One of the important components baked into the Palo Alto Networks next-generation security platform is our API. You can use our API to interact with and automate the various components of our platform, such as bulk searches, push and pull configurations, leveraging third-party applications and services, and more.
In this post, I'll explain, step-by-step, how to use our API with AutoFocus using the Postman app. Postman is a development and testing client for REST APIs: it presents a GUI for constructing complex HTTP requests and reading their responses, so you can exercise an API before writing any code against it. We'll be using this application to demonstrate the Palo Alto Networks AutoFocus API capabilities.
Before you can start using the AutoFocus API, there are a few steps needed to ensure things run smoothly:
NOTE: Take the following steps if you already have access to the AutoFocus portal and want to retrieve your API Key:
In this example, we want to find all the Dridex instances in our network that WildFire convicted as malware and where the destination country is the United States. We want those results in JSON format so we can use the data any way we want: parse it, use parts of it, export it to third-party services or applications, or integrate the information into the SOC.
Many searches in the AutoFocus API require calls to two resources. The first call initiates the search and returns an identifier for it; the second checks for, and returns, the results of that search. Take the following steps to configure the Postman application.
As mentioned before, you need to craft two API calls to two different resources. The first call submits the query; the second fetches and presents the results. Both calls use the POST method. Crafting the AutoFocus query itself can get complicated depending on the search you want to design.
The best way to create your own query is to use the AutoFocus search option and then export the query into a file using the following process:
As a side note, the same rule applies when you build the API call from a shell or Python script on the command line instead of in the Postman application: export the query from the AutoFocus search UI rather than writing it by hand.
For the first call:
The response to the first call contains an af_cookie that identifies your search. To view the results, configure Postman to perform the second POST and point it at the results link with that af_cookie appended; if the response shows the search still in progress, repeat the second call until it reports completion.
You should be able to view the output in the results/output window at the bottom of the Postman Application.
From there you can copy and search the JSON returned by AutoFocus, save it to a file for parsing or regular-expression matching as needed, export the data, and so on.
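The two-call flow above, written as a Python script, as an added example that is not code from the original post or from Palo Alto Networks. It uses a pluggable transport so an offline stand-in can replay the exchange (search, one in-progress poll, one complete poll) and so the test can check which URLs were hit. The endpoint paths under /api/v1.0, the `scope` values and the Elasticsearch-style `_source` wrapper around hits are taken from the public AutoFocus v1.0 API documentation rather than from this post, so verify them against the current docs; the `EXAMPLE_QUERY` dict is a constructed placeholder with illustrative field names, standing in for the query you export from the AutoFocus search UI.

```python
"""Two-call AutoFocus sample search: start the search, then poll its results.

Added example, not from the original post. Endpoint paths and response
shapes are assumed from the public AutoFocus v1.0 API documentation.
"""
import json
import os
import time
import urllib.request
from typing import Any, Callable, Dict, List, Tuple

# Assumed from the public API docs; check against the current documentation.
BASE_URL = "https://autofocus.paloaltonetworks.com/api/v1.0"

# Constructed placeholder in the AutoFocus query-JSON shape. In practice replace
# the whole dict with the query exported from the AutoFocus search UI; the field
# names below are illustrative (the destination-country clause belongs here too).
EXAMPLE_QUERY: Dict[str, Any] = {
    "operator": "all",
    "children": [
        {"field": "sample.tag", "operator": "is", "value": "Dridex"},
        {"field": "sample.malware", "operator": "is", "value": 1},
    ],
}

# A transport takes (url, json_body) and returns the decoded JSON reply.
Transport = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def http_post_json(url: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Real transport: POST a JSON body over HTTPS and decode the JSON reply."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def build_search_body(api_key: str, query: Dict[str, Any], scope: str = "private",
                      size: int = 50, start: int = 0) -> Dict[str, Any]:
    """Body of the first call. scope 'private' limits the search to your own samples."""
    return {"apiKey": api_key, "query": query, "scope": scope, "size": size, "from": start}


def results_url(af_cookie: str) -> str:
    """URL of the second call. The cookie is server-supplied, so it is checked before
    being placed in the path rather than trusted to stay within one path segment."""
    if not af_cookie or any(ch in af_cookie for ch in "/?#"):
        raise ValueError("unexpected af_cookie format")
    return f"{BASE_URL}/samples/results/{af_cookie}"


def run_search(api_key: str, query: Dict[str, Any], post: Transport, scope: str = "private",
               poll_interval: float = 2.0, max_polls: int = 30) -> Dict[str, Any]:
    """Issue the search, then poll the results resource until af_in_progress is false."""
    started = post(f"{BASE_URL}/samples/search", build_search_body(api_key, query, scope))
    cookie = started["af_cookie"]
    for _ in range(max_polls):
        page = post(results_url(cookie), {"apiKey": api_key})
        if not page.get("af_in_progress", False):
            return page
        time.sleep(poll_interval)
    raise TimeoutError(f"search {cookie} still in progress after {max_polls} polls")


def summarize(results: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Reduce the results JSON to (sha256, verdict) pairs; '_source' wrapper assumed."""
    out: List[Tuple[str, str]] = []
    for hit in results.get("hits", []):
        src = hit.get("_source", {})
        sha = src.get("sha256") or hit.get("_id", "")
        out.append((sha, "malware" if src.get("malware") == 1 else "other"))
    return out


class FakeAutoFocus:
    """Constructed offline stand-in: the first results poll is still running,
    the second is complete with one Dridex hit. Shapes mirror the documented API."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, Dict[str, Any]]] = []

    def __call__(self, url: str, body: Dict[str, Any]) -> Dict[str, Any]:
        self.calls.append((url, body))
        if url.endswith("/samples/search"):
            return {"af_cookie": "2-a1b2c3d4", "af_in_progress": True}
        if len(self.calls) == 2:
            return {"af_in_progress": True, "af_complete_percentage": 40, "hits": []}
        sha = "aaaa" * 16
        return {"af_in_progress": False, "af_complete_percentage": 100, "total": 1,
                "hits": [{"_id": sha, "_source": {"sha256": sha, "malware": 1, "tag": ["Dridex"]}}]}


def demo() -> Tuple[List[Tuple[str, str]], List[str]]:
    """Run the flow against the fake and return (summary, urls called)."""
    fake = FakeAutoFocus()
    page = run_search("not-a-real-key", EXAMPLE_QUERY, fake, poll_interval=0)
    return summarize(page), [url for url, _ in fake.calls]


if __name__ == "__main__":
    api_key = os.environ.get("AUTOFOCUS_API_KEY")  # keep the key out of the source
    if api_key:
        print(json.dumps(summarize(run_search(api_key, EXAMPLE_QUERY, http_post_json))))
    else:
        print(json.dumps(demo()))
```

The API key is a bearer credential: anyone holding it can run searches as you. Read it from the environment (or a secrets store) as above, and be equally careful with saved Postman collections, which store the request body, key included, in plain text.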
This was just one example of the different ways you can leverage the AutoFocus API to perform automation, link various third-party tools, streamline your threat intelligence analysis, perform bulk searches, import and export queries, leverage IOCs, and so on. AutoFocus is a powerful tool for performing threat intelligence, leveraging the rich data WildFire provides and shortening the analysis time needed to reach a quicker resolution and root cause analysis. By adding the power of the API, you achieve integration and automation between the Palo Alto Networks platform and your existing infrastructure, further streamlining analysis and getting the results you need, quickly and easily.
For more information, visit the AutoFocus API website to find different examples, configurations, prerequisites, rate limits, and other resources.