APT and Crimeware Threat Intelligence reporting API

This section explains how to request reports by using Kaspersky Threat Intelligence Portal API.

Before working with the Kaspersky Threat Intelligence Portal API, you must accept the Terms and Conditions online in your browser at https://tip.kaspersky.com.

The main purpose of the API is to give automated access for retrieving data from Kaspersky Threat Intelligence Portal. More precisely, the API is used to export reports for further integration using other external services. This documentation is valid for Kaspersky Threat Intelligence Portal API version 1.0.

To request reports by using Kaspersky Threat Intelligence Portal API:

1. Make sure that the application you use for working with Kaspersky Threat Intelligence Portal API uses the certificate you received from Kaspersky.
2. In the Authorization field of the HEADER section, specify the user name and password that you received from Kaspersky or your administrator.
3. Specify the Basic authentication scheme.
4. Specify the required HTTP method.
5. Run your query by using one of the endpoints described below.

Obtaining certificate, user name, and password

A certificate, user name, and password are required to work with Kaspersky Threat Intelligence Portal.

You must obtain a certificate, user name, and password from Kaspersky. The user name and password are used to refer to the service through Kaspersky Threat Intelligence Portal API.

Converting certificate to PEM format

You must convert the certificate received from your dedicated Kaspersky Technical Account Manager to PEM format before working with Kaspersky Threat Intelligence Portal API.

API Location

Unless otherwise instructed, you will access Kaspersky Threat Intelligence Portal API at the following location:

https://tip.kaspersky.com/api/publications/<endpoint>

Authentication

Access to the API is obtained by two authentication methods:

• You must use the certificate information provided by the administrator.
• You must use the user name and password provided by the administrator.

Authentication error message

For invalid user login details, the server will return a 401 Unauthorized HTTP error message.

Request examples:   Expand all | Collapse all Successful authentication: curl -u <user_name> -H 'Content-Length: 0' --cert <full path to the certificate CERT_NAME.pem on your computer> -X POST 'https://tip.kaspersky.com/api/publications/<endpoint>' See result example { "status": "ok", "status_msg": "", "return_data": <...see below...> } Invalid authentication: curl -u <invalid user_name or password> -H 'Content-Length: 0' --cert <full path to the certificate CERT_NAME.pem on your computer> -X POST 'https://tip.kaspersky.com/api/publications/<endpoint>' See result example { "status": "error", "status_msg": "Unauthorized" }

Endpoint return data

Each endpoint will return a JSON encoded array that has three entries: status, status_msg, and return_data.

• The status entry can be: ok or error.
• The status_msg entry will describe the error string (a text part according to section 10 of RFC 2616) in case status is not ok.
• The return_data entry will be documented accordingly by each endpoint.

Methods

APT and Crimeware Threat Intelligence reporting API methods

Method	Description
get_list	Obtains the list of reports published on Kaspersky Threat Intelligence Portal.
get_one	Obtains specific information for a publication.
get_master_ioc	Obtains a Master IOC file, that contains indicators of compromise in CSV file format.
get_master_yara	Obtains a Master YARA file.

See also: Actor profiles API

In this section Get report list Get specific report Get Master IOC file Get Master YARA file Using cURL utility for working with reports

Page top