Static Analysis Report API
Retrieve Spectra Core analysis results for a local sample
GET /api/v2/samples/{hash_value}/ticore/
Get the full Spectra Core static analysis report for the requested sample. The requested sample must be present on the appliance.
If the optional fields parameter is not provided in the request, all available parts of the static analysis report are returned in the response. With this parameter, users can select which parts of the report they want to receive in the response.
Request Format
Request Parameters
NAME | REQUIRED | DESCRIPTION | TYPE |
---|---|---|---|
hash_value | Required | Hash of the sample for which the analysis report should be returned. The sample must be present on the appliance. Supported hash types are SHA1, SHA256, SHA512, MD5. | path, string |
fields | Optional | Comma-separated list of report fields to include in the response. Supported values: sha1, sha256, sha512, md5, imphash, info, application, protection, security, behaviour, certificate, document, mobile, media, web, email, strings, interesting_strings, classification, indicators, tags, attack, story, signatures, browser, software_package, malware | query, string |
Request Examples
cURL
# If the appliance uses a self-signed SSL certificate, pass its CA certificate with --cacert /path/to/appliance-ca.pem.
# --insecure also works, but it disables certificate verification entirely and exposes the token to interception.
curl -X GET 'https://appliance.example.com/api/v2/samples/988881adc9fc3655077dc2d4d757d480b5ea0e11/ticore/?fields=sha256,story,interesting_strings' \
--header 'Authorization: Token exampletoken'
Python
import requests
# Change the values of token and hash_value
token = "exampletoken"
hash_value = "examplehash"
# Change the host name in the URL and the fields to be included in the response
url = f"https://appliance.example.com/api/v2/samples/{hash_value}/ticore/"
params = {"fields": "sha256,story,interesting_strings"}
headers = {
"Authorization": f"Token {token}"
}
# If the appliance uses a self-signed SSL certificate, point verify at its CA certificate
# (verify="/path/to/appliance-ca.pem") instead of disabling verification with verify=False
response = requests.get(url, headers=headers, params=params, timeout=30)
# Raise on 403 (not authorized) or 404 (sample not present on the appliance)
response.raise_for_status()
print(response.text)
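The request examples above send whatever hash and field list they are given and let the appliance reject mistakes. The helper below is an added example (not code from the page or from the vendor's SDK) that validates the hash type and the requested report sections locally before the call, performs the GET with TLS verification kept on (an appliance CA bundle can be supplied instead of disabling verification), and checks which requested sections actually came back. The base URL, token, hash values and the sample report dict are constructed for illustration.

```python
"""Helper for GET /api/v2/samples/{hash_value}/ticore/ (added example, not vendor code)."""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Report sections accepted by the optional ?fields= parameter, as listed on this page.
SUPPORTED_FIELDS = {
    "sha1", "sha256", "sha512", "md5", "imphash", "info", "application",
    "protection", "security", "behaviour", "certificate", "document", "mobile",
    "media", "web", "email", "strings", "interesting_strings", "classification",
    "indicators", "tags", "attack", "story", "signatures", "browser",
    "software_package", "malware",
}

# Hex-digest lengths of the hash types the endpoint accepts in the path.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def detect_hash_type(hash_value):
    """Return the hash type implied by the digest length, or raise ValueError.
    Rejecting a malformed hash locally saves a round trip that would end in 404."""
    value = hash_value.strip().lower()
    if not value or any(c not in "0123456789abcdef" for c in value):
        raise ValueError(f"not a hex digest: {hash_value!r}")
    if len(value) not in HASH_LENGTHS:
        raise ValueError(f"unsupported digest length {len(value)}")
    return HASH_LENGTHS[len(value)]


def is_supported_hash(hash_value):
    """True if hash_value is an MD5, SHA1, SHA256 or SHA512 hex digest."""
    try:
        detect_hash_type(hash_value)
        return True
    except ValueError:
        return False


def unsupported_fields(fields):
    """Sorted list of requested section names the endpoint does not know."""
    return sorted(set(fields) - SUPPORTED_FIELDS)


def build_ticore_request(base_url, token, hash_value, fields=None):
    """Build (url, headers) for the ticore endpoint; fields is an iterable of
    section names. Bad hashes or unknown sections raise before anything is sent."""
    detect_hash_type(hash_value)
    url = f"{base_url.rstrip('/')}/api/v2/samples/{hash_value.strip().lower()}/ticore/"
    if fields:
        bad = unsupported_fields(fields)
        if bad:
            raise ValueError(f"unsupported report fields: {bad}")
        # safe="," keeps the comma-separated list readable, as in the cURL example
        url += "?" + urllib.parse.urlencode({"fields": ",".join(fields)}, safe=",")
    return url, {"Authorization": f"Token {token}", "Accept": "application/json"}


def fetch_ticore_report(base_url, token, hash_value, fields=None, cafile=None, timeout=30):
    """Perform the GET and return the parsed JSON report. cafile is the appliance
    CA bundle for self-signed deployments; verification is never switched off."""
    url, headers = build_ticore_request(base_url, token, hash_value, fields)
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        # 403: the token is not authorized; 404: the sample is not on the appliance
        raise RuntimeError(f"ticore request failed with HTTP {err.code} for {url}") from err


def check_sections(report, fields=None):
    """Return (present, missing) for the requested sections (all supported ones
    when fields is None). An empty section is not necessarily an error: imphash,
    for example, is only produced for PE files."""
    wanted = list(fields) if fields else sorted(SUPPORTED_FIELDS)
    present = [f for f in wanted if report.get(f) not in (None, {}, [], "")]
    missing = [f for f in wanted if f not in present]
    return present, missing


if __name__ == "__main__":
    # Constructed values: replace with your appliance host, token and a present sample.
    wanted = ["sha256", "story", "interesting_strings"]
    report = fetch_ticore_report("https://appliance.example.com", "exampletoken",
                                 "988881adc9fc3655077dc2d4d757d480b5ea0e11", wanted,
                                 cafile="/path/to/appliance-ca.pem")
    present, missing = check_sections(report, wanted)
    print("present:", present, "missing:", missing)
```

The `fields` check is worth keeping even for interactive use: the endpoint silently ignores nothing you can rely on, and a typo such as `stroy` is easier to catch before the request than by noticing a section is missing from a large report.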
Response Format
Response Examples
{
"sha1": "988881adc9fc3655077dc2d4d757d480b5ea0e11",
"sha256": "aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f",
"sha512": "e79b8ad22b34a54be999f4eadde2ee895c208d4b3d83f1954b61...", # shortened for clarity
"md5": "14758f1afd44c09b7992073ccf00b43d",
"imphash": "...", # for PE files only
"info": {...},
"application": {...},
"protection": {...},
"security": {...},
"behaviour": {...},
"certificate": {...},
"signatures": {...},
"document": {...},
"mobile": {...},
"media": {...},
"web": {...},
"email": {...},
"strings": [...],
"interesting_strings": [...],
"classification": {...},
"indicators": [...],
"attack": [...],
"tags": [...],
"story": {...},
}
Response Fields
FIELD NAME | TYPE | DESCRIPTION |
---|---|---|
sha1 | string | SHA1 hash of the sample |
sha256 | string | SHA256 hash of the sample |
sha512 | string | SHA512 hash of the sample |
md5 | string | MD5 hash of the sample |
imphash | string | Import hash of the sample. Retrieved only for PE files |
info | object | Information about file type, size, embedded files, and hashes computed for the sample |
application | object | If the sample is an application, contains information about its structure and capabilities |
protection | object | Detected protection features and mechanisms such as cryptographic or compression algorithms |
security | object | Detected security-related features, such as exploits |
behaviour | object | Detected behavior properties of the sample |
certificate | object | Certificate-related information extracted from the sample, such as issuer, thumbprint, signature |
signatures | object | Signature-related information extracted from the sample, such as issuer, thumbprint, signature |
document | object | If the sample is a document, contains information about its structure and capabilities |
mobile | object | If the sample is a mobile application, contains information about its structure and capabilities |
media | object | If the sample is a multimedia file, such as an image, contains information about its properties |
web | object | If the sample is a web application or browser addon, contains information about its structure and capabilities |
email | object | If the sample is an email message, contains information about its metadata |
strings | array | Strings extracted from the sample |
interesting_strings | array | URI strings extracted from the sample |
classification | object | Sample status and source of classification |
indicators | array | Detected actions that the sample is capable of performing, and their descriptions |
attack | array | Spectra Core indicators mapped to MITRE ATT&CK technique IDs and techniques |
tags | array | Labels automatically generated by Spectra Core during analysis based on the sample’s metadata properties (“ticore”) or added by the users on the appliance (“user”) |
story | string | Natural language file behavior description |
browser | object | Browser-related data |
software_package | object | Software package data |
malware | object | Malware-related data |
Response Status Codes
CODE | DESCRIPTION |
---|---|
200 | OK |
403 | Forbidden. The request was not authorized |
404 | Not found. The requested sample is not present on the appliance |