Find out what's new in the latest release and which features have already been introduced or are expected.
Check which operating systems and browser versions are supported. Set up one-time password protection or obtain and import a certificate. Use an overview of current cyber threats and information about your organization on the Home page to start threat investigation as soon as you sign in.
Run search requests for indicators (hash, IP address, domain, web address) and actor profiles. You can also run search requests by using the Kaspersky Threat Intelligence Portal API.
Explore a research graph visualizing the relationships of objects involved in an incident investigation.
Search and view APT Intelligence, Crimeware Threat Intelligence and Industrial reports, and actor profiles.
Upload/download and execute files and emulate the opening of web addresses in a safe Kaspersky Sandbox environment. You can also analyze objects by using the Kaspersky Threat Intelligence Portal API.
View notifications about threats and reports from Kaspersky, and manage assets for your organization. An OpenAPI specification for Digital Footprint Intelligence is also available. Learn more about our new Tenant management service.
Search for WHOIS information about domains and IP addresses.
View and export a list of dangerous IP addresses of infrastructure connected to advanced threats.
Search and download Threat Data Feeds and view related materials. Download incident response guides and tools, supplementary tools, and SIEM connectors. An implementation guide that describes Kaspersky Threat Intelligence Data Feeds and their usage is also available. You can also obtain Threat Data Feeds by using the Kaspersky Threat Intelligence Portal API.
Use API methods to work with Kaspersky Threat Intelligence Portal services. An OpenAPI specification for Threat Lookup, Threat Analysis, and Threat Data Feeds is also available.
Change your account password and configure email notifications. Manage your employee accounts (for administrators).
Kaspersky Threat Intelligence Portal (hereinafter also referred to as Kaspersky TIP) provides reliable, immediate intelligence about cyber-threats, legitimate objects, their interconnections and indicators, enriched with actionable context to inform your business or clients about the associated risks and implications. Now you can mitigate and respond to threats more effectively, defending your system against attacks even before they are launched.
Kaspersky Threat Intelligence Portal delivers all the knowledge acquired by Kaspersky about cyber-threats and their relationships, brought together into a single, powerful web service. The goal is to provide your security teams with as much data as possible in order to prevent cyber-attacks that can impact your organization. The platform retrieves the latest detailed threat intelligence about web addresses, domains, IP addresses, file hashes, statistical / behavioral data, WHOIS / DNS data, and so on. The result is global visibility of new and emerging threats, helping you secure your organization and boosting incident response.
Threat intelligence is aggregated from fused, heterogeneous, and highly reliable sources. Then, in real time, all the aggregated data is carefully inspected and refined using multiple preprocessing techniques, such as statistical criteria, Kaspersky expert systems, validation by analysts, and allow-listing verification.
How it works
Indicators of compromise can be looked up through a web-based interface or Kaspersky Threat Intelligence Portal API. Kaspersky Threat Intelligence Portal enables you to request threat intelligence about the following objects:
Kaspersky Threat Intelligence Portal displays whether an object is in Good, Bad, or Not categorized zones, while providing a rich set of contextual data to answer the who, what, where, and when questions that help you respond to or investigate threats more effectively.
Key features
The following are the key features of Kaspersky Threat Intelligence Portal:
Increase your awareness and knowledge of high profile cyber-espionage campaigns with wide-ranging and practical advanced persistent threat (APT) reporting from Kaspersky. Download reports in any available format.
Security Threat Intelligence Services from Kaspersky give you access to the intelligence you need to mitigate cyber threats, provided by our world-class team of researchers and analysts.
The key benefit of threat intelligence is the reliability of data enriched with actionable context.
Threat intelligence is automatically generated in real time, based on findings across the globe, providing high coverage and accuracy.
Threat intelligence delivered by Kaspersky Threat Intelligence Portal includes a vast amount of different data types such as hashes, web addresses, IP addresses, WHOIS, GeoIP, pDNS, file attributes, statistical and behavioral data, download chains, time stamps, and much more. Empowered with this data, you have access to a diverse landscape of security threats.
Threat intelligence delivered by Kaspersky Threat Intelligence Portal is generated and monitored by a highly fault-tolerant infrastructure, ensuring continuous availability and consistent performance.
Hundreds of experts, including security analysts from across the globe, world-famous security experts from Global Research & Analysis Team (GReAT), and leading-edge R&D teams, contribute to generating valuable and real-life threat intelligence.
Use the service in manual mode through a web portal or get access by means of a simple Kaspersky Threat Intelligence Portal API.
With software as a service (SaaS), there is no need to integrate additional systems or services into your company’s infrastructure. Start using the service immediately.
Key benefits
By using Kaspersky Threat Intelligence Portal you can do the following:
You can work with Kaspersky Threat Intelligence Portal in one of the following ways:
Kaspersky Threat Intelligence Portal web interface
You can work with Kaspersky Threat Intelligence Portal online by using any of the supported browsers. After signing in, you can run requests, search for WHOIS information on domains and IP addresses, and execute objects in the Kaspersky Sandbox. A history of your previous requests is also available. All investigation results can be exported in CSV, OpenIOC, or Structured Threat Information eXpression (STIX™) format. You can search for and download APT Intelligence reports and Crimeware Threat Intelligence reports in the PDF, OpenIOC, or YARA Rules format. The Industrial Threat Intelligence Reporting and Digital Footprint Intelligence functionality is also available. You can also view and purchase licenses.
Kaspersky Threat Intelligence Portal Plugin
Kaspersky Threat Intelligence Portal Plugin is designed for Enterprise users subscribed to a commercial version of Kaspersky Threat Intelligence Portal and enables users to look up web addresses, IPs, hashes (MD5, SHA1, and SHA256), and domains straight from the viewed web pages using the Kaspersky Threat Intelligence Portal lookup functionality. The plugin also lets subscribers gain rich threat context around IoCs, enabling them to make faster prioritization decisions. The goal of the plugin is to immediately provide your security teams with as much data about IoCs as possible from any web page, allowing you to speed up your threat investigation activities. IoCs are highlighted automatically.
You can add Kaspersky Threat Intelligence Portal Plugin to your Chrome browser via the Chrome Web Store.
Kaspersky Threat Intelligence Portal API
You can create lookup and report requests to Kaspersky Threat Intelligence Portal, as well as execute objects in the Kaspersky Sandbox by using the Kaspersky Threat Intelligence Portal API. Investigation results are provided in JSON format. The APT C&C Tracking, Industrial Threat Intelligence Reporting, and Digital Footprint Intelligence API methods are also available.
Kaspersky Threat Intelligence Portal has the following hardware and software requirements:
Minimum general requirements:
Minimum hardware requirements:
Supported browsers (the latest versions):
Software requirements for working with the Kaspersky Threat Intelligence Portal API:
We currently maintain at least 99.5% uptime for our general portal availability.
Portal unavailability is defined as the failure to verify and authorize legitimate user access to the portal, resulting in an inability to access core functionality. Unavailability is counted only when such issues arise independently of external factors beyond our control (such as network-related issues) or user error.
Please be aware that general portal availability does not automatically extend to the individual services within the portal. Each service is evaluated on its own terms, allowing us to customize performance standards to suit distinct operational requirements.
Kaspersky Threat Intelligence Portal offers the following features and enhancements.
Release 07.2024
The Web Categories Feed is now available via API. This feed is intended for web content filtering services and contains regularly updated records of domains, optionally with their categories.
General improvements:
Release 04.2024
Multitenancy capabilities are now supported for Digital Footprint Intelligence to meet the requirements of MSSPs and multi-branch enterprises, with additional support for Threat Lookup and Reporting Services.
Multitenancy administrative capabilities:
The new Tenant Center dashboard for the Digital Footprint Intelligence service now displays key data for each tenant, including threat notifications and number of assets in different statuses. Users can filter this information by various time periods and sort tenants based on total notifications or assets. Additionally, tenant managers can seamlessly access detailed information on each tenant through the Digital Footprint Dashboard.
Dashboards for Digital Footprint Intelligence
A Dashboard section is now available in Digital Footprint Intelligence, providing quick identification and analysis of relevant threats within an organization. The Dashboard is now the primary interface, replacing all previous statistical widgets. This update aims to enhance user experience through more intuitive data presentation, detailed insights and improved navigation.
Digital Footprint Intelligence enhancement
Korean UI localization
We are excited to announce the addition of Korean language UI support to enhance user experience for our Korean-speaking users.
Improved Reports Visibility
Users now have the ability to view the names of all APT, Crimeware and ICS reports, regardless of whether they hold a license for report services. This marks a significant change from previous versions, where report names were entirely inaccessible without a corresponding license. Additionally, we have modified the way reports are displayed and sorted to enhance the user experience.
UserGate Support
The API for NGFW feeds has been upgraded to support UserGate. This upgrade introduces a new "format" query parameter, expanding the capabilities and customization options for NGFW feeds.
Data Feeds page
Enhanced Search Functionality
We have upgraded our search engine to deliver more relevant results for queries that include email addresses, web addresses, domain names, and IP addresses, ensuring a more efficient and accurate search experience.
Home page
General improvements:
Release 12.2023
Threat Lookup has been enhanced to showcase indicator availability across our Data Feeds, thus helping to identify and prioritize the most dangerous, prevalent and emerging threats.
Threat Lookup API now allows users to search the Dark web and the Surface web.
URL Sandbox. Phishing content analysis for web addresses has been significantly enhanced, improving accuracy when identifying phishing threats.
File Sandbox. Now allows automatic type detection for file names featuring multiple dots, thus optimizing the analysis process by improving accuracy and efficiency.
Reporting. User interface (UI) has been enhanced by consolidating various report types into a single section, streamlining the user experience for easier access and navigation (including Home page).
Data Feeds API. Introducing a new set of prevention-oriented feeds that can be seamlessly integrated with network security appliances and accessed through an API.
Data Feeds tab updated to provide up-to-date information about our Data Feeds (introducing new Feeds).
General improvements:
Release 10.2023
Similarity technology. New Similarity technology is available both for Threat Lookup and Threat Analysis. Users can now submit a file (in Threat Analysis) or its hash (in Threat Lookup) and receive a list of hashes for similar malicious files known to Kaspersky. Furthermore, users can also get additional useful context to identify samples with similar functionality and understand their characteristics and properties to better detect evolving cyberthreats. Making an intelligent decision based on comprehensive file analysis is the optimal approach to understanding current sophisticated, targeted, and tailored threats. Individual anti-virus or behavior analysis tools working in silos may yield only limited information about recently modified malware. However, the combination of threat intelligence, dynamic analysis, threat attribution and similarity technologies provides users with a powerful tool for the detection of malicious objects that were not previously seen. To help security researchers stay informed about existing and emerging threats, the technology has a customizable interface that allows users to filter search parameters to quickly prioritize and address critical threats and thus remediate them more effectively.
The Threat Analysis User interface (UI), including History section, has been enhanced to support file analysis scenarios covering the Similarity technology and results display speed.
Data Feeds tab updated. Data Feeds tab now highlights proper use cases for available Data Feeds. It allows users to make a conscious decision when selecting Data Feeds for their purposes.
Analysis of password-protected archives now supported. Kaspersky Threat Attribution Engine technology has been updated to improve Threat Analysis by supporting the option to analyze password-protected archives. After uploading, such archives are then extracted and all objects are fully processed, like any other files that are not password protected.
New API specifications for Threat Lookup and Threat Analysis. The new specifications adhere to industry OpenAPI standards and provide clear and standardized endpoints, parameters, and responses for seamless integration. This allows developers to access comprehensive insights, thus streamlining API consumption and integration.
API specification files are easy to navigate and are available from Kaspersky Threat Intelligence Portal Help.
General improvements:
Release 05.2023
New timeline of IoC changes. Kaspersky Threat Intelligence Portal now displays how and when zone and category changes were made for an IP address, web address, or domain over the last two months or two years. This significantly accelerates incident investigations and threat hunting when identified IoCs are clean or not categorized at the moment of investigation.
Asset Management improvements in Digital Footprint Intelligence. The service now supports new asset types:
This extension of attack surface monitoring capabilities increases cyber underground visibility and transparency, allowing you to identify a new class of previously hidden threats.
The user can also remove unnecessary assets to stop monitoring them.
New "Like" button for Threat Intelligence reports. Users can now "Like" reports to provide anonymized feedback, helping experts to focus on developing reports with the most popular formats or themes.
Data Feeds tab content updated. Users can now access up-to-date information about our Data Feeds (introducing new Data Feeds) and tools designed for their seamless integration with your security controls.
General improvements:
Release 02.2023
Improved UI/UX for the Research Graph. New node types, such as Actor and Report names, are now supported. The user can now place a Report name or an Actor on the Graph to see their relations with IoCs and vice versa. This accelerates incident investigations and threat hunting activities by highlighting IoCs from high-profile attacks described in our APT, Crimeware or Industrial reports, as well as Actor profiles.
Introduction of a dark theme. Users can now switch between the current bright theme and a dark alternative, either to improve visibility in dim light or for purely aesthetic reasons.
Improved Threat Lookup. More details are now available about attachments in spam messages. The information is provided for a hash in the new File was attached to email section and includes the following:
Categories for spam messages are also provided, such as phishing or spoofing.
Saved searches with filters are now supported. Users can now specify different filters and criteria for automated scheduled searches to monitor and receive alerts about new information for a particular IoC, keyword, phrase or intelligence report. This significantly improves proactive uncovering of the following previously unknown or inactive threats:
Users can manage (edit, delete) the list of created saved searches by specifying their names, periods to check new data, and notifications about new data (via UI or email). Notifications about new findings are also displayed on the Home page for a quick check. When opening the notification, users obtain new data compared to the previous state.
Monthly subscriptions are now supported. This change was made to meet MSSP license requirements.
The customer registration process to get user credentials for the Portal has also been simplified.
Release 07.2022
Threat Lookup now supports new categories for IP addresses:
Threat Lookup now provides more classifications for APT- and Crimeware-related objects (IP addresses, domains, web addresses, and hashes):
Full context for found objects is available via a link to the corresponding report or service, which is displayed next to the tag.
We updated Surface web and Dark Web search syntax in Threat Lookup. See the Help for more information on syntax and working with search operators.
Improved Kaspersky Sandbox. Now you can download files generated while the analyzed file is executed:
General improvements:
Release 06.2022
Improved Digital Footprint Intelligence. The context provided with phishing, typosquatting, and combo-squatting real-time notifications has been extended. Our phishing tracking service actively tracks and alerts you in real time to the appearance of phishing websites targeting your brand, company name, online services or trademarks, and provides relevant, accurate and detailed context about phishing or fraudulent activity directly relevant to your business, including injected malware and phishing URLs that steal credentials, sensitive information, financial information, and personal data from your users.
Every notification provides deep coverage, high accuracy, and reliable information about phishing attacks, enabling you to react fast to dynamically generated phishing domains and URLs as well as to phishing outbreaks. The provided intelligence enables you to act swiftly and with precision to mitigate the impact of phishing activity on your organization and your users, taking a proactive stance against fraud. A takedown service is also available.
Phishing notifications now include the following context:
Release 04.2022
Improved Cloud Threat Attribution Engine. Now clicking on an Actor (on the analysis report page) initiates a search request to show available related threat intelligence reports and actors.
Improved user experience for the search functionality. When using the search functionality, the user stays on the tab where the search was initiated (previously the user was always redirected to the Lookup tab).
Improved Kaspersky Sandbox:
New section values are added to differentiate results for specific Android and Windows sections with the same section names. Certain values are still available for backward compatibility with previous API versions.
Release 12.2021
Introduction of Dark web search. This is a source of invaluable threat and brand intelligence that offers insights from a comprehensive range of deep and dark web sources for threats to your organization, whether a planned attack, discussions around vulnerabilities, or a successful data breach. This tailored information provides visibility over risks to your organization, enabling security teams to reduce the attack surface, secure online brand value, and take actions on threats before, or even after, they become incidents (to minimize impact).
With the service you can:
Benefits include Dark web monitoring, Digital Footprint tailored reports, real-time notification about threats to your assets, and takedown services. The service also provides actionable and trusted threat and brand intelligence, with human contextualized analysis, to ensure security teams move as swiftly as possible to prevent, detect, respond to and mitigate external threats that pose the greatest danger to your assets, brand, organization, region or industry.
Introduction of Surface web search. The Surface web offers security practitioners a vast and potentially hugely valuable source of intelligence about threats. By introducing this service, we inform you about how global security events can potentially impact or are already threatening your assets, brand or organization. The service condenses and validates a comprehensive range of security-related surface/open web sources (such as security news portals, blogs or forums) to provide access to information that helps you identify critical events, assess risks, anticipate disruptions to reduce security risks, keep employees safe and boost security resilience.
Benefits include Surface web monitoring, Dark web monitoring, Digital Footprint tailored reports, real-time notification about threats to your assets, and takedown services. You also receive actionable and trusted threat and brand intelligence, with human contextualized analysis, to ensure security teams move as swiftly as possible to prevent, detect, respond to and mitigate external threats that pose the greatest danger to your assets, brand, organization, region or industry.
Threat Lookup is extended with Indicators of Compromise from a wide range of high-confidence OSINT sources. The results are displayed on the OSINT IoCs tab. This allows OSINT sources where looked-up IoCs are mentioned to be presented, even if Kaspersky Threat Lookup does not provide any context. The Hash IoC type is supported now, while the URL, Domain and IP address IoC types will become available during 2022.
Introduction of Research Graph. The Graph (also known as Link Analysis) is designed to explore data stored in TI Portal (Threat Lookup) visually, discover threat commonalities and generate new related IoCs. It allows you to graphically visualize the relationship between URLs, domains, IPs, files, and other context encountered during investigations, pivot to find additional relationships and view in-depth information without the investigation losing context (no need to manually cross reference dozens of indicators provided in tables). The graph includes the following features: transformations, mini graph, grouping nodes, manual addition of links, addition of indicators and node searching.
Digital Footprint Intelligence service now allows the management of an organization’s assets to be monitored. The user can specify or import a list of assets grouped by their type (such as IP addresses or ranges, domains, brand names, employee names, emails, and so on) to be automatically monitored by the service. Kaspersky experts can also contribute to the list of assets, for example, by discovering your servers or services which are publicly exposed on the internet, intentionally or unintentionally (shadow IT). An ignore list is also supported, allowing users to specify assets that should be disregarded for monitoring. In the case that a specified asset is discovered across the surface, deep, or dark web, the user receives a real-time notification with useful context, such as priority, timestamps and source. Digital Footprint tailored reports also include analysis of all assets specified by the user.
Cloud Threat Attribution Engine (TAE) is now provided as Software-as-a-Service (SaaS), which runs completely on cloud TI Portal infrastructure (previously, only the on-premise deployment option was available). TAE is an unrivaled malware analysis tool that provides insights into the origin of high-profile malware and possible perpetrators and is now also integrated with Cloud Sandbox within the TI portal under the Threat Analysis tab. The tab allows you to access the results of Dynamic, Static, Anti-Virus and Attribution analysis for objects considered as suspicious enriched with Threat Intelligence within one single place, thus providing a powerful tool for the detection of previously unseen malicious objects. It saves the time of security analysts by preventing the need for files considered as suspicious to be run under the platforms of different vendors — a requirement that yields disparate results that are difficult to consolidate. Without accurate consolidation, it is hard to make correct decisions. As a result, the Threat Analysis tab helps SOC teams, security researchers, and malware analysts stay informed about existing and emerging malware-related threats, thus allowing them to quickly prioritize and address critical threats and remediate them more effectively.
The Threat Lookup service has been significantly improved by extending coverage to support searches within the following services:
The service unifies all of our best-in-market Threat Intelligence services and sources, and cyber reconnaissance capabilities, within one single window. This allows you to leverage the synergy of these resources to extend overall threat visibility and coverage, without the need to switch between services delivering different results.
Improvement of Digital Footprint Intelligence by supporting real-time notifications of typosquatting attacks. This allows organizations to be notified not only about phishing websites, but also typosquatting. The current list of real-time notification types is the following:
The web interface has been significantly enhanced (new color scheme, layout) to ensure a smooth user experience as new features are introduced. In addition, Kaspersky’s new corporate user interface style is also supported.
General improvements:
Release 10.2021
Suricata rules have been introduced to accompany our APT, Crimeware and ICS (now Industrial) Threat Intelligence reports. Threat Intelligence reports are provided with complementary files that include related Indicators of Compromise (IOCs) and YARA rules. Additionally, Suricata rules are now supported as well (see Download section for particular Threat Intelligence report).
Cyberattacks have become so sophisticated that they can thwart even the best security systems, especially those that still assume networks can be secured via firewall encryption. Kaspersky security experts provide Suricata rules to detect network threats related to those in Threat Intelligence reports. The rules can be used by Threat Intelligence report customers for network security appliances such as network intrusion detection and prevention systems (IDS/IPS), next generation firewalls (NGFW), and other network security or PCAP processing tools.
Services available through the Kaspersky Threat Intelligence Portal web interface can now also be accessed using time-based one-time passwords (TOTP) as an alternative two-factor verification method (instead of providing a certificate). Previously, users had to have both a login/password and a certificate (pfx) to access the Portal web interface. The TOTP token service gives users the flexibility to choose from a range of authentication applications, such as Google Authenticator or Microsoft Authenticator.
Release 08.2021
The public roadmap for Kaspersky Threat Intelligence services and features is now available for Kaspersky Threat Intelligence Portal users. It provides users with information about recent developments and what features and functionality can be expected over the coming quarters. With more transparency on the future "roadmap", users can better adjust their work activities and existing plans. The public roadmap page also offers the opportunity to submit new feedback or feature requests to influence future plans.
Given the continuously evolving cyber threat landscape, businesses need to be more proactive regarding ever more sophisticated and blended security attacks. In response, we decided to extend the scope of our Financial Threat Intelligence Reporting service to provide all clients with a unified source of information on cybercrime (not only specific to financial industries). Given the breadth of information provided, we changed the name of the existing service to Kaspersky Crimeware Intelligence Reporting.
The service will cover the following types of reports:
Reports are usually provided with complementary files that include related Indicators of Compromise (IOCs) and YARA rules (similar to APT and ICS (now Industrial) reports). Suricata rules will also be added soon.
Crimeware Intelligence Reporting users can now gain full access to crimeware actor profiles. Similar to APT actor profiles, the new technical descriptions section for crimeware actors allows security professionals to track actors and their networks, understand their own visibility and gaps, as well as overlap TTPs against the MITRE ATT&CK matrix. Consequently, this helps companies understand what to focus on to improve their defenses proactively.
Accurate information about a malevolent actor and their preferred tools and tactics is essential, as it provides an understanding of the potential goal of an attack and what techniques may be used. For each actor, we provide a general overview, different aliases used, victimology and previous targets, descriptions of past operations, toolsets, and external references. We also provide all available reports on the actor, as well as specific IOCs and YARA rules to detect and track their activity.
Release 06.2021
HasRedZone indicates whether the requested object has potentially dangerous relations. This provides valuable context for prioritization purposes, even if the requested object is not categorized.
Hotfix 08.2020
Release 04.2020
Hotfix 06.2019
Release 04.2019
Kaspersky Sandbox now supports dynamic analysis not only for files, but for web addresses and the files accessed by web addresses as well. Web addresses are deeply analyzed in a secure environment to provide their web category, threat and suspicious activities, network and operating system activities, screenshots, downloaded files and scripts, and any other security threats hidden within legitimate content or located on the web address. A comprehensive and detailed analysis report is generated for every detonated web address to enable security professionals to accelerate incident response (IR) activities, or implement appropriate defense strategies and protection measures.
Kaspersky’s APT Intelligence Reporting Service is the result of Kaspersky Global Research and Analysis Team (GReAT) investigations. GReAT is a worldwide group of Kaspersky’s top-notch cyber-security experts who have tracked the most sophisticated APT actors and their activity for the last 10 years.
Accurate information about an actor behind a campaign is essential, as it provides an understanding of what might be the real goal of the attack and the techniques available to an adversary. The knowledge of an actor's origin, capabilities, past campaigns, techniques used in their operations, and technical details is now one click away thanks to the new actor profiles provided in our APT Intelligence Reporting Service.
For each actor, we provide a general overview, its suspected country of origin, different aliases used, victimology and previous targets, descriptions of past campaigns, toolset, and external references. We also provide all of the reports related to the actor, as well as specific IoCs and YARA rules to detect their activity.
Additionally, we map all the actor's tactics, techniques, and procedures (TTPs) to the MITRE threat model, showing in the ATT&CK Enterprise and PRE-ATT&CK matrices the techniques that the actor used in previous campaigns. As we always do in our reports, we also map TTPs to our own descriptive methodology, dividing them into Infection Vector, Implants, and Infrastructure for a quick, high-level understanding of the threat.
Our technical description of threat actors gives security professionals the means to track actors in their networks, understand their own visibility and gaps, and overlay TTPs on the MITRE ATT&CK matrix to know where to focus in order to improve their defenses proactively.
We are introducing a feedback form to receive customer feedback about Kaspersky Threat Intelligence Portal, accessible through an easy-to-use tray icon. All feedback will be considered when improving the Portal.
The Data Feeds tab content is updated to provide up-to-date information about our Data Feeds (introducing new Feeds) and the tools designed for seamless integration of Data Feeds with your security controls (such as SIEMs, ELK, MISP, and so on).
The Chrome™ Plugin enables users to look up web addresses, IPs, hashes (MD5, SHA1, and SHA256), and domains straight from the web pages they are viewing, by using the Kaspersky Threat Intelligence Portal lookup functionality.
The goal of the plugin is to immediately provide your security teams with as much data about IoCs as possible, from any web page (without even opening Kaspersky Threat Intelligence Portal), allowing you to speed up your threat investigation activities. IoCs are highlighted automatically.
A pop-up window (with the opt-out option) for the plug-in is shown when visiting the Threat Lookup tab, for users who do not have this plug-in installed yet.
RELEASE 08.2018
The id parameter in the get_list endpoint is now a string value.
RELEASE 05.2018
RELEASE 04.2018
Kaspersky Sandbox is now available for our customers. Kaspersky Sandbox is an advanced, automated malware analysis system developed from the Kaspersky sandboxing technology that was previously used only in Kaspersky internal infrastructure. The technology has evolved over more than 20 years of continuous threat research and the release of industry-leading security solutions. It offers a hybrid approach combining threat intelligence gleaned from petabytes of statistical data (thanks to Kaspersky Security Network), behavioral analysis, and rock-solid anti-evasion and human-simulating technologies such as an auto clicker, document scrolling, and stub processes.
As a result, Kaspersky Sandbox provides a high detection rate—thousands of new malicious files are detected every day. This advantage allows customers to detect advanced persistent threats (thanks to the Kaspersky Anti-APT team) and targeted and complex threats that bypass traditional anti-virus tools.
Kaspersky Sandbox is designed to boost incident response and forensic activities, or can be used as a cloud system for processing files automatically. Also available are capabilities such as data visualization graphs, export to JSON / STIX / CSV formats, and REST API for automated integration into customer workflow.
A user-friendly interface allows customers to easily understand the actions and behaviors of executed files, such as the following:
RELEASE 12.2017
RELEASE 11.2017
An executive summary, technical analysis of an attack, and indicators of compromise (IOCs) in CSV and YARA Rules formats are available for every report. RESTful API and comprehensive full-text search are also supported.
Two types of accounts are supported:
RELEASE 09.2017
The Home page displays a worldwide cyber-map with data visualization of global cyber-attacks, and provides information about the top 10 threats for each country. The Home page contains a tagged events list to notify users about new articles on the Securelist website and new APT Intelligence reports. WHOIS Tracking notifications are also available.
This section includes links to the tools developed by Kaspersky to help users to detect and remove malware during incident response activities. An Incident Response Guide from Kaspersky in PDF is also available. This guide provides basic explanations and recommendations for responding to information security incidents. This guide aims to do the following:
This utility is a multifunction high-performance tool that allows downloading, converting, and filtering of Threat Data Feeds from Kaspersky according to a specified set of rules.
HOTFIX 06.2017
Executive summaries provide an easy-to-understand overview of an attack and are C-level oriented.
Demo mode provides full access (including IOCs and executive summaries) to some selected APT Intelligence reports. All other reports (in the Demo mode) are shown but not available (names of these reports are substituted with the following phrase—Available for commercial license only).
The Licenses page can also provide license information about licensed Threat Data Feeds. You can contact Business Development Managers (BDMs) to activate this feature.
RELEASE 04.2017
Be the first to know and get exclusive, in-depth actionable intelligence reporting on advanced persistent threats (APTs). APT Intelligence Reporting Service provides customers with exclusive, proactive access to the descriptions of high-profile cyber-espionage campaigns, including associated indicators of compromise (IOCs) available in CSV and YARA Rules formats. APT Intelligence reports and associated IOCs can now be automatically requested using the RESTful API. Comprehensive full-text search and search by tags are also implemented.
Purchase access to new services, renew existing licenses, get information about remaining quotas, set notifications about expiring licenses, and much more.
Change your Kaspersky Threat Intelligence Portal password and configure email notifications for new or updated APT Intelligence reports and WHOIS tracking rules.
Now you can look up several objects in a single request using RESTful API, and see the result of each lookup in the web interface as well.
RELEASE (GA) 10.2016
This section provides information about how to start working with Kaspersky Threat Intelligence Portal. This includes how to obtain a certificate, user name (login) and password for working with the service online and through Kaspersky Threat Intelligence Portal API. It also describes two-factor authentication using one-time passwords.
Additionally, this section guides you through the first steps with Kaspersky Threat Intelligence Portal, such as importing your certificate and signing in to the web portal.
A certificate, user name, and password are required to work with Kaspersky Threat Intelligence Portal.
You must obtain a certificate, user name, and password from Kaspersky. To obtain a certificate, contact your dedicated Technical Account Manager at Kaspersky. A certificate and your credentials will be provided in a secure way.
A WL-info certificate can also be used to access Kaspersky Threat Intelligence Portal.
After you receive a certificate, you must import it to the computer you plan to use for working with Kaspersky Threat Intelligence Portal if you use Google Chrome™ or Microsoft Edge browsers. If you use Mozilla Firefox, you also have to import the certificate to the browser.
The certificate has a limited term. The certificate term countdown starts from the date it was issued.
When the certificate expires, the service becomes unavailable. To continue using the service, you must request a new certificate. You will receive a new certificate and a certificate password for it from your dedicated Kaspersky Technical Account Manager. Your user name and password remain the same and do not need to be updated.
If a Technical Account Manager changes your type of access (through web portal, API, or both) to Kaspersky Threat Intelligence Portal during your certificate term, your certificate and credentials remain the same.
There is no limit in place regarding the number of computers on which you can install a certificate.
Importing certificate to a computer
If you use Google Chrome or Microsoft Edge browsers, you can import a certificate to your computer using the Certificate Import Wizard.
To import a certificate to your computer:
Your certificate is now imported, and you can start working with Kaspersky Threat Intelligence Portal online.
Importing certificate to Mozilla Firefox
If you use Mozilla Firefox, you must also import a certificate to this browser.
To import a certificate to Mozilla Firefox:
The Certificate File to Import window opens.
A message confirming that the import was successful appears.
Your certificate is now imported, and you can start working with Kaspersky Threat Intelligence Portal using Mozilla Firefox.
Viewing certificate on computer
To view certificates imported to your computer:
Enter mmc in the Search box, and press Enter to open Microsoft Management Console. The Certificates snap-in window opens.
Viewing certificate in Mozilla Firefox
To view the certificate imported to Mozilla Firefox:
If a certificate is not imported, try to import it again or contact your administrator.
Kaspersky Threat Intelligence Portal provides the ability to use one-time passwords instead of certificates for authentication, if allowed by your organization.
To use one-time passwords, you have to set up two-factor verification via an authenticator app that supports the Time-based One-time Password (TOTP) algorithm (for example, Google Authenticator or Microsoft Authenticator). One-time passwords are generated locally on your device, with no need for an internet or mobile network connection.
We recommend that you also set up an authenticator app on a device other than your mobile phone. This will allow you to sign in to your Kaspersky Threat Intelligence Portal account if your mobile phone is ever lost or stolen.
To set up two-factor verification via your authenticator app:
Your administrator will provide the QR code via a PGP™-encrypted email or as a password-protected .zip archive. In this case, the archive and password are provided via separate secure channels (for example, the archive is sent via email and its password via SMS message).
Your authenticator app is set up. You can now use one-time passwords generated in the app on the Kaspersky Threat Intelligence Portal sign-in page.
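To make concrete what the authenticator app does with the QR code it is given, here is an added example; it is not Kaspersky's code and says nothing about how the portal itself is implemented. It parses a constructed otpauth:// provisioning URI of the kind encoded in such QR codes, generates RFC 6238 TOTP codes from the shared secret using nothing but that secret and the device clock (which is why no network is needed), and shows the verifying side's check with a one-step tolerance for clock skew. The portal name, issuer and account in the URI are made up; the secret is the RFC 6238 reference key, so the codes can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample provisioning URI, the text an authenticator app reads
# from a QR code. Label, issuer and account are made up for this example; the
# secret is the RFC 6238 reference key "12345678901234567890" in Base32.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/ExamplePortal:user%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExamplePortal"
    "&algorithm=SHA1&digits=6&period=30"
)

_HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri):
    """Extract the TOTP parameters carried by an otpauth:// URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("provisioning URI carries no secret")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer", ""),
        "secret": params["secret"],
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def totp(secret_b32, for_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP (RFC 4226) over the number of elapsed time steps."""
    # Re-pad the Base32 secret; many apps emit it without trailing "=".
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(for_time) // period
    mac = hmac.new(key, struct.pack(">Q", counter), _HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32, submitted, for_time=None, window=1, **kwargs):
    """Verifier-side check: accept the current step or `window` steps either side."""
    now = time.time() if for_time is None else for_time
    period = kwargs.get("period", 30)
    for step in range(-window, window + 1):
        expected = totp(secret_b32, now + step * period, **kwargs)
        # Constant-time comparison so a mismatch leaks nothing about the code.
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    cfg = parse_otpauth(SAMPLE_OTPAUTH_URI)
    code = totp(cfg["secret"], time.time(), cfg["digits"], cfg["period"], cfg["algorithm"])
    print(f"{cfg['issuer']} ({cfg['label']}): current code {code}")
```

The advice above to enrol a second device simply means scanning the same QR code, that is, loading the same secret, into two apps; both then produce identical codes, which is also why the QR code is delivered over an encrypted or password-protected channel. The verifier's skew window is a design trade-off: wider windows tolerate badly synchronised clocks but lengthen the time during which an intercepted code stays usable.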
This section explains how to sign in to Kaspersky Threat Intelligence Portal. When you sign in to the portal for the first time, or when you purchase a new Kaspersky Threat Intelligence Portal service, you must accept the Terms and Conditions and the Statement about Data Provision. You must also accept any new Terms and Conditions if Kaspersky changes them.
You can choose to use a certificate as the second factor of authentication. In this case, before signing in to Kaspersky Threat Intelligence Portal, make sure that your certificate is imported to the computer and browser (if you use Mozilla Firefox) that you will use to work with Kaspersky Threat Intelligence Portal online.
Before working with the Kaspersky Threat Intelligence Portal API, you must accept the Terms and Conditions online in your browser at https://tip.kaspersky.com.
To sign in to Kaspersky Threat Intelligence Portal:
This link is not available for users of Kaspersky Anti Targeted Attack and Kaspersky Endpoint Detection and Response.
On the page that opens, complete the form. A Kaspersky representative will then contact you within one business day.
Kaspersky Threat Intelligence Portal returns error 403 (Access is denied) if a valid certificate is not imported to the computer.
Signing in to Kaspersky Threat Intelligence Portal may fail for one of the following reasons:
After you have successfully signed in to Kaspersky Threat Intelligence Portal, you can run requests about hashes, IP addresses, web addresses, or domains. You can also perform a WHOIS search for domains and IP addresses, as well as use other Kaspersky Threat Intelligence Portal services.
This section explains how to accept the Terms and Conditions and the Statement about Data Provision.
Before signing in to Kaspersky Threat Intelligence Portal for the first time or using a new service, you have to accept the Terms and Conditions and the Statement about Data Provision. You must also accept the Terms and Conditions again if they have changed.
Before working with the Kaspersky Threat Intelligence Portal API, you must accept the Terms and Conditions online in your browser at https://tip.kaspersky.com.
To accept the Terms and Conditions and the Statement about Data Provision:
If you sign in to Kaspersky Threat Intelligence Portal for the first time, the Terms and Conditions and the Statement about Data Provision for all purchased services are displayed.
If you open a page for a newly purchased service, only the Terms and Conditions and the Statement about Data Provision for this service are displayed.
If you do not agree with the Terms and Conditions and the Statement about Data Provision, click the Cancel link to cancel the sign-in.
The Confirm button becomes available only if you scroll through the Terms and Conditions text and select both check boxes.
On the Kaspersky Threat Intelligence Portal Home page, an overview of current cyber threats around the world and various types of information concerning your organization are displayed. The data provided allows you to start threat investigation as soon as you sign in.
In the Search field, you can request data from Kaspersky databases for indicators (hash, IP address, domain, web address) and actor profiles. Also, you can perform full-text requests in this field.
The Digital Footprint Global Threats section provides the overall threat landscape detected for all Digital Footprint Intelligence service users. Charts display the total number of detected threats and their distribution by risk levels and categories.
Depending on the licenses your organization has purchased and the permissions set by your administrator, the following sections are displayed on the Home page:
Demo reports (marked as DEMO) are available for viewing and downloading without a commercial license. Clicking the View demo reports link takes you to the Reporting page, where the list is filtered to demo reports.
Unavailable reports are also displayed on the Home page, but their headings are not clickable. When you hover your mouse over a specific report name, a tooltip is displayed with the name of the service that must be purchased to view the full version of the report.
Clicking the See more reports link takes you to the Reporting page containing all reports available to you.
When you click a specific country on the cybermap, threat ratings and statistics are displayed for the selected country. The country's rating in the most frequently attacked countries list and the number of detected dangerous objects are displayed. The Top 10 lists for all threat types (threats, C&Cs, web addresses, and MD5 hashes of files) are shown below the cybermap. All items are clickable. Clicking an item in the threats list takes you to the Kaspersky threats website. Clicking items in the Top 10 CC, Top 10 URLs, and Top 10 files lists takes you to the Threat Lookup page, which has various results for the corresponding object.
For both the worldwide and individual country cybermap, filtering by type and time is available.
By selecting the information type in the drop-down list, you can display the information for the following types:
By selecting the time period in the drop-down list, you also can filter the displayed information for a specific period:
The What's New and Upcoming page of the Kaspersky Threat Intelligence Portal displays information about released and expected features. Descriptions are provided during the quarter in which development is approved, or when the feature is released.
You can also view information about features that were implemented earlier.
Via the Feedback form, you can leave feature requests for Kaspersky Threat Intelligence Portal. We encourage you to send ideas and suggestions to help us improve our services and website usability.
The News page of Kaspersky Threat Intelligence Portal displays a list of Kaspersky news items available to you.
For each news item, its publication date and header are provided. News headers are clickable and take you to the source page for the news (for example, the Securelist website).
This section contains videos about Kaspersky Threat Intelligence Portal services, helping you to become familiar with the portal's functionality.
To watch the videos, you have to sign in to Kaspersky Threat Intelligence Portal.
To watch the video below, you have to sign in to Kaspersky Threat Intelligence Portal.
Subscribers to Kaspersky Threat Intelligence Portal gain instant access to both immediate and historic threat intelligence, helping you to combat cyberattacks as they arise. This enables SOC and IR teams to build a comprehensive threat intelligence workflow, by providing rich and meaningful context throughout the entire incident management cycle. See how this works in practice.
To watch the video below, you have to sign in to Kaspersky Threat Intelligence Portal.
Digital Footprint Intelligence service is a comprehensive digital risk protection service that helps you to monitor your organization's digital assets and detect threats. With real-time alerts, Digital Footprint Intelligence enables organizations to respond quickly and effectively to potential threats. Analytical reports complement this data with finished intelligence from Kaspersky experts, providing insights into cyber security risks and recommendations on how to mitigate them. The following video explains how you can work with Digital Footprint Intelligence service.
To watch the video below, you have to sign in to Kaspersky Threat Intelligence Portal.
Kaspersky Threat Analysis is a flexible set of tools for comprehensive malicious file research. By combining Kaspersky Sandbox, Kaspersky Threat Attribution Engine, and Similarity technologies, it makes it possible to expose the most advanced unknown and evasive threats. Their synergy makes it possible to identify a sophisticated threat much faster than when file analysis is performed using only one of these technologies.
In this video, we demonstrate how to identify the malware's behavior and objectives, reveal its various modifications, and establish its association with a known APT group and its techniques and tactics using the Threat Analysis section of Kaspersky Threat Intelligence Portal.
OpenAPI specification describes endpoints, required parameters, responses, and usage examples.
In this version of Kaspersky Threat Intelligence Portal, OpenAPI specification is available for the following services:
This section describes the main elements of the Kaspersky Threat Intelligence Portal interface.
The right part of the page contains the contents of the selected Kaspersky Threat Intelligence Portal service.
On each Kaspersky Threat Intelligence Portal page, the Search field is available.
Kaspersky Threat Intelligence Portal allows you to choose a dark or light background web interface. You can use the toggle switch in the upper right corner of the page to select the mode (see picture below).
The left part of the Kaspersky Threat Intelligence Portal page contains a menu that provides you with access to the services and other functions.
This menu consists of two sections that you can collapse or expand independently of each other at any time, for more convenient viewing of the relevant section or elements of the menu:
Kaspersky Threat Intelligence Portal interface in the dark mode
This section covers the main aspects of Kaspersky Threat Intelligence Portal licensing.
The Terms and Conditions are a binding agreement between you and AO Kaspersky Lab, stipulating the conditions under which you may use the service.
Please read the Terms and Conditions carefully before you start using the service.
You accept the Terms and Conditions by confirming that you agree with them when signing in to Kaspersky Threat Intelligence Portal. If you do not accept the Terms and Conditions, you cannot sign in to Kaspersky Threat Intelligence Portal.
If necessary, you can click the user icon at the bottom of the Kaspersky Threat Intelligence Portal page, and select the Terms and Conditions option to read the Terms and Conditions at any time.
A license is a time-limited right to use Kaspersky Threat Intelligence Portal services, granted under your contract with Kaspersky.
A license entitles you to the following kinds of services:
To use Kaspersky Threat Intelligence Portal services, you must purchase a license.
The scope of the service usage term depends on which of the following licenses you opt for.
For Kaspersky Sandbox
Up to 1000 of the latest file executions and web address analysis results for a user are stored. When the maximum number of stored results is reached, the oldest results are assigned Archived status. For archived tasks, you can only view or delete a brief summary. For more details about archived tasks, refer to the About archived (discarded) tasks section.
Running a threat lookup request for a hash does not reduce the Threat Lookup daily quota for your group if the completed execution task for this hash is in Kaspersky Sandbox.
The number of service users for your company and other limited terms and conditions including quotas are specified in your contract with Kaspersky.
After the commercial license expires, you cannot upload, execute, or analyze files. We recommend renewing the license before it expires.
For Crimeware Threat Intelligence Reporting Service
The demo license has a limited term and the following restrictions:
If you have not purchased the Crimeware Threat Intelligence Reporting Service license, notifications are not available.
Kaspersky Threat Intelligence Portal allows you to view and download reports marked as DEMO, regardless of the license. For more details, see the Reporting section.
For APT Intelligence Reporting Service
The demo license has a limited term and the following restrictions:
If you have not purchased the APT Intelligence Reporting Service license, notifications are not available.
Kaspersky Threat Intelligence Portal allows you to view and download reports marked as DEMO, regardless of the license. For more details, see the Reporting section.
For Kaspersky Industrial Threat Intelligence Reporting Service
The demo license has a limited term and the following restrictions:
If you do not purchase the Kaspersky Industrial Threat Intelligence Reporting Service license, notifications are not available.
Kaspersky Threat Intelligence Portal allows you to view and download reports marked as DEMO, regardless of the license. For more details, see the Reporting section.
For Kaspersky Threat Lookup / WHOIS Lookup / WHOIS Hunting / Research Graph / OSINT IoCs / Saved Searches
A separate quota for creating rules is provided for the WHOIS Hunting service.
A separate quota for creating saved search requests is provided for the Saved Searches service.
After the trial license expires, you cannot create lookup and saved search requests. The created saved search requests remain available to you but no updates are received for them.
Daily quotas and quotas for the entire period (depending on the contract with Kaspersky) are provided for Threat Lookup and its services.
A separate quota for creating rules is provided for the WHOIS Hunting service.
A separate individual quota for creating research graphs is provided to each user of the group.
A separate quota for creating saved search requests is provided for the Saved Searches service.
After the commercial license expires, you cannot create lookup requests, saved search requests, or tracking rules. Also, no new research graphs can be saved. The created saved search requests remain available, but no updates are received until you renew the license.
Kaspersky Threat Intelligence Portal offers integration with the external Kaspersky Transforms for Maltego service. A separate quota is provided for Maltego lookup requests: access to this service is provided only via the API. General information about an object and its zone are provided in the response. After the commercial license expires, you cannot create requests to Kaspersky Threat Lookup using Maltego.
Daily quota usage
If a user repeats a threat lookup request on the same day, the Threat Lookup daily quota for your group is not reduced.
Running a threat lookup request for a hash does not reduce the Threat Lookup daily quota for your group if the completed execution task for this hash is in Kaspersky Sandbox.
The number of service users for your company and other limited terms and conditions including quotas are specified in your contract with Kaspersky. You may find information about the license on the Licenses page.
We recommend renewing the license before it expires.
For APT C&C Tracking Service
For Digital Footprint Intelligence Service
The demo license has a limited term and the following restrictions:
If you do not renew your commercial license, you can still access data received during the license period. You can search for reports and notifications, and filter and export notifications. However, no new reports and notifications will be provided until you renew your license.
Dark Web / Surface Web
If you do not renew your commercial license, you can still access data received during the license period. However, no new data will be provided until you renew your license. Also, no Dark Web / Surface Web updates for the created saved search requests are received. Note that, if the Threat Lookup license remains valid, you can still create and save new search requests for which the updates are based on the Lookup data.
Cloud Threat Attribution Engine
After the commercial license expires, you can still access data received during the license period. However, you cannot analyze the uploaded files and no new data will be provided until you renew your license.
We recommend renewing the license before it expires.
The following procedure tells you how to view your current and available Kaspersky Threat Intelligence Portal service licenses.
The current license entitles you to use the service.
In Kaspersky Threat Intelligence Portal, an expired, None, or Trial license for which the request quota is exceeded is considered an available license.
To view current licenses, click the user icon at the bottom of the Kaspersky Threat Intelligence Portal page, and select the Licenses option.
The Licenses → Current licenses tab opens. For your current licenses, the data described in the table below is displayed.
Current licenses

| Field | Description |
|---|---|
| Service | Service name. If necessary, expand the service name to view feature names. Service names are clickable, and navigate you to the corresponding service page. |
| Type | Type of your current license for the service (Commercial, Demo, or Trial). |
| Quotas | Request limit for the service. |
| Expiration | Date and time your current license expires. When the current license expires, it is moved to the Available licenses tab, where you can apply for license purchase. |
| Conditions | Link that opens the corresponding service Terms and Conditions. |
To view available licenses:
For licenses available to you, the data described in the table below is displayed.
Available licenses

| Field | Description |
|---|---|
| Service | Service name. If necessary, expand the service name to view feature names. Service names are clickable, and navigate you to the corresponding service page. |
| Type | Type of the license for the service (Commercial, Demo, Trial, or None). |
| Quotas | Request limit for the service. |
| Expiration | Date and time the license expired. |
| Purchase | Button that you can use to apply for a license purchase. |
The following procedure tells you how to purchase a license.
To purchase a license:
The Licenses page opens.
The request form opens.
When using Kaspersky Threat Intelligence Portal, in addition to the data that you provide in accordance with the Terms and Conditions, the following types of data are automatically obtained and processed for the purposes described below.
Kaspersky protects any information received in accordance with law and applicable Kaspersky rules. Data is transmitted over a secure channel.
All obtained data is stored during the license term. When a storage period expires, the data is deleted from online transaction processing (OLTP) databases.
You can withdraw your consent to the provision of the data described below at any time.
To withdraw your consent, contact your dedicated Kaspersky Technical Account Manager at ktlsupport@kaspersky.com.
Processed data:
General user actions
For detection services improvement and processing user requests to Kaspersky Threat Intelligence Portal services in accordance with license terms, on any user action during work with Kaspersky Threat Intelligence Portal, the portal obtains the following data according to the Terms and Conditions:
Terms and Conditions confirmation
For processing user requests to Kaspersky Threat Intelligence Portal services in accordance with license terms, the portal obtains the following data:
Statement About Data Provision confirmation
For processing user requests to Kaspersky Threat Intelligence Portal services in accordance with license terms, the portal obtains the following data:
Signing in to Kaspersky Threat Intelligence Portal
For purposes of user authentication and verification of compliance with the current license, on signing in to Kaspersky Threat Intelligence Portal, the portal obtains the following data according to the Terms and Conditions:
APT Intelligence Reporting, Crimeware Threat Intelligence Reporting, and Industrial Threat Intelligence Reporting services
For purposes of generating user input hints and searching for requested text (full text search), the requests to the Reporting service are received, stored, and processed in accordance with the Terms and Conditions.
Threat lookup service
For purposes of searching requested objects, display of recent user requests, and verification of compliance with the current license, when the Threat lookup service is used, Kaspersky Threat Intelligence Portal obtains the following data:
Dark web and Surface web search
For purposes of investigating issues, verifying compliance with the current license, and notifying the user, when the WHOIS hunting functionality is used in the Kaspersky Dark web and Surface web search, the following information is processed:
WHOIS hunting service
For purposes of issue investigations, verification of compliance with the current license, and user notification, when the WHOIS hunting service is used, Kaspersky Threat Intelligence Portal obtains the following data according to the Terms and Conditions:
WHOIS lookup service
For purposes of issue investigations, display of user recent requests, and verification of compliance with the current license, when the WHOIS lookup service is used, Kaspersky Threat Intelligence Portal obtains the following data:
Kaspersky Sandbox: Uploaded or downloaded files execution
For purposes of issue investigations, display of recent user requests, and verification of compliance with the current license, when executing a file in Kaspersky Sandbox, Kaspersky Threat Intelligence Portal obtains the following data:
Cloud Threat Attribution Engine
For purposes of investigating issues, verifying compliance with the current license, and notifying the user about file analysis results extracted with Cloud Threat Attribution Engine, information from the file is processed.
Kaspersky Sandbox: Browse URL
For purposes of issue investigations, display of recent user requests, and verification of compliance with the current license, when analyzing a web address in Kaspersky Sandbox, Kaspersky Threat Intelligence Portal obtains the following data:
Account management
For the purpose of verification of compliance with the current license, when a new account is created, Kaspersky Threat Intelligence Portal obtains the following data according to the Terms and Conditions:
Digital Footprint Intelligence service
For the purposes of detecting immediate threats to the organization and providing the user with information about them, performing text searches requested by the user, and filtering those results, Kaspersky Threat Intelligence Portal receives the following data when you use the Digital Footprint Intelligence service:
Kaspersky Threat Intelligence Portal allows you to search threat intelligence information about various types of objects in all Kaspersky services databases in parallel:
The search field (Search) is located on each Kaspersky Threat Intelligence Portal page: you do not need to navigate to a certain service section to request specific information.
If you start a search on one of the Threat Lookup tabs (for example, Dark web or Surface web), the selected page remains active when the search results are displayed.
The Threat Lookup page contains the following sections:
If necessary, you can use filters to narrow the number of displayed results:
On the Threats tab:
On the Reports tab, in the Date column, select a specific date or time interval when a report was published, or use the predefined Week or Month filters.
The number of results is displayed next to each section name.
Kaspersky Threat Intelligence Portal allows you to run a full-text search against a limited set of Dark web and other hidden publications.
To search for a Dark web post:
Kaspersky Threat Intelligence Portal displays search results on the Threat Lookup → Dark web page.
By default, Kaspersky Threat Intelligence Portal searches Forums, Messengers, Ransomware blogs, and News categories.
If the category selection changes, Kaspersky Threat Intelligence Portal performs the search again with the new filters.
In the window that opens, detailed information about the post and its text are displayed.
Dark web section

Field | Description
---|---
Date | Dark web post publication date and time.
Preview | Dark web post title and post preview.
Source | Source of the Dark web post. Be aware that links to sources, as well as links within sources, can lead to dangerous resources.
Category | The category of the source in which the post was found.
Kaspersky Threat Intelligence Portal allows you to run a full-text search against a limited set of publications in various social media.
To search a social media publication:
Kaspersky Threat Intelligence Portal displays search results on the Threat Lookup → Surface web page.
In the window that opens, the post is displayed.
Surface web section

Field | Description
---|---
Date | Social media post publication date and time.
Preview | Social media post title and post preview.
Source | The source of the social media post. Be aware that links to sources, as well as links within sources, can lead to dangerous resources.
This section explains how you can run requests by using Kaspersky Threat Intelligence Portal. Also, the concept of zones and detailed descriptions of object investigation results are provided.
All lookup results available to you are displayed in the Threat Lookup → History table.
You can also run search requests by using the Kaspersky Threat Intelligence Portal API.
The following procedure tells you how to run a request on Kaspersky Threat Intelligence Portal.
For Kaspersky Anti Targeted Attack and Kaspersky Endpoint Detection and Response users, free lookup requests on Kaspersky Threat Intelligence Portal are available under the extended trial license. You can apply for this feature in one of the following ways: contact your manager (Kaspersky employee) or Kaspersky partner, send an email to ktlsupport@kaspersky.com, or click the Request Access button on the login page. You can also request a quota increase for lookup requests by clicking the support icon in the main menu.
To run a request:
Kaspersky Threat Intelligence Portal recognizes the type of the requested object and displays investigation results in separate fields on the Threat Lookup → Threat Lookup results page.
You can enter the object to search in a defanged form. Such requests are transformed back to their original form. The supported defang notations are shown in the example below.
If you enter a defanged domain, IP address, or web address, we recommend checking that, after the transformation, the lookup was conducted for the required object.
See example
If you start a search on one of the Threat Lookup tabs (for example, Lookup, Dark web or Surface web), the selected page remains active when the search results are displayed.
The length of a web address is limited to a maximum of 2000 characters. Any further characters are ignored during a web address investigation.
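Refanging and checking a request before submitting it, as an added example that is not part of the portal's documentation or code: it reverses common defang notations (the list of notations is an assumption, not the portal's documented set), guesses the object type the way the lookup does (hash by MD5/SHA1/SHA256 length, IP address, web address, domain, or free text), applies the 2000-character web address limit, and reports whether the refanged object is the type you intended.

```python
"""Refang a defanged indicator and confirm what will actually be looked up.

Added example, not code from Kaspersky Threat Intelligence Portal. The set of
defang notations reversed here is an assumption made for illustration; the
portal documents its own supported set separately.
"""
import ipaddress
import re
from typing import Optional

# Web addresses longer than this are cut before investigation (stated on the page).
MAX_URL_LENGTH = 2000

# Defang notations this example reverses (constructed list, an assumption).
# Order matters: bracketed punctuation is restored before the scheme is fixed,
# so "hxxp[:]//" is handled as well as "hxxp://".
_REFANG_RULES = (
    (re.compile(r"\[://\]"), "://"),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[@\]"), "@"),
    (re.compile(r"\[(?:\.|dot)\]|\(\.\)|\{\.\}|\\\."), "."),
    (re.compile(r"\bhxxp(s?)://", re.IGNORECASE), r"http\1://"),
)

_HEX = re.compile(r"^[0-9a-fA-F]+$")
_HASH_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256"}
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def refang(indicator: str) -> str:
    """Return the indicator with the defang notations above reversed."""
    value = indicator.strip()
    for pattern, replacement in _REFANG_RULES:
        value = pattern.sub(replacement, value)
    return value


def classify(value: str) -> str:
    """Guess the object type a lookup would use: hash, ip, url, domain or text."""
    if _HEX.match(value) and len(value) in _HASH_LENGTHS:
        return "hash"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if "://" in value or "/" in value:
        return "url"
    if _DOMAIN.match(value):
        return "domain"
    return "text"


def prepare_lookup(indicator: str, expected_type: Optional[str] = None) -> dict:
    """Refang, classify and length-check an indicator before submitting it.

    "ok" is False when the refanged object is not of the type the analyst
    intended, or when a web address had to be cut to MAX_URL_LENGTH characters
    and therefore would not be investigated as entered.
    """
    original = indicator.strip()
    refanged = refang(original)
    kind = classify(refanged)
    lookup = refanged
    truncated = False
    if kind == "url" and len(lookup) > MAX_URL_LENGTH:
        lookup = lookup[:MAX_URL_LENGTH]
        truncated = True
    type_matches = expected_type is None or expected_type == kind
    return {
        "original": original,
        "lookup": lookup,
        "type": kind,
        "hash_type": _HASH_LENGTHS.get(len(lookup)) if kind == "hash" else None,
        "was_defanged": refanged != original,
        "truncated": truncated,
        "ok": type_matches and not truncated,
    }


if __name__ == "__main__":
    # Constructed sample indicators using documentation address ranges.
    for sample, expected in (
        ("hxxps://www[.]example[.]com/login[.]php", "url"),
        ("192[.]0[.]2[.]10", "ip"),
        ("example[.]com", "ip"),  # intentional mismatch: analyst expected an IP
    ):
        print(prepare_lookup(sample, expected))
```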
You can export investigation results as an archive.
After the request is run, results on the report page may differ from the results shown in the Threat Lookup → History table for the same object because Kaspersky expert systems update information about objects in real time. Investigation results depend on the threat landscape.
After you run a threat lookup request, Kaspersky Threat Intelligence Portal displays a report for the investigated object on the Threat Lookup → Threat Lookup results page.
General information about the investigated object is displayed at the top of the page. The panel with the requested object and its status appears in one of the following colors, depending on the zone of the investigated object:
Also, for IP addresses, the flag of the country to which the requested IP address belongs is displayed. When you hover your mouse over a flag, a tooltip with the country name appears. For IP addresses that do not belong to any country, the flag with a question mark and the tooltip No information are displayed.
You can use the following buttons:
Opens the research graph for the object.
Copies your request to clipboard.
Exports all investigation results into a CSV, OpenIOC, or STIX format.
Kaspersky Threat Intelligence Portal displays detailed information in separate tables below the report panel. Tables contain up to 10 entries. In most tables, entries are clickable—you can click them to further investigate the object displayed. The number and contents of the tables differ for each request type.
When you click the hint icon, a tooltip appears with a brief description of the data displayed in the selected table.
The scissors icon indicates that some private data in a displayed web address was filtered out.
In the History table, your local task creation time is displayed. In reports, date and time are displayed in Coordinated Universal Time (UTC) format.
You can use the following buttons located near the table:
Exports data from the table. The button is displayed if the table contains data.
Opens a window with up to 100 entries for the selected table. The button is displayed if there are more than 10 entries in the table.
Kaspersky Threat Intelligence Portal allows you to create search requests that are repeated periodically, so you can track and analyze changes for specific objects. Search requests can be created for one of the following objects:
The search is conducted through one or several Threat Lookup services. If you select Lookup / Dark web, you can also specify one or several sections/categories for the search.
The table below lists the request types supported by the service.
Types of saved search requests

Object | Lookup | Dark web | Surface web | OSINT IoCs
---|---|---|---|---
Hash | | | |
Web address | | | |
IP address | | | |
Domain | | | |
Text input | | | |
When Kaspersky Threat Intelligence Portal receives updates for your saved search requests, the information is displayed in the web interface and sent to you by email (if you configured email notifications).
To create a saved search request:
The list of available services depends on the type of requested object that you specified.
Note that Dark web and Surface web are available for selecting only if permitted by your organization's license.
The name of the request must be unique; you cannot save several search requests with the same name.
The search request is added to your list of saved search requests.
Some section names in the Lookup service are shortened or renamed for better viewing of the saved search requests in the web interface. The table below shows the correspondence between regular and modified Lookup section names.
Regular and modified section names

Regular name | Modified name
---|---
Hash |
Overview | General info
File downloaded from URLs and domains | Downloaded from
File accessed the following URLs | Accessed URLs
File started the following objects | Started objects
File was started by the following objects | Started by
File downloaded the following objects | Downloaded objects
File was downloaded by the following objects | Downloaded by
File signatures and certificates | Certificates
Container signatures and certificates | Container certificates
File was unpacked from the following objects | Unpacked from
File contains the following objects | Unpacked objects
Web address |
Overview | General info
Files that accessed requested URL | Files accessing URL
Files downloaded from requested URL | Files downloaded
Referrals to requested URL | Referrals
Requested object linked, forwarded, or redirected to the following URLs | Referred to
DNS resolutions for domain | DNS resolutions
Spam attacks | Spam info
Phishing attacks | Phishing info
IP address |
Overview | General info
Files related to IP address | Files related to IP
DNS resolutions for IP address | DNS resolutions
Spam attacks | Spam info
Phishing attacks | Phishing info
Domain |
Overview | General info
Files that accessed the requested domain | Files accessing domain
Files downloaded from requested domain | Files downloaded
Referrals to domain | Referrals
Domain referred to the following URLs | Referred to
DNS resolutions for domain | DNS resolutions
Spam attacks | Spam info
Phishing attacks | Phishing info
Kaspersky Threat Intelligence Portal allows you to view the saved search requests you created and their updates.
The following information is displayed for each saved search request:
To view the details of a specific saved search request and its updates, click the required saved search request.
Kaspersky Threat Intelligence Portal displays the following information in the sidebar that opens:
You can edit your saved search requests.
To edit a saved search request:
You cannot change the requested object of a saved search request. If you want to change the object, create a new saved search request.
You can delete your saved search requests.
If you delete a request, all its update history is also deleted. The history is not restored if you later create an identical request.
To delete one or more saved search requests:
A warning that all the history for the selected requests will be deleted is displayed.
Kaspersky Threat Intelligence Portal notifies you about updates received for your saved search requests through the web interface and by email.
Notifications in the web interface
Kaspersky Threat Intelligence Portal displays the number of updates in the following ways:
The details of updates are available for viewing.
Email notifications
Kaspersky Threat Intelligence Portal allows you to configure email notifications about updates for your saved search requests.
The Threat Lookup → History page displays a list of your recent lookup requests.
For each request, the information described in the table below is provided.
Request history table

Field | Description
---|---
Status | Status of the requested object.
Date | Date when the request was submitted. In the History table, your local task creation time is displayed. In the reports, date and time are displayed in Coordinated Universal Time (UTC) format. You can use the filter to narrow the number of displayed results. Use the date pickers (calendar) or predefined filters to specify a certain period and click Apply.
Type | Automatically detected type of request.
Request | Object or text you requested. The items are clickable and navigate you to the corresponding results page.
The request history list displays the objects in the form they were entered and looked up. If you submitted a defanged lookup request, the list of your recent requests will contain its original form.
All investigated objects are assigned to zones. A zone indicates the danger level of the object. All related objects are assigned to their own zones. Their zones and the zone of the investigated object may not match.
The list of zones is common for all types of objects, but not all zones can be applied to all types of objects.
Each type of object has its own set of statuses that most accurately describe the danger of objects of this type. Statuses and zones can vary depending on the type of object and the section of the service. For example, the No threats detected status is shown only for IP addresses, domains, and web addresses in the Timeline section.
The relationship between the zones and statuses for all object types is provided in the table below.
Zones and statuses

Zone | Danger level | Hash status | IP address status | Domain status | Web address status
---|---|---|---|---|---
Red | High | Malware | Dangerous | Dangerous | Dangerous
Orange | Medium | n/a* | Not trusted | Not trusted | Not trusted
Yellow | Medium | Adware and other | Adware and other | Adware and other | Adware and other
Gray | Info | Not categorized | Not categorized | Not categorized | Not categorized
Green | Low | Clean | Good / No threats detected | Good / No threats detected | Good / No threats detected

* n/a – Not applicable
Kaspersky Threat Intelligence Portal enables you to search for information about objects by MD5, SHA1, and SHA256 hashes.
Kaspersky Threat Intelligence Portal can additionally obtain information about a hash from various open sources. This lets you find more information about the hash, for example, in posts and articles that mention the requested hash. For more details, refer to the OSINT IoCs section description.
General information about hash
Kaspersky Threat Intelligence Portal provides the following general information about hashes:
General information about hash

Field name | Description
---|---
Status | Shows whether the requested hash can be classified as malicious. The investigated hash may have one of the following statuses: Clean—Object is not malicious. Adware and other—Object can be classified as Not-a-virus. Malware—Object is malicious. Not categorized—No or not enough information about the object is available to define the category.
Hits | Number of hits (popularity) of the requested hash detected by Kaspersky expert systems. The number of hits is rounded to the nearest power of 10.
Format | Format of the object being investigated by hash.
Size | Size of the object being investigated by hash (in bytes).
Packed by | Packer name (if any).
Signed by | Organization that signed the requested hash.
Signature trust | Trust level (zone) of the object signature: Discredited, Not trusted, Trusted.
First seen | Date and time when the requested hash was detected by Kaspersky expert systems for the first time, according to your computer's local time zone.
Last seen | Date and time when the requested hash was detected by Kaspersky expert systems for the last time, according to your computer's local time zone.
MD5 | MD5 hash of the file requested by hash.
SHA1 | SHA1 hash of the file requested by hash.
SHA256 | SHA256 hash of the file requested by hash.
Categories | Categories of the requested hash. If the hash does not belong to any of the defined categories, the General category is displayed.
Reports | Available APT Intelligence, Crimeware Threat Intelligence, and Industrial reports. If you have a valid commercial license for the corresponding service and the requested hash is related to an APT attack and/or mentioned in a report, links to the corresponding reports on the Reporting page are displayed.
Data Feeds | List of Threat Data Feeds that contain information about the requested hash. You can click a link to view the list of available feeds on the Threat Data Feeds page.
Graphical information about hash
The Hash Hit Map (a graphical representation) displays the requested hash spread across the world if the number of hits is larger than 10. Data obtained from users participating in Kaspersky Security Network is used to build the map.
The Detection Statistics chart shows the daily hit statistics for the hash.
Additional information about hash
Kaspersky Threat Intelligence Portal displays, in separate tables, additional information about the hash that is being investigated. You can export data from these tables as separate archives.
Additional information about hash

Table name | Description | Table fields | Comments
---|---|---|---
Detection names | Detected objects related to the requested hash (for example, HEUR:Exploit.Script.Blocker). | — | In this table, the following information is displayed: Color of the zone that the detected object belongs to (red, yellow, gray, green). Date and time when the object was last detected by Kaspersky expert systems. Name of the detected object. You can click any entry to view its description on the Kaspersky threats website.
File signatures and certificates | Shows detailed information about signatures and certificates of the file identified by the requested hash. | Status—Status of the file certificate. Vendor—Owner of the certificate. Publisher—Publisher of the certificate. Signed—Date and time when the certificate was signed. Issued—Date and time when the certificate was issued. Expires—Expiration date of the certificate. Serial number—Serial number of the certificate. | Items in the table are sorted by the Signed field in descending order.
Container signatures and certificates | Information about the signatures and certificates of a container. | Status—Status of the container's certificate. Container MD5—MD5 hash of the container's file. Signed—Date and time when the container's certificate was signed. Issued—Date and time when the container's certificate was issued. Expires—Expiration date of the container's certificate. | Items in the table are sorted by the Signed field in descending order.
File names | Known names of the file identified by the requested hash on computers using Kaspersky software. Private data is not displayed. For example, a file or folder will not be displayed if its name contains a user name. | Hits—Number of file name detections by Kaspersky expert systems. File names—Name of the file identified by the requested hash. | Items in the table are sorted by the Hits field in descending order.
File paths | Known paths of the file identified by the requested hash on computers using Kaspersky software. Private data is not displayed. For example, a file or folder will not be displayed if its name contains a user name. | Hits—Number of path detections by Kaspersky expert systems. Path—Path to the file identified by the requested hash on user computers. Location—Root folder or drive where the file identified by the requested hash is located on user computers. | Items in the table are sorted by the Hits field in descending order. The Path and Location fields can be empty if the file is located in the registry.
File downloaded from URLs and domains | Web addresses and domains from which the file identified by the requested hash was downloaded. | Status—Status of web addresses or domains used to download the file identified by the requested hash. URL—Web addresses used to download the file identified by the requested hash. Items are clickable and take you to the Threat Lookup page, where you can search for information about the web address. The length of the web addresses to be investigated is limited to a maximum of 2000 characters; further characters are ignored. In the message window that opens, you will be asked to confirm that you still want to investigate the shortened web address. Last downloaded—Date and time when the file identified by the requested hash was last downloaded from the web address / domain. Domain—Upper domain of the web address used to download the file identified by the requested hash. Items are clickable and take you to the Threat Lookup page, where you can search for information about the domain. IP count—Number of IP addresses that the domain resolves to. | Items in the table are grouped by status. Items in each group are sorted by the Last downloaded field in descending order.
File accessed the following URLs | Web addresses that were accessed by the file identified by the requested hash. | Status—Status of accessed web addresses. URL—Web addresses accessed by the file identified by the requested hash. Items are clickable and take you to the Threat Lookup page, where you can search for information about the web address. The length of the web address to be investigated is limited to a maximum of 2000 characters; further characters are ignored. In the message window that opens, you will be asked to confirm that you still want to investigate the shortened web address. Last accessed—Date and time when the file identified by the requested hash last accessed the web address. Domain—Upper domain of the web address accessed by the file identified by the requested hash. Items are clickable and take you to the Threat Lookup page, where you can search for information about the domain. IP count—Number of IP addresses that the domain resolves to. | Items in the table are grouped by status. Items in each group are sorted in descending order by the Last accessed field.
File started the following objects | Objects that were started by the file identified by the requested hash. | Status—Status of started objects. Hits—Number of times the file identified by the requested hash started the object, as detected by Kaspersky expert systems. File MD5—MD5 hash of the started object. Items are clickable and take you to the Threat Lookup page, where you can search for information about the hash. Location—Root folder or drive where the started object is located on user computers. Path—Path to the object on user computers. File name—Name of the started object. Last started—Date and time when the object was last started by the file identified by the requested hash. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). | Items in the table are grouped by status. Items in each group are sorted by the Hits field, and then by the Last started field in descending order. The Path and Location fields can be empty if the file is located in the registry.
File was started by the following objects | Objects that started the file identified by the requested hash. | Status—Status of objects that started the file identified by the requested hash. Hits—Number of times the file identified by the requested hash was started, as detected by Kaspersky expert systems. File MD5—MD5 hash of the object that started the file identified by the requested hash. Items are clickable and take you to the Threat Lookup page, where you can search for information about the hash. Location—Root folder or drive where the object is located on user computers. Path—Path to the object on user computers. File name—Name of the object that started the file identified by the requested hash. Last started—Date and time when the file identified by the requested hash was last started. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). | Items in the table are grouped by status. Items in each group are sorted by the Hits field, and then by the Last started field in descending order. The Path and Location fields can be empty if the file is located in the registry.
File downloaded the following objects | Files that were downloaded by the file identified by the requested hash. | Status—Status of downloaded objects. Hits—Number of times the object was downloaded, as detected by Kaspersky expert systems. File MD5—MD5 hash of the downloaded object. Items are clickable and take you to the Threat Lookup page, where you can search for information about the hash. Location—Root folder or drive where the downloaded object is located on user computers. Path—Path to the downloaded object on user computers. File name—Name of the downloaded object. Last downloaded—Date and time when the object was last downloaded by the file identified by the requested hash. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). | Items in the table are grouped by status. Items in each group are sorted by the Last downloaded field in descending order. The Path and Location fields can be empty if the file is located in the registry.
File was downloaded by the following objects | Objects that downloaded the file identified by the requested hash. | Status—Status of objects that downloaded the file identified by the requested hash. Hits—Number of times the file identified by the requested hash was downloaded, as detected by Kaspersky expert systems. File MD5—MD5 hash of the object that downloaded the file identified by the requested hash. Items are clickable and take you to the Threat Lookup page, where you can search for information about the hash. Location—Root folder or drive where the object is located on user computers. File name—Name of the object that downloaded the file identified by the requested hash. Path—Path to the object on user computers. Last downloaded—Date and time when the file identified by the requested hash was last downloaded. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). | Items in the table are grouped by status. Items in each group are sorted by the Last downloaded field in descending order. The Path and Location fields can be empty if the file is located in the registry.
File was unpacked from the following objects | Parent objects of the file identified by the requested hash. | Status—Status of the parent object. Parent MD5—MD5 hash of the parent object. Child MD5—MD5 hash of the child object. For direct parent objects ( Parent size—Size of the parent object (in bytes). Parent type—File type of the parent object. Parent detection name—Detected objects related to the parent object (for example, HEUR:Exploit.Script.Blocker). Level—Parent level. The direct parent of the requested object has | Items in the table are grouped by parent object status. Items in each group are sorted by the Level field in ascending order.
File contains the following objects | Child objects of the file identified by the requested hash. | Status—Status of the child object. Child MD5—MD5 hash of the child object. Parent MD5—MD5 hash of the parent object. For direct child objects ( Child size—Size of the child object (in bytes). Child type—File type of the child object. Child detection name—Detected objects related to the child object (for example, HEUR:Exploit.Script.Blocker). Level—Child level. The direct child of the requested object has | Items in the table are grouped by child object status. Items in each group are sorted by the Level field in ascending order.
File was attached to email | Information about spam attacks in which the requested object was attached to email messages. | — | —
Similar files | Files that are similar to the requested object. Using machine-learning (ML) methods, Kaspersky systems extract the requested file's features and detect similar malicious files. Information about similar files can be used in incident response to search more extensively for modifications and variations of a malicious object. This information also lets you optimize perimeter protection against certain threats, taking into account different modifications and variations of a malicious object. | Status—Status of the object similar to the file identified by the requested hash. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Confidence—Level of confidence that the object is similar to the file identified by the requested hash. Kaspersky Threat Intelligence Portal displays similar files with a confidence level from 8 to 11. First seen—Date and time when the similar object was detected by Kaspersky expert systems for the first time (in your local time zone). Last seen—Date and time, accurate to one minute, when the similar object was detected by Kaspersky expert systems for the last time (in your local time zone). Hits—Number of hits (popularity) of the object similar to the file identified by the requested hash, as detected by Kaspersky expert systems (rounded to the nearest power of 10). MD5—MD5 hash of the object similar to the file identified by the requested hash. Items are clickable; you can select one of the available actions. Type—Type of the object similar to the file identified by the requested hash. Size—Size of the object similar to the file identified by the requested hash (in bytes). | Items in the table are grouped and sorted by confidence in descending order. Items in groups with the same confidence are sorted by the Status field in descending order, and then by the Last seen field in descending order.
In addition to lookup results, Kaspersky Threat Intelligence Portal provides open-source intelligence (OSINT) for the requested hash. This allows you to find more information on the hash, for example, in posts in which the hash is mentioned.
To search for open-source intelligence for a hash, in the Search field on any Kaspersky Threat Intelligence Portal page, enter the hash (MD5, SHA1, or SHA256) you want to investigate and press Enter.
On the Threat Lookup → OSINT IoCs page, Kaspersky Threat Intelligence Portal displays a list of posts in which the requested hash or files identified by the hash are mentioned.
The search results include not only posts found for the requested hash, but also those found by the other hashes known for the identified file. For example, if you search for an MD5 hash, posts mentioning the MD5, SHA1, and SHA256 hashes of the file are also shown.
OSINT IoCs section

Field | Description
---|---
Date | Post publication date.
Source | Link to a post. In some cases, the requested hash is not mentioned in the directly linked post, but in posts reachable through links in that post.
Hash | Hash type by which the article was found (MD5, SHA1, or SHA256).
Kaspersky Threat Intelligence Portal enables you to search for information about IP addresses.
For reserved IP addresses, only general and WHOIS information is displayed. Detailed reports are not provided.
General information about IP address
Kaspersky Threat Intelligence Portal provides the following general information about IP addresses:
General information about IP address

Field name | Description
---|---
Status | Shows whether the requested IP address generates malicious activity. The IP address can have one of the following statuses: Good—IP address does not generate malicious activity. No threats detected—IP address was scanned and/or analyzed by Kaspersky, and no threats were detected. This status is used only in the Timeline section. Not trusted—IP address may host malicious objects. Its threat score is from 50 to 74. Adware and other—There are objects related to the IP address that can be classified as Not-a-virus. Dangerous—IP address hosts malicious objects. Not categorized—No or not enough information about the IP address is available to define the category.
Country flag | Flag of the country that the requested IP address belongs to. When you hover your mouse over a flag, a tooltip with the country name appears. For IP addresses that do not belong to any country, the flag with a question mark and the tooltip No information are displayed.
Hits | Hit number (popularity) of the requested IP address. The hit number is rounded to the nearest power of 10.
First seen | Date and time when the requested IP address first appeared in Kaspersky expert systems statistics, according to your computer's local time zone.
Threat score | Probability that the requested IP address will turn out to be dangerous (0 to 100). An IP address is classified by Kaspersky expert systems as dangerous if its threat score is greater than 74.
Owner name | Name of the requested IP address owner.
Owner ID | ID of the requested IP address owner according to the registry database.
Created | Date when the requested IP address was registered.
Updated | Date when information about the requested IP address was last updated.
Categories | Categories of the requested IP address. If the IP address does not belong to any defined categories, the General category is displayed.
Reports | Available APT Intelligence, Crimeware Threat Intelligence, and ICS reports. If you have a valid commercial license for the corresponding service and the requested IP address is related to an APT attack and/or mentioned in a report, links to the corresponding reports on the Reporting page are displayed.
Data Feeds | List of Threat Data Feeds that contain information about the requested IP address. You can click a link to view the list of available feeds on the Threat Data Feeds page.
If you want an IP address to be processed as a web address, run the request by using the Kaspersky Threat Intelligence Portal API.
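The lookups in this section accept hashes (the OSINT IoCs search above), IP addresses, domains and web addresses, and the portal treats two of them specially: reserved IP addresses return only general and WHOIS information, and web addresses longer than 2000 characters are truncated before investigation. The following Python is an added example, not part of Kaspersky Threat Intelligence Portal or its API: it classifies a raw indicator string before it is submitted and attaches those two caveats. The simplified domain regex and the use of `ipaddress.is_global` as the test for a "reserved" address are this example's own assumptions.

```python
"""Pre-flight classification of a Threat Lookup indicator.

Added example; not Kaspersky code. Classifies a raw search string as a hash,
IP address, domain or web address, flags non-global IP addresses (private,
loopback, documentation ranges, ...) for which the page says only general
and WHOIS information is displayed, and warns when a web address exceeds
the 2000-character limit after which the portal truncates it.
"""
import ipaddress
import re

URL_MAX_LEN = 2000  # limit stated on this page for investigated web addresses

_HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"\A[0-9a-fA-F]+\Z")
# Simplified hostname check (assumption): dot-separated LDH labels, alphabetic TLD.
_DOMAIN = re.compile(
    r"\A(?=.{1,253}\Z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\Z", re.I
)


def classify_indicator(value):
    """Return (kind, normalized_value, notes) for a raw lookup string.

    kind is one of md5, sha1, sha256, ip, url, domain or unknown;
    notes lists caveats the analyst should know before submitting.
    """
    s = value.strip()
    notes = []

    # Hashes: a hex string of a known digest length (MD5, SHA1, SHA256).
    if len(s) in _HASH_TYPES and _HEX.match(s):
        return _HASH_TYPES[len(s)], s.lower(), notes

    # IP addresses (IPv4 or IPv6).
    try:
        ip = ipaddress.ip_address(s)
    except ValueError:
        ip = None
    if ip is not None:
        if not ip.is_global:  # assumption: this is what the page calls "reserved"
            notes.append("non-global IP address: only general and WHOIS information is displayed")
        return "ip", str(ip), notes

    # Anything carrying a scheme, path or query is treated as a web address.
    if "://" in s or "/" in s or "?" in s:
        if len(s) > URL_MAX_LEN:
            notes.append(f"web address longer than {URL_MAX_LEN} characters; it will be truncated")
            s = s[:URL_MAX_LEN]
        return "url", s, notes

    host = s.rstrip(".").lower()
    if _DOMAIN.match(host):
        return "domain", host, notes

    return "unknown", s, ["not recognised as a hash, IP address, domain or web address"]


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real investigation.
    samples = [
        " D41D8CD98F00B204E9800998ECF8427E ",
        "192.168.0.10",
        "Example.COM.",
        "http://example.com/" + "a" * 2100,
        "not an indicator",
    ]
    for sample in samples:
        kind, norm, notes = classify_indicator(sample)
        print(f"{kind:8} {norm[:60]!r:64} {'; '.join(notes)}")
```

Running the check client-side saves a quota-consuming request when the string is not an indicator at all, and tells the analyst up front why a private address will come back with only WHOIS data.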
Graphical information about IP address
A timeline shows detection statistics for selected historical periods. Changes in the zone of a categorized object are displayed for two months (by default) or two years. The timeline is generated only when detection statistics for the period are available for the specific object.
The timeline shows changes only for the following statuses:
If you pause the mouse pointer on a point of the timeline, Kaspersky Threat Intelligence Portal displays the date and time of the detection and the category of the object.
The category and status of the object on the timeline might not match the Categories and Status values in the object lookup results, because different methods are applied.
Additional information about IP address
Kaspersky Threat Intelligence Portal provides additional information about the requested IP address displayed in separate tables. You can export data from these tables as separate archives.
Additional information about IP address

| Table name | Description | Table fields | Comments |
|---|---|---|---|
| WHOIS | WHOIS information for the requested IP address. | IP range—Range of IP addresses in the network that the requested IP address belongs to. Net name—Name of the network that the requested IP address belongs to. Net description—Description of the network that the requested IP address belongs to. Created—Date when the requested IP address was registered. Changed—Date when information about the requested IP address was last updated. AS description—Autonomous system description. ASN—Autonomous system number according to RFC 1771 and RFC 4893. Contact—Contact type (person or organization). Name—Contact name. Role—Role of a contact (for example, owner). Address—Postal address that is registered for the IP address. Phone / Fax—Phone/fax number of a contact. Email—Email address of a contact. | — |
| DNS resolutions for IP address | pDNS information for the requested IP address. | Status—Status of domains. Hits—Number of times that the domain resolved to the requested IP address. Domain—Domain that resolves to the requested IP address. Items are clickable and take you to the Threat Lookup page, where you can search for information about the domain. First resolved—Date and time when the domain first resolved to the requested IP address, according to your computer's local time zone. Last resolved—Date and time when the domain last resolved to the requested IP address, according to your computer's local time zone. Peak date—Date of the maximum number of domain resolutions to the requested IP address. Daily peak—Maximum number of domain resolutions to the requested IP address per day. | Items in the table are grouped by status. Items in each group are sorted in descending order by the Last resolved field. |
| Files related to IP address | MD5 hashes of files that are related to web addresses containing domains that resolve to the requested IP address. MD5 hashes of files that accessed the requested IP address are also displayed. | Status—Status of downloaded files. Hits—Number of times that a file was downloaded from the requested IP address, as detected by Kaspersky expert systems. File MD5—MD5 hash of the downloaded file. Items are clickable and take you to the Threat Lookup page, where you can search for information about the hash. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). URL—Web addresses used to download the file. Items are clickable and take you to the Threat Lookup page, where you can search for information about the web address. The length of the web address to be investigated is limited to a maximum of 2000 characters; further characters are ignored. In the message window that opens, you are asked to confirm that you still want to investigate the shortened web address. Last seen—Date and time when the file was last downloaded from the requested IP address, according to your computer's local time zone. First seen—Date and time when the file was first downloaded from the requested IP address, according to your computer's local time zone. | Items in the table are grouped by status. Items in each group are sorted by the Hits field, and then by the Last seen field, in descending order. |
| Hosted URLs | Web addresses that contain the requested IP address, and web addresses of the domain that resolves to the requested IP address. | Status—Status of web addresses and domains. Hits—Number of web address detections by Kaspersky expert systems. URL—Detected web address. Items are clickable and take you to the Threat Lookup page, where you can search for information about the web address. The length of the web address to be investigated is limited to a maximum of 2000 characters; further characters are ignored. In the message window that opens, you are asked to confirm that you still want to investigate the shortened web address. First seen—Date and time when the web address was first detected, according to your computer's local time zone. Last seen—Date and time when the web address was last detected, according to your computer's local time zone. | Items in the table are grouped by status. Items in each group are sorted by the Hits field, and then by the Last seen field, in descending order. |
| URL masks | Masks, detected by Kaspersky expert systems, of web addresses that contain the requested IP address and of web addresses of the domain that resolves to the requested IP address. If a mask is included in Threat Data Feeds, the feed names are also displayed. | Status—Status of web addresses covered by the corresponding mask (Dangerous, Not trusted, or Adware and other). Type—Type of the mask. Mask—Web address mask. Each item in the list is clickable: you can click it to navigate to the Threat Lookup results page, which shows investigation results for the web address mask. Investigation results are available only if you have a valid Threat Lookup license and have not exceeded your quota for object investigation. Feeds—Threat Data Feeds that contain the web address mask. Any of the following Threat Data Feeds can be displayed in this field: Malicious URL Data Feed, Phishing URL Data Feed, Botnet CC URL Data Feed, APT URL Data Feed, and APT IP Data Feed. If a mask is detected by Kaspersky expert systems but not included in any of these Threat Data Feeds, "—" is displayed. Each item in this list is clickable: you can click it to navigate to the corresponding Threat Data Feed on the Data Feeds page. | — |
| Spam attacks | Information about spam attacks associated with the requested IP address. | Number of attacks—Number of spam attacks. Spam ratio—The ratio of spam to other content. Attack type—Types of attacks (Unknown, Phishing, Spoofing). | — |
| Spam attack statistics | Graph showing the number of spam attacks in the last six months. | — | — |
| Phishing attacks | Information about phishing attacks associated with the requested IP address. | Number of attacks—Number of phishing attacks. Phishing kit—Name of the phishing kit (a set of materials and tools) used during the phishing attack. Stolen data type—Type of data stolen during the phishing attack, for example, user names or passwords. Attacked industry—Target industry of the phishing attack. Attacked organization—Target organization of the phishing attack. | — |
| Phishing attack statistics | Graph showing the number of phishing attacks in the last six months. | — | — |
Kaspersky Threat Intelligence Portal enables you to search for information about domains.
General information about domain
Kaspersky Threat Intelligence Portal provides the following general information about domains:
General information about domain

| Field name | Description |
|---|---|
| Status | Shows whether the requested domain can be classified as malicious, good, or not categorized. The domain can have one of the following statuses: Good—Domain is not malicious. No threats detected—Domain was scanned and/or analyzed by Kaspersky, and no threats were detected. This status is used only in the Timeline section. Dangerous—There are malicious objects related to the domain. Adware and other—There are objects related to the domain, which can be classified as Not-a-virus. Not trusted—Domain is categorized as Infected or Compromised. Not categorized—No or not enough information about the domain is available to define the category. |
| IPv4 count | Number of IP addresses related to the domain. |
| File count | Number of known malicious / all files. |
| Owner name | Domain owner name. |
| Owner ID | Domain owner ID. |
| Created | Domain creation date. |
| Updated | Domain update date. |
| Categories | Categories of the requested domain. If the domain does not belong to any defined categories, the General category is displayed. |
| Reports | Available APT Intelligence, Crimeware Threat Intelligence, and ICS reports. If you have a valid commercial license for the corresponding service and the requested domain is related to an APT attack and/or mentioned in a report, links to the corresponding reports on the Reporting page are displayed. |
| Data Feeds | List of Threat Data Feeds that contain information about the requested domain. You can click a link to view the list of available feeds on the Threat Data Feeds page. |
Graphical information about domain
A timeline shows detection statistics for selected historical periods. Changes in the zone of a categorized object are displayed for two months (by default) or two years. The timeline is generated only when detection statistics for the period are available for the specific object.
The timeline shows changes only for the following statuses:
If you pause the mouse pointer on a point of the timeline, Kaspersky Threat Intelligence Portal displays the date and time of the detection and the category of the object.
The category and status of the object on the timeline might not match the Categories and Status values in the object lookup results, because different methods are applied.
Additional information about domain
Kaspersky Threat Intelligence Portal provides additional information, displayed in separate tables, about the domain that is being investigated. You can export data from these tables as separate archives.
Additional information about domain

| Table name | Description | Table fields | Comments |
|---|---|---|---|
| WHOIS | WHOIS data about the domain that is being investigated. | Domain name—Name of the requested domain. Domain status—Status of the requested domain. Created—Date when the requested domain was registered. Updated—Date when registration information about the requested domain was last updated. Paid until—Expiration date of the prepaid registration term. Registrar info—Name of the requested domain registrar. IANA ID—IANA ID of the registrar. Email—Email of the registrar. Name servers—List of name servers of the requested domain. Contacts—Contact type (person or organization). Name—Contact name. Role—Role of a contact (for example, owner). Address—Postal address that is registered for the IP address. Phone/Fax—Phone/fax number of a contact. Email—Email address of a contact. | — |
| DNS resolutions for domain | IP addresses that the requested domain resolves to. | Status—Status of IP address. Threat score—Probability that the requested IP address will be dangerous (0 to 100). Hits—Number of IP address detections by Kaspersky expert systems. IP—IP addresses. Items are clickable and take you to the Threat Lookup page, where you can search for information about the IP address. The flag of the country to which the IP address belongs is displayed. When you hover your mouse over a flag, a tooltip with a country name appears. First resolved—Date and time when the requested domain first resolved to the IP address. Last resolved—Date and time when the requested domain last resolved to the IP address. Peak date—Date of maximum number of requested domain resolutions to the IP address. Daily peak—Maximum number of requested domain resolutions to the IP address per day. | Items in the table are grouped by status. Items in each group are sorted by the Threat score field in descending order. |
| Files downloaded from requested domain | MD5 hashes of files that were downloaded from the requested domain and web addresses of the requested domain. | Status—Status of files that were downloaded. Hits—Number of file downloads from the requested domain as detected by Kaspersky expert systems. File MD5—MD5 hash of the downloaded file. Items are clickable and take you to the Threat Lookup page, where you can search for information about the hash. Last seen—Date and time when the file was last downloaded from the requested domain, according to your computer local time zone. First seen—Date and time when the file was first downloaded from the requested domain, according to your computer local time zone. URL—Web addresses used to download the file. Items are clickable and take you to the Threat Lookup page, where you can search for information about the web address. The length of the web address to be investigated is limited to a maximum of 2000 characters; other characters will be ignored. In the message window that opens, you will be asked to confirm that you still want to investigate the shortened web address. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). | Items in the table are grouped by status. Items in each group are sorted by the Hits field, and then by the Last seen field in descending order. |
| Files that accessed the requested domain | MD5 hashes of files that accessed the requested domain. | Status—Status of files that accessed the requested domain. Hits—Number of times the file accessed the requested domain. File MD5—MD5 hash of the file that accessed the requested domain. Items are clickable and take you to the Threat Lookup page, where you can search for information about the hash. Last seen—Date and time when the file last accessed the requested domain, according to your computer local time zone. First seen—Date and time when the file first accessed the requested domain, according to your computer local time zone. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). | — |
| Subdomains | Hosts related to the requested domain (subdomains). | Status—Status of subdomains. Subdomain name—Name of the detected subdomain. URL count—Number of web addresses related to the subdomain. Hosted files—Number of files hosted on the detected subdomain. First seen—Date and time when the subdomain was first detected, according to your computer local time zone. | Items in the table are grouped by status. Items in each group are sorted in descending order by the First seen field. |
| Referrals to domain | Web addresses that refer to the requested domain. | Status—Status of web addresses that refer to the requested domain. URL—Web address that refers to the requested domain. Items are clickable and take you to the Threat Lookup page, where you can search for information about the web address. The length of the web address to be investigated is limited to a maximum of 2000 characters; other characters will be ignored. In the message window that opens, you will be asked to confirm that you still want to investigate the shortened web address. Last reference—Date and time when the requested domain was last referred to by listed web addresses. | Items in the table are grouped by status. Items in each group are sorted by the Last reference field in descending order. |
| Domain referred to the following URLs | Requested domain links, forwards, or redirects to the following web addresses. | Status—Status of web addresses that the requested domain links, forwards, or redirects to. URL—Web address accessed by the requested domain. Items are clickable and take you to the Threat Lookup page, where you can search for information about the web address. The length of the web address to be investigated is limited to a maximum of 2000 characters; other characters will be ignored. In the message window that opens, you will be asked to confirm that you still want to investigate the shortened web address. Last reference—Date and time when the requested domain last linked, forwarded, or redirected to listed web addresses. | Items in the table are grouped by status. Items in each group are sorted by the Last reference field in descending order. |
| URL masks | The requested domain masks detected by Kaspersky expert systems. If a mask is included in Threat Data Feeds, the feed names are also displayed. | Status—Status of web addresses covered by the corresponding mask (Dangerous, Not trusted, or Adware and other). Type—Mask type. Mask—Requested domain mask. Each item in the list is clickable: you can click it to navigate to the Threat Lookup results page, which shows investigation results for the domain mask. Investigation results are available only if you have a valid Threat Lookup license and have not exceeded your quota for object investigation. Feeds—Threat Data Feeds that contain the requested domain mask. In this field, any of the following Threat Data Feeds can be displayed: Malicious URL Data Feed, Phishing URL Data Feed, and Botnet CC URL Data Feed. If a mask is detected by Kaspersky expert systems, but not included in any of these Threat Data Feeds, "—" is displayed. Each item in this list is clickable: you can click it to navigate to the corresponding Threat Data Feed on the Data Feeds page. | — |
| Similar domains | Information about domains with names similar to those of the requested domain. | Status—Status of a similar domain. Domain—Similar domain name. Registered—Date when a similar domain was registered. Expires—Expiration date of a similar domain. Port status—Information about open ports. | — |
| Spam attacks | Information about spam attacks associated with the requested domain. | Number of attacks—Number of spam attacks. Spam ratio—The ratio of spam to other content. Attack type—Types of attacks (Unknown, Phishing, Spoofing). | — |
| Spam attack statistics | Graph showing the number of spam attacks in the last six months. | — | — |
| Phishing attacks | Information about phishing attacks associated with the requested domain. | Number of attacks—Number of phishing attacks. Phishing kit—Name of a phishing kit (a set of materials and tools) used during the phishing attack. Stolen data type—Type of data stolen during phishing attack, for example, user names, passwords. Attacked industry—Target industry of a phishing attack. Attacked organization—Target organization of a phishing attack. | — |
| Phishing attack statistics | Graph showing the number of phishing attacks in the last six months. | — | — |
Kaspersky Threat Intelligence Portal enables you to search for information about web addresses.
General information about web address
Kaspersky Threat Intelligence Portal provides the following general information about web addresses:
General information about web address

| Field name | Description |
|---|---|
| Status | Shows whether the requested web address can be classified as malicious, good, or not categorized. The web address can have one of the following statuses: Good—Web address is not malicious. No threats detected—Web address was scanned and/or analyzed by Kaspersky, and no threats were detected. This status is used only in the Timeline section. Dangerous—There are malicious objects related to the web address. Adware and other—There are objects related to the web address, which can be classified as Not-a-virus. Not trusted—Web address is categorized as Infected or Compromised. Not categorized—No or not enough information about the web address is available to define the category. |
| IPv4 count | Number of known IP addresses related to the requested web address. |
| File count | Number of known malicious / all files. |
| Created | Web address creation date. |
| Expires | Web address expiration date. |
| Domain | Name of the upper-level domain. |
| Registration organization | Name of the registration organization. |
| Registrar name | Name of the domain name registrar. |
| Categories | Categories of the requested web address. If the web address does not belong to any defined categories, the General category is displayed. |
| Reports | Available APT Intelligence, Crimeware Threat Intelligence, and ICS reports. If you have a valid commercial license for the corresponding service and the requested web address is related to an APT attack and/or mentioned in a report, links to the corresponding reports on the Reporting page are displayed. |
| Data Feeds | List of Threat Data Feeds that contain information about the requested web address. You can click a link to view the list of available feeds on the Threat Data Feeds page. |
Graphical information about web address
A timeline shows detection statistics for selected historical periods. Changes in the zone of a categorized object are displayed for two months (by default) or two years. The timeline is generated only when detection statistics for the period are available for the specific object.
The timeline shows changes only for the following statuses:
If you pause the mouse pointer on a point of the timeline, Kaspersky Threat Intelligence Portal displays the date and time of the detection and the category of the object.
The category and status of the object on the timeline might not match the Categories and Status values in the object lookup results, because different methods are applied.
Additional information about web address
Kaspersky Threat Intelligence Portal provides additional information, displayed in separate tables, about the web address that is being investigated. You can export data from these tables as separate archives.
Additional information about web address

| Table name | Description | Table fields | Comments |
|---|---|---|---|
| WHOIS | WHOIS information about the domain of the requested web address. | Contact—Contact type (person or organization). Name—Contact name. Role—Role of a contact (for example, owner). Address—Postal address that is registered for the IP address. Phone / Fax—Phone/fax number of a contact. Email—Email address of a contact. | — |
| DNS resolutions for domain | IP addresses that the domain of the requested web address resolves to. | Status—Status of IP addresses that the domain of the requested web address resolves to. Threat score—Probability that the IP address will be dangerous (0 to 100). Hits—Number of IP address detections by Kaspersky expert systems. IP—IP addresses. Items are clickable and take you to the Threat Lookup page, where you can search for information about the IP address. The flag of the country to which the IP address belongs is displayed. When you hover your mouse over a flag, a tooltip with the country name appears. First resolved—Date and time when the domain of the requested web address first resolved to the IP address. Last resolved—Date and time when the domain of the requested web address last resolved to the IP address. Peak date—Date of the maximum number of domain resolutions to the IP address. Daily peak—Maximum number of domain resolutions to the IP address per day. | Items in the table are grouped by status. Items in each group are sorted by the Threat score field in descending order. |
| Files downloaded from requested URL | Objects that were downloaded from the requested web address. | Status—Status of downloaded files. Hits—Number of file downloads from the requested web address, as detected by Kaspersky expert systems. File MD5—MD5 hash of the downloaded file. Items are clickable and take you to the Threat Lookup page, where you can search for information about the hash. Last seen—Date and time when the file was last downloaded from the requested web address, according to your computer's local time zone. First seen—Date and time when the file was first downloaded from the requested web address, according to your computer's local time zone. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). | Items in the table are grouped by status. Items in each group are sorted by the Last downloaded field in descending order. |
| Files that accessed requested URL | MD5 hashes of files that accessed the requested web address. | Status—Status of files that accessed the requested web address. Hits—Number of times the file accessed the requested web address. File MD5—MD5 hash of the file that accessed the requested web address. Items are clickable and take you to the Threat Lookup page, where you can search for information about the hash. Last accessed—Date and time when the file last accessed the requested web address. First accessed—Date and time when the file first accessed the requested web address. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). | — |
| Referrals to requested URL | Web addresses that refer to the requested web address. | Status—Status of web addresses that refer to the requested web address. URL—Web address that refers to the requested web address. Items are clickable and take you to the Threat Lookup page, where you can search for information about the web address. The length of the web address to be investigated is limited to a maximum of 2000 characters; further characters are ignored. In the message window that opens, you are asked to confirm that you still want to investigate the shortened web address. Last reference—Date and time when the requested web address was last referred to. | Items in the table are grouped by status. Items in each group are sorted by the Last reference field in descending order. |
| Requested object linked, forwarded, or redirected to the following URLs | The requested object links, forwards, or redirects to the following web addresses. | Status—Status of web addresses that the requested object links, forwards, or redirects to. URL—Web address accessed by the requested web address. Items are clickable and take you to the Threat Lookup page, where you can search for information about the web address. The length of the web address to be investigated is limited to a maximum of 2000 characters; further characters are ignored. In the message window that opens, you are asked to confirm that you still want to investigate the shortened web address. Last reference—Date and time when the requested web address last linked, forwarded, or redirected to the listed web addresses. | Items in the table are grouped by status. Items in each group are sorted by the Last reference field in descending order. |
| URL masks | Masks of the domain of the requested web address, as detected by Kaspersky expert systems. If a mask is included in Threat Data Feeds, the feed names are also displayed. | Status—Status of web addresses covered by the corresponding mask (Dangerous, Not trusted, or Adware and other). Type—Mask type. Mask—Mask related to the domain of the requested web address. Each item in the list is clickable: you can click it to navigate to the Threat Lookup results page, which shows investigation results for the domain mask. Investigation results are available only if you have a valid Threat Lookup license and have not exceeded your quota for object investigation. Feeds—Threat Data Feeds that contain the domain mask of the requested web address. Any of the following Threat Data Feeds can be displayed in this field: Malicious URL Data Feed, Phishing URL Data Feed, and Botnet CC URL Data Feed. If a mask is detected by Kaspersky expert systems but not included in any of these Threat Data Feeds, "—" is displayed. Each item in this list is clickable: you can click it to navigate to the corresponding Threat Data Feed on the Data Feeds page. | — |
| Spam attacks | Information about spam attacks associated with the requested web address. | Number of attacks—Number of spam attacks. | — |
| Phishing attacks | Information about phishing attacks associated with the requested web address. | Phishing status—Shows whether the requested web address can be considered a phishing address. Number of attacks—Number of phishing attacks. Phishing kit—Name of the phishing kit (a set of materials and tools) used during the phishing attack. Stolen data type—Type of data stolen during the phishing attack, for example, user names or passwords. Attacked industry—Target industry of the phishing attack. Attacked organization—Target organization of the phishing attack. | — |
| Phishing attack statistics | Graph showing the number of phishing attacks in the last six months. | — | — |
To get the full path of a file, append the Path field value to the environment variable that corresponds to the Location field value.

Full path of a file

| Location value | Environment variables |
|---|---|
| Desktop | %PUBLIC%\desktop, %USERPROFILE%\desktop |
| Downloads | %PUBLIC%\downloads, %USERPROFILE%\downloads, %windir%\downloaded installations |
| Drive | A hard drive letter |
| InternetCache | %USERPROFILE%\local settings\temporary internet files |
| ProgramData | %ProgramData% |
| ProgramFiles | %ProgramFiles%, %ProgramFiles(x86)%, %ProgramW6432% |
| ProgramFilesCommon | %CommonProgramFiles%, %CommonProgramFiles(x86)%, %CommonProgramW6432% |
| RecycleBinFolder | %SystemDrive%\$Recycle.Bin\%SID% |
| RoamingAppData | %USERPROFILE%\appdata\roaming |
| Startup | %APPDATA%\microsoft\windows\start menu\programs\startup, %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\startup, %ALLUSERSPROFILE%\start menu\programs\startup |
| System | %SystemRoot% |
| Windows® | %windir% |
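Several Location values map to more than one environment variable, and a variable such as %ProgramFiles(x86)% or %SID% is not always defined, so resolving a report's Location and Path into something an analyst can hunt for on an endpoint needs a little logic beyond a table lookup. The Python below is an added example, not code from Kaspersky Threat Intelligence Portal: it expands the table above against a supplied environment dictionary (so it runs on any host and can be fed another machine's environment). Its assumptions are that variable names are matched case-insensitively as on Windows, that templates whose variables are absent from the environment are dropped, and that the caller supplies drive letters and SIDs.

```python
"""Turn a report's Location + Path pair into concrete Windows file paths.

Added example, not Kaspersky code. Uses the "Full path of a file" table from
this page and expands %VAR% references from a caller-supplied environment.
"""
import re

# Location value -> environment-variable templates, as listed on this page.
LOCATION_TEMPLATES = {
    "Desktop": [r"%PUBLIC%\desktop", r"%USERPROFILE%\desktop"],
    "Downloads": [r"%PUBLIC%\downloads", r"%USERPROFILE%\downloads",
                  r"%windir%\downloaded installations"],
    "InternetCache": [r"%USERPROFILE%\local settings\temporary internet files"],
    "ProgramData": [r"%ProgramData%"],
    "ProgramFiles": [r"%ProgramFiles%", r"%ProgramFiles(x86)%", r"%ProgramW6432%"],
    "ProgramFilesCommon": [r"%CommonProgramFiles%", r"%CommonProgramFiles(x86)%",
                           r"%CommonProgramW6432%"],
    "RecycleBinFolder": [r"%SystemDrive%\$Recycle.Bin\%SID%"],
    "RoamingAppData": [r"%USERPROFILE%\appdata\roaming"],
    "Startup": [r"%APPDATA%\microsoft\windows\start menu\programs\startup",
                r"%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\startup",
                r"%ALLUSERSPROFILE%\start menu\programs\startup"],
    "System": [r"%SystemRoot%"],
    "Windows": [r"%windir%"],
}

_VAR = re.compile(r"%([^%]+)%")


def expand_vars(template, env):
    """Expand %VAR% references case-insensitively (assumption: Windows semantics).

    Returns None when any variable is missing from env, so that a template that
    does not apply to this host (e.g. %ProgramFiles(x86)% on 32-bit) is dropped.
    """
    lookup = {k.lower(): v for k, v in env.items()}
    unresolved = []

    def repl(match):
        value = lookup.get(match.group(1).lower())
        if value is None:
            unresolved.append(match.group(1))
            return match.group(0)
        return value

    expanded = _VAR.sub(repl, template)
    return None if unresolved else expanded


def candidate_paths(location, path, env, drives=("C:",), sids=()):
    """Return every concrete full path that a (Location, Path) pair can denote."""
    path = path.lstrip("\\")
    location = location.rstrip("\u00ae")  # the table writes "Windows" with a (R) mark
    if location == "Drive":               # Path is relative to a drive root
        return [f"{drive}\\{path}" for drive in drives]
    templates = []
    for tmpl in LOCATION_TEMPLATES.get(location, []):
        if "%SID%" in tmpl:               # %SID% is not an environment variable
            templates.extend(tmpl.replace("%SID%", sid) for sid in sids)
        else:
            templates.append(tmpl)
    result = []
    for tmpl in templates:
        base = expand_vars(tmpl, env)
        if base is not None:
            result.append(f"{base}\\{path}")
    return result


# Constructed environment of a hypothetical 64-bit host; not a real machine.
SAMPLE_ENV = {
    "PUBLIC": r"C:\Users\Public",
    "USERPROFILE": r"C:\Users\alice",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "ALLUSERSPROFILE": r"C:\ProgramData",
    "ProgramData": r"C:\ProgramData",
    "ProgramFiles": r"C:\Program Files",
    "ProgramFiles(x86)": r"C:\Program Files (x86)",
    "ProgramW6432": r"C:\Program Files",
    "SystemDrive": "C:",
    "SystemRoot": r"C:\Windows",
    "windir": r"C:\Windows",
}

if __name__ == "__main__":
    # Constructed report values; the SID is a placeholder, not a real account.
    for loc, p in [("Downloads", r"setup.exe"), ("ProgramFiles", r"Vendor\app.exe"),
                   ("RecycleBinFolder", r"$R1ABCD.exe"), ("Drive", r"tmp\x.exe")]:
        for full in candidate_paths(loc, p, SAMPLE_ENV, drives=("C:", "D:"),
                                    sids=("S-1-5-21-0-0-0-1001",)):
            print(f"{loc:18} {full}")
```

Because USERPROFILE and APPDATA differ per user, a hunt across a shared host should call the function once per profile's environment rather than once per host.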
This section describes the masked and non-masked domain and web address types.
Descriptions of masked types

| Mask class | Mask type | Blocks | Does not block | Mask examples |
|---|---|---|---|---|
| Domain mask | MASK_TYPE_DOMAIN | Content of the third and higher-level domains. | Content of the second-level domain and other domains. | *.subdomain.domain.com |
| Common mask | MASK_TYPE_FOLDER | Content of the folder, including its subfolders. | Content of subdomains and other folders. | subdomain.domain.com/folder/*, 172.12.168.2/folder/* |
| Common mask | MASK_TYPE_SCRIPT | | | domain.com/folder/load.php?*, domain.com/folder/load.jpg?*, 172.12.168.2/load.php?*, domain.com/.sys/?* |
| Common mask | MASK_TYPE_WILDCARD | Any sequence of characters other than an asterisk (*) may appear in place of the asterisk. Any link that matches the mask is blocked. | | domain.com/*/abc*.exe, *.domain.com/*.php, domain.com/fol*.exe, domain.com/abc*/file.exe, *.domain.com/file.exe |
Descriptions of non-masked types
Mask class | Mask type | Blocks | Does not block | Mask examples |
---|---|---|---|---|
Second-level domain | MASK_TYPE_DOMAIN2_OBJECTS | Domain, all its subdomains, all contents of the domain and of all its subdomains. | Links containing the domain as a substring that is not a domain of any level. | domain.com |
Third-level and higher-level domains | MASK_TYPE_DOMAIN3_OBJECTS | All objects (files, folders, scripts) encountered on the domain level only. | Links to sites located on other domain levels. | subdomain.domain.com, chat.subdomain.domain.com |
Domain with folder or file | MASK_TYPE_DOMAIN_FOLDER | Exact matches or links that contain the match with a subfolder or file. It is intended to prohibit the download or execution from a specific folder or file. | Links to items in folders that are lower than the level of the last folder or file in the record. | domain.com/script.php, 172.17.0.1/setup.exe, 172.17.0.1/pid=1000/setup.exe, domain.com/d/12, 172.17.0.1/x, domain.com/script.php?, domain.com/folder/? |
Script with specific parameters | MASK_TYPE_SCRIPT_PARAMS | Links with a matching set of parameters that are located in the specific domain. | | domain.com/get.php?p=4&id=2 |
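As an added example (not Kaspersky's matching engine), the following Python implements one reading of the mask types in the two tables above and checks constructed links against them. The link normalization (scheme stripped, host lowercased), the treatment of a trailing ? in MASK_TYPE_DOMAIN_FOLDER masks, and the rule list are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Added example: an illustrative interpretation of the mask semantics in the
# tables above, not Kaspersky's own engine. Normalization is an assumption.


def normalize(link):
    """Split a link or mask into (lowercased host, path including any query)."""
    link = link.strip()
    if "://" in link:
        link = link.split("://", 1)[1]
    host, _, rest = link.partition("/")
    return host.lower(), "/" + rest


def _split_query(path):
    """Return (path without query, query string)."""
    base, _, query = path.partition("?")
    return base, query


def matches(mask_type, mask, link):
    """True if LINK is covered by MASK of the given MASK_TYPE."""
    host, path = normalize(link)
    mhost, mpath = normalize(mask)
    script, query = _split_query(path)
    mscript, mquery = _split_query(mpath)

    if mask_type == "MASK_TYPE_DOMAIN":
        # "*.subdomain.domain.com": hosts strictly below the base domain.
        base = mhost[2:] if mhost.startswith("*.") else mhost
        return host.endswith("." + base)
    if mask_type == "MASK_TYPE_DOMAIN2_OBJECTS":
        # The domain and every subdomain, but never a mere substring match.
        return host == mhost or host.endswith("." + mhost)
    if mask_type == "MASK_TYPE_DOMAIN3_OBJECTS":
        # Exactly this domain level, not the levels above or below it.
        return host == mhost
    if mask_type == "MASK_TYPE_FOLDER":
        # "host/folder/*": anything under that folder on that exact host.
        folder = mpath[:-1] if mpath.endswith("*") else mpath
        return host == mhost and path.startswith(folder)
    if mask_type in ("MASK_TYPE_SCRIPT", "MASK_TYPE_DOMAIN_FOLDER"):
        # Same host and same path; "?*" or a trailing "?" in the mask allows
        # any query string, but nothing deeper than the listed file or folder.
        return host == mhost and script == mscript
    if mask_type == "MASK_TYPE_SCRIPT_PARAMS":
        # Same script and the same set of parameters, in any order.
        return (host == mhost and script == mscript
                and set(parse_qsl(query, keep_blank_values=True))
                == set(parse_qsl(mquery, keep_blank_values=True)))
    if mask_type == "MASK_TYPE_WILDCARD":
        # "*" stands for any run of characters other than "*" itself.
        pattern = re.escape(mhost + mpath).replace(r"\*", "[^*]*")
        return re.fullmatch(pattern, host + path) is not None
    raise ValueError(f"unknown mask type: {mask_type}")


def blocked_by(rules, link):
    """Return the (mask_type, mask) pairs from RULES that cover LINK."""
    return [(t, m) for t, m in rules if matches(t, m, link)]


# Constructed rule set drawn from the mask examples in the tables above.
RULES = [
    ("MASK_TYPE_DOMAIN", "*.subdomain.domain.com"),
    ("MASK_TYPE_FOLDER", "subdomain.domain.com/folder/*"),
    ("MASK_TYPE_SCRIPT", "domain.com/folder/load.php?*"),
    ("MASK_TYPE_WILDCARD", "domain.com/*/abc*.exe"),
    ("MASK_TYPE_DOMAIN2_OBJECTS", "domain.com"),
    ("MASK_TYPE_DOMAIN3_OBJECTS", "subdomain.domain.com"),
    ("MASK_TYPE_DOMAIN_FOLDER", "domain.com/script.php"),
    ("MASK_TYPE_SCRIPT_PARAMS", "domain.com/get.php?p=4&id=2"),
]

if __name__ == "__main__":
    for link in ("http://chat.subdomain.domain.com/x",
                 "domain.com/dl/abc1.exe",
                 "notdomain.com/script.php"):
        print(link, "->", blocked_by(RULES, link))
```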
Kaspersky Threat Intelligence Portal enables you to export investigation results about requested objects for further analysis. You can export the following data:
You can run another request in a separate browser tab or window while Kaspersky Threat Intelligence Portal prepares and downloads a file with the investigation results of your previous request.
To export all investigation results:
For reserved IP addresses, only CSV archive format is available. The archive will only contain IpProperties.csv and WHOIS.csv files.
The Save As window opens.
Preparing a file with all investigation results for download may take several minutes.
Kaspersky Threat Intelligence Portal exports up to 1000 items from each data group.
The file with investigation results for the requested object from all available data groups is saved to the specified location.
Detailed information about exporting results in various formats is provided in the following sections in Appendices.
To export investigation results from a selected data group:
The Save As window opens.
Kaspersky Threat Intelligence Portal exports up to 1000 items from a data group.
You can change the file name if necessary.
The archive containing a CSV file with investigation results from the data group is saved to the specified location.
Kaspersky Threat Intelligence Portal research graph is an analytical tool for visualizing relationships between various types of objects (files, web addresses, domains, IP addresses, actors, or reports) analyzed and detected during the research.
The information in graphs is presented as nodes (for objects) and relationships that show connection between the nodes. Each object on the research graph can be represented by only one node. Node types are described in the table below.
Research graph nodes
Node | Description |
---|---|
Object | Node for representing an object on a research graph. |
Section | Additional node for displaying different variants of the parent object (file) node relationship to derived nodes. |
Group | Group nodes that unite several objects of the same type related to one parent object (for example, a group of files extracted from one archive). |
When the research graph represents analysis results for the object submitted to Kaspersky Threat Intelligence Portal, this object is shown as the node of the research graph. This includes group nodes for the files transferred or dropped during file execution in the Kaspersky Sandbox, groups of web addresses and domains accessed during execution.
You can create your own research graphs or edit existing graphs for the analyzed objects. Your personal limit for graphs is displayed on the Research Graph () page. When you exceed your limit, you need to delete unnecessary research graphs or apply for a quota increase.
The research graph data is updated only based on the results of lookups initiated by the user editing the research graph.
Kaspersky Threat Intelligence Portal allows you to view a list of available research graphs on the Research Graph () page.
You can select a list or tiles view mode.
In the list view mode, research graph information described in the table below is displayed.
Research graphs list
Table field | Description |
---|---|
Name | Research graph name. |
Created by | User name (login) of the user who created a research graph. |
Date created | Date and time when a research graph was created. |
Last modified | Date and time when the research graph was last modified. |
Actions | Actions you can perform on a research graph depending on your access rights. |
In the tiles view mode, research graph names, names of users who created a graph, previews, and available actions are displayed.
Kaspersky Threat Intelligence Portal allows you to create a research graph automatically or manually.
To create a research graph automatically:
The research graph editor window opens.
To create a research graph manually:
You can view available research graphs on the Research Graph () page.
To view a research graph, perform one of the following actions:
The selected research graph opens.
To search for a certain node in a research graph:
Kaspersky Threat Intelligence Portal locates the requested node in the center of the research graph editor window and marks it with a blue circle.
To zoom in or out:
To view a research graph in full screen mode,
Move the mouse pointer to the scale icon (N%) in the lower right corner of the graph editor window. In the toolbar that opens, click the full screen mode button ().
To go back to regular view mode,
Press Esc, or move the mouse pointer to the scale icon (N%) and click the regular view mode button () in the toolbar that opens.
You can rename research graphs you created.
To rename a research graph in a graphs list:
The Rename graph window opens.
To rename a research graph while editing:
You can copy an existing research graph.
To copy a research graph in a graphs list:
The Copy graph window opens.
By default, the new name has the following format: <original research graph name> (Copy).
The new research graph appears in the list of research graphs.
To copy a research graph while editing:
The Copy graph window opens.
By default, the new name has the following format: <original research graph name> (Copy).
The new research graph is displayed in the editor window, and you can start editing it if necessary. It also appears in the list of research graphs on the Research Graph () page.
Kaspersky Threat Intelligence Portal allows you to delete one or several research graphs simultaneously.
You can delete only the graphs you created. Only a group administrator can delete graphs created by other users.
To delete one or several research graphs:
The button becomes available if at least one research graph is selected.
You can also delete a research graph while editing it.
To delete a graph:
Please distinguish between the Delete this graph button () for deleting the research graph (at the top) and Delete selected nodes button () for deleting the nodes (on the left).
You can edit research graphs you created.
You cannot edit the research graph of another user: you only can save it with another name after editing, or create a copy of a graph before editing.
To edit a research graph:
This section explains how you can add objects and relationships to a research graph.
Adding objects to research graphs
The following objects can be added to research graphs:
Note that the reports can be added to the graph only if they are permitted in your license. Please see all terms and conditions in your contract with Kaspersky.
To add an object through Object lookup:
The specified object is added to a research graph with the related objects.
If the specified object is not found, you can add a custom object manually (see the procedure below) or edit the search request. For actors, Kaspersky Threat Intelligence Portal searches for an exact name match.
Note that the Threat Lookup quota is reduced when you specify the object to look for and then add it to the research graph. The number of available quotas is displayed under the filled-in Object lookup field.
To add an object manually:
If you search for an object and it is not found, the Create object button is also displayed in the Object lookup field.
Please note, the Summary and other sections are not displayed when you add a node manually.
If you try to add a node of the object that is already presented in the graph (for example, a file with the same hash), this new node will not be created. Instead, the existing node with the same parameter will be highlighted in the research graph for your attention. The existing nodes are highlighted regardless of the way you added objects to the research graph - through Object lookup or manually.
Adding relationships to research graphs
To add a new relationship:
The relationship is created.
Kaspersky Threat Intelligence Portal allows you to view detailed information about specific objects represented by nodes on research graphs.
Detailed information is not displayed for the following:
To view an object's detailed information,
Right-click the node and select Show detailed info.
In the window that opens, the lookup information for the object represented by this node is displayed.
You can like or unlike a report using the like () icon.
Also, when you hover your mouse over a specific object node, brief information for this node is displayed. Brief information about group nodes and section nodes is not provided.
You can edit a comment for an object node or a relationship.
To edit a comment for an object node or a relationship:
This section explains how to view connected objects for object nodes on research graphs.
To view connected objects:
Available data groups and corresponding object numbers are listed.
If the section contains four or less objects, they are linked to the group node as separate object nodes.
If the section contains more than four objects, the extra objects can be found in the group node +(N) items, where N is the number of objects hidden in the group node.
Depending on the confidence level, similar files for a hash are displayed on a graph as separate section nodes.
If you click the open lookup page () icon in the Actions column, Kaspersky Threat Intelligence Portal opens a side-bar with the lookup data for the specific object. At the top of the side-bar, click the open lookup page () icon again to display the Threat Lookup page with detailed information about the object.
You can search specific items in the list by typing the identifier or part of it in the Search field.
Selected objects will be added to the research graph and deleted from the table.
To move a node,
Place the mouse pointer on the node and drag it.
To move several nodes:
All the selected nodes will move.
To delete a node,
Right-click the node and select Remove node.
The node is deleted. If the selected node is part of a section node, it is deleted and the other nodes in the section remain on the graph. If you delete an object node related to a section node, it is moved to the group node of this section. If the group node does not exist, Kaspersky Threat Intelligence Portal creates it.
To delete a section node,
Right-click the node and select Remove section with nodes.
All nodes in the section node are deleted.
If you delete a section node, the following information about the nodes remains hidden on the graph:
A group node is also automatically deleted if you move all its member nodes to the graph.
To delete a relationship,
Right-click the relationship and select Delete.
You can delete only manually added relationships.
If you delete elements from the research graph created for the analyzed file, it will not affect the file analysis report. This means that the next time you use the Create graph button in the file report or Object lookup functionality in the graph editor, you will obtain the original graph again.
This section explains how you can search for APT Intelligence, Crimeware Threat Intelligence, and Industrial reports using Kaspersky Threat Intelligence Portal. You will also know how to view actor profiles.
If you are using a demo version of the service, the Reporting service has several limitations. For more information, see section About the license.
APT Intelligence reports
Provides you with exclusive, proactive access to the descriptions of high-profile cyber-espionage campaigns, including associated indicators of compromise (IOCs).
APT actor profiles
General overview, actor's suspected country of origin, different aliases used, victimology and previous targets, descriptions of past campaigns, toolset, and external references. All of the reports related to the actor are also provided.
Crimeware Threat Intelligence report
Provides exclusive, in-depth, actionable intelligence reporting of the following kinds: detailed descriptions of malware (popular, widespread, or high-profile malware); malware campaigns (widespread, dangerous); researcher notes and early warnings (a sneak peek at warnings about new or updated malware threats); and detailed descriptions of threats targeting financial institutions and of the tools cybercriminals use to attack banks, payment processing companies, ATMs, and POS systems.
Crimeware actor profiles
Similar to APT actor profiles, the new technical descriptions section for crimeware actors allows security professionals to track actors and their networks, understand their own visibility and gaps, and map TTPs against the MITRE ATT&CK matrix.
Industrial Threat Intelligence reports
Heightened intelligence and awareness of malicious campaigns targeting industrial organizations, as well as information on vulnerabilities found in the most popular industrial control systems and underlying technologies.
If you are using a demo version of the service, the Reporting service has several limitations. For more information, see section About the license.
Report files in any format, including Master YARA and Master IOC, are marked TLP:AMBER. Downloaded reports can only be shared within your company, and must not be distributed externally, unless specified otherwise in the downloaded file.
Available reports are displayed on the Reporting () page.
For each report, the following information is displayed:
Reports that appeared after your last visit to the Reporting page are marked as New. Reports that were updated after your last visit are marked as Updated. Reports that are available for viewing and downloading without a commercial license are marked as DEMO.
Some of the displayed reports may not be available if you do not have the appropriate license. You can view information about these reports by following the link in the unavailability notice (), or by selecting the Demo option in the filter in the Report column.
You can like or unlike a report using the like () icon. Summary and links for downloading are displayed only for reports that are available to you according to your organization's license.
You can download reports in any of the available formats using links under the report summary for further analysis.
Available formats depend on the permissions, set by your administrator, to download reports. If you do not have permissions to download reports, no links will be displayed.
A report in YARA Rules format is displayed.
For more information on YARA Rules, see https://yara.readthedocs.io.
By default, the format of the file name is as follows: <REPORT_NAME>.yara.
A file that contains Suricata rules associated with the report.
By default, the format of the file name is as follows: <REPORT_NAME>.rules.
An OpenIOC file that includes a description of IOCs (indicators of compromise) for the following object types: MD5 hashes, domains, web addresses, and IP addresses.
Kaspersky Threat Intelligence Portal supports IOC files that use open standard for IOC description—OpenIOC version 1.0. For more information on OpenIOC files, see http://www.openioc.org.
By default, the format of the file name is as follows: <REPORT_NAME>.ioc.
A PDF report. You can select the required language from a drop-down list if a report is available in several languages.
By default, the format of the file name is as follows: <REPORT_NAME_language>.pdf.
A brief report summary for business purposes in PDF. You can select the required language from a drop-down list if an executive summary is available in several languages.
By default, the format of the file name is as follows: <SUMMARY_NAME_language>.pdf.
If you download an updated version of the report that you downloaded before, the number of available downloads does not decrease.
If necessary, you can download the following reports if you have the corresponding permissions:
A report that includes all available reports at Kaspersky Threat Intelligence Portal in YARA Rules format.
Click the Master YARA button and select the required report type in the drop-down list:
By default, the file name is master.yara.
A report that includes descriptions of IOCs (indicators of compromise) for the following object types: MD5 hashes, domains, and IP addresses in CSV file format. The file contains information from reports.
Click the Master IOC button and select the required report type in the drop-down list:
The first string in the file contains column names:
UID—ID of a report
Publication—Name of a report
Indicator—Object's type: md5-hash, domain, or IP
DetectionDate—Detection date in YYYY-MM-DD format
IndicatorType—Type of indicator: md5Hash or networkActivity
Starting from the third string, each string contains a description of a separate indicator of compromise.
By default, the file name is master.ioc.
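As an added example (not a Kaspersky file or tool), the following Python loads a constructed Master IOC CSV with the column layout described above, rejects rows whose IndicatorType disagrees with the shape of the Indicator, and matches constructed events against the result. The comma delimiter, the blank second line, the placeholder UIDs and the sample rows are assumptions.

```python
import csv
import io
import ipaddress
import re
from datetime import date

# Added example: loader and matcher for the Master IOC CSV layout described
# above. Delimiter, blank second line and all sample data are assumptions.

EXPECTED_COLUMNS = ["UID", "Publication", "Indicator", "DetectionDate", "IndicatorType"]
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")

# Constructed sample; UIDs and publication names are placeholders.
SAMPLE_MASTER_IOC = """UID,Publication,Indicator,DetectionDate,IndicatorType

R-0001,Constructed report A,d41d8cd98f00b204e9800998ecf8427e,2024-03-01,md5Hash
R-0001,Constructed report A,bad.example,2024-03-01,networkActivity
R-0002,Constructed report B,192.0.2.10,2024-03-15,networkActivity
R-0002,Constructed report B,not-a-hash,2024-03-15,md5Hash
"""


def classify_indicator(value):
    """Return 'md5-hash', 'IP' or 'domain' for an Indicator cell, else None."""
    value = value.strip()
    if MD5_RE.match(value):
        return "md5-hash"
    try:
        ipaddress.ip_address(value)
        return "IP"
    except ValueError:
        pass
    if DOMAIN_RE.match(value.lower()):
        return "domain"
    return None


def parse_master_ioc(text):
    """Parse Master IOC CSV text into (accepted, rejected) record lists.

    A row is rejected, with a reason, when DetectionDate is not YYYY-MM-DD or
    when IndicatorType disagrees with the shape of Indicator, so a malformed
    row can be reviewed instead of silently becoming a bad detection."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != EXPECTED_COLUMNS:
        raise ValueError(f"unexpected header: {reader.fieldnames}")
    accepted, rejected = [], []
    for row in reader:  # the csv module skips the blank line for us
        kind = classify_indicator(row["Indicator"])
        itype = row["IndicatorType"].strip()
        try:
            detected = date.fromisoformat(row["DetectionDate"].strip())
        except ValueError:
            rejected.append((row, "bad DetectionDate"))
            continue
        consistent = (itype == "md5Hash" and kind == "md5-hash") or (
            itype == "networkActivity" and kind in ("domain", "IP"))
        if not consistent:
            rejected.append((row, f"IndicatorType {itype!r} vs indicator kind {kind!r}"))
            continue
        accepted.append({"uid": row["UID"], "publication": row["Publication"],
                         "indicator": row["Indicator"].strip().lower(),
                         "kind": kind, "detected": detected})
    return accepted, rejected


def build_index(records):
    """Group accepted indicators as kind -> value -> set of publications."""
    index = {"md5-hash": {}, "domain": {}, "IP": {}}
    for rec in records:
        index[rec["kind"]].setdefault(rec["indicator"], set()).add(rec["publication"])
    return index


def match_event(index, event):
    """Check one constructed event ({'md5'|'host'|'dst_ip': value}) against the index.

    A host matches a listed domain or any of its parent domains, so a
    subdomain of a listed domain is still reported."""
    hits = []
    md5 = event.get("md5", "").lower()
    if md5 in index["md5-hash"]:
        hits.append(("md5-hash", md5, sorted(index["md5-hash"][md5])))
    ip = event.get("dst_ip", "")
    if ip in index["IP"]:
        hits.append(("IP", ip, sorted(index["IP"][ip])))
    labels = event.get("host", "").lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in index["domain"]:
            hits.append(("domain", candidate, sorted(index["domain"][candidate])))
            break
    return hits


if __name__ == "__main__":
    accepted, rejected = parse_master_ioc(SAMPLE_MASTER_IOC)
    index = build_index(accepted)
    for event in ({"host": "cdn.bad.example"}, {"dst_ip": "192.0.2.10"}, {"md5": "0" * 32}):
        print(event, "->", match_event(index, event))
    for row, reason in rejected:
        print("rejected", row["UID"], row["Indicator"], "because", reason)
```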
If you are using a demo version of the service, the Reporting service has several limitations. For more information, see section About the license.
Report files in any format, including Master YARA and Master IOC, are marked TLP:AMBER. Downloaded reports can only be shared within your company, and must not be distributed externally, unless specified otherwise in the downloaded file.
To search for a specific report,
In the Search field on any Kaspersky Threat Intelligence Portal page, enter search criteria (report name or certain words) and press Enter.
You can put double quotes around the entire search string you enter to search for a report by its full name or by an exact phrase in a description.
Kaspersky Threat Intelligence Portal displays search results on the Reporting () page.
If you are using a demo version of the service, the Reporting service has several limitations. For more information, see section About the license.
To view a report detailed description:
Kaspersky Threat Intelligence Portal will display a list of all available reports.
The report description opens in new tab.
You can like or unlike a report using the like () icon.
Kaspersky Threat Intelligence Portal provides the following information about reports.
Report details
Field | Description |
---|---|
Report name | Report name. |
Published | Date and time when the report was published. |
Tags | Tags related to the report. |
Details | Brief summary of the report. |
Download | Links for downloading the report for further analysis in various formats. Available formats depend on the permissions, set by your administrator, to download reports. If you do not have permissions to download reports, no links will be displayed. |
If you are using a demo version of a reporting service, viewing actor profiles may be limited. For more information, see section About the license.
All APT and Crimeware actor profiles that are available to you, according to your group's license and your permissions, are displayed on the Actors tab of the Reporting () page. You can view all available actor profiles (All actors) or select a certain type of actor profile (APT actors or Crimeware actors). For each actor, general information is displayed.
General information about an actor
Field | Description |
---|---|
General information | General information about the actor. |
Aliases | Number of actor aliases. |
Industries | Number of industries related to the actor. |
Countries | Number of countries related to the actor. |
TTPs | Number of TTP descriptions for the actor. |
Reports | Number of reports in which the actor is mentioned. |
Clicking a certain actor profile takes you to the page with the detailed description.
To search for a specific actor profile:
The Threat Lookup page opens. On the Actor tab, all actor profiles matching your search criteria are displayed.
On the actor profile page, detailed information for an actor is displayed.
Actor profile sections
Section | Description |
---|---|
General information | General information about the actor, including the name, unique icon, aliases, and industries. |
Description | Information about the actor. |
Geography | Worldwide cybermap; countries mentioned in the reports for the actor are marked with color. When you hover your mouse over a specific country, the number of reports for that country is shown. To the right of the cybermap, countries and the number of reports for the selected country are displayed. |
TTPs / MITRE | Known TTPs and their mapping to the MITRE ATT&CK classification for the actor, displayed in the MITRE ATT&CK and MITRE PRE-ATT&CK matrices. All items in the matrices and in the table are clickable and navigate you to the TTP descriptions on the MITRE website. The Descriptive TTPs tab displays direct links to TTP descriptions on the MITRE website. For easier searching, links are divided into three sections: Implants, Infrastructure, Intrusion vectors. |
Actor YARA / Actor IOC | Buttons for downloading Master files that contain information about the reports: Actor YARA (Actor Master YARA file) and Actor IOC (Actor Master IOC file). Buttons for downloading Master files are available if you have purchased the corresponding commercial license and have permissions, set by your administrator, to download files. |
Reports | Reports in which the actor is mentioned, with information displayed for each report. |
If you are using a demo version of the service, the Reporting service has several limitations. For more information, see section About the license.
Master files are ZIP archives that contain all YARA/IOC files from all reports related to the selected Actor profile and which are available depending on the user's permissions.
To download Master files:
The Actor YARA and Actor IOC buttons are displayed.
Actor YARA and Actor IOC buttons are active (clickable) if there are files to be included in the archives and you have permissions to download Master files for Actor profiles.
The actor-master-yara.zip archive is downloaded.
The actor-master-ioc.zip archive is downloaded.
Kaspersky Threat Intelligence Portal allows you to select various tags to narrow searches of APT, Industrial, and Crimeware Threat Intelligence reports.
To select required tags:
A bordered tag name indicates that the tag is selected as a search criterion. The number of selected tags of each type is displayed by the type name.
The report list is updated automatically after you change tags selection.
Kaspersky Threat Intelligence Portal provides the following types of tags:
Industries mentioned in APT, Industrial, and Crimeware Threat Intelligence reports.
Countries and regions targeted by advanced persistent threats or mentioned in APT, Industrial, and Crimeware Threat Intelligence reports.
Personalities or companies involved in APT attacks or mentioned in APT, Industrial, Crimeware Threat Intelligence reports.
New tags are being added automatically.
Kaspersky Threat Intelligence Portal allows you to like or unlike reports. You can like a report on the following pages:
To like a specific report:
The icon shows selected status.
This section explains how you can execute files and emulate opening of web addresses in safe environments that are isolated from your corporate network using Kaspersky Sandbox, Similarity, and Kaspersky Threat Attribution Engine technologies.
After you upload a file to the selected environment or start the web address analysis, Kaspersky Threat Intelligence Portal displays various results, including a graphical representation. Execution results can be downloaded as archives. All results, or data from certain sections, can be downloaded for further analysis.
During file execution, screenshots are taken for each change in the file execution environment. You can view screenshots online, or you can download all of them as an archive.
You can also analyze objects by using the Kaspersky Threat Intelligence Portal API.
Using Kaspersky Threat Attribution Engine technology, Kaspersky Threat Intelligence Portal automatically analyzes the "genetics" of malware, looking for code similarities with previously investigated advanced persistent threat (APT) samples and linked attribution entities. The portal compares the "genotypes" (small binary pieces of analyzed files) with the APT malware samples database and provides a report on malware origin, attribution entities, and file similarity with known APT samples.
When you send a file for analysis, Kaspersky Threat Intelligence Portal uses the Kaspersky Threat Attribution Engine technology to find genotypes and strings, and compares them with known genotypes and strings. As a result of this comparison, the analyzed file can be associated with one or more known attribution entities. An attribution entity is an actor, campaign, or known malware, or a combination of these three aspects.
For more information, please see Kaspersky Threat Attribution Engine documentation.
Using machine-learning (ML) methods, Kaspersky Threat Intelligence Portal searches for files that are similar to the analyzed file. Kaspersky systems extract the analyzed file's features and detect similar malicious files. Information about similar files can be used in incident response to search more extensively for modifications and variations of a malicious object. This information also allows you to optimize perimeter protection against a certain threat, taking into account different modifications and variations of a malicious object.
On the Threat Analysis () page, available usage quotas for Kaspersky Sandbox, Similarity, and Kaspersky Threat Attribution Engine technologies are displayed. If necessary, you can apply for a quota increase for the corresponding technology by clicking the Increase your quota link. In the side-bar that opens, add a comment if necessary, and click Send.
Analysis results are displayed in the History table on the Threat Analysis page. You can click the required task area to expand it and view more details.
The Active tab displays the latest 1000 task results. Older task results are displayed on the Archived tab.
Result history table
Table field | Description |
---|---|
Created | Date and time when a task was created. |
Object | Submitted object name. When expanded, additional information about the object is displayed. |
Details | Task execution state, and the status of Kaspersky Sandbox, Similarity, and Kaspersky Threat Attribution Engine technologies for the analyzed object. The displayed status depends on the technology you selected for object execution. The History table displays the object status defined at the moment the request was processed. Task execution state is displayed next to the corresponding technology name. If the task execution fails, the error reason is displayed. For Kaspersky Sandbox, the status is one of a fixed set of values. |
Actions | Actions you can perform on object execution results; a different set is available for recent tasks (the Active tab). |
When you click on the item in the History table, brief information about the analyzed object is displayed. Displayed fields depend on the analyzed object.
This section describes file execution in Kaspersky Threat Intelligence Portal.
Files can be uploaded manually (Executing a file, Starting a file upload and execution) or downloaded from a web address.
Analysis results are displayed in the History table on the Threat Analysis () page. When you click on the item in the History table, brief information about the analyzed object is displayed.
Brief information about analyzed object
Parameter | Description |
---|---|
MD5 | MD5 hash of the analyzed object. |
SHA1 | SHA1 hash of the analyzed object. |
SHA256 | SHA256 hash of the analyzed object. |
File name | Name of the analyzed object. |
File size | Size of the analyzed object. |
Execution environment | Operating system that was used as an execution environment. |
Execution time | Object execution time in seconds. |
Action | Object execution type: only executed or unpacked before execution. |
HTTPS decryption | Specifies whether HTTPS traffic generated by the executed object was decrypted. |
Click links | Specifies whether the links in the opened documents were browsed. |
Internet access options | Region or individual country of a network channel specified by the user for the executed object to access the internet. |
File extension | Automatically detected type of the executed file. |
Before executing a file in Kaspersky Threat Intelligence Portal, you can upload it and select execution options.
To upload a file:
When the object is selected, its file name and size (in megabytes) are displayed.
The maximum size of an object that can be uploaded is 256 MB.
If you execute a multi-file (packed) object, make sure it contains less than 1000 files. Kaspersky Threat Intelligence Portal scans all files in the object, but only 1000 files are available for downloading. We recommend that you execute objects that contain less than 1000 files. The size of individual files in the packed object must not exceed 256 MB. The total size of all files when unpacked must not exceed 1 GB.
If necessary, enter a password for the archive in the Archive password (optional) field. Password length must be up to 256 characters. Any characters are allowed, although double-quote (") and backslash (\) characters must be escaped to ensure they are not interpreted as control characters in JSON.
If you do not enter a password for a password-protected archive, Kaspersky Threat Intelligence Portal tries to unpack an archive using default passwords. You can show or hide the password by clicking the eye icon.
Available values:
The Auto execution environment is selected by default.
By default, the Auto value is selected: Kaspersky Threat Intelligence Portal automatically selects the optimal execution time for your object.
To specify the execution time manually (from 30 to 500 seconds), click the Auto field and use the slider.
To return to the recommended value, click the Reset to Auto button.
An uploaded object will be executed in the selected environment during the specified execution time. The specified time does not include the time required for analysis and displaying results.
Available values:
The Auto item is selected by default. For more details about channels, refer to Internet channel values.
The list of available regions can contain individual countries through which the executed file can access the internet.
You can use the portable executable (PE) format to process files that are not images. To do this, you must explicitly specify a file extension in the file name or in the Change file name and extension to field.
Most characters can be used to specify a file extension. Reserved characters <, >, :, ", /, \, |, ?, * cannot be used.
You can enter up to 254 characters to specify a file name and extension.
If the file extension is not specified, Kaspersky Threat Intelligence Portal attempts to determine it automatically and then executes the file.
For more details about file types, refer to the Automatically detected file types section.
This field is optional and available only when a Microsoft Windows execution environment is selected. Command line examples are described in the Appendices.
The check box is unavailable if Microsoft Windows XP SP3 x86 is selected as the file execution environment.
Disabling HTTPS traffic decryption may reduce the probability of malware detection. With decryption enabled, you obtain artifacts describing the object's interaction over HTTPS during task execution. We recommend disabling HTTPS traffic decryption only if you are sure that it will interfere with the analysis of a particular object.
Selecting this option can increase the level of detection of malicious objects and malicious object behavior. This check box is selected by default.
The check box is selected by default.
If this check box is cleared, Kaspersky Threat Intelligence Portal considers your sample to be similar to a previously analyzed actor's sample if they have a number of common genes or strings greater than or equal to a threshold value set by Kaspersky experts. A threshold is specified separately for each actor. In this case, Kaspersky Threat Intelligence Portal returns fewer results, but the proportion of useful results is higher.
If you select this check box, Kaspersky Threat Intelligence Portal considers your sample to be similar to a previously analyzed actor's sample if they have at least one common gene or string. In this case, Kaspersky Threat Intelligence Portal returns more results. Enabling this parameter is useful if all parts of the code in your sample are malicious and you want to find more similar actor samples.
Kaspersky Threat Intelligence Portal displays the object execution results.
If an error occurs during the upload process, you can try to upload the object again, or select another object.
If you terminate the upload process for some reason, you can try to upload the same object again later, or you can select another object.
An entry describing execution results for each analysis technology appears separately in the History table. You can start to analyze results when the process ends and the Execution state field is Completed.
If the previously specified internet channel is no longer available, the Auto item is selected by default.
If the file is executed again later, results may differ from those shown in the History table for the same file because Kaspersky expert systems update information about objects in real time. Therefore, execution results depend on the threat landscape.
Up to 1000 of the latest file executions and web address analysis results for a user are stored. When the maximum number of stored results is reached, the oldest results are assigned Archived status. For more details about archived tasks, refer to the About archived (discarded) tasks section.
Before executing a file, you can download it from a web resource and select execution options.
To download and execute a file:
You can download files only from HTTP or HTTPS web addresses.
If you execute a multi-file (packed) object, make sure it contains fewer than 1000 files. Kaspersky Threat Intelligence Portal scans all files in the object, but only 1000 files are available for downloading. The size of each individual file in the packed object must not exceed 256 MB, and the total size of all files when unpacked must not exceed 1 GB.
If necessary, enter a password for the archive in the Archive password (optional) field (up to 256 characters). Any characters are allowed, although double-quote (") and backslash (\) characters must be escaped to ensure they are not interpreted as control characters in JSON.
If you do not enter a password for a password-protected archive, Kaspersky Threat Intelligence Portal tries to unpack an archive using default passwords. You can show or hide the password by clicking the eye icon.
Available values:
The Auto execution environment is selected by default.
By default, the Auto value is selected: Kaspersky Threat Intelligence Portal automatically selects the optimal execution time for your object.
To specify the execution time manually (from 30 to 500 seconds), click the Auto field and use the slider.
To return to the recommended value, click the Reset to Auto button.
A downloaded object will be executed in the selected environment during the specified execution time. The specified time does not include the time required for analysis and displaying results.
Available values:
The Auto item is selected by default. For more details about channels, refer to Internet channel values.
The list of available regions can contain individual countries through which the executed file can access the internet.
You can use the portable executable (PE) format to process files that are not images. To do this, you must explicitly specify a file extension in the file name or in the Change file name and extension to field.
Most characters can be used to specify a file extension. Reserved characters <, >, :, ", /, \, |, ?, * cannot be used.
You can enter up to 254 characters to specify a file name and extension.
If the file extension is not specified, Kaspersky Threat Intelligence Portal attempts to determine it automatically, and then executes the file.
For more details about file types, refer to the Automatically detected file types section.
This field is optional and available only when a Microsoft Windows execution environment is selected. Command line examples are described in the Appendices.
The check box is unavailable if Microsoft Windows XP SP3 x86 is selected as the file execution environment.
Disabling HTTPS traffic decryption may reduce the probability of malware detection. With decryption enabled, you obtain artifacts describing the object's interaction over HTTPS during task execution. We recommend disabling HTTPS traffic decryption only if you are sure that it will interfere with the analysis of a particular object.
Selecting this option can increase the level of detection of malicious objects and malicious object behavior. This check box is selected by default.
The check box is selected by default.
If this check box is cleared, Kaspersky Threat Intelligence Portal considers your sample to be similar to a previously analyzed actor's sample if they have a number of common genes or strings greater than or equal to a threshold value set by Kaspersky experts. A threshold is specified separately for each actor. In this case, Kaspersky Threat Intelligence Portal returns fewer results, but the proportion of useful results is higher.
If you select this check box, Kaspersky Threat Intelligence Portal considers your sample to be similar to a previously analyzed actor's sample if they have at least one common gene or string. In this case, Kaspersky Threat Intelligence Portal returns more results. Enabling this parameter is useful if all parts of the code in your sample are malicious and you want to find more similar actor samples.
Kaspersky Threat Intelligence Portal will display object execution results.
An entry describing execution results for each analysis technology appears separately in the History table. You can start to analyze results when the process finishes and the Execution state field is Completed.
If the previously specified internet channel is no longer available, the Auto item is selected by default.
If the file is executed again later, results may differ from those shown in the History table for the same file. This is because Kaspersky expert systems update information about objects in real time. Therefore, execution results depend on the threat landscape.
Up to 1000 of the latest file executions and web address analysis results for a user are stored. When the maximum number of stored results is reached, the oldest results are assigned Archived status. For archived tasks, you can only view or delete a brief summary. For more details about archived tasks, refer to the About archived (discarded) tasks section.
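The two procedures above (upload and execute, download and execute) share the same limits: a 256 MB object, fewer than 1000 files in a packed object with no member above 256 MB and no more than 1 GB unpacked, an archive password of at most 256 characters that must be JSON-escaped when sent through the API, a replacement file name of at most 254 characters without the reserved characters, a manual execution time of 30 to 500 seconds, and HTTP or HTTPS download addresses only. The script below is an added example, not the portal's documentation or its API client, that applies these checks before a task is created and records the MD5, SHA1 and SHA256 hashes that the report Summary later shows, so a re-execution can be matched in the History table. The request field names in build_request_body() (archive_password, execution_time, new_name) are placeholders and not the portal's API schema; the ZIP archive used for testing is constructed in memory.

```python
"""Pre-flight checks for a Kaspersky Sandbox submission (added example, not the
portal's own code). Field names in build_request_body() are placeholders."""
import hashlib
import io
import json
import zipfile
from typing import Dict, List, Optional
from urllib.parse import urlsplit

MAX_OBJECT_BYTES = 256 * 1024 * 1024      # maximum size of an uploaded object
MAX_MEMBER_BYTES = 256 * 1024 * 1024      # maximum size of one file inside a packed object
MAX_UNPACKED_BYTES = 1024 * 1024 * 1024   # maximum total unpacked size of a packed object
MAX_FILES = 1000                          # at or above this, not every file is downloadable
MAX_PASSWORD_CHARS = 256
MAX_FILENAME_CHARS = 254
RESERVED_NAME_CHARS = set('<>:"/\\|?*')
EXEC_TIME_RANGE = (30, 500)               # manual execution time, seconds

def object_hashes(data: bytes) -> Dict[str, str]:
    """MD5/SHA1/SHA256 as shown in the report Summary; record them so a later
    re-execution of the same object can be matched against the History table."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def check_packed_object(data: bytes) -> List[str]:
    """Return limit violations for a ZIP object (empty list means it fits).
    Sizes are what the central directory *declares*; a hostile archive can lie,
    so this is a pre-flight check, not a defence against archive bombs."""
    problems = []
    if len(data) > MAX_OBJECT_BYTES:
        problems.append(f"object is {len(data)} bytes, limit is {MAX_OBJECT_BYTES}")
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return problems + ["object is not a valid ZIP archive"]
    members = [m for m in archive.infolist() if not m.is_dir()]
    if len(members) >= MAX_FILES:
        problems.append(f"{len(members)} files; keep it below {MAX_FILES} so every file stays downloadable")
    unpacked = 0
    for m in members:
        unpacked += m.file_size
        if m.file_size > MAX_MEMBER_BYTES:
            problems.append(f"{m.filename}: declared size {m.file_size} exceeds the per-file limit")
    if unpacked > MAX_UNPACKED_BYTES:
        problems.append(f"declared unpacked size {unpacked} exceeds {MAX_UNPACKED_BYTES}")
    return problems

def check_new_name(name: str) -> List[str]:
    """Validate a 'Change file name and extension to' value."""
    problems = []
    if not 1 <= len(name) <= MAX_FILENAME_CHARS:
        problems.append(f"name must be 1..{MAX_FILENAME_CHARS} characters")
    reserved = sorted(RESERVED_NAME_CHARS.intersection(name))
    if reserved:
        problems.append("reserved characters in name: " + " ".join(reserved))
    return problems

def check_download_url(url: str) -> List[str]:
    """Objects can be downloaded from HTTP or HTTPS web addresses only."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return [f"not an HTTP(S) web address: {url!r}"]
    return []

def build_request_body(archive_password: Optional[str] = None,
                       execution_time: Optional[int] = None,
                       new_name: Optional[str] = None) -> str:
    """Serialise task options to JSON. json.dumps escapes '"' and '\\' in the
    password, which is the escaping the page requires; never hand-build it."""
    body: Dict[str, object] = {}
    if archive_password is not None:
        if len(archive_password) > MAX_PASSWORD_CHARS:
            raise ValueError(f"archive password longer than {MAX_PASSWORD_CHARS} characters")
        body["archive_password"] = archive_password            # placeholder field name
    if execution_time is not None:
        if not EXEC_TIME_RANGE[0] <= execution_time <= EXEC_TIME_RANGE[1]:
            raise ValueError("execution time must be 30..500 seconds, or omitted for Auto")
        body["execution_time"] = execution_time                # placeholder field name
    if new_name is not None:
        problems = check_new_name(new_name)
        if problems:
            raise ValueError("; ".join(problems))
        body["new_name"] = new_name                            # placeholder field name
    return json.dumps(body, sort_keys=True)

def make_sample_archive(members: Dict[str, int]) -> bytes:
    """Constructed sample: in-memory ZIP with zero-filled members of the given sizes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, size in members.items():
            zf.writestr(name, b"\0" * size)
    return buf.getvalue()
```

Run check_packed_object(), check_new_name() and check_download_url() on the object before creating the task and only then call build_request_body(); a password such as p"a\ss comes out of json.dumps() as "p\"a\\ss", which is what the API expects to receive.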
On the Sandbox page, the file execution and analysis results for Kaspersky Sandbox are displayed. The status of the executed file (Malware, Adware and other, Clean, or Not categorized) is displayed under the file name.
The Sandbox page contains the following:
Execution results for multi-file (packed) objects are described in the Multi-file report page section.
A file execution in Kaspersky Sandbox may end with an error after Kaspersky expert systems have detected a threat related to the file. In this case, Kaspersky Threat Intelligence Portal displays only the abridged version of a report that contains the following information:
The History table displays your local task creation time. In reports, date and time are displayed in Coordinated Universal Time (UTC) format.
Your Kaspersky Sandbox quota is not affected by a failed file execution. Abridged reports cannot be exported to STIX format.
You can click the Download data button located by each section (except the Summary section) to export the corresponding data. The button is available if the section contains data.
The Summary section represents general information about the results of a file execution.
The following charts are displayed:
The total number of threats detected during the file execution, and the proportion of threats with Malware (red) and Adware and other (yellow) status.
The name of the chart is clickable—you can click Detects to navigate to the Detection names table on the Results tab.
The total number of suspicious activities registered during the file execution, and the proportion of activities with High (red), Medium (yellow), and Low (gray) levels.
The name of the circle chart is clickable—you can click Suspicious activities to navigate to the Suspicious activities table on the Results tab.
This chart is not available for multi-file (packed) objects.
The total number of files downloaded or dropped by the file during the execution process, and the proportion of files with the status of Malware (extracted files that can be classified as malicious, in red), Adware and other (extracted files that can be classified as Not-a-virus, in yellow), Clean (extracted files that can be classified as not malicious, in green), and Not categorized (the category cannot be determined due to insufficient information about the extracted files, in gray).
The name of the chart is clickable—you can click Extracted files to navigate to the Extracted files tab.
The total number of registered network interactions that the file performed during the execution process, and the proportion of network interactions with the status of Dangerous (requests to resources with Dangerous status, in red), Adware and other (requests to resources with Adware and other status, in yellow), Good (requests to resources with Good status, in green), and – (requests to resources with Not categorized status, in gray).
The name of the circle chart is clickable—you can click Network activities to navigate to the Network activities tab.
This chart is not available for multi-file (packed) objects.
The number of detected files or activities with each status is displayed below the corresponding chart. Very small values are drawn out of proportion: so that they remain visible, they occupy 1% of the circle chart.
You can download the file execution results as an archive by clicking the Export all results button.
The Summary section also displays the execution task details:
Date and time when the file was uploaded or downloaded.
Date and time when the file analysis was completed.
Date and time when the anti-virus databases were updated.
Size of the executed file in bytes.
Automatically detected type of the executed file.
Selected environment (operating system) for the file execution.
If you did not specify the execution environment, Kaspersky Threat Intelligence Portal automatically selects the optimal environment for executing your object and displays Auto.
Specified time of the file execution, in seconds.
If you did not specify the execution time, Kaspersky Threat Intelligence Portal automatically selects the optimal execution time for your object and displays Auto.
Specified file extension.
Information about whether the HTTPS traffic generated by the object was decrypted during execution.
Information about whether the links in opened documents were followed during the file execution.
Region of a network channel that the file used to access the internet.
If you selected the Tarpit item when creating the execution task, a warning that the file was executed in the environment without access to the internet is displayed. For more details about channels, refer to Internet channel values.
MD5 hash of the executed file. This item is clickable and takes you to the Threat Lookup page, where you can search for information about the MD5 hash.
SHA1 hash of the executed file. This item is clickable and takes you to the Threat Lookup page, where you can search for information about the SHA1 hash.
SHA256 hash of the executed file. This item is clickable and takes you to the Threat Lookup page, where you can search for information about the SHA256 hash.
Information about whether the password for the protected document was specified.
Command line parameters that were used to execute the object in the Sandbox.
Running a threat lookup request for a hash (MD5, SHA1, or SHA256) of the executed file does not count against the Threat Lookup quota for your group.
Kaspersky Threat Intelligence Portal provides information about detected items and activities that were registered during file execution. The execution results are displayed in separate tables, each of which contains up to 10 entries.
Results
| Table name | Description | Table fields | Comments |
|---|---|---|---|
| Detection names | Detections registered during file execution. | Status—Status of the detected object (Malware or Adware and other). Name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Each item in the list is clickable—you can click it to view a description on the Kaspersky threats website. | Items in the table are sorted by status. |
| Triggered network rules | SNORT and Suricata rules triggered during analysis of traffic from the executed file. | Status—Danger zone (level) of the network traffic detected by the SNORT or Suricata rule (High, Medium, Low, Info). Rule—SNORT or Suricata rule name. | Items in the table are sorted by the Status field from High to Info. |
| File download information | Information about the file download process. This table is available only when an object was downloaded from a web address. | Method—HTTP request method: one of GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, or PATCH. User agent—Identification string of the user agent (browser) that was used to open the specified web address (for example, Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36). | — |
| Download request | Information about the request that was made to the submitted web address, from which the file was downloaded. This table is available only when an object was downloaded from a web address. | Name—The Value—The | Only information about the |
| Download responses | Detailed information about responses for the web address from which the file was downloaded. This table is available only when an object was downloaded from a web address. | Status—Status (threat level) of the web address in the request. Categories—Category of the web address from which the file was downloaded. Protocol—Protocol that was used (HTTP or HTTPS). URL—Web address to which the request was registered. Items are clickable and navigate to the Threat Lookup page, where you can search for information about the web address. Response code—Response code of the HTTP request. Response length—Size of the response to the HTTP request in bytes. Response headers—Additional fields displayed as key:value. Standard header names are based on RFC 2616, Hypertext Transfer Protocol -- HTTP/1.1. | — |
| Execution map | Graphical representation of the sequence of file activities and relationships between them. The root node of the tree represents the executed file. | — | Each tree element is marked according to its danger level (High, Medium, or Low). You can view the execution map in full-screen or normal mode. You can also zoom in on the execution map by scrolling the map area. For each element, a brief and a detailed description are available. Use the minus/plus buttons to expand or collapse the description for all elements. You can also expand or collapse an element description separately by clicking the drop-down icon. Clicking the element opens the tab with a detailed description. |
| Suspicious activities | Registered suspicious activities. | Status—Danger zone (level) of the registered activity (High, Medium, Low). Severity—Numerical value of the danger level of the registered activity (integer 1–999). Description—Description of the suspicious activity. For example, "Executable has obtained the privilege", "The file has been dropped and executed", or "The process has injected binary code into another process". Certain descriptions include a mapping to the MITRE ATT&CK™ threat classification. For example, "MITRE: T1082 System Information Discovery". | — |
| MITRE ATT&CK matrix | Information about known tactics, techniques and procedures (TTPs), and their mapping to the MITRE ATT&CK classification for the executed object. | — | All elements in the matrix are clickable and take you to the MITRE ATT&CK website. To view sub-techniques (if available), you can expand certain elements. |
| Screenshots | Set of screenshots taken during file execution. Screenshots are taken for each action the object performs. | — | Screenshots are available as a gallery with preview images, and as full-size images. To view a full-size image, click the desired screenshot. You can zoom in and out on images for a better view. You can also download screenshots by clicking the Download data button. |
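The Suspicious activities table above carries ATT&CK mappings inside free-text descriptions ("MITRE: T1082 System Information Discovery"), each with a Status (High, Medium, Low) and an integer Severity. Analysts usually want those collapsed into one technique list per run so that it can be compared with existing detection coverage. The following script is an added example, not part of the portal or its export format: the activity rows are constructed here in the shape of the documented fields, the regular expression handles both techniques and sub-techniques (T1055.012), entries without a mapping are skipped, and the result is written as an ATT&CK Navigator layer. The versions block in navigator_layer() is an assumption about the current layer format and should be checked against the Navigator you use.

```python
"""Summarise Sandbox 'Suspicious activities' rows by MITRE ATT&CK technique.
Added example; the sample rows are constructed, not exported from the portal."""
import json
import re
from typing import Dict, List

# Matches "MITRE: T1082 System Information Discovery" and "MITRE: T1055.012 Process Hollowing"
MITRE_RE = re.compile(r"MITRE:\s*(T\d{4}(?:\.\d{3})?)\s+(.+?)\s*$")
STATUS_SCORE = {"Low": 1, "Medium": 2, "High": 3}   # Navigator score per danger level

# Constructed sample rows using the documented fields Status, Severity, Description.
SAMPLE_ACTIVITIES = [
    {"Status": "High", "Severity": 870, "Description": "The process has injected binary code into another process"},
    {"Status": "Medium", "Severity": 400, "Description": "MITRE: T1082 System Information Discovery"},
    {"Status": "High", "Severity": 800, "Description": "MITRE: T1055 Process Injection"},
    {"Status": "Low", "Severity": 120, "Description": "MITRE: T1082 System Information Discovery"},
    {"Status": "Medium", "Severity": 350, "Description": "MITRE: T1055.012 Process Hollowing"},
    {"Status": "Low", "Severity": 90, "Description": "Executable has obtained the privilege"},
]

def extract_techniques(rows: List[dict]) -> Dict[str, dict]:
    """Aggregate rows per technique ID: highest status seen, hit count, maximum severity.
    Rows whose description carries no 'MITRE:' mapping are behavioural notes only and are skipped."""
    techniques: Dict[str, dict] = {}
    for row in rows:
        match = MITRE_RE.search(row["Description"])
        if not match:
            continue
        tid, name = match.group(1), match.group(2)
        entry = techniques.setdefault(tid, {"name": name, "score": 0, "hits": 0, "max_severity": 0})
        entry["score"] = max(entry["score"], STATUS_SCORE.get(row["Status"], 0))
        entry["hits"] += 1
        entry["max_severity"] = max(entry["max_severity"], int(row["Severity"]))
    return techniques

def roll_up_parents(techniques: Dict[str, dict]) -> Dict[str, List[str]]:
    """Group sub-techniques under their parent technique (T1055.012 -> T1055)."""
    parents: Dict[str, List[str]] = {}
    for tid in techniques:
        parents.setdefault(tid.split(".")[0], []).append(tid)
    return {parent: sorted(ids) for parent, ids in parents.items()}

def navigator_layer(techniques: Dict[str, dict], name: str = "Sandbox run") -> dict:
    """Build an ATT&CK Navigator layer dict; the versions block is an assumed current format."""
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": t["score"],
             "comment": f'{t["name"]}: {t["hits"]} hit(s), max severity {t["max_severity"]}'}
            for tid, t in sorted(techniques.items())
        ],
    }

def layer_json(rows: List[dict], name: str = "Sandbox run") -> str:
    """Convenience wrapper: rows in, Navigator layer JSON out."""
    return json.dumps(navigator_layer(extract_techniques(rows), name), indent=2)

if __name__ == "__main__":
    print(layer_json(SAMPLE_ACTIVITIES))
```

Feed the function the Suspicious activities rows you export with Download data, then load the JSON into ATT&CK Navigator; techniques that appear in the run but have no score in your detection-coverage layer are the gaps worth looking at first.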
The Static Analysis tab is available only for objects that were executed in the mobile (Android) operating system environment.
Kaspersky Threat Intelligence Portal provides the object's static analysis results.
The results are displayed in separate tables. Each table contains up to 10 entries.
Static analysis results
| Table name | Description | Table fields | Comments |
|---|---|---|---|
| Manifest | Android app manifest in XML format. | — | The displayed version of the file is recovered from the application and may differ from the original file. |
| Modules | Android app modules detected through static analysis. | Path—Path to the app module. Description—Description of the app module. | Items in the table are listed in the order in which they were received. You can filter items in this table by specifying search criteria in the Search field below the table name. |
| Permissions | Android app permissions detected through static analysis. | Status—Status (danger level) of the permission. Severity—Severity of the permission's danger. Permission—Permission value. Description—Detailed description of the permission. | Items in the table are listed in the order in which they were received. You can filter items in this table by specifying search criteria in the Search field below the table name. |
| Component | Android app components detected through static analysis. | Status—Status (danger level) of the component. Severity—Severity of the component's danger. Component—Component name. Description—Detailed description of the component. Intent filters—List of filters applied to the component. You can click the link to view the component's filters. The pane that opens displays the following data for each filter: priorities, actions, and categories. | Items in the table are listed in the order in which they were received. You can filter items in this table by specifying search criteria in the Search field below the table name. |
| Bundle | Android App Bundle (APK). | Type—File type (Module, Icon, or Picture). Path—File path and name. Size—File size. MD5—MD5 hash of the file. Each item in the list is clickable—you can click it to navigate to the Threat Lookup results page, which has investigation results for the file detected by the MD5 hash. Investigation results are available only if you have a valid Threat Lookup license and have not exceeded your quota for object investigation. If you requested this hash in the past 24 hours, the Threat Lookup quota for your group is not affected. Investigation results for certain hashes in this section may be unavailable on the Threat Lookup results page. | — |
| Bundle images | Android App Bundle images. | — | — |
Kaspersky Threat Intelligence Portal provides information about activities that were registered during the file execution. The results are displayed in separate tables, each of which contains up to 10 entries.
Execution environments with Microsoft Windows operating systems installed
System activities for Microsoft Windows
| Table name | Description | Table fields |
|---|---|---|
| Loaded PE Images | Loaded PE images detected during file execution. | Path—Full path to the loaded PE image. Size—Size of the loaded PE image in bytes. |
| File operations | File operations registered during file execution. | Operation—Operation name. Name—Name of the file related to the registered operation. Size—Size of the file related to the registered operation. |
| Registry operations | Operations performed on the operating system registry detected during file execution. Operations that have led to suspicious activities are shown first. | Operation—Operation name. Details—Operation attributes. |
| Process operations | Interactions of the file with other processes registered during file execution. | Interaction type—Type of interaction between the executed file and a process. Process name—Name of the process that interacted with the executed file. |
| Synchronize operations | Synchronization objects created during file execution: mutual exclusions (mutexes), semaphores, and events. | Type—Type of the created synchronization object. Name—Name of the created synchronization object. |
Execution environments with Android operating systems installed
System activities for Android
| Table name | Description | Table fields |
|---|---|---|
| Loaded modules | Modules that the file loaded during execution. | Status—Status (danger level) of the module. Severity—Severity of the module's danger level. Timestamp—Date and time when the module was loaded, in UNIX time (number of seconds elapsed since 00:00:00 UTC, 1 January 1970). Path—Full path to the loaded module. Description—Description of the loaded module. |
Kaspersky Threat Intelligence Portal provides information about files that were extracted from network traffic or saved by the executed file during the execution. The results are displayed in separate tables, each of which contains up to 10 entries.
Kaspersky Threat Intelligence Portal displays all intermediate versions of the files downloaded or dropped during the object execution.
Extracted files
| Table name | Description | Table fields | Comments |
|---|---|---|---|
| Packed object content | Information about each file in the uploaded object. | Status—Danger level of the file. MD5—MD5 hash of the file. This item is clickable. Hover your mouse over the required item and click Lookup to navigate to the Threat Lookup page, which displays investigation results for the file detected by the MD5 hash. Investigation results are available only if you have a valid Threat Lookup license and have not exceeded your object investigation quota. If you requested this hash in the past 24 hours, the Threat Lookup quota for your group is not affected. Investigation results for certain hashes in this section may be unavailable on the Threat Lookup results page. Click Download to download the item as a password-protected .zip archive. Use the default password infected to unpack the archive. The archive may contain objects that could harm your device or data if handled improperly. By downloading, you accept full responsibility for the handling of downloaded objects contained in the archive. You can only use the downloaded content to increase the level of protection of your devices and systems. File name—File name and path from the root of the uploaded object. Packer—Name of the packer used to pack the uploaded object. File type—Automatically detected file type. Detection names—Names of detected objects. | — |
| Transferred files | Files extracted from network traffic during file execution. | Status—Status of the transferred file (Clean, Adware and other, Malware, Not categorized). If the file is related to an advanced persistent threat (APT) attack or mentioned in a threat intelligence report, the corresponding category is displayed next to the file status. You can click the corresponding MD5 hash to navigate to the Threat Lookup results page. If you have a valid commercial license for the corresponding service, and the file is related to an APT attack and/or mentioned in a report, a link to the corresponding report on the Reporting page is displayed. MD5—MD5 hash of the transferred file. This item is clickable. Hover your mouse over the required item and click Lookup to navigate to the Threat Lookup page, which has investigation results for the file detected by the MD5 hash. Investigation results are available only if you have a valid Threat Lookup license and have not exceeded your quota for object investigation. If you requested this hash in the past 24 hours, the Threat Lookup quota for your group is not affected. Investigation results for certain hashes in this section may be unavailable on the Threat Lookup results page. Click Download to download the item as a password-protected .zip archive. Use the default password infected to unpack the archive. The archive may contain objects that could harm your device or data if handled improperly. By downloading, you agree that you are informed and accept full responsibility for the handling of downloaded objects contained in the archive. You can only use the downloaded content to increase the level of protection of your devices and systems. Type—Automatically detected file type. Size—File size in bytes. Traffic—Traffic that the transferred file was extracted from (HTTP or HTTPS). Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Each item in the list is clickable—you can click it to view a description on the Kaspersky threats website. | Items in the table are sorted by status. |
| Dump files | Dump files (snapshots) of the file execution process and loaded modules. This table is available only for execution environments that have the Android operating system installed. | Status—Danger zone (level) of the file (Clean, Adware and other, Malware, Not categorized). File name—Name of the dump file. Type—Automatically detected file type. Size—File size in bytes. MD5—MD5 hash of the file. This item is clickable. Hover your mouse over the required item and click Lookup to navigate to the Threat Lookup page, which has investigation results for the file detected by the MD5 hash. Investigation results are available only if you have a valid Threat Lookup license and have not exceeded your quota for object investigation. If you requested this hash in the past 24 hours, the Threat Lookup quota for your group is not affected. Investigation results for certain hashes in this section may be unavailable on the Threat Lookup results page. Click Download to download the item as a password-protected .zip archive. Use the default password infected to unpack the archive. The archive may contain objects that could harm your device or data if handled improperly. By downloading, you agree that you are informed and accept full responsibility for the handling of downloaded objects contained in the archive. You can only use the downloaded content to increase the level of protection of your devices and systems. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Each item in the list is clickable—you can click it to view a description on the Kaspersky threats website. | — |
| Dropped files | Files saved by the executed file. | Status—Status of the dropped file (Clean, Adware and other, Malware, Not categorized). If the file is related to an advanced persistent threat (APT) attack or mentioned in a threat intelligence report, the corresponding category is displayed next to the file status. You can click the corresponding MD5 hash to navigate to the Threat Lookup results page. If you have a valid commercial license for the corresponding service, and the file is related to an APT attack and/or mentioned in a report, a link to the corresponding report on the Reporting page is displayed. MD5—MD5 hash of the dropped file. This item is clickable. Hover your mouse over the required item and click Lookup to navigate to the Threat Lookup page, which has investigation results for the file detected by the MD5 hash. Investigation results are available only if you have a valid Threat Lookup license and have not exceeded your quota for object investigation. If you requested this hash in the past 24 hours, the Threat Lookup quota for your group is not affected. Investigation results for certain hashes in this section may be unavailable on the Threat Lookup results page. Click Download to download the item as a password-protected .zip archive. Use the default password infected to unpack the archive. The archive may contain objects that could harm your device or data if handled improperly. By downloading, you agree that you are informed and accept full responsibility for the handling of downloaded objects contained in the archive. You can only use the downloaded content to increase the level of protection of your devices and systems. Type—Automatically detected file type. Size—File size in bytes. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Each item in the list is clickable—you can click it to view a description on the Kaspersky threats website. File name—File name of the dropped file. | Items in the table are sorted by status. |
Kaspersky Threat Intelligence Portal provides information about activities that were registered during the file execution. The results are displayed in separate tables, each of which contains up to 10 entries.
For easier navigation to certain sections, you can select the required protocol on the panel above the sections. You can also select the required section by clicking the three-dot button. The panel is pinned and remains visible when you scroll the page.
Network interactions
Table name |
Description |
Table fields |
---|---|---|
IP sessions |
IP sessions that were registered during file execution. |
Threat score—Probability that the destination IP address is dangerous (0 to 100). An IP address is classified by Kaspersky expert systems as dangerous if its threat score is greater than 74. Destination IP—Destination IP address. Started—Date and time when the IP session started. Ended—Date and time when the IP session ended. Size—Size of data that was sent and received within the IP session (in bytes). Packets—Number of packets that were sent and received within the IP session. |
TCP sessions |
TCP sessions that were registered during file execution. |
Threat score—Probability that the IP address is dangerous (0 to 100). Destination IP—Destination IP address. Source port—Source port number (0–65536). Destination port—Destination port number (0–65536). Size—Size of data that was sent and received within the TCP session (in bytes). Packets—Number of packets that were sent and received within the TCP session. SYN packets—Number of SYN packets that were sent and received within the TCP session. FIN packets—Number of FIN packets that were sent and received within the TCP session. Out-of-order packets—Number of out-of-order packets that were sent and received within the TCP session. Lost ACK packets—Number of lost ACK packets that were sent and received within the TCP session. Duplicated ACK packets—Number of duplicated ACK packets that were sent and received within the TCP session. Window In—Number of incoming segments (bytes) that can be sent from server to client before an acknowledgment (ACK packet) is received. Window Out—Number of outgoing segments (bytes) that can be sent from client to server before an acknowledgment (ACK packet) is received. |
UDP sessions |
UDP sessions that were registered during file execution. |
Threat score—Probability that the IP address is dangerous (0 to 100). Destination IP—Destination IP address. Source port—Source port number (0–65536). Destination port—Destination port number (0–65536). Size—Size of data that was sent and received within the UDP session (in bytes). Packets—Number of packets that were sent and received within the UDP session. |
DNS requests |
DNS requests that were registered during file execution. |
Id—DNS message ID. QR—Request/response indicator (0—DNS query, 1—DNS response). RCode—DNS response code. Size—Size of data that was sent and received within the DNS session (in bytes). Packets—Number of packets that were sent and received within the DNS session. Records—Records in the message. You can click the link to view detailed information about records. For each record, its name, section, type, and APT categories are displayed. The TTL and Data fields are displayed if available. |
TLS sessions |
TLS sessions that were registered during file execution. |
Status—Status of the domain. APT categories—List of APT categories of the domain. Version—TLS protocol version. Cipher—Cryptographic algorithm. Curve—Curve class. Server name—Name of the server. Subject—Subject name. Issuer—Issuer name. |
FTP sessions |
FTP sessions that were registered during file execution. |
Status—Danger level. APT categories—List of APT categories of the IP address. Command—Command name. Reply—Reply code and reply message from a server. MD5—File that was transferred when the command was executed. Channel—Information about FTP client address, FTP server address and port number. |
IRC sessions |
IRC sessions that were registered during file execution. |
Command—Command name. User—User name. Nick—User's nickname. Sender—Nickname of the command's sender. Channel—Name of the channel to send the message to during the IRC session. Text—Text that was sent during the IRC session. |
POP3 sessions |
POP3 sessions that were registered during file execution. |
Type—Command type. Command—Command result. Arguments—Command arguments. Text—Description of the result of the command. |
SMB sessions |
SMB sessions that were registered during file execution. |
Status—Status of the IP address. APT categories—List of APT categories of the IP address. Destination IP—Session's destination IP address. Destination port—Destination port number (0–65536). Version—Protocol version. MD5—MD5 of the file transferred during the command execution. |
SMTP sessions |
SMTP sessions that were registered during file execution. |
Status—Status of the hash. APT categories—List of APT categories of the hash. From—Sender's name and address. To—Receivers' names and addresses. Subject—Message subject. MD5—List of MD5 hashes of attached files. |
SOCKS sessions |
SOCKS sessions that were registered during file execution. |
Status—Status of the IP address. APT categories—List of APT categories of the IP address. Version—SOCKS protocol version. Request host/port—IP address or fully qualified domain name (FQDN) and port (0-65536), to which the connection request was made via the SOCKS protocol. Bound host/port—IP address or fully qualified domain name (FQDN) and port (0-65536), to which the connection was established. |
HTTP(S) requests |
HTTP requests registered during file execution. |
Status—Status of the web address in the HTTP request. The web address can belong to one of the following zones:
If the web address is related to an APT attack or mentioned in threat intelligence reports, the corresponding category is displayed by the web address zone. You can click the web address to navigate to the Threat Lookup results page. If you have a valid commercial APT Intelligence Reporting Service license, and the file is related to an APT attack, a link to the corresponding APT Intelligence report on the Reporting page is displayed in the Categories field. If the requested object is related to several APT attacks, all related links are displayed. APT categories—List of APT categories of the web address. URL—Web address to which the request was registered. Investigation results for certain web addresses in this section may be unavailable on the Threat Lookup results page. Method—Method of sending the HTTP request. The HTTP method can be one of the following: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, or PATCH. Response code—Response code of the HTTP request. Response length—Size of the response to the HTTP request in bytes. Fields—Additional fields (Request headers, Response headers, Request body, and Response body) displayed as key:value. Standard header names are based on the RFC2616 Hypertext Transfer Protocol -- HTTP/1.1. Custom headers (for example, x-ms-request-id) are highlighted in blue. |
HTTPS requests |
HTTPS requests registered during file execution. |
Status—Status of the web address in the HTTPS request. The web address can belong to one of the following zones:
|
Kaspersky Threat Intelligence Portal allows you to execute multi-file (packed) objects. In this case, Kaspersky Threat Intelligence Portal processes the object as a group of files. The report differs from the report for a single file and contains the following sections.
Multi-file execution results
Table name |
Description |
Table fields |
---|---|---|
Status |
Danger level of the object. |
Malware—Execution task completed; the object is malicious. Adware and other—Execution task completed; the object can be classified as Not-a-virus. Clean—Execution task completed; the object is not malicious. Not categorized—Execution task completed; no information about the object is available. — (no information)—Execution task is in progress or completed with errors. |
Summary |
General information about object execution results. |
Detects—Total number of objects detected during object execution, and the proportion of objects classified as: Malware (red), Adware and other (yellow). Extracted files—Total number of files downloaded or dropped by the object during the execution process, and the proportion of files with Malware (extracted files that can be classified as malicious, in red), Adware and other (extracted files that can be classified as Not-a-virus, in yellow), Clean (extracted files that can be classified as not malicious, in green), and Not categorized (no information about extracted files is available, in gray) statuses. |
General information |
General information about the object. |
Uploaded—Date and time the object was uploaded. Analyzed—Date and time the object analysis was completed. Database update—Date and time the anti-virus databases were updated. File size—Size of the executed file in bytes. File type—Automatically detected type of the executed file. Execution environment—Selected environment (operating system) for object execution. If you did not specify the execution environment, Kaspersky Threat Intelligence Portal automatically selects the optimal environment for your object execution and displays Auto. Execution time—Specified time of object execution (seconds). If you did not specify the execution time, Kaspersky Threat Intelligence Portal automatically selects the optimal execution time for your object, and displays Auto. File extension—Specified file extension. HTTPS decryption—Information about whether the HTTPS traffic generated by the object was decrypted during execution. Internet access options—Name of the network channel used by the object to access the internet. Click links—Information about whether Kaspersky Research Sandbox followed the links in the documents that were opened in the Sandbox. Document password—Information about whether the password for the protected document was specified. Command line parameters—Command line parameters that were used to execute the object in the Sandbox. MD5—MD5 hash of the executed object. This item is clickable. You can copy the item to the clipboard (Copied to clipboard drop-down list option) or navigate to the Threat Lookup page (Lookup drop-down list option). SHA1—SHA1 hash of the executed object. This item is clickable. You can copy the item to the clipboard (Copied to clipboard drop-down list option) or navigate to the Threat Lookup page (Lookup drop-down list option). SHA256—SHA256 hash of the executed object. This item is clickable. You can copy the item to the clipboard (Copied to clipboard drop-down list option) or navigate to the Threat Lookup page (Lookup drop-down list option). |
Packed object content |
Information about each file in the uploaded object. |
Status—Danger level of the file. MD5—MD5 hash of the file. This item is clickable. Hover your mouse over the required item and click Lookup to navigate to the Threat Lookup page. This will display investigation results for the file detected by the MD5 hash. Investigation results are available only if you have a valid Threat Lookup license and have not exceeded your object investigation quota. If you requested this hash in the past 24 hours, the Threat Lookup quota for your group is not affected. Investigation results for certain hashes in this section may be unavailable on the Threat Lookup results page. Click Download to download the item as a password-protected .zip archive. Use the default password to unpack the archive. The archive may contain objects that could harm your device or data if handled improperly. By downloading, you accept full responsibility for the handling of downloaded objects contained in the archive. You can only use the downloaded content to increase the level of protection of your devices and systems. Path—File name and path from the root of the uploaded object. Packer—Name of the packer used to pack the uploaded object. Type—Automatically detected file type. Detect—Names of detected objects. |
The Attribution page displays the results of the file analysis using Kaspersky Threat Attribution Engine technology. Kaspersky Threat Intelligence Portal provides information on the possible origin of the file based on its similarity with known APT samples. The attribution entities listed in the report are either malicious actors that can be owners of this file, or APT tools and malware that can be related to the analyzed file.
All results obtained during file analysis by Kaspersky Threat Attribution Engine technology must be evaluated and cannot be considered or used as evidence. Threats and attribution entities classified as advanced persistent threats (APT) by Kaspersky Threat Attribution Engine technology may not necessarily be classified as APT by other security experts. It is up to you to make a final decision about the status of any threat or actor.
The Attribution report page contains the sections described in the table below.
TAE page
Table |
Description |
Fields |
---|---|---|
Summary |
General information about the file analysis results. |
MD5—MD5 hash of the analyzed file. File size—Size of the analyzed file, in bytes. Reset similarity thresholds—Indicates whether similarity thresholds for compared samples were ignored, i.e. the corresponding parameter (check box) was selected while creating a task. Matched attribution entities—List of malicious actors or tools matched with the submitted file (if found). Extracted path—Path to the file in the archive (for files that were unpacked for analysis). Unpack—Indicates whether contents of the attached file were unpacked before analysis, i.e. the corresponding parameter (check box) was selected while creating a task. |
Sample & Content |
Information about files extracted from the packed file that is submitted for Kaspersky Threat Attribution Engine analysis. |
Status—Status of the extracted file. MD5—MD5 hash of the extracted file. Clicking the item navigates you to the Threat Lookup page where lookup results for this file are displayed. File name—Name of the extracted file. Size—Size of the extracted file, in bytes. Bad genotypes (matched/total)—Number of genotypes in the analyzed file that match the genotypes in the similar attribution entity samples. Bad strings (matched/total)—Number of strings in the analyzed file that match the strings in the similar attribution entity samples. Attribution entities—Attribution entities related to the extracted file. Actor names are presented as clickable tags. When you click a tag, Kaspersky Threat Intelligence Portal searches for the respective actor and opens the Reporting tab of the Threat Lookup page with search results. |
Similar samples |
Information about attribution entity samples similar to the analyzed file. |
Status—Status of the sample. MD5—MD5 hash of a similar sample. Clicking the item navigates you to the Threat Lookup page where lookup results for this file are displayed. Size—Size of a similar sample, in bytes. Genotypes matched (total)—Number of genotypes in the similar attribution entity sample that match the analyzed file. This is followed by the total number of genotypes in the similar sample that are related to the attribution entity. Strings matched (total)—Number of strings in the similar attribution entity sample that match the analyzed file. This is followed by the total number of strings in the similar sample that are related to the attribution entity. Similarity—Percentage of similarity between the analyzed file and the similar attribution entity sample. Attribution entities—Malicious actors or tools matched with the sample. Actor names are presented as clickable tags. When you click a tag, Kaspersky Threat Intelligence Portal searches for the respective actor and opens the Reporting tab of the Threat Lookup page with search results. Aliases—Known aliases for the attribution entity related to this sample. |
Matched genotypes |
Information about the genotypes matched with the analyzed file. |
Genotype—Genotype in the analyzed file that matches genotypes of similar attribution entity samples. Matched—Number of all known attribution entity samples with this genotype. Used by—Attribution entities related to samples with this genotype. |
Matched strings |
Information about strings matched with the analyzed file. |
String—String in the analyzed file that matches strings of similar attribution entity samples. Matched—Number of all known attribution entity samples with this string. Used by—Attribution entities related to samples with this string. |
The Similarity page displays information about files that are similar to the analyzed file.
Using machine-learning (ML) methods, Kaspersky systems extract the requested file's features and detect similar malicious files. Information about similar files can be used during incident response to search more extensively for modifications and variations of a malicious object. This information allows you to optimize perimeter protection against certain threats and take into account different modifications and variations of a malicious object.
Note that Kaspersky Threat Intelligence Portal and Kaspersky Threat Attribution Engine use different approaches to detect file similarity. Kaspersky Threat Intelligence Portal searches for similarity by special hashes, while Kaspersky Threat Attribution Engine searches by genotypes and strings extracted from the body of the file. For more information, see the Kaspersky Threat Attribution Engine documentation.
The Similarity report page contains the sections described in the table below.
Similarity page
Section |
Description |
Fields |
---|---|---|
Analyzed file |
Name of the analyzed file and whether similar files were found: Similar files found or Similar files not found. You can download information about detected similar files as an archive by clicking the Export results button. |
— |
Summary |
Date and time when the file analysis started. |
— |
Sample & Content |
Information about similar files. Contains the data described in the table below. Depending on the submitted object, this section contains the following:
|
— |
Info |
General information about the analyzed file. |
MD5—MD5 hash of the executed file. This item is clickable and takes you to the Threat Lookup page, where you can search for information about the MD5 hash. SHA1—SHA1 hash of the executed file. This item is clickable and takes you to the Threat Lookup page, where you can search for information about the SHA1 hash. SHA256—SHA256 hash of the executed file. This item is clickable and takes you to the Threat Lookup page, where you can search for information about the SHA256 hash. File name—Name of the analyzed file. Size—Size of the executed file in bytes. |
Similar files |
Information about detected similar files. You can click the Download data button located by this section to export the corresponding data. The button is available if the section contains data. |
Status—Status of the file that is similar to the analyzed file. If necessary, use the filter to view files with a specific status: Malware, Good, Not categorized. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Confidence—Level of confidence that the object is similar to the submitted file. Kaspersky Threat Intelligence Portal displays similar files with a confidence level from 8 to 11. First seen—Date and time when the similar file was detected by Kaspersky expert systems for the first time (in your local time zone). Last seen—Date and time, accurate to one minute, when the similar file was detected by Kaspersky expert systems for the last time (in your local time zone). Hits—Number of hits (popularity) for the file similar to the analyzed file that was detected by Kaspersky expert systems (rounded to the nearest power of 10). MD5—MD5 hash of the file similar to the analyzed file. Items are clickable; you can select the following actions:
|
Statistics for similar files |
Statistical information about detected similar files. |
Similarity—Total number of detected similar files. Confidence summary—Chart that displays the total number of similar files, and the proportion of confidence levels. Status summary—Chart that displays the total number of similar files, and the proportion of files with Malware (red) and Clean (green), Adware and other (yellow), and Not categorized (gray) status. Detection names—Detected objects (for example, HEUR:Exploit.Script.Blocker):
|
Archive content |
Information about files extracted from the submitted archive. This section is displayed if the archive contains more than one file. |
|
Kaspersky Threat Intelligence Portal enables you to export file execution results for further analysis.
The execution result structure may change after the Kaspersky Sandbox database update. In addition to the described fields, other fields may appear in the exported results.
You can export the following data:
The following procedure tells you how to export all file execution results.
Kaspersky Sandbox, Kaspersky Threat Attribution Engine, and Similarity investigation results are exported separately.
To export all file execution results:
The file with execution results for the executed object is saved. Preparing a file with all investigation results for downloading may take several minutes.
If you select the CSV archive (.zip) option when exporting all execution results, Kaspersky Threat Intelligence Portal saves execution results as a .zip archive. The .zip archive contains files in comma-separated values (CSV) format, with commas used as field separators. Up to 10,000 entries can be exported to most files, with the exception of the sample-and-execution-properties.csv file, which contains only one entry.
Information about network traffic is exported to a network.pcap file.
Screenshots are exported as a folder.
Exported results for multi-file objects contain only the sample-and-execution-properties.csv, sample-content.csv, and detection-names.csv (if available) files. The sample-content.zip archive is not included in the CSV archive (.zip) file and can be exported separately.
For the abridged reports, only the sample-and-execution-properties.csv and detection-names.csv files are included in the CSV archive.
By default, the format of the archive name is as follows:
You can change the archive name if necessary.
Each .zip archive contains the files described in the table below. The first row in all files contains column names.
CSV archive contents
File name |
Description |
Column name |
---|---|---|
sample-and-execution-properties.csv |
Information about object parameters and execution settings (Executing a file, Starting a file upload and execution). The file contains only one entry. |
|
sample-download-info.csv |
Information about downloading the file from the submitted link. This file is available only for files that were downloaded from a web address. |
|
detection-names.csv |
Information about objects detected during file execution. |
|
triggered-network-rules.csv |
Information about SNORT and Suricata rules triggered during analysis of traffic from the executed object. |
|
screens (folder) |
Set of screenshots (PNG images) that were taken during the file execution. |
— |
suspicious-activities.csv |
Information about registered suspicious activities. |
|
suspicious-activities-android.csv |
Information about registered Android suspicious activities. |
|
loaded-pe-images.csv |
Information about loaded images that were detected during the file execution. |
|
file-operations.csv |
Information about file operations that were registered during the file execution. |
|
registry-operations.csv |
Information about operations performed on the operating system registry detected during file execution. |
|
process-operations.csv |
Information about interactions of the file with various processes registered during file execution. |
|
synchronize-operations.csv |
Information about operations of created synchronization objects registered during file execution. |
|
network.pcap |
Information about activities registered during file execution. |
— |
downloaded-files.csv |
Information about files extracted from network traffic during file execution. |
|
dropped-files.csv |
Information about files saved by the executed file. |
|
dumps.csv |
Dump files (snapshots) of the file execution process and loaded modules. Available only for execution environments that have the Android operating system installed. |
|
matrix.csv |
Information about known tactics, techniques and procedures (TTPs), and a mapping to the MITRE ATT&CK classification for the executed object. |
|
sample-content.csv |
Information about the content of the packed file. Unpack the archive using default passwords. |
|
sample-content.zip |
Archive that contains files included in the packed object. Unpack the archive using default passwords. This archive can only be exported separately. It is not exported when you export all task results. |
— |
manifest.zip |
Information about Android app manifest. |
— |
static-modules.csv |
Android app modules detected through the static analysis. |
|
static-permissions.csv |
Android app permissions detected through the static analysis. |
|
static-components.csv |
Android app components detected through the static analysis. |
|
static-bundle.csv |
Android App Bundle (APK). |
|
static-images.csv |
Android App Bundle images. |
— |
dynamic-modules.csv |
Android app modules detected through the dynamic analysis. |
|
network-traffic-tables-ip-sessions.csv |
Array that contains information about IP sessions that were registered during file execution. |
|
network-traffic-tables-tcp-sessions.csv |
Array that contains information about TCP sessions that were registered during file execution. |
|
network-traffic-tables-udp-sessions.csv |
Array that contains information about UDP sessions that were registered during file execution. |
|
network-traffic-tables-dns-sessions.csv network-traffic-tables-dns-messages.csv |
Array that contains information about DNS sessions that were registered during file execution. |
|
network-traffic-tables-ftp-sessions.csv |
Array that contains information about FTP sessions that were registered during file execution. |
|
network-traffic-tables-http-sessions.csv |
Array that contains information about HTTP requests that were registered during the file execution. |
|
network-traffic-tables-tls-sessions.csv |
Array that contains information about TLS sessions that were registered during file execution. |
|
network-traffic-tables-irc-sessions.csv |
Array that contains information about IRC sessions that were registered during file execution. |
|
network-traffic-tables-pop3-sessions.csv |
Array that contains information about POP3 sessions that were registered during file execution. |
|
network-traffic-tables-smb-sessions.csv |
Array that contains information about SMB sessions that were registered during file execution. |
|
network-traffic-tables-smtp-sessions.csv |
Array that contains information about SMTP sessions that were registered during file execution. |
|
network-traffic-tables-socks-sessions.csv |
Array that contains information about SOCKS sessions that were registered during file execution. |
|
network-traffic-tables-https-sessions.csv |
Array that contains information about HTTPS requests that were registered during the file execution. |
|
If you select the JSON archive (.zip) option when exporting all execution results, Kaspersky Threat Intelligence Portal saves execution results as a .zip archive. The archive contains .json files. Files can contain up to 10,000 JSON objects, except for the sample-and-execution-properties.json file. This file contains only one JSON object.
Information about network traffic is exported to a network-traffic.pcap file.
Screenshots are exported as a folder.
Exported results for multi-file objects contain only the sample-and-execution-properties.json, sample-content.json, and detection-names.json (if available) files. The sample-content.zip archive is not included in the JSON archive (.zip) file and can be exported separately.
For the abridged reports, only sample-and-execution-properties.json and detection-names.json files are included in the JSON archive.
By default, the format of the archive name is as follows:
You can change the archive name if necessary.
Each .zip archive contains files described in the table below.
JSON archive contents for Kaspersky Sandbox
File name |
Description |
JSON attribute |
---|---|---|
sample-and-execution-properties.json |
Information about object parameters and execution settings (Executing a file, Starting a file upload and execution). The file contains only one JSON object. |
|
sample-download-info.json |
Information about downloading the file from the submitted link. This file is available only for files that were downloaded from a web address. |
|
detection-names.json |
Information about objects detected during file execution. |
|
triggered-network-rules.json |
Information about SNORT and Suricata rules triggered during analysis of traffic from the executed object. |
|
screens (folder) |
Set of screenshots (PNG images) that were taken during the file execution. |
— |
suspicious-activities.json |
Information about registered suspicious activities. |
|
suspicious-activities-android.json |
Information about registered Android suspicious activities. |
|
loaded-pe-images.json |
Information about loaded images that were detected during the file execution. |
|
file-operations.json |
Information about file operations that were registered during the file execution. |
|
registry-operations.json |
Information about operations performed on the operating system registry detected during file execution. |
|
process-operations.json |
Information about interactions of the file with various processes registered during file execution. |
|
synchronize-operations.json |
Information about operations of created synchronization objects registered during file execution. |
|
network.pcap |
Information about activities that were registered during the file execution. This file is included in the archive if the PCAP (.pcap) option is selected during the results export. |
— |
matrix.json |
Information about known tactics, techniques and procedures (TTPs), and mapping with MITRE ATT&CK classification for the executed object. |
|
sample-content.json |
Information about the content of the packed file. Unpack the archive using default passwords. |
|
sample-content.zip |
Archive that contains files included in the packed object. Unpack the archive using default passwords. This archive can only be exported separately. It is not exported when you export all task results. |
— |
downloaded-files.json |
Information about files extracted from network traffic during file execution. |
|
dropped-files.json |
Information about files saved by the executed file. |
|
dumps.json |
Dump files (snapshots) of the file execution process and loaded modules. Available only for execution environments that have the Android operating system installed. |
|
manifest.zip |
Information about Android app manifest. |
— |
static-modules.json |
Android app modules detected by using the static analysis. |
|
static-permissions.json |
Android app permissions detected by using the static analysis. |
|
static-components.json |
Android app components detected by using the static analysis. |
|
static-bundle.json |
Android App Bundle (APK). |
|
static-images.json |
Android App Bundle images. |
— |
dynamic-modules.json |
Android app modules detected by using the dynamic analysis. |
|
network-traffic-tables.json |
Information about network activities that were registered during the file execution. The data is saved in the root JSON object with the attributes described below in this table, or in separate CSV files with corresponding names. |
— |
IpSessions section |
Array that contains information about IP sessions that were registered during file execution. |
|
TcpSessions section |
Array that contains information about TCP sessions that were registered during file execution. |
|
UdpSessions section |
Array that contains information about UDP sessions that were registered during file execution. |
|
DnsSessions section |
Array that contains information about DNS sessions that were registered during file execution. |
|
FtpSessions section |
Array that contains information about FTP sessions that were registered during file execution. |
|
HttpSessions section |
Array that contains information about HTTP requests that were registered during the file execution. |
|
TlsSessions section |
Array that contains information about TLS sessions that were registered during file execution. |
|
IrcSessions section |
Array that contains information about IRC sessions that were registered during file execution. |
|
Pop3Sessions section |
Array that contains information about POP3 sessions that were registered during file execution. |
|
SmbSessions section |
Array that contains information about SMB sessions that were registered during file execution. |
|
SmtpSessions section |
Array that contains information about SMTP sessions that were registered during file execution. |
|
SocksSessions section |
Array that contains information about SOCKS sessions that were registered during file execution. |
|
HttpsSessions section |
Array that contains information about HTTPS requests that were registered during the file execution. |
|
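The network activity data above can arrive as one root JSON object or as a set of CSV files named after the sections. As an added example (not code from the Kaspersky documentation or product), the following Python normalizes both representations into the same structure and gives a per-protocol count for a first triage pass; the fields inside each session record and the sample data are constructed, since the page does not list the real column names.

```python
"""Normalize network-traffic-tables export data from a Sandbox file execution.

Added example, not part of the Kaspersky documentation or product. The
portal saves network activity either as one root JSON object whose
attributes are the per-protocol session arrays (IpSessions, TcpSessions,
...), or as separate CSV files with corresponding names. The field names
inside each session record below are constructed placeholders.
"""
import csv
import io
import json

# Section names documented for network-traffic-tables.json.
SESSION_SECTIONS = (
    "IpSessions", "TcpSessions", "UdpSessions", "DnsSessions", "FtpSessions",
    "HttpSessions", "TlsSessions", "IrcSessions", "Pop3Sessions",
    "SmbSessions", "SmtpSessions", "SocksSessions", "HttpsSessions",
)


def sessions_from_json(text):
    """Return {section: [record, ...]} from the root JSON object.

    Absent sections become empty lists; an attribute that is present but is
    not an array is rejected instead of being silently iterated.
    """
    root = json.loads(text)
    if not isinstance(root, dict):
        raise ValueError("expected a root JSON object")
    out = {}
    for name in SESSION_SECTIONS:
        value = root.get(name, [])
        if not isinstance(value, list):
            raise ValueError(f"{name} is not an array")
        out[name] = value
    return out


def sessions_from_csv(files):
    """Return the same structure from CSV files keyed by file name.

    `files` maps names such as 'IpSessions.csv' to CSV text; the first line
    of each file carries the column names, so every row becomes a dict.
    """
    out = {name: [] for name in SESSION_SECTIONS}
    for filename, text in files.items():
        section = filename[:-4] if filename.endswith(".csv") else filename
        if section not in out:
            continue  # not a session table; leave it for other parsers
        out[section] = list(csv.DictReader(io.StringIO(text)))
    return out


def summarize(sessions):
    """Count records per section and list the protocols actually observed."""
    counts = {name: len(rows) for name, rows in sessions.items()}
    observed = [name for name, n in counts.items() if n]
    return {"counts": counts, "observed": observed}


# Constructed sample data (not real portal output); both forms carry the
# same two sessions so the two loaders can be compared.
SAMPLE_JSON = json.dumps({
    "DnsSessions": [{"Query": "example.test", "Type": "A"}],
    "HttpSessions": [{"Method": "GET", "Url": "http://example.test/a"},
                     {"Method": "POST", "Url": "http://example.test/b"}],
})
SAMPLE_CSV = {
    "DnsSessions.csv": "Query,Type\r\nexample.test,A\r\n",
    "HttpSessions.csv": "Method,Url\r\nGET,http://example.test/a\r\n"
                        "POST,http://example.test/b\r\n",
}

if __name__ == "__main__":
    from_json = summarize(sessions_from_json(SAMPLE_JSON))
    from_csv = summarize(sessions_from_csv(SAMPLE_CSV))
    print(from_json["observed"], from_json["counts"] == from_csv["counts"])
```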
JSON archive contents for Similarity
File name | Description | JSON attribute |
---|---|---|
<file MD5>_similarity.json | Information about files that are similar to the requested file. | |
If you select the STIX (.xml) option when exporting all execution results, Kaspersky Threat Intelligence Portal saves execution results as a file in STIX format.
For the abridged reports, exporting to STIX format is not available.
By default, the format of the file name is as follows: <object MD5>.stix. You can change the file name if necessary. For similar files, the default file name is <object MD5>_similarity.stix.
Each STIX file contains sections described in the tables below.
STIX file sections for Sandbox
Section | Description | Comment |
---|---|---|
Description | Information about object parameters and execution settings (Executing a file, Starting a file upload and execution), threats that were detected during the file execution, and SNORT or Suricata rules that were triggered during analysis of traffic from the executed object. | — |
Download URLs | Information about the specified web address and web addresses to which the file redirected during the downloading process. | This section is available only for files that were downloaded from a web address. |
Files | Information about files that were extracted from network traffic or saved by the executed file during the execution. | This section is included in the export file if at least one extracted or saved file was detected. Each extracted or saved file is described in a separate subsection within this section. |
PE images | Information about loaded images that were detected during the file execution. | This section is included in the export file if at least one PE image was detected. Each loaded PE image is described in a separate subsection within this section. |
Synchronization objects | Information about synchronization objects registered during the file execution. | This section is included in the export file if at least one synchronization object was registered. Each synchronization object is described in a separate subsection within this section. |
Similarity | Information about files that are similar to the analyzed object. | — |
The following procedure tells you how to export file execution results from a separate data group.
To export object execution results from a selected data group:
Kaspersky Threat Intelligence Portal exports up to 10,000 items from a data group.
The file containing execution results from the data group will be saved.
Default file names are represented in the table below. You can change the file name if necessary.
Default file names
Table name | Default downloaded file name |
---|---|
Results tab | |
Detection names | <executed file MD5>.detection-names.json |
Triggered network rules | <executed file MD5>.triggered-network-rules.json |
Download responses (available only for files that were downloaded from a web address) | <executed file MD5>.download-responses.zip |
Suspicious activities | <executed file MD5>.suspicious-activities.json |
Screenshots | <executed file MD5>.screenshots.zip |
System activities tab | |
Loaded PE Images | <executed file MD5>.loaded-pe-images.json |
File operations | <executed file MD5>.file-operations.json |
Registry operations | <executed file MD5>.registry-operations.json |
Process operations | <executed file MD5>.process-operations.json |
Synchronize operations | <executed file MD5>.synchronize-operations.json |
Extracted files tab | |
Transferred files | <executed file MD5>.downloaded-files.json |
Dropped files | <executed file MD5>.dropped-files.json |
Network activities tab | |
HTTP(S) requests, DNS requests | <executed file MD5>.network-traffic.zip (contains only the network.pcap file) |
Similarity page | |
Similarity | <executed file MD5>_similarity.json |
This section describes the emulation of a web address opening in Kaspersky Sandbox.
Analysis results are displayed in the History table on the Threat Analysis page. When you click an item in the History table, brief information about the analyzed web address is displayed.
Brief information about analyzed web address
Parameter | Description |
---|---|
Emulation environment | Operating system that was used as a browsing environment. |
Emulation time (sec) | Web address browsing time in seconds. |
Internet access options | Region or individual country of a network channel specified by the user for the executed object to use to access the internet. |
Decrypt HTTPS | Specifies whether HTTPS traffic generated by the executed object was decrypted. |
Kaspersky Threat Intelligence Portal allows you to emulate browsing of a web address in a safe Kaspersky Sandbox environment.
To browse a web address in Kaspersky Sandbox:
Available values:
Microsoft Windows 10 x64 is selected by default.
You can specify the execution time, from 30 to 500 seconds. The default value is 100 seconds.
The web address will only be browsed in the selected environment during the specified execution time. The specified time does not include the time required for analysis and displaying results.
Available values:
The Auto item is selected by default. For more details about channels, refer to Internet channel values.
The list of available regions can contain individual countries through which the executed file can access the internet.
The check box is selected by default.
Disabling HTTPS traffic decryption may reduce the probability of malware detection. This functionality allows you to obtain artifacts with information about the object's interaction via HTTPS during the task execution. We recommend disabling HTTPS traffic decryption only if you are sure that it will for some reason interfere with the analysis of a certain object.
An entry describing results appears in the History table. You can start to analyze results when the process finishes and the Execution state field is Completed.
If the previously specified internet channel is no longer available, the Auto item is selected by default.
If the web address is opened again later, results may differ from those shown in the History table for the same web address because Kaspersky expert systems update information about objects in real time. Results depend on the threat landscape.
Up to 1000 of the latest file executions and web address analysis results for a user are stored. When the maximum number of stored results is reached, the oldest results are assigned Archived status. For archived tasks, you can only view or delete a brief summary. For more details about archived tasks, refer to the About archived (discarded) tasks section.
On the Sandbox page, the web address analysis results are displayed. The zone of the web address's status (Dangerous, Adware and other, Good, or Not categorized) is displayed under the web address.
The analysis results are displayed in separate sections (tables). Each table contains up to 10 entries.
The Sandbox page contains the following sections:
Graphically presented (icons) statistical information, task details, information about certificate, categories of the requested web address, and links to the related APT Intelligence reports and Crimeware Threat Intelligence reports.
Detected items that were registered during the web address analysis.
SNORT and Suricata rules that were triggered during the web address traffic analysis.
IP addresses that were accessed in all HTTP(S) requests after the FQDN resolved.
WHOIS information about domain for the analyzed web address.
HTTP/HTTPS requests that were registered during the web address analysis.
DNS requests that were registered during the web address analysis.
Set of screenshots that were taken during the web address analysis.
In the History table, your local task creation time is displayed. In reports, date and time are displayed in Coordinated Universal Time (UTC) format.
You can click the Download data button located by each section (except the Summary section) to export data from the section. The button is available if the section contains data.
The Summary section represents general information about web address analysis results.
The following charts are displayed:
The total number of threats that were detected during the web address browsing, and the proportion of threats with Malware (red) and Adware and other (yellow) statuses.
The name of the chart is clickable—you can click Detects to navigate to the Detection names table on the Results tab.
The total number of suspicious activities that were registered during the web address browsing, and the proportion of activities with High (red), Medium (yellow), and Low (gray) levels.
The name of the circle chart is clickable—you can click Suspicious activities to navigate to the Suspicious activities table on the Results tab.
The total number of files that were downloaded or dropped by the file during the web address browsing, and the proportion of files with the status of Malware (extracted files that can be classified as malicious, in red), Adware and other (extracted files that can be classified as Not-a-virus, in yellow), Clean (extracted files that can be classified as not malicious, in green), and Not categorized (no or not enough information about the extracted files is available to define the category, in gray).
The name of the chart is clickable—you can click Extracted files to navigate to the Extracted files tab.
The total number of registered network interactions that the file performed during the web address browsing, and the proportion of network interactions with the status of Dangerous (requests to resources with the Dangerous status, in red), Adware and other (requests to resources with the Adware and other status, in yellow), Good (requests to resources with the Good status, in green), and – (requests to resources with the Not categorized status, in gray).
The name of the circle chart is clickable—you can click Network activities to navigate to the Network activities tab.
The number of detected files or activities with specific status is displayed below each chart. Small values are displayed out of proportion. For better viewing, small values are displayed as 1% of the entire circle chart.
You can download results of the web address browsing as an archive by clicking the Export all results button.
Web address information
The following general information about an analyzed web address is displayed:
Web address information
Field name | Description | Comments |
---|---|---|
Host | Part of the analyzed web address that indicates the host. Available values: | Item is clickable and takes you to the Threat Lookup page, where you can search for information about the domain or IP address. |
Browsing environment | Operating system that was used as an emulation environment. | — |
Browsing time | Web address emulation time in seconds. | — |
HTTPS decryption | Boolean parameter that specifies whether HTTPS traffic generated by the executed object was decrypted. | — |
Internet access options | Region (or individual country) of a network channel specified by the user for the web address to use to access the internet. | — |
Database update | Date and time when the anti-virus databases were updated. | — |
Categories
Categories of the analyzed web address. Category labels are marked with the color of the zone to which the category belongs (red, orange, yellow, or gray). If the web address does not belong to any of the defined categories, the - category is displayed. Category labels are not clickable.
Kaspersky Threat Intelligence Portal provides information about detected items that were registered during the web address analysis.
Sandbox detection names section
Field name | Description | Comments |
---|---|---|
Status | Danger zone (level) to which the threat refers (High, Medium, Low, Info). | Items in the table are sorted by the Status field, from High to Info. |
Name | Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Each item in the list is clickable—you can click it to view its description on the Kaspersky threats website. | — |
Kaspersky Threat Intelligence Portal provides information about SNORT and Suricata rules that were triggered during the web address traffic analysis.
Triggered network rules section
Field name | Description | Comments |
---|---|---|
Status | Danger zone (level) of the network traffic detected by the SNORT or Suricata rule (High, Medium, Low, Info). | Items in the table are sorted by the Status field, from High to Info. |
Rule | SNORT or Suricata rule name. | — |
Kaspersky Threat Intelligence Portal provides information about IP addresses that were accessed in all HTTP(S) requests after the FQDN resolved.
Hosts section
Field name | Description | Comments |
---|---|---|
Status | Status (danger level) of IP addresses that the domain for the requested web address resolved to (Dangerous, Not trusted, Not categorized, Good). | Items in the table are grouped by status (1—Dangerous, 2—Not trusted, 3—Not categorized, 4—Good). |
IP | IP address to which a domain from the Resolved from domain column in this table resolved. | The flag of the country that the IP address belongs to is displayed. When you hover your mouse over a flag, a tooltip with the country name appears. Items are clickable and take you to the Threat Lookup page, where you can search for information about the IP address. |
ASN | Autonomous system number according to RFC 1771 and RFC 4893. | — |
Hits | Number of IP address detections by Kaspersky expert systems. | — |
Resolved from domain | Fully qualified domain name (FQDN) that resolved to the IP address from the IP column in this table. | Items are clickable and take you to the Threat Lookup page, where you can search for information about the domain. |
Kaspersky Threat Intelligence Portal provides WHOIS information about the host of the analyzed web address.
Host indicated by IP address
WHOIS section for IP address as a host
Table field | Description |
---|---|
IP range | Range of IP addresses in the network that the requested host belongs to. The flag of the country that the network of the IP address belongs to is also displayed. When you hover your mouse over a flag, a tooltip with the country name appears. |
Net name | Name of the network that the IP address belongs to. |
Net description | Description of the network that the IP address belongs to. |
Created | Date when the IP address was registered. |
Changed | Date when information about the IP address was last updated. |
AS description | Autonomous system description. |
ASN | Autonomous system number according to RFC 1771 and RFC 4893. |
Contact | Section containing the contact (organization or person) name, role, address, phones / faxes, and emails. |
Host indicated by FQDN
WHOIS section for FQDN as a host
Field name | Description |
---|---|
Domain name | Name of the domain for the analyzed web address. |
Domain status | Status of the domain for the analyzed web address. |
Created | Date when the domain for the analyzed web address was registered. |
Updated | Date when the registration information about the domain for the analyzed web address was last updated. |
Paid until | Expiration date of the prepaid domain registration term. |
Registrar info | Name of the registrar of the domain for the analyzed web address. |
IANA ID | IANA ID of the domain registrar. |
 | Email of the domain registrar. |
Name servers | List of name servers of the domain for the analyzed web address. |
Contact | Section containing the contact (organization or person) name, role, address, phones / faxes, and emails. |
Kaspersky Threat Intelligence Portal provides information about HTTP and HTTP over TLS (HTTPS) requests that were registered when browsing the web address.
HTTP requests section
Table fields | Description |
---|---|
Status | Status of a web address in the HTTP(S) request. The web address can be assigned one of the following statuses: Dangerous (there are malicious objects related to the web address); Not trusted (categorized as Infected or Not trusted); Adware and other (there are objects related to the web address, which can be classified as Not-a-virus); Good (the web address is not malicious); Not categorized (no or not enough information about the web address is available to define the category). |
Scheme | Web address scheme that identifies the protocol which was used (HTTP or HTTPS). |
URL | Web address to which the request was registered. |
IP | IP address that indicates the host. The corresponding flag and the status of the IP address are also displayed. |
Request | HTTP(S) request details: Method—Method of sending an HTTP request. The HTTP method can be one of the following: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, or PATCH. Scheme—Web address scheme that identifies the protocol which was used (HTTP or HTTPS). Request body—MD5 hash of a file in the HTTP(S) request. Item is clickable, and navigates to hash investigation results on the Threat Lookup results page. Status—Status of a file in the HTTP(S) request. Detection names—Names of the detected objects (for example, HEUR:Exploit.Script.Blocker). Size—Size of a file in the HTTP(S) request in bytes. Type—Content type of the HTTP(S) request. File type—File type in the HTTP(S) request, which was detected by Kaspersky expert systems. Request headers—Additional fields displayed as key:value. Standard header names are based on RFC 2616, Hypertext Transfer Protocol -- HTTP/1.1. Custom headers (for example, x-ms-request-id) are highlighted in blue. |
Response | Response details: Code—Response code for the HTTP(S) request. Response body—MD5 hash of a file in the HTTP(S) response. The item is clickable and navigates to the hash investigation results on the Threat Lookup results page. Status—Status of a file in the HTTP(S) response. Detection names—Names of the detected objects (for example, HEUR:Exploit.Script.Blocker). Size—Size of a file in the HTTP(S) response in bytes. Type—Content type of the HTTP(S) response. File type—File type in the HTTP(S) response, which was detected by Kaspersky expert systems. Response headers—Additional fields displayed as key:value. Standard header names are based on RFC 2616, Hypertext Transfer Protocol -- HTTP/1.1. Custom headers (for example, x-ms-request-id) are highlighted in blue. |
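The portal separates standard RFC 2616 header names from custom ones and assigns each request a status; the added Python below (not Kaspersky's code) reproduces that split over exported request records and reports the worst status seen, so an analyst can review custom headers on non-Good requests first. The record keys and sample requests are this example's assumptions, not the portal's export schema.

```python
"""Triage HTTP(S) request records exported from a web address analysis.

Added example, not Kaspersky code. The record layout mirrors the fields
named in the HTTP requests section (Status, Scheme, URL, Request with
Method and Request headers, Response with Code and Response headers), but
the key names are this example's assumptions, not the portal's export schema.
"""

# Header names defined in RFC 2616 section 14; anything else is "custom",
# which is the distinction the portal highlights in blue.
RFC2616_HEADERS = {h.lower() for h in (
    "Accept", "Accept-Charset", "Accept-Encoding", "Accept-Language",
    "Accept-Ranges", "Age", "Allow", "Authorization", "Cache-Control",
    "Connection", "Content-Encoding", "Content-Language", "Content-Length",
    "Content-Location", "Content-MD5", "Content-Range", "Content-Type",
    "Date", "ETag", "Expect", "Expires", "From", "Host", "If-Match",
    "If-Modified-Since", "If-None-Match", "If-Range", "If-Unmodified-Since",
    "Last-Modified", "Location", "Max-Forwards", "Pragma",
    "Proxy-Authenticate", "Proxy-Authorization", "Range", "Referer",
    "Retry-After", "Server", "TE", "Trailer", "Transfer-Encoding", "Upgrade",
    "User-Agent", "Vary", "Via", "Warning", "WWW-Authenticate",
)}

# Statuses the Status field can carry, ordered from most to least severe.
STATUS_ORDER = ("Dangerous", "Not trusted", "Adware and other", "Good", "Not categorized")


def split_headers(headers):
    """Split 'key:value' header strings into (standard, custom) dicts."""
    standard, custom = {}, {}
    for line in headers:
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header: {line!r}")
        key, value = key.strip(), value.strip()
        (standard if key.lower() in RFC2616_HEADERS else custom)[key] = value
    return standard, custom


def triage(requests):
    """Count requests per status, report the worst status seen, and list the
    custom headers of every request that is not Good for analyst review."""
    counts = {s: 0 for s in STATUS_ORDER}
    review = []
    for r in requests:
        status = r["Status"]
        if status not in counts:
            raise ValueError(f"unknown status {status!r}")
        counts[status] += 1
        _, req_custom = split_headers(r["Request"].get("Request headers", []))
        _, resp_custom = split_headers(r["Response"].get("Response headers", []))
        if status != "Good" and (req_custom or resp_custom):
            review.append({"URL": r["URL"], "Method": r["Request"]["Method"],
                           "custom": sorted(req_custom) + sorted(resp_custom)})
    worst = next((s for s in STATUS_ORDER if counts[s]), None)
    return {"counts": counts, "worst": worst, "review": review}


# Constructed sample records (not real portal output).
SAMPLE_REQUESTS = [
    {"Status": "Good", "Scheme": "HTTPS", "URL": "https://cdn.example.test/lib.js",
     "Request": {"Method": "GET",
                 "Request headers": ["Host: cdn.example.test", "Accept: */*"]},
     "Response": {"Code": 200,
                  "Response headers": ["Content-Type: text/javascript"]}},
    {"Status": "Dangerous", "Scheme": "HTTP", "URL": "http://dl.example.test/setup.bin",
     "Request": {"Method": "POST",
                 "Request headers": ["Host: dl.example.test", "X-Session-Token: 7"]},
     "Response": {"Code": 200,
                  "Response headers": ["Content-Type: application/octet-stream",
                                       "x-ms-request-id: abc"]}},
]

if __name__ == "__main__":
    print(triage(SAMPLE_REQUESTS))
```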
Kaspersky Threat Intelligence Portal provides information about DNS requests that were registered when browsing the web address.
DNS requests
Table field | Description |
---|---|
Status | Status of an object in the DNS request. |
Type | DNS request type. |
Response | Contents of the DNS response. For A, CNAME, PTR, MX, and NS types of DNS requests, items in this column are clickable and navigate to investigation results on the Threat Lookup results page. If you requested this object during the past 24 hours, the Threat Lookup quota for your group is not decreased. Investigation results for certain web addresses may be unavailable on the Threat Lookup results page. |
Set of screenshots that were taken when browsing the web address. Screenshots are available as a gallery with preview images, and as full size images.
You can view screenshots online, or you can download all of them as an archive.
Kaspersky Threat Intelligence Portal enables you to export web address browsing results for further analysis.
You can export the following data:
The following procedure tells you how to export all web address browsing results.
To export all web address browsing results:
The file with results for the browsed web address will be saved. Preparing a file with all investigation results for download may take several minutes.
If you select the CSV archive (.zip) option when exporting all execution results, Kaspersky Threat Intelligence Portal saves web address browsing results as a .zip archive. The .zip archive contains files in comma-separated values (CSV) format, with commas used as field separators. Up to 10,000 entries can be exported to most files, with the exception of the url-and-analysis-properties.csv file, which contains only one entry.
Information about network traffic is exported to a network.pcap file.
Screenshots are exported as a folder.
By default, the format of the archive name is as follows: <web address MD5>-csv.zip. You can change the archive name if necessary.
Each .zip archive contains the files described in the table below. The first line in all files contains column names.
CSV archive contents
File name | Description | Column name |
---|---|---|
url-and-analysis-properties.csv | Information about web address browsing parameters. The file contains only one entry. | |
categories.csv | Information about browsed and redirected web addresses categories. | |
publications.csv | Information about Crimeware Threat Intelligence and/or APT Intelligence reports to which the analyzed web address is related. | |
detection-names.csv | Information about threats that were detected during the web address emulation. | |
hosts-ips.csv | Information about IP addresses that were accessed in all HTTP(S) requests after the FQDN resolved. | |
WHOIS-ips.csv | WHOIS information about the host of the analyzed web address. | For IP addresses: For FQDN: |
triggered-network-rules.csv | Information about SNORT and Suricata rules that were triggered during analysis of traffic from the web address. | |
screens (folder) | Set of screenshots (PNG images) that were taken during the web address browsing. | — |
network.pcap | Information about activities that were registered during the web address browsing. | — |
If you select the JSON archive (.zip) option when exporting all execution results, Kaspersky Threat Intelligence Portal saves web address browsing results as a .zip archive. The archive contains .json files. Files can contain up to 10,000 JSON objects, except for the url-and-analysis-properties.json file. This file contains only one JSON object.
Information about network traffic is exported to a network.pcap file.
Screenshots are exported as a folder.
By default, the format of the archive name is as follows: <web address>.zip. You can change the archive name if necessary.
Each .zip archive contains the files described in the table below. The first line in all files contains column names.
JSON archive contents
File name | Description | Column name |
---|---|---|
url-and-analysis-properties.json | Information about web address browsing parameters. The file contains only one entry. | |
categories.json | Information about browsed and redirected web addresses categories. | |
dns-requests.json | Information about DNS requests that were registered when browsing the web address. | |
publications.json | Information about Crimeware Threat Intelligence and/or APT Intelligence reports to which the analyzed web address is related. | |
detection-names.json | Information about threats that were detected during the web address emulation. | |
hosts-ips.json | Information about IP addresses that were accessed in all HTTP(S) requests after the FQDN resolved. | |
http-requests.json | Information about HTTP and HTTPS requests that were registered when browsing the web address. | |
WHOIS-ip.json | WHOIS information about the host of the analyzed web address. This file is available for IP address as a host. | |
WHOIS-domain.json | WHOIS information about the host of the analyzed web address. This file is available for FQDN as a host. | |
triggered-network-rules.json | Information about SNORT and Suricata rules that were triggered during analysis of traffic from the web address. | |
screens (folder) | Set of screenshots (PNG images) that were taken during the web address browsing. | — |
network.pcap | Information about activities that were registered during the web address browsing. | — |
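Because each exported .json file holds at most 10,000 objects, a file that reaches exactly that count may have been truncated, which matters when the archive feeds further tooling. The Python below is an added example (not the portal's code) that opens such an archive, checks each file against the documented layout (one object in url-and-analysis-properties.json, arrays elsewhere, a network.pcap, a screens folder), and warns on files at the cap; the archive it inspects is constructed in memory.

```python
"""Inspect a JSON export archive of web address browsing results.

Added example, not part of the Kaspersky Threat Intelligence Portal or its
documentation. It relies only on the documented layout: .json files with
up to 10,000 JSON objects each, url-and-analysis-properties.json with
exactly one object, network.pcap with the traffic, and screenshots in a
screens folder. The sample archive below is constructed in memory.
"""
import io
import json
import zipfile

EXPORT_LIMIT = 10_000  # documented per-file cap on exported objects
SINGLE_OBJECT_FILES = {"url-and-analysis-properties.json"}
WHOIS_FILES = {"WHOIS-ip.json", "WHOIS-domain.json"}  # one of the two, by host type
ARRAY_FILES = {
    "categories.json", "dns-requests.json", "publications.json",
    "detection-names.json", "hosts-ips.json", "http-requests.json",
    "triggered-network-rules.json",
}


def inspect_export(zip_bytes):
    """Return per-file counts plus warnings an analyst should read first.

    Warnings flag files at the 10,000-object cap (the export may be
    truncated), files that are not JSON of the expected shape, documented
    files that are absent, and a missing WHOIS file.
    """
    counts, warnings = {}, []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            if name.startswith("screens/"):
                if not name.endswith("/"):
                    counts["screens/"] = counts.get("screens/", 0) + 1
                continue
            if name == "network.pcap":
                counts[name] = zf.getinfo(name).file_size  # capture size in bytes
                continue
            if not name.endswith(".json"):
                warnings.append(f"{name}: not part of the documented archive layout")
                continue
            try:
                data = json.loads(zf.read(name))
            except ValueError:
                warnings.append(f"{name}: not valid JSON")
                continue
            if name in SINGLE_OBJECT_FILES:
                counts[name] = 1
                if not isinstance(data, dict):
                    warnings.append(f"{name}: expected exactly one JSON object")
            elif isinstance(data, list):
                counts[name] = len(data)
                if len(data) >= EXPORT_LIMIT:
                    warnings.append(f"{name}: {len(data)} objects, at the export cap, may be truncated")
            elif name in WHOIS_FILES and isinstance(data, dict):
                counts[name] = 1  # WHOIS file shape is not asserted here
            else:
                warnings.append(f"{name}: expected a JSON array")
    present = set(names)
    for missing in sorted((SINGLE_OBJECT_FILES | ARRAY_FILES) - present):
        warnings.append(f"{missing}: listed in the archive contents but absent")
    if not (WHOIS_FILES & present):
        warnings.append("no WHOIS-ip.json or WHOIS-domain.json in archive")
    return {"counts": counts, "warnings": warnings}


def build_sample_archive(n_detections=3):
    """Construct an in-memory archive that follows the documented layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("url-and-analysis-properties.json",
                    json.dumps({"url": "http://example.test/"}))
        zf.writestr("detection-names.json",
                    json.dumps([{"name": f"Sample-{i}"} for i in range(n_detections)]))
        for f in ARRAY_FILES - {"detection-names.json"}:
            zf.writestr(f, "[]")
        zf.writestr("WHOIS-domain.json", "[]")
        zf.writestr("network.pcap", b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)  # pcap magic + padding
        zf.writestr("screens/1.png", b"\x89PNG")
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_export(build_sample_archive())
    print(report["counts"])
    print(report["warnings"] or "no warnings")
```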
If you select the STIX (.xml) option when exporting all web address browsing results, Kaspersky Threat Intelligence Portal saves results as a file in STIX format.
By default, the format of the file name is as follows: <web address>.stix. You can change the file name if necessary.
Each STIX file contains sections described in the table below.
STIX file sections
Section | Description |
---|---|
Description | Information about web address parameters and browsing settings, threats that were detected during the web address browsing, and SNORT or Suricata rules that were triggered during analysis of traffic from the web address. |
URL Domain | WHOIS information about the host of the analyzed web address. |
Hosts | Information about IP addresses to which the fully qualified domain name (FQDN) for the requested web address resolved during the analysis. |
The following procedure tells you how to export web address browsing results from a separate data group.
To export web address browsing results from a selected data group:
Kaspersky Threat Intelligence Portal exports up to 10,000 items from a data group.
The file containing execution results from the data group will be saved. Default file names are represented in the table below. You can change the file name if necessary.
Default file names
Section name |
Default downloaded file name |
---|---|
Task properties (Summary section) |
<web address>.url-and-analysis-properties.json |
Categories (Summary section) |
<web address>.categories.json |
Reports (Summary section) |
<web address>.publications.json |
<web address>.detection-names.json |
|
<web address>.hosts-ips.json |
|
<web address>.WHOIS-ip.json or <web address>.WHOIS-domain.json |
|
<web address>.triggered-network-rules.json |
|
<web address>.network-traffic.zip (contains only network.pcap file) |
|
<web address>.screenshots.zip |
Kaspersky Threat Intelligence Portal allows you to execute files that were extracted (dropped or downloaded) during another file execution or browsing a web address in Kaspersky Sandbox.
To execute an extracted file,
The Upload and execute file tab opens with the default execution parameter values selected.
Kaspersky Threat Intelligence Portal stores up to 1000 of the latest task results for a user. When the maximum number of stored results is reached, Archived (previously Discarded) status is assigned to the oldest object analysis results. Archived task results are displayed in the History → Archived table on the Threat Analysis page.
For archived tasks, detailed results are not available. Instead, you can only view a brief summary. Also, you can delete information about a specific task that has been archived, or all archived tasks, from the Archived table.
To execute a file from an archived task, you have to start execution again. For uploaded files, you need to upload the file again. Keep in mind that the oldest file execution result will acquire Archived status.
To delete archived tasks, do one of the following:
This section describes errors that may occur during an object execution.
Upload canceled
User canceled the object upload.
To execute the object, upload it again and make sure the upload process is complete.
Unpacking failed
Error occurred when unpacking the archive.
To execute the object, try to compress the object into a .zip archive again, or upload it unpacked.
Incorrect password
Failed to unpack the archive because of an incorrect password.
To execute the object, try to compress the object into a supported archive format again, or upload it unpacked.
Invalid archive
Failed to identify the archive format.
To execute the object, try to compress the object into a supported archive format again, or upload it unpacked.
Upload timeout
Failed to upload the object within the time limit (5 minutes).
To execute the object, upload the object using a faster network connection.
Processing timeout
Failed to process the object because Kaspersky Sandbox is busy.
Try to execute the file or browse the web address later. If the problem recurs, please contact your dedicated Kaspersky Technical Account Manager.
Processing failed
Error occurred during the object execution.
Try to execute the object again later. If the problem recurs, please contact your dedicated Kaspersky Technical Account Manager.
Object size exceeded
Failed to execute the object that exceeds a size limit.
To execute the object, make sure object size does not exceed 256 megabytes.
Sandbox overload
Kaspersky Sandbox is currently overloaded.
Try to execute the object again later. If the problem recurs, please contact your dedicated Kaspersky Technical Account Manager.
Unknown file type
Failed to automatically detect the object type; the object was not executed.
If you know the object type, manually enter the object extension in the Change file name and extension to field in the Advanced options section, and start the execution task.
For more details about object types, refer to the Automatically detected file types section.
Selected internet channel is no longer available
The internet channel that you selected is no longer available.
Select another channel and start the task again. Your Kaspersky Sandbox quota will not be decreased for the failed object execution.
For more details about channels, refer to Internet channel values.
Download failed
Failed to download the object from the specified web address; the object was not executed.
Make sure the web address is correct and the object size does not exceed 256 megabytes, and then try again or specify another file to download.
This section explains how you can view notifications about threats and reports from Kaspersky for your organization. It also describes how you can change the data you send to Kaspersky, so as to help us improve the reports for your organization.
To receive notifications about threats related to your organization, you must first add assets for information that you want to monitor. You can receive notifications and reports by using the Kaspersky Threat Intelligence Portal web interface, API methods, or by email.
Also, you can manage assets and threat notifications in the multitenancy mode.
The table below shows a comparison of available features, depending on the way you work with Kaspersky Threat Intelligence Portal.
Comparison of available Digital Footprint features
Feature | Web interface | API | |
---|---|---|---|
View reports list | | | |
View/download reports | | | |
View threat notification list | | | |
Filter threat notifications and reports by date | | | |
Filter threats by tags and other criteria | | | |
Full-text search for threats and reports | | | |
Export threat notification list | | | |
Download additional threat information | | | |
Assets management | | | |
Notifications about new reports | | | |
Notifications about recent threat notifications | | | |
You can also work with the Digital Footprint Intelligence service by using the Kaspersky Threat Intelligence Portal API.
The Digital Footprint → Dashboard page displays a summary for Digital Footprint Intelligence objects: assets and threat notifications that were found in the organization's infrastructure:
If you do not have any threat notifications about the threats for the selected period, No data found is displayed.
If you do not have any submitted assets, No data found is displayed.
Kaspersky Threat Intelligence Portal allows you to customize assets—objects that contain information associated with your organization's infrastructure. These are used by Kaspersky experts to monitor potential external vulnerabilities concerning your organization and provide notifications about related threats.
You can specify assets with one of the following roles: assets used to include related threats in monitoring results, or assets used to exclude threats that are not relevant to your company from monitoring results. For example, you can exclude the following information by adding assets:
Excluding such a name may be useful if your organization is part of a holding company with a name that is included in names of its subsidiaries.
Specifying assets with different roles allows you to narrow monitoring results.
You can only add assets related to your company for monitoring. Kaspersky Threat Intelligence Portal does not provide information about threats related to other organizations. When validating assets, Kaspersky experts check if the assets are related to your company.
In previous versions of Kaspersky Threat Intelligence Portal, this feature was called "Changing organization's information". As before, users, depending on their license and access rights, can view and change information about the organization, presented as asset sets. Now the possibilities for managing assets have been significantly expanded, and asset categories and statuses have been added for easier management.
Assets can be specified using predefined categories. You can also try adding assets for which the predefined categories are not suitable, using a file. However, in this case, it is not guaranteed that all uncategorized assets will be added successfully.
Information displayed for each asset on the Digital Footprint () → Asset management page is described in the table below.
Asset parameters

| Field | Description |
|---|---|
| Asset | Asset that is used during monitoring. |
| Category | Asset category. Available values: CIDR—Classless Inter-Domain Routing, a subnet range. Company/brand name—Your company or brand name. Domain—Domain or subdomain name. IP (v4/v6)—IP address version 4 (IPv4) or version 6 (IPv6). Email—Email address. You can specify one email address to include threats related to the whole organization domain. Employee name—Organization's employee name. IP range—Range of IP addresses. Keywords—Any word or phrase uniquely related to your company (for example product name, department name, conference name, brand, patent number, etc.). IIN/BIN—IINs or BINs related to your bank (six- or eight-digit code). Account link—Link to an actual and legitimate company account page on a social network (including accounts of top managers). Mobile app link—Link to the actual and legitimate page of the company mobile application (usually in mobile marketplaces). See About asset categories for more information. |
| Status | Asset status. Available values: Pending validation—Asset is in the process of being validated by a Kaspersky expert. Confirmed—Asset is confirmed by a Kaspersky expert. Rejected—Asset is rejected by a Kaspersky expert. |
| Role in monitoring | Indicator showing how the asset is used during monitoring. Available values: Include—Threats related to the asset are included in monitoring results. Exclude—Threats related to the asset are excluded from monitoring results. |
| Status details | Comment on asset status. Available only for assets with Confirmed or Rejected status. |
This section provides a description of asset categories and examples to help you create relevant assets for your company.
Assets that you add must meet the following requirements common to all asset categories:
Asset categories and examples are described in the table below.
Asset categories

| Asset category in web interface | Description | Format | Examples |
|---|---|---|---|
| Domain | Domain names related to your company only. As a result of processing domain assets, after the asset is validated, Kaspersky Threat Intelligence Portal by default also adds subdomains and associated IP addresses to the monitoring scope. | Domain format: | example.com sub.example.org *.example.com |
| IP (v4/v6) | IP addresses used in your company's external network infrastructure. You can specify IP address version 4 (IPv4) or version 6 (IPv6). | IPv4 format: | IPv6: 2001:0db8:85a3:0000:0000:8a2e:0370:7334 |
| CIDR | Subnet ranges (CIDR) registered to your organization or used by your external network infrastructure. | CIDR format: | IPv6: ff06::c3/7 |
| IP range | Ranges of IP addresses registered to your organization or used by your external network infrastructure. | IP range format: | IPv6: 2001:db8::-2001:db9:: |
| Email | Email addresses used by employees. You can specify one email address to include threats related to the whole organization domain. | Email address format: | test@email.com |
| Company/brand name | Keyword or phrase referring to the company, brand name or employees. An asset of this type is used to monitor relevant threats on the dark web. A Kaspersky analyst adds the specified words or phrases to the monitoring scope so as to exclude false positives as much as possible. In addition, you can manually search for keywords on the dark web using Threat Lookup. | Name format: | AO "Company" companyname Slogan Corporate message |
| Employee name | Employee names. Specified names are used to monitor relevant threats on the dark web. Kaspersky Threat Intelligence Portal does not monitor the specified persons themselves, only mentions of them in the context of threats to the company. We therefore recommend adding employees who are mentioned publicly, for example top managers. A Kaspersky analyst adds the specified words or phrases to the monitoring scope so as to exclude false positives as much as possible. In addition, you can manually search for keywords on the dark web using Threat Lookup. Local languages are also allowed. | Name format: | John Smith |
| Keywords | Any word or phrase uniquely related to your company, for example product name, department name, conference name, brand, patent number, etc. All entered words are interpreted as a single monitoring object, not separately. | Keywords format: | Company Annual Conference Conference 2023 |
| IIN/BIN | IINs or BINs related to your bank (six- or eight-digit code). An asset of this type is used to monitor information about leaked customer cards. | IIN/BIN format: | 546789 |
| Legitimate social account links | Link to an actual and legitimate company account page on a social network (including accounts of top managers). | Link format: | https://example.com/page-777107_28406709 |
| Legitimate mobile app links | Link to the actual and legitimate page of the company's mobile application (usually in mobile marketplaces). | Link format: | https://apps.example.com/ru/app/who-calls-caller-id/id1144206312?l=en |
Kaspersky Threat Intelligence Portal allows you to add a new asset using a form. You can also add a set of assets using a file.
To add a new asset:
The Add asset side-bar opens.
For CIDR and IP range categories, specify a range of IP addresses in the network.
By default, the asset is added to include related threats (including role). You can select to exclude related threats for the asset if you do not want to receive notifications about them.
The added asset is sent for validation and appears in the table on the Digital Footprint → Asset management page with Pending validation status.
As soon as Kaspersky experts validate the asset, it is given Confirmed or Rejected status. Confirmed assets are added to monitoring scope with the including or excluding role. Validation of each asset may take up to five business days.
You can change asset role so that related threats are included or excluded from monitoring results, or delete unnecessary assets.
Kaspersky Threat Intelligence Portal allows you to add a set of assets using a file. With this method, you can add assets from different categories in one file or try adding assets for which the predefined categories are not suitable. However, in this case, it is not guaranteed that all uncategorized assets will be added successfully.
This method is available if it is allowed by your organization.
To add a set of assets as a file:
The Submit file with assets side-bar opens.
The file size must not exceed 256 MB.
As soon as Kaspersky experts validate the assets in the file, the assets appear in the All assets table on the Digital Footprint → Asset management page with Confirmed or Rejected status. Confirmed assets are added to monitoring scope. Validation of each asset may take up to five business days.
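The category formats in the asset categories table above and the file-based upload described here can be pre-checked locally before anything is sent for validation. The following added example is not part of Kaspersky Threat Intelligence Portal or its documentation; the one-asset-per-line "category;asset" layout and the format rules are assumptions derived from the table's examples.

```python
"""Local pre-check of a Digital Footprint asset list before it is uploaded.

Added example, not code from Kaspersky Threat Intelligence Portal. Assumed,
undocumented input layout: one "category;asset" pair per line; format rules
are derived from the examples in the asset categories table.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Hostname label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)
_IIN_BIN = re.compile(r"^(?:\d{6}|\d{8})$")  # six- or eight-digit code

def _parses(parser, value: str) -> bool:
    """True when the given ipaddress parser accepts the value."""
    try:
        parser(value)
        return True
    except ValueError:
        return False

def _is_domain(value: str, allow_wildcard: bool) -> bool:
    """Accept example.com, sub.example.org and, if allowed, *.example.com."""
    if allow_wildcard and value.startswith("*."):
        value = value[2:]
    labels = value.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)

def _is_ip_range(value: str) -> bool:
    """Accept 'start-end' with both ends of the same IP version, start <= end."""
    start, sep, end = (part.strip() for part in value.partition("-"))
    if not sep or not all(_parses(ipaddress.ip_address, p) for p in (start, end)):
        return False
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return first.version == last.version and first <= last

def _is_email(value: str) -> bool:
    """Minimal local@domain check; the domain part must itself be valid."""
    local, sep, domain = value.rpartition("@")
    return bool(sep) and bool(local) and " " not in local and _is_domain(domain, False)

def _is_link(value: str) -> bool:
    parts = urlparse(value)  # account and app links: absolute http(s) URL with a host
    return parts.scheme in ("http", "https") and bool(parts.netloc)

# Category names as shown in the web interface, mapped to their format check.
# strict=False for CIDR: the documented example ff06::c3/7 has host bits set.
_CHECKS = {
    "Domain": lambda v: _is_domain(v, allow_wildcard=True),
    "IP (v4/v6)": lambda v: _parses(ipaddress.ip_address, v),
    "CIDR": lambda v: _parses(lambda s: ipaddress.ip_network(s, strict=False), v),
    "IP range": _is_ip_range,
    "Email": _is_email,
    "IIN/BIN": lambda v: bool(_IIN_BIN.match(v)),
    "Account link": _is_link,
    "Mobile app link": _is_link,
    "Company/brand name": lambda v: True,  # free text: non-empty is enough
    "Employee name": lambda v: True,
    "Keywords": lambda v: True,
}

def validate_asset(category: str, value: str) -> tuple[bool, str]:
    """Return (ok, reason) for one asset according to its category."""
    value = value.strip()
    if not value:
        return False, "empty asset"
    check = _CHECKS.get(category)
    if check is None:
        return False, f"unknown category {category!r}"
    return (True, "ok") if check(value) else (False, f"malformed {category} value")

def validate_asset_file(text: str) -> list[tuple[str, str, bool, str]]:
    """Validate each 'category;asset' line; returns (category, asset, ok, reason)."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        category, sep, asset = (part.strip() for part in line.partition(";"))
        if not sep:
            results.append((line, "", False, "missing ';' separator"))
            continue
        results.append((category, asset) + validate_asset(category, asset))
    return results

# Constructed sample: the documentation's example values plus three
# deliberately malformed entries (bad domain, reversed range, 5-digit BIN).
SAMPLE_ASSETS = """\
Domain;example.com
Domain;*.example.com
Domain;bad_domain
IP (v4/v6);2001:0db8:85a3:0000:0000:8a2e:0370:7334
CIDR;ff06::c3/7
IP range;2001:db8::-2001:db9::
IP range;2001:db9::-2001:db8::
Email;test@email.com
IIN/BIN;546789
IIN/BIN;12345
Account link;https://example.com/page-777107_28406709
"""
```

Entries flagged as malformed would otherwise occupy a validation round trip of up to five business days before being rejected by Kaspersky experts.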
Kaspersky Threat Intelligence Portal allows you to change asset role for monitoring so that you only receive notifications about threats that are relevant to your company. You can set asset role to include related threats in monitoring results, or exclude non-relevant threats from monitoring results and not receive notifications about them.
You can edit roles only for confirmed assets (Confirmed status).
To change the role of an asset:
The Edit asset side-bar opens.
The changed asset is displayed in the table on the Digital Footprint → Asset management page with Pending validation status.
As soon as Kaspersky experts validate the changed asset, Confirmed status is granted. Confirmed assets are added to monitoring scope with the including or excluding role. Validation of each asset may take up to five business days.
After you add a new asset or edit an existing asset, it is sent for validation to Kaspersky experts. They check if the asset is specified correctly and is related to your company. Validation of each asset may take up to five business days.
If Kaspersky experts approve the asset, it is given Confirmed status and added for monitoring. For confirmed assets that contain domains, Kaspersky experts can also add subdomains and associated IP addresses for monitoring.
If Kaspersky experts do not approve the asset, it is given Rejected status and not added for monitoring. Kaspersky experts may reject a specified asset because of the following reasons:
Kaspersky Threat Intelligence Portal allows you to delete assets if necessary. You can delete assets regardless of their validation status.
To delete assets:
The deleted asset is removed from the table on the Digital Footprint → Asset management page and is not considered during monitoring.
Kaspersky Threat Intelligence Portal provides notifications about detected threats and vulnerabilities that may reduce the level of protection of your organization.
Threat notifications may include information about compromised credentials, data leakages, vulnerable services on the network perimeter, insider threats, and many other issues. To receive threat notifications, you must add assets first.
Threat notifications are displayed on the Threats tab of the Digital Footprint () page. The Threats section shows the total number of detected threats and their danger level (Critical, High, Medium, Low, Info).
For each threat, the following data is displayed:
Date and time when the threat was detected.
Danger level of the detected threat (Critical, High, Medium, Low, Info).
Category of the threat, for example Vulnerability, Malware, Person, Leakage, Dark web, Ransomware activity, Web vulnerability, Defacement, Compromised resource. Other threat categories may also appear.
Object associated with the detected threat (domain, IP address, keyword).
Threat notification identifier. You can click the item to copy it or open a new tab for a detailed description.
Description of the threat and recommendations on how to mitigate associated risks. You can expand or collapse the description and recommendations for better viewing.
Tags associated with the threat: for example, threat name according to the Kaspersky classification, Common Vulnerabilities and Exposures (CVE), or keywords.
Link to download additional information associated with the vulnerability provided as an encrypted archive, if available. Use the password infected to unpack the archive.
The archive may contain objects that could harm your device or data, if handled improperly. By downloading, you agree that you are informed and accept full responsibility for the handling of downloaded objects contained in the archive. You can only use the downloaded content to increase the level of protection of your devices and systems.
The archive may contain the following:
This section tells you how to search for a specific threat notification.
To search for a specific threat notification:
Kaspersky Threat Intelligence Portal performs a full-text search and displays results on the Threat Lookup () → Digital Footprint page.
Kaspersky Threat Intelligence Portal displays notifications for threats according to specified search criteria.
To view a threat notification detailed description:
The threat notification description opens in a new tab.
At the top of the page, Kaspersky Threat Intelligence Portal provides a description of the threat. Below the description, Kaspersky Threat Intelligence Portal displays the following information about the notification and the detected threat.
Threat notification details

| Field | Description |
|---|---|
| Threat ID | Threat notification identifier. |
| Date | Date and time when the threat was detected. |
| Risk | Danger level of the detected threat (Critical, High, Medium, Low, Info). |
| Category | Category of the threat, for example vulnerability, malware, person, leakage, dark web. Other threat categories may also appear. |
| Object | Object associated with the detected threat (domain, IP address, keyword). |
| Recommendation | Recommendations on how to mitigate risks associated with the threat. |
| Tags | Tags associated with the threat: for example, threat name according to the Kaspersky classification, Common Vulnerabilities and Exposures (CVE), or keywords. |
| Additional information | Link to download additional information associated with the vulnerability provided as an encrypted archive, if available. Use the password infected to unpack the archive. The archive may contain objects that could harm your device or data, if handled improperly. By downloading, you agree that you are informed and accept full responsibility for the handling of downloaded objects contained in the archive. You can only use the downloaded content to increase the level of protection of your devices and systems. The archive may contain the following: |
This section tells you how to export threat notifications.
To export threat notifications,
On the Threats tab of the Digital Footprint () page, click the Export results button.
After applying filters, up to 10,000 threat notifications can be exported.
Kaspersky Threat Intelligence Portal saves results as a .zip archive. Each .zip archive contains a file in the comma-separated values (CSV) format.
Kaspersky Threat Intelligence Portal provides threat intelligence reporting that is specific for your organization.
Digital Footprint Intelligence reports are developed by using open source intelligence (OSINT), deep analysis of Kaspersky's expert systems, and databases.
Digital Footprint Intelligence reports cover the following:
Identification and status analysis of externally available critical components of your network, including ATMs, video surveillance, and other systems using mobile technologies, employee social network profiles and personal email accounts, which are potential targets for attack.
Identification, monitoring, and analysis of any active or inactive malware samples targeting your organization, any past or present botnet activity, and any suspicious network-based activity.
Evidence of threats and botnet activity specifically targeting your customers, partners, and subscribers, whose infected systems could then be used to attack your organization.
Through discreet monitoring of underground online forums and communities, Kaspersky experts discover whether hackers are discussing attack plans with your organization in mind or, for example, if an unscrupulous employee is trading information.
APT attacks can continue undetected for many years. If a current attack affecting your organization's infrastructure is detected, Kaspersky experts provide advice on effective remediation.
For each Digital Footprint Intelligence report, Kaspersky Threat Intelligence Portal displays the following information on the Reports tab of the Digital Footprint () page:
Date when the Digital Footprint Intelligence report was added.
Digital Footprint Intelligence report name. For each Digital Footprint Intelligence report, a brief description is available.
Time interval for which the Digital Footprint Intelligence report was generated (quarter, by default).
Action you can perform on a Digital Footprint Intelligence report (for example, download).
This section tells you how to search for a specific Digital Footprint Intelligence report.
To search for a specific Digital Footprint Intelligence report:
Kaspersky Threat Intelligence Portal performs a full-text search and displays results on the Threat Lookup () → Digital Footprint → Reports page.
Kaspersky Threat Intelligence Portal notifies you about new vulnerabilities and reports from Kaspersky experts, through the web interface, and by email.
Notifications in the web interface
When a new vulnerability or report appears, Kaspersky Threat Intelligence Portal displays the total number of updates in the notification section of the Digital Footprint () page. The number of new vulnerabilities and reports is shown on the corresponding tabs.
A notification is displayed for vulnerabilities or reports that appeared after your last visit to the Digital Footprint page. Notifications are labeled as new for vulnerabilities that appeared within the last seven days, and reports that appeared within the last 14 days.
Email notifications
Kaspersky Threat Intelligence Portal allows you to configure email notifications about new vulnerabilities and reports.
Kaspersky Threat Intelligence Portal supports a multi-tenant architecture that allows you to provide multiple clients with isolated access to Kaspersky TIP services.
Multitenancy mode is intended for clients of AO Kaspersky Lab (for example, Managed Security Service Providers (MSSP) or enterprise companies) who want to monitor information security in several local offices from headquarters.
Tenants are clients of a Kaspersky partner who purchased the multitenancy feature:
Isolated access to Kaspersky Threat Intelligence Portal for tenants is achieved by providing a separate user group for each tenant.
An administrator of a group for which multitenancy mode is enabled can add tenant groups and switch between them.
A tenant manager is a member of a group for which multitenancy mode is enabled. A tenant manager can perform the following:
After you sign in to Kaspersky Threat Intelligence Portal as a member of a group with multitenancy mode enabled, the Digital Footprint () → Tenant Center page becomes available. The Switch tenant option appears in the main menu in the upper-left corner of the page. By default, General is selected.
In the account menu, accessed by clicking the user icon () in the lower-left corner of the page, the following links appear:
The Digital Footprint () → Tenant Center page displays information about all tenant groups in an MSSP group. This dashboard is available when a tenant manager is working in the General group, and there is at least one tenant group associated with the current tenant manager's MSSP group.
You can filter the displayed tenant information for a specific time period by using the date pickers (calendar) or predefined filters (Day, Week, Month or Year). Selecting All time displays all available results (selected by default).
The Threats section displays the total number of threat notifications and their distribution by risk level (Critical, High, Medium, Low, Info) for all tenant groups for the selected period.
The Assets section displays the total number of assets and their distribution by verification status (Confirmed, Pending validation, Rejected) for all tenant groups. Information on the number of assets does not depend on the specified period.
The list of tenant groups contains the following information:
If necessary, in the search field, you can search tenant groups by name.
To create a tenant:
The Tenants tab of the Access control page opens.
The name must have a length of 2 to 64 characters and must not start or end with a space. It may contain uppercase or lowercase Latin letters, numbers, underscore characters, dashes, spaces, and dots.
The description length must not exceed 2048 characters.
Tenant is added. You can switch to this tenant in the main menu or on the Access control → Tenants tab by clicking the required tenant. Also, you can manage user accounts for your tenant.
To edit a tenant:
The Tenants tab of the Access control page opens.
The Edit tenant side-bar opens.
The description length must not exceed 2048 characters.
You can view the current Kaspersky Threat Intelligence Portal service licenses for tenants in your group, as well as the licenses available for purchase.
To view licenses,
Click the user icon () at the bottom of the Kaspersky Threat Intelligence Portal page, and select Licenses → Tenant.
The Tenant licenses page opens. The Current licenses tab displays information about licenses for services that tenant users can work with. The Available licenses tab displays other Kaspersky Threat Intelligence Portal services.
For more details, please refer to the Viewing your current and available licenses section.
To work with tenant data via the API without having an account in the tenant, a tenant manager needs to use a personal API token. For convenience, tenant managers can request personal API tokens on this page, or by switching to the tenant and signing in to the personal account.
To request an API token:
The Tenants tab of the Access control page opens.
Generated API tokens and their expiration dates appear in the table.
As a tenant manager, you can switch between tenants in your group. When you work in the general group, the Tenant center page, which displays information about all your tenants, becomes available. To perform any actions in a certain tenant (for example, to add a new asset), you need to switch to this tenant.
To switch to another tenant:
The Home page of the selected tenant opens. You can work with Kaspersky Threat Intelligence Portal as a user of the selected tenant.
This section explains how you can view and export a list of dangerous IP addresses using the Kaspersky Threat Intelligence Portal web interface. An API method for the APT C&C Tracking service is also available.
APT C&C Tracking Service delivers IP addresses of infrastructure connected to advanced threats. This helps security analysts working in CERTs, National SOCs, and National Security Agencies monitor the deployment of new malware, so that they can take the required measures to mitigate ongoing and upcoming attacks. The service is updated daily with recent findings of the Kaspersky Global Research and Analysis Team, which has a proven track record in discovering APT campaigns across the world. For each IP address, the service provides the name of the APT group, operation, or malware it is associated with, the internet service provider and autonomous system, a collection of associated IP address hosting information, and the dates when it was first and last seen. The IP addresses can be downloaded in a machine-readable format, so you can upload them to existing security solutions to automate detection.
The table below shows a comparison of available APT C&C Tracking features depending on the way you work with Kaspersky Threat Intelligence Portal.
Comparison of available APT C&C Tracking features

| Feature | Web interface | API |
|---|---|---|
| View a list of dangerous IP addresses | | |
| Filter a list of dangerous IP addresses by date | | |
| Filter a list of dangerous IP addresses by country | | |
| Export a list of dangerous IP addresses | | |
To view the APT C&C associated IP addresses,
Open the Active feed page (APT C&C Tracking).
Information about all available IP addresses is displayed.
Information about IP addresses

| Field | Description |
|---|---|
| IP address | Detected IP address. The items are clickable and take you to the Threat Lookup () → Threat Lookup results page, where you can search for information about the IP address. |
| First seen | Date when the IP address was first detected by the Kaspersky experts, according to your computer's local time zone. |
| Last seen | Date when the IP address was last detected by the Kaspersky experts, according to your computer's local time zone. |
| Domain | Domain that resolves to the detected IP address. |
| Country | Country that the detected IP address belongs to. You can filter the displayed list using a filter (). |
| IP address type | Type of the detected IP address (for example, Derived or Organic). |
| Tags | Tags associated with the detected IP address. For certain IP addresses, a brief description is available. |
| Activity periods | The View activity link opens the window where activity periods for the selected IP address are displayed. |
To export information about the APT C&C associated IP addresses:
Information about all available IP addresses is displayed.
IP addresses that belong to the selected country are displayed.
The Save As window opens.
The file in the selected format will be saved to the specified location.
To view the APT C&C associated IP addresses activity:
Information about all activity periods of the IP addresses is displayed.
Activity periods of the IP addresses that belong to the selected country are displayed.
This section explains how you can search for WHOIS information and create rules to track the WHOIS information about domains and IP addresses using Kaspersky Threat Intelligence Portal.
The following procedure tells you how to perform a WHOIS search for a domain.
To perform a WHOIS lookup for a domain:
Required and optional fields will be displayed.
You can use special search characters (such as *, ~, and ^).
Advanced searches can be performed only for ASCII domain names. A search for internationalized domain names (IDNs) may be processed incorrectly.
You can perform different types of searches.
For name servers, the same types of search are possible as for domain names: exact matching, substring matching, and approximate string matching.
Kaspersky Threat Intelligence Portal will display available results.
If more than 1000 results are available, Kaspersky Threat Intelligence Portal will ask you to narrow your search by filling in more fields and/or using date pickers.
This section tells you how to perform a WHOIS search for an IP address.
To perform a WHOIS lookup for an IP address:
Required and optional fields will be displayed.
Use a two-letter country code (ISO 3166-1 alpha-2 standard).
Kaspersky Threat Intelligence Portal will display available results.
If more than 1000 results are available, Kaspersky Threat Intelligence Portal will ask you to narrow your search by filling in more fields and/or using date pickers.
The History table displays WHOIS lookup results for domains and IP addresses.
Request history table

| Field | Description |
|---|---|
| Request | WHOIS lookup request (domain or IP address). |
| Type | Type of the requested object (Domain or IP address). |
| Date | Date and time when the request was created (according to your local time zone). |
| Action | Action you can perform on the corresponding request (repeat the WHOIS lookup search). |
You can search for certain WHOIS lookup request results by entering search criteria in the Search field.
The following procedure tells you how to create a tracking rule for a regular WHOIS search for a domain.
To create a tracking rule for regular WHOIS search for a domain:
Required and optional fields will be displayed.
A rule name must be unique.
In future Kaspersky Threat Intelligence Portal versions, the search interval for rules with high priority may be decreased.
The number of available/all tracking rules is displayed for all Kaspersky Threat Intelligence Portal users in your group.
You can use special search characters (such as *, ~, and ^).
Advanced searches can be performed only for ASCII domain names. A search for internationalized domain names (IDNs) may be processed incorrectly.
You can perform different types of searches.
For name servers, the same types of search are possible as for domain names: exact matching, substring matching, and approximate string matching.
Kaspersky Threat Intelligence Portal will create a tracking rule for a domain.
The following procedure tells you how to create a tracking rule for a regular WHOIS search for an IP address.
To create a tracking rule for a regular WHOIS search for an IP address:
A rule name must be unique.
In future Kaspersky Threat Intelligence Portal versions, the search interval for rules with high priority may be decreased.
The number of available/all tracking rules is displayed for all Kaspersky Threat Intelligence Portal users in your group.
Use a two-letter country code (ISO 3166-1 alpha-2 standard).
Kaspersky Threat Intelligence Portal will create a tracking rule for an IP address.
The Tracking rules table (WHOIS Tracking () → WHOIS Hunting) contains created tracking rules for domains and IP addresses.
Tracking rules table

| Field | Description |
|---|---|
| Rule | Rule name. |
| Type | Type of an object (Domain or IP address) for which the tracking rule is created. |
| Created | Date and time when the tracking rule was created. In the Tracking rules table, your local rule creation time is displayed. In reports, date and time are displayed in Coordinated Universal Time (UTC) format. |
| Priority | Priority of a tracking rule (Normal or High). |
| Notifications | Indicates whether notifications are enabled for the tracking rule. |
| New results | Number of new results for the tracking rule. |
| Actions | Actions you can perform on the tracking rule: |
For each tracking rule, the following information is displayed when you click the View result button.
Tracking rule results for domains

| Field | Description |
|---|---|
| Status | Status of the tracked domain. |
| Request | Domain which is being tracked. |
| Last checked | Date and time when information about the tracked domain was last checked in Kaspersky expert systems. |
| IP count | Number of IP addresses that the tracked domain resolves to. |
| Updated | Date and time when information about the tracked domain was last updated in the registry. |
Tracking rule results for IP addresses

| Field | Description |
|---|---|
| Request | IP address or range which is being tracked. |
| Organization | Name or email address of the organization or person that the IP address belongs to, or net description. The search is word-based and case-insensitive. You can search for a phrase by putting your search terms (the entire string) in quotes. |
| ASN | Autonomous system number. |
| IP count | Number of IP addresses that the domain resolves to. |
| Domain count | Number of domains which resolve to the tracked IP address. |
| Last checked | Date and time when information about the tracked IP address was last checked in Kaspersky expert systems. |
| Updated | Date and time when information about the tracked IP address was last updated in the registry. |
You can use special search characters (such as *, ~, and ^) for WHOIS lookup and WHOIS hunting.
Exact matching
Searching for the exact domain or name server.
Substring searching
Searching for domain names that contain the specified string.
For the search to be interpreted as a substring search, use the asterisk (*) as a placeholder for one or more characters.
Approximate string matching (also called fuzzy string searching)
Searching for domain names that approximately match the required domain name.
For the search to be interpreted as fuzzy, add the tilde (~) after the domain name. The result will contain WHOIS lookup results for domain names that differ from the requested name when transposing, deleting, or adding several characters.
Fuzzy searches cannot be used together with other types of search. For example, the request *examp~ will not be processed correctly.
You can also perform the following types of search:
Phrase
Search for strings that contain a phrase, enclosed in quotation marks, in your search terms (the entire string).
Set of words
Search for a set of words in arbitrary order.
Strings starting from a word
Search for strings that begin with a specific word. Insert a caret (^) before the search term.
Strings starting from a phrase
Search for strings that begin with a specific phrase. Insert a caret (^) before the search term.
Strings ending with a word
Search for strings that end with a specific word. Add a dollar sign ($) after the search term.
Strings ending with a phrase
Search for strings that end with a specific phrase. Add a dollar sign ($) after the search term.
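The operator rules above, modelled as an added example that is not part of Kaspersky's documentation or code: a small interpreter that classifies a search string by its operators and applies it to sample strings. The fuzzy edit-distance threshold is an assumption, since the portal does not state one.

```python
"""Interpret the WHOIS search operators (*, ~, ^, $, quotes) described above.

Added example, not Kaspersky's code. Only the operator semantics come from
the documentation; FUZZY_MAX_EDITS is an assumption."""

import re

FUZZY_MAX_EDITS = 2  # assumption: the portal does not document its threshold


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute and
    transpose, the edits the fuzzy search description mentions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def parse_query(query: str) -> dict:
    """Return {"type": ..., "term": ...} for a raw search string.

    Raises ValueError for the documented unsupported combination of the
    fuzzy operator with any other search type (for example "*examp~").
    """
    q = query.strip()
    if not q:
        raise ValueError("empty query")
    if q.endswith("~"):
        term = q[:-1]
        if any(c in term for c in '*^$" '):
            raise ValueError(f"fuzzy search cannot be combined with other search types: {q}")
        return {"type": "fuzzy", "term": term}
    anchor_start = q.startswith("^")
    anchor_end = q.endswith("$")
    body = q[1 if anchor_start else 0:len(q) - (1 if anchor_end else 0)]
    quoted = len(body) >= 2 and body[0] == '"' and body[-1] == '"'
    if quoted:
        body = body[1:-1]
    unit = "phrase" if quoted else "word"
    if anchor_start:
        return {"type": f"starts with {unit}", "term": body}
    if anchor_end:
        return {"type": f"ends with {unit}", "term": body}
    if quoted:
        return {"type": "phrase", "term": body}
    if "*" in body:
        return {"type": "substring", "term": body}
    if " " in body:
        return {"type": "set of words", "term": body}
    return {"type": "exact", "term": body}


def matches(query: str, candidate: str) -> bool:
    """Apply the parsed query to one candidate string, case-insensitively and
    word-based, as the documentation describes the search."""
    spec = parse_query(query)
    kind, term = spec["type"], spec["term"].lower()
    text = candidate.lower()
    if kind == "fuzzy":
        return edit_distance(term, text) <= FUZZY_MAX_EDITS
    if kind == "exact":
        return text == term
    if kind == "substring":
        # the asterisk stands for one or more characters
        pattern = ".+".join(re.escape(part) for part in term.split("*"))
        return re.fullmatch(pattern, text) is not None
    if kind == "set of words":
        words = set(text.split())
        return all(w in words for w in term.split())
    if kind == "phrase":
        return re.search(r"(?<!\S)" + re.escape(term) + r"(?!\S)", text) is not None
    if kind.startswith("starts"):
        return re.match(re.escape(term) + r"(?!\S)", text) is not None
    return re.search(r"(?<!\S)" + re.escape(term) + r"$", text) is not None


if __name__ == "__main__":
    # constructed sample strings, not real WHOIS data
    for query in ("example.com", "*ample.com", "exmaple.com~", '^"acme corp"', "corp$"):
        print(query, parse_query(query), matches(query, "acme corp"))
```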
Kaspersky offers continuously updated Threat Intelligence Data Feeds to inform your business or clients about cybersecurity risks, in a format suitable for automated processing. These continuous updates of Data Feeds help you obtain up-to-date information about cyberthreats and make timely decisions about protecting against them.
Kaspersky Threat Intelligence Portal allows you to view and download data feeds, supplementary tools, SIEM connectors, delivery protocols, and additional documents on the Threat Data Feeds page.
Detailed information about data feeds, tools, and documents is available in the Kaspersky Threat Intelligence Portal web interface. You can download required items from the web interface or by using an external link.
You can also obtain Threat Data Feeds by using the Kaspersky Threat Intelligence Portal API.
The Data Feeds section lists data sources and links that you can use to download Threat Data Feeds. Depending on your license, you can download a feed in one of the following versions:
For each Threat Data Feed, tags describing the intended use of the feed are displayed: Detection, Prevention, and Investigation.
The list also contains Threat Data Feeds marked with the META label. META feeds are region-specific versions of the regular feeds in JSON format. These feeds provide the best coverage for threats observed in META region, while regular feeds focus on worldwide coverage. We recommend that you use META feeds when network traffic is limited by META region.
For each Threat Data Feed, the number of records and update frequency are displayed.
You can click the required Threat Data Feed to view its JSON structure and elements description. In the window that opens, you can also click the Download ZIP archive button to download the selected Threat Data Feed.
The Related Materials section lists additional documents related to data feeds.
The Incident Response Tools section lists Incident Response Guide and tools developed by Kaspersky and other companies to help protect your computers.
The Supplementary Tools section lists utilities for working with downloaded Threat Data Feeds. The versions and file names of tools that can be downloaded in Kaspersky Threat Intelligence Portal web interface are displayed.
The SIEM Connectors section lists connectors to SIEM systems for working with downloaded Threat Data Feeds. The versions and file names of SIEM connectors that can be downloaded in Kaspersky Threat Intelligence Portal web interface are displayed. Related documentation is available inside the corresponding distribution archive. For assistance with Connector for IBM® QRadar®, built-in Help is available.
The Threat Intelligence Platform Connectors section lists connectors to Kaspersky solutions for working with Kaspersky Threat Intelligence Portal API.
The SOAR Connectors section lists connectors to SOAR solutions for working with Kaspersky Threat Intelligence Portal API.
The Event Broker Connectors section lists connectors to popular Event Brokers for working with Kaspersky CyberTrace.
The Observability Pipelines Connectors section lists connectors to popular Observability Pipelines for working with Kaspersky CyberTrace.
The Intrusion Prevention System Connectors section lists connectors to Intrusion Prevention Systems for working with downloaded Threat Data Feeds.
The Management Center Connectors section lists connectors to Management Centers for working with downloaded Threat Data Feeds.
The Delivery protocols section contains a list of Kaspersky delivery protocols that can be used to download Data Feeds and indicators of compromise (IOC).
Implementation guide describes Kaspersky Threat Intelligence Data Feeds and their usage.
The guide also explains how feed updates are delivered, depending on the format of Data Feeds, and how to integrate with SIEM systems.
Kaspersky Threat Intelligence Data Feeds implementation guide is available in English and Russian languages.
This section explains how to manage your employees' accounts.
Account management is available only for Kaspersky Threat Intelligence Portal users with group administrator privileges, including tenant group managers.
There are three account access types:
You can view, create, edit, and delete accounts. Also, the account history is available.
You can register as the first administrator for your group. The administrator has all group account management privileges including creating user accounts and defining user roles.
The link to the web registration is provided by your dedicated Kaspersky Technical Account Manager through a PGP-encrypted email or in a password-protected .zip archive. In this case, the archive and password are provided by separate secure channels (for example, the archive is sent by email and its password by SMS message).
To register as the first administrator of your group:
The administrator name must contain Latin letters, numbers, and an underscore. The maximum length is 12 characters.
The login name is case-sensitive and may contain uppercase and lowercase Latin letters, numbers, an underscore, and a minus sign. The length of this name must be between 2 and 64 characters.
The password must contain uppercase and lowercase letters, numbers, and special characters. In addition, the use of other character types is also allowed. The password length must be between 15 and 64 characters.
The password-protected container with the certificate automatically downloads to your computer.
After you import the certificate, your registration as the group administrator is completed and you can start administering user accounts for your group on Kaspersky Threat Intelligence Portal.
The following procedure shows you how to view a list of accounts for your group.
To view your group's accounts,
Click the user icon at the bottom of the Kaspersky Threat Intelligence Portal page, and select one of the following in the Access control section:
The Accounts tab of the Access control page opens.
The Access control page opens.
The information for the group's accounts is described in the table below.
Accounts management
Table field |
Description |
---|---|
User name |
User name to sign in to Kaspersky Threat Intelligence Portal. |
State |
State of the user's account. You can change the account's state in this table, without editing its settings. Enabled—User can work with Kaspersky Threat Intelligence Portal. Disabled—User does not have access to Kaspersky Threat Intelligence Portal. |
Full name |
User's first and last name. |
Role |
User's role: Admin—User with administrator privileges to manage user accounts. Each group can have several administrators. User—User who works with Kaspersky Threat Intelligence Portal services according to permissions and licenses available for the group. |
Type |
Type of access to Kaspersky Threat Intelligence Portal: FULL—User works with Kaspersky Threat Intelligence Portal both online and with API. WEB—User works with Kaspersky Threat Intelligence Portal only online. API—User works with Kaspersky Threat Intelligence Portal only using the API. |
Access control |
Second two-factor authentication method: Certificate—Certificate provided by Kaspersky is used to sign in. TOTP login—One-time password is used to sign in. |
Actions |
The Generate QR code button allows the administrators to generate and download a QR code for accounts with a one-time password as the second two-factor authentication method. |
You can sort items in the table by any column, except Actions.
Also, you can view detailed information for specific accounts.
To view a specific account:
Matching results will be displayed, with the list automatically updating as you type.
The side-bar containing the user's information opens.
The following procedure tells you how to add a new account.
To add an account:
The Accounts tab of the Access control page opens.
The Access control page opens.
The Add account side-bar opens.
The Access control field is not available for editing.
The password must contain uppercase and lowercase letters, numbers, and special characters. In addition, the use of other character types is also allowed. The password length must be between 15 and 64 characters.
The following procedure tells you how to view detailed information for a specific account.
To view account information:
The Accounts tab of the Access control page opens.
The Access control page opens.
The side-bar containing the user's information opens.
This field cannot be edited. To change the user name, you have to create a new account.
The Role field is not available for editing.
The Access control field is not available for editing.
The password must be 8 to 64 characters long. Leaving these fields empty keeps the existing user password.
This tab displays Kaspersky Threat Intelligence Portal services and features that are available for your organization.
The Save button is not available on the Change history tab.
For users with a one-time password specified as the second two-factor authentication method, you must generate and provide a QR code so the user can sign in to Kaspersky Threat Intelligence Portal.
To provide a QR code to a user:
The TOTP QR code window, which displays the generated QR code, opens.
The <user login>.png file is downloaded.
The following procedure tells you how to view actions performed on an account (history).
To view account history:
The Accounts tab of the Access control page opens.
The Access control page opens.
The side-bar containing the user's information opens.
The following procedure tells you how to delete an account.
To delete an account:
The Accounts tab of the Access control page opens.
The Access control page opens.
The following procedure shows how to configure email notifications that Kaspersky Threat Intelligence Portal sends when certain events occur.
For APT Intelligence, Crimeware Threat Intelligence, and Industrial Threat Intelligence reports, personal customization is available. Kaspersky Threat Intelligence Portal will send notifications only for reports that match the options you specified.
The list of notification events depends on the licenses your organization has purchased. The License expiration check box is available only for Admin accounts.
To configure email notifications:
The Notifications page opens.
If you select the License expiration check box, email notifications will be sent 90, 60, 30, and 7 days before a license expires.
The options in each section are provided in alphabetical order.
If necessary, click the Select all or Clear all button to select or clear all check boxes.
You can also use the search field to find an option and click the Add button to select it.
The number of selected options is displayed in the corresponding tabs. Click Show all / Show less to view the full or collapsed option list.
The side-bar closes automatically.
By selecting any of the check boxes, specifying your email address, and clicking the Save button, you agree to receive automatic email notifications from Kaspersky Threat Intelligence Portal about selected events. Your user name (login), full name, and email address will be processed in accordance with our Privacy Policy. You can cancel email notifications and your email address storage at any time.
The email notifications settings are saved. You can configure or disable email notifications at any time.
The following procedure shows how to change your password for Kaspersky Threat Intelligence Portal.
To change a password for Kaspersky Threat Intelligence Portal:
The Account page opens.
The password must be 8 to 64 characters in length and should not be the same as the previous one.
By using the feedback form, you can send your comments and suggestions about services and our website to the Kaspersky Threat Intelligence Portal team.
To send your feedback about Kaspersky Threat Intelligence Portal:
The Feedback form window opens.
The feedback length is limited to 2000 characters.
The comment field must have a comment and must not have only spaces entered. Otherwise, this button is unavailable.
If you need more information about Kaspersky Threat Intelligence Portal services, want to purchase a license for services, or apply for more APT Intelligence reports or Crimeware Threat Intelligence reports formats available for downloading, you can click the support request icon in the menu. A new message window in your mail client opens.
If you need more information about Kaspersky Threat Intelligence Portal services, want to purchase a license for services, or apply for more APT Intelligence reports or Crimeware Threat Intelligence reports formats available for downloading, you can apply for support.
To request support:
Click the request support icon in the menu.
A new message window in your mail client opens.
Also, you can purchase or renew the licenses at the Licenses page.
This section explains how to use Kaspersky Threat Intelligence Portal API.
OpenAPI specification
Digital Footprint Intelligence
You must convert the certificate received from your dedicated Kaspersky Technical Account Manager to PEM format before working with Kaspersky Threat Intelligence Portal API.
It is recommended that you use the OpenSSL toolkit to convert your certificate to PEM format.
To convert your certificate to PEM format in Windows,
Type the following string at the command prompt:
openssl.exe pkcs12 -in <certificate name>.pfx -clcerts -out ktl_lookup.pem -nodes
To convert your certificate to PEM format in Linux,
Execute the following command:
openssl pkcs12 -in <certificate name>.pfx -clcerts -out ktl_lookup.pem -nodes
Argument | Description
---|---
<certificate name>.pfx | Name of your certificate.
ktl_lookup.pem | Name of your certificate in PEM format.
Your ktl_lookup.pem certificate must be stored in the same directory where you store the ktl_lookup utility.
If you receive the error "(60) SSL certificate problem: unable to get local issuer certificate", do the following:
--cacert [certificate file name]
You can use the Threat Lookup API, Digital Footprint Intelligence API, and Data Feeds API without a certificate if it is allowed by the organization. In this case, the API token is required.
Only users with the Full account type can request an API token by using Kaspersky Threat Intelligence Portal web interface. If the type of account is later changed to API, you can continue using the requested valid API token.
To obtain an API token, you must sign in to Kaspersky Threat Intelligence Portal via your browser, and then request an API token. You can also view and copy your API token.
The generated API token is used as the authorization parameter when you run requests using the Kaspersky Threat Intelligence Portal API.
The maximum API token validity period is one year.
To request an API token:
The Account page opens.
The validity period for the API token cannot be changed after it is generated. You can only request another API token, and then specify a new required date. If you request a new API token, the previous one is deleted.
The generated API token appears in the text field. You can view your API token at any time on the Account page.
Information about the API token's validity period is displayed below the text field. A warning is displayed if there is less than one week left until the API token expires.
If necessary, you can copy the API token by clicking on the text field or the Copied to clipboard icon.
This section explains how to request reports by using Kaspersky Threat Intelligence Portal API.
Before working with the Kaspersky Threat Intelligence Portal API, you must accept the Terms and Conditions online in your browser at https://tip.kaspersky.com.
The main purpose of the API is to give automated access for retrieving data from Kaspersky Threat Intelligence Portal. More precisely, the API is used to export reports for further integration using other external services. This documentation is valid for Kaspersky Threat Intelligence Portal API version 1.0.
To request reports by using Kaspersky Threat Intelligence Portal API:
Obtaining certificate, user name, and password
A certificate, user name, and password are required to work with Kaspersky Threat Intelligence Portal.
You must obtain a certificate, user name, and password from Kaspersky. The user name and password are used to refer to the service through Kaspersky Threat Intelligence Portal API.
Converting certificate to PEM format
You must convert the certificate received from your dedicated Kaspersky Technical Account Manager to PEM format before working with Kaspersky Threat Intelligence Portal API.
API Location
Unless otherwise instructed, you will access Kaspersky Threat Intelligence Portal API at the following location:
https://tip.kaspersky.com/api/publications/<endpoint>
Authentication
Access to the API is obtained by two authentication methods:
Authentication error message
For invalid user login details, the server will return a 401 Unauthorized HTTP error message.
Request examples:
Successful authentication:
Invalid authentication:
Endpoint return data
Each endpoint will return a JSON encoded array that has three entries: status, status_msg, and return_data.
The status entry can be ok or error. The status_msg entry will describe the error string (a text part according to section 10 of RFC 2616) in case status is not ok. The return_data entry will be documented accordingly by each endpoint.
Methods
APT and Crimeware Threat Intelligence reporting API methods
Method | Description
---|---
publications/get_list | Obtains the list of reports published on Kaspersky Threat Intelligence Portal.
publications/get_one | Obtains specific information for a publication.
publications/get_master_ioc | Obtains a Master IOC file that contains indicators of compromise in CSV file format.
publications/get_master_yara | Obtains a Master YARA file.
The publications/get_list endpoint is used to display the list of reports published on Kaspersky Threat Intelligence Portal between date_start and date_end (optionally). The publications will be returned based on the type (access) of the API caller. By default, if date_start and date_end are not specified, the API lists all reports.
Request
Request method: POST
Endpoint: https://tip.kaspersky.com/api/publications/get_list
Query parameters:
Expected parameters
Parameter |
Description |
---|---|
date_start |
Include only reports that were published starting from and including the specified date onwards. Optional parameter. Default value: |
date_end |
Include only reports that were published only until and including the specified date. Optional parameter. Default value: |
The date_start and date_end parameters must be specified in the UNIX™ time stamp system (the number of seconds that have elapsed since 00:00:00 (UTC), 1 January 1970). You can convert the date into UNIX format at www.epochconverter.com.
If these parameters are not specified, Kaspersky Threat Intelligence Portal API returns a list of all reports.
Request examples:
Get all publications:
Get publications within a specific timeframe:
Responses
Click the links below for information about possible responses.
451 Unavailable For Legal Reasons
The publications/get_one endpoint is used to display specific information for a publication, identified by publication_id. For each publication, a set of reports can be requested, such as: PDF report, summary report, YARA Rules, IOCs, Suricata rules. If the request is successful, the requested publication ID will be returned, along with the publication metadata and the reports to which the API user has access. For example, if publication ID 1337 is requested with the following reports: PDF, Summary, YARA & IOCs, but the API user has access only to YARA Rules, it will receive only the rules and nothing else. The request will have status ok.
Request
Request method: POST
Endpoint: https://tip.kaspersky.com/api/publications/get_one
Query parameters:
Expected parameters
Parameter |
Description |
---|---|
publication_id |
Report ID: the |
include_info |
List of the optional parameters separated by comma: |
lang |
Language for a report or an executive summary. The value can be one of the following: |
Request examples:
Get specific information about publication ID
Get specific information about publication ID
Responses
Click the links below for information about possible responses.
451 Unavailable For Legal Reasons
The publications/get_master_ioc
endpoint is used to
display a Master IOC file, that contains indicators of compromise in CSV file format.
Request
Request method: POST
Endpoint: https://tip.kaspersky.com/api/publications/get_master_ioc
Query parameters:
Expected parameters
Parameter |
Description |
---|---|
report_group |
Report group. Required parameter. Available values: |
Request example:
Responses
Click the links below for information about possible responses.
451 Unavailable For Legal Reasons
The publications/get_master_yara
endpoint is used to
display a Master YARA file. Results are provided in base64 gzip format, and must be decoded.
Request
Request method: POST
Endpoint: https://tip.kaspersky.com/api/publications/get_master_yara
Query parameters:
Expected parameters
Parameter |
Description |
---|---|
report_group |
Report group. Required parameter. Available values: |
Request example: Request a Master YARA file for APT Intelligence reports:
Responses
Click the links below for information about possible responses.
451 Unavailable For Legal Reasons
This section describes how you can request reports in different formats using the cURL utility.
To get a list of all available reports, execute:
curl -u <user name> -H 'Content-Length: 0' --cert <full path to the certificate on your computer> -X POST 'https://tip.kaspersky.com/api/publications/get_list'
To get a list of all available reports within a specific time frame, execute:
curl -u <user name> -H 'Content-Length: 0' --cert <full path to the certificate on your computer> -X POST 'https://tip.kaspersky.com/api/publications/get_list?date_start=1490628942&date_end=1490628942'
You can convert the date into UNIX format at www.epochconverter.com.
To request a certain report, execute:
curl -u <user name> -H 'Content-Length: 0' --cert <full path to the certificate on your computer> -X POST 'https://tip.kaspersky.com/api/publications/get_one?publication_id=1166'
To request a report in a PDF format, execute:
curl -u <user name> -H 'Content-Length: 0' --cert <full path to the certificate on your computer> -X POST 'https://tip.kaspersky.com/api/publications/get_one?publication_id=627&include_info=pdf,execsum'
If an invalid include_info
value is used to get specific information about the report, an
incorrect value will be ignored.
Using an invalid include_info value to get specific information about the report:
curl -u <user name> -H 'Content-Length: 0' --cert <full path to the certificate on your computer> -X POST 'https://tip.kaspersky.com/api/publications/get_one?publication_id=627&include_info=pdf,<invalid_value>'
To request a Master IOC, execute:
curl -u <user name> -H 'Content-Length: 0' --cert <full path to the certificate on your computer> -X POST 'https://tip.kaspersky.com/api/publications/get_master_ioc'
To request a Master YARA, execute:
curl -u <user name> -H 'Content-Length: 0' --cert <full path to the certificate on your computer> -X POST 'https://tip.kaspersky.com/api/publications/get_master_yara'
To request an executive summary, execute:
curl -u <user name> -H 'Content-Length: 0' --cert <full path to the certificate on your computer> -X POST 'https://tip.kaspersky.com/api/publications/get_one?publication_id=1187&include_info=execsum'
To request a report in all available formats, execute:
curl -u <user name> -H 'Content-Length: 0' --cert <full path to the certificate on your computer> -X POST 'https://tip.kaspersky.com/api/publications/get_one?publication_id=627&include_info=all'
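The same requests as the cURL commands above, written as an added Python example that is not Kaspersky's own code or client: it converts dates to the UNIX timestamps date_start and date_end expect, builds the endpoint URLs, unwraps the status / status_msg / return_data envelope documented under "Endpoint return data", and decodes the base64 gzip Master YARA result. The sample response bodies are constructed for offline use; only the call function performs network I/O.

```python
"""Helpers for the publications endpoints described above.

Added example, not Kaspersky's code. The envelope shape, parameter names and
the base64 gzip encoding of get_master_yara come from the documentation; the
sample bodies below are constructed, not real API output."""

from __future__ import annotations

import base64
import gzip
import json
import ssl
import urllib.parse
import urllib.request
from datetime import datetime, timezone

BASE_URL = "https://tip.kaspersky.com/api/publications/"


class ApiError(RuntimeError):
    """Raised when the envelope status is not "ok" or the body is malformed."""


def to_unix(iso_timestamp: str) -> int:
    """Convert an ISO 8601 date/time to the UNIX timestamp that date_start and
    date_end expect. A value without a timezone is taken as UTC."""
    dt = datetime.fromisoformat(iso_timestamp)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def build_url(endpoint: str, **params) -> str:
    """Append the non-empty query parameters to the endpoint URL; commas in
    include_info stay unencoded, as in the curl examples."""
    query = {k: v for k, v in params.items() if v is not None}
    url = BASE_URL + endpoint
    if query:
        url += "?" + urllib.parse.urlencode(query, safe=",")
    return url


def parse_envelope(body: bytes | str):
    """Unwrap the documented envelope: return return_data when status is
    "ok", otherwise raise ApiError carrying status_msg."""
    doc = json.loads(body)
    if not isinstance(doc, dict) or "status" not in doc:
        raise ApiError("malformed response: no status entry")
    if doc["status"] != "ok":
        raise ApiError(f"{doc['status']}: {doc.get('status_msg', '')}")
    return doc.get("return_data")


def decode_master_yara(return_data: str) -> str:
    """get_master_yara returns base64-encoded gzip data; decode it to rule text."""
    return gzip.decompress(base64.b64decode(return_data)).decode("utf-8")


def encode_master_yara(rules: str) -> str:
    """Inverse of decode_master_yara, used here only to construct a sample body."""
    return base64.b64encode(gzip.compress(rules.encode("utf-8"))).decode("ascii")


def call(endpoint: str, user: str, password: str, cert_pem: str,
         cacert: str | None = None, **params):
    """POST with HTTP basic auth and the PEM client certificate, mirroring the
    curl examples (-u, --cert); cacert plays the role of --cacert. Network I/O."""
    ctx = ssl.create_default_context(cafile=cacert)
    ctx.load_cert_chain(cert_pem)
    # data=b"" sends an empty body with Content-Length: 0, like the curl examples
    req = urllib.request.Request(build_url(endpoint, **params), data=b"", method="POST")
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_envelope(resp.read())


# Constructed sample bodies in the documented envelope shape (not real API output).
SAMPLE_RULES = "rule sample_added_example { condition: false }"
SAMPLE_OK = json.dumps({"status": "ok", "status_msg": "",
                        "return_data": encode_master_yara(SAMPLE_RULES)})
SAMPLE_ERROR = json.dumps({"status": "error", "status_msg": "Unauthorized",
                           "return_data": None})

if __name__ == "__main__":
    print(build_url("get_list", date_start=to_unix("2017-03-27T15:35:42")))
    print(build_url("get_one", publication_id=627, include_info="pdf,execsum"))
    print(decode_master_yara(parse_envelope(SAMPLE_OK)))
    try:
        parse_envelope(SAMPLE_ERROR)
    except ApiError as exc:
        print("error envelope:", exc)
```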
This section explains how to obtain available APT and Crimeware actor profiles by using the Kaspersky Threat Intelligence Portal API methods.
Before working with the Kaspersky Threat Intelligence Portal API, you must accept the Terms and Conditions online in your browser at https://tip.kaspersky.com.
Actor profile API methods
Method | Description
---|---
actor_profiles/get_list | Obtains the list of actor profiles that are available for you according to your Kaspersky Threat Intelligence Portal license.
actor_profiles/get_one | Obtains specific information for an actor.
The actor_profiles/get_list endpoint is used to display the list of actor profiles that are available for you according to your Kaspersky Threat Intelligence Portal license.
Request
Request method: POST
Endpoint: https://tip.kaspersky.com/api/actor_profiles/get_list
Query parameter:
Expected parameter
Parameter |
Description |
---|---|
actor_group |
Group of actors, the list of which you want to obtain. Optional parameter. If this parameter is not specified, a list of profiles for both APT and Crimeware related actors is returned. Available values: |
Request example: Get a list of actor profiles:
Responses
Click the links below for information about possible responses.
451 Unavailable For Legal Reasons
The actor_profiles/get_one endpoint is used to display specific information for an actor, identified by id.
Request
Request method: POST
Endpoint: https://tip.kaspersky.com/api/actor_profiles/get_one
Query parameters:
Expected parameters
Parameter |
Description |
---|---|
id |
Actor's ID: the |
Request example: Get a specific actor profile:
Responses
Click the links below for information about possible responses.
451 Unavailable For Legal Reasons
This section explains how to request a list of dangerous IP addresses by using the Kaspersky Threat Intelligence Portal API.
Before working with the Kaspersky Threat Intelligence Portal API, you must accept the Terms and Conditions online in your browser at https://tip.kaspersky.com.
To work with C&C Tracking by using the Kaspersky Threat Intelligence Portal API:
api/apt_cnc/{country} method described below.
Request
Request method: GET
Endpoint: https://tip.kaspersky.com/api/apt_cnc/{country}
Query parameters:
Expected parameters
Parameter |
Description |
---|---|
country |
The two-letter code of a country you want to receive a feed for. Required parameter. Available values: the two-letter country code (lowercase). |
Request example: Get a list of dangerous IP addresses:
Responses
Click the links below for information about possible responses.
451 Unavailable For Legal Reasons
This section explains how to request Industrial Threat Intelligence reports by using the Kaspersky Threat Intelligence Portal API methods.
Before working with the Kaspersky Threat Intelligence Portal API, you must accept the Terms and Conditions online in your browser at https://tip.kaspersky.com.
Industrial Threat Intelligence reporting API methods
Method | Description
---|---
ics/get_list | Obtains the list of Industrial Threat Intelligence reports published on Kaspersky Threat Intelligence Portal.
ics/get_one | Obtains specific information for an Industrial Threat Intelligence report.
ics/get_master_ioc | Obtains a Master IOC file that contains indicators of compromise, which are reported in the CSV file format.
ics/get_master_yara | Obtains a Master YARA file.
The ics/get_list endpoint is used to display the list of Industrial Threat Intelligence reports published on Kaspersky Threat Intelligence Portal.
Request
Request method: POST
Endpoint: https://tip.kaspersky.com/api/ics/get_list
Query parameters:
Expected parameters
Parameter |
Description |
---|---|
date_start |
Optional parameter. Includes only Industrial Threat Intelligence reports that were published starting from and including the specified date onwards. The default value is |
date_end |
Optional parameter. Includes only Industrial Threat Intelligence reports that were published only until and including the specified date. The default value is |
The date_start and date_end parameters must be specified in the UNIX time stamp system (the number of seconds that have elapsed since 00:00:00 (UTC), 1 January 1970). If these parameters are not specified, the Kaspersky Threat Intelligence Portal API returns a list of all Industrial Threat Intelligence reports.
Request example: Get a list of Industrial reports:
Responses
Click the links below for information about possible responses.
451 Unavailable For Legal Reasons
The ics/get_one endpoint is used to display specific information for an Industrial Threat Intelligence report, identified by publication_id.
Request
Request method: POST
Endpoint: https://tip.kaspersky.com/api/ics/get_one
Query parameters:
Expected parameters
Parameter |
Description |
---|---|
publication_id |
Industrial Threat Intelligence report ID: the |
include_info |
List of the optional parameters separated by comma: |
lang |
Language for an Industrial Threat Intelligence report. The value can be one of the following: |
Request example: Retrieve the executive summary and the PDF report for the specific Industrial report:
Responses
Click the links below for information about possible responses.
451 Unavailable For Legal Reasons
The ics/get_master_ioc endpoint is used to display a Master IOC file that contains indicators of compromise, which are reported in the CSV file format.
Request
Request method: POST
Endpoint: https://tip.kaspersky.com/api/ics/get_master_ioc
Query parameters: The endpoint does not expect any parameters.
Request example: Request a Master IOC:
Responses
Click the links below for information about possible responses.
451 Unavailable For Legal Reasons
The ics/get_master_yara endpoint is used to display a Master YARA file. Results are provided in the base64 gzip format and must be decoded.
Request
Request method: POST
Endpoint: https://tip.kaspersky.com/api/ics/get_master_yara
Query parameters: The endpoint does not expect any parameters.
Request example: Request a Master YARA for APT Intelligence reports:
Responses
Click the links below for information about possible responses.
451 Unavailable For Legal Reasons
You can investigate objects by using the Kaspersky Threat Intelligence Portal API methods.
Endpoints, required parameters, responses, and usage examples are described in the OpenAPI documentation.
You can use the Threat Lookup API without a certificate, by using an API token if it is allowed by your organization.
Before working with the Kaspersky Threat Intelligence Portal API, you must accept the Terms and Conditions online in your browser at https://tip.kaspersky.com.
To run a request by using Kaspersky Threat Intelligence Portal API:
https://tip.kaspersky.com/api/<request type>/<request>?count=<records count>[&sections=<sections names>][&format=<result format>]
Here:
<request type>—Type of object that you want to investigate. Available values:
hash—Specify this value to investigate a hash.
ip—Specify this value to investigate an IP address. If you want an IP address to be processed as a web address, add the http:// or https:// prefix to the IP address in your request. For example, 104.132.161.0 is processed as an IP address, and http://104.132.161.0 is processed as a web address.
domain—Specify this value to investigate a domain.
url—Specify this value to investigate a web address. Use percent-encoding (URL encoding) to convert certain characters into a valid ASCII format.
<request>—Object that you want to investigate. For a web address, its length is limited to a maximum of 2000 characters. If the requested web address length exceeds the limit, an HTTP error 414 (URI Too Long) is returned.
<records count>—Maximum number of records in each data group to display. If this parameter is not specified, up to 1000 records will be displayed. This restriction does not apply to the DetectionsInfo and FileParentCertificates groups. For these groups, all records are displayed regardless of the number of records.
<sections names>—Sections that you want to process for the requested object. Use the comma to specify several sections. If the parameter is not specified, all sections will be processed.
For faster request processing, we recommend that, in the <sections names> field, you specify only the required sections you want to receive and, in the <records count> field, you specify the number of entries you want to receive.
Use the question mark (?) to separate the first parameter from the request. Use the ampersand (&) to separate parameters from each other. The parameters can be specified in any order.
Dates in all sections are displayed in Coordinated Universal Time (UTC) format.
<result format>—Investigation result format. This is an optional parameter. Available values:
json—Investigation results are returned in JSON format.
stix—Investigation results are returned in STIX format. If this value is specified, the <records count> and <sections names> parameters are ignored: data from all groups is returned.
If the <result format> parameter is not specified, investigation results are returned in JSON format.
For detailed information about investigation results, see related sections: hashes, IP addresses, domains, and web addresses.
View usage examples in the OpenAPI specification
The table below contains characters that must be percent-encoded if you investigate a web address using the Kaspersky Threat Intelligence Portal API.
Characters to be percent-encoded
Character | Percent-encoded character |
---|---|
space | %20 |
! | %21 |
$ | %24 |
& | %26 |
' | %27 |
( | %28 |
) | %29 |
* | %2A |
+ | %2B |
, | %2C |
; | %3B |
= | %3D |
: | %3A |
/ | %2F |
? | %3F |
# | %23 |
[ | %5B |
] | %5D |
@ | %40 |
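Building a Threat Lookup request URL that follows the format above, as an added example that is not part of this page or of Kaspersky's ktl_lookup utility. It covers the points the text makes: the four request types, the http:// prefix that turns an IP address into a web address, the 2000-character limit (HTTP 414), percent-encoding of every character in the table, comma-separated sections, and the fact that count and sections are ignored for STIX output. The request-type auto-detection (hex-digit length for hashes, a scheme or path for web addresses) is this example's own convention, not something the API requires; the sample values are constructed.

```python
import ipaddress
import re
from urllib.parse import quote, urlencode

API_BASE = "https://tip.kaspersky.com/api"
REQUEST_TYPES = ("hash", "ip", "domain", "url")
MAX_WEB_ADDRESS_LEN = 2000  # documented limit; longer web addresses get HTTP 414

# MD5 / SHA-1 / SHA-256 as 32 / 40 / 64 hex digits.
HEX_HASH = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
# Characters that would change the request path or query if left in a non-URL value.
PATH_BREAKERS = set("/?#&= \t\r\n")


def detect_request_type(value):
    """Choose <request type> for a value (this example's convention, see lead-in).

    A scheme prefix or a path makes the value a web address, so "104.132.161.0"
    is an IP address while "http://104.132.161.0" is a web address.
    """
    if HEX_HASH.match(value):
        return "hash"
    if value.lower().startswith(("http://", "https://")) or "/" in value:
        return "url"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "domain"


def build_lookup_url(value, request_type=None, count=None, sections=None, fmt=None):
    """Assemble https://tip.kaspersky.com/api/<request type>/<request>?count=...&sections=...&format=..."""
    request_type = request_type or detect_request_type(value)
    if request_type not in REQUEST_TYPES:
        raise ValueError("unknown request type: %r" % request_type)
    if fmt not in (None, "json", "stix"):
        raise ValueError("format must be json or stix")

    if request_type == "url":
        if len(value) > MAX_WEB_ADDRESS_LEN:
            raise ValueError("web address longer than %d characters; the server would answer 414"
                             % MAX_WEB_ADDRESS_LEN)
        # safe="" percent-encodes every reserved character listed in the table,
        # including ':' '/' '?' '#' '&' '=' that would otherwise be parsed as
        # part of the request path or query string.
        encoded = quote(value, safe="")
    else:
        # Hashes, IP addresses and domains contain none of these characters;
        # refuse rather than silently build a request for a different object.
        if any(ch in PATH_BREAKERS for ch in value):
            raise ValueError("%s value contains characters that would alter the request path"
                             % request_type)
        encoded = value

    params = []
    if fmt == "stix":
        # count and sections are ignored for STIX output, so do not send them.
        params.append(("format", "stix"))
    else:
        if count is not None:
            if int(count) <= 0:
                raise ValueError("count must be a positive integer")
            params.append(("count", str(int(count))))
        if sections:
            if isinstance(sections, (list, tuple)):
                sections = ",".join(sections)
            params.append(("sections", sections))
        if fmt == "json":
            params.append(("format", "json"))

    url = "%s/%s/%s" % (API_BASE, request_type, encoded)
    if params:
        # safe="," keeps the documented comma separator between section names.
        url += "?" + urlencode(params, safe=",")
    return url


if __name__ == "__main__":
    # Constructed sample values.
    print(build_lookup_url("104.132.161.0", count=10, sections=["Zone", "Categories"]))
    print(build_lookup_url("http://104.132.161.0/a b?x=1&y=2"))
    print(build_lookup_url("example.com", fmt="stix", count=5))
```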
This section explains how to download the ktl_lookup utility, run requests with it, and change its default parameters if necessary. Formats of investigation results are also described.
You can download the ktl_lookup utility from ktl_lookup.py.
You can work with the ktl_lookup utility using its default parameters or change the default parameters if necessary.
To change the default parameters in the ktl_lookup utility:
KTL_HOST—Specify this parameter if you have to use a different Kaspersky Threat Intelligence Portal host. By default, KTL_HOST = 'tip.kaspersky.com'.
PROXY—Specify this parameter if you have to use a proxy server. The format is as follows: (http|https)://<user name>:<password>@<host>:<port>
VERBOSE—To enable the verbose option, specify VERBOSE = True. This option displays detailed information. By default, VERBOSE = False.
PEM_FILE—Specify this parameter if your certificate in PEM format has a different file name. By default, PEM_FILE = 'ktl_lookup.pem'.
In Windows, make sure that the console code page is set to 65001 (UTF-8): chcp 65001
Also make sure that the PYTHONIOENCODING environment variable is set to UTF-8: Select Start → Control Panel → System → Advanced system settings → Environment Variables → System variables.
This section explains how to investigate objects using the ktl_lookup utility.
Python 3.5.3 or a later version must be installed on the computer that you will use to work with Kaspersky Threat Intelligence Portal API.
To run the ktl_lookup utility in Windows,
Type the following string at the command prompt:
python.exe <path>\ktl_lookup --user=<user name> --pass=<password> [--recordsCount=<count>] --url|--domain|--ip|--hash=<value> [--sections=<sections names>]
To run the ktl_lookup utility in Linux®,
Execute the following command:
./<path>/ktl_lookup --user=<user name> --pass=<password> [--recordsCount=<count>] --url|--domain|--ip|--hash=<value> [--sections=<sections names>]
You can investigate only one object at a time.
Keys | Description |
---|---|
--user | Your user name received from your dedicated Kaspersky Technical Account Manager. |
--pass | Your password received from your dedicated Kaspersky Technical Account Manager. |
--recordsCount | Optional key. Maximum number of records to display. If this key is not specified, the ktl_lookup utility displays all available results. |
--hash | Hash that you want to investigate. |
--ip | IP address that you want to investigate. |
--domain | Domain that you want to investigate. |
--url | Web address that you want to investigate. |
--sections | Optional key. Names of specific sections for the objects that you want to investigate. |
If you want an IP address to be processed as a web address, add the http:// or https:// prefix to the IP address in your request. For example, 104.132.161.0 is processed as an IP address, and http://104.132.161.0 is processed as a web address.
Responses
Click the links below for information about possible responses.
451 Unavailable For Legal Reasons
You can execute an object or browse a web address, and view task results by using the Kaspersky Threat Intelligence Portal API methods.
You can execute files separately with Kaspersky Sandbox or Kaspersky Threat Attribution Engine, or by using both technologies simultaneously. For web addresses, only execution in Kaspersky Sandbox is available.
Endpoints, required parameters, responses, and usage examples are described in the OpenAPI documentation.
Before working with the Kaspersky Threat Intelligence Portal API, you must accept the Terms and Conditions online in your browser at https://tip.kaspersky.com.
To work with Threat Analysis by using the Kaspersky Threat Intelligence Portal API:
View the OpenAPI specification describing requests to the Kaspersky Threat Intelligence Portal API
This section explains how to request Digital Footprint Intelligence notifications and reports by using the Kaspersky Threat Intelligence Portal API methods.
Endpoints, required parameters, responses, and usage examples are described in the OpenAPI documentation.
You can use the Digital Footprint Intelligence API without a certificate, by using an API token if it is allowed by your organization.
Before working with the Kaspersky Threat Intelligence Portal API, you must accept the Terms and Conditions online in your browser at https://tip.kaspersky.com.
Digital Footprint Intelligence API methods
Method | Description |
---|---|
 | Gets the list of available threat notifications. |
 | Gets the file associated with the specified threat notification. The archive may contain objects that could harm your device or data if handled improperly. By downloading it, you agree that you are informed of this and accept full responsibility for the handling of the downloaded objects contained in the archive. You can use the downloaded content only to increase the level of protection of your devices and systems. |
 | Gets the list of available Digital Footprint Intelligence reports. |
 | Gets the specified Digital Footprint Intelligence report. |
As a tenant manager, you can work with the Digital Footprint Intelligence API by using an API token. For each tenant group, a separate API token is required.
To run a request by using Digital Footprint Intelligence API with your API token:
You can obtain Threat Data Feeds by using the Kaspersky Threat Intelligence Portal API methods.
Endpoints, required parameters, responses, and usage examples are described in the OpenAPI documentation.
You can use the Data Feeds API with an API token. In this case, the Bearer authentication scheme is required. Also, you can use the Data Feeds API with a certificate, if using an API token is not allowed by your organization. In this case, the Basic authentication scheme is required.
Before working with the Kaspersky Threat Intelligence Portal API, you must accept the Terms and Conditions online in your browser at https://tip.kaspersky.com.
To obtain an API token, you must sign in to Kaspersky Threat Intelligence Portal via your browser, and then request an API token.
To obtain Data Feeds by using Kaspersky Threat Intelligence Portal API with your API token:
If necessary, you can specify the Basic authentication scheme and use your API token as described below.
To obtain Data Feeds by using the Kaspersky Threat Intelligence Portal API with Basic authentication scheme:
Use api_token as the login and your API token as the password. The login api_token is the same for all users within the Data Feeds API service.
View the OpenAPI specification describing requests to the Kaspersky Threat Intelligence Portal API
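The two authentication schemes described above, as an added example that is not part of this page or of Kaspersky's own tooling: the Bearer header carrying the API token, the Basic header built from the fixed login api_token and the token as password, and an HTTPS opener for the certificate alternative (client certificate and key in one PEM file, as the ktl_lookup utility expects). The token value and the endpoint path are constructed placeholders; the real Data Feeds endpoints are in the OpenAPI specification.

```python
import base64
import ssl
import urllib.request

# Documented: the Basic-scheme login is the literal string api_token for every
# Data Feeds API user; only the password (the API token) differs.
BASIC_LOGIN = "api_token"


def authorization_header(api_token, scheme="bearer"):
    """Build the Authorization header value for the Data Feeds API.

    bearer -> "Bearer <token>"                        (default scheme for API tokens)
    basic  -> "Basic base64(api_token:<token>)"       (Basic scheme with the API token)
    """
    if not api_token or any(ch.isspace() for ch in api_token):
        raise ValueError("API token must be a single non-empty token")
    scheme = scheme.lower()
    if scheme == "bearer":
        return "Bearer " + api_token
    if scheme == "basic":
        credentials = ("%s:%s" % (BASIC_LOGIN, api_token)).encode("utf-8")
        return "Basic " + base64.b64encode(credentials).decode("ascii")
    raise ValueError("unsupported scheme: %r" % scheme)


def parse_basic_header(header_value):
    """Inverse of the basic branch; handy for checking what a client really sends."""
    scheme, _, blob = header_value.partition(" ")
    if scheme != "Basic" or not blob:
        raise ValueError("not a Basic authorization header")
    decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    login, _, secret = decoded.partition(":")
    return login, secret


def build_token_request(url, api_token, scheme="bearer"):
    """urllib Request carrying the token in a header, never in the URL or query string,
    and only over TLS so the token is not exposed in transit or in proxy logs."""
    if not url.startswith("https://"):
        raise ValueError("refusing to send an API token over a non-TLS URL")
    headers = {
        "Authorization": authorization_header(api_token, scheme),
        "Accept": "application/json",
    }
    return urllib.request.Request(url, headers=headers)


def build_certificate_opener(pem_path):
    """Opener for the certificate alternative: client certificate plus key in one PEM file.
    create_default_context() keeps server certificate verification on."""
    ctx = ssl.create_default_context()
    ctx.load_cert_chain(pem_path)
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


# Constructed placeholders, not a real credential or a real endpoint path.
SAMPLE_TOKEN = "constructed-token-0123"
SAMPLE_URL = "https://tip.kaspersky.com/api/data-feeds-endpoint-placeholder"

if __name__ == "__main__":
    req = build_token_request(SAMPLE_URL, SAMPLE_TOKEN, "basic")
    print(req.get_header("Authorization"))
    print(parse_basic_header(req.get_header("Authorization")))
```

Basic is only a base64 encoding, not encryption, so the two schemes are equivalent in strength; the thing that protects the token in either case is the TLS check in build_token_request and keeping the token out of shell history and logs.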
Kaspersky Threat Intelligence Portal has the following limitation.
Lifetime of links in notifications and direct links to Threat Lookup reports
Links in notifications and direct links to Threat Lookup reports are supported for two years. After this period, the correct operation of the links is not guaranteed.
If you cannot find a solution to your problem in Help, we recommend that you contact your dedicated Kaspersky Technical Account Manager or send email to ktlsupport@kaspersky.com.
This section provides reference information for using Kaspersky Threat Intelligence Portal.
If you select the CSV Archive (.zip) option when exporting all investigation results, Kaspersky Threat Intelligence Portal saves investigation results as a .zip archive. Each .zip archive contains files in a comma-separated values (CSV) format, with commas used as field separators.
By default, the format of the archive name is as follows: <entered request>-en.zip
. You can change the archive name if necessary.
Example: If you export investigation results for the hash 45D52E4061983C4EFDA8D978A2B25A3C, the archive is named 45D52E4061983C4EFDA8D978A2B25A3C-en.zip.
The contents of the files that are included in the CSV archive are described in the table below. The first string in all files contains column names.
CSV archive contents for hash
File name |
Description |
Columns |
|
---|---|---|---|
ContainerCertificates.csv |
Information about the signatures and certificates of a container. |
ParentMd5—MD5 hash of the container's certificate. SerialNumber—Serial number of the container's certificate. Vendor—Owner of the container's certificate. Publisher—Publisher of the container's certificate. TimeStamp—Date and time when the container's certificate was signed. Issued—Date and time when the container's certificate was issued. Expires—Expiration date of the container's certificate. IsDirectlySigned—Shows whether a container's certificate is embedded into the file. IsDiscredited—Shows whether the container's certificate is discredited. IsTrusted—Shows whether the container's certificate is trusted. IsRevoked—Shows whether the container's certificate is revoked. IsGray—Shows whether the container's certificate is in a Gray zone. IsGood—Shows whether the container's certificate is in a Good zone. |
|
FileThreats.csv |
Information about detected objects related to the requested hash (for example, HEUR:Exploit.Script.Blocker). |
LastDetectDate—Date and time when the object was last detected by Kaspersky expert systems. DescriptionUrl—Link to the detected object description in Kaspersky threats website (if available). Zone—Color of the zone that the detection object belongs to. DetectionName—Name of the detected object. DetectionMethod—Method used to detect the object. |
|
FileUrls.csv |
Information about web addresses that were accessed by the file identified by the requested hash. |
Url—Web addresses accessed by the file identified by the requested hash. IsUrlTruncated—Shows whether private data was filtered in the displayed web address. Zone—Color of the zone that the web address belongs to. Domain—Upper domain of the web address used to download the file identified by the requested hash. LastDownloadDate—Date and time when the file identified by the requested hash was last downloaded from the web address / domain. IpsCount—Number of IP addresses that the domain resolves to. |
|
FileDownloadedBy.csv |
Information about objects that were downloaded by the file identified by the requested hash. |
Zone—Color of the zone that a file belongs to. HitsCount—Number of times the object was downloaded as detected by Kaspersky expert systems. Md5—MD5 hash of the downloaded object. Location—Root folder or drive where the downloaded object is located on user computers. Path—Path of the downloaded object on user computers. Name—Name of the downloaded object. LastDownloadDate—Date and time when the object was last downloaded by the file identified by the requested hash. DetectionName—Name of the detected object. |
|
FileDownloadedFromUrls.csv |
Information about web addresses and domains from which the file identified by the requested hash was downloaded. |
Url—Web addresses accessed by the file identified by the requested hash. IsUrlTruncated—Shows whether private data was filtered in the displayed web address. Zone—Color of the zone that the web address belongs to. Domain—Upper domain of the web address accessed by the file identified by the requested hash. LastDownloadDate—Date and time when the file identified by the requested hash last accessed the web address. IpsCount—Number of IP addresses that the domain resolves to. |
|
FileNames.csv |
Information about known names of the file identified by the requested hash on computers using Kaspersky software. |
FileName—Name of the file identified by the requested hash. FileNamesHitsCount—Number of file name detections by Kaspersky expert systems. |
|
FilePaths.csv |
Information about known paths to the file identified by the requested hash on computers using Kaspersky software. |
Path—Path to the file on user computers identified by the requested hash. Location—Root folder or drive where the file identified by the requested hash is located on user computers. FilePathHitsCount—Number of path detections by Kaspersky expert systems. |
|
FileCertificates.csv |
Information about signatures and certificates of the file identified by the requested hash. |
ParentMd5—MD5 hash of the certificate. SerialNumber—Serial number of the certificate. Vendor—Owner of the certificate. Publisher—Publisher of the certificate. TimeStamp—Date and time when the certificate was signed. Issued—Date and time when the certificate was issued. Expires—Expiration date of the certificate. IsDirectlySigned—Shows whether a certificate is embedded into the file. IsDiscredited—Shows whether the certificate is discredited. IsTrusted—Shows whether the certificate is trusted. IsRevoked—Shows whether the certificate is revoked. IsGray—Shows whether the certificate is in a Gray zone. IsGood—Shows whether the certificate is in a Good zone. |
|
FileStarters.csv |
Information about objects that started the file identified by the requested hash. |
Zone—Color of the zone that a file belongs to. HitsCount—Number of times the file identified by the requested hash was started as detected by Kaspersky expert systems. Md5—MD5 hash of the object that started the file identified by the requested hash. Location—Root folder or drive where the object is located on user computers. Path—Path to the object on user computers. Name—Name of the object that started the file identified by the requested hash. LastStartDate—Date and time when the file identified by the requested hash was last started. DetectionName—Name of the detected object. |
|
FileDownloaders.csv |
Information about objects that downloaded the file identified by the requested hash. |
Zone—Color of the zone that a file belongs to. HitsCount—Number of times the file identified by the requested hash was downloaded as detected by Kaspersky expert systems. Md5—MD5 hash of the object that downloaded the file identified by the requested hash. Location—Root folder or drive where the object is located on user computers. Path—Path to the object on user computers. Name—Name of the object that downloaded the file identified by the requested hash. LastDownloadDate—Date and time when the file identified by the requested hash was last downloaded. DetectionName—Name of the detected object. |
|
FileStartedBy.csv |
Information about objects that were started by the file that was identified by the requested hash. |
Zone—Color of the zone that a file belongs to. HitsCount—Number of times the file identified by the requested hash started the object as detected by Kaspersky expert systems. Md5—MD5 hash of the started object. Location—Root folder or drive where the started object is located on user computers. Path—Path to the object on user computers. Name—Name of the started object. LastStartDate—Date and time when the object was last started by the file identified by the requested hash. DetectionName—Name of the detected object. |
|
FileHashes.csv |
Information about file hashes and size. |
Md5—MD5 hash of the file requested by hash. Sha1—SHA1 hash of the file requested by hash. Sha256—SHA256 hash of the file requested by hash. Size—Size of the object that is being investigated by hash (in bytes). |
|
FileProperties.csv |
General information about the requested hash. |
Md5—MD5 hash of the file requested by hash. Sha256—SHA256 hash of the file requested by hash. FirstNotificationDate—Date and time when the requested hash was detected by Kaspersky expert systems for the first time. LastNotificationDate—Date and time when the requested hash was detected by Kaspersky expert systems for the last time. Signer—Organization that signed the file identified by the requested hash. SignerZone—Color of the zone indicating the signer's trust level (red, gray, green). SignerStatus—Trust level of the object signature (Discredited, Not trusted, Trusted). Packer—Packer name. Size—Size of the object that is being investigated by hash (in bytes). Type—Format of the object that is being investigated by hash. HitsCount—Number of hits (popularity) of the requested hash detected by Kaspersky expert systems. HasApt—Shows whether the file is related to an advanced persistent threat (APT) attack. RelatedAptReports—IDs of APT Intelligence reports and Crimeware Threat Intelligence reports to which the requested object is related. For each report, its ID, type (fin or apt), and title are provided in a JSON-like format (pseudo-JSON). Categories—Categories of the requested object and the zones that the categories belong to. Category and zone are provided in a JSON-like format (pseudo-JSON). |
|
FileUnpackedFrom.csv |
Information about parent objects of the file identified by the requested hash. |
Zone—Color of the zone that the parent object belongs to. ParentMd5—MD5 hash of the parent object. ChildMd5—MD5 hash of the child object. For direct parent objects ( ParentFileSize—Size of the parent object (in bytes). ParentFileType—File type of the parent object. ParentDetectionName—Detected objects related to the parent object (for example, HEUR:Exploit.Script.Blocker). Level—Parent level. The direct parent of the requested object has |
|
FileUnpackedObjects.csv |
Information about child objects of the file identified by the requested hash. |
Zone—Color of the zone that the child object belongs to. ChildMD5—MD5 hash of the child object. ParentMD5—MD5 hash of the parent object. For direct child objects ( ChildFileSize—Size of the child object (in bytes). ChildFileType—File type of the child object. ChildDetectionName—Detected objects related to the child object (for example, HEUR:Exploit.Script.Blocker). Level—Child level. The |
|
SimilarFiles.csv |
Information about files that are similar to the requested object. |
MD5—MD5 hash of the object similar to the file identified by the requested hash. Zone—Color of the zone that the object similar to the file identified by the requested hash belongs to. Confidence—Level of confidence that the object is similar to the file identified by the requested hash. Kaspersky Threat Intelligence Portal displays similar files with a confidence level from 8 to 11. DetectionName—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Hits—Number of hits (popularity) for the object similar to the identified file (by the requested hash) detected by Kaspersky expert systems (rounded to nearest power of 10). FirstSeen—Date and time when the similar object was detected by Kaspersky expert systems for the first time (for your local time zone). LastSeen—Date and time, accurate to one minute, when the similar object was detected by Kaspersky expert systems for the last time (for your local time zone). Type—Type of the object similar to the file identified by the requested hash. Size—Size of the object similar to the file identified by the requested hash (in bytes). |
|
SpamReport.csv |
Information about spam attacks in which the requested object was attached to email messages. |
HitsCount—Number of email messages in which the requested object was attached. HitsByDate—Number of email messages in which the requested object was attached during one day. Subjects—Subjects of spam messages. FileNames—Names of attachments in spam messages. |
RelatedAptReports—IDs of APT Intelligence reports and Crimeware Threat Intelligence reports to which the requested object is related. For each report, its ID, type (fin or apt), and title are provided in a JSON-like format (pseudo-JSON), for example: {Id : 632-apt , Type : apt , Title : Sofacy-Delphocy Toolset}. If there are several reports for the requested object, each report is enclosed in braces, and reports are separated by a comma.
The report ID can be used as an argument (publication_id) for the get_one endpoint, which is used to obtain specific information for a report.
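Reading an exported CSV archive and parsing the pseudo-JSON columns (RelatedAptReports, Categories) described above, as an added example that is not part of this page or of Kaspersky's own tooling. The archive built by build_sample_archive is constructed for the example (placeholder hashes, the documented column names, the report example from the text plus a second constructed report whose title contains a colon); real exports contain the full set of files listed in the table.

```python
import csv
import io
import re
import zipfile

# One pseudo-JSON object is a brace-enclosed list of "Key : Value" fields separated by commas.
PSEUDO_JSON_OBJECT = re.compile(r"\{([^{}]*)\}")


def parse_pseudo_json(text):
    """Parse the portal's pseudo-JSON, for example
    "{Id : 632-apt , Type : apt , Title : Sofacy-Delphocy Toolset}", possibly several
    objects separated by commas, into a list of dicts.

    Keys and values are whitespace-trimmed. Only the first colon of a field splits
    key from value, so a title containing ':' survives intact.
    """
    objects = []
    for body in PSEUDO_JSON_OBJECT.findall(text or ""):
        fields = {}
        for field in body.split(","):
            if not field.strip():
                continue
            key, sep, value = field.partition(":")
            if not sep:
                raise ValueError("malformed field %r in %r" % (field, text))
            fields[key.strip()] = value.strip()
        objects.append(fields)
    return objects


def read_csv_archive(zip_bytes):
    """Return {file name: list of row dicts} for every .csv file in the exported archive.
    The first line of each file holds the column names, as the text states."""
    tables = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".csv"):
                continue  # ignore anything unexpected in the archive
            with zf.open(name) as fh:
                reader = csv.DictReader(io.TextIOWrapper(fh, encoding="utf-8-sig", newline=""))
                tables[name] = list(reader)
    return tables


def related_report_ids(tables):
    """Collect report IDs (usable as publication_id for get_one) from FileProperties.csv."""
    ids = []
    for row in tables.get("FileProperties.csv", []):
        for report in parse_pseudo_json(row.get("RelatedAptReports", "")):
            if "Id" in report:
                ids.append(report["Id"])
    return ids


def build_sample_archive():
    """Constructed archive (not real export data) using the documented file and column names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "FileProperties.csv",
            "Md5,Sha256,HitsCount,RelatedAptReports,Categories\n"
            "45d52e4061983c4efda8d978a2b25a3c," + "0" * 64 + ",12,"
            "\"{Id : 632-apt , Type : apt , Title : Sofacy-Delphocy Toolset},"
            "{Id : 100-fin , Type : fin , Title : Example: second report}\","
            "\"{Category : Malware , Zone : Red}\"\n",
        )
        zf.writestr(
            "FileHashes.csv",
            "Md5,Sha1,Sha256,Size\n"
            "45d52e4061983c4efda8d978a2b25a3c," + "0" * 40 + "," + "0" * 64 + ",1024\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    tables = read_csv_archive(build_sample_archive())
    print(sorted(tables))
    print(related_report_ids(tables))
    print(parse_pseudo_json(tables["FileProperties.csv"][0]["Categories"]))
```

The pseudo-JSON is not valid JSON (unquoted keys and values), so json.loads would fail on it; the regex-plus-partition approach above is deliberate, and the parser raises on a field without a colon instead of guessing.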
For reserved IP addresses, only IpProperties.csv and IpWhoIsInfo.csv files are exported.
CSV archive contents for IP address
File name |
Description |
Columns |
---|---|---|
IpPdnsDomains.csv |
pDNS information for the requested IP address. |
Zone—Color of the zone that a domain (resolved to the requested IP address) belongs to. Domain—Domain that resolves to the requested IP address. FirstSeen—Date and time when the domain first resolved to the requested IP address, according to your computer local time zone. LastSeen—Date and time when the domain last resolved to the requested IP address, according to your computer local time zone. HitsCount—Number of times that the domain resolved to the requested IP address. DailyPeak—Maximum number of domain resolutions to the requested IP address per day. PeakDate—Date of maximum number of domain resolutions to the requested IP address. Categories—Categories of the requested IP address. |
IpFiles.csv |
Information about MD5 hashes of files that are related to web addresses containing domains that resolve to the requested IP address. Also, MD5 hashes of files that accessed the requested IP address are displayed. |
Zone—Color of the zone that a file belongs to. DownloadHitsCount—Number of times that a file was downloaded from the requested IP address as detected by Kaspersky expert systems. Md5—MD5 hash of the downloaded file. LastSeen—Date and time that the file was last downloaded from the requested IP address, according to your computer local time zone. FirstSeen—Date and time the file was first downloaded from the requested IP address, according to your computer local time zone. DetectionName—Name of the detected object. Url—Web addresses used to download the file. |
IpUrls.csv |
Information about web addresses that contain the requested IP address and web addresses of the domain that resolves to the requested IP address. |
Zone—Color of the zone that a web address belongs to. UrlHitsCount—Number of web address detections by Kaspersky expert systems. Url—Detected web address (including web addresses that contain the requested IP address). IsUrlTruncated—Shows whether private data was filtered in the displayed web address. FirstSeen—Date and time when the web address was first detected, according to your computer local time zone. LastSeen—Date and time when the web address was last detected, according to your computer local time zone. |
IpFeedMasks.csv |
Information about masks of web addresses detected by Kaspersky expert systems that contain the requested IP address, and of web addresses of the domain that resolves to the requested IP address. If a mask is included in Threat Data Feeds, the feed names are also provided. |
Zone—Color of the zone that web addresses covered by the corresponding mask ( NormalizedMask—Mask of the web address. FeedNames—Threat Data Feeds that contain the web address mask (Malicious URL Feed, Phishing URL Feed, Botnet C&C URL Feed, APT URL Data Feed, and APT IP Data Feed). MaskType—Type of the web address mask. |
IpProperties.csv |
General information about the requested IP address. |
Status—Status of the IP address (Known if the country is detected, Reserved for reserved special-purpose IP addresses (see RFC 6890), and NoInfo for IP addresses that do not belong to any country and are not reserved). CountryCode—Two-letter country code (ISO 3166-1 alpha-2 standard) of a country to which the IP address belongs. For reserved and not defined IP addresses, the HitsCount—Hits number (popularity) of the requested IP address. FirstSeen—Date and time when the requested IP address appeared in Kaspersky expert systems statistics for the first time, according to your computer local time zone. ThreatScore—Probability that the requested IP address appears dangerous (0 to 100). RelatedAptReports—IDs of APT Intelligence reports and Crimeware Threat Intelligence reports to which the requested object is related. For each report, its ID, type (fin or apt), and title are provided in a JSON-like format (pseudo-JSON). |
IpReputation.csv |
Information about the requested IP address reputation and categories. |
Ip—Requested IP address. Zone—Color of the zone that an IP address belongs to. Categories—Categories of the requested object and the zones that the categories belong to. Category and zone are provided in a JSON-like format (pseudo-JSON). HasApt—Shows whether the requested IP address is related to an advanced persistent threat (APT) attack. BotnetCnCThreatName—Name of the detected Botnet C&C. |
IpWhoIsInfo.csv |
WHOIS information about the requested IP address. |
Asn—Autonomous system number. Net—Information about the network that the requested IP address belongs to. Contacts—Contact information of the owner of the requested IP address. |
IPSpamInfo.csv |
Information about spam attacks associated with the requested IP address. |
spam_attacks—Number of spam attacks. spam_ratio—Ratio of spam generated by the requested IP address to the rest of the content. last_attack_date—Date of the latest spam attack. spam_attack_types—Array of attack types. |
IPPhishingInfo.csv |
Information about phishing attacks associated with the requested IP address. |
phishing_attacks—Number of phishing attacks. phish_kit—Phishing kit name (set of materials and tools) used during the phishing attack. last_attack_date—Date of the latest phishing attack. regions—Top 10 regions affected by the phishing attack. stolen_data_type—Type of data stolen during phishing attack, for example, user names, passwords. attacked_industry—Target industry of a phishing attack. attacked_organization—Target organization of a phishing attack. |
IpTimeline.csv |
Information about detection statistics and changes of the requested object's status during certain historical periods. The timeline is generated only when detection statistics for the period are available for the specific object. |
historical_zone—Object zone during the period. historical_status—Object status during the period. start_date—Start date and time of the period during which the object was assigned the status. end_date—End date and time of the period during which the object was assigned the status. categories—Categories assigned to the object during the period. |
The contents of the files that are included in the CSV archive are described in the table below. The first string in all files contains column names.
CSV archive contents for domain
File name |
Description |
Columns |
---|---|---|
HostPdnsIps.csv |
Information about IP addresses that the requested domain resolves to. |
Zone—Color of the zone that the domain belongs to. Ip—IP address. Status—Status of the IP address (Known if the country is detected, Reserved for reserved special-purpose IP addresses (see RFC 6890), and NoInfo for IP addresses that do not belong to any country and are not reserved). CountryCode—Two-letter country code (ISO 3166-1 alpha-2 standard) of a country to which the IP address belongs. For reserved and not defined IP addresses, the HitsCount—Number of IP address detections by Kaspersky expert systems. FirstSeen—Date and time when the requested domain first resolved to the IP address, according to your computer local time zone. LastSeen—Date and time when the requested domain last resolved to the IP address, according to your computer local time zone. DailyPeak—Maximum number of domain resolutions to the IP address per day. PeakDate—Date of maximum number of domain resolutions to the IP address. ThreatScore—Probability that the requested domain will be dangerous (0 to 100). |
HostReferredTo.csv |
Information about web addresses that the requested domain links, forwards, or redirects to. |
Zone—Color of the zone that a web address belongs to. LastSeen—Date and time when the requested domain last referred to the listed web address, according to your computer local time zone. Url—Web address that the requested domain refers to. IsUrlTruncated—Shows whether private data was filtered in the displayed web address. |
HostFiles.csv |
Information about MD5 hashes of files that accessed the requested domain. |
Zone—Color of the zone that a file belongs to. AccessedHitsCount—Number of times that the file accessed the requested domain as detected by Kaspersky expert systems. Md5—MD5 hash of the file that accessed the requested domain. LastSeen—Date and time when the file last accessed the requested domain, according to your computer local time zone. FirstSeen—Date and time when the file first accessed the requested domain, according to your computer local time zone. DetectionName—Name of the detected object. |
HostGeoPlot.csv |
Information about domain access spread across the world. |
countryCode—Two-letter country code. value—Number of accesses to the domain from the country. |
HostDownloaders.csv |
Information about MD5 hashes of files that were downloaded from the requested domain and web addresses of the requested domain. |
Zone—Color of the zone that a file belongs to. DownloadedHitsCount—Number of file downloads from the requested domain as detected by Kaspersky expert systems. Md5—MD5 hash of the downloaded file. LastSeen—Date and time when the file was last downloaded from the requested domain, according to your computer local time zone. FirstSeen—Date and time when the file was first downloaded from the requested domain, according to your computer local time zone. DetectionName—Name of the detected object. Url—Web address from which the file was downloaded. |
HostProperties.csv |
General information about the requested domain. |
TotalFilesCount—Number of known files. TotalUrlsCount—Number of known web addresses. HitsCount—Number of IP addresses related to the domain. RelatedAptReports—IDs of APT Intelligence reports and Crimeware Threat Intelligence reports to which the requested object is related. For each report, its ID, type (fin or apt), and title are provided in a JSON-like format (pseudo-JSON). |
HostReputation.csv |
Information about the requested domain reputation and categories. |
Domain—Name of the requested domain. Zone—Color of the zone that a domain belongs to. Categories—Categories of the requested object and the zones that the categories belong to. Category and zone are provided in a JSON-like format (pseudo-JSON). HasApt—Shows whether the requested domain is related to an advanced persistent threat (APT) attack. BotnetCnCThreatName—Name of the detected Botnet C&C. |
HostReferredBy.csv |
Information about web addresses that refer to the requested domain. |
Zone—Color of the zone that a web address belongs to. LastSeen—Date and time when the requested domain was last referred to by listed web addresses, according to your computer local time zone. Url—Web address that refers to the requested domain. IsUrlTruncated—Shows whether private data was filtered in the displayed web address. |
HostSubDomains.csv |
Information about hosts related to the requested domain (subdomains). |
Zone—Color of the zone that a subdomain belongs to. Subdomain—Name of the detected subdomain. UrlsCount—Number of web addresses related to the subdomain. FilesCount—Number of files hosted on the detected subdomain. FirstSeen—Date and time when the subdomain was first detected, according to your computer local time zone. |
HostFeedMasks.csv |
Information about the requested domain and web address masks detected by Kaspersky expert systems. |
Zone—Color of the zone that a domain belongs to. NormalizedMask—Requested domain mask. FeedNames—Threat Data Feeds that contain the requested domain mask. |
HostWhoIsInfo.csv |
WHOIS information about the requested domain. |
DomainName—Name of the requested domain. Created—Date when the requested domain was registered. Updated—Date when registration information about the requested domain was last updated. Expires—Expiration date of the requested domain. NameServers—Name servers of the requested domain. Contacts—Contact information for the owner of the requested domain. Registrar—Name, IANA ID, and email of the registrar of the requested domain. DomainStatus—Statuses of the requested domain. RegistrationOrganization—Name of the registration organization. |
HostSimilarDomains.csv |
Information about domains with similar names to the requested domain. |
Zone—Color of the zone that a similar domain belongs to. Domain—Similar domain name. Registration—Date when a similar domain was registered. Expiration—Expiration date of a similar domain. Http_open—Shows whether an HTTP port is open. Https_open—Shows whether an HTTPS port is open. |
HostSpamInfo.csv |
Information about spam attacks associated with the requested domain. |
spam_attacks—Number of spam attacks. spam_ratio—Ratio of spam generated by the requested domain to the rest of the content. last_attack_date—Date of the latest spam attack. spam_attack_types—Array of attack types. |
HostPhishingInfo.csv |
Information about phishing attacks associated with the requested domain. |
phishing_attacks—Number of phishing attacks. phish_kit—Phishing kit name (set of materials and tools) used during the phishing attack. last_attack_date—Date of the latest phishing attack. regions—Top 10 regions affected by the phishing attack. stolen_data_type—Type of data stolen during phishing attack, for example, user names, passwords. attacked_industry—Target industry of a phishing attack. attacked_organization—Target organization of a phishing attack. |
HostTimeline.csv |
Information about detection statistics and status changes of the requested object during certain historical periods. The timeline is generated only when detection statistics for the period are available for the specific object. |
historical_zone—Object zone during the period. historical_status—Object status during the period. start_date—Start date and time of the period during which the object was assigned the status. end_date—End date and time of the period during which the object was assigned the status. categories—Categories assigned to the object during the specified period. |
The contents of the files that are included in the CSV archive are described in the table below. The first line of every file contains the column names.
CSV archive contents for web address

| File name | Description | Columns |
|---|---|---|
| UrlPdnsIps.csv | Information about IP addresses that the domain for the requested web address resolves to. | Zone—Color of the zone that the domain belongs to. Ip—IP address. Status—Status of the IP address (Known if the country is detected, Reserved for reserved special-purpose IP addresses (see RFC 6890), and NoInfo for IP addresses that do not belong to any country and are not reserved). CountryCode—Two-letter country code (ISO 3166-1 alpha-2 standard) of the country to which the IP address belongs. For reserved and not defined IP addresses, the HitsCount—Number of IP address detections by Kaspersky expert systems. FirstSeen—Date and time when the domain for the requested web address first resolved to the IP address, according to your computer local time zone. LastSeen—Date and time when the domain for the requested web address last resolved to the IP address, according to your computer local time zone. DailyPeak—Maximum number of domain resolutions to the IP address per day. PeakDate—Date of the maximum number of domain resolutions to the IP address. ThreatScore—Probability that the requested web address will be dangerous (0 to 100). |
| UrlDownloaders.csv | Information about MD5 hashes of files that accessed the requested web address. | Zone—Color of the zone that a file belongs to. AccessedHitsCount—Number of file downloads from the requested web address as detected by Kaspersky expert systems. Md5—MD5 hash of the downloaded file. LastSeen—Date and time when the file was last downloaded from the requested web address, according to your computer local time zone. FirstSeen—Date and time when the file was first downloaded from the requested web address, according to your computer local time zone. DetectionName—Name of the detected object. |
| UrlFiles.csv | Information about objects that were downloaded from the requested web address. | Zone—Color of the zone that a file belongs to. DownloadedHitsCount—Number of file downloads from the requested web address as detected by Kaspersky expert systems. Md5—MD5 hash of the downloaded file. LastSeen—Date and time when the file was last downloaded from the requested web address, according to your computer local time zone. FirstSeen—Date and time when the file was first downloaded from the requested web address, according to your computer local time zone. DetectionName—Name of the detected object. Url—Web address from which the file was downloaded. |
| UrlFeedMasks.csv | Information about masks of the requested web address domain that are detected by Kaspersky expert systems. | Zone—Color of the zone that a domain belongs to. Type—Type of the requested domain and web address mask. NormalizedMask—Mask of the requested web address domain. FeedNames—Threat Data Feeds that contain the mask of the requested web address domain. |
| UrlGeoPlot.csv | Information about web address access spread across the world. | countryCode—Two-letter country code. value—Number of web address accesses in a certain country. |
| UrlReferredBy.csv | Information about web addresses that refer to the requested web address. | Zone—Color of the zone that a web address belongs to. LastSeen—Date and time when the requested web address was last referred to, according to your computer local time zone. Url—Web address that refers to the requested web address. IsUrlTruncated—Shows whether private data was filtered in the displayed web address. |
| UrlReferredTo.csv | Information about links, forwards, or redirects to displayed web addresses. | Zone—Color of the zone that a web address belongs to. LastSeen—Date and time when the requested web address last linked, forwarded, or redirected to listed web addresses, according to your computer local time zone. Url—Web address accessed by the requested web address. IsUrlTruncated—Shows whether private data was filtered in the displayed web address. |
| UrlProperties.csv | General information about the requested web address. | Url—Requested web address. Host—Name of the upper-level domain of the requested web address. RelatedAptReports—IDs of APT Intelligence reports and Crimeware Threat Intelligence reports, to which the requested object is related. For each report, its ID, type (fin or apt), and title are provided in a JSON-like format (pseudo-JSON), for example: |
| UrlReputation.csv | Information about the requested web address reputation and categories. | Url—Requested web address. Zone—Color of the zone that a web address belongs to. Categories—Categories of the requested object and zones that the category belongs to. Category and zone are provided in a JSON-like format (pseudo-JSON), for example: HasApt—Shows whether the requested web address is related to an advanced persistent threat (APT) attack. BotnetCnCThreatName—Name of the detected Botnet C&C. |
| UrlWhoIsInfo.csv | WHOIS information about the requested web address. | Type—Object type. DomainName—Name of the domain of the requested web address. Created—Date when the domain for the requested web address was registered. Updated—Date when registration information about the domain for the requested web address was last updated. Expires—Expiration date of the prepaid domain registration term. NameserverHostnames—Name servers of the domain for the requested web address. Contacts—Contact information for the owner of the domain. Registrar—Name, IANA ID, and email of the registrar of the domain. DomainStatus—Statuses of the domain. RegistrationOrganization—Name of the registration organization. |
| UrlSpamInfo.csv | Information about spam attacks associated with the requested web address. | spam_messages—Number of spam messages containing the requested web address. |
| UrlPhishingInfo.csv | Information about phishing attacks associated with the requested web address. | phishing_status—Shows whether the requested web address can be considered a phishing one. phishing_attacks—Number of phishing attacks. phish_kit—Phishing kit name (set of materials and tools) used during the phishing attack. last_attack_date—Date of the latest phishing attack. regions—Top 10 regions affected by the phishing attack. stolen_data_type—Type of data stolen during the phishing attack, for example, user names, passwords. attacked_industry—Target industry of a phishing attack. attacked_organization—Target organization of a phishing attack. |
| UrlTimeline.csv | Information about detection statistics and status changes of the requested object during certain historical periods. The timeline is generated only when detection statistics for the period are available for the specific object. | historical_zone—Object zone during the period. historical_status—Object status during the period. start_date—Start date and time of the period during which the object was assigned the status. end_date—End date and time of the period during which the object was assigned the status. categories—Categories assigned to the object during the specified period. |
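As an added example, not code from the portal documentation or from Kaspersky, the following Python reads a downloaded CSV archive of the kind described in the domain and web address tables above and pulls out two things an analyst usually wants first: resolved IP addresses worth a closer look (from UrlPdnsIps.csv) and the MD5 hashes of red-zone downloads (from UrlFiles.csv, whose columns HostDownloaders.csv shares). The archive and its rows are constructed here; the column names follow the tables, but the zone colour strings, the date format and every sample value are assumptions.

```python
import csv
import io
import zipfile

# Constructed sample archive for a web address request. Column names follow the
# CSV archive tables; every value (hashes, IPs, dates, detection names, URLs) is
# made up, and the zone colour strings "Red"/"Green"/"Grey" are an assumption.
URL_ARCHIVE_FILES = {
    "UrlPdnsIps.csv": (
        "Zone,Ip,Status,CountryCode,HitsCount,FirstSeen,LastSeen,DailyPeak,PeakDate,ThreatScore\n"
        "Red,203.0.113.10,Known,US,120,2024-01-02 10:00,2024-03-01 09:30,40,2024-02-11,88\n"
        "Green,198.51.100.7,Known,DE,3,2024-02-20 11:00,2024-02-21 12:00,2,2024-02-20,5\n"
        "Grey,10.0.0.1,Reserved,,0,,,0,,60\n"
    ),
    "UrlFiles.csv": (
        "Zone,DownloadedHitsCount,Md5,LastSeen,FirstSeen,DetectionName,Url\n"
        "Red,57,0123456789ABCDEF0123456789ABCDEF,2024-03-01 09:30,2024-01-02 10:00,"
        "Trojan.Constructed.Sample,http://example.invalid/upd/a.exe\n"
        "Green,2,FEDCBA9876543210FEDCBA9876543210,2024-02-21 12:00,2024-02-20 11:00,,"
        "http://example.invalid/ok.txt\n"
    ),
}


def build_archive(files: dict) -> bytes:
    """Pack {file name: CSV text} into an in-memory zip, standing in for the downloaded archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    return buf.getvalue()


def read_csv_archive(zip_bytes: bytes) -> dict:
    """Return {file name: [row dict, ...]}; the first line of each file holds the column names."""
    tables = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".csv"):
                continue
            text = zf.read(name).decode("utf-8-sig")  # tolerate a BOM in front of the header
            tables[name] = list(csv.DictReader(io.StringIO(text)))
    return tables


def _to_int(value, default=0):
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def resolved_ips_to_review(rows, min_score=50):
    """UrlPdnsIps.csv rows -> [(ip, zone, score)] for non-reserved IPs whose ThreatScore is
    at least min_score; 50 is the lower bound of the portal's 'suspicious' band (50-74)."""
    picked = []
    for row in rows:
        if row.get("Status") == "Reserved":
            continue  # special-purpose ranges (RFC 6890) are not actionable indicators
        score = _to_int(row.get("ThreatScore"))
        if score >= min_score:
            picked.append((row["Ip"], row["Zone"], score))
    return sorted(picked, key=lambda item: item[2], reverse=True)


def red_zone_hashes(rows):
    """UrlFiles.csv / HostDownloaders.csv rows -> {md5: detection name or None} for red-zone files."""
    return {
        row["Md5"].lower(): row.get("DetectionName") or None
        for row in rows
        if row.get("Zone", "").lower() == "red"
    }


def summarize(zip_bytes: bytes) -> dict:
    """Reduce one archive to the indicators an analyst would review or block first."""
    tables = read_csv_archive(zip_bytes)
    return {
        "ips": resolved_ips_to_review(tables.get("UrlPdnsIps.csv", [])),
        "hashes": red_zone_hashes(tables.get("UrlFiles.csv", [])),
    }


if __name__ == "__main__":
    print(summarize(build_archive(URL_ARCHIVE_FILES)))
```

Reserved addresses are dropped before scoring because the Status column marks them explicitly and a score on a special-purpose range is not something to act on; a real archive is read with the same `read_csv_archive` call on the bytes downloaded from the portal.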
This section contains examples of OpenIOC files with investigation results for a hash, IP address, domain, and web address.
This format is not available for exporting investigation results for reserved IP addresses.
By default, the format of the file name is as follows: <request type>_<request>.ioc
Here:
<request type>—The type of object that you export investigation results for. Possible values include: MD5 (if hash investigation results are exported), IP (if IP address investigation results are exported), DOMAIN (if domain investigation results are exported), URL (if web address investigation results are exported).
<request>—The object that you export investigation results for. For domains and web addresses, a domain / web address UUID hash in hex format is used.
You can change the file name if necessary.
OpenIOC for a hash
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may return for the hash 495DB359D61411F0688211C8DD473CB7 in OpenIOC format.
OpenIOC for an IP address
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may return for the IP address 14.14.14.14 in OpenIOC format.
OpenIOC for a domain
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may return for the domain ddns.net in OpenIOC format.
OpenIOC for a web address
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may return for the web address go.spaceshipads.com-afu.php-zone in OpenIOC format.
This section contains examples of STIX files with investigation results for a hash, IP address, domain, and web address.
This format is not available for exporting investigation results for reserved IP addresses.
By default, the format of the file name is as follows: <request type>_<request>_stix.xml
Here:
<request type>—The type of object that you export investigation results for. Possible values include: MD5 (if hash investigation results are exported), IP (if IP address investigation results are exported), DOMAIN (if domain investigation results are exported), URL (if web address investigation results are exported).
<request>—The object that you export investigation results for. For domains and web addresses, a domain / web address UUID hash in hex format is used.
You can change the file name if necessary.
STIX for a hash
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may return for the hash 495DB359D61411F0688211C8DD473CB7 in STIX format.
STIX for an IP address
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may return for the IP address 195.175.254.2 in STIX format.
STIX for a domain
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may return for the domain ddns.net in STIX format.
STIX for a web address
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may return for the web address go.spaceshipads.com-afu.php-zone in STIX format.
Below is an example of investigation results that Kaspersky Threat Intelligence Portal may return for the web address 54.171.124.134/upd/updsetup.exe in STIX format.
This section contains a description of Threat Lookup API results in JSON format.
The table below contains the possible sections available for a hash investigation in JSON format.
Certain objects can be assigned the suspicious status. Suspicious is the internal name that is only used to identify objects with a threat score between 50 and 74, and it means not trusted.
200 OK response parameters

| Section in API | Section in web interface | Description |
|---|---|---|
| LicenseInfo | — | Information on the license used. |
| Zone | On the Threat Lookup results page, the panel with the requested object and its status appears in a certain color, depending on the zone of the investigated object. | Color of the zone that a hash belongs to. |
| RelatedObjects | — | Information about the presence of malicious objects associated with the indicator. |
| FileGeneralInfo | Overview | General information about the requested hash. |
| DetectionsInfo | Detection names | Information about detected objects. |
| FilePaths | File paths | Information about known paths to the file identified by the requested hash on computers using Kaspersky software. |
| FileNames | File names | Information about known names of the file identified by the requested hash on computers using Kaspersky software. |
| FileDownloadedFromUrls | File downloaded from URLs and domains | Information about web addresses and domains from which the file identified by the requested hash was downloaded. |
| FileAccessedUrls | File accessed the following URLs | Information about web addresses that were accessed by the file identified by the requested hash. |
| FileStartedObjects | File started the following objects | Information about objects that were started by the file identified by the requested hash. |
| FileStartedBy | File was started by the following objects | Information about objects that started the file identified by the requested hash. |
| FileDownloadedObjects | File downloaded the following objects | Information about objects that were downloaded by the file identified by the requested hash. |
| FileDownloadedBy | File was downloaded by the following objects | Information about objects that downloaded the file identified by the requested hash. |
| FileCertificates | File signatures and certificates | Information about signatures and certificates of the file identified by the requested hash. |
| FileParentCertificates | Container signatures and certificates | Information about container certificates of the file identified by the requested hash. |
| FileUnpackedFrom | File was unpacked from the following objects | Information about parent objects of the file identified by the requested hash. |
| FileUnpackedObjects | File contains the following objects | Information about child objects of the file identified by the requested hash. |
| SimilarFiles | Similar files | |
| DataFeeds | Data Feeds | List of Threat Data Feeds that contain information about the requested hash. If the requested hash is not mentioned in Threat Data Feeds, this section is not returned. |
The table below contains the possible sections available for an IP address investigation in JSON format.
Certain objects can be assigned the suspicious status. Suspicious is the internal name that is only used to identify objects with a threat score between 50 and 74, and it means not trusted.
For reserved IP addresses, only the LicenseInfo, Zone, IpGeneralInfo, and IpWHOIS sections are provided.
200 OK response parameters

| Section in API | Section in web interface | Description |
|---|---|---|
| LicenseInfo | — | Information on the license used. |
| Zone | On the Threat Lookup results page, the panel with the requested object and its status appears in a certain color, depending on the zone of the investigated object. | Color of the zone that an IP address belongs to. |
| RelatedObjects | Files related to IP address | Information about the presence of malicious objects associated with the indicator. |
| IpGeneralInfo | Overview | General information about the requested IP address. |
| FilesDownloadedFromIp | — | Information about files that were downloaded from the requested IP address and from domains that resolve to it, and MD5 hashes of files that accessed the requested IP address. |
| HostedUrls | Hosted URLs | Information about web addresses of the domain that resolves to the requested IP address. |
| FeedMasks | URL masks | Information about the web address covered by the mask. |
| IpWhoIs | WHOIS | WHOIS information about the requested IP address. |
| IpDnsResolutions | DNS resolutions for IP address | Information about DNS resolutions for the requested IP address. |
| IPSpamInfo | Spam attacks | Information about spam attacks associated with the requested IP address. |
| IPPhishingInfo | Phishing attacks | Information about phishing attacks associated with the requested IP address. |
| | Data Feeds | List of Threat Data Feeds that contain information about the requested IP address. If the requested IP address is not mentioned in Threat Data Feeds, this section is not returned. |
The table below contains the possible sections available for a domain investigation in JSON format.
Certain objects can be assigned the suspicious status. Suspicious is the internal name that is only used to identify objects with a threat score between 50 and 74, and it means not trusted.
200 OK response parameters

| Section in API | Section in web interface | Description |
|---|---|---|
| LicenseInfo | — | Information on the license used. |
| Zone | On the Threat Lookup results page, the panel with the requested object and its status appears in a certain color, depending on the zone of the investigated object. | Color of the zone that a domain belongs to. |
| RelatedObjects | — | Information about the presence of malicious objects associated with the indicator. |
| DomainGeneralInfo | Overview | General information about the requested domain. |
| FilesAccessed | Files that accessed the requested domain | Information about files that accessed the requested domain. |
| FilesDownloaded | Files downloaded from requested domain | Information about objects that were downloaded from the requested domain and web addresses of the requested domain. |
| Subdomains | Subdomains | Information about hosts related to the requested domain (subdomains). |
| UrlReferrals | Referrals to domain | Information about web addresses that refer to the requested domain. |
| UrlReferredTo | Domain referred to the following URLs | Information about web addresses that the requested domain refers to. |
| DomainWhoIsInfo | WHOIS | WHOIS information about the requested domain. |
| DomainDnsResolutions | DNS resolutions for domain | Information about DNS resolutions for the requested domain. |
| FeedMasks | URL masks | Information about the requested domain and web address masks detected by Kaspersky expert systems. |
| hostSimilarDomains | Similar domains | Information about domains whose names are close in spelling to the name of the requested domain. |
| hostSpamInfo | Spam attacks | Information about spam attacks associated with the requested domain. |
| hostPhishingInfo | Phishing attacks | Information about phishing attacks associated with the requested domain. |
| | Data Feeds | List of Threat Data Feeds that contain information about the requested domain. If the requested domain is not mentioned in Threat Data Feeds, this section is not returned. |
The table below contains the possible sections available for a web address investigation in JSON format.
Certain objects can be assigned the suspicious status. Suspicious is the internal name that is only used to identify objects with a threat score between 50 and 74, and it means not trusted.
200 OK response parameters

| Section in API | Section in web interface | Description |
|---|---|---|
| LicenseInfo | — | Information on the license used. |
| Zone | On the Threat Lookup results page, the panel with the requested object and its status appears in a certain color, depending on the zone of the investigated object. | Color of the zone that a web address belongs to. |
| RelatedObjects | — | Information about the presence of malicious objects associated with the indicator. |
| UrlGeneralInfo | Overview | General information about the requested web address. |
| FilesAccessed | Files that accessed requested URL | Information about MD5 hashes of files that accessed the requested web address. |
| FilesDownloaded | Files downloaded from requested URL | Information about objects that were downloaded from the requested web address. |
| UrlReferrals | Referrals to requested URL | Information about web addresses that refer to the requested web address. |
| UrlReferredTo | Requested object linked, forwarded, or redirected to the following URLs | Information about web addresses that the requested object linked, forwarded, or redirected to. |
| UrlDomainWhoIs | WHOIS | WHOIS information about the domain of the requested web address. |
| DomainDnsResolutions | DNS resolutions for domain | Information about DNS resolutions for the domain of the requested web address. |
| FeedMasks | URL masks | Information about masks of the requested web address domain that are detected by Kaspersky expert systems. |
| UrlSpamInfo | Spam attacks | Information about spam attacks associated with the requested web address. |
| UrlPhishingInfo | Phishing attacks | Information about phishing attacks associated with the requested web address. |
| | Data Feeds | List of Threat Data Feeds that contain information about the requested web address. If the requested web address is not mentioned in Threat Data Feeds, this section is not returned. |
Kaspersky Threat Intelligence Portal automatically detects the type of an executed file if you do not specify it manually when creating a file execution task (Executing a file, Starting a file upload and execution).
This section lists the possible file types. The list of file types is not fixed and can be modified during a component update.
3
3gp.
7
7z.
A
a3x, access, ace, adts, alzip, amr, andbxml, apk, apple_enc, arch, arj, asf, au3, avi.
B
beam, bencode, binder, bmp, bplist, bzip2.
C
cab, cert, chm, class, cmd, coff, cpl, crx, csc.
D
daa, dds, delta_compr, dex, dicom, djvu, dll, doc, docm, docx, dotm, dotx, dqy, dsstore, dwg.
E
emf, eml, eot, exe.
F
f4v, flac, flv, freearch, fxc.
G
gbi, gif, gz.
H
hlp, hta, html.
I
ico, iqy, iso.
J
jar, jetdb, jetdb2016, jpeg, js, jsc, jse, jserobj.
K
khi.
L
le, leveldb, lha, lnk, lx.
M
macho, midi, mkv, mo, mp3, mpp, msbuild, msg, msi, mz.
N
ne, nls.
O
odex, odp, ods, odt, ogg, one.
P
pack200, pcap, pdb, pdf, pe64_com, pe64_cpl, pe64_dll, pe64_exe, pe64_srv, pe64_sys, pe_com, pe_cpl, pe_dll, pe_exe, pe_srv, pe_sys, pea, pl, png, potm, potx, ppam, ppsm, ppsx, ppt, pptm, pptx, ps1, psd, pst, pub, pycode.
R
rar, raw, reg, ri64, riff, riffw64, rpm, rqy, rtf.
S
script, sct, sdb, sh, sqlite, svg, swf, sylk, szdd.
T
tar, tga, tiff, tnef, ts, ttcf, ttf, txt, type1_font.
U
udif.
V
vba, vbe, vbs, vsd, vsdx, vss.
W
wav, webm, wim, wmf, woff, wordml, wsf.
X
xap, xar, xcf, xlam, xls, xlsb, xlsm, xlsx, xltm, xltx, xml, xpi, xsl, xz.
Z
z, zip, zlibstream.
This section describes the categories that Kaspersky Threat Intelligence Portal returns for IP addresses.
IP address categories

| Category name | Category code (used in API and exporting) | Description |
|---|---|---|
| APT | CATEGORY_APT | The host with this IP address is related to an APT attack and/or mentioned in a report. |
| APT C&C Tracking | CATEGORY_APT_CNC_TRACKING | IP addresses involved in Advanced Persistent Threat (APT) infrastructure as Command and Control (C&C) servers. |
| Botnet C&C | CATEGORY_BOTNET_CNC | Command and control (C&C) servers that remotely send malicious commands to a botnet, or other resources, access to which indicates a possible infection. |
| Compromised | CATEGORY_COMPROMISED | The host with this IP address is usually legitimate but is infected or compromised at the moment of the analysis. |
| Crimeware | CATEGORY_CRIMEWARE | The host with this IP address is used in attacks on any organization for the purpose of stealing or extorting funds. |
| Denial of service attacks | CATEGORY_NETATTACK_DDOS | The host with this IP address performs DDoS attacks. |
| Industrial Threat | CATEGORY_ICS_THREAT | The host with this IP address is used in malicious campaigns targeting industrial organizations, as well as in exploitation of vulnerabilities found in the most popular industrial control systems and underlying technologies. |
| Intrusion attacks | CATEGORY_NETATTACK_INTRUSION | External IP addresses attempting exploitation, potentially leading to remote code execution. |
| Malware | CATEGORY_MALWARE | The host with this IP address hosts malware. |
| Multi-User IP | CATEGORY_NAT_GATEWAY | IP addresses related to Network Address Translation (NAT) gateways. |
| Network port scanning | CATEGORY_NETATTACK_SCAN | Systematic scanning activity, often a precursor to more targeted attacks (searching for network vulnerabilities). |
| Password brute-force attempts | CATEGORY_NETATTACK_BRUTEFORCE | Repeated and aggressive attempts to gain unauthorized access by systematically trying different user name and password combinations. |
| Phishing | CATEGORY_PHISHING | The host with this IP address hosts phishing web pages. |
| Proxy | CATEGORY_PROXY | A public proxy server. |
| Sinkhole | CATEGORY_SINKHOLE | Traffic directed towards a sinkhole, a network component employed by anti-malware researchers to redirect and isolate malicious traffic away from its intended targets. |
| Spam | CATEGORY_SPAM | The IP address sends spam. |
| Tor Exit Node | CATEGORY_TOR_EXIT_NODE | A Tor exit node. |
| Tor Node | CATEGORY_TOR_NODE | A Tor node. |
| VPN | CATEGORY_VPN | The host with this IP address is used by public VPN providers to host VPN servers. |
When working with Dark web or Surface web data, you typically run a custom search based on keywords: your company, brand, or product name, or unique strings related to your organization.
For Dark web posts, social media publications, and other hidden publications, Kaspersky Threat Intelligence Portal supports simple Elasticsearch queries.
The following search operators can be used:
Example: keyword1 + keyword2 — returns messages containing both keyword1 and keyword2.
Example: -keyword1 — returns messages that do not contain keyword1.
Example: keyword1 keyword2 / keyword1 | keyword2 — returns messages containing keyword1 or keyword2.
Example: "keyword1 keyword2".
Example: keyw* — returns all messages containing words that begin with keyw: keyword1, keyword2, keywhat, etc.
Example: darknet_site.com* — returns all publications found on the darknet_site.com web site. Do not include the scheme (HTTP or HTTPS) or the slash character (/) in the search.
Example: (keyword1 | keyword2) + YYYY* — returns messages for the specified year (YYYY) that contain keyword1 or keyword2.
Example: keyword~2 — returns messages containing words that are within two edits of keyword.
Example: "keyword1 keyword2"~2 — returns messages in which up to two changes in word order are allowed to match the "keyword1 keyword2" phrase.
Example: \" + keyw* — returns messages containing " (double quotes) and keyword1, keyword2, keywhat, etc.
Example: "Kaspersky Lab" + -keys + 202112* — returns messages that contain the phrase "Kaspersky Lab" and do not contain the word "keys", posted in December 2021.
More information on the syntax and on working with search operators is available at: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-simple-query-string-query.html#simple-query-string-syntax.
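As an added example, not code from the portal or from Elastic, the following Python assembles a query string in the operator syntax described above from a list of brand keywords. The point it adds to the examples is escaping: a product name that itself contains +, |, quotes, parentheses, ~ or * would otherwise be read as operators, so `escape_term` backslash-escapes them the way the page's own \" example does. The keyword list, excluded words, period and site are constructed sample input; `build_query`, `escape_term` and `quote_term` are names chosen here.

```python
import re

# Operator characters of the simple query syntax used by the search field; a
# preceding backslash makes them literal (the page's own \" example).
_OPERATORS = re.compile(r'([+|\-"*()~\\])')


def escape_term(term: str) -> str:
    """Backslash-escape operator characters so a brand or product name is matched literally."""
    return _OPERATORS.sub(r"\\\1", term)


def quote_term(term: str) -> str:
    """Multi-word keywords become an exact phrase; single words are left bare."""
    escaped = escape_term(term)
    return f'"{escaped}"' if " " in term.strip() else escaped


def build_query(keywords, exclude=(), period=None, site=None, fuzz=0):
    """Assemble one query string:
      keywords -> any of them (single words bare, phrases quoted), OR-ed with |
      exclude  -> words that must not appear (-word)
      period   -> YYYY or YYYYMM, matched as a prefix (period*)
      site     -> host to restrict to (host*); scheme and path are stripped as the page requires
      fuzz     -> edit distance for words / slop for phrases (term~N)
    The groups are joined with +, so every group must match."""
    if not keywords:
        raise ValueError("at least one keyword is required")
    terms = [quote_term(k) for k in keywords]
    if fuzz:
        terms = [f"{t}~{int(fuzz)}" for t in terms]
    parts = [f"({' | '.join(terms)})" if len(terms) > 1 else terms[0]]
    parts += [f"-{quote_term(word)}" for word in exclude]
    if period:
        if not re.fullmatch(r"\d{4}(\d{2})?", period):
            raise ValueError("period must be YYYY or YYYYMM")
        parts.append(f"{period}*")
    if site:
        host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", site.strip(), flags=re.I).split("/")[0]
        parts.append(f"{escape_term(host)}*")
    return " + ".join(parts)


if __name__ == "__main__":
    # Constructed brand list: the second name contains a literal plus sign.
    print(build_query(["Kaspersky Lab", "Acme+Widgets"], exclude=["keys"], period="202112"))
```

With the page's own example input the builder reproduces the page's last example verbatim, which is a cheap way to check that new monitoring keywords are being combined the way you expect before they are pasted into the search field.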
Kaspersky Threat Intelligence Portal supports various archive formats that can be unpacked during object execution.
The list of archive formats is not fixed and can be modified during a component update.
7
7z.
A
ACE, ALZ, ARJ.
B
BZ2.
C
CAB.
F
FXC.
G
GZ.
H
HKI.
L
LHA, LZH.
P
PEA.
R
RAR.
T
Tar.
X
XZ.
Z
Z, ZIP.
Kaspersky Threat Intelligence Portal allows you to start object execution with specific command line parameters. The Command line parameters field is optional and is available only when a Microsoft Windows execution environment is selected.
You can use environment variables by placing the % sign in front of and after the variable name, for example: %SYSTEMROOT%. By default, the environment variables are expanded on the user's host before the object is transferred to and executed in the Sandbox. To transfer environment variables to the Sandbox as is, without expansion, use the %% sign, for example: %%SYSTEMROOT%%.
The command line may contain a $sample variable that will be replaced in the Sandbox with the actual path to the object in the operating system (for example, <notepad path> /A $sample).
A command in the command line must not exceed 1024 characters; otherwise, Kaspersky Threat Intelligence Portal shortens it. Depending on the technical constraints of the operating system that is used as an execution environment in the Sandbox, the command may be shortened further.
Examples:
Specify an application that you want to execute the object with:
Specify a file to write the output of the object to:
Execute an object and write the output into a file that includes the computer name as the file name:
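As an added example, not the portal's code, the following Python models the two expansion stages described above: on the analyst's host, %VAR% is replaced from the local environment while %%VAR%% and $sample pass through unchanged; in the Sandbox, $sample becomes the object's path. That the Sandbox expands %%VAR%% from its own environment, that an unknown variable is left literal, and that the 1024-character limit is applied as a plain truncation are assumptions of this model; the command line and the environment values are constructed, and `prepare_on_host` and `resolve_in_sandbox` are names chosen here.

```python
import re

HOST_LIMIT = 1024  # the portal shortens command lines longer than this (per the page)

# %NAME% with exactly one percent sign on each side; %%NAME%% must not match here.
_SINGLE = re.compile(r"(?<!%)%([A-Za-z_][A-Za-z0-9_()]*)%(?!%)")
# %%NAME%% as written by the analyst to defer expansion to the Sandbox.
_DOUBLE = re.compile(r"%%([A-Za-z_][A-Za-z0-9_()]*)%%")


def _lookup(env: dict, name: str):
    """Windows environment variable names are case-insensitive."""
    for key, value in env.items():
        if key.upper() == name.upper():
            return value
    return None


def prepare_on_host(cmd: str, host_env: dict) -> str:
    """The command line as it leaves the analyst's host: %VAR% expanded from host_env,
    %%VAR%% and $sample passed through unchanged, then cut to HOST_LIMIT characters.
    Leaving an unknown %VAR% literal and truncating are assumptions of this model."""
    def expand(match):
        value = _lookup(host_env, match.group(1))
        return match.group(0) if value is None else value
    return _SINGLE.sub(expand, cmd)[:HOST_LIMIT]


def resolve_in_sandbox(cmd: str, sample_path: str, sandbox_env: dict) -> str:
    """Assumed Sandbox side: %%VAR%% is expanded from the Sandbox's own environment
    and $sample is replaced with the path the object was written to."""
    def expand(match):
        value = _lookup(sandbox_env, match.group(1))
        return match.group(0) if value is None else value
    return _DOUBLE.sub(expand, cmd).replace("$sample", sample_path)


# Constructed sample values (no real machines).
HOST_ENV = {"SystemRoot": r"C:\Windows", "COMPUTERNAME": "ANALYST-PC"}
SANDBOX_ENV = {"SystemRoot": r"C:\Windows", "COMPUTERNAME": "SANDBOX01"}
# "<notepad path> /A $sample" is the shape of the page's own example; the redirection
# names the log after the Sandbox machine (%%COMPUTERNAME%%), not the analyst's host.
COMMAND = r"%SYSTEMROOT%\notepad.exe /A $sample > %%SYSTEMROOT%%\Temp\%%COMPUTERNAME%%.log"


def demo():
    """Return (what is sent to the Sandbox, what the Sandbox finally runs)."""
    sent = prepare_on_host(COMMAND, HOST_ENV)
    return sent, resolve_in_sandbox(sent, r"C:\Users\user\Desktop\sample.bin", SANDBOX_ENV)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The practical point is the difference between the two forms: %COMPUTERNAME% would bake the analyst's machine name into the command before upload, which is both a small information leak into the task and not what the "write the output into a file that includes the computer name" example intends, whereas %%COMPUTERNAME%% is resolved only inside the Sandbox.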
Environment variables usage
The original table marks, for each variable, whether it is set in the Microsoft Windows 10 x64, Microsoft Windows 7 x64, Microsoft Windows 7, and Microsoft Windows XP execution environments; only the variable names survive in this copy:
ALLUSERSPROFILE, APPDATA, CLIENTNAME, CommonProgramFiles, CommonProgramFiles(x86), CommonProgramW6432, COMPLUS_ProfAPI_ProfilerCompatibilitySetting, COMPUTERNAME, ComSpec, COR_ENABLE_PROFILING, COR_PROFILER, DriverData, FP_NO_HOST_CHECK, HOME, HOMEDRIVE, HOMEPATH, LOCALAPPDATA, LOGNAME, LOGONSERVER, NUMBER_OF_PROCESSORS, OneDrive, OS, Path, PATHEXT, PROCESSOR_ARCHITECTURE, PROCESSOR_IDENTIFIER, PROCESSOR_LEVEL, PROCESSOR_REVISION, ProgramData, ProgramFiles, ProgramFiles(x86), ProgramW6432, PROMPT, PSModulePath, PUBLIC, PWD, SESSIONNAME, SHELL, SHLVL, SystemDrive, SystemRoot, TEMP, TERM, TMP, USER, USERDOMAIN, USERDOMAIN_ROAMINGPROFILE, USERNAME, USERPROFILE, windir, windows_tracing_flags, windows_tracing_logfile, XDG_RUNTIME_DIR, XDG_SEAT, XDG_SESSION_ID, XDG_VTNR.
Kaspersky Threat Intelligence Portal allows you to select a region or an individual country for the network channel that the executed file uses to access the internet. The list of available channels includes both regions and individual countries through which the executed file can access the internet.
The table below describes the available internet channel parameter values. For other regions, the value detected by Kaspersky Threat Intelligence Portal during the file execution is displayed.
Available internet channel parameter values

| Value in website | Value in API | Description |
|---|---|---|
| Any channel | any | The internet channel belongs to any region and does not direct traffic through the Tor network. If no region is available, the Tarpit value is selected. |
| Tor | tor | The internet channel does not belong to any region and directs traffic through the Tor network. |
| Tarpit | tarpit | Access to the internet is emulated. This option is used when the internet is not available or the analyzed object should not have access to the internet. |
Kaspersky Threat Intelligence Portal uses the following default passwords to unpack password-protected archives, if you did not specify a password when creating an object analysis task. These passwords can be used both for Kaspersky Sandbox and Kaspersky Threat Attribution Engine tasks.
The table below describes the structure of a JSON file that includes metadata about a phishing attack. You can download an archive containing the JSON file via the Kaspersky Threat Intelligence Portal web interface or an API method.
The described fields are optional and may be omitted in the JSON file if the relevant information is not available. Also, the JSON file may contain fields that are not described in the table.
JSON fields

| Field | Description |
|---|---|
| | Phishing web address. |
| | Indicator that shows whether the phishing web address redirects to another web address ( |
| | Web address which the phishing web address redirects to. |
| | Name of the brand mentioned on the web page located at the phishing web address. |
| | Date and time when the phishing web address was first detected, specified in the UNIX time stamp system (number of seconds elapsed since 00:00:00 UTC, 1 January 1970). For a web address detected for the first time, the values of the |
| | Date and time when the phishing web address was last detected, specified in the UNIX time stamp system (number of seconds elapsed since 00:00:00 UTC, 1 January 1970). |
| | Phishing web address popularity index for the last three months. |
| | Top 10 countries from which Kaspersky users have accessed the phishing web address in the last three months. |
| | IP addresses to which the phishing web address resolves. |
| | Types of stolen data. |
| | Type of attack. |
| | Section containing WHOIS information about an object. |
| | Name of an object for which WHOIS information is provided. |
| | Section containing general information about the object specified in the |
| | Date of the last information update about the domain or network in the registrar database. |
| | Date of the domain or network registration. |
| | Date until which the domain registration is paid. |
| | Network ID, the unique descriptor assigned to the network by the registrar. |
| | Maximum value of the IP address range in the network. |
| | Minimum value of the IP address range in the network. |
| | DNS server name. |
| | Object status. |
| | Country code. |
| | Description of a domain or network. |
| | Network name, the unique descriptor assigned to the network by the registrar. |
| | Data source. |
| | Section containing contact information. |
| | Name of the domain or network owner. |
| | Name of the organization that owns the domain or network. |
| | Contact role (owner, admin, tech). |
| | Address where the contact is registered. |
| | Country in which the contact is registered. |
| | City in which the contact is registered. |
| | Date when the contact information was last modified. |
| | Contact registration date. |
| | Contact email address. |
| | Contact ID, the unique descriptor assigned to the contact by the registrar. |
| | Contact phone number. |
| | Contact fax number. |
| | Data source for the contact. |
| | Contact description. |
APT C&C Tracking Service delivers IP addresses of infrastructure connected to advanced threats. For each IP address, there is a name of an APT group, operation, or malware it is associated with, internet service provider, and autonomous system, collection of associated IP addresses hosting information, and dates when this was first and last seen.
A report on advanced persistent threats (APT) that includes investigation results and full technical data. APT Intelligence reports are provided in PDF, OpenIOC, YARA Rules, and Suricata Rules formats. Available formats depend on a user's license type.
Resource that is usually legitimate but is infected or compromised at the moment of the analysis.
A report that provides information on attacks on a bank's infrastructure, ATMs, and point-of-sale (POS) devices. It describes mobile Trojan bankers, new cyber-criminal techniques to bypass security solutions, and hybrid attacks, with monitoring of cyber-criminal activities at an early stage. Crimeware Threat Intelligence reports are provided in PDF, OpenIOC, YARA Rules, and Suricata Rules formats. The formats available depend on a user's license type.
The utility that can be used to run lookup searches and report requests by using the Kaspersky Threat Intelligence Portal API.
Recently published topics, comments, or advertisements on the Dark web forums, shops, communication channels, and onion sites.
Defacement (also website or web defacement) is an attack on a website that alters its visual appearance or informational content.
A report that contains threat intelligence that is specific for your organization. Digital Footprint Intelligence reports provide information about the following: identification of threat vectors, malware and cyberattack tracking analysis, third-party attacks, information leakage, and current attack status.
The certificate used by Kaspersky Threat Intelligence Portal for customer authentication when working with the service online and/or using the Kaspersky Threat Intelligence Portal API. The certificate and its password are provided by a Kaspersky Technical Account Manager.
Provided permissions depend on Kaspersky Threat Intelligence Portal user's account settings and can be changed by a Kaspersky Technical Account Manager.
Kaspersky Industrial Threat Intelligence Reporting Service provides customers with heightened intelligence and awareness of malicious campaigns targeting industrial organizations, as well as information on vulnerabilities found in the most popular industrial control systems and underlying technologies. Industrial reports are provided in PDF, OpenIOC, YARA Rules, and Suricata Rules formats. Available formats depend on a user's license type.
The utility that can be used to run requests using the Kaspersky Threat Intelligence Portal API. The utility can be downloaded from this Help document.
Any kind of information related to the company that was found on online content-hosting services such as Pastebin: compromised employee accounts, clients' bank cards, credentials for access to internal systems, and other sensitive information.
Notifications about malicious activity that involve company's resources. Provides alerts on:
A cryptographic hash function that produces a 128-bit hash value. The 128-bit hash value is represented as a sequence of 32 hexadecimal digits.
Information on the company's employees (email address, position, social network accounts, and more) found in public sources.
Ransomware is a type of Trojan that modifies user data on a victim's computer so that the victim can no longer use the data or fully run the computer. Once the data has been "taken hostage" (blocked or encrypted), the user receives a ransom demand. The demand tells the victim to send the malefactor money; on receipt of this, the cybercriminal promises to send a program to the victim to restore the data or the computer's performance.
An isolated safe environment that allows you to upload and execute files.
A cryptographic hash function that produces a 160-bit hash value. The 160-bit hash value is represented as a sequence of 40 hexadecimal digits.
A cryptographic hash function that produces a 256-bit hash value. The 256-bit hash value is represented as a sequence of 64 hexadecimal digits.
A group of reasons that the detection technology evaluated as unusual actions, insufficient to generate a complete incident, and thus listed for informational purposes or further investigation.
Continuously updated reports informing about risks and implications associated with cyber threats. Threat Data Feeds are available in JSON, CSV, OpenIOC, and STIX formats, and provided with connectors for SIEMs, including Splunk, ArcSight, IBM QRadar, RSA NetWitness, LogRhythm, and McAfee Enterprise Security Manager (ESM).
Notifications about newly discovered security issues on the company's network perimeter resource. Provides information about vulnerable or misconfigured service, and short-term recommendations for remediation.
Vulnerabilities of incorrectly designed, implemented, or configured web resources that could be exploited by attackers to compromise their integrity, availability, or confidentiality.
A protocol that is used for querying databases that store the registered users or assignees of internet resources such as domains, IP addresses, or autonomous systems.
Information about third-party code is contained in a file legal_notices.txt.
Registered trademarks and service marks are the property of their respective owners.
Adobe, Flash are either registered trademarks or trademarks of Adobe in the United States and/or other countries.
Apache is either a registered trademark or a trademark of the Apache Software Foundation.
iPhone, Safari are trademarks of Apple Inc.
Arm is a registered trademark of Arm Limited (or its subsidiaries) in the US and/or elsewhere.
Cisco is a registered trademark or trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Dropbox is a trademark of Dropbox, Inc.
Elasticsearch, Kibana, Logstash are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.
FortiSIEM is either a registered trademark or trademark of Fortinet, Inc. in the United States and/or other countries.
Google, Android, Chrome, Google Chrome are trademarks of Google LLC.
Intel, Pentium are trademarks of Intel Corporation in the U.S. and/or other countries.
IBM, QRadar are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide.
LinkedIn is a registered trademark or trademark of LinkedIn Corporation and its affiliates in the United States and/or other countries.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Cyber Kill Chain is a registered trademark or trademark of Lockheed Martin Corporation or its subsidiaries, in the United States and/or other countries or jurisdictions.
McAfee is a trademark or registered trademark of McAfee LLC or its subsidiaries in the United States and other countries.
Microsoft, Edge, Excel, Internet Explorer, Microsoft Edge, MS-DOS, Win32, Windows are trademarks of the Microsoft group of companies.
CVE is a registered trademark of The MITRE Corporation.
OVAL and the OVAL logo are registered trademarks of The MITRE Corporation.
Mozilla, Firefox are trademarks of the Mozilla Foundation in the U.S. and other countries.
OpenSSL is a trademark owned by the OpenSSL Software Foundation.
Java is a registered trademark of Oracle and/or its affiliates.
Python is a trademark or registered trademark of the Python Software Foundation.
Splunk is a trademark and registered trademark of Splunk Inc. in the United States and other countries.
PGP is a trademark or registered trademark of Symantec Corporation or its affiliates in the U.S. and other countries.
OpenAPI is a trademark of The Linux Foundation.
Tor is a trademark of The Tor Project, U.S. Registration No. 3,465,432.
The names, images, logos and pictures identifying UserGate's products and services are proprietary marks of UserGate and/or its subsidiaries or affiliates, and the products themselves are proprietary to UserGate.
UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company Limited.