Lookup request for IP address
This endpoint returns detailed information about a single IP address.
Request
Request method: GET
Endpoint: https://tip.kaspersky.com/api/ip/<request>
Parameters (request is part of the path; the others are query parameters):

request
IP address that you want to investigate.
If you want an IP address to be processed as a web address, add the http:// or https:// prefix to the IP address in your request. For example, 82.118.16.30 is processed as an IP address, and http://82.118.16.30 is processed as a web address.

count
Maximum number of records in each data group to display.
If this parameter is not specified, up to 1000 records are displayed. This restriction does not apply to the DetectionsInfo and FileParentCertificates groups; for these groups all records are displayed regardless of their number.

sections
Sections that you want to investigate for the requested IP address. Use a comma to specify several sections.

format
Investigation result format. Optional parameter.
Available values:
json — Investigation results are returned in JSON format.
stix — Investigation results are returned in STIX format. If this value is specified, the count and sections parameters are ignored: data from all groups is returned.
If the format parameter is not specified, investigation results are returned in JSON format.
Use the question mark (?) to separate the first query parameter from the request path. Use the ampersand (&) to separate parameters from each other. The parameters can be specified in any order.
Dates in all sections are given in Coordinated Universal Time (UTC).
Parameter values, including section names, are case-sensitive.
Request examples:
Investigate the FilesDownloadedFromIp, HostedUrls, IpWhoIs, and IpDnsResolutions sections for the IP address 103.234.36.190, using certificate and user credentials:
curl --cert <file name>.pem --user <user name> "https://tip.kaspersky.com/api/ip/103.234.36.190?sections=FilesDownloadedFromIp,HostedUrls,IpWhoIs,IpDnsResolutions&count=10&format=stix"
Run the same request by using an API token:
curl -H "Authorization: Bearer <API token>" "https://tip.kaspersky.com/api/ip/103.234.36.190?sections=FilesDownloadedFromIp,HostedUrls,IpWhoIs,IpDnsResolutions&count=10&format=stix"
Quote the URL in the shell: an unquoted & is a command separator, and everything after it would not be sent. Because these examples specify format=stix, the sections and count parameters are ignored and data from all groups is returned (see the format parameter above); omit format=stix to receive only the listed sections as JSON.
Responses
200 OK
Request processed successfully.
The table below lists the sections that can be returned for an IP address investigation.
Certain objects can be assigned the suspicious status. Suspicious is an internal name used only to identify objects with a threat score between 50 and 74; it means not trusted.
For reserved IP addresses, only the LicenseInfo, Zone, IpGeneralInfo, and IpWhoIs sections are provided.
200 OK response parameters

LicenseInfo
Information on the license used.
AccessType — License type ("Commercial" or "Trial").
DayRequests — Number of requests performed in the current day (for a commercial license).
DayQuota — Daily limit of requests (for a commercial license).
TokenExpirationDate — Date when the API token expires. If no API token was requested, the null value is returned.

Zone
Color of the zone that the IP address belongs to.

RelatedObjects
Information about the presence of malicious objects associated with the indicator.
HasRedZone — Shows whether there are malicious objects (zone=red) related to the indicator: true — there are related malicious objects; false — no related malicious objects.

IpGeneralInfo
General information about the requested IP address.
HitsCount — Hits number (popularity) of the requested IP address.
FirstSeen — Date and time (UTC) when the requested IP address first appeared in Kaspersky expert systems statistics.
ThreatScore — Probability (0 to 100) that the requested IP address is dangerous.
Ip — Requested IP address.
CountryCode — Two-letter country code (ISO 3166-1 alpha-2) of the country to which the IP address belongs. For reserved and undefined IP addresses, the NULL value is exported.
Status — Status of the IP address: Known if the country is detected, Reserved for reserved special-purpose IP addresses (see RFC 6890), and NoInfo for IP addresses that do not belong to any country and are not reserved.
Categories — Categories of the requested IP address.
CategoriesWithZone — Categories of the requested IP address and the zone that each category belongs to.
HasApt — Shows whether the requested IP address is related to an advanced persistent threat (APT) attack.
RelatedAptReports — Array of objects that describe the APT Intelligence reports, Crimeware Threat Intelligence reports, and ICS reports to which the requested IP address is related. Each object contains a report's ID, type, and title. The report ID can be used as the publication_id argument of the get_one endpoint, which returns specific information for a report. If the requested IP address is not related to any report, an empty array is returned.

FilesDownloadedFromIp
Information about files that were downloaded from the requested IP address and from domains that resolve to it.
Zone — Color of the zone that the file belongs to.
DownloadHitsCount — Number of times the file was downloaded from the requested IP address, as detected by Kaspersky expert systems.
Md5 — MD5 hash of the downloaded file.
LastSeen — Date and time (UTC) when the file was last downloaded from the requested IP address.
FirstSeen — Date and time (UTC) when the file was first downloaded from the requested IP address.
DetectionName — Name of the detected object.
Url — Web addresses used to download the file.

HostedUrls
Information about web addresses on domains that resolve to the requested IP address.
Zone — Color of the zone that the web address belongs to.
UrlHitsCount — Number of detections of the web address by Kaspersky expert systems.
Url — Detected web address (including web addresses that contain the requested IP address).
IsUrlTruncated — Shows whether private data was filtered out of the displayed web address.
FirstSeen — Date and time (UTC) when the web address was first detected.
LastSeen — Date and time (UTC) when the web address was last detected.

FeedMasks
Information about web addresses covered by a mask in the Threat Data Feeds.
Zone — Zone of the web address covered by the corresponding mask (Red, Orange, or Yellow).
Status — Danger level of the web address covered by the corresponding mask (Dangerous, Not trusted, or Adware and other).
NormalizedMask — Normalized mask of the web address.
FeedNames — Threat Data Feeds that contain the mask of the web address (Malicious URL Feed, Phishing URL Feed, Botnet CC URL Feed, APT URL Feed, or APT IP Feed).
MaskType — Type of the mask.

IpWhoIs
WHOIS information about the requested IP address.
Type
Status — Status of the IP address: Known if the country is detected, Reserved for reserved special-purpose IP addresses (see RFC 6890), and NoInfo for IP addresses that do not belong to any country and are not reserved.
Asn — Autonomous system number, including:
  Origin
  Description
Net — Information about the network that the requested IP address belongs to, including:
  RangeStart
  RangeEnd
  Created
  Changed
  Name
  Description
Contacts — Contact information for the owner of the requested IP address, including:
  Address
  OrganizationId
  Name
  ContactRole
  ContactType
  Fax
  Phone
  Email

IpDnsResolutions
Information about domains that resolve to the requested IP address.
Zone — Color of the zone that a domain (resolved to the requested IP address) belongs to.
Domain — Domain that resolves to the requested IP address.
FirstSeen — Date and time (UTC) when the domain first resolved to the requested IP address.
LastSeen — Date and time (UTC) when the domain last resolved to the requested IP address.
HitsCount — Number of times that the domain resolved to the requested IP address.
DailyPeak — Maximum number of resolutions of the domain to the requested IP address per day.
PeakDate — Date of the maximum number of resolutions of the domain to the requested IP address.
Categories — Categories of the requested IP address.

IPSpamInfo
Information about spam attacks associated with the requested IP address.
spam_attacks — Number of spam attacks.
spam_ratio — Ratio of spam generated by the requested IP address to the rest of the content.
last_attack_date — Date of the latest spam attack.
spam_attack_types — Array of attack types.

IPPhishingInfo
Information about phishing attacks associated with the requested IP address.
phishing_attacks — Number of phishing attacks.
last_attack_date — Date of the latest phishing attack.
regions — Top 10 regions affected by the phishing attacks.
phish_kit — Name of the phishing kit (a set of materials and tools) used during the phishing attack.
stolen_data_type — Type of data stolen during the phishing attack, for example, user names or passwords.
attacked_industry — Target industry of the phishing attack.
attacked_organization — Target organization of the phishing attack.
401 Unauthorized
Request not processed: user authentication failed.
Make sure that you entered the correct credentials, and then run the query again. If the problem recurs, contact your dedicated Kaspersky Technical Account Manager.
If you use an API token, the 401 code is also returned when the token's validity period has expired. Request a new API token, and then run the query again.
402 License Expired
Request not processed: license expired.
When the service license expires, access to the Kaspersky Threat Intelligence Portal API is prohibited. Contact your dedicated Kaspersky Technical Account Manager.
403 Forbidden
Request not processed: you do not have access to this service.
Purchase a license and try again.
451 Unavailable For Legal Reasons
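The following is an added example, not Kaspersky's code: it builds a lookup URL with the parameter rules above (case-sensitive section names, comma-separated sections, the http:// prefix switching the request to a web-address lookup, sections and count being ignored for format=stix), sends it with a Bearer token, maps the documented error codes to messages, and reduces a 200 OK body to the facts an analyst checks first (zone, threat score and the 50-74 suspicious band, HasRedZone, HasApt, red-zone domains and file hashes, the reserved-address case). The section and field names are taken from the tables on this page; the top-level JSON layout (one key per section), the case of the zone values, and the sample responses are constructed assumptions so that the triage runs offline.

```python
"""Added example (not Kaspersky's code): build a Threat Intelligence Portal IP
lookup request and triage the JSON body of a 200 OK answer. Section and field
names follow this page; the one-key-per-section layout, zone spelling and the
sample bodies below are constructed assumptions so the triage runs offline."""
import ipaddress
import json
import urllib.error
import urllib.parse
import urllib.request

BASE = "https://tip.kaspersky.com/api/ip/"
# Section names are case-sensitive; reject misspellings instead of sending them.
IP_SECTIONS = {"LicenseInfo", "Zone", "RelatedObjects", "IpGeneralInfo",
               "FilesDownloadedFromIp", "HostedUrls", "FeedMasks", "IpWhoIs",
               "IpDnsResolutions", "IPSpamInfo", "IPPhishingInfo"}
STATUS_NOTES = {  # non-200 codes documented for this endpoint
    401: "authentication failed or the API token has expired",
    402: "license expired; access to the API is prohibited",
    403: "no access to this service",
    451: "unavailable for legal reasons",
}


def build_lookup_url(target, sections=(), count=None, fmt=None):
    """Assemble the GET URL. A target with an http:// or https:// prefix is
    passed through untouched: the service then treats it as a web address."""
    if not target.startswith(("http://", "https://")):
        ipaddress.ip_address(target)  # ValueError for anything that is not an IP
    unknown = set(sections) - IP_SECTIONS
    if unknown:
        raise ValueError(f"unknown section(s): {sorted(unknown)}")
    if fmt == "stix":  # the service ignores sections and count for STIX output
        sections, count = (), None
    params = {}
    if sections:
        params["sections"] = ",".join(sections)
    if count is not None:
        params["count"] = str(count)
    if fmt is not None:
        params["format"] = fmt
    url = BASE + urllib.parse.quote(target, safe=":/")
    if params:  # keep commas unencoded so the sections list stays readable
        url += "?" + urllib.parse.urlencode(params, safe=",")
    return url


def lookup(target, token, **kw):
    """Run the request with an API token (network call, not exercised offline)
    and turn a documented error code into a readable exception."""
    req = urllib.request.Request(build_lookup_url(target, **kw),
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        note = STATUS_NOTES.get(err.code, "unexpected response")
        raise RuntimeError(f"HTTP {err.code}: {note}") from None


def _red(records):
    # The page writes both "Red" and "zone=red", so compare case-insensitively.
    return [r for r in records if str(r.get("Zone", "")).lower() == "red"]


def triage(answer):
    """Reduce a 200 OK body to the facts an analyst checks first."""
    general = answer.get("IpGeneralInfo", {})
    score = general.get("ThreatScore")
    verdict = {
        "ip": general.get("Ip"),
        "zone": answer.get("Zone"),
        "threat_score": score,
        # "Suspicious" is the portal's internal label for scores 50..74 (not trusted)
        "suspicious": score is not None and 50 <= score <= 74,
        "has_red_zone": bool(answer.get("RelatedObjects", {}).get("HasRedZone")),
        "has_apt": bool(general.get("HasApt")),
        "status": general.get("Status"),
        "red_domains": sorted(r["Domain"] for r in _red(answer.get("IpDnsResolutions", []))),
        "red_md5": sorted(f["Md5"] for f in _red(answer.get("FilesDownloadedFromIp", []))),
    }
    if verdict["status"] == "Reserved":
        verdict["note"] = "reserved address: only LicenseInfo, Zone, IpGeneralInfo and IpWhoIs are returned"
    return verdict


# Constructed sample bodies, not real portal output. 203.0.113.7 is a documentation
# address and a real lookup would report Status=Reserved; SAMPLE_KNOWN pretends it
# is routable so that the per-section triage has something to work on.
SAMPLE_KNOWN = json.loads("""{
  "LicenseInfo": {"AccessType": "Commercial", "DayRequests": 12, "DayQuota": 1000,
                  "TokenExpirationDate": null},
  "Zone": "Orange",
  "RelatedObjects": {"HasRedZone": true},
  "IpGeneralInfo": {"Ip": "203.0.113.7", "ThreatScore": 63, "Status": "Known",
                    "CountryCode": "ZZ", "HasApt": false, "Categories": ["CnC"]},
  "IpDnsResolutions": [{"Zone": "Red", "Domain": "bad.example", "HitsCount": 30},
                       {"Zone": "Green", "Domain": "cdn.example", "HitsCount": 900}],
  "FilesDownloadedFromIp": [{"Zone": "red", "Md5": "00000000000000000000000000000000",
                             "DetectionName": "Trojan.Generic", "DownloadHitsCount": 3}]
}""")
SAMPLE_RESERVED = {"Zone": "Green", "LicenseInfo": {"AccessType": "Trial"},
                   "IpGeneralInfo": {"Ip": "203.0.113.7", "ThreatScore": 0, "Status": "Reserved"}}
```

Validating the target with ipaddress before the request keeps shell quoting mistakes and typos from being billed against the daily quota, and rejecting unknown section names catches the case-sensitivity trap before the service silently returns nothing for the misspelled section.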