Additional IP list changes

PaloAltoNetworks · Nov 14, 2023 · 953298d · 953298d
1 parent bd39bbe
commit 953298d
Show file tree

Hide file tree

Showing 8 changed files with 357 additions and 7 deletions.
diff --git a/openapi-specs/threat-vault/ThreatPrevention.yaml b/openapi-specs/threat-vault/ThreatPrevention.yaml
@@ -1500,7 +1500,7 @@ paths:
       operationId: ip_feed
       security:
         - X-API-KEY: [ ]
-      summary: Request IP Feed information through the Threat Vault API
+      summary: Request IP Feed Information
       tags: [Threat Prevention]
       description: |
         A GET request to retrieve the IP feed information by name, IP address or IP address range.
@@ -1674,7 +1674,7 @@ paths:
       operationId: ip_feed_batch
       security:
         - X-API-KEY: []
-      summary: Request IP Feed information through the Threat Vault API in Batch Mode
+      summary: Request IP Feed Information in Batch Mode
       tags: [Threat Prevention]
       description: |
         A POST request to retrieve the IP feed information by IP address. Batch limit is 100 entries.

diff --git a/package.json b/package.json
@@ -23,7 +23,7 @@
     "re-gen": "yarn clean-all && yarn gen-all",
     "getBlogs": "curl -H \"Accept: application/json\" \"https://api.rss2json.com/v1/api.json?rss_url=https%3A%2F%2Fmedium.com%2Ffeed%2Fpalo-alto-networks-developer-blog\" -o src/components/Medium/blogs.json",
     "getHashicorpBlogs": "curl -H \"Accept: application/json\" \"https://api.rss2json.com/v1/api.json?rss_url=https%3A%2F%2Fwww.hashicorp.com%2Fblog%2Fproducts%2Fterraform%2Ffeed.xml\" -o src/components/ProductLandingPage/Feeds/feeds.json",
-    "start:netsec": "cross-env PRODUCTS_INCLUDE=cdss,threat-vault,dns-security,iot,expedition,cloudngfw,cdl,panos,terraform,ansible,splunk,aiops-ngfw yarn start",
+    "start:netsec": "cross-env PRODUCTS_INCLUDE=cdss,threat-vault,dns-security,iot,expedition,cloudngfw,cdl,panos,terraform,ansible,splunk,aiops-ngfw-bpa yarn start",
     "start:splunk": "cross-env PRODUCTS_INCLUDE=panos,terraform,ansible,splunk yarn start",
     "start:sase": "cross-env PRODUCTS_INCLUDE=sase,access,sdwan yarn start",
     "start:cloud": "cross-env PRODUCTS_INCLUDE=prisma-cloud,compute yarn start",

diff --git a/products/cdss/docs/release-notes/changelog.md b/products/cdss/docs/release-notes/changelog.md
@@ -15,3 +15,4 @@ keywords:
 | August 08, 2022 | First public release of the Threat Vault API for Threat Prevention and Advanced Threat Prevention subscription holders. |
 | August 23, 2022 | First public `BETA` release of the DNS Security API for DNS Security subscription holders. |
 | April 23, 2023 | The Threat Vault API now supports retrieval of [predefined EDL](https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/built-in-edls.html) ([external dynamic list](https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list.html)) content. |
+| November 01, 2023 | The Threat Vault API now supports retrieval of [IP Feed Information](/threat-vault/api/ip-feed/) and [IP Feed Information in Batch Mode](/threat-vault/api/ip-feed-batch/). |
diff --git a/products/cdss/docs/release-notes/release-notes.md b/products/cdss/docs/release-notes/release-notes.md
@@ -14,7 +14,7 @@ These release notes highlight API changes made for the various CDSS (Cloud-Deliv
 
 In addition, you can refer to the TechDocs [product documentation](https://docs.paloaltonetworks.com/cdss) for release information about non-API feature enhancements:
 
-See also the [change log](/cdss/docs/release-notes/changelog) for information on all changes to this API documentation, some of which have
+See also the [change log](../../cdss/docs/release-notes/changelog) for information on all changes to this API documentation, some of which have
 occurred in between API product releases.
 
