https://live.paloaltonetworks.com/t5/automation-api-discussions/wildfire-event-through-the-rest-api/m-p/45285#M1039 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Has the URI you mentioned already been valid?</P><P>I tried following command today but no luck.</P><P></P><P>-------------------------------</P><P><SPAN>$ curl -i -k -F device_id=001606000xxx -F report_id=417xxx -F format=xml </SPAN><A class="jive-link-external-small" href="https://wildfire.paloaltonetworks.com/publicapi/report">https://wildfire.paloaltonetworks.com/publicapi/report</A></P><P>HTTP/1.1 100 Continue</P><P></P><P></P><P>HTTP/1.1 400 Bad Request</P><P>Server: nginx/1.0.9</P><P>Date: Thu, 11 Jul 2013 07:22:30 GMT</P><P>Content-Type: text/html</P><P>Transfer-Encoding: chunked</P><P>Connection: keep-alive</P><P>X-Powered-By: PHP/5.3.6</P><P>-------------------------------</P><P></P><P>Also tried with wget to check if the curl I am using is something wrong but almost same result.</P><P>-------------------------------</P><P><SPAN>$ wget --no-check-certificate --post-data 'device_id=001606000xxx&amp;report_id=417xxx&amp;format=xml' </SPAN><A class="jive-link-external-small" href="https://wildfire.paloaltonetworks.com/publicapi/report">https://wildfire.paloaltonetworks.com/publicapi/report</A></P><P><SPAN>--2013-07-11 08:25:46--&nbsp; </SPAN><A class="jive-link-external-small" href="https://wildfire.paloaltonetworks.com/publicapi/report">https://wildfire.paloaltonetworks.com/publicapi/report</A></P><P>Resolving wildfire.paloaltonetworks.com... 54.241.16.153</P><P>Connecting to wildfire.paloaltonetworks.com|54.241.16.153|:443... connected.</P><P>WARNING: certificate common name `*.wildfire.paloaltonetworks.com' doesn't match requested host name `wildfire.paloaltonetworks.com'.</P><P>HTTP request sent, awaiting response... 400 Bad Request</P><P>2013-07-11 08:25:47 ERROR 400: Bad Request.</P><P>-------------------------------</P><P></P><P>Any mistakes I am making?</P><P></P><P>Thanks,</P></BODY></HTML> Thu, 11 Jul 2013 07:33:36 GMT tmyzw 2013-07-11T07:33:36Z https://live.paloaltonetworks.com/t5/automation-api-discussions/wildfire-event-through-the-rest-api/m-p/45281#M1035 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I have been looking at the RESTful XML API in order to retrieve logs, and have noticed that the API returns traffic and threat logs, but it does not return wildfire logs.</P><P>To retrieve threat logs I provide type=logs and log-type=threat as parameters.</P><P></P><P>Wildfire logs show up with type=THREAT and subType=wildfire when retrieved through syslog. Shouldn't they then be return similarly through the REST API?</P><P></P><P>Thanks!</P></BODY></HTML> Wed, 01 May 2013 13:41:49 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/wildfire-event-through-the-rest-api/m-p/45281#M1035 wissa 2013-05-01T13:41:49Z https://live.paloaltonetworks.com/t5/automation-api-discussions/wildfire-event-through-the-rest-api/m-p/45282#M1036 <HTML><HEAD></HEAD><BODY><P>Wildfire logs cannot be retrieved from the API using the 'log-type=threat' option. A new 'log-type=wildfire' option is being added for this in upcoming PAN-OS 5.0.x software update.</P></BODY></HTML> Wed, 01 May 2013 19:15:48 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/wildfire-event-through-the-rest-api/m-p/45282#M1036 SRA 2013-05-01T19:15:48Z https://live.paloaltonetworks.com/t5/automation-api-discussions/wildfire-event-through-the-rest-api/m-p/45283#M1037 <HTML><HEAD></HEAD><BODY><P>Thanks, savasarala. Will the file hash be available with the new option for wildfire logs?</P></BODY></HTML> Thu, 02 May 2013 04:20:18 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/wildfire-event-through-the-rest-api/m-p/45283#M1037 wissa 2013-05-02T04:20:18Z https://live.paloaltonetworks.com/t5/automation-api-discussions/wildfire-event-through-the-rest-api/m-p/45284#M1038 <HTML><HEAD></HEAD><BODY><P>Hi wissa,</P><P></P><P>There is a bug fix to address accessing WildFire logs via the API that is planned for the upcoming maintenance release 5.0.5, due soon.</P><P></P><P>The hash is not available within the WildFire logs on the device, but can be accessed via the WildFire API.&nbsp; In order to retrieve file hash (along with other WildFire forensics details), <SPAN style="font-size: 10pt; line-height: 1.5em;">you can use the WildFire logs on the device and turn into WildFire API queries.&nbsp; We recently added a new WildFire API method used to query based on device id (S/N) and report ID in the WildFire reports (labeled as threat ID or "tid").</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P>A demonstration of the API query as a CURL command is provided below:</P><P></P><P><SPAN>curl -i -k -F device_id=[SERIAL NUMBER] -F report_id=[TID FROM LOG] -F format=xml </SPAN><A class="jive-link-external-small" href="https://wildfire.paloaltonetworks.com/publicapi/report">https://wildfire.paloaltonetworks.com/publicapi/report</A></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">WildFire logs can be exported to provide this information using log export or log forwarding.