Using cURL utility for working with reports
This section describes how you can request reports in different formats using the cURL utility.
To get a list of all available reports, execute:
curl -u <user name> -H 'Content-Length: 0' --cert <full path to the certificate on your computer> -X POST 'https://tip.kaspersky.com/api/publications/get_list'
See result example
{
"status": "ok",
"status_msg": "",
"return_data": {
"count": 2,
"publications": [
{
"id": "ac36f485-337b-4f91-4177-0c7b6bdf6a48-apt",
"updated": 1489079546,
"published": 1489079546,
"name": "APT10 Spearphishes Japanese Policy Experts late 2016 to early 2017",
"desc": "In late January 2017, JPCERT/CC reported a spearphishing campaign and related backdoor which they named ChChes. The campaign, which we have high confidence was carried out by the APT10 actor, targeted multiple Japanese organizations.",
"report_group": "apt",
"tags": ["Japan", "Educational", "APT10"],
"tags_industry": ["Educational"],
"tags_geo": ["Japan"],
"tags_actors": ["APT10"],
"pdfs": ["pt", "en"],
"exec_sums": ["en"]
},
{
"id": "ac36f465-337b-4f91-4177-0c7b6bdf6a48-apt",
"updated": 1487783546,
"published": 1487783546,
"name": "Ismdoor - possible Shamoon attack vector found in Saudi Arabia",
"desc": "Ismdoor is a family of malware which according to public sources might be connected or used in relation to the Shamoon2 attacks. Although no solid proof of connections with Shamoon have been identified so far, the distribution of the victims has a strong bias towards Saudi Arabia and Qatar, as well as other countries from the Gulf region.",
"report_group": "apt",
"tags": ["Iraq", "Jordan", " Qatar", " Saudi Arabia", "Energy"],
"tags_industry": ["Energy"],
"tags_geo": ["Iraq", "Jordan", "Qatar", "Saudi Arabia"],
"pdfs": ["pt", "en"],
"exec_sums": ["en"],
"exec_sum_text": [Text of the executive summary]
}
]
}
}
To get a list of all available reports within a specific time frame, execute:
curl -u <user name> -H 'Content-Length: 0' --cert <full path to the certificate on your computer> -X POST 'https://tip.kaspersky.com/api/publications/get_list?date_start=1490628942&date_end=1490628942'
You can convert the date into UNIX format at www.epochconverter.com.
To request a certain report, execute:
curl -u <user name> -H 'Content-Length: 0' --cert <full path to the certificate on your computer> -X POST 'https://tip.kaspersky.com/api/publications/get_one?publication_id=1166'
See result example
{
"status": "ok",
"status_msg": "",
"return_data": {
"id": "627",
"updated": 1435010400,
"published": 1435010400,
"name": "Sofacy – New AZZY backdoor",
"desc": "Description of the AZZY backdoor used by the Sofacy group.",
"report_group": "apt",
"tags": ["APT28","Fancy Bear","Sednit","Sofacy","Tsar Team"]
}
}
To request a report in PDF format, execute:
curl -u <user name> -H 'Content-Length: 0' --cert <full path to the certificate on your computer> -X POST 'https://tip.kaspersky.com/api/publications/get_one?publication_id=627&include_info=pdf,execsum'
See result example
{
"status": "ok",
"status_msg": "",
"return_data": {
"id": "627",
"updated": 1435010400,
"published": 1435010400,
"name": "Sofacy – New AZZY backdoor",
"desc": "Description of the AZZY backdoor used by the Sofacy group.",
"report_group": "apt",
"tags": ["APT28","Fancy Bear","Sednit","Sofacy","Tsar Team"],
"report_pdf": "..base64(gzip())..",
"report_execsum": "..base64(gzip()).."
}
}
If include_info contains an invalid value, that value is ignored and the valid values in the same request are still processed.
Example request with an invalid include_info value:
curl -u <user name> -H 'Content-Length: 0' --cert <full path to the certificate on your computer> -X POST 'https://tip.kaspersky.com/api/publications/get_one?publication_id=627&include_info=pdf,<invalid_value>'
See result example
{
"status": "ok",
"status_msg": "",
"return_data": {
"id": "627",
"updated": 1435010400,
"published": 1435010400,
"name": "Sofacy – New AZZY backdoor",
"desc": "Description of the AZZY backdoor used by the Sofacy group.",
"report_group": "apt",
"tags": ["APT28","Fancy Bear","Sednit","Sofacy","Tsar Team"],
"report_pdf": "..base64(gzip()).."
}
}
To request a Master IOC, execute:
curl -u <user name> -H 'Content-Length: 0' --cert <full path to the certificate on your computer> -X POST 'https://tip.kaspersky.com/api/publications/get_master_ioc'
See result example
{
"status": "ok",
"status_msg": "",
"return_data": {
"master_ioc": "..base64(gzip()).."
}
}
To request a Master YARA, execute:
curl -u <user name> -H 'Content-Length: 0' --cert <full path to the certificate on your computer> -X POST 'https://tip.kaspersky.com/api/publications/get_master_yara'
See result example
{
"status": "ok",
"status_msg": "",
"return_data": {
"master_yara": "..base64(gzip()).."
}
}
To request an executive summary, execute:
curl -u <user name> -H 'Content-Length: 0' --cert <full path to the certificate on your computer> -X POST 'https://tip.kaspersky.com/api/publications/get_one?publication_id=1187&include_info=execsum'
To request a report in all available formats, execute:
curl -u <user name> -H 'Content-Length: 0' --cert <full path to the certificate on your computer> -X POST 'https://tip.kaspersky.com/api/publications/get_one?publication_id=627&include_info=all'
See result example
{
"status": "ok",
"status_msg": "",
"return_data": {
"id": "627",
"updated": 1435010400,
"published": 1435010400,
"name": "Sofacy – New AZZY backdoor",
"desc": "Description of the AZZY backdoor used by the Sofacy group.",
"report_group": "apt",
"tags": ["APT28","Fancy Bear","Sednit","Sofacy","Tsar Team"],
"report_pdf": "..base64(gzip())..",
"report_execsum": "..base64(gzip())..",
"report_iocs": "..base64(gzip())..",
"report_yara": "..base64(gzip()).."
}
}
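The report_pdf, report_execsum, report_iocs, report_yara, master_ioc and master_yara fields above are shown as base64(gzip()) payloads. The following added example (not part of the original documentation or of Kaspersky's code) reverses that encoding for a saved response, checks the status field first, and caps the decompressed size; the 64 MiB cap, the function names and the sample response are assumptions constructed for illustration.

```python
import base64
import gzip
import io
import json

MAX_DECODED = 64 * 1024 * 1024  # assumed cap on decompressed size (64 MiB)
# Fields the documentation shows as base64(gzip()) payloads.
PACKED_FIELDS = ("report_pdf", "report_execsum", "report_iocs", "report_yara",
                 "master_ioc", "master_yara")

def unpack_field(value, limit=MAX_DECODED):
    """Reverse base64(gzip(data)), refusing output larger than `limit` bytes."""
    raw = base64.b64decode(value, validate=True)  # strict: reject stray characters
    with gzip.GzipFile(fileobj=io.BytesIO(raw)) as gz:
        data = gz.read(limit + 1)  # never inflate more than limit + 1 bytes
    if len(data) > limit:
        raise ValueError("decompressed payload exceeds limit")
    return data

def extract_payloads(response_text, limit=MAX_DECODED):
    """Return {field: bytes} for every packed field present in an API response."""
    doc = json.loads(response_text)
    if doc.get("status") != "ok":
        raise RuntimeError("API error: %r" % doc.get("status_msg"))
    data = doc.get("return_data") or {}
    out = {f: unpack_field(data[f], limit) for f in PACKED_FIELDS if f in data}
    # A PDF starts with the %PDF- magic bytes; refuse anything else.
    if "report_pdf" in out and not out["report_pdf"].startswith(b"%PDF-"):
        raise ValueError("report_pdf is not a PDF")
    return out

def pack_field(data):
    """Helper for the constructed sample only: base64(gzip(data))."""
    return base64.b64encode(gzip.compress(data)).decode("ascii")

# Constructed sample response in the shape shown above (not real report data).
SAMPLE = json.dumps({
    "status": "ok", "status_msg": "",
    "return_data": {
        "id": "627",
        "report_pdf": pack_field(b"%PDF-1.4\n% constructed sample\n"),
        "report_yara": pack_field(b"rule constructed_sample { condition: false }\n"),
    },
})

if __name__ == "__main__":
    for name, blob in extract_payloads(SAMPLE).items():
        print(name, len(blob), "bytes")
```

To use it with a real response, save the cURL output to a file and pass the file contents to extract_payloads.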