 ## August 2022

diff --git a/products/cdss/sidebars.js b/products/cdss/sidebars.js
@@ -94,6 +94,14 @@ module.exports = {
               type: "doc",
               id: "threat-vault/docs/examples/get-content-release-notes",
             },
+            {
+              type: "doc",
+              id: "threat-vault/docs/examples/get-ip-feed-information",
+            },
+            {
+              type: "doc",
+              id: "threat-vault/docs/examples/get-ip-feed-batch-mode",
+            },
           ],
         },
         {

diff --git a/products/threat-vault/docs/examples/get-ip-feed-batch-mode.mdx b/products/threat-vault/docs/examples/get-ip-feed-batch-mode.mdx
@@ -0,0 +1,80 @@
+---
+id: get-ip-feed-batch-mode
+title: Request IP Feed Information in Batch Mode
+description: Threat Vault API example showing how to request IP feed information using the IP address, IP address range, or the name of the feed in batch mode.
+hide_title: false
+hide_table_of_contents: false
+keywords:
+  - security subscription
+---
+
+The API Reference information for retrieving IP feed information can be found
+[here](/threat-vault/api/ip-feed-batch/).
+
+## Overview
+
+The Threat Vault API can be used to request IP feed information in batch mode. Consider the following examples:
+
+Keep a few things in mind when formatting your API query:
+
+1. All the query strings in Get requests must be a URL-Encoded parameter string. If you use a space in the URL-Encoded request, you must include either a plus sign (+) or %20 to replace the space.
+2. You can specify the content type of the request body and response by specifying the Content-Type header. Some responses generate an HTTP response in addition to a JSON object.
+3. Do not embed API keys in code or application source tree files. This can inadvertently expose the API key. Instead, consider storing the API key in environmental variables or files that are excluded from your application source tree files.
+
+## Example 1: A POST request to retrieve the IP feed information based on a list of IP addresses:
+
+```shell-session
+curl -X POST -d '{"ipaddr": ["1.33.230.137", "1.117.154.185", "1.117.180.42"]}' 'https://api.threatvault.paloaltonetworks.com/service/v1/ip-feed' \
+    -H 'X-API-KEY: API_KEY' \
+    -H 'Content-Type: application/json'
+```
+
+A successful API call returns, within the contents section, `status="success"` along with the IP feed results.
+
+```json
+{
+    "success": true,
+    "link": {
+        "next": null,
+        "previous": null
+    },
+    "count": 3,
+    "data": [
+        {
+            "ipaddr": "1.33.230.137",
+            "name": "Malicious IP Feed",
+            "status": "released",
+            "release": {
+                "first_release_version": "3327",
+                "first_release_time": "2020-04-22T20:38:31Z"
+            },
+            "geo": "JP (Japan)",
+            "asn": "2514 (INFOSPHERE NTT PC Communications, Inc., JP)"
+        },
+        {
+            "ipaddr": "1.117.154.185",
+            "name": "Malicious IP Feed",
+            "status": "released",
+            "release": {
+                "first_release_version": "4090",
+                "first_release_time": "2022-05-21T21:43:42Z"
+            },
+            "geo": "CN (China)",
+            "asn": "45090 (TENCENT-NET-AP Shenzhen Tencent Computer Systems Company Limited, CN)"
+        },
+        {
+            "ipaddr": "1.117.180.42",
+            "name": "Malicious IP Feed",
+            "status": "released",
+            "release": {
+                "first_release_version": "3888",
+                "first_release_time": "2021-11-02T00:53:22Z"
+            },
+            "geo": "CN (China)",
+            "asn": "45090 (TENCENT-NET-AP Shenzhen Tencent Computer Systems Company Limited, CN)"
+        }
+    ],
+    "message": "Successful"
+}
+```
+
diff --git a/products/threat-vault/docs/examples/get-ip-feed-information.mdx b/products/threat-vault/docs/examples/get-ip-feed-information.mdx
@@ -0,0 +1,239 @@
+---
+id: get-ip-feed-information
+title: Request IP Feed Information
