Submit a Sample Verdict Change (API)
Changes the WildFire verdict applied to a sample. Verdict
changes apply only to those samples submitted to the WildFire appliance,
and the verdict for the same sample remains unchanged in the WildFire
global cloud. Use this resource to update incorrect verdicts generated
by local WildFire analysis.
The WildFire private cloud content package is updated to reflect any verdict changes that you make (on the firewall, select Device > Dynamic Updates > WF-Private to enable WildFire private cloud content updates). When you change a sample verdict to malicious, the WildFire appliance generates a new signature to detect the malware and adds that signature to the WildFire private cloud content package. When you change a sample verdict to benign, the WildFire appliance removes the signature from the WildFire private cloud content package.
Resource
/submit/local-verdict-change/
Request Parameters
Use the following parameters when changing a WildFire appliance verdict for a sample. The parameter names are the form fields and header used in the example requests below:

| Parameter | Description | Example |
|---|---|---|
| apikey | (Required for API key authentication) API key, sent as a form field. | apikey=<API KEY> |
| Authorization header | (Required for token-based authentication) HTTP request header carrying the access token. To obtain an access token, create a WildFire API token in Strata Cloud Manager, then generate an access token from the authentication service. | Authorization: Bearer <ACCESS_TOKEN> |
| | (Required for Prisma Access and Prisma Cloud Compute-based WildFire public API keys) Designates the API key type. | |
| hash | (Required) SHA-256 hash value of the sample (64 hexadecimal characters). | hash=afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc |
| comment | (Required) A description of the change request in quotes, with a maximum length of 2,048 characters. | comment='changing verdict from benign to malicious' |
| verdict | (Required) The new verdict code to be applied to the sample. In the example below, 0 is benign and 1 is malicious. | verdict=1 |
Example Request
Make a POST request to the /submit/local-verdict-change resource and include the API key, the SHA-256 hash value of the sample, the desired verdict for the sample, and a comment with a description of the change:
curl -k -F 'apikey=<API KEY>' -F 'hash=afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc' -F 'verdict=1' -F 'comment=changing verdict from benign to malicious' 'https://10.1.1.1/publicapi/submit/local-verdict-change'
The -k flag disables certificate verification, which the example uses because the appliance presents a self-signed certificate. Because the request carries the API key, prefer verifying the appliance certificate in production, for example by passing the appliance CA certificate with --cacert instead of -k.
The XML response confirms the change and reports the old and new verdict codes. Example:
<wildfire> <body>verdict is changed (old verdict: 0, new verdict:1)</body> <headers/> </wildfire>
Example Request (Token-Based Authentication)
Alternatively, you can authenticate with a Bearer token instead of an API key: send the same form fields, but omit the apikey field and add an Authorization header containing your access token. Note that the example below targets the WildFire public cloud (wildfire.paloaltonetworks.com) and its /submit/change-request resource, which also takes an email field; that is a verdict change request against the global cloud, not the appliance-local change described above, whose verdict in the global cloud remains unchanged:
curl -F 'hash=afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc' -F 'verdict=1' -F 'email=user@example.com' -F 'comment=This is malware' -H 'Authorization: Bearer <ACCESS_TOKEN>' 'https://wildfire.paloaltonetworks.com/publicapi/submit/change-request'
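The two curl commands above, as a client with the checks a practitioner would want before sending an API key to an endpoint: this is an added example, not Palo Alto Networks code. It validates the hash, verdict code and comment length locally, encodes the same multipart/form-data that curl -F sends, pins a CA certificate instead of using -k, supports either the apikey form field or the Authorization Bearer header, and parses the <wildfire><body> reply into old and new verdict codes. The endpoint paths, field names and reply format are taken from this page; the verdict codes 0 (benign) and 1 (malicious) are the ones the page's example uses; the CA file path and the bearer-token and email handling in one function are assumptions.

```python
"""Submit a WildFire verdict change with client-side validation and TLS pinning.

Added example, not Palo Alto Networks code. Endpoint paths, form fields and the
XML reply format follow the page; the CA file path is an assumed value.
"""
import re
import ssl
import urllib.request
import uuid
import xml.etree.ElementTree as ET

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
VERDICT_CODES = {"benign": 0, "malicious": 1}   # codes as used in the page's example
MAX_COMMENT_LEN = 2048
REPLY_RE = re.compile(r"old verdict:\s*(-?\d+),\s*new verdict:\s*(-?\d+)")


def build_fields(sha256, verdict, comment, apikey=None, email=None):
    """Validate the inputs locally and return the multipart form fields.

    apikey is omitted when a bearer token is used instead; email is only
    needed by the public cloud's /submit/change-request resource.
    """
    if not SHA256_RE.match(sha256):
        raise ValueError("hash must be the 64-hex-character SHA-256 of the sample")
    if isinstance(verdict, str):
        if verdict.lower() not in VERDICT_CODES:
            raise ValueError("verdict must be 'benign' or 'malicious'")
        verdict = VERDICT_CODES[verdict.lower()]
    if verdict not in VERDICT_CODES.values():
        raise ValueError("verdict code must be 0 (benign) or 1 (malicious)")
    if not comment or len(comment) > MAX_COMMENT_LEN:
        raise ValueError(f"comment must be 1..{MAX_COMMENT_LEN} characters")
    fields = {"hash": sha256.lower(), "verdict": str(verdict), "comment": comment}
    if apikey:
        fields["apikey"] = apikey
    if email:
        fields["email"] = email
    return fields


def encode_multipart(fields, boundary=None):
    """Encode fields as multipart/form-data, i.e. what `curl -F` sends."""
    boundary = boundary or uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts += [f"--{boundary}",
                  f'Content-Disposition: form-data; name="{name}"', "", value]
    parts += [f"--{boundary}--", ""]
    return "\r\n".join(parts).encode(), f"multipart/form-data; boundary={boundary}"


def parse_reply(xml_bytes):
    """Return (old, new) verdict codes from the <wildfire><body> reply text."""
    root = ET.fromstring(xml_bytes)
    body = root.findtext("body") or ""
    match = REPLY_RE.search(body)
    if root.tag != "wildfire" or match is None:
        raise RuntimeError(f"unexpected reply: {body!r}")
    return int(match.group(1)), int(match.group(2))


def submit_verdict_change(url, fields, cafile=None, bearer_token=None, opener=None):
    """POST the change and return (old_verdict, new_verdict).

    cafile pins the appliance or cloud CA instead of disabling verification
    (curl -k); with cafile=None the system trust store is used. A non-2xx
    status surfaces as urllib.error.HTTPError (see 'WildFire API Error Codes').
    """
    body, content_type = encode_multipart(fields)
    headers = {"Content-Type": content_type}
    if bearer_token:
        headers["Authorization"] = f"Bearer {bearer_token}"
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    if opener is None:
        ctx = ssl.create_default_context(cafile=cafile)
        opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    with opener.open(req, timeout=30) as resp:
        return parse_reply(resp.read())


if __name__ == "__main__":
    # Appliance-local change with API-key authentication (hash from the page's example).
    fields = build_fields(
        "afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc",
        "malicious", "changing verdict from benign to malicious", apikey="<API KEY>")
    old, new = submit_verdict_change(
        "https://10.1.1.1/publicapi/submit/local-verdict-change", fields,
        cafile="/etc/ssl/wildfire-appliance-ca.pem")   # assumed path to the appliance CA
    print(f"verdict changed: {old} -> {new}")
```

For the public cloud variant, build the fields with email set and no apikey, pass bearer_token to submit_verdict_change, and point the URL at https://wildfire.paloaltonetworks.com/publicapi/submit/change-request; the validation and reply parsing are the same.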