WildFire API

A cloud-based API for submitting files, URLs, and links for advanced malware analysis in the WildFire sandbox environment. The API returns threat verdicts (benign, malware, grayware, phishing) and detailed analysis reports including behavioral indicators, network activity, and file artifacts. Supports file submission via multipart form upload, verdict queries by hash (MD5, SHA-256), and retrieval of PCAP files and detailed analysis reports.

Schemas & Data

JSONSchema: https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/wildfire-api-analysis-report-schema.json
JSONSchema: https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/wildfire-api-bulk-verdict-response-schema.json
JSONSchema: https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/wildfire-api-sandbox-report-schema.json
JSONSchema: https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/wildfire-api-submit-response-schema.json
JSONSchema: https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/wildfire-api-verdict-response-schema.json
JSONStructure: https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/wildfire-api-analysis-report-structure.json
JSONStructure: https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/wildfire-api-bulk-verdict-response-structure.json
JSONStructure: https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/wildfire-api-sandbox-report-structure.json
JSONStructure: https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/wildfire-api-submit-response-structure.json
JSONStructure: https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/wildfire-api-verdict-response-structure.json

Other Resources

OpenAPI Specification

palo-alto-wildfire-api-openapi-original.yml
openapi: 3.1.0
info:
  title: Palo Alto Networks WildFire API
  description: >-
    Cloud-based REST API for submitting files, URLs, and links to the Palo Alto
    Networks WildFire sandbox for advanced malware analysis. WildFire executes
    submitted samples in a safe, isolated environment and returns threat verdicts
    (benign, malware, grayware, phishing) along with detailed behavioral
    analysis reports. The API supports file submission via multipart form
    upload, verdict queries by file hash (MD5 or SHA-256), bulk verdict
    lookups, and retrieval of PCAP network captures and full analysis reports
    in XML or PDF format. Authentication uses an API key passed as a form
    field in every POST request body.
  version: '1.0'
  contact:
    name: Palo Alto Networks Developer Support
    url: https://pan.dev/wildfire/
  license:
    name: Proprietary
    url: https://www.paloaltonetworks.com/legal
servers:
- url: https://wildfire.paloaltonetworks.com/publicapi
  description: WildFire global cloud (US).
- url: https://wildfire.{region}.paloaltonetworks.com/publicapi
  description: WildFire regional cloud endpoint.
  variables:
    region:
      description: Regional deployment (e.g., eu, jp).
      default: eu
tags:
- name: Report
  description: Retrieve detailed analysis reports and supporting files.
- name: Submit
  description: File, URL, and link submission for malware analysis.
- name: Verdict
  description: Retrieve analysis verdicts by file hash.
paths:
  /submit/file:
    post:
      operationId: submitFile
      summary: Palo Alto Networks Submit File for Analysis
      description: >-
        Submits a file to WildFire for malware analysis. The file is executed
        in an isolated sandbox environment and analyzed for malicious behavior.
        Supported file types include PE executables, DLLs, Office documents,
        PDFs, APKs, and scripts. Returns a SHA-256 hash and upload status.
        Poll /get/verdict for the analysis result.
      tags:
      - Submit
      requestBody:
        required: true
        content:
          multipart/form-data:
            schema:
              type: object
              required:
              - apikey
              - file
              properties:
                apikey:
                  type: string
                  description: WildFire API key for authentication.
                file:
                  type: string
                  format: binary
                  description: The file to submit for analysis (max 100 MB).
            examples:
              SubmitFileRequestExample:
                summary: Default submitFile request
                x-microcks-default: true
                value:
                  apikey: example-apikey
                  file: example-file
      responses:
        '200':
          description: File submitted successfully.
          content:
            application/xml:
              schema:
                $ref: '#/components/schemas/SubmitResponse'
              examples:
                SubmitFile200Example:
                  summary: Default submitFile 200 response
                  x-microcks-default: true
                  value:
                    upload-file-info: &id001
                      filename: Primary Firewall 60
                      filetype: standard
                      fileurl: example-fileurl
                      md5: e80837f90fb511c2a14570a6acc47263
                      sha256: b4ed4912613bb347504a26b57f498c5ea2364a7174f06253e7336aeac148a038
                      size: 806
                      url: https://mail.acme-systems.org/3910a3
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /submit/url:
    post:
      operationId: submitUrl
      summary: Palo Alto Networks Submit URL for Analysis
      description: >-
        Submits a URL to WildFire for phishing and malware analysis. WildFire
        visits the URL in an isolated browser environment and analyzes the
        page content and any downloaded files for malicious behavior.
      tags:
      - Submit
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
              - apikey
              - url
              properties:
                apikey:
                  type: string
                  description: WildFire API key for authentication.
                url:
                  type: string
                  description: URL to submit for analysis (must be a valid HTTP or HTTPS URL).
            examples:
              SubmitUrlRequestExample:
                summary: Default submitUrl request
                x-microcks-default: true
                value:
                  apikey: example-apikey
                  url: https://mail.example.com/063e82
      responses:
        '200':
          description: URL submitted successfully.
          content:
            application/xml:
              schema:
                $ref: '#/components/schemas/SubmitResponse'
              examples:
                SubmitUrl200Example:
                  summary: Default submitUrl 200 response
                  x-microcks-default: true
                  value:
                    upload-file-info: *id001
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /submit/link:
    post:
      operationId: submitLink
      summary: Palo Alto Networks Submit Link for Analysis
      description: >-
        Submits a hyperlink for WildFire analysis. Similar to URL submission
        but intended for links extracted from email bodies or documents.
      tags:
      - Submit
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
              - apikey
              - link
              properties:
                apikey:
                  type: string
                  description: WildFire API key for authentication.
                link:
                  type: string
                  description: Link to submit for analysis.
            examples:
              SubmitLinkRequestExample:
                summary: Default submitLink request
                x-microcks-default: true
                value:
                  apikey: example-apikey
                  link: https://portal.acme-systems.org/87b216
      responses:
        '200':
          description: Link submitted successfully.
          content:
            application/xml:
              schema:
                $ref: '#/components/schemas/SubmitResponse'
              examples:
                SubmitLink200Example:
                  summary: Default submitLink 200 response
                  x-microcks-default: true
                  value:
                    upload-file-info: *id001
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /get/verdict:
    post:
      operationId: getVerdict
      summary: Palo Alto Networks Get Verdict by Hash
      description: >-
        Retrieves the WildFire analysis verdict for a file identified by its
        MD5 or SHA-256 hash. Verdicts are: 0 (benign), 1 (malware), 2 (grayware),
        4 (phishing), -100 (pending analysis), -101 (error), -102 (unknown),
        -103 (invalid hash).
      tags:
      - Verdict
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
              - apikey
              - hash
              properties:
                apikey:
                  type: string
                  description: WildFire API key for authentication.
                hash:
                  type: string
                  description: MD5 or SHA-256 hash of the file to query.
            examples:
              GetVerdictRequestExample:
                summary: Default getVerdict request
                x-microcks-default: true
                value:
                  apikey: example-apikey
                  hash: example-hash
      responses:
        '200':
          description: Verdict returned successfully.
          content:
            application/xml:
              schema:
                $ref: '#/components/schemas/VerdictResponse'
              examples:
                GetVerdict200Example:
                  summary: Default getVerdict 200 response
                  x-microcks-default: true
                  value:
                    get-verdict-info: &id002
                      md5: 38498da0e6edd44b63ec5776e3ac4349
                      sha256: 48a8bc75aef249c015423b2e6abe7c31f9432715b65e0b0310e65f34d6b5d3ca
                      verdict: -101
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /get/verdicts:
    post:
      operationId: getBulkVerdicts
      summary: Palo Alto Networks Get Bulk Verdicts
      description: >-
        Retrieves WildFire analysis verdicts for multiple files in a single
        request. Submit an array of MD5 or SHA-256 hashes to query up to 500
        verdicts simultaneously.
      tags:
      - Verdict
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
              - apikey
              - hash
              properties:
                apikey:
                  type: string
                  description: WildFire API key for authentication.
                hash:
                  type: array
                  items:
                    type: string
                  description: Array of MD5 or SHA-256 hashes to query (max 500).
            examples:
              GetBulkVerdictsRequestExample:
                summary: Default getBulkVerdicts request
                x-microcks-default: true
                value:
                  apikey: example-apikey
                  hash:
                  - example-hash_item
                  - example-hash_item
      responses:
        '200':
          description: Bulk verdicts returned successfully.
          content:
            application/xml:
              schema:
                $ref: '#/components/schemas/BulkVerdictResponse'
              examples:
                GetBulkVerdicts200Example:
                  summary: Default getBulkVerdicts 200 response
                  x-microcks-default: true
                  value:
                    get-verdicts-info: &id003
                      entry:
                      - md5: 97ccdf884551f2ecf8abc10da662652d
                        sha256: 47d2198514583bc897bb7b8ae089187d336a6de865b6d6ad0e943777abbe85af
                        verdict: 1
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /get/report:
    post:
      operationId: getReport
      summary: Palo Alto Networks Get Analysis Report
      description: >-
        Retrieves the full WildFire analysis report for a sample identified
        by its MD5 or SHA-256 hash. Reports include behavioral analysis,
        network activity, file system changes, registry modifications, and
        process information. Reports are available in XML or PDF format.
      tags:
      - Report
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
              - apikey
              - hash
              - format
              properties:
                apikey:
                  type: string
                  description: WildFire API key for authentication.
                hash:
                  type: string
                  description: MD5 or SHA-256 hash of the analyzed sample.
                format:
                  type: string
                  enum:
                  - xml
                  - pdf
                  description: Report output format.
                type:
                  type: string
                  description: >-
                    Hash type. If omitted, WildFire auto-detects based on
                    hash length.
                  enum:
                  - md5
                  - sha256
            examples:
              GetReportRequestExample:
                summary: Default getReport request
                x-microcks-default: true
                value:
                  apikey: example-apikey
                  hash: example-hash
                  format: pdf
                  type: sha256
      responses:
        '200':
          description: Analysis report returned successfully.
          content:
            application/xml:
              schema:
                $ref: '#/components/schemas/AnalysisReport'
              examples:
                GetReport200Example:
                  summary: Default getReport 200 response
                  x-microcks-default: true
                  value:
                    wildfire: &id004
                      version: 2.3.1
                      file_info:
                        file_stype: standard
                        size: 531
                        md5: fe002567a9904394d4ceafd8a4fb3f00
                        sha256: 59258b8b3904457b736c4ebf1128de54a88068379c519afe5c7cae56cb75cd1e
                        create_time: '2025-07-04T20:04:29Z'
                      task_info:
                        report: example-report
            application/pdf:
              schema:
                type: string
                format: binary
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /get/sample:
    post:
      operationId: getSample
      summary: Palo Alto Networks Download Sample
      description: >-
        Downloads the original sample file identified by its hash. Only
        available for samples where the verdict is malware or grayware.
        Requires an API key with sample download permissions.
      tags:
      - Report
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
              - apikey
              - hash
              properties:
                apikey:
                  type: string
                  description: WildFire API key with sample download permissions.
                hash:
                  type: string
                  description: MD5 or SHA-256 hash of the sample to download.
                type:
                  type: string
                  enum:
                  - md5
                  - sha256
            examples:
              GetSampleRequestExample:
                summary: Default getSample request
                x-microcks-default: true
                value:
                  apikey: example-apikey
                  hash: example-hash
                  type: md5
      responses:
        '200':
          description: Sample file returned successfully.
          content:
            application/octet-stream:
              schema:
                type: string
                format: binary
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /get/pcap:
    post:
      operationId: getPcap
      summary: Palo Alto Networks Get PCAP File
      description: >-
        Downloads the network packet capture (PCAP) file recorded during
        sandbox analysis of the specified sample. PCAP files contain the
        network traffic generated by the malware during detonation.
      tags:
      - Report
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
              - apikey
              - hash
              - platform
              properties:
                apikey:
                  type: string
                  description: WildFire API key for authentication.
                hash:
                  type: string
                  description: MD5 or SHA-256 hash of the analyzed sample.
                type:
                  type: string
                  enum:
                  - md5
                  - sha256
                platform:
                  type: string
                  description: >-
                    Analysis platform identifier (e.g., 100 for Windows XP,
                    200 for Windows 7, 400 for Android).
            examples:
              GetPcapRequestExample:
                summary: Default getPcap request
                x-microcks-default: true
                value:
                  apikey: example-apikey
                  hash: example-hash
                  type: md5
                  platform: example-platform
      responses:
        '200':
          description: PCAP file returned successfully.
          content:
            application/octet-stream:
              schema:
                type: string
                format: binary
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
components:
  responses:
    BadRequest:
      description: Malformed request, missing required parameters, or invalid API key format.
      content:
        application/xml:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    Unauthorized:
      description: Missing API key or API key is invalid.
      content:
        application/xml:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    Forbidden:
      description: >-
        Valid API key but insufficient permissions for the requested operation
        (e.g., sample download requires elevated permissions).
      content:
        application/xml:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    NotFound:
      description: No analysis result found for the specified hash.
      content:
        application/xml:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    InternalServerError:
      description: An internal server error occurred.
      content:
        application/xml:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
  schemas:
    SubmitResponse:
      type: object
      description: Response returned after successfully submitting a file, URL, or link.
      properties:
        upload-file-info:
          type: object
          properties:
            filename:
              type: string
              description: Original filename of the submitted file.
              example: Staging Agent 09
            filetype:
              type: string
              description: Detected file type.
              example: advanced
            fileurl:
              type: string
              description: URL of the submitted link or URL sample.
              example: example-fileurl
            md5:
              type: string
              description: MD5 hash of the submitted file.
              example: c3b5353b5e324afe11011c986fdff25e
            sha256:
              type: string
              description: SHA-256 hash of the submitted file.
              example: 6e459dbe581619c17119c4b6902f58ba424ef03b271bedcfdbc0431b7912882c
            size:
              type: integer
              description: File size in bytes.
              example: 334
            url:
              type: string
              description: Submitted URL value.
              example: https://login.example.com/8d2a5c
          example: *id001
    VerdictResponse:
      type: object
      description: WildFire verdict result for a single file hash query.
      properties:
        get-verdict-info:
          type: object
          properties:
            md5:
              type: string
              description: MD5 hash of the queried file.
              example: 629a220afeea672abcc2e391ea07b26d
            sha256:
              type: string
              description: SHA-256 hash of the queried file.
              example: 365d23a6a81b4ff0b6ea99f59667be72b252544284c549fc165bc04b9be441be
            verdict:
              type: integer
              description: >-
                Verdict code: 0 (benign), 1 (malware), 2 (grayware),
                4 (phishing), -100 (pending), -101 (error), -102 (unknown),
                -103 (invalid hash).
              enum:
              - 0
              - 1
              - 2
              - 4
              - -100
              - -101
              - -102
              - -103
              example: 2
          example: *id002
    BulkVerdictResponse:
      type: object
      description: WildFire bulk verdict results for multiple hash queries.
      properties:
        get-verdicts-info:
          type: object
          properties:
            entry:
              type: array
              items:
                type: object
                properties:
                  md5:
                    type: string
                    example: e508ea95575f45e7ba5e47b556d7a241
                  sha256:
                    type: string
                    example: 328888a8b561894deaaba0fb4e0abda175b02cafd71320b2b72d18c59139fd86
                  verdict:
                    type: integer
                    example: 0
              example:
              - md5: 36e5049a68495c51691a114c9087a07e
                sha256: c8899b756e0d13dd355342c97737825750fdb64903f4770725334e4991c4dc23
                verdict: 2
          example: *id003
    AnalysisReport:
      type: object
      description: >-
        Detailed WildFire analysis report including behavioral analysis,
        network activity, and system changes observed during sandbox execution.
      properties:
        wildfire:
          type: object
          properties:
            version:
              type: string
              example: 7.4.8
            file_info:
              type: object
              properties:
                file_stype:
                  type: string
                  example: standard
                size:
                  type: integer
                  example: 922
                md5:
                  type: string
                  example: db68a8bb1f10612a7b71092b35e4a545
                sha256:
                  type: string
                  example: 51031294c848b48ea0dc621ed7f3a86a61174866d4df7f6f379875b2415e918c
                create_time:
                  type: string
                  format: date-time
                  example: '2025-09-02T12:12:51Z'
              example:
                file_stype: standard
                size: 897
                md5: cb973a5cae8352a4a0e24ef1084a3b40
                sha256: 33e4e05c75f8845fc07508f405087c2628fafecb25faffccdd91728a00239652
                create_time: '2024-11-03T13:49:56Z'
            task_info:
              type: object
              properties:
                report:
                  oneOf:
                  - $ref: '#/components/schemas/SandboxReport'
                  - type: array
                    items:
                      $ref: '#/components/schemas/SandboxReport'
                  example: example-report
              example:
                report: example-report
          example: *id004
    SandboxReport:
      type: object
      description: Analysis results from a single sandbox execution environment.
      properties:
        platform:
          type: string
          description: Platform identifier (e.g., 100 for Windows XP SP3).
          example: example-platform
        software:
          type: string
          description: Sandbox software environment.
          example: example-software
        version:
          type: string
          example: 10.9.8
        summary:
          type: object
          properties:
            '@verdict':
              type: string
              enum:
              - benign
              - malware
              - grayware
              - phishing
              example: grayware
          example:
            '@verdict': grayware
        network:
          type: object
          properties:
            dns:
              type: array
              items:
                type: object
                properties:
                  '@query':
                    type: string
                    example: example-@query
                  '@response':
                    type: string
                    example: example-@response
              example:
              - '@query': example-@query
                '@response': example-@response
            tcp:
              type: array
              items:
                type: object
                properties:
                  '@ip':
                    type: string
                    example: example-@ip
                  '@port':
                    type: integer
                    example: 344
                  '@country':
                    type: string
                    example: JP
              example:
              - '@ip': example-@ip
                '@port': 823
                '@country': DE
              - '@ip': example-@ip
                '@port': 728
                '@country': JP
            http:
              type: array
              items:
                type: object
                properties:
                  '@request':
                    type: string
                    example: example-@request
                  '@response':
                    type: string
                    example: example-@response
              example:
              - '@request': example-@request
                '@response': example-@response
              - '@request': example-@request
                '@response': example-@response
          example:
            dns:
            - '@query': example-@query
              '@response': example-@response
            tcp:
            - '@ip': example-@ip
              '@port': 719
              '@country': JP
            http:
            - '@request': example-@request
              '@response': example-@response
        process_list:
          type: object
          properties:
            process:
              type: array
              items:
                type: object
                properties:
                  '@name':
                    type: string
                    example: Corporate Sensor 01
                  '@pid':
                    type: string
                    example: '394815'
                  '@text':
                    type: string
                    example: example-@text
              example:
              - '@name': Branch Agent 68
                '@pid': '593743'
                '@text': example-@text
              - '@name': Primary Agent 67
                '@pid': '145182'
                '@text': example-@text
          example:
            process:
            - '@name': Branch Policy 87
              '@pid': '603246'
              '@text': example-@text
    ErrorResponse:
      type: object
      description: Error response returned when a request fails.
      properties:
        error:
          type: object
          properties:
            error-message:
              type: string
              description: Human-readable error message.
              example: example-error-message
          example:
            error-message: example-error-message
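
Added example (not part of the specification or of any Palo Alto Networks code): a client-side helper that validates hashes before a lookup, splits them to the 500-hash limit of /get/verdicts, and interprets the verdict codes listed for getVerdict. The XML bodies are constructed; the element names are assumed to follow the schema property names under a `<wildfire>` root, and the `triage` policy is illustrative.

```python
import re
import xml.etree.ElementTree as ET

# Verdict codes exactly as listed in the spec's getVerdict description.
VERDICTS = {
    0: "benign", 1: "malware", 2: "grayware", 4: "phishing",
    -100: "pending", -101: "error", -102: "unknown", -103: "invalid hash",
}
MAX_BULK = 500  # /get/verdicts accepts at most 500 hashes per request
_HASH_RE = re.compile(r"(?:[0-9a-f]{32}|[0-9a-f]{64})")


def normalize_hash(value):
    """Return a lowercase MD5 (32 hex) or SHA-256 (64 hex) digest, or raise."""
    candidate = value.strip().lower()
    if not _HASH_RE.fullmatch(candidate):
        raise ValueError(f"not an MD5 or SHA-256 hex digest: {value!r}")
    return candidate


def bulk_batches(hashes):
    """Validate, de-duplicate (keeping order) and split into <=500-hash batches."""
    unique = list(dict.fromkeys(normalize_hash(h) for h in hashes))
    return [unique[i:i + MAX_BULK] for i in range(0, len(unique), MAX_BULK)]


def triage(code):
    """Illustrative handling policy (an assumption, not defined by the API)."""
    if code == 0:
        return "allow"
    if code in (1, 4):
        return "block"
    if code == 2:
        return "review"
    if code == -100:
        return "poll-again"      # analysis still running
    if code == -102:
        return "submit-sample"   # 'unknown': assumed to mean no record for this hash
    # -101, -103 and any code outside the documented set: never treat as benign.
    return "investigate"


def parse_verdicts(xml_text):
    """Parse a single or bulk verdict response body into a list of dicts."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD or entity declaration in response")
    root = ET.fromstring(xml_text)
    error = next(root.iter("error-message"), None)
    if error is not None:
        raise RuntimeError(f"API error: {(error.text or '').strip()}")
    results = []
    for node in root.iter():
        if node.tag not in ("entry", "get-verdict-info"):
            continue
        try:
            code = int((node.findtext("verdict") or "").strip())
        except ValueError:
            code = None  # missing or non-numeric verdict
        results.append({
            "sha256": (node.findtext("sha256") or "").strip().lower(),
            "md5": (node.findtext("md5") or "").strip().lower(),
            "code": code,
            "label": VERDICTS.get(code, "undocumented"),
            "action": triage(code),
        })
    return results


# Constructed sample bodies (not captured from the service).
H1, H2, H3 = "a" * 64, "b" * 64, "c" * 32
SAMPLE_SINGLE = (
    f"<wildfire><get-verdict-info><sha256>{H1}</sha256><md5>{H3}</md5>"
    "<verdict>-102</verdict></get-verdict-info></wildfire>"
)
SAMPLE_BULK = (
    "<wildfire><get-verdicts-info>"
    f"<entry><sha256>{H1}</sha256><verdict>1</verdict></entry>"
    f"<entry><sha256>{H2}</sha256><verdict>-100</verdict></entry>"
    f"<entry><md5>{H3}</md5><verdict>596</verdict></entry>"
    "</get-verdicts-info></wildfire>"
)
SAMPLE_ERROR = "<error><error-message>Invalid apikey</error-message></error>"

if __name__ == "__main__":
    for result in parse_verdicts(SAMPLE_BULK):
        print(result["sha256"] or result["md5"], result["label"], result["action"])
```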