Exporting results for IP address

RelatedAptReports—IDs of APT Intelligence reports and Crimeware Threat Intelligence reports, to which the requested object is related. For each report, its ID, type (fin or apt), and title are provided in a JSON-like format (pseudo-JSON), for example: {Id : 632-apt , Type : apt , Title : Sofacy-Delphocy Toolset}. If there are several reports for the requested object, each report is enclosed in braces, and reports are separated by a comma. The report ID can be used as an argument (publication_id) for the get_one endpoint, which is used to obtain specific information for a report.

For reserved IP addresses, only IpProperties.csv and IpWhoIsInfo.csv files are exported.

CSV archive contents for IP address

File name

Description

Columns

IpPdnsDomains.csv

pDNS information for the requested IP address.

Zone—Color of the zone that a domain (resolved to the requested IP address) belongs to.

Domain—Domain that resolves to the requested IP address.

FirstSeen—Date and time when the domain first resolved to the requested IP address, according to your computer local time zone.

LastSeen—Date and time when the domain last resolved to the requested IP address, according to your computer local time zone.

HitsCount—Number of times that the domain resolved to the requested IP address.

DailyPeak—Maximum number of domain resolutions to the requested IP address per day.

PeakDate—Date of maximum number of domain resolutions to the requested IP address.

CategoriesCategories of the requested IP address.

IpFiles.csv

Information about MD5 hashes of files that are related to web addresses containing domains that resolve to the requested IP address. Also, MD5 hashes of files that accessed the requested IP address are displayed.

Zone—Color of the zone that a file belongs to.

DownloadHitsCount—Number of times that a file was downloaded from the requested IP address as detected by Kaspersky expert systems.

Md5—MD5 hash of the downloaded file.

LastSeen—Date and time that the file was last downloaded from the requested IP address, according to your computer local time zone.

FirstSeen—Date and time the file was first downloaded from the requested IP address, according to your computer local time zone.

DetectionName—Name of the detected object.

Url—Web addresses used to download the file.

IpUrls.csv

Information about web addresses that contain the requested IP address and web addresses of the domain that resolves to the requested IP address.

Zone—Color of the zone that a web address belongs to.

UrlHitsCount—Number of web address detections by Kaspersky expert systems.

Url—Detected web address (including web addresses that contain the requested IP address).

IsUrlTruncated—Shows whether private data was filtered in the displayed web address.

FirstSeen—Date and time when the web address was first detected, according to your computer local time zone.

LastSeen—Date and time when the web address was last detected, according to your computer local time zone.

IpFeedMasks.csv

Information about masks of detected by Kaspersky expert systems web addresses that contain the requested IP address and web addresses of the domain that resolves to the requested IP address. If a mask is included in Threat Data Feeds, the feed names are also provided.

Zone—Color of the zone that web addresses covered by the corresponding mask (Red, Orange, or Yellow) belongs to.

NormalizedMask—Mask of the web address.

FeedNames—Threat Data Feeds that contain the web address mask (Malicious URL Feed, Phishing URL Feed, Botnet C&C URL Feed, APT URL Data Feed, and APT IP Data Feed.

MaskTypeType of the web address mask.

IpProperties.csv

General information about the requested IP address.

Status—Status of the IP address (Known if the country is detected, Reserved for reserved special-purpose IP addresses (see RFC 6890), and NoInfo for IP addresses that do not belong to any country and are not reserved).

CountryCode—Two-letter country code (ISO 3166-1 alpha-2 standard) of a country to which the IP address belongs. For reserved and not defined IP addresses, the NULL value is exported.

HitsCount—Hits number (popularity) of the requested IP address.

FirstSeen—Date and time when the requested IP address appeared in Kaspersky expert systems statistics for the first time, according to your computer local time zone.

ThreatScore—Probability that the requested IP address appears dangerous (0 to 100). RelatedAptReports—IDs of APT Intelligence reports and Crimeware Threat Intelligence reports, to which the requested object is related. For each report, its ID, type (fin or apt), and title are provided in a JSON-like format (pseudo-JSON), for example: {Id : 632-apt , Type : apt , Title : Sofacy-Delphocy Toolset}. If there are several reports for the requested object, each report is enclosed in braces, and reports are separated by a comma. The report ID can be used as an argument (publication_id) for the get_one endpoint, which is used to obtain specific information for a report.

IpReputation.csv

Information about the requested IP address reputation and categories.

Ip—Requested IP address.

Zone—Color of the zone that an IP address belongs to.

Categories—Categories of the requested object and zones that the category belongs to. Category and zone are provided in a JSON-like format (pseudo-JSON), for example: {Name : CATEGORY_APT, Zone : Red}. If the requested object does not belong to any defined categories, the General category is specified.

HasApt—Shows whether the requested IP address is related to an advanced persistent threat (APT) attack.

BotnetCnCThreatName—Name of the detected Botnet C&C.

IpWhoIsInfo.csv

WHOIS information about the requested IP address.

Asn—Autonomous system number.

Net—Information about the network that the requested IP address belongs to.

Contacts—Contact information of the owner of the requested IP address.

IPSpamInfo.csv

Information about spam attacks associated with the requested IP address.

spam_attacks—Number of spam attacks.

spam_ratio—Ratio of spam generated by the requested IP address to the rest of the content.

last_attack_date—Date of the latest spam attack.

spam_attack_types—Array of attack types.

IPPhishingInfo.csv

Information about spam attacks associated with the requested IP address.

phishing_attacks—Number of phishing attacks.

phish_kit—Phishing kit name (set of materials and tools) used during the phishing attack.

last_attack_date—Date of the latest phishing attack.

regions—Top 10 regions affected by the phishing attack.

stolen_data_type—Type of data stolen during phishing attack, for example, user names, passwords.

attacked_industry—Target industry of a phishing attack.

attacked_organization—Target organization of a phishing attack.

IpTimeline.csv

Information about detection statistics and requested object status changes during the certain historical periods. The timeline is generated only when the detection statistics for the period is available for a specific object.

historical_zone—Object zone during the certain period.

historical_status—Object status during the certain period.

start_date—Start date and time of the period when the object was assigned to the certain status.

end_date—End date and time of the period when the object was assigned to the certain status.

categories—Categories assigned to the object during the specified period.

Page top