</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><SPAN>The full API manual (not including the above new method) is available at: </SPAN><A class="jive-link-external-small" href="https://wildfire.paloaltonetworks.com/Wildfire/Home/APIProgrammingGuide">https://wildfire.paloaltonetworks.com/Wildfire/Home/APIProgrammingGuide</A><SPAN>.&nbsp; Documentation will be updated soon to include this new API method.</SPAN></SPAN></P></BODY></HTML> Fri, 03 May 2013 03:55:27 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/wildfire-event-through-the-rest-api/m-p/45284#M1038 tettema 2013-05-03T03:55:27Z https://live.paloaltonetworks.com/t5/automation-api-discussions/wildfire-event-through-the-rest-api/m-p/45285#M1039 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Has the URI you mentioned already been valid?</P><P>I tried following command today but no luck.</P><P></P><P>-------------------------------</P><P><SPAN>$ curl -i -k -F device_id=001606000xxx -F report_id=417xxx -F format=xml </SPAN><A class="jive-link-external-small" href="https://wildfire.paloaltonetworks.com/publicapi/report">https://wildfire.paloaltonetworks.com/publicapi/report</A></P><P>HTTP/1.1 100 Continue</P><P></P><P></P><P>HTTP/1.1 400 Bad Request</P><P>Server: nginx/1.0.9</P><P>Date: Thu, 11 Jul 2013 07:22:30 GMT</P><P>Content-Type: text/html</P><P>Transfer-Encoding: chunked</P><P>Connection: keep-alive</P><P>X-Powered-By: PHP/5.3.6</P><P>-------------------------------</P><P></P><P>Also tried with wget to check if the curl I am using is something wrong but almost same result.</P><P>-------------------------------</P><P><SPAN>$ wget --no-check-certificate --post-data 'device_id=001606000xxx&amp;report_id=417xxx&amp;format=xml' </SPAN><A class="jive-link-external-small" href="https://wildfire.paloaltonetworks.com/publicapi/report">https://wildfire.paloaltonetworks.com/publicapi/report</A></P><P><SPAN>--2013-07-11 08:25:46--&nbsp; </SPAN><A class="jive-link-external-small" href="https://wildfire.paloaltonetworks.com/publicapi/report">https://wildfire.paloaltonetworks.com/publicapi/report</A></P><P>Resolving wildfire.paloaltonetworks.com... 54.241.16.153</P><P>Connecting to wildfire.paloaltonetworks.com|54.241.16.153|:443... connected.</P><P>WARNING: certificate common name `*.wildfire.paloaltonetworks.com' doesn't match requested host name `wildfire.paloaltonetworks.com'.</P><P>HTTP request sent, awaiting response... 400 Bad Request</P><P>2013-07-11 08:25:47 ERROR 400: Bad Request.</P><P>-------------------------------</P><P></P><P>Any mistakes I am making?</P><P></P><P>Thanks,</P></BODY></HTML> Thu, 11 Jul 2013 07:33:36 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/wildfire-event-through-the-rest-api/m-p/45285#M1039 tmyzw 2013-07-11T07:33:36Z https://live.paloaltonetworks.com/t5/automation-api-discussions/wildfire-event-through-the-rest-api/m-p/45286#M1040 <HTML><HEAD></HEAD><BODY><P>you are missing the apikey.&nbsp; I use -d in the below because you don't need a <CODE>multipart/form-data request, but -F will work also.</CODE></P><P></P><P></P><P>KEY=xxx</P><P><SPAN>$ curl -i -d "apikey=$KEY" -d device_id=00xxx -d report_id=247406568 </SPAN><A class="jive-link-external-small" href="https://wildfire.paloaltonetworks.com/publicapi/report">https://wildfire.paloaltonetworks.com/publicapi/report</A></P><P>HTTP/1.1 200 OK</P><P>Server: nginx/1.0.9</P><P>Date: Sat, 13 Jul 2013 00:23:43 GMT</P><P>Content-Type: text/xml; charset=utf-8</P><P>Transfer-Encoding: chunked</P><P>Connection: keep-alive</P><P>X-Powered-By: PHP/5.3.6</P><P></P><P></P><P></P><P></P><P></P><P></P><P>&lt;wildfire&gt; </P><P>&lt;report&gt;</P><P>&nbsp; &lt;version&gt;0.1&lt;/version&gt;</P><P>&nbsp; &lt;task&gt;353397118&lt;/task&gt;</P><P>&nbsp; &lt;sha256&gt;8122940e894a0dafa2fc75310909d83646dfdea2e30845511c1dc697be7b779c&lt;/sha256&gt;</P><P>&nbsp; &lt;md5&gt;eadf7415867bfaa3dc4c34c1016f6440&lt;/md5&gt;</P><P>&nbsp; &lt;size&gt;707120&lt;/size&gt;</P><P>&nbsp; &lt;malware&gt;yes&lt;/malware&gt;</P></BODY></HTML> Sat, 13 Jul 2013 00:32:53 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/wildfire-event-through-the-rest-api/m-p/45286#M1040 ksteves1 2013-07-13T00:32:53Z https://live.paloaltonetworks.com/t5/automation-api-discussions/wildfire-event-through-the-rest-api/m-p/45287#M1041 <HTML><HEAD></HEAD><BODY><P>It worked as expected!</P><P></P><P>Thank you,</P><P>Takahiro</P></BODY></HTML> Sat, 13 Jul 2013 01:29:51 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/wildfire-event-through-the-rest-api/m-p/45287#M1041 tmyzw 2013-07-13T01:29:51Z