API results for domain

The table below contains possible sections available for a domain investigation in JSON format.

Certain objects can be assigned the suspicious status. Suspicious is an internal name used only to identify objects with a threat score between 50 and 74; it means not trusted.

200 OK response parameters

Section in API

Section in web interface

Description

LicenseInfo

Information on the license used:

AccessType—License type (Commercial or Trial).

DayRequests—Number of requests performed in the current day (for a commercial license).

DayQuota—Daily limit of requests (for a commercial license).

TokenExpirationDate—Date when an API token expires. If there is no API token requested, the null value is returned.

Zone

On the Threat Lookup results page, the panel with the requested object and its status appears in a certain color, depending on the zone of the investigated object.

Color of the zone that a domain belongs to.

RelatedObjects

Information about the presence of malicious objects associated with the indicator.

HasRedZone—Shows whether there are malicious objects (zone=red) related to the indicator: true—there are related malicious objects; false—no related malicious objects.

DomainGeneralInfo

Overview

The following information about the requested domain will be provided:

FilesCount—Number of known malicious / all files.

UrlsCount—Number of known malicious / all web addresses.

HitsCount—Number of IP addresses related to the domain.

Domain—Name of the requested domain.

Ipv4Count—Number of IP addresses (IPv4) for the requested domain.

Categories—Categories of the requested domain.

CategoriesWithZone—Categories of the requested domain and zones that the category belongs to.

HasApt—Shows whether the requested domain is related to an advanced persistent threat (APT) attack.

RelatedAptReports—Array of objects that describe APT Intelligence reports, Crimeware Threat Intelligence reports, and Industrial Threat intelligence reports to which the requested domain is related. Each object contains a report's ID, type, and title. The report ID can be used as an argument (publication_id) for the get_one endpoint, which is used to obtain specific information for a report. If the requested domain is not related to reports, an empty array is returned.

FilesAccessed

Files that accessed the requested domain

Information about files that accessed the requested domain:

Zone—Color of the zone that a file belongs to.

AccessedHitsCount—Number of file downloads from the requested domain as detected by Kaspersky expert systems.

Md5—MD5 hash of the downloaded file.

LastSeen—Date and time when the file was last downloaded from the requested domain, according to your computer local time zone.

FirstSeen—Date and time when the file was first downloaded from the requested domain, according to your computer local time zone.

DetectionName—Name of the detected object.

FilesDownloaded

Files downloaded from requested domain

Information about objects that were downloaded from the requested domain and web addresses of the requested domain:

Zone—Color of the zone that a file belongs to.

DownloadedHitsCount—Number of file downloads from the requested domain as detected by Kaspersky expert systems.

Md5—MD5 hash of the downloaded file.

LastSeen—Date and time when the file was last downloaded from the requested domain, according to your computer local time zone.

FirstSeen—Date and time when the file was first downloaded from the requested domain, according to your computer local time zone.

DetectionName—Date and time when the file was first downloaded from the requested domain.

Subdomains

Subdomains

Information about hosts related to the requested domain (subdomains):

Zone—Color of the zone that a subdomain belongs to.

Subdomain—Name of the detected subdomain.

UrlsCount—Number of web addresses related to the subdomain.

FilesCount—Number of files hosted on the detected subdomain.

FirstSeen—Date and time when the subdomain was first detected, according to your computer local time zone.

UrlReferrals

Referrals to domain

Information about web addresses that refer to the requested domain:

Zone—Color of the zone that a web address belongs to.

LastSeen—Date and time when the requested domain was last referred to by listed web addresses, according to your computer local time zone.

Url—Web address that refers to the requested domain.

IsUrlTruncated—Shows whether private data was filtered in the displayed web address.

UrlReferredTo

Domain referred to the following URLs

Information about web addresses that the requested domain refers to:

Zone—Color of the zone that a web address belongs to.

LastSeen—Date and time when the requested domain was last referred to by listed web addresses, according to your computer local time zone.

Url—Web address that refers to the requested domain.

IsUrlTruncated—Shows whether private data was filtered in the displayed web address.

DomainWhoIsInfo

WHOIS

The following information about the requested domain will be provided:

DomainName—Name of the requested domain.

Created—Date when the requested domain was registered.

Updated—Date when registration information about the requested domain was last updated.

Expires—Expiration date of the requested domain.

NameServers—Name servers of the requested domain.

Contacts—Contact information for the owner of the requested domain, including:

ContactType

Name

Organization

Address

City

State

PostalCode

CountryCode

Phone

Fax

Email

Registrar—Name, IANA ID, and email of the registrar of the requested domain.

DomainStatus—Statuses of the requested domain.

RegistrationOrganization—Name of the registration organization.

DomainDnsResolutions

DNS resolutions for domain

The following information about the requested domain will be provided:

Zone—Color of the zone that the domain belongs to.

Ip—IP address.

CountryCode—Two-letter country code (ISO 3166-1 alpha-2 standard) of a country to which the IP address belongs. For reserved and not defined IP addresses, the NULL value is exported.

Status—Status of the IP address (Known if the country is detected, Reserved for reserved special-purpose IP addresses (see RFC 6890), and NoInfo for IP addresses that do not belong to any country and are not reserved).

HitsCount—Number of IP address detections by Kaspersky expert systems.

FirstSeen—Date and time when the requested domain first resolved to the IP address, according to your computer local time zone.

LastSeen—Date and time when the requested domain last resolved to the IP address, according to your computer local time zone.

DailyPeak—Maximum number of domain resolutions to the IP address per day.

PeakDate—Date of maximum number of domain resolutions to the IP address.

ThreatScore—Probability that the requested domain will be dangerous (0 to 100).

FeedMasks

URL masks

The following information about the requested domain will be provided:

Zone—Color of the zone that a domain belongs to (Red or Yellow).

NormalizedMask—Requested domain mask.

FeedNames—Threat Data Feeds that contain the requested domain mask.

Type—Type of the requested domain and web addresses mask.

hostSimilarDomains

Similar domains

The following information about domains whose names are close in spelling to the name of the requested domain is provided:

zone—Color of the zone that a similar domain belongs to.

domain—Similar domain name.

registration—Date when a similar domain was registered.

expiration—Expiration date of a similar domain.

http_open—Shows whether an HTTP port is open.

https_open—Shows whether an HTTPS port is open.

hostSpamInfo

Spam attacks

The following information about spam attacks associated with the requested domain is provided:

spam_attacks—Number of spam attacks.

spam_ratio—Ratio of spam generated by the requested domain to the rest of the content.

last_attack_date—Date of the latest spam attack.

spam_attack_types—Array of attack types.

hostPhishingInfo

Phishing attacks

The following information about phishing attacks associated with the requested domain is provided:

phishing_attacks—Number of phishing attacks.

last_attack_date—Date of the latest phishing attack.

regions—Top 10 regions affected by the phishing attack.

phish_kit—Name of a phishing kit (a set of materials and tools) used during the phishing attack.

stolen_data_type—Type of data stolen during phishing attack, for example, user names, passwords.

attacked_industry—Target industry of a phishing attack.

attacked_organization—Target organization of a phishing attack.

DataFeeds

Data Feeds

List of Threat Data Feeds that contain information about the requested domain. If the requested domain is not mentioned in Threat Data Feeds, this section is not returned.
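The following is an added example, not code from the product or its vendor: it reduces a domain investigation response to the fields an analyst checks first, applying the 50 to 74 suspicious band, the null CountryCode for reserved addresses, and the DataFeeds section that is absent when the domain is in no feed. The JSON nesting, the report key `Id`, and all sample values are assumptions.

```python
import json

# Constructed sample. Section and field names come from the table above; the
# nesting, the report key "Id" and every value are assumptions for illustration.
SAMPLE = json.loads("""{
  "Zone": "Yellow",
  "RelatedObjects": {"HasRedZone": true},
  "DomainGeneralInfo": {"Domain": "example.test", "HasApt": true,
    "RelatedAptReports": [{"Id": "REPORT-ID-PLACEHOLDER", "Type": "placeholder",
                           "Title": "Constructed title"}]},
  "DomainDnsResolutions": [
    {"Ip": "192.0.2.10", "Status": "Known", "CountryCode": "US", "ThreatScore": 90},
    {"Ip": "198.51.100.7", "Status": "Known", "CountryCode": "DE", "ThreatScore": 60},
    {"Ip": "10.0.0.5", "Status": "Reserved", "CountryCode": null, "ThreatScore": 0}]
}""")

def is_suspicious(score):
    """True for a threat score in the 50..74 band the page calls suspicious."""
    return isinstance(score, (int, float)) and 50 <= score <= 74

def triage(resp):
    """Summarise a response; every section is treated as optional."""
    info = resp.get("DomainGeneralInfo") or {}
    out = {
        "domain": info.get("Domain"),
        "zone": resp.get("Zone"),
        "related_red": bool((resp.get("RelatedObjects") or {}).get("HasRedZone")),
        "apt": bool(info.get("HasApt")),
        # Report IDs can be passed as publication_id to get_one ("Id" is assumed).
        "report_ids": [r.get("Id") for r in info.get("RelatedAptReports") or []],
        # DataFeeds is not returned at all when no feed mentions the domain.
        "in_feeds": "DataFeeds" in resp,
        "suspicious_ips": [],
        "no_country_ips": [],
    }
    for res in resp.get("DomainDnsResolutions") or []:
        if is_suspicious(res.get("ThreatScore")):
            out["suspicious_ips"].append(res.get("Ip"))
        # Reserved and NoInfo addresses carry a null CountryCode, so key on Status.
        if res.get("Status") in ("Reserved", "NoInfo"):
            out["no_country_ips"].append(res.get("Ip"))
    return out

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```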
