Threat Lookup API

You can investigate objects by using the Kaspersky Threat Intelligence Portal API methods.

Endpoints, required parameters, responses, and usage examples are described in the OpenAPI documentation.

You can use the Threat Lookup API without a certificate, by using an API token if it is allowed by your organization.

Before working with the Kaspersky Threat Intelligence Portal API, you must accept the Terms and Conditions online in your browser at https://tip.kaspersky.com.

To run a request by using Kaspersky Threat Intelligence Portal API:

  1. Perform the steps for the second factor of two-factor authentication that you use (certificate or API token):


  2. Specify the required HTTP method.
  3. Enter your query in the following format:

    https://tip.kaspersky.com/api/<request type>/<request>?count=<records count>[&sections=<sections names>][&format=<result format>]

    Here:

    • <request type>—Type of object that you want to investigate.

      Available values:

      • hash—Specify this value to investigate a hash.
      • ip—Specify this value to investigate an IP address. If you want an IP address to be processed as a web address, add the http:// or https:// prefix to the IP address in your request. For example, 104.132.161.0 is processed as an IP address, and http://104.132.161.0 is processed as a web address.
      • domain—Specify this value to investigate a domain.
      • url—Specify this value to investigate a web address. Use percent-encoding (URL encoding) to convert certain characters into a valid ASCII format.
    • <request>—Object that you want to investigate.

      For a web address, its length is limited to a maximum of 2000 characters. If the requested web address length exceeds the limit, an HTTP error 414 (URI Too Long) is returned.

    • <records count>—Maximum number of records in each data group to display.

      If this parameter is not specified, up to 1000 records will be displayed. This restriction does not apply to DetectionsInfo and FileParentCertificates groups. For these groups, all records are displayed regardless of the number of records.

    • <sections names>—Sections that you want to process for the requested object. Use the comma to specify several sections.

      If the parameter is not specified, all sections will be processed.

      For faster request processing, we recommend that you list only the sections you actually need in the <sections names> parameter and set the <records count> parameter to the number of entries you want to receive.

      Use the question mark (?) to separate the first parameter from the request. Use the ampersand (&) to separate parameters from each other. The parameters can be specified in any order.

      Dates in all sections are displayed in Coordinated Universal Time (UTC) format.

    • <result format>—Investigation result format.

      This is an optional parameter.

      Available values:

      • json—Investigation results are returned in JSON format.
      • stix—Investigation results are returned in STIX format. If this value is specified, the <records count> and <sections names> parameters are ignored: data from all groups is returned.

      If the <result format> parameter is not specified, investigation results are returned in JSON format.

      For detailed information about investigation results, see related sections: hashes, IP addresses, domains, and web addresses.
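The request format above, as an added example that is not Kaspersky's own code: a small Python helper that chooses the <request type> by the page's rules (an IP address with an http:// or https:// prefix becomes a web address), percent-encodes web addresses, refuses addresses over the 2000-character limit that would produce HTTP 414, and drops count and sections when STIX output is requested because the server ignores them. Hash detection by hex length (MD5, SHA-1, SHA-256) and encoding the whole web address with quote(safe="") are assumptions; nothing is sent over the network.

```python
import ipaddress
import re
from urllib.parse import quote

BASE = "https://tip.kaspersky.com/api"
MAX_URL_OBJECT_LEN = 2000  # longer web addresses get HTTP 414 (URI Too Long)
# Assumption: hashes are MD5, SHA-1 or SHA-256 hex digests (32/40/64 chars).
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def classify(obj: str) -> str:
    """Pick the <request type> (hash, ip, domain, url) for an object."""
    if obj.lower().startswith(("http://", "https://")):
        return "url"  # prefixed IP is processed as a web address, per the page
    try:
        ipaddress.ip_address(obj)
        return "ip"
    except ValueError:
        pass
    if HASH_RE.match(obj):
        return "hash"
    return "domain"


def url_fits_limit(obj: str) -> bool:
    """True if a web address is within the documented 2000-character limit."""
    return len(obj) <= MAX_URL_OBJECT_LEN


def build_lookup_url(obj, request_type=None, count=None, sections=None, fmt=None):
    """Build https://tip.kaspersky.com/api/<type>/<request>?count=..&sections=..&format=.."""
    request_type = request_type or classify(obj)
    if request_type == "url":
        if not url_fits_limit(obj):
            raise ValueError("web address exceeds 2000 characters; server would return 414")
        # Assumption: encode every reserved character so '/' and '?' inside the
        # investigated address cannot be confused with the API path or query.
        obj = quote(obj, safe="")
    params = []
    if fmt == "stix":
        params.append("format=stix")  # count/sections are ignored for STIX; omit them
    else:
        if count is not None:
            params.append(f"count={int(count)}")
        if sections:
            params.append("sections=" + ",".join(sections))
        if fmt:
            params.append(f"format={fmt}")
    url = f"{BASE}/{request_type}/{obj}"
    if params:
        url += "?" + "&".join(params)
    return url
```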

View usage examples in the OpenAPI specification

In this section

Percent-encoding for web address investigation

Working with ktl_lookup utility
