Get a WildFire Analysis Report (WildFire API)
Use this resource to get a WildFire Analysis report for a specified sample hash value or web page URL.

Palo Alto Networks recommends waiting at least 5 minutes before you request a WildFire Analysis Report or Get a WildFire Verdict (WildFire API) on a sample submission.
Resource
/get/report/
Request Parameters
Use the following form parameters when requesting a WildFire Analysis report (the parameter names are the ones used in the cURL examples below):

| Parameter | Description | Example |
|---|---|---|
| apikey | (Required) API key | apikey=<API KEY> |
| hash | (Required for file-based requests) MD5 or SHA-256 hash value of the sample | hash=04f4f1c83f1e69b1f055202964536f13 |
| url | (Required for URL-based requests) The URL of the web page | url=http://www.google.com |
| format | (Applicable to WildFire sample analysis reports only) Report format. Acceptable values: xml, pdf. WildFire URL analysis reports are only available in the JSON format. | format=xml |
Example Request 1
Make a POST request to the /get/report resource and include the API key, the MD5 or SHA-256 hash value of the sample, and optionally include the platform, similar to the following cURL command:

```bash
curl -JO -F 'apikey=<API KEY>' -F 'hash=04f4f1c83f1e69b1f055202964536f13' -F 'format=xml' 'https://wildfire.paloaltonetworks.com/publicapi/get/report'
```
The response saves the WildFire analysis report in either XML or PDF format. When requesting a PDF, the response uses an application/octet-stream content-type. Note that the `-J` option tells cURL to name the output file from the server-supplied Content-Disposition header; if you want to control the filename yourself, pass `-o <file>` instead of `-JO`. Here is an example XML report:

```xml
<wildfire>
  <version>2.0</version>
  <file_info>
    <malware>yes</malware>
    <sha1>828f02e6ca4bcf6c30264137f758fbe20dd866db</sha1>
    <filetype>PE</filetype>
    <sha256>ca007e3b395688f5f3062729978dcdbadc90d9c3501d9a89c139d11c58d2a15e</sha256>
    <md5>04f4f1c83f1e69b1f055202964536f13</md5>
    <size>796268</size>
  </file_info>
  <task_info>
    <report>
      <version>3.0</version>
      <platform>204</platform>
      <software>PE Static Analyzer</software>
      <sha256>ca007e3b395688f5f3062729978dcdbadc90d9c3501d9a89c139d11c58d2a15e</sha256>
      <md5>04f4f1c83f1e69b1f055202964536f13</md5>
      <malware>no</malware>
      <summary>
        <entry details="Entropy is a measurement of the randomness in data. Overlays with high entropy indicate encoded or encrypted data." id="3030" score="0.0">Contains overlay data with high entropy</entry>
        <entry details="Sections with a large discrepancy between raw and virtual sizes may indicate a packed or obfuscated PE file." id="3013" score="0.0">Contains sections with size discrepancies</entry>
        <entry details="Thread-local storage (TLS) is normally used to manage data in multithreaded applications. However, it can also allow execution of code outside of the expected entry point of a PE file." id="3019" score="0.0">Contains a TLS section</entry>
        <entry details="The PE file checksum is required for drivers, boot-time DLLs, and other DLLs loaded into secure system processes. Malware often ignores this value or sets it to zero." id="3015" score="0.0">Contains an invalid checksum</entry>
        <entry details="Overlay data is extra data appended to the end of a PE image. Many legitimate files, including all files that are digitally signed, contain overlay data. However, malware often uses overlays to embed encoded or encrypted data as well." id="3029" score="0.0">Contains overlay data</entry>
        <entry details="Standard section names are defined by the compiler. Non-standard section names may indicate a packed or obfuscated PE file." id="3003" score="0.0">Contains non-standard section names</entry>
        <entry details="Sections with zero size indicate a packed or obfuscated PE file." id="3036" score="0.0">Contains sections with zero size</entry>
      </summary>
    </report>
    <!-- TRUNCATED RESPONSE -->
  </task_info>
</wildfire>
```

Read the two `<malware>` elements separately: the one under `<file_info>` (here `yes`) is the result for the file as a whole, while the one inside each `<task_info>/<report>` (here `no`, from the PE Static Analyzer) is the result of that single analysis environment. A single analyzer reporting `no` does not mean the sample is benign; the truncated response would contain further `<report>` elements for the other environments.
Example Request 2
Make a POST request to the /get/report resource and include the API key, the URL of the web page, and optionally include the platform, similar to the following cURL command (the endpoint URL is a positional argument, not another `-F` form field):

```bash
curl -JO -F 'apikey=<API KEY>' -F 'url=http://www.google.com' 'https://wildfire.paloaltonetworks.com/publicapi/get/report'
```
The response saves the URL analysis report in JSON format. If an exact match of the specified URL cannot be found, WildFire delivers a best-guess match. The URL match type is indicated by the url_type entry in the response: original indicates an exact match, while best match is shown when only a best-guess match was found. Check url_type before acting on the report, because a best match result describes a related URL rather than the exact URL you submitted. Here is an example response for a WildFire URL analysis report request:

```json
{
  "success": true,
  "result": {
    "analysis_time": "2020-04-22:42:30Z",
    "url_type": "original",
    "report": "<MAEC report>"
  }
}
```
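The following Python client ties Example Request 1 and Example Request 2 together. It is an example added to this page, not Palo Alto Networks' own code: it validates the form fields documented above (apikey, hash or url, format), encodes them as multipart/form-data the way cURL's -F option does, sends the API key in the POST body rather than in the URL, and parses both response shapes. parse_file_report separates the file-level malware result from each analyzer's own result, and parse_url_report reports whether url_type was an exact match. The endpoint is the one from this page; the function names are this example's own, and the sample responses are constructed, abridged versions of the ones shown above.

```python
# Added example client for the WildFire /get/report resource described on this
# page. It is not Palo Alto Networks' code; the function names are this example's.
import json
import re
import uuid
import urllib.request
import xml.etree.ElementTree as ET

WILDFIRE_REPORT_URL = "https://wildfire.paloaltonetworks.com/publicapi/get/report"
_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{64})$")  # MD5 or SHA-256, hex


def build_params(apikey, sample_hash=None, url=None, fmt=None):
    """Build the form fields for /get/report, rejecting invalid combinations."""
    if not apikey:
        raise ValueError("apikey is required")
    # Exactly one of hash (file report) or url (URL report) must be present.
    if (sample_hash is None) == (url is None):
        raise ValueError("give exactly one of sample_hash or url")
    fields = {"apikey": apikey}
    if sample_hash is not None:
        h = sample_hash.strip().lower()
        if not _HASH_RE.match(h):
            raise ValueError("hash must be MD5 (32 hex) or SHA-256 (64 hex)")
        fields["hash"] = h
        if fmt is not None:  # format applies to file reports only
            if fmt not in ("xml", "pdf"):
                raise ValueError("format must be xml or pdf")
            fields["format"] = fmt
    else:
        if fmt is not None:  # URL reports are always JSON
            raise ValueError("format is not applicable to URL reports")
        fields["url"] = url
    return fields


def encode_multipart(fields):
    """Encode fields as multipart/form-data, the encoding cURL's -F option uses."""
    boundary = uuid.uuid4().hex
    body = "".join(
        f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
        for k, v in fields.items()
    ) + f"--{boundary}--\r\n"
    return f"multipart/form-data; boundary={boundary}", body.encode()


def get_report(fields, endpoint=WILDFIRE_REPORT_URL, timeout=30):
    """POST the fields and return (content_type, raw_body); this is the network call.

    The API key rides in the request body, not the URL, so it stays out of proxy
    and access logs. Check content_type before parsing: a PDF report arrives as
    application/octet-stream.
    """
    ctype, body = encode_multipart(fields)
    req = urllib.request.Request(endpoint, data=body, method="POST",
                                 headers={"Content-Type": ctype})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.get("Content-Type", ""), resp.read()


def parse_file_report(xml_bytes):
    """Summarise an XML sample report: file-level result plus per-analyzer results."""
    root = ET.fromstring(xml_bytes)
    info = root.find("file_info")
    # Each <task_info>/<report> is one analysis environment with its own <malware>,
    # which can be "no" even when the file-level <file_info>/<malware> is "yes".
    analyzers = [{
        "platform": rep.findtext("platform"),
        "software": rep.findtext("software"),
        "malware": rep.findtext("malware") == "yes",
        "findings": [e.text for e in rep.iterfind("summary/entry")],
    } for rep in root.iterfind("task_info/report")]
    return {"sha256": info.findtext("sha256"), "md5": info.findtext("md5"),
            "filetype": info.findtext("filetype"),
            "malware": info.findtext("malware") == "yes", "analyzers": analyzers}


def parse_url_report(json_bytes):
    """Parse a JSON URL report and flag whether the URL match was exact."""
    data = json.loads(json_bytes)
    if not data.get("success"):
        raise RuntimeError(f"WildFire returned failure: {data}")
    result = data["result"]
    # "original" is an exact match; "best match" means a related URL's report.
    return {"exact_match": result.get("url_type") == "original",
            "url_type": result.get("url_type"),
            "analysis_time": result.get("analysis_time"),
            "report": result.get("report")}


# Constructed sample responses, abridged from the ones shown on this page.
SAMPLE_XML = b"""<wildfire><version>2.0</version>
<file_info><malware>yes</malware><filetype>PE</filetype>
<sha256>ca007e3b395688f5f3062729978dcdbadc90d9c3501d9a89c139d11c58d2a15e</sha256>
<md5>04f4f1c83f1e69b1f055202964536f13</md5><size>796268</size></file_info>
<task_info><report><version>3.0</version><platform>204</platform>
<software>PE Static Analyzer</software><malware>no</malware>
<summary><entry id="3019" score="0.0">Contains a TLS section</entry>
<entry id="3015" score="0.0">Contains an invalid checksum</entry></summary>
</report></task_info></wildfire>"""
SAMPLE_JSON = (b'{"success": true, "result": {"analysis_time": "2020-04-22:42:30Z",'
               b' "url_type": "best match", "report": "<MAEC report>"}}')
```

A live request is `get_report(build_params("<API KEY>", sample_hash="04f4f1c83f1e69b1f055202964536f13", fmt="xml"))`, followed by `parse_file_report` on the body when the content type is not application/octet-stream; the parsers run offline against SAMPLE_XML and SAMPLE_JSON. build_params refuses a format on URL requests and a hash that is neither 32 nor 64 hex characters, so a malformed request is caught before an API call is spent on it.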