AutoFocus® API Reference
  • AutoFocus® API Reference
  • All AutoFocus Documentation
  • All Documentation
AutoFocus® API Reference
: Search for Signatures
Focus
Download PDF
Focus
  1. Home
  2. AutoFocus
  3. AutoFocus® API Reference
  4. Perform AutoFocus Searches
  5. Search for Signatures
Download PDF

AutoFocus® API Reference

Search for Signatures

Table of Contents

Search for Signatures

Use these endpoints to search for signatures that match the specified parameters.
  • Resource
  • Request Parameters
  • Sample Request
  • Sample Response

Resource

  • Anti-spyware, vulnerability, and file-format signatures
    https://autofocus.paloaltonetworks.com/api/intel/v1/threatvault/ips/search
  • Antivirus Signatures
    https://autofocus.paloaltonetworks.com/api/intel/v1/threatvault/panav/search
  • DNS | RTDNS Signatures
    https://autofocus.paloaltonetworks.com/api/intel/v1/threatvault/dns/search

Request Parameters

The following table describes the parameters used with this endpoint.
Parameters
Description
Type
Example or Possible Values
apiKey
( Required) API key tied to your license. All users attached to a license share a single API key.
string
Example (obfuscated):
d32108a5-XXX-XXXX-XXXX-c04bda5b8450
{signatureName}
Palo Alto Networks textual identifier for the threat.
string
A valid signature name.
Example:
TDSS/Win32.fey.a
For /ips/search queries, the signature is an approximate string (fuzzy) search.
{vendor}
The identification number for a security vendor. Only available for:
/ips/search
exactString
A valid vendor reference number.
Example:
25461
{cve}
The reference number for a vulnerability as defined by Common Vulnerabilities and Exposures (CVE). Only available for:
/ips/search
exactString
A CVE reference number for a vulnerability.
Example:
cve-2015-8650
{domainName}
The name of the domain. Only available for:
/dns/search
string
A valid Internet domain.
Example:
google.com

Sample Request

curl -X POST -H "Content-Type: application/json" -d '{"from": 0, "size":10, "field": "signatureName", "value": "ExpertAntivirus_4_1" }' 'https://autofocus.paloaltonetworks.com/api/intel/v1/threatvault/ips/search?api_key=apikey'

Sample Response

The response to signature searches is similar to sample and sessions searches. Use the af_cookie parameter from the initial response to view the results of your search: 

				{
				{
				"total_count": 1,
				"page_count": 1,
				"signatures": [{
				"metadata": {
				"severity": "low",
				"reference": "http://www.spywareguide.com/spydet_3531_expertantivirus.html,http://www.ca.com/securityadvisor/pest/pest.aspx?id=45311130",
				"panOsMaximumVersion": "",
				"description": "This signature detects the runtime behavior of ExpertAntivirus 4.1ExpertAntivirus is a rogue anti-spyware program that reports false positive infections.",
				"panOsMinimumVersion": "6.1.0",
				"action": "alert",
				"category": "adware",
				"changeData": ""
				},
				"cve": "",
				"signatureName": "ExpertAntivirus_4_1",
				"vendor": "",
				"signatureType": "spyware",
				"firstReleaseTime": "2015-06-26 UTC",
				"signatureId": 11785,
				"latestReleaseTime": "2020-06-09 UTC",
				"latestReleaseVersion": 8281,
				"status": "released",
				"firstReleaseVersion": 509
				}]
				}
Use the af_cookie parameter when you check on the results of your search using the /ips/search/result/, /panav/search/result, or dns/search/result/ resource.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.