Tips & Tricks: Export Threat Vault spyware and vulnerability signatures using XML API

Created On 09/25/18 18:59 PM - Last Modified 04/22/22 12:42 PM


Resolution


Did you know you can export the list of current spyware and vulnerability signatures from Threat Vault using XML API? This could be useful in helping to determine existing coverage. Using the XML API, you can export this information in an easy-to-parse format.

But before using the API, you must generate an API key to authenticate all API calls.

Construct a request using credentials for an existing admin account. Use the URL below, replacing hostname, username, and password with the appropriate values. Any special characters in the password must be URL/percent-encoded.

http(s)://hostname/api/?type=keygen&user=username&password=password

The result will be an XML block that contains the key. It should look like the following:

<response status="success">
    <result>
        <key>gJlQWE56987nBxIqyfa62sZeRtYuIo2BgzEA9UOnlZBhU</key>
    </result>
</response>

The key must be URL encoded when used in HTTP requests.

Let's return to exporting the threat vault using XML API. Now that you have generated an API key, use the following API call to export the list of spyware and vulnerability signatures in Threat Vault.

https://hostname/api/?type=config&action=get&key=gJlQWE56987nBxIqyfa62sZeRtYuIo2BgzEA9UOnlZBhU&xpath=/config/predefined/threats

The output will look similar to the screenshot below:

[Screenshot: XML output listing the predefined threat entries]

Note: this call only returns the Threat ID and Threat name for each entry. If you need additional information, such as the signature type, the default action taken, and the severity, use the following commands instead:

For all signatures (vulnerability and spyware)

  • https://hostname/api/?key=gJlQWE56987nBxIqyfa62sZeRtYuIo2BgzEA9UOnlZBhU&type=op&cmd=<show><predefined><xpath>/predefined/threats/</xpath></predefined></show>

For just vulnerability signatures

  • https://hostname/api/?key=gJlQWE56987nBxIqyfa62sZeRtYuIo2BgzEA9UOnlZBhU&type=op&cmd=<show><predefined><xpath>/predefined/threats/vulnerability</xpath></predefined></show>

For just spyware signatures

  • https://hostname/api/?key=gJlQWE56987nBxIqyfa62sZeRtYuIo2BgzEA9UOnlZBhU&type=op&cmd=<show><predefined><xpath>/predefined/threats/phone-home</xpath></predefined></show>


The above commands will provide more details for each signature as shown below:
[Screenshot: detailed XML output for a signature entry]

Please Note: depending on the size of the list and your available memory, you may not be able to view this expanded, detailed list in your browser; instead, the browser may return an error similar to the one below:

[Screenshot: browser error page]

In these cases, you will need to use the curl command from a terminal (the -k flag disables TLS certificate verification; if the management interface presents a certificate your system trusts, omit it, or supply your CA certificate with --cacert instead):

  • curl -kX GET 'https://hostname/api/?key=gJlQWE56987nBxIqyfa62sZeRtYuIo2BgzEA9UOnlZBhU&type=op&cmd=<show><predefined><xpath>/predefined/threats</xpath></predefined></show>'
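As an added example (not code from the article or from Palo Alto Networks), the script below chains the two steps described above: it requests an API key with type=keygen, then issues the type=op show predefined command and writes one CSV row per signature. It percent-encodes the password, the key and the XML command (the article notes the key must be URL encoded, and the cmd parameter needs the same treatment), streams the op response with iterparse so the large result that overwhelms a browser is never held in memory as one tree, and verifies the server certificate by default rather than using the equivalent of curl -k. The sample XML, the entry child element names (threatname, severity, default-action) and the hostname are constructed assumptions; the parser flattens whatever children each <entry> actually carries, so check a real response and adjust DEFAULT_COLUMNS to match.

```python
"""Export PAN-OS predefined threat signatures to CSV via the XML API.

Added example for this article, not Palo Alto Networks code. It uses only
the calls shown in the article (type=keygen, then type=op with a
<show><predefined><xpath>...</xpath></predefined></show> command).
SAMPLE_* values below are constructed test data; element names inside
<entry> are assumptions, so the parser flattens whatever children exist.
"""
import csv
import io
import ssl
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the op-command output (assumed names).
SAMPLE_RESPONSE = b"""<response status="success"><result>
  <vulnerability>
    <entry name="30003">
      <threatname>Example Vulnerability Signature</threatname>
      <severity>high</severity>
      <default-action>reset-both</default-action>
    </entry>
  </vulnerability>
  <phone-home>
    <entry name="10001">
      <threatname>Example Spyware Signature</threatname>
      <severity>medium</severity>
      <default-action>alert</default-action>
    </entry>
  </phone-home>
</result></response>"""

# Constructed keygen response carrying a placeholder key.
SAMPLE_KEYGEN = b"""<response status="success"><result>
  <key>EXAMPLE-KEY-PLACEHOLDER</key></result></response>"""

# Columns to export (assumed field names); missing fields are left blank.
DEFAULT_COLUMNS = ("threatname", "severity", "default-action")

def keygen_url(host, user, password):
    """Build the keygen URL; urlencode percent-encodes special characters."""
    query = urllib.parse.urlencode(
        {"type": "keygen", "user": user, "password": password})
    return f"https://{host}/api/?{query}"

def op_url(host, key, xpath):
    """Build the op URL; the key and the XML command are percent-encoded."""
    cmd = f"<show><predefined><xpath>{xpath}</xpath></predefined></show>"
    query = urllib.parse.urlencode({"key": key, "type": "op", "cmd": cmd})
    return f"https://{host}/api/?{query}"

def parse_key(xml_bytes):
    """Return the API key from a keygen response, or raise on failure."""
    root = ET.fromstring(xml_bytes)
    if root.get("status") != "success":
        raise RuntimeError("keygen failed: %r" % xml_bytes[:200])
    return root.findtext("./result/key")

def _text(elem):
    """Element text, or its child tags when the value is an empty child
    element (an action may be expressed as <drop/> rather than as text)."""
    if elem.text and elem.text.strip():
        return elem.text.strip()
    return ",".join(child.tag for child in elem)

def iter_entries(stream):
    """Stream <entry> elements from a file-like object with iterparse, so a
    response too large for a browser is never built as one in-memory tree.
    Yields (parent tag such as vulnerability/phone-home, id, fields)."""
    stack = []
    for event, elem in ET.iterparse(stream, events=("start", "end")):
        if event == "start":
            stack.append(elem.tag)
            continue
        stack.pop()
        if elem.tag != "entry":
            continue
        fields = {child.tag: _text(child) for child in elem}
        yield (stack[-1] if stack else "", elem.get("name", ""), fields)
        elem.clear()  # release the processed entry's subtree

def export_csv(stream, out, columns=DEFAULT_COLUMNS):
    """Write one CSV row per signature; returns the number of rows written."""
    writer = csv.DictWriter(out, fieldnames=["type", "id", *columns],
                            restval="", extrasaction="ignore")
    writer.writeheader()
    count = 0
    for ttype, tid, fields in iter_entries(stream):
        writer.writerow({"type": ttype, "id": tid, **fields})
        count += 1
    return count

def entries_from_bytes(data):
    """In-memory helper: parsed entries of an XML byte string."""
    return list(iter_entries(io.BytesIO(data)))

def csv_from_bytes(data, columns=DEFAULT_COLUMNS):
    """In-memory helper: CSV text for an XML byte string."""
    out = io.StringIO()
    export_csv(io.BytesIO(data), out, columns)
    return out.getvalue()

def fetch(url, cafile=None):
    """Open the URL with certificate verification on (unlike curl -k); pass
    cafile when the firewall certificate was issued by a private CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    return urllib.request.urlopen(url, context=ctx, timeout=600)

def main(argv):
    if len(argv) != 4:
        print("usage: export_threats.py HOSTNAME USERNAME PASSWORD", file=sys.stderr)
        return 2
    host, user, password = argv[1:]
    with fetch(keygen_url(host, user, password)) as resp:
        key = parse_key(resp.read())
    with fetch(op_url(host, key, "/predefined/threats/")) as resp:
        n = export_csv(resp, sys.stdout)  # streamed straight to stdout
    print(f"exported {n} signatures", file=sys.stderr)
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 export_threats.py hostname username password > threats.csv`; change the xpath passed to op_url to /predefined/threats/vulnerability or /predefined/threats/phone-home to export only one signature type, exactly as in the URLs above.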


The following link provides more information on the XML API:

PAN-OS® and Panorama™ API Guide


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSMCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail