Search Top Tags, Session Histogram, and Session Aggregate Data
Table of Contents
Search Top Tags, Session Histogram, and Session Aggregate Data
Use the session histogram search to get data that corresponds
to the
Malware Download Sessions
histogram
data when you view search statistics. Use the sample aggregate search
to view top file types. Use the session aggregate data search to
view aggregate data such as Top Firewalls,
Top
Malware
, Source Countries
, and Destination Countries
.
Use the top-tags search to identify the most popular tags for any
given period of time. The top-tags search corresponds to the Top
Tags
data available when you view search statistics.Aggregate
search data is limited to the top 10 results in each category while
top-tags data is limited to the top 20 tags.
Resources
/sessions/histogram/search/ /sessions/aggregate/search/ /top-tags/search/
Request
Parameters
The following request parameters are available
when searching top tags, session histogram, and session aggregate
data.
Parameters | Description | Type | Example or Possible Values |
|---|---|---|---|
apiKey | ( Required ) API key tied to your license.
All users attached to a license share a single API key. | string | Example (obfuscated): d32108a5-XXX-XXXX-XXXX-c04bda5b8450 |
scope | ( Required ) Scope of the search. Case-sensitive. | string enumeration | Possible values: industry, organization,all, global Additional
possible values for /sessions/histogram/search/and /sessions/aggregate/search/:public, private |
query | ( Required ) Query based on conditions
specified within this object. Condition match those found in the
AutoFocus web portal. | object array | See Search
Field Names and Search
Parameter Types and Operators for a list of available fields, operators,
and acceptable values. To easily determine
your query , first run the equivalent
search in the AutoFocus web portal and then use the API button to view the
corresponding JSON: children object
array):
|
field | Field for which to provide aggregate data. Only
available and required for :/sessions/aggregate/search/ | string enumeration | Possible values for /sessions/aggregate/search/ :sha256 app device_serial device_industry src_countrycode dst_countrycode upload_src |
size | Number of results to return. Only available for :/sessions/aggregate/search/ /top-tags/search/ | number | Possible values: Any number above
0 up to 1000. Default value: 50 |
tagScopes | Filter based on the type of malware. Only
available for :/top-tags/search/ | string enumeration (must be provided as a
JSON list) | Possible values: private,public, commodity, unit42 Default
value: Private Example:
|
Sample
Request
curl -X POST -H "Content-Type: application/json" -d '{ "apiKey": "apikey", "query": { "operator": "all", "children": [ { "field": "sample.malware", "operator": "is", "value": 1 }, { "field": "session.tstamp", "operator": "is in the range", "value": [ "2015-08-26T00:00:00", "2015-09-02T23:59:59" ] } ] },"scope":"public" }' 'https://autofocus.paloaltonetworks.com/api/v1.0/sessions/histogram/search'
View the corresponding cURLrequestor
Python syntax for initiating searches for samples, sessions,
and aggregate data from the AutoFocus web portal.
Sample
Response
The response to session histogram and aggregate
searches is similar to sample and sessions searches. Use the
af_cookie
parameter
to view the results of your search:{ "af_in_progress": true, "af_first_result_af_took": 0, "in_progress": true, "af_cookie": "0-041ff071-ba35-480a-bcb2-94403ba66c41+0", "af_complete_percentage": 0, "bucket_info": { "minute_points": 200, "daily_points": 25000, "minute_points_remaining": 190, "daily_points_remaining": 24946, "minute_bucket_start": "2015-10-21 15:37:34", "daily_bucket_start": "2015-10-21 14:41:07" } }
Use the
af_cookie
parameter
when you check on the results of your search using the /sessions/histogram/results/or /sessions/aggregate/results/
resource.