Exporting browsing results to a CSV archive

If you select the CSV archive (.zip) option when exporting all execution results, Kaspersky Threat Intelligence Portal saves web address browsing results as a .zip archive. The .zip archive contains files in comma-separated values (CSV) format, with commas used as field separators. Up to 10,000 entries can be exported to most files, with the exception of the url-and-analysis-properties.csv file, which contains only one entry.

Information about network traffic is exported to a network.pcap file.

Screenshots are exported as a folder.

By default, the format of the archive name is as follows: <web address MD5>-csv.zip. You can change the archive name if necessary.

Each .zip archive contains the files described in the table below. The first line of every CSV file contains the column names.

CSV archive contents (for each file: file name, description, and column names)

url-and-analysis-properties.csv

Information about web address browsing parameters.

The file contains only one entry.

Created—Date and time when the web address browsing started (for example, 2018-01-17T15:30:16.077Z).

Analyzed—Date and time when the browsing results analysis completed (for example, 2018-01-17T15:39:02.673Z).

AvBasesVersion—Date and time when anti-virus databases were updated (for example, 2018-01-17T18:36:00Z).

Zone—Zone of the web address (for example, Red).

Status—Status of the web address (for example, Malware).

State—Browsing task state (for example, completed).

ErrorCode—Task error description. If the task completed successfully, an empty string is returned.

Url—Web address that was browsed in Kaspersky Sandbox (for example, http://example.com/path/to/page.html).

HasApt—Shows whether the file is related to an advanced persistent threat (APT) attack.

categories.csv

Information about browsed and redirected web addresses categories.

Zone—Zone of the web address (for example, Green).

Category—Name of a category to which the web address belongs (for example, CATEGORY_SOCIAL_NETS).

publications.csv

Information about Crimeware Threat Intelligence and/or APT Intelligence reports to which the analyzed web address is related.

Id—ID of a Crimeware Threat Intelligence and/or APT Intelligence report (for example, 216456).

Name—Name of a Crimeware Threat Intelligence and/or APT Intelligence report (for example, Sofacy - New AZZY backdoor).

detection-names.csv

Information about threats that were detected during the web address emulation.

Zone—Danger zone to which the object refers (for example, Malware).

Threat—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).

hosts-ips.csv

Information about IP addresses that were accessed in all HTTP(S) requests after the FQDN resolved.

Zone—Zone of the IP address (for example, Green).

Ip—IP address to which FQDN resolved.

IpStatus—Status of a country's region detection (Reserved, Known, NoInfo).

IpCountryCode—Two-letter country code (ISO 3166-1 alpha-2 standard) of a country to which the IP address belongs. For reserved and not defined IP addresses, the NULL value is exported.

ASN—Autonomous system number according to RFC 1771 and RFC 4893.

Hits—Number of times when the IP address was detected by Kaspersky expert systems.

Domain—Fully qualified domain name (FQDN) that resolved to the IP address.

WHOIS-ips.csv

WHOIS information about the host of the analyzed web address.

For IP addresses:

ASN—Autonomous system number according to RFC 1771 and RFC 4893.

Net—Array of descriptions of the networks that the IP address belongs to.

Contacts—Contacts that are registered for the IP address.

For FQDN:

DomainName—Name of the domain for the analyzed web address.

Created—Date and time when the domain for the analyzed web address was registered.

Updated—Date and time when registration information about the domain for the analyzed web address was last updated.

Expires—Date when the domain expires.

NameServers—Name servers of the domain for the analyzed web address.

Contacts—Contacts that are registered for the IP address.

Registrar—Name of the registrar of the domain for the analyzed web address.

DomainStatus—Status of the domain for the analyzed web address (for example, clientTransferProhibited).

RegistrationOrganization—Name of the registration organization.

triggered-network-rules.csv

Information about SNORT and Suricata rules that were triggered during analysis of traffic from the web address.

Zone—Danger zone (level) of the network traffic detected by the SNORT or Suricata rule (for example, High).

RuleName—SNORT or Suricata rule name (for example, Trojan.Agent.HTTP.C&C).

screens (folder)

Set of screenshots (PNG images) that were taken during the web address browsing.

network.pcap

Information about activities that were registered during the web address browsing.
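The file and column names above are enough to read an exported archive programmatically, which is what an analyst usually wants when many browsing results have to be triaged. The script below is an added example, not part of the portal or its documentation: it builds a constructed in-memory archive with the documented layout (the row values, IP addresses, ASNs and the `false` format of `HasApt` are assumptions), then reads it back with the standard library, checking that `url-and-analysis-properties.csv` holds exactly one entry, that every documented CSV file is present, and that no file sits at the 10,000-entry cap (which would mean the export may have been truncated).

```python
"""Reader for a Kaspersky Threat Intelligence Portal CSV export archive.

File and column names follow the table in this page; the archive built by
build_sample_archive() is constructed here for illustration and is not a
real export.
"""
import csv
import io
import zipfile
from collections import defaultdict

# CSV files the page documents for every archive (screens/ is a folder,
# network.pcap is binary).
EXPECTED_CSV_FILES = [
    "url-and-analysis-properties.csv",
    "categories.csv",
    "publications.csv",
    "detection-names.csv",
    "hosts-ips.csv",
    "WHOIS-ips.csv",
    "triggered-network-rules.csv",
]
MAX_ENTRIES = 10_000  # documented per-file export cap

# Constructed sample contents. IPs are from documentation ranges, ASNs from
# the private range; the HasApt value format ("false") is an assumption.
SAMPLE_FILES = {
    "url-and-analysis-properties.csv":
        "Created,Analyzed,AvBasesVersion,Zone,Status,State,ErrorCode,Url,HasApt\n"
        "2018-01-17T15:30:16.077Z,2018-01-17T15:39:02.673Z,2018-01-17T18:36:00Z,"
        "Red,Malware,completed,,http://example.com/path/to/page.html,false\n",
    "categories.csv":
        "Zone,Category\nGreen,CATEGORY_SOCIAL_NETS\n",
    "publications.csv":
        "Id,Name\n",  # header only: no related reports in this sample
    "detection-names.csv":
        "Zone,Threat\nMalware,HEUR:Exploit.Script.Blocker\n",
    "hosts-ips.csv":
        "Zone,Ip,IpStatus,IpCountryCode,ASN,Hits,Domain\n"
        "Green,192.0.2.10,Known,US,64496,12,example.com\n"
        "Red,198.51.100.7,Known,NL,64497,3,cdn.example.com\n"
        "Green,203.0.113.5,Reserved,NULL,64498,0,example.net\n",
    "WHOIS-ips.csv":
        "ASN,Net,Contacts\n64496,\"192.0.2.0/24 (constructed)\",noc@example.com\n",
    "triggered-network-rules.csv":
        "Zone,RuleName\nHigh,Trojan.Agent.HTTP.C&C\n",
    "network.pcap": b"\xd4\xc3\xb2\xa1",        # pcap magic only; placeholder
    "screens/0001.png": b"\x89PNG\r\n\x1a\n",   # PNG signature only; placeholder
}


def build_sample_archive() -> bytes:
    """Pack SAMPLE_FILES into an in-memory .zip shaped like <md5>-csv.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in SAMPLE_FILES.items():
            zf.writestr(name, content)
    return buf.getvalue()


def read_csv_rows(zf: zipfile.ZipFile, name: str) -> list:
    """Return one CSV file as dicts; the first line supplies the keys."""
    text = zf.read(name).decode("utf-8")  # UTF-8 encoding is an assumption
    return list(csv.DictReader(io.StringIO(text)))


def summarize_archive(data: bytes) -> dict:
    """Pull the triage-relevant fields out of an export archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        missing = [f for f in EXPECTED_CSV_FILES if f not in names]
        rows = {f: read_csv_rows(zf, f) for f in EXPECTED_CSV_FILES if f in names}

        # The page states the properties file holds exactly one entry.
        props = rows.get("url-and-analysis-properties.csv", [])
        if len(props) != 1:
            raise ValueError(
                f"expected 1 entry in url-and-analysis-properties.csv, got {len(props)}")
        p = props[0]

        hosts = rows.get("hosts-ips.csv", [])
        ips_by_zone = defaultdict(list)
        for row in hosts:
            ips_by_zone[row["Zone"]].append(row["Ip"])

        return {
            "url": p["Url"],
            "zone": p["Zone"],
            "status": p["Status"],
            "state": p["State"],
            "has_error": p["ErrorCode"] != "",  # empty string means success
            "ips_by_zone": dict(ips_by_zone),
            # Reserved / undefined addresses carry the literal NULL country code.
            "unresolved_country": [r["Ip"] for r in hosts if r["IpCountryCode"] == "NULL"],
            "detections": [r["Threat"] for r in rows.get("detection-names.csv", [])],
            "rules": [(r["Zone"], r["RuleName"])
                      for r in rows.get("triggered-network-rules.csv", [])],
            "publications": [(r["Id"], r["Name"]) for r in rows.get("publications.csv", [])],
            "screenshots": sorted(n for n in names
                                  if n.startswith("screens/") and n.endswith(".png")),
            "has_pcap": "network.pcap" in names,
            "missing_files": missing,
            # A file at the cap may have been cut off by the exporter.
            "possibly_truncated": [f for f, r in rows.items() if len(r) >= MAX_ENTRIES],
        }


if __name__ == "__main__":
    for key, value in summarize_archive(build_sample_archive()).items():
        print(f"{key}: {value}")
```

Point `summarize_archive` at the bytes of a real `<web address MD5>-csv.zip` instead of the constructed sample to get the same summary for an actual export; the `possibly_truncated` list is the signal to re-export or query the portal directly when a file has hit the cap.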
