters | Description | Type | Example or Possible Values |
---|---|---|---|
{indicatorType} | (Required) Type of threat indicator. | string | Possible values: domain, url, filehash, ipv4_address, ipv6_address |
{indicatorValue} | (Required) Value of the threat indicator. The value must correspond with the defined indicatorType. | string | Example: google.com |
{includeTags} | (Required) Option to include or exclude AutoFocus tags. | string | Possible values: true, false |
Request Header Parameters
The following entries describe the header
parameters for Get Threat Intelligence Card Summary requests.
Parameters | Description | Type | Example or Possible Values |
---|---|---|---|
apiKey | (Required) API key tied to your license. All users attached to a license share a single API key. | string | Example (obfuscated): d32108a5-XXX-XXXX-XXXX-c04bda5b8450 |
JSON Sample
Request
Include the threat indicator type and value, as well as the option to include tags, in the resource URL, and the API key in the request header.
curl -X GET -H "apiKey: apiKey" "https://autofocus.paloaltonetworks.com/api/v1.0/tic?indicatorType=DOMAIN&indicatorValue=exampledomain.com&includeTags=true"
Response
The response, which is specific to the threat indicator that you specify in your request, provides a summary report about the threat, including (as appropriate) the WildFire verdict, sample source, associated tags, domain creation date, file type, and first seen date.
{
  "bucketInfo": {
    "dailyBucketStart": "2019-11-16 12:03:55",
    "dailyPoints": 25000,
    "dailyPointsRemaining": 24990,
    "minuteBucketStart": "2019-11-16 12:03:55",
    "minutePoints": 200,
    "minutePointsRemaining": 190,
    "waitInSeconds": 0
  },
  "indicator": {
    "firstSeenTsGlobal": 1571672361000,
    "indicatorType": "DOMAIN",
    "indicatorValue": "exampledomain.com",
    "lastSeenTsGlobal": 1573856504000,
    "latestPanVerdicts": { "WF_SAMPLE": "MALWARE" },
    "seenByDataSourceIds": [ "WF_SAMPLE" ],
    "summaryGenerationTs": 1574114155914,
    "whoisAdminCountry": null,
    "whoisAdminEmail": null,
    "whoisAdminName": null,
    "whoisDomainCreationDate": null,
    "whoisDomainExpireDate": null,
    "whoisDomainUpdateDate": null,
    "whoisRegistrant": null,
    "whoisRegistrar": null,
    "whoisRegistrarUrl": null,
    "wildfireRelatedSampleVerdictCounts": { "MALWARE": 99 }
  },
  "tags": [
    {
      "count": 12081983,
      "customer_name": "Palo Alto Networks Unit42",
      "description": "This windows command and/or registry setting adds an allowed program to bypass the Windows firewall, often used by malware to ensure c2 traffic is not blocked by the local firewall.",
      "doc_count": 1,
      "lasthit": "2019-01-15 04:38:01",
      "public_tag_name": "Unit42.ModifyWindowsFirewall",
      "source": "Unit 42",
      "tag_class_id": 5,
      "tag_definition_id": 37576,
      "tag_definition_scope": "unit42",
      "tag_definition_scope_id": 4,
      "tag_definition_status": "enabled",
      "tag_definition_status_id": 1,
      "tag_name": "ModifyWindowsFirewall"
    },
    {
      "count": 8843812,
      "customer_name": "Palo Alto Networks Unit42",
      "description": "Virut is a file-infecting virus that has been in the wild since 2006. It communicates over IRC to retrieve commands from it's owner. Virut variants often infect other malware executables which can lead to inaccurate signature results.",
      "doc_count": 1,
      "lasthit": "2019-05-14 04:37:53",
      "public_tag_name": "Commodity.Virut",
      "source": "Unit 42",
      "tag_class_id": 3,
      "tag_definition_id": 27326,
      "tag_definition_scope": "commodity",
      "tag_definition_scope_id": 3,
      "tag_definition_status": "enabled",
      "tag_definition_status_id": 1,
      "tag_name": "Virut"
    },
    {
      "count": 4928903,
      "customer_name": "Palo Alto Networks Unit42",
      "description": "The sample alters the hosts file on a system and affects the resolution of domain names to IP addresses. This is often used to prevent a system from reaching a security company's domain for updates. It can also be used for phishing attacks.",
      "doc_count": 1,
      "lasthit": "2019-01-15 04:30:43",
      "public_tag_name": "Unit42.ModifyHostsFile",
      "source": "Unit 42",
      "tag_class_id": 5,
      "tag_definition_id": 43791,
      "tag_definition_scope": "unit42",
      "tag_definition_scope_id": 4,
      "tag_definition_status": "enabled",
      "tag_definition_status_id": 1,
      "tag_name": "ModifyHostsFile"
    }
  ]
}
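A small Python client for this resource, added here as an example (it is not Palo Alto Networks' own code): it builds the /tic URL with the indicator value percent-encoded, sends the apiKey header, and condenses a card into the fields an enrichment pipeline keys on, including the waitInSeconds throttle hint. The base URL is taken from the curl example; the field handling assumes the JSON shape shown above, and the sample card is a constructed, trimmed copy of that response.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlencode
from urllib.request import Request, urlopen

BASE = "https://autofocus.paloaltonetworks.com/api/v1.0"  # from the curl example above
INDICATOR_TYPES = {"domain", "url", "filehash", "ipv4_address", "ipv6_address"}

def build_tic_url(indicator_type, indicator_value, include_tags=True):
    """Build the /tic resource URL. The indicator value is percent-encoded, so a
    URL indicator containing '&', '#' or '?' cannot alter the query string."""
    if indicator_type.lower() not in INDICATOR_TYPES:
        raise ValueError(f"unsupported indicatorType: {indicator_type}")
    query = urlencode({"indicatorType": indicator_type, "indicatorValue": indicator_value,
                       "includeTags": "true" if include_tags else "false"})
    return f"{BASE}/tic?{query}"

def fetch_tic(api_key, indicator_type, indicator_value, include_tags=True):
    """Send the GET with the apiKey header (network call; not exercised offline)."""
    req = Request(build_tic_url(indicator_type, indicator_value, include_tags),
                  headers={"apiKey": api_key})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)

def _day(ms):  # the *TsGlobal fields are epoch milliseconds, rendered here as UTC dates
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d")

def summarize_card(card):
    """Condense a card to enrichment fields; throttle_seconds exposes waitInSeconds."""
    ind = card["indicator"]
    return {
        "indicator": ind["indicatorValue"],
        "verdict": (ind.get("latestPanVerdicts") or {}).get("WF_SAMPLE", "UNKNOWN"),
        "malware_samples": (ind.get("wildfireRelatedSampleVerdictCounts") or {}).get("MALWARE", 0),
        "first_seen": _day(ind["firstSeenTsGlobal"]),
        "last_seen": _day(ind["lastSeenTsGlobal"]),
        "tags": sorted(t["public_tag_name"] for t in card.get("tags") or []),
        "throttle_seconds": card["bucketInfo"]["waitInSeconds"],
    }

# Constructed sample: a trimmed copy of the response shown above.
SAMPLE_CARD = {
    "bucketInfo": {"minutePointsRemaining": 190, "waitInSeconds": 0},
    "indicator": {"indicatorType": "DOMAIN", "indicatorValue": "exampledomain.com",
                  "firstSeenTsGlobal": 1571672361000, "lastSeenTsGlobal": 1573856504000,
                  "latestPanVerdicts": {"WF_SAMPLE": "MALWARE"},
                  "wildfireRelatedSampleVerdictCounts": {"MALWARE": 99}},
    "tags": [{"public_tag_name": "Unit42.ModifyWindowsFirewall"}, {"public_tag_name": "Commodity.Virut"},
             {"public_tag_name": "Unit42.ModifyHostsFile"}],
}
```

A caller that loops over many indicators should sleep for `throttle_seconds` and watch `minutePointsRemaining` before the next request, since the bucket counters in the response are the only rate-limit signal the card carries.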