Standalone WildFire API Subscription
Palo Alto Networks now offers a subscription
service enabling access to the advanced file analysis capabilities
of the WildFire cloud for customers operating SOAR tools, custom
security applications, and other threat assessment software through
a RESTful, XML-based API. This standalone WildFire API subscription
offering allows you to make queries to the WildFire cloud threat
database for information about potentially malicious content, and
submit files for analysis using the advanced threat analysis capabilities
of WildFire, based on your organization’s specific requirements.
The enhanced access limits of the subscription allow organizations
of various sizes to customize their access limits according to their
usage - this includes scalable licenses that allow a specific number
of file/report queries, sample submissions (for WildFire analysis),
or a combination of the two.
WildFire queries allow you to retrieve existing
WildFire verdicts, samples (excluding benign samples), packet
captures (PCAPs), and WildFire analysis reports, which provide detailed
information about a sample, including file information, behavior
summary, analysis results, and more. To conform to established privacy
policies, you can only download samples and packet captures of the
files that your organization has submitted. These samples have been
collected by the global community of Palo Alto Networks users, through
an array of products, as well as internal research teams. WildFire
sample submissions allow you to submit unknown samples for WildFire
analysis, using the same advanced analysis and prevention
engine used in integrated WildFire cloud solutions.
For more information about Palo Alto Networks privacy policies,
file retention practices, and the acceptable use policy, please
refer to: WildFire Privacy Datasheet and WildFire Acceptable Use Policy.
With the introduction of the standalone WildFire API subscription,
several changes have been implemented for existing holders of
firewall-attached WildFire subscriptions.
- The daily base WildFire API query/submit limits have been updated to the following:
  - Sample submission—150
  - Sample query (including WildFire reports)—1,050
For information about licensing options, please contact your
Palo Alto Networks sales representative.
Before you can access the WildFire API key, you must have an
active firewall-attached WildFire subscription or the WildFire API
subscription registered to an account holder in your organization.
Your WildFire cloud API key is assigned when you purchase your subscription
and expires when the subscription term expires. The details of your
account can be accessed from the Palo Alto Networks Customer Support
Portal.
You can view and manage your API usage, including a history of
recent submissions, API key details, usage statistics/limits, and
your organization’s verdict statistics in the WildFire cloud portal.
You can also perform the same tasks that are available as API endpoints
directly through the portal, such as uploading samples and viewing
WildFire reports through an easy-to-use interface.
Verdicts that you suspect are either false positives or false negatives
can be submitted for review and analysis by the Palo Alto Networks
threat team using the WildFire cloud portal. This option is available
at the bottom of the analysis report of the sample in question.
The following WildFire API endpoints are available for sample
queries and submissions. For detailed information about using the
WildFire API, see the WildFire API Reference.

API Resource | Description | Documentation Link |
---|---|---|
WildFire Submit Sample Endpoints | | |
/submit/file | Submit a supported file type for WildFire analysis. | |
/submit/url | Submit a supported file type on a website for WildFire analysis. Use this resource for files hosted remotely and not website URLs. | |
/submit/link | Submit a single website link for WildFire analysis. | |
/submit/links | Use this resource to submit multiple website URLs (up to 1000) for WildFire analysis. This resource is preferable when you have a large list of URLs to be analyzed. | |
WildFire Query Endpoints | | |
/get/sample | Use the /get/sample resource to download a sample based on the MD5 or SHA-256 hash of the file that your organization uploaded for WildFire analysis. Palo Alto Networks provides access to malware samples collected by the WildFire cloud for an indefinite period, while grayware samples are available for 14 days. Benign samples are not available for download. | |
/get/pcap | Use the /get/pcap resource to request a packet capture (PCAP) recorded during analysis of a particular sample that your organization uploaded for WildFire analysis. Use either the MD5 or SHA-256 hash of the sample file as a search query. | |
/get/verdict | Use the /get/verdict resource to get a WildFire verdict for a sample based on the MD5 or SHA-256 hash or a web page based on the URL. | |
/get/verdicts | Use this resource to get multiple WildFire verdicts based on a text file that contains multiple hashes. You can include up to 500 hash values in a single file, with each hash value being on a separate line. | |
/get/report | Use this resource to get a WildFire Analysis report for a specified sample hash value or web page URL. | |
/get/webartifacts | Use this resource to get the web artifacts found during analysis of the specified web page URL. | |