Search for Signatures
Use these endpoints to search for signatures that match
the specified parameters.
Resource
- Anti-spyware, vulnerability, and file-format signatures: https://autofocus.paloaltonetworks.com/api/intel/v1/threatvault/ips/search
- Antivirus Signatures: https://autofocus.paloaltonetworks.com/api/intel/v1/threatvault/panav/search
- DNS | RTDNS Signatures: https://autofocus.paloaltonetworks.com/api/intel/v1/threatvault/dns/search
Request Parameters
The following table describes the parameters used with this endpoint.

| Parameters | Description | Type | Example or Possible Values |
| --- | --- | --- | --- |
| apiKey (Required) | API key tied to your license. All users attached to a license share a single API key. | string | Example (obfuscated): d32108a5-XXX-XXXX-XXXX-c04bda5b8450 |
| {signatureName} | Palo Alto Networks textual identifier for the threat. | string | A valid signature name. Example: TDSS/Win32.fey.a. For /ips/search queries, the signature is an approximate string (fuzzy) search. |
| {vendor} | The identification number for a security vendor. Only available for: /ips/search | exactString | A valid vendor reference number. Example: 25461 |
| {cve} | The reference number for a vulnerability as defined by Common Vulnerabilities and Exposures (CVE). Only available for: /ips/search | exactString | A CVE reference number for a vulnerability. Example: cve-2015-8650 |
| {domainName} | The name of the domain. Only available for: /dns/search | string | A valid Internet domain. Example: google.com |

Sample Request
curl -X POST -H "Content-Type: application/json" -d '{"from": 0, "size":10, "field": "signatureName", "value": "ExpertAntivirus_4_1" }' 'https://autofocus.paloaltonetworks.com/api/intel/v1/threatvault/ips/search?api_key=apikey'

Sample Response
The response to signature searches is similar to sample and sessions searches. Use the af_cookie parameter from the initial response to view the results of your search:

{
  "total_count": 1,
  "page_count": 1,
  "signatures": [{
    "metadata": {
      "severity": "low",
      "reference": "http://www.spywareguide.com/spydet_3531_expertantivirus.html,http://www.ca.com/securityadvisor/pest/pest.aspx?id=45311130",
      "panOsMaximumVersion": "",
      "description": "This signature detects the runtime behavior of ExpertAntivirus 4.1ExpertAntivirus is a rogue anti-spyware program that reports false positive infections.",
      "panOsMinimumVersion": "6.1.0",
      "action": "alert",
      "category": "adware",
      "changeData": ""
    },
    "cve": "",
    "signatureName": "ExpertAntivirus_4_1",
    "vendor": "",
    "signatureType": "spyware",
    "firstReleaseTime": "2015-06-26 UTC",
    "signatureId": 11785,
    "latestReleaseTime": "2020-06-09 UTC",
    "latestReleaseVersion": 8281,
    "status": "released",
    "firstReleaseVersion": 509
  }]
}

Use the af_cookie parameter when you check on the results of your search using the /ips/search/result/, /panav/search/result, or /dns/search/result/ resource.
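
The parameter table and sample response above, as an added example (not Palo Alto Networks' code): Python helpers that build a search request only for the field and resource pairs the table allows, and reduce a response to one triage row per signature. The function names, the CVE format check, and the trimmed SAMPLE are assumptions made here; nothing is sent over the network.

```python
import json
import re
from urllib.parse import urlencode

BASE = "https://autofocus.paloaltonetworks.com/api/intel/v1/threatvault"
# Fields each resource accepts, taken from the parameter table above.
ALLOWED_FIELDS = {
    "ips": {"signatureName", "vendor", "cve"},
    "panav": {"signatureName"},
    "dns": {"signatureName", "domainName"},
}
CVE_RE = re.compile(r"^cve-\d{4}-\d{4,}$", re.IGNORECASE)  # assumed format check

# Constructed sample: the page's sample response, trimmed to the fields used here.
SAMPLE = json.dumps({"total_count": 1, "page_count": 1, "signatures": [{
    "metadata": {"severity": "low", "panOsMinimumVersion": "6.1.0",
                 "action": "alert", "category": "adware"},
    "signatureName": "ExpertAntivirus_4_1", "signatureType": "spyware",
    "signatureId": 11785, "status": "released"}]})


def build_search(resource, field, value, api_key, start=0, size=10):
    """Return (url, json_body), rejecting field/resource pairs the table excludes."""
    if field not in ALLOWED_FIELDS.get(resource, ()):
        raise ValueError(f"{field!r} is not searchable on /{resource}/search")
    if field == "cve" and not CVE_RE.match(value):
        raise ValueError(f"not a CVE reference number: {value!r}")
    # The key goes in the query string as in the page's sample request,
    # so treat the returned URL as a secret and keep it out of logs.
    url = f"{BASE}/{resource}/search?" + urlencode({"api_key": api_key})
    body = json.dumps({"from": start, "size": size, "field": field, "value": value})
    return url, body


def summarize(response_text):
    """Reduce a search response to one triage row per signature."""
    data = json.loads(response_text)
    rows = []
    for sig in data.get("signatures", []):
        meta = sig.get("metadata", {})
        rows.append({"id": sig["signatureId"], "name": sig["signatureName"],
                     "type": sig.get("signatureType"), "status": sig.get("status"),
                     "severity": meta.get("severity"), "action": meta.get("action"),
                     "min_panos": meta.get("panOsMinimumVersion") or None})
    return rows


if __name__ == "__main__":
    print(build_search("ips", "cve", "cve-2015-8650", "apikey")[1])
    print(summarize(SAMPLE))
```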