+description: Threat Vault API example showing how to request IP feed information using the IP address, IP address range, or the name of the feed.
+hide_title: false
+hide_table_of_contents: false
+keywords:
+  - security subscription
+---
+
+The API Reference information for retrieving IP feed information can be found
+[here](/threat-vault/api/ip-feed/).
+
+## Overview
+
+The Threat Vault API can be used to request IP feed information. Consider the following examples:
+
+Keep a few things in mind when formatting your API query:
+
+1. All the query strings in Get requests must be a URL-Encoded parameter string. If you use a space in the URL-Encoded request, you must include either a plus sign (+) or %20 to replace the space.
+2. You can specify the content type of the request body and response by specifying the Content-Type header. Some responses generate an HTTP response in addition to a JSON object.
+3. Do not embed API keys in code or application source tree files. This can inadvertently expose the API key. Instead, consider storing the API key in environmental variables or files that are excluded from your application source tree files.
+
+## Example 1: Request information about the specific IP feed name that is present in the Threat Intelligence database while limiting the maximum number of results to three:
+
+```shell-session
+curl -H 'X-API-KEY: API_KEY' 'https://api.threatvault.paloaltonetworks.com/service/v1/ip-feed?name=malicious&limit=3'
+```
+
+A successful API call returns, within the contents section, `status="success"` along with the IP feed results.
+
+```json
+{
+    "success": true,
+    "link": {
+        "next": "https://api.threatvault.paloaltonetworks.com/service/v1/ip-feed?name=malicious&limit=3&offset=3",
+        "previous": null
+    },
+    "count": 4508,
+    "data": [
+        {
+            "ipaddr": "1.33.230.137",
+            "name": "Malicious IP Feed",
+            "status": "released",
+            "release": {
+                "first_release_version": "3327",
+                "first_release_time": "2020-04-22T20:38:31Z"
+            },
+            "geo": "JP (Japan)",
+            "asn": "2514 (INFOSPHERE NTT PC Communications, Inc., JP)"
+        },
+        {
+            "ipaddr": "1.117.154.185",
+            "name": "Malicious IP Feed",
+            "status": "released",
+            "release": {
+                "first_release_version": "4090",
+                "first_release_time": "2022-05-21T21:43:42Z"
+            },
+            "geo": "CN (China)",
+            "asn": "45090 (TENCENT-NET-AP Shenzhen Tencent Computer Systems Company Limited, CN)"
+        },
+        {
+            "ipaddr": "1.117.180.42",
+            "name": "Malicious IP Feed",
+            "status": "released",
+            "release": {
+                "first_release_version": "3888",
+                "first_release_time": "2021-11-02T00:53:22Z"
+            },
+            "geo": "CN (China)",
+            "asn": "45090 (TENCENT-NET-AP Shenzhen Tencent Computer Systems Company Limited, CN)"
+        }
+    ],
+    "message": "Successful"
+}
+```
+
+## Example 2: Request information about the specific matching IP address in the Threat Intelligence database: 
+
+```shell-session
+curl -H 'X-API-KEY: API_KEY' 'https://api.threatvault.paloaltonetworks.com/service/v1/ip-feed?ipaddr=193.189.116.210'
+```
+
+A successful API call returns, within the Contents section, `status="success"` along with the associated IP feed entry details:
+
+```json
+{
+    "success": true,
+    "link": {
+        "next": null,
+        "previous": null
+    },
+    "count": 1,
+    "data": [
+        {
+            "ipaddr": "193.189.116.210",
+            "name": "Malicious IP Feed",
+            "status": "released",
+            "release": {
+                "first_release_version": "2113",
+                "first_release_time": "2016-10-18T11:06:51Z"
+            },
+            "geo": "PL (Poland)",
+            "asn": "44124 (RYBNET-AS, PL)"
+        }
+    ],
+    "message": "Successful"
+}
+```
+
