Skip to main content
Version: 5.2.0

Usage API

The usage API is the main interface for interacting with the file analysis engine.

With this API, users can submit files for analysis, check the status of file processing tasks, retrieve analysis reports when file processing is complete, and delete file processing tasks.

Worker API Authorization

The Worker can be configured to require an authorization token to be present in every API request. The authorization token is a string of alphanumeric characters, between 30 and 60 characters in length. There are several different tokens, depending on the accessed endpoint.

The authorization token should be provided in the HTTP Authorization header. The value of this field must be in this format:

Token exampletoken

where exampletoken should be replaced with the user's own authorization token string.

If the Worker is configured not to require an authorization token, the Authorization header field will be ignored.

curl https://tiscale-worker01/api/tiscale/v1/task/42 -H 'Authorization: Token exampletoken'

API Request Format

The base URL for the Spectra Detect API is in the following format:

https://{server}/api/tiscale/v1

API Response Status Codes

CodeNameDescription
200OKThe request has succeeded.
400Bad RequestThe request could not be understood by the server due to malformed syntax or missing parameters.
401UnauthorizedThe request requires authorization from the user.
403ForbiddenAuthorization has been provided in the request, but it is not valid.
404Not FoundThe server has not found anything matching the Request-URI.
500Internal Server ErrorThe server encountered an unexpected condition which prevented it from fulfilling the request.
503Service UnavailableThe server is currently unable to handle the request due to a temporary overloading or maintenance of the server. In case the Spectra Intelligence upload limit quota was exceeded, the response will contain the "Paused - TiCloud quota exceeded" error message. To continue analyzing files, users can temporarily disable Spectra Intelligence, wait until the daily quota renews, or contact ReversingLabs support to increase their daily upload limit. When using the Quotas API endpoints on a Worker instance without a configured Spectra Intelligence account, the response code will be 503, and the error message "TiCloud is not configured."

License appliances

Return License Information

Returns the current status and detailed licensing information for the appliance. If there is no machine ID, it will be generated, and the response will contain information associated with this newly generated machine ID.

Request

GET /api/license/v1/
curl https://tiscale-worker-01/api/license/v1/ -H 'Authorization: Token exampletoken'

Response

{
  "product" : "string",     // always "tiscale-worker"
  "machineId": "string",    // ID of the appliance
  "version": 1,             // version of the license file
  "serialNumber": "string", // serial number of the license file applied to the Worker
  "licenseType": "string",  // can either be to WILDCARD or REGULAR
  "company": "string",      // company name that the license file is provided for 
  "expiryDate": "string",   // date when the license will expire (YYYY-MM-DDTHH:mm:ssZ)
  "creationDate": "string", // starting date of the license
  "status": "string"        // licensing status
}

Description of fields:

  • licenseType can either be equal to WILDCARD or REGULAR:
    • WILDCARD licenses are independent of the machine ID and can last for a maximum of 45 days; trial licenses belong to this category
    • REGULAR licenses depend on the machine ID and have a custom duration
  • company is the company name that the license file is provided for; it will be equal to the Spectra Intelligence username in case the cloud is used for licensing
  • status can be one of the following:
    • VALID
    • ONLINE
    • INVALID
    • EXPIRED
    • NO_LICENSE
    • NO_MACHINE_ID

Return License Status

Returns the current licensing status of the appliance.

Request

GET /api/license/v1/status/
curl https://tiscale-worker-01/api/license/v1/status/ -H 'Authorization: Token exampletoken'

Response

{
  "status": "string"
}

Status can be one of the following:

  • VALID
  • ONLINE
  • INVALID
  • EXPIRED
  • NO_LICENSE
  • NO_MACHINE_ID

Generate Machine ID

Creates a new machine ID.

Request

POST http(s)://{server}/api/license/v1/machine-id/generate

The request body is empty.

curl -X POST https://tiscale-worker-01/api/license/v1/machine-id/generate -H 'Authorization: Token exampletoken'

Response

  • 200 OK

    { "machineId": "string" }

  • 500 Internal Server Error

    { "message": "string" }

Upload License File

Uploads a license file to the appliance. Not required for licenses configured using Spectra Intelligence.

Request

PUT /api/license/v1/upload

Content type: multipart/form-data

Example:

curl -X PUT https://tiscale-worker-01/api/license/v1/upload -H 'Authorization: Token exampletoken' -F 'file=@example_license_file'

Response

{
  "message": "string"
}

The message will differ depending on the response code:

  • 201: "License is applied"
  • 200: "License is already applied"
  • 400: returns an error message

Upload a file for processing

POST /api/tiscale/v1/upload

Description

Sends a file to the Worker or Hub. When the file is submitted for analysis via this endpoint, a file processing task is created and queued on the Worker. The API response includes a link to the processing task.

If the request is sent to a Hub with one or more connected Workers, the file(s) will be forwarded to the connected Workers using the round-robin scheduling algorithm, and the API response will include a link to the file processing task on the Worker. Analysis reports cannot be obtained from a Hub. To get the analysis report for each submitted file, users should send a request directly to the Worker using the link to the processing task returned in the API response. See Get information about a processing task for more information.

The file must be provided as an argument to the file parameter. The request payload type must be multipart/form-data.

Workers can be configured to require an authorization token in every API request. In that case, the Authorization header with a token must be included in the request. Users can provide an optional X-TiScale-Token header with a string that can be used to filter file processing tasks.

Users can also submit optional fields (also multipart/form-data) in the file upload request:

  • user_data

    type: string | format: JSON

    This parameter can be used to store metadata in the analysis reports sent to Splunk, or to enable additional report-related options. The report doesn't include the contents of user_data.

  • custom_data

    type: string | format: JSON

    This parameter can be used to append any additional information about a file to its analysis report. This allows users to filter, reference, or distinguish samples and their analysis reports more easily. The value provided in the parameter is saved and returned in all reports on the Worker appliance - in the Worker API response and the Callback response, in reports sent to Splunk, and in the reports saved to AWS S3 (if enabled).

    Note that it is not included in reports when the file has not been processed yet. If an integrity_check_hash field is included in the custom_data field, an integrity check of the uploaded file is triggered on the Worker. If the SHA1 hash of the uploaded sample doesn’t match the integrity_check_hash field sent by the client, the sample will be discarded with the following error message: "ERROR: Upload: failed to accept upload integrity check failed, calculated hash XX differs from the one passed in custom data YY." This field is optional and is implemented in the S3 connector.

    If the structure of custom_data isn't valid JSON, it will not be included in the report.

To get the analysis report for each submitted file, users should send a request to the Get information about a processing task endpoint.

note

Data retention

All processed files are deleted immediately after processing. The reports are retained on the Workers for up to 90 minutes (default value), configurable by the "Task Age Limit" setting in the Hub Configuration Group under Worker Configuration - Cleanup.

If a file is queued but not processed within the time configured by the "Unprocessed Task Limit", the processing task will be canceled, and the file will be deleted. However, the record of the unsuccessful task will still be present in the database for 1440 minutes (24 hours) before being deleted, as configured by the "File Age Limit" setting.

Request format

Request parameters

Parameter NameDescriptionRequired
filePath to the file that should be uploaded to the Worker for processing.Required
custom_dataAccepts any user-defined data as a JSON-encoded payload. This data is included in all file analysis reports (Worker API, Callback, AWS S3 and Splunk, if enabled) in its original, unchanged form. The custom_data field will not be returned in the taskinfo endpoint response if the file has not been processed yet.Optional
user_dataAdditional JSON-encoded payload can be supplied in a request in the user_data field. Portions of that data will be used in parts of the processing pipeline. The contents of user_data are not returned in the analysis report, except the network object in reports sent to Splunk (if configured). Supported objects are network, callbackOptional

user_data.network

Optional network-related metadata can be supplied in the file upload request. If the Worker is configured to integrate with Splunk, this network metadata will also be sent to Splunk.

{
  "network": {
    "src_ip": "10.1.10.42",
    "src_port": 10621,
    "dst_ip": "10.1.10.212",
    "dst_port": 8080
  }
}

user_data.callback

If the Callback feature is enabled and configured on the Worker instance, file analysis reports will be automatically sent to the configured Callback server. By default, only the medium (summary) report is sent to the Callback server.

However, users can include an optional callback JSON object in the user_data field of the file upload request to have an extended analysis report delivered to the Callback server. The prerequisite is that the Callback feature is enabled on the Worker instance.

{
  "callback": {
    "report_type": "large",
    "view": "flat",
    "url": "example.com:8080"
  }
}

By default, the report returned by the Worker is a medium (summary) report. Setting it to large will return the full report, whereas small and medium are default options that filter out certain fields.

The view parameter can be used to apply a custom view to the report. For example, to enable sending an extended analysis report for the submitted file to the Callback server, provide the view parameter with the extended value.

The url parameter specifies to which URL the report will be sent. If this is not specified, the report is sent to the default URL configured.

If there is no callback object in the file upload request, the Worker uses preconfigured values.

Request examples

curl -X POST https://tiscale-worker-01/api/tiscale/v1/upload -H 'Authorization: Token exampletoken' -F file=@Classification.pdf -F 'user_data={"callback" : {"view" : "flat", "report_type" : "large", "url": "https://example.com:8080" }}'

curl -X POST https://tiscale-worker-01/api/tiscale/v1/upload -H 'Authorization: Token exampletoken' -F file=@Classification.pdf -F 'custom_data={ "file_source" : { "uploader" : "malware_analyst", "origin" : "example" }}'

curl -X POST https://tiscale-worker-01/api/tiscale/v1/upload -H 'Authorization: Token exampletoken' -H 'X-TiScale-Token: Token custom' -F file=@Classification.pdf

For additional workflows, such as scanning entire directories, see our SDK documentation and its cookbook.

Response format

The response is a JSON-encoded object with a task_url field which contains the URL of the processing task started by the file submission.

If the task URL in the response is missing the server component, the same server value used for the file submission request should be used to access the task URL.

The response will also contain a link to an S3 report if an output report bucket is configured.

Response example

{
  "task_url": "https://tiscale-worker01:8080/api/tiscale/v1/task/1"
}

List processing tasks

GET /api/tiscale/v1/task?age=700&token=token

Description

Lists processing tasks generated by file submission requests.

When a file is submitted for analysis to a Worker, a file processing task is created and queued on the Worker server.

note

Data retention

All processed files are deleted immediately after processing. The reports are retained on the Workers for up to 90 minutes (default value), configurable by the "Task Age Limit" setting in the Hub Configuration Group under Worker Configuration - Cleanup.

If a file is queued but not processed within the time configured by the "Unprocessed Task Limit", the processing task will be canceled, and the file will be deleted. However, the record of the unsuccessful task will still be present in the database for 1440 minutes (24 hours) before being deleted, as configured by the "File Age Limit" setting.

This endpoint returns a list of processing tasks that have not yet expired; that is, tasks for which it is still possible to retrieve the analysis report. Every processing task is assigned a unique ID, returned in the task_id response field. This ID can be used in requests to other Worker API endpoints.

If the optional age parameter is supplied in the request, only tasks older than the specified number of seconds are returned in the response. Task age is calculated as being the difference between the current system timestamp and the timestamp of the task submission. Timestamps are specified in the Unix time format, as the number of seconds since 1970-01-01 00:00:00.

When submitting files for analysis, users can add an optional X-TiScale-Token header with a custom string to the file upload request. That custom string can be provided as the value for the optional token parameter in the request to this endpoint. The response will list only the tasks for files submitted with the specified custom string. These parameters should not be confused with the mandatory authorization token that must be provided in the header of every request.

Request format

Request parameters

Parameter NameDescriptionRequired
ageSpecify the number of seconds to filter processing tasks by age. When provided in the request, the API returns only those processing tasks that are older than the specified number of seconds. Task age is the difference between the current system time and the time when the file processing task was created.Optional
tokenSpecify a custom string to filter processing tasks, if there are any files that were uploaded with that custom string in the X-TiScale-Token header.Optional

Request examples

Listing all available tasks for files uploaded with a custom X-TiScale-Token string:

curl -X GET 'https://tiscale-worker-01/api/tiscale/v1/task?token=custom' -H 'Authorization: Token exampletoken'

Listing all available tasks older than 500 seconds:

curl -X GET 'https://tiscale-worker-01/api/tiscale/v1/task?age=500' -H 'Authorization: Token exampletoken'
import requests

url = "https://tiscale-worker-01/api/tiscale/v1/task"

querystring = {"age":"500"}

headers = {'Authorization': 'Token exampletoken'}

response = requests.request("GET", url, headers=headers, params=querystring)

print(response.text)

Response format

If the request was successfully sent, the response includes a 200 OK status code and the list of processing tasks for which it is still possible to retrieve the analysis report.

Response example

[
  {
    "submitted": 1481137280,
    "task_id": 27637,
    "processed": 1481137281
  },
  {
    "submitted": 1481137302,
    "task_id": 27638,
    "processed": 1481137303
  }
]

Response fields

Field NameDescription
submittedTimestamp indicating the time when the file was submitted for analysis, formatted as the number of seconds since 1970-01-01 00:00:00.
processedTimestamp indicating the time when the file was processed by the Worker, formatted as the number of seconds since 1970-01-01 00:00:00.
task_idUnique identification number assigned to each file processing task on the Worker instance. This task ID can be used in requests to other Worker API endpoints; for example, to retrieve the analysis report for a task, or to delete a task from Worker. To ensure backward compatibility with previous Worker versions, the task ID values are currently integers instead of strings.

Get information about a processing task

GET /api/tiscale/v1/task/{task_id}?report_type={large}&view={flat}

Description

Retrieves information about a completed file processing task.

The task_id parameter is required, as it specifies which processing task the user is interested in.

Obtaining the task ID

The unique ID value for every processing task is returned in the response when the file is submitted for analysis, as the last part of the task_url field. For example, in https://tiscale-worker01:8080/api/tiscale/v1/task/23, the task_id value is 23.

The task ID can also be obtained from the List processing tasks endpoint.

Request format

Request parameters

Parameter NameDescriptionType
task_idUnique identification number assigned to each file processing task on the Worker instance.path
report_typeApplied report filter (see Customizing Analysis Reports <report-customization>). If empty, a medium ("summary") report is returned.query
viewApplied report transformation.query

Deprecated and experimental parameters

These parameters are maintained for backward compatibility or are experimental.

  • include_fields

    experimental | query

    Instead of creating a report type as a configuration file, you can pass the fields you want to include as a query parameter. The format is: ?include_fields=["metadata.media.image.exif","classification"]. You can access nested fields using the dot (.) operator. All required fields should be passed as an array of strings in a single query parameter.

  • exclude_fields

    experimental | query

    Instead of creating a report type as a configuration file, you can pass the fields you want to exclude as a query parameter. The format is: ?exclude_fields=["metadata.media.image.exif","classification"]. You can access nested fields using the dot (.) operator. All required fields should be passed as an array of strings in a single query parameter.

  • full

    deprecated | query

    Specifies whether the full (value 1; equals true) or summary (value 0; equals false) report should be returned. If this parameter is not provided in the request, and the view parameter is, the built-in summary transformation will be applied to the analysis report view. To avoid this transformation, the full parameter should be set to true if the view parameter is set to extended.

  • v13

    deprecated | query

    Specifies whether the report should be returned in the format used on Worker 1.3 (value 1, equals true) or in an improved format (value 0, equals false). Reports in version 1.3 represented enumerated values in their internal numeric value instead of as descriptive string values.

    For example, metadata for application library types was returned as numerical values 0 through 13 in version 1.3 instead of labels "ad", "social", "graphical" in the current version. This parameter should be used only for backward compatibility purposes because it does not take advantage of caching, which may slow down the API requests.

Request examples

curl 'https://tiscale-worker-01/api/tiscale/v1/task/7?report_type=large&view=flat' -H 'Authorization: Token exampletoken'
import requests
url = "https://tiscale-worker-01/api/tiscale/v1/task/7"
query_params = {"report_type": "large", "view": "flat"}
auth = {'Authorization': 'Token exampletoken'}
response = requests.get(url, headers=auth, params=query_params)
print(response.text)

Response format

The response returns information about the requested file processing task, and if the task has completed successfully, includes the analysis report.

Field NameDescription
submittedUnix timestamp indicating the time when the file was submitted for analysis.
task_idUnique identification number assigned to each file processing task on the Worker instance. This task ID can be used in requests to other Worker API endpoints; for example, to delete a task from Worker. To ensure backward compatibility with previous Worker versions, the task ID values are currently integers instead of strings.
processedUnix timestamp indicating the time when the file was processed by the Worker. If the file has not been processed yet, this field returns a null value until both the report and the file link are ready.
worker_ipList of IP addresses associated with the Worker that processed the file.
worker_addressList of DNS records associated with the Worker that processed the file.
worker_hostnameHostname of the Worker that processed the file.
direct_senderIP address of the machine that sent the file to Spectra Detect. This is the immediate sender, the last hop in the forwarding chain (if the request was forwarded).
forwarded_forList of IP addresses that were part of the forwarding chain for that request, including the original sender.
tc_reportResults of the static file analysis performed by the engine embedded in the Worker. If the report is already available, but the file has not yet been saved to S3, this field will return a null value.
file_linkReturned only if the S3 integration is configured on the Worker, and if saving samples to S3 is enabled. When this field is present in the response, it includes a link to the sample stored in an S3 bucket. If Spectra Analyze integration and S3 are enabled on the Worker, the file link will point to the Spectra Analyze instance connected to the Worker. If report splitting is enabled, this link will point to the parent sample.
custom_dataReturned only if the user submitted an optional custom_data parameter in the file upload request. This parameter can be passed to the upload endpoint to save arbitrary, user-defined data in the analysis report. The data must be submitted as a JSON-encoded payload, and it is returned in the report in its original, unchanged form.

