Threat Lookup API

This section explains how to investigate objects by using the Kaspersky Threat Intelligence Portal API methods.

You can use the Threat Lookup API with an API token instead of a certificate, if your organization allows it.

Before working with the Kaspersky Threat Intelligence Portal API, you must accept the Terms and Conditions online in your browser at https://tip.kaspersky.com.

To run a request by using Kaspersky Threat Intelligence Portal API:

  1. Make sure that the application you use for working with Kaspersky Threat Intelligence Portal API uses the certificate you received from Kaspersky.
  2. In the Authorization field of the HEADER section, specify the user name and password that you received from Kaspersky or your administrator.
  3. Specify the Bearer authentication scheme.
  4. Specify the HTTP GET method.
  5. Enter your query in the following format:

    https://tip.kaspersky.com/api/<request type>/<request>?count=<records count>[&sections=<sections names>][&format=<result format>]

    Here:

    • <request type>—Type of the object that you want to investigate.

      Available values:

      • hash—Specify this value to investigate a hash.
      • ip—Specify this value to investigate an IP address. If you want an IP address to be processed as a web address, add the http:// or https:// prefix to the IP address in your request. For example, 82.118.16.30 is processed as an IP address, and http://82.118.16.30 is processed as a web address.
      • domain—Specify this value to investigate a domain.
      • url—Specify this value to investigate a web address. Use percent-encoding (URL encoding) to convert certain characters into a valid ASCII format.
    • <request>—Object that you want to investigate.

      The length of a web address is limited to a maximum of 2000 characters. If the requested web address length exceeds the limit, an HTTP error 414 (URI Too Long) is returned.

    • <records count>—Maximum number of records in each data group to display.

      If this parameter is not specified, up to 1000 records will be displayed. This restriction does not apply to DetectionsInfo and FileParentCertificates groups. For these groups all records are displayed regardless of the number of records.

    • <sections names>—Sections that you want to investigate for the requested object. Use the comma to specify several sections.

      Use the question mark (?) to separate the first parameter from the request. Use the ampersand (&) to separate parameters from each other. The parameters can be specified in any order.

      Dates in all sections are displayed in Coordinated Universal Time (UTC) format.

    • <result format>—Investigation result format.

      This is an optional parameter.

      Available values:

      • json—Investigation results are returned in JSON format.
      • stix—Investigation results are returned in STIX format. If this value is specified, the <records count> and <sections names> parameters are ignored: data from all groups is returned.

      If the <result format> parameter is not specified, investigation results are returned in JSON format.

      For detailed information about investigation results, see related sections: hashes, IP addresses, domains, and web addresses.
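The query format above can be assembled and checked on the client before any request is sent. The following is an added example, not code from Kaspersky or from this documentation. It makes three assumptions: the function name `build_lookup_url` is hypothetical, every reserved character of the object is percent-encoded, and the 2000-character limit is checked against the web address before encoding.

```python
import ipaddress
from urllib.parse import quote

BASE = "https://tip.kaspersky.com/api"
REQUEST_TYPES = {"hash", "ip", "domain", "url"}
FORMATS = {"json", "stix"}
MAX_URL_LEN = 2000  # longer web addresses are answered with HTTP 414


def build_lookup_url(request_type, obj, count=None, sections=None, fmt=None):
    """Return the GET URL for one lookup; raise ValueError on bad input."""
    if request_type not in REQUEST_TYPES:
        raise ValueError(f"unknown request type: {request_type!r}")
    if fmt is not None and fmt not in FORMATS:
        raise ValueError(f"unknown result format: {fmt!r}")
    if request_type == "ip":
        # A prefixed value such as http://82.118.16.30 is processed as a web
        # address, so only a bare address is accepted for the ip type here.
        try:
            ipaddress.ip_address(obj)
        except ValueError:
            raise ValueError("not a bare IP address; use the url type") from None
    if request_type == "url" and len(obj) > MAX_URL_LEN:
        # Assumption: the limit applies to the address before encoding.
        raise ValueError("web address exceeds 2000 characters (HTTP 414)")
    # Assumption: encode every reserved character, ':' and '/' included,
    # so the investigated object stays a single path segment.
    path = f"{BASE}/{request_type}/{quote(obj, safe='')}"
    params = []
    if fmt == "stix":
        # count and sections are ignored for STIX, so they are not sent.
        params.append("format=stix")
    else:
        if count is not None:
            if not isinstance(count, int) or count < 1:
                raise ValueError("count must be a positive integer")
            params.append(f"count={count}")
        if sections:
            # Several sections are separated by commas.
            params.append("sections=" + ",".join(sections))
        if fmt:
            params.append(f"format={fmt}")
    return path + ("?" + "&".join(params) if params else "")


if __name__ == "__main__":
    # Constructed sample input; DetectionsInfo is used only as a sample name.
    print(build_lookup_url("url", "http://example.com/a b?x=1", count=10,
                           sections=["DetectionsInfo"]))
```
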

See also:

Managing API token

Lookup request for hash

Lookup request for IP address

Lookup request for domain

Lookup request for web address

Percent-encoding for web address investigation

Working with ktl_lookup utility