Get Master YARA
The ics/get_master_yara endpoint is used to display a Master YARA file. Results are provided as base64-encoded gzip data and must be decoded.
Request
Request method: POST
Endpoint: https://tip.kaspersky.com/api/ics/get_master_yara
Query parameters: The endpoint does not expect any parameters.
Request example:
Request a Master YARA for APT Intelligence reports:
curl -u <user_name> -H 'Content-Length: 0' --cert <full path to the certificate CERT_NAME.pem on your computer> -X POST 'https://tip.kaspersky.com/api/ics/get_master_yara?report_group=apt'
Responses
200 OK
Request processed successfully.
The endpoint returns a report that includes all available Industrial Threat intelligence reports at Kaspersky Threat Intelligence Portal in YARA Rules format. Results are provided as base64-encoded gzip data and must be decoded.
For more information on YARA Rules, see https://yara.readthedocs.io.
Result example:
import "math"
import "pe"

rule apt_ZZ_Ismdoor_crypto {
    meta:
        author = "Kaspersky Lab"
        copyright = "Kaspersky Lab"
        date = "22-2-2017"
        report = "Ismdoor - possible Shamoon attack vector found in Saudi Arabia"
        reference = "https://apt.threatintel.kaspersky.com/download.php?doc=intelcustomers/2017_02_Ismdoor-possibleShamoonattackvectorfoundinSaudiArabia/Ismdoor%20-%20possible%20Shamoon%20attack%20vector%20found%20in%20Saudi%20Arabia.pdf"
    strings:
        $a1 = { A7 00 [2-10] D4 00 [2-10] D0 00 [2-10] D2 00 [2-10] D8 00 [2-10] A5 00 [2-10] B6 00 [2-10] 26 01 [2-10] 94 01 [2-10] 82 01 [2-10] 90 01 [2-10] 87 01 [2-10] 4E 02 [2-10] A5 02}
    condition:
        uint16(0) == 0x5A4D and
        all of them
}
...more rules
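The decoding step required for a 200 OK result, shown as an added example that is not part of the Kaspersky documentation. It assumes the base64 text has already been extracted from the response body (the page does not show the response envelope); the function names and the 64 MiB size limit are illustrative choices.

```python
import base64
import binascii
import gzip
import re
import zlib

MAX_RULES_BYTES = 64 * 1024 * 1024  # assumed ceiling for the decompressed rule file

# Matches rule declarations, including "private"/"global" modifiers.
RULE_NAME_RE = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+(\w+)", re.MULTILINE)


def decode_master_yara(b64_payload, max_bytes=MAX_RULES_BYTES):
    """Return the YARA source text carried in a base64-encoded gzip payload."""
    try:
        # Remove transport whitespace, then reject any non-base64 characters.
        compact = b"".join(b64_payload.encode("ascii").split())
        raw = base64.b64decode(compact, validate=True)
    except (UnicodeEncodeError, binascii.Error) as exc:
        raise ValueError("payload is not valid base64") from exc
    if raw[:2] != b"\x1f\x8b":
        raise ValueError("decoded payload is not a gzip stream")
    # wbits=31 selects the gzip container; max_length caps the output so an
    # oversized or hostile stream cannot exhaust memory.
    inflater = zlib.decompressobj(wbits=31)
    try:
        data = inflater.decompress(raw, max_bytes + 1)
    except zlib.error as exc:
        raise ValueError("gzip stream is corrupt") from exc
    if len(data) > max_bytes:
        raise ValueError("decompressed rules exceed the size limit")
    if not inflater.eof:
        raise ValueError("gzip stream is truncated")
    return data.decode("utf-8")


def rule_names(yara_source):
    """List rule identifiers so the decoded file can be sanity-checked."""
    return RULE_NAME_RE.findall(yara_source)


# Constructed sample standing in for a response body (not real portal output).
SAMPLE_RULES = 'rule constructed_example {\n  strings:\n    $a = "demo"\n  condition:\n    $a\n}\n'
SAMPLE_PAYLOAD = base64.b64encode(gzip.compress(SAMPLE_RULES.encode())).decode()

if __name__ == "__main__":
    text = decode_master_yara(SAMPLE_PAYLOAD)
    print(rule_names(text))
```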
401 Unauthorized
Request not processed: user authentication failed.
Make sure you enter the correct credentials, and then try to run the query again. If the problem recurs, please contact your dedicated Kaspersky Technical Account Manager.
403 Forbidden
Request not processed: running requests by using an API token is forbidden for this service.
You can use an API token only for running Threat Lookup API requests.
For other Kaspersky Threat Intelligence Portal services, a certificate is required; API token usage is not available.
451 Unavailable For Legal Reasons