[Topic Help]
Kaspersky Threat Intelligence Portal Help
|
|
WHAT'S NEW
Find out what's new in the latest release and which features have already been introduced or are expected.
|
|
GETTING STARTED
Check which operating systems and browser versions are supported.
Set
up one-time password protection or obtain and import a
certificate.
Use an overview of current cyber threats and information about your organization on
the Home page to start threat investigation as soon as you sign in.
|
|
|
THREAT LOOKUP
Run search requests for indicators (hash, IP address, domain, web address) and actor
profiles.
You can also run search requests by using the Kaspersky Threat Intelligence Portal
API.
|
|
RESEARCH GRAPH
Explore a research graph visualizing the relationships of objects involved
in an incident investigation.
|
|
|
REPORTING
Search and view APT Intelligence, Crimeware Threat Intelligence and Industrial reports,
and actor profiles.
|
|
THREAT ANALYSIS
Upload/download
and execute files and emulate the opening of web addresses in a safe Kaspersky Sandbox environment.
You can also analyze objects by using the Kaspersky Threat Intelligence Portal API.
|
|
|
DIGITAL FOOTPRINT
View notifications about threats and reports from Kaspersky,
manage
assets for your organization.
OpenAPI specification for Digital Footprint Intelligence is also available.
Learn more about our new Tenant management service.
|
|
WHOIS TRACKING
Search for WHOIS information about domains and IP addresses.
|
|
|
APT C&C TRACKING
View and export a list of dangerous IP addresses of infrastructure connected to
advanced threats.
|
|
DATA FEEDS
Search and download Threat Data Feeds and view related materials. Download incident
response guides and tools, supplementary tools, and SIEM connectors.
Implementation guide that describes Kaspersky Threat Intelligence Data Feeds and their
usage is also available.
You can also obtain Threat Data Feeds by using the Kaspersky Threat Intelligence Portal API.
|
|
|
API REFERENCE
Use API methods to work with Kaspersky Threat Intelligence Portal services.
OpenAPI specification for Threat Lookup, Threat
Analysis, and Threat Data Feeds is also available.
|
|
ACCOUNT & NOTIFICATIONS
Change your account password and configure email
notifications.
Manage your employee accounts (for administrators).
|
Page top
[Topic KTIP]
About Kaspersky Threat Intelligence Portal
Kaspersky Threat Intelligence Portal (hereinafter also referred to as Kaspersky TIP) provides
reliable, immediate intelligence about cyber-threats, legitimate objects, their interconnections and indicators,
enriched with actionable context to inform your business or clients about the associated risks and implications.
Now you can mitigate and respond to threats more effectively, defending your system against attacks even before
they are launched.
Kaspersky Threat Intelligence Portal delivers all the knowledge acquired by Kaspersky about
cyber-threats and their relationships, brought together into a single, powerful web service. The goal is to
provide your security teams with as much data as possible in order to prevent cyber-attacks that can impact your
organization. The platform retrieves the latest detailed threat intelligence about web addresses, domains, IP
addresses, file hashes, statistical / behavioral data, WHOIS / DNS data, and so on. The result is global
visibility of new and emerging threats, helping you secure your organization and boosting incident response.
Threat intelligence is aggregated from fused, heterogeneous, and highly reliable sources. Then,
in real time, all the aggregated data is carefully inspected and refined using multiple preprocessing techniques,
such as statistical criteria, Kaspersky expert systems, validation by analysts, and allow-listing verification.
How it works
Indicators of compromise can be looked up through a web-based interface or Kaspersky Threat
Intelligence Portal API. Kaspersky Threat Intelligence Portal enables you to request threat intelligence about the
following objects:
- MD5, SHA1, and SHA256 hashes
- IP addresses
- Domains
- Web addresses
- APT Intelligence Reports
- Crimeware Threat Intelligence Reports
- Industrial Threat Intelligence Reports
- Actor Profiles
- Threat Infrastructure Tracking (within the last/actual daily feed)
- Digital Footprint Intelligence reports and notifications
- Dark web sources
- Surface web sources
- OSINT IoCs sources
Kaspersky Threat Intelligence Portal displays whether an object is in Good, Bad, or Not categorized zones, while providing a rich set of contextual data to answer
the who, what, where, and when questions that help you respond to or investigate threats more effectively.
Key features
The following are the key features of Kaspersky Threat Intelligence Portal:
- APT Intelligence reports and Crimeware (previously Financial) Threat Intelligence reports
Increase your awareness and knowledge of high profile cyber-espionage campaigns with
wide-ranging and practical advanced persistent threat (APT) reporting from Kaspersky. Download reports in any
available format.
- Data feeds
Security Threat Intelligence Services from Kaspersky
give you access to the intelligence you need to mitigate cyber threats, provided by our world-class team of
researchers and analysts.
- Trusted threat intelligence
The key benefit of threat intelligence
is the reliability of data enriched with actionable context.
- Comprehensive and real-time coverage
Threat intelligence is
automatically generated in real time, based on findings across the globe, providing high coverage and
accuracy.
- Rich data
Threat intelligence delivered by Kaspersky Threat
Intelligence Portal includes a vast amount of different data types such as hashes, web addresses, IP
addresses, WHOIS, GeoIP, pDNS, file attributes, statistical and behavioral data, download chains, time stamps,
and much more. Empowered with this data, you have access to a diverse landscape of security threats.
- Continuous availability
Threat intelligence delivered by Kaspersky
Threat Intelligence Portal is generated and monitored by a highly fault-tolerant infrastructure, ensuring
continuous availability and consistent performance.
- Continuous review by security experts
Hundreds of experts,
including security analysts from across the globe, world-famous security experts from Global Research &
Analysis Team (GReAT), and leading-edge R&D teams, contribute to generating valuable and real-life threat
intelligence.
- Easy-to-use web portal or API
Use the service in manual mode
through a web portal or get access by means of a simple Kaspersky Threat Intelligence Portal API.
- SaaS solution
With software as a service (SaaS), there is no need
to integrate additional systems or services into your company’s infrastructure. Start using the service
immediately.
Key benefits
By using Kaspersky Threat Intelligence Portal you can do the following:
- Improve and accelerate your incident response and forensic capabilities by providing
security / SOC teams with meaningful information about threats and global insights into what lies behind
targeted attacks. Diagnose and analyze security incidents on hosts and the network more efficiently and
effectively. Prioritize signals from internal systems against various threats to minimize incident response time
and disrupt the kill chain before critical systems and data are compromised.
- Conduct deep searches into threat indicators such as IP addresses, malicious web
addresses, or file hashes with human-validated threat context. This helps prioritize attacks, improves IT staff
and resource allocation decisions, and supports you in focusing on mitigating threats that pose the greatest
risk to your business.
- Use threat intelligence to detect malicious content hosted in your networks and data
centers.
- Help to mitigate targeted attacks. Enhance your security infrastructure with tactical and
strategic threat intelligence by adapting defensive strategies to counter specific threats your organization
faces.
Page top
[Topic SupportedModes]
Supported modes
You can work with Kaspersky Threat Intelligence Portal in one of the following ways:
Kaspersky Threat Intelligence Portal web interface
You can work with Kaspersky Threat Intelligence Portal online by using any of the supported browsers.
After signing in, you can run requests, search for WHOIS information on domains and IP addresses, and execute objects in the Kaspersky
Sandbox. A history of your previous requests is also available. All investigation results can be exported in
CSV, OpenIOC, or Structured Threat
Information eXpression (STIX™) format. You can search for and download APT Intelligence reports and Crimeware Threat
Intelligence reports in the PDF, OpenIOC, or YARA Rules format. The Industrial Threat Intelligence
Reporting and Digital Footprint Intelligence functionality is also available. Furthermore, you can also
view and purchase licenses.
Kaspersky Threat Intelligence Portal Plugin
Kaspersky Threat Intelligence Portal Plugin is designed for Enterprise users subscribed to a
commercial version of Kaspersky Threat Intelligence Portal and enables users to lookup web addresses, IPs, hashes
(MD5, SHA1, and SHA256), and domains straight from the viewed web pages using the Kaspersky Threat Intelligence
Portal lookup functionality. The plugin also lets subscribers gain rich threat context around IoCs, enabling them
to make faster prioritization decisions. The goal of the plugin is to immediately provide your security teams with
as much data about IoCs as possible from any web page, allowing you to speed up your threat investigation
activities. IoCs are highlighted automatically.
You can add Kaspersky Threat Intelligence Portal Plugin to your Chrome browser via the Chrome Web Store.
Kaspersky Threat Intelligence Portal API
You can create lookup and report requests to Kaspersky Threat Intelligence Portal, as well as
execute objects in the Kaspersky Sandbox by using the Kaspersky Threat Intelligence Portal API. Investigation
results are provided in JSON format. The APT C&C Tracking, Industrial Threat
Intelligence Reporting, and Digital Footprint Intelligence API methods are also available.
Page top
[Topic Requirements]
Hardware and software requirements
Kaspersky Threat Intelligence Portal has the following hardware and software requirements:
Minimum general requirements:
- 2 GB of free disk space on the hard drive
- Internet connection for working with Kaspersky Threat Intelligence Portal online
- Open 443 (HTTPS) and 80 (HTTP) ports
- Monitor that supports display resolution of 1366x768
Minimum hardware requirements:
- Intel® Pentium® 1 GHz (or a compatible equivalent) for a 32-bit operating system
- Intel Pentium 2 GHz (or a compatible equivalent) for a 64-bit operating system
- 1 GB of free RAM
Supported browsers (the latest versions):
- Mozilla™ Firefox™
- Google™ Chrome
- Microsoft® Edge
- Safari
Software requirements for working with the Kaspersky Threat Intelligence Portal API:
Page top
[Topic GeneralAvailability]
General portal availability
We currently maintain at least 99.5% uptime for our general portal availability.
Portal unavailability is defined as the failure to verify and
authorize legitimate user access to the portal, resulting in an inability to access core functionalities.
Unavailability is only reported when such issues occur regardless of external factors beyond our control (such as
network-related issues) or user error scenarios.
Please be aware that general portal availability does not automatically extend to the individual
services within the portal. Each service is evaluated on its own terms, allowing us to customize performance
standards to suit distinct operational requirements.
Page top
[Topic WhatsNew]
What's new
Kaspersky Threat Intelligence Portal offers the following features and enhancements.
Release 07.2024
The Web Categories Feed is now available via API. This feed
is intended for web content filtering services. This feed contains regularly updated records consisting of domains
and/or domains with their categories.
General improvements:
- Minor enhancements.
- Minor bugfix.
- Documentation enhancement.
Release 04.2024
Support Multitenancy capabilities for Digital Footprint
Intelligence to meet the requirements of MSSP and multi-branch Enterprises, with additional support of Threat
Lookup and Reporting Services.
Multitenancy administrative capabilities:
- Tenant group management with seamless group switching
- Access control, including API tokens and TOTP (QR Codes)
- Capability to change tenant licenses
- Reports downloaded by tenant managers within a tenant group will now have a tenant
watermark
The new Tenant Center dashboard for the Digital Footprint
Intelligence service now displays key data for each tenant, including threat notifications and number of assets in
different statuses. Users can filter this information by various time periods and sort tenants based on total
notifications or assets. Additionally, tenant managers can seamlessly access detailed information on each tenant
through the Digital Footprint Dashboard.
Dashboards for Digital Footprint Intelligence
A Dashboard section is now available in Digital Footprint
Intelligence, providing quick identification and analysis of relevant threats within an organization. The
Dashboard is now the primary interface, replacing all previous statistical widgets. This update aims to enhance
user experience through more intuitive data presentation, detailed insights and improved navigation.
Digital Footprint Intelligence enhancement
- Improved Asset Management: Users can now upload multiple asset files simultaneously and
track their processing status
- A comprehensive list of all uploaded files with their current statuses ensures efficient
asset management
- Support token access for Digital Footprint API
- Enhanced User Notification and other UI/UX improvements
Korean UI localization
We are excited to announce the addition of Korean language UI support to enhance user experience
for our Korean-speaking users.
Improved Reports Visibility
Users now have the ability to view the names of all APT, Crimeware and ICS reports, regardless
of whether they hold a license for report services. This marks a significant change from previous versions, where
report names were entirely inaccessible without a corresponding license. Additionally, we have modified the way
reports are displayed and sorted to enhance the user experience.
UserGate Support
The API for NGFW feeds has been upgraded to support UserGate. This upgrade introduces a new "format" query parameter,
expanding the capabilities and customization options for NGFW feeds.
Data Feeds page
- Our new Sigma Rules Data Feed provides detection logic
definitions in the SIGMA rule format. This standardized approach allows users to comprehend the logic of the
MITRE ATT&CK framework techniques detection and create correlation rules to be adapted and used with SIEM or
XDR.
- The ICS Vulnerability Data Feed in OVAL format offers
XML-based OVAL (Open Vulnerability and Assessment Language) definitions for the automated detection of known
vulnerabilities across widely-used SCADA systems and various industrial software.
Enhanced Search Functionality
We have upgraded our search engine to deliver more relevant results for queries that include
email addresses, web addresses, domain names, and IP addresses, ensuring a more efficient and accurate search
experience.
Home page
- Our new Digital Footprint Global Threats widget replaces the Threat Alerts widget,
providing real-time updates of global threats, along with a comparative analysis of risk levels. It also
features intuitive graphical representations for visual trend analysis and the distribution of threat categories
over recent months.
- The Video Insights widget brings together videos about
our services, helping users to become familiar with the portal’s functionality.
General improvements:
- Minor enhancements.
- Minor bugfix.
- Documentation enhancement.
RELEASE 12.2023
Threat Lookup has been enhanced to showcase indicator
availability across our Data Feeds, thus helping to identify and prioritize the most dangerous, prevalent and
emerging threats.
Threat Lookup API now allows users to search the Dark and
Surface webs.
URL Sandbox. Phishing content analysis for web addresses has
been significantly enhanced, improving accuracy when identifying phishing threats.
File Sandbox. Now allows automatic type detection for file
names featuring multiple dots, thus optimizing the analysis process by improving accuracy and efficiency.
Reporting. User interface (UI) has been enhanced by
consolidating various report types into a single section, streamlining the user experience for easier access and
navigation (including Home page).
Data Feeds API. Introducing a new set of prevention-oriented
feeds that can be seamlessly integrated with network security appliances and accessed through an API.
Data Feeds tab updated to provide up-to-date information about
our Data Feeds (introducing new Feeds).
General improvements:
- Minor enhancements.
- Minor bugfix.
- Documentation enhancement.
RELEASE 10.2023
Similarity technology. New Similarity technology is available
both for Threat Lookup and Threat Analysis. Users can now submit a file (in Threat Analysis) or its hash (in
Threat Lookup) and receive a list of hashes for similar malicious files known to Kaspersky. Furthermore, users can
also get additional useful context to identify samples with similar functionality and understand their
characteristics and properties to better detect evolving cyberthreats. Making an intelligent decision based on
comprehensive file analysis is the optimal approach to understanding current sophisticated, targeted, and tailored
threats. Individual anti-virus or behavior analysis tools working in silos may yield only limited information
about recently modified malware. However, the combination of threat intelligence, dynamic analysis, threat
attribution and similarity technologies provide users with a powerful tool for the detection of malicious objects
that were not previously seen. To help security researchers stay informed about existing and emerging threats, the
technology has a customizable interface that allows users to filter search parameters to quickly prioritize and
address critical threats and thus remediate them more effectively.
The Threat Analysis User interface (UI), including History section, has been enhanced to support file analysis scenarios covering the
Similarity technology and results display speed.
Data Feeds tab updated. Data
Feeds tab now highlights proper use cases for available Data Feeds. It allows users to make a conscious
decision when selecting Data Feeds for their purposes.
Analysis of password-protected archives now supported.
Kaspersky Threat Attribution Engine technology has been updated to improve Threat Analysis by supporting the
option to analyze password-protected archives. After uploading, such archives are then extracted and all objects
are fully processed, like any other files that are not password protected.
New API specifications for Threat Lookup and Threat Analysis.
The new specifications adhere to industry OpenAPI standards and provide clear and standardized endpoints,
parameters, and responses for seamless integration. This allows developers to access comprehensive insights, thus
streamlining API consumption and integration.
API specification files are easy to navigate and are available from Kaspersky Threat
Intelligence Portal Help.
General improvements:
- Minor enhancements (such as Kaspersky Sandbox improvements).
- Minor bugfix.
- Documentation enhancement.
RELEASE 05.2023
New timeline of IoCs changes. Kaspersky Threat Intelligence
Portal now displays how and when zone and category changes were made for an IP address, web addresses or domain
over the last two months or two years. This significantly accelerates incident investigations and threat hunting
when identified IoCs are clean or not categorized at the moment of investigation.
Asset Management of Digital Footprint Intelligence
improvements. Service now supports new asset types:
- Keywords
- IIN/BIN
- Legitimate social account links
- Legitimate mobile app links
- Brand
- Product/Device Names
This extension of attack surface monitoring capabilities increases cyber underground visibility
and transparency, allowing you to identify a new class of previously hidden threats.
The user can also remove unnecessary assets to stop monitoring them.
New "Like" button for Threat Intelligence reports.
Users can now "Like" reports to provide anonymized feedback, helping experts to focus on developing
reports with the most popular formats or themes.
Data Feeds tab content updated. Users can now access
up-to-date information about our Data Feeds (introducing new Data Feeds) and tools designed for their seamless
integration with your security controls.
General improvements:
- Minor enhancements.
- Minor bugfix.
- Documentation enhancement.
RELEASE 02.2023
Improved UI/UX Research Graph. New nodes such as Actor and
Report names are now also supported. The user can now place a Report name or an Actor to the Graph to see their
relations with IoCs and vice versa. This accelerates incident investigations and threat hunting activities by
highlighting IoCs from high-profile attacks described in our APT, Crimeware or Industrial reports, as well as
Actor profiles.
Introduction of dark mode or theme. Users can now switch
between the current bright mode and a dark alternative, either to improve visibility in dim light or for
purely aesthetic reasons.
Improved Threat Lookup. More details are now available about
attachments in spam messages. The information is provided for a hash in the new File
was attached to email section and includes the following:
- Total hits
- Subjects of spam messages (Top 10)
- Names of attachments in spam messages (Top 10)
Categories for spam messages are also provided, such as phishing or spoofing.
Saved searches with filters are now supported. Users can now
specify different filters and criteria for automated scheduled searches to monitor and receive alerts about new
information for a particular IoC, keyword, phrase or intelligence report. This significantly improves proactive
uncovering of the following previously unknown or inactive threats:
- Threat Lookup—to monitor and provide alerts about changes within specific sections
of any indicator
- Dark and Surface Web—to monitor and provide alerts about new information for
specific keywords or phrases
- OSINT—to monitor and provide alerts about the availability of new information for a
specific indicator
- Threat Intelligence Reports—to notify the user about new available reports matched
to specific tags/filters (geo, industry, actor)
Users can manage (edit, delete) the list of created saved searches by specifying their names,
periods to check new data, and notifications about new data (via UI or email). Notifications about new findings
are also displayed on the Home page for a quick check. When opening the notification, users obtain new data
compared to the previous state.
Monthly subscriptions are now supported. This change was made
to meet MSSP license requirements.
The customer registration process to get user credentials for
the Portal has also been simplified.
RELEASE 07.2022
Threat Lookup now supports new categories for IP addresses:
- Denial of service attacks—IP addresses related to DDoS attacks.
- Intrusion attacks—IP addresses from which attempts to exploit external perimeter
vulnerabilities were detected.
- Password brute-force attempts—IP addresses from which password brute-force attempts
were detected.
- Network port scanning—IP addresses that scan networks to obtain sensitive system
information (system name, IP address, and installed software) so that adversaries can later potentially make a
more effective cyber-attack. This category extends the Threat Lookup coverage to IP addresses that usually
cannot be used in a form of deny-lists, but can provide useful context for completed attacks or potential
attacks in preparatory stages.
Threat Lookup now provides more classifications for APT- and
Crimeware-related objects (IP addresses, domains, web addresses, and hashes):
- IoCs from APT reports are now tagged as "APT".
- IoCs from Crimeware reports are now tagged as "Crimeware".
- IoCs from APT C&C Tracking are now tagged as "APT C&C Tracking".
Full context about for found objects is available via a link to the corresponding report
or service, which is next to the tag.
We updated Surface web and Dark Web search syntax in Threat
Lookup. See the Help for more information on syntax and working with search operators.
Improved Kaspersky Sandbox. Now you can download files
generated while the analyzed file is executed:
- Dropped files.
- Transferred files (files generated by the file and downloaded or uploaded in its network
traffic).
- Process dumps.
- API.log, which includes all registered API calls.
General improvements:
- Minor bugfix.
- Documentation enhancement.
RELEASE 06.2022
Improved Digital Footprint Intelligence. Now context for the
phishing, typosquatting, and combo-squatting real-time notifications is extended. Our phishing tracking service
actively tracks and alerts you in real time to the appearance of phishing websites targeting your brand, company
name, online services or trademarks, and provides you with relevant, accurate and detailed context about phishing
or fraudulent activity directly relevant to your business, including injected malware and phishing URLs that steal
credentials, sensitive information, financial information, and personal data from your users.
Every notification provides deep coverage, high accuracy, and reliable information about
phishing attacks, enabling you to react fast to dynamically generated phishing domains and URLs as well as to
phishing outbreaks. Provided intelligence enables you act swiftly and with precision to mitigate the impact of
phishing activity on your organization and your users, taking a proactive stance against fraud. Takedown service
is also available.
Phishing notifications now include the following context:
- Screenshot of the phishing URL.
- HTML-code of the phishing URL.
- Phishing URL.
- Brand name the phishing URL is targeted at.
- First seen timestamp.
- Last seen timestamp.
- Phishing URL popularity.
- Geolocation of users affected by the phishing URL.
- Type of stolen data (credit cards information, credentials for bank, email or social
network, personal data, and etc.).
- Phishkit (if available).
- Resolved IP addresses of the phishing URL.
- WHOIS data.
- And much more.
RELEASE 04.2022
Improved Cloud Threat Attribution Engine. Now clicking on an
Actor (on the analysis report page) initiates a search request to show available
related threat intelligence reports and actors.
Improved user experience for the search functionality. When
using the search functionality, the user stays on the tab where the search was initiated (previously the user was
always redirected to the Lookup tab).
Improved Kaspersky Sandbox:
- Android Sandbox is now supported. You can analyze
Android Application Packages (APKs) in a fully automated and controlled Android environment and monitor the
behavior of APK files for suspicious activities. All activities are compiled into comprehensive and detailed
analysis reports. The Android Sandbox API is also supported. For Windows execution environments, new
section values are added to differentiate results for specific Android and
Windows sections with the same section names. Certain values are still available for the backward compatibility
with previous API versions.
- Mapping to MITRE ATT&CK is now supported. Sandbox
execution results can now be viewed in a new format. You no longer need to search for identified tactics and
methods on the MITRE ATT&CK website. All identified suspicious activities recorded during emulation are
presented as a MITRE ATT&CK matrix on a Kaspersky Sandbox report page. Windows and Android environments are
supported.
- Command line parameters for launched processes are now
displayed on the execution map. This allows users to perform better behavior analysis on the execution map. Each
activity node now displays a specific event with key fields. Each suspicious activity also displays key data and
TTPs. Clicking on the node displays full event information. This data now makes it possible to clearly track the
actions of a specific sample, what it did, which commands it used, which registry keys it changed, etc.
- Network activities across all protocols, including IP,
TCP, UDP, DNS, HTTP(S), SSL, SOCKS, IRC, POP3, and FTP, are now supported.
- You can now specify a command to launch a file with
parameters, and/or specify whether various applications are available to be launched. Sandbox allows
you to pass command line parameters, which are used to run the object. You can also pass the execution command
and use environment variables.
- Kaspersky Sandbox now supports an expanded list of archive
formats. A complete list of supported formats can be found in the Help.
RELEASE 12.2021
Introduction of Dark web search. This is a source of
invaluable threat and brand intelligence that offers insights from a comprehensive range of deep and dark web
sources for threats to your organization, whether a planned attack, discussions around vulnerabilities, or a
successful data breach. This tailored information provides visibility over risks to your organization, enabling
security teams to reduce the attack surface, secure online brand value, and take actions on threats before, or
even after, they become incidents (to minimize impact).
With the service you can:
- Ensure visibility across the broadest possible range of deep and dark web validated
sources worldwide.
- Uncover exposed credentials, bank card details, data leaks and exploited vulnerabilities.
Benefits include Dark web monitoring, Digital Footprint tailored reports, real-time notification
about threats to your assets, and takedown services. The service also provides actionable and trusted threat and
brand intelligence, with human contextualized analysis, to ensure security teams move as swiftly as possible to
prevent, detect, respond to and mitigate external threats that pose the greatest danger to your assets, brand
organization, region or industry.
Introduction of Surface web search. Surface web offers
security practitioners a vast and potentially hugely valuable source of intelligence about threats. By introducing
this service, we inform you about how global security events can potentially impact or are already threatening
your assets, brand or organization. The service condenses and validates a comprehensive range of security-related
surface/open web sources (such as security news portals, blogs or forums) to provide access to information that
helps you identify critical events, access risks, anticipate disruptions to reduce security risks, keep employees
safe and boost security resilience.
Benefits include Surface web monitoring, Dark web monitoring, Digital Footprint tailored
reports, real-time notification about threats to your assets, and takedown services. You also receive actionable
and trusted threat and brand intelligence, with human contextualized analysis, to ensure security teams move as
swiftly as possible to prevent, detect, respond and mitigate external threats that pose the greatest danger to
your assets, brand organization, region or industry.
Threat Lookup is extended by Indicator of Compromises relating to a
wide range of high-confident OSINT sources. The results are displayed via the OSINT IoCs tab. This allows for the presenting of OSINT sources where looked-up IoCs
are mentioned, even if Kaspersky Threat Lookup does not provide any context. Hash IoC type is also supported now,
while URL, Domain and IP address IoC types will be available during 2022.
Introduction of Research Graph. The Graph (also known as Link
Analysis) is designed to explore data stored in TI Portal (Threat Lookup) visually, discover threat commonalities
and generate new related IoCs. It allows you to graphically visualize the relationship between URLs, domains, IPs,
files, and other context encountered during investigations, pivot to find additional relationships and view
in-depth information without the investigation losing context (no need to manually cross reference dozens of
indicators provided in tables). The graph includes the following features: transformations, mini graph, grouping
nodes, manual addition of links, addition of indicators and node searching.
Digital Footprint Intelligence service now allows the management of
an organization’s assets to be monitored. The user can specify or import a list of assets grouped
by their type (such as IP addresses or ranges, domains, brand names, employee names, emails, and so on) to be
automatically monitored by the service. Kaspersky experts can also contribute to the list of assets, for example,
by discovering your servers or services which are publicly exposed on the internet, intentionally or
unintentionally (shadow IT). An ignore list is also supported, allowing users to specify assets that should be
disregarded for monitoring. In the case that a specified asset is discovered across the surface, deep, or dark
web, the user receives a real-time notification with useful context, such as priority, timestamps and source.
Digital Footprint tailored reports also include analysis of all assets specified by the user.
Cloud Threat
Attribution Engine (TAE) is now provided as Software-as-a-Service (SaaS),
which runs completely on cloud TI Portal infrastructure (previously, only the on-premise deployment option was
available). TAE is an unrivaled malware analysis tool that provides insights into the origin of high-profile
malware and possible perpetrators and is now also integrated with Cloud Sandbox within the TI portal under the
Threat Analysis tab. The tab allows you to access the results of Dynamic,
Static, Anti-Virus and Attribution analysis for objects considered as suspicious enriched with Threat Intelligence
within one single place, thus providing a powerful tool for the detection of previously unseen malicious objects.
It saves the time of security analysts by preventing the need for files considered as suspicious to be run under
the platforms of different vendors — a requirement that yields disparate results that are difficult to
consolidate. Without accurate consolidation, it is hard to make correct decisions. As a result, the Threat Analysis tab helps SOC teams, security researchers, and malware analysts stay
informed about existing and emerging malware-related threats, thus allowing them to quickly prioritize and address
critical threats and remediate them more effectively.
The Threat Lookup service has been significantly improved by
extending coverage to support searches within the following services:
- APT Reports
- Crimeware Reports
- ICS Reports (now Industrial Reports)
- Actor Profiles
- APT CnC tracking (within last/actual daily feed)
- Digital Footprint Intelligence reports and notifications
- Dark web sources
- Surface web sources
- OSINT IoCs sources
- Addition of new context for IP addresses, web addresses and domains: similar domains,
related Spam and Phishing attacks
The service unifies all of our best-in-market Treat Intelligence services and sources, and cyber
reconnaissance capabilities within one single window. This allows you to leverage the synergy of these resources
to extend overall threat visibility and coverage, without the need to switch between services delivering different
results.
Improvement of Digital Footprint Intelligence by supporting
real-time notifications of typosquatting attacks. This allows organizations to be notified not only about phishing
websites, but also typosquatting. The current list of real-time notification types is the following:
- Vulnerabilities — information on new services discovered on the external perimeter
of the Customer.
- Malware samples and web addresses — information about malicious activity against
Customer assets.
- Email addresses — new discovered email addresses related to Customer.
- Dark web entries — new posts on Dark web related to Customer assets.
- Pastebin entries — new posts on Pastebin resources related to Customer assets.
- Compromised accounts.
- New subdomains — newly discovered subdomains related to Customer.
- Configuration flaws — information on new services discovered on the external
perimeter of the Customer.
- APT victim — Customer IP addresses associated with APT threats.
- Passive DNS records — malicious IP addresses resolved from Customer domains.
- Payment cards.
- Phishing and typosquatting tailored to Customer brands and web-resources.
The web interface has been significantly enhanced (new color
scheme, layout) to ensure a smooth user experience as new features are introduced. In addition, Kaspersky’s
new corporate user interface style is also supported.
General improvements:
- Minor bugfix.
- Documentation enhancement.
RELEASE 10.2021
- Suricata rules
Suricata rules have been introduced to accompany our APT, Crimeware and ICS (now
Industrial) Threat Intelligence reports. Threat Intelligence reports are provided with complementary files
that include related Indicators of Compromise (IOCs) and YARA rules. Additionally, Suricata rules are now
supported as well (see Download section for particular Threat Intelligence
report).
Cyberattacks have become so sophisticated that they can thwart even the best security
systems, especially those that still assume networks can be secured via firewall encryption. Kaspersky
security experts provide Suricata rules to detect network threats related to those in Threat Intelligence
reports. The rules can be used by Threat Intelligence report customers for network security appliances such as
network intrusion detection and prevention systems (IDS/IPS), next generation firewalls (NGFW), and other
network security or PCAP processing tools.
- One-time passwords
Services available through the Kaspersky Threat Intelligence Portal web interface can
now also be accessed using time-based one-time passwords (TOTP), as an alternative two-factor verification
method (instead of providing a Certificate). Previously, users had to have both a Login/Password and
Certificates (pfx) to access the Portal web interface. However, TOTP token service offers users the
flexibility to choose from a range of authentication applications like Google Authenticator or Microsoft
Authenticator.
- Minor bugfix.
- Documentation enhancement.
RELEASE 08.2021
- Public Roadmap
The public roadmap for Kaspersky Threat Intelligence services and features is now
available for Kaspersky Threat Intelligence Portal users. It provides users with information about recent
developments and what features and functionality can be expected over the coming quarters. With more
transparency on the future "roadmap", users can better adjust their work activities and existing
plans. The public roadmap page also offers the opportunity to submit new feedback or feature requests to
influence future plans.
- Kaspersky Crimeware Intelligence Reporting
Given the continuously evolving cyber threat landscape, businesses need to be more
proactive regarding ever more sophisticated and blended security attacks. In response, we decided to extend
the scope of our Financial Threat Intelligence Reporting service to provide all clients with a unified source
of information on cybercrime (not only specific to financial industries). Given the breadth of information
provided, we changed the name of the existing service to Kaspersky Crimeware Intelligence Reporting.
The service will cover the following types of reports:
- Crimeware Actor Profiles
Crimeware Intelligence Reporting users can now gain full access to crimeware actor
profiles. Similar to APT actor profiles, the new technical descriptions section for crimeware actors allows
security professionals to track actors and their networks, understand their own visibility and gaps, as well
as overlap TTPs against the MITRE ATT&CK matrix. Consequently, this helps companies understand what to
focus on to improve their defenses proactively.
Accurate information about a malevolent actor and their preferred tools and tactics are
essential, as it provides an understanding of the potential goal of an attack and what techniques may be used.
For each actor, we provide a general overview, different aliases used, victimology and previous targets,
descriptions of past operations, toolsets, and external references. We also provide all available reports on
the actor, as well as specific IOCs and YARA rules to detect and track their activity.
- Minor bugfix.
- Documentation enhancement.
RELEASE 06.2021
- Access to Threat Lookup through an API is now also available using only an API Token
(without providing Certificate). Previously, users had to have both a Login/Password and Certificates (pfx) to
gain access this way. The use of API Tokens instead of Certificates allows you to integrate Threat Lookup with
third-party solutions that do not accept Certificates for authentication. Now you can use both ways (Login/Password+Certificate or only API
Token) to gain access to Threat Lookup API.
- Maltego Transforms for Threat Lookup are also now available. Kaspersky Transforms are
available in Maltego Transform Hub for all Maltego users, providing them with transforms that give access to
data provided by Kaspersky Threat Lookup. Kaspersky Transforms for Maltego provides access to enriched and
actionable context about web addresses, hashes, and IP addresses known to Kaspersky. Maltego is a visual link
analysis and data mining tool that offers a library of plugins called "transforms". These are used to
execute queries on open or commercial sources in order to search for information about a certain target
(indicators) and present them via a clear and comprehensive graphical display. The Maltego Graphical User
Interface allows users to perform research and analyze all generated results. The goal of our solution is to
provide the customer with Kaspersky Transforms for Maltego to help visualize the relationship between threat
indicators (including web addresses, domains, file hashes, and IP addresses) and deliver actionable results. Our
transforms can be used in Maltego Classic, Community Edition (CE), XL, and Kali. Demo mode is also supported,
restricting use to indicator categories only and limiting the number of transforms to 200 per day.
- Lookup requests for hashes, web addresses, domains, and IP addresses via API now return a
new field (
HasRedZone) that indicates whether the requested object has
potentially dangerous relations. This provides valuable context for prioritization purposes, even if the
requested object is not categorized.
- New file relations have also been added: Archive(s)
<-> File(s) and MS/Adobe documents -> Macros. For example,
this feature indicates whether a file distributed inside archives or a document contains different macros.
- Minor enhancements (text markup for Digital Footprint Intelligence notifications, adjusted
file types for requested hashes).
- Minor bugfix.
- Documentation enhancement.
HOTFIX 08.2020
- RESTful API for TTPs and actor profiles is now available. It can be used to automate the
retrieval of information about APT actors and the TTPs used behind their campaigns. Please check below (RELEASE
04.2019) for a description of TTPs and actor profiles for more information about what data this feature
provides.
- RESTful API for executive summaries is also available.
It can be used to automate the retrieval of executive summaries for an easy-to-understand overview of
corresponding APT Intelligence or Financial Threat Intelligence (now Crimeware Threat Intelligence) reports.
RELEASE 04.2020
- Digital Footprint Intelligence is introduced. Digital Footprint monitors a widely
distributed digital presence and sends notifications about threats and attacks that are found. It helps security
analysts explore the adversary's view of their company resources, exposed digital assets, provides timely
discovery of potential attack vectors that they may use, and adjust defenses accordingly. Our experts piece
together a comprehensive picture of the current attack status, identifying weak spots ripe for exploitation, and
revealing evidence of past, present, and planned attacks. Human-readable reports, as well as near-real-time
notifications are available. Users can specify which digital assets to monitor, as well as compose an Ignore
list to exclude some assets, if needed.
- APT C&C Tracking service is introduced. The service delivers IP addresses of
infrastructure connected to advanced threats. This helps security analysts (primarily National Security
Agencies) monitoring the deployment of new malicious infrastructures, so that they can take the required
measures to mitigate ongoing and upcoming attacks. The service is updated daily with recent findings, and
actionable context is provided for each IP, such as a name of an APT group, operation, malware it is associated
with, internet service provider, and much more. Exports in machine-readable formats and API are also available.
- ICS Threat Intelligence Reporting (now Industrial Threat Intelligence Reporting) is
introduced. ICS Threat Intelligence Reporting provides customers with heightened intelligence and awareness of
malicious campaigns targeting industrial organizations, as well as information on vulnerabilities found in the
most popular industrial control systems and underlying technologies. Human readable reports for ICS-dedicated
security problems, as well as related YARA rules, are provided. Reports contain exclusive deep technical diving
into attacks targeting industrial companies, IoT, IIoT, and automotive as well as vulnerability research
results, description of the researched product, research methodology, steps, identified vulnerabilities, and
conclusions.
- The web interface is updated to ensure a smooth user experience as new features are
introduced. Kaspersky’s corporate user interface style is also supported.
- The geography map (hit map) and Anti-Virus statistics graph are improved, and now
available not only for hashes, but also for domains, IP addresses, and web addresses.
- Kaspersky Sandbox improvements:
- Show Anti-Virus detects even if a dynamic analysis does not expose any behavior.
- Improved Anti-Virus detection rate for files, as well as for web addresses.
- Minor bug fixing.
- Documentation enhancement.
HOTFIX 06.2019
- Kaspersky Sandbox improvements, including:
- Execution of the extracted (dropped and downloaded) files in Kaspersky Sandbox is now
available.
- Detection names for files that were extracted from HTTP(S) requests and responses are
now displayed.
- Detection rate for downloaded and executed files is improved due to automatic file
type recognition.
- Minor improvements.
- Data Feeds tab content is updated, including:
- New Data Feeds: IoT URL Data Feed, Vulnerability Data Feed, pDNS Data Feed.
- New supplementary tool: Kaspersky CyberTrace for Log Scanner.
- Updated supplementary tools: Kaspersky Feed Utility, Kaspersky Data Feed Downloader.
- New SIEM connectors: Kaspersky Connector for McAfee® TIE, Kaspersky Connector for
ELK, Kaspersky Connect for MISP.
- Updated SIEM connectors: Kaspersky CyberTrace for ArcSight, Kaspersky CyberTrace for
Splunk®, Kaspersky CyberTrace for QRadar, Kaspersky CyberTrace for RSA NetWitness, Kaspersky Connector
for McAfee ESM.
- Minor bug fixing.
- Documentation enhancement.
RELEASE 04.2019
- Sandbox for web addresses and ability to execute files
downloaded from specified web addresses
Kaspersky Sandbox now supports dynamic analysis not only for files, but for web
addresses and the files accessed by web addresses as well. Web addresses are deeply analyzed in a secure
environment to provide their web category, threat and suspicious activities, network and operating system
activities, screenshots, downloaded files and scripts, and any other security threats hidden within legitimate
content or located on the web address. A comprehensive and detailed analysis report is generated for every
detonated web address to enable security professionals to accelerate incident response (IR) activities, or
implement appropriate defense strategies and protection measures.
- TTPs and actor profiles
Kaspersky’s APT Intelligence Reporting Service is the result of Kaspersky Global
Research and Analysis Team (GReAT) investigations. GReAT is a worldwide group of Kaspersky’s top-notch
cyber-security experts who have tracked the most sophisticated APT actors and their activity for the last 10
years.
Accurate information about an actor behind a campaign is essential, as it provides an
understanding of what might be the real goal of the attack and the techniques available for an adversary. The
knowledge of an actoÒ‘s origin, capabilities, past campaigns, techniques used in their operations, and
technical details is now one click away thanks to the new actor profiles provided in our APT Intelligence
Reporting Service.
For each actor, we provide a general overview, its suspected country of origin,
different aliases used, victimology and previous targets, descriptions of past campaigns, toolset, and
external references. We also provide all of the reports related to the actor, as well as specific IoCs and
YARA rules to detect their activity.
Additionally, we map all the actor's tactics, techniques and procedures (TTPs) with
MITRE threat model, showing in the ATT&CK Enterprise and PRE-ATT&CK matrix that the actor used in
previous campaigns. As we always do in our reports, we also map TTPs with our own descriptive methodology,
dividing them in Infection Vector, Implants, and Infrastructure for a quick and high-level understanding of
the threat.
Our technical description of threat actors provides the means for security
professionals to track actors in their networks, understand their own visibility and gaps, as well as overlap
TTPs against the MITRE ATT&CK matrix to know what to focus to improve your defense proactively.
- Feedback form
We are introducing a feedback form to receive customer feedback regarding our Kaspersky
Threat Intelligence Portal, accessible by an easy-to-use tray icon. Every feedback will be considered to
improve the Portal.
- New Data Feeds
The Data Feeds tab content is updated to provide up-to-date information about our Data
Feeds (introducing new Feeds) and tools designed for Data Feeds seamless integration with your security
controls (such as, SIEMs, ELK, MISP, and so on).
- Chrome plugin
The Chrome™ Plugin enables users to lookup web addresses, IPs, hashes (MD5, SHA1,
and SHA256), and domains straight from the viewed web pages, by using the Kaspersky Threat Intelligence Portal
lookup functionality.
The goal of the plugin is to immediately provide your security teams with as much data
about IoCs as possible, from any web page (without even opening Kaspersky Threat Intelligence Portal),
allowing you to speed up your threat investigation activities. IoCs are highlighted automatically.
A pop-up window (with the opt-out option) for the plug-in is shown when visiting the
Threat Lookup tab, for users who do not have this plug-in installed yet.
- General improvements:
- Kaspersky Sandbox: Ability to select an internet channel to emulate file execution
from different countries (useful for samples that reveal their malicious activities when executed on a
device located in a specific country).
- Kaspersky Sandbox and Threat Lookup: Geolocations for IP addresses are now displayed
in every report.
- REST API is now extended by providing an ability to retrieve APT Intelligence reports
and their related context for related IoCs.
RELEASE 08.2018
- APT Data Feeds are added to the Data Feeds tab.
- All APT-related indicators are automatically marked in Kaspersky Sandbox reports.
- Decryption of HTTPS traffic for an executed file in Kaspersky Sandbox to discover
malicious activities is added.
- The Threat Lookup quota is not decreased if a requested file was executed in Kaspersky
Sandbox.
- A Not trusted status for IP addresses with a threat
score ranging from 50 to 74 is added.
- Proxy, Phishing, Botnet C&C, and Tor® Node categories for IP addresses are added.
- Botnet C&C category for malicious web addresses and domains is added.
- When requesting reports using Kaspersky Threat Intelligence Portal API, the
id parameter in the get_list endpoint is
a string value now.
- Minor improvements (tooltip for the Geography map and Anti-Virus Statistics graph,
displaying web address masks that lead to detection of malicious and phishing web addresses, and so on).
- Minor bug fixing.
- Documentation enhancement.
RELEASE 05.2018
- General Data Protection Regulation (GDPR) compliance.
- Minor enhancements for Kaspersky Threat Intelligence Portal Kaspersky Sandbox.
- Documentation enhancement.
RELEASE 04.2018
Kaspersky Sandbox is now available for our customers.
Kaspersky Sandbox is an advanced, automated malware analysis system that has been developed out of Kaspersky
sandboxing technology and previously used only in Kaspersky internal infrastructure. The technology has been
evolving for more than 20 years of continuous threat research and release of the most industry-leading security
solutions. It offers a hybrid approach combining threat intelligence gleaned from petabytes of statistical data
(thanks to Kaspersky Security Network), behavioral analysis, and rock-solid anti-evasion and human-simulating
technologies such as auto clicker, document scrolling, and stub processes.
As a result, Kaspersky Sandbox provides a high detection rate—thousands of new malicious
files are detected every day. This advantage allows customers to detect advanced persistent threats (thanks to the
Kaspersky Anti-APT team) and targeted and complex threats that bypass traditional anti-virus tools.
Kaspersky Sandbox is designed to boost incident response and forensic activities, or can be used
as a cloud system for processing files automatically. Also available are capabilities such as data visualization
graphs, export to JSON / STIX / CSV formats, and REST API for automated integration into customer workflow.
A user-friendly interface allows customers to easily understand the actions and behaviors of
executed files, such as the following:
- Loaded and run DLLs.
- Created mutual exclusions (mutexes).
- Modified and created registry keys.
- External connections with domain names and IP addresses.
- HTTP and DNS requests.
- Processes created by the executed file.
- Created, modified, and deleted files.
- Detailed threat intelligence with actionable context for every revealed indicator of
compromise (IOC).
- Snapshots (dump files and packet capture (PCAP)) of network activity.
- Intuitive reports (objects operations, suspicious activities).
- Human-readable Kaspersky Sandbox log (for advanced users).
- Statistical information.
- Screenshots.
- And much more.
RELEASE 12.2017
RELEASE 11.2017
- Financial Threat Intelligence Reporting Service (now
Crimeware Threat Intelligence Reporting Service) is added. Be the first to know and get exclusive, in-depth
actionable intelligence reporting relevant to banks and financial organizations. Financial Threat Intelligence
reports provide customers with exclusive information on the following:
- Attacks on banks' infrastructure.
- Attacks on ATMs.
- Attacks on point-of-sale (POS) devices.
- Mobile Trojan bankers.
- New cyber-criminal techniques to bypass modern security solutions.
- Hybrid attacks with monitoring of cyber-criminal activities at early stage (registered
domains, and so forth).
An executive summary, technical analysis of an attack, and indicators of compromise
(IOCs) in CSV and YARA Rules formats are available for every report. RESTful API and comprehensive full-text
search are also supported.
- Administrators are now able to manage accounts and view
user account settings and all in one place.
Two types of accounts are supported:
- Minor bug fixing.
- Documentation enhancement.
RELEASE 09.2017
- New and improved web interface.
- Home page is added.
The Home page displays a worldwide cyber-map with data visualization of global
cyber-attacks, and provides information about the top 10 threats for each country. The Home page contains a tagged events list to notify users about new articles on
the Securelist website and new
APT Intelligence reports. WHOIS Tracking notifications are also available.
- A new Incident Response Tools section is added to the
Data Feeds page.
This section includes links to the
tools developed by Kaspersky to help users to detect and remove malware during incident response activities.
An Incident Response Guide from Kaspersky in PDF is also available. This guide provides basic explanations and
recommendations for responding to information security incidents. This guide aims to do the following:
- Systematize information about an attack lifecycle and the actions involved in an
incident response (IR) process.
- Provide a recommended sequence of actions for IR.
- Describe a range of tools and utilities (including third-party) that can be used at
each phase of the IR process.
- Provide information about IR best practices.
- Customers can now use their WL-info certificate to access Kaspersky Threat Intelligence
Portal.
- A new Adware and other category for IP addresses, web
addresses, and domains is added (yellow zone).
- Kaspersky Feed Utility is now available for downloading on the Data Feeds page.
This utility is a multifunction
high-performance tool that allows downloading, converting, and filtering of Threat Data Feeds from Kaspersky
according to a specified set of rules.
- SIEM connectors for RSA NetWitness and LogRhythm are now available for downloading on the
Data Feeds page.
- Information about Kaspersky Transforms for Maltego software is now available on the Data Feeds page.
- A link to an advanced persistent threat (APT) report is provided when you look up objects
on the Threat Lookup page (if the object relates to an APT attack). This
feature is available for APT Intelligence Reporting Service customers.
- Safari® browser is now officially supported.
- Minor bug fixing.
- Documentation enhancement.
HOTFIX 06.2017
- Executive summaries (in PDF) are added to the Reporting
page.
Executive summaries provide an easy-to-understand overview of an attack and are
C-level oriented.
- Demo access to Reporting page is available for all
Kaspersky Threat Intelligence Portal users.
Demo mode provides full access (including
IOCs and executive summaries) to some selected APT Intelligence reports. All other reports (in the Demo mode)
are shown but not available (names of these reports are substituted with the following phrase—Available for commercial license only).
- In case a user does not have a valid certificate to access Kaspersky Threat Intelligence
Portal, the Welcome page will be shown (instead of a page with the 403
error).
- The Welcome page contains a short description of
Kaspersky Threat Intelligence Portal, a link to download its leaflet, and a button to contact the Kaspersky
sales team.
- Licensed Threat Data Feeds can be now downloaded from the Data
Feeds page of Kaspersky Threat Intelligence Portal.
The Licenses page can also provide license information about licensed Threat Data
Feeds. You can contact Business Development Managers (BDMs) to activate this feature.
- It is now required to accept our Terms and Conditions (T&C) when signing in to
Kaspersky Threat Intelligence Portal for the first time. To accept the T&C, some user personal data should
be provided (name, email address, position, and organization name).
- Minor bug fixing.
- Documentation enhancement.
RELEASE 04.2017
- Reporting page is added.
Be the
first to know and get exclusive, in-depth actionable intelligence reporting on advanced persistent threats
(APTs). APT Intelligence Reporting Service provides customers with exclusive, proactive access to the
descriptions of high-profile cyber-espionage campaigns, including associated indicators of compromise (IOCs)
available in CSV and YARA Rules formats. APT Intelligence reports and associated IOCs can now be automatically
requested using RESTful API. Comprehensive full-text search and search by tags is also implemented.
- A new page with Threat Data Feeds, their descriptions, related materials, supplementary
tools, and SIEM connectors is added.
- Licenses page is added.
Purchase
access to new services, renew existing licenses, get information about remaining quotas, set notifications
about expiring licenses, and much more.
- User information window is added.
Change your Kaspersky Threat Intelligence Portal password and configure email
notifications for new or updated APT Intelligence reports and WHOIS tracking rules.
- Results of RESTful API requests are now available through the web interface.
Now you can look up several objects in a single request using RESTful API, and see the
result of each lookup in the web interface as well.
RELEASE (GA) 10.2016
- Lookup by hashes (MD5, SHA1, SHA256), web addresses,
domains, and IP addresses.
- Contextual and relationship-rich data are available:
associated malicious hashes, web addresses, IP addresses, WHOIS data, GeoIP, files attributes, statistical and
behavioral data, download chains, timestamps, and much more.
- Reverse WHOIS Lookup: you can find domains and IP
addresses by setting specific search criteria within WHOIS data (domain contact, creation date, etc.).
- WHOIS Tracking: you can submit specific fields of WHOIS
data for regular and automatic search of records that meet your criteria. Email notifications about new records
in the WHOIS database that match search criteria are automatically sent to required recipients. For example, you
can be notified about new domains registered by a person with specific contact information (name, email, etc.).
- APT-related indicators are available.
- Passive DNS data is available.
- RESTful API is available: automate your work through
the use of a simple RESTful API and get the result of your queries in the form of a JSON file.
- Crisp and easy-to-use web interface.
- Support of export to CSV, STIX, and OpenIOC files.
- Online Help and context-sensitive Help are available.
Page top
[Topic ObtainingCertificate]
Obtaining certificate, user name, and password
A certificate, user name, and password are required to work with Kaspersky Threat Intelligence
Portal.
You must obtain a certificate, user name, and password from Kaspersky. To obtain a certificate,
contact your dedicated Technical Account Manager at Kaspersky. A certificate and your credentials will be provided
in a secure way.
WL-info certificate can also be used to access Kaspersky Threat Intelligence Portal.
After you receive a certificate, you must import it to the computer you plan to use for working with
Kaspersky Threat Intelligence Portal if you use Google Chrome™ or Microsoft Edge browsers. If you use
Mozilla Firefox, you also have to import the certificate to the browser.
The certificate has a limited term. The certificate term countdown starts from the date it has
been issued.
When the certificate expires, the service becomes unavailable. To continue using the service,
you must request a new certificate. You will receive a new certificate and a certificate password for it from your
dedicated Kaspersky Technical Account Manager. Your user name and password remain the same and do not need to be
updated.
If a Technical Account Manager changes your type of access (through web portal, API, or both) to
Kaspersky Threat Intelligence Portal during your certificate term, your certificate and credentials remain the
same.
There is no limit in place regarding the number of computers on which you can install a
certificate.
Page top
[Topic ImportingCertificate]
Importing certificate
Importing certificate to a computer
If you use Google Chrome or Microsoft Edge browsers, you can import a certificate to your
computer using the Certificate Import Wizard.
To import a certificate to your computer:
- Save an attachment with the certificate you received from the dedicated Kaspersky
Technical Account Manager on the computer that you will use to work with Kaspersky Threat Intelligence Portal.
- Open the certificate to start the Certificate Import
Wizard.
- On the File to Import page, select the required certificate.
- Enter the certificate password provided by the dedicated Kaspersky Technical Account
Manager.
- Select the Include all extended properties check box.
- Specify the location for the certificate on your computer:
- If you want your operating system to automatically choose the certificate store,
select Automatically select the certificate store based on the type of
certificate.
- If you want to specify the location for the certificate manually, select Place all certificates in the following store.
- Click Finish.
- To complete the certificate import process, restart the browser.
Your certificate is now imported, and you can start working with Kaspersky Threat
Intelligence Portal online.
Importing certificate to Mozilla Firefox
If you use Mozilla Firefox, you must also import a certificate to this browser.
To import a certificate to Mozilla Firefox:
- Open Mozilla Firefox.
- Open the Certificates tab in one of the following ways:
- In the lower part of Mozilla Firefox Start Page, click the Options button, and then select Advanced →
Certificates.
- Click the Menu button, and then select Options → Advanced → Certificates.
- Click the View Certificates button and select the Your Certificates tab.
- Click Import.
The Certificate File to Import window opens.
- Select your certificate and click Open.
- Enter your certificate password in the Password
Required window and click OK.
A message
confirming that the import was successful appears.
Your certificate is now imported, and you can start working with Kaspersky Threat
Intelligence Portal using Mozilla Firefox.
Page top
[Topic ViewingImportedCertificates]
Viewing imported certificates
Viewing certificate on computer
To view certificates imported to your computer:
- Click the Start button, type
mmc in the Search box, and press Enter to open Microsoft Management Console.
- Select File → Add/Remove
Snap-in and double-click Certificates in the Available snap-ins list.
The Certificates snap-in window opens.
- Select My user account and click Finish.
- Click OK to close the Add/Remove Snap-ins window.
- In Console Root, select Certificates → Current User → Personal → Certificates.
- Make sure your certificate from Kaspersky is displayed in the console workspace.
Viewing certificate in Mozilla Firefox
To view the certificate imported to Mozilla Firefox:
- Open Mozilla Firefox.
- Open the Certificates tab in one of the following ways:
- In the lower part of the Mozilla Firefox Start Page, click the Options button, and then select Advanced →
Certificates.
- Click the Menu button, and then select Options → Advanced → Certificates.
- Click the View Certificates button and select the Your Certificates tab.
- Make sure your certificate from Kaspersky is displayed in the Certificate Manager window.
If a certificate is not imported, try to import it again or contact
your administrator.
Page top
[Topic OTP]
Setting up one-time password protection
Kaspersky Threat Intelligence Portal provides the ability to use one-time passwords instead of certificates for
authentication, if allowed by your organization.
To use one-time passwords, you have to set up two-factor verification via an authenticator app
that supports the Time-based One-time Password (TOTP) algorithm (for example Google Authenticator or Microsoft
Authenticator). One-time passwords are generated locally on your device with no need for an internet or
mobile network.
We recommend that you also set up an authenticator app on a device other than your mobile
phone. This will allow you to sign in to your Kaspersky Threat Intelligence Portal account if your mobile phone is
ever lost or stolen.
To set up two-factor verification via your authenticator app:
- Download and install an authenticator app on your device.
- Contact your Kaspersky Threat Intelligence Portal administrator and request a QR code to
set up the two-factor verification.
Your administrator will provide the QR code via a
PGP™-encrypted email or as a password-protected .zip archive. In this case, the archive and password are
provided via separate secure channels (for example, the archive is sent via email and its password via SMS
message).
- Add your Kaspersky Threat Intelligence Portal account to your authenticator app by
scanning the provided QR code. Please follow your in-app instructions for more information.
Your authentication app is set up. You can now use one-time passwords generated in the app
on the Kaspersky Threat Intelligence Portal sign-in page.
Page top
[Topic SigningIn]
Signing in to Kaspersky Threat Intelligence Portal
This section explains how to sign in to Kaspersky Threat Intelligence Portal. When you sign in
to the portal for the first time, or you purchase a new Kaspersky Threat Intelligence Portal service, you must accept the Terms and
Conditions and the Statement about Data Provision. You must also accept any new Terms and Conditions, in the
case they were changed by Kaspersky.
You can choose to use a certificate as the second factor of authentication. In this case,
before signing in to Kaspersky Threat Intelligence Portal, make sure that your certificate is imported
to the computer and browser (if you use Mozilla Firefox) that you will use to work with Kaspersky Threat
Intelligence Portal online.
Before working with the Kaspersky Threat Intelligence Portal API, you must accept the Terms
and Conditions online in your browser at https://tip.kaspersky.com.
To sign in to Kaspersky Threat Intelligence Portal:
- Open Kaspersky Threat Intelligence Portal at https://tip.kaspersky.com in your browser.
- Perform the following steps depending on the second two-factor authentication method (certificate
or one-time password):
Expand all | Collapse all
- If you use a certificate (click to view steps)
- Select the required certificate to authenticate on the web portal, and then click
OK.
The supported browsers only
display Kaspersky certificates that can be used to authenticate on Kaspersky Threat Intelligence Portal.
- Enter the user name and password that you received from Kaspersky.
A user name and password can be used for authentication on only one computer
at a time.
- Click Sign in.
- If you are allowed to work with Kaspersky Threat Intelligence Portal without a
certificate, you must pass through the reCAPTCHA test.
Select the I'm not a robot check box in the reCAPTCHA widget and follow the
instructions.
- If you use a one-time password (click to view steps)
- Enter the user name and password that you received from Kaspersky.
A user name and password can be used for authentication on only one computer
at a time.
- Click Sign in.
- Check the authentication app on your device for a 6-digit one-time password (security
code) and enter it in the corresponding fields.
The one-time password is valid for
30 seconds.
- If you want to learn more about product services, click the Get
more information about Kaspersky Threat Intelligence Portal link.
This link is
not available for users of Kaspersky Anti Targeted Attack and Kaspersky Endpoint Detection and Response.
- If you want to request a call from Kaspersky representatives, click the Request Access button.
On the page that opens, complete
the form. A Kaspersky representative will then contact you within one business day.
Kaspersky Threat Intelligence Portal returns error 403 (Access is
denied) if a valid certificate is not imported to the computer.
Signing in to Kaspersky Threat Intelligence Portal may fail for one of the following reasons:
- User name or password is incorrect.
- Your certificate is invalid, corrupted, or expired.
- Entered one-time password is incorrect or expired.
- Your user account or a group that your account belongs to is blocked.
After you have successfully signed in to Kaspersky Threat Intelligence Portal, you can run requests about
hashes, IP addresses, web addresses, or domains. You can also perform a WHOIS search for domains and IP addresses, as well as use
other Kaspersky Threat Intelligence Portal services.
Page top
[Topic AcceptingTC]
Accepting Terms and Conditions and Statement About Data Provision
This section explains how to accept the Terms and Conditions and the Statement about Data
Provision.
Before signing in to Kaspersky Threat Intelligence Portal for the first time or using a new
service, you have to accept the Terms and Conditions and the Statement about Data Provision. You must also accept
the Terms and Conditions, in case they have changed.
Before working with the Kaspersky Threat Intelligence Portal API, you must accept the Terms
and Conditions online in your browser at https://tip.kaspersky.com.
To accept the Terms and Conditions and the Statement about Data Provision:
- Clicking the Sign in button at https://tip.kaspersky.com in
your browser. In the window that opens, carefully read the Terms and Conditions and the Statement about Data
Provision.
If you sign in to Kaspersky Threat Intelligence Portal for the first time,
the Terms and Conditions and the Statement about Data Provision for all purchased services are displayed.
If you open a page for a newly purchased service, only the Terms and Conditions and the
Statement about Data Provision for this service are displayed.
- If you agree with all the Terms and Conditions and the Statement about Data Provision, in
the I confirm that I have fully read, understand, and accept the following
section select the following check boxes:
- Terms and Conditions of
<services>
- Statement About Data Provision
If you do not agree with the Terms and Conditions and the Statement about Data
Provision, click the Cancel link to cancel the sign-in.
- Click the Confirm button.
The
Confirm button becomes available only if you scroll through the Terms and
Conditions text and select both check boxes.
- If necessary, you can click the Terms and Conditions
link in the lower part of the Kaspersky Threat Intelligence Portal page to read the Terms and Conditions and the
Statement about Data Provision at any time.
Page top
[Topic HomePage]
Home page
On the Kaspersky Threat Intelligence Portal Home page (
), an overview of current cyber threats around the world and various types of
information concerning your organization are displayed. The data provided allows you to start threat investigation
as soon as you sign in.
In the Search field, you can request data from Kaspersky
databases for indicators (hash, IP address, domain, web address) and actor profiles. Also, you can perform
full-text requests in this field.
The Digital Footprint Global Threats section provides the
overall threat landscape detected for all Digital Footprint Intelligence service users. Charts display the total
number of detected threats and their distribution by risk levels and categories.
Depending on the licenses your organization has purchased and the permissions set by your
administrator, the following sections are displayed on the Home page:
- Reports—Latest APT Intelligence, Crimeware Threat
Intelligence, and Industrial Threat Intelligence report headers (sometimes shortened for a better view). If your
license stipulates viewing reports, headers of available reports are clickable and take you to the corresponding
report page. This page contains the report name, a brief description, and download links.
Demo reports (marked as 
) are available
for viewing and downloading without a commercial license. Clicking the View demo
reports link takes you to the Reporting page, where demo reports
are filtered out.
Unavailable reports (marked as 
) are also
displayed on the Home page, but their headings are not clickable. When you
hover your mouse over a specific report name, a tooltip is displayed with the name of the service that must be
purchased
to view the full version of the report.
Clicking the See more reports link takes you to the
Reporting page containing all reports available to you.
- Investigation history—Your most recent requests in
Kaspersky Threat Intelligence Portal, including Threat Intelligence search and object analysis in Kaspersky
Sandbox. Clicking the View request history link takes you to a page containing
a complete list of your requests.
- Threat Attribution Updates—Total number of actors
and other attribution entities for the current time, number of new and updated actors, and other attribution
entities for the last 30 days. Attribution entities include actors, their tools, related malware, and campaigns.
Clicking the View available actor profiles link takes you to the Reporting → Actors page with detailed descriptions of available actor profiles.
- News—Latest news headers (sometimes shortened
for a better view). News headers are clickable and take you to the news source page (for example, the Securelist website). Clicking the
View news link takes you to the News page
containing links to all news available to you.
- Video Insights—Links to video tutorials about Kaspersky
Threat Intelligence Portal and the its services.
- Cybermap—Worldwide cybermap showing threats around
the world. When you hover your mouse over a specific country, the country rating and the percentage of users
whose Kaspersky products have blocked threats in that country are shown. To the right of the cybermap, a list of
the most attacked countries is displayed.
When you click a specific country on the
cybermap, threat ratings and statistics are displayed for the selected country. The country's rating in the
most frequently attacked countries list and the number of detected dangerous objects are displayed. The Top 10
lists for all threat types (threats, C&Cs, web addresses, and MD5 hashes of files) are shown below the
cybermap. All items are clickable. Clicking an item in the threats list takes you to the Kaspersky threats
website. Clicking items in the Top 10 CC, Top 10 URLs, and Top 10 files lists takes you
to the Threat Lookup page, which has various results for the corresponding
object.
For both the worldwide and individual country cybermap, filtering by type and time is
available.
By selecting the information type in the drop-down list, you can display the
information for the following types:
- OAS—Shows malware detection flow during
On-Access Scan, i.e. when objects are accessed during open, copy, run, or save operations.
- WAV—Shows malware detection flow during a Web
Anti-Virus scan when a website opens or a file is downloaded. This checks the ports specified in the Web
Anti-Virus settings.
- MAV—Shows malware detection flow during the
Mail Anti-Virus scan when new objects appear in a mail client. The MAV scans incoming messages and calls OAS
when saving attachments to a disk.
- ODS—Shows malware detection flow during
On-Demand Scan, when the user manually selects the Scan for viruses
option in the application context menu.
- IDS—Intrusion Detection System shows network
attacks detection flow.
- KAS—Shows malicious and other email traffic
discovered by Kaspersky's Reputation Filtering technology (Kaspersky Anti-Spam).
- VUL—Vulnerability Scan shows vulnerability
detection flow.
By selecting the time period in the drop-down list, you also can filter the displayed
information for a specific period:
- Day—Cybermap and other threat statistics for
the past 24 hours are displayed.
- Week—Cybermap and other threat statistics for
the past seven days are displayed.
- Last month—Cybermap and other threat
statistics for the past month are displayed.
- Top Threats—Leading threats for the selected
threat type. The rating list is made up of the threats most frequently blocked by Kaspersky products.
- Threat Dynamics—Graphic of the changes in the
total number of incidents recorded by Kaspersky for different threat types. When you hover your mouse over a
certain column on the graph, the number of incidents for this date are displayed.
Page top
[Topic Roadmap]
What's New and Upcoming page
The What's New and Upcoming (
) page of the Kaspersky Threat Intelligence Portal displays information about released and expected
features. Descriptions are provided during the same quarter development is approved, or when the feature is
released.
You can also view information about features that were implemented earlier.
Via the Feedback form, you can leave feature requests for
Kaspersky Threat Intelligence Portal. We encourage you to send ideas and suggestions to help us improve our
services and website usability.
Page top
[Topic NewsPage]
News page
The News (
) page of Kaspersky
Threat Intelligence Portal displays a list of Kaspersky news items available to you.
For each news item, its publication date and header are provided. News headers are clickable and
take you to the source page for the news (for example, the Securelist website).
Page top
[Topic VideoInsights]
Video Insights
This section contains videos about Kaspersky Threat Intelligence Portal services, helping you to
become familiar with the portal's functionality.
To watch the videos, you have to sign in to Kaspersky Threat Intelligence Portal.
Page top
[Topic VideoAbout]
About Kaspersky Threat Intelligence Portal
To watch the video below, you have to sign in to Kaspersky Threat Intelligence Portal.
Subscribers to Kaspersky Threat Intelligence Portal gain instant access to both immediate and
historic threat intelligence, helping you to combat cyberattacks as they arise. This enables SOC and IR teams to
build a comprehensive threat intelligence workÂflow, by providing rich and meaningful context throughout the
entire incident management cycle. See how this works in practice.
Page top
[Topic DFIvideo]
Working with Digital Footprint Intelligence service
To watch the video below, you have to sign in to Kaspersky Threat Intelligence Portal.
Digital Footprint Intelligence service is a comprehensive digital risk protection service that
helps you to monitor your organization's digital assets and detect threats. With real-time alerts, Digital
Footprint Intelligence enables organizations to respond quickly and effectively to potential threats. Analytical
reports complement these data with finished intelligence from Kaspersky experts providing insights into cyber
security risks and recommendations on how to mitigate them. The following video explains how you can work with
Digital Footprint Intelligence service.
Page top
[Topic UsingThreatAnalysisVideo]
Using Threat Analysis
To watch the video below, you have to sign in to Kaspersky Threat Intelligence Portal.
Kaspersky Threat Analysis is a flexible set of tools for comprehensive malicious file research.
Combining together Kaspersky Sandbox, Kaspersky Threat Attribution Engine, and Similarity technologies, it enables
to expose the most advanced unknown and evasive threats. Their synergy makes it possible to identify a
sophisticated threat much faster than in case when file analysis is performed using only one of these
technologies.
In this video, we demonstrate how to identify the malware behavior and objectives, reveal its
various modifications, and establish its association with a known APT group and its techniques and tactics using
Threat Analysis section on Kaspersky Threat Intelligence Portal.
Page top
[Topic OpenAPIspec]
OpenAPI specification
OpenAPI specification describes endpoints, required parameters, responses, and usage examples.
In this version of Kaspersky Threat Intelligence Portal, OpenAPI specification is available for
the following services:
Page top
[Topic Interface]
Kaspersky Threat Intelligence Portal interface
This section describes the main elements of the Kaspersky Threat Intelligence Portal interface.
The right part of the page contains the contents of the selected Kaspersky Threat Intelligence
Portal service.
On each Kaspersky Threat Intelligence Portal page, the Search field is
available.
Kaspersky Threat Intelligence Portal allows you to choose a dark or light background web
interface. You can use the toggle switch in the upper right corner of the page to select the mode (see picture
below).
The left part of the Kaspersky Threat Intelligence Portal page contains a menu that provides you
with access to the services and other functions.
This menu consists of two sections that you can collapse or expand (
/ 
) independently of each other at any time, for more convenient
viewing of the relevant section or elements of the menu:
Page top
[Topic AboutTnC]
About the Terms and Conditions
The Terms and Conditions are a binding agreement between you and AO Kaspersky Lab, stipulating
the conditions under which you may use the service.
Please read the Terms and Conditions carefully before you start using the service.
You accept the Terms and Conditions by confirming that you agree with them when signing in to
Kaspersky Threat Intelligence Portal. If you do not accept the Terms and Conditions, you cannot sign in to
Kaspersky Threat Intelligence Portal.
If necessary, you can click the user icon (
) at the bottom
of the Kaspersky Threat Intelligence Portal page, and select the Terms and
Conditions option to read the Terms and Conditions at any time.
Page top
[Topic AboutLicense]
About the license
A license is a time-limited right to use Kaspersky Threat
Intelligence Portal services, granted under your contract with Kaspersky.
A license entitles you to the following kinds of services:
- The right to use Kaspersky Threat Intelligence Portal
- Assistance from your dedicated technical account manager
To use Kaspersky Threat Intelligence Portal services, you must purchase a license.
The scope of the service usage term depends on which of the following licenses you opt for.
For Kaspersky Sandbox
- Trial: Provides limited access to Kaspersky Sandbox.
The trial license has a limited term and the following restrictions:
- A quota for file executions and web address analysis in the Kaspersky Sandbox is
provided for the entire license term, including the commercial license term.
- Up to 1000 of the latest file executions and web address analysis results for a user
are stored. When the maximum number of stored results is reached, the oldest results are assigned Archived status. For archived tasks, you can only view or delete a brief
summary. For more details about archived tasks, refer to the About archived (discarded)
tasks section.
- A trial license is usually only short term. When a trial license expires, you cannot
execute files or analyze web addresses in Kaspersky Sandbox. Previous file execution results remain
available. To continue using Kaspersky Sandbox, you need to purchase a commercial license.
- Commercial: A license that is provided when you
purchase Kaspersky Threat Intelligence Portal services. The commercial license has a limited term and provides
daily quotas or quotas for the entire period.
Up to 1000 of the latest file executions
and web address analysis results for a user are stored. When the maximum number of stored results is reached,
the oldest results are assigned Archived status. For archived tasks, you
can only view or delete a brief summary. For more details about archived tasks, refer to the About archived (discarded)
tasks section.
Running a threat lookup request for a hash does not reduce the Threat Lookup daily
quota for your group if the completed execution task for this hash is in Kaspersky Sandbox.
The number of service users for your company and other limited terms and conditions
including quotas are specified in your contract with Kaspersky.
After the commercial license expires, you cannot upload, execute and analyze files. We
recommend renewing the license before it expires.
For Crimeware Threat Intelligence Reporting Service
If you have not purchased the Crimeware Threat Intelligence Reporting Service license,
notifications are not available.
Kaspersky Threat Intelligence Portal allows you to view and download reports marked as DEMO, regardless of the license. For more details, see the Reporting section.
For APT Intelligence Reporting Service
If you have not purchased the APT Intelligence Reporting Service license, notifications are not
available.
Kaspersky Threat Intelligence Portal allows you to view and download reports marked as DEMO, regardless of the license. For more details, see the Reporting section.
For Kaspersky Industrial Threat Intelligence Reporting
Service
If you do not purchase the Kaspersky Industrial Threat Intelligence Reporting Service license,
notifications are not available.
Kaspersky Threat Intelligence Portal allows you to view and download reports marked as DEMO, regardless of the license. For more details, see the Reporting section.
For Kaspersky Threat Lookup / WHOIS Lookup / WHOIS Hunting /
Research Graph / OSINT IoCs / Saved Searches
- Trial: Quotas for Threat Lookup and WHOIS Lookup
services are provided for the license term.
A separate quota for creating rules is
provided for the WHOIS Hunting service.
A separate quota for creating saved search requests is provided for the Saved Searches
service.
After the trial license expires, you cannot create lookup and saved search requests.
The created saved search requests remain available to you but no updates are received for them.
- Commercial: A license that is provided when you
purchase Kaspersky Threat Intelligence Portal services. The commercial license has a limited term and provides
daily quotas or quotas for the entire period.
Daily quotas and quotas for the entire
period (depending on the contract with Kaspersky) are provided for Threat Lookup and its services.
A separate quota for creating rules is provided for the WHOIS Hunting service.
A separate individual quota for creating research graphs is provided to each user of
the group.
A separate quota for creating saved search requests is provided for the Saved Searches
service.
After the commercial license expires, you cannot create lookup requests, saved search
requests, or tracking rules. Also, no new research graphs can be saved. The created saved search requests
remain available, but no updates are received until you renew the license.
Kaspersky Threat Intelligence Portal offers integration with the external Kaspersky
Transforms for Maltego service. A separate quota is provided for Maltego lookup requests: access to this
service is provided only via the API. General information about an object and its zone are provided in the
response. After the commercial license expires, you cannot create requests to Kaspersky Threat Lookup using
Maltego.
Daily quota usage
If a user repeats a threat
lookup request on the same day, the Threat Lookup daily quota for your group is not reduced.
Running a
threat lookup request for a hash does not reduce the Threat Lookup daily quota for your group if the completed
execution task for this hash is in Kaspersky Sandbox.
The number of service users for your company and other limited terms and conditions including
quotas are specified in your contract with Kaspersky. You may find information about the license on the Licenses page.
We recommend renewing the license before it expires.
For APT C&C Tracking Service
- Trial: Provides limited access to the APT C&C
Tracking Service. The trial license has a limited term and the following restrictions:
- The feeds are only available for the country selected by a Kaspersky employee when the
contract was entered into.
- A trial license is usually only short term. Upon expiry, the service becomes
unavailable to the user. To continue using the APT C&C Tracking Service, you need to purchase a
commercial license.
- Commercial: This license is provided when you purchase
Kaspersky Threat Intelligence Portal services and has a limited term. The number of service users for your
company and other quotas are specified in your contract with Kaspersky. After the commercial license expires,
the service becomes unavailable to the user.
For Digital Footprint Intelligence Service
- Demo: Allows you to try out the Digital Footprint
Intelligence Service.
The demo license has a limited term and the following
restrictions:
- Only an anonymized demo report is available to view and download.
- Only a limited list of anonymized threat notifications is available for viewing.
- Other functions are available only for demo data.
- Commercial: This license is provided when you purchase
Kaspersky Threat Intelligence Portal services and has a limited term. The number of service users for your
company and other limited terms and conditions including quotas are specified in your contract with Kaspersky.
If you do not renew your commercial license, you can still access data received during
the license period. You can search for reports and notifications, filter and export notifications. However, no
new reports and notifications will be provided until you renew your license
Dark Web / Surface Web
- Commercial: A license that is provided when you
purchase Kaspersky Threat Intelligence Portal services. The commercial license has a limited term and provides
daily quotas or quotas for the entire period. The number of service users for your company and other limited
terms and conditions including quotas are specified in your contract with Kaspersky.
If
you do not renew your commercial license, you can still access data received during the license period.
However, no new data will be provided until you renew your license. Also, no Dark Web / Surface Web updates
for the created saved search requests are received. Note that, if the Threat Lookup license remains valid, you
can still create and save new search requests for which the updates are based on the Lookup data.
Cloud Threat Attribution Engine
- Trial: Provides limited access to the Cloud Threat
Attribution Engine. The trial license has a limited term.
- Commercial: A license that is provided when you
purchase Kaspersky Threat Intelligence Portal services. The commercial license has a limited term and provides
daily quotas or quotas for the entire period. The number of service users for your company and other limited
terms and conditions including quotas are specified in your contract with Kaspersky.
After the commercial license expires, you can still access data received during the license period. However,
you cannot analyze the uploaded files and no new data will be provided until you renew your license.
We recommend renewing the license before it expires.
Page top
[Topic ViewLicenses]
Viewing your current and available licenses
The following procedure tells you how to view your current
and available Kaspersky Threat Intelligence Portal service licenses.
The current license entitles you to use the service.
In Kaspersky Threat Intelligence Portal, an expired, None, or Trial license for which the
request quota is exceeded, is considered as an available license.
To view current licenses,
Click the user icon () at the bottom of the Kaspersky Threat
Intelligence Portal page, and select the Licenses option.
The Licenses → Current
licenses tab opens. For your current licenses, the data described in the table below is displayed.
Current licenses
|
Field
|
Description
|
|
Service
|
Service name. If necessary, expand the service name to view feature names. Service
names are clickable, and navigate you to the corresponding service page.
|
|
Type
|
Type of your current license for the service (Commercial, Demo, or Trial).
|
|
Quotas
|
Request limit for the service.
|
|
Expiration
|
Date and time your current license expires. When the current license expires, it is
moved to the Available licenses tab, where you can apply for license
purchase.
|
|
Conditions
|
Link that opens the corresponding service Terms and Conditions.
|
To view available licenses:
- Click the user icon () at the bottom of the Kaspersky Threat
Intelligence Portal page, and select the Licenses option.
- Open the Licenses → Available
licenses tab.
For licenses available to you, the data described in the table below is displayed.
Available licenses
|
Field
|
Description
|
|
Service
|
Service name. If necessary, expand the service name to view feature names. Service
names are clickable, and navigate you to the corresponding service page.
|
|
Type
|
Type of the license for the service (Commercial, Demo, Trial, or None).
|
|
Quotas
|
Request limit for the service.
|
|
Expiration
|
Date and time the license expired.
|
|
Purchase
|
Button that you can use to apply for a license purchase.
|
Page top
[Topic PurchasingLicense]
Purchasing license
The following procedure tells you how to purchase a license.
To purchase a license:
- Click the user icon () at the bottom of the Kaspersky Threat
Intelligence Portal page, and select the Licenses option.
The Licenses page opens.
- On the Available licenses tab, click the Purchase license button next to the Kaspersky Threat Intelligence Portal service
that you want to purchase a license for.
The request form opens.
- Make sure the intended service is specified in your request.
- If necessary, enter a comment to your request.
- Click Send.
Page top
[Topic DataProvision]
Data provision
When using Kaspersky Threat Intelligence Portal, in addition to the data that you provide in
accordance with the Terms and Conditions, the following types of data are automatically obtained and processed for
the purposes described below.
Kaspersky protects any information received in accordance with law and applicable Kaspersky
rules. Data is transmitted over a secure channel.
All obtained data is stored during the license term. When a storage period expires, the data is
deleted from online transaction processing (OLTP) databases.
You can withdraw your consent to the provision of the data described below at any time.
To withdraw your consent, contact your dedicated Kaspersky Technical Account Manager by ktlsupport@kaspersky.com.
Processed data:
General user actions
For detection services improvement and processing user requests to Kaspersky Threat Intelligence
Portal services in accordance with license terms, on any user action during
work with Kaspersky Threat Intelligence Portal, the portal obtains the following data according to the Terms and
Conditions:
- Date and time when an action was performed
- IP address (also used for blocking accounts that make frequent attempts to sign in to
Kaspersky Threat Intelligence Portal)
- User agent string
- User name (login)
Terms and Conditions confirmation
For processing user requests to Kaspersky Threat Intelligence Portal services in accordance with
license terms, the portal obtains the following data:
- Confirmation (the I confirm that I have fully read, understand,
and accept the following: Terms and
Conditions of <list of available services> check box
selection)
Statement About Data Provision confirmation
For processing user requests to Kaspersky Threat Intelligence Portal services in accordance with
license terms, the portal obtains the following data:
- Confirmation (the I confirm that I have fully read, understand,
and accept the following: Statement About Data Provision check box
selection)
Signing in to Kaspersky Threat Intelligence Portal
For purposes of user authentication and verification of compliance with the current license, on signing in to Kaspersky Threat Intelligence Portal, the portal obtains the
following data according to the Terms and Conditions:
- Certificate
- Password (salt and hash)
- User name (login)
- Session identifier (ID, user name), also stored in the local storage of the user's browser
- API Key (Token, when using Kaspersky Threat Intelligence Portal API)
APT Intelligence Reporting, Crimeware Threat Intelligence Reporting,
and Industrial Threat Intelligence Reporting services
For purposes of generating user input hints and searching for requested text (full text search),
the requests to the Reporting service are received, stored, and processed in
accordance with the Terms and Conditions.
Threat lookup service
For purposes of searching requested objects, display of recent user requests, and verification
of compliance with the current license, when the Threat lookup service is used,
Kaspersky Threat Intelligence Portal obtains the following data:
- Request
- Viewing recent requests (only action, no data is received)
- Request results
Dark web and Surface web search
For purposes of investigating issues, verifying compliance with the current license, and
notifying the user, when the WHOIS hunting functionality is used in the Kaspersky Dark web and Surface web search,
the following information are processed:
- Requested object or full-text request
- User name (login)
WHOIS hunting service
For purposes of issue investigations, verification of compliance with the current license, and
user notification, when the WHOIS hunting service is used, Kaspersky Threat
Intelligence Portal obtains the following data according to the Terms and Conditions:
- User full name
- User name (login)
WHOIS lookup service
For purposes of issue investigations, display of user recent requests, and verification of
compliance with the current license, when the WHOIS lookup service is used,
Kaspersky Threat Intelligence Portal obtains the following data:
- Request
- Viewing recent requests (only action, no data is received)
- Request results
Kaspersky Sandbox: Uploaded or downloaded files execution
For purposes of issue investigations, display of recent user requests, and verification of
compliance with the current license, when executing a file in Kaspersky
Sandbox, Kaspersky Threat Intelligence Portal obtains the following data:
- Request (executed file)
- File download parameters (web address, HTTP requests, HTTPS requests)—for downloaded
files only
- File execution parameters (execution environment, execution time, specified file
extension, execution type, HTTPS traffic decryption)
- File execution results (sandbox detection names, triggered network rules, execution map,
suspicious activities, screenshots, loaded PE images, file operations, registry operations, process operations,
synchronize operations, downloaded files, dropped files, HTTP requests, HTTPS requests, DNS requests)
- Viewing recent requests (hash of the executed file, date and time when the file was
executed and analyzed, file size, file type, MD5 hash)
Cloud Threat Attribution Engine
For purposes of investigating issues, verifying compliance with the current license, and
notifying the user about a file analysis results that extracted with Cloud Threat Attribution Engine, the
information from the file are processed.
Kaspersky Sandbox: Browse URL
For purposes of issue investigations, display of recent user requests, and verification of
compliance with the current license, when analyzing a web address in Kaspersky
Sandbox, Kaspersky Threat Intelligence Portal obtains the following data:
- Request (web address)
- Web address analysis parameters (emulation environment, emulation time, HTTPS traffic
decryption)
- Web address analysis results (sandbox detection names, triggered network rules, suspicious
activities, hosts, WHOIS information, screenshots, HTTP requests, HTTPS requests, DNS requests)
- Viewing recent requests (analyzed web address, date, and time when the web address was
analyzed)
Account management
For the purpose of verification of compliance with the current license, when a new account is created, Kaspersky Threat Intelligence Portal obtains the
following data according to the Terms and Conditions:
- Role (Admin or User)
- Type (access using web interface, RESTful API, or both)
- User full name
- User name (login)
- User name (login) of changes author
Digital Footprint Intelligence service
For the purpose of detecting immediate threats to the organization and provide the user with
information about them, to perform text searches from the user and to filter those results, Kaspersky Threat
Intelligence Portal receives the following data when you use the Digital Footprint Intelligence service:
- Company names
- Brand names
- Full-qualified domain names
- IP addresses, version 4 (IPv4) or version 6 (IPv6)
- IP address ranges, version 4 (IPv4) or version 6 (IPv6)
- CIDRs, version 4 (IPv4) or version 6 (IPv6)
- Email addresses
- Employee names
- Information about the organization
- Information about the vulnerabilities found for the organization
- Search queries from the user (word or phrase uniquely related to the company)
- IIN/BIN
- Legitimate social account links
- Legitimate mobile app links
Page top
[Topic TISearch]
Threat Intelligence search feature
Kaspersky Threat Intelligence Portal allows you to search threat intelligence information about
various types of objects in all Kaspersky services databases in parallel:
- Indicators of compromise: lookup results for hashes (MD5, SHA1, SHA256), IP addresses,
domains, web addresses.
- Full-text search: Actor Profiles, APT Intelligence Reporting, Crimeware Threat
Intelligence Reporting, Industrial Threat Intelligence Reporting, Digital Footprint Intelligence, Surface web,
and Dark web search results.
- Simple Elasticsearch queries: Surface web, Dark web, and Digital Footprint Intelligence
information only. For other services, the search is performed by a complete match with the entered query.
The search field (Search) is located on each Kaspersky Threat
Intelligence Portal page: you do not need to navigate to a certain service section to request specific
information.
If you start a search on one of the Threat Lookup tabs (for
example, Dark web or Surface web), the
selected page remains active when the search results are displayed.
The Threat Lookup page contains the following sections:
- Lookup—Lookup results for hashes, IP addresses, domains, and web addresses.
- Dark web—Search results against a limited set of
Dark web and
other hidden publications.
- Surface web—Search results against a limited set
of publications in various social media.
- OSINT IoCs—Open-source intelligence:
information about posts that mention the requested hash.
- Reporting—Search results against APT Intelligence reports, Crimeware
Threat Intelligence reports, Industrial Threat Intelligence reports (including search in report names and
descriptions, contents of the report in PDF format, IOC and YARA files).
If necessary,
you can use filters (
) to narrow the amount of displayed results:
- In the Date column, use the date pickers (calendar)
or predefined filters (Month or Year) to
specify a certain period and click Apply.
- In the Group column, you can select groups that the
report belongs to: APT for APT Intelligence reports, Crimeware for Crimeware Threat Intelligence reports, Industrial for Industrial reports. By default, all types of reports are
selected.
- In the Report column, you can select whether you
want to view all reports or only demo reports: All option for all reports
and Demo option for demo reports only.
- In the Tags column, you can specify required tags. The
number of selected tags of each type is displayed by the type name. If necessary, clear tags selection by
clicking the Clear filters button.
- Actors—Search results against actor names and tags.
- Digital Footprint—Search results against names and
contents of Digital Footprint Intelligence reports, names and descriptions of vulnerabilities, and
recommendations for solving the vulnerability.
If necessary, you can use filters () to narrow the amount of displayed results.
On the Threats tab:
- In the Date column, select a specific date or time
interval when a threat was detected, or use predefined filters Week or
Month.
- In the Risk column, select one or several threat
risk levels (Info, Critical, High, Medium, Low).
- In the Category column, select one or several threat
categories, for example Vulnerability, Malware, Person, Leakage, Dark web.
- In the Object column, select one or several objects
associated with detected threats.
- In the Tags column, select one or several tags
associated with threats.
On the Reports tab, in the Date column, select a specific date or time interval when a report was
published, or use the predefined Week or Month filters.
By section names, the number of results is displayed.
Page top
[Topic DarkWebSection]
Dark web section
Kaspersky Threat Intelligence Portal allows you to run a full-text search against a limited set
of Dark web and other hidden publications.
To search for a Dark web post:
- In Search field on any Kaspersky Threat Intelligence
Portal page, enter search criteria (one or several words) and press Enter.
Kaspersky Threat Intelligence Portal displays search results on the Threat Lookup (
) → Dark web page.
- If necessary, use the filter buttons to specify the search categories. For each category,
the number of matching Dark web publications is displayed.
By default, Kaspersky Threat
Intelligence Portal searches Forums, Messengers, Ransomware blogs, and News categories.
If the category selection changes, Kaspersky Threat Intelligence Portal performs the
search again with the new filters.
- Click the post name in the Preview column.
In the window that opens, detailed information about the post and its text are
displayed.
Dark web section
|
Field
|
Description
|
|
Date
|
Dark web post publication date and time.
|
|
Preview
|
Dark web post title and post preview.
|
|
Source
|
Source of the Dark web post.
Please be aware, links to sources, as well as links within sources, can navigate
to dangerous resources.
|
|
Category
|
The category of the source in which the post was found:
- Forums
- Forums (archived)
- Messengers
- Ransomware blogs
- IT forums
- News
|
Page top
[Topic SurfaceWebSection]
Surface web section
Kaspersky Threat Intelligence Portal allows you to run a full-text search against a limited set
of publications in various social media.
To search a social media publication:
- In the Search field on any Kaspersky Threat Intelligence
Portal page, enter search criteria (one or several words) and press Enter.
Kaspersky Threat Intelligence Portal displays search results on the Threat Lookup () → Surface web page.
- Click the post name in the Preview column.
In the window that opens, the post is displayed.
Surface web section
|
Field
|
Description
|
|
Date
|
Social media post publication date and time.
|
|
Preview
|
Social media post title and post preview.
|
|
Source
|
The source of the social media post.
Please be aware, links to sources, as well as links within sources, can navigate
to dangerous resources.
|
Page top
[Topic ThreatLookup]
Threat Lookup
This section explains how you can run requests by using Kaspersky Threat Intelligence Portal.
Also, the concept of zones and detailed descriptions of object investigation results are provided.
All lookup results available to you are displayed in the Threat
Lookup () → History table.
You can also run search requests by using the Kaspersky Threat Intelligence
Portal API.
Page top
[Topic RunningRequests]
Running lookup requests
The following procedure tells you how to run a request on Kaspersky Threat Intelligence Portal.
For Kaspersky Anti Targeted Attack and Kaspersky Endpoint Detection and Response users,
free lookup requests on Kaspersky Threat Intelligence Portal are available under the extended trial license. You
can apply for this feature in one of the following ways: contact your manager (Kaspersky employee) or Kaspersky
partner, send an email to ktlsupport@kaspersky.com, or click the Request Access
button on the login
page. Also, you can request a quota increase for lookup requests by clicking the support icon (
) in the main menu.
To run a request:
- In the Search field on any Kaspersky Threat Intelligence
Portal page, enter an object you want to investigate and press Enter.
Kaspersky Threat Intelligence Portal recognizes the type of the requested object and
displays investigation results in separate fields on the Threat Lookup () → Threat Lookup
results page.
Note that you might enter the object to search in a defanged form. Such requests
are transformed to revert them to their original form. The supported defang sample items are specified in the
example below.
If you enter a defanged domain, IP address, or web address, we recommend to check that after
transformation the lookup was conducted for the required object.
See example
The supported defang sample items and their original forms that Kaspersky Threat
Intelligence Portal displays after transformation are specified in the table below.
Original and defang forms
|
Original form
|
Defang form
|
Transformation example
|
|
http://
|
hxxp://
|
hXXp://example.com → http://example.com
|
|
https://
|
hxxps://
|
HXXPs://example.com → https://example.com
|
|
.
|
[.]
|
104.132.161[.]0 → 104.132.161.0
|
Note that refanging is case-insensitive.
If you start a search on one of the Threat Lookup
tabs (for example, Lookup, Dark web or
Surface web), the selected page remains active when the search results are
displayed.
For a web address, it's length is limited to a maximum of 2000 characters. Other
characters will be ignored during a web address investigation.
- If necessary, click the Load more button and use the
pagination to view more items in any data field on the report page.
You can export investigation results as an archive.
After the request is run, results on the report page may differ from
the results shown in the Threat Lookup () → History table for the same object because Kaspersky expert
systems update information about objects in real time. Investigation results depend on the threat landscape.
You can also run search requests by using the Kaspersky Threat Intelligence Portal API.
Page top
[Topic LookupResultsPage]
Threat lookup results page
After you run a threat lookup request, Kaspersky Threat Intelligence Portal displays a report for the
investigated object on the Threat Lookup () → Threat Lookup results page.
General information about the investigated object is displayed at the top of the page. The panel
with the requested object and its status appears in one of the following colors, depending on the zone of the
investigated object:
- Red—Investigated object can be classified as malicious.
- Gray—No data is available for the investigated object.
- Green—Investigated object cannot be classified as malicious.
- Yellow—Investigated object has Adware and other
status (Adware, Pornware, and other programs).
- Orange—Investigated object has Not trusted status
(categorized as Infected or Compromised).
Also, for IP addresses, the flag of the country to which the requested IP address belongs is
displayed. When you hover your mouse over a flag, a tooltip with the country name appears. For IP addresses that
do not belong to any country, the flag with a question mark (
)
and tooltip No information are displayed.
You can use the following buttons:
- Open in research graph
Opens the research graph for the object.
- Copy request
Copies your request to clipboard.
- Export all results
Exports all investigation results into a CSV, OpenIOC, or STIX format.
Kaspersky Threat Intelligence Portal displays detailed information in separate tables below the
report panel. Tables contain up to 10 entries. In most tables, entries are clickable—you can click them to
further investigate the object displayed. The number and contents of the tables differ for each request type.
When you click the hint icon (
), a tooltip appears
with a brief description of data displayed in the selected table.
The scissors icon (
) indicates that some private data in a
displayed web address was filtered out.
In the History table, your local task creation time is displayed. In
reports, date and time are displayed in Coordinated Universal Time (UTC) format.
You can use the following buttons located near the table:
- Download data
Exports data from the table. The button is displayed if the table contains data.
- Load more
Opens a window with up to 100 entries for the selected table. The button is displayed
if there are more than 10 entries in the table.
Page top
[Topic SavedSearches]
Saved searches service
Kaspersky Threat Intelligence Portal allows you to create search requests which are repeated
periodically, so you can track and analyze changes for specific objects. Search requests can be created for one of
the following objects:
- Hash
- Web address
- IP address
- Domain
- Text input: Specify a word or phrase for the full-text search
The search is conducted through one or several Threat Lookup
services. If you select Lookup / Dark web, you
can also specify one or several sections/categories for the search.
The table below provides possible types of requests supported by the service.
Types of saved search requests
|
Object
|
Lookup
|
Dark web
|
Surface web
|
OSINT IoCs
|
|
Hash
|
|
|
|
|
|
Web address
|
|
|
|
|
|
IP address
|
|
|
|
|
|
Domain
|
|
|
|
|
|
Text input
|
|
|
|
|
When Kaspersky Threat Intelligence Portal receives updates for your saved search requests, the
information is displayed in the web interface and sent to you by email (if you configured email
notifications).
Page top
[Topic CreatingSavedSearch]
Creating a saved search request
To create a saved search request:
- On the Threat Lookup → Saved
Searches page, in the Request field specify the object or text for
which you want to create a saved search request.
- In the Services to search in drop-down list, select at
least one service for the search from the following options:
The list of available services depends on the type of requested object that you
specified.
Note that Dark web and Surface web are available for selecting only if permitted by your organization's
license.
- In the Section and Category drop-down lists, select one or several Lookup sections and one or several Dark web
categories (if you specified Lookup and Dark
web as the services to search in).
- In the Saved search request name field, enter the name
of your request.
The name of the request must be unique, you cannot save several
search requests with the same name.
- Click the Save search button.
The search request is added to your list of saved search requests.
Page top
[Topic SectionNamesCorrelations]
Section names correlations
Some section names in the Lookup service are shortened or
renamed for better viewing of the saved search requests in the web interface. The table below displays the
correlation between regular and modified Lookup section names.
Regular and modified section names
|
|
|
Regular name
|
Modified name
|
|
Hash
|
|
Overview
|
General info
|
|
File downloaded from URLs and domains
|
Downloaded from
|
|
File accessed the following URLs
|
Accessed URLs
|
|
File started the following objects
|
Started objects
|
|
File was started by the following objects
|
Started by
|
|
File downloaded the following objects
|
Downloaded objects
|
|
File was downloaded by the following objects
|
Downloaded by
|
|
File signatures and certificates
|
Certificates
|
|
Container signatures and certificates
|
Container certificates
|
|
File was unpacked from the following objects
|
Unpacked from
|
|
File contains the following objects
|
Unpacked objects
|
|
Web address
|
|
Overview
|
General info
|
|
Files that accessed requested URL
|
Files accessing URL
|
|
Files downloaded from requested URL
|
Files downloaded
|
|
Referrals to requested URL
|
Referrals
|
|
Requested object linked, forwarded, or redirected to the following URLs
|
Referred to
|
|
DNS resolutions for domain
|
DNS resolutions
|
|
Spam attacks
|
Spam info
|
|
Phishing attacks
|
Phishing info
|
|
IP address
|
|
Overview
|
General info
|
|
Files related to IP address
|
Files related to IP
|
|
DNS resolutions for IP address
|
DNS resolutions
|
|
Spam attacks
|
Spam info
|
|
Phishing attacks
|
Phishing info
|
|
Domain
|
|
Overview
|
General info
|
|
Files that accessed the requested domain
|
Files accessing domain
|
|
Files downloaded from requested domain
|
Files downloaded
|
|
Referrals to domain
|
Referrals
|
|
Domain referred to the following URLs
|
Referred to
|
|
DNS resolutions for domain
|
DNS resolutions
|
|
Spam attacks
|
Spam info
|
|
Phishing attacks
|
Phishing info
|
Page top
[Topic ViewingSavedSearch]
Viewing a saved search request
Kaspersky Threat Intelligence Portal allows you to view the saved search requests you created
and their updates.
The following information is displayed for each saved search request:
- Saved search request and its name
- Last update of the saved search request
- Number of updates
To view the details of a specific saved search request and updates,
Click the required saved search request.
Kaspersky Threat Intelligence Portal displays the following information in the opened
side-bar:
- Saved search request and its name
- Frequency of search runs and email notifications
- Selected services and sections
- Date and time of the update
- Service for which changes were seen
Page top
[Topic EditingSavedSearch]
Editing a saved search request
You can edit your saved search requests.
To edit a saved search request:
- In the list of saved search requests, click the pen icon (
) for the request that you want to edit.
- Edit the details of the request. You only have the following editing options for the saved
search request:
- Click the Save button.
Page top
[Topic DeletingSavedSearch]
Deleting a saved search request
You can delete your saved search requests.
If you delete a request, all its update history is also deleted. The history is not restored if
you later create an identical request.
To delete one or more saved search requests:
- Select saved search requests that you want to delete and click the Delete button.
A warning that all the history for the
selected requests will be deleted is displayed.
- Click the Delete button to confirm the deletion.
Page top
[Topic UpdateNotifications]
Update notifications
Kaspersky Threat Intelligence Portal notifies you about updates received for your saved search
requests through the web interface and by email.
Notifications in the web interface
Kaspersky Threat Intelligence Portal displays the number of updates in the following ways:
- On the Home page, in Threat
Alerts
- On the Saved Searches page, in the Number of updates column of the Saved search
requests table
The details of updates are available for viewing.
Email notifications
Kaspersky Threat Intelligence Portal allows you to configure email
notifications about updates for your saved search requests.
Page top
[Topic HistoryPage]
History page
The Threat Lookup () → History page displays a list of your recent lookup requests.
For each request, the information described in the table below is provided.
Request history table
|
Field
|
Description
|
|
Status
|
Status of the requested object.
|
|
Date
|
Date when the request was submitted. In the History
table, your local task creation time is displayed. In the reports, date and time are displayed in
Coordinated Universal Time (UTC) format.
You can use the filter () to narrow
the amount of displayed results. Use the date pickers (calendar) or predefined filters to specify a certain
period and click Apply.
|
|
Type
|
Automatically detected type of request.
|
|
Request
|
Object or text you requested. The items are clickable and navigate you to the
corresponding results page.
|
The request history list displays the objects in the form they were entered and looked up. If
you submitted a defanged lookup request, the list of your recent requests will contain its original form.
Page top
[Topic AboutZones]
About zones and statuses
All investigated objects are assigned to zones. A zone
indicates the danger level of the object. All related objects are assigned to their own zones. Their zones and the
zone of the investigated object may not match.
The list of zones is common for all types of objects, but not all zones can be applied to all
types of objects.
Each type of object has its own set of statuses that most accurately describe the danger of
objects of this type.Statuses and zones can vary depending on the type of objects and the section of the service.
For example, the No threats detected status is shown only for IP addresses, domains and web addresses in the Timeline section.
The relationship between the zones and statuses for all object types are provided in the table
below.
Zones and statuses
|
Zone
|
Danger level
|
Hash status
|
IP address status
|
Domain status
|
Web address status
|
|
Red
|
High
|
Malware
|
Dangerous
|
Dangerous
|
Dangerous
|
|
Orange
|
Medium
|
n/a*
|
Not trusted
|
Not trusted
|
Not trusted
|
|
Yellow
|
Medium
|
Adware and other
|
Adware and other
|
Adware and other
|
Adware and other
|
|
Gray
|
Info
|
Not categorized
|
Not categorized
|
Not categorized
|
Not categorized
|
|
Green
|
Low
|
Clean
|
Good / No threats detected
|
Good / No threats detected
|
Good / No threats detected
|
* n/a – Not applicable
Page top
[Topic HashInvestigation]
Hash investigation
Kaspersky Threat Intelligence Portal enables you to search for information about objects by MD5, SHA1, and SHA256 hashes.
Now Kaspersky Threat Intelligence Portal additionally provides the ability to obtain information
on hash from various open sources. This allows you to find more information on the hash, for example, in posts and
articles that mentioned the requested hash. For more details, please refer to the OSINT IoCs section
description.
General information about hash
Kaspersky Threat Intelligence Portal provides the following general information about hashes:
General information about hash
|
Field name
|
Description
|
|
Status
|
Shows whether the requested hash can be classified as malicious.
The investigated hash may have one of the following statuses:
Clean—Object is not malicious.
Adware and other—Object can be classified as
Not-a-virus.
Malware—Object is malicious.
Not categorized—No or not enough information
about the object is available to define the category.
|
|
Hits
|
Number of hits (popularity) of the requested hash detected by Kaspersky expert
systems.
Number of hits is rounded to the nearest power of 10.
|
|
Format
|
Format of the object being investigated by hash.
|
|
Size
|
Size of the object being investigated by hash (in bytes).
|
|
Packed by
|
Packer name (if any).
|
|
Signed by
|
Organization that signed the requested hash.
|
|
Signature trust
|
Trust level (zone) of object signature: Discredited
( ), Not trusted ( ), Trusted ( ).
|
|
First seen
|
Date and time when the requested hash was detected by Kaspersky expert systems for
the first time, according to your computer local time zone.
|
|
Last seen
|
Date and time when the requested hash was detected by Kaspersky expert systems for
the last time, according to your computer local time zone.
|
|
MD5
|
MD5 hash of the file requested by hash.
|
|
SHA1
|
SHA1 hash of the file requested by hash.
|
|
SHA256
|
SHA256 hash of the file requested by hash.
|
|
Categories
|
Categories
of the requested hash. If the hash does not belong to any of defined categories, the General category is displayed.
|
|
Reports
|
Available APT Intelligence, Crimeware Threat Intelligence, and Industrial reports. If
you have a valid commercial license for the corresponding service and the requested hash is related to an
APT attack and/or mentioned in a report, links to the corresponding reports on the Reporting page are displayed.
|
|
Data Feeds
|
List of Threat Data Feeds that contain information about the requested hash. You can
click a link to view the list of available feeds on the Threat Data Feeds
page.
|
Graphical information about hash
The Hash Hit Map (a graphical representation) displays the requested hash spread across the
world if the number of hits is larger than 10. Data obtained from users participating in Kaspersky Security
Network is used to build the map.
The Detection Statistics shows the hash activity statistics—daily hit statistics.
Additional information about hash
Kaspersky Threat Intelligence Portal displays, in separate tables, additional information about
the hash that is being investigated. You can export data from these tables as separate archives.
Additional information about hash
|
Table name
|
Description
|
Table fields
|
Comments
|
|
Detection names
|
Detected objects related to the requested hash (for example,
HEUR:Exploit.Script.Blocker).
|
—
|
In this table, the following information is displayed:
Color of the zone that the detection object belongs to (red, yellow, gray, green).
Date and time when the object was last detected by Kaspersky expert systems.
Name of the detected object. You can click any entry to view its description in the
Kaspersky threats
website.
|
|
File signatures and certificates
|
Shows detailed information about signatures and certificates of the file identified
by the requested hash.
|
Status—Status of the file certificate.
Vendor—Owner of the certificate.
Publisher—Publisher of the certificate.
Signed—Date and time when the certificate was
signed.
Issued—Date and time when the certificate was
issued.
Expires—Expiration date of the certificate.
Serial number—Serial number of the
certificate.
|
Items in the table are sorted by the Signed field
in descending order.
|
|
Container signatures and certificates
|
Information about the signatures and certificates of a container.
|
Status—Status of the container's certificate.
Container MD5—MD5 hash of the container's
file.
Signed—Date and time when the container's
certificate was signed.
Issued—Date and time when the container's
certificate was issued.
Expires—Expiration date of the container's
certificate.
|
Items in the table are sorted by the Signed field
in descending order.
|
|
File names
|
Known names of the file identified by the requested hash on computers using Kaspersky
software.
Private data is not displayed. For example, a file or folder will not be displayed if
its name contains a user name.
|
Hits—Number of file name detections by
Kaspersky expert systems.
File names—Name of the file identified by the
requested hash.
|
Items in the table are sorted by the Hits field in
descending order.
|
|
File paths
|
Known paths of the file identified by the requested hash on computers using Kaspersky
software.
Private data is not displayed. For example, a file or folder will not be displayed if
its name contains a user name.
|
Hits—Number of path detections by Kaspersky
expert systems.
Path—Path to the file on user computers
identified by the requested hash.
Location—Root folder or drive where the file
identified by the requested hash is located on user computers.
|
Items in the table are sorted by the Hits field in
descending order.
The Path and Location fields can be empty if the file is located in the registry.
|
|
File downloaded from URLs and domains
|
Web addresses and domains from which the file identified by the requested hash was
downloaded.
|
Status—Status of web addresses or domains
used to download the file identified by the requested hash.
URL—Web addresses used to download the file
identified by the requested hash. Items are clickable and take you to the Threat
Lookup page, where you can search for information about the web address. The length of
the web addresses to be investigated is limited to a maximum of 2000 characters; other characters will be
ignored. In the message window that opens, you will be asked to confirm that you still want to investigate
the shortened web address.
Last downloaded—Date and time when the file
identified by the requested hash was last downloaded from the web address / domain.
Domain—Upper domain of the web address used
to download the file identified by the requested hash. Items are clickable and take you to the Threat Lookup page, where you can search for information
about the domain.
IP count—Number of IP addresses that the
domain resolves to.
|
Items in the table are grouped by status. Items in each group are sorted by the Last downloaded field in descending order.
|
|
File accessed the following URLs
|
Web addresses that were accessed by the file identified by the requested hash.
|
Status—Status of accessed web addresses.
URL—Web addresses accessed by the file
identified by the requested hash. Items are clickable and take you to the Threat
Lookup page, where you can search for information about the web address. The length of
the web address to be investigated is limited to a maximum of 2000 characters; other characters will be
ignored. In the message window that opens, you will be asked to confirm that you still want to investigate
the shortened web address.
Last accessed—Date and time when the file
identified by the requested hash last accessed the web address.
Domain—Upper domain of the web address
accessed by the file identified by the requested hash. Items are clickable and take you to the Threat Lookup page, where you can search for information
about the domain.
IP count—Number of IP addresses that the
domain resolves to.
|
Items in the table are grouped by status. Items in each group are sorted in
descending order by the Last accessed field.
|
|
File started the following objects
|
Objects that were started by the file identified by the requested hash.
|
Status—Status of started objects.
Hits—Number of times the file identified by
the requested hash started the object, as detected by Kaspersky expert systems.
File MD5—MD5 hash of the started object.
Items are clickable and take you to the Threat Lookup page, where you can
search for information about the hash.
Location—Root folder or drive where the
started object is located on user computers.
Path—Path to the object on user computers.
File name—Name of the started object.
Last started—Date and time when the object
was last started by the file identified by the requested hash.
Detection name—Name of the detected object (for
example, HEUR:Exploit.Script.Blocker).
|
Items in the table are grouped by status. Items in each group are sorted by the Hits field, and then by the Last started
field in descending order.
The Path and Location fields can be empty if the file is located in the registry.
|
|
File was started by the following objects
|
Objects that started the file identified by the requested hash.
|
Status—Status of objects that started the
file identified by the requested hash.
Hits—Number of times the file identified by
the requested hash was started as detected by Kaspersky expert systems.
File MD5—MD5 hash of the object that started
the file identified by the requested hash. Items are clickable and take you to the Threat Lookup page, where you can search for information about the hash.
Location—Root folder or drive where the
object is located on user computers.
Path—Path to the object on user computers.
File name—Name of the object that started the
file identified by the requested hash.
Last started—Date and time when the file
identified by the requested hash was last started.
Detection name—Name of the detected object (for
example, HEUR:Exploit.Script.Blocker).
|
Items in the table are grouped by status. Items in each group are sorted by the Hits field, and then by the Last started
field in descending order.
The Path and Location fields can be empty if the file is located in the registry.
|
|
File downloaded the following objects
|
Files that were downloaded by the file identified by the requested hash.
|
Status—Status of downloaded objects.
Hits—Number of times the object was
downloaded as detected by Kaspersky expert systems.
File MD5—MD5 hash of the downloaded object.
Items are clickable and take you to the Threat Lookup page, where you can
search for information about the hash.
Location—Root folder or drive where the
downloaded object is located on user computers.
Path—Path to the downloaded object on user
computers.
File name—Name of the downloaded object.
Last downloaded—Date and time when the object
was last downloaded by the file identified by the requested hash.
Detection name—Name of the detected object (for
example, HEUR:Exploit.Script.Blocker).
|
Items in the table are grouped by status. Items in each group are sorted by the Last downloaded field in descending order.
The Path and Location fields can be empty if the file is located in the registry.
|
|
File was downloaded by the following objects
|
Objects that downloaded the file identified by the requested hash.
|
Status—Status of objects that downloaded the
file identified by the requested hash.
Hits—Number of times the file identified by
the requested hash was downloaded as detected by Kaspersky expert systems.
File MD5—MD5 hash of the object that
downloaded the file identified by the requested hash. Items are clickable and take you to the Threat Lookup page, where you can search for information about the hash.
Location—Root folder or drive where the
object is located on user computers.
File name—Name of the object that downloaded
the file identified by the requested hash.
Path—Path to the object on user computers.
Last downloaded—Date and time when the file
identified by the requested hash was last downloaded.
Detection name—Name of the detected object (for
example, HEUR:Exploit.Script.Blocker).
|
Items in the table are grouped by status. Items in each group are sorted by the Last downloaded field in descending order.
The Path and Location fields can be empty if the file is located in the registry.
|
|
File was unpacked from the following objects
|
Parent objects of file identified by the requested hash.
|
Status—Status of the parent object.
Parent MD5—MD5 hash of the parent object.
Child MD5—MD5 hash of the child object. For
direct parent objects (level=0), the MD5 hash of the requested object
is displayed.
Parent size—Size of the parent object (in
bytes).
Parent type—File type of the parent object.
Parent detection name—Detected objects
related to the parent object (for example, HEUR:Exploit.Script.Blocker).
Level—Parent level. The direct parent of the
requested object has level=0. The parent of the requested object's
parent has level=1, and so on. The maximum possible level is 5.
|
Items in the table are grouped by parent object status.
Items in each group are sorted by the Level field
in ascending order.
|
|
File contains the following objects
|
Child objects of file identified by the requested hash.
|
Status—Status of the child object.
Child MD5—MD5 hash of the child object.
Parent MD5—MD5 hash of the parent object. For
direct child objects (level=0), the MD5 hash of the requested object
is displayed.
Child size—Size of the child object (in
bytes).
Child type—File type of the child object.
Child detection name—Detected objects
related to the child object (for example, HEUR:Exploit.Script.Blocker).
Level—Child level. The direct child of the
requested object has level=0. The child of the requested object's
child has level=1, and so on. The maximum possible level is 5.
|
Items in the table are grouped by child object status.
Items in each group are sorted by the Level field
in ascending order.
|
|
File was attached to email
|
Information about spam attacks in which the requested object was attached to email
messages.
|
—
|
—
|
|
Similar files
|
Files that are similar to the requested object. Using machine-learning (ML) methods, Kaspersky systems extract the requested file
features and detect similar malicious files. Information about similar files can be used in an incident
response to search more extensively for modifications and variations of a malicious object. Also, this
information allows you to optimize perimeter protection from certain threats and take into account different
modifications and variations of a malicious object.
|
Status—Status of the object similar to the
file identified by the requested hash.
Detection name—Name of the detected object (for
example, HEUR:Exploit.Script.Blocker).
Confidence—Level of confidence that the
object is similar to the file identified by the requested hash. Kaspersky Threat Intelligence Portal
displays similar files with a confidence level from 8 to 11.
First seen—Date and time when the similar
object was detected by Kaspersky expert systems for the first time (for your local time zone).
Last seen—Date and time, accurate to one
minute, when the similar object was detected by Kaspersky expert systems for the last time (for your local
time zone).
Hits—Number of hits (popularity) for the
object similar to the identified file (by requested hash) detected by Kaspersky expert systems (rounded to
nearest power of 10).
MD5—MD5 hash of the object similar to the
file identified by the requested hash. Items are clickable, you can select the following actions:
- Copy to copy the hash to the clipboard.
- Lookup to start the hash lookup and view
results on the Threat Lookup page.
- Lookup in a new tab—to start the hash
lookup and view results on the Threat Lookup page in a new tab.
Type—Type of the object similar to the file
identified by the requested hash.
Size—Size of the object similar to the file
identified by the requested hash (in bytes).
|
Items in the table are grouped and sorted by confidence in descending order.
Items in groups with the same confidence are sorted by the Status field in descending order, and then by the Last seen field in descending order.
|
Page top
[Topic OSINTsection]
OSINT IoCs section
In addition to lookup results, Kaspersky Threat Intelligence Portal provides open-source
intelligence (OSINT) for the requested hash. This allows you to find more information on the hash, for example, in
posts in which the hash is mentioned.
To search for open-source intelligence for a hash,
In the Search field on any Kaspersky Threat Intelligence
Portal page, enter a hash (MD5, SHA1, SHA256) you want to investigate and press Enter.
On the Threat Lookup ()→ OSINT IoCs page, Kaspersky Threat Intelligence Portal displays a list of posts in
which the requested hash or files identified by the hash are mentioned.
The search results include not only posts found for the requested hash, but also those ones
found by other hashes known for the identified file. For example, if you search for MD5 hash, posts on MD5, SHA1
and SHA256 hashes of the file are also shown.
OSINT IoCs section
|
Field
|
Description
|
|
Date
|
Post publication date.
|
|
Source
|
Link to a post. In some cases, the requested hash is not mentioned in the post by the
direct link, but mentioned in posts accessed by links in the first post.
|
|
Hash
|
Hash type by which the article was found (MD5, SHA1 or SHA256).
|
Page top
[Topic IpInvestigation]
IP address investigation
Kaspersky Threat Intelligence Portal enables you to search for information about IP addresses.
For reserved IP addresses, only general and WHOIS information is displayed. Detailed reports are
not provided.
General information about IP address
Kaspersky Threat Intelligence Portal provides the following general information about IP
addresses:
General information about IP address
|
Field name
|
Description
|
|
Status
|
Shows whether the requested IP address generates malicious activity.
The IP address can have one of the following statuses:
Good—IP address does not generate malicious
activity.
No threats detected—IP address was scanned
and/or analyzed by Kaspersky, and no threats were detected. This status is used only in the Timeline section.
Not trusted—IP address may host malicious
objects. Its threat score is from 50 to 74.
Adware and other—There are objects related
to the IP address, which can be classified as Not-a-virus.
Dangerous—IP address hosts malicious
objects.
Not categorized—No or not enough information
about the IP address is available to define the category.
|
|
Country flag
|
Flag of the country that the requested IP address belongs to. When you hover your
mouse over a flag, a tooltip with the country name appears.
For IP addresses that do not belong to any country, the flag with a question mark
() and the tooltip No
information are displayed.
|
|
Hits
|
Hit number (popularity) of the requested IP address.
Hit number is rounded to the nearest power of 10.
|
|
First seen
|
Date and time when the requested IP address first appeared in Kaspersky expert
systems statistics, according to your computer local time zone.
|
|
Threat score
|
Probability that the requested IP address will appear dangerous (0 to 100). An IP
address is classified by Kaspersky expert systems as dangerous if its threat score is greater than 74.
|
|
Owner name
|
Name of the requested IP address owner.
|
|
Owner ID
|
ID of the requested IP address owner according to the register's base.
|
|
Created
|
Date when the requested IP address was registered.
|
|
Updated
|
Date when information about the requested IP address was last updated.
|
|
Categories
|
Categories of the requested IP address. If the IP address does not belong to any
defined categories, the General category is displayed.
|
|
Reports
|
Available APT Intelligence, Crimeware Threat Intelligence, and ICS reports. If you
have a valid commercial license for the corresponding service and the requested IP address is related to an
APT attack and/or mentioned in a report, links to the corresponding reports on the Reporting page are displayed.
|
|
Data Feeds
|
List of Threat Data Feeds that contain information about the requested IP address.
You can click a link to view the list of available feeds on the Threat Data
Feeds page.
|
If you want an IP address to be processed as a web address, run a request using Kaspersky Threat Intelligence
Portal API.
Graphical information about IP address
A timeline shows detection statistics for certain historical periods. The changes in the zone of
a categorized object are displayed for two months (by default) or two years. The timeline is generated only when
the detection statistics for the period is available for a specific object.
The timeline shows changes only for the following statuses:
- Dangerous
- Not trusted
- Adware and other
- No threats detected
If you pause the mouse pointer on a certain point of the timeline, Kaspersky Threat Intelligence
Portal displays the date and time of the detection and category of the object.
The category and status of the object on the timeline might not match the category in Categories and status in the object lookup results due to different methods applied.
Additional information about IP address
Kaspersky Threat Intelligence Portal provides additional information about the requested IP
address displayed in separate tables. You can export data from these tables as separate archives.
Additional information about IP address
|
Table name
|
Description
|
Table fields
|
Comments
|
|
WHOIS
|
WHOIS information for the requested IP address.
|
IP range—Range of IP addresses in the network
that the requested IP address belongs to.
Net name—Name of the network that the
requested IP address belongs to.
Net description—Description of the network
that the requested IP address belongs to.
Created—Date when the requested IP address
was registered.
Changed—Date when information about the
requested IP address was last updated.
AS description—Autonomous system description.
ASN—Autonomous system number according to RFC 1771 and RFC 4893.
Contact—Contact type (person or
organization).
Name—Contact name.
Role—Role of a contact (for example, owner).
Address—Postal address that is registered for
the IP address.
Phone / Fax—Phone/fax number of a contact.
Email—Email address of a contact.
|
—
|
|
DNS resolutions for IP address
|
pDNS information for the requested IP address.
|
Status—Status of domains.
Hits—Number of times that the domain resolved
to the requested IP address.
Domain—Domain that resolves to the requested
IP address. Items are clickable and take you to the Threat Lookup page,
where you can search for information about the domain.
First resolved—Date and time when the domain
first resolved to the requested IP address, according to your computer local time zone.
Last resolved—Date and time when the domain
last resolved to the requested IP address, according to your computer local time zone.
Peak date—Date of maximum number of domain
resolutions to the requested IP address.
Daily peak—Maximum number of domain
resolutions to the requested IP address per day.
|
Items in the table are grouped by status. Items in each group are sorted in
descending order by the Last resolved field.
|
|
Files related to IP address
|
MD5 hashes of files that are related to web addresses containing domains that resolve
to the requested IP address. Also, MD5 hashes of files that accessed the requested IP address are displayed.
|
Status—Status of downloaded files.
Hits—Number of times that a file was downloaded
from the requested IP address as detected by Kaspersky expert systems.
File MD5—MD5 hash of the downloaded file.
Items are clickable and take you to the Threat Lookup page, where you can
search for information about the hash.
Detection name—Name of the detected object (for
example, HEUR:Exploit.Script.Blocker).
URL—Web addresses used to download the file.
Items are clickable and take you to the Threat Lookup page, where you can
search for
information about the web address. The length of the web address to be investigated is limited to a
maximum of 2000 characters; other characters will be ignored. In the message window that opens, you will be
asked to confirm that you still want to investigate the shortened web address.
Last seen—Date and time that the file was
last downloaded from the requested IP address, according to your computer local time zone.
First seen—Date and time the file was first
downloaded from the requested IP address, according to your computer local time zone.
|
Items in the table are grouped by status. Items in each group are sorted by the Hits field, and then by the Last seen field
in descending order.
|
|
Hosted URLs
|
Web addresses that contain the requested IP address and web addresses of the domain
that resolves to the requested IP address.
|
Status—Status of web addresses and domains.
Hits—Number of web address detections by
Kaspersky expert systems.
URL—Detected web address. Items are clickable
and take you to the Threat Lookup page, where you can search for information about
the web address. The length of the web address to be investigated is limited to a maximum of 2000
characters; other characters will be ignored. In the message window that opens, you will be asked to confirm
that you still want to investigate the shortened web address.
First seen—Date and time when the web address
was first detected, according to your computer local time zone.
Last seen—Date and time when the web address
was last detected, according to your computer local time zone.
|
Items in the table are grouped by status. Items in each group are sorted by the Hits field, and then by the Last seen field
in descending order.
|
|
URL masks
|
Masks detected by Kaspersky expert systems addresses that contain the requested IP
address and web addresses of the domain that resolves to the requested IP address. If a mask is included in
Threat Data Feeds, the feed names are also displayed.
|
Status—Status of web addresses covered by the
corresponding mask (Dangerous, Not
trusted, or Adware and other).
Type—Type of the mask.
Mask—Web address mask.
Each item in the list is clickable—you can click it to navigate to the Threat Lookup results page, which shows investigation results for the web
address mask. Investigation results are available only if you have a valid Threat Lookup license and have
not exceeded your quota for object investigation.
Feeds—Threat Data Feeds that contain the web
address mask. In this field, any of the following Threat Data Feeds can be displayed: Malicious URL Data Feed, Phishing URL Data
Feed, Botnet CC URL Data Feed, APT
URL Data Feed, and APT IP Data Feed. If a mask is detected by
Kaspersky expert systems, but not included in any of these Threat Data Feeds, "—" is
displayed.
Each item in this list is clickable—you can click it to navigate to the
corresponding Threat Data Feed on the Data Feeds page.
|
—
|
|
Spam attacks
|
Information about spam attacks associated with the requested IP address.
|
Number of attacks—Number of spam attacks.
Spam ratio—The ratio of spam to other
content.
Attack type—Types of attacks (Unknown, Phishing, Spoofing).
|
—
|
|
Spam attack statistics
|
Graph showing the number of spam attacks in the last six months.
|
—
|
—
|
|
Phishing attacks
|
Information about phishing attacks associated with the requested IP address.
|
Number of attacks—Number of phishing attacks.
Phishing kit—Name of a phishing kit (a set of
materials and tools) used during the phishing attack.
Stolen data type—Type of data stolen during
phishing attack, for example, user names, passwords.
Attacked industry—Target industry of a
phishing attack.
Attacked organization—Target organization of
a phishing attack.
|
—
|
|
Phishing attack statistics
|
Graph showing the number of phishing attacks in the last six months.
|
—
|
—
|
Page top
[Topic DomainInvestigation]
Domain investigation
Kaspersky Threat Intelligence Portal enables you to search for information about domains.
General information about domain
Kaspersky Threat Intelligence Portal provides the following general information about domains:
General information about domain
|
Field name
|
Description
|
|
Status
|
Shows whether the requested domain can be classified as malicious, good, or not
categorized.
The domain can have one of the following statuses:
Good—Domain is not malicious.
No threats detected—Domain was scanned
and/or analyzed by Kaspersky, and no threats were detected. This status is used only in the Timeline section.
Dangerous—There are malicious objects
related to the domain.
Adware and other—There are objects related
to the domain, which can be classified as Not-a-virus.
Not trusted—Domain is categorized as Infected or Compromised.
Not categorized—No or not enough information
about the domain is available to define the category.
|
|
IPv4 count
|
Number of IP addresses related to the domain.
|
|
File count
|
Number of known malicious / all files.
|
|
Owner name
|
Domain owner name.
|
|
Owner ID
|
Domain owner ID.
|
|
Created
|
Domain creation date.
|
|
Updated
|
Domain update date.
|
|
Categories
|
Categories
of the requested domain. If the domain does not belong to any defined categories, the General category is displayed.
|
|
Reports
|
Available APT Intelligence, Crimeware Threat Intelligence, and ICS reports. If you
have a valid commercial license for the corresponding service and the requested domain is related to an APT
attack and/or mentioned in a report, links to the corresponding reports on the Reporting page are displayed.
|
|
Data Feeds
|
List of Threat Data Feeds that contain information about the requested domain. You
can click a link to view the list of available feeds on the Threat Data
Feeds page.
|
Graphical information about domain
A timeline shows detection statistics for certain historical periods. The changes in the zone of
a categorized object are displayed for two months (by default) or two years. The timeline is generated only when
the detection statistics for the period is available for a specific object.
The timeline shows changes only for the following statuses:
- Dangerous
- Not trusted
- Adware and other
- No threats detected
If you pause the mouse pointer on a certain point of the timeline, Kaspersky Threat Intelligence
Portal displays the date and time of the detection and category of the object.
The category and status of the object on the timeline might not match the category in Categories and status in the object lookup results due to different methods applied.
Additional information about domain
Kaspersky Threat Intelligence Portal provides additional information, displayed in separate
tables, about the domain that is being investigated. You can export data from these tables as separate archives.
Additional information about domain
|
Table name
|
Description
|
Table fields
|
Comments
|
|
WHOIS
|
WHOIS data about the domain that is being investigated.
|
Domain name—Name of the requested domain.
Domain status—Status of the requested domain.
Created—Date when the requested domain was
registered.
Updated—Date when registration information
about the requested domain was last updated.
Paid until—Expiration date of the prepaid
registration term.
Registrar info—Name of the requested domain
registrar.
IANA ID—IANA ID of the registrar.
Email—Email of the registrar.
Name servers—List of name servers of the
requested domain.
Contacts—Contact type (person or
organization).
Name—Contact name.
Role—Role of a contact (for example, owner).
Address—Postal address that is registered for
the IP address.
Phone/Fax—Phone/fax number of a contact.
Email—Email address of a contact.
|
—
|
|
DNS resolutions for domain
|
IP addresses that the requested domain resolves to.
|
Status—Status of IP address.
Threat score—Probability that the requested
IP address will be dangerous (0 to 100).
Hits—Number of IP address detections by
Kaspersky expert systems.
IP—IP addresses. Items are clickable and take
you to the Threat Lookup page, where you can search for information about
the IP address. The flag of the country to which the IP address belongs is displayed. When you hover
your mouse over a flag, a tooltip with a country name appears.
First resolved—Date and time when the
requested domain first resolved to the IP address.
Last resolved—Date and time when the
requested domain last resolved to the IP address.
Peak date—Date of maximum number of requested
domain resolutions to the IP address.
Daily peak—Maximum number of requested domain
resolutions to the IP address per day.
|
Items in the table are grouped by status. Items in each group are sorted by the Threat score field in descending order.
|
|
Files downloaded from requested domain
|
MD5 hashes of files that were downloaded from the requested domain and web addresses
of the requested domain.
|
Status—Status of files that were downloaded.
Hits—Number of file downloads from the
requested domain as detected by Kaspersky expert systems.
File MD5—MD5 hash of the downloaded file.
Items are clickable and take you to the Threat Lookup page, where you can
search for information about the hash.
Last seen—Date and time when the file was last
downloaded from the requested domain, according to your computer local time zone.
First seen—Date and time when the file was first
downloaded from the requested domain, according to your computer local time zone.
URL—Web addresses used to download the file.
Items are clickable and take you to the Threat Lookup page, where you can
search for
information about the web address. The length of the web address to be investigated is limited to a
maximum of 2000 characters; other characters will be ignored. In the message window that opens, you will be
asked to confirm that you still want to investigate the shortened web address.
Detection name—Name of the detected object (for
example, HEUR:Exploit.Script.Blocker).
|
Items in the table are grouped by status. Items in each group are sorted by the Hits field, and then by the Last seen field
in descending order.
|
|
Files that accessed the requested domain
|
MD5 hashes of files that accessed the requested domain.
|
Status—Status of files that accessed the
requested domain.
Hits—Number of times the file accessed the
requested domain.
File MD5—MD5 hash of the file that accessed
the requested domain. Items are clickable and take you to the Threat
Lookup page, where you can search for information about the hash.
Last seen—Date and time when the file last
accessed the requested domain, according to your computer local time zone.
First seen—Date and time when the file first
accessed the requested domain, according to your computer local time zone.
Detection name—Name of the detected object (for
example, HEUR:Exploit.Script.Blocker).
|
—
|
|
Subdomains
|
Hosts related to the requested domain (subdomains).
|
Status—Status of subdomains.
Subdomain name—Name of the detected
subdomain.
URL count—Number of web addresses related to
the subdomain.
Hosted files—Number of files hosted on the
detected subdomain.
First seen—Date and time when the subdomain
was first detected, according to your computer local time zone.
|
Items in the table are grouped by status. Items in each group are sorted in
descending order by the First seen field.
|
|
Referrals to domain
|
Web addresses that refer to the requested domain.
|
Status—Status of web addresses that refer to
the requested domain.
URL—Web address that refers to the requested
domain. Items are clickable and take you to the Threat Lookup page, where
you can search for information about the web address. The length of the web address to be
investigated is limited to a maximum of 2000 characters; other characters will be ignored. In the message
window that opens, you will be asked to confirm that you still want to investigate the shortened web
address.
Last reference—Date and time when the
requested domain was last referred to by listed web addresses.
|
Items in the table are grouped by status. Items in each group are sorted by the Last reference field in descending order.
|
|
Domain referred to the following URLs
|
Requested domain links, forwards, or redirects to following web addresses.
|
Status—Status of web addresses that the
requested domain links, forwards, or redirects to.
URL—Web address accessed by the requested
domain. Items are clickable and take you to the Threat Lookup page, where
you can search for information about the web address. The length of the web address to be
investigated is limited to a maximum of 2000 characters; other characters will be ignored. In the message
window that opens, you will be asked to confirm that you still want to investigate the shortened web
address.
Last reference—Date and time when the
requested domain last linked, forwarded, or redirected to listed web addresses.
|
Items in the table are grouped by status. Items in each group are sorted by the Last reference field in descending order.
|
|
URL masks
|
The requested domain masks detected by Kaspersky expert systems. If a mask is
included in Threat Data Feeds, the feed names are also displayed.
|
Status—Status of web addresses covered by the
corresponding mask (Dangerous, Not
trusted, or Adware and other).
Type—Mask type.
Mask—Requested domain mask.
Each item in the list is clickable—you can click it to navigate to the Threat Lookup results page, which shows investigation results for the domain
mask. Investigation results are available only if you have a valid Threat Lookup license and have not
exceeded your quota for object investigation.
Feeds—Threat Data Feeds that contain the
requested domain mask. In this field, any of the following Threat Data Feeds can be displayed: Malicious URL Data Feed, Phishing URL Data
Feed, and Botnet CC URL Data Feed. If a mask is detected by
Kaspersky expert systems, but not included in any of these Threat Data Feeds, "—" is
displayed.
Each item in this list is clickable—you can click it to navigate to the
corresponding Threat Data Feed on the Data Feeds page.
|
—
|
|
Similar domains
|
Information about domains with names similar to those of the requested domain.
|
Status—Status of a similar domain.
Domain—Similar domain name.
Registered—Date when a similar domain was
registered.
Expires—Expiration date of a similar domain.
Port status—Information about open ports.
|
—
|
|
Spam attacks
|
Information about spam attacks associated with the requested domain.
|
Number of attacks—Number of spam attacks.
Spam ratio—The ratio of spam to other
content.
Attack type—Types of attacks (Unknown, Phishing, Spoofing).
|
—
|
|
Spam attack statistics
|
Graph showing the number of spam attacks in the last six months.
|
—
|
—
|
|
Phishing attacks
|
Information about phishing attacks associated with the requested domain.
|
Number of attacks—Number of phishing attacks.
Phishing kit—Name of a phishing kit (a set of
materials and tools) used during the phishing attack.
Stolen data type—Type of data stolen during
phishing attack, for example, user names, passwords.
Attacked industry—Target industry of a
phishing attack.
Attacked organization—Target organization of
a phishing attack.
|
—
|
|
Phishing attack statistics
|
Graph showing the number of phishing attacks in the last six months.
|
—
|
—
|
Page top
[Topic URLinvestigation]
Web address investigation
Kaspersky Threat Intelligence Portal enables you to search for information about web addresses.
General information about web address
Kaspersky Threat Intelligence Portal provides the following general information about web
addresses.
General information about web address
|
Field name
|
Description
|
|
Status
|
Shows whether the requested web address can be classified as malicious, good, or not
categorized.
The web address can have one of the following statuses:
Good—Web address is not malicious.
No threats detected—Web address was scanned
and/or analyzed by Kaspersky, and no threats were detected. This status is used only in the Timeline section.
Dangerous—There are malicious objects
related to the web address.
Adware and other—There are objects related
to the web address, which can be classified as Not-a-virus.
Not trusted—Web address is categorized as
Infected or Compromised.
Not categorized—No or not enough information
about the web address is available to define the category.
|
|
IPv4 count
|
Number of known IP addresses related to the requested web address.
|
|
File count
|
Number of known malicious / all files.
|
|
Created
|
Web address creation date.
|
|
Expires
|
Web address expiration date.
|
|
Domain
|
Name of the upper-level domain.
|
|
Registration organization
|
Name of the registration organization.
|
|
Registrar name
|
Name of the domain name registrar.
|
|
Categories
|
Categories
of the requested web address. If the web address does not belong to any defined categories, the General category is displayed.
|
|
Reports
|
Available APT Intelligence, Crimeware Threat Intelligence, and ICS reports. If you
have a valid commercial license for the corresponding service and the requested web address is related to an
APT attack and/or mentioned in a report, links to the corresponding reports on the Reporting page are displayed.
|
|
Data Feeds
|
List of Threat Data Feeds that contain information about the requested web address.
You can click a link to view the list of available feeds on the Threat Data
Feeds page.
|
Graphical information about web address
A timeline shows detection statistics for certain historical periods. The changes in the zone of
a categorized object are displayed for two months (by default) or two years. The timeline is generated only when
the detection statistics for the period is available for a specific object.
The timeline shows changes only for the following statuses:
- Dangerous
- Not trusted
- Adware and other
- No threats detected
If you pause the mouse pointer on a certain point of the timeline, Kaspersky Threat Intelligence
Portal displays the date and time of the detection and category of the object.
The category and status of the object on the timeline might not match the category in Categories and status in the object lookup results due to different methods applied.
Additional information about web address
Kaspersky Threat Intelligence Portal provides additional information, displayed in separate
tables, about the web address that is being investigated. You can export data from these tables as separate
archives.
Additional information about web address
|
Table name
|
Description
|
Table fields
|
Comments
|
|
WHOIS
|
WHOIS information about domain for the requested we address.
|
Contact—Contact type (person or
organization).
Name—Contact name.
Role—Role of a contact (for example, owner).
Address—Postal address that is registered for
the IP address.
Phone / Fax—Phone/fax number of a contact.
Email—Email address of a contact.
|
—
|
|
DNS resolutions for domain
|
IP addresses that the domain for the requested web address resolves to.
|
Status—Status of IP addresses that the domain
for the requested web address resolves to.
Threat score—Probability that the requested
IP address will be dangerous (0 to 100).
Hits—Number of IP address detections by
Kaspersky expert systems.
IP—IP addresses. Items are clickable and take
you to the Threat Lookup page, where you can search for information about
the IP address. The flag of the country to which the IP address belongs is displayed. When you hover
your mouse over a flag, a tooltip with a country name appears.
First resolved—Date and time when the domain
for the requested web address first resolved to the IP address.
Last resolved—Date and time when the domain
for the requested web address last resolved to the IP address.
Peak date—Date of maximum number of domain
resolutions to the IP address.
Daily peak—Maximum number of domain
resolutions to the IP address per day.
|
Items in the table are grouped by status. Items in each group are sorted by the Threat score field in descending order.
|
|
Files downloaded from requested URL
|
Objects that were downloaded from the requested web address.
|
Status—Status of downloaded files.
Hits—Number of file downloads from the
requested web address as detected by Kaspersky expert systems.
File MD5—MD5 hash of the downloaded file.
Items are clickable and take you to the Threat Lookup page, where you can
search for information about the hash.
Last seen—Date and time when the file was last
downloaded from the requested web address, according to your computer local time zone.
First seen—Date and time when the file was first
downloaded from the requested web address, according to your computer local time zone.
Detection name—Name of the detected object (for
example, HEUR:Exploit.Script.Blocker).
|
Items in the table are grouped by status. Items in each group are sorted by the Last downloaded field in descending order.
|
|
Files that accessed requested URL
|
MD5 hashes of files that accessed the requested web address.
|
Status—Status of MD5 hashes of files that
accessed the requested web address.
Hits—Number of times the file accessed the
requested web address.
File MD5—MD5 hash of the file that accessed
the requested web address. Items are clickable and take you to the Threat
Lookup page, where you can search for information about the hash.
Last accessed—Date and time when the file
last accessed the requested web address.
First accessed—Date and time when the file
first accessed the requested web address.
Detection name—Name of the detected object (for
example, HEUR:Exploit.Script.Blocker).
|
—
|
|
Referrals to requested URL
|
Web addresses that refer to the requested web address.
|
Status—Status of web addresses that refer to
the requested web address.
URL—Web address that refers to the requested
web address. Items are clickable and take you to the Threat Lookup page,
where you can search for information about the web address. The length of the web address to be
investigated is limited to a maximum of 2000 characters; other characters will be ignored. In the message
window that opens, you will be asked to confirm that you still want to investigate the shortened web
address.
Last reference—Date and time when the
requested web address was last referred to.
|
Items in the table are grouped by status. Items in each group are sorted by the Last reference field in descending order.
|
|
Requested object linked, forwarded, or redirected to the
following URLs
|
Requested object links, forwards, or redirects to following web addresses.
|
Status—Status of web addresses that the
requested object links, forwards, or redirects to.
URL—Web address accessed by the requested web
address. Items are clickable and take you to the Threat Lookup page, where
you can search for information about the web address. The length of the web address to be
investigated is limited to a maximum of 2000 characters; other characters will be ignored. In the message
window that opens, you will be asked to confirm that you still want to investigate the shortened web
address.
Last reference—Date and time when the
requested web address last linked, forwarded, or redirected to listed web addresses.
|
Items in the table are grouped by status. Items in each group are sorted by the Last reference field in descending order.
|
|
URL masks
|
Masks of the requested web address domain, which were detected by Kaspersky expert
systems. If a mask is included in Threat Data Feeds, the feed names are also displayed.
|
Status—Status of web addresses covered by the
corresponding mask (Dangerous, Not
trusted, or Adware and other).
Type—Mask type.
Mask—Mask related to the domain of the
requested web address.
Each item in the list is clickable—you can click it to navigate to the Threat Lookup results page, which shows investigation results for the domain
mask. Investigation results are available only if you have a valid Threat Lookup license and have not
exceeded your quota for object investigation.
Feeds—Threat Data Feeds that contain the
domain mask of the requested web address. In this field, any of the following Threat Data Feeds can be
displayed: Malicious URL Data Feed, Phishing
URL Data Feed, and Botnet CC URL Data Feed. If a mask is
detected by Kaspersky expert systems, but not included in any of these Threat Data Feeds,
"—" is displayed.
Each item in this list is clickable—you can click it to navigate to the
corresponding Threat Data Feed on the Data Feeds page.
|
—
|
|
Spam attacks
|
Information about spam attacks associated with the requested web address.
|
Number of attacks—Number of spam attacks.
|
—
|
|
Phishing attacks
|
Information about phishing attacks associated with the requested web address.
|
Phishing status—Shows whether the requested
web address can be considered as a phishing one.
Number of attacks—Number of phishing attacks.
Phishing kit—Name of a phishing kit (a set of
materials and tools) used during the phishing attack.
Stolen data type—Type of data stolen during
phishing attack, for example, user names, passwords.
Attacked industry—Target industry of a
phishing attack.
Attacked organization—Target organization of
a phishing attack.
|
—
|
|
Phishing attack statistics
|
Graph showing the number of phishing attacks in the last six months.
|
—
|
—
|
Page top
[Topic GettingFullPath]
Getting full path of a file
To get a full path of a file,
Add the Path field value to an environment variable
based on the Location field value.
See example
For example, Kaspersky Threat Intelligence Portal displays the Location value for a file as ProgramFiles,
and the Path value as unchecky\bin, then
the full path to the file is C:\Program Files\unchecky\bin.
Full path of a file
|
Location value
|
Environment variables
|
|
Desktop
|
%PUBLIC%\desktop
%USERPROFILE%\desktop
|
|
Downloads
|
%PUBLIC%\downloads
%USERPROFILE%\downloads
%windir%\downloaded installations
|
|
Drive
|
A hard drive letter
|
|
InternetCache
|
%USERPROFILE%\local settings\temporary internet files
|
|
ProgramData
|
%ProgramData%
|
|
ProgramFiles
|
%ProgramFiles%
%ProgramFiles(x86)%
%ProgramW6432%
|
|
ProgramFilesCommon
|
%CommonProgramFiles%
%CommonProgramFiles(x86)%
%CommonProgramW6432%
|
|
RecycleBinFolder
|
%SystemDrive%\$Recycle.Bin\%SID%
|
|
RoamingAppData
|
%USERPROFILE%\appdata\roaming
|
|
Startup
|
%APPDATA%\microsoft\windows\start menu\programs\startup
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\startup
%ALLUSERSPROFILE%\start menu\programs\startup
|
|
System
|
%SystemRoot%
|
|
Windows®
|
%windir%
|
Page top
[Topic MaskTypes]
Mask type mapping
Expand all | Collapse all
This section contains descriptions of masked and non-masked domain and web address types. Click
the links in the Mask examples column to expand or collapse mapping
example blocks.
Descriptions of masked types
|
Mask class
|
Mask type
|
Blocks
|
Does not block
|
Mask examples
|
|
Domain mask
|
MASK_TYPE_DOMAIN
|
Content of the third and higher-level domains.
|
Content of the second-level domain and other domains.
|
*.subdomain.domain.com
Normalized blocked links
sub1.subdomain.domain.com
sub1.subdomain.domain.com/folder1/script.php?p1=1&p2=2
sub1.subdomain.domain.com/folder1/subfolder1/index.html
sub1.subdomain.domain.com/index.html
subdomain.domain.com/index
subdomain.domain.com
Normalized non blocked links
domain.com
domain.com/folder/
google.com/search?q=subdomain.domain.com/index.html
subdomain1.domain.com
|
|
Common mask
|
MASK_TYPE_FOLDER
|
Content of the folder which has other subfolders.
|
Content of subdomains and other folders.
|
subdomain.domain.com/folder/*
Normalized blocked links
subdomain.domain.com/folder/index.html
subdomain.domain.com/folder/folder1/index.html
subdomain.domain.com/folder/folder1/folder2/index.html
subdomain.domain.com/folder/
subdomain.domain.com/folder
Normalized non blocked links
subdomain.domain.com/index.html
subdomain.domain.com/folder2/index.html
subdomain1.subdomain.domain.com/folder/index.html
google.com/search?q=subdomain.domain.com/folder/index.html
google.com/search?q=domain.subdomain.domain.com/folder/
domain.com/folder/
172.12.168.2/folder/*
Normalized blocked links
Normalized non blocked links
|
|
Common mask
|
MASK_TYPE_SCRIPT
|
- Script with parameters.
- Script without parameters, but with a question mark (?).
|
- Content of subdomains and other folders.
- Scripts with no parameters and no question mark (?) at the end.
- Web addresses, which contain a substring that is not a part of the domain name.
For example,
http://www.domain.com/search?q=investigation§ion=all.
Here, q=investigation§ion=all is the query substring that was
generated when the "investigation" term was searched on the www.domain.com website.
|
domain.com/folder/load.php?*
Normalized blocked link examples
domain.com/folder/load.php?id=12&num=8
domain.com/folder/load.php?
Normalized non blocked links examples
domain.com/folder/domain.com/folder/folder/load.php
domain.com/folder/load.php
domain.com
google.com/search?q=domain.com/folder/load.php?id=12&num=8
domain.com/folder/load.jpg?*
Normalized blocked link examples
domain.com/folder/load.jpg?id=12&num=8
domain.com/folder/load.jpg?
Normalized non blocked links examples
domain.com
domain.com/folder/domain.com/folder/folder/load.jpg
domain.com/folder/load.jpg
172.12.168.2/load.php?*
Normalized blocked link examples
172.12.168.2/load.php?id=12&num=8
172.12.168.2/load.php?
Normalized non blocked links examples
172.12.168.2/folder/load.php
google.com/search?q=172.12.168.2/sp/fragus/load.php?
172.12.168.2
domain.com/.sys/?*
Normalized blocked link examples
domain.com/.sys/?id=4&num=5
domain.com/.sys/?
Normalized non blocked links examples
domain.com
domain.com/.sys/
google.com/search?q=piamedia.com/.sys/?id=12&num=8
domain.com/.sys/folder/??id=12&num=8
|
|
Common mask
|
MASK_TYPE_WILDCARD
|
Any sequence of characters other than an asterisk (*) that may appear. Any matches
with the mask are blocked.
|
- Web address if it does not have a match with the fixed part of the record.
- Web address if it does not start from the fixed (non-masked) part of the record.
|
domain.com/*/abc*.exe
Normalized blocked link examples
domain.com/folder1/abc.exe
domain.com/folder1/folder2/index.html/abc/file.exe
domain.com/folder/abcFile.exe
domain.com/folder/abcfolder/file.exe
Normalized non blocked links examples
sub.domain.com/folder1/abc.exe
google.com/search?q=domain.com/folder1/abc.exe
domain.com/abc.exe
domain.com/folder1/ab.exe
domain.com/folder1/abc.exe1
domain.com/folder1/abc.html
*.domain.com/*.php
Normalized blocked link examples
sub.domain.com/file.php
sub.domain.com/folder/file.php
sub.domain.com/folder1/folder2/index.php
sub1.sub2.domain.com/file.php
google.com/search?q=domain.com/folder/.domain.com/file.php
google.com/search?q=domain.com/folder/subdomain.domain.com/file.php
Normalized non blocked links examples
domain.com/script.php
domain.com/folder/script.php
sub.domain.com/script.php?id=3
sub.domain.com/folder/index.html
google.com/search?q=domain.com/run.php
domain.com/fol*.exe
Normalized blocked link examples
domain.com/folder1/file.exe
domain.com/fol.exe
domain.com/folder1/folder2/file.exe
domain.com/fol/script.php?id=.exe
Normalized non blocked links examples
sub1.domain.com/folder1/file.exe
domain.com/folder/index.html
google.com/search?q=domain.com/folder1/abc.exe
domain.com/abc*/file.exe
Normalized blocked link examples
domain.com/abcfolder/file.exe
domain.com/abcfolder1/folder2/folder3/file.exe
domain.com/abc/file.exe
Normalized non blocked links examples
sub1.domain.com/file.exe
domain.com/abcfile.exe
domain.com/abc/file.html
domain.com/abc/file.exe?id=4
google.com/search?q=domain.com/abc/file.exe
domain.com/abc
google.com/search?q=abc.com/folder/domain.com/file.php
*.domain.com/file.exe
Normalized blocked link examples
sub1.domain.com/file.exe
google.com/search?q=sub.domain.com/file.exe
172.12.168.2/folder/...domain.com/file.exe
Normalized non blocked links examples
sub.domain.com/file.exe/script.php
domain.com/file.exe
|
Descriptions of non-masked types
|
Mask class
|
Mask type
|
Blocks
|
Does not block
|
Mask examples
|
|
Second-level domain
|
MASK_TYPE_DOMAIN2_OBJECTS
|
Domain, all its subdomains, all contents of the domain and of all its subdomains.
|
Links containing the domain as a substring that is not a domain of any level.
|
domain.com
Normalized blocked links
domain.com/folder
www2.a.domain.com
www2.a.domain.com/index.php
www2.a.domain.com/folder/start.html
a.a.a.dfdfdf.fsdfsdf.a.a.domain.com/dsd.exe/asd.jpg
domain.com/script.php?p1=1&p2=2
Normalized non blocked links
google.com/search?q=a.domain.com/1.exe
domain.ru/folder/a.domain.com/index.html
|
|
Third-level and higher-level domains
|
MASK_TYPE_DOMAIN3_OBJECTS
|
All objects (files, folders, scripts), encountered on the domain level only.
|
Links to sites located on other domain levels.
|
subdomain.domain.com
Normalized blocked links
subdomain.domain.com/1.txt
subdomain.domain.com/somefolder/1.txt
subdomain.domain.com/folder
Normalized non blocked links
mydomain.subdomain.domain.com
mydomain.subdomain.domain.com/folder
mydomain.subdomain.domain.com/folder/index.html
domain.com/search.php
domain.com/folder
google.com/search?q=subdomain.domain.com
chat.subdomain.domain.com
Normalized blocked links
chat.subdomain.domain.com/mychat
chat.subdomain.domain.com/script.php
chat.subdomain.domain.com/script.php?p1=1
chat.subdomain.domain.com/script.php?p1=1&p2=2
chat.subdomain.domain.com/mychat/script.php?p1=1
Normalized non blocked links
www2.chat.subdomain.domain.com
www2.chat.subdomain.domain.com/folder
www2.chat.subdomain.domain.com/folder/index.html
subdomain.domain.com/ololo.exe
subdomain.domain.com/chatfolder
subdomain.domain.com/mychat
google.com/search?q=subdomain.domain.com
|
|
Domain with folder or file
|
MASK_TYPE_DOMAIN_FOLDER
|
Exact matches or links that contain the match with a subfolder or file. It is
intended to prohibit the download or execution from a specific folder or file.
|
Links to items in folders that are lower than the level of the last folder or file in
the record.
|
domain.com/script.php
Normalized blocked links
domain.com/script.php
domain.com/script.php/subfolder
domain.com/script.php/file.exe
domain.com/script.php/run.php?id=1
domain.com/script.php/run.php?p1=1&p2=2
domain.com/script.php/?p1=1&p2=2
Normalized non blocked links
domain.com/script.php/subfolder/page.html
domain.com/script.php/subfolder1/folder2/file.cgi
domain.com/script.php?p1=1&p2=2
www2.domain.com/script.php
subdomain.domain.com/script.php/subfolder
domain.www.domain.com/script.php/file.exe
domain.com/script.php.php
domain.com/script.php.php?id=2
google.com/search?q=domain.com/script.php
172.17.0.1/setup.exe
Normalized blocked links
172.17.0.1/setup.exe
172.17.0.1/setup.exe/folder
172.17.0.1/setup.exe/file.exe
172.17.0.1/setup.exe/run.php?id=2
172.17.0.1/setup.exe/run.php?p1=1&p2=2
Normalized non blocked links
subdomain.172.17.0.1/setup.exe
172.17.0.1
172.17.0.1/setup.exe?id=5&num=5
google.com/search?q=172.17.0.1/setup.exe
172.17.0.1/pid=1000/setup.exe
Normalized blocked links
172.17.0.1/pid=1000/setup.exe
172.17.0.1/pid=1000/setup.exe/index.html
172.17.0.1/pid=1000/setup.exe/run.php?id=2
172.17.0.1/pid=1000/setup.exe/run.php?p1=1&p2=2
Normalized non blocked links
172.17.0.1/pid=1000
172.17.0.1/pid=1000/setup.exe?id=5&num=5
subdomain.172.17.0.1/pid=1000/setup.exe
172.17.0.1/pid=1000/setup.exe/folder/index.html
google.com/search?q=172.17.0.1/pid=1000/setup.exe
google.com/search?q=172.17.0.1/pid=1000/setup.exe/index.html
google.com/search?q=172.17.0.1/pid=1000/setup.exe/folder/index.html
domain.com/d/12
Normalized blocked links
domain.com/d/12
domain.com/d/12/index.html
domain.com/d/12/folder
domain.com/d/12/script.php?p1=1&p2=2
Normalized non blocked links
domain.com/d/12/folder/script.aspx
domain.com/d/12/34/index.html
www2.domain.com/d/12
subdomain.www2.domain.com/d/12
domain.com/d/12.php
domain.com/d/12.php?id=2
google.com/search?q=domain.com/d/12
google.com/search?q=domain.com/d/12/script.php?p1=1&p2=2
172.17.0.1/x
Normalized blocked links
172.17.0.1/x
172.17.0.1/x/folder
172.17.0.1/x/index.html
172.17.0.1/x/script.php?p1=1&p2=2
Normalized non blocked links
172.17.0.1
172.17.0.1/x/folder/script.aspx
subdomain.172.17.0.1/x
172.17.0.1/x/12/index.html
172.17.0.1/x/12/script.php?p1=1&p2=2
google.com/search?q=172.17.0.1/x
domain.com/script.php?
Normalized blocked links
domain.com/script.php?
domain.com/script.php?/index.html
domain.com/script.php?/script.php?p1=1&p2=2
Normalized non blocked links
domain.com/script.php
domain.com/script.php?id=2
domain.com/script.php/folder/index.html
sub.domain.com/script.php?
google.com/search?q=domain.com/script.php?
domain.com/folder/?
Normalized blocked links
domain.com/folder/?
domain.com/folder/?/index.html
domain.com/folder/?/folder
Normalized non blocked links
domain.com/folder/
domain.com/folder/?id=4&count=7
sub.domain.com/folder/?
google.com/search?q=domain.com/folder/?
|
|
Script with specific parameters
|
MASK_TYPE_SCRIPT_PARAMS
|
Links with a matching set of parameters that are located in the specific domain.
|
- Links that contain additional parameters (other than those indicated in the
record).
- Script without any parameters.
- Script with the parameters specified in the record, provided that it is located
on another domain level.
|
domain.com/get.php?p=4&id=2
Normalized blocked links
domain.com/get.php?p=4&id=2
Normalized non blocked links
www3.domain.com/get.php?p=4&id=2
subdomain.domain.com/get.php?p=4&id=2
domain.com/get.php?p=4&id=2&p1=333
www3.domain.com/get.php?p=4&id=2&p1=333
subdomain.domain.com/get.php?p=4&id=2&p1=333
google.com/search?q=domain.com/get.php?p=4&id=2
domain.com/get.php?p=4&id=2/subpath/file
domain.com/get.php?id=2&p=4
|
Page top
[Topic Exporting]
Exporting investigation results
Kaspersky Threat Intelligence Portal enables you to export investigation results about requested
objects for further analysis. You can export the following data:
- Investigation results from all tables that are available for the requested object.
- Specific investigation results from a selected table.
You can run another request in a separate browser tab or window while Kaspersky Threat
Intelligence Portal prepares and downloads a file with the investigation results of your previous request.
To export all investigation results:
- On the Threat Lookup () → Threat Lookup results page, click Export results at the top of the Threat Lookup
results page.
- In the drop-down list, select the file format that you want to export investigation
results to: CSV
archive, OpenIOC, or STIX.
For reserved IP addresses, only CSV archive
format is available. The archive will only contain IpProperties.csv and WHOIS.csv files.
The Save As window opens.
Preparing a file with all investigation results for download may take several minutes.
Kaspersky Threat Intelligence Portal exports up to 1000 items from each data
group.
- Select the location and click Save.
The file with investigation results for the requested object from all available data
groups is saved to the specified location.
Detailed information about exporting results in various formats is provided in the following
sections in Appendices.
To export investigation results from a selected data group:
- On the Threat Lookup () → Threat Lookup results page, click the Download data button near the name of the table that contains data you want to
export.
The Save As window opens.
Kaspersky Threat Intelligence Portal exports up to 1000 items from a data group.
- Select the location and click Save.
You can change the file name if necessary.
See a file name example
If you export investigation results for the hash 7F1698BAB066B764A314A589D338DAAE in the File
paths data group, the file will have the following name by default:
7F1698BAB066B764A314A589D338DAAE-FilePaths-en.zip
Here:
7F1698BAB066B764A314A589D338DAAE is the
requested hashFilePaths is the name of the data group
The archive containing a CSV file with investigation results from the data group is saved to the
specified location.
Page top
[Topic ResearchGraph]
Research graph
Kaspersky Threat Intelligence Portal research graph is an analytical tool for visualizing
relationships between various types of objects (files, web addresses, domains, IP addresses, actors, or reports)
analyzed and detected during the research.
The information in graphs is presented as nodes (for objects)
and relationships that show connection between the nodes. Each object on the
research graph can be represented by only one node. Node types are described in the table below.
Research graph nodes
|
Node
|
Description
|
|
Object
|
Node for representing an object on a research graph.
|
|
Section
|
Additional node for displaying different variants of the parent object (file) node
relationship to derived nodes.
|
|
Group
|
Group nodes that unite several objects of the same type related to one parent object
(for example, a group of files extracted from one archive).
|
When the research graph represents analysis results for the object submitted to Kaspersky Threat
Intelligence Portal, this object is shown as the node of the research graph. This includes group nodes for the
files transferred or dropped during file execution in the Kaspersky Sandbox, groups of web addresses and domains
accessed during execution.
You can create your own research graphs or edit existing graphs for the analyzed objects. Your
personal limit for graphs is displayed on the Research Graph (
)
page. When you exceed your limit, you need to delete unnecessary research graphs or apply for a quota increase.
The research graph data is updated only based on the results of lookups initiated by the user
editing the research graph.
Page top
[Topic ViewGraphList]
Viewing a list of research graphs
Kaspersky Threat Intelligence Portal allows you to view a list of available research graphs on
the Research Graph () page.
You can select a list or tiles view mode.
In the list view mode, research graph information described in the table below is displayed.
Research graphs list
|
Table field
|
Description
|
|
Name
|
Research graph name.
|
|
Created by
|
User name (login) of the user who created a research graph.
|
|
Date created
|
Date and time when a research graph was created.
|
|
Last modified
|
Date and time when the research graph was last modified.
|
|
Actions
|
Actions you can perform to a research graph depending on your access rights.
|
In the tiles view mode, research graph names, names of users who created a graph, previews, and
available actions are displayed.
Page top
[Topic CreatingGraph]
Creating a research graph
Kaspersky Threat Intelligence Portal allows you to create a research graph automatically or
manually.
To create a research graph automatically:
- On the Threat Lookup () → Lookup page, select the object you want to create a research
graph for, and click the Open in research graph button.
The research graph editor window opens.
- Enter a name for a new research graph and edit its elements if necessary.
- Click the Save this graph button (
).
To create a research graph manually:
- On the Research Graph () page, click the Create graph button.
- Enter a name for a new research graph.
- Add required nodes and relationships between them.
- Click the Save this graph button ().
Page top
[Topic ViewingGraph]
Viewing a research graph
You can view available research graphs on the Research Graph
() page.
To view a research graph, perform one of the following actions:
- In the list view mode, click the required research graph name.
- In the tile view mode, click the required research graph preview.
The selected research graph opens.
To search for a certain node in a research graph:
- In the research graph editor window, click the Find node
button (
).
- In the Node name field, enter the node you want to find.
- Click Find.
Kaspersky Threat Intelligence Portal locates the requested node in the center of the research
graph editor window and marks it with a blue circle.
To zoom in or out:
- Use a mouse wheel or touch pad scroll movement.
- Move the mouse pointer to the scale icon (N%) in the
lower right corner on the graph editor window. In the toolbar that opens, click the plus button (
) to zoom in or click the minus button (
) to zoom out.
To view a research graph in full screen mode,
Move the mouse pointer to the scale icon (N%) in the
lower right corner of the graph editor window. In the toolbar that opens, click the full screen mode button (
).
To go back to regular view mode,
Click Esc or move the mouse pointer to the scale icon
(N%) and click the regular view mode button (
) in the toolbar that opens.
Page top
[Topic RenamingGraph]
Renaming a research graph
You can rename research graphs you created.
To rename a research graph in a graphs list:
- On the Research Graph () page, click the Rename button () for the required research graph.
The Rename
graph window opens.
- In the Name field, edit the research graph name.
- Click the Rename button.
To rename a research graph while editing:
- Open the required research graph.
- Edit the research graph name at the top of the page.
- Click the Save this graph button ().
Page top
[Topic GraphCopy]
Copying a research graph
You can copy an existing research graph.
To copy a research graph in a graphs list:
- On the Research Graph () page, click the Create a copy button (
) for the required research graph.The Copy
graph window opens.
- In the Name field, enter a name for a new research
graph.
By default, the new name has the following format: <original research graph name> (Copy).
- Click the Copy graph button.
The new research graph appears in the list of research graphs.
To rename a research graph while editing:
- Open the required research graph.
- Click the Create a copy button () for the required research graph.
The Copy
graph window opens.
- In the Name field, enter a name for a new research
graph.
By default, the new name has the following format: <original research graph name> (Copy).
- Click the Copy graph button.
The new research graph is displayed in the editor window, you can start editing it, if
necessary. Also, it appears in the list of research graphs on the Research Graph
() page.
Page top
[Topic DeletingGraph]
Deleting a research graph
Kaspersky Threat Intelligence Portal allows you to delete one or several research graphs
simultaneously.
You can delete only the graphs you created. Only a group administrator can delete graphs
created by other users.
To delete one or several research graphs:
- On the Research Graph () page, select one or several research graphs that you want to delete.
- Click the Delete button (
).The button becomes available if at least one research graph is selected.
You can also delete a research graph while editing it.
To delete a graph:
- Open the required research graph.
- Click the Delete this graph button at the top of the research graph page.
Please
distinguish between the Delete this graph button () for deleting the research graph (at the top) and Delete selected
nodes button () for deleting the nodes (on the left).
- In the window that opens, click the Delete this graph
button to confirm research graph deletion.
Page top
[Topic EditGraph]
Editing a research graph
You can edit research graphs you created.
You cannot edit the research graph of another user: you only can save it with another name
after editing, or create a copy of a graph before editing.
To edit a research graph:
- Open the required research graph.
- Edit the research graph elements.
- Click the Save this graph button ().
Page top
[Topic AddElement]
Adding a new research graph element
This section explains how you can add objects and relationships to a research graph.
Adding objects to research graphs
The following objects can be added to research graphs:
To add an object through Object lookup:
- Create a new research graph or open an existing research graph for editing.
- In the Object lookup field, specify the object you want
to add to the research graph.
- In the Search only in subsection, select the section for
the object search from the following options:
- IOC (selected by default)
- Reports
- Actors
The specified object is added to a research graph with the related objects.
If the specified object is not found, you can add a custom object manually (see the
procedure below) or edit the search request. For actors, Kaspersky Threat Intelligence Portal searches for an
exact name match.
Note that the Threat Lookup quota is reduced when you specify the object to look
for and then add it to the research graph. The number of available quotas is displayed under the filled-in
Object lookup field.
To add an object manually:
- Create a new research graph or open an existing research graph for editing.
- Click the Create object button (
) on the left side of the graph editor window.If you search for an object
and it is not found, the Create object button is also displayed in the Object lookup field.
- In the window that opens, select the type of new object in the Object type drop-down list: Hash, Host, URL, IP,
Actor, Report, or Custom.
- Select the status of the new object in the Node status drop-down
list.
- Enter the new node name.
- If necessary, enter a comment for the node.
- Click Create node to add the object node to the graph.
Please note, the Summary and other sections are not
displayed when you add a node manually.
If you try to add a node of the object that is already presented in the graph (for example,
a file with the same hash), this new node will not be created. Instead, the existing node with the same parameter
will be highlighted in the research graph for your attention. The existing nodes are highlighted regardless of the
way you added objects to the research graph - through Object lookup or
manually.
Adding relationships to research graphs
To add a new relationship:
- Click the wand button (
) on the left
side of the graph editor window to turn the relationships creation mode on.
- Click the node you want to start a relationship from.
- Click another node you want the relationship to reach.
The
relationship is created.
- Click the wand button () to turn the
relationships creation mode off.
Page top
[Topic ViewElementInfo]
Viewing an element's details
Kaspersky Threat Intelligence Portal allows you to view detailed information about specific
objects represented by nodes on research graphs.
Detailed information is not displayed for the following:
- Group nodes
- Section nodes
- Manually added object nodes
To view an object's detailed information,
Right-click the node and select Show detailed info.
In the window that opens, the lookup information for the object represented by this node is displayed.
You can like or unlike a report using the like (
) icon.
Also, when you hover your mouse over a specific object node, brief information for this node is
displayed. Brief information about group nodes and section nodes is not provided.
Page top
[Topic ViewConnectedObjects]
Viewing connected objects
This section explains how to view connected objects for object nodes on research graphs.
To view connected objects:
- Find a required object node.
- Right-click on it and select Show connected objects.
Available data groups and corresponding object numbers are listed.
- Select the section you want to expand on the research graph.
If
the section contains four or less objects, they are linked to the group node as separate object nodes.
If the section contains more than four objects, the extra objects can be found in the
group node +(N) items, where N is the number of objects hidden in the group
node.
Depending on the confidence level, similar files for a hash are displayed on a graph as separate section nodes.
- If necessary, right-click the group node and select the Show
grouped nodes option to open a table with the parameters of the objects.
If you
click the open lookup page (
) icon in the Actions column, Kaspersky Threat Intelligence Portal opens a side-bar with the
lookup data for the specific object. At the top of the side-bar, click the open lookup page () icon again to display the Threat Lookup page
with detailed information about the object.
You can search specific items in the list by typing the identifier or part of it in the
Search field.
- If necessary, select one or several required objects and click the Move to graph button.
Selected objects will be added to
the research graph and deleted from the table.
Page top
[Topic MovingElements]
Moving research graph nodes
To move a node,
Place the mouse pointer on the node and drag it.
To move several nodes:
- Select nodes in one of the following ways:
- Press and hold Ctrl, click in the empty area near one
of the nodes and drag the rectangular selector to cover all required nodes. Release the mouse button to
finish the selection.
- Click the required nodes one by one. All previously selected nodes remain selected.
The nodes are unselected if you click in the empty area of the graph.
- Place the mouse pointer on one of the selected nodes and drag it.
All the selected nodes will move.
Page top
[Topic DeleteElement]
Deleting a research graph element
To delete a node,
Right-click the node and select Remove node.
The node is deleted. If the selected node is part of a section node, it is deleted and
other nodes in the section remain on the graph.If you delete an object node related to a section node, it is moved
to the group node of this section. If the group node does not exist, Kaspersky Threat Intelligence Portal creates
it.
To delete a section node,
Right-click the node and select Remove section with
nodes.
All nodes in the section node are deleted.
If you delete a section node, the following information about the nodes remains hidden on the
graph:
- Group node of the section
- Object nodes related to the section, if they have no other relationships
A group node is also automatically deleted if you move all its member nodes to the graph.
To delete a relationship,
Right-click the relationship and select Delete.
You can delete only manually added relationships.
If you delete elements from the research graph created for the analyzed file, it will not
affect the file analysis report. This means that the next time you use the Create
graph button in the file report or Object lookup functionality in the
graph editor, you will obtain the original graph again.
Page top
[Topic Reporting]
Reporting
This section explains how you can search for APT Intelligence, Crimeware Threat Intelligence,
and Industrial reports using Kaspersky Threat Intelligence Portal. You will also know how to view actor profiles.
If you are using a demo version of the service, the Reporting service has several
limitations. For more information, see section About the license.
APT Intelligence reports
Provides you with exclusive, proactive access to the descriptions of high-profile
cyber-espionage campaigns, including associated indicators of compromise (IOCs).
APT actor profiles
General overview, actor's suspected country of origin, different aliases used, victimology and
previous targets, descriptions of past campaigns, toolset, and external references. All of the reports related to
the actor are also provided.
Crimeware Threat Intelligence report
Provides exclusive, in-depth actionable intelligence reporting covering the following types of
reports: detailed description of malware (popular, widespread or made noise/hype malware); malware campaigns
(widespread, dangerous); researcher notes/early warnings (sneak peek at warnings on new or updated malware
threats); detailed description of threats targeting financial institutions and tools used by cybercriminals to
attack banks, payment processing companies, ATMs and POS systems.
Crimeware actor profiles
Similar to APT actor profiles, the new technical descriptions section for crimeware actors
allows security professionals to track actors and their networks, understand their own visibility and gaps, as
well as overlap TTPs against the MITRE ATT&CK matrix.
Industrial Threat Intelligence reports
Heightened intelligence and awareness of malicious campaigns targeting industrial organizations,
as well as information on vulnerabilities found in the most popular industrial control systems and underlying
technologies.
Page top
[Topic ViewingAllReports]
Viewing all available reports
If you are using a demo version of the service, the Reporting service has several
limitations. For more information, see section About the license.
Report files in any format, including Master YARA and Master IOC, are marked TLP:AMBER.
Downloaded reports can only be shared within your company, and must not be distributed externally, unless
specified otherwise in the downloaded file.
Available reports are displayed on the Reporting (
) page.
For each report, the following information is displayed:
- Date—Date when a report was published. Reports in
the list are sorted by the publication date from most recent to earliest. If necessary, you can use the filter
() to narrow the amount of displayed results. Use the date pickers (calendar) or
predefined filters (Month or Year) to
specify a certain period and click Apply.
- Group—Group that the report belongs to: APT for APT Intelligence reports, Crimeware for
Crimeware Threat Intelligence reports, Industrial for Industrial reports. If
necessary, you can add or remove other report types using the filter () in the Group column. By default, all types of reports are selected.
- Report ID—Report identifier. You can click the
item to copy it or open a new tab with detailed report description.
- Report—Report name, a brief summary, and links for
downloading a report for further analysis in various formats. If necessary, you can use the filter () to display all (the All option), only commercial
reports (the Commercial option) or only demo reports (the Demo option).
Reports that appeared after your last visit
to the Reporting page are marked as New.
Reports that were updated after your last visit are marked as Updated.
Reports that are available for viewing and downloading without a commercial license are marked as DEMO.
Some of the displayed reports may not be available if you do not have the appropriate
license. You
can view information about these reports by following the link in the unavailability notice (), or by selecting the Demo option in the filter in the Report column.
You can like or unlike a report using the like () icon.
Summary and links for downloading are displayed only for reports that are available to you according to your
organization's license.
- Tags—Tags related to reports. You can specify required tags
using the filter () to narrow the report search. The number of selected tags of each type
is displayed by the type name. If necessary, clear tags selection by clicking the Clear filters button.
You can download reports in any of the available formats using links under the report summary
for further analysis.
Available formats depend on the permissions, set by your administrator, to download
reports. If you do not have permissions to download reports, no links will be displayed.
- YARA Rule (if available)
A
report in YARA Rules format is displayed.
For more information on YARA Rules, see https://yara.readthedocs.io.
By default, the format of the file name is as follows: <REPORT_NAME>.yara.
- Suricata (if available)
A file
that contains Suricata rules associated with the report.
By default, the format of the file name is as follows: <REPORT_NAME>.rules.
- IOC (if available)
An OpenIOC
file that includes a description of IOCs (indicators of compromise) for the following object types: MD5
hashes, domains, web addresses, and IP addresses.
Kaspersky Threat Intelligence Portal supports IOC files that use open standard for IOC
description—OpenIOC version 1.0. For more information on OpenIOC files, see http://www.openioc.org.
By default, the format of the file name is as follows: <REPORT_NAME>.ioc.
- Report (if available)
A PDF
report. You can select the required language from a drop-down list if a report is available in several
languages.
By default, the format of the file name is as follows:
<REPORT_NAME_language>.pdf.
- Executive summary () (if available)
A brief report summary for business purposes in PDF. You can select the required
language from a drop-down list if an executive summary is available in several languages.
By default, the format of the file name is as follows:
<SUMMARY_NAME_language>.pdf.
If you download an updated version of the report that you downloaded before, the number of
available downloads does not decrease.
If necessary, you can download the following reports if you have the corresponding permissions:
- Master YARA
A report that includes all available reports at Kaspersky Threat Intelligence Portal in
YARA Rules format.
Click the Master YARA button and select the required
report type in the drop-down list:
- Master YARA APT
for APT Intelligence reports
- Master YARA Crimeware for Crimeware Threat Intelligence reports
- Master YARA Industrial for Industrial reports
By default, the file name is master.yara.
- Master IOC
A report that includes descriptions of IOCs (indicators of compromise) for the
following object types: MD5 hashes, domains, and IP addresses in CSV file format. The file contains
information from reports.
Click the Master IOC button and select the required
report type in the drop-down list:
- Master IOC APT for
APT Intelligence reports
- Master IOC Crimeware for Crimeware Threat Intelligence reports
- Master IOC Industrial for Industrial reports
The first string in the file contains columns names:
UID—ID of a reportPublication—Name of a reportIndicator—Object's type: md5-hash, domain, or IPDetectionDate—Detection date in YYYY-MM-DD formatIndicatorType—Type of indicator: md5Hash or networkActivity
Starting from the third string, each string contains a description of a separate
indicator of compromise.
By default, the file name is master.ioc.
Page top
[Topic SearchingReports]
Searching for a specific report
If you are using a demo version of the service, the Reporting service has several
limitations. For more information, see section About the license.
Report files in any format, including Master YARA and Master IOC, are marked TLP:AMBER.
Downloaded reports can only be shared within your company, and must not be distributed externally, unless
specified otherwise in the downloaded file.
To search for a specific report,
In the Search field on any Kaspersky Threat Intelligence
Portal page, enter search criteria (report name or certain words) and press Enter.
You can put double quotes around the entire search string you enter to search for a report
by its full name or by an exact phrase in a description.
Kaspersky Threat Intelligence Portal displays search results on the Reporting () page.
Page top
[Topic ViewReportDescription]
Viewing report description
If you are using a demo version of the service, the Reporting service has several
limitations. For more information, see section About the license.
To view a report detailed description:
- Open the Reporting () page of Kaspersky Threat Intelligence Portal.
Kaspersky Threat
Intelligence Portal will display a list of all available reports.
- If necessary, use filters in the Group column
to search for a specific report group.
- In the Report ID column, click the required report ID
and select View in new tab in the drop-down list.
The report description opens in new tab.
You can like or unlike a report using the like () icon.
Kaspersky Threat Intelligence Portal provides the following information about reports.
Report details
|
Field
|
Description
|
|
Report name
|
Report name.
|
|
Published
|
Date and time when the report was published.
|
|
Tags
|
Tags related to the report.
|
|
Details
|
Brief summary of the report.
|
|
Download
|
Links for downloading the report for further analysis in various formats.
Available formats depend on the permissions, set by your administrator, to download
reports. If you do not have permissions to download reports, no links will be displayed.
|
Page top
[Topic SearchingProfiles]
Searching for actor profiles
If you are using a demo version of a reporting service, viewing actor profiles may be
limited. For more information, see section About the license.
All APT and Crimeware actor profiles that are available for you, according to your group's
license and your permissions, are displayed on the Actors tab of the (Reporting () page. You can view all available actor profiles
(All actors) or select a certain type of actor profile (APT actors or Crimeware actors). For each actor,
general information is displayed.
General information about an actor
|
Field
|
Description
|
|
General information
|
General information about actor:
|
|
Aliases
|
Number of actor aliases.
|
|
Industries
|
Number of industries related to the actor.
|
|
Countries
|
Number of countries related to the actor.
|
|
TTPs
|
Number of TTPs descriptions for the actor.
|
|
Reports
|
Number of reports, in which the actor is mentioned.
|
Clicking a certain actor profile takes you to the page with the detailed description.
To search for a specific actor profile:
- On any Kaspersky Threat Intelligence Portal page, in the Search field, type an actor name or part of the name and press Enter.
The Threat Lookup
page opens. On the Actor tab, all actor profiles matching your search
criteria are displayed.
- If necessary, you can filter displayed actor profiles by type:
- Select APT actors to display profiles for
APT-related actors
- Select Crimeware actors to display profiles for
Crimeware actors
- Click the actor profile you want to open.
On the actor profile page, detailed information for an actor is displayed.
Actor profile sections
|
Section
|
Description
|
|
General information
|
General information about actor, including the name, unique icon, aliases, and
industries.
|
|
Description
|
Information about actor:
- General description
- Main activity
- Main malware families used
- Main external references (clickable)
|
|
Geography
|
Worldwide cybermap, countries mentioned in the reports for the actor are marked with
color. When you hover your mouse over a specific country, the number of reports for that country is shown.
To the right of the cybermap, countries and number of reports for the selected
country are displayed.
|
|
TTPsMITRE
|
Known TTPs and mapping with the MITRE ATT&CK classification for the actor
displayed in MITRE ATT&CK and MITRE PRE-ATT&CK matrices.
All items in the matrices and in the table are clickable and navigate you to the TTPs
descriptions on the MITRE website.
Descriptive TTPS tab displays direct links to TTPs
descriptions at the MITRE
website. For easier searching, links are divided into three sections: Implants, Infrastructure, Intrusion vectors.
|
|
Actor YARA / Actor
IOC
|
Buttons for downloading Master files that contain information about
the reports:
Actor YARA—Actor Master YARA file
Actor IOC—Actor Master IOC file
Buttons for downloading Master files are available if you have purchased the
corresponding commercial license and permissions to download files, set by your administrator.
|
|
Reports
|
Reports, in which the actor is mentioned. For each report, the following information is
displayed:
- Date—Date when a report was published.
Reports in the list are sorted by the publication date from most recent to earliest.
- Group—Report group: APT for APT Intelligence reports, Crimeware for Crimeware Threat Intelligence reports, Industrial for Industrial reports.
- Report—Report name, its brief summary,
and links for downloading a report for further analysis in various formats. You can like or unlike a report
using the like () icon.
- Tags—Tags related to reports.
|
Page top
[Topic DownloadingMasteFiles]
Downloading Master files for actor profiles
If you are using a demo version of the service, the Reporting service has several
limitations. For more information, see section About the license.
Master files are ZIP archives that contain all YARA/IOC files from all reports related to the
selected Actor profile and which are available depending on the user's permissions.
To download Master files:
- Open the actor profile that you want download Master files for.
The
Actor YARA and Actor IOC buttons are
displayed.
Actor YARA and Actor
IOC buttons are active (clickable) if there are files to be included in the archives and you have
permissions to download Master files for Actor profiles.
- Download Master files:
Page top
[Topic LikingReports]
Liking a report
Kaspersky Threat Intelligence Portal allows you to like or unlike reports. You can like a report
on the following pages:
To like a specific report:
- Click the like () icon next to the information about the
report.
The icon shows selected status.
- If necessary, click the selected like (
)
icon to unlike the report.
Page top
[Topic ThreatAnalysis]
Threat Analysis
This section explains how you can execute files and emulate opening of web addresses in safe
environments that are isolated from your corporate network using Kaspersky
Sandbox, Similarity, and Kaspersky Threat Attribution Engine technologies.
After you upload a file to the selected environment or start the web address analysis, Kaspersky
Threat Intelligence Portal displays various results, including a graphical representation. Execution results can
be downloaded as archives. All results, or data from certain sections, can be downloaded for
further analysis.
During file execution, screenshots are taken for each change in the file execution environment.
You can view screenshots online, or you can download all of them as an archive.
You can also analyze objects by using the Kaspersky Threat Intelligence Portal API.
Using Kaspersky Threat Attribution Engine technology, Kaspersky Threat Intelligence Portal
automatically analyzes the "genetics" of malware, looking for code similarities with previously
investigated advanced persistent threat (APT) samples and linked attribution entities. The portal compares the
"genotypes" (small binary pieces of analyzed files) with the APT malware samples database and provides a
report on malware origin, attribution entities, and file similarity with known APT samples.
When you send a file for analysis, Kaspersky Threat Intelligence Portal uses the Kaspersky
Threat Attribution Engine technology to find genotypes and strings, and compares them with known genotypes and
strings. As a result of this comparison, the analyzed file can be associated with one or more known attribution entities. An attribution entity is an actor, campaign, or known
malware, or a combination of these three aspects.
For more information, please see Kaspersky Threat Attribution Engine documentation.
Using machine-learning (ML) methods, Kaspersky Threat Intelligence Portal searches for files
that are similar to the analyzed file. Kaspersky systems extract the analyzed file features and detect similar
malicious files. Information about similar files can be used in an incident response to search more extensively
for modifications and variations of a malicious object. Also, this information allows you to optimize perimeter
protection from certain threat and take into account different modifications and variations of a malicious object.
On the Threat Analysis (
) page, available usage quotas for Kaspersky Sandbox, Similarity, and Kaspersky Threat Attribution
Engine technologies are displayed. If necessary, you can apply for a quota increase for a corresponding technology
by clicking the Increase your quota link. In the side-bar that opens, you have
to add a comment if necessary, and click Send.
Analysis results are displayed in the History table on the
Threat Analysis page. You can click the required task area to expand it and view
more details.
The Active tab displays the latest 1000 task results. Older task
results are displayed on the Archived tab.
Result history table
|
Table field
|
Description
|
|
Created
|
Date and time when a task was created.
|
|
Object
|
Submitted object name.
When expanded, the following information is displayed:
|
|
Details
|
Task execution state, and the status of Kaspersky Sandbox, Similarity, and Kaspersky
Threat Attribution Engine technologies for the analyzed object.
Displayed status depends on the technology you selected for object execution.
The History table displays the object status
defined at the moment the request was processed.
Task execution state is displayed near the corresponding technology name. If the task
execution fails, the error reason is displayed.
For Kaspersky Sandbox, status can be one of the following:
- Good/Clean—Object is not malicious.
- Dangerous/Malware—There are malicious objects related to the analyzed object.
- Adware and other—There are objects
related to the analyzed objects, which can be classified as Not-a-virus.
- Not trusted—Object is categorized as Infected or Compromised.
- Not categorized—No or insufficient
information about the object is available to define status, or task execution failed.
For Kaspersky Threat Attribution Engine, status can be one of the following:
- Found—Object is assigned to an attribution
entity.
- Not found—Object is not assigned to an
attribution entity.
- Not categorized—No or insufficient
information about the object is available to define status, or task execution failed.
For Similarity technology, status can be one of the following:
- Similar files found—Files that are
similar to the submitted file have been detected.
- Similar files not found—Files that are
similar to the submitted file have not been detected.
- Not categorized—No or insufficient
information about the object is available to define status, or task execution failed.
When expanded, the following information about task parameters is displayed:
For Kaspersky Sandbox technology:
- MD5—MD5 hash of the executed file. You
can click the item to copy it to the clipboard, and then search for information about the MD5 hash on the
Threat Lookup page.
- SHA1—SHA1 hash of the executed file. You
can click the item to copy it to the clipboard, and then search for information about the SHA1 hash on the
Threat Lookup page.
- SHA256—SHA256 hash of the executed file.
You can click the item to copy it to the clipboard, and then search for information about the SHA256 hash
on the Threat Lookup page.
- File name—Name of the executed file.
- File type—Automatically detected
type of the executed file.
- File size—Size of the executed file in
bytes.
- Execution environment—Selected
environment (operating system) for file execution. If you did not specify the execution environment,
Kaspersky Threat Intelligence Portal automatically selects the optimal environment for executing your
object and displays Auto.
- Execution time—Specified time of file
execution, in seconds.
If you did not specify the execution time, Kaspersky
Threat Intelligence Portal automatically selects the optimal execution time for your object and displays
Auto.
- Database update—Date and time when the
anti-virus databases were updated.
- HTTPS decryption—Information about
whether the HTTPS traffic generated by the object was decrypted during execution.
- Click links—Information about whether
the links in opened documents were followed during the file execution.
- Internet access options—Region of a
network channel that the file used to access the internet.
If you selected the
Tarpit item when creating the execution task, a warning that the file
was executed in the environment without access to the internet is displayed. For more details about
channels, refer to Internet channel values.
- File extension—Specified file extension.
- Command line parameters—Command line
parameters that were used to execute the object in the Sandbox.
For Kaspersky
Threat Attribution Engine technology:
- Reset similarity thresholds—Indicates
whether similarity thresholds for compared samples were ignored.
- Unpack—Indicates whether contents of the
attached file were unpacked before analysis.
|
|
Actions
|
Action you can perform to object execution results.
For recent tasks (the Active tab):
|
When you click on the item in the History table, brief
information about the analyzed object is displayed. Displayed fields depend on the analyzed object.
Page top
[Topic ExecutingFile]
Executing a file
This section describes file execution in Kaspersky Threat Intelligence Portal.
Files can be uploaded manually (Executing a file, Starting a file upload and execution) or downloaded from a web
address.
Analysis results are displayed in the History table on the
Threat Analysis () page. When you
click on the item in the History table, brief information about the analyzed
object is displayed.
Brief information about analyzed object
|
Parameter
|
Description
|
|
MD5
|
MD5 hash of the analyzed object.
|
|
SHA1
|
SHA1 hash of the analyzed object.
|
|
SHA256
|
SHA256 hash of the analyzed object.
|
|
File name
|
Name of the analyzed object.
|
|
File size
|
Size of the analyzed object.
|
|
Execution environment
|
Operating system that was used as an execution environment.
|
|
Execution time
|
Object execution time in seconds.
|
|
Action
|
Object execution type: only executed or unpacked before execution.
|
|
HTTPS decryption
|
Specifies whether HTTPS traffic generated by the executed object was decrypted.
|
|
Click links
|
Specifies whether the links in the opened documents were browsed.
|
|
Internet access options
|
Region or individual country of a network channel specified by the user for the
executed object to access the internet.
|
|
File extension
|
Automatically detected type of the executed file.
|
Page top
[Topic StartingFileUploadExecution]
Starting a file upload and execution
Before executing a file in Kaspersky Threat Intelligence Portal, you can upload it and select
execution options.
To upload a file:
- On the Threat Analysis () → Upload and execute file page, select an object you want to
execute in one of the following ways:
- Click the Select file button, and in the window that
opens select the required object.
- Drag and drop the required object to the drop zone. The drop zone is displayed when
you start dragging an object.
When the object is selected, its file name and size (in megabytes) are displayed.
The maximum size of an object that can be uploaded is 256 MB.
If you execute a multi-file (packed) object, make sure it contains less than 1000
files. Kaspersky Threat Intelligence Portal scans all files in the object, but only 1000 files are available
for downloading. We recommend that you execute objects that contain less than 1000 files. The
size of individual files in the packed object must not exceed 256 MB. The total size of all files when
unpacked must not exceed 1 GB.
- If necessary, delete the uploaded file by clicking the delete button ().
- If you want to execute an archive, make sure its format is supported.
If necessary, enter a password for the archive in the Archive
password (optional) field. Password length must be up to 256 characters. Any characters are allowed,
although double-quote (") and backslash (\) characters must be escaped to ensure they are not interpreted
as control characters in JSON.
If you do not enter a password for a password-protected archive, Kaspersky Threat
Intelligence Portal tries to unpack an archive using default passwords. You can show or hide the password by clicking
the eye icon.
- Turn on the Sandbox toggle switch to execute a file in
Kaspersky Sandbox.
- If necessary, click Advanced options to specify advanced
settings in the opened side-bar:
- In the File execution environment drop-down list,
select the operating system that you want to use as an execution environment.
Available values:
- Auto (Kaspersky Threat Intelligence Portal
automatically determines the optimal operating system for the uploaded file type)
- Microsoft Windows XP SP3 x86
- Microsoft Windows 7 x86
- Microsoft Windows 7 x64
- Microsoft Windows 10 x64
- Android x86
- Android Arm
The Auto execution environment is selected by
default.
- In the File execution time (sec) field, specify the
object execution time in seconds.
By default, the Auto value is selected: Kaspersky Threat Intelligence Portal automatically
selects the optimal execution time for your object.
To specify the execution time manually (from 30 to 500 seconds), click the Auto field and use the slider.
To return to the recommended value, click the Reset to
Auto button.
An uploaded object will be executed in the selected environment during the
specified execution time. The specified time does not include the time required for analysis and
displaying results.
- If you want to specify the region of a network channel that the file uses to access
the internet, select the required region in the Internet access options
drop-down list.
Available values:
- Auto—The internet channel belongs to any
region and does not direct traffic through the TOR network. If no region is available, the Tarpit value is selected.
- Tor—The internet channel that does not
belong to any region and directs traffic through the TOR network.
- Tarpit—The access to the internet is
emulated. This option is used when internet is not available or the analyzed object should not have
access to the internet.
- Countries and regions (for example, AU, DE). The list of channels for countries is
not fixed, and can be modified.
The Auto item is selected by default. For more
details about channels, refer to Internet channel values.
The list of available regions can contain individual countries through which
the executed file can access the internet.
- If necessary, in the Change file name and extension
to field, specify another name and extension for the uploaded file. In this case, Kaspersky Threat
Intelligence Portal attempts to execute the file according to the specified extension. Also, Kaspersky
Threat Intelligence Portal determines the file type after uploading the file to Kaspersky Sandbox, and
processes the file accordingly. The results page displays the extension determined by Kaspersky Threat
Intelligence Portal.
You can use the portable executable (PE) format to process
files that are not images. To do this, you must explicitly specify a file extension in the file name or in
the Change file name and extension to field.
Most characters can be used to specify a file extension. Reserved characters <,
>, :, ", /, \, |, ?, * cannot be used.
You can enter up to 254 characters to specify a file name and extension.
If the file extension is not specified, Kaspersky Threat Intelligence Portal
attempts to determine it automatically and then executes the file.
For more details about file types, refer to the Automatically detected
file types section.
- You can use Kaspersky Threat Intelligence Portal to open password-protected documents
during execution. To do this, enter the password in the Document password
(optional) field. You can show or hide the password by clicking the eye icon. This field is empty
by default.
- Kaspersky Threat Intelligence Portal can start object execution with specific
parameters. To do this, enter the required parameters in the Command line
parameters field.
This field is optional and available only when a
Microsoft Windows execution environment is selected. Command line examples are described in the Appendices.
- If you want to decrypt HTTPS traffic that is generated by the object during execution,
select the Decrypt HTTPS check box. The check box is selected by default.
The check box is unavailable if Microsoft Windows XP SP3 x86 is selected as the
file execution environment.
Disabling HTTPS traffic decryption may reduce the probability of malware
detection. This functionality allows you to obtain artifacts with information about the object interaction
via HTTPS during the task execution. We recommend disabling HTTP traffic decryption only if you are sure
that it for some reason will interfere with a certain object analysis.
- If you want Kaspersky Threat Intelligence Portal to follow the links in documents
opened in the Kaspersky Sandbox, select the Click links check box.
Selecting this option can increase the level of detection of malicious objects and
malicious object behavior. This check box is selected by default.
- Turn on the Attribution toggle switch to use Kaspersky
Threat Attribution Engine technology to find attribution entities related to the analyzed file.
- If necessary, click Advanced options to specify advanced
settings in the opened side-bar:
- If you want Kaspersky Threat Intelligence Portal to unpack the contents of the
attached file before analysis using Kaspersky Threat Attribution Engine technology, select the Unpack check box. If a password you specified in the Archive password (optional) field does not match, Kaspersky Threat
Intelligence Portal tries to unpack an archive using default passwords. If no password matches, then only the archive
will be analyzed, and the Error status will be assigned to the task. The
report will be available and contain information only about the archive.
The check
box is selected by default.
- If you want the Kaspersky Threat Intelligence Portal to ignore similarity thresholds
for compared samples, select the Reset similarity thresholds check box.
The check box is cleared by default.
If this check box is cleared, Kaspersky Threat
Intelligence Portal considers your sample to be a similar to a previously analyzed actor's sample if they
have a number of common genes or strings greater than or equal to a
threshold value set by Kaspersky experts. For each actor, a threshold is specified separately. In
this case, Kaspersky Threat Intelligence Portal returns fewer results, but the proportion of useful
results is higher.
If you select this check box, Kaspersky Threat Intelligence Portal considers your
sample to be a similar to a previously analyzed actor's sample if they have at least one common gene or string. In this case, Kaspersky Threat
Intelligence Portal returns more results. It is useful to enable this parameter if all parts of the code
in your sample are malicious, and you want to find more similar actor samples.
- Turn on the Similarity toggle switch to search for
similar files. This toggle switch is available only if you turn on the Sandbox
toggle switch. Kaspersky Threat Intelligence Portal searches for similar files only if a single file or an
archive containing one file is uploaded. If you upload an archive containing more than one file, Kaspersky
Threat Intelligence Portal searches for similar files for the uploaded archive, but not for the files in the
archive.
- Click the Start analysis button to start the file
execution process.
Kaspersky Threat Intelligence Portal displays the object execution
results.
If an error occurs during the upload process, you can try to upload the object again,
or select another object.
If you terminate the upload process for some reason, you can try to upload the same
object again later, or you can select another object.
An entry describing execution results for each analysis technology appears separately
in the History table. You can start to analyze results when the process ends
and the Execution state field is Completed.
- If you want to upload and execute more files, click the Select
another file button and repeat steps 3–6 of this procedure.
- If you want to execute a previously analyzed file, in the History → Active table, click the rescan button
(
) by the required object, and repeat steps 3–7 of this procedure. For archived
tasks (the History → Archived tab),
rescan is not available. You have to upload the file and start execution again.If
the previously specified internet channel is no longer available, the Auto
item is selected by default.
If the file is executed again later, results may differ from those shown in the
History table for the same file because Kaspersky expert systems update
information about objects in real time. Therefore, execution results depend on the threat landscape.
Up to 1000 of the latest file executions and web address analysis results for a user are
stored. When the maximum number of stored results is reached, the oldest results are assigned Archived status. For more details about archived tasks, refer to the About archived
(discarded) tasks section.
Page top
[Topic StartingFileDownloadExecution]
Starting file download and execution
Before executing a file, you can download it from a web resource and select execution options.
To download and execute a file:
- On the Threat Analysis () → Download and execute file page, in the URL field, specify a link to a file that you want to download and execute.
You can download files only from HTTP or HTTPS web addresses.
If you execute a multi-file (packed) object, make sure it contains less than 1000
files. Kaspersky Threat Intelligence Portal scans all files in the object, but only 1000 files are available
for downloading. We recommend that you execute objects that contain less than 1000 files. The
size of individual files in the packed object must not exceed 256 MB. The total size of all files when
unpacked must not exceed 1 GB.
- If you want to execute an archive, make sure its format is supported.
If necessary, enter a password for the archive in the Archive
password (optional) field (up to 256 characters). Any characters are allowed, although double-quote
(") and backslash (\) characters must be escaped to ensure they are not interpreted as control characters
in JSON.
If you do not enter a password for a password-protected archive, Kaspersky Threat
Intelligence Portal tries to unpack an archive using default passwords. You can show or hide the password by clicking
the eye icon.
- Turn on the Sandbox toggle switch to execute a file in
Kaspersky Sandbox.
- If necessary, click Advanced options to specify advanced
settings in the opened side-bar:
- In the File execution environment drop-down list,
select the operating system that you want to use as an execution environment.
Available values:
- Auto (Kaspersky Threat Intelligence Portal automatically determines the optimal
operating system for the type of downloaded file)
- Microsoft Windows XP SP3 x86
- Microsoft Windows 7 x86
- Microsoft Windows 7 x64
- Microsoft Windows 10 x64
- Android x86
- Android Arm
The Auto execution environment is selected by
default.
- In the File execution time (sec) field, specify the
object execution time in seconds.
By default, the Auto value is selected: Kaspersky Threat Intelligence Portal automatically
selects the optimal execution time for your object.
To specify the execution time manually (from 30 to 500 seconds), click the Auto field and use the slider.
To return to the recommended value, click the Reset to
Auto button.
A downloaded object will be executed in the selected environment during the
specified execution time. The specified time does not include the time required for analysis and
displaying results.
- If you want to specify the region of a network channel that the file uses to access
the internet, select the required region in the Internet access options
drop-down list.
Available values:
- Auto—The internet channel belongs to any
region and does not direct traffic through the TOR network. If no region is available, the Tarpit value is selected.
- Tor—The internet channel that does not
belong to any region and directs traffic through the TOR network.
- Tarpit—The access to the internet is
emulated. This option is used when internet is not available or the analyzed object should not have
access to the internet.
- Countries and regions (for example, AU, DE). The list of channels for countries is
not fixed, and can be modified.
The Auto item is selected by default. For more
details about channels, refer to Internet channel values.
The list of available regions can contain individual countries through which
the executed file can access the internet.
- In the Change file name and extension to field, you
can specify another name and extension for the downloaded file. In this case, Kaspersky Threat Intelligence
Portal attempts to execute the file according to the specified extension. Also, Kaspersky Threat
Intelligence Portal determines the file type after downloading the file to Kaspersky Sandbox, and processes
the file accordingly. The results page displays the extension determined by Kaspersky Threat Intelligence
Portal.
You can use the portable executable (PE) format to process files that
are not images. To do this, you must explicitly specify a file extension in the file name or in the Change file name and extension to field.
Most characters can be used to specify a file extension. Reserved characters <,
>, :, ", /, \, |, ?, * cannot be used.
You can enter up to 254 characters to specify a file name and extension.
If the file extension is not specified, Kaspersky Threat Intelligence Portal
attempts to determine it automatically, and then executes the file.
For more details about file types, refer to the Automatically detected
file types section.
- You can use Kaspersky Threat Intelligence Portal to open password-protected documents
during execution. To do this, enter the password in the Document password
(optional) field. You can show or hide the password by clicking the eye icon. This field is empty
by default.
- Kaspersky Threat Intelligence Portal can start object execution with specific
parameters. To do this, enter the required parameters in the Command line
parameters field.
This field is optional and available only when a
Microsoft Windows execution environment is selected. Command line examples are described in the Appendices.
- If you want to decrypt HTTPS traffic that is generated by the object during execution,
select the Decrypt HTTPS check box. The check box is selected by default.
The check box is unavailable if Microsoft Windows XP SP3 x86 is selected as the
file execution environment.
Disabling HTTPS traffic decryption may reduce the probability of malware
detection. This functionality allows you to obtain artifacts with information about the object interaction
via HTTPS during the task execution. We recommend disabling HTTP traffic decryption only if you are sure
that it for some reason will interfere with a certain object analysis.
- If you want Kaspersky Threat Intelligence Portal to follow the links in documents
opened in the Kaspersky Sandbox, select the Click links check box.
Selecting this option can increase the level of detection of malicious objects and
malicious object behavior. This check box is selected by default.
- Turn on the Attribution toggle switch to use Kaspersky
Threat Attribution Engine technology to find attribution entities related to the analyzed file.
- If necessary, click Advanced options to specify advanced
settings in the opened side-bar:
- If you want Kaspersky Threat Intelligence Portal to unpack the contents of the
attached file before analysis using Kaspersky Threat Attribution Engine technology, select the Unpack check box. If a password you specified in the Archive password (optional) field does not match, Kaspersky Threat
Intelligence Portal tries to unpack an archive using default passwords. If no password matches, then only the archive
will be analyzed, and the Error status will be assigned to the task. The
report will be available and contain information only about the archive.
The check
box is selected by default.
- If you want the Kaspersky Threat Intelligence Portal to ignore similarity thresholds
for compared samples, select the Reset similarity thresholds check box.
The check box is cleared by default.
If this check box is cleared, Kaspersky Threat
Intelligence Portal considers your sample to be a similar to a previously analyzed actor's sample if they
have a number of common genes or strings greater than or equal to a
threshold value set by Kaspersky experts. For each actor, a threshold is specified separately. In
this case, Kaspersky Threat Intelligence Portal returns fewer results, but the proportion of useful
results is higher.
If you select this check box, Kaspersky Threat Intelligence Portal considers your
sample to be a similar to a previously analyzed actor's sample if they have at least one common gene or string. In this case, Kaspersky Threat
Intelligence Portal returns more results. It is useful to enable this parameter if all parts of the code
in your sample are malicious, and you want to find more similar actor samples.
- Turn on the Similarity toggle switch to search for
similar files. This toggle switch is available only if you turn on the Sandbox
toggle switch. Kaspersky Threat Intelligence Portal searches for similar files only if a single file or an
archive containing one file is downloaded. If you download an archive containing more than one file, Kaspersky
Threat Intelligence Portal searches for similar files for the downloaded archive, but not for the files in the
archive.
- Click the Start analysis button to start the file
execution process.
Kaspersky Threat Intelligence Portal will display object execution
results.
An entry describing execution results for each analysis technology appears separately
in the History table. You can start to analyze results when the process
finishes and the Execution state field is Completed.
- If you want to execute a previously analyzed file, in the History table, click the rescan button () by the required
object, and repeat steps 2–6 of this procedure. The file will be downloaded again. For archived tasks (the History → Archived tab), rescan is not
available. You have to specify the link and start execution again.
If the
previously specified internet channel is no longer available, the Auto item
is selected by default.
If the file is executed again later, results may differ from those shown in the
History table for the same file. This is because Kaspersky expert systems
update information about objects in real time. Therefore, execution results depend on the threat landscape.
Up to 1000 of the latest file executions and web address analysis results for a user are
stored. When the maximum number of stored results is reached, the oldest results are assigned Archived status. For archived tasks, you can only view or delete a brief summary.
For more details about archived tasks, refer to the About archived (discarded) tasks section.
Page top
[Topic SandboxReportFiles]
Report page for Kaspersky Sandbox
On the Sandbox page, the file execution and analysis results
for Kaspersky Sandbox are displayed. The status of the executed file (Malware,
Adware and other, Clean, or Not categorized) is displayed under the file name.
The Sandbox page contains the following:
- Summary section—Displays the execution task details
and graphics of detected items, suspicious activities, extracted files, and network interactions that were
detected during the file execution.
- Results tab—Displays information about detected threats,
triggered network rules, and suspicious activities. A file execution map and a set of screenshots are also
displayed. For downloaded files, information about the submitted web address and file download method is
displayed.
- Static Analysis tab—Displays an object's static
analysis results. This tab is available only for objects that were executed in the mobile (Android) operating
system environment.
- System activities tab—Displays information about
loaded PE images and various operations that were registered during the file execution.
- Extracted files
tab—Displays information about files that were downloaded and dropped by the executed file.
- Network activities tab—Displays information
about HTTP, HTTPS, and DNS requests that were registered during the file execution.
Execution results for multi-file (packed) objects are described in the Multi-file report page section.
A file execution in Kaspersky Sandbox may end with an error after Kaspersky expert systems have
detected a threat related to the file. In this case, Kaspersky Threat Intelligence Portal displays only the
abridged version of a report that contains the following information:
- Summary section. Only the Detects chart (total number of threats detected by Kaspersky expert systems)
presents statistical information.
- Detection names table.
The History table displays your local task creation time. In
reports, date and time are displayed in Coordinated Universal Time (UTC) format.
Your Kaspersky Sandbox quota is not affected by a failed file execution. Abridged reports cannot
be exported to STIX format. For abridged reports, exporting to STIX format is not available.
You can click the Download data button located by each section
(except the Summary section) to export the
corresponding data. The button is available if the section contains data.
Page top
[Topic SummarySection]
Summary section
The Summary section represents general information about the
results of a file execution.
The following charts are displayed:
- Detects
The total number of threats detected during the file execution, and the proportion of
threats with Malware (red) and Adware and
other (yellow) status.
The name of the chart is clickable—you can click Detects to navigate to the Detection names
table on the Results tab.
- Suspicious activities
The total number of suspicious activities registered during the file execution, and the
proportion of activities with High (red), Medium (yellow), and Low (gray) levels.
The name of the circle chart is clickable—you can click Suspicious activities to navigate to the Suspicious
activities table on the Results tab.
This chart is not available for multi-file (packed) objects.
- Extracted files
The total number of files downloaded or dropped by the file during the execution
process, and the proportion of files with the status of Malware (extracted
files that can be classified as malicious, in red), Adware and other
(extracted files that can be classified as Not-a-virus, in yellow), Clean (extracted files that can be classified as not malicious, in green),
and Not categorized (the category cannot be determined due to insufficient
information about the extracted files, in gray).
The name of the chart is clickable—you can click Extracted files to navigate to the Extracted files
tab.
- Network activities
The total number of registered network interactions that the file performed during the
execution process, and the proportion of network interactions with the status of Dangerous (requests to resources with Dangerous status, in red), Adware and
other (requests to resources with Adware and other status, in
yellow), Good (requests to resources with Good status, in green), and – (requests to resources with Not categorized status, in gray).
The name of the circle chart is clickable—you can click Network activities to navigate to the Network
activities tab.
This chart is not available for multi-file (packed) objects.
The number of detected files or activities with specific status is displayed below each chart.
Small values are displayed out of proportion. For better viewing, small values are displayed as 1% of the entire
circle chart.
You can download the file execution results as an archive by clicking the Export all results button.
The Summary section also displays the execution task details:
- Uploaded
Date and time when the file was uploaded or downloaded.
- Analyzed
Date and time when the file analysis was completed.
- Database update
Date and time when the anti-virus databases were updated.
- File size
Size of the executed file in bytes.
- File type
Automatically detected type of the executed file.
- Execution environment
Selected environment (operating system) for the file execution.
If you did not specify the execution environment, Kaspersky Threat Intelligence Portal
automatically selects the optimal environment for executing your object and displays Auto.
- Execution time
Specified time of the file execution, in seconds.
If you did not specify the execution time, Kaspersky Threat Intelligence Portal
automatically selects the optimal execution time for your object and displays Auto.
- File extension
Specified file extension.
- HTTPS decryption
Information about whether the HTTPS traffic generated by the object was decrypted
during execution.
- Click links
Information about whether the links in opened documents were followed during the file
execution.
- Internet access options
Region of a network channel that the file used to access the internet.
If you selected the Tarpit item when creating the
execution task, a warning that the file was executed in the environment without access to the internet is
displayed. For more details about channels, refer to Internet channel values.
- MD5
MD5 hash of the executed file. This item is clickable and takes you to the Threat Lookup page, where you can search for information about the MD5 hash.
- SHA1
SHA1 hash of the executed file. This item is clickable and takes you to the Threat Lookup page, where you can search for information about the SHA1 hash.
- SHA256
SHA256 hash of the executed file. This item is clickable and takes you to the Threat Lookup page, where you can search for information about the SHA256 hash.
- Document password
Information about whether the password for the protected document was specified.
- Command line parameters
Command line parameters that were used to execute the object in the Sandbox.
Running a threat lookup request for a hash (MD5, SHA1, or SHA256) of the executed file does
not count against the Threat Lookup quota for your group.
Page top
[Topic ResultsTab]
Results tab
Kaspersky Threat Intelligence Portal provides information about detected items and activities
that were registered during file execution. The execution results are displayed in separate tables, each of which
contains up to 10 entries.
Results
|
Table name
|
Description
|
Table fields
|
Comments
|
|
Detection names
|
Detections registered during file execution.
|
Status—Status of the detected object
(Malware or Adware and other).
Name—Name of the detected object (for example,
HEUR:Exploit.Script.Blocker). Each item in the list is clickable—you can click it to view a
description on the Kaspersky threats website.
|
Items in the table are sorted by status.
|
|
Triggered network rules
|
SNORT and Suricata rules triggered during analysis of traffic from the executed file.
|
Status—Danger zone (level) of the network
traffic detected by the SNORT or Suricata rule (High, Medium, Low, Info).
Rule—SNORT or Suricata rule name.
|
Items in the table are sorted in the Status field
from High to Info status.
|
|
File download information
|
Information about the file download process.
This table is available only when an object was downloaded from
a web address.
|
Method—Method of sending an HTTP request. The
HTTP method can be one of the following: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, or PATCH.
User agent—Identification string of the user
agent (browser) that was used to open the specified web address (for example, Mozilla/5.0 (X11; Linux
x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36).
|
—
|
|
Download request
|
Information about the request that was made to the submitted web address, from which
the file was downloaded.
This table is available only when an object was downloaded from
a web address.
|
Name—The Key attribute of the request.
Value—The Value attribute of the request.
|
Only information about the Host and User-Agent headers is provided.
|
|
Download responses
|
Detailed information about responses for the web address from which the file was
downloaded.
This table is available only when an object was downloaded from
a web address.
|
Status—Status (threat level)of the
web address in the request.
Categories—Category of the web address from
which the file was downloaded.
Protocol—Protocol that was used (HTTP or
HTTPS).
URL—Web address to which the request was
registered. Items are clickable and navigate to the Threat Lookup page,
where you can search for information about the web address.
Response code—Response code of the HTTP
request.
Response length—Size of the response to the
HTTP request in bytes.
Response headers—Additional fields displayed
as key:value. Standard header names are based on the RFC2616 Hypertext Transfer Protocol --
HTTP/1.1.
|
—
|
|
Execution map
|
Graphical representation of the sequence of file activities and relationships between
them. The root node of the tree represents the executed file.
|
—
|
Each tree element is marked according to its danger level (High, Medium, or Low).
You can view the execution map in full-screen ( ) or normal ( )
mode.
You can also zoom in on the execution map by scrolling the map area.
For each element, a brief and detailed description is available. Use the minus/plus
buttons ( / ) to expand or
collapse the description for all elements. You can also expand or collapse an element description separately
by clicking the drop-down icon. Clicking the element opens the tab with a detailed description.
|
|
Suspicious activities
|
Registered suspicious activities.
|
Status—Danger zone (level) of the registered
activity (High, Medium, Low).
Severity—Numerical value of the danger level
of the registered activity (integer 1–999).
Description—Description of suspicious
activity. For example, "Executable has obtained the privilege", "The file has been dropped
and executed", or "The process has injected binary code into another process". Certain
descriptions include a mapping to the MITRE ATT&CK™ threat classification. For example,
"MITRE: T1082 System Information Discovery".
|
—
|
|
MITRE ATTCK matrix
|
Information about known tactics, techniques and procedures (TTPs), and mapping with
MITRE ATT&CK classification for the executed object.
|
—
|
All elements in the matrix are clickable and take you to the MITRE ATT&CK web site.
To view sub-techniques (if available), you can expand certain elements.
|
|
Screenshots ()
|
Set of screenshots taken during file execution.
Screenshots are taken for each action the object performs.
|
—
|
Screenshots are available as a gallery with preview images, and as full-size images.
To view a full-size image, click the desired screenshot. You can zoom in and out on images for a better
view.
You can also download screenshots by clicking the Download
data button.
|
Page top
[Topic StatAnalysisTab]
Static analysis tab
The Static Analysis tab is available only for objects
that were executed in the mobile (Android) operating system environment.
Kaspersky Threat Intelligence Portal provides the object's static analysis results.
The results are displayed in separate tables. Each table contains up to 10 entries.
Static analysis results
|
Table name
|
Description
|
Table fields
|
Comments
|
|
Manifest
|
Android app manifest in XML format.
|
—
|
The displayed version of a file is recovered from the application and may differ from
the original file.
|
|
Modules
|
Android app modules detected through static analysis.
|
Path—Path to the app module.
Description—Description of the app module.
|
Items in the table are listed in the order in which they were received.
You can filter items in this table by specifying search criteria in the Search field below the table name.
|
|
Permissions
|
Android app permissions detected by using the static analysis.
|
Status—Status (danger level) of the
permission.
Severity—Severity of the permission's danger.
Permission—Permission value.
Description—Detailed description of the
permission.
|
Items in the table are listed in the order in which they were received.
You can filter items in this table by specifying search criteria in the Search field below the table name.
|
|
Component
|
Android app components detected through static analysis.
|
Status—Status (danger level) of the
component.
Severity—Severity of the component's danger.
Component—Component name.
Description—Detailed description of the
component.
Intent filters—List of filters applied to the
component. You can click the link to view the component's filters. The pane that opens displays the
following data for each filter: priorities, actions, and categories.
|
Items in the table are listed in the order in which they were received.
You can filter items in this table by specifying search criteria in the Search field below the table name.
|
|
Bundle
|
Android App Bundle (APK).
|
Type—File type (Module, Icon, or Picture).
Path—File path and name.
Size—File size.
MD5—MD5 hash of the file. Each item in the
list is clickable—you can click it to navigate to the Threat Lookup
results page, which has investigation results for the file detected by the MD5 hash. Investigation results
are available only if you have a valid Threat Lookup license and have not exceeded your quota for object
investigation. If you requested this hash in the past 24 hours, the Threat Lookup quota for your group is
not affected.
Investigation results for certain hashes in this section may be unavailable on the
Threat Lookup results page.
|
—
|
|
Bundle images
|
Android App Bundle images.
|
—
|
—
|
Page top
[Topic SystemActivitiesTab]
System activities tab
Kaspersky Threat Intelligence Portal provides information about activities that were registered
during the file execution. The results are displayed in separate tables, each of which contains up to 10 entries.
Execution environments with Microsoft Windows operating systems installed
System activities for Microsoft Windows
|
Table name
|
Description
|
Table fields
|
|
Loaded PE Images
|
Loaded PE images detected during file execution.
|
Path—Full path to the loaded PE image.
Size—Size of the loaded PE image in bytes.
|
|
File operations
|
File operations registered during file execution.
|
Operation—Operation name.
Name—Name of the file related to the
registered operation.
Size—Size of the file related to the
registered operation.
|
|
Registry operations
|
Operations performed on the operating system registry detected during file execution.
Operations that have led to suspicious activities are shown first.
|
Operation—Operation name.
Details—Operation attributes.
|
|
Process operations
|
Interactions of the file with various processes registered during file execution.
|
Interaction type—Type of interaction between
the executed file and a process.
Process name—Name of the process that
interacted with the executed file.
|
|
Synchronize operations
|
Operations of created synchronization objects: mutual exclusions (mutexes),
semaphores, and events registered during the file execution.
|
Type—Type of the created synchronization
object.
Name—Name of the created synchronization
object.
|
Execution environments with Android operating systems installed
System activities for Android
|
Table name
|
Description
|
Table fields
|
|
Loaded modules
|
Modules that the file downloaded during the execution.
|
Status—Status (danger level) of the module.
Severity—Severity of the module's danger
level.
Timestamp—Date and time when the module was
loaded, specified in UNIX time: number of seconds elapsed since 00:00:00 (UTC), 1 January 1970.
Path—Full path to the loaded module.
Description—Description of the loaded module.
|
Page top
[Topic NetworkActivitiesTab]
Network activities tab
Kaspersky Threat Intelligence Portal provides information about activities that were registered
during the file execution. The results are displayed in separate tables, each of which contains up to 10 entries.
For easier navigation to certain sections, you can select the required protocol on the panel
above the sections. Also, you can select the required section by clicking the button with three dots (
). The panel is frozen and remains visible when you scroll the page.
Network interactions
|
Table name
|
Description
|
Table fields
|
|
IP sessions
|
IP sessions that were registered during file execution.
|
Threat score—Probability that the destination
IP address is dangerous (0 to 100). An IP address is classified by Kaspersky expert systems as dangerous if
its threat score is greater than 74.
Destination IP—Destination IP address.
Started—Date and time when the IP session
started.
Ended—Date and time when the IP session
ended.
Size—Size of data that was sent and received
within the IP session (in bytes).
Packets—Number of packets that were sent and
received within the IP session.
|
|
TCP sessions
|
TCP sessions that were registered during file execution.
|
Threat score—Probability that the IP address
is dangerous (0 to 100).
Destination IP—Destination IP address.
Source port—Source port number
(0–65536).
Destination port—Destination port number
(0–65536).
Size—Size of data that was sent and received
within the TCP session (in bytes).
Packets—Number of packets that were sent and
received within the TCP session.
SYN packets—Number of SYN packets that were
sent and received within the TCP session.
FIN packets—Number of FIN packets that were
sent and received within the TCP session.
Out-of-order packets—Number of out-of-order
packets that were sent and received within the TCP session.
Lost ACK packets—Number of lost ACK packets
that were sent and received within the TCP session.
Duplicated ACK packets—Number of duplicated
ACK packets that were sent and received within the TCP session.
Window In—Number of incoming segments (bytes)
that can be sent from server to client before an acknowledgment (ACK packet) is received.
Window Out—Number of outgoing segments
(bytes) that can be sent from client to server before an acknowledgment (ACK packet) is received.
|
|
UDP sessions
|
UDP sessions that were registered during file execution.
|
Threat score—Probability that the IP address
is dangerous (0 to 100).
Destination IP—Destination IP address.
Source port—Source port number
(0–65536).
Destination port—Destination port number
(0–65536).
Size—Size of data that was sent and received
within the UDP session (in bytes).
Packets—Number of packets that were sent and
received within the UDP session.
|
|
DNS requests
|
DNS requests that were registered during file execution.
|
Id—DNS message ID.
QR—Request/response indicator (0—DNS
query, 1—DNS response).
RCode—DNS response code.
Size—Size of data that was sent and received
within the DNS session (in bytes).
Packets—Number of packets that were sent and
received within the DNS session.
Records—Records in the message. You can click
the link to view detailed information about records. For each record, its name, section, type, and APT
categories are displayed. If available, TTL and Data fields are available.
|
|
TLS sessions
|
TLS sessions that were registered during file execution.
|
Status—Status of the domain.
APT categories—List of APT categories of the
domain.
Version—TLS protocol version.
Cipher—Cryptographic algorithm.
Curve—Curve class.
Server name—Name of the server.
Subject—Subject name.
Issuer—Issuer name.
|
|
FTP sessions
|
FTP sessions that were registered during file execution.
|
Status—Danger level.
APT categories—List of APT categories of the
IP address.
Command—Command name.
Reply—Reply code and reply message from a
server.
MD5—File that was transferred when the
command was executed.
Channel—Information about FTP client address,
FTP server address and port number.
|
|
IRC sessions
|
IRC sessions that were registered during file execution.
|
Command—Command name.
User—User name.
Nick—User's nickname.
Sender—Nickname of the command's sender.
Channel—Name of the channel to send the
message to during the IRC session.
Text—Text that was sent during the IRC
session.
|
|
POP3 sessions
|
POP3 sessions that were registered during file execution.
|
Type—Command type.
Command—Command result.
Arguments—Command arguments.
Text—Description of the result of the
command.
|
|
SMB sessions
|
SMB sessions that were registered during file execution.
|
Status—Status of the IP address.
APT categories—List of APT categories of the
IP address.
Destination IP—Session's destination IP
address.
Destination port—Destination port number
(0–65536).
Version—Protocol version.
MD5—MD5 of the file transferred during the
command execution.
|
|
SMTP sessions
|
SMTP sessions that were registered during file execution.
|
Status—Status of the hash.
APT categories—List of APT categories of the
hash.
From—Sender's name and address.
To—Receivers' names and addresses.
Subject—Message subject.
MD5—List of MD5 hashes of attached files.
|
|
SOCKS sessions
|
SOCKS sessions that were registered during file execution.
|
Status—Status of the IP address.
APT categories—List of APT categories of the
IP address.
Version—SOCKS protocol version.
Request host/port—IP address or fully
qualified domain name (FQDN) and port (0-65536), to which the connection request was made via the SOCKS
protocol.
Bound host/port—IP address or fully qualified
domain name (FQDN) and port (0-65536), to which the connection was established.
|
|
HTTP(S) requests
|
HTTP requests registered during file execution.
|
Status—Status of the web address in the HTTP
request. The web address can belong to one of the following zones:
- Dangerous (there are malicious objects
related to the web address).
- Not trusted (categorized as Infected or Compromised).
- Adware and other (there are objects that can
be classified as Not-a-virus, which are related to the web address).
- Good (the web address is not malicious).
- Not categorized (the web address cannot be
categorized due to insufficient information).
If the web address is related to an APT attack or mentioned in threat intelligence
reports, the corresponding category is displayed by the web address zone.
You can click the web address to navigate to the Threat
Lookup results page. If you have a valid commercial APT Intelligence Reporting Service
license, and the file is related to an APT attack, a link to the corresponding APT Intelligence report on
the Reporting page is displayed in the Categories field. If the requested object is related to several APT attacks,
all related links are displayed.
APT categories—List of APT categories of the
web address.
URL—Web address to which the request was
registered. Investigation results for certain web addresses in this section may be unavailable on the Threat Lookup results page.
Method—Method of sending the HTTP request.
The HTTP method can be one of the following: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, or
PATCH.
Response code—Response code of the HTTP
request.
Response length—Size of the response to the
HTTP request in bytes.
Fields—Additional fields (Request headers, Response headers, Request body, and Response body) displayed
as key:value. Standard header names are based on the RFC2616 Hypertext
Transfer Protocol -- HTTP/1.1. Custom headers (for example, x-ms-request-id) are highlighted in blue.
|
|
HTTPS requests
|
HTTP requests registered during file execution.
|
Status—Status of the web address in the HTTPS
request. The web address can belong to one of the following zones:
- Dangerous (there are malicious objects
related to the web address).
- Not trusted (categorized as Infected or Compromised).
- Adware and other (there are objects that can
be classified as Not-a-virus, which are related to the web address).
- Good (the web address is not malicious).
- Not categorized (the web address cannot be
categorized due to insufficient information).
If the web address is related to an
APT attack or mentioned in threat intelligence reports, the corresponding category is displayed by the
web address zone.
You can click the web address to navigate to the Threat
Lookup results page. If you have a valid commercial APT Intelligence Reporting Service
license, and the file is related to an APT attack, a link to the corresponding APT Intelligence report
on the Reporting page is displayed in the Categories field. If the requested object is related to several APT
attacks, all related links are displayed.
APT categories—List of APT categories of
the web address.
URL—Web address to which the request was
registered. Investigation results for certain web addresses in this section may be unavailable on the
Threat Lookup results page.
Method—Method of sending the HTTPS
request. The HTTPS method can be one of the following: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS,
TRACE, or PATCH.
Response code—Response code of the HTTP
request.
Response length—Size of the response to
the HTTP request in bytes.
Fields—Additional fields (Request headers, Response headers, Request body, and Response body)
displayed as key:value. Standard header names are based on the RFC2616
Hypertext Transfer Protocol -- HTTP/1.1. Custom headers (for example, x-ms-request-id) are highlighted in blue.
|
Page top
[Topic MultiFileReport]
Multi-file report page
Kaspersky Threat Intelligence Portal allows you to execute multi-file (packed) objects. In this
case, Kaspersky Threat Intelligence Portal processes the object as a group of files. The report differs from the
report for a single file and contains the following sections.
Multi-file execution results
|
Table name
|
Description
|
Table fields
|
|
Status
|
Danger level of the object.
|
Malware—Execution task completed; the object
is malicious.
Adware and other—Execution task completed;
the object can be classified as Not-a-virus.
Clean—Execution task completed; the object is
not malicious.
Not categorized—Execution task completed; no
information about the object is available.
— (no information)—Execution task is
in progress or completed with errors.
|
|
Summary
|
General information about object execution results.
|
Detects—Total number of objects detected
during object execution, and the proportion of objects classified as: Malware (red), Adware and other
(yellow).
Extracted files—Total number of files
downloaded or dropped by the object during the execution process, and the proportion of files with Malware (extracted files that can be classified as malicious, in red), Adware and other (extracted files that can be classified as Not-a-virus, in yellow), Clean
(extracted files that can be classified as not malicious, in green), and Not
categorized (no information about extracted files is available, in gray) statuses.
|
|
General information
|
General information about the object.
|
Uploaded—Date and time the object was
uploaded.
Analyzed—Date and time the object analysis
was completed.
Database update—Date and time the anti-virus
databases were updated.
File size—Size of the executed file in bytes.
File type—Automatically detected
type of the executed file.
Execution environment—Selected environment
(operating system) for object execution. If you did not specify the execution environment, Kaspersky Threat
Intelligence Portal automatically selects the optimal environment for your object execution and displays
Auto.
Execution time—Specified time of object
execution (seconds). If you did not specify the execution time, Kaspersky Threat Intelligence Portal
automatically selects the optimal execution time for your object, and displays Auto.
File extension—Specified file extension.
HTTPS decryption—Information about whether
the HTTPS traffic generated by the object was decrypted during execution.
Internet access options—Name of the network
channel used by the object to access the internet.
Click links—Information about whether
Kaspersky Research Sandbox followed the links in the documents that were opened in the Sandbox.
Document password— Information whether the
password for the protected document was specified.
Command line parameters—Command line
parameters that were used to execute the object in the Sandbox.
MD5—MD5 hash of the executed object. This
item is clickable. You can copy the item to the clipboard (Copied to
clipboard drop-down list option) or navigate to the Threat Lookup
page (Lookup drop-down list option).
SHA1—SHA1 hash of the executed object. This
item is clickable. You can copy the item to the clipboard (Copied to
clipboard drop-down list option) or navigate to the Threat Lookup
page (Lookup drop-down list option).
SHA256—SHA256 hash of the executed object.
This item is clickable. You can copy the item to the clipboard (Copied to
clipboard drop-down list option) or navigate to the Threat Lookup
page (Lookup drop-down list option).
|
|
Packed object content
|
Information about each file in the uploaded object.
|
Status—Danger level of the file.
MD5—MD5 hash of the file. This item is
clickable. Hover your mouse over the required item and click Lookup to
navigate to the Threat Lookup page. This will display investigation
results for the file detected by the MD5 hash. Investigation results are available only if you have a valid
Threat Lookup license and have not exceeded your object investigation quota. If you requested this hash in
the past 24 hours, the Threat Lookup quota for your group is not affected.
Investigation results for certain hashes in this section may be unavailable on the
Threat Lookup results page.
Click Download to download the item as a
password-protected .zip archive. Use a default password infected to
unpack an archive.
The archive may contain objects that could harm your device or data, if handled
improperly. By downloading, you accept full responsibility for the handling of downloaded objects contained
in the archive. You can only use the downloaded content to increase the level of protection of your devices
and systems.
Path—File name and path from the root of the
uploaded object.
Packer—Name of the packer used to pack the
uploaded object.
Type—Automatically detected file type.
Detect—Names of detected objects.
|
Page top
[Topic TAEReportPage]
Report page for Kaspersky Threat Attribution Engine
The Attribution page displays the results of the file analysis
using Kaspersky Threat Attribution Engine technology. Kaspersky Threat Intelligence Portal provides information on
the possible origin of the file based on its similarity with known APT samples. The attribution entities listed in
the report are either malicious actors that can be owners of this file, or APT tools and malware that can be
related to the analyzed file.
All results obtained during file analysis by Kaspersky Threat Attribution Engine technology must
be evaluated and cannot be considered or used as evidence. Threats and attribution entities classified as advanced
persistent threats (APT) by Kaspersky Threat Attribution Engine technology may not necessarily be classified as
APT by other security experts. It is up to you to make a final decision about the status of any threat or actor.
The Attribution report page contains the sections described in
the table below.
TAE page
|
Table
|
Description
|
Fields
|
|
Summary
|
General information about the file analysis results.
|
MD5—MD5 hash of the analyzed file.
File size—Size of the analyzed file, in
bytes.
Reset similarity thresholds—Indicates whether
similarity thresholds for compared samples were ignored, i.e. the corresponding parameter (check box) was
selected while creating a task.
Matched attribution entities—List of
malicious actors or tools matched with the submitted file (if found).
Extracted path—Path to the file in the
archive (for files that were unpacked for analysis).
Unpack—Indicates whether contents of the
attached file were unpacked before analysis, i.e. the corresponding parameter (check box) was selected while
creating a task.
|
|
Sample & Content
|
Information about files extracted from the packed file that is submitted for
Kaspersky Threat Attribution Engine analysis.
|
Status—Status of the extracted file.
MD5—MD5 hash of the extracted file. Clicking
the item navigates you to the Threat Lookup page where lookup results for
this file are displayed.
File name—Name of the extracted file.
Size—Size of the extracted file, in bytes.
Bad genotypes (matched/total)—Number of
genotypes in the analyzed file that match the genotypes in the similar attribution entity samples.
Bad strings (matched/total)—Number of strings
in the analyzed file that match the strings in the similar attribution entity samples.
Attribution entities—Attribution entities
related to the extracted file. Actor names are presented as clickable tags. When you click a tag,
Kaspersky Threat Intelligence Portal searches for the respective actor and opens the Reporting tab of the Threat Lookup page with
search results.
|
|
Similar samples
|
Information about attribution entity samples similar to the analyzed file.
|
Status—Status of the sample.
MD5—MD5 hash of a similar sample. Clicking
the item navigates you to the Threat Lookup page where lookup results for
this file are displayed.
Size—Size of a similar sample, in bytes.
Genotypes matched (total)—Number of genotypes
in the similar attribution entity sample that match the analyzed file. This is followed by the total number
of genotypes in the similar sample that are related to the attribution entity.
Strings matched (total)—Number of strings in
the similar attribution entity sample that match the analyzed file. This is followed by the total number of
strings in the similar sample that are related to the attribution entity.
Similarity—Percentage of similarity between
the analyzed file and the similar attribution entity sample.
Attribution entities—Malicious actors or
tools matched with the sample. Actor names are presented as clickable tags. When you click a tag,
Kaspersky Threat Intelligence Portal searches for the respective actor and opens the Reporting tab of the Threat Lookup page with
search results.
Aliases—Known aliases for the attribution
entity related to this sample.
|
|
Matched genotypes
|
Information about the genotypes matched with the analyzed file.
|
Genotype—Genotype in the analyzed file that
matches genotypes of similar attribution entity samples.
Matched—Number of all known attribution
entity samples with this genotype.
Used by—Attribution entities related to
samples with this genotype.
|
|
Matched strings
|
Information about strings matched with the analyzed file.
|
String—String in the analyzed file that
matches strings of similar attribution entity samples.
Matched—Number of all known attribution
entity samples with this string.
Used by—Attribution entities related to
samples with this string.
|
Page top
[Topic SimilarityReportPage]
Report page for Similarity
The Similarity page displays information about files that are
similar to the analyzed file.
Using machine-learning (ML) methods, Kaspersky systems extract the requested file features
and detect similar malicious files. Information about similar files can be used in an incident response to search
more extensively for modifications and variations of a malicious object. This information allows you to optimize
perimeter protection from certain threats and take into account different modifications and variations of a
malicious object.
Please note, Kaspersky Threat Intelligence Portal and Kaspersky Threat Attribution Engine use
different approaches to detect file similarity. Kaspersky Threat Intelligence Portal searches for similarity by
special hashes, while Kaspersky Threat Attribution Engine searches by genotypes and strings extracted from the
body of the file. For more information, please see Kaspersky Threat Attribution Engine documentation.
The Similarity report page contains the sections described in
the table below.
Similarity page
|
Section
|
Description
|
Fields
|
|
Analyzed file
|
Name of the analyzed file and whether similar files were found: Similar files found or Similar files not
found.
You can download information about detected similar files as an archive by clicking
the Export results button.
|
—
|
|
Summary
|
Date and time when the file analysis started.
|
—
|
|
Sample & Content
|
Information about similar files. Contains the data described in the table below.
Depending on the submitted object, this section contains the following:
- Not an archive—Section with analysis results for the submitted file.
- Archive containing one file—Section with analysis results for the
submitted archive and section with analysis results for the extracted file.
- Archive containing more than one file—Section with analysis results for
the submitted archive and section with a list of extracted files, without analysis results.
|
—
|
|
Info
|
General information about the analyzed file.
|
MD5—MD5 hash of the executed file. This item
is clickable and takes you to the Threat Lookup page, where you can search
for information about the MD5 hash.
SHA1—SHA1 hash of the executed file. This
item is clickable and takes you to the Threat Lookup page, where you can
search for information about the SHA1 hash.
SHA256—SHA256 hash of the executed file. This
item is clickable and takes you to the Threat Lookup page, where you can
search for information about the SHA256 hash.
File name—Name of the analyzed file.
Size—Size of the executed file in bytes.
|
|
Similar files
|
Information about detected similar files.
You can click the Download data button located by
this section to export the corresponding data. The button is available if the section contains data.
|
Status—Status of the file that is similar to
the analyzed file. If necessary, use the filter to view files with a specific status: Malware, Good, Not categorized.
Detection name—Name of the detected object (for
example, HEUR:Exploit.Script.Blocker).
Confidence—Level of confidence that the
object is similar to the submitted file. Kaspersky Threat Intelligence Portal displays similar files with a
confidence level from 8 to 11.
First seen—Date and time when the similar
file was detected by Kaspersky expert systems for the first time (for your local time zone).
Last seen—Date and time, accurate to one
minute, when the similar file was detected by Kaspersky expert systems for the last time (for your local
time zone).
Hits—Number of hits (popularity) for the file
similar to the analyzed file that was detected by Kaspersky expert systems (rounded to nearest power of 10).
MD5—MD5 hash of the file similar to the
analyzed file. Items are clickable, you can select the following actions:
|
|
Statistics for similar files
|
Statistical information about detected similar files.
|
Similarity—Total number of detected similar
files.
Confidence summary—Chart that displays the
total number of similar files, and the proportion of confidence levels.
Status summary—Chart that displays the total
number of similar files, and the proportion of files with Malware (red)
and Clean (green), Adware and other
(yellow), and Not categorized (gray) status.
Detection names—Detected objects (for example,
HEUR:Exploit.Script.Blocker):
- Name—Name of the detected object.
- Number—Number of similar files that
contain the detected object.
|
|
Archive content
|
Information about files extracted from the submitted archive. This section is
displayed if the archive contains more than one file.
|
- MD5—MD5 hash of the extracted file.
- File name—Name of the extracted file.
- Type—Type of the extracted
file.
|
Page top
[Topic ExportingObjectExecutionResults]
Exporting file execution results
Kaspersky Threat Intelligence Portal enables you to export file execution results for further
analysis.
The execution result structure may change after the Kaspersky Sandbox database update. In
addition to the described fields, other fields may appear in the exported results.
You can export the following data:
Page top
[Topic ExportingAllExecutionResults]
Exporting all file execution results
The following procedure tells you how to export all file execution results.
Kaspersky Sandbox, Kaspersky Threat Attribution Engine, and Similarity investigation results are
exported separately.
To export all file execution results:
- On the Threat Analysis () page of Kaspersky Threat Intelligence Portal, do one of the following:
- In the History table, click the download button
(
) in the row that contains a file execution result that you want to
export.
- In the History table, click the View details → Sandbox / Attribution / Similarity in the row that
contains a file execution result that you want to export, and then click the Export all results button on the page that opens.
- In the drop-down list, select the file format for exporting execution results:
- For Kaspersky Sandbox:
- CSV archive (.zip).
- JSON archive (.zip).
- PCAP (.pcap)—archive (.zip) containing
JSON files and the network.pcap file.
- STIX (.stix).
- Debug report (.zip), if it is available. Debug
report is provided as a password-protected .zip archive. Use the password infected to unpack the archive.
- For Kaspersky Threat Attribution Engine:
- For Similarity:
- JSON archive (.zip).
- STIX (.stix).
- CSV archive (.zip).
The file with execution results for the executed object are saved. Preparing a file with
all investigation results for downloading may take several minutes.
Page top
[Topic ExportingExecutionResultsCSV]
Exporting execution results to a CSV archive
If you select the CSV archive (.zip) option when exporting
all execution results, Kaspersky Threat Intelligence Portal saves execution results as a .zip archive. The
.zip archive contains files in comma-separated values (CSV) format, with commas used as field separators. Up to
10,000 entries can be exported to most files, with the exception of the sample-and-execution-properties.csv file,
which contains only one entry.
Information about network traffic is exported to a network.pcap file.
Screenshots are exported as a folder.
Exported results for multi-file objects contain only the sample-and-execution-properties.csv,
sample-content.csv, and detection-names.csv (if available) files. The sample-content.zip archive is not included
in the CSV archive (.zip) file and can be exported separately.
For the , only the
sample-and-execution-properties.csv and detection-names.csv files are included in the CSV archive.
By default, the format of the archive name is as follows:
- <file MD5>-csv.zip for files that were uploaded manually
- Downloaded_<file MD5>-csv.zip for files that were downloaded from a web address
You can change the archive name if necessary.
Each .zip archive contains the files described in the table below. The first row in all files
contains column names.
CSV archive contents
|
File name
|
Description
|
Column name
|
|
sample-and-execution-properties.csv
|
Information about object parameters and execution settings (Executing a file, Starting a file upload and execution).
The file contains only one entry.
|
Uploaded—Date and time when the object
execution started (for example, 2018-01-17T15:30:16.077Z).
Analyzed—Date and time when the object
execution completed (for example, 2018-01-17T15:39:02.673Z).
State—Execution task state (for example,
completed).
Error—Task execution error description.
If the task completed successfully, an empty string is returned.
AvBasesVersion—Date and time when
anti-virus databases were updated (for example, 2018-01-17T18:36:00Z).
Zone—Zone of the executed file (for
example, Red).
Status—Status of the executed file
(for example, Malware).
HasApt—Shows whether the file is related
to an advanced persistent threat (APT) attack.
FileName—Name of the executed file (for
example, 0xDC2ED1E657AEE092B63DC3BB9EAEECA8).
FileExtension—Extension of the executed
file (for example, js).
FileType—Automatically detected type of
the executed file.
Length—Size of the executed file, in
bytes (for example, 539136).
Md5—MD5 hash of the executed object (for
example, DC2ED1E657AEE092B63DC3BB9EAEECA8).
Sha1—SHA1 hash of the executed object
(for example, B617DF5EBC4381305B7268C1ECD4B4DF6A0A02BC).
Sha256—SHA256 hash of the executed object
(for example, 47BB3B7EA8CA384E459BC7D4B69D9DBA638EDEBF1BE837E81DCA1D81FEE703C3).
ExecutionEnvironment—Execution
environment of the file (for example, Win7_x64).
Channel—Specified region of a network
channel that the object should use to access the internet (for example, any_channel).
ChannelUsed—Region of a network
channel that the object actually used to access the internet (for example, US).
ExecutionTime—Object execution time, in
seconds (for example, 500).
DecryptHTTPS—Boolean parameter. Indicates
whether HTTPS traffic generated by the executed object was decrypted.
ClickOnLinks—Boolean parameter. Indicates
whether the links in the opened documents were followed during the file execution.
|
|
sample-download-info.csv
|
Information about downloading the file from the submitted link.
This file is available only for files that were downloaded from a web address.
|
Started—Date and time when the file
download started (for example, 2018-01-17T15:30:16.077Z).
Method—Method of sending an HTTP request.
The HTTP method can be one of the following: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, or
PATCH.
RequestFields—Standard request header
names based on the RFC2616 Hypertext Transfer Protocol -- HTTP/1.1, including the Name, Value, and the IsDefault indicator.
DownloadRequests—Information about the
request, including:
Zone—Zone of the web address from
which the file was downloaded (for example, Red).
Status—Status of the web address from
which the file was downloaded (for example, Dangerous).
HasApt—Shows whether the web address is
related to an APT attack.
Protocol—Protocol which was used (HTTP
or HTTPS).
Url—Web address used to download a file.
ResponseCode—HTTP response status code
(for example, 200 means the request was completed successfully).
ResponseLenght—Size of the response to
the HTTP request in bytes.
ResponseHeaders—Standard response header
names based on the RFC2616 Hypertext Transfer Protocol -- HTTP/1.1, including the Name, Value, and the IsDefault indicator.
Categories—Array with unnamed objects
containing information about categories of the web address from which the file was downloaded:
Zone—Zone of the category (for
example, Grey).
Name—Name of the category.
|
|
detection-names.csv
|
Information about objects detected during file execution.
|
Zone—Danger zone to which the object
refers (for example, Malware).
Threat—Name of the detected object (for
example, HEUR:Exploit.Script.Blocker).
|
|
triggered-network-rules.csv
|
Information about SNORT and Suricata rules triggered during analysis of traffic from
executed object.
|
Zone—Danger zone (level) of the network
traffic detected by the SNORT or Suricata rule (for example, High).
RuleName—SNORT or Suricata rule name (for
example, Trojan.Agent.HTTP.C&C).
|
|
screens (folder)
|
Set of screenshots (PNG images) that were taken during the file execution.
|
—
|
|
suspicious-activities.csv
|
Information about registered suspicious activities.
|
Type—Type of a suspicious activity (for
example, RegistryValueUpdate).
Zone—Danger zone (level) of the
registered activity (for example, High).
Severity—Numerical value of the danger
level of the registered activity (for example, 555).
Image—Extracted object (for example,
$selfpath\$selfname.exe).
|
|
suspicious-activities-android.csv
|
Information about registered Android suspicious activities.
|
ComponentClass—Component class (for
example, action).
ComponentType—Component type (for
example, DEFAULT).
Zone—Danger zone (level) of the
registered activity (for example, Medium).
Severity—Numerical value of the danger
level of the registered activity (for example, 400).
Name—Name of the registered activity (for
example, Copy file).
Description—Description of the registered
activity (for example, Copy file).
|
|
loaded-pe-images.csv
|
Information about loaded images that were detected during the file execution.
|
Path—Full path to the loaded image (for
example, \\Windows\\SysWOW64\\rpcrt4.dll).
Size—Size of the loaded image, in bytes
(for example, 555).
|
|
file-operations.csv
|
Information about file operations that were registered during the file execution.
|
Operation—Operation name (for example,
FILE_CREATED).
Name—The Name attribute of the operation (for example,
$selfpath\\KL_APT_SANDBOX_TEST_MARKER_FILE).
NewName—The NewName attribute of the operation (for example,
selfpath\\KL_APT_SANDBOX_TEST_MARKER_FILE_NEW).
|
|
registry-operations.csv
|
Information about operations performed on the operating system registry detected
during file execution.
|
Operation—Operation name (for example,
REG_CREATE_KEY).
Key—The Key attribute of the operation (for example,
\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution
Options\\DisableUserModeCallbackFilter).
Value—The Value attribute of the operation (for example, 1).
|
|
process-operations.csv
|
Information about interactions of the file with various processes registered during
file execution.
|
Operation—Operation name (for example,
PROCESS_STARTED).
ProcessName—Name of the process that
interacted with the executed file (for example, $windir\\explorer.exe).
|
|
synchronize-operations.csv
|
Information about operations of created synchronization objects registered during
file execution.
|
Type—Type of created synchronization
object (for example, mutex).
Name—Name of created synchronization
object (for example, Skyz.Messaging.ThreadPooling.MyAppSingleInstance).
|
|
network.pcap
|
Information about activities registered during file execution.
|
—
|
|
downloaded-files.csv
|
Information about files extracted from network traffic during file execution.
|
Zone—Zone of the file (for example,
Red).
Status—Status of the file (for
example, Malware).
Md5—MD5 hash function of the downloaded
file (for example, B136E08794A896FDB28C13A5F9D27D4A).
HasApt—Shows whether the file is related
to an advanced persistent threat (APT) attack.
DetectionName—Name of the detected object (for
example, Trojan-Downloader.Script.Generic).
Traffic—Traffic that the downloaded file
was extracted from (HTTP or HTTPS).
|
|
dropped-files.csv
|
Information about files saved by executed file.
|
Zone—Zone of the dropped file (for
example, Red).
Status—Status of the dropped file
(for example, Malware).
Md5—MD5 hash function of the dropped file
(for example, B136E08794A896FDB28C13A5F9D27D4A).
HasApt—Shows whether the file is related
to an advanced persistent threat (APT) attack.
DetectionName—Name of the detected object (for
example, Trojan-Downloader.Script.Generic).
FileName—File name of the dropped file
(for example, sample.exe).
|
|
dumps.csv
|
Dump files (snapshots) of the file execution process and loaded modules.
Available only for execution environments that have the Android operating system
installed.
|
Zone—Zone of the dump file (for
example, Red).
Md5—MD5 hash function of the dump file.
Sha1—SHA1 hash function of the dump file.
Sha256—SHA256 hash function of the dump
file.
DetectionName—Name of the detected object
(for example, Trojan-Downloader.Script.Generic).
Name—Name of the dump file.
Size—Size of the dump file.
Type—Type of the dump file.
IsHttpsTraffic—Traffic that the
downloaded file was extracted from (HTTP or HTTPS).
|
|
matrix.csv
|
Information about known tactics, techniques and procedures (TTPs), and a mapping to
the MITRE ATT&CK classification for the executed object.
|
Id—ID of a tactic.
Name—Name of a tactic.
Url—Web address to the tactic's
description on the MITRE ATT&CK web site.
|
|
sample-content.csv
|
Information about the content of the packed file. Unpack the archive using default
passwords.
|
Zone—Color of the danger zone (level) of
the file.
MD5—MD5 hash of the file.
SHA1—SHA1 hash of the file.
SHA256—SHA256 hash of the file.
Path—File name and path to it from the
uploaded object's root.
Packer—Name of the packer used to pack
the uploaded object.
Type—Automatically detected type of the
file.
DetectionNames—Names of the detected
objects (for example, HEUR:Exploit.Script.Blocker).
Size—Size of the file in bytes.
|
|
sample-content.zip
|
Archive that contains files included in the packed object. Unpack the archive using
default
passwords.
This archive can only be exported separately. It is not exported, when you export all task results.
|
—
|
|
manifest.zip
|
Information about Android app manifest.
|
—
|
|
static-modules.csv
|
Android app modules detected through the static analysis.
|
Status—Status (danger level) of the
permission.
Severity—Severity of the permission's
danger.
File—Path to the app module and its
module.
Md5—MD5 hash of the file contents.
Description—Description of the app
module.
|
|
static-permissions.csv
|
Android app permissions detected through the static analysis.
|
Status—Status (danger level) of the
permission.
Severity—Severity of the permission's
danger.
Permission—Permission's value.
Description—Detailed description of the
permission.
|
|
static-components.csv
|
Android app components detected through the static analysis.
|
Status—Status (danger level) of the
component.
Severity—Severity of the component's
danger.
Component—Component name.
Description—Detailed description of the
component.
Intent filters—List of filters applied to
the component:
Priority—Filter priority.
Actions—Performed action.
Categories—Component category.
|
|
static-bundle.csv
|
Android App Bundle (APK).
|
Type—File type (Module, Icon, or
Picture).
Path—File path and name.
Size—File size.
MD5—MD5 hash of the file.
|
|
static-images.csv
|
Android App Bundle images.
|
—
|
|
dynamic-modules.csv
|
Android app modules detected through the dynamic analysis.
|
Status—Status (danger level) of the
module.
Severity—Severity of the module's danger.
File—Path to the module and its name.
Md5—MD5 hash.
Description—Detailed description of the
module.
Timestamp—Date and time when a module was
loaded, specified in the UNIX time: number of seconds elapsed since 00:00:00 (UTC), 1 January 1970.
|
|
network-traffic-tables-ip-sessions.csv
|
Array that contains information about IP sessions that were registered during file
execution.
|
DestinationIP—Destination IP address.
ThreatScore—Probability that the
destination IP address is dangerous (0 to 100). An IP address is classified by Kaspersky expert systems as
dangerous if its threat score is greater than 74.
Started—Date and time when the IP session
started.
Ended—Date and time when the IP session
ended.
Size—Size of data that was sent and
received within the IP session (in bytes).
Packets—Number of packets that were sent
and received within the IP session.
|
|
network-traffic-tables-tcp-sessions.csv
|
Array that contains information about TCP sessions that were registered during file
execution.
|
DestinationIP—Destination IP address.
ThreatScore—Probability that the
destination IP address is dangerous (0 to 100).
SourcePort—Source port number
(0–65536).
DestinationPort—Destination port number
(0–65536).
Size—Size of data that was sent and
received within the TCP session (in bytes).
Packets—Number of packets that were sent
and received within the TCP session.
SYNPackets—Number of SYN packets that
were sent and received within the TCP session.
FINPackets—Number of FIN packets that
were sent and received within the TCP session.
OutOfOrderPackets—Number of out-of-order
packets that were sent and received within the TCP session.
LostAckPackets—Number of lost ACK packets
that were sent and received within the TCP session.
DuplicatedAckPackets—Number of duplicated
ACK packets that were sent and received within the TCP session.
WindowIn—Number of incoming segments
(bytes) that can be sent from server to client before an acknowledgment (ACK packet) is received.
WindowOut—Number of outgoing segments
(bytes) that can be sent from client to server before an acknowledgment (ACK packet) is received.
|
|
network-traffic-tables-udp-sessions.csv
|
Array that contains information about UDP sessions that were registered during file
execution.
|
DestinationIP—Destination IP address.
ThreatScore—Probability that the
destination IP address is dangerous (0 to 100).
SourcePort—Source port number
(0–65536).
DestinationPort—Destination port number
(0–65536).
Size—Size of data that was sent and
received within the UDP session (in bytes).
Packets—Number of packets that were sent
and received within the UDP session.
|
|
network-traffic-tables-dns-sessions.csv
network-traffic-tables-dns-messages.csv
|
Array that contains information about DNS sessions that were registered during file
execution.
|
Id—DNS message ID.
Qr—Request/response indicator
(0—DNS query, 1—DNS response).
RCode—DNS response code.
Size—Size of data that was sent and
received within the DNS session (in bytes).
Packets—Number of packets that were sent
and received within the DNS session.
Records—Records in the message. For each
record, its status, name, section, and type are displayed. If available, TTL and Data fields are available.
|
|
network-traffic-tables-ftp-sessions.csv
|
Array that contains information about FTP sessions that were registered during file
execution.
|
CommandName—Command name.
CommandArg—Command argument.
ReplyCode—Reply code.
ReplyMsg—Reply message from a server.
DataChannelClientIp—FTP client address.
DataChannelServerIp—FTP server address.
DataChannelServerPort—Port number of the
FTP server.
|
|
network-traffic-tables-http-sessions.csv
|
Array that contains information about HTTP requests that were registered during the
file execution.
|
Status—Danger zone (level) of a URL in
the HTTP request.
Method—Method of sending the HTTP
request. The HTTP method can be one of the following: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE,
or PATCH.
URL—URL to which the request was
registered.
ResponseCode—Response code of the HTTP
request.
ResponseLength—Size of the response to
the HTTP request in bytes.
RequestHeaders—Standard request header
names based on the RFC2616 Hypertext Transfer Protocol -- HTTP/1.1. Provided as
<name>:<value> pairs.
ResponseHeaders—Standard response header
names based on the RFC2616 Hypertext Transfer Protocol -- HTTP/1.1. Provided as
<name>:<value> pairs.
RequestBody—Body of the request (Md5,
Name, Size).
ResponseBody—Body of the response (Md5,
Name, Size).
|
|
network-traffic-tables-tls-sessions.csv
|
Array that contains information about TLS sessions that were registered during file
execution.
|
Status—Domain status.
Version—TLS protocol version.
Cipher—Cryptographic algorithm.
Curve—Curve class.
ServerName—Name of the server.
Subject—Subject name.
Issuer—Issuer name.
|
|
network-traffic-tables-irc-sessions.csv
|
Array that contains information about IRC sessions that were registered during file
execution.
|
Command—Command name.
User—User name.
Nick—User's nickname.
Channels—Names of channels to connect to
during the IRC session.
Sender—Nickname of the command's sender.
Channel—Name of the channel to send the
message to during the IRC session.
Text—Text that was sent during the IRC
session.
|
|
network-traffic-tables-pop3-sessions.csv
|
Array that contains information about POP3 sessions that were registered during file
execution.
|
Type—Command type.
Command—Command result.
Arguments—Command arguments.
Message—Description of the result of the
command.
|
|
network-traffic-tables-smb-sessions.csv
|
Array that contains information about SMB sessions that were registered during file
execution.
|
Status—Status of the IP address.
DestinationIP—Session's destination IP
address.
DestinationPort—Destination port number
(0–65536).
Version—Protocol version.
Files—File transferred during the command
execution.
|
|
network-traffic-tables-smtp-sessions.csv
|
Array that contains information about SMTP sessions that were registered during file
execution.
|
Status—Status of the hash.
From—Sender's name and address.
To—Receivers' names and addresses.
Subject—Message subject.
Files—List of MD5 hashes of attached
files.
|
|
network-traffic-tables-socks-sessions.csv
|
Array that contains information about SOCKS sessions that were registered during file
execution.
|
Status—Status of the IP address.
Version—SOCKS protocol version.
RequestHost—IP address or fully qualified
domain name (FQDN), to which the connection request was made via the SOCKS protocol.
RequestPort—Number of the TCP port to
which a connection request was made via the SOCKS protocol (0–65536).
BoundHost—IP address or fully qualified
domain name (FQDN), to which the connection was established.
BoundPort—Number of the TCP port to which
the connection was established (0–65536).
|
|
network-traffic-tables-https-sessions.csv
|
Array that contains information about HTTPS requests that were registered during the
file execution.
|
Status—Danger zone (level) of a URL in
the HTTPS request.
Method—Method of sending an HTTPS
request. The HTTPS method can be one of the following: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS,
TRACE, or PATCH.
URL—URL to which the request was
registered.
ResponseCode—Response code of the HTTPS
request.
ResponseLength—Size of the response to
the HTTPS request in bytes.
RequestHeaders—Standard request header
names based on the RFC2616 Hypertext Transfer Protocol -- HTTP/1.1. Provided as
<name>:<value> pairs.
ResponseHeaders—Standard response header
names based on the RFC2616 Hypertext Transfer Protocol -- HTTP/1.1. Provided as
<name>:<value> pairs.
RequestBody—Body of the request (Md5,
Name, Size).
ResponseBody—Body of the response (Md5,
Name, Size).
|
Page top
[Topic ExportingExecutionResultsJSON]
Exporting execution results to a JSON archive
If you select the JSON archive (.zip) option when exporting
all execution results, Kaspersky Threat Intelligence Portal saves execution results as a .zip archive. The
archive contains .json files. Files can contain up to 10,000 JSON objects, except for the
sample-and-execution-properties.json file. This file contains only one JSON object.
Information about network traffic is exported to a network-traffic.pcap file.
Screenshots are exported as a folder.
Exporting results for multi-file objects contain only sample-and-execution-properties.json,
sample-content.json, and detection-names.json (if available) files. The sample-content.zip archive is not included
in JSON archive (.zip) file, and can be exported separately.
For the , only
sample-and-execution-properties.json and detection-names.json files are included in the JSON archive.
By default, the format of the archive name is as follows:
- <file MD5>.zip for files that were uploaded manually
- Downloaded_<file MD5>.zip for files that were downloaded from a web address
You can change the archive name if necessary.
Each .zip archive contains files described in the table below.
JSON archive contents for Kaspersky Sandbox
|
File name
|
Description
|
JSON attribute
|
|
sample-and-execution-properties.json
|
Information about object parameters and execution settings (Executing a file, Starting a file upload and execution).
The file contains only one JSON object.
|
Uploaded—Date and time when the object
execution started (for example, 2018-01-17T15:30:16.077Z).
Analyzed—Date and time when the object
execution completed (for example, 2018-01-17T15:39:02.673Z).
State—Execution task state (for example,
completed).
Error—Task execution error description.
If the task completed successfully, an empty string is returned.
AvBasesVersion—Date and time when
anti-virus databases were updated (for example, 2018-01-17T18:36:00Z).
Zone—Zone of the executed file (for
example, Red).
Status—Status of the executed file
(for example, Malware).
HasApt—Shows whether the file is related
to an advanced persistent threat (APT) attack.
FileName—Name of the executed file (for
example, 0xDC2ED1E657AEE092B63DC3BB9EAEECA8).
FileExtension—Extension of the executed
file (for example, js).
FileType—Automatically detected type of
the executed file.
Length—Size of the executed file, in
bytes (for example, 539136).
Md5—MD5 hash of the executed object (for
example, DC2ED1E657AEE092B63DC3BB9EAEECA8).
Sha1—SHA1 hash of the executed object
(for example, B617DF5EBC4381305B7268C1ECD4B4DF6A0A02BC).
Sha256—SHA256 hash of the executed object
(for example, 47BB3B7EA8CA384E459BC7D4B69D9DBA638EDEBF1BE837E81DCA1D81FEE703C3).
ExecutionEnvironment—Execution
environment of the file (for example, Win7_x64).
Channel—Specified region of a network
channel that the object should use to access the internet (for example, any_channel).
ChannelUsed—Region of a network
channel that the object actually used to access the internet (for example, US).
ExecutionTime—Object execution time, in
seconds (for example, 500).
DecryptHTTPS—Boolean parameter. Indicates
whether HTTPS traffic generated by the executed object was decrypted.
ClickOnLinks—Boolean parameter. Indicates
whether the links in the opened documents were followed during the file execution.
|
|
sample-download-info.json
|
Information about downloading the file from the submitted link.
This file is available only for files that were downloaded from a web address.
|
Started—Date and time when the file
download started (for example, 2018-01-17T15:30:16.077Z).
Method—Method of sending an HTTP request.
The HTTP method can be one of the following: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, or
PATCH.
RequestFields—Standard request header
names based on the RFC2616 Hypertext Transfer Protocol -- HTTP/1.1, including the Name, Value, and the IsDefault indicator.
DownloadRequests—Information about the
request, including:
Zone—Zone of the web address from
which the file was downloaded (for example, Red).
Status—Status of the web address from
which the file was downloaded (for example, Dangerous).
HasApt—Shows whether the web address is
related to an APT attack.
Protocol—Protocol which was used (HTTP
or HTTPS).
Url—Web address used to download a file.
ResponseCode—HTTP response status code
(for example, 200 means the request was completed successfully).
ResponseLenght—Size of the response to
the HTTP request in bytes.
ResponseHeaders—Standard response header
names based on the RFC2616 Hypertext Transfer Protocol -- HTTP/1.1, including the Name, Value, and the IsDefault indicator.
Categories—Array with unnamed objects
containing information about categories of the web address from which the file was downloaded:
Zone—Zone of the category (for
example, Grey).
Name—Name of the category.
|
|
detection-names.json
|
Information about objects detected during file execution.
|
Zone—Danger zone to which the object
refers (for example, Malware).
Threat—Name of the detected object (for
example, HEUR:Exploit.Script.Blocker).
|
|
triggered-network-rules.json
|
Information about SNORT and Suricata rules triggered during analysis of traffic from
executed object.
|
Zone—Danger zone (level) of the network
traffic detected by the SNORT or Suricata rule (for example, High).
RuleName—SNORT or Suricata rule name (for
example, Trojan.Agent.HTTP.C&C).
|
|
screens (folder)
|
Set of screenshots (PNG images) that were taken during the file execution.
|
—
|
|
suspicious-activities.json
|
Information about registered suspicious activities.
|
Type—Type of a suspicious activity (for
example, RegistryValueUpdate).
Zone—Danger zone (level) of the
registered activity (for example, High).
Severity—Numerical value of the danger
level of the registered activity (for example, 555).
Properties—Attributive description of the
registered activity.
|
|
suspicious-activities-android.json
|
Information about registered Android suspicious activities.
|
ComponentClass—Component class (for
example, action).
ComponentType—Component type (for
example, DEFAULT).
Zone—Danger zone (level) of the
registered activity (for example, Medium).
Severity—Numerical value of the danger
level of the registered activity (for example, 400).
Name—Name of the registered activity (for
example, Copy file).
Description—Description of the registered
activity (for example, Copy file).
|
|
loaded-pe-images.json
|
Information about loaded images that were detected during the file execution.
|
Path—Full path to the loaded image (for
example, \\Windows\\SysWOW64\\rpcrt4.dll).
Size—Size of the loaded image, in bytes
(for example, 555).
|
|
file-operations.json
|
Information about file operations that were registered during the file execution.
|
Operation—Operation name (for example,
FILE_CREATED).
Details—Array of the operation attributes
represented as key-value pairs. Includes the following:
Name—The Name attribute of the operation (for example,
$selfpath\\KL_APT_SANDBOX_TEST_MARKER_FILE).
Size—The Size attribute of the operation (for example, 555).
|
|
registry-operations.json
|
Information about operations performed on the operating system registry detected
during file execution.
|
Operation—Operation name (for example,
REG_CREATE_KEY).
Details—Array of the operation attributes
represented as key-value pairs. Includes the following:
Key—The Key attribute of the operation (for example,
\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution
Options\\DisableUserModeCallbackFilter).
Value—The Value attribute of the operation (for example, 1).
|
|
process-operations.json
|
Information about interactions of the file with various processes registered during
file execution.
|
Operation—Operation name (for example,
PROCESS_STARTED).
ProcessName—Name of the process that
interacted with the executed file (for example, $windir\\explorer.exe).
|
|
synchronize-operations.json
|
Information about operations of created synchronization objects registered during
file execution.
|
Type—Type of created synchronization
object (for example, mutex).
Name—Name of created synchronization
object (for example, Skyz.Messaging.ThreadPooling.MyAppSingleInstance).
|
|
network.pcap
|
Information about activities that were registered during the file execution.
This file is included in the archive if the PCAP
(.pcap) option is selected during the results export.
|
—
|
|
matrix.json
|
Information about known tactics, techniques and procedures (TTPs), and mapping with
MITRE ATT&CK classification for the executed object.
|
Matrix—MITRE ATT&CK matrix type.
Tactics—Information about tactics,
contains the following:
Id—ID of a tactic.
Name—Name of a tactic.
Url—Web address to the tactic's
description on MITRE ATT&CK web site.
Technique—Information about techniques,
contains the following:
Id—ID of a technique.
Name—Name of a technique.
Url—Web address to the technique's
description on MITRE ATT&CK web site.
|
|
sample-content.json
|
Information about the content of the packed file. Use default passwords infected, password, pass, god, 123456, 123456789, 12345678, 111111, or qwertyto unpack the archive.
|
Zone—Color of the danger zone (level) of
the file.
MD5—MD5 hash of the file.
SHA1—SHA1 hash of the file.
SHA256—SHA256 hash of the file.
Path—File name and path to it from the
uploaded object's root.
Packer—Name of the packer with which the
uploaded object is packed.
Type—Automatically detected type of the
file.
DetectionNames—Names of the detected
objects (for example, HEUR:Exploit.Script.Blocker).
Size—Size of the file in bytes.
|
|
sample-content.zip
|
Archive that contains files included in the packed object. Use default passwords
infected, password, pass, god, 123456, 123456789, 12345678, 111111, or qwertyto unpack the archive.
Archive can be exported separately only. It is not exported, when you export all task results.
|
—
|
|
downloaded-files.json
|
Information about files extracted from network traffic during file execution.
|
Zone—Zone of the file (for example,
Red).
Status—Status of the file (for
example, Malware).
Md5—MD5 hash function of the downloaded
file (for example, B136E08794A896FDB28C13A5F9D27D4A).
HasApt—Shows whether the file is related
to an advanced persistent threat (APT) attack.
DetectionName—Name of the detected object (for
example, Trojan-Downloader.Script.Generic).
Traffic—Traffic that the downloaded file
was extracted from (HTTP or HTTPS).
|
|
dropped-files.json
|
Information about files saved by executed file.
|
Zone—Zone of the dropped file (for
example, Red).
Status—Status of the dropped file
(for example, Malware).
Md5—MD5 hash function of the dropped file
(for example, B136E08794A896FDB28C13A5F9D27D4A).
HasApt—Shows whether the file is related
to an advanced persistent threat (APT) attack.
DetectionName—Name of the detected object (for
example, Trojan-Downloader.Script.Generic).
FileName—File name of the dropped file
(for example, sample.exe).
|
|
dumps.json
|
Dump files (snapshots) of the file execution process and loaded modules.
Available only for execution environments that have the Android operating system
installed.
|
Zone—Zone of the dump file (for
example, Red).
Md5—MD5 hash function of the dump file.
Sha1—SHA1 hash function of the dump file.
Sha256—SHA256 hash function of the dump
file.
DetectionName—Name of the detected object
(for example, Trojan-Downloader.Script.Generic).
Name—Name of the dump file.
Size—Size of the dump file.
Type—Type of the dump file.
IsHttpsTraffic—Traffic that the
downloaded file was extracted from (HTTP or HTTPS).
|
|
manifest.zip
|
Information about Android app manifest.
|
—
|
|
static-modules.json
|
Android app modules detected by using the static analysis.
|
Status—Status (danger level) of the
permission.
Severity—Severity of the permission's
danger.
File—Path to the app module and its
module.
Md5—MD5 hash of the file contents.
Description—Description of the app
module.
|
|
static-permissions.json
|
Android app permissions detected by using the static analysis.
|
Status—Status (danger level) of the
permission.
Severity—Severity of the permission's
danger.
Permission—Permission's value.
Description—Detailed description of the
permission.
|
|
static-components.json
|
Android app components detected by using the static analysis.
|
Status—Status (danger level) of the
component.
Severity—Severity of the component's
danger.
Component—Component name.
Description—Detailed description of the
component.
IntentFilters—List of filters applied to
the component:
Priority—Filter priority.
Actions—Performed action.
Categories—Component category.
|
|
static-bundle.json
|
Android App Bundle (APK).
|
Type—File type (Module, Icon, or
Picture).
Path—File path and name.
Size—File size.
MD5—MD5 hash of the file.
|
|
static-images.json
|
Android App Bundle images.
|
—
|
|
dynamic-modules.json
|
Android app modules detected by using the dynamic analysis.
|
Status—Status (danger level) of the
module.
Severity—Severity of the module's danger.
File—Path to the module and its name.
Md5—MD5 hash.
Description—Detailed description of the
module.
Timestamp—Date and time when a module was
loaded, specified in the UNIX time stamp system: number of seconds elapsed since 00:00:00 (UTC), 1 January
1970.
|
|
network-traffic-tables.json
|
Information about network activities that were registered during the file execution.
The data is saved in the root JSON object with the attributes described below in this
table, or in separate CSV files with corresponding names.
|
—
|
|
IpSessions section
|
Array that contains information about IP sessions that were registered during file
execution.
|
DestinationIP—Destination IP address.
ThreatScore—Probability that the
destination IP address will appear dangerous (0 to 100). An IP address is classified by Kaspersky expert
systems as dangerous if its threat score is greater than 74.
Started—Date and time when the IP session
started.
Ended—Date and time when the IP session
ended.
Size—Size of data that was sent and
received within the IP session (in bytes).
Packets—Number of packets that were sent
and received within the IP session.
|
|
TcpSessions section
|
Array that contains information about TCP sessions that were registered during file
execution.
|
DestinationIP—Destination IP address.
ThreatScore—Probability that the
destination IP address will appear dangerous (0 to 100).
SourcePort—Source port number
(0–65536).
DestinationPort—Destination port number
(0–65536).
Size—Size of data that was sent and
received within the TCP session (in bytes).
Packets—Number of packets that were sent
and received within the TCP session.
SYNPackets—Number of SYN packets that
were sent and received within the TCP session.
FINPackets—Number of FIN packets that
were sent and received within the TCP session.
OutOfOrderPackets—Number of out-of-order
packets that were sent and received within the TCP session.
LostAckPackets—Number of lost ACK packets
that were sent and received within the TCP session.
DuplicatedAckPackets—Number of duplicated
ACK packets that were sent and received within the TCP session.
WindowIn—Number of incoming segments
(bytes) that can be sent from server to client before an acknowledgment (ACK packet) is received.
WindowOut—Number of outgoing segments
(bytes) that can be sent from client to server before an acknowledgment (ACK packet) is received.
|
|
UdpSessions section
|
Array that contains information about UDP sessions that were registered during file
execution.
|
DestinationIP—Destination IP address.
ThreatScore—Probability that the
destination IP address will appear dangerous (0 to 100).
SourcePort—Source port number
(0–65536).
DestinationPort—Destination port number
(0–65536).
Size—Size of data that was sent and
received within the UDP session (in bytes).
Packets—Number of packets that were sent
and received within the UDP session.
|
|
DnsSessions section
|
Array that contains information about DNS sessions that were registered during file
execution.
|
Id—DNS message ID.
Qr—Request/response indicator
(0—DNS query, 1—DNS response).
RCode—DNS response code.
Size—Size of data that was sent and
received within the DNS session (in bytes).
Packets—Number of packets that were sent
and received within the DNS session.
Records—Records in the message. For each
record, its status, name, section, and type are displayed. If available, TTL and Data fields are available.
|
|
FtpSessions section
|
Array that contains information about FTP sessions that were registered during file
execution.
|
CommandName—Command name.
CommandArg—Command argument.
ReplyCode—Reply code.
ReplyMsg—Reply message from a server.
DataChannelClientIp—FTP client address.
DataChannelServerIp—FTP server address.
DataChannelServerPort—Port number of the
FTP server.
|
|
HttpSessions section
|
Array that contains information about HTTP requests that were registered during the
file execution.
|
Status—Danger zone (level) of a URL in
the HTTP request.
Method—Method of sending an HTTP request.
The HTTP method can be one of the following: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, or
PATCH.
URL—URL to which the request was
registered.
ResponseCode—Response code of the HTTP
request.
ResponseLength—Size of the response to
the HTTP request in bytes.
RequestHeaders—Standard request header
names based on the RFC2616 Hypertext Transfer Protocol -- HTTP/1.1. Provided as
<name>:<value> pairs.
ResponseHeaders—Standard response header
names based on the RFC2616 Hypertext Transfer Protocol -- HTTP/1.1. Provided as
<name>:<value> pairs.
RequestBody—Body of the request (Md5,
Name, Size).
ResponseBody—Body of the response (Md5,
Name, Size).
|
|
TlsSessions section
|
Array that contains information about TLS sessions that were registered during file
execution.
|
Status—Domain status.
Version—TLS protocol version.
Cipher—Cryptographic algorithm.
Curve—Curve class.
ServerName—Name of the server.
Subject—Subject name.
Issuer—Issuer name.
|
|
IrcSessions section
|
Array that contains information about IRC sessions that were registered during file
execution.
|
Command—Command name.
User—User name.
Nick—User's nickname.
Channels—Names of channels to connect to
during the IRC session.
Sender—Nickname of the command's sender.
Channel—Name of the channel to send the
message to during the IRC session.
Text—Text that was sent during the IRC
session.
|
|
Pop3Sessions section
|
Array that contains information about POP3 sessions that were registered during file
execution.
|
Type—Command type.
Command—Command result.
Arguments—Command arguments.
Message—Description of the result of the
command.
|
|
SmbSessions section
|
Array that contains information about SMB sessions that were registered during file
execution.
|
Status—Status of the IP address.
DestinationIP—Session's destination IP
address.
DestinationPort—Destination port number
(0–65536).
Version—Protocol version.
Md5—MD5 hashes of files transferred
during the command execution.
|
|
SmtpSessions section
|
Array that contains information about SMTP sessions that were registered during file
execution.
|
Status—Status of the hash.
From—Sender's name and address.
To—Receivers' names and addresses.
Subject—Message subject.
Md5—List of MD5 hashes of attached files.
|
|
SocksSessions section
|
Array that contains information about SOCKS sessions that were registered during file
execution.
|
Status—Status of the IP address.
Version—SOCKS protocol version.
RequestHost—IP address or fully qualified
domain name (FQDN), to which the connection request was made via the SOCKS protocol.
RequestPort—Number of the TCP port to
which a connection request was made via the SOCKS protocol (0–65536).
BoundHost—IP address or fully qualified
domain name (FQDN), to which the connection was established.
BoundPort—Number of the TCP port to which
the connection was established (0–65536).
|
|
HttpsSessions section
|
Array that contains information about HTTPS requests that were registered during the
file execution.
|
Status—Danger zone (level) of a URL in
the HTTPS request.
Method—Method of sending an HTTPS
request. The HTTPS method can be one of the following: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS,
TRACE, or PATCH.
URL—URL to which the request was
registered.
ResponseCode—Response code of the HTTPS
request.
ResponseLength—Size of the response to
the HTTPS request in bytes.
RequestHeaders—Standard request header
names based on the RFC2616 Hypertext Transfer Protocol -- HTTP/1.1. Provided as
<name>:<value> pairs.
ResponseHeaders—Standard response header
names based on the RFC2616 Hypertext Transfer Protocol -- HTTP/1.1. Provided as
<name>:<value> pairs.
RequestBody—Body of the request (Md5,
Name, Size).
ResponseBody—Body of the response (Md5,
Name, Size).
|
JSON archive contents for Similarity
|
File name
|
Description
|
JSON attribute
|
|
<file MD5>_similarity.json
|
Information about files that are similar to the requested file.
|
general_info—Object that contains general
information about submitted file. This section includes the following:
file_name—Name of the analyzed file.
analyzed—Date and time when the file
analysis started.
sample_type—Type of the submitted file:
simple—A single file, not an
archive, was submitted.empty_arch—An empty archive was
submitted.single_file_arch—An archive
containing one file was submitted.multi_file_arch—An archive
containing more than one file was submitted.
original_file—Object that contains
detailed information about submitted file and detected similar files:
MD5—MD5 hash of the analyzed file.
SHA1—SHA1 hash of the analyzed file.
SHA256—SHA256 hash of the analyzed
file.file_name—Name of the analyzed file.
file_size—Size of the analyzed file.
similar_files—Object that contains
information about detected similar files:total_count—Total number of detected
files that are similar to the analyzed file.items—Array of detected similar
files:md5—MD5 hash of the file similar to
the analyzed file.status—Status of the file that is
similar to the analyzed file.confidence—Level of confidence that
the object is similar to the analyzed file. Kaspersky Threat Intelligence Portal displays similar files,
with a confidence level from 8 to 11.detection_name—Name of the detected
object (for example, HEUR:Exploit.Script.Blocker).hits—Number of hits (popularity) for
the file similar to the analyzed file detected by Kaspersky expert systems (rounded to nearest power of
10).first_seen—Date and time when the
similar file was detected by Kaspersky expert systems for the first time (for your local time zone).last_seen—Date and time, accurate to
one minute, when the similar file was detected by Kaspersky expert systems for the last time (for your
local time zone).file_type—Type of the object similar
to the analyzed file.file_size—Size of the object similar
to the analyzed file.unpacked_file—Object that contains detailed information about a
file extracted from the submitted file and similar files. The array structure is similar to the original_file array structure described above.
archive_content—Array that contains
information about files extracted from the submitted archive, if it contains more than one file (sample_type=multi_file_arch):
total_count—Total number of detected
files that are similar to the extracted file.items—Array of detected similar
files:md5—MD5 hash of the file similar to
the extracted file.file_name—Name of the object similar
to the extracted file.file_size—Size of the object similar
to the extracted file.
|
Page top
[Topic ExportingExecutionResultsSTIX]
Exporting execution results to STIX
If you select the STIX (.xml) option when exporting all
execution results, Kaspersky Threat Intelligence Portal saves execution results as a file in STIX format.
For the , exporting
to STIX format is not available.
By default, the format of the file name is as follows: <object MD5>.stix. You can change
the file name if necessary. For similar files, the default file name is <object MD5>_similarity.stix.
Each STIX file contains sections described in the tables below.
STIX file sections for Sandbox
|
Section
|
Description
|
Comment
|
|
Description
|
Information about object parameters and execution settings (Executing a file, Starting a file upload and execution), threats that were detected
during the file execution, and SNORT or Suricata rules that were triggered during analysis of traffic from the
executed object.
|
—
|
|
Download URLs
|
Information about the specified web address and web addresses to which the file
redirected during the downloading process.
|
This section is available only for files that were downloaded from a web address.
|
|
Files
|
Information about files that were extracted from network traffic or saved by the
executed file during the execution.
|
This section is included to the export file, if there is at least one extracted or
saved file was detected.
Each extracted or saved file is described in a separate subsection within this
section.
|
|
PE images
|
Information about loaded images that were detected during the file execution.
|
This section is included to the export file, if there is at least one PE image
detected.
Each loaded PE image is described in a separate subsection within this section.
|
|
Synchronization objects
|
Information about synchronization object registered during the file execution.
|
This section is included to the export file, if there is at least one synchronization
object registered.
Each synchronization object is described in a separate subsection within this
section.
|
|
Similarity
|
Information about files that are similar to the analyzed object.
|
—
|
Page top
[Topic ExportingSpecificExecutionResults]
Exporting specific execution results
The following procedure tells you how to export file execution results from a separate data
group.
To export object execution results from a selected data group:
- On the Threat Analysis () page of Kaspersky Threat Intelligence Portal, in the History
table, click the View details → Sandbox /
Attribution / Similarity in the raw that
contains a file execution result that you want to export.
- Click the Download data button next to the table that
contains data that you want to export. The button is available only if the table contains at least one item.
Kaspersky Threat Intelligence Portal exports up to 10,000 items from a data group.
The file containing execution results from the data group will be saved.
Default file names are represented in the table below. You can change the file name if
necessary.
Default file names
|
|
|
Table name
|
Default downloaded file name
|
|
Results
tab
|
|
Detection names
|
<executed file MD5>.detection-names.json
|
|
Triggered network rules
|
<executed file MD5>.triggered-network-rules.json
|
|
Download responses
Available only for files that were downloaded from a web address.
|
<executed file MD5>.download-responses.zip
|
|
Suspicious activities
|
<executed file MD5>.suspicious-activities.json
|
|
Screenshots ()
|
<executed file MD5>.screenshots.zip
|
|
System activities tab
|
|
Loaded PE Images
|
<executed file MD5>.loaded-pe-images.json
|
|
File operations
|
<executed file MD5>.file-operations.json
|
|
Registry operations
|
<executed file MD5>.registry-operations.json
|
|
Process operations
|
<executed file MD5>.process-operations.json
|
|
Synchronize operations
|
<executed file MD5>.synchronize-operations.json
|
|
Extracted files
tab
|
|
Transferred files
|
<executed file MD5>.downloaded-files.json
|
|
Dropped files
|
<executed file MD5>.dropped-files.json
|
|
Network activities tab
|
|
HTTP(S) requests
DNS requests
|
<executed file MD5>.network-traffic.zip (contains only network.pcap file)
|
|
Similarity
page
|
|
Similarity
|
<executed file MD5>_similarity.json
|
Page top
[Topic BrowsingURL]
Browsing a web address
This section describes the emulation of a web address opening in Kaspersky Sandbox.
Analysis results are displayed in the History table on the
Threat Analysis () page. When you
click on the item in the History table, a brief information about the analyzed
web address is displayed.
Brief information about analyzed web address
|
Parameter
|
Description
|
|
Emulation environment
|
Operating system that was used as a browsing environment.
|
|
Emulation time (sec)
|
Web address browsing time in seconds.
|
|
Internet access options
|
Region or individual country of a network channel specified by the user for the
executed object to use to access the internet.
|
|
Decrypt HTTPS
|
Specifies whether HTTPS traffic generated by the executed object was decrypted.
|
Page top
[Topic StartingURLbrowse]
Starting web address browsing
Kaspersky Threat Intelligence Portal allows you to emulate browsing of a web address in a safe
Kaspersky Sandbox environment.
To browse a web address in Kaspersky Sandbox:
- On the Threat Analysis () → Browse URL page, enter the required web address in the URL field.
- If necessary, click Advanced options to specify advanced
settings in the opened side-bar:
- In the Emulation environment drop-down list, select
the operating system that you want to use as an execution environment.
Available
values:
- Microsoft Windows 7 x86
- Microsoft Windows 7 x64
- Microsoft Windows 10 x64
Microsoft Windows 10 x64 is selected by default.
- In the Emulation time (sec) field, specify the
execution time (in seconds) by using the slider.
You can specify the execution time,
from 30 to 500 seconds. The default value is 100 seconds.
The web address will only be browsed in the selected environment during the
specified execution time. The specified time does not include the time required for analysis and
displaying results.
- In the Internet access options drop-down list, you
can specify the region for a network channel that the web address uses to access the internet.
Available values:
- Auto—The internet channel belongs to any
region and does not direct traffic through the TOR network. If no region is available, the Tarpit value is selected.
- Tor—The internet channel that does not
belong to any region and directs traffic through the TOR network.
- Tarpit—The access to the internet is
emulated. This option is used when internet is not available or the analyzed object should not have
access to the internet.
- Countries and regions. The list of channels for countries is not fixed, and can be
modified.
The Auto item is selected by default. For more
details about channels, refer to Internet channel values.
The list of available regions can contain individual countries through which
the executed file can access the internet.
- Select the Decrypt HTTPS check box, if you want to
decrypt HTTPS traffic that is generated during web address browsing.
The check box
is selected by default.
Disabling HTTPS traffic decryption may reduce the probability of malware
detection. This functionality allows you to obtain artifacts with information about the object interaction
via HTTPS during the task execution. We recommend disabling HTTP traffic decryption only if you are sure
that it for some reason will interfere with a certain object analysis.
- Click the Start analysis button to start emulating the
web address opening process.
An entry describing results appears in the History table. You can start to analyze results when the process finishes and
the Execution state field is Completed.
- If necessary, click the rescan button () to browse the
web address again, and repeat steps 2–5 of this procedure. For archived tasks (the History → Archived tab), rescan is not
available. You have to specify the web address and start analysis again.
If the
previously specified internet channel is no longer available, the Auto item
is selected by default.
If the web address is opened again later, results may differ from those shown in
the History table for the same web address because Kaspersky expert systems
update information about objects in real time. Results depend on the threat landscape.
Up to 1000 of the latest file executions and web address analysis results for a user are
stored. When the maximum number of stored results is reached, the oldest results are assigned Archived status. For archived tasks, you can only view or delete a brief summary.
For more details about archived tasks, refer to the About archived (discarded) tasks section.
Page top
[Topic SandboxReportPageURL]
Report page for web addresses
On the Sandbox page, the web address analysis results are
displayed. The zone of the web address's status (Dangerous, Adware and other, Good, or Not categorized) is displayed under the web address.
The analysis results are displayed in separate sections (tables). Each table contains up to 10
entries.
The Sandbox page contains the following sections:
- Summary
Graphically presented (icons) statistical information, task details, information about
certificate, categories of the requested web address, and links to the related APT Intelligence reports and
Crimeware Threat Intelligence reports.
- Detection names
Detected items that were registered during the web address analysis.
- Triggered network rules
SNORT and Suricata rules that were triggered during the web address traffic analysis.
- Connected hosts
IP addresses that were accessed in all HTTP(S) requests after the FQDN resolved.
- WHOIS
WHOIS information about domain for the analyzed web address.
- HTTP(S) requests
HTTP/HTTPS requests that were registered during the web address analysis.
- DNS requests
DNS requests that were registered during the web address analysis.
- Screenshots ()
Set of screenshots that were taken during the web address analysis.
In the History table, your local task creation time is displayed. In
reports, date and time are displayed in Coordinated Universal Time (UTC) format.
You can click the Download data button located by each section
(except the Summary section) to export data from
the section. The button is available if the section contains data.
Page top
[Topic SummarySectionURL]
Summary section
The Summary section represents general information about web
address analysis results.
The following charts are displayed:
- Detects
The total number of threats that were detected during the web address browsing, and the
proportion of threats with Malware (red) and Adware and other (yellow) statuses.
The name of the chart is clickable—you can click Detects to navigate to the Detection names
table on the Results tab.
- Suspicious activities
The total number of suspicious activities that were registered during the web address
browsing, and the proportion of activities with High (red), Medium (yellow), and Low (gray) levels.
The name of the circle chart is clickable—you can click Suspicious activities to navigate to the Suspicious
activities table on the Results tab.
- Extracted files
The total number of files that were downloaded or dropped by the file during the web
address browsing, and the proportion of files with the status of Malware
(extracted files that can be classified as malicious, in red), Adware and
other (extracted files that can be classified as Not-a-virus, in
yellow), Clean (extracted files that can be classified as not malicious, in
green), and Not categorized (no or not enough information about the
extracted files is available to define the category, in gray).
The name of the chart is clickable—you can click Extracted files to navigate to the Extracted files
tab.
- Network activities
The total number of registered network interactions that the file performed during the
web address browsing, and the proportion of network interactions with the status of Dangerous (requests to resources with the Dangerous status, in red), Adware and
other (requests to resources with the Adware and other status, in
yellow), Good (requests to resources with the Good status, in green), and – (requests to resources with the Not categorized status, in gray).
The name of the circle chart is clickable—you can click Network activities to navigate to the Network
activities tab.
The number of detected files or activities with specific status is displayed below each chart.
Small values are displayed out of proportion. For better viewing, small values are displayed as 1% of the entire
circle chart.
You can download results of the web address browsing as an archive by clicking the Export all results button.
Web address information
The following general information about an analyzed web address is displayed:
Web address information
|
Field name
|
Description
|
Comments
|
|
Host
|
Part of the analyzed web address that indicates the host.
Available values:
- Fully qualified domain name (FQDN).
- IP address in dot-decimal notation.
|
Item is clickable and takes you to the Threat
Lookup page, where you can search for information about the domain or IP address.
|
|
Browsing environment
|
Operating system that was used as an emulation environment.
|
—
|
|
Browsing time
|
Web address emulation time in seconds.
|
—
|
|
HTTPS decryption
|
Boolean parameter that specifies whether HTTPS traffic generated by the executed
object was decrypted.
|
—
|
|
Internet access options
|
Region (or individual country) of a network channel specified by the user for the web
address to use to access the internet.
|
—
|
|
Database update
|
Date and time when the anti-virus databases were updated.
|
—
|
Categories
Categories of the
analyzed web address. Category labels are marked with a color of the zone, to which the category belongs
(red, orange, yellow, or gray). If the web address does not belong to any of defined categories, the - category is displayed. Category labels are not clickable.
Page top
[Topic SandboxDetectionNames]
Sandbox detection names section
Kaspersky Threat Intelligence Portal provides information about detected items that were
registered during the web address analysis.
Sandbox detection names section
|
Field name
|
Description
|
Comments
|
|
Status
|
Danger zone (level) to which the threat refers (High, Medium, Low, Info).
|
Items in the table are sorted in the Status field
from High to Info status.
|
|
Name
|
Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Each item in the list is
clickable—you can click it to view its description at Kaspersky threats website.
|
—
|
Page top
[Topic TriggeredNetworkRules]
Triggered network rules section
Kaspersky Threat Intelligence Portal provides information about SNORT and Suricata rules that
were triggered during the web address traffic analysis.
Triggered network rules section
|
Field name
|
Description
|
Comments
|
|
Status
|
Danger zone (level) of the network traffic detected by the SNORT or Suricata rule (High, Medium, Low, Info).
|
Items in the table are sorted in the Status field
from High to Info status.
|
|
Rule
|
SNORT or Suricata rule name.
|
—
|
Page top
[Topic Hosts]
Connected hosts section
Kaspersky Threat Intelligence Portal provides information about IP addresses that were accessed
in all HTTP(S) requests after the FQDN resolved.
Hosts section
|
Field name
|
Description
|
Comments
|
|
Status
|
Status (danger level) of IP addresses that the domain for the requested web address resolved to
(Dangerous, Not trusted, Not categorized, Good).
|
Items in the table are grouped by status (1—Dangerous, 2—Not trusted,
3—Not categorized, 4—Good).
|
|
IP
|
IP address to which a domain from the Resolved from
domain column in this table resolved.
|
The flag of the country that the IP address belongs to is displayed. When you hover
your mouse over a flag, a tooltip with the country name appears.
Items are clickable and take you to the Threat
Lookup page, where you can search for information about the IP address.
|
|
ASN
|
Autonomous system number according to RFC 1771 and RFC 4893.
|
—
|
|
Hits
|
Number of IP address detections by Kaspersky expert systems.
|
—
|
|
Resolved from domain
|
Fully qualified domain name (FQDN) that resolved to the IP address from the IP column in this table.
|
Items are clickable and take you to the Threat
Lookup page, where you can search for information about the domain.
|
Page top
[Topic WHOISsectionURL]
WHOIS section
Kaspersky Threat Intelligence Portal provides WHOIS information about host of the analyzed web
address.
Host indicated by IP address
WHOIS section for IP address as a host
|
Table field
|
Description
|
|
IP range
|
Range of IP addresses in the network that the requested host belongs to. Also, the
flag of the country the network of the IP address belongs is displayed. When you hover your mouse over a
flag, a tooltip with the country name appears.
|
|
Net name
|
Name of the network that the IP address belongs to.
|
|
Net description
|
Description of the network that the IP address belongs to.
|
|
Created
|
Date when the IP address was registered.
|
|
Changed
|
Date when information about the IP address was last updated.
|
|
AS description
|
Autonomous system description.
|
|
ASN
|
Autonomous system number according to RFC 1771 and RFC 4893.
|
|
Contact
|
Section containing the contact (organization or person) name, role, address, phones /
faxes, and emails.
|
Host indicated by FQDN
WHOIS section for FQDN as a host
|
Field name
|
Description
|
|
Domain name
|
Name of the domain for the analyzed web address.
|
|
Domain status
|
Status of the domain for the analyzed web address.
|
|
Created
|
Date when the domain for the analyzed web address was registered.
|
|
Updated
|
Date when the registration information about the domain for the analyzed web address
was last updated.
|
|
Paid until
|
Expiration date of the prepaid domain registration term.
|
|
Registrar info
|
Name of the registrar of the domain for the analyzed web address.
|
|
IANA ID
|
IANA ID of the domain registrar.
|
|
Email
|
Email of the domain registrar.
|
|
Name servers
|
List of name servers of the domain for the analyzed web address.
|
|
Contact
|
Section containing the contact (organization or person) name, role, address, phones /
faxes, and emails.
|
Page top
[Topic HTTPrequests]
HTTP(S) requests section
Kaspersky Threat Intelligence Portal provides information about HTTP and HTTP over TLS (HTTPS)
requests that were registered when browsing the web address.
HTTP requests section
|
Table fields
|
Description
|
|
Status
|
Status of a web address in the HTTP(S) request. The web address can be assigned one of
the following statuses:
Dangerous (there are malicious objects related to
the web address).
Not trusted (categorized as Infected or Not trusted).
Adware and other (there are objects related to the
web address, which can be classified as Not-a-virus).
Good (the web address is not malicious).
Not categorized (no or not enough information
about the web address is available to define the category).
|
|
Scheme
|
Web address scheme that identifies the protocol which was used (HTTP or HTTPS).
|
|
URL
|
Web address to which the request was registered.
|
|
IP
|
IP address that indicates the host. The corresponding flag and the status of the IP
address are also displayed.
|
|
Request
|
HTTP(S) request details:
Method—Method of sending an HTTP request. The
HTTP method can be one of the following: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, or PATCH.
Scheme—Web address scheme that identifies the
protocol which was used (HTTP or HTTPS).
Request body—MD5 hash of a file in the
HTTP(S) request. Item is clickable, and navigates to hash investigation results on the Threat Lookup results page.
Status—Status of a file in the
HTTP(S) request.
Detection names—Names of the detected objects (for
example, HEUR:Exploit.Script.Blocker).
Size—Size of a file in the HTTP(S) request in
bytes.
Type—Content type of the HTTP(S) request.
File type—File type in the HTTP(S) request,
which was detected by Kaspersky expert systems.
Request headers—Additional fields displayed
as key:value. Standard header names are based on the RFC2616 Hypertext
Transfer Protocol -- HTTP/1.1. Custom headers (for example, x-ms-request-id) are highlighted in blue.
|
|
Response
|
Response details:
Code—Response code for the HTTP(S) request.
Response body—MD5 hash of a file in the
HTTP(S) response. The item is clickable and navigates to the hash investigation results on the Threat Lookup results page.
Status—Status of a file in the
HTTP(S) response.
Detection names—Names of the detected objects (for
example, HEUR:Exploit.Script.Blocker).
Size—Size of a file in the HTTP(S) response
in bytes.
Type—Content type of the HTTP(S) response.
File type—File type in the HTTP(S) response,
which was detected by Kaspersky expert systems.
Response headers—Additional fields displayed
as key:value. Standard header names are based on the RFC2616 Hypertext
Transfer Protocol - HTTP/1.1. Custom headers (for example, x-ms-request-id) are highlighted in blue.
|
Page top
[Topic DNSrequests]
DNS requests section
Kaspersky Threat Intelligence Portal provides information about DNS requests that were
registered when browsing the web address.
DNS requests
|
Table field
|
Description
|
|
Status
|
Status of an object in DNS request.
|
|
Type
|
DNS request type.
|
|
Response
|
Contents of the DNS response.
For A, CNAME, PTR, MX, and NS types of DNS requests, items in this column are
clickable and navigate to investigation results on the Threat Lookup
results page. If you requested this object during the past 24 hours, the Threat Lookup quota for your group
is not decreased.
Investigation results for certain web addresses may be unavailable on the Threat Lookup results page.
|
Page top
[Topic Screenshots]
Screenshots section
Set of screenshots that were taken when browsing the web address. Screenshots are available as a
gallery with preview images, and as full size images.
You can view screenshots online, or you can download all of them as an archive.
Page top
[Topic ExportingUrlBrowsingResults]
Exporting browsing results
Kaspersky Threat Intelligence Portal enables you to export web address browsing results for
further analysis.
You can export the following data:
Page top
[Topic ExportingAllUrlResults]
Exporting all browsing results
The following procedure tells you how to export all web address browsing results.
To export all web address browsing results:
- On the Sandbox page of Kaspersky Threat Intelligence
Portal, do one of the following:
- In the History table, click the download button
() in the section that contains a web address browsing results that
you want to export.
- In the History table, click the View details → Sandbox in the section that
contains a web address browsing results that you want to export, and then in the opened page click the Export all results button.
- In the drop-down list, select the file format that you want to export investigation
results to:
- CSV archive (.zip).
- JSON archive (.zip).
- PCAP (.pcap)—archive (.zip) containing JSON
files and the network.pcap file.
- STIX (.stix).
- Debug report (.zip), if it is available. Debug
report is provided as a password-protected .zip archive. Use the password infected to unpack the archive.
The file with results for the browsed web address will be saved. Preparing a file with all
investigation results for download may take several minutes.
Page top
[Topic ExportingBrowsingResultsCSV]
Exporting browsing results to a CSV archive
If you select the CSV archive (.zip) option when exporting all
execution results, Kaspersky Threat Intelligence Portal saves web address browsing results as a .zip
archive. The .zip archive contains files in comma-separated values (CSV) format, with commas used as field
separators. Up to 10,000 entries can be exported to most files, with the exception of the
url-and-analysis-properties.csv file, which contains only one entry.
Information about network traffic is exported to a network.pcap file.
Screenshots are exported as a folder.
By default, the format of the archive name is as follows: <web address MD5>-csv.zip. You
can change the archive name if necessary.
Each .zip archive contains the files described in the table below. The first string in all files
contains column names.
CSV archive contents
|
File name
|
Description
|
Column name
|
|
url-and-analysis-properties.csv
|
Information about web address browsing parameters.
The file contains only one entry.
|
Created—Date and time when the web
address browsing started (for example, 2018-01-17T15:30:16.077Z).
Analyzed—Date and time when the browsing
results analysis completed (for example, 2018-01-17T15:39:02.673Z).
AvBasesVersion—Date and time when
anti-virus databases were updated (for example, 2018-01-17T18:36:00Z).
Zone—Zone of the web address (for
example, Red).
Status—Status of the web address (for
example, Malware).
State—Browsing task state (for example,
completed).
ErrorCode—Task error description. If the
task completed successfully, an empty string is returned.
Url—Web address that was browsed in
Kaspersky Sandbox (for example, http://example.com/path/to/page.html).
HasApt—Shows whether the file is related
to an advanced persistent threat (APT) attack.
|
|
categories.csv
|
Information about browsed and redirected web addresses categories.
|
Zone—Zone of the web address (for
example, Green).
Category—Name of a category to which the
web address belongs (for example, CATEGORY_SOCIAL_NETS).
|
|
publications.csv
|
Information about Crimeware Threat Intelligence and/or APT Intelligence reports to
which the analyzed web address is related.
|
Id—ID of a Crimeware Threat Intelligence
and/or APT Intelligence report (for example, 216456).
Name—Name of a Crimeware Threat
Intelligence and/or APT Intelligence report (for example, Sofacy - New AZZY
backdoor).
|
|
detection-names.csv
|
Information about threats that were detected during the web address emulation.
|
Zone—Danger zone to which the object
refers (for example, Malware).
Threat—Name of the detected object (for
example, HEUR:Exploit.Script.Blocker).
|
|
hosts-ips.csv
|
Information about IP addresses that were accessed in all HTTP(S) requests after the
FQDN resolved.
|
Zone—Zone of the IP address (for
example, Green).
Ip—IP address to which FQDN resolved.
IpStatus—Status of a country's region
detection (Reserved, Known, NoInfo).
IpCountryCode—Two-letter country code (ISO
3166-1 alpha-2 standard) of a country to which the IP address belongs. For reserved and not defined IP
addresses, the NULL value is exported.
ASN—Autonomous system number according to
RFC 1771 and RFC 4893.
Hits—Number of times when the IP address
was detected by Kaspersky expert systems.
Domain—Fully qualified domain name (FQDN)
that resolved to the IP address.
|
|
WHOIS-ips.csv
|
WHOIS information about host of the analyzed web address.
|
For IP addresses:
ASN—Autonomous system number according to
RFC 1771 and RFC 4893.
Net—Array of descriptions of the networks
that the IP address belongs to.
Contacts—Contacts that are registered for
the IP address.
For FQDN:
DomainName—Name of the domain for the
analyzed web address.
Created—Date and time when the domain for
the analyzed web address was registered.
Updated—Date and time when registration
information about the domain for the analyzed web address was last updated.
Expires—Date when the domain expires.
NameServers—Name servers of the domain
for the analyzed web address.
Contacts—Contact that are registered for
the IP address.
Registrar—Name of the registrar of the
domain for the analyzed web address.
DomainStatus—Status of the domain for the
analyzed web address (for example, clientTransferProhibited).
RegistrationOrganization—Name of the
registration organization.
|
|
triggered-network-rules.csv
|
Information about SNORT and Suricata rules that were triggered during analysis of
traffic from the web address.
|
Zone—Danger zone (level) of the network
traffic detected by the SNORT or Suricata rule (for example, High).
RuleName—SNORT or Suricata rule name (for
example, Trojan.Agent.HTTP.C&C).
|
|
screens (folder)
|
Set of screenshots (PNG images) that were taken during the web address browsing.
|
—
|
|
network.pcap
|
Information about activities that were registered during the web address browsing.
|
—
|
Page top
[Topic ExportingBrowsingResultsJSON]
Exporting browsing results to a JSON archive
If you select the JSON archive (.zip) option when exporting all
execution results, Kaspersky Threat Intelligence Portal saves web address browsing results as a .zip
archive. The archive contains .json files. Files can contain up to 10,000 JSON objects, except for the
url-and-analysis-properties.json file. This file contains only one JSON object.
Information about network traffic is exported to a network.pcap file.
Screenshots are exported as a folder.
By default, the format of the archive name is as follows: <web address>.zip. You can
change the archive name if necessary.
Each .zip archive contains files described in the table below. The first string in all files
contains column names.
JSON archive contents
|
File name
|
Description
|
Column name
|
|
url-and-analysis-properties.json
|
Information about web address browsing parameters.
The file contains only one entry.
|
Created—Date and time when the web
address browsing started (for example, 2018-01-17T15:30:16.077Z).
Analyzed—Date and time when the browsing
results analysis completed (for example, 2018-01-17T15:39:02.673Z).
AvBasesVersion—Date and time when
anti-virus databases were updated (for example, 2018-01-17T18:36:00Z).
Zone—Zone of the web address (for
example, Red).
Status—Status of the web address (for
example, Malware).
State—Browsing task state (for example,
completed).
ErrorCode—Task error description. If the
task completed successfully, an empty string is returned.
Url—Web address that was browsed in
Kaspersky Sandbox (for example, http://example.com/path/to/page.html).
HasApt—Shows whether the file is related
to an advanced persistent threat (APT) attack.
|
|
categories.json
|
Information about browsed and redirected web addresses categories.
|
Zone—Zone of the web address (for
example, Green).
Category—Name of a category to which the
web address belongs (for example, CATEGORY_SOCIAL_NETS).
|
|
dns-requests.json
|
Information about DNS requests that were registered when browsing the web address.
|
Status—Status of an object in DNS
request.
Type—DNS request type.
Response—Contents of the DNS response.
|
|
publications.json
|
Information about Crimeware Threat Intelligence and/or APT Intelligence reports to
which the analyzed web address is related.
|
Id—ID of a Crimeware Threat Intelligence
and/or APT Intelligence report (for example, 216456).
Name—Name of a Crimeware Threat
Intelligence and/or APT Intelligence report (for example, Sofacy - New AZZY
backdoor).
|
|
detection-names.json
|
Information about threats that were detected during the web address emulation.
|
Zone—Danger zone to which the object
refers (for example, Malware).
Threat—Name of the detected object (for
example, HEUR:Exploit.Script.Blocker).
|
|
hosts-ips.json
|
Information about IP addresses that were accessed in all HTTP(S) requests after the
FQDN resolved.
|
Zone—Zone of the IP address (for
example, Green).
Ip—IP address to which FQDN resolved.
IpStatus—Status of a country's region
detection (Reserved, Known, NoInfo).
IpCountryCode—Two-letter country code (ISO
3166-1 alpha-2 standard) of a country to which the IP address belongs. For reserved and not defined IP
addresses, the NULL value is exported.
ASN—Autonomous system number according to
RFC 1771 and RFC 4893.
Hits—Number of times when the IP address
was detected by Kaspersky expert systems.
Domain—Fully qualified domain name (FQDN)
that resolved to the IP address.
|
|
http-requests.json
|
Information about HTTPS requests that were registered during the file execution.
|
Status—Status of a web address in the
HTTP(S) request.
Scheme—Web address scheme that identifies
the protocol which was used (HTTP or HTTPS).
URL—Web address to which the request was
registered.
IP—IP address that indicates the host.
The corresponding flag and the status of the IP address are also displayed.
Request—HTTP(S) request details.
Response—Response details.
|
|
WHOIS-ip.json
|
WHOIS information about host of the analyzed web address.
This file is available for IP address as a host.
|
ASN—Autonomous system number according to
RFC 1771 and RFC 4893.
Net—Array of descriptions of the networks
that the IP address belongs to.
RangeStart—Start IP address in the
network that the host IP address belongs to.
RangeEnd—End IP address in the network
that the host IP address belongs to.
Changed—Date when information about the
network was last updated.
Name—Name of the network that the host
IP address belongs to.
Description—Description of the network
that the host IP address belongs to.
Contacts—Contacts that are registered for
the IP address.
Address—Postal address that is
registered for the IP address (array of strings).
Name—Name of an organization or a person
to whom the a network is registered.
ContactType—Type of a contact
(organization or person).
ContactRole—Role of a contact (for
example, owner).
Phone—Phone number of a contact.
Email—Email address of a contact.
|
|
WHOIS-domain.json
|
WHOIS information about host of the analyzed web address.
This file is available for FQDN as a host.
|
DomainName—Name of the domain for the
analyzed web address.
Created—Date and time when the domain for
the analyzed web address was registered.
Updated—Date and time when registration
information about the domain for the analyzed web address was last updated.
Expires—Date when the domain expires.
NameServers—Name servers of the domain
for the analyzed web address.
Contacts—Contact that are registered for
the IP address.
Registrar—Name of the registrar of the
domain for the analyzed web address.
DomainStatus—Status of the domain for the
analyzed web address (for example, clientTransferProhibited).
RegistrationOrganization—Name of the
registration organization.
|
|
triggered-network-rules.json
|
Information about SNORT and Suricata rules that were triggered during analysis of
traffic from the web address.
|
Zone—Danger zone (level) of the network
traffic detected by the SNORT or Suricata rule (for example, High).
RuleName—SNORT or Suricata rule name (for
example, Trojan.Agent.HTTP.C&C).
|
|
screens (folder)
|
Set of screenshots (PNG images) that were taken during the web address browsing.
|
—
|
|
network.pcap
|
Information about activities that were registered during the web address browsing.
|
—
|
Page top
[Topic ExportingBrowsingResultsSTIX]
Exporting browsing results to STIX
If you select the STIX (.xml) option when exporting all web address
browsing results, Kaspersky Threat Intelligence Portal saves results as a file in STIX format.
By default, the format of the file name is as follows: <web address>.stix. You can change
the file name if necessary.
Each STIX file contains sections described in the table below.
STIX file sections
Page top
[Topic ExportingSpecificBrowsingResults]
Exporting specific browsing results
The following procedure tells you how to export web address browsing results from a separate
data group.
To export web address browsing results from a selected data group:
- On the Sandbox page of Kaspersky Threat Intelligence
Portal, in the History → Sandbox page, click
the View details link in the section that contains the web address browsing
result that you want to export.
- Click a link next to the table that contains data that you want to export. A link is
available only if a table contains at least one item.
Kaspersky Threat Intelligence
Portal exports up to 10,000 items from a data group.
The file containing execution results from the data group will be saved. Default file
names are represented in the table below. You can change the file name if necessary.
Default file names
Page top
[Topic AboutArchivedTasks]
About archived (discarded) tasks
Kaspersky Threat Intelligence Portal stores up to 1000 of the latest task results for a user.
When the maximum number of stored results is reached, Archived (previously Discarded) status is assigned to the oldest object analysis results. Archived
task results are displayed in the History → Archived table on the Threat Analysis () page.
For archived tasks, detailed results are not available. Instead, you only can view a brief
summary. Also, you can delete information about a specific task that has been archived, or all archived tasks,
from the Archived table.
To execute a file from an archived task, you have to start execution again. For uploaded files, you
need to upload the file again. Keep in mind that the oldest file execution result will acquire Archived status.
To delete archived tasks, do one of the following:
- To delete a specific archived task, on the Threat
Analysis page of Kaspersky Threat Intelligence Portal, in the History
→ Archived table, click the Delete link next
to the task you want to delete.
- To delete all archived tasks, on the Threat Analysis →
History → Archived page of Kaspersky Threat
Intelligence Portal, click the Delete all button.
Page top
[Topic TaskErrors]
Execution task errors
This section describes errors that may occur during an object execution.
Upload canceled
User canceled the object upload.
To execute the object, upload it again and make sure the upload process is complete.
Unpacking failed
Error occurred when unpacking the archive.
To execute the object, try to compress the object into a .zip archive again, or upload it
unpacked.
Incorrect password
Failed to unpack the archive because of incorrect password.
To execute the object, try to compress the object into a supported archive format again,
or upload it unpacked.
Invalid archive
Failed to identify the archive format.
To execute the object, try to compress the object into a supported archive format again,
or upload it unpacked.
Upload timeout
Failed to upload the object within the time limit (5 minutes).
To execute the object, upload the object using a faster network connection.
Processing timeout
Failed to process the object because Kaspersky Sandbox is busy.
Try to execute the file or browse the web address later. If the problem recurs, please
contact your dedicated Kaspersky Technical Account Manager.
Processing failed
Error occurred during the object execution.
Try to execute the object again later. If the problem reoccurs, please contact your
dedicated Kaspersky Technical Account Manager.
Object size exceeded
Failed to execute the object that exceeds a size limit.
To execute the object, make sure object size does not exceed 256 megabytes.
Sandbox overload
Kaspersky Sandbox is currently overloaded.
Try to execute the object again later. If the problem recurs, please contact your
dedicated Kaspersky Technical Account Manager.
Unknown file type
Failed to automatically detect the object type, the object was not executed.
If you know the object type, manually enter the object extension in the Change file name and extension to field in the Advanced
options section, and start the execution task.
For more detail about object types, refer to section Automatically detected file
types.
Selected internet channel is no longer available
The internet channel that you selected is no longer available.
Select another channel and start the task again. Your Kaspersky Sandbox quota will not be
decreased for the failed object execution.
For more details about channels, refer to Internet channel values.
Download failed
Failed to download the object from the specified web address, the object was not executed.
Make sure the web address is correct and the object size does not exceed 256 megabytes,
and then try again or specify another file to download.
Page top
[Topic AssetManagement]
Asset management
Kaspersky Threat Intelligence Portal allows you to customize assets—objects that contain information associated with your organization's
infrastructure. These are used by Kaspersky experts to monitor potential external vulnerabilities concerning your
organization and provide notifications about related threats.
You can specify assets with one of the following roles: assets used to include related threats in monitoring results, or assets used to exclude threats that are not relevant to your company from monitoring results.
For example, you can exclude the following information by adding assets:
Specifying assets with different roles allows you to narrow monitoring results.
You can only add assets related to your company for monitoring. Kaspersky Threat
Intelligence Portal does not provide information about threats related to other organizations. When validating
assets, Kaspersky experts check if the assets are related to your company.
In previous versions of Kaspersky Threat Intelligence Portal, this feature was called
"Changing organization's information". As before, users, depending on their license and access rights,
can view and change information about the organization, presented as asset sets. Now, the possibilities for
managing assets have been significantly expanded, and assets categories and statuses have been added for easier
management.
Assets can be specified using predefined categories. You can try adding assets for which the
predefined categories are not suitable, using a file. However, this case, it is not guaranteed that all
uncategorized assets will be added successfully.
Information displayed for each asset on the Digital Footprint
(
) → Asset management page is described in the table
below.
Asset parameters
|
Field
|
Description
|
|
Asset
|
Asset that is used during monitoring.
|
|
Category
|
Asset category.
Available values:
CIDR—Classless Inter-Domain Routing, a subnet
range.
Company/brand name—Your company or brand
name.
Domain—Domain or subdomain name.
IP (v4/v6)—IP address version 4 (IPv4) or
version 6 (IPv6).
Email—Email address. You can specify one
email address to include threats related to the whole organization domain.
Employee name—Organization's employee name.
IP range—Range of IP addresses.
Keywords—Any word or phrase uniquely related
to your company (for example product name, department name, conference name, brand, patent number, etc.).
IIN/BIN—IINs or BINs related to your bank
(six- or eight-digit code).
Account link—Link to an actual and legitimate
company account page on a social network (including accounts of top managers).
Mobile app link—Link to the actual and
legitimate page of the company mobile application (usually in mobile marketplaces).
See About asset categories for more information.
|
|
Status
|
Asset status.
Available values:
Pending validation—Asset is in process of
being validated by Kaspersky expert.
Confirmed—Asset is confirmed by Kaspersky
expert.
Rejected—Asset is rejected by Kaspersky
expert.
|
|
Role in monitoring
|
Indicator showing how the asset is used during monitoring.
Available values:
Include—Threats related to the asset are
included in monitoring results.
Exclude—Threats related to the asset are
excluded from monitoring results.
|
|
Status details
|
Comment on asset status. Available only for assets with Confirmed or Rejected status.
|
Page top
[Topic AssetCategories]
About asset categories
This section provides a description of asset categories and examples to help you create relevant
assets for your company.
Assets that you add must meet the following requirements common to all asset categories:
- If not determined by asset format and not explicitly specified in the table below, then
asset length must be 1–2000 characters.
- An asset cannot be empty or only consist of whitespace characters (spaces, tabs, etc.).
- Leading and trailing spaces are not allowed.
- An asset cannot contain non-printable characters (for example, line breaks).
Asset categories and examples are described in the table below.
Asset categories
|
Asset category in web interface
|
Description
|
Format
|
Examples
|
|
Domain
|
Domain names related to your company only.
As a result of processing domain assets, after the asset is validated, Kaspersky
Threat Intelligence Portal by default also adds subdomains and associated IP addresses to monitoring scope.
|
Domain format:
- Domain name without a scheme.
- Minimum four characters.
- Uppercase or lowercase Latin or Cyrillic letters, numbers, separators (dots,
dash and underscore characters).
- Must not start from a separator character.
- Must contain at least one dot character.
|
example.com
sub.example.org
*.example.com
|
|
IP (v4/v6)
|
IP addresses used in your company's external
network infrastructure.
You can specify IP address version 4 (IPv4) or version 6 (IPv6).
|
IPv4 format:
- String in dotted-decimal notation that consists of four decimal integers (from
0–255) separated by dots.
- Each integer is an octet (byte) in the address. Leading zeros are not allowed.
- IP address is not a private network address (RFC 1918).
IPv6 format:
- Numbers, uppercase or lowercase a-f letters, colons.
- Maximum of 39 characters.
|
IPv6:
2001:0db8:85a3:0000:0000:8a2e:0370:7334
|
|
CIDR
|
Subnet ranges (CIDR) registered to your organization or used by your external network infrastructure.
|
CIDR format:
- Separate fields for specifying IP address and range.
- IP address field must contain IP address version 4 (IPv4) or version 6 (IPv6),
see IP (v4/v6) description above.
- Range field must only contain numbers (maximum of three numbers).
|
IPv6:
ff06::c3/7
|
|
IP range
|
Ranges of IP addresses registered to your organization or used by your external network infrastructure.
|
IP range format:
- Separate fields for specifying start and end IP addresses.
- IP address field must contain IP address version 4 (IPv4) or version 6 (IPv6),
see IP (v4/v6) description above.
|
IPv6:
2001:db8::-2001:db9::
|
|
Email
|
Email addresses used by employees.
You can specify one email address to include threats related to the whole
organization domain.
|
Email address format:
- Total address length must be 6–254 symbols.
- Part before @: maximum of 64 symbols.
- Part after a dot: maximum of 63 symbols.
- Part between @ and a dot: maximum of 63 symbols.
- Uppercase or lowercase Latin letters, numbers, @, dots, _ ! # $ % & ' + - =
? ^ { | } ~).
- Only one separator @.
- Must not start with @ or a dot.
- At least one dot.
|
test@email.com
|
|
Company/brand name
|
Keyword or phrase referring to company, brand name or employees. An asset of this
type will be used to monitor relevant threats on the dark web.
Kaspersky analyst will add the specified words or phrases to monitoring scope to
exclude false positives as much as possible. In addition, you can manually search for keywords in the dark
web using Threat Lookup.
|
Name format:
- Maximum of 1000 characters.
- Local languages are allowed.
|
AO "Company"
companyname
Slogan
Corporate message
|
|
Employee name
|
Employee names.
Specified names will be used to monitor relevant threats on the dark web. Kaspersky
Threat Intelligence Portal monitors not the specified persons, but mentions of them in the context of
threats to the company. So we recommend to add for monitoring employees mentioned publicly, for example top
managers.
Kaspersky analyst will add the specified words or phrases to monitoring scope to
exclude false positives as much as possible. In addition, you can manually search for keywords in the dark
web using Threat Lookup.
Local languages are also allowed.
|
Name format:
- Maximum of 1000 characters.
- Local languages are allowed.
|
John Smith
|
|
Keywords
|
Any word or phrase uniquely related to your company, for example product name,
department name, conference name, brand, patent number, etc.
All entered words are interpreted as a single monitoring object, not separately.
|
Keywords format:
- String of 1–2000 characters.
- Local languages are allowed.
|
Company Annual Conference
Conference 2023
|
|
IIN/BIN
|
IINs or BINs related to your bank (six- or eight-digit code).
An asset of this type will be used to monitor information about leaked customer
cards.
|
IIN/BIN format:
- Only numbers are allowed.
- Length must be 6-8 characters.
|
546789
|
|
Legitimate social account links
|
Link to an actual and legitimate company account page on a social network (including
accounts of top managers).
|
Link format:
- Decoded link without a scheme or with HTTP/HTTPS schemes.
- Host name in the link can be validated as a domain or IPv4 (see descriptions in
this table above).
|
https://example.com/page-777107_28406709
|
|
Legitimate mobile app links
|
Link to the actual and legitimate page of the company's mobile application (usually
in mobile marketplaces).
|
Link format:
- Decoded link without a scheme or with HTTP/HTTPS schemes.
- Host name in the link can be validated as a domain or IPv4 (see descriptions in
this table above).
|
https://apps.example.com/ru/app/who-calls-caller-id/id1144206312?l=en
|
Page top
[Topic AddAssetManually]
Adding a new asset
Kaspersky Threat Intelligence Portal allows you to add a new asset using a form. You can also
add a set of assets using a file.
To add a new asset:
- On the Digital Footprint () → Asset management page, click the Add asset button.
The Add
asset side-bar opens.
- In the Category drop-down list, select an asset category.
- In the Asset field, enter an asset that you want to
monitor.
For CIDR and IP
range categories, specify a range of IP addresses in the network.
- If you want to exclude threats related to the defined asset from monitoring results,
select the Assign excluding role in monitoring check box.
By default, the asset is added to include related threats (including role). You can
select to exclude related threats for the asset if you do not want to receive notifications about them.
- Click the Submit for validation button to save the
asset.
The added asset is sent for validation and appears in the table on the Digital
Footprint → Asset management page with Pending validation status.
As soon as Kaspersky experts validate the asset, it is given Confirmed or Rejected status. Confirmed assets are
added to monitoring scope with the including or excluding role. Validation of each asset may take up to five
business days.
You can change asset role so that related threats are included or excluded from monitoring results,
or delete
unnecessary assets.
Page top
[Topic AddingAssetsFile]
Adding set of assets as file
Kaspersky Threat Intelligence Portal allows you to add a set of assets using a file. With this
method, you can add assets from different categories in one file or try adding assets for which the predefined
categories are not suitable. However, in this case, it is not guaranteed that all uncategorized assets will be
added successfully.
This method is available if it is allowed by your organization.
To add a set of assets as a file:
- On the Digital Footprint () → Asset management page, in the Submitted files with assets section (click to expand it if necessary), click the
Add files button.
The Submit file with assets side-bar opens.
- Click the Add file button or drag and drop the required
file to the drop zone to upload it.
The file size must not exceed 256 MB.
- When the required files are successfully uploaded, click the Submit for validation button.
As soon as Kaspersky experts validate the assets in the file, the assets appear in the All assets table on the Digital Footprint → Asset management page with Confirmed or Rejected status. Confirmed assets are added to monitoring scope. Validation of each
asset may take up to five business days.
Page top
[Topic ChangingResearchStatus]
Changing asset role
Kaspersky Threat Intelligence Portal allows you to change asset role for monitoring so that you
only receive notifications about threats that are relevant to your company. You can set asset role to include
related threats in monitoring results, or exclude non-relevant threats from monitoring results and not receive
notifications about them.
You can edit roles only for confirmed assets (Confirmed
status).
To change the role of an asset:
- On the Digital Footprint () → Asset management page, click the required asset in the Asset column.
The Edit
asset side-bar opens.
- Select or clear the Assign excluding role in monitoring
check box.
- Click the Submit for validation button to save the
asset.
The changed asset is displayed in the table on the Digital
Footprint → Asset management page with Pending validation status.
As soon as Kaspersky experts validate the changed asset, Confirmed status is granted. Confirmed assets are added to monitoring scope with the
including or excluding role. Validation of each asset may take up to five business days.
Page top
[Topic ValidatingAssets]
Validating assets
After you add a new asset or edit an existing asset, it is sent for validation to Kaspersky
experts. They check if the asset is specified correctly and is related to your company. Validation of each asset
may take up to five business days.
If Kaspersky experts approve the asset, it is given Confirmed
status and added for monitoring. For confirmed assets that contain domains, Kaspersky experts can also add
subdomains and associated IP addresses for monitoring.
If Kaspersky experts do not approve the asset, it is given Rejected status and not added for monitoring. Kaspersky experts may reject a
specified asset because of the following reasons:
- Asset is not related to your company.
- IP addresses or ranges used in internal networks, as well as local IP addresses and domain
names, are specified.
- Specified IP address is allocated to public DNS servers (for example, 1.1.1.1, 8.8.4.4,
8.8.8.8, etc.).
- Kaspersky expert believes that the asset was sent in error (for example, incorrect IP
address format was used).
Page top
[Topic DeletingAsset]
Deleting assets
Kaspersky Threat Intelligence Portal allows you to delete assets if necessary. You can delete
assets regardless of their validation status.
To delete assets:
- On the Digital Footprint () → Asset management page, select assets you want to delete.
- Click the Delete button.
- In the Delete selected assets window that opens, click
the Delete button to confirm deletion.
- If necessary, you can also delete a certain asset while editing its role:
- Click the Delete this asset button in the Edit asset side-bar.
- Confirm the deletion.
The deleted asset is removed from the table on the Digital
Footprint → Asset management page and is not considered during
monitoring.
Page top
[Topic AboutThreatNotifications]
About threat notifications
Kaspersky Threat Intelligence Portal provides notifications about detected threats and
vulnerabilities that may reduce the level of protection of your organization.
Threat notifications may include information about
compromised credentials, data leakages, vulnerable services on the network perimeter, insider threats, and many
other issues. To receive threat notifications, you must add assets first.
Threat notifications are displayed on the Threats tab of the
Digital Footprint () page. The Threats section represents the total number of detected threats and their danger
level (Critical, High, Medium, Low, Info).
For each threat, the following data is displayed:
- Date
Date and time when the threat was detected.
- Risk
Danger level of the detected threat (Critical, High, Medium, Low, Info).
- Category
Category of the threat, for example Vulnerability, Malware, Person, Leakage, Dark web, Ransomware activity, Web vulnerability, Defacement, Compromised resource.
Other threat categories may also appear.
- Object
Object associated with the detected threat (domain, IP address, keyword).
- Threat ID
Threat notification identifier. You can click the item to copy it or open a new tab for
a detailed
description.
- Threat description
Description of the threat and recommendations on how to mitigate associated risks. You
can expand or collapse the description and recommendations for better viewing.
- Tags
Tags associated with the threat: for example, threat name according to the Kaspersky
classification, Common Vulnerabilities and Exposures (CVE), or keywords.
- Additional information
Link to download additional information associated with the vulnerability provided as
an encrypted archive, if available. Use the password infected to unpack the
archive.
The archive may contain objects that could harm your device or data, if handled
improperly. By downloading, you agree that you are informed and accept full responsibility for the handling of
downloaded objects contained in the archive. You can only use the downloaded content to increase the level of
protection of your devices and systems.
The archive may contain the following:
- JSON file including metadata about an attack
- Screenshot in PNG format (optional)
- HTML page downloaded using a phishing web address (optional)
Page top
[Topic SearchingNotification]
Searching for a specific threat notification
This section tells you how to search for a specific threat notification.
To search for a specific threat notification:
- In the Search field on any Kaspersky Threat Intelligence
Portal page, enter one or several words that you want to search for in notifications and press Enter.
Kaspersky Threat Intelligence Portal performs a
full-text search and displays results on the Threat Lookup () → Digital Footprint page.
- If necessary, on the Threats tab of the Digital Footprint () page, use
filters () in the corresponding fields to refine displayed results:
- Date—Select a specific date or time interval
when a threat was detected, or use predefined filters Week or Month
- Risk—Select one or several threat risk levels
(Info, Critical, High, Medium, Low)
- Category—Select one or several threat
categories, for example Vulnerability, Malware, Person, Leakage, Dark web
- Object—Select one or several objects
associated with detected threats
- Tags—Select one or several tags associated
with threats
- If necessary, click the Download button () in the Additional information column to download
additional information associated with the vulnerability as an encrypted archive, if available. Use the password
infected to unpack the archive.
The archive may
contain objects that could harm your device or data, if handled improperly. By downloading, you agree that you
are informed and accept full responsibility for the handling of downloaded objects contained in the archive.
You can only use the downloaded content to increase the level of protection of your devices and systems.
Kaspersky Threat Intelligence Portal displays notifications for threats according to specified
search criteria.
Page top
[Topic ViewThreatDescription]
Viewing threat notification description
To view a threat notification detailed description:
- Open the Threats tab of the Digital Footprint () page.
- If necessary, use filters to search for a notification for a specific
threat notification.
- In the Threat ID column, click the required threat
notification ID and select View in new tab in the drop-down list.
The threat notification description opens in a new tab.
At the top of the page, Kaspersky Threat Intelligence Portal provides a description of the
threat. Below the description, Kaspersky Threat Intelligence Portal displays the following information about the
notification and the detected threat.
Threat notification details
|
Field
|
Description
|
|
Threat ID
|
Threat notification identifier.
|
|
Date
|
Date and time when the threat was detected.
|
|
Risk
|
Danger level of the detected threat (Critical, High, Medium, Low, Info).
|
|
Category
|
Category of the threat, for example vulnerability,
malware, person, leakage, dark web. Other
threat categories may also appear.
|
|
Object
|
Object associated with the detected threat (domain, IP address, keyword).
|
|
Recommendation
|
Recommendations on how to mitigate risks associated with the threat.
|
|
Tags
|
Tags associated with the threat: for example, threat name according to the Kaspersky
classification, Common Vulnerabilities and Exposures (CVE), or keywords.
|
|
Additional information
|
Link to download additional information associated with the vulnerability provided as
an encrypted archive, if available. Use the password infected to unpack
the archive.
The archive may contain objects that could harm your device or data, if handled
improperly. By downloading, you agree that you are informed and accept full responsibility for the handling
of downloaded objects contained in the archive. You can only use the downloaded content to increase the
level of protection of your devices and systems.
The archive may contain the following:
- JSON file including metadata about an attack.
- Screenshot in PNG format (optional).
- HTML page downloaded using a phishing web address (optional).
|
Page top
[Topic ExportingNotifications]
Exporting threat notifications
This section tells you how to export threat notifications.
To export threat notifications,
On the Threats tab of the Digital Footprint () page, click the Export results button.
After after applying filters, up to 10,000 threat notifications can be exported.
Kaspersky Threat Intelligence Portal saves results as a .zip archive. Each .zip archive
contains a file in the comma-separated values (CSV) format.
Page top
[Topic AboutDFIreports]
About Digital Footprint Intelligence reports
Kaspersky Threat Intelligence Portal provides threat intelligence reporting that is specific for
your organization.
Digital Footprint Intelligence reports are developed by using
open source intelligence (OSINT), deep analysis of Kaspersky's expert systems, and databases.
Digital Footprint Intelligence reports cover the following:
- Identification of threat vectors
Identification and status analysis of externally available critical components of your
network, including ATMs, video surveillance, and other systems using mobile technologies, employee social
network profiles and personal email accounts, which are potential targets for attack.
- Malware and cyberattack tracking analysis
Identification, monitoring, and analysis of any active or inactive malware samples
targeting your organization, any past or present botnet activity, and any suspicious network-based activity.
- Third-party attacks
Evidence of threats and botnet activity specifically targeting your customers,
partners, and subscribers, whose infected systems could then be used to attack your organization.
- Information leakage
Through discreet monitoring of underground online forums and communities, Kaspersky
experts discover whether hackers are discussing attack plans with your organization in mind or, for example,
if an unscrupulous employee is trading information.
- Current attack status
APT attacks can continue undetected for many years. If a current attack affecting your
organization's infrastructure is detected, Kaspersky experts provide advice on effective remediation.
For each Digital Footprint Intelligence report, Kaspersky Threat Intelligence Portal displays
the following information on the Reports tab of the Digital Footprint () page:
- Date
Date when the Digital Footprint Intelligence report was added.
- Name
Digital Footprint Intelligence report name. For each Digital Footprint Intelligence
report, a brief description is available.
- Time interval
Time interval for which the Digital Footprint Intelligence report was generated
(quarter, by default).
- Action
Action you can perform to a Digital Footprint Intelligence report (for example,
download).
Page top
[Topic SearchingDFIReports]
Searching for a specific Digital Footprint Intelligence report
This section tells you how to search for a specific Digital Footprint Intelligence report.
To search for a specific Digital Footprint Intelligence report:
- In the Search field on any Kaspersky Threat Intelligence
Portal page, enter one or several words that you want to search for in Digital Footprint Intelligence reports
and press Enter.
Kaspersky Threat Intelligence Portal
performs a full-text search and displays results on the Threat Lookup () → Digital Footprint → Reports page.
- If necessary, on the Reports tab of the Digital Footprint () page, use
filters () in the Date column—select a specific date
or time interval when a report was published, or use the predefined Week or
Month filters.
- Click the Download button to download the Digital
Footprint Intelligence report.
Page top
[Topic AboutDFNotifications]
About Digital Footprint notifications
Kaspersky Threat Intelligence Portal notifies you about new vulnerabilities and reports from
Kaspersky experts, through the web interface, and by email.
Notifications in the web interface
When a new vulnerability or report appears, Kaspersky Threat Intelligence Portal displays the
total amount of updates in the notification section of the Digital Footprint
() page. The number of new vulnerabilities and reports by going to the corresponding
tabs are displayed.
A notification is displayed for vulnerabilities or reports that appeared after your last visit
to the Digital Footprint page. Notifications are labeled as new for
vulnerabilities that appeared within the last seven days, and reports that appeared within the last 14 days.
Email notifications
Kaspersky Threat Intelligence Portal allows you to configure email
notifications about new vulnerabilities and reports.
Page top
[Topic MultitenancyMode]
Multitenancy mode
Kaspersky Threat Intelligence Portal supports a multi-tenant architecture that allows you to
provide multiple clients with isolated access to Kaspersky TIP services.
Multitenancy mode is intended for clients of AO Kaspersky Lab (for example, Managed Security
Service Providers (MSSP) or enterprise companies) who want to monitor information security in several local
offices from headquarters.
Tenants are clients of a Kaspersky partner who purchased the
multitenancy feature:
- Tenants work with Kaspersky Threat Intelligence Portal independently under a license
purchased by the Kaspersky partner.
- Each tenant has its own independent service quotas.
- Tenants do not have access to each other's data.
Isolated access to Kaspersky Threat Intelligence Portal for tenants is achieved by providing a
separate user group for each tenant.
An administrator of a group for which multitenancy mode is enabled, can add tenant groups and
switch between them.
A tenant manager is a member of a group for which
multitenancy mode is enabled. Tenant manager, can perform the following:
- View the list of tenants in the managed group.
- Switch between tenants in the managed group.
- Manage personal API tokens for accessing tenant data via API.
- View information about licenses and quotas for tenants.
- Accept Terms and Conditions for services.
After you sign in to Kaspersky Threat Intelligence Portal to a group with enabled multitenancy
mode, the Digital Footprint () → Tenant Center page becomes available. The Switch
tenant option appears in the main menu in the upper-left corner of the page. By default, General is selected.
In the account menu, accessed by clicking the user icon () in the
lower-left corner of the page, the following links appear:
- Licenses → Tenant
takes you to the Tenant licenses page, where you can view current and
available for purchasing licenses.
- Access control → Tenants takes you to the Tenants tab of the
Access control page, where you can manage tenants and personal
API
tokens for accessing tenant data via API.
Page top
[Topic TenantCenter]
Tenant center
The Digital Footprint () → Tenant Center page displays information about all tenant groups in an MSSP group.
This dashboard is available when a tenant manager is working in the General
group, and there is at least one tenant group associated with the current tenant manager's MSSP group.
You can filter the displayed tenant information for a specific time period by using the date
pickers (calendar) or predefined filters (Day, Week, Month or Year). Selecting All time displays all available
results (selected by default).
The Threats section displays the total number of threat
notifications and their distribution by risk level (Critical, High, Medium, Low, Info) for all tenant groups for the
selected period.
The Assets section displays the total number of assets and
their distribution by verification status (Confirmed, Pending validation, Rejected) for all tenant
groups. Information on the number of assets does not depend on the specified period.
The list of tenant groups contains the following information:
- Name—Tenant group name. Clicking the name takes
you to the Digital
Footprint dashboard for the corresponding tenant group.
- Threats—Total number of threat notifications for
the tenant group. You can sort the list of tenant groups by the total number of threat notifications in
ascending or descending order. If the tenants have the same number of Critical threat notifications, the list will be sorted by other risk levels in
the following order: High, Medium, Low, Info (by default, in descending order).
Clicking the threat notification number takes you to the Threats
page for the corresponding tenant group.
- Threat details—Threat notification distribution by
risk level for the tenant group. You can sort the list of tenant groups by the number of Critical threat notifications in ascending or descending order.
- Assets—Total number of assets for the tenant
group. You can sort the list of tenant groups by the total number of assets in ascending or descending order. If
the tenants have the same number of Confirmed assets, the list will be sorted
by other verification status in the following order: Pending validation, and
then Rejected (by default, in descending order). Clicking the asset number
takes you to the Asset management page for the corresponding tenant group.
- Asset details—Asset distribution by verification
status for the tenant group. You can sort the list of tenant groups by the number of Confirmed assets in ascending or descending order.
If necessary, in the search field, you can search tenant groups by name.
Page top
[Topic TenantManagement]
Tenant management
To create a tenant:
- Click the user icon () in the lower-left corner of the page and
select Access control → Tenants.
The Tenants tab of the Access control page opens.
- Click the Add tenant button.
- Enter a tenant name.
The name must have a length of 2 to 64
characters and must not start or end with a space. It may contain uppercase or lowercase Latin letters,
numbers, underscore characters, dashes, spaces, and dots.
- If necessary, enter a tenant description.
The description length
must not exceed 2048 characters.
- Click Save.
Tenant is added. You can switch to this tenant in the main menu or on the Access control → Tenants tab by clicking the
required tenant. Also, you can manage user accounts for your tenant.
To edit a tenant:
- Click the user icon () in the lower-left corner of the page and
select Access control → Tenants.
The Tenants tab of the Access control page opens.
- Click the pen icon in the Actions column.
The Edit tenant side-bar opens.
- Edit a tenant description.
The description length must not exceed
2048 characters.
- If necessary, change the API token expiration date in the calendar.
- Click Save.
Page top
[Topic ViewinglicensesforTrenants]
Viewing licenses for tenant groups
You can view current and available for purchasing Kaspersky Threat Intelligence Portal service licenses for tenants
in your group.
To view licenses,
Click the user icon () at the bottom of the Kaspersky Threat
Intelligence Portal page, and select Licenses → Tenant.
The Tenant licenses page opens. The Current licenses tab displays information about licenses for services that tenant
users can work with. The Available licenses tab displays other Kaspersky Threat
Intelligence Portal services.
For more details, please refer to the Viewing your current and available licenses section.
Page top
[Topic ManagingAPItokensForTenants]
Managing API tokens for tenant groups
To work with tenant data via the API without having an account in the tenant, tenant manager
needs to use a personal API token. For the convenience, tenant managers can request personal API tokens on this
page, or also by switching to the tenant and signing into the personal account.
To request an API token:
- Click the user icon () in the lower-left corner of the page and
select Access control → Tenants.
The Tenants tab of the Access control page opens.
- Select tenant for which you want to request API tokens.
- Click the Request API token button.
- Specify the expiration date of the API token.
- Click the Request button.
Generated API tokens and their expiration dates appear in the table.
- If necessary, you can download required API tokens by clicking on the Download API token button.
Page top
[Topic SwitchingTenants]
Switching between tenant groups
As tenant manager, you can switch between tenants in your group. When you work in the general
group, the Tenant center page that displays information about all your tenants, becomes
available. To perform any actions in a certain tenant (for example, to add a new asset), you need to
switch to this tenant.
To switch to another tenant:
- Click the current tenant name in the Switch tenant
option in the upper-left corner of the page.
- In the list, select the tenant you want to switch to.
The Home page of the selected tenant opens. You can work with Kaspersky Threat
Intelligence Portal as a user of the selected tenant.
- To switch back to your general group, in the Switch
tenant option, select General.
Page top
[Topic CnCtracking]
APT C&C Tracking
This section explains how you can view and export a list of dangerous IP addresses using the
Kaspersky Threat Intelligence Portal web interface. API method for APT C&C Tracking service is also available.
APT C&C Tracking Service delivers IP addresses of
infrastructure connected to advanced threats. This helps security analysts working in CERTs, National SOCs, and
National Security Agencies monitoring the deployment of new malware, so that they can take the required measures
to mitigate ongoing and upcoming attacks. The service is updated daily with recent findings of the Kaspersky
Global Research and Analysis Team who have a proven track record in discovering APT campaigns across the world.
For each IP address, there is a name of an APT group, operation, or malware it is associated with, internet
service provider, and autonomous system, collection of associated IP addresses hosting information, and dates when
this was first and last seen. The IP addresses can be downloaded in a machine-readable format, so you can upload
it to existing security solutions to automate detection.
The table below shows comparison of available APT C&C Tracking features depending on the way
you work with Kaspersky Threat Intelligence Portal.
Comparison of available APT C&C Tracking features
|
Feature
|
Web interface
|
API
|
|
View a list of dangerous IP addresses
|
|
|
|
Filter a list of dangerous IP addresses by date
|
|
|
|
Filter a list of dangerous IP addresses by country
|
|
|
|
Export a list of dangerous IP addresses
|
|
|
Page top
[Topic ViewAPTCnC]
Viewing APT C&C Associated IP addresses
To view the APT C&C associated IP addresses,
Open the Active feed page (
APT CC Tracking).
Information about all available IP addresses is displayed.
Information about IP addresses
|
Field
|
Description
|
|
IP address
|
Detected IP address. The items are clickable and take you to the Threat Lookup () → Threat Lookup results page, where you can search for information about
the IP address.
|
|
First seen
|
Date when the IP address was first detected by the Kaspersky experts, according to
your computer local time zone.
|
|
Last seen
|
Date when the IP address was last detected by the Kaspersky experts, according to
your computer local time zone.
|
|
Domain
|
Domain that resolves to the detected IP address.
|
|
Country
|
Country that the detected IP address belongs to. You can filter the displayed list
using a filter ().
|
|
IP address type
|
Type of the detected IP address (for example, Derived or Organic).
|
|
Tags
|
Tags associated with the detected IP address. For certain IP addresses, a brief
description is available.
|
|
Activity periods
|
The View activity link opens the window where
activity periods for the selected IP address are displayed.
|
Page top
[Topic ExportAPTCnC]
Exporting APT C&C Associated IP addresses
To export information about the APT C&C associated IP addresses:
- Open the Active feed page ( APT CC Tracking).
Information about all
available IP addresses is displayed.
- If necessary, use the filter () to select a
country for which you want to export information.
IP addresses that belong to the
selected country are displayed.
- Click the Download data button.
- In the drop-down list, select the file format that you want to export information to:
CSV archive (.zip) or JSON archive (.zip).
The Save As window opens.
- Select the location and click Save.
The file in the selected format will be saved to the specified location.
Page top
[Topic ViewingActivityHistory]
Viewing activity history
To view the APT C&C associated IP addresses activity:
- Open the History page ( APT CC Tracking).
Information about all
activity periods of the IP addresses is displayed.
- If necessary, use the filter () to select a
country for which you want to view the activity periods of IP addresses.
Activity
periods of the IP addresses that belong to the selected country are displayed.
Page top
[Topic WhoIsTracking]
WHOIS Tracking
This section explains how you can search for WHOIS information and create rules to track the
WHOIS information about domains and IP addresses using Kaspersky Threat Intelligence Portal.
Page top
[Topic WHOISlookupDomain]
WHOIS lookup for domain
The following procedure tells you how to perform a WHOIS search for a domain.
To perform a WHOIS lookup for a domain:
- Open the WHOIS Lookup page (WHOIS Tracking (
) → WHOIS Lookup), and then select the Domain tab.Required and optional fields will be displayed.
- Fill in at least one of the required fields:
- Domain—Domain that you want to investigate.
You can use special search characters (such as *, ~, and ^).
Advanced searches can be performed only for ASCII domain names. A search for
internationalized domain names (IDNs) may be proceeded incorrectly.
- Contact—Name, email address, or organization
name of any of the contacts (registrant, administrative, technical, billing, or zone) to which the domain
belongs. Searches are word-based and case-insensitive.
You can perform different types of searches.
- Name server—Name server for the domain that
you want to investigate.
For name servers, the same types of search are possible as
for domain names: exact matching, substring matching, and approximate
string matching.
- If necessary, in the Advanced options section fill in
the following fields:
- Information checked date (range)—Date or
period of time when the information about the domain was last updated in Kaspersky expert systems.
- Creation date (range)—Date or period of time
when the domain was created.
- Expiration date (range)—Date or period of time
when the domain expires.
- Updated date (range)—Date or period of time
when the domain was last updated in the registry.
- Click the Search button.
Kaspersky Threat Intelligence Portal will display available results.
- If necessary, in the History table, click the Resend request button to repeat the WHOIS lookup search.
If more than 1000 results are available, Kaspersky Threat Intelligence Portal will ask you
to narrow your search by filling in more fields and/or using date pickers.
Page top
[Topic WHOISlookupIP]
WHOIS lookup for IP address
This section tells you how to perform a WHOIS search for an IP address.
To perform a WHOIS lookup for an IP address:
- Open the WHOIS Lookup page (WHOIS Tracking () → WHOIS Lookup), and then select the IP address
tab.
Required and optional fields will be displayed.
- Fill in at least one of the required fields:
- IP address—IP address or a range of IP
addresses you want to investigate.
- Organization—Name, email address of the
organization or person, or net description. The search is word-based and case-insensitive. You can search
for a phrase by putting your search terms (the entire string) in quotes that the IP address belongs to.
- ASN—Autonomous system number.
- If necessary, in the Advanced options section, specify
the following fields:
- Click the Search button.
Kaspersky Threat Intelligence Portal will display available results.
- If necessary, in the History table, click the Resend request button to repeat the WHOIS lookup search.
If more than 1000 results are available, Kaspersky Threat Intelligence Portal will ask you
to narrow your search by filling in more fields and/or using date pickers.
Page top
[Topic ViewingWhoIslookupRequests]
Viewing WHOIS lookup request history
The History table displays WHOIS lookup results for domains and IP addresses.
Request history table
|
Field
|
Description
|
|
Request
|
WHOIS lookup request (domain or IP address).
|
|
Type
|
Type of the requested object (Domain or IP address).
|
|
Date
|
Date and time when the request was created (according to your local time zone).
|
|
Action
|
Action you can perform to the corresponding request (repeat the WHOIS lookup search).
|
You can search for certain WHOIS lookup request results by entering search criteria in the Search field.
Page top
[Topic TrackingRulesDomain]
WHOIS hunting for domain
The following procedure tells you how to create a tracking rule for a regular WHOIS search for a
domain.
To create a tracking rule for regular WHOIS search for a domain:
- Open the WHOIS Hunting page (WHOIS Tracking () → WHOIS Hunting), and then select the Domain tab.
Required and optional fields will be displayed.
- In the Rule name field, specify a name for the tracking
rule.
A rule name must be unique.
- Select the Notifications enabled check box and specify
an email address if you want to receive email notifications when new information appears about the tracking
rule.
- Specify the priority of a tracking rule:
The number of available/all tracking rules is displayed for all Kaspersky Threat
Intelligence Portal users in your group.
- Fill in at least one of the required fields:
- Domain—Domain you want to investigate.
You can use special search characters (such as *, ~, and ^).
Advanced searches can be performed only for ASCII domain names. A search for
internationalized domain names (IDNs) may be proceeded incorrectly.
- Contact—Name, email address, or organization
name of any of the contacts (registrant, administrative, technical, billing, or zone) to which the domain
belongs. Searches are word-based and case-insensitive.
You can perform different types of searches.
- Name server—Name server for the domain you
want to investigate.
For name servers, the same types of search are possible as for
domain names: exact matching, substring matching, and approximate string matching.
- If necessary, specify the following fields in the Advanced
options section:
- Information checked date (range)—Date when the
information about the domain was last updated in Kaspersky expert systems.
- Creation date (range)—Period of time when the
domain was created.
- Expiration date (range)—Period of time when
the domain expires.
- Updated date (range)—Period of time when
information about the domain was updated in the registry.
- Click the Create tracking rule button.
Kaspersky Threat Intelligence Portal will create a tracking rule for a
domain.
Page top
[Topic TrackingRulesIP]
WHOIS hunting for IP address
The following procedure tells you how to create a tracking rule for a regular WHOIS search for
an IP address.
To create a tracking rule for a regular WHOIS search for an IP address:
- Open the WHOIS Lookup page (WHOIS Tracking () → WHOIS Hunting), and then select the IP address
tab.
- In the Rule name field, specify a name for the tracking
rule.
A rule name must be unique.
- Select the Notifications enabled check box and specify
an email address if you want to receive email notifications when new information appears about the tracking
rule.
- Specify the priority of a tracking rule:
The number of available/all tracking rules is displayed for all Kaspersky Threat
Intelligence Portal users in your group.
- Fill in at least one of the required fields:
- IP address—IP address or a range of IP
addresses you want to investigate.
- ASN—Autonomous system number.
- Organization—Name, email address of the
organization or the person, or net description. Searches are word-based and case-insensitive. You can search
for a phrase by putting your search terms (the entire string) in quotes that the IP address belongs to.
- If necessary, specify the following fields in the Advanced
options section:
- Click the Create tracking rule button.
Kaspersky Threat Intelligence Portal will create a tracking rule for an IP
address.
Page top
[Topic ViewingTrackingRules]
Viewing tracking rules
The Tracking rules table (WHOIS
Tracking () → WHOIS Hunting) contains
created tracking rules for domains and IP addresses.
Tracking rules table
|
Field
|
Description
|
|
Rule
|
Rule name.
|
|
Type
|
Type of an object (Domain or IP address) for which the tracking rule is created.
|
|
Created
|
Date and time when the tracking rule was created. In the Tracking rules table, your local rule creation time is displayed. In reports,
date and time are displayed in Coordinated Universal Time (UTC) format.
|
|
Priority
|
Priority of a tracking rule (Normal or High).
|
|
Notifications
|
Indicates whether notifications are enabled for the tracking rule.
|
|
New results
|
Number of new results for the tracking rule.
|
|
Actions
|
Actions you can perform to the tracking rule:
|
For each tracking rule, the following information is displayed when you click the View result button.
Tracking rule results for domains
|
Field
|
Description
|
|
Status
|
Status of the tracked domain.
|
|
Request
|
Domain which is being tracked.
|
|
Last checked
|
Date and time when information about the tracked domain was last checked in Kaspersky
expert systems.
|
|
IP count
|
Number of IP addresses that the tracked domain resolves to.
|
|
Updated
|
Date and time when information about the tracked domain was last updated in the
registry.
|
Tracking rule results for IP addresses
|
Field
|
Description
|
|
Request
|
IP address or range which is being tracked.
|
|
Organization
|
Name, email address of the organization or person, or net description. The search is
word-based and case-insensitive. You can search for a phrase by putting your search terms (the entire
string) in quotes that the IP address belongs to.
|
|
ASN
|
Autonomous system number.
|
|
IP count
|
Number of IP addresses that the domain resolves to.
|
|
Domain count
|
Number of domains which resolve to the tracked IP address.
|
|
Last checked
|
Date and time when information about the tracked IP address was last checked in
Kaspersky expert systems.
|
|
Updated
|
Date and time when information about the tracked IP address was last updated in the
registry.
|
Page top
[Topic UsingSpecialSearchCharacters]
Using special search characters
Expand all | Collapse all
You can use special search characters (such as *, ~, and ^) for WHOIS lookup and WHOIS hunting.
Exact matching
Searching for the exact domain or name server.
See example
Searching for company.com will return results for company.com domain.
Substring searching
Searching for domain names that contain the specified string.
For the search to be interpreted as a substring search, use the asterisk (*) as a
placeholder for one or more characters.
See example
Searching for *any.com will return results for the
following domains:
company.com
JohnSmithCompany.com
JaneSmithCompany.com
Approximate string matching (also called fuzzy string
searching)
Searching for domain names that approximately match the required domain name.
For the search to be interpreted as fuzzy, add the tilde (~) after the domain name. The
result will contain WHOIS lookup results for domain names that differ from the requested name when transposing,
deleting, or adding several characters.
See example
Searching for company.com~ will return the following
results:
company.com
ocmpany.com
company.cm
compony.com
Fuzzy searches cannot be used together with other types of search. For example, the
request *examp~ will not proceed correctly.
You can also perform the following types of search:
Phrase
Search for strings that contain a phrase, enclosed in quotation marks, in your search terms
(the entire string).
See example
Searching for "John Smith Company Ltd." will
return results for John Smith Company Ltd.
Set of words
Search for a set of words in arbitrary order.
See example
Searching for John Smith Company Ltd. will return the
following results:
John Smith Company Ltd.
Company John Smith Ltd.
Smith John Company Ltd.
Strings starting from a word
Search for strings that begin with a specific word. Insert a caret (^) before the search
term.
See example
Searching for ^John will return the following results:
John Smith Company Ltd.
John Smith Inc.
Strings starting from a phrase
Search for strings that begin with a specific phrase. Insert a caret (^) before the search
term.
See example
Searching for ^"John Smith Company" will return
the following results:
John Smith Company Ltd.
John Smith Company Inc.
Strings ending with a word
Search for strings that end with a specific word. Add a dollar sign ($) after the search
term.
See example
Searching for Company$ will return the following results:
John Smith Company
Jane Smith Company
Strings ending with a phrase
Search for strings that end with a specific phrase. Add a dollar sign ($) after the search
term.
See example
Searching for "Company Ltd."$ will return the
following results:
Company Ltd.
John Smith Company Ltd.
Jane Smith Company Ltd.
Page top
[Topic DataFeeds]
Threat Data Feeds
Kaspersky offers continuously updated Threat Intelligence Data Feeds to inform your business or
clients about cybersecurity risks, in a format suitable for automated processing. These continuous updates of Data
Feeds help you obtain up-to-date information about cyberthreats and make timely decisions about protecting against
them.
Kaspersky Threat Intelligence Portal allows you to view and download data feeds, supplementary
tools, SIEM connectors, delivery protocols, and additional documents on the Threat Data
Feeds (
) page.
Detailed information about data feeds, tools, and documents is available in the Kaspersky Threat Intelligence
Portal web interface. You can download required items from the web interface () or by using an external link (
).
You can also obtain Threat Data Feeds by using the Kaspersky Threat Intelligence Portal
API.
Page top
[Topic ThreatDataFeeds]
Data Feeds
The Data Feeds section lists data sources and links that you
can use to download Threat Data Feeds. Depending on your license, you can download a feed in one of the following versions:
- Full feed—Full version of the Threat Data Feed.
Available if you have a valid license for this feed.
- Demo—Demo version of the Threat Data Feed.
Available if you do not have a valid license for this feed. Demo versions contain fewer indicators, are updated
less frequently and have a significantly lower detection rate compared to the commercial version of the feed. We
do not recommend using demo versions of feeds in production.
- Sample—Shortened version of the feed that contains
the top 10 most popular records from the full feed version. Available if you do not have a valid license for
this feed.
For each Threat Data Feed, tags describing the intended use of the feed are displayed: Detection, Prevention, and Investigation.
The list also contains Threat Data Feeds marked with the META
label. META feeds are region-specific versions of the regular feeds in JSON format. These feeds provide the best
coverage for threats observed in META region, while regular feeds focus on worldwide coverage. We recommend that
you use META feeds when network traffic is limited by META region.
For each Threat Data Feed, the number of records and update frequency are displayed.
You can click the required Threat Data Feed to view its JSON structure and elements description.
In the window that opens, you can also click the Download ZIP archive button to
download the selected Threat Data Feed.
The Related Materials section lists additional documents
related to data feeds.
Page top
[Topic DeliveryProtocols]
Delivery protocols
The Delivery protocols section contains a list of Kaspersky
delivery protocols that can be used to download Data Feeds and indicators of compromise (IOC).
Page top
[Topic ImplementationGuide]
Implementation guide
Implementation
guide describes Kaspersky Threat Intelligence Data Feeds and their usage.
The guide also explains how feed updates are delivered, depending on the format of Data Feeds,
and how to integrate with SIEM systems.
Kaspersky Threat Intelligence Data Feeds implementation guide is available in English and Russian languages.
Page top
[Topic ManagingAccounts]
Managing accounts
This section explains how to manage your employees accounts.
The account management is available only for Kaspersky Threat Intelligence Portal users with
a group administrator privileges, including tenant group managers.
There are three account access types:
- FULL—User works with Kaspersky Threat Intelligence
Portal both online and with API.
- WEB—User works with Kaspersky Threat Intelligence
Portal only online.
- API—User works with Kaspersky Threat Intelligence
Portal only using the API.
You can view, create, edit, and delete accounts. Also, the account history is available.
Page top
[Topic RegisteringGroupAdmin]
Registering as a group administrator
You can register as the first administrator for your group. The administrator has all group
account management privileges including creating user accounts and defining user roles.
The link to the web registration is provided by your dedicated Kaspersky Technical Account
Manager through a PGP-encrypted email or in a password-protected .zip archive. In this case, the archive and
password are provided by separate secure channels (for example, the archive is sent by email and its password by
SMS message).
To register as the first administrator of your group:
- Follow the link to the registration form you received from your dedicated Kaspersky
Technical Account Manager.
- In the Registration form, specify the following:
- In the Administrator name field, fill in your
administrator name.
The administrator name must contain Latin letters, numbers, and
an underscore. The maximum length is 12 characters.
- In the Login field, fill in your unique user
identifier.
The login name is case-sensitive and may contain uppercase and lowercase
Latin letters, numbers, an underscore, and a minus sign. The length of this name must be between 2 and 64
characters.
- In the Password field, enter your password for the
administrator account.
The password must contain uppercase and lowercase letters,
numbers, and special characters. In addition, the use of other character types is also allowed. The
password length must be between 15 and 64 characters
- In the Password confirmation field, enter your
password again.
- Click the Registration using certificate button, and in
the form that opens specify the following:
- In the Certificate password field, enter your
password for the certificate.
- in the Certificate password confirmation field, type
in the certificate password again.
- Click the Registration button.
The password-protected container with the certificate automatically downloads to your computer.
- Open the container with the specified certificate password and import the certificate.
After you import the certificate, your registration as the group administrator is
completed and you can start administering user accounts for your group on Kaspersky Threat Intelligence
Portal.
Page top
[Topic ViewAccounts]
Viewing accounts
The following procedure shows you how to view a list of accounts for your group.
To view your group's accounts,
Click the user icon () at the bottom of the Kaspersky Threat
Intelligence Portal page, and select one of the following in the Access control
section:
The information for the group's accounts is described in the table below.
Accounts management
|
Table field
|
Description
|
|
User name
|
User name to sign in to Kaspersky Threat Intelligence Portal.
|
|
State
|
State of the user's account. You can change the account's state in this table,
without editing its
settings.
Enabled—User can work with Kaspersky Threat
Intelligence Portal.
Disabled—User does not have access to
Kaspersky Threat Intelligence Portal.
|
|
Full name
|
User's first and last name.
|
|
Role
|
User's role:
Admin—User with administrator privileges to
manage user accounts. Each group can have several administrators.
User—User who works with Kaspersky Threat
Intelligence Portal services according to permissions and licenses available for the group.
|
|
Type
|
Type of access to Kaspersky Threat Intelligence Portal:
FULL—User works with Kaspersky Threat
Intelligence Portal both online and with API.
WEB—User works with Kaspersky Threat
Intelligence Portal only online.
API—User works with Kaspersky Threat
Intelligence Portal only using the API.
|
|
Access control
|
Second two-factor authentication method:
Certificate—Certificate provided by Kaspersky
is used to sign in.
TOTP login—One-time password is used to sign
in.
|
|
Actions
|
The Generate QR code button allows the
administrators to generate and download a QR code for accounts with a one-time password as the second
two-factor authentication method.
|
You can sort items in the table by any column, except Actions.
Also, you can view detailed information for specific accounts.
To view a specific account:
- In the search field, type a name or user name.
Matching results
will be displayed, with the list automatically updating as you type.
- In the User name column, click the name of a user for
whom you want to view detailed information.
The side-bar containing the user's
information opens.
- If necessary, you can edit the account's settings.
Page top
[Topic AddingNewAccount]
Adding new account
The following procedure tells you how to add a new account.
To add an account:
- Click the user icon () at the bottom of the Kaspersky Threat
Intelligence Portal page, and select one of the following in the Access
control section:
- Click the Add account button.
The Add account side-bar opens.
- Use the Enabled / Disabled toggle button to specify the account status:
- Enabled—User can work with Kaspersky Threat
Intelligence Portal. The new account is enabled by default.
- Disabled—User does not have access to
Kaspersky Threat Intelligence Portal.
- In the User name field, specify the name of a user for
whom you want to add an account.
- In the Full name field, specify the user's first and
last name.
- In the Role drop-down list, select the user role:
- User—User who works with Kaspersky Threat
Intelligence Portal according to the granted user privileges. Users can create accounts only with the User role selected. To create an account with administrator privileges, please
contact your group administrator or your dedicated Kaspersky Technical Account Manager.
- Admin—User who works with Kaspersky Threat
Intelligence Portal and has administrator privileges. If you are the group administrator, you can create
accounts with the User or Admin role
selected.
- In the Type drop-down list, select the access type,
which can be one of the following:
- FULL—User who works with Kaspersky Threat
Intelligence Portal both online and with API.
- WEB—User who works with Kaspersky Threat
Intelligence Portal only online.
- API—User who works with Kaspersky Threat
Intelligence Portal only using the API.
- In the Access control field, the second two-factor
authentication method when signing in, is displayed:
- TOTP login—User will have to use a one-time
password to sign in.
The Access control field is not available for
editing.
- In the Password / Confirm
password fields, specify the account's password. You can use the eye icon to show/hide the password.
The password must contain uppercase and lowercase letters, numbers, and special
characters. In addition, the use of other character types is also allowed. The password length must be between
15 and 64 characters
- Click the Add account button to save changes.
Page top
[Topic EditAccount]
Editing account settings
The following procedure tells you how to view detailed information for a specific account.
To view account information:
- Click the user icon () at the bottom of the Kaspersky Threat
Intelligence Portal page, and select one of the following in the Access
control section:
- In the User name column, click the name of a user for
whom you want to view detailed information.
The side-bar containing user's information
opens.
- On the Account settings tab, you can edit the following
settings:
- Enabled / Disabled—Toggle button that indicates the account status:
- Enabled—User can work with Kaspersky
Threat Intelligence Portal.
- Disabled—User does not have access to
Kaspersky Threat Intelligence Portal.
- User name—User name used to sign in to
Kaspersky Threat Intelligence Portal.
This field cannot be edited. To change
the user name, you have to create a new account.
- Full name—User's first and last name.
- Role—User's role is displayed:
- Admin—User with administrator privileges.
Administrators manage user accounts. There can be several administrators for the group.
- User—User who works with Kaspersky Threat
Intelligence Portal services according to permissions and licenses available for the group.
The Role field is not available for editing.
- Type—Access type, which can be one of the
following:
- FULL—User who works with Kaspersky Threat
Intelligence Portal both online and with API.
- WEB—User who works with Kaspersky Threat
Intelligence Portal only online.
- API—User who works with Kaspersky Threat
Intelligence Portal only using the API.
- In the Access control field, the second two-factor
authentication method when signing in, is displayed:
- Certificate—User will have to use a
certificate to sign in.
- TOTP login—User will have to use a
one-time password to sign in. For tenant groups, only this option is available.
The Access control field is not available for
editing.
- New password / Confirm
password— Fields for changing account's password. You can use the eye icon to show/hide the
password.
The password must be 8 to 64 characters long. Leaving these fields empty
keeps the existing user password.
- On the Access rights tab, you can specify user's access
to Kaspersky Threat Intelligence Portal services.
This tab displays Kaspersky Threat
Intelligence Portal services and features that are available for your organization.
- If necessary, open the Change history tab that displays
the account
changes history. You cannot edit information on this tab.
- Click the Save button to save changes.
The Save button is not available on the Change history tab.
- If necessary, click the Delete this account button on
the Account settings to delete the account.
Page top
[Topic GenerateQRcode]
Generating QR code
For users with a one-time password specified as the
second two-factor authentication method, you must generate and provide a QR code so the user can sign in to Kaspersky Threat
Intelligence Portal.
To provide a QR code to a user:
- If necessary, switch to the required tenant group.
- Click the user icon () at the bottom of the Kaspersky Threat
Intelligence Portal page, and in the Access control section, select Accounts.
- For the required user with TOTP login specified in the
Access control column, click the Generate QR
code button in the Actions column.
The TOTP QR code window, that displays the generated QR code, opens.
- If necessary, click the Download QR code button.
The <user login>.png file is downloaded.
- Click the Close button.
- Provide the generated QR code to a user.
Page top
[Topic ViewingAccountHistory]
Viewing account history
The following procedure tells you how to view actions performed on an account (history).
To view account history:
- Click the user icon () at the bottom of the Kaspersky Threat
Intelligence Portal page, and select one of the following in the Access
control section:
The Access control page opens.
- In the User name column, click the name of a user for
whom you want to view account history.
The side-bar containing user's information opens.
- On the Change history tab, the following information is
displayed:
- Date—Date when changes in a user's account
settings were performed.
- User name—Person who made changes to the
account.
- Field—Settings that were changed.
- Old value—Previous setting value.
- New value—New setting value.
- If necessary, you can use the filter () to specify a
certain period by using date pickers (calendar) in the Date column.
Page top
[Topic DeletingAccount]
Deleting account
The following procedure tells you how to delete an account.
To delete an account:
- Click the user icon () at the bottom of the Kaspersky Threat
Intelligence Portal page, and select one of the following in the Access
control section:
- Delete the account in one of the following ways:
- In the accounts list, select the account you want to delete and click the Delete button. You can select and delete several accounts simultaneously.
- Click the user name of a user which account you want to delete, and on the Account settings tab, click the Delete this
account button.
Page top
[Topic CustomizingEmailNotifications]
Configuring email notifications
The following procedure shows how to configure email notifications that Kaspersky Threat
Intelligence Portal sends when certain events occur.
For APT Intelligence, Crimeware Threat Intelligence, and Industrial Threat Intelligence reports,
personal customization is available. Kaspersky Threat Intelligence Portal will send notifications only for reports
that match the options you specified.
The list of notification events depends on the licenses your organization has purchased.
The License expiration check box is available only for Admin accounts.
To configure email notifications:
- Click the user icon () at the bottom of the Kaspersky Threat
Intelligence Portal menu, and select the Notifications option in the Settings section.
The Notifications page opens.
- Enable email notifications by switching on the Receive email
notifications toggle button.
- In the Email address for notifications field, enter your
email.
- Specify events that you want to be informed about:
- To enable email notification for an event, select the corresponding check box.
If you select the License expiration check box,
email notifications will be sent 90, 60, 30, and 7 days before a license expires.
- To disable email notification for an event, clear the corresponding check box.
- Click Customize under the selected reports, and in the
opened side-bar configure the following:
- On the following tabs, select sections to search in the reports:
- Geo—List of countries and territories.
- Industries—List of industries, economic
sectors, and businesses.
- Actor—List of known actors.
- Specify the required options by selecting or clearing the corresponding check boxes in
the required sections. By default, all options are selected.
The options in each
section are provided in alphabetic order.
If necessary, click the Select all or Clear all button to select or clear all check boxes.
You can also use the search field to find an option and click the Add button to select it.
The number of selected options is displayed in the corresponding tabs. Click Show all / Show less to view the full or
collapsed option list.
- Click Save.
The side-bar
closes automatically.
- Click Save.
By selecting
any of the check boxes, specifying your email address, and clicking the Save
button, you agree to receive automatic email notifications from Kaspersky Threat Intelligence Portal about
selected events. Your user name (login), full name, and email address will be processed in accordance with our
Privacy
Policy. You can cancel email notifications and your email address storage at any time.
The email notifications settings are saved. You can configure or disable email
notifications at any time.
Page top
[Topic ChangePassword]
Changing user password
The following procedure shows how to change your password for Kaspersky Threat Intelligence
Portal.
To change a password for Kaspersky Threat Intelligence Portal:
- Click the user icon () at the bottom of the Kaspersky Threat
Intelligence Portal menu, and select the Account option in the Settings section.
The Account page opens.
- In the Current password field, enter your current
password for Kaspersky Threat Intelligence Portal.
- In the New password field, enter your new password for
Kaspersky Threat Intelligence Portal.
The password must be 8 to 64 characters in length
and should not be the same as the previous one.
- In the Confirm new password field, enter your new
password again.
- Click Save.
Page top
[Topic SendFeedback]
Sending feedback
By using the feedback form, you can send your comments and suggestions about services and our
website to the Kaspersky Threat Intelligence Portal team.
To send your feedback about Kaspersky Threat Intelligence Portal:
- In the main menu, click the feedback button (
).The Feedback form window opens.
- Enter your feedback about Kaspersky Threat Intelligence Portal services and website.
The feedback length is limited to 2000 characters.
- Click the Send button to send your feedback to the
Kaspersky Threat Intelligence Portal team.
The comment field must have a comment and
must not have only spaces entered. Otherwise, this button is unavailable.
- Click the Cancel button to cancel sending the feedback.
If you need more information about Kaspersky Threat Intelligence Portal services, want to
purchase a license for services, or apply for more APT Intelligence reports or Crimeware Threat Intelligence
reports formats available for downloading, you can click the support request icon (
) in the menu. A new message window in your mail client opens.
Page top
[Topic RequestingSupport]
Requesting support
If you need more information about Kaspersky Threat Intelligence Portal services, want to
purchase a license for services, or apply for more APT Intelligence reports or Crimeware Threat Intelligence
reports formats available for downloading, you can apply for support.
To request support:
Click the request support icon () in the menu.
A new message window in your mail client opens.
Also, you can purchase or renew the licenses at the Licenses page.
Page top
[Topic ConvertingCertToPEM]
Converting API certificate to PEM format
You must convert the certificate received from your dedicated Kaspersky Technical Account
Manager to PEM format before working with Kaspersky Threat Intelligence Portal API.
It is recommended that you use the OpenSSL toolkit to convert your certificate to PEM
format.
To convert your certificate to PEM format in Windows,
Type the following string at the command prompt:
openssl.exe pkcs12 -in <certificate name>.pfx -clcerts -out ktl_lookup.pem -nodes
To convert your certificate to PEM format in Linux,
Execute the following command:
openssl pkcs12 -in <certificate name>.pfx -clcerts -out ktl_lookup.pem -nodes
|
Argument
|
Description
|
|
<certificate name>
|
Name of your certificate.
|
|
ktl_lookup.pem
|
Name of your certificate in PEM format.
|
Your ktl_lookup.pem certificate must be stored in the same directory where you store the ktl_lookup
utility.
Page top
[Topic SolveSSL]
Solving SSL certificate problem
If you receive an error (60) SSL certificate problem: unable to get local issuer certificate, do the
following:
- Download the latest cacert.pem file from https://curl.haxx.se/ca/cacert.pem website.
- Add the downloaded certificate file to the cURL using the following option:
--cacert [certificate file name]
Page top
[Topic ManagingAPItoken]
Managing API token
You can use the Threat Lookup API, Digital Footprint Intelligence API, and Data Feeds API without a certificate if it is allowed by the
organization. In this case, the API token is required.
Only users with the Full account type can request an
API token by using Kaspersky Threat Intelligence Portal web interface. If the type of account is later changed to
API, you can continue using the requested valid API token.
To obtain an API token, you must sign in to Kaspersky Threat Intelligence Portal via your
browser, and then request an API token. You can also view and copy your API token.
The generated API token is used as the authorization parameter when you run requests using the
Kaspersky Threat Intelligence Portal API.
The maximum API token validity period is one year.
To request an API token:
- Click the user icon () at the bottom of the Kaspersky Threat
Intelligence Portal menu, and select the Account option in the Settings section.
The Account page opens.
- In the Request API token section, select the required
API token validity period in the Select period field (calendar).
The validity period for the API token cannot be changed after it is generated. You can
only request another API token, and then specify a new required date. If you request a new API token, the
previous one is deleted.
- Click the Request button.
The generated API token appears in the text field. You can view your API token at any time on
the Account page.
Information about the API token's validity period is displayed below the text field. A warning
is displayed if there is less than one week left until the API token expires.
If necessary, you can copy the API token by clicking on the text field or the Copied to clipboard icon ().
Page top
[Topic RequestingAPTreportsUsingAPI]
APT and Crimeware Threat Intelligence reporting API
This section explains how to request reports by using Kaspersky Threat Intelligence Portal API.
Before working with the Kaspersky Threat Intelligence Portal API, you must accept the Terms
and Conditions online in your browser at https://tip.kaspersky.com.
The main purpose of the API is to give automated access for retrieving data from Kaspersky
Threat Intelligence Portal. More precisely, the API is used to export reports for further integration using other
external services. This documentation is valid for Kaspersky Threat Intelligence Portal API version 1.0.
To request reports by using Kaspersky Threat Intelligence Portal API:
- Make sure that the application you use for working with Kaspersky Threat Intelligence
Portal API uses the certificate you received from Kaspersky.
- In the Authorization field of the HEADER section, specify the user name and password that you received from
Kaspersky or your administrator.
- Specify the Basic authentication scheme.
- Specify the required HTTP method.
- Run your query by using one of the endpoints described below.
Obtaining certificate, user name, and password
A certificate, user name, and password are required to work with Kaspersky Threat Intelligence
Portal.
You must obtain a certificate, user name, and password from Kaspersky. The user name and
password are used to refer to the service through Kaspersky Threat Intelligence Portal API.
Converting certificate to PEM format
You must convert the certificate received from your dedicated Kaspersky Technical Account Manager to
PEM format before working with Kaspersky Threat Intelligence Portal API.
API Location
Unless otherwise instructed, you will access Kaspersky Threat Intelligence Portal API at the
following location:
https://tip.kaspersky.com/api/publications/<endpoint>
Authentication
Access to the API is obtained by two authentication methods:
- You must use the certificate information provided by the administrator.
- You must use the user name and password provided by the administrator.
Authentication error message
For invalid user login details, the server will return a 401 Unauthorized HTTP error message.
|
Request examples:
Expand all | Collapse all
Successful authentication:
curl -u <user_name> -H 'Content-Length: 0' --cert <full path to the certificate CERT_NAME.pem on your computer> -X POST 'https://tip.kaspersky.com/api/publications/<endpoint>'
See result example
{
"status": "ok",
"status_msg": "",
"return_data": <...see below...>
}
Invalid authentication:
curl -u <invalid user_name or password> -H 'Content-Length: 0' --cert <full path to the certificate CERT_NAME.pem on your computer> -X POST 'https://tip.kaspersky.com/api/publications/<endpoint>'
See result example
{
"status": "error",
"status_msg": "Unauthorized"
}
|
Endpoint return data
Each endpoint will return a JSON encoded array that has three entries: status, status_msg, and return_data.
- The
status entry can be: ok or error.
- The
status_msg entry will describe the error string
(a text part according to section 10 of RFC 2616) in case status is not ok.
- The
return_data entry will be documented accordingly
by each endpoint.
Methods
APT and Crimeware Threat Intelligence reporting API methods
|
Method
|
Description
|
|
get_list
|
Obtains the list of reports published on Kaspersky Threat Intelligence Portal.
|
|
get_one
|
Obtains specific information for a publication.
|
|
get_master_ioc
|
Obtains a Master IOC file, that contains indicators of compromise in CSV file format.
|
|
get_master_yara
|
Obtains a Master YARA file.
|
Page top
[Topic get_list]
Get report list
The publications/get_list endpoint is used to display the
list of reports published on Kaspersky Threat Intelligence Portal between date_start and date_end (optionally). The
publications will be returned based on the type (access) of the API caller. By default, if date_start and date_end are not specified,
the API lists all reports.
Request
Request method: POST
Endpoint: https://tip.kaspersky.com/api/publications/get_list
Query parameters:
Expected parameters
|
Parameter
|
Description
|
|
date_start
|
Include only reports that were published starting from and including the specified
date onwards.
Optional parameter.
Default value: 1.
|
|
date_end
|
Include only reports that were published only until and including the specified date.
Optional parameter.
Default value: time()—current time.
|
The date_start and date_end parameters must be specified in the UNIX™ time stamp system (the
number of seconds that have elapsed since 00:00:00 (UTC), 1 January 1970). You can convert the date into UNIX
format at www.epochconverter.com.
If these parameters are not specified, Kaspersky Threat Intelligence Portal API returns a list
of all reports.
|
Request examples:
Get all publications:
curl -u <user_name> -H 'Content-Length: 0' --cert <full path to the certificate CERT_NAME.pem on your computer> -X POST 'https://tip.kaspersky.com/api/publications/get_list'
Get publications within a specific timeframe:
curl -u <user_name> -H 'Content-Length: 0' --cert <full path to the certificate CERT_NAME.pem on your computer> -X POST 'https://tip.kaspersky.com/api/publications/get_list?date_start=1490628942&date_end=1490628942'
|
Responses
Click the links below for information about possible responses.
Expand all | Collapse all
200 OK
Request processed successfully.
The endpoint returns a JSON object that contains information about the reports.
200 OK response parameters
|
Parameter
|
Description
|
|
publications
|
Array with the keys described in this table.
|
|
id
|
Report ID. This value can be used as a publication_id argument for the get_one
endpoint.
Now the id parameter is a string value. For
example, the new value format is ac36f485-337b-4f91-4177-0c7b6bdf6a48-apt unlike the previous format
1234-fin. To determine the report group, consider the report_group parameter value, but not the id value suffix (-apt or -fin). The examples provided are not real publication IDs, but only show
the difference between the new and old value format.
|
|
updated
|
Time stamp when a report was updated.
|
|
published
|
Time stamp when a report was published.
|
|
name
|
Report name.
|
|
desc
|
Report description.
|
|
report_group
|
Report group. For example: "apt",
"fin".
|
|
tags
|
Array of all tags associated with the report. For example: ["turla", "epic turla"].
|
|
tags_industry
|
Array of industry tags associated with the report: industries that are involved in
APT attacks or mentioned in Crimeware Threat Intelligence reports. For example: ["Activists", "Zoo"].
|
|
tags_geo
|
Array of geography tags associated with the report: countries and regions that are
targeted by APTs or mentioned in Crimeware Threat Intelligence reports. For example: ["Egypt", "Iran",
"Jordan"].
|
|
tags_actors
|
Array of actor tags associated with the report: personalities or companies that are
involved in APT attacks or mentioned in Crimeware Threat Intelligence reports. For example: ["APT28"].
|
|
pdfs
|
Array of two-letter codes of the languages in which a report is available. The
value can be one of the following: ru (Russian), en (English), pt (Portuguese), or
es (Spanish). You can specify an available value as a value for the
lang parameter for the get_one
endpoint to fetch a report in the specific language.
|
|
exec_sums
|
Array of two-letter codes of the languages in which an executive summary is
available. The value can be one of the following: ru (Russian),
en (English), pt (Portuguese),
or es (Spanish). You can specify an available value as a value for
the lang parameter for the get_one
endpoint to fetch an executive summary in the specific language.
|
|
exec_sum_text
|
Text of the executive summary (only for APT Threat Intelligence reports). If the
executive summary is not available, this field is not included in the return data.
|
|
Count
|
Total number of returned reports.
|
Tag values can contain UTF-8 (Unicode Transformation Format 8-bit) symbols. The list of
values is not limited, and tags can be added or deleted without prior notification.
See result example
{
"status": "ok",
"status_msg": "",
"return_data": {
"count": 2,
"publications": [
{
"id": "ac36f485-337b-4f91-4177-0c7b6bdf6a48-apt",
"updated": 1489079546,
"published": 1489079546,
"name": "APT10 Spearphishes Japanese Policy Experts late 2016 to early
2017",
"desc": "In late January 2017, JPCERT/CC reported a spearphishing campaign
and related backdoor which they named ChChes. The campaign, which we have high confidence was carried out by
the APT10 actor, targeted multiple Japanese organizations.",
"report_group": "apt",
"tags": ["Japan", "Educational", "APT10"],
"tags_industry": ["Educational"],
"tags_geo": ["Japan"],
"tags_actors": ["APT10"],
"pdfs": ["pt", "en"],
"exec_sums": ["en"]
},
{
"id": "ac36f465-337b-4f91-4177-0c7b6bdf6a48-apt",
"updated": 1487783546,
"published": 1487783546,
"name": "Ismdoor - possible Shamoon attack vector found in Saudi
Arabia",
"desc": "Ismdoor is a family of malware which according to public sources
might be connected or used in relation to the Shamoon2 attacks. Although no solid proof of connections with
Shamoon have been identified so far, the distribution of the victims has a strong bias towards Saudi Arabia
and Qatar, as well as other countries from the Gulf region.",
"report_group": "apt",
"tags": ["Iraq", "Jordan", " Qatar", " Saudi
Arabia", "Energy"],
"tags_industry": ["Energy"],
"tags_geo": ["Iraq", "Jordan", "Qatar",
"Saudi Arabia"],
"pdfs": ["pt", "en"],
"exec_sums": ["en"],
"exec_sum_text": [Text of the executive summary]
}
]
}
}
401 Unauthorized
Request not processed: user authentication failed.
Make sure you enter the correct credentials, and then try to run the query again. If the
problem recurs, please contact your dedicated Kaspersky Technical Account Manager.
403 Forbidden
Request not processed: running requests by using an API token is
forbidden for this service.
You can use an API token only for running Threat Lookup API requests.
For other Kaspersky Threat Intelligence Portal services, a certificate is required,
an API token usage is not available.
451 Unavailable For Legal Reasons
Page top
[Topic get_one]
Get specific report
The publications/get_one endpoint is used to display
specific information for a publication, identified by publication_id. For
each publication, a set of reports can be requested, such as: PDF report, summary report, YARA Rules, IOCs,
Suricata rules. If request is successful, the requested publication ID will be returned, alongside with the
publication metadata and reports to which the API user has access to. For example, if publication ID 1337 is requested with the following reports: PDF, Summary, YARA & IOCs, but
the API user has access only to YARA Rules, it will receive only the rules and nothing else. The request will have
status ok.
Request
Request method: POST
Endpoint: https://tip.kaspersky.com/api/publications/get_one
Query parameters:
Expected parameters
|
Parameter
|
Description
|
|
publication_id
|
Report ID: the id parameter (a string) returned
by the get_list
endpoint.
|
|
include_info
|
List of the optional parameters separated by comma:
all—All available formats.
pdf—Report in PDF format.
execsum—Brief report summary for business
purposes (executive summary) in PDF format.
yara—Report in YARA Rules format.
iocs—OpenIOC file that includes
description of indicators of compromise.
suricata—File that contains Suricata
rules associated with the report.
|
|
lang
|
Language for a report or an executive summary. The value can be one of the following:
ru (Russian), en (English),
pt (Portuguese), or es
(Spanish). A list of available languages for a report or an executive summary is returned by the pdfs or the exec_sums parameters in
the get_list
endpoint. If the lang parameter is not specified, an English version
of the report or executive summary will be returned.
|
|
Request examples:
Get specific information about publication ID ac36f485-337b-4f91-4177-0c7b6bdf6a48-apt, requesting all formats:
curl -u <user_name> -H 'Content-Length: 0' --cert <full path to the certificate CERT_NAME.pem on your computer> -X POST 'https://tip.kaspersky.com/api/publications/get_one?publication_id=ac36f485-337b-4f91-4177-0c7b6bdf6a48-apt&include_info=all'
Get specific information about publication ID ac36f485-337b-4f91-4177-0c7b6bdf6a48-apt, requesting IoC and YARA Rules
files:
curl -u <user_name> -H 'Content-Length: 0' --cert <full path to the certificate CERT_NAME.pem on your computer> -X POST 'https://tip.kaspersky.com/api/publications/get_one?publication_id=ac36f485-337b-4f91-4177-0c7b6bdf6a48-apt&include_info=iocs,yara'
|
Responses
Click the links below for information about possible responses.
Expand all | Collapse all
200 OK
Request processed successfully.
The endpoint returns a JSON object that contains information about the specific report.
200 OK response parameters
|
Parameter
|
Description
|
|
publications
|
Array with the keys described in this table.
|
|
id
|
Report ID.
|
|
updated
|
Time stamp when a report was updated.
|
|
published
|
Time stamp when a report was published.
|
|
name
|
Report name.
|
|
desc
|
Report description.
|
|
exec_sum_text
|
Text of the executive summary (only for APT Threat Intelligence reports). If the
executive summary is not available, this field is not included in the return data.
|
|
report_group
|
Report group. For example: "apt",
"fin".
|
|
tags
|
Array of all tags associated with the report. For example: ["turla", "epic turla"].
|
|
tags_industry
|
Array of industry tags associated with the report: industries that are involved in
APT attacks or mentioned in Crimeware Threat Intelligence reports. For example: ["Activists", "Zoo"].
|
|
tags_geo
|
Array of geography tags associated with the report: countries and regions that are
targeted by APTs or mentioned in Crimeware Threat Intelligence reports. For example: ["Egypt", "Iran",
"Jordan"].
|
|
tags_actors
|
Array of actor tags associated with the report: personalities or companies that are
involved in APT attacks or mentioned in Crimeware Threat Intelligence reports. For example: ["APT28"].
|
|
report_pdf
|
Optional element if available, base64 gzip encoded PDF report.
|
|
report_yara
|
Optional element if available, base64 gzip encoded YARA Rules.
|
|
report_suricata
|
Optional element if available, base64 gzip encoded file containing Suricata rules
associated with the report.
|
|
report_iocs
|
Optional element if available, base64 gzip encoded IoCs.
|
|
report_execsum
|
Optional element if available, base64 gzip encoded executive summary report.
|
Tag values can contain UTF-8 (Unicode Transformation Format 8-bit) symbols. The list of
values is not limited, and tags can be added or deleted without prior notification.
See result examples
Get information about publication ID ac36f485-337b-4f91-4177-0c7b6bdf6a48-apt,
requesting all formats:
curl -u <user_name> -H 'Content-Length: 0' --cert <full path to the certificate
CERT_NAME.pem on your computer> -X POST
'https://tip.kaspersky.com/api/publications/get_one?publication_id=ac36f485-337b-4f91-4177-0c7b6bdf6a48-apt&include_info=all'
See result example
{
"status": "ok",
"status_msg": "",
"return_data": {
"id": "ac36f485-337b-4f91-4177-0c7b6bdf6a48-apt",
"updated": 1435010400,
"published": 1435010400,
"name": "Sofacy - New AZZY backdoor",
"desc": "Description of the AZZY backdoor used by the Sofacy group.",
"report_group": "apt",
"tags": ["APT28","Fancy
Bear","Sednit","Sofacy","Tsar Team"],
"tags_actors": ["APT28","Fancy
Bear","Sednit","Sofacy","Tsar Team"],
"report_iocs": "..base64(gzip())..",
"report_yara": "..base64(gzip())..",
"report_pdf": "..base64(gzip())..",
"report_execsum": "..base64(gzip()).."
}
}
Get specific information about publication ID
ac36f485-337b-4f91-4177-0c7b6bdf6a48-apt, requesting IoC and YARA Rules files:
curl -u <user_name> -H 'Content-Length: 0' --cert <full path to the certificate
CERT_NAME.pem on your computer> -X POST
'https://tip.kaspersky.com/api/publications/get_one?publication_id=ac36f485-337b-4f91-4177-0c7b6bdf6a48-apt&include_info=iocs,yara'
See result example
{
"status": "ok",
"status_msg": "",
"return_data": {
"id": "ac36f485-337b-4f91-4177-0c7b6bdf6a48-apt",
"updated": 1435010400,
"published": 1435010400,
"name": "Sofacy - New AZZY backdoor",
"desc": "Description of the AZZY backdoor used by the Sofacy group.",
"report_group": "apt",
"tags": ["APT28","Fancy
Bear","Sednit","Sofacy","Tsar Team"],
"tags_actors": ["APT28","Fancy
Bear","Sednit","Sofacy","Tsar Team"],
"report_iocs": "..base64(gzip())..",
"report_yara": "..base64(gzip()).."
}
}
Get information about publication ID ac36f485-337b-4f91-4177-0c7b6bdf6a48-apt, not
specifying the include_info parameter:
curl -u <user_name> -H 'Content-Length: 0' --cert <full path to the certificate
CERT_NAME.pem on your computer> -X POST
'https://tip.kaspersky.com/api/publications/get_one?publication_id=ac36f485-337b-4f91-4177-0c7b6bdf6a48-apt'
See result example
{
"status": "ok",
"status_msg": "",
"return_data": {
"id": "ac36f485-337b-4f91-4177-0c7b6bdf6a48-apt",
"updated": 1435010400,
"published": 1435010400,
"name": "Sofacy – New AZZY backdoor",
"desc": "Description of the AZZY backdoor used by the Sofacy group.",
"report_group": "apt",
"tags": ["APT28","Fancy
Bear","Sednit","Sofacy","Tsar Team"],
"tags_actors": ["APT28","Fancy
Bear","Sednit","Sofacy","Tsar Team"]
}
}
Get specific information about publication ID
ac36f485-337b-4f91-4177-0c7b6bdf6a48-apt, inputting an invalid include_info value:
curl -u <user_name> -H 'Content-Length: 0' --cert <full path to the certificate
CERT_NAME.pem on your computer> -X POST
'https://tip.kaspersky.com/api/publications/get_one?publication_id=ac36f485-337b-4f91-4177-0c7b6bdf6a48-apt&include_info=pdf,<invalid
value>'
If fetching the specific information about the report using an invalid include_info value, an incorrect value will be ignored.
See result example
{
"status": "ok",
"status_msg": "",
"return_data": {
"id": "ac36f485-337b-4f91-4177-0c7b6bdf6a48-apt",
"updated": 1435010400,
"published": 1435010400,
"name": "Sofacy – New AZZY backdoor",
"desc": "Description of the AZZY backdoor used by the Sofacy group.",
"report_group": "apt",
"tags": ["APT28","Fancy
Bear","Sednit","Sofacy","Tsar Team"],
"tags_actors": ["APT28","Fancy
Bear","Sednit","Sofacy","Tsar Team"],
"report_pdf": "..base64(gzip()).."
}
}
401 Unauthorized
Request not processed: user authentication failed.
Make sure you enter the correct credentials, and then try to run the query again. If the
problem recurs, please contact your dedicated Kaspersky Technical Account Manager.
403 Forbidden
Request not processed: running requests by using an API token is
forbidden for this service.
You can use an API token only for running Threat Lookup API requests.
For other Kaspersky Threat Intelligence Portal services, a certificate is required,
an API token usage is not available.
451 Unavailable For Legal Reasons
Page top
[Topic get_master_ioc]
Get Master IOC file
The publications/get_master_ioc endpoint is used to
display a Master IOC file, that contains indicators of compromise in CSV file format.
Request
Request method: POST
Endpoint: https://tip.kaspersky.com/api/publications/get_master_ioc
Query parameters:
Expected parameters
|
Parameter
|
Description
|
|
report_group
|
Report group. Required parameter.
Available values:
fin—Master file will contain indicators
of compromise only from Crimeware Threat Intelligence reports.
apt—Master file will contain indicators
of compromise only from APT Intelligence reports.
|
|
Request example:
curl -u <user_name> -H 'Content-Length: 0' --cert <full path to the certificate CERT_NAME.pem on your computer> -X POST 'https://tip.kaspersky.com/api/publications/get_master_ioc?report_group=apt'
|
Responses
Click the links below for information about possible responses.
Expand all | Collapse all
200 OK
Request processed successfully.
The endpoint returns a report that includes descriptions of indicators of compromise for the
following object types: MD5 hashes, domains, and IP addresses in CSV file format. Results are provided in base64
gzip format, and must be decoded.
The first string in the file contains columns names:
UID—ID of a report.Publication—Name of a report.Indicator—Object's type: md5-hash, domain, or IP.DetectionDate—Detection date in YYYY-MM-DD format.IndicatorType—Type of indicator: md5Hash or networkActivity.
Starting from the third string, each string contains a description of a separate indicator of
compromise.
See result example
'UID','Publication','Indicator','DetectionDate','IndicatorType';
'5810843a-e310-4f63-acb8-6697c0a85a10','Sofacy - New AZZY backdoor','1de63702283745f442b554273f122f9e','2016-10-26','md5Hash'
'5810843a-f174-43c0-af15-6697c0a85a10','Sofacy - New AZZY backdoor','soft-storage.com','2016-10-26','networkActivity'
401 Unauthorized
Request not processed: user authentication failed.
Make sure you enter the correct credentials, and then try to run the query again. If the
problem recurs, please contact your dedicated Kaspersky Technical Account Manager.
403 Forbidden
Request not processed: running requests by using an API token is
forbidden for this service.
You can use an API token only for running Threat Lookup API requests.
For other Kaspersky Threat Intelligence Portal services, a certificate is required,
an API token usage is not available.
451 Unavailable For Legal Reasons
Page top
[Topic get_master_yara]
Get Master YARA file
The publications/get_master_yara endpoint is used to
display a Master YARA file. Results are provided in base64 gzip format, and must be decoded.
Request
Request method: POST
Endpoint: https://tip.kaspersky.com/api/publications/get_master_yara
Query parameters:
Expected parameters
|
Parameter
|
Description
|
|
report_group
|
Report group. Required parameter.
Available values:
fin—Master file will contain information
only from Crimeware Threat Intelligence reports.
apt—Master file will contain information
only from APT Intelligence reports.
|
|
Request example:
Request a Master YARA file for APT Intelligence reports:
curl -u <user_name> -H 'Content-Length: 0' --cert <full path to the certificate CERT_NAME.pem on your computer> -X POST 'https://tip.kaspersky.com/api/publications/get_master_yara?report_group=apt'
|
Responses
Click the links below for information about possible responses.
Expand all | Collapse all
200 OK
Request processed successfully.
The endpoint returns a report that includes all available reports at Kaspersky Threat
Intelligence Portal in YARA Rules format.
For more information on YARA Rules, see https://yara.readthedocs.io
See result example
import "math"
import "pe"
rule apt_ZZ_Ismdoor_crypto {
meta:
author = "Kaspersky Lab"
copyright = "Kaspersky Lab"
date = "22-2-2017"
report = "Ismdoor - possible Shamoon attack vector found in Saudi Arabia"
reference =
"https://apt.threatintel.kaspersky.com/download.php?doc=intelcustomers/2017_02_Ismdoor-possibleShamoonattackvectorfoundinSaudiArabia/Ismdoor%20-%20possible%20Shamoon%20attack%20vector%20found%20in%20Saudi%20Arabia.pdf"
strings:
$a1 = { A7 00 [2-10] D4 00 [2-10] D0 00 [2-10] D2 00 [2-10] D8 00 [2-10] A5 00 [2-10] B6 00
[2-10] 26 01 [2-10] 94 01 [2-10] 82 01 [2-10] 90 01 [2-10] 87 01 [2-10] 4E 02 [2-10] A5 02}
condition:
uint16(0) == 0x5A4D and
all of them
}
...more rules
401 Unauthorized
Request not processed: user authentication failed.
Make sure you enter the correct credentials, and then try to run the query again. If the
problem recurs, please contact your dedicated Kaspersky Technical Account Manager.
403 Forbidden
Request not processed: running requests by using an API token is
forbidden for this service.
You can use an API token only for running Threat Lookup API requests.
For other Kaspersky Threat Intelligence Portal services, a certificate is required,
an API token usage is not available.
451 Unavailable For Legal Reasons
Page top
[Topic UsingCURLforReports]
Using cURL utility for working with reports
Expand all | Collapse all
This section describes how you can request reports in different formats using the cURL utility.
To get a list of all available reports, execute:
curl -u <user name> -H 'Content-Length: 0' --cert <full path to the certificate on your
computer> -X POST 'https://tip.kaspersky.com/api/publications/get_list'
See result example
{
"status": "ok",
"status_msg": "",
"return_data": {
"count": 2,
"publications": [
{
"id": "ac36f485-337b-4f91-4177-0c7b6bdf6a48-apt",
"updated": 1489079546,
"published": 1489079546,
"name": "APT10 Spearphishes Japanese Policy Experts late 2016 to early
2017",
"desc": "In late January 2017, JPCERT/CC reported a spearphishing campaign
and related backdoor which they named ChChes. The campaign, which we have high confidence was carried out by the
APT10 actor, targeted multiple Japanese organizations.",
"report_group": "apt",
"tags": ["Japan", "Educational", "APT10"],
"tags_industry": ["Educational"],
"tags_geo": ["Japan"],
"tags_actors": ["APT10"],
"pdfs": ["pt", "en"],
"exec_sums": ["en"]
},
{
"id": "ac36f465-337b-4f91-4177-0c7b6bdf6a48-apt",
"updated": 1487783546,
"published": 1487783546,
"name": "Ismdoor - possible Shamoon attack vector found in Saudi
Arabia",
"desc": "Ismdoor is a family of malware which according to public sources
might be connected or used in relation to the Shamoon2 attacks. Although no solid proof of connections with
Shamoon have been identified so far, the distribution of the victims has a strong bias towards Saudi Arabia and
Qatar, as well as other countries from the Gulf region.",
"report_group": "apt",
"tags": ["Iraq", "Jordan", " Qatar", " Saudi
Arabia", "Energy"],
"tags_industry": ["Energy"],
"tags_geo": ["Iraq", "Jordan", "Qatar", "Saudi
Arabia"],
"pdfs": ["pt", "en"],
"exec_sums": ["en"],
"exec_sum_text": [Text of the executive summary]
}
]
}
}
To get a list of all available reports within a specific time frame, execute:
curl -u <user name> -H 'Content-Length: 0' --cert <full path to the certificate on your
computer> -X POST
'https://tip.kaspersky.com/api/publications/get_list?date_start=1490628942&date_end=1490628942'
You can convert the date into UNIX format at www.epochconverter.com.
To request a certain report, execute:
curl -u <user name>-H 'Content-Length: 0' --cert <full path to the certificate on your
computer> -X POST 'https://tip.kaspersky.com/api/publications/get_one?publication_id=1166'
See result example
{
"status": "ok",
"status_msg": "",
"return_data": {
"id": "627",
"updated": 1435010400,
"published": 1435010400,
"name": "Sofacy – New AZZY backdoor",
"desc": "Description of the AZZY backdoor used by the Sofacy group.",
"report_group": "apt",
"tags": ["APT28","Fancy
Bear","Sednit","Sofacy","Tsar Team"]
}
}
To request a report in a PDF format, execute:
curl –u <user name> -H 'Content-Length: 0' --cert <full path to the certificate
on your computer> -X POST
'https://tip.kaspersky.com/api/publications/get_one?publication_id=627&include_info=pdf,execsum'
See result example
{
"status": "ok",
"status_msg": "",
"return_data": {
"id": "627",
"updated": 1435010400,
"published": 1435010400,
"name": "Sofacy – New AZZY backdoor",
"desc": "Description of the AZZY backdoor used by the Sofacy group.",
"report_group": "apt",
"tags": ["APT28","Fancy
Bear","Sednit","Sofacy","Tsar Team"],
"report_pdf": "..base64(gzip())..",
"report_execsum": "..base64(gzip()).."
}
}
If an invalid include_info value is used to get specific information about the report, an
incorrect value will be ignored.
Using an invalid include_info value to get specific information about the report:
curl –u <user name> -H 'Content-Length: 0' --cert <full path to the certificate
on your computer> -X POST
'https://tip.kaspersky.com/api/publications/get_one?publication_id=627&include_info=pdf,<invalid_value>'
See result example
{
"status": "ok",
"status_msg": "",
"return_data": {
"id": "627",
"updated": 1435010400,
"published": 1435010400,
"name": "Sofacy – New AZZY backdoor",
"desc": "Description of the AZZY backdoor used by the Sofacy group.",
"report_group": "apt",
"tags": ["APT28","Fancy
Bear","Sednit","Sofacy","Tsar Team"],
"report_pdf": "..base64(gzip()).."
}
}
To request a Master IOC, execute:
curl -u <user name> -H 'Content-Length: 0' --cert <full path to the certificate on your
computer> -X POST 'https://tip.kaspersky.com/api/publications/get_master_ioc'
See result example
{
"status": "ok",
"status_msg": "",
"return_data": {
"master_ioc": "..base64(gzip()).."
}
}
To request a Master YARA, execute:
curl -u <user name> -H 'Content-Length: 0' --cert <full path to the certificate on your
computer> -X POST 'https://tip.kaspersky.com/api/publications/get_master_yara'
See result example
{
"status": "ok",
"status_msg": "",
"return_data": {
"master_yara": "..base64(gzip()).."
}
}
To request an executive summary, execute:
curl -u <user name> -H 'Content-Length: 0' --cert <full path to the certificate on your
computer> -X POST
'https://tip.kaspersky.com/api/publications/get_one?publication_id=1187&include_info=execsum'
To request a report in all available formats, execute:
curl -u <user name> -H 'Content-Length: 0' --cert <full path to the certificate on your
computer> -X POST 'https://tip.kaspersky.com/api/publications/get_one?publication_id=627&include_info=all'
See result example
{
"status": "ok",
"status_msg": "",
"return_data": {
"id": "627",
"updated": 1435010400,
"published": 1435010400,
"name": "Sofacy – New AZZY backdoor",
"desc": "Description of the AZZY backdoor used by the Sofacy group.",
"report_group": "apt",
"tags": ["APT28","Fancy
Bear","Sednit","Sofacy","Tsar Team"],
"report_pdf": "..base64(gzip())..",
"report_execsum": "..base64(gzip())..",
"report_iocs": "..base64(gzip())..",
"report_yara": "..base64(gzip()).."
}
}
Page top
[Topic ActorProfileAPI]
Actor profiles API
This section explains how to obtain available APT and Crimeware actor profiles by using the
Kaspersky Threat Intelligence Portal API methods.
Before working with the Kaspersky Threat Intelligence Portal API, you must accept the Terms
and Conditions online in your browser at https://tip.kaspersky.com.
Actor profile API methods
|
Method
|
Description
|
|
get_list
|
Obtains the list of actor profiles that are available for you according to your
Kaspersky Threat Intelligence Portal license.
|
|
get_one
|
Obtains specific information for an actor.
|
Page top
[Topic GetActorProfileList]
Get actor profile list
The actor_profiles/get_list endpoint is used to display
the list of actor profiles that are available for you according to your Kaspersky Threat Intelligence Portal license.
Request
Request method: POST
Endpoint: https://tip.kaspersky.com/api/actor_profiles/get_list
Query parameter:
Expected parameter
|
Parameter
|
Description
|
|
actor_group
|
Group of actors, the list of which you want to obtain.
Optional parameter. If this parameter is not specified, a list of profiles for both
APT and Crimeware related actors is returned.
Available values:
apt—APT-related actors.
crime—Crimeware related actors.
|
|
Request example:
Get a list of actor profiles:
curl -u <user_name> -H 'Content-Length: 0' --cert <full path to the certificate CERT_NAME.pem on your computer> -X POST 'https://tip.kaspersky.com/api/actor_profiles/get_list?actor_group=crime'
|
Responses
Click the links below for information about possible responses.
Expand all | Collapse all
200 OK
Request processed successfully.
Endpoint returns an array of JSON objects as return_data. Each JSON object describes a specific actor and contains the
following parameters.
200 OK response parameters
|
Parameter
|
Description
|
|
id
|
Actor's ID. For example, 1. This value can be
used as the id argument for the get_one
endpoint.
|
|
name
|
Actor's name. For example, "PLATINUM".
|
|
actor_group
|
Group the actor belongs to. Available values:
apt—Actor is related to an APT attack.
crime—Actor is mentioned in a Crimeware
Threat Intelligence report.
|
|
aliases
|
Aliases for the actor (array of unique strings). Aliases are used as alternative
actor identifiers. For example, ["PT", "PLAT"].
|
|
description
|
Actor's description, which contains several sections. The heading of each section
begins with a sequence of characters "####".
|
|
publications
|
Reports related to the actor that are available according to your license. For each
report, the following data is available:
tip_id—Report's ID in Kaspersky Threat
Intelligence Portal. For example, "1501-apt".
name—Report's name. For example, "Sofacy targeting embassies with Gamefish".
|
|
geo
|
Array that contains a list of countries in which an actor's activity was detected.
For each country, the following data is available:
country—Two-letter country code. For
example, "ru".
reports—Number of APT reports about the
actor's attacks in this country. For example, 3.
|
|
last_updated
|
Date and time when the actor profile was last updated (in the Coordinated Universal
Time (UTC) format). For example, "2018-11-28 15:20". If
the actor profile has not been updated, this field is not included in the return data.
|
|
descriptive_ttps
|
Array of the actor's tactics, techniques, and procedures (TTPs), including kaspersky_ttps. For each TTPs, the following data is available:
type—Type of the TTPs. Available
values:
Infrastructure—TTPs related to the
infrastructure that the actor uses.
Implants—TTPs related to the
malware and/or tools used by the actor.
Intrusion Vector—TTPs related to
the intrusion vector used by the actor (the way the actor delivers the implants). For example: "Spear-phishing".
Victimology—TTPs related to the
victims identified during the investigation (sectors, individuals, countries).
name—Name of the TTPs. For example,
"Use of Dropbox in hosting infrastructure.".
mitre_mapping—TTPs mapping with the
Cyber Kill Chain® stage:
id—The Cyber Kill Chain stage's ID.
For example, "PRE-T1084".
stage—The Cyber Kill Chain stage.
For example, "Recon".
mitre_source—MITRE stage that the
Cyber Kill Chain stage belongs to. Available values:
mitre-attack—TTPs belongs to the
MITRE ATT&CK matrix.
mitre-pre-attack—TTPs belongs to
the MITRE PRE-ATT&CK matrix.
name—The Cyber Kill Chain stage's name.
For example, "Acquire and/or use 3rd party infrastructure services (undefined)".
url—Web address of the detailed
description of the Cyber Kill Chain stage.
|
|
mitre_ttps
|
Array that contains TTPs descriptions, including mitre_ttps. For each TTPs, the following data is available:
id—The Cyber Kill Chain stage's ID. For
example, "PRE-T1084".
stage—The Cyber Kill Chain stage. For
example, "Recon".
mitre_source—MITRE stage that the Cyber
Kill Chain stage belongs to. Available values:
mitre-attack—TTPs belongs to the
MITRE ATT&CK matrix.
mitre-pre-attack—TTPs belongs to
the MITRE PRE-ATT&CK matrix.
name—The Cyber Kill Chain stage's name.
For example, "Acquire and/or use 3rd party infrastructure services (undefined)".
url—Web address of the detailed
description of the Cyber Kill Chain stage.
|
Response sample
{
"status": "ok",
"status_msg": "",
"return_data": {
"id":"1",
"name":"PLATINUM",
"actor_group": "apt",
"aliases":["PT", "PLAT"],
"description":"Actor's description",
"publications":[
{
"tip_id":"1501-apt",
"name":"Sofacy targeting embassies with Gamefish"
}
]
"geo":[
{
"country":"ru",
"reports":"3"
}
]
"last_updated":"2018-11-28 15:20",
"descriptive_ttps":[
{
"type":"Infrastructure",
"name":"Use of Dropbox in hosting infrastructure.",
"mitre_mapping":[
{
"id":"PRE-T1084",
"stage":"Recon",
"mitre_source":"mitre-attack",
"name":"Acquire and/or use 3rd party infrastructure services
(undefined)",
"url":"https://attack.mitre.org/mitigations/T1084/"
}
]
}
]
"mitre_ttps":[
{
"id":"PRE-T1084",
"stage":"Recon",
"mitre_source":"mitre-attack",
"name":"Acquire and/or use 3rd party infrastructure services
(undefined)",
"url":"https://attack.mitre.org/mitigations/T1084/"
}
]
}
}
401 Unauthorized
Request not processed: user authentication failed.
Make sure you enter the correct credentials, and then try to run the query again. If the
problem recurs, please contact your dedicated Kaspersky Technical Account Manager.
403 Forbidden
Request not processed.
This error is returned if you do not have access to the APT Intelligence Reporting Service.
Purchase an APT Intelligence Reporting Service license and try again.
This error is also returned if you try to run a request by using an API token, not specifying
your credentials. You can use an API token only for running Threat Lookup API requests.
451 Unavailable For Legal Reasons
Page top
[Topic GetActorProfile]
Get specific actor profile
The actor_profiles/get_one endpoint is used to display
specific information for an actor, identified by id.
Request
Request method: POST
Endpoint: https://tip.kaspersky.com/api/actor_profiles/get_one
Query parameters:
Expected parameters
|
Parameter
|
Description
|
|
id
|
Actor's ID: the id parameter (a string)
returned by the get_list
endpoint.
|
|
Request example:
Get a specific actor profile:
curl -u <user_name> -H 'Content-Length: 0' --cert <full path to the certificate CERT_NAME.pem on your computer> -X POST 'https://tip.kaspersky.com/api/actor_profiles/get_one?id={actor ID}'
|
Responses
Click the links below for information about possible responses.
Expand all | Collapse all
200 OK
Request processed successfully.
The endpoint returns the following parameters.
200 OK response parameters
|
Parameter
|
Description
|
|
id
|
Actor's ID. For example, 1.
|
|
name
|
Actor's name. For example, "PLATINUM".
|
|
actor_group
|
Group the actor belongs to. Available values:
apt—Actor is related to an APT attack.
crime—Actor is mentioned in a Crimeware
Threat Intelligence report.
|
|
aliases
|
Aliases for the actor (array of unique strings). Aliases are used as alternative
actor identifiers. For example, ["PT", "PLAT"].
|
|
description
|
Actor's description, which contains several sections. The heading of each section
begins with a sequence of characters "####".
|
|
publications
|
APT reports related to the actor that are available according to your license. For
each APT report, the following data is available:
tip_id—APT report's ID in Kaspersky
Threat Intelligence Portal. For example, "1501-apt".
name—APT report's name. For example,
"Sofacy targeting embassies with Gamefish".
|
|
geo
|
Array that contains a list of countries in which an actor's activity was detected.
For each country, the following data is available:
country—Two-letter country code. For
example, "ru".
reports—Number of APT reports about the
actor's attacks in this country. For example, 3.
|
|
last_updated
|
Date and time when the actor profile was last updated (in the Coordinated Universal
Time (UTC) format). For example, "2018-11-28 15:20". If
the actor profile has not been updated, this field is not included in the return data.
|
|
descriptive_ttps
|
Array of the actor’s tactics, techniques, and procedures (TTPs), including kaspersky_ttps. For each TTPs, the following data is available:
type—Type of the TTPs. Available
values:
Infrastructure—TTPs related to the
infrastructure that the actor uses.
Implants—TTPs related to the
malware and/or tools used by the actor.
Intrusion Vector—TTPs related to
the intrusion vector used by the actor (the way the actor delivers the implants). For example: "Spear-phishing".
Victimology—TTPs related to the
victims identified during the investigation (sectors, individuals, countries).
name—Name of the TTPs. For example,
"Use of Dropbox in hosting infrastructure.".
mitre_mapping—TTPs mapping with the
Cyber Kill Chain stage.
id—The Cyber Kill Chain stage's ID.
For example, "PRE-T1084".
stage—The Cyber Kill Chain stage.
For example, "Recon".
mitre_source—MITRE stage that the
Cyber Kill Chain stage belongs to. Available values:
mitre-attack—TTPs belongs to the
MITRE ATT&CK matrix.mitre-pre-attack—TTPs belongs to
the MITRE PRE-ATT&CK matrix.name—The Cyber Kill Chain stage's name. For example, "Acquire and/or use 3rd party infrastructure services (undefined)".
url—Web address of the detailed
description of the Cyber Kill Chain stage.
|
|
mitre_ttps
|
Array that contains TTPs descriptions, including mitre_ttps. For each TTPs, the following data is available:
id—The Cyber Kill Chain stage's ID. For
example, "PRE-T1084".
stage—The Cyber Kill Chain stage. For
example, "Recon".
mitre_source—MITRE stage that the Cyber
Kill Chain stage belongs to. Available values:
mitre-attack—TTPs belongs to the
MITRE ATT&CK matrix.
mitre-pre-attack—TTPs belongs to
the MITRE PRE-ATT&CK matrix.
name—The Cyber Kill Chain stage's name.
For example, "Acquire and/or use 3rd party infrastructure services (undefined)".
url—Web address of the detailed
description of the Cyber Kill Chain stage.
|
Response sample
{
"status": "ok",
"status_msg": "",
"return_data": {
"id":"1",
"name":"PLATINUM",
"actor_group": "apt",
"aliases":["PT", "PLAT"],
"description":"Actor's description",
"publications":[
{
"tip_id":"1501-apt",
"name":"Sofacy targeting embassies with Gamefish"
}
]
"geo":[
{
"country":"ru",
"reports":"3"
}
]
"last_updated":"2018-11-28 15:20",
"descriptive_ttps":[
{
"type":"Infrastructure",
"name":"Use of Dropbox in hosting infrastructure.",
"mitre_mapping":[
{
"id":"PRE-T1084",
"stage":"Recon",
"mitre_source":"mitre-attack",
"name":"Acquire and/or use 3rd party infrastructure services
(undefined)",
"url":"https://attack.mitre.org/mitigations/T1084/"
}
]
}
]
"mitre_ttps":[
{
"id":"PRE-T1084",
"stage":"Recon",
"mitre_source":"mitre-attack",
"name":"Acquire and/or use 3rd party infrastructure services
(undefined)",
"url":"https://attack.mitre.org/mitigations/T1084/"
}
]
}
}
401 Unauthorized
Request not processed: user authentication failed.
Make sure you enter the correct credentials, and then try to run the query again. If the
problem recurs, please contact your dedicated Kaspersky Technical Account Manager.
403 Forbidden
Request not processed.
This error is returned if you do not have access to the APT Intelligence Reporting Service.
Purchase an APT Intelligence Reporting Service license and try again.
This error is also returned if you try to run a request by using an API token, not specifying
your credentials. You can use an API token only for running Threat Lookup API requests.
404 Not Found
Requested ID not found.
Make sure the specified id value is correct, and then
run the query again.
451 Unavailable For Legal Reasons
Page top
[Topic CnCTrackingAPI]
APT C&C Tracking API
This section explains how to request a list of dangerous IP addresses by using the Kaspersky
Threat Intelligence Portal API.
Before working with the Kaspersky Threat Intelligence Portal API, you must accept the Terms
and Conditions online in your browser at https://tip.kaspersky.com.
To work with C&C Tracking by using the Kaspersky Threat Intelligence Portal API:
- Make sure that the application you use for working with Kaspersky Threat Intelligence
Portal API uses the certificate you received from Kaspersky.
- In the Authorization field of the HEADER section, specify the user name and password that you received from
Kaspersky.
- Specify the Basic authentication scheme.
- Specify the GET HTTP method.
- Run your query by using the
api/apt_cnc/{country}
method described below.
Request
Request method: GET
Endpoint: https://tip.kaspersky.com/api/apt_cnc/{country}
Query parameters:
Expected parameters
|
Parameter
|
Description
|
|
country
|
The two-letter code of a country you want to receive a feed for.
Required parameter.
Available values:
all—The response will contain information
for all countries.
The two-letter country code (lowercase).
|
|
Request example:
Get a list of dangerous IP addresses:
curl -u <user name> --cert <full path to the certificate on your computer> -X GET 'https://tip.kaspersky.com/api/apt_cnc/ru'
|
Responses
Click the links below for information about possible responses.
Expand all | Collapse all
200 OK
Endpoint returns a JSON object that contains information about dangerous IP addresses in the
specified countries.
401 Unauthorized
Request not processed: user authentication failed.
Make sure you enter the correct credentials, and then try to run the query again. If the
problem recurs, please contact your dedicated Kaspersky Technical Account Manager.
403 Forbidden
Request not processed.
This error is returned if you have the trial license and request a feed for a country (or for
all countries) to which you do not have access to.
Purchase a commercial license or specify another value for the country parameter and try again.
This error is also returned if you try to run a request by using an API token, not specifying
your credentials. You can use an API token only for running Threat Lookup API requests.
451 Unavailable For Legal Reasons
Page top
[Topic IndustrialReportingAPI]
Industrial Threat Intelligence reporting API
This section explains how to request Industrial Threat Intelligence reports by using the
Kaspersky Threat Intelligence Portal API methods.
Before working with the Kaspersky Threat Intelligence Portal API, you must accept the Terms
and Conditions online in your browser at https://tip.kaspersky.com.
Industrial Threat Intelligence reporting API methods
|
Method
|
Description
|
|
get_list
|
Obtains the list of Industrial Threat Intelligence reports published on Kaspersky
Threat Intelligence Portal.
|
|
get_one
|
Obtains specific information for an Industrial Threat Intelligence report.
|
|
get_master_ioc
|
Obtains a Master IOC file that contains indicators of compromise, which are reported
in the CSV file format.
|
|
get_master_yara
|
Obtains a Master YARA file.
|
Page top
[Topic GetIndustrialReportListAPI]
Get Industrial Threat Intelligence report list
The ics/get_list endpoint is used to display the list of
Industrial Threat Intelligence reports published on Kaspersky Threat Intelligence Portal.
Request
Request method: POST
Endpoint: https://tip.kaspersky.com/api/ics/get_list
Query parameters:
Expected parameters
|
Parameter
|
Description
|
|
date_start
|
Optional parameter. Includes only Industrial Threat Intelligence reports that were
published starting from and including the specified date onwards. The default value is 1.
|
|
date_end
|
Optional parameter. Includes only Industrial Threat Intelligence reports that were
published only until and including the specified date. The default value is time()—current time.
|
The date_start and date_end parameters must be specified in the UNIX time stamp system (the number
of seconds that have elapsed since 00:00:00 (UTC), 1 January 1970). If these parameters are not specified, the
Kaspersky Threat Intelligence Portal API returns a list of all Industrial Threat Intelligence reports.
|
Request example:
Get a list of Industrial reports:
curl -u <user_name> -H 'Content-Length: 0' --cert <full path to the certificate CERT_NAME.pem on your computer> -X POST 'https://tip.kaspersky.com/api/ics/get_list?date_start=1584551570'
|
Responses
Click the links below for information about possible responses.
Expand all | Collapse all
200 OK
Request processed successfully.
Endpoint returns the following parameters.
200 OK response parameters
|
Parameter
|
Description
|
|
publications
|
Array with the keys described in this table.
|
|
id
|
Industrial Threat Intelligence report ID. This value can be used as a publication_id argument for the get_one
endpoint.
|
|
updated
|
Time stamp when the Industrial Threat Intelligence report was updated.
|
|
published
|
Time stamp when the Industrial Threat Intelligence report was published.
|
|
name
|
Industrial Threat Intelligence report name.
|
|
desc
|
Industrial Threat Intelligence report description.
|
|
report_group
|
Industrial Threat Intelligence report group ("ics").
|
|
tags
|
Array of all tags associated with the Industrial Threat Intelligence report. For
example: ["turla", "epic turla"].
|
|
tags_industry
|
Array of industry tags associated with the report: industries that are involved in
APT attacks or mentioned in Crimeware Threat Intelligence reports. For example: ["Activists", "Zoo"].
|
|
tags_geo
|
Array of geography tags associated with the report: countries and regions that are
targeted by APTs or mentioned in Crimeware Threat Intelligence reports. For example: ["Egypt", "Iran",
"Jordan"].
|
|
tags_actors
|
Array of actor tags associated with the report: personalities or companies that are
involved in APT attacks or mentioned in Crimeware Threat Intelligence reports. For example: ["APT28"].
|
|
pdfs
|
Array of two-letter codes of the languages in which the Industrial Threat
Intelligence report is available. The value can be one of the following: ru (Russian), en (English), pt (Portuguese), or es (Spanish).
You can specify an available value as a value for the lang parameter
for the get_one
endpoint to fetch the Industrial report in the specified language.
|
|
Count
|
Total number of returned reports.
|
Tag values can contain UTF-8 (Unicode Transformation Format 8-bit) symbols. The list of values
is not limited, and tags can be added or deleted without prior notification.
Response samples
Get all Industrial Threat Intelligence reports:
curl -u <user_name> -H 'Content-Length: 0' --cert <full path to the certificate
CERT_NAME.pem on your computer> -X POST 'https://tip.kaspersky.com/api/publications/get_list'
See result example
{
"status": "ok",
"status_msg": "",
"return_data": {
"count": 2,
"publications": [
{
"id": "ac36f485-337b-4f91-4177-0c7b6bdf6a48-apt",
"updated": 1489079546,
"published": 1489079546,
"name": "APT10 Spearphishes Japanese Policy Experts late 2016 to early
2017",
"desc": "In late January 2017, JPCERT/CC reported a spearphishing
campaign and related backdoor which they named ChChes. The campaign, which we have high confidence was
carried out by the APT10 actor, targeted multiple Japanese organizations.",
"report_group": "apt",
"tags": ["Japan", "Educational", "APT10"],
"tags_industry": ["Educational"],
"tags_geo": ["Japan"],
"tags_actors": ["APT10"],
"pdfs": ["pt", "en"],
"exec_sums": ["en"]
},
{
"id": "ac36f465-337b-4f91-4177-0c7b6bdf6a48-apt",
"updated": 1487783546,
"published": 1487783546,
"name": "Ismdoor - possible Shamoon attack vector found in Saudi
Arabia",
"desc": "Ismdoor is a family of malware which according to public
sources might be connected or used in relation to the Shamoon2 attacks. Although no solid proof of
connections with Shamoon have been identified so far, the distribution of the victims has a strong bias
towards Saudi Arabia and Qatar, as well as other countries from the Gulf region.",
"report_group": "apt",
"tags": ["Iraq", "Jordan", " Qatar", "
Saudi Arabia", "Energy"],
"tags_industry": ["Energy"],
"tags_geo": ["Iraq", "Jordan", "Qatar",
"Saudi Arabia"],
"pdfs": ["pt", "en"],
"exec_sums": ["en"],
"exec_sum_text": [Text of the executive summary]
}
]
}
}
Get the Industrial Threat Intelligence reports within a specific timeframe:
curl -u <user_name> -H 'Content-Length: 0' --cert <full path to the certificate
CERT_NAME.pem on your computer> -X POST
'https://tip.kaspersky.com/api/publications/get_list?date_start=1490628942&date_end=1490628942'
You can convert the date into UNIX format at www.epochconverter.com.
Result example is the same as for getting all Industrial Threat Intelligence reports
(see example above).
401 Unauthorized
Request not processed: user authentication failed.
Make sure you enter the correct credentials, and then try to run the query again. If the
problem recurs, please contact your dedicated Kaspersky Technical Account Manager.
403 Forbidden
Request not processed: running requests by using an API token is
forbidden for this service.
You can use an API token only for running Threat Lookup API requests.
For other Kaspersky Threat Intelligence Portal services, a certificate is required,
an API token usage is not available.
451 Unavailable For Legal Reasons
Page top
[Topic GetICSreport]
Get Industrial Threat Intelligence report
The ics/get_one endpoint is used to display specific
information for an Industrial Threat Intelligence report, identified by publication_id.
Request
Request method: POST
Endpoint: https://tip.kaspersky.com/api/ics/get_one
Query parameters:
Expected parameters
|
Parameter
|
Description
|
|
publication_id
|
Industrial Threat Intelligence report ID: the id parameter (a string) returned by the get_list
endpoint.
|
|
include_info
|
List of the optional parameters separated by comma:
all—All available formats.
pdf—Industrial Threat Intelligence report
in PDF format.
execsum—Brief report summary for business
purposes (executive summary) in PDF format.
yara—Industrial Threat Intelligence
report in YARA Rules format.
iocs—OpenIOC file that includes
description of indicators of compromise.
suricata—File that contains Suricata
rules associated with the Industrial Threat Intelligence report.
|
|
lang
|
Language for an Industrial Threat Intelligence report. The value can be one of the
following: ru (Russian), en
(English), pt (Portuguese), or es (Spanish). A list of available languages for an Industrial Threat
Intelligence report is returned by the pdfs in the get_list
endpoint. If the lang parameter is not specified, an English version
of the Industrial Threat Intelligence report will be returned.
|
|
Request example:
Retrieve the executive summary and the PDF report for the specific
Industrial report:
curl -u <user_name> -H 'Content-Length: 0' --cert <full path to the certificate CERT_NAME.pem on your computer> -X POST 'https://tip.kaspersky.com/api/ics/get_one?publication_id={Industrial report ID}&include_info=execsum,pdf'
|
Responses
Click the links below for information about possible responses.
Expand all | Collapse all
200 OK
Request processed successfully.
The endpoint returns the following parameters.
200 OK response parameters
|
Parameter
|
Description
|
|
publications
|
Array with the keys described in this table.
|
|
id
|
Industrial Threat Intelligence report ID.
|
|
updated
|
Time stamp when the Industrial Threat Intelligence report was updated.
|
|
published
|
Time stamp when the Industrial Threat Intelligence report was published.
|
|
name
|
Industrial Threat Intelligence report name.
|
|
desc
|
Industrial Threat Intelligence report description.
|
|
report_group
|
Industrial Threat Intelligence report group ("ics").
|
|
tags
|
Array of all tags associated with the Industrial Threat Intelligence report. For
example: ["turla", "epic turla"].
|
|
tags_industry
|
Array of industry tags associated with the report: industries that are involved in
APT attacks or mentioned in Crimeware Threat Intelligence reports. For example: ["Activists", "Zoo"].
|
|
tags_geo
|
Array of geography tags associated with the report: countries and regions that are
targeted by APTs or mentioned in Crimeware Threat Intelligence reports. For example: ["Egypt", "Iran",
"Jordan"].
|
|
tags_actors
|
Array of actor tags associated with the report: personalities or companies that are
involved in APT attacks or mentioned in Crimeware Threat Intelligence reports. For example: ["APT28"].
|
|
report_pdf
|
Optional element if available, base64 gzip-encoded PDF report.
|
|
report_yara
|
Optional element if available, base64 gzip-encoded YARA Rules.
|
|
report_suricata
|
Optional element if available, base64 gzip encoded file containing Suricata rules
associated with the Industrial Threat Intelligence report.
|
|
report_iocs
|
Optional element if available, base64 gzip-encoded IoCs.
|
Tag values can contain UTF-8 (Unicode Transformation Format 8-bit) symbols. The list of values
is not limited, and tags can be added or deleted without prior notification.
401 Unauthorized
Request not processed: user authentication failed.
Make sure you enter the correct credentials, and then try to run the query again. If the
problem recurs, please contact your dedicated Kaspersky Technical Account Manager.
403 Forbidden
Request not processed: running requests by using an API token is
forbidden for this service.
You can use an API token only for running Threat Lookup API requests.
For other Kaspersky Threat Intelligence Portal services, a certificate is required,
an API token usage is not available.
451 Unavailable For Legal Reasons
Page top
[Topic GetMasterIOC]
Get Master IOC
The ics/get_master_ioc endpoint is used to display a
Master IOC file that contains indicators of compromise, which are reported in the CSV file format.
Request
Request method: POST
Endpoint: https://tip.kaspersky.com/api/ics/get_master_ioc
Query parameters: The endpoint does not expect any parameters.
|
Request example:
Request a Master IOC:
curl -u <user_name> -H 'Content-Length: 0' --cert <full path to the certificate CERT_NAME.pem on your computer> -X POST 'https://tip.kaspersky.com/api/ics/get_master_ioc'
|
Responses
Click the links below for information about possible responses.
Expand all | Collapse all
200 OK
Request processed successfully.
Endpoint returns the following parameters. Results are provided in the base64 gzip format, and
must be decoded.
The first string in the file contains columns names:
UID—ID of the report.Publication—Name of the report.Indicator—Object's type: md5-hash, domain, or IP.DetectionDate—Detection date in YYYY-MM-DD format.IndicatorType—Type of indicator: md5Hash or networkActivity.
Starting from the third string, each string contains a description of a separate indicator of
compromise.
See result example
'UID','Publication','Indicator','DetectionDate','IndicatorType';
'5810843a-e310-4f63-acb8-6697c0a85a10','Sofacy - New AZZY backdoor','1de63702283745f442b554273f122f9e','2016-10-26','md5Hash'
'5810843a-f174-43c0-af15-6697c0a85a10','Sofacy - New AZZY backdoor','soft-storage.com','2016-10-26','networkActivity'
401 Unauthorized
Request not processed: user authentication failed.
Make sure you enter the correct credentials, and then try to run the query again. If the
problem recurs, please contact your dedicated Kaspersky Technical Account Manager.
403 Forbidden
Request not processed: running requests by using an API token is
forbidden for this service.
You can use an API token only for running Threat Lookup API requests.
For other Kaspersky Threat Intelligence Portal services, a certificate is required,
an API token usage is not available.
451 Unavailable For Legal Reasons
Page top
[Topic GetMasterYARA]
Get Master YARA
The ics/get_master_yara endpoint is used to display a
Master YARA file. Results are provided in the base64 gzip format and must be decoded.
Request
Request method: POST
Endpoint: https://tip.kaspersky.com/api/ics/get_master_yara
Query parameters: The endpoint does not expect any parameters.
|
Request example:
Request a Master YARA for APT Intelligence reports:
curl -u <user_name> -H 'Content-Length: 0' --cert <full path to the certificate CERT_NAME.pem on your computer> -X POST 'https://tip.kaspersky.com/api/ics/get_master_yara?report_group=apt'
|
Responses
Click the links below for information about possible responses.
Expand all | Collapse all
200 OK
Request processed successfully.
The endpoint returns a report that includes all available Industrial Threat intelligence
reports at Kaspersky Threat Intelligence Portal in YARA Rules format. Results are provided in the base64 gzip
format and must be decoded.
For more information on YARA Rules, see https://yara.readthedocs.io.
See result example
import "math"
import "pe"
rule apt_ZZ_Ismdoor_crypto {
meta:
author = "Kaspersky Lab"
copyright = "Kaspersky Lab"
date = "22-2-2017"
report = "Ismdoor - possible Shamoon attack vector found in Saudi Arabia"
reference =
"https://apt.threatintel.kaspersky.com/download.php?doc=intelcustomers/2017_02_Ismdoor-possibleShamoonattackvectorfoundinSaudiArabia/Ismdoor%20-%20possible%20Shamoon%20attack%20vector%20found%20in%20Saudi%20Arabia.pdf"
strings:
$a1 = { A7 00 [2-10] D4 00 [2-10] D0 00 [2-10] D2 00 [2-10] D8 00 [2-10] A5 00 [2-10] B6 00
[2-10] 26 01 [2-10] 94 01 [2-10] 82 01 [2-10] 90 01 [2-10] 87 01 [2-10] 4E 02 [2-10] A5 02}
condition:
uint16(0) == 0x5A4D and
all of them
}
...more rules
401 Unauthorized
Request not processed: user authentication failed.
Make sure you enter the correct credentials, and then try to run the query again. If the
problem recurs, please contact your dedicated Kaspersky Technical Account Manager.
403 Forbidden
Request not processed: running requests by using an API token is
forbidden for this service.
You can use an API token only for running Threat Lookup API requests.
For other Kaspersky Threat Intelligence Portal services, a certificate is required,
an API token usage is not available.
451 Unavailable For Legal Reasons
Page top
[Topic ThreatLookupAPI]
Threat Lookup API
You can investigate objects by using the Kaspersky Threat Intelligence Portal API methods.
Endpoints, required parameters, responses, and usage examples are described in the OpenAPI
documentation.
You can use the Threat Lookup API without a certificate, by using an
API token if it is allowed by your organization.
Before working with the Kaspersky Threat Intelligence Portal API, you must accept the Terms
and Conditions online in your browser at https://tip.kaspersky.com.
To run a request by using Kaspersky Threat Intelligence Portal API:
- Perform the following steps depending on the second two-factor authentication method (certificate or API token):
Expand all | Collapse all
- If you use a certificate (click to view steps)
- Make sure that the application you use for working with Kaspersky Threat
Intelligence Portal API uses the certificate you received from Kaspersky.
- In the Authorization field of the HEADER section, specify the user name and password that you received from
Kaspersky or your administrator encoded to the base64 format.
- Specify the Basic authentication scheme.
For more information, please refer to the following sections in this Help:
- If you use an API token (click to view steps)
- Obtain an API token, if you have not requested it before: sign in to Kaspersky Threat
Intelligence Portal via your browser, and then request an API token.
- Specify the Bearer authentication scheme.
- Specify the required HTTP method.
- Enter your query in the following format:
https://tip.kaspersky.com/api/<request type>/<request>?count=<records
count>[§ions=<sections names>][&format=<result format>]
Here:
<request type>—Type of object that
you want to investigate.Available values:
hash—Specify this value to investigate
a hash.ip—Specify this value to investigate
an IP address. If you want an IP address to be processed as a web address, add the http:// or https:// prefix to
the IP address in your request. For example, 104.132.161.0 is processed as an IP address, and
http://104.132.161.0 is processed as a web address.domain—Specify this value to
investigate a domain.url—Specify this value to investigate
a web address. Use percent-encoding (URL encoding) to convert certain characters into a valid ASCII
format.
<request>—Object that you want to
investigate.For a web address, its length is limited to a maximum of 2000
characters. If the requested web address length exceeds the limit, an HTTP error 414 (URI Too Long) is
returned.
<records count>—Maximum number of
records in each data group to display.If this parameter is not specified, up to
1000 records will be displayed. This restriction does not apply to DetectionsInfo and FileParentCertificates groups. For these groups, all records are
displayed regardless of the number of records.
<sections names>—Sections that you
want to process for the requested object. Use the comma to specify several sections.If the parameter is not specified, all sections will be processed.
For faster request processing, we recommend that, in the <sections names> field, you specify only required sections you
want to receive and, in the <records count> field, you specify
the number of entries you want to receive.
Use the question mark (?) to separate the first parameter from the request.
Use the ampersand (&) to separate parameters from each other. The parameters can be specified in any
order.
Dates in all sections are displayed in Coordinated Universal Time (UTC)
format.
<result format>—Investigation result
format.This is an optional parameter.
Available values:
json—Investigation results are
returned in JSON format.stix—Investigation results are
returned in STIX format. If this value is specified, the <records count> and <sections names> parameters are ignored: data from all groups is
returned.
If the <result format> parameter is not
specified, investigation results are returned in JSON format.
For detailed information about investigation results, see related sections: hashes,
IP addresses, domains, and web addresses.
View
usage examples in the OpenAPI specification
Page top
[Topic PercentEncoding]
Percent-encoding for web address investigation
The table below contains characters that must be percent-encoded if you investigate a web
address using the Kaspersky Threat Intelligence Portal API.
Characters to be percent-encoded
|
Character
|
Percent-encoded character
|
|
space
|
%20
|
|
!
|
%21
|
|
$
|
%24
|
|
&
|
%26
|
|
'
|
%27
|
|
(
|
%28
|
|
)
|
%29
|
|
*
|
%2A
|
|
+
|
%2B
|
|
,
|
%2C
|
|
;
|
%3B
|
|
=
|
%3D
|
|
:
|
%3A
|
|
/
|
%2F
|
|
?
|
%3F
|
|
#
|
%23
|
|
[
|
%5B
|
|
]
|
%5D
|
|
@
|
%40
|
Page top
[Topic WorkingWithKtl_lookup]
Working with ktl_lookup utility
This section explains how you can run requests using the ktl_lookup utility, which is used to run requests and change some of its
parameters if necessary. This section also explains how to download the ktl_lookup utility. Formats of
investigation results are also described.
Page top
[Topic PreparingToWorkWithKtl_lookup]
Preparing to work with ktl_lookup utility
You can download the ktl_lookup utility from ktl_lookup.py.
You can work with the ktl_lookup utility using its default parameters or change the default
parameters if necessary.
To change the default parameters in the ktl_lookup utility:
- Open the ktl_lookup.py file in a text editor.
- Change any of the following parameters:
KTL_HOST—If you have to specify a
different Kaspersky Threat Intelligence Portal host.By default, KTL_HOST = 'tip.kaspersky.com'.
PROXY—If you have to specify a proxy
server.The format is as follows: (http|https)://<user name>:<password>@<host>:<port>
VERBOSE—If you want to enable the verbose
option, specify VERBOSE = True. This option allows you to display
detailed information.By default, VERBOSE = False.
PEM_FILE—If you have to specify a
different name for your certificate in PEM format.By default, PEM_FILE = 'ktl_lookup.pem'.
- Save changes in your text editor.
- Set the environment variables:
- Execute the following command in the command prompt to set the active code page value
to
65001 (UTF-8):chcp 65001
- Make sure that the environment variable
PYTHONIOENCODING is set to UTF-8:Select Start → Control Panel → System → Advanced system settings →
Environment Variables → System
variables.
Page top
[Topic RunningRequestWithKtl_lookup]
Running request with ktl_lookup utility
This section explains how to investigate objects using the ktl_lookup utility.
Python 3.5.3 or a later version must be installed on the computer that you will use to work
with Kaspersky Threat Intelligence Portal API.
To run the ktl_lookup utility in Windows,
Type the following string at the command prompt:
python.exe <path>\ktl_lookup --user=<user name> --pass=<password>
[--recordsCount=<count>] --url|--domain|--ip|--hash=<value> [--sections=<sections names>]
To run the ktl_lookup utility in Linux®,
Execute the following command:
./<path>/ktl_lookup --user=<user name> --pass=<password>
[--recordsCount=<count>] --url|--domain|--ip|--hash=<value> [--sections=<sections names>]
You can investigate only one object at a time.
|
Keys
|
Description
|
|
--user=<user name>
-u <user name>
|
Your user name received from your dedicated Kaspersky Technical Account Manager.
|
|
--password=<password>
-p <password>
|
Your password received from your dedicated Kaspersky Technical Account Manager.
|
|
--recordsCount=<count>
-c <count>
|
Optional key.
Maximum number of records to display.
If this key is not specified, the ktl_lookup utility displays all available results.
|
|
--hash=<value>
|
Hash that you want to investigate.
|
|
--ip=<value>
|
IP address that you want to investigate.
|
|
--domain=<value>
|
Domain that you want to investigate.
|
|
--url=<value>
|
Web address that you want to investigate.
|
|
--sections=<sections names>
|
Optional key.
Names of specific sections for the objects that you want to investigate.
|
If you want an IP address to be processed as a web address, add the http:// or https:// prefix to the IP address
in your request. For example, 104.132.161.0 is processed as an IP address, and
http://104.132.161.0 is processed as a web address.
Responses
Click the links below for information about possible responses.
Expand all | Collapse all
200 OK
Request completed successfully.
For detailed information about investigation results, see related sections: hashes, IP
addresses, domains, and web addresses.
401 Unauthorized
Request not processed: user authentication failed.
Make sure you enter the correct credentials, and then try to run the query again. If the
problem recurs, please contact your dedicated Kaspersky Technical Account Manager.
451 Unavailable For Legal Reasons
Page top
[Topic ThreatAnalysisAPI]
Threat Analysis API
You can execute an object or browse a web address, and view task results by using the Kaspersky
Threat Intelligence Portal API methods.
You can execute files separately with Kaspersky
Sandbox or Kaspersky Threat Attribution Engine, or by using both technologies simultaneously. For web
addresses, only execution in Kaspersky Sandbox is available.
Endpoints, required parameters, responses, and usage examples are described in the OpenAPI
documentation.
Before working with the Kaspersky Threat Intelligence Portal API, you must accept the Terms
and Conditions online in your browser at https://tip.kaspersky.com.
To work with Threat Analysis by using the Kaspersky Threat Intelligence Portal API:
- Make sure that the application you use for working with Kaspersky Threat Intelligence
Portal API uses the certificate you received from Kaspersky.
- In the Authorization field of the HEADER section, specify the user name and password that you received from
Kaspersky.
- Specify the Basic authentication scheme.
- Specify the required HTTP method.
- Run your query by using one of the methods described in the API documentation.
View
the OpenAPI specification describing requests to the Kaspersky Threat Intelligence Portal API
Page top
[Topic DFI_API]
Digital Footprint Intelligence API
This section explains how to request Digital Footprint Intelligence notifications and reports by
using the Kaspersky Threat Intelligence Portal API methods.
Endpoints, required parameters, responses, and usage examples are described in the OpenAPI documentation.
You can use the Digital Footprint Intelligence API without a certificate, by using an
API token if it is allowed by your organization.
Before working with the Kaspersky Threat Intelligence Portal API, you must accept the Terms
and Conditions online in your browser at https://tip.kaspersky.com.
Digital Footprint Intelligence API methods
|
Method
|
Description
|
|
threats/get_list
|
Gets the list of available threat notifications.
|
|
threats/{threat notification ID}/attachment
|
Gets the file associated with the specified threat
notification.
The archive may contain objects that could harm your device or data, if handled
improperly. By downloading, you agree that you are informed and accept full responsibility for the handling
of downloaded objects contained in the archive. You can only use the downloaded content to increase the
level of protection of your devices and systems.
|
|
reports/get_list
|
Gets the list of available Digital Footprint Intelligence reports.
|
|
reports/get_one
|
Gets the specified Digital Footprint Intelligence report.
|
As a tenant manager, you can work with the Digital Footprint Intelligence API by using an
API
token. For each tenant group, a separate API token is required.
To run a request by using Digital Footprint Intelligence API with your API token:
- Specify the Bearer authentication scheme.
- Specify the required HTTP method.
- Run your query by using one of the methods described in this section.
Page top
[Topic DataFeedsAPI]
Data Feeds API
You can obtain Threat Data Feeds by using the Kaspersky Threat Intelligence Portal API methods.
Endpoints, required parameters, responses, and usage examples are described in the OpenAPI documentation.
You can use the Data Feeds API with an API token. In this case, the Bearer authentication scheme is required. Also, you can use the Data Feeds API with
a certificate, if
using an API token is not allowed by your organization. In this case, the Basic
authentication scheme is required.
Before working with the Kaspersky Threat Intelligence Portal API, you must accept the Terms
and Conditions online in your browser at https://tip.kaspersky.com.
To obtain an API token, you must sign in to Kaspersky Threat Intelligence Portal via your browser, and then
request an API
token.
To obtain Data Feeds by using Kaspersky Threat Intelligence Portal API with your API
token:
- Specify the Bearer authentication scheme.
- Specify the required HTTP method.
- Run your query by using one of the methods described in the API documentation.
If necessary, you can specify the Basic authentication scheme
and use your API token as described below.
To obtain Data Feeds by using the Kaspersky Threat Intelligence Portal API with Basic
authentication scheme:
- Specify the Basic authentication scheme.
- Specify the user name (login)
api_token and your API token as
password.Login api_token is the same for all
users within the Data Feeds API service.
- Specify the required HTTP method.
- Run your query by using one of the methods described in the API documentation.
View the
OpenAPI specification describing requests to the Kaspersky Threat Intelligence Portal API
Page top
[Topic LimitationsWarnings]
Limitations and warnings
Kaspersky Threat Intelligence Portal has the following limitation.
Lifetime of links in notifications and direct links to Threat Lookup
reports
Links in notifications and direct links to Threat Lookup reports are supported for two years.
After this period, the correct operation of the links is not guaranteed.
Page top
[Topic Appendices]
Appendices
This section provides reference information for using Kaspersky Threat Intelligence Portal.
Page top
[Topic ExportingToCSV]
Threat Lookup: Exporting to CSV archive
If you select the CSV Archive (.zip) option when exporting all investigation
results, Kaspersky Threat Intelligence Portal saves investigation results as a .zip archive. Each .zip
archive contains files in a comma-separated values (CSV) format, with commas used as field separators.
By default, the format of the archive name is as follows: <entered request>-en.zip. You can change the archive name if necessary.
|
Example:
If you export investigation results for the hash 45D52E4061983C4EFDA8D978A2B25A3C, the exported archive has the following
name by default:
45D52E4061983C4EFDA8D978A2B25A3C-en.zip
|
Page top
[Topic CSVforHash]
Exporting results for hash
The contents of the files that are included in the CSV archive are described in the table below.
The first string in all files contains column names.
CSV archive contents for hash
|
|
|
|
|
File name
|
Description
|
Columns
|
|
ContainerCertificates.csv
|
Information about the signatures and certificates of a container.
|
ParentMd5—MD5 hash of the container's
certificate.
SerialNumber—Serial number of the
container's certificate.
Vendor—Owner of the container's certificate.
Publisher—Publisher of the container's
certificate.
TimeStamp—Date and time when the container's
certificate was signed.
Issued—Date and time when the container's
certificate was issued.
Expires—Expiration date of the container's
certificate.
IsDirectlySigned—Shows whether a container's
certificate is embedded into the file.
IsDiscredited—Shows whether the container's
certificate is discredited.
IsTrusted—Shows whether the container's
certificate is trusted.
IsRevoked—Shows whether the container's
certificate is revoked.
IsGray—Shows whether the container's
certificate is in a Gray zone.
IsGood—Shows whether the container's
certificate is in a Good zone.
|
|
FileThreats.csv
|
Information about detected objects related to the requested hash (for example,
HEUR:Exploit.Script.Blocker).
|
LastDetectDate—Date and time when the object
was last detected by Kaspersky expert systems.
DescriptionUrl—Link to the detected object
description in Kaspersky
threats website (if available).
Zone—Color of the zone that the detection object
belongs to.
DetectionName—Name of the detected object.
DetectionMethod—Method used to detect the
object.
|
|
FileUrls.csv
|
Information about web addresses that were accessed by the file identified by the
requested hash.
|
Url—Web addresses accessed by the file
identified by the requested hash.
IsUrlTruncated—Shows whether private data
was filtered in the displayed web address.
Zone—Color of the zone that the web address
belongs to.
Domain—Upper domain of the web address used
to download the file identified by the requested hash.
LastDownloadDate—Date and time when the file
identified by the requested hash was last downloaded from the web address / domain.
IpsCount—Number of IP addresses that the
domain resolves to.
|
|
FileDownloadedBy.csv
|
Information about objects that were downloaded by the file identified by the
requested hash.
|
Zone—Color of the zone that a file belongs to.
HitsCount—Number of times the object was
downloaded as detected by Kaspersky expert systems.
Md5—MD5 hash of the downloaded object.
Location—Root folder or drive where the
downloaded object is located on user computers.
Path—Path of the downloaded object on user
computers.
Name—Name of the downloaded object.
LastDownloadDate—Date and time when the
object was last downloaded by the file identified by the requested hash.
DetectionName—Name of the detected object.
|
|
FileDownloadedFromUrls.csv
|
Information about web addresses and domains from which the file identified by the
requested hash was downloaded.
|
Url—Web addresses accessed by the file
identified by the requested hash.
IsUrlTruncated—Shows whether private data
was filtered in the displayed web address.
Zone—Color of the zone that the web address
belongs to.
Domain—Upper domain of the web address
accessed by the file identified by the requested hash.
LastDownloadDate—Date and time when the file
identified by the requested hash last accessed the web address.
IpsCount—Number of IP addresses that the
domain resolves to.
|
|
FileNames.csv
|
Information about known names of the file identified by the requested hash on
computers using Kaspersky software.
|
FileName—Name of the file identified by the
requested hash.
FileNamesHitsCount—Number of file name
detections by Kaspersky expert systems.
|
|
FilePaths.csv
|
Information about known paths to the file identified by the requested hash on
computers using Kaspersky software.
|
Path—Path to the file on user computers
identified by the requested hash.
Location—Root folder or drive where the file
identified by the requested hash is located on user computers.
FilePathHitsCount—Number of path detections
by Kaspersky expert systems.
|
|
FileCertificates.csv
|
Information about signatures and certificates of the file identified by the requested
hash.
|
ParentMd5—MD5 hash of the certificate.
SerialNumber—Serial number of the
certificate.
Vendor—Owner of the certificate.
Publisher—Publisher of the certificate.
TimeStamp—Date and time when the certificate
was signed.
Issued—Date and time when the certificate
was issued.
Expires—Expiration date of the certificate.
IsDirectlySigned—Shows whether a certificate
is embedded into the file.
IsDiscredited—Shows whether the certificate
is discredited.
IsTrusted—Shows whether the certificate is
trusted.
IsRevoked—Shows whether the certificate is
revoked.
IsGray—Shows whether the certificate is in a
Gray zone.
IsGood—Shows whether the certificate is in a
Good zone.
|
|
FileStarters.csv
|
Information about objects that started the file identified by the requested hash.
|
Zone—Color of the zone that a file belongs to.
HitsCount—Number of times the file
identified by the requested hash was started as detected by Kaspersky expert systems.
Md5—MD5 hash of the object that started the
file identified by the requested hash.
Location—Root folder or drive where the
object is located on user computers.
Path—Path to the object on user computers.
Name—Name of the object that started the
file identified by the requested hash.
LastStartDate—Date and time when the file
identified by the requested hash was last started.
DetectionName—Name of the detected object.
|
|
FileDownloaders.csv
|
Information about objects that downloaded the file identified by the requested hash.
|
Zone—Color of the zone that a file belongs to.
HitsCount—Number of times the file
identified by the requested hash was downloaded as detected by Kaspersky expert systems.
Md5—MD5 hash of the object that downloaded
the file identified by the requested hash.
Location—Root folder or drive where the
object is located on user computers.
Path—Path to the object on user computers.
Name—Name of the object that downloaded the
file identified by the requested hash.
LastDownloadDate—Date and time when the file
identified by the requested hash was last downloaded.
DetectionName—Name of the detected object.
|
|
FileStartedBy.csv
|
Information about objects that were started by the file that was identified by the
requested hash.
|
Zone—Color of the zone that a file belongs to.
HitsCount—Number of times the file
identified by the requested hash started the object as detected by Kaspersky expert systems.
Md5—MD5 hash of the started object.
Location—Root folder or drive where the
started object is located on user computers.
Path—Path to the object on user computers.
Name—Name of the started object.
LastStartDate—Date and time when the object
was last started by the file identified by the requested hash.
DetectionName—Name of the detected object.
|
|
FileHashes.csv
|
Information about file hashes and size.
|
Md5—MD5 hash of the file requested by hash.
Sha1—SHA1 hash of the file requested by
hash.
Sha256—SHA256 hash of the file requested by
hash.
Size—Size of the object that is being
investigated by hash (in bytes).
|
|
FileProperties.csv
|
General information about the requested hash.
|
Md5—MD5 hash of the file requested by hash.
Sha256—SHA256 hash of the file requested by
hash.
FirstNotificationDate—Date and time when the
requested hash was detected by Kaspersky expert systems for the first time.
LastNotificationDate—Date and time when the
requested hash was detected by Kaspersky expert systems for the last time.
Signer—Organization that signed the
requested hash.
SignerZone—Color of the zone indicating the
signer's trust level (red, gray, green).
SignerStatus—Trust level of the object
signature (Discredited, Not trusted,
Trusted).
Packer—Packer name.
Size—Size of the object that is being
investigated by hash (in bytes).
Type—Format of the object that is being
investigated by hash.
HitsCount—Number of hits (popularity) of the
requested hash detected by Kaspersky expert systems.
HasApt—Shows whether the file is related to
an advanced persistent threat (APT) attack.
RelatedAptReports—IDs of APT Intelligence
reports and Crimeware Threat Intelligence reports, to which the requested object is related. For each
report, its ID, type (fin or apt), and
title are provided in a JSON-like format (pseudo-JSON), for example: {Id : 632-apt , Type : apt , Title : Sofacy-Delphocy Toolset}. If there
are several reports for the requested object, each report is enclosed in braces, and reports are separated
by a comma. The report ID can be used as an argument (publication_id)
for the get_one
endpoint, which is used to obtain specific information for a report.
Categories—Categories of the requested
object and zones that the category belongs to. Category and zone are provided in a
JSON-like format (pseudo-JSON), for example: {Name : CATEGORY_APT, Zone : Red}. If the requested object does not belong
to any defined categories, the General category is specified.
|
|
FileUnpackedFrom.csv
|
Information about parent objects of the file identified by the requested hash.
|
Zone—Color of the zone that the parent
object belongs to.
ParentMd5—MD5 hash of the parent object.
ChildMd5—MD5 hash of the child object. For
direct parent objects (level=0), the MD5 hash of the requested object
is provided.
ParentFileSize—Size of the parent object (in
bytes).
ParentFileType—File type of the parent
object.
ParentDetectionName—Detected objects related
to the parent object (for example, HEUR:Exploit.Script.Blocker).
Level—Parent level. The direct parent of the
requested object has level=0. The parent of the requested object's
parent has level=1, and so on. The maximum possible level is 5.
|
|
FileUnpackedObjects.csv
|
Information about child objects of the file identified by the requested hash.
|
Zone—Color of the zone that the child object
belongs to.
ChildMD5—MD5 hash of the child object.
ParentMD5—MD5 hash of the parent object. For
direct child objects (level=0), the MD5 hash of the requested object
is displayed.
ChildFileSize—Size of the child object (in
bytes).
ChildFileType—File type of the child object.
ChildDetectionName—Detected objects
related to the child object (for example, HEUR:Exploit.Script.Blocker).
Level—Child level. The direct child of the requested object has level=0. The child of the requested object's child has level=1, and so on. The maximum possible level is 5.
|
|
SimilarFiles.csv
|
Information about files that are similar to the requested object.
|
MD5—MD5 hash of the object similar to the
file identified by the requested hash.
Zone—Color of the zone that the object
similar to the file identified by the requested hash belongs to.
Confidence—Level of confidence that the
object is similar to the file identified by the requested hash. Kaspersky Threat Intelligence Portal
displays similar files with a confidence level from 8 to 11.
DetectionName—Name of the detected object (for
example, HEUR:Exploit.Script.Blocker).
Hits—Number of hits (popularity) for the
object similar to the identified file (by the requested hash) detected by Kaspersky expert systems (rounded
to nearest power of 10).
FirstSeen—Date and time when the similar
object was detected by Kaspersky expert systems for the first time (for your local time zone).
LastSeen—Date and time, accurate to one
minute, when the similar object was detected by Kaspersky expert systems for the last time (for your local
time zone).
Type—Type of the object similar to the file
identified by the requested hash.
Size—Size of the object similar to the file
identified by the requested hash (in bytes).
|
|
SpamReport.csv
|
Information about spam attacks in which the requested object was attached to email
messages.
|
HitsCount—Number of email messages in which
the requested object was attached.
HitsByDate—Number of email messages in which
the requested object was attached during one day.
Subjects—Subjects of spam messages.
FileNames—Names of attachments in spam
messages.
|
Page top
[Topic CSVforIP]
Exporting results for IP address
RelatedAptReports—IDs of APT Intelligence reports and
Crimeware Threat Intelligence reports, to which the requested object is related. For each report, its ID, type
(fin or apt), and title are provided in a
JSON-like format (pseudo-JSON), for example: {Id : 632-apt , Type : apt , Title : Sofacy-Delphocy Toolset}. If there are
several reports for the requested object, each report is enclosed in braces, and reports are separated by a comma.
The report ID can be used as an argument (publication_id) for the get_one
endpoint, which is used to obtain specific information for a report.
For reserved IP addresses, only IpProperties.csv and IpWhoIsInfo.csv files are exported.
CSV archive contents for IP address
|
File name
|
Description
|
Columns
|
|
IpPdnsDomains.csv
|
pDNS information for the requested IP address.
|
Zone—Color of the zone that a domain (resolved
to the requested IP address) belongs to.
Domain—Domain that resolves to the requested
IP address.
FirstSeen—Date and time when the domain
first resolved to the requested IP address, according to your computer local time zone.
LastSeen—Date and time when the domain last
resolved to the requested IP address, according to your computer local time zone.
HitsCount—Number of times that the domain
resolved to the requested IP address.
DailyPeak—Maximum number of domain
resolutions to the requested IP address per day.
PeakDate—Date of maximum number of domain
resolutions to the requested IP address.
Categories—Categories of the requested
IP address.
|
|
IpFiles.csv
|
Information about MD5 hashes of files that are related to web addresses containing
domains that resolve to the requested IP address. Also, MD5 hashes of files that accessed the requested IP
address are displayed.
|
Zone—Color of the zone that a file belongs to.
DownloadHitsCount—Number of times that a
file was downloaded from the requested IP address as detected by Kaspersky expert systems.
Md5—MD5 hash of the downloaded file.
LastSeen—Date and time that the file was
last downloaded from the requested IP address, according to your computer local time zone.
FirstSeen—Date and time the file was first
downloaded from the requested IP address, according to your computer local time zone.
DetectionName—Name of the detected object.
Url—Web addresses used to download the file.
|
|
IpUrls.csv
|
Information about web addresses that contain the requested IP address and web
addresses of the domain that resolves to the requested IP address.
|
Zone—Color of the zone that a web address
belongs to.
UrlHitsCount—Number of web address
detections by Kaspersky expert systems.
Url—Detected web address (including web
addresses that contain the requested IP address).
IsUrlTruncated—Shows whether private data
was filtered in the displayed web address.
FirstSeen—Date and time when the web address
was first detected, according to your computer local time zone.
LastSeen—Date and time when the web address
was last detected, according to your computer local time zone.
|
|
IpFeedMasks.csv
|
Information about masks of detected by Kaspersky expert systems web addresses that
contain the requested IP address and web addresses of the domain that resolves to the requested IP address.
If a mask is included in Threat Data Feeds, the feed names are also provided.
|
Zone—Color of the zone that web addresses
covered by the corresponding mask (Red, Orange, or Yellow) belongs to.
NormalizedMask—Mask of the web address.
FeedNames—Threat Data Feeds that contain the
web address mask (Malicious URL Feed, Phishing
URL Feed, Botnet C&C URL Feed, APT URL Data Feed, and APT IP Data Feed.
MaskType—Type of the web address mask.
|
|
IpProperties.csv
|
General information about the requested IP address.
|
Status—Status of the IP address (Known if the country is detected, Reserved for reserved special-purpose IP addresses (see RFC 6890), and
NoInfo for IP addresses that do not belong to any country and are not
reserved).
CountryCode—Two-letter country code (ISO
3166-1 alpha-2 standard) of a country to which the IP address belongs. For reserved and not defined IP
addresses, the NULL value is exported.
HitsCount—Hits number (popularity) of the
requested IP address.
FirstSeen—Date and time when the requested
IP address appeared in Kaspersky expert systems statistics for the first time, according to your computer
local time zone.
ThreatScore—Probability that the requested
IP address appears dangerous (0 to 100). RelatedAptReports—IDs of
APT Intelligence reports and Crimeware Threat Intelligence reports, to which the requested object is
related. For each report, its ID, type (fin or apt), and title are provided in a JSON-like format (pseudo-JSON), for
example: {Id : 632-apt , Type : apt , Title : Sofacy-Delphocy Toolset}. If there
are several reports for the requested object, each report is enclosed in braces, and reports are separated
by a comma. The report ID can be used as an argument (publication_id)
for the get_one
endpoint, which is used to obtain specific information for a report.
|
|
IpReputation.csv
|
Information about the requested IP address reputation and categories.
|
Ip—Requested IP address.
Zone—Color of the zone that an IP address
belongs to.
Categories—Categories of the requested
object and zones that the category belongs to. Category and zone are provided in a
JSON-like format (pseudo-JSON), for example: {Name : CATEGORY_APT, Zone : Red}. If the requested object does not belong
to any defined categories, the General category is specified.
HasApt—Shows whether the requested IP
address is related to an advanced persistent threat (APT) attack.
BotnetCnCThreatName—Name of the detected
Botnet C&C.
|
|
IpWhoIsInfo.csv
|
WHOIS information about the requested IP address.
|
Asn—Autonomous system number.
Net—Information about the network that the
requested IP address belongs to.
Contacts—Contact information of the owner of
the requested IP address.
|
|
IPSpamInfo.csv
|
Information about spam attacks associated with the requested IP address.
|
spam_attacks—Number of spam attacks.
spam_ratio—Ratio of spam generated by the
requested IP address to the rest of the content.
last_attack_date—Date of the latest spam
attack.
spam_attack_types—Array of attack types.
|
|
IPPhishingInfo.csv
|
Information about spam attacks associated with the requested IP address.
|
phishing_attacks—Number of phishing attacks.
phish_kit—Phishing kit name (set of
materials and tools) used during the phishing attack.
last_attack_date—Date of the latest phishing
attack.
regions—Top 10 regions affected by the
phishing attack.
stolen_data_type—Type of data stolen during
phishing attack, for example, user names, passwords.
attacked_industry—Target industry of a
phishing attack.
attacked_organization—Target organization of
a phishing attack.
|
|
IpTimeline.csv
|
Information about detection statistics and requested object status changes during the
certain historical periods. The timeline is generated only when the detection statistics for the period is
available for a specific object.
|
historical_zone—Object zone during the certain
period.
historical_status—Object status during the certain
period.
start_date—Start date and time of the period
when the object was assigned to the certain status.
end_date—End date and time of the period
when the object was assigned to the certain status.
categories—Categories assigned to the object
during the specified period.
|
Page top
[Topic CSVforDomain]
Exporting results for domain
The contents of the files that are included in the CSV archive are described in the table below.
The first string in all files contains column names.
CSV archive contents for domain
|
File name
|
Description
|
Columns
|
|
HostPdnsIps.csv
|
Information about IP addresses that the requested domain resolves to.
|
Zone—Color of the zone that the domain belongs
to.
Ip—IP address.
Status—Status of the IP address (Known if the country is detected, Reserved for reserved special-purpose IP addresses (see RFC 6890), and
NoInfo for IP addresses that do not belong to any country and are not
reserved).
CountryCode—Two-letter country code (ISO
3166-1 alpha-2 standard) of a country to which the IP address belongs. For reserved and not defined IP
addresses, the NULL value is exported.
HitsCount—Number of IP address detections by
Kaspersky expert systems.
FirstSeen—Date and time when the requested
domain first resolved to the IP address, according to your computer local time zone.
LastSeen—Date and time when the requested
domain last resolved to the IP address, according to your computer local time zone.
DailyPeak—Maximum number of domain
resolutions to the IP address per day.
PeakDate—Date of maximum number of domain
resolutions to the IP address.
ThreatScore—Probability that the requested
domain will be dangerous (0 to 100).
|
|
HostReferredTo.csv
|
Information about links, forwards, or redirects to following web addresses.
|
Zone—Color of the zone that a web address
belongs to.
LastSeen—Date and time when the requested
domain was last referred to by listed web addresses, according to your computer local time zone.
Url—Web address that refers to the requested
domain.
IsUrlTruncated—Shows whether private data
was filtered in the displayed web address.
|
|
HostFiles.csv
|
Information about MD5 hashes of files that accessed the requested domain.
|
Zone—Color of the zone that a file belongs to.
AccessedHitsCount—Number of file downloads
from the requested domain as detected by Kaspersky expert systems.
Md5—MD5 hash of the downloaded file.
LastSeen—Date and time when the file was
last downloaded from the requested domain, according to your computer local time zone.
FirstSeen—Date and time when the file was
first downloaded from the requested domain, according to your computer local time zone.
DetectionName—Name of the detected object.
|
|
HostGeoPlot.csv
|
Information about domain access spread across the world.
|
countryCode—Two-letter country code.
value—Number of domain access in a certain
country.
|
|
HostDownloaders.csv
|
Information about MD5 hashes of files that were downloaded from the requested domain
and web addresses of the requested domain.
|
Zone—Color of the zone that a file belongs to.
DownloadedHitsCount—Number of file downloads
from the requested domain as detected by Kaspersky expert systems.
Md5—MD5 hash of the downloaded file.
LastSeen—Date and time when the file was
last downloaded from the requested domain, according to your computer local time zone.
FirstSeen—Date and time when the file was
first downloaded from the requested domain, according to your computer local time zone.
DetectionName—Date and time when the file
was first downloaded from the requested domain.
Url—Web address from which the file was
downloaded.
|
|
HostProperties.csv
|
General information about the requested domain.
|
TotalFilesCount—Number of known files.
TotalUrlsCount—Number of known web
addresses.
HitsCount—Number of IP addresses related to
the domain.
RelatedAptReports—IDs of APT Intelligence
reports and Crimeware Threat Intelligence reports, to which the requested object is related. For each
report, its ID, type (fin or apt), and
title are provided in a JSON-like format (pseudo-JSON), for example: {Id : 632-apt , Type : apt , Title : Sofacy-Delphocy Toolset}. If there
are several reports for the requested object, each report is enclosed in braces, and reports are separated
by a comma. The report ID can be used as an argument (publication_id)
for the get_one
endpoint, which is used to obtain specific information for a report.
|
|
HostReputation.csv
|
Information about the requested domain reputation and categories.
|
Domain—Name of the requested domain.
Zone—Color of the zone that a domain belongs to.
Categories—Categories of the requested
object and zones that the category belongs to. Category and zone are provided in a
JSON-like format (pseudo-JSON), for example: {Name : CATEGORY_APT, Zone : Red}. If the requested object does not belong
to any defined categories, the General category is specified.
HasApt—Shows whether the requested domain is
related to an advanced persistent threat (APT) attack.
BotnetCnCThreatName—Name of the detected
Botnet C&C.
|
|
HostReferredBy.csv
|
Information about web addresses that refer to the requested domain.
|
Zone—Color of the zone that a web address
belongs to.
LastSeen—Date and time when the requested
domain was last referred to by listed web addresses, according to your computer local time zone.
Url—Web address that refers to the requested
domain.
IsUrlTruncated—Shows whether private data
was filtered in the displayed web address.
|
|
HostSubDomains.csv
|
Information about hosts related to the requested domain (subdomains).
|
Zone—Color of the zone that a subdomain belongs
to.
Subdomain—Name of the detected subdomain.
UrlsCount—Number of web addresses related to
the subdomain.
FilesCount—Number of files hosted on the
detected subdomain.
FirstSeen—Date and time when the subdomain
was first detected, according to your computer local time zone.
|
|
HostFeedMasks.csv
|
Information about the requested domain and web address masks detected by Kaspersky
expert systems.
|
Zone—Color of the zone that a domain belongs to
(Red, Orange, or Yellow).
NormalizedMask—Requested domain mask.
FeedNames—Threat Data Feeds that contain the
requested domain mask.
Type—Type of requested domain and web
address mask.
|
|
HostWhoIsInfo.csv
|
WHOIS information about the requested domain.
|
DomainName—Name of the requested domain.
Created—Date when the requested domain was
registered.
Updated—Date when registration information
about the requested domain was last updated.
Expires—Expiration date of the requested
domain.
NameServers—Name servers of the requested
domain.
Contacts—Contact information for the owner
of the requested domain.
Registrar—Name, IANA ID, and email of the
registrar of the requested domain.
DomainStatus—Statuses of the requested
domain.
RegistrationOrganization—Name of the
registration organization.
|
|
HostSimilarDomains.csv
|
Information about domains with similar names to the requested domain.
|
Zone—Color of the zone that a similar domain
belongs to.
Domain—Similar domain name.
Registration—Date when a similar domain was
registered.
Expiration—Expiration date of a similar
domain.
Http_open—Shows whether an HTTP port is
open.
Https_open—Shows whether an HTTPS port is
open.
|
|
HostSpamInfo.csv
|
Information about spam attacks associated with the requested domain.
|
spam_attacks—Number of spam attacks.
spam_ratio—Ratio of spam generated by the
requested domain to the rest of the content.
last_attack_date—Date of the latest spam
attack.
spam_attack_types—Array of attack types.
|
|
HostPhishingInfo.csv
|
Information about spam attacks associated with the requested domain.
|
phishing_attacks—Number of phishing attacks.
phish_kit—Phishing kit name (set of
materials and tools) used during the phishing attack.
last_attack_date—Date of the latest phishing
attack.
regions—Top 10 regions affected by the
phishing attack.
stolen_data_type—Type of data stolen during
phishing attack, for example, user names, passwords.
attacked_industry—Target industry of a
phishing attack.
attacked_organization—Target organization of
a phishing attack.
|
|
HostTimeline.csv
|
Information about detection statistics and requested object status changes during the
certain historical periods. The timeline is generated only when the detection statistics for the period is
available for a specific object.
|
historical_zone—Object zone during the
certain period.
historical_status—Object status during the
certain period.
start_date—Start date and time of the period
when the object was assigned to the certain status.
end_date—End date and time of the period
when the object was assigned to the certain status.
categories—Categories assigned to the object
during the specified period.
|
Page top
[Topic CSVforURL]
Exporting results for web address
The contents of the files that are included in the CSV archive are described in the table below.
The first string in all files contains column names.
CSV archive contents for web address
|
File name
|
Description
|
Columns
|
|
UrlPdnsIps.csv
|
Information about IP addresses that the domain for the requested web address resolves
to.
|
Zone—Color of the zone that the domain belongs
to.
Ip—IP address.
Status—Status of the IP address (Known if the country is detected, Reserved for reserved special-purpose IP addresses (see RFC 6890), and
NoInfo for IP addresses that do not belong to any country and are not
reserved).
CountryCode—Two-letter country code (ISO
3166-1 alpha-2 standard) of a country to which the IP address belongs. For reserved and not defined IP
addresses, the NULL value is exported.
HitsCount—Number of IP address detections by
Kaspersky expert systems.
FirstSeen—Date and time when the domain for
the requested web address first resolved to the IP address, according to your computer local time zone.
LastSeen—Date and time when the domain for
the requested web address last resolved to the IP address, according to your computer local time zone.
DailyPeak—Maximum number of domain
resolutions to the IP address per day.
PeakDate—Date of maximum number of domain
resolutions to the IP address.
ThreatScore—Probability that the requested
web address will be dangerous (0 to 100).
|
|
UrlDownloaders.csv
|
Information about MD5 hashes of files that accessed the requested web address.
|
Zone—Color of the zone that a file belongs to.
AccessedHitsCount—Number of file downloads
from the requested web address as detected by Kaspersky expert systems.
Md5—MD5 hash of the downloaded file.
LastSeen—Date and time when the file was
last downloaded from the requested web address, according to your computer local time zone.
FirstSeen—Date and time when the file was
first downloaded from the requested web address, according to your computer local time zone.
DetectionName—Name of the detected object.
|
|
UrlFiles.csv
|
Information about objects that were downloaded from the requested web address.
|
Zone—Color of the zone that a file belongs to.
DownloadedHitsCount—Number of file downloads
from the requested web address as detected by Kaspersky expert systems.
Md5—MD5 hash of the downloaded file.
LastSeen—Date and time when the file was
last downloaded from the requested web address, according to your computer local time zone.
FirstSeen—Date and time when the file was
first downloaded from the requested web address, according to your computer local time zone.
DetectionName—Name of the detected object.
Url—Web address from which the file was
downloaded.
|
|
UrlFeedMasks.csv
|
Information about masks of the requested web address domain that are detected by
Kaspersky expert systems.
|
Zone—Color of the zone that a domain belongs to
(Red, Orange, or Yellow).
Type—Type of the requested domain and
web addresses mask.
NormalizedMask—Mask of the requested web
address domain.
FeedNames—Threat Data Feeds that contain the
mask of the requested web address domain.
|
|
UrlGeoPlot.csv
|
Information about web address access spread across the world.
|
countryCode—Two-letter country code.
value—Number of web address access in a
certain country.
|
|
UrlReferredBy.csv
|
Information about web addresses that refer to the requested web address.
|
Zone—Color of the zone that a web address
belongs to.
LastSeen—Date and time when the requested
web address was last referred to, according to your computer local time zone.
Url—Web address that refers to the requested
web address.
IsUrlTruncated—Shows whether private data
was filtered in the displayed web address.
|
|
UrlReferredTo.csv
|
Information about links, forwards, or redirects to displayed web addresses.
|
Zone—Color of the zone that a web address
belongs to.
LastSeen—Date and time when the requested
web address last linked, forwarded, or redirected to listed web addresses, according to your computer local
time zone.
Url—Web address accessed by the requested
web address.
IsUrlTruncated—Shows whether private data
was filtered in the displayed web address.
|
|
UrlProperties.csv
|
General information about the requested web address.
|
Url—Requested web address.
Host—Name of the upper-level domain of the
requested web address.
RelatedAptReports—IDs of APT Intelligence
reports and Crimeware Threat Intelligence reports, to which the requested object is related. For each
report, its ID, type (fin or apt), and
title are provided in a JSON-like format (pseudo-JSON), for example: {Id : 632-apt , Type : apt , Title : Sofacy-Delphocy Toolset}. If there
are several reports for the requested object, each report is enclosed in braces, and reports are separated
by a comma. The report ID can be used as an argument (publication_id)
for the get_one
endpoint, which is used to obtain specific information for a report.
|
|
UrlReputation.csv
|
Information about the requested web address reputation and categories.
|
Url—Requested web address.
Zone—Color of the zone that a web address
belongs to.
Categories—Categories of the requested
object and zones that the category belongs to. Category and zone are provided in a
JSON-like format (pseudo-JSON), for example: {Name : CATEGORY_APT, Zone : Red}. If the requested object does not belong
to any defined categories, the General category is specified.
HasApt—Shows whether the requested web
address is related to an advanced persistent threat (APT) attack.
BotnetCnCThreatName—Name of the detected
Botnet C&C.
|
|
UrlWhoIsInfo.csv
|
WHOIS information about the requested web address.
|
Type—Object type.
DomainName—Name of the domain of the
requested web address.
Created—Date when the domain for the
requested web address was registered.
Updated—Date when registration information
about the domain for the requested web address was last updated.
Expires—Expiration date of the prepaid
domain registration term.
NameserverHostnames—Name servers of the
domain for the requested web address.
Contacts—Contact information for the owner
of the domain.
Registrar—Name, IANA ID, and email of the
registrar of the domain.
DomainStatus—Statuses of the domain.
RegistrationOrganization—Name of the
registration organization.
|
|
UrlSpamInfo.csv
|
Information about spam attacks associated with the requested web address.
|
spam_messages—Number of spam messages
containing the requested web address.
|
|
UrlPhishingInfo.csv
|
Information about spam attacks associated with the requested web address.
|
phishing_status—Shows whether the requested
web address can be considered as a phishing one.
phishing_attacks—Number of phishing attacks.
phish_kit—Phishing kit name (set of
materials and tools) used during the phishing attack.
last_attack_date—Date of the latest phishing
attack.
regions—Top 10 regions affected by the
phishing attack.
stolen_data_type—Type of data stolen during
phishing attack, for example, user names, passwords.
attacked_industry—Target industry of a
phishing attack.
attacked_organization—Target organization of
a phishing attack.
|
|
UrlTimeline.csv
|
Information about detection statistics and requested object status changes during the
certain historical periods. The timeline is generated only when the detection statistics for the period is
available for a specific object.
|
historical_zone—Object zone during the
certain period.
historical_status—Object status during the
certain period.
start_date—Start date and time of the period
when the object was assigned to the certain status.
end_date—End date and time of the period
when the object was assigned to the certain status.
categories—Categories assigned to the object
during the specified period.
|
Page top
[Topic ExportingToOpenIOC]
Threat Lookup: Exporting to OpenIOC
Expand all | Collapse all
This section contains examples of OpenIOC files with
investigation results for a hash, IP address, domain, and web address.
This format is not available for exporting investigation results for reserved IP addresses.
By default, the format of the file name is as follows: <request type>_<request>.ioc
Here:
You can change the file name if necessary.
See a file name example
If you export investigation results for the domain ddns.net, the OpenIOC file will have the following name by default:
DOMAIN_852808bf99be59a2902e089e26d5976a.ioc
OpenIOC for a hash
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may
return for the hash 495DB359D61411F0688211C8DD473CB7 in OpenIOC format.
See result example
Data and ratings are updated dynamically. The data displayed in this example may differ
from the data for the same object requested at a later time.
MD5_495DB359D61411F0688211C8DD473CB7.ioc
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.mandiant.com/2010/ioc"
id="0294496a-b037-55b9-a3fe-46a344d7f524" last-modified="2016-11-08T16:43:21.4083202Z">
<short_description>ioc for 495DB359D61411F0688211C8DD473CB7</short_description>
<description>ZONE:Yellow</description>
<authored_by>KasperskyThreatLookup</authored_by>
<authored_date>2016-11-08T16:43:21.4083202Z</authored_date>
<links />
<definition>
<Indicator operator="OR" id="6f7a75ee-f423-5cf1-ad42-140ae6aa2301">
<IndicatorItem condition="is"
id="59b35d49-14d6-f011-6882-11c8dd473cb7">
<Context document="FileItem" search="FileItem/Md5sum"
type="mir" />
<Content type="md5">495DB359D61411F0688211C8DD473CB7</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="4784b55d-d0a9-5172-8c0a-f740f9184607">
<Context document="FileItem" search="FileItem/Sha1sum"
type="mir" />
<Content
type="string">CAD7296F99733E209CE57422F348A8698245CBD5</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="b533c6cd-89ab-5c8c-971c-0cd79858aeb7">
<Context document="FileItem" search="FileItem/Sha256sum"
type="mir" />
<Content
type="string">12FF1AE06AC3ACA95969B2D338A24D47DF80D7B70521BD7DB801B715DB629420</Content>
</IndicatorItem>
<Indicator operator="AND" id="173db112-d8ee-5141-b76a-49dc3430f04c">
<IndicatorItem condition="is"
id="4b2610ba-5431-57f2-8af3-24d0f43d7919">
<Context document="FileItem"
search="FileItem/PEInfo/DigitalSignature/SignatureExists" type="mir" />
<Content type="string">YES</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="1f3510a5-0f48-522f-bd50-adbf9be9c9c8">
<Context document="FileItem" search="FileItem/SizeInBytes"
type="mir" />
<Content type="int">3702320</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="3e9d0121-11fb-5e7a-bf0c-9a99728178ca">
<Context document="FileItem" search="FileItem/FileExtension"
type="mir" />
<Content type="string">PE</Content>
</IndicatorItem>
<Indicator operator="AND" id="472a6ade-1196-5e1e-a8b4-8f0864b40051">
<Indicator operator="OR" id="a317c11b-0c26-5e52-b601-307d133ee986">
<IndicatorItem condition="is"
id="a4c97305-950f-555f-b0ca-ecbea8873e38">
<Context document="FileItem" search="FileItem/FilePath"
type="mir" />
<Content type="string">itva\lovivkontakte2</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="6cc33a2a-72b1-558b-b737-bcc52ede225b">
<Context document="FileItem" search="FileItem/FilePath"
type="mir" />
<Content type="string">lovivk</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="a0f344e5-5b06-51ec-bb14-02b60918f31a">
<Context document="FileItem" search="FileItem/FilePath"
type="mir" />
<Content type="string">system volume
information\_restore{8d816860-50be-4aed-b133-e43e1df90217}\rp115</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="759b363e-5f39-51f0-bacf-5c168eb1f5b3">
<Context document="FileItem" search="FileItem/FilePath"
type="mir" />
<Content type="string">system volume
information\_restore{8d816860-50be-4aed-b133-e43e1df90217}\rp113</Content>
</IndicatorItem>
</Indicator>
<Indicator operator="OR" id="8a207637-a1e8-5059-8e74-cdc0fb0a41eb">
<IndicatorItem condition="is"
id="d744a9e8-9f30-59a0-aca1-e0f00ffe4b5b">
<Context document="FileItem" search="FileItem/FileName"
type="mir" />
<Content type="string">lvk2.exe</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="af970d9e-b5f9-5ae2-81d3-5ebef78b63cf">
<Context document="FileItem" search="FileItem/FileName"
type="mir" />
<Content type="string">a0040146.exe</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="1cf19365-1b8e-5dbe-99d6-ed94783855a7">
<Context document="FileItem" search="FileItem/FileName"
type="mir" />
<Content type="string">a0004589.exe</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="2cc36f03-8207-55e2-9ed6-4b927a043c4b">
<Context document="FileItem" search="FileItem/FileName"
type="mir" />
<Content type="string">updater.exe</Content>
</IndicatorItem>
</Indicator>
<Indicator operator="OR" id="a20c7f94-60ce-5dd6-8c7b-b5beabcb2e62">
<IndicatorItem condition="is"
id="7e122afb-6820-53bd-ac1f-d976c98983eb">
<Context document="FileDownloadHistoryItem"
search="FileDownloadHistoryItem/SourceURL" type="mir" />
<Content
type="string">upconfusepat.ru/3e122e2dd79b0dcab9df0e4c6d3d238f/625819-book</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="da8849e7-2564-5709-81e7-0c5b7a244cad">
<Context document="FileDownloadHistoryItem"
search="FileDownloadHistoryItem/SourceURL" type="mir" />
<Content
type="string">73f2d1c5c7ea62da3b9f212a.appssharploads.ru/api/web/getInstaller</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="3bb6a5ae-41bf-511a-af12-0f59c4114ea1">
<Context document="FileDownloadHistoryItem"
search="FileDownloadHistoryItem/SourceURL" type="mir" />
<Content
type="string">1d30c85c657d5957297fea73.oysiudyfisdf.ru</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="6fb061ce-b6e2-52d7-918e-dbd9511c4991">
<Context document="FileDownloadHistoryItem"
search="FileDownloadHistoryItem/SourceURL" type="mir" />
<Content
type="string">8eb7094dd3284344a7abc7ca.ksldhfkshfks.ru/api/web/getInstaller</Content>
</IndicatorItem>
</Indicator>
<Indicator operator="OR" id="ee3069c4-c5a9-5594-9068-a1ad20349b5e">
<IndicatorItem condition="is"
id="9ef1b331-88aa-5782-9c23-228317aa358e">
<Context document="UrlHistoryItem" search="UrlHistoryItem/URL"
type="mir" />
<Content type="string">net-tak.net/favicon.ico</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="bfc24ba4-7c74-58ad-bed3-5b15e55e92be">
<Context document="UrlHistoryItem" search="UrlHistoryItem/URL"
type="mir" />
<Content type="string">dle.org.ua/favicon.ico</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="62ea1d9b-8fd9-56b5-a5d1-98c0a55032c9">
<Context document="UrlHistoryItem" search="UrlHistoryItem/URL"
type="mir" />
<Content type="string">www-odnoklassniki-ru.ru</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="89b59d77-35c9-58f5-a5b0-fda276497f5e">
<Context document="UrlHistoryItem" search="UrlHistoryItem/URL"
type="mir" />
<Content
type="string">octopus.elar.ru:8080/palpussetup/setup.exe</Content>
</IndicatorItem>
</Indicator>
</Indicator>
</Indicator>
</Indicator>
</definition>
</ioc>
OpenIOC for an IP address
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may
return for the IP address 14.14.14.14 in OpenIOC format.
See result example
Data and ratings are updated dynamically. The data displayed in this example may differ
from the data for the same object requested at a later time.
IP_14.14.14.14.ioc
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.mandiant.com/2010/ioc"
id="6142af1a-ed6a-5e99-a54b-05eb22e4fb04" last-modified="2016-10-28T11:41:07.7003725Z">
<short_description>ioc for 14.14.14.14</short_description>
<description>ZONE:Green</description>
<authored_by>KasperskyThreatLookup</authored_by>
<authored_date>2016-10-28T11:41:07.7003725Z</authored_date>
<links />
<definition>
<Indicator operator="OR" id="41137498-7ada-503c-bae1-4e3e1370a0db">
<IndicatorItem condition="is"
id="9854d7dd-bcf8-5d67-93eb-3e814a215c73">
<Context document="DnsEntryItem"
search="DnsEntryItem/RecordData/IPv4Address" type="mir" />
<Content type="IP">14.14.14.14</Content>
</IndicatorItem>
<Indicator operator="AND" id="291ff821-82e2-505b-aeff-dbf1ae68820f">
<Indicator operator="OR" id="51d01b5b-4ad0-5e0d-acb9-cdd1d500338a">
<IndicatorItem condition="is"
id="d073c3e0-3bf1-5c42-b266-13687407e00f">
<Context document="Network" search="Network/URI" type="mir"
/>
<Content type="string">?.CLOUDFRONT.NET</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="78d631ec-48d9-5aa2-a4cf-874058ee6a02">
<Context document="Network" search="Network/URI" type="mir"
/>
<Content type="string">DMG.DIGITALTARGET.RU</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="de1b4dd1-22c4-554b-810e-73c037ba242f">
<Context document="Network" search="Network/URI" type="mir"
/>
<Content type="string">PROSPORTZAL.RU</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="300ffcb0-bb63-52f9-9924-276306c91341">
<Context document="Network" search="Network/URI" type="mir"
/>
<Content type="string">METRO-PLUS.COM</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="4312e5b6-b571-59ca-963a-37d78b969e68">
<Context document="Network" search="Network/URI" type="mir"
/>
<Content type="string">FOODANDDRINK.TILE.APPEX.BING.COM</Content>
</IndicatorItem>
</Indicator>
<Indicator operator="OR" id="6376b283-0a4b-561e-a2fa-927e3c3ccab4">
<Indicator operator="AND" id="76fae3c2-a02e-5144-9bab-a85004414277">
<IndicatorItem condition="is"
id="605171d1-751e-8343-1962-c5ce8191d306">
<Context document="FileItem" search="FileItem/Md5sum"
type="mir" />
<Content type="md5">D17151601E7543831962C5CE8191D306</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="ce595631-691b-59fc-97d3-bddc92e795be">
<Context document="Network" search="Network/URI" type="mir"
/>
<Content type="string">14.14.14.14/software/compression and
backup/winrar/wrar54b4.exe</Content>
</IndicatorItem>
</Indicator>
<Indicator operator="AND" id="a149da5d-6462-522b-a997-37972cd31a19">
<IndicatorItem condition="is"
id="62a5a0a5-3533-babc-ba1c-e06f655b15a3">
<Context document="FileItem" search="FileItem/Md5sum"
type="mir" />
<Content type="md5">A5A0A5623335BCBABA1CE06F655B15A3</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="a61896d9-ff0b-5a3c-891b-a1dc1773ef54">
<Context document="Network" search="Network/URI" type="mir"
/>
<Content type="string">14.14.14.14/softower/compression & backup/win
rar/wrar521b1.exe</Content>
</IndicatorItem>
</Indicator>
</Indicator>
</Indicator>
</Indicator>
</definition>
</ioc>
OpenIOC for a domain
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may
return for the domain ddns.net in OpenIOC format.
See result example
Data and ratings are updated dynamically. The data displayed in this example may differ
from the data for the same object requested at a later time.
DOMAIN_852808bf99be59a2902e089e26d5976a.ioc
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.mandiant.com/2010/ioc"
id="df83c379-d757-5242-971e-640c92016a0b" last-modified="2016-10-27T14:01:31.6275083Z">
<short_description>ioc for ddns.net</short_description>
<description>ZONE:Green</description>
<authored_by>KasperskyThreatLookup</authored_by>
<authored_date>2016-10-27T14:01:31.6275083Z</authored_date>
<links />
<definition>
<Indicator operator="OR" id="b6fe04cb-dfbd-5205-a920-00f7a62308cc">
<IndicatorItem condition="contains"
id="852808bf-99be-59a2-902e-089e26d5976a">
<Context document="Network" search="Network/URI" type="mir"
/>
<Content type="string">DDNS.NET</Content>
</IndicatorItem>
<Indicator operator="AND" id="cfbcee05-35d8-5f37-8837-62fd716b7e1b">
<Indicator operator="OR" id="dfac3ba6-e2ed-5b9f-b1d3-aa1ef3046bc2">
<IndicatorItem condition="is"
id="cfcf62ca-6194-5916-becb-024a6cd5db18">
<Context document="DnsEntryItem"
search="DnsEntryItem/RecordData/IPv4Address" type="mir" />
<Content type="IP">213.128.81.34</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="e2d0d2bb-cbd9-5bf7-ad07-7de1c4d9e366">
<Context document="DnsEntryItem"
search="DnsEntryItem/RecordData/IPv4Address" type="mir" />
<Content type="IP">8.23.224.108</Content>
</IndicatorItem>
</Indicator>
</Indicator>
</Indicator>
</definition>
</ioc>
OpenIOC for a web address
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may
return for the web address go.spaceshipads.com-afu.php-zone in OpenIOC format.
See result example
Data and ratings are updated dynamically. The data displayed in this example may differ
from the data for the same object requested at a later time.
URL_20c056bbd30c5b41be005abd49506015.ioc
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.mandiant.com/2010/ioc"
id="d40696c1-3f0b-56e4-b911-6976b359a7f1" last-modified="2016-10-31T12:29:46.227187Z">
<short_description>ioc for
go.spaceshipads.com/afu.php?zoneid=361258</short_description>
<description>ZONE:Red</description>
<authored_by>KasperskyThreatLookup</authored_by>
<authored_date>2016-10-31T12:29:46.227187Z</authored_date>
<links />
<definition>
<Indicator operator="OR" id="92c30c12-2578-5d17-a9f6-05a5baaa4d96">
<IndicatorItem condition="contains"
id="20c056bb-d30c-5b41-be00-5abd49506015">
<Context document="Network" search="Network/URI" type="mir"
/>
<Content
type="string">go.spaceshipads.com/afu.php?zoneid=361258</Content>
</IndicatorItem>
<Indicator operator="AND" id="c0e45c3f-f292-5422-8c9f-f3514c26466c">
<Indicator operator="OR" id="0d78fcbd-91a9-507a-a510-6d55e0fb0311">
<IndicatorItem condition="is"
id="3cbf69fc-b1cb-54be-938f-3459b6aab54d">
<Context document="DnsEntryItem"
search="DnsEntryItem/RecordData/IPv4Address" type="mir" />
<Content type="IP">54.72.9.115</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="5402ae2b-f147-58a4-95ae-62ce2d980563">
<Context document="DnsEntryItem"
search="DnsEntryItem/RecordData/IPv4Address" type="mir" />
<Content type="IP">67.215.84.26</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="d3f84cb4-bc87-5120-a097-e2b0d62ee7cf">
<Context document="DnsEntryItem"
search="DnsEntryItem/RecordData/IPv4Address" type="mir" />
<Content type="IP">202.188.0.156</Content>
</IndicatorItem>
</Indicator>
<Indicator operator="OR" id="411fe6aa-8b73-5ad7-8b25-7c91f5278a45">
<IndicatorItem condition="is"
id="4d836507-49a5-bfcd-3193-25cb8f8171eb">
<Context document="FileItem" search="FileItem/Md5sum"
type="mir" />
<Content type="md5">0765834DA549CDBF319325CB8F8171EB</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="08914112-537d-dd29-e686-5067ee6e1462">
<Context document="FileItem" search="FileItem/Md5sum"
type="mir" />
<Content type="md5">124191087D5329DDE6865067EE6E1462</Content>
</IndicatorItem>
<IndicatorItem condition="is"
id="acfda603-edde-2d9e-dd1c-4197df4f7d77">
<Context document="FileItem" search="FileItem/Md5sum"
type="mir" />
<Content type="md5">03A6FDACDEED9E2DDD1C4197DF4F7D77</Content>
</IndicatorItem>
</Indicator>
</Indicator>
</Indicator>
</definition>
</ioc>
Page top
[Topic ExportingToSTIX]
Threat Lookup: Exporting to STIX
Expand all | Collapse all
This section contains examples of STIX files with
investigation results for a hash, IP address, domain, and web address.
This format is not available for exporting investigation results for reserved IP addresses.
By default, the format of the file name is as follows: <request type>_<request>_stix.xml
Here:
You can change the file name if necessary.
See a file name result
If you export investigation results for the domain ddns.net, the STIX file will have the following name by default:
DOMAIN_852808bf99be59a2902e089e26d5976a_stix.xml
STIX for a hash
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may
return for the hash 495DB359D61411F0688211C8DD473CB7 in STIX format.
See result example
Data and ratings are updated dynamically. The data displayed in this example may differ
from the data for the same object requested at a later time.
MD5_495DB359D61411F0688211C8DD473CB7_stix.xml
<stix:STIX_Package xmlns:KTL="http://ktl.kaspersky.com"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:stix="http://stix.mitre.org/stix-1" xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
xmlns:cybox="http://cybox.mitre.org/cybox-2"
xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
xmlns:indicator="https://oasis-open.github.io/cti-documentation/"
xmlns:ttp="https://oasis-open.github.io/cti-documentation/"
xmlns:WhoisObj="http://cybox.mitre.org/objects#WhoisObject-2"
xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
id="KL_Botnet_Tracking:Package-09e55e6b-8e51-43db-a14a-01dce3c3f64d" version="1.2">
<stix:STIX_Header>
<stix:Title>HASH LOOKUP</stix:Title>
<stix:Description>Information about lookup HASH
495DB359D61411F0688211C8DD473CB7</stix:Description>
</stix:STIX_Header>
<stix:Observables cybox_major_version="1" cybox_minor_version="1">
<cybox:Observable id="KTL:Observable-6be4fae3-d355-42e3-8795-0aafa8ea8af5">
<cybox:Description>ZONE="Yellow" HITS="1000000"
FIRST_SEEN="29.05.2014" LAST_SEEN="08.11.2016"
DETECTION_NAMES="not-a-virus:Downloader.Win32.Agent.cugr"</cybox:Description>
<cybox:Object id="KTL:object-5607310f-82ac-5849-90c8-31526166c01e">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File is_packed="true">
<FileObj:File_Extension>PE</FileObj:File_Extension>
<FileObj:Size_In_Bytes>3702320</FileObj:Size_In_Bytes>
</FileObj:File>
<FileObj:Digital_Signatures>
<cyboxCommon:Digital_Signature signature_exists="true"
signature_verified="false">
<cyboxCommon:Certificate_Description>iTVA
LLC</cyboxCommon:Certificate_Description>
</cyboxCommon:Digital_Signature>
</FileObj:Digital_Signatures>
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">495DB359D61411F0688211C8DD473CB7</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">CAD7296F99733E209CE57422F348A8698245CBD5</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">12FF1AE06AC3ACA95969B2D338A24D47DF80D7B70521BD7DB801B715DB629420</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</stix:Observables>
<stix:Indicators>
<stix:Indicator id="KTL:indicator-0390d2b2-0454-50fa-bd7e-76f6eaf7b783">
<indicator:Title>File paths</indicator:Title>
<indicator:Related_Observables>
<cybox:Observable id="KTL:Observable-f1fe37d1-2a62-526e-950e-a2d90db33864">
<cybox:Description>HITS="1000000"</cybox:Description>
<cybox:Object id="KTL:object-4ee3a9e3-817c-5566-8048-d1f8245165ac">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:File_Path
fully_qualified="false">itva\lovivkontakte2</FileObj:File_Path>
<FileObj:Device_Path>ProgramFiles</FileObj:Device_Path>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-423aac92-69b1-594f-b021-113fcbae1742">
<cybox:Description>HITS="1000000"</cybox:Description>
<cybox:Object id="KTL:object-35e03985-c6cb-599c-a8d7-c35ee3a01033">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:File_Path fully_qualified="false">lovivk</FileObj:File_Path>
<FileObj:Device_Path>ProgramFiles</FileObj:Device_Path>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-f7c29a0f-e650-510d-a9ea-4e75512cbadd">
<cybox:Description>HITS="10000"</cybox:Description>
<cybox:Object id="KTL:object-4ee3a9e3-817c-5566-8048-d1f8245165ac">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:File_Path
fully_qualified="false">itva\lovivkontakte2</FileObj:File_Path>
<FileObj:Device_Path>ProgramFiles</FileObj:Device_Path>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-1cf62ef0-e266-592d-aea8-1c157dd1890c">
<cybox:Description>HITS="1000"</cybox:Description>
<cybox:Object id="KTL:object-35e03985-c6cb-599c-a8d7-c35ee3a01033">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:File_Path fully_qualified="false">lovivk</FileObj:File_Path>
<FileObj:Device_Path>ProgramFiles</FileObj:Device_Path>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-2bdab6e0-a20b-585c-826c-be41b83ce249">
<cybox:Description>HITS="100"</cybox:Description>
<cybox:Object id="KTL:object-c4cd4595-b34f-5ebd-9125-0b9fdc2d3d74">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:File_Path fully_qualified="false">system volume
information\_restore{8d816860-50be-4aed-b133-e43e1df90217}\rp115</FileObj:File_Path>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-f93493b3-c59f-51e1-b614-a6b702566b3f">
<cybox:Description>HITS="100"</cybox:Description>
<cybox:Object id="KTL:object-3aa80a01-40ab-59c5-a971-061193a7d134">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:File_Path fully_qualified="false">system volume
information\_restore{8d816860-50be-4aed-b133-e43e1df90217}\rp113</FileObj:File_Path>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observables>
</stix:Indicator>
<stix:Indicator id="KTL:indicator-9901368e-338b-5fec-ad0a-185b672fb271">
<indicator:Title>File names</indicator:Title>
<indicator:Related_Observables>
<cybox:Observable id="KTL:Observable-5049756c-3d27-565d-9fe1-4a5668ad6ef5">
<cybox:Description>HITS="1000000"</cybox:Description>
<cybox:Object id="KTL:object-d744a9e8-9f30-59a0-aca1-e0f00ffe4b5b">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:File_Name>lvk2.exe</FileObj:File_Name>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-cd60b5bc-c0a2-5e43-9897-b6ebb2577d14">
<cybox:Description>HITS="100"</cybox:Description>
<cybox:Object id="KTL:object-af970d9e-b5f9-5ae2-81d3-5ebef78b63cf">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:File_Name>a0040146.exe</FileObj:File_Name>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-731d9bda-c427-5c1a-b86e-4121b3f05d34">
<cybox:Description>HITS="100"</cybox:Description>
<cybox:Object id="KTL:object-1cf19365-1b8e-5dbe-99d6-ed94783855a7">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:File_Name>a0004589.exe</FileObj:File_Name>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-097928ae-5424-57e9-9fba-8f9830842d6c">
<cybox:Description>HITS="100"</cybox:Description>
<cybox:Object id="KTL:object-2cc36f03-8207-55e2-9ed6-4b927a043c4b">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:File_Name>updater.exe</FileObj:File_Name>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observables>
</stix:Indicator>
<stix:Indicator id="KTL:indicator-2f648dfb-35e8-56bb-9d69-fe968b7dee9e">
<indicator:Title>File downloaded from URLs and domains</indicator:Title>
<indicator:Related_Observables>
<cybox:Observable id="KTL:Observable-df04c1da-0db3-5f6a-a397-17361d8ca828">
<cybox:Description>ZONE="Red" LAST_DOWNLOADED="29.04.2016"
IP_COUNT="1"</cybox:Description>
<cybox:Observable_Composition operator="AND">
<cybox:Observable id="KTL:Observable-7e122afb-6820-53bd-ac1f-d976c98983eb">
<cybox:Object id="KTL:URI-7e122afb-6820-53bd-ac1f-d976c98983eb">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value
condition="Equals">upconfusepat.ru/3e122e2dd79b0dcab9df0e4c6d3d238f/625819-book</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-2e48404f-254e-5293-b99c-b3d48a350e6b">
<cybox:Object id="KTL:URI-2e48404f-254e-5293-b99c-b3d48a350e6b">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="Domain
Name">
<URIObj:Value condition="Equals">upconfusepat.ru</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</cybox:Observable_Composition>
</cybox:Observable>
</indicator:Related_Observables>
</stix:Indicator>
<stix:Indicator id="KTL:indicator-70fb0b4a-a5a4-5782-961f-c18fe7ecee73">
<indicator:Title>File started following objects</indicator:Title>
<indicator:Related_Observables>
<cybox:Observable id="KTL:Observable-2791e879-a8b1-5741-8ef9-5af2b11ee9a4">
<cybox:Description>HITS="10" ZONE="Red"
LAST_STARTED="10.07.2014" DETECTION_NAME="Virus.Win32.Neshta.a"</cybox:Description>
<cybox:Object id="KTL:object-8becd1bd-e8ae-5712-a271-bc126a467e15">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">91677B76C4FC52F26097B61E74F5D01B</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
<FileObj:File_Name>svchost.com</FileObj:File_Name>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-7dfc9e1d-15b9-599b-9131-bc65f5ef4bca">
<cybox:Description>HITS="10" ZONE="Yellow"
LAST_STARTED="04.04.2016"
DETECTION_NAME="not-a-virus:Downloader.Win32.Agent.cugr"</cybox:Description>
<cybox:Object id="KTL:object-6c262a1a-fd7c-5d9c-8ae8-32f4b2dbcca5">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">495DB359D61411F0688211C8DD473CB7</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
<FileObj:Device_Path>ProgramFiles</FileObj:Device_Path>
<FileObj:File_Path
fully_qualified="false">itva\lovivkontakte2</FileObj:File_Path>
<FileObj:File_Name>lvk2.exe</FileObj:File_Name>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-19b447ad-cafa-522b-81bd-f72866a2e2ed">
<cybox:Description>HITS="10000" ZONE="Grey"
LAST_STARTED="08.11.2016"
DETECTION_NAME="PDM:P2P-Worm.Win32.Generic"</cybox:Description>
<cybox:Object id="KTL:object-4d4c5977-5001-5d75-9b35-ab1671fb98d9">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">88D076275DBF770406A232DBFF5F9AAE</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
<FileObj:Device_Path>ProgramFiles</FileObj:Device_Path>
<FileObj:File_Path fully_qualified="false">screen
capture</FileObj:File_Path>
<FileObj:File_Name>updater.exe</FileObj:File_Name>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-fa806ccf-803a-50cc-8660-a986984587be">
<cybox:Description>HITS="10" ZONE="Grey"
LAST_STARTED="23.02.2016"
DETECTION_NAME="not-a-virus:BSS:WebToolbar.Win32.Rubar.b"</cybox:Description>
<cybox:Object id="KTL:object-29e69ee3-46b3-5e06-857c-fa45ebc43d7c">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File>
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">5B817FC229E661786D01331274868C94</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
<FileObj:Device_Path>ProgramFiles</FileObj:Device_Path>
<FileObj:File_Path
fully_qualified="false">lovivkontakte</FileObj:File_Path>
<FileObj:File_Name>unins000.exe</FileObj:File_Name>
</FileObj:File>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observables>
</stix:Indicator>
</stix:Indicators>
<stix:TTPs>
<stix:TTP xsi:type="ttp:TTPType"
id="KTL:ttp-789f87ea-a68f-445f-8a96-d5ee2aa7598c" timestamp="2016-11-08T04:40Z">
<ttp:Title>LOOKUP_HASH</ttp:Title>
<ttp:Resources>
<ttp:Infrastructure>
<ttp:Observable_Characterization cybox_major_version="2"
cybox_minor_version="1">
<cybox:Observable idref="KTL:observable-6be4fae3-d355-42e3-8795-0aafa8ea8af5"
/>
</ttp:Observable_Characterization>
</ttp:Infrastructure>
</ttp:Resources>
</stix:TTP>
</stix:TTPs>
</stix:STIX_Package>
STIX for an IP address
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may
return for the IP address 195.175.254.2 in STIX format.
See result example
Data and ratings are updated dynamically. The data displayed in this example may differ
from the data for the same object requested at a later time.
IP_195.175.254.2_stix.xml
<stix:STIX_Package xmlns:KTL="http://ktl.kaspersky.com"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:stix="http://stix.mitre.org/stix-1" xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
xmlns:cybox="http://cybox.mitre.org/cybox-2"
xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
xmlns:indicator="http://stix.mitre.org/Indicator-2"
xmlns:ttp="https://oasis-open.github.io/cti-documentation/"
xmlns:WhoisObj="http://cybox.mitre.org/objects#WhoisObject-2"
xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
id="KL_Botnet_Tracking:Package-8cf6606e-0510-4c3c-9065-8150e53252ea" version="1.2">
<stix:STIX_Header>
<stix:Title>IP LOOKUP</stix:Title>
<stix:Description>Information about lookup IP 195.175.254.2</stix:Description>
</stix:STIX_Header>
<stix:Observables cybox_major_version="1" cybox_minor_version="1">
<cybox:Observable id="KTL:Observable-b87283c7-fa74-4c25-aac9-d19abbe72871">
<cybox:Description>ZONE="Green" FIRST_SEEN="03.06.2014"
THREAT_SCORE="0" HITS="100000"</cybox:Description>
<cybox:Object id="KTL:object-8f070cfa-16c4-5833-ac7e-be5cf56efe5b">
<cybox:Properties xsi:type="WhoisObj:WhoisObjectType">
<URIObj:Whois_Entry>
<URIObj:Contact_Info>
<URIObj:Name>Turk Telekomunikasyon Anonim Sirketi</URIObj:Name>
</URIObj:Contact_Info>
<URIObj:Creation_Date>2002-06-12T12:00Z</URIObj:Creation_Date>
<WhoisObj:Remarks>ASN="9121" AS_DESCRIPTION="TTnetTurkTelekom"
NETWORK_NAME="TR-TELEKOM-960902" NETWORK_RANGE="195.174.0.0-195.175.255.255"
NETWORK_DESCRIPTION="Turk Telekomunikasyon Anonim Sirketi"</WhoisObj:Remarks>
<URIObj:IP_Address>
<AddressObj:Address category="ipv4-addr">
<AddressObj:Address_Value>195.175.254.2</AddressObj:Address_Value>
</AddressObj:Address>
</URIObj:IP_Address>
</URIObj:Whois_Entry>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</stix:Observables>
<stix:Indicators>
<stix:Indicator id="KTL:indicator-0b00eab7-9147-5066-97b8-148e70c56282">
<indicator:Title>IpPdnsDomains</indicator:Title>
<indicator:Related_Observables>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-f1efdbc9-7105-5174-a6e5-a0e39a97bf6f">
<cybox:Description>ZONE="Grey" HITS="10000"
FIRST_SEEN="06.11.2014" LAST_SEEN="08.11.2016" PEAK_DATE="02.03.2016"
PEAK_HITS="100"</cybox:Description>
<cybox:Object id="KTL:URI-928ccb8e-50f5-5369-8000-545e9b8276b6">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">?.tumblr.com</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-be3fe8bd-e143-5f0f-b0d8-8b47188a037b">
<cybox:Description>ZONE="Grey" HITS="100"
FIRST_SEEN="13.10.2016" LAST_SEEN="08.11.2016" PEAK_DATE="22.10.2016"
PEAK_HITS="10"</cybox:Description>
<cybox:Object id="KTL:URI-5c1454a6-8d00-513f-b1da-601ac95aaca1">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">xtubehd.org</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-23533db5-3d3a-56aa-aa3e-4eba009d612e">
<cybox:Description>ZONE="Grey" HITS="100"
FIRST_SEEN="03.11.2016" LAST_SEEN="08.11.2016" PEAK_DATE="05.11.2016"
PEAK_HITS="10"</cybox:Description>
<cybox:Object id="KTL:URI-2a95cb26-9958-56fb-b4a2-054f9d16f77d">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value
condition="Equals">perinatalmedicine2015.org</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-b4def839-0139-5ae4-9b72-ccb32e682cb4">
<cybox:Description>ZONE="Grey" HITS="100"
FIRST_SEEN="07.09.2016" LAST_SEEN="08.11.2016" PEAK_DATE="01.10.2016"
PEAK_HITS="10"</cybox:Description>
<cybox:Object id="KTL:URI-14a08633-2ae1-5f15-8f4e-fbbc233de658">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">unlimiteddamage.com</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
</indicator:Related_Observables>
</stix:Indicator>
<stix:Indicator id="KTL:indicator-8b0d7e8d-061c-54c6-a95b-6446d1b5b80c">
<indicator:Title>Files downloaded from IP address</indicator:Title>
<indicator:Related_Observables>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-59d878fb-dac8-47ec-bbba-cac588fc6663">
<cybox:Description>ZONE="Red" FIRST_SEEN="09.10.2016"
LAST_SEEN="09.10.2016" HITS="10"
DETECTION_NAME="Trojan.JS.FBook.ab"</cybox:Description>
<cybox:Observable_Composition operator="AND">
<cybox:Observable id="KTL:Observable-7aeb8e41-9f0f-4dcd-9b51-be4110b6866c">
<cybox:Object id="KL_DATA_FEED:File-202848b6-c89c-0824-75cd-cbb05ea6cf92">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">B64828209CC8240875CDCBB05EA6CF92</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>B64828209CC8240875CDCBB05EA6CF92</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-b17c86a0-f236-4de0-a2c4-83c96798c06b">
<cybox:Object id="KTL:URI-987568f4-55e0-5ed0-a0d8-fd1abb760fe3">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value
condition="Equals">cinselkameralisohbet.com/like.js</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</cybox:Observable_Composition>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-7b4acefb-2caa-4a89-9126-47ebceb21e81">
<cybox:Description>ZONE="Red" FIRST_SEEN="06.07.2016"
LAST_SEEN="06.07.2016" HITS="10"
DETECTION_NAME="HEUR:Trojan.Script.Generic"</cybox:Description>
<cybox:Observable_Composition operator="AND">
<cybox:Observable id="KTL:Observable-8e88ceda-be05-412f-9862-86f407127282">
<cybox:Object id="KL_DATA_FEED:File-a4af22b3-0609-af97-be9f-ed547b6e45fe">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">B322AFA4090697AFBE9FED547B6E45FE</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>B322AFA4090697AFBE9FED547B6E45FE</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-c1e5be66-8ae5-4999-9027-07c8a17401cd">
<cybox:Object id="KTL:URI-f10c3b61-0c75-50ca-b33e-ce33b98969d9">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value
condition="Equals">library.com/stories/story.php?storyid=5044</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</cybox:Observable_Composition>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-87af2190-30d8-4764-b36f-0db1822c75f2">
<cybox:Description>ZONE="Red" FIRST_SEEN="13.06.2016"
LAST_SEEN="13.06.2016" HITS="10"
DETECTION_NAME="HEUR:Trojan.Script.Generic"</cybox:Description>
<cybox:Observable_Composition operator="AND">
<cybox:Observable id="KTL:Observable-68fe3ce3-175c-459e-914d-c71a00dc6b5f">
<cybox:Object id="KL_DATA_FEED:File-ed3c0826-7c56-9bba-c814-65f79987a287">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">26083CED567CBA9BC81465F79987A287</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>26083CED567CBA9BC81465F79987A287</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-d6a1f25a-ad83-432c-a288-f06ddbd49671">
<cybox:Object id="KTL:URI-3e1b15a0-f861-5b32-b9e2-50184f7ba39c">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">friendvideos.com</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</cybox:Observable_Composition>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-e88f35fb-39ad-435e-a387-b5a1a76ebad9">
<cybox:Description>ZONE="Red" FIRST_SEEN="06.05.2016"
LAST_SEEN="06.05.2016" HITS="10"
DETECTION_NAME="HEUR:Trojan.Script.Generic"</cybox:Description>
<cybox:Observable_Composition operator="AND">
<cybox:Observable id="KTL:Observable-9bc51e97-5a63-4f6b-85f0-8d48aaa37c9a">
<cybox:Object id="KL_DATA_FEED:File-27f0c8b9-9c11-2639-049e-bec9d97f866b">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">B9C8F027119C3926049EBEC9D97F866B</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>B9C8F027119C3926049EBEC9D97F866B</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-0f26d5f3-ddc6-4a06-a1b2-059f35ee29b2">
<cybox:Object id="KTL:URI-5f2f3931-ba38-5620-a558-84e60affd07f">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value
condition="Equals">friendvideos.com/members/d/drakedcx/383.php</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</cybox:Observable_Composition>
</cybox:Observable>
</indicator:Related_Observable>
</indicator:Related_Observables>
</stix:Indicator>
<stix:Indicator id="KTL:indicator-99ca4aed-8a43-5c90-b7b6-7c94cd7c5d76">
<indicator:Title>Hosted URLs</indicator:Title>
<indicator:Related_Observables>
<cybox:Observable id="KTL:Observable-b744e29b-7844-54d9-9fb0-e7f916de8fc1">
<cybox:Description>ZONE="Red" FIRST_SEEN="21.01.2015"
LAST_SEEN="09.11.2016" HITS="1000"</cybox:Description>
<cybox:Object id="KTL:URI-fe05b502-32ea-5c87-88fa-82df8c15919b">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">b.com/favicon.ico</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-8527213c-f799-5b76-952d-5f37a83685a2">
<cybox:Description>ZONE="Red" FIRST_SEEN="15.11.2015"
LAST_SEEN="03.10.2016" HITS="1000"</cybox:Description>
<cybox:Object id="KTL:URI-aecd587d-42e4-5e52-bf36-174433163d4f">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">where.com/favicon.ico</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-7f385b2b-38d9-5dbb-aec7-a5f2eed402f3">
<cybox:Description>ZONE="Red" FIRST_SEEN="21.06.2016"
LAST_SEEN="29.08.2016" HITS="1000"</cybox:Description>
<cybox:Object id="KTL:URI-39370ec3-8cb0-587c-931c-49d5eb68d792">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">pz.net/favicon.ico</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="KTL:Observable-8e03aa7d-e8ac-58cf-b712-18d151a69321">
<cybox:Description>ZONE="Red" FIRST_SEEN="20.01.2015"
LAST_SEEN="25.12.2015" HITS="1000"</cybox:Description>
<cybox:Object id="KTL:URI-cd3e149e-b0d8-5fe3-9631-2aa05c9e9e2f">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value
condition="Equals">site.net/ncd/afterclick/arr0.png</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observables>
</stix:Indicator>
</stix:Indicators>
<stix:TTPs>
<stix:TTP xsi:type="ttp:TTPType"
id="KTL:ttp-13e84c8f-b85e-4d41-9cd8-e5106003041c" timestamp="2016-11-09T09:37Z">
<ttp:Title>LOOKUP_IP</ttp:Title>
<ttp:Resources>
<ttp:Infrastructure>
<ttp:Observable_Characterization cybox_major_version="2"
cybox_minor_version="1">
<cybox:Observable idref="KTL:observable-b87283c7-fa74-4c25-aac9-d19abbe72871"
/>
</ttp:Observable_Characterization>
</ttp:Infrastructure>
</ttp:Resources>
</stix:TTP>
</stix:TTPs>
</stix:STIX_Package>
STIX for a domain
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may
return for the domain ddns.net in STIX format.
See result example
Data and ratings are updated dynamically. The data displayed in this example may differ
from the data for the same object requested at a later time.
DOMAIN_852808bf99be59a2902e089e26d5976a_stix.xml
<stix:STIX_Package xmlns:KTL="http://ktl.kaspersky.com"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:stix="http://stix.mitre.org/stix-1" xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
xmlns:cybox="http://cybox.mitre.org/cybox-2"
xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:ttp="http://stix.mitre.org/TTP-1"
xmlns:WhoisObj="http://cybox.mitre.org/objects#WhoisObject-2"
xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
id="KL_Botnet_Tracking:Package-6e1181fb-1c59-4214-8991-891deab614c7" version="1.2">
<stix:STIX_Header>
<stix:Title>DOMAIN LOOKUP</stix:Title>
<stix:Description>Information about lookup domain ddns.net</stix:Description>
</stix:STIX_Header>
<stix:Observables cybox_major_version="1" cybox_minor_version="1">
<cybox:Observable id="KTL:Observable-3c7c15a7-1ca9-436f-bdb6-27c8330e5c9a">
<cybox:Description>ZONE="Green" IP_COUNT="2"
FILES_COUNT="0" URLS_COUNT="10" HITS="100"</cybox:Description>
<cybox:Object id="KTL:object-0aa5bd9c-6eef-5f5c-8507-cb05b334af83">
<cybox:Properties xsi:type="WhoisObj:WhoisObjectType">
<WhoisObj:Whois_Entry>
<WhoisObj:Contact_Info>
<WhoisObj:Name>TLDS LLC. d/b/a SRSPlus</WhoisObj:Name>
<WhoisObj:Organization>Vitalwerks Internet Solutions, LLC</WhoisObj:Organization>
</WhoisObj:Contact_Info>
<WhoisObj:Creation_Date>28.06.2001</WhoisObj:Creation_Date>
<WhoisObj:Expiration_Date>28.06.2019</WhoisObj:Expiration_Date>
<WhoisObj:Domain_Name>
<URIObj:URI>
<URIObj:Value condition="Equals">ddns.net</URIObj:Value>
</URIObj:URI>
</WhoisObj:Domain_Name>
</WhoisObj:Whois_Entry>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</stix:Observables>
<stix:Indicators>
<stix:Indicator id="KTL:indicator-ab2e6385-ee49-54f7-8f92-62a520d660e0">
<indicator:Title>Domain resolved to following IP addresses</indicator:Title>
<stixCommon:TTP idref="KTL:ttp-ad122867-4c82-490c-ae86-89b53af55510"
xsi:type="ttp:TTPType" />
<indicator:Related_Observables>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-99f60c73-87e7-48fd-be82-9f09be246205">
<cybox:Description>ZONE="Grey" HITS="10"
FIRST_SEEN="14.12.2014" LAST_SEEN="14.12.2014" PEAK_DATE="14.12.2014"
PEAK_HITS="10"</cybox:Description>
<cybox:Object id="KTL:object-cfcf62ca-6194-5916-becb-024a6cd5db18">
<cybox:Properties xsi:type="AddressObj:AddressObjectType">
<AddressObj:Address category="ipv4-addr">
<AddressObj:Address_Value>213.128.81.34</AddressObj:Address_Value>
</AddressObj:Address>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-cd672eb1-d6ae-4d88-80ef-c4125d476bfd">
<cybox:Description>ZONE="Green" THREAT_SCORE="0"
HITS="1000" FIRST_SEEN="31.10.2014" LAST_SEEN="07.11.2016"
PEAK_DATE="09.08.2016" PEAK_HITS="10"</cybox:Description>
<cybox:Object id="KTL:object-e2d0d2bb-cbd9-5bf7-ad07-7de1c4d9e366">
<cybox:Properties xsi:type="AddressObj:AddressObjectType">
<AddressObj:Address category="ipv4-addr">
<AddressObj:Address_Value>8.23.224.108</AddressObj:Address_Value>
</AddressObj:Address>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
</indicator:Related_Observables>
</stix:Indicator>
<stix:Indicator id="KTL:indicator-b8e4f05e-64d3-5e7e-94e9-17727f70c8ca">
<indicator:Title>Subdomains</indicator:Title>
<stixCommon:TTP idref="KTL:ttp-ad122867-4c82-490c-ae86-89b53af55510"
xsi:type="ttp:TTPType" />
<indicator:Related_Observables>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-db0b0742-a6c9-4a89-aea8-f7f0f8925c98">
<cybox:Description>ZONE="Red" URLS_COUNT="100"
FIRST_SEEN="20.10.2016" FILES_COUNT="0"</cybox:Description>
<cybox:Object id="KTL:URI-5cb36308-3dfe-5e09-a476-781a5ae87b1d">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value
condition="Equals">bainoirtee-seg20101.ddns.net</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-da25ee22-fa34-4ca7-9723-2483e4342ebd">
<cybox:Description>ZONE="Red" URLS_COUNT="10"
FIRST_SEEN="02.11.2016" FILES_COUNT="10"</cybox:Description>
<cybox:Object id="KTL:URI-cfa49da7-950c-55f5-938a-98758abf38da">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">090005.ddns.net</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-737325c2-da64-4d0b-b1e9-570581cdbd49">
<cybox:Description>ZONE="Red" URLS_COUNT="10"
FIRST_SEEN="23.10.2016" FILES_COUNT="10"</cybox:Description>
<cybox:Object id="KTL:URI-bafc3854-cef2-537f-b8bb-82d21d1a1198">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">q1w2e3.ddns.net</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-42f79cc9-1ba1-4e9e-9abe-1d9027759351">
<cybox:Description>ZONE="Red" URLS_COUNT="10"
FIRST_SEEN="14.10.2016" FILES_COUNT="10"</cybox:Description>
<cybox:Object id="KTL:URI-0ca6250b-8f28-556e-8382-f569cd34ff9e">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">bannding123.ddns.net</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
</indicator:Related_Observables>
</stix:Indicator>
</stix:Indicators>
<stix:TTPs>
<stix:TTP xsi:type="ttp:TTPType"
id="KTL:ttp-ad122867-4c82-490c-ae86-89b53af55510" timestamp="2016-11-08T02:02Z">
<ttp:Title>LOOKUP_DOMAIN</ttp:Title>
<ttp:Resources>
<ttp:Infrastructure>
<ttp:Observable_Characterization cybox_major_version="2"
cybox_minor_version="1">
<cybox:Observable idref="KTL:observable-3c7c15a7-1ca9-436f-bdb6-27c8330e5c9a"
/>
</ttp:Observable_Characterization>
</ttp:Infrastructure>
</ttp:Resources>
</stix:TTP>
</stix:TTPs>
</stix:STIX_Package>
STIX for a web address
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may
return for the web address go.spaceshipads.com-afu.php-zone in STIX format.
See result example
Data and ratings are updated dynamically. The data displayed in this example may differ
from the data for the same object requested at a later time.
URL_20c056bbd30c5b41be005abd49506015_stix(for DOMAIN).xml
<stix:STIX_Package xmlns:KTL="http://ktl.kaspersky.com"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:stix="http://stix.mitre.org/stix-1" xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
xmlns:cybox="http://cybox.mitre.org/cybox-2"
xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:ttp="http://stix.mitre.org/TTP-1"
xmlns:WhoisObj="http://cybox.mitre.org/objects#WhoisObject-2"
xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
id="KL_Botnet_Tracking:Package-8a62b7d2-1b5c-484f-a5aa-920fb79a5325" version="1.2">
<stix:STIX_Header>
<stix:Title>URL LOOKUP</stix:Title>
<stix:Description>Information about lookup URL
go.spaceshipads.com/afu.php?zoneid=361258</stix:Description>
</stix:STIX_Header>
<stix:Observables cybox_major_version="1" cybox_minor_version="1">
<cybox:Observable id="KTL:observable-bbfb2c01-51eb-4a7b-a136-2d8016fc3ede">
<cybox:Description>ZONE="Red" IP_COUNT="76"
FILES_COUNT="1000000"
CATEGORY="URLREP_CATEGORY_INFORMATION_TECHNOLOGIES,URLREP_CATEGORY_MALWARE"</cybox:Description>
<cybox:Object id="KTL:URI-20c056bb-d30c-5b41-be00-5abd49506015">
<cybox:Propertis xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value
condition="Equals">go.spaceshipads.com/afu.php?zoneid=361258</URIObj:Value>
</cybox:Propertis>
</cybox:Object>
</cybox:Observable>
</stix:Observables>
<stix:Indicator id="KTL:indicator-e720f4b7-9610-5cda-93a4-112d101095b9">
<indicator:Title>URL Domain</indicator:Title>
<stixCommon:TTP idref="KTL:ttp-0de541b7-55f1-4be0-8a40-2fc1ba7d3d74"
xsi:type="ttp:TTPType" />
<indicator:Observable
id="KL_Botnet_Tracking:Observable-ad3ae2fb-cc62-4363-aa10-5fcfd18d5dd1">
<cybox:Object
id="KL_Botnet_Tracking:object-3e8c815b-1de2-4c6c-9008-189598762c84">
<cybox:Object id="KTL:object-35bc71a1-eca7-5718-ab86-f5e0814328c5">
<cybox:Properties xsi:type="WhoisObj:WhoisObjectType">
<WhoisObj:Whois_Entry>
<WhoisObj:Contact_Info>
<WhoisObj:Name>URL SOLUTIONS INC.</WhoisObj:Name>
<WhoisObj:Organization>GLOBAL DOMAIN PRIVACY SERVICES INC</WhoisObj:Organization>
</WhoisObj:Contact_Info>
<WhoisObj:Creation_Date>15.06.2015</WhoisObj:Creation_Date>
<WhoisObj:Expiration_Date>15.06.2018</WhoisObj:Expiration_Date>
<WhoisObj:Domain_Name>
<URIObj:URI>
<URIObj:Value condition="Equals">spaceshipads.com</URIObj:Value>
</URIObj:URI>
</WhoisObj:Domain_Name>
</WhoisObj:Whois_Entry>
</cybox:Properties>
</cybox:Object>
</cybox:Object>
</indicator:Observable>
</stix:Indicator>
<stix:Indicators>
<stix:Indicator id="KTL:indicator-1001967c-3c3a-5b59-bc29-90be69890460">
<indicator:Title>Domain resolved to following IP addresses</indicator:Title>
<stixCommon:TTP idref="KTL:ttp-0de541b7-55f1-4be0-8a40-2fc1ba7d3d74"
xsi:type="ttp:TTPType" />
<indicator:Related_Observables>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-0ed26085-264f-43df-bc37-1d0852a536da">
<cybox:Description>ZONE="Grey" THREAT_SCORE="63"
HITS="1000" FIRST_SEEN="26.02.2016" LAST_SEEN="11.03.2016"
PEAK_DATE="27.02.2016" PEAK_HITS="1000"</cybox:Description>
<cybox:Object id="KTL:object-3cbf69fc-b1cb-54be-938f-3459b6aab54d">
<cybox:Properties xsi:type="AddressObj:AddressObjectType">
<AddressObj:Address category="ipv4-addr">
<AddressObj:Address_Value>54.72.9.115</AddressObj:Address_Value>
</AddressObj:Address>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-1a745079-3141-4948-9d97-6ab5fe0416d5">
<cybox:Description>ZONE="Grey" THREAT_SCORE="25" HITS="10"
FIRST_SEEN="01.07.2016" LAST_SEEN="01.07.2016" PEAK_DATE="01.07.2016"
PEAK_HITS="10"</cybox:Description>
<cybox:Object id="KTL:object-0d996609-bd51-5c4e-9cbc-80bc44e31b48">
<cybox:Properties xsi:type="AddressObj:AddressObjectType">
<AddressObj:Address category="ipv4-addr">
<AddressObj:Address_Value>144.76.152.140</AddressObj:Address_Value>
</AddressObj:Address>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-711dad25-31d2-4320-b6c3-cffe5b4c85c7">
<cybox:Description>ZONE="Grey" HITS="10"
FIRST_SEEN="08.10.2016" LAST_SEEN="08.10.2016" PEAK_DATE="08.10.2016"
PEAK_HITS="10"</cybox:Description>
<cybox:Object id="KTL:object-d0c6a41c-64aa-51a2-9366-7cf184704f74">
<cybox:Properties xsi:type="AddressObj:AddressObjectType">
<AddressObj:Address category="ipv4-addr">
<AddressObj:Address_Value>154.51.128.11</AddressObj:Address_Value>
</AddressObj:Address>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-bf37ea8f-c0e9-4227-a35b-9d52e65654f6">
<cybox:Description>ZONE="Grey" HITS="10"
FIRST_SEEN="01.10.2016" LAST_SEEN="01.10.2016" PEAK_DATE="01.10.2016"
PEAK_HITS="10"</cybox:Description>
<cybox:Object id="KTL:object-7a43f1a3-1471-5b0e-ba87-2b9ecd8263d9">
<cybox:Properties xsi:type="AddressObj:AddressObjectType">
<AddressObj:Address category="ipv4-addr">
<AddressObj:Address_Value>100.96.5.89</AddressObj:Address_Value>
</AddressObj:Address>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
</indicator:Related_Observables>
</stix:Indicator>
<stix:Indicator id="KTL:indicator-31b1a20e-676a-579b-b85f-61a7d4900f64">
<indicator:Title>Files accessed requested URL</indicator:Title>
<stixCommon:TTP idref="KTL:ttp-0de541b7-55f1-4be0-8a40-2fc1ba7d3d74"
xsi:type="ttp:TTPType" />
<indicator:Related_Observables>
<indicator:Related_Observable
id="KTL:Observable-ac71a189-70aa-4044-afd4-c1d13ecb71f9">
<cybox:Observable id="KTL:Observable-c42b8190-50fc-4e08-88d1-84b32c27695e">
<cybox:Description>ZONE="Red" FIRST_DOWNLOADED="11.02.2016"
HITS="1000000"
DETECTION_NAME="UDS:DangerousObject.Multi.Generic,PDM:P2P-Worm.Win32.Generic,BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.Generic,
BSS:Exploit.Win32.Generic,BSS:Exploit.Win32.Generic,BSS:Worm.Win32.BSS.ScreenLock,BSS:Trojan.Win32.Generic,BSS:Exploit.Win32.Generic,
BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.Generic,Trojan.Win32.Agentb.bqvi,not-a-virus:BSS:RiskTool.Win32.DelShad.ra,
not-a-virus:AdWare.Win32.ELEX.nl,not-a-virus:HEUR:AdWare.Win32.ELEX.gen"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-90f566ee-b34f-14fb-ac3e-bd6a12713d35">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">EE66F5904FB3FB14AC3EBD6A12713D35</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>EE66F5904FB3FB14AC3EBD6A12713D35</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-b64a56bc-b0a9-4a98-af9b-5688aa36de85">
<cybox:Observable id="KTL:Observable-0826daed-0589-4d54-bf3e-1adff389167e">
<cybox:Description>ZONE="Red" FIRST_DOWNLOADED="12.10.2016"
HITS="1000000"
DETECTION_NAME="PDM:Trojan.Win32.Generic,BSS:Trojan.Win32.Generic,Virus.Win32.Sality.aa,PDM:Trojan.Win32.DNSChanger,
not-a-virus:PDM:Monitor.Win32.KeyLogger,PDM:Trojan.Win32.DebugBehaviour,PDM:Trojan.Win32.Injecter.a,PDM:Trojan.Win32.Injecter.b,
PDM:Trojan.Win32.RootShell,PDM:Trojan-Spy.Win32.Generic.a,PDM:Rootkit.Win32.Generic.a,PDM:Rootkit.Win32.Generic.c,PDM:Rootkit.Win32.Generic.e,
PDM:P2P-Worm.Win32.Generic,BSS:Trojan.Win32.StartPage.a,BSS:Exploit.Java.Generic,BSS:Trojan.Win32.Badur.a,BSS:Trojan.Win32.Badur.a,
BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.StartPage.a,not-a-virus:BSS:Downloader.Win32.LMN.a,BSS:Worm.Win32.BSS.ScreenLock,
BSS:Trojan.Win32.Generic,BSS:Exploit.Win32.Generic,BSS:Trojan.Win32.Generic"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-0b29df1b-5c27-deef-6f45-0b5476c4e215">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">1BDF290B275CEFDE6F450B5476C4E215</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>1BDF290B275CEFDE6F450B5476C4E215</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-7115f561-a3b6-48c1-9e86-469e6873c5e8">
<cybox:Observable id="KTL:Observable-003159ab-cbec-46d2-9bc9-36cac150c8bb">
<cybox:Description>ZONE="Red" FIRST_DOWNLOADED="15.10.2016"
HITS="100000" DETECTION_NAME="UDS:DangerousObject.Multi.Generic,
BSS:Trojan.Win32.Badur.a,BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.Truebadur.a,
HEUR:Exploit.Script.Blocker.U,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9b"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-4fd0bc0d-ee07-1a21-80d5-14b8ae64be81">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">0DBCD04F07EE211A80D514B8AE64BE81</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>0DBCD04F07EE211A80D514B8AE64BE81</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-cdebc1df-6270-4c0f-8627-79ff0c67cf3c">
<cybox:Observable id="KTL:Observable-58ebaf5c-09e0-483c-998f-10fe9941085f">
<cybox:Description>ZONE="Red" FIRST_DOWNLOADED="10.10.2016"
HITS="100000" DETECTION_NAME="UDS:DangerousObject.Multi.Generic,
BSS:Trojan.Win32.Badur.a,BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.Generic,BSS:Exploit.Win32.Generic,BSS:Exploit.Win32.Generic,
BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.Generic,BSS:Exploit.Win32.Generic,BSS:Exploit.Win32.Generic,BSS:Trojan.Win32.Generic,
BSS:Trojan.Win32.Generic,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9b"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-ebb74f37-2048-f09c-da7d-4e355c9eeeff">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">374FB7EB48209CF0DA7D4E355C9EEEFF</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>374FB7EB48209CF0DA7D4E355C9EEEFF</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-2afbca9f-eb7c-4dcb-9419-bd0bd905a5bc">
<cybox:Observable id="KTL:Observable-d3dc6d4c-7a29-40d0-9688-9c1ab8563a70">
<cybox:Description>ZONE="Red" FIRST_DOWNLOADED="14.10.2016"
HITS="10000"
DETECTION_NAME="UDS:DangerousObject.Multi.Generic,BSS:Trojan.Win32.Badur.a,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9a,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9b"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-800c55a7-7cd9-3aef-b0d4-4bbd403e35a4">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">A7550C80D97CEF3AB0D44BBD403E35A4</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>A7550C80D97CEF3AB0D44BBD403E35A4</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
</indicator:Related_Observables>
</stix:Indicator>
<stix:Indicator id="KTL:indicator-9a09259d-82d2-58f0-baee-df5e2cd50ba2">
<indicator:Title>Referrals to requested URL</indicator:Title>
<stixCommon:TTP idref="KTL:ttp-0de541b7-55f1-4be0-8a40-2fc1ba7d3d74"
xsi:type="ttp:TTPType" />
<indicator:Related_Observables>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-648662bd-7022-4267-990b-188d963e4488">
<cybox:Description>ZONE="Red"
LAST_REFERENCE="08.11.2016"</cybox:Description>
<cybox:Object id="KTL:URI-1bb757ba-f948-5ca0-a915-54b9b5a1d06e">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value
condition="Equals">go.spaceshipads.com/afu.php</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-68ee76c9-8bd0-4d78-8da1-ed6125b3ec19">
<cybox:Description>ZONE="Green"
LAST_REFERENCE="08.11.2016"</cybox:Description>
<cybox:Object id="KTL:URI-58b814fb-ee6b-5759-b666-c403323727b7">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value condition="Equals">yxo.warmportrait.com</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-3d7808b5-a50c-4858-8261-0deee7578fb3">
<cybox:Description>ZONE="Green"
LAST_REFERENCE="08.11.2016"</cybox:Description>
<cybox:Object id="KTL:URI-07e0e95a-aae3-51b4-b8e6-9c8769a6f7f1">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value
condition="Equals">yxo.warmportrait.com/sd/dw32.html</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-05441720-72be-494c-bd37-1952e4e22cc8">
<cybox:Description>ZONE="Green"
LAST_REFERENCE="08.11.2016"</cybox:Description>
<cybox:Object id="KTL:URI-07e0e95a-aae3-51b4-b8e6-9c8769a6f7f1">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value
condition="Equals">yxo.warmportrait.com/sd/dw32.html</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
</indicator:Related_Observables>
</stix:Indicator>
</stix:Indicators>
<stix:TTPs>
<stix:TTP xsi:type="ttp:TTPType"
id="KTL:ttp-0de541b7-55f1-4be0-8a40-2fc1ba7d3d74" timestamp="2016-11-08T02:06Z">
<ttp:Title>LOOKUP_URL</ttp:Title>
<ttp:Resources>
<ttp:Infrastructure>
<ttp:Observable_Characterization cybox_major_version="2"
cybox_minor_version="1">
<cybox:Observable idref="KTL:observable-bbfb2c01-51eb-4a7b-a136-2d8016fc3ede"
/>
</ttp:Observable_Characterization>
</ttp:Infrastructure>
</ttp:Resources>
</stix:TTP>
</stix:TTPs>
</stix:STIX_Package>
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may
return for the web address 54.171.124.134/upd/updsetup.exe in STIX format.
See result example
Data and ratings are updated dynamically. The data displayed in this example may differ
from the data for the same object requested at a later time.
URL_23483e60e81b5005a84eff5ed7e1cf20_stix (for IP
address).xml
<stix:STIX_Package xmlns:KTL="http://ktl.kaspersky.com"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:stix="http://stix.mitre.org/stix-1" xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
xmlns:cybox="http://cybox.mitre.org/cybox-2"
xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:ttp="http://stix.mitre.org/TTP-1"
xmlns:WhoisObj="http://cybox.mitre.org/objects#WhoisObject-2"
xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
id="KL_Botnet_Tracking:Package-3886bf16-16f8-4074-8702-a12ddd22a0bc" version="1.2">
<stix:STIX_Header>
<stix:Title>URL LOOKUP</stix:Title>
<stix:Description>Information about lookup URL
54.171.124.134/upd/updsetup.exe</stix:Description>
</stix:STIX_Header>
<stix:Observables cybox_major_version="1" cybox_minor_version="1">
<cybox:Observable id="KTL:observable-4fe4c43c-abd9-4fec-9180-b2032c5d19d8">
<cybox:Description>ZONE="Red" IP_COUNT="0"
FILES_COUNT="10000" CATEGORY="URLREP_CATEGORY_MALWARE"</cybox:Description>
<cybox:Object id="KTL:URI-23483e60-e81b-5005-a84e-ff5ed7e1cf20">
<cybox:Propertis xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value
condition="Equals">54.171.124.134/upd/updsetup.exe</URIObj:Value>
</cybox:Propertis>
</cybox:Object>
</cybox:Observable>
</stix:Observables>
<stix:Indicators>
<stix:Indicator id="KTL:indicator-7d9e431a-9aac-52d3-b028-535ae7c4e4f7">
<indicator:Title>Files accessed requested URL</indicator:Title>
<indicator:Related_Observables>
<indicator:Related_Observable
id="KTL:Observable-4b35df16-26a4-483f-8dd8-d5692156394e">
<cybox:Observable id="KTL:Observable-a9e94e2b-0599-4002-b882-3d960cfb8a25">
<cybox:Description>ZONE="Yellow" FIRST_DOWNLOADED="24.08.2016"
HITS="1000000"
DETECTION_NAME="Virus.Win32.Hidrag.a,BSS:Trojan.Win32.Generic,BSS:Worm.Win32.BSS.ScreenLock,BSS:Exploit.Win32.Generic,not-a-virus:Downloader.Win32.Agent.cugr,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b5,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b8,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b7,not-a-virus:BSS:AdWare.NSIS.ConvertAd.ba,not-a-virus:BSS:AdWare.Win32.ICLoader.b3,not-a-virus:BSS:Downloader.Win32.InstallMonster.ra2,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9a"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-59b35d49-14d6-f011-6882-11c8dd473cb7">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">495DB359D61411F0688211C8DD473CB7</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>495DB359D61411F0688211C8DD473CB7</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-359cce98-2311-425f-a97b-b9175865e690">
<cybox:Observable id="KTL:Observable-d9430bbe-7389-4c28-a4e0-057f1cf72def">
<cybox:Description>ZONE="Yellow" FIRST_DOWNLOADED="23.08.2016"
HITS="100000"
DETECTION_NAME="PDM:P2P-Worm.Win32.Generic,BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.Generic,not-a-virus:AdWare.Win32.AdAgent.uf,not-a-virus:AdWare.Win32.AdAgent.uh"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-ec71fb57-e676-e2d6-c10a-8a0635834b72">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">57FB71EC76E6D6E2C10A8A0635834B72</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>57FB71EC76E6D6E2C10A8A0635834B72</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-29f13be7-7dfd-4126-bbde-6aa024cc6400">
<cybox:Observable id="KTL:Observable-5d5b0a68-2d20-43e6-ae20-b1568a9051f9">
<cybox:Description>ZONE="Yellow" FIRST_DOWNLOADED="23.08.2016"
HITS="10000"
DETECTION_NAME="HEUR:Trojan.Win32.Generic,not-a-virus:AdWare.Win32.Agent.kahx"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-005e8396-f063-75be-d767-dced1f57d7f8">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">96835E0063F0BE75D767DCED1F57D7F8</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>96835E0063F0BE75D767DCED1F57D7F8</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-da1bcef3-9edf-4acc-9b30-2fc176387f63">
<cybox:Observable id="KTL:Observable-6bf06cd3-c0a9-4355-8b33-9239f5e138cf">
<cybox:Description>ZONE="Yellow" FIRST_DOWNLOADED="26.08.2016"
HITS="10000"
DETECTION_NAME="not-a-virus:HEUR:AdWare.Win32.AdAgent.gen,not-a-virus:AdWare.Win32.AdAgent.kl"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-15495167-e580-0168-485b-56a2fc48dc3b">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">6751491580E56801485B56A2FC48DC3B</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>6751491580E56801485B56A2FC48DC3B</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-7cc29634-e9dd-4dd1-a134-2864ebe67b59">
<cybox:Observable id="KTL:Observable-198c83b7-4908-47d2-a0f8-81c98d94443a">
<cybox:Description>ZONE="Grey" FIRST_DOWNLOADED="23.08.2016"
HITS="10000000"
DETECTION_NAME="not-a-virus:BSS:AdWare.Win32.Eorezo.a,BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.Generic,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b5,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b7,not-a-virus:BSS:AdWare.Win32.ICLoader.b3,BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.Generic,not-a-virus:BSS:Downloader.Win32.AdLoad.aca,not-a-virus:BSS:Downloader.Win32.InstallMonster.ra2,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9a,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9b"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-aa00338d-3725-0d5d-f724-979b28f33b27">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">8D3300AA25375D0DF724979B28F33B27</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>8D3300AA25375D0DF724979B28F33B27</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-d2182bef-931f-462f-828b-5a48b88562b1">
<cybox:Observable id="KTL:Observable-867c8a98-cfc8-4eb2-9c42-4f117bef50d9">
<cybox:Description>ZONE="Grey" FIRST_DOWNLOADED="23.08.2016"
HITS="1000000"
DETECTION_NAME="BSS:Exploit.Win32.Generic,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b3,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b5,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b7,not-a-virus:BSS:AdWare.Win32.ICLoader.b3,not-a-virus:BSS:Downloader.Win32.AdLoad.aca,not-a-virus:BSS:Downloader.Win32.InstallMonster.ra2,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9a,BSS:Trojan.Win32.Generic,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9b"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-572f5e15-75c9-1b34-6250-490c14d1123b">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">155E2F57C975341B6250490C14D1123B</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>155E2F57C975341B6250490C14D1123B</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-468ebf7a-58a5-4ee9-9084-b425ed4482b7">
<cybox:Observable id="KTL:Observable-6287549f-b9c8-4734-81e9-cd3694a1eefa">
<cybox:Description>ZONE="Grey" FIRST_DOWNLOADED="26.08.2016"
HITS="100000"
DETECTION_NAME="not-a-virus:BSS:AdWare.NSIS.ConvertAd.b5,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b7,not-a-virus:BSS:AdWare.Win32.ICLoader.b3,not-a-virus:BSS:Downloader.Win32.InstallMonster.ra2,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9a,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9b"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-a4782fba-136c-b0b6-c0a1-2f3fa3d19d16">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">BA2F78A46C13B6B0C0A12F3FA3D19D16</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>BA2F78A46C13B6B0C0A12F3FA3D19D16</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-b19bfad2-aeb9-4e94-9a3e-b26fd4c36f75">
<cybox:Observable id="KTL:Observable-af75dbf5-a6f5-4710-af26-bd0528d81a4f">
<cybox:Description>ZONE="Grey" FIRST_DOWNLOADED="24.08.2016"
HITS="100000"
DETECTION_NAME="BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.Generic,BSS:Trojan.Win32.Generic,BSS:Worm.Win32.BSS.ScreenLock,not-a-virus:BSS:AdWare.Win32.Eorezo.a,BSS:Trojan.Win32.Generic,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b5,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b7,not-a-virus:BSS:AdWare.Win32.ICLoader.b3,not-a-virus:BSS:Downloader.Win32.InstallMonster.ra2,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9a,not-a-virus:BSS:AdWare.Win32.Eorezo.a,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9b"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-d72c320c-4009-d90c-4ac2-b47621a7875f">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">0C322CD709400CD94AC2B47621A7875F</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>0C322CD709400CD94AC2B47621A7875F</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-c822a844-821b-48a3-b536-97d392567d66">
<cybox:Observable id="KTL:Observable-10c0a8c7-5736-42f8-bbb1-4ecf80600ed4">
<cybox:Description>ZONE="Grey" FIRST_DOWNLOADED="28.08.2016"
HITS="100000"
DETECTION_NAME="BSS:Trojan.Win32.Badur.a,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b5,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b8,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b7,not-a-virus:BSS:AdWare.NSIS.ConvertAd.ba,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9a,not-a-virus:BSS:AdWare.Win32.StartSurf.ra,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9b,not-a-virus:BSS:AdWare.NSIS.ConvertAd.bcb"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-7a6c58a8-febf-1af9-3eb5-1d803110bcbc">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">A8586C7ABFFEF91A3EB51D803110BCBC</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>A8586C7ABFFEF91A3EB51D803110BCBC</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-7460bd5e-5104-40bc-9b6d-1f50829f979f">
<cybox:Observable id="KTL:Observable-bee3d112-b3a5-46aa-9006-adfe7584127d">
<cybox:Description>ZONE="Grey" FIRST_DOWNLOADED="23.08.2016"
HITS="10000"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-d8fd37cd-45cd-760d-5299-75d445745e19">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">CD37FDD8CD450D76529975D445745E19</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>CD37FDD8CD450D76529975D445745E19</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-6b824a8f-b75f-4e3f-a09c-51ad0705103a">
<cybox:Observable id="KTL:Observable-68fc8939-7787-461f-8fe3-fa325978ee6f">
<cybox:Description>ZONE="Grey" FIRST_DOWNLOADED="04.09.2016"
HITS="10000"
DETECTION_NAME="BSS:Trojan.Win32.Generic,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b5,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b7"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-667ca90e-c1ea-f80d-f18d-276f9522531a">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">0EA97C66EAC10DF8F18D276F9522531A</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>0EA97C66EAC10DF8F18D276F9522531A</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-cc5fedfb-de14-4e9a-b977-0e61c32691de">
<cybox:Observable id="KTL:Observable-7dad2738-420a-460d-a1f0-66482bc1635f">
<cybox:Description>ZONE="Grey" FIRST_DOWNLOADED="23.08.2016"
HITS="1000"
DETECTION_NAME="PDM:P2P-Worm.Win32.Generic,HEUR:Trojan.Win32.Generic"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-8e2ae83e-456c-87c6-2f46-87b132338dae">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">3EE82A8E6C45C6872F4687B132338DAE</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>3EE82A8E6C45C6872F4687B132338DAE</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-098210b0-f2cf-4bbf-b9c7-b660ffcfe017">
<cybox:Observable id="KTL:Observable-cbffd93e-1eee-448c-9c79-94e05bd63cdc">
<cybox:Description>ZONE="Grey" FIRST_DOWNLOADED="23.08.2016"
HITS="10"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-4d968e9d-8e1f-8f3a-16a1-52cfe51d77b0">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">9D8E964D1F8E3A8F16A152CFE51D77B0</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>9D8E964D1F8E3A8F16A152CFE51D77B0</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-ed7b6d29-6b17-4c2b-83e5-e4ce50045f37">
<cybox:Observable id="KTL:Observable-fd030e22-ed21-490b-9c84-2ef40a3fad33">
<cybox:Description>ZONE="Green" FIRST_DOWNLOADED="24.08.2016"
HITS="1000000"
DETECTION_NAME="not-a-virus:BSS:AdWare.NSIS.ConvertAd.b5,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b7,not-a-virus:BSS:AdWare.Win32.ICLoader.b3,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9a"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-9ca08599-d12a-ac57-d295-254e86b605ff">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">9985A09C2AD157ACD295254E86B605FF</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>9985A09C2AD157ACD295254E86B605FF</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-577147a3-9aca-4aea-8c33-d7d40bcdcb06">
<cybox:Observable id="KTL:Observable-9d8f7b12-966b-4925-88ff-c2afb38e929f">
<cybox:Description>ZONE="Green" FIRST_DOWNLOADED="24.08.2016"
HITS="1000000" DETECTION_NAME="PDM:Trojan.Win32.DNSChanger,
PDM:Trojan.Win32.Injecter.b,PDM:Trojan.Win32.RootShell,PDM:Rootkit.Win32.Generic.c,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b5,
not-a-virus:BSS:AdWare.NSIS.ConvertAd.b7,not-a-virus:BSS:AdWare.Win32.ICLoader.b3,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9a"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-eb24b3b7-ed46-22cf-08b7-6f3983061d67">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">B7B324EB46EDCF2208B76F3983061D67</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>B7B324EB46EDCF2208B76F3983061D67</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-1bbb18ad-d64d-4eff-8284-3738b8457c76">
<cybox:Observable id="KTL:Observable-6bc8a16f-d3f0-4de9-84c1-c29c096223f4">
<cybox:Description>ZONE="Green" FIRST_DOWNLOADED="24.08.2016"
HITS="1000000"
DETECTION_NAME="PDM:Trojan.Win32.DNSChanger,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b5,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b7,not-a-virus:BSS:AdWare.Win32.ICLoader.b3,BSS:Trojan.Win32.Generic,not-a-virus:BSS:Downloader.Win32.InstallMonster.ra2,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9a,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9b"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-8c1a1edd-a33b-dfe7-6871-e98a79f057a0">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">DD1E1A8C3BA3E7DF6871E98A79F057A0</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>DD1E1A8C3BA3E7DF6871E98A79F057A0</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-36623afe-48a5-4aa8-9d9a-a6b9fe2c3a88">
<cybox:Observable id="KTL:Observable-07e6ae8a-d557-4506-aa29-fb53a71f4a8f">
<cybox:Description>ZONE="Green" FIRST_DOWNLOADED="23.08.2016"
HITS="100000"
DETECTION_NAME="BSS:Trojan.Win32.Badur.a,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9a"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-0dd5827d-3abc-cefd-f583-8a36b3296f86">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">7D82D50DBC3AFDCEF5838A36B3296F86</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>7D82D50DBC3AFDCEF5838A36B3296F86</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-f6925341-d8a5-462d-89ef-36b63af1d2b9">
<cybox:Observable id="KTL:Observable-23e0f9b8-58d3-4d28-99c8-a2a9704c5382">
<cybox:Description>ZONE="Green" FIRST_DOWNLOADED="27.08.2016"
HITS="100000"
DETECTION_NAME="not-a-virus:AdWare.Win32.Agent.kakt,not-a-virus:HEUR:AdWare.Win32.Agent.gen"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-a95fd20a-8baf-613c-a165-fe70bf4426de">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">0AD25FA9AF8B3C61A165FE70BF4426DE</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>0AD25FA9AF8B3C61A165FE70BF4426DE</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-a17c39d4-302d-4dee-9fcb-15a04294f609">
<cybox:Observable id="KTL:Observable-fe83b1d0-e21b-4e1d-901c-928db82f3681">
<cybox:Description>ZONE="Green" FIRST_DOWNLOADED="24.08.2016"
HITS="100000"
DETECTION_NAME="not-a-virus:BSS:AdWare.NSIS.ConvertAd.b5,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b7,not-a-virus:BSS:AdWare.Win32.ICLoader.b3,not-a-virus:BSS:Downloader.Win32.InstallMonster.ra2,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9a"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-d2096bd0-f01e-c65a-dd1c-56b67de2fc93">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">D06B09D21EF05AC6DD1C56B67DE2FC93</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>D06B09D21EF05AC6DD1C56B67DE2FC93</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-fb96d6c4-73d0-45fb-99b4-a7ca0b4690e0">
<cybox:Observable id="KTL:Observable-82be8d2c-f05a-4f94-bb6c-a89591ee3fc4">
<cybox:Description>ZONE="Green" FIRST_DOWNLOADED="24.08.2016"
HITS="10000"
DETECTION_NAME="PDM:Trojan.Win32.DNSChanger,not-a-virus:PDM:Monitor.Win32.KeyLogger,PDM:Trojan.Win32.Injecter.b"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-a7159f5b-e28f-3a52-b48c-14990e1e44ad">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">5B9F15A78FE2523AB48C14990E1E44AD</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>5B9F15A78FE2523AB48C14990E1E44AD</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-8ebc7d62-c264-4886-971e-16f4bcbc851f">
<cybox:Observable id="KTL:Observable-c9e14335-fba4-450f-929f-f2441275516e">
<cybox:Description>ZONE="Green" FIRST_DOWNLOADED="26.08.2016"
HITS="10000"
DETECTION_NAME="not-a-virus:BSS:AdWare.NSIS.ConvertAd.b5,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b7"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-cbcfc725-3a3a-947d-ba7e-b66d894b9844">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">25C7CFCB3A3A7D94BA7EB66D894B9844</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>25C7CFCB3A3A7D94BA7EB66D894B9844</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-154d2048-5eda-4989-b2e6-270dd88f455c">
<cybox:Observable id="KTL:Observable-d9178382-1707-4428-98ea-f8947f8d4fc1">
<cybox:Description>ZONE="Green" FIRST_DOWNLOADED="24.08.2016"
HITS="10000"
DETECTION_NAME="not-a-virus:BSS:Downloader.Win32.InstallMonster.ra2,not-a-virus:BSS:AdWare.NSIS.ConvertAd.b9a"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-defe3a59-464e-47d5-ab08-4d6be7cf93d0">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">593AFEDE4E46D547AB084D6BE7CF93D0</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>593AFEDE4E46D547AB084D6BE7CF93D0</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-fb43141b-4557-4d03-ba16-5b4198bafba9">
<cybox:Observable id="KTL:Observable-d12ec472-6241-48ff-8a48-f6d40fb6c16e">
<cybox:Description>ZONE="Green" FIRST_DOWNLOADED="27.08.2016"
HITS="1000"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-683ba45b-3d21-d104-9914-4dac9d4049ed">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">5BA43B68213D04D199144DAC9D4049ED</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>5BA43B68213D04D199144DAC9D4049ED</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
</indicator:Related_Observables>
</stix:Indicator>
<stix:Indicator id="KTL:indicator-911eec09-e42e-5094-b8ee-de1fa90f2067">
<indicator:Title>Files related to requested URL</indicator:Title>
<indicator:Related_Observables>
<indicator:Related_Observable
id="KTL:Observable-e1b31a68-43e6-4ace-ae32-7e5ee569d680">
<cybox:Observable id="KTL:Observable-13280701-1f74-4b8e-aeca-887e7c73f750">
<cybox:Description>ZONE="Red" FIRST_DOWNLOADED="25.08.2016"
LAST_DOWNLOADED="25.08.2016" HITS="1000"
DETECTION_NAME="UDS:DangerousObject.Multi.Generic,PDM:P2P-Worm.Win32.Generic,BSS:Trojan.Win32.Badur.a,BSS:Trojan.Win32.Truebadur.a,HEUR:Exploit.Script.Blocker.U"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-25f13129-8116-daa3-f181-e7353ea64438">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">2931F1251681A3DAF181E7353EA64438</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>2931F1251681A3DAF181E7353EA64438</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-a5eb9018-762a-4fbe-8e9b-abbcd261b45f">
<cybox:Observable id="KTL:Observable-73351931-768e-493c-a859-dc17017d1f26">
<cybox:Description>ZONE="Red" FIRST_DOWNLOADED="24.08.2016"
LAST_DOWNLOADED="24.08.2016" HITS="1000"
DETECTION_NAME="UDS:DangerousObject.Multi.Generic,PDM:P2P-Worm.Win32.Generic,BSS:Trojan.Win32.Badur.a,Trojan.MSIL.Agent.folj"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-81f6f963-3fc1-b870-19aa-b24154c0d3cb">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">63F9F681C13F70B819AAB24154C0D3CB</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>63F9F681C13F70B819AAB24154C0D3CB</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-6197beac-f080-4463-b9da-cc54d2a907a4">
<cybox:Observable id="KTL:Observable-1074ba72-1fd9-474b-bce9-06a5b2c8bc3c">
<cybox:Description>ZONE="Red" FIRST_DOWNLOADED="23.08.2016"
LAST_DOWNLOADED="23.08.2016" HITS="1000"
DETECTION_NAME="UDS:DangerousObject.Multi.Generic,PDM:P2P-Worm.Win32.Generic,BSS:Trojan.Win32.Badur.a,BSS:Trojan.Win32.Truebadur.a,not-a-virus:BSS:Downloader.Win32.LMN.ra,Trojan.MSIL.Agent.folj"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-5bac6da0-d584-8423-a5ef-42241131b1aa">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">A06DAC5B84D52384A5EF42241131B1AA</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>A06DAC5B84D52384A5EF42241131B1AA</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable
id="KTL:Observable-b9b6e0f4-1c3f-4ad3-a2d1-4709e6823bbc">
<cybox:Observable id="KTL:Observable-ec65d96e-4df7-4bbd-ba5d-362a365e6645">
<cybox:Description>ZONE="Red" FIRST_DOWNLOADED="23.08.2016"
LAST_DOWNLOADED="23.08.2016" HITS="1000"
DETECTION_NAME="UDS:DangerousObject.Multi.Generic,BSS:Trojan.Win32.Badur.a,not-a-virus:BSS:Downloader.Win32.LMN.ra,not-a-virus:BSS:AdWare.Win32.ICLoader.gen"</cybox:Description>
<cybox:Object id="KL_DATA_FEED:File-2c03762b-65d9-e6e7-29c9-6902655a9130">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals"
xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value
condition="Equals">2B76032CD965E7E629C96902655A9130</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Simple_Hash_Value>2B76032CD965E7E629C96902655A9130</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
</indicator:Related_Observables>
</stix:Indicator>
<stix:Indicator id="KTL:indicator-96535a34-b604-5c99-8b71-018058fd2798">
<indicator:Title>Referrals to requested URL</indicator:Title>
<indicator:Related_Observables>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-c1d867c2-43d3-43e6-975f-a1d3e321017a">
<cybox:Description>ZONE="Red"
LAST_REFERENCE="23.08.2016"</cybox:Description>
<cybox:Object id="KTL:URI-23483e60-e81b-5005-a84e-ff5ed7e1cf20">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value
condition="Equals">54.171.124.134/upd/updsetup.exe</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-9c158bdf-dfb7-4129-827a-bd33c2d96734">
<cybox:Description>ZONE="Green"
LAST_REFERENCE="26.08.2016"</cybox:Description>
<cybox:Object id="KTL:URI-32451edd-6264-509c-b873-4119a110d6e2">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value
condition="Equals">vahtajob.net/board/vakansii_vakhtoj_na_severe/6-7</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
</indicator:Related_Observables>
</stix:Indicator>
<stix:Indicator id="KTL:indicator-efc2bed0-022a-51e0-9b91-39e28ce7949e">
<indicator:Title>Requested object linked, forwarded, or redirected to following
URLs</indicator:Title>
<indicator:Related_Observables>
<indicator:Related_Observable>
<cybox:Observable id="KTL:Observable-c9359828-4d04-4ccd-961a-3f7f5b41c98e">
<cybox:Description>ZONE="Red"
LAST_REFERENCE="23.08.2016"</cybox:Description>
<cybox:Object id="KTL:URI-23483e60-e81b-5005-a84e-ff5ed7e1cf20">
<cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
<URIObj:Value
condition="Equals">54.171.124.134/upd/updsetup.exe</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</indicator:Related_Observable>
</indicator:Related_Observables>
</stix:Indicator>
</stix:Indicators>
<stix:TTPs>
<stix:TTP xsi:type="ttp:TTPType"
id="KTL:ttp-62a1c115-6189-4abb-8164-a2f0321a4d59" timestamp="2016-11-09T04:39Z">
<ttp:Title>LOOKUP_URL</ttp:Title>
<ttp:Resources>
<ttp:Infrastructure>
<ttp:Observable_Characterization cybox_major_version="2"
cybox_minor_version="1">
<cybox:Observable idref="KTL:observable-4fe4c43c-abd9-4fec-9180-b2032c5d19d8"
/>
</ttp:Observable_Characterization>
</ttp:Infrastructure>
</ttp:Resources>
</stix:TTP>
</stix:TTPs>
</stix:STIX_Package>
Page top
[Topic JSONforHash]
API results for hash
The table below contains possible sections available for a hash investigation in JSON format.
Certain objects can be assigned to the suspicious status.
Suspicious is the internal name that is only used to identify objects with a
threat score between 50 and 74, and it means not trusted.
200 OK response parameters
|
Section in API
|
Section in web interface
|
Description
|
|
LicenseInfo
|
—
|
Information on the license used.
AccessType—License type ("Commercial" or "Trial").
DayRequests—Number of requests performed
in the current day (for a commercial license).
DayQuota—Daily limit of requests (for a
commercial license).
TokenExpirationDate—Date when an API
token expires. If there is no API token requested, the null value is
returned.
|
|
Zone
|
On the Threat Lookup results page, the panel with
the requested object and its status appears in a certain color, depending on the zone of the investigated
object.
|
Color of the zone that a hash belongs to.
|
|
RelatedObjects
|
—
|
Information about the presence of malicious objects associated with the indicator.
HasRedZone—Shows whether there are
malicious objects (zone=red) related to the indicator: true—there are related malicious objects; false—no related malicious objects.
|
|
FileGeneralInfo
|
Overview
|
General information about the requested hash.
Md5—MD5 hash of the file requested by
hash.
Sha1—SHA1 hash of the file requested by
hash.
Sha256—SHA256 hash of the file requested
by hash.
FirstSeen—Date and time when the
requested hash was detected by Kaspersky expert systems for the first time, according to your computer local
time zone.
LastSeen—Date and time when the requested
hash was detected by Kaspersky expert systems for the last time, according to your computer local time zone.
Signer—Organization that signed the
requested hash.
SignerZone—Color of the zone indicating
the signer's trust level (red, gray, green).
SignerStatus—Trust level of the object
signature (Discredited, Not trusted,
Trusted).
Packer—Packer name.
Size—Size of the object that is being
investigated by hash (in bytes).
Type—Format of the object that is being
investigated by hash.
HitsCount—Number of hits (popularity) of
the requested hash detected by Kaspersky expert systems.
HasApt—Shows whether the file is related
to an advanced persistent threat (APT) attack.
RelatedAptReports—Array of objects that
describe APT Intelligence reports, Crimeware Threat Intelligence reports, and Industrial reports, to which
the requested hash is related. Each object contains a report's ID, type, and title. The report ID can be
used as an argument (publication_id) for the get_one
endpoint, which is used to obtain specific information for a report. If the requested hash is not related to
reports, an empty array is returned.
|
|
DetectionsInfo
|
Detection names
|
Information about detected objects.
LastDetectDate—Date and time when the
object was last detected by Kaspersky expert systems.
DescriptionUrl—Link to the detected
object description in Kaspersky threats website (if available).
Zone—Color of the zone that the detection object
belongs to.
DetectionName—Name of the detected object.
DetectionMethod—Method used to detect the
object.
|
|
FilePaths
|
File paths
|
Information about known paths to the file identified by the requested hash on
computers using Kaspersky software.
Path—Path to the file on user computers
identified by the requested hash.
Location—Root folder or drive where the
file identified by the requested hash is located on user computers.
FilePathHitsCount—Number of path
detections by Kaspersky expert systems.
|
|
FileNames
|
File names
|
Information about known names of the file identified by the requested hash on
computers using Kaspersky software.
FileName—Name of the file identified by
the requested hash.
FileNamesHitsCount—Number of file name
detections by Kaspersky expert systems.
|
|
FileDownloadedFromUrls
|
File downloaded from URLs and domains
|
Information about web addresses and domains from which the file identified by the
requested hash was downloaded.
Url—Web addresses accessed by the file
identified by the requested hash.
IsUrlTruncated—Shows whether private data
was filtered in the displayed web address.
Zone—Color of the zone that the web address
belongs to.
Domain—Upper domain of the web address
accessed by the file identified by the requested hash.
LastDownloadDate—Date and time when the
file identified by the requested hash last accessed the web address.
IpsCount—Number of IP addresses that the
domain resolves to.
|
|
FileAccessedUrls
|
File accessed the following URLs
|
Information about web addresses that were accessed by the file identified by the
requested hash.
Url—Web addresses accessed by the file
identified by the requested hash.
IsUrlTruncated—Shows whether private data
was filtered in the displayed web address.
Zone—Color of the zone that the web address
belongs to.
Domain—Upper domain of the web address
used to download the file identified by the requested hash.
LastDownloadDate—Date and time when the
file identified by the requested hash was last downloaded from the web address / domain.
IpsCount—Number of IP addresses that the
domain resolves to.
|
|
FileStartedObjects
|
File started the following objects
|
Information about objects that started the file identified by the requested hash.
Zone—Color of the zone that a file belongs to.
HitsCount—Number of times the file
identified by the requested hash was started as detected by Kaspersky expert systems.
Md5—MD5 hash of the object that started
the file identified by the requested hash.
Location—Root folder or drive where the
object is located on user computers.
Path—Path to the object on user
computers.
Name—Name of the object that started the
file identified by the requested hash.
LastStartDate—Date and time when the file
identified by the requested hash was last started.
DetectionName—Name of the detected
object.
|
|
FileStartedBy
|
File was started by the following objects
|
Information about objects that were started by the file that was identified by the
requested hash.
Zone—Color of the zone that a file belongs to.
HitsCount—Number of times the file
identified by the requested hash started the object as detected by Kaspersky expert systems.
Md5—MD5 hash of the started object.
Location—Root folder or drive where the
started object is located on user computers.
Path—Path to the object on user
computers.
Name—Name of the started object.
LastStartDate—Date and time when the
object was last started by the file identified by the requested hash.
DetectionName—Name of the detected
object.
|
|
FileDownloadedObjects
|
File downloaded the following objects
|
Information about objects that were downloaded by the file identified by the
requested hash.
Zone—Color of the zone that a file belongs to.
HitsCount—Number of times the object was
downloaded as detected by Kaspersky expert systems.
Md5—MD5 hash of the downloaded object.
Location—Root folder or drive where the
downloaded object is located on user computers.
Path—Path of the downloaded object on
user computers.
Name—Name of the downloaded object.
LastDownloadDate—Date and time when the
object was last downloaded by the file identified by the requested hash.
DetectionName—Name of the detected
object.
|
|
FileDownloadedBy
|
File was downloaded by the following objects
|
Information about objects that downloaded the file identified by the requested hash.
Zone—Color of the zone that a file belongs to.
HitsCount—Number of times the file
identified by the requested hash was downloaded as detected by Kaspersky expert systems.
Md5—MD5 hash of the object that
downloaded the file identified by the requested hash.
Location—Root folder or drive where the
object is located on user computers.
Path—Path to the object on user
computers.
Name—Name of the object that downloaded
the file identified by the requested hash.
LastDownloadDate—Date and time when the
file identified by the requested hash was last downloaded.
DetectionName—Name of the detected
object.
|
|
FileCertificates
|
File signatures and certificates
|
Information about signatures and certificates of the file identified by the requested
hash.
ParentMd5—MD5 hash of the certificate.
SerialNumber—Serial number of the
certificate.
Vendor—Owner of the certificate.
Publisher—Publisher of the certificate.
TimeStamp—Date and time when the
certificate was signed.
Issued—Date and time when the certificate
was issued.
Expires—Expiration date of the
certificate.
IsDirectlySigned—Shows whether a
certificate is embedded into the file.
IsDiscredited—Shows whether the
certificate is discredited.
IsTrusted—Shows whether the certificate
is trusted.
IsRevoked—Shows whether the certificate
is revoked.
IsGray—Shows whether the certificate is
in a Gray zone.
IsGood—Shows whether the certificate is
in a Good zone.
|
|
FileParentCertificates
|
Container signatures and certificates
|
Information about container certificates of the file identified by the requested
hash.
ParentMd5—MD5 hash of the container's
certificate.
SerialNumber—Serial number of the
container's certificate.
Vendor—Owner of the container's
certificate.
Publisher—Publisher of the container's
certificate.
TimeStamp—Date and time when the
container's certificate was signed.
Issued—Date and time when the container's
certificate was issued.
Expires—Expiration date of the
container's certificate.
IsDirectlySigned—Shows whether a
container's certificate is embedded into the file.
IsDiscredited—Shows whether the
container's certificate is discredited.
IsTrusted—Shows whether the container's
certificate is trusted.
IsRevoked—Shows whether the container's
certificate is revoked.
IsGray—Shows whether the container's
certificate is in a Gray zone.
IsGood—Shows whether the container's
certificate is in a Good zone.
|
|
FileUnpackedFrom
|
File was unpacked from the following objects
|
Information about parent objects of the file identified by the requested hash.
Zone—Color of the zone that the parent
object belongs to.
ParentMd5—MD5 hash of the parent object.
ChildMd5—MD5 hash of the child object.
For direct parent objects (level=0), the MD5 hash of the requested
object is provided.
ParentFileSize—Size of the parent object
(in bytes).
ParentFileType—File type of the parent
object.
ParentDetectionName—Detected objects
related to the parent object (for example, HEUR:Exploit.Script.Blocker).
Level—Parent level. The direct parent of
the requested object has level=0. The parent of the requested object's
parent has level=1, and so on. The maximum possible level is 5.
|
|
FileUnpackedObjects
|
File contains the following objects
|
Information about child objects of the file identified by the requested hash.
Zone—Color of the zone that the child
object belongs to.
ChildMD5—MD5 hash of the child object.
ParentMD5—MD5 hash of the parent object.
For direct child objects (level=0), the MD5 hash of the requested
object is displayed.
ChildFileSize—Size of the child object
(in bytes).
ChildFileType—File type of the child
object.
ChildDetectionName—Detected objects
related to the child object (for example, HEUR:Exploit.Script.Blocker).
Level—Child level. The direct child of the requested object has level=0. The child of the requested object's child has level=1, and so on. The maximum possible level is 5.
|
|
SimilarFiles
|
Similar files
|
Md5—MD5 hash of the object similar to the
file identified by the requested hash.
Confidence—Trust level of the object
similar to the file identified by the requested hash.
Status—Status of the object similar to
the file identified by the requested hash.
DetectionName—Name of the detected object (for
example, HEUR:Exploit.Script.Blocker).
Hits—Number of hits (popularity) for the
object similar to the file identified by the requested hash that was detected by Kaspersky expert systems
(rounded to nearest power of 10).
FirstSeen—Date and time when the similar
object was detected by Kaspersky expert systems for the first time (for your local time zone).
LastSeen—Date and time, accurate to one
minute, when the similar object was detected by Kaspersky expert systems for the last time (for your local
time zone).
Type—Type of the object similar to the
file identified by the requested hash.
Size—Size of the object similar to the
file identified by the requested hash (in bytes).
|
|
DataFeeds
|
Data Feeds
|
List of Threat Data Feeds that contain information about the requested hash. If the
requested hash is not mentioned in Threat Data Feeds, this section is not returned.
|
Page top
[Topic JSONforIP]
API results for IP address
The table below contains possible sections available for an IP address investigation in JSON
format.
Certain objects can be assigned to the suspicious status.
Suspicious is the internal name that is only used to identify objects with a
threat score between 50 and 74, and it means not trusted.
For reserved IP addresses, only LicenseInfo, Zone, IpGeneralInfo, and IpWHOIS sections are provided.
200 OK response parameters
|
Section in API
|
Section in web interface
|
Description
|
|
LicenseInfo
|
—
|
Information on the license used.
AccessType—License type ("Commercial" or "Trial").
DayRequests—Number of requests performed
in the current day (for a commercial license).
DayQuota—Daily limit of requests (for a
commercial license).
TokenExpirationDate—Date when an API
token expires. If there is no API token requested, the null value is
returned.
|
|
Zone
|
On the Threat Lookup results page, the panel with
the requested object and its status appears in a certain color, depending on the zone of the investigated
object.
|
Color of the zone that an IP address belongs to.
|
|
RelatedObjects
|
Files related to IP address
|
Information about the presence of malicious objects associated with the indicator.
HasRedZone—Shows whether there are
malicious objects (zone=red) related to the indicator: true—there are related malicious objects; false—no related malicious objects.
|
|
IpGeneralInfo
|
Overview
|
General information about the requested IP address.
HitsCount—Hits number (popularity) of the
requested IP address.
FirstSeen—Date and time when the
requested IP address appeared in Kaspersky expert systems statistics for the first time, according to your
computer local time zone.
ThreatScore—Probability of the requested
IP address to appear dangerous (0 to 100).
Ip—Requested IP address.
CountryCode—Two-letter country code (ISO
3166-1 alpha-2 standard) of a country to which the IP address belongs. For reserved and not defined IP
addresses, the NULL value is exported.
Status—Status of the IP address (Known if the country is detected, Reserved for reserved special-purpose IP addresses (see RFC 6890), and
NoInfo for IP addresses that do not belong to any country and are not
reserved).
Categories—Category of the requested IP
address.
CategoriesWithZone—Categories of the
requested IP address and zones that the category belongs to.
HasApt—Shows whether the requested IP
address is related to an advanced persistent threat (APT) attack.
RelatedAptReports—Array of objects that
describe APT Intelligence reports, Crimeware Threat Intelligence reports, and Industrial reports, to which
the requested IP address is related. Each object contains a report's ID, type, and title. The report ID can
be used as an argument (publication_id) for the get_one endpoint, which is used
to obtain specific information for a report. If the requested IP address is not related to reports, an empty
array is returned.
|
|
FilesDownloadedFromIp
|
—
|
Information that is provided about files that were downloaded from the requested IP
address and domains that resolve to the requested IP address, and MD5 hashes of files that accessed the
requested IP address.
Zone—Color of the zone that a file belongs to.
DownloadHitsCount—Number of times that a
file was downloaded from the requested IP address as detected by Kaspersky expert systems.
Md5—MD5 hash of the downloaded file.
LastSeen—Date and time that the file was
last downloaded from the requested IP address, according to your computer local time zone.
FirstSeen—Date and time the file was
first downloaded from the requested IP address, according to your computer local time zone.
DetectionName—Name of the detected
object.
Url—Web addresses used to download the
file.
|
|
HostedUrls
|
Hosted URLs
|
Information about web addresses of the domain that resolves to the requested IP
address.
Zone—Color of the zone that a web address
belongs to.
UrlHitsCount—Number of web address
detections by Kaspersky expert systems.
Url—Detected web address (including web
addresses that contain the requested IP address).
IsUrlTruncated—Shows whether private data
was filtered in the displayed web address.
FirstSeen—Date and time when the web
address was first detected, according to your computer local time zone.
LastSeen—Date and time when the web
address was last detected, according to your computer local time zone.
|
|
FeedMasks
|
URL masks
|
Information about the web address covered by the mask.
Zone—Zone of the web address
covered by the corresponding mask (Red, Orange, or Yellow).
Status—Danger level of the web address
covered by the corresponding mask (Dangerous, Not trusted, or Adware and other).
NormalizedMask—Normalized mask of the web
address.
FeedNames—Threat Data Feeds that contain
the mask of the web address (Malicious URL Data Feed, Phishing URL Data Feed, Botnet CC URL Data
Feed, APT URL Data Feed, or APT IP
Data Feed).
MaskType—Type of the mask.
|
|
IpWhoIs
|
WHOIS
|
WHOIS information about the requested IP address.
Type
Status—Status of the IP address (Known if the country is detected, Reserved for reserved special-purpose IP addresses (see RFC 6890), and
NoInfo for IP addresses that do not belong to any country and are not
reserved).
Asn—Autonomous system number, including:
Origin
Description
Net—Information about the network that
the requested IP address belongs to, including:
RangeStart
RangeEnd
Created
Changed
Name
Description
Contacts—Contact information for the
owner of the requested IP address, including:
Address
OrganizationId
Name
ContactRole
ContactType
Fax
Phone
Email
|
|
IpDnsResolutions
|
DNS resolutions for IP address
|
Information about the requested IP address.
Zone—Color of the zone that a domain (resolved
to the requested IP address) belongs to.
Domain—Domain that resolves to the
requested IP address.
FirstSeen—Date and time when the domain
first resolved to the requested IP address, according to your computer local time zone.
LastSeen—Date and time when the domain
last resolved to the requested IP address, according to your computer local time zone.
HitsCount—Number of times that the domain
resolved to the requested IP address.
DailyPeak—Maximum number of domain
resolutions to the requested IP address per day.
PeakDate—Date of maximum number of domain
resolutions to the requested IP address.
Categories—Categories of the requested IP
address.
|
|
IPSpamInfo
|
Spam attacks
|
Information about spam attacks associated with the requested IP address.
spam_attacks—Number of spam attacks.
spam_ratio—Ratio of spam generated by the
requested IP address to the rest of the content.
last_attack_date—Date of the latest spam
attack.
spam_attack_types—Array of attack types.
|
|
IPPhishingInfo
|
Phishing attacks
|
Information about phishing attacks associated with the requested IP address.
phishing_attacks—Number of phishing
attacks.
last_attack_date—Date of the latest
phishing attack.
regions—Top 10 regions affected by the
phishing attack.
phish_kit—Name of a phishing kit (a set
of materials and tools) used during the phishing attack.
stolen_data_type—Type of data stolen
during phishing attack, for example, user names, passwords.
attacked_industry—Target industry of a
phishing attack.
attacked_organization—Target organization
of a phishing attack.
|
|
DataFeeds
|
Data Feeds
|
List of Threat Data Feeds that contain information about the requested IP address. If
the requested IP address is not mentioned in Threat Data Feeds, this section is not returned.
|
Page top
[Topic JSONforDomain]
API results for domain
The table below contains possible sections available for a domain investigation in JSON format.
Certain objects can be assigned to the suspicious status.
Suspicious is the internal name that is only used to identify objects with a
threat score between 50 and 74, and it means not trusted.
200 OK response parameters
|
Section in API
|
Section in web interface
|
Description
|
|
LicenseInfo
|
—
|
Information on the license used:
AccessType—License type (Commercial or Trial).
DayRequests—Number of requests performed
in the current day (for a commercial license).
DayQuota—Daily limit of requests (for a
commercial license).
TokenExpirationDate—Date when an API
token expires. If there is no API token requested, the null value is
returned.
|
|
Zone
|
On the Threat Lookup results page, the panel with
the requested object and its status appears in a certain color, depending on the zone of the investigated
object.
|
Color of the zone that a domain belongs to.
|
|
RelatedObjects
|
—
|
Information about the presence of malicious objects associated with the indicator.
HasRedZone—Shows whether there are
malicious objects (zone=red) related to the indicator: true—there are related malicious objects; false—no related malicious objects.
|
|
DomainGeneralInfo
|
Overview
|
The following information about the requested domain will be provided:
FilesCount—Number of known malicious /
all files.
UrlsCount—Number of known malicious / all
web addresses.
HitsCount—Number of IP addresses related
to the domain.
Domain—Name of the requested domain.
Ipv4Count—Number of IP addresses (IPv4)
for the requested domain.
Categories—Categories
of the requested domain.
CategoriesWithZone—Categories of the
requested domain and zones that the category belongs to.
HasApt—Shows whether the requested domain
is related to an advanced persistent threat (APT) attack.
RelatedAptReports—Array of objects that
describe APT Intelligence reports, Crimeware Threat Intelligence reports, and Industrial Threat intelligence
reports to which the requested domain is related. Each object contains a report's ID, type, and title. The
report ID can be used as an argument (publication_id) for the get_one
endpoint, which is used to obtain specific information for a report. If the requested domain is not related
to reports, an empty array is returned.
|
|
FilesAccessed
|
Files that accessed the requested domain
|
Information about files that accessed the requested domain:
Zone—Color of the zone that a file
belongs to.
AccessedHitsCount—Number of file
downloads from the requested domain as detected by Kaspersky expert systems.
Md5—MD5 hash of the downloaded file.
LastSeen—Date and time when the file was
last downloaded from the requested domain, according to your computer local time zone.
FirstSeen—Date and time when the file was
first downloaded from the requested domain, according to your computer local time zone.
DetectionName—Name of the detected
object.
|
|
FilesDownloaded
|
Files downloaded from requested domain
|
Information about objects that were downloaded from the requested domain and web
addresses of the requested domain:
Zone—Color of the zone that a file
belongs to.
DownloadedHitsCount—Number of file
downloads from the requested domain as detected by Kaspersky expert systems.
Md5—MD5 hash of the downloaded file.
LastSeen—Date and time when the file was
last downloaded from the requested domain, according to your computer local time zone.
FirstSeen—Date and time when the file was
first downloaded from the requested domain, according to your computer local time zone.
DetectionName—Date and time when the file
was first downloaded from the requested domain.
|
|
Subdomains
|
Subdomains
|
Information about hosts related to the requested domain (subdomains):
Zone—Color of the zone that a subdomain
belongs to.
Subdomain—Name of the detected subdomain.
UrlsCount—Number of web addresses related
to the subdomain.
FilesCount—Number of files hosted on the
detected subdomain.
FirstSeen—Date and time when the
subdomain was first detected, according to your computer local time zone.
|
|
UrlReferrals
|
Referrals to domain
|
Information about web addresses that refer to the requested domain:
Zone—Color of the zone that a web address
belongs to.
LastSeen—Date and time when the requested
domain was last referred to by listed web addresses, according to your computer local time zone.
Url—Web address that refers to the
requested domain.
IsUrlTruncated—Shows whether private data
was filtered in the displayed web address.
|
|
UrlReferredTo
|
Domain referred to the following URLs
|
Information about web addresses that the requested domain refers to:
Zone—Color of the zone that a web address
belongs to.
LastSeen—Date and time when the requested
domain was last referred to by listed web addresses, according to your computer local time zone.
Url—Web address that refers to the
requested domain.
IsUrlTruncated—Shows whether private data
was filtered in the displayed web address.
|
|
DomainWhoIsInfo
|
WHOIS
|
The following information about the requested domain will be provided:
DomainName—Name of the requested domain.
Created—Date when the requested domain
was registered.
Updated—Date when registration
information about the requested domain was last updated.
Expires—Expiration date of the requested
domain.
NameServers—Name servers of the requested
domain.
Contacts—Contact information for the
owner of the requested domain, including:
ContactType
Name
Organization
Address
City
State
PostalCode
CountryCode
Phone
Fax
Email
Registrar—Name, IANA ID, and email of the
registrar of the requested domain.
DomainStatus—Statuses of the requested
domain.
RegistrationOrganization—Name of the
registration organization.
|
|
DomainDnsResolutions
|
DNS resolutions for domain
|
The following information about the requested domain will be provided:
Zone—Color of the zone that the domain
belongs to.
Ip—IP address.
CountryCode—Two-letter country code (ISO
3166-1 alpha-2 standard) of a country to which the IP address belongs. For reserved and not defined IP
addresses, the NULL value is exported.
Status—Status of the IP address (Known if the country is detected, Reserved for reserved special-purpose IP addresses (see RFC 6890), and
NoInfo for IP addresses that do not belong to any country and are not
reserved).
HitsCount—Number of IP address detections
by Kaspersky expert systems.
FirstSeen—Date and time when the
requested domain first resolved to the IP address, according to your computer local time zone.
LastSeen—Date and time when the requested
domain last resolved to the IP address, according to your computer local time zone.
DailyPeak—Maximum number of domain
resolutions to the IP address per day.
PeakDate—Date of maximum number of domain
resolutions to the IP address.
ThreatScore—Probability that the
requested domain will be dangerous (0 to 100).
|
|
FeedMasks
|
URL masks
|
The following information about the requested domain will be provided:
Zone—Color of the zone that a domain
belongs to (Red or Yellow).
NormalizedMask—Requested domain mask.
FeedNames—Threat Data Feeds that contain
the requested domain mask.
Type—Type of the requested domain and
web addresses mask.
|
|
hostSimilarDomains
|
Similar domains
|
The following information about domains whose names are close in spelling to the name
of the requested domain is provided:
zone—Color of the zone that a similar domain
belongs to.
domain—Similar domain name.
registration—Date when a similar domain
was registered.
expiration—Expiration date of a similar
domain.
http_open—Shows whether an HTTP port is
open.
https_open—Shows whether an HTTPS port is
open.
|
|
hostSpamInfo
|
Spam attacks
|
The following information about spam attacks associated with the requested domain is
provided:
spam_attacks—Number of spam attacks.
spam_ratio—Ratio of spam generated by the
requested domain to the rest of the content.
last_attack_date—Date of the latest spam
attack.
spam_attack_types—Array of attack types.
|
|
hostPhishingInfo
|
Phishing attacks
|
The following information about phishing attacks associated with the requested domain
is provided:
phishing_attacks—Number of phishing
attacks.
last_attack_date—Date of the latest
phishing attack.
regions—Top 10 regions affected by the
phishing attack.
phish_kit—Name of a phishing kit (a set
of materials and tools) used during the phishing attack.
stolen_data_type—Type of data stolen
during phishing attack, for example, user names, passwords.
attacked_industry—Target industry of a
phishing attack.
attacked_organization—Target organization
of a phishing attack.
|
|
DataFeeds
|
Data Feeds
|
List of Threat Data Feeds that contain information about the requested domain. If the
requested domain is not mentioned in Threat Data Feeds, this section is not returned.
|
Page top
[Topic JSONforURL]
API results for web address
The table below contains possible sections available for a web address investigation in JSON
format.
Certain objects can be assigned to the suspicious status.
Suspicious is the internal name that is only used to identify objects with a
threat score between 50 and 74, and it means not trusted.
200 OK response parameters
|
Section in API
|
Section in web interface
|
Description
|
|
LicenseInfo
|
—
|
Information on the license used.
AccessType—License type ("Commercial" or "Trial").
DayRequests—Number of requests performed
in the current day (for a commercial license).
DayQuota—Daily limit of requests (for a
commercial license).
TokenExpirationDate—Date when an API
token expires. If there is no API token requested, the null value is
returned.
|
|
Zone
|
On the Threat Lookup results page, the panel with
the requested object and its status appears in a certain color, depending on the zone of the investigated
object.
|
Color of the zone that a web address belongs to.
|
|
RelatedObjects
|
—
|
Information about the presence of malicious objects associated with the indicator.
HasRedZone—Shows whether there are
malicious objects (zone=red) related to the indicator: true—there are related malicious objects; false—no related malicious objects.
|
|
UrlGeneralInfo
|
Overview
|
General information about the requested web address.
Url—Requested web address.
Host—Name of the upper-level domain of
the requested web address.
Ipv4Count—Number of IP addresses (IPv4)
for the requested web address.
FilesCount—Number of files for the
requested web address.
Categories—Categories
of the requested web address.
CategoriesWithZone—Categories of the
requested web address and zones that the category belongs to.
HasApt—Shows whether the requested web
address is related to an advanced persistent threat (APT) attack.
RelatedAptReports—Array of objects that
describe APT Intelligence reports, Crimeware Threat Intelligence reports, and Industrial Threat Intelligence
reports, to which the requested web address is related. Each object contains a report's ID, type, and title.
The report ID can be used as an argument (publication_id) for the
get_one
endpoint, which is used to obtain specific information for a report. If the requested web address is not
related to reports, an empty array is returned.
|
|
FilesAccessed
|
Files that accessed requested URL
|
Information about MD5 hashes of files that accessed the requested web address.
Zone—Color of the zone that a file belongs to.
AccessedHitsCount—Number of file
downloads from the requested web address as detected by Kaspersky expert systems.
Md5—MD5 hash of the downloaded file.
LastSeen—Date and time when the file was
last downloaded from the requested web address, according to your computer local time zone.
FirstSeen—Date and time when the file was
first downloaded from the requested web address, according to your computer local time zone.
DetectionName—Name of the detected
object.
|
|
FilesDownloaded
|
Files downloaded from requested URL
|
Information about objects that were downloaded from the requested web address.
Zone—Color of the zone that a file belongs to.
DownloadedHitsCount—Number of file
downloads from the requested web address as detected by Kaspersky expert systems.
Md5—MD5 hash of the downloaded file.
LastSeen—Date and time when the file was
last downloaded from the requested web address, according to your computer local time zone.
FirstSeen—Date and time when the file was
first downloaded from the requested web address, according to your computer local time zone.
DetectionName—Name of the detected
object.
|
|
UrlReferrals
|
Referrals to requested URL
|
Information about web addresses that refer to the requested web address.
Zone—Color of the zone that a web address
belongs to.
LastSeen—Date and time when the requested
web address was last referred to, according to your computer local time zone.
Url—Web address that refers to the
requested web address.
IsUrlTruncated—Shows whether private data
was filtered in the displayed web address.
|
|
UrlReferredTo
|
Requested object linked, forwarded, or redirected to the
following URLs
|
Information about web addresses that the requested object linked, forwarded, or
redirected to.
Zone—Color of the zone that a web address
belongs to.
LastSeen—Date and time when the requested
web address last linked, forwarded, or redirected to listed web addresses, according to your computer local
time zone.
Url—Web address accessed by the requested
web address.
IsUrlTruncated—Shows whether private data
was filtered in the displayed web address.
|
|
UrlDomainWhoIs
|
WHOIS
|
Information about the requested web address will be provided.
DomainName—Name of the domain of the
requested web address.
Created—Date when the domain for the
requested web address was registered.
Updated—Date when registration
information about the domain for the requested web address was last updated.
Expires—Expiration date of the prepaid
domain registration term.
NameServers—Name servers of the domain
for the requested web address.
Contacts—Contact information for the
owner of the domain, including:
ContactType
Name
Organization
Address
City
State
PostalCode
CountryCode
Phone
Fax
Email
Registrar—Name, IANA ID, and email of the
registrar of the domain.
DomainStatus—Statuses of the domain.
RegistrationOrganization—Name of the
registration organization.
Asn—Autonomous system number, including:
Number
Description
Net—Information about the network,
including:
RangeStart
RangeEnd
Created
Changed
Name
Description
|
|
DomainDnsResolutions
|
DNS resolutions for domain
|
Information about the requested web address:
Zone—Color of the zone that the domain
belongs to.
Ip—IP address.
CountryCode—Two-letter country code (ISO
3166-1 alpha-2 standard) of a country to which the IP address belongs. For reserved and not defined IP
addresses, the NULL value is exported.
Status—Status of the IP address (Known if the country is detected, Reserved for reserved special-purpose IP addresses (see RFC 6890), and
NoInfo for IP addresses that do not belong to any country and are not
reserved).
HitsCount—Number of IP address detections
by Kaspersky expert systems.
FirstSeen—Date and time when the domain
for the requested web address first resolved to the IP address, according to your computer local time zone.
LastSeen—Date and time when the domain
for the requested web address last resolved to the IP address, according to your computer local time zone.
DailyPeak—Maximum number of domain
resolutions to the IP address per day.
PeakDate—Date of maximum number of domain
resolutions to the IP address.
ThreatScore—Probability that the
requested web address will be dangerous (0 to 100).
|
|
FeedMasks
|
URL masks
|
Information about the requested web address.
Zone—Zone of web addresses covered
by the corresponding mask (Red or Yellow).
NormalizedMask—Mask of the requested web
address's domain.
FeedNames—Threat Data Feeds that contain
the mask of the requested web address's domain.
|
|
UrlSpamInfo
|
Spam attacks
|
Information about spam attacks associated with the requested web address.
spam_messages—Number of spam messages
containing the requested web address.
|
|
UrlPhishingInfo
|
Phishing attacks
|
Information about phishing attacks associated with the requested web address.
phishing_status—Indicates whether the
requested web address can be considered as phishing one.
phishing_attacks—Number of phishing
attacks.
last_attack_date—Date of the latest
phishing attack.
regions—Top 10 regions affected by the
phishing attack.
phish_kit—Name of a phishing kit (a set
of materials and tools) used during the phishing attack.
stolen_data_type—Type of data stolen
during phishing attack, for example, user names, passwords.
attacked_industry—Target industry of a
phishing attack.
attacked_organization—Target organization
of a phishing attack.
|
|
DataFeeds
|
Data Feeds
|
List of Threat Data Feeds that contain information about the requested web address.
If the requested web address is not mentioned in Threat Data Feeds, this section is not returned.
|
Page top
[Topic DetectedFileTypes]
Automatically detected file types
Kaspersky Threat Intelligence Portal automatically detects the type of an executed file if you
do not specify it manually when creating a file execution task (Executing a file, Starting a file upload
and execution).
In this section, possible file types are listed. The following list of file types is not fixed,
and can be modified during components update.
3
3gp.
7
7z.
A
a3x, access, ace, adts, alzip, amr, andbxml, apk, apple_enc, arch, arj, asf, au3, avi.
B
beam, bencode, binder, bmp, bplist, bzip2.
C
cab, cert, chm, class, cmd, coff, cpl, crx, csc.
D
daa, dds, delta_compr, dex, dicom, djvu, dll, doc, docm, docx, dotm, dotx, dqy, dsstore, dwg.
E
emf, eml, eot, exe.
F
f4v, flac, flv, freearch, fxc.
G
gbi, gif, gz.
H
hlp, hta, html.
I
ico, iqy, iso.
J
jar, jetdb, jetdb2016, jpeg, js, jsc, jse, jserobj.
K
khi.
L
le, leveldb, lha, lnk, lx.
M
macho, midi, mkv, mo, mp3, mpp, msbuild, msg, msi, mz.
N
ne, nls.
O
odex, odp, ods, odt, ogg, one.
P
pack200, pcap, pdb, pdf, pe64_com, pe64_cpl, pe64_dll, pe64_exe, pe64_srv, pe64_sys, pe_com,
pe_cpl, pe_dll, pe_exe, pe_srv, pe_sys, pea, pl, png, potm, potx, ppam, ppsm, ppsx, ppt, pptm, pptx, ps1, psd,
pst, pub, pycode.
R
rar, raw, reg, ri64, riff, riffw64, rpm, rqy, rtf.
S
script, sct, sdb, sh, sqlite, svg, swf, sylk, szdd.
T
tar, tga, tiff, tnef, ts, ttcf, ttf, txt, type1_font.
U
udif.
V
vba, vbe, vbs, vsd, vsdx, vss.
W
wav, webm, wim, wmf, woff, wordml, wsf.
X
xap, xar, xcf, xlam, xls, xlsb, xlsm, xlsx, xltm, xltx, xml, xpi, xsl, xz.
Z
z, zip, zlibstream.
Page top
[Topic IPcategories]
IP address categories
This section describes categories that Kaspersky Threat Intelligence Portal returns for IP
addresses.
IP address categories
|
Category name
|
Category code
(used in API and exporting)
|
Description
|
|
APT
|
CATEGORY_APT
|
The host with this IP address is related to an APT attack and/or mentioned in a
report.
|
|
APT C&C Tracking
|
CATEGORY_APT_CNC_TRACKING
|
IP addresses involved in Advanced Persistent Threat (APT) infrastructure as Command
and Control (C&C) server.
|
|
Botnet C&C
|
CATEGORY_BOTNET_CNC
|
Command and control (C&C) servers that remotely send malicious commands to a
botnet, or other resources, access to which indicates a possible infection.
|
|
Compromised
|
CATEGORY_COMPROMISED
|
The host with this IP address is usually legitimate but is infected or compromised at
the moment of the analysis.
|
|
Crimeware
|
CATEGORY_CRIMEWARE
|
The host with this IP address is used in attacks on any organization for the purpose
of stealing/extorting funds.
|
|
Denial of service attacks
|
CATEGORY_NETATTACK_DDOS
|
The host with this IP address performs DDoS attacks.
|
|
Industrial Threat
|
CATEGORY_ICS_THREAT
|
The host with this IP address is used in malicious campaigns targeting industrial
organizations, as well as in vulnerabilities found in the most popular industrial control systems and
underlying technologies.
|
|
Intrusion attacks
|
CATEGORY_NETATTACK_INTRUSION
|
Represents external IP addresses attempting exploitation, potentially leading to
remote code execution.Â
|
|
Malware
|
CATEGORY_MALWARE
|
The host with this IP address hosts malware.
|
|
Multi-User IP
|
CATEGORY_NAT_GATEWAY
|
Identifies IP addresses related to Network Address Translation (NAT) gateways.
|
|
Network port scanning
|
CATEGORY_NETATTACK_SCAN
|
Indicates systematic scanning activities, often as a precursor to more targeted
attacks (searching for network vulnerabilities).
|
|
Password brute-force attempts
|
CATEGORY_NETATTACK_BRUTEFORCE
|
Identifies repeated and aggressive attempts to gain unauthorized access by
systematically trying different user name and password combinations.
|
|
Phishing
|
CATEGORY_PHISHING
|
The host with this IP address hosts phishing web pages.
|
|
Proxy
|
CATEGORY_PROXY
|
Indicates a public proxy server.
|
|
Sinkhole
|
CATEGORY_SINKHOLE
|
Identifies traffic directed towards a sinkhole—a network component
strategically employed by anti-malware researchers to redirect and isolate malicious traffic away from its
intended targets.
|
|
Spam
|
CATEGORY_SPAM
|
IP address sends spam.
|
|
Tor Exit Node
|
CATEGORY_TOR_EXIT_NODE
|
Indicates a Tor exit node.
|
|
Tor Node
|
CATEGORY_TOR_NODE
|
Indicates a Tor node.
|
|
VPN
|
CATEGORY_VPN
|
The host with this IP address is used by public VPN providers to host VPN servers.
|
Page top
[Topic SearchSyntaxExamples]
Search syntax examples
When working with Dark web or Surface web data, you should typically run a custom search based
on keywords. These include your company, brand, product name, or unique strings related to your organization.
For the Dark web posts, social media publications, and other hidden publications, Kaspersky
Threat Intelligence Portal supports simple Elasticsearch queries.
The following search operators can be used:
- Conditional union operator AND: +
Example: keyword1 + keyword2 — returns
messages containing both keyword1 and keyword2.
- Exclusive operator: -
Example: -keyword1 — returns messages that
do not contain keyword1.
- Space between two keywords (or symbol | ) is equivalent for
logical disjunction operator OR
Example: keyword1 keyword2 / keyword1 | keyword2 — returns messages containing keyword1 or keyword2.
- Double quotes are used to search for a phrase consisting of
two or more words: ""
Example: "keyword1 keyword2".
- Asterisk symbol (*) for any sequence of characters
Example: keyw* — returns all messages that
begin with keyw: keyword1, keyword2, keywhat, etc.
- Asterisk symbol (*) to filter results by source
Example: darknet_site.com* — returns all
publications found on the darknet_site.com web site.
Do not use schemes (HTTP or HTTPS) or slash character (/) to perform the search.
- Round brackets () to group performed operations
Example: (keyword1 | keyword2) + YYYY* —
returns messages for the specified year (YYYY) that contain keyword1 or keyword2.
- The ~N operator after a word, where N is an integer specifying
the allowed edit distance for matching (Levenshtein edit distance)
Example: keyword~2 — returns messages which
allow two edits to make the keyword.
- The ~N operator after a phrase, where N is the maximum number
of positions allowed between matching tokens
Example: "keyword1 keyword2"~2 —
returns messages which allow two changes in word sequence to make the "keyword1 keyword2" phrase.
- Backslash (\) before a control character to escape it and
interpret literally as a regular character
Example: \" + keyw* — Returns messages
containing " (double quotes) and keyword1, keyword2, keywhat, etc.
- Combined search using multiple criteria
Example: "Kaspersky Lab" + -keys + 202112* — returns messages that
contain the phrase "Kaspersky Lab" and do not contain the word
"keys", posted in December, 2021.
More information on syntax and working with search operators is available at: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-simple-query-string-query.html#simple-query-string-syntax.
Page top
[Topic CommandLine]
Examples of command line parameters
Kaspersky Threat Intelligence Portal allows you to start object execution with specific command
line parameters. The Command line parameters field is optional and available
only when a Microsoft Windows execution environment is selected.
You can use environment variables by placing the % sign in
front of and after the variable name, for example: %SYSTEMROOT%. By default,
the environment variables are expanded on the user's host before the object is transferred to and executed in the
Sandbox. To transfer environment variables to the Sandbox as is, without expansion, use the %% sign, for example: %%SYSTEMROOT%%.
The command line may contain a $sample variable that will
be replaced in the Sandbox with the actual path to the object in the operating system (for example, <notepad path> /A $sample).
A command in the command line must not exceed 1024 characters, otherwise Kaspersky Threat
Intelligence Portal shortens it. Depending on the technical constraints of an operating system that is used as an
execution environment in the Sandbox, the command may be further shortened.
|
Examples:
Specify an application that you want to execute the object with:
%windir%\System32\notepad.exe /a $sample
"%ProgramFiles%\Internet Explorer\iexplore.exe" $sample
Specify a file to write the output of the object to:
$sample > %userprofile%\test_output.txt
Execute an object and write the output into a file that includes the
computer name as the file name:
$sample --t –r=2 >> %TEMP%\%COMPUTERNAME%.txt
|
Environment variables usage
|
Environment variables
|
Microsoft Windows 10 x64
|
Microsoft Windows 7 x64
|
Microsoft Windows 7
|
Microsoft Windows XP
|
|
ALLUSERSPROFILE
|
|
|
|
|
|
APPDATA
|
|
|
|
|
|
CLIENTNAME
|
.
|
|
|
|
|
CommonProgramFiles
|
|
|
|
|
|
CommonProgramFiles(x86)
|
|
|
|
|
|
CommonProgramW6432
|
|
|
|
|
|
COMPLUS_ProfAPI_ProfilerCompatibilitySetting
|
|
|
|
|
|
COMPUTERNAME
|
|
|
|
|
|
ComSpec
|
|
|
|
|
|
COR_ENABLE_PROFILING
|
|
|
|
|
|
COR_PROFILER
|
|
|
|
|
|
DriverData
|
|
|
|
|
|
FP_NO_HOST_CHECK
|
|
|
|
|
|
HOME
|
|
|
|
|
|
HOMEDRIVE
|
|
|
|
|
|
HOMEPATH
|
|
|
|
|
|
LOCALAPPDATA
|
|
|
|
|
|
LOGNAME
|
|
|
|
|
|
LOGONSERVER
|
|
|
|
|
|
MAIL
|
|
|
|
|
|
NUMBER_OF_PROCESSORS
|
|
|
|
|
|
OneDrive
|
|
|
|
|
|
OS
|
|
|
|
|
|
Path
|
|
|
|
|
|
PATHEXT
|
|
|
|
|
|
PROCESSOR_ARCHITECTURE
|
|
|
|
|
|
PROCESSOR_IDENTIFIER
|
|
|
|
|
|
PROCESSOR_LEVEL
|
|
|
|
|
|
PROCESSOR_REVISION
|
|
|
|
|
|
ProgramData
|
|
|
|
|
|
ProgramFiles
|
|
|
|
|
|
ProgramFiles(x86)
|
|
|
|
|
|
ProgramW6432
|
|
|
|
|
|
PROMPT
|
|
|
|
|
|
PSModulePath
|
|
|
|
|
|
PUBLIC
|
|
|
|
|
|
PWD
|
|
|
|
|
|
SESSIONNAME
|
|
|
|
|
|
SHELL
|
|
|
|
|
|
SHLVL
|
|
|
|
|
|
SystemDrive
|
|
|
|
|
|
SystemRoot
|
|
|
|
|
|
TEMP
|
|
|
|
|
|
TERM
|
|
|
|
|
|
TMP
|
|
|
|
|
|
USER
|
|
|
|
|
|
USERDOMAIN
|
|
|
|
|
|
USERDOMAIN_ROAMINGPROFILE
|
|
|
|
|
|
USERNAME
|
|
|
|
|
|
USERPROFILE
|
|
|
|
|
|
windir
|
|
|
|
|
|
windows_tracing_flags
|
|
|
|
|
|
windows_tracing_logfile
|
|
|
|
|
|
XDG_RUNTIME_DIR
|
|
|
|
|
|
XDG_SEAT
|
|
|
|
|
|
XDG_SESSION_ID
|
|
|
|
|
|
XDG_VTNR
|
|
|
|
|
Page top
[Topic InternetChannelValues]
Internet channel values
Kaspersky Threat Intelligence Portal allows you to select a region or an individual country for
a network channel that the executed file can use to access the internet. There are individual countries among the
regions through which the executed file can access the internet.
The table below contains descriptions for available internet channel parameter values. For other
regions, a value detected by Kaspersky Threat Intelligence Portal during the file execution is displayed.
Available internet channel parameter's values
|
Value in website
|
Value in API
|
Description
|
|
Any channel
|
any
|
The internet channel belongs to any region and does not direct traffic through the
TOR network. If no region is available, the Tarpit value is selected.
|
|
Tor
|
tor
|
The internet channel that does not belong to any region and directs traffic through
the TOR network.
|
|
Tarpit
|
tarpit
|
The access to the internet is emulated. This option is used when internet is not
available or the analyzed object should not have access to the internet.
|
Page top
[Topic DefaultPasswords]
Default passwords for archives
Kaspersky Threat Intelligence Portal uses the following default passwords to unpack
password-protected archives, if you did not specify a password when creating an object analysis task. These
passwords can be used both for Kaspersky Sandbox and Kaspersky Threat Attribution Engine tasks.
- infected
- password
- 123456
- 123456789
- 12345678
- qwerty
Page top
[Topic AdditionalInfoAttack]
Additional information about phishing attack
The table below describes the structure of a JSON file that includes metadata about a phishing
attack. You can download an archive containing the JSON file via Kaspersky Threat Intelligence Portal web
interface or API method.
The described fields are optional and may be omitted in the JSON file if the relevant
information is not available. Also, the JSON file may contain fields that are not described in the table.
JSON fields
|
Field
|
Description
|
|
phishing_url
|
Phishing web address.
|
|
redirect
|
Indicator that shows whether the phishing web address redirects to another web
address (true or false).
|
|
redirect_to
|
Web address which the phishing web address redirects to.
|
|
brand
|
Name of the brand mentioned on the web page located at the phishing web address.
|
|
first_seen
|
Date and time when the phishing web address was first detected, specified in the UNIX
time stamp system (number of seconds elapsed since 00:00:00 UTC, 1 January 1970).
For a web address detected for the first time, the values of the first_seen and last_seen fields are
the same.
|
|
last_seen
|
Date and time when the phishing web address was last detected, specified in the UNIX
time stamp system (number of seconds elapsed since 00:00:00 UTC, 1 January 1970).
|
|
popularity
|
Phishing web address popularity index for the last three months.
|
|
users_geo
|
Top 10 countries from which Kaspersky users have accessed the phishing web address in
the last three months.
|
|
resolver_ips
|
IP addresses to which the phishing web address resolves.
|
|
stolen_data
|
Types of stolen data.
|
|
attack_type
|
Type of attack.
|
|
whoisinfo
|
Section containing WHOIS information about an object.
|
|
whois_object
|
Name of an object for which WHOIS information is provided.
|
|
main
|
Section containing general information about the object specified in the whois_object field.
|
|
changed
|
Date of last information update about the domain or network in the registrar
database.
|
|
created
|
Date of the domain or network registration.
|
|
paidtill
|
Date until which the domain registration is paid.
|
|
handle
|
Network ID, the unique descriptor assigned to the network by the registrar.
|
|
ip-max
|
Maximum value of the IP address range in the network.
|
|
ip-min
|
Minimum value of the IP address range in the network.
|
|
nserver
|
DNS server name.
|
|
status
|
Object status.
|
|
country
|
Country code.
|
|
descr
|
Description of a domain or network.
|
|
name
|
Network name, the unique descriptor assigned to the network by the registrar.
|
|
source
|
Data source.
|
|
contacts
|
Section containing contact information.
|
|
person
|
Name of the domain or network owner.
|
|
organization
|
Name of the organization that owns the domain or network.
|
|
role
|
Contact role (owner, admin, tech).
|
|
address
|
Address where the contact is registered.
|
|
country
|
Country in which the contact is registered.
|
|
city
|
City in which the contact is registered.
|
|
changed
|
Date when the contact information was last modified.
|
|
created
|
Contact registration date.
|
|
email
|
Contact email address.
|
|
handle
|
Contact ID, the unique descriptor assigned to the contact by the registrar.
|
|
phone
|
Contact phone number.
|
|
fax
|
Contact fax number.
|
|
source
|
Data source for the contact.
|
|
descr
|
Contact description.
|
Page top
[Topic 95897]
Glossary
APT C&C Tracking
APT C&C Tracking Service delivers IP addresses of infrastructure connected to advanced
threats. For each IP address, there is a name of an APT group, operation, or malware it is associated with,
internet service provider, and autonomous system, collection of associated IP addresses hosting information, and
dates when this was first and last seen.
APT Intelligence report
A report on advanced persistent threats (APT) that include investigation results and full
technical data. APT Intelligence reports are provided in PDF, OpenIOC, YARA Rules, and Suricata Rules formats.
Available formats depend on a user's license type.
Compromised resource category notification
Resource that is usually legitimate but is infected or compromised at the moment of the
analysis.
Crimeware Threat Intelligence report
A report that provides information on attacks on a bank's infrastructure, ATMs, and
point-of-sale (POS) devices. It describes Mobile Trojan bankers, new cyber-criminal techniques to bypass security
solutions, and hybrid attacks with monitoring of cyber-criminal activities at early stage. Crimeware Threat
Intelligence reports are provided in PDF, OpenIOC, YARA Rules, and Suricata Rules formats. The formats available
depend on a user's license type.
cURL utility
The utility that can be used to run lookup searches and report requests by using the Kaspersky
Threat Intelligence Portal API.
Dark web category notification
Recently published topics, comments, or advertisements on the Dark web forums, shops,
communication channels, and onion sites.
Defacement category notification
Defacement (also website or web defacement) is an attack on a website that alters its visual
appearance or informational content.
Digital Footprint Intelligence report
A report that contains threat intelligence that is specific for your organization. Digital
Footprint Intelligence reports provide information about the following: identification of threat vectors, malware
and cyberattack tracking analysis, third-party attacks, information leakage, and current attack status.
Full certificate
The certificate used by Kaspersky Threat Intelligence Portal for customer authentication when
working with the service online and / or using the Kaspersky Threat Intelligence Portal API. The certificate and
its password are provided by a Kaspersky Technical Account Manager.
Provided permissions depend on Kaspersky Threat Intelligence Portal user's account settings and
can be changed by a Kaspersky Technical Account Manager.
Industrial report
Kaspersky Industrial Threat Intelligence Reporting Service provides customers with heightened
intelligence and awareness of malicious campaigns targeting industrial organizations, as well as information on
vulnerabilities found in the most popular industrial control systems and underlying technologies. Industrial
reports are provided in PDF, OpenIOC, YARA Rules, and Suricata Rules formats. Available formats depend on a user's
license type.
ktl_lookup utility
The utility that can be used to run requests using the Kaspersky Threat Intelligence Portal API.
The utility can be downloaded from this Help document.
Leakage category notification
Provides any kind of information related to the company that was found on online content hosting
services such as Pastebin. Compromised employee accounts, client's bank cards,
credentials for access to the internal systems, as well as other sensitive information.
Malware category notification
Notifications about malicious activity that involve company's resources. Provides alerts on:
- Communicating samples, that tried to communicate with the company's resources when they
were executed in a Sandbox.
- Downloaded samples, that were downloaded from the company's resources.
- Referrer samples, that embed web address pattern strings with company's domains.
- Botnet activity against the company's resources.
MD5
A cryptographic hash function that produces a 128-bit hash value. The 128-bit hash value is
represented as a sequence of 32 hexadecimal digits.
Personal category notification
Information on the company's employees (email address, position, social network accounts, and
more) found in public sources.
Ransomware activity category notification
Ransomware is a type of Trojan that modifies user data on a victim's computer so that the victim
can no longer use the data or fully run the computer. Once the data has been "taken hostage" (blocked or
encrypted), the user receives a ransom demand. The last tells the victim to send the malefactor money; on receipt
of this, the cybercriminal promises to send a program to the victim to restore the data or restore the computer's
performance.
Sandbox
An isolated safe environment that allows you to upload and execute files.
SHA1
A cryptographic hash function that produces a 160-bit hash value. The 160-bit hash value is
represented as a sequence of 40 hexadecimal digits.
SHA256
A cryptographic hash function that produces a 256-bit hash value. The 256-bit hash value is
represented as a sequence of 64 hexadecimal digits.
Suspicious activity
A group of reasons evaluated as unusual actions by the detection technology, insufficient for
complete incident generation, and thus listed for informational or further investigation purposes.
Threat Data Feed
Continuously updated reports informing about risks and implications associated with cyber
threats. Threat Data Feeds are available in JSON, CSV, OpenIOC, and STIX formats, and provided with connectors for
SIEMs, including Splunk, ArcSight, IBM QRadar, RSA NetWitness, LogRhythm, and McAfee Enterprise Security Manager
(ESM).
Vulnerability category notification
Notifications about newly discovered security issues on the company's network perimeter
resource. Provides information about vulnerable or misconfigured service, and short-term recommendations for
remediation.
Web vulnerability category notification
Vulnerabilities of incorrectly designed, implemented, or configured web resources that could be
exploited by attackers to compromise their integrity, availability, or confidentiality.
WHOIS
A protocol that is used for querying databases that store the registered users or assignees of
internet resources such as domains, IP addresses, or autonomous systems.
Page top
[Topic TrademarkNotices]
Trademark notices
Registered trademarks and service marks are the property of their respective owners.
Adobe, Flash are either registered trademarks or trademarks of Adobe in the United States and/or
other countries.
Apache is either a registered trademark or a trademark of the Apache Software Foundation.
iPhone, Safari are trademarks of Apple Inc.
Arm is a registered trademark of Arm Limited (or its subsidiaries) in the US and/or elsewhere.
Cisco is a registered trademark or trademark of Cisco Systems, Inc. and/or its affiliates in the
United States and certain other countries.
Dropbox is a trademark of Dropbox, Inc.
Elasticsearch, Kibana, Logstash are trademarks of Elasticsearch BV, registered in the U.S. and
in other countries.
FortiSIEM is either a registered trademark or trademark of Fortinet, Inc. in the United States
and/or other countries.
Google, Android, Chrome, Google Chrome are trademarks of Google LLC.
Intel, Pentium are trademarks of Intel Corporation in the U.S. and/or other countries.
IBM, QRadar are trademarks of International Business Machines Corporation, registered in many
jurisdictions worldwide.
Intel, Pentium are trademarks of Intel Corporation in the U.S. and/or other countries.
LinkedIn is a registered trademark or trademark of LinkedIn Corporation and its affiliates in
the United States and/or other countries.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Cyber Kill Chain is a registered trademark or trademark of Lockheed Martin Corporation or its
subsidiaries, in the United States and/or other countries or jurisdictions.
McAfee is a trademark or registered trademark of McAfee LLC or its subsidiaries in the United
States and other countries.
Microsoft, Edge, Excel, Internet Explorer, Microsoft Edge, MS-DOS, Win32, Windows are trademarks
of the Microsoft group of companies.
CVE is a registered trademark of The MITRE Corporation.
OVAL and the OVAL logo are registered trademarks of The MITRE Corporation.
Mozilla, Firefox are trademarks of the Mozilla Foundation in the U.S. and other countries.
OpenSSL is a trademark owned by the OpenSSL Software Foundation.
Java is a registered trademark of Oracle and/or its affiliates.
Python is a trademark or registered trademark of the Python Software Foundation.
Splunk is a trademark and registered trademark of Splunk Inc. in the United States and other
countries.
PGP is a trademark or registered trademark of Symantec Corporation or its affiliates in the U.S.
and other countries.
OpenAPI is a trademark of The Linux Foundation.
Tor is a trademark of The Tor Project, U.S. Registration No. 3,465,432.
The names, images, logos and pictures identifying UserGate's products and services are
proprietary marks of UserGate and/or its subsidiaries or affiliates, and the products themselves are proprietary
to UserGate.
UNIX is a registered trademark in the United States and other countries, licensed exclusively
through X/Open Company Limited.
Page top
).
for APT-related actors.
for Crimeware actors.