1. Home
    2. WildFire
    3. WildFire API Reference
    4. Get WildFire Information through the WildFire API
    5. Get a WildFire Analysis Report (WildFire API)

    Get a WildFire Analysis Report (WildFire API)

    Use this resource to get a WildFire Analysis report for a specified sample hash value in one of the following formats: XML, PDF, and MAEC; or a web page URL in the JSON format.
    Palo Alto Networks recommends waiting at least 5 minutes before you request a WildFire Analysis Report or Get a WildFire Verdict (WildFire API) on a sample submission.

    Resource

    /get/report/

    Request Parameters

    Use the following form parameters when requesting a WildFire Analysis report:
    Parameters
    Description
    Example
     
    apikey
    (
    Required
    ) API key
    Example:
    apikey=<API KEY>
    agent
    (
    Required for Prisma Access and Prisma Cloud Compute-based WildFire public API keys
    ) Designates the API key type
    Example:
    agent=pcc
    Options include:
    • pcc
      —for use with Prisma Cloud Compute-based WildFire public API keys
    • prismaaccessapi
      —for use with Prisma Access-based WildFire public API keys
    hash
    (
    Required for file-based requests
    ) MD5 or SHA-256 hash value of the sample
    Example:
    hash=afe6b95ad95bc689c356f34ec8d9094
	c495e4af57c932ac413b65ef132063acc
    url
    (
    Required for URL-based requests
    ) The URL of the web page
    Example:
    url=http://www.google.com
    format
    (
    Applicable to WildFire sample analysis reports only
    ) Report format
    Acceptable values:
    • xml
       (Default)
    • pdf
    • maec
    WildFire URL analysis reports are only available in the JSON format.

    Example Request 1

    Make a POST request to the
    /get/report
     resource and include the API key, the MD5 or SHA-256 hash value of the sample, and optionally include the platform and report output type, similar to the following cURL command:
    curl
-JO -F 'apikey=<API KEY>' -F 'hash=04f4f1c83f1e69b1f055202964536f13'
-F 'format=xml' 'https://wildfire.paloaltonetworks.com/publicapi/get/report'
    The response saves or generates the output of the WildFire analysis report using one of the specified formats: XML, PDF, or MAEC (if none is specified, as in this example, it defaults to XML). When requesting a PDF, the response uses the
    application/octet-stream
     content-type; while a MAEC format report response uses the
    application/json
     content type.
    Here is an example response for a WildFire analysis report request in XML:
    <wildfire> 
    <version>2.0</version> 
    <file_info> 
        <malware>yes</malware> 
        <sha1>828f02e6ca4bcf6c30264137f758fbe20dd866db</sha1> 
        <filetype>PE</filetype> 
        <sha256>ca007e3b395688f5f3062729978dcdbadc90d9c3501d9a89c139d11c58d2a15e</sha256> 
        <md5>04f4f1c83f1e69b1f055202964536f13</md5> 
        <size>796268</size> 
    </file_info> 
<task_info> 
<report> 
  <version>3.0</version> 
  <platform>204</platform> 
  <software>PE Static Analyzer</software> 
  <sha256>ca007e3b395688f5f3062729978dcdbadc90d9c3501d9a89c139d11c58d2a15e</sha256> 
  <md5>04f4f1c83f1e69b1f055202964536f13</md5> 
  <malware>no</malware> 
  <summary> 
    <entry details="Entropy is a measurement of the randomness in data. Overlays with high entropy indicate encoded or encrypted data." id="3030" score="0.0">Contains overlay data with high entropy</entry> 
    <entry details="Sections with a large discrepancy between raw and virtual sizes may indicate a packed or obfuscated PE file." id="3013" score="0.0">Contains sections with size discrepancies</entry> 
    <entry details="Thread-local storage (TLS) is normally used to manage data in multithreaded applications. However, it can also allow execution of code outside of the expected entry point of a PE file." id="3019" score="0.0">Contains a TLS section</entry> 
    <entry details="The PE file checksum is required for drivers, boot-time DLLs, and other DLLs loaded into secure system processes. Malware often ignores this value or sets it to zero." id="3015" score="0.0">Contains an invalid checksum</entry> 
    <entry details="Overlay data is extra data appended to the end of a PE image. Many legitimate files, including all files that are digitally signed, contain overlay data. However, malware often uses overlays to embed encoded or encrypted data as well." id="3029" score="0.0">Contains overlay data</entry> 
    <entry details="Standard section names are defined by the compiler. Non-standard section names may indicate a packed or obfuscated PE file." id="3003" score="0.0">Contains non-standard section names</entry> 
    <entry details="Sections with zero size indicate a packed or obfuscated PE file." id="3036" score="0.0">Contains sections with zero size</entry> 
  </summary> 
</report> 
<!-- TRUNCATED RESPONSE --> 
</task_info> 
</wildfire>

    Example Request 2

    Make a POST request to the
    /get/report
     resource and include the API key, the MD5 or SHA-256 hash value of the sample, and optionally include the platform and report output type, similar to the following cURL command:
    curl
-JO -F 'apikey=<API KEY>' -F 'sha256=ac1f40162a2435537171dbe29feaf3b75ce0d12c86db411259914ad75e689266' -F 'format=maec'
-F 'https://wildfire.paloaltonetworks.com/publicapi/get/report'
    In this example, the response provides the WildFire analysis report for the specified SHA256 hash in the MAEC format using the
    application/json
     content type.
    Here is an example response for a WildFire analysis report request in the MAEC format:
    
