: Standalone WildFire API Subscription
Focus
Focus

Standalone WildFire API Subscription

Table of Contents

Standalone WildFire API Subscription

Palo Alto Networks now offers a subscription service enabling access to the advanced file analysis capabilities of the WildFire cloud for customers operating SOAR tools, custom security applications, and other threat assessment software through a RESTful, XML-based API. This standalone WildFire API subscription offering allows you to make queries to the WildFire cloud threat database for information about potentially malicious content, and submit files for analysis using the advanced threat analysis capabilities of WildFire, based on your organization’s specific requirements. The enhanced access limits of the subscription allow organizations of various sizes to customize their access limits according to their usage - this includes scalable licenses that allow a specific number of file/report queries, sample submissions (for WildFire analysis), or a combination of the two.
WildFire queries allow you to retrieve existing WildFire verdicts, samples (does not include benign samples), packet captures (PCAPs), and WildFire analysis reports, which provide detailed information about a sample, including file information, behavior summary, analysis results, and more. To conform to established privacy policies, you can only download samples and packet captures of the files that your organization has submitted. These samples have been collected by the global community of Palo Alto Networks users, through an array of products, as well as internal research teams. WildFire sample submissions allow you to submit unknown samples for WildFire analysis, using the same advanced analysis and prevention engine used in integrated WildFire cloud solutions.
For more information about Palo Alto Networks privacy policies, file retention practices, and the acceptable use policy, please refer to: WildFire Privacy Datasheet and WildFire Acceptable Use Policy.
With the introduction of the standalone WildFire API subscription, several changes have been implemented for existing firewall-attached, WildFire subscription holders.
  • The daily base WildFire API query/submit limits have been updated to the following:
    • Sample submission—150
    • Sample query (including WildFire reports)—1,050
For information about licensing options, please contact your Palo Alto Networks sales representative.
Before you can access the WildFire API key, you must have an active firewall-attached WildFire subscription or the WildFire API subscription registered to an account holder in your organization. Your WildFire cloud API key is assigned when you purchase your subscription and expires when the subscription term expires. The details of your account can be accessed from the Palo Alto Networks Customer Support Portal.
You can view and manage your API usage, including a history of recent submissions, API key details, usage statistics/limits, and your organization’s verdict statistics in the WildFire cloud portal. You can also perform the same tasks that are available as API endpoints directly through the portal, such as uploading samples and viewing WildFire reports though an easy to use interface.
Verdicts that you suspect are either false-positives or false-negatives can be submitted for review and analysis by the Palo Alto Networks threat team using the WildFire cloud portal. This option is available at the bottom of the analysis report of the sample in question.
The following WildFire API endpoints are available for sample queries and submissions:
For detailed information about using the WildFire API, see the WildFire API Reference.
API Resource
Description
Documentation Link
WildFire Submit Sample Endpoints
/submit/file
Submit a supported file type for WildFire analysis.
/submit/url
Submit a supported file type on a website for WildFire analysis. Use this resource for files hosted remotely and not website URLs.
/submit/link
Submit a single website link for WildFire analysis.
/submit/links
Use this resource to submit multiple website URLs (up to 1000) for WildFire analysis. This resource is preferable when you have a large list of URLs to be analyzed.
WildFire Query Endpoints
/get/sample
Use the /get/sample resource to download a sample based on the MD5 or SHA-256 hash of the file that your organization uploaded for WildFire analysis.
Palo Alto Networks provides access to malware samples collected by the WildFire cloud for an indefinite period, while grayware samples are available for 14 days. Benign samples are not available for download.
/get/pcap
Use the /get/pcap resource to request a packet capture (PCAP) recorded during analysis of a particular sample that your organization uploaded for WildFire analysis.Use either the MD5 or SHA-256 hash of the sample file as a search query.
/get/verdict
Use the /get/verdict resource to get a WildFire verdict for a sample based on the MD5 or SHA-256 hash or a web page based on the URL.
/get/verdicts
Use this resource to get multiple WildFire verdicts based on a text file that contains multiple hashes. You can include up to 500 hash values in a single file, with each hash value being on a separate line.
/get/report
Use this resource to get a WildFire Analysis report for a specified sample hash value or web page URL.
/get/webartifacts
Use this resource to get the web artifacts found during analysis of the specified web page URL.