+## Example 3: Request information about the specific IP address using an IP address that does [not] exist in the Threat Intelligence database. This returns only Geolocation and Autonomous System information: 
+
+```shell-session
+curl -H 'X-API-KEY: API_KEY' 'https://api.threatvault.paloaltonetworks.com/service/v1/ip-feed?ipaddr=193.189.116.215'
+```
+
+A successful API call returns, within the Contents section, `status="success"` along with the associated IP feed entry details:
+
+```json
+{
+    "success": true,
+    "link": {
+        "next": null,
+        "previous": null
+    },
+    "count": 1,
+    "data": [
+        {
+            "ipaddr": "193.189.116.215",
+            "name": null,
+            "status": "N/A",
+            "release": {},
+            "geo": "PL (Poland)",
+            "asn": "44124 (RYBNET-AS, PL)"
+        }
+    ],
+    "message": "Successful"
+}
+```
+
+## Example 4: Request information about matching IP feed entries found in the Threat Intelligence database based on a range of IP addresses. This returns only Geolocation and Autonomous System information: 
+
+```shell-session
+curl -H 'X-API-KEY: API_KEY' 'https://api.threatvault.paloaltonetworks.com/service/v1/ip-feed?fromipaddr=185.130.5.207&toipaddr=185.130.5.236'
+```
+
+A successful API call returns, within the Contents section, `status="success"` along with the associated IP feed entry details:
+
+```json
+{
+    "success": true,
+    "link": {
+        "next": null,
+        "previous": null
+    },
+    "count": 7,
+    "data": [
+        {
+            "ipaddr": "185.130.5.207",
+            "name": "Malicious IP Feed",
+            "status": "released",
+            "release": {
+                "first_release_version": "2113",
+                "first_release_time": "2016-10-18T07:00:00Z"
+            },
+            "geo": "DE (Germany)",
+            "asn": "204527 (BJNIP, DE)"
+        },
+        {
+            "ipaddr": "185.130.5.208",
+            "name": "Malicious IP Feed",
+            "status": "released",
+            "release": {
+                "first_release_version": "2113",
+                "first_release_time": "2016-10-18T07:00:00Z"
+            },
+            "geo": "DE (Germany)",
+            "asn": "204527 (BJNIP, DE)"
+        },
+        {
+            "ipaddr": "185.130.5.224",
+            "name": "Malicious IP Feed",
+            "status": "released",
+            "release": {
+                "first_release_version": "2113",
+                "first_release_time": "2016-10-18T07:00:00Z"
+            },
+            "geo": "DE (Germany)",
+            "asn": "204527 (BJNIP, DE)"
+        },
+        {
+            "ipaddr": "185.130.5.231",
+            "name": "Malicious IP Feed",
+            "status": "released",
+            "release": {
+                "first_release_version": "2113",
+                "first_release_time": "2016-10-18T07:00:00Z"
+            },
+            "geo": "DE (Germany)",
+            "asn": "204527 (BJNIP, DE)"
+        },
+        {
+            "ipaddr": "185.130.5.233",
+            "name": "High Risk IP Feed",
+            "status": "expired",
+            "release": {
+                "first_release_version": "2113",
+                "first_release_time": "2016-10-18T07:00:00Z"
+            },
+            "geo": "DE (Germany)",
+            "asn": "204527 (BJNIP, DE)"
+        },
+        {
+            "ipaddr": "185.130.5.234",
+            "name": "High Risk IP Feed",
+            "status": "expired",
+            "release": {
+                "first_release_version": "2113",
+                "first_release_time": "2016-10-18T07:00:00Z"
+            },
+            "geo": "DE (Germany)",
+            "asn": "204527 (BJNIP, DE)"
+        },
+        {
+            "ipaddr": "185.130.5.235",
+            "name": "High Risk IP Feed",
+            "status": "expired",
+            "release": {
+                "first_release_version": "2113",
+                "first_release_time": "2016-10-18T07:00:00Z"
+            },
+            "geo": "DE (Germany)",
+            "asn": "204527 (BJNIP, DE)"
+        }
+    ],
+    "message": "Successful"
+}
+```