https://live.paloaltonetworks.com/t5/automation-api-discussions/wildfire-api-malware-hashes/m-p/217023#M1687 <P>Thanks for the options.&nbsp; I forgot about API and will go that route as we're still on 7.1 and not yet an AutoFocus subscriber.</P> Thu, 07 Jun 2018 15:45:32 GMT jt1025 2018-06-07T15:45:32Z https://live.paloaltonetworks.com/t5/automation-api-discussions/wildfire-api-malware-hashes/m-p/215779#M1682 <P>I'm trying to get the file hash values for all submissions WildFire deems as malware.&nbsp; Is this possible?&nbsp; From what I've read you have to specify the hash value in the API call but I'd just like a list of all values.</P> Tue, 29 May 2018 20:02:33 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/wildfire-api-malware-hashes/m-p/215779#M1682 jt1025 2018-05-29T20:02:33Z https://live.paloaltonetworks.com/t5/automation-api-discussions/wildfire-api-malware-hashes/m-p/216393#M1684 <P>I don't think you can.&nbsp; The idea of the API is to query for an Ad Hoc verdict not to pull the data for a separate or offline solution.</P><P>&nbsp;</P> Sat, 02 Jun 2018 14:00:07 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/wildfire-api-malware-hashes/m-p/216393#M1684 pulukas 2018-06-02T14:00:07Z https://live.paloaltonetworks.com/t5/automation-api-discussions/wildfire-api-malware-hashes/m-p/216931#M1686 <P>As <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9524">@pulukas</a> said, you can't do this with the WildFire API, but there are a couple other solutions:</P> <P>&nbsp;</P> <P>1. The sha256 hashes are available on the Firewalls/Panorama.&nbsp; They can output via syslog or webhook as they happen, or you can query them via the PAN-OS API.</P> <P><A href="https://www.paloaltonetworks.com/documentation/81/pan-os/xml-api/pan-os-xml-api-request-types/retrieve-logs-api#id9888056f-a9b3-4b36-8033-a8bd5f5ce0bd" target="_blank">https://www.paloaltonetworks.com/documentation/81/pan-os/xml-api/pan-os-xml-api-request-types/retrieve-logs-api#id9888056f-a9b3-4b36-8033-a8bd5f5ce0bd</A></P> <P>&nbsp;</P> <P>2. AutoFocus subscribers can get a list of hashes via the AutoFocus API.&nbsp; Here's an example request for hashes of all 'private' malware samples, which means all samples submitted by your organization to WildFire:</P> <P><A href="https://www.paloaltonetworks.com/documentation/autofocus/autofocus/autofocus_api/perform-autofocus-searches/search-samples-and-sessions" target="_blank">https://www.paloaltonetworks.com/documentation/autofocus/autofocus/autofocus_api/perform-autofocus-searches/search-samples-and-sessions</A></P> <P>&nbsp;</P> <P>And an example result showing the sha256, md5, and sha1 hashes of one of the samples returned:</P> <P><A href="https://www.paloaltonetworks.com/documentation/autofocus/autofocus/autofocus_api/perform-autofocus-searches/view-search-results" target="_blank">https://www.paloaltonetworks.com/documentation/autofocus/autofocus/autofocus_api/perform-autofocus-searches/view-search-results</A></P> Thu, 07 Jun 2018 03:10:27 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/wildfire-api-malware-hashes/m-p/216931#M1686 btorresgil 2018-06-07T03:10:27Z https://live.paloaltonetworks.com/t5/automation-api-discussions/wildfire-api-malware-hashes/m-p/217023#M1687 <P>Thanks for the options.&nbsp; I forgot about API and will go that route as we're still on 7.1 and not yet an AutoFocus subscriber.</P> Thu, 07 Jun 2018 15:45:32 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/wildfire-api-malware-hashes/m-p/217023#M1687 jt1025 2018-06-07T15:45:32Z