: Get Threat Intelligence Card Summary
Focus
Focus

Get Threat Intelligence Card Summary

Table of Contents

Get Threat Intelligence Card Summary

Use this resource to retrieve a summary contained in an AutoFocus Threat Intelligence Card. To view this information, you must specify the threat indicator type and value (domains, URLs, file hash, or IP address) and whether you want to include AutoFocus tags in the response.

Resource

/tic?indicatorType={indicator_type}&indicatorValue={value_of_indicator} &includeTags={true_or_false}'

Request URL Parameters

The following entries describe the URL parameters for Get Threat Intelligence Card Summary requests.
Parameters
Description
Type
Example or Possible Values
{indicatorType}
( Required) Type of threat indicator.
string
Possible values:
domain, url, filehash, ipv4_address, ipv6_address
{indicatorValue}
( Required) Value of the threat indicator.
string
Example:
google.com
The threat indicator value must correspond with the defined indicatorType.
{includeTags}
( Required) Option to include or exclude AutoFocus tags.
string
Possible values:
true, false

Request Header Parameters

The following entries describe the header parameters for Get Threat Intelligence Card Summary requests.
Parameters
Description
Type
Example or Possible Values
apiKey
( Required) API key tied to your license. All users attached to a license share a single API key.
string
Example (obfuscated):
d32108a5-XXX-XXXX-XXXX-c04bda5b8450

JSON Sample

Request

Include the threat indicator type and value, as well as the option to include tags in the resource URL, and the API key in the request.
curl -X GET -H "apiKey: apiKey" "https://autofocus.paloaltonetworks.com/api/v1.0/tic?indicatorType=DOMAIN&indicatorValue=exampledomain.com&includeTags=true"

Response

The response, which is specific to the threat indicator that you specify in your request, provides a summarization report about the threat, including (as appropriate) the WildFire verdict, sample source, associated tags, domain creation date, the file type, and the first seen date.
{ "bucketInfo" : { "dailyBucketStart" : "2019-11-16 12:03:55", "dailyPoints" : 25000, "dailyPointsRemaining" : 24990, "minuteBucketStart" : "2019-11-16 12:03:55", "minutePoints" : 200, "minutePointsRemaining" : 190, "waitInSeconds" : 0 }, "indicator" : { "firstSeenTsGlobal" : 1571672361000, "indicatorType" : "DOMAIN", "indicatorValue" : "exampledomain.com", "lastSeenTsGlobal" : 1573856504000, "latestPanVerdicts" : { "WF_SAMPLE" : "MALWARE" }, "seenByDataSourceIds" : [ "WF_SAMPLE" ], "summaryGenerationTs" : 1574114155914, "whoisAdminCountry" : null, "whoisAdminEmail" : null, "whoisAdminName" : null, "whoisDomainCreationDate" : null, "whoisDomainExpireDate" : null, "whoisDomainUpdateDate" : null, "whoisRegistrant" : null, "whoisRegistrar" : null, "whoisRegistrarUrl" : null, "wildfireRelatedSampleVerdictCounts" : { "MALWARE" : 99 } }, "tags": [ { count: 12081983, customer_name: "Palo Alto Networks Unit42", description: "This windows command and/or registry setting adds an allowed program to bypass the Windows firewall, often used by malware to ensure c2 traffic is not blocked by the local firewall.", doc_count: 1, lasthit: "2019-01-15 04:38:01", public_tag_name: "Unit42.ModifyWindowsFirewall", source: "Unit 42", tag_class_id: 5, tag_definition_id: 37576, tag_definition_scope: "unit42", tag_definition_scope_id: 4, tag_definition_status: "enabled", tag_definition_status_id: 1, tag_name: "ModifyWindowsFirewall” }, { count: 8843812, customer_name: "Palo Alto Networks Unit42", description: "Virut is a file-infecting virus that has been in the wild since 2006. It communicates over IRC to retrieve commands from it's owner. Virut variants often infect other malware executables which can lead to inaccurate signature results. ", doc_count: 1, lasthit: "2019-05-14 04:37:53", public_tag_name: "Commodity.Virut", source: "Unit 42", tag_class_id: 3, tag_definition_id: 27326, tag_definition_scope: "commodity", tag_definition_scope_id: 3, tag_definition_status: "enabled", tag_definition_status_id: 1, tag_name: "Virut” }, { count: 4928903, customer_name: "Palo Alto Networks Unit42", description: "The sample alters the hosts file on a system and affects the resolution of domain names to IP addresses. This is often used to prevent a system from reaching a security company's domain for updates. It can also be used for phishing attacks.", doc_count: 1, lasthit: "2019-01-15 04:30:43", public_tag_name: "Unit42.ModifyHostsFile", source: "Unit 42", tag_class_id: 5, tag_definition_id: 43791, tag_definition_scope: "unit42", tag_definition_scope_id: 4, tag_definition_status: "enabled", tag_definition_status_id: 1, tag_name: "ModifyHostsFile", } ] } }