//
you're reading...
IT & TECHNOLOGY, Palo Alto Networks

Step-By-Step: Using AutoFocus API and Postman for Automation


PANW-New-Logo-3

One of the important components baked into the Palo Alto Networks next-generation security platform is our API. You can use our API to interact with and automate the various components of our platform, such as bulk searches, push and pull configurations, leveraging third-party applications and services, and more.

In this post, I’ll explain, step-by-step, how to use our API with AutoFocus utilizing the Postman app. Postman is a useful development and testing client for REST API, creating complex HTTP requests and giving you the ability to interact with the API as it presents a friendly GUI for constructing requests and for reading responses. We’ll be using this application to demonstrate Palo Alto Networks AutoFocus API capabilities.

Prerequisites

Before you can start using the AutoFocus API, there are a few steps needed to ensure things run smoothly:

  • Make sure you have portal access credentials to AutoFocus (Contact your Palo Alto Networks representative or partner if you’d like to purchase or trial AutoFocus)
  • Get your API Key (use the API Key process to obtain one)
  • Get familiarized with the AutoFocus portal and read our AutoFocus Administrator’s Guide
  • Brush up on your knowledge of web service APIs, HTTP, and JSON.
  • Install the Postman app

NOTE: Take the following steps if you already have access to the AutoFocus portal and want to retrieve your API Key:

autofocus api 1

Making your API Call

In this example, we want to find all the Dridex instances in our network that WildFire convicted as malware and where the destination files are the United States. We want those results in JSON format so we can use this data any way we want: parse it, use parts of it, export it to third-party-services or applications, or integrate the information into the SOC.

Many of the resources in the AutoFocus API require API calls to two resources. The first call is to initiate a search and the next is to check for the results of that search. Take the following steps to configure the Postman Application.

Step 1: Configuring the search query

As mentioned before, you need to craft two API calls to two different resources. The first call is the query itself to pull the data and the second one is to fetch and present the results. Both calls use the POST method. Crafting the AutoFocus query itself can get complicated depending on the query you want to design.

The best way to create your own query is to use the AutoFocus search option and then export the query into a file using the following process:

  • Log in to the AutoFocus portal
  • Create the query as described

autofocus api 2

  • Use the export option to export your search

autofocus api 3

  • You can then copy the search or save it to a file and use it later when you need it

autofocus api 4

As a side note, the same rule applies when you want to create an API call using a shell/python script using the CLI instead of the Postman Application.

For the first call:

  • Configure Postman POST method to communicate to:https://autofocus.paloaltonetworks.com/api/v1.0/samples/search/
  • Choose the “raw” option under the “Body” tab
  • Select the JSON (application/json) output
  • In the query field, use the API Key you copied into the “apiKey”: “XXXXX”
  • Type in the query and click the “Send” button

autofocus api 5

  • If everything went well and the apiKey value you have entered is correct, you will get the query result values in the results window.
  • The specific value you need to look for is the af_cookie. Once you find it, copy the value.
  • The af_cookie expires 120 seconds after the search results are complete (when af_complete_percentage is 100) or after you view completed search results.

autofocus api 6

Step 2: Viewing the Results

To view the results and retrieve the af_cookie, you need to configure Postman to perform the second POST method and point it to the results link.

autofocus api 7

You should be able to view the output in the results/output window at the bottom of the Postman Application.

autofocus api 8

Then copy and search the results you pulled from AutoFocus. You can also save the output to a file and perform regular expression and parsing as needed, export the data, etc…

Conclusion

This was just one example of the different ways you can leverage and use the AutoFocus API to perform automation and link between various third-party-tools and streamline your threat

intelligence analysis, perform bulk searches, import and export queries, leverage IOC, and so on. AutoFocus is a powerful tool for performing threat intelligence, leveraging the rich data Wildfire provides and shortening the analysis time needed to reach a quicker resolution and root cause analysis. By adding the power of the API, you achieve integration and automation between the Palo Alto Networks platform and your existing infrastructure, further streamlining analysis and getting the results you need, quickly and easily.

For more information, visit the AutoFocus API website to find different examples, configurations, prerequisites, rate limits, and other resources.

[Palo Alto Networks Blog]

About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.

Discussion

No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Web Stats

  • 115,116 hits
@PhilipHungCao

@PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.

Personal Links

View Full Profile →

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 2,068 other followers

Twitter Updates

Archives

January 2016
M T W T F S S
« Dec   Feb »
 123
45678910
11121314151617
18192021222324
25262728293031
%d bloggers like this: