Get a WildFire Verdict (WildFire API)

Use the
/get/verdict
resource to get a WildFire verdict for a sample based on the MD5 or SHA-256 hash or a web page based on the URL.
When requesting multiple WildFire verdicts, use the
/get/verdicts
resource to reduce the number of requests that count toward your daily limit. Learn how to Get Multiple WildFire Verdicts (WildFire API) and learn about request limits as part of WildFire API Access Control.

Resource

/get/verdict/

Request Parameters

Use the following form parameters when requesting a WildFire verdict for a sample or web page:
Parameters
Description
Example
apikey
(
Required
) API key
Example:
apikey=<API KEY>
hash
MD5 or SHA-256 hash value of the sample
Example:
hash=afe6b95ad95bc689c356f34 ec8d9094c495e4af57c932ac413b65ef132063acc------
url
The URL of the web page
Example:
url=http://www.google.com

Example Request 1

Make a POST request to the /get/verdict resource and include the API key along with the MD5 or SHA-256 hash value of the sample, similar to the following cURL command:
curl -F 'apikey=<API KEY>' -F 'hash=afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc' 'https://wildfire.paloaltonetworks.com/publicapi/get/verdict'
The XML response contains the WildFire verdict along with the related hash values:
<wildfire> <get-verdict-info> <sha256>afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc</sha256> <verdict>1</verdict> <md5>0e4e3c2d84a9bc726a50b3c91346fbb1</md5> </get-verdict-info> </wildfire>
The
verdict
element value can be one of the following:
  • 0
    : benign
  • 1
    : malware
  • 2
    : grayware
  • 4
    : phishing
  • 5
    : C2
  • -100
    : pending, the sample exists, but there is currently no verdict (applicable to file analysis only)
  • -101
    : error
  • -102
    : unknown, cannot find sample record in the database
  • -103
    : invalid hash value
When sending an invalid hash value, an
HTTP 421
status is returned.

Example Request 2

Make a POST request to the /get/verdict resource and include the API key along with a web page URL, similar to the following cURL command:
curl -F 'apikey=<API KEY>' -F 'url=http://www.google.com' 'https://wildfire.paloaltonetworks.com/publicapi/get/verdict'
The XML response contains the WildFire verdict for the specified URL, the time and date when it was analyzed, and the validity, meaning that the verdict is up-to-date. URLs that have not been analyzed recently are considered obsolete and are designated as no longer valid:
<wildfire> <get-verdict-info> <url>http://www.google.com</url> <verdict>0</verdict> <analysis_time>2020-07-29T16:33:17Z</analysis_time> <valid>Yes</valid> </get-verdict-info> </wildfire>

Recommended For You