{ "success": true, "result": {
    "detection_reasons": [],
    "iocs": [],
    "maec_packages": [
        {
            "id": "package--f4dc11a8-b803-437c-5f1f-de0a08ea5fe7",
            "maec_objects": [
                {
                    "analysis_metadata": [
                        {
                            "analysis_type": "static",
                            "conclusion": "no detection",
                            "is_automated": true,
                            "tool_refs": [
                                "1"
                            ]
                        }
                    ],
                    "dynamic_features": {
                        "action_refs": [
                            "malware-action--cf4acb1f-d613-4ff3-472a-c877418c3e15"
                        ],
                        "behavior_refs": [
                            "behavior--3a7cd04f-b867-4c06-e97e-911df668b4aa",
                            "behavior--832fc6d9-d0d7-44ef-84d7-95015187f56f",
                            "behavior--688b7e60-b8f3-482a-f40c-b43121b9fe7d",
                            "behavior--574cc6a8-2334-4abf-f11c-54c92e5749a6"
                        ]
                    },
                    "id": "malware-instance--bdae93df-8bb1-4521-696a-593eee2574fb",
                    "instance_object_refs": [
                        "0"
                    ],
                    "type": "malware-instance"
                },
                {
                    "description": "PDF contains an URI.",
                    "id": "behavior--3a7cd04f-b867-4c06-e97e-911df668b4aa",
                    "name": "pdf_sa_uri",
                    "type": "behavior"
                },
                {
                    "description": "PDF has only one page.",
                    "id": "behavior--832fc6d9-d0d7-44ef-84d7-95015187f56f",
                    "name": "pdf_sa_onepage",
                    "type": "behavior"
                },
                {
                    "description": "PDF document contains an canonicalized object key of Action",
                    "id": "behavior--688b7e60-b8f3-482a-f40c-b43121b9fe7d",
                    "name": "pdf_ko_action",
                    "type": "behavior"
                },
                {
                    "description": "The action of containing network artifacts.",
                    "id": "malware-action--cf4acb1f-d613-4ff3-472a-c877418c3e15",
                    "name": "network-artifacts",
                    "output_object_refs": [
                        "4",
                        "2",
                        "3"
                    ],
                    "type": "malware-action"
                },
                {
                    "action_refs": [
                        "malware-action--cf4acb1f-d613-4ff3-472a-c877418c3e15"
                    ],
                    "description": "File contains one or more URL/domain name/IP address",
                    "id": "behavior--574cc6a8-2334-4abf-f11c-54c92e5749a6",
                    "name": "sa_url",
                    "type": "behavior"
                }
            ],
            "observable_objects": {
                "0": {
                    "hashes": {
                        "MD5": "3b695ce4b733069a1b8671c4e9ebe247",
                        "SHA-1": "25fec390b4419edd0a08784bcb8960143443b347",
                        "SHA-256": "ac1f40162a2435537171dbe29feaf3b75ce0d12c86db411259914ad75e689266"
                    },
                    "type": "file",
                    "x-wf-file-type": "pdf"
                },
                "1": {
                    "name": "PDF Static Analyzer",
                    "type": "software"
                },
                "2": {
                    "type": "url",
                    "value": "2.2.2.2/"
                },
                "3": {
                    "type": "url",
                    "value": "portal-beta1.wildfire.paloaltonetworks.com/report/box/7521c97f1705211618f8db072b6d0d0e5c28d0d727ecde12344745974d07e068/25887678581"
                },
                "4": {
                    "type": "url",
                    "value": "2.2.2.2:1234/"
                }
            },
            "schema_version": "5.0",
            "type": "package"
        }
    ],
    "primary_malware_instances": {
        "package--f4dc11a8-b803-437c-5f1f-de0a08ea5fe7": "malware-instance--bdae93df-8bb1-4521-696a-593eee2574fb"
    },
    "sa_package": "package--f4dc11a8-b803-437c-5f1f-de0a08ea5fe7",
    "schema_version": "1.0",
    "sha256": "ac1f40162a2435537171dbe29feaf3b75ce0d12c86db411259914ad75e689266",
    "type": "wf-report",
    "verdict": "no detection"
} }
}

    Example Request 3

    Make a POST request to the
    /get/report
     resource and include the API key, the URL of the web page, and optionally include the platform and report output type, similar to the following cURL command:
    curl
-JO -F 'apikey=<API KEY>' -F 'url=http://www.google.com'
-F 'https://wildfire.paloaltonetworks.com/publicapi/get/report'
    The response saves the URL analysis report in JSON format. If an exact match of the specified URL cannot be found, WildFire delivers a best guess match. The URL match type is indicated by the
    url_type
     entry in the response.
    original
     indicates an exact match, while
    best match
     is shown for the best found match.
    Here is an example response for a WildFire URL analysis report request:
    
    {
        "success": true,
        "result": {
           "analysis_time": "2020-04-22:42:30Z",
           "url_type": "original",
           "report": "<MAEC report>"
        <size>796268</size> 
    }
}

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo