Skip to main content
API docs by Redocly

Spectra Intelligence OpenAPI Specification (latest)

Download OpenAPI specification:Download

ReversingLabs: support@reversinglabs.com License: ReversingLabs End-User Software License Agreement

ReversingLabs Spectra Intelligence offers REST web services providing file reputation, file analysis, malware hunting and network indicator information. These can be used for incident response triage, malware analysis, threat intelligence augmentation, and other uses. The output format of API results is either XML or JSON.

Complete documentation

File Threat Intelligence

Get file reputation insights from ReversingLabs

TCA-0101: File Reputation (single query)

The File Reputation (Malware Presence) API provides file reputation status calculated by a proprietary ReversingLabs algorithm for the requested sample. The status can be: MALICIOUS, SUSPICIOUS, KNOWN (non-malicious or benign), UNKNOWN. Additional classification-related metadata and hashes can be requested using optional parameters.

Authorizations:
BasicAuth
path Parameters
hash_type
required
string
Enum: "md5" "sha1" "sha256"

Required parameter. Specifies which hash type will be used in the request. Supported values: md5, sha1, sha256.

hash_value
required
string

Required parameter. Hash of the file for which the user is requesting data from the service. The value must be a valid hash of the same type specified by the hash_type parameter.

query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

extended
boolean
Default: false
Example: extended=true

Optional parameter that specifies whether additional classification metadata for the requested sample should be returned in the response. Additional metadata includes information such as trust factor and threat level values; malware type, family name, and platform; first and last seen times, and more. If the parameter is not provided in the request, the default value is false (additional metadata is not returned).

show_hashes
boolean
Default: false
Example: show_hashes=true

Optional parameter that specifies whether MD5, SHA1, and SHA256 hashes should be returned in the response for the requested sample, in addition to the rest of the Malware Presence information. If the parameter is not provided in the request, the default value is false (hashes are not returned).

Responses

Request samples 

curl --url 'https://data.reversinglabs.com/api/databrowser/malware_presence/query/sha1/2cfbb1d2ee28644934bbd3baf6a6667905eee27b?extended=true&show_hashes=true&format=json' --user <username>:<password>

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0101: File Reputation (bulk query)

The File Reputation (Malware Presence) Bulk API provides file reputation status calculated by a proprietary ReversingLabs algorithm for the requested samples. Up to 100 hashes can be submitted in one request. The status can be: MALICIOUS, SUSPICIOUS, KNOWN (non-malicious or benign), UNKNOWN. Additional classification-related metadata and hashes can be requested using optional parameters.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

query Parameters
format
string
Enum: "xml" "json"

Optional parameter that allows choosing the response format. Supported values: json, xml. When the parameter is not included in the request, the response is in the same format specified by the post_format parameter.

extended
boolean
Default: false
Example: extended=true

Optional parameter that specifies whether additional classification metadata for the requested sample should be returned in the response. Additional metadata includes information such as trust factor and threat level values; malware type, family name, and platform; first and last seen times, and more. If the parameter is not provided in the request, the default value is false (additional metadata is not returned).

show_hashes
boolean
Default: false
Example: show_hashes=true

Optional parameter that specifies whether MD5, SHA1, and SHA256 hashes should be returned in the response for the requested sample, in addition to the rest of the Malware Presence information. If the parameter is not provided in the request, the default value is false (hashes are not returned).

Request Body schema: application/json
required

hashes is an array of valid hashes of the same type as specified in the hash_type parameter.

Up to 100 hashes can be submitted in one request.

required
object
required
object
hash_type
required
string
Enum: "md5" "sha1" "sha256"
hashes
required
Array of strings

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0102: File Reputation Override

The File Reputation Override (Malware Presence) API enables file reputation status override for the requested samples. Up to 100 hashes can be submitted in one request. The status can be: MALICIOUS, SUSPICIOUS, or KNOWN (non-malicious or benign). Additional classification-related metadata and can be specified using optional parameters.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json.

query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

Request Body schema: application/json
required

override_samples is an array of samples to override. Each sample must be defined by sha1, md5, and sha256, and include new status for those hashes and may include threat_name, threat_level and trust_factor depending on the status value. remove_override is an array of samples which already have an override that should be removed. Each sample must be defined by sha1, md5 and sha256. Up to 100 hashes can be submitted in one request.

required
object
required
object
Array of objects
Array of objects

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0102: File Reputation Override (list)

The File Reputation Override (list) API lists all existing file reputation status overrides for the requested user. The hashes are sorted. Up to 1000 hashes will be returned. If there are more than 1000 active overrides, next_hash value in the previous response may be provided as the start_hash of the subsequent request to enumerate all hashes. Find more information in the official API documentation.

Authorizations:
BasicAuth
path Parameters
hash_type
required
string
Enum: "xml" "json"

Required parameter that defines the type of hash to be returned. Supported options are sha1, md5, and sha256.

query Parameters
start_hash
string
Example: start_hash=9865c7ecda437034e1513cc43ae9a1f6f334bb7f

Optional parameter that specified the first hash in the response to be returned. Enables pagination.

format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

Responses

Request samples 

curl --url 'https://data.reversinglabs.com/api/databrowser/malware_presence/user_override/list_hashes/sha1?start_hash=9865c7ecda437034e1513cc43ae9a1f6f334bb7f&format=json' --user <username>:<password>

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0103: Historic Multi-AV Scan Records (single query)

The Historic Multi-AV Scan Records (XREF) API provides cross-reference data (AV scanner scanning information, first and last seen date-time (UTC), sample type and size, first and last scanned date, etc.) for the requested sample. An optional parameter history can be used in requests to this API to retrieve historical XREF record changes for the sample (if available).

Authorizations:
BasicAuth
path Parameters
hash_type
required
string
Enum: "md5" "sha1" "sha256"

Required parameter. Specifies which hash type will be used in the request. Supported values: md5, sha1, sha256.

hash_value
required
string

Required parameter. Hash of the file for which the user is requesting data from the service. The value must be a valid hash of the same type specified by the hash_type parameter.

query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

history
boolean
Default: false
Example: history=true

Optional parameter that defines whether the response should contain a history of XREF records for a sample (when true) or the latest record only (when false). The default is false.

Responses

Request samples 

curl --url 'https://data.reversinglabs.com/api/xref/v2/query/sha1/7d8f177243cfa055c95cbbf32ebc2d7e8c71d4fb?format=json&history=true' --user <username>:<password>

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0103: Historic Multi-AV Scan Records (bulk query)

The Historic Multi-AV Scan Records Bulk API provides cross-reference data (AV scanner scanning information, first and last seen date-time (UTC), sample type and size, first and last scanned date, etc.) for up to 100 requested samples. An optional parameter history can be used in requests to this API to retrieve historical XREF record changes for each sample (if available).

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

query Parameters
format
string
Enum: "xml" "json"

Optional parameter that allows choosing the response format. Supported values: json, xml. When the parameter is not included in the request, the response is in the same format specified by the post_format parameter.

history
boolean
Default: false
Example: history=true

Optional parameter that defines whether the response should contain a history of XREF records for a sample (when true) or the latest record only (when false). The default is false.

Request Body schema: application/json
required

hashes is an array of valid hashes of the same type as specified in the hash_type parameter.

Up to 100 hashes can be submitted in one request.

required
object
required
object
hash_type
required
string
Enum: "md5" "sha1" "sha256"
hashes
required
Array of strings

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0104: File Analysis - Hash (single query)

The File Analysis - Hash [RLDATA] API provides analysis results for the requested hash. The extent of analysis data returned in the response varies based on the file type. Note that the dynamic analysis report is only available with additional permissions.

Authorizations:
BasicAuth
path Parameters
hash_type
required
string
Enum: "md5" "sha1" "sha256"

Required parameter. Specifies which hash type will be used in the request. Supported values: md5, sha1, sha256.

hash_value
required
string

Required parameter. Hash of the file for which the user is requesting data from the service. The value must be a valid hash of the same type specified by the hash_type parameter.

query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

Responses

Request samples 

curl --url 'https://data.reversinglabs.com/api/databrowser/rldata/query/sha1/a45ab18fb7a06dd5ecb44bf6c221a951f974059f?format=json' --user <username>:<password>

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0104: File Analysis - Hash (bulk query)

The File Analysis - Hash [RLDATA] Bulk API provides analysis results for up to 100 requested hashes in a single response. The extent of analysis data returned in the response varies based on the file type. Note that the dynamic analysis report is only available with additional permissions. Find more information in the official API documentation.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

query Parameters
format
string
Enum: "xml" "json"

Optional parameter that allows choosing the response format. Supported values: json, xml. When the parameter is not included in the request, the response is in the same format specified by the post_format parameter.

Request Body schema: application/json
required

hashes is an array of valid hashes of the same type as specified in the hash_type parameter.

Up to 100 hashes can be submitted in one request.

required
object
required
object
hash_type
required
string
Enum: "md5" "sha1" "sha256"
hashes
required
Array of strings

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0105: File Analysis - Non-Malicious (single query)

The File Analysis - Non-Malicious [RLDATA Goodware] API provides sample hashes, trust factor, relationships, size, and sources for benign samples only. If a malicious hash is queried, a 404 (Not Found) HTTP response will be returned.

Authorizations:
BasicAuth
path Parameters
hash_type
required
string
Enum: "md5" "sha1" "sha256"

Required parameter. Specifies which hash type will be used in the request. Supported values: md5, sha1, sha256.

hash_value
required
string

Required parameter. Hash of the file for which the user is requesting data from the service. The value must be a valid hash of the same type specified by the hash_type parameter.

query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

Responses

Request samples 

curl --url 'https://data.reversinglabs.com/api/databrowser/rldata/goodware/query/sha1/a25b6db2d363eaa31de348399aedc5651280b52b?format=json' --user <username>:<password> --header 'Content-Type: application/json'

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0105: File Analysis - Non-Malicious (bulk query)

The File Analysis - Non-Malicious [RLDATA Goodware] Bulk API provides sample hashes, trust factor, relationships, size, and sources for benign samples only. Up to 100 hashes can be submitted in one request. If a malicious hash is queried, a 404 (Not Found) HTTP response will be returned. Find more information in the official API documentation.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

query Parameters
format
string
Enum: "xml" "json"

Optional parameter that allows choosing the response format. Supported values: json, xml. When the parameter is not included in the request, the response is in the same format specified by the post_format parameter.

Request Body schema: application/json
required

hashes is an array of valid hashes of the same type as specified in the hash_type parameter.

Up to 100 hashes can be submitted in one request.

required
object
required
object
hash_type
required
string
Enum: "md5" "sha1" "sha256"
hashes
required
Array of strings

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

Certificate Threat Intelligence

Get file certificate insights from ReversingLabs

TCA-0501: Certificate Index

The Certificate Index API provides a list of samples that are signed with the requested certificate. The certificate should be requested using its thumbprint value as a SHA1, SHA256, or MD5 hash. Only one certificate thumbprint can be submitted in one request. Optional parameters can be used in the request to retrieve additional sample metadata and filter the results by classification status.

Authorizations:
BasicAuth
path Parameters
thumbprint
required
string

Required parameter that specifies the thumbprint of the certificate for which the user is requesting data from the service. The thumbprint value should be provided as a valid hash. Supported hash types are: MD5, SHA1, SHA256.

query Parameters
limit
integer [ 1 .. 100 ]
Default: 100
Example: limit=50

Optional parameter; specifies the maximum number of sample SHA1 hashes to include in the response. This value has to be an integer in the range from 1 and 100. When the parameter is not included in the request, 100 hashes are returned by default.

extended
boolean
Default: false
Example: extended=true

If the extended option is selected, each SHA1 hash in the list will be expanded with additional metadata: certificate validation status, classification, threat level, trust factor, malware family name, threat name, malware type, targeted platform and subplatform; SHA1, MD5, PE_SHA1, PE_SHA256 and SHA256 hashes; sample size, sample type, download availability, first and last seen dates (UTC).

classification
string
Enum: "known" "malicious" "suspicious" "unknown"
Example: classification=malicious

Optional parameter that allows filtering the results by their classification status. If this parameter is provided in the request, the response will include only those samples that match the requested status. Supported values are: known, malicious, suspicious, unknown (case-insensitive).

format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

Responses

Request samples 

curl --url 'https://data.reversinglabs.com/api/certificate/index/v1/query/thumbprint/A909502DD82AE41433E6F83886B00D4277A32A7B?format=json' --user <username>:<password>

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0501: Certificate Index (paginated)

The Certificate Index API provides a list of samples that are signed with the requested certificate. The certificate should be requested using its thumbprint value as a SHA1, SHA256, or MD5 hash. Only one certificate thumbprint can be submitted in one request. Optional parameters can be used in the request to retrieve additional sample metadata and filter the results by classification status.

Authorizations:
BasicAuth
path Parameters
thumbprint
required
string

Required parameter that specifies the thumbprint of the certificate for which the user is requesting data from the service. The thumbprint value should be provided as a valid hash. Supported hash types are: MD5, SHA1, SHA256.

next_page
required
string

Optional parameter used for pagination. To get the next page of results from the API, use the next_page value from the response with this parameter in a new request. When the parameter is not included in the request, only the first page of results is returned.

query Parameters
limit
integer [ 1 .. 100 ]
Default: 100
Example: limit=50

Optional parameter; specifies the maximum number of sample SHA1 hashes to include in the response. This value has to be an integer in the range from 1 and 100. When the parameter is not included in the request, 100 hashes are returned by default.

extended
boolean
Default: false
Example: extended=true

If the extended option is selected, each SHA1 hash in the list will be expanded with additional metadata: certificate validation status, classification, threat level, trust factor, malware family name, threat name, malware type, targeted platform and subplatform; SHA1, MD5, PE_SHA1, PE_SHA256 and SHA256 hashes; sample size, sample type, download availability, first and last seen dates (UTC).

classification
string
Enum: "known" "malicious" "suspicious" "unknown"
Example: classification=malicious

Optional parameter that allows filtering the results by their classification status. If this parameter is provided in the request, the response will include only those samples that match the requested status. Supported values are: known, malicious, suspicious, unknown (case-insensitive).

format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

Responses

Request samples 

curl --url 'https://data.reversinglabs.com/api/certificate/index/v1/query/thumbprint/A909502DD82AE41433E6F83886B00D4277A32A7B?format=json' --user <username>:<password>

Response samples

Content type
application/json
{
  • "JSON Example Response for extended": {
    },
  • "rl": {
    }
}

TCA-0502: Certificate Analytics

The Certificate Analytics API provides certificate analytics for the requested certificate and its chain of trust. The certificate should be requested using its thumbprint value as a SHA1, SHA256, or MD5 hash. Sending requests using the GET method allows only one thumbprint per request, while the POST method accepts up to 100 thumbprints in one request. Find more information in the official API documentation.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
thumbprint
required
string

Required parameter that specifies the thumbprint of the certificate for which the user is requesting data from the service. The thumbprint value should be provided as a valid hash. Supported hash types are: MD5, SHA1, SHA256.

query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

Responses

Request samples 

curl --url 'https://data.reversinglabs.com/api/certificate/analytics/v1/query/thumbprint/18254B1DC375B74E339EB99ABFE31AF0D735CB5A3B535570731175811D735B0D?format=json' --user <username>:<password> --header 'Content-Type: application/json'

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0502: Certificate Analytics

The Certificate Analytics API provides certificate analytics for the requested certificate and its chain of trust. The certificate should be requested using its thumbprint value as a SHA1, SHA256, or MD5 hash. Sending requests using the GET method allows only one thumbprint per request, while the POST method accepts up to 100 thumbprints in one request. Find more information in the official API documentation.

Authorizations:
BasicAuth
path Parameters
thumbprint
required
string
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
required

thumbprints is a required parameter that specifies a list of certificate thumbprints for which the user is requesting data from the service. Each thumbprint value should be provided as a valid hash. Supported hash types are: MD5, SHA1, SHA256. Up to 100 thumbprints can be submitted in one request.

required
object
required
object
thumbprints
required
Array of objects
format
required
string

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0503: Certificate Thumbprint Search

The Certificate Thumbprint Search API allows users to find certificate thumbprints by using the full or partial certificate common name as the search keyword. The results contain thumbprints of certificates that match the requested common name. Those thumbprints can be used with the TCA-0501 and TCA-0502 APIs to obtain a list of certificate-signed samples and certificate analytics, respectively.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
required
object
object
common_name
required
string

common_name is a required parameter that supports partial matching with * as the wildcard character. limit is an optional parameter that specifies the maximum number of thumbprints to return in the response (1-100, with 100 as the default).

limit
integer [ 1 .. 100 ]
Default: 100

Maximum number of certificate thumbprints to be returned.

page_common_name
string

An optional pagination parameter for retrieving the next page of the results. Pagination value for the next page is provided in the previous request response as next_page_common_name.

page_thumbprint
string

An optional pagination parameter for retrieving the next page of the results. Pagination value for the next page is provided in the previous request response as next_page_thumbprint.

response_format
string
Default: "xml"
Enum: "xml" "json"

response_format is an optional parameter that allows choosing the response format (XML or JSON; XML is the default).

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

Network Threat Intelligence

Find files in Spectra Intelligence using network indicator metadata

TCA-0401: URI to Hash Search

The URI to Hash Search API provides a list of all available SHA1 hashes associated with the requested URI. The following URI types are supported: email, URL, IPv4 address, domain. Only one URI can be submitted in one request. Sending requests using the GET method requires the SHA1 value of the URI string, while the POST method accepts the URI string value in plain text.

Authorizations:
BasicAuth
path Parameters
hash
required
string

SHA1 hash value of the URI string for which the user is requesting data from the service. The user should generate a SHA1 hash of the URI string prior to submitting a request.

query Parameters
classification
string
Enum: "known" "malicious" "suspicious" "unknown"
Example: classification=malicious

Optional parameter that allows filtering the results by their classification status. If this parameter is provided in the request, the response will include only those samples that match the requested status. Supported values are: known, malicious, suspicious, unknown (case-insensitive).

format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

Responses

Request samples 

curl --url 'https://data.reversinglabs.com/api/uri_index/v1/query/c2208abde9668e8e9815c3690855edd1e63abeac?format=json' --user <username>:<password>

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0401: URI to Hash Search (paginated)

The URI to Hash Search API provides a list of all available SHA1 hashes associated with the requested URI. The following URI types are supported: email, URL, IPv4 address, domain. Only one URI can be submitted in one request. Sending requests using the GET method requires the SHA1 value of the URI string, while the POST method accepts the URI string value in plain text. Find more information in the official API documentation.

Authorizations:
BasicAuth
path Parameters
hash
required
string

Next page hash value.

query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

header Parameters
Content-Type:
required
string
Enum: "application/json" "text/xml"

Required parameter that defines the POST payload format.

Request Body schema: application/json
required
object
object
uri
required
string

uri is a required parameter used to submit a plain text URI for which the user is requesting data from the service. Only one URI can be submitted in one request. Supported URI types are: email (e.g., user@domain.com), URL (e.g., http://domain.com/download/picture.jpg), IPv4 address (e.g., 127.0.0.1), domain (e.g., domain.com).

next_page_sha1
string

next_page_sha1 is an optional parameter used for pagination. To get the next page of results from the API, use the next_page_sha1 value from the response with this parameter in a new request. When the parameter is not included in the request, only the first page of results is returned.

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0401: URI to Hash Search

The URI to Hash Search service provides a list of all available SHA1 hashes associated with the requested URI. This service takes into account network IOCs extracted during file static analysis and uses that data to correlate URIs with samples. The following URI types are supported: email, URL, IPv4 address, and domain. Only one URI can be submitted in one request. Find more information in the official API documentation.

Authorizations:
BasicAuth
query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

header Parameters
Content-Type:
required
string
Enum: "application/json" "text/xml"

Required parameter that defines the POST payload format.

Request Body schema: application/json
required
object
object
uri
required
string

uri is a required parameter used to submit a plain text URI for which the user is requesting data from the service. Only one URI can be submitted in one request. Supported URI types are: email (e.g., user@domain.com), URL (e.g., http://domain.com/download/picture.jpg), IPv4 address (e.g., 127.0.0.1), domain (e.g., domain.com).

next_page_sha1
string

next_page_sha1 is an optional parameter used for pagination. To get the next page of results from the API, use the next_page_sha1 value from the response with this parameter in a new request. When the parameter is not included in the request, only the first page of results is returned.

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0401: URI to Hash Search (paginated)

The URI to Hash Search API provides a list of all available SHA1 hashes associated with the requested URI. The following URI types are supported: email, URL, IPv4 address, domain. Only one URI can be submitted in one request. Sending requests using the GET method requires the SHA1 value of the URI string, while the POST method accepts the URI string value in plain text.

Authorizations:
BasicAuth
path Parameters
uri_sha1
required
string

The SHA1 hash value of the URI string

next_page_sha1
required
string

Optional path parameter used for pagination. To get the next page of results from the API, use the next_page_sha1 value from the response in place of this parameter in a new request. When the parameter is not included in the request, only the first page of results is returned.

query Parameters
classification
string
Enum: "known" "malicious" "suspicious" "unknown"
Example: classification=malicious

Optional parameter that allows filtering the results by their classification status. If this parameter is provided in the request, the response will include only those samples that match the requested status. Supported values are: known, malicious, suspicious, unknown (case-insensitive).

format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

Responses

Request samples 

curl --url 'https://data.reversinglabs.com/api/uri_index/v1/query/c2208abde9668e8e9815c3690855edd1e63abeac?format=json' --user <username>:<password>

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0402: URI Statistics

The URI Statistics API provides statistical information on how many known, malicious, and suspicious samples are associated with a particular URI. The following URI types are supported: email, URL, IPv4 address, domain. Only one URI can be submitted in one request. This service accepts only SHA1 values of URI strings. Requested URI strings cannot be in plain text. Find more information in the official API documentation.

Authorizations:
BasicAuth
path Parameters
uri_sha1
required
string

The SHA1 hash value of the URI string for which the user is requesting data from the service. The user should generate a SHA1 hash of the URI string prior to submitting a request. Supported URI types are: email (e.g., user@domain.com), URL (e.g., http://domain.com/download/picture.jpg), IPv4 address (e.g., 127.0.0.1), domain (e.g., domain.com).

query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

Responses

Request samples 

curl --url 'https://data.reversinglabs.com/api/uri/statistics/uri_state/sha1/234988566c9a0a9cf952cec82b143bf9c207ac16?format=json' --user <username>:<password>

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0403: URL Threat Intelligence (report)

This service returns the report for the submitted URL. The report contains the ReversingLabs URL classification status, URL reputation from various reputation sources, metadata for performed URL analyses, statistics of files found on the submitted URL mapped to their classification, and an overview of the most common threats.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
required
object
object
url
required
string <uri>
response_format
string
Default: "xml"
Enum: "json" "xml"

