1. Home
    2. AutoFocus
    3. AutoFocus™ API References
    4. Perform Direct Searches
    5. Get Threat Intelligence Card Summary

    Get Threat Intelligence Card Summary

    Use this resource to retrieve a summary contained in an AutoFocus Threat Intelligence Card. To view this information, you must specify the threat indicator type and value (domains, URLs, file hash, or IP address) and whether you want to include AutoFocus tags in the response.

    Resource

    /tic?indicatorType={indicator_type}&indicatorValue={value_of_indicator}
				&includeTags={true_or_false}'

    Request URL Parameters

    The following entries describe the URL parameters for Get Threat Intelligence Card Summary requests.
    Parameters
    Description
    Type
    Example or Possible Values
    {indicatorType}
    (
    Required
    ) Type of threat indicator.
    string
    Possible values:
    domain, url, filehash, ipv4_address, ipv6_address
    {indicatorValue}
    (
    Required
    ) Value of the threat indicator.
    string
    Example:
    google.com
    The threat indicator value must correspond with the defined indicatorType.
    {includeTags}
    (
    Required
    ) Option to include or exclude AutoFocus tags.
    string
    Possible values:
    true, false

    Request Header Parameters

    The following entries describe the header parameters for Get Threat Intelligence Card Summary requests.
    Parameters
    Description
    Type
    Example or Possible Values
    apiKey
    (
    Required
    ) API key tied to your license. All users attached to a license share a single API key.
    string
    Example (obfuscated):
    d32108a5-XXX-XXXX-XXXX-c04bda5b8450

    JSON Sample

    Request

    Include the threat indicator type and value, as well as the option to include tags in the resource URL, and the API key in the request.
    curl -X GET -H "apiKey: apiKey" "https://autofocus.paloaltonetworks.com/api/v1.0/tic?indicatorType=DOMAIN&indicatorValue=exampledomain.com&includeTags=true"

    Response

    The response, which is specific to the threat indicator that you specify in your request, provides a summarization report about the threat, including (as appropriate) the WildFire verdict, sample source, associated tags, domain creation date, the file type, and the first seen date.
       {
   "bucketInfo" : {
      "dailyBucketStart" : "2019-11-16 12:03:55",
      "dailyPoints" : 25000,
      "dailyPointsRemaining" : 24990,
      "minuteBucketStart" : "2019-11-16 12:03:55",
      "minutePoints" : 200,
      "minutePointsRemaining" : 190,
      "waitInSeconds" : 0
   },
   "indicator" : {
      "firstSeenTsGlobal" : 1571672361000,
      "indicatorType" : "DOMAIN",
      "indicatorValue" : "exampledomain.com",
      "lastSeenTsGlobal" : 1573856504000,
      "latestPanVerdicts" : {
         "WF_SAMPLE" : "MALWARE"
      },
      "seenByDataSourceIds" : [
         "WF_SAMPLE"
      ],
      "summaryGenerationTs" : 1574114155914,
      "whoisAdminCountry" : null,
      "whoisAdminEmail" : null,
      "whoisAdminName" : null,
      "whoisDomainCreationDate" : null,
      "whoisDomainExpireDate" : null,
      "whoisDomainUpdateDate" : null,
      "whoisRegistrant" : null,
      "whoisRegistrar" : null,
      "whoisRegistrarUrl" : null,
      "wildfireRelatedSampleVerdictCounts" : {
         "MALWARE" : 99
      }
   },
   "tags": [
	{
	count: 12081983,
	customer_name: "Palo Alto Networks Unit42",
	description: "This windows command and/or registry setting adds an allowed program to bypass the Windows firewall, often used by malware to ensure c2 traffic
	is not blocked by the local firewall.",
	doc_count: 1,
	lasthit: "2019-01-15 04:38:01",
	public_tag_name: "Unit42.ModifyWindowsFirewall",
	source: "Unit 42",
	tag_class_id: 5,
	tag_definition_id: 37576,
	tag_definition_scope: "unit42",
	tag_definition_scope_id: 4,
	tag_definition_status: "enabled",
	tag_definition_status_id: 1,
	tag_name: "ModifyWindowsFirewall”
	},
	{
	count: 8843812,
	customer_name: "Palo Alto Networks Unit42",
	description: "Virut is a file-infecting virus that has been in the wild since 2006. It communicates over IRC to retrieve commands from it's owner. Virut
	variants often infect other malware executables which can lead to inaccurate signature results. ",
	doc_count: 1,
	lasthit: "2019-05-14 04:37:53",
	public_tag_name: "Commodity.Virut",
	source: "Unit 42",
	tag_class_id: 3,
	tag_definition_id: 27326,
	tag_definition_scope: "commodity",
	tag_definition_scope_id: 3,
	tag_definition_status: "enabled",
	tag_definition_status_id: 1,
	tag_name: "Virut”
	},
	{
	count: 4928903,
	customer_name: "Palo Alto Networks Unit42",
	description: "The sample alters the hosts file on a system and affects the resolution of domain names to IP addresses. This is often used to prevent a system
	from reaching a security company's domain for updates. It can also be used for phishing attacks.",
	doc_count: 1,
	lasthit: "2019-01-15 04:30:43",
	public_tag_name: "Unit42.ModifyHostsFile",
	source: "Unit 42",
	tag_class_id: 5,
	tag_definition_id: 43791,
	tag_definition_scope: "unit42",
	tag_definition_scope_id: 4,
	tag_definition_status: "enabled",
	tag_definition_status_id: 1,
	tag_name: "ModifyHostsFile",
	}
	]
	}
}

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo