Get Threat Intelligence Card Summary
Use this resource to retrieve the summary contained in
an AutoFocus Threat Intelligence Card. To view this information,
you must specify the threat indicator type and value (domain, URL,
file hash, or IP address) and whether you want to include AutoFocus
tags in the response.
Resource
/tic?indicatorType={indicator_type}&indicatorValue={value_of_indicator}&includeTags={true_or_false}
Request URL Parameters
The following entries describe the URL
parameters for Get Threat Intelligence Card Summary requests.
Parameters | Description | Type | Example or Possible Values |
---|---|---|---|
{indicatorType} | (Required) Type of threat indicator. | string | Possible values: domain, url, filehash, ipv4_address, ipv6_address |
{indicatorValue} | (Required) Value of the threat indicator. | string | Example: google.com. The threat indicator value must correspond with the defined indicatorType. |
{includeTags} | (Required) Option to include or exclude AutoFocus tags. | string | Possible values: true, false |
Request Header Parameters
The following entries describe the header
parameters for Get Threat Intelligence Card Summary requests.
Parameters | Description | Type | Example or Possible Values |
---|---|---|---|
apiKey | (Required) API key tied to your license. All users attached to a license share a single API key. | string | Example (obfuscated): d32108a5-XXX-XXXX-XXXX-c04bda5b8450 |
Request
Include the threat indicator type and value, and the option to include
tags, in the resource URL, and pass the API key in the apiKey request header.
curl -X GET -H "apiKey: apiKey" "https://autofocus.paloaltonetworks.com/api/v1.0/tic?indicatorType=DOMAIN&indicatorValue=exampledomain.com&includeTags=true"
Response
The response, which is specific to the threat indicator that you specify
in your request, provides a summary report about the threat,
including (as appropriate) the WildFire verdict, sample source,
associated tags, domain creation date, the file type, and the first
seen date.
{
  "bucketInfo": {
    "dailyBucketStart": "2019-11-16 12:03:55",
    "dailyPoints": 25000,
    "dailyPointsRemaining": 24990,
    "minuteBucketStart": "2019-11-16 12:03:55",
    "minutePoints": 200,
    "minutePointsRemaining": 190,
    "waitInSeconds": 0
  },
  "indicator": {
    "firstSeenTsGlobal": 1571672361000,
    "indicatorType": "DOMAIN",
    "indicatorValue": "exampledomain.com",
    "lastSeenTsGlobal": 1573856504000,
    "latestPanVerdicts": { "WF_SAMPLE": "MALWARE" },
    "seenByDataSourceIds": [ "WF_SAMPLE" ],
    "summaryGenerationTs": 1574114155914,
    "whoisAdminCountry": null,
    "whoisAdminEmail": null,
    "whoisAdminName": null,
    "whoisDomainCreationDate": null,
    "whoisDomainExpireDate": null,
    "whoisDomainUpdateDate": null,
    "whoisRegistrant": null,
    "whoisRegistrar": null,
    "whoisRegistrarUrl": null,
    "wildfireRelatedSampleVerdictCounts": { "MALWARE": 99 }
  },
  "tags": [
    {
      "count": 12081983,
      "customer_name": "Palo Alto Networks Unit42",
      "description": "This windows command and/or registry setting adds an allowed program to bypass the Windows firewall, often used by malware to ensure c2 traffic is not blocked by the local firewall.",
      "doc_count": 1,
      "lasthit": "2019-01-15 04:38:01",
      "public_tag_name": "Unit42.ModifyWindowsFirewall",
      "source": "Unit 42",
      "tag_class_id": 5,
      "tag_definition_id": 37576,
      "tag_definition_scope": "unit42",
      "tag_definition_scope_id": 4,
      "tag_definition_status": "enabled",
      "tag_definition_status_id": 1,
      "tag_name": "ModifyWindowsFirewall"
    },
    {
      "count": 8843812,
      "customer_name": "Palo Alto Networks Unit42",
      "description": "Virut is a file-infecting virus that has been in the wild since 2006. It communicates over IRC to retrieve commands from it's owner. Virut variants often infect other malware executables which can lead to inaccurate signature results.",
      "doc_count": 1,
      "lasthit": "2019-05-14 04:37:53",
      "public_tag_name": "Commodity.Virut",
      "source": "Unit 42",
      "tag_class_id": 3,
      "tag_definition_id": 27326,
      "tag_definition_scope": "commodity",
      "tag_definition_scope_id": 3,
      "tag_definition_status": "enabled",
      "tag_definition_status_id": 1,
      "tag_name": "Virut"
    },
    {
      "count": 4928903,
      "customer_name": "Palo Alto Networks Unit42",
      "description": "The sample alters the hosts file on a system and affects the resolution of domain names to IP addresses. This is often used to prevent a system from reaching a security company's domain for updates. It can also be used for phishing attacks.",
      "doc_count": 1,
      "lasthit": "2019-01-15 04:30:43",
      "public_tag_name": "Unit42.ModifyHostsFile",
      "source": "Unit 42",
      "tag_class_id": 5,
      "tag_definition_id": 43791,
      "tag_definition_scope": "unit42",
      "tag_definition_scope_id": 4,
      "tag_definition_status": "enabled",
      "tag_definition_status_id": 1,
      "tag_name": "ModifyHostsFile"
    }
  ]
}
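The following Python sketch is an added example, not part of the AutoFocus documentation or any Palo Alto Networks client. It builds the resource URL with the indicator value percent-encoded (needed when the indicator is itself a URL) and reduces a response to the fields used for triage. The function names, the reading of the `*Ts*` fields as epoch milliseconds, and the meaning given to `waitInSeconds` are assumptions; the sample is a constructed, trimmed copy of the response above.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlencode

BASE = "https://autofocus.paloaltonetworks.com/api/v1.0/tic"  # from the curl example
TYPES = {"domain", "url", "filehash", "ipv4_address", "ipv6_address"}  # from the table

def build_tic_url(indicator_type, value, include_tags=True):
    """Build the request URL; urlencode() escapes '&', '?', '/' inside the value."""
    if indicator_type.lower() not in TYPES:
        raise ValueError(f"unsupported indicatorType: {indicator_type!r}")
    return BASE + "?" + urlencode({
        "indicatorType": indicator_type,
        "indicatorValue": value,
        "includeTags": "true" if include_tags else "false",
    })

def _utc(ms):
    # Assumption: the *Ts* fields are epoch milliseconds (UTC).
    return None if ms is None else datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()

def summarize_tic(resp):
    """Reduce a TIC summary response to the fields a triage step usually needs."""
    ind = resp.get("indicator") or {}
    bucket = resp.get("bucketInfo") or {}
    return {
        "indicator": ind.get("indicatorValue"),
        "verdicts": ind.get("latestPanVerdicts") or {},
        "first_seen": _utc(ind.get("firstSeenTsGlobal")),
        "last_seen": _utc(ind.get("lastSeenTsGlobal")),
        "tags": [t.get("public_tag_name") for t in resp.get("tags") or []],
        # Assumption: waitInSeconds > 0 means pause before sending the next request.
        "wait_seconds": bucket.get("waitInSeconds", 0),
        "minute_points_left": bucket.get("minutePointsRemaining"),
    }

# Constructed sample: a trimmed copy of the response shown above.
SAMPLE = json.loads("""
{"bucketInfo": {"minutePointsRemaining": 190, "waitInSeconds": 0},
 "indicator": {"indicatorType": "DOMAIN", "indicatorValue": "exampledomain.com",
               "firstSeenTsGlobal": 1571672361000, "lastSeenTsGlobal": 1573856504000,
               "latestPanVerdicts": {"WF_SAMPLE": "MALWARE"}},
 "tags": [{"public_tag_name": "Unit42.ModifyWindowsFirewall"},
          {"public_tag_name": "Commodity.Virut"}]}
""")

if __name__ == "__main__":
    print(build_tic_url("url", "http://example.com/a?b=1&c=2"))
    print(json.dumps(summarize_tic(SAMPLE), indent=2))
```

Because every user on a license shares one API key, supply it to the request from an environment variable or secret store rather than hard-coding it in scripts.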