Did you know you can export the list of current spyware and vulnerability signatures from Threat Vault using XML API? This could be useful in helping to determine existing coverage. Using the XML API, you can export this information in an easy-to-parse format.
But before using the API, you must generate an API key to authenticate all API calls.
Construct a request using credentials for an existing admin account. Use the URL below, replacing hostname, username, and password with the appropriate values. Any special characters in the password must be URL/percent-encoded.
http(s)://hostname/api/?type=keygen&user=username&password=password
The result will be an XML block that contains the key. It should look like the following:
<response status="success">
<result>
<key>gJlQWE56987nBxIqyfa62sZeRtYuIo2BgzEA9UOnlZBhU</key>
</result>
</response>
The key must be URL encoded when used in HTTP requests.
Let's return to exporting the threat vault using XML API. Now that you have generated an API key, use the following API call to export the list of spyware and vulnerability signatures in Threat Vault.
https://hostname/api/?type=config&action=get&key=gJlQWE56987nBxIqyfa62sZeRtYuIo2BgzEA9UOnlZBhU&xpath=/config/predefined/threats
The output will look similar to the screenshot below:
Note: this call only provides the Threat ID and Threat name for each entry. If you need additional information, such as the type, the default action taken, and the severity, you will need to use the following commands:
For all signatures (vulnerability and spyware)
- https://hostname/api/?key=gJlQWE56987nBxIqyfa62sZeRtYuIo2BgzEA9UOnlZBhU&type=op&cmd=<show><predefined><xpath>/predefined/threats/</xpath></predefined></show>
For just vulnerability signatures
- https://hostname/api/?key=gJlQWE56987nBxIqyfa62sZeRtYuIo2BgzEA9UOnlZBhU&type=op&cmd=<show><predefined><xpath>/predefined/threats/vulnerability</xpath></predefined></show>
For just spyware signatures
- https://hostname/api/?key=gJlQWE56987nBxIqyfa62sZeRtYuIo2BgzEA9UOnlZBhU&type=op&cmd=<show><predefined><xpath>/predefined/threats/phone-home</xpath></predefined></show>
The above commands will provide more details for each signature as shown below:
Please note: because of the size of the list and the memory available to your browser, you may not be able to view this expanded, detailed list in a browser; instead, you may receive an error similar to the one below:
In these cases, you will need to use the curl command from a terminal:
- curl -kX GET 'https://hostname/api/?key=gJlQWE56987nBxIqyfa62sZeRtYuIo2BgzEA9UOnlZBhU&type=op&cmd=<show><predefined><xpath>/predefined/threats</xpath></predefined></show>'
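As an added example (not code from this article or from Palo Alto Networks), the Python script below builds the keygen, config-export and op requests described above and parses their XML responses offline, so the URL encoding of the password, the key and the cmd element can be checked before anything is sent to a firewall. The hostname, the sample credential, the <threatname> child of each entry and the export response itself are assumptions or constructed samples; the keygen response is the one shown in the article.

```python
# Added example, not from the article: build the XML API requests it describes
# and parse the XML responses offline. Hostnames, credentials, the <threatname>
# element and THREATS_RESPONSE are assumptions/constructed samples.
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

# Keygen response as shown in the article (whitespace collapsed).
KEYGEN_RESPONSE = ('<response status="success"><result>'
                   '<key>gJlQWE56987nBxIqyfa62sZeRtYuIo2BgzEA9UOnlZBhU</key>'
                   '</result></response>')

# Constructed export response; a real one has many entries and more children.
THREATS_RESPONSE = """<response status="success"><result><threats>
<vulnerability><entry name="EXAMPLE-1"><threatname>constructed vuln</threatname></entry></vulnerability>
<phone-home><entry name="EXAMPLE-2"><threatname>constructed spyware</threatname></entry></phone-home>
</threats></result></response>"""


def keygen_url(host, user, password):
    # urlencode percent-encodes special characters in the password, as required.
    q = urlencode({"type": "keygen", "user": user, "password": password})
    return f"https://{host}/api/?{q}"


def parse_key(xml_text):
    # Only accept a successful response that actually carries a key.
    root = ET.fromstring(xml_text)
    key = root.findtext("./result/key")
    if root.get("status") != "success" or not key:
        raise ValueError(f"keygen failed, status={root.get('status')!r}")
    return key


def export_url(host, key, xpath="/config/predefined/threats"):
    # type=config&action=get form; the key is URL-encoded, slashes stay readable.
    q = urlencode({"type": "config", "action": "get", "key": key, "xpath": xpath}, safe="/")
    return f"https://{host}/api/?{q}"


def op_url(host, key, subtree=""):
    # type=op form; subtree is "", "vulnerability" or "phone-home". The angle
    # brackets of the cmd element are percent-encoded instead of sent raw.
    cmd = f"<show><predefined><xpath>/predefined/threats/{subtree}</xpath></predefined></show>"
    return f"https://{host}/api/?" + urlencode({"key": key, "type": "op", "cmd": cmd}, safe="/")


def parse_threat_entries(xml_text):
    # Yields (category, threat id, threat name) for every entry under <threats>.
    root = ET.fromstring(xml_text)
    threats = root.find("./result/threats")
    if threats is None:
        raise ValueError("no <threats> element in response")
    return [(cat.tag, e.get("name"), e.findtext("threatname", ""))
            for cat in threats for e in cat.findall("entry")]
```

Feed the saved output of the curl command above to parse_threat_entries to get a flat list of ID/name pairs per category.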
The following link provides more information on the XML API:
PAN-OS® and Panorama™ API Guide