Delete a processing task

DELETE /api/tiscale/v1/task/{task_id}

Description

Deletes a processing task record from the system. All file processing results are automatically removed from the system 30 minutes after processing is completed. However, users can manually delete task records from the system at any time. When a task record is deleted, it is no longer listed in the response of the List processing tasks endpoint.

The task_id parameter is required in the request, as it specifies which task record should be deleted.

To bulk-delete task records, use the Delete multiple processing tasks endpoint.

Request format

Request parameters

Parameter NameDescriptionRequired
task_idUnique identification number assigned to each file processing task on the Worker instance. The unique ID value for every processing task is returned in the response when the file is submitted for analysis, as the last part of the task_url. For example, in "task_url": "https://tiscale-worker01:8080/api/tiscale/v1/task/23", the task_id value is 23. The task ID can also be obtained from the List processing tasks <listapi> endpoint.Required

Request example

curl -X DELETE https://tiscale-worker01:8080/api/tiscale/v1/task/999 -H 'Authorization: Token exampletoken'

Response format

If a task was successfully removed from the system, the API returns the 200 OK status code with an empty response body.

Delete multiple processing tasks

DELETE /api/tiscale/v1/task?{age=seconds}

Description

Deletes task records from the system based on the time when they were submitted.

All file processing results are automatically removed from the system 30 minutes after processing is completed. However, users can manually delete task records from the system at any time. When task records are deleted, they are no longer listed in the response of the List processing tasks endpoint.

The age parameter is required, and it sets the limit for task age, expressed in seconds. Task age is calculated as being the difference between the current system timestamp and the timestamp of the task submission. Timestamps are specified in the Unix time format, as the number of seconds since 1970-01-01 00:00:00.

All task records older than the number of seconds specified in the request will be deleted.

To delete all tasks, set the age parameter to zero.

Request format

Request parameters

Parameter NameDescriptionRequired
ageSpecify the number of seconds to delete processing tasks based on their age. Task age is the difference between the current system time and the time when the file processing task was created. The value must be specified in seconds.Required

Request examples

Delete tasks older than 500 seconds:

curl -X DELETE 'https://tiscale-worker01:8080/api/tiscale/v1/task?age=500' -H 'Authorization: Token exampletoken'

Delete all tasks on the system:

curl -X DELETE 'https://tiscale-worker01:8080/api/tiscale/v1/task?age=0' -H 'Authorization: Token exampletoken'

Response format

The endpoint returns an empty body with one of the status codes, depending on the success of the request.

  • 200
    • The request has succeeded.
  • 400
    • The request could not be understood by the server due to malformed syntax or missing parameters.
  • 401
    • The request requires authorization from the user.
  • 403
    • Authorization has been provided in the request, but it is not valid.
  • 404
    • The server has not found anything matching the Request-URI.
  • 500
    • The server encountered an unexpected condition which prevented it from fulfilling the request.
  • 503
    • The server is currently unable to handle the request due to a temporary overloading or maintenance of the server.
    • In case the Spectra Intelligence upload limit quota was exceeded, the response will contain the "Paused - TiCloud quota exceeded" error message. To continue analyzing files, users can temporarily disable Spectra Intelligence, wait until the daily quota renews, or contact ReversingLabs support to increase their daily upload limit. When using the Quotas API endpoints on a Worker instance without a configured Spectra Intelligence account, the response code will be 503, and the error message "TiCloud is not configured."

Get the identifier for YARA rules currently on Worker

GET /api/tiscale/v1/yara

Description

Retrieves an identifier for the current set of YARA rules on the Worker.

If there are any changes to the set of YARA rules, the identifier will change. Therefore, this endpoint can be used to monitor changes to YARA rules by comparing the responses retrieved over multiple time intervals.

Read more about managing YARA rulesets on the Worker.

Request format

Request example

curl https://tiscale-worker-01/api/tiscale/v1/yara -H 'Authorization: Token exampletoken'

Response format

Response example

{
  "id": "790473eae77e007cff9b88bc37a44596fa6a495a"
}

Worker - Get YARA rule synchronization status.

GET /api/tiscale/v2/sync-status

Description

Retrieves the current YARA rule synchronization status. Use the optional errorOnly query parameter to filter the response to include only rulesets with errors.

If there are any changes to the set of YARA rules, the identifiers will change. Therefore, this endpoint can be used to monitor changes to YARA rules.

Request format

Request example

curl https://tiscale-worker-01/api/tiscale/v2/sync-status -H 'Authorization: Token exampletoken'

Response format

Response example

{
  "revision": 0,
  "rulesets": [
    {
      "revision": 0,
      "key": "string",
      "hash": "string",
      "errors": []
    }
  ]
}

Appliances utilize revision numbers and keys as unique identifiers during ruleset synchronization.

Worker - Resynchronize all YARA rules

POST /api/tiscale/v1/pull/all

Description

Resynchronizes all YARA rules, ensuring the latest versions are retrieved and applied. This endpoint updates all rulesets regardless of their current revision status.

Request format

Request example

curl -X POST https://tiscale-worker-01/api/tiscale/v1/pull/all -H 'Authorization: Token exampletoken'

Response format

Response example

If the request was successfully sent, the response includes a 200 OK status code. In case the YARA synchronization is disabled, or the request fails, the response is 417 Expectation Failed.

Get information on usage quotas and limits

The following endpoints can be used to return quota usage and quota limits for the Spectra Intelligence account configured on the Worker, or at the company level based on the Spectra Intelligence username. Products are grouped into one object if they share the usage quota and access rights. This means that the same users and products can appear multiple times in the response.

Workers can be configured to require an authorization token in every API request. In that case, the Authorization header with a token must be included in the request.

GET /api/tiscale/v1/quota
GET /api/tiscale/v1/quota/company

Request Example

curl https://{server}/api/tiscale/v1/quota -H 'Authorization: Token exampletoken'

Response Example

{
  "limits": [
    {
      "limit": 10,
      "limit_type": "daily",
      "limit_exceeded": false,
      "products": [
        "TCA-0319 YARA Retroactive Hunting",
        "TCA-0303 YARA Hunting"
      ],
      "users": [
        "u/company/user"
      ]
    },
    {
      "limit": 500,
      "limit_type": "count",
      "limit_exceeded": false,
      "products": [
        "TCA-0319 YARA Retroactive Hunting",
        "TCA-0303 YARA Hunting"
      ],
      "users": [
        "u/company/user"
      ]
    }
  ],
  "usages": {
    "daily": {
      "date": "2023-11-23",
      "usage_report": [
        {
          "product": "TCA-0103 Historic Multi-AV Scan Records",
          "number_of_queries": 6453
        },
        {
          "product": "TCA-9999",
          "number_of_queries": 87
        },
        {
          "product": "TCAI-0001 RCA2",
          "number_of_queries": 6415
        },
        {
          "product": "TCAI-0011 Sample Submission Counter",
          "number_of_queries": 17,
          "used_bytes": 171871643
        }
      ]
    },
    "monthly": {
      "month": "2023-11",
      "usage_report": [
        {
          "product": "TCA-0103 Historic Multi-AV Scan Records",
          "number_of_queries": 7183
        },
        {
          "product": "TCA-0104 File Analysis - Hash",
          "number_of_queries": 6
        },
        {
          "product": "TCA-0201 File Download",
          "number_of_queries": 6
        },
        {
          "product": "TCA-0206 Alert on Reputation and Metadata Changes",
          "number_of_queries": 12
        },
        {
          "product": "TCA-0303 (Matches Feed)",
          "number_of_queries": 32642
        },
        {
          "product": "TCA-0319 (Matches Feed)",
          "number_of_queries": 32638
        },
        {
          "product": "TCA-0403 URL Threat Intelligence",
          "number_of_queries": 5
        },
        {
          "product": "TCA-0407 Network Reputation API",
          "number_of_queries": 20
        },
        {
          "product": "TCA-9999",
          "number_of_queries": 6273
        },
        {
          "product": "TCAI-0001 RCA2",
          "number_of_queries": 7403
        },
        {
          "product": "TCAI-0011 Sample Submission Counter",
          "number_of_queries": 64,
          "used_bytes": 352578582
        },
        {
          "product": "TCAI-0402 URI Statistics (RCA2)",
          "number_of_queries": 5
        },
        {
          "product": "TCF-0110 Data Change Feed",
          "number_of_queries": 427016
        }
      ]
    }
  }
}