Threat Vault API Cheat Sheet
Created On 08/22/22 10:37 AM - Last Modified 09/25/25 16:00 PM
Objective
To provide a quick reference for the most common commands used with the Threat Vault API.
Environment
Threat Vault API
Procedure
Before you get started:
How to obtain your Threat Vault API key
Queries
Threat ID:
curl -v -H 'X-API-KEY: <APIKEY>' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats?id=<Threat_ID>'
MD5:
curl -v -H 'X-API-KEY: <APIKEY>' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats?md5=<MD5_HASH>'
SHA256:
curl -v -H 'X-API-KEY: <APIKEY>' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats?sha256=<SHA256_HASH>'
Signature name:
curl -v -H 'X-API-KEY: <APIKEY>' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats?name=<Signature+Name or Group+of+words>'
- Queries with multiple words must use + in place of spaces, for example: command+and+control
CVE Coverage:
curl -v -H 'X-API-KEY: <APIKEY>' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats/cve-coverage?cve_id=<CVE-XXXX-XXXX>'
Predefined EDL Content:
curl -v -H 'X-API-KEY: <APIKEY>' 'https://api.threatvault.paloaltonetworks.com/service/v1/edl?name=panw-highrisk-ip-list&version=latest'
- Note: the value for 'name' in the above curl can only be one of the following:
- panw-highrisk-ip-list
- panw-known-ip-list
- panw-bulletproof-ip-list
- panw-torexit-ip-list
IP feed:
curl -H 'X-API-KEY: <APIKEY>' 'https://api.threatvault.paloaltonetworks.com/service/v1/ip-feed?name=malicious'
Date (both single date and date range):
curl -v -H 'X-API-KEY: <APIKEY>' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats?releaseDate=<DATE>'
curl -v -H 'X-API-KEY: <APIKEY>' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats?fromReleaseDate=<FROMDATE>&toReleaseDate=<TODATE>'
Content version release notes:
curl -v -H 'X-API-KEY: <APIKEY>' 'https://api.threatvault.paloaltonetworks.com/service/v1/release-notes?type=content&version=<VERSION>'
Signature history, Antivirus package:
curl -v -H 'X-API-KEY: <APIKEY>' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats/history?id=<Threat_ID>&type=antivirus'
- Note: history is only available for signatures that are released; it is not available for replaced or disabled signatures
Signature history, WildFire package:
curl -v -H 'X-API-KEY: <APIKEY>' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats/history?id=<Threat_ID>&type=wildfire'
- Note: history is only available for signatures that are released; it is not available for replaced or disabled signatures
Batch Queries
Batch queries are limited to 100 entries per query (the examples show 3 entries). The available batch queries are:
Threat ID:
curl -v -X POST -H 'X-API-KEY: <APIKEY>' -H 'Content-Type: application/json' -d '{"id":["<Threat_ID>","<Threat_ID>","<Threat_ID>"]}' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats'
MD5:
curl -v -X POST -H 'X-API-KEY: <APIKEY>' -H 'Content-Type: application/json' -d '{"md5":["<MD5_HASH>","<MD5_HASH>","<MD5_HASH>"]}' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats'
SHA256:
curl -v -X POST -H 'X-API-KEY: <APIKEY>' -H 'Content-Type: application/json' -d '{"sha256":["<SHA256_HASH>","<SHA256_HASH>","<SHA256_HASH>"]}' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats'
IP Feed:
curl -v -X POST -H 'X-API-KEY: <APIKEY>' -H 'Content-Type: application/json' -d '{"ipaddr":["<IP>","<IP>","<IP>"]}' 'https://api.threatvault.paloaltonetworks.com/service/v1/ip-feed'
Signature name:
curl -v -X POST -H 'X-API-KEY: <APIKEY>' -H 'Content-Type: application/json' -d '{"name":["<Signature+Name or Group+of+words>","<Signature+Name or Group+of+words>","<Signature+Name or Group+of+words>"]}' 'https://api.threatvault.paloaltonetworks.com/service/v1/threats'
- Queries with multiple words must use + in place of spaces, for example: command+and+control
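
Added example (not part of the original article): a shell helper that validates a list of SHA256 hashes and splits it into batch bodies that respect the 100-entry limit above, then posts each body to the batch endpoint shown on this page. The function names, the sample values and the use of a header file (curl's -H @file form, curl 7.55 or later) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original article.
TV_URL='https://api.threatvault.paloaltonetworks.com/service/v1/threats'
TV_BATCH_MAX=100   # batch limit stated in this article

# Constructed sample input: N fake 64-hex-digit values (not real hashes).
tv_sample_hashes() {
    awk -v n="$1" 'BEGIN { for (i = 1; i <= n; i++) printf "%064x\n", i }'
}

# stdin: one SHA256 per line. stdout: one JSON batch body per line, each
# holding at most $1 entries (default 100). Anything that is not exactly
# 64 hex digits is reported on stderr and skipped, so stray text can never
# end up inside the JSON.
tv_sha256_bodies() {
    tr -d '\r' | tr 'A-F' 'a-f' | awk -v max="${1:-$TV_BATCH_MAX}" '
        /^[0-9a-f]+$/ && length($0) == 64 {
            buf = buf (n ? "," : "") "\"" $0 "\""
            if (++n == max) { print "{\"sha256\":[" buf "]}"; buf = ""; n = 0 }
            next
        }
        NF { print "skipped: " $0 > "/dev/stderr" }
        END { if (n) print "{\"sha256\":[" buf "]}" }
    '
}

# stdin: bodies from tv_sha256_bodies. $1: file holding the single line
# "X-API-KEY: <APIKEY>". Reading the header from a file keeps the key out of
# the process list; -v is omitted because verbose output prints request
# headers, the key included.
tv_post_bodies() {
    while IFS= read -r body; do
        curl -sS --fail -X POST -H @"$1" -H 'Content-Type: application/json' \
            -d "$body" "$TV_URL"
        echo
    done
}

# Offline demo with a batch size of 2: prints two bodies (2 entries, then 1).
tv_sample_hashes 3 | tv_sha256_bodies 2
```

To send real data, pipe a hash list through both functions, for example tv_sha256_bodies < hashes.txt | tv_post_bodies tv_header.txt (both file names are hypothetical), and keep the header file readable only by its owner.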