Responses

Request samples

Content type
application/json
{}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0403: URL Threat Intelligence (downloaded files)

This service provides a list of hashes for files downloaded from the submitted URL, across all analyses, during the last analysis, or those downloaded during a specific analysis.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
required
object
object
url
string <uri>

Cannot be used in combination with analysis_id.

analysis_id
string

Cannot be used in combination with url.

last_analysis
boolean
Default: false
response_format
string
Default: "xml"
Enum: "json" "xml"
limit
integer
Default: 1000
classification
string
Enum: "KNOWN" "SUSPICIOUS" "MALICIOUS" "UNKNOWN"
extended
boolean
Default: false

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0403: URL Threat Intelligence (notifications) (time range)

This service provides a continuous list of completed analyses. The records enter the feed once the submitted URL is analyzed to completion and the report is ready.

Authorizations:
BasicAuth
path Parameters
time_format
required
string
Enum: "timestamp" "utc"

Required parameter that specifies the time format for the time_value parameter. Supported values: timestamp (Unix epoch time as the number of seconds since 1970-01-01 00:00:00); utc (YYYY-MM-DDThh:mm:ss).

time_value
required
string <Unix timestamp OR date-time>

Accepts values formatted according to the format set in the time_format parameter.

query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

limit
integer [ 1 .. 1000 ]
Default: 1000
Example: limit=50

Specifies the maximum number of reports to return in the response.

Responses

Request samples 

curl --url 'https://data.reversinglabs.com/api/networking/url/v1/notifications/query/latest?limit=1' --user <username>:<password>

Response samples

Content type
application/json
{}

TCA-0403: URL Threat Intelligence (notifications) (time range) (paginated)

This service provides a continuous list of completed analyses. The records enter the feed once the submitted URL is analyzed to completion and the report is ready.

Authorizations:
BasicAuth
path Parameters
time_format
required
string
Enum: "timestamp" "utc"

Required parameter that specifies the time format for the time_value parameter. Supported values: timestamp (Unix epoch time as the number of seconds since 1970-01-01 00:00:00); utc (YYYY-MM-DDThh:mm:ss).

time_value
required
string

Accepts values formatted according to the format set in the time_format parameter.

page
required
string

The pagination value for the next page is provided in the previous request response

query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

limit
integer [ 1 .. 1000 ]
Default: 1000
Example: limit=50

Specifies the maximum number of reports to return in the response.

Responses

Request samples 

curl --url 'https://data.reversinglabs.com/api/networking/url/v1/notifications/query/latest?limit=1' --user <username>:<password>

Response samples

Content type
application/json
{}

TCA-0403: URL Threat Intelligence (notifications) (latest)

This service provides a continuous list of completed analyses. The records enter the feed once the submitted URL is analyzed to completion and the report is ready.

Authorizations:
BasicAuth
query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

limit
integer [ 1 .. 1000 ]
Default: 1000
Example: limit=50

Specifies the maximum number of reports to return in the response.

Responses

Request samples 

curl --url 'https://data.reversinglabs.com/api/networking/url/v1/notifications/query/latest?limit=1' --user <username>:<password>

Response samples

Content type
application/json
{}

TCA-0403: URL Threat Intelligence (notifications) (latest) (paginated)

This service provides a continuous list of completed analyses. The records enter the feed once the submitted URL is analyzed to completion and the report is ready.

Authorizations:
BasicAuth
path Parameters
page
required
string
query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

limit
integer [ 1 .. 1000 ]
Default: 1000
Example: limit=50

Specifies the maximum number of reports to return in the response.

Responses

Request samples 

curl --url 'https://data.reversinglabs.com/api/networking/url/v1/notifications/query/latest?limit=1' --user <username>:<password>

Response samples

Content type
application/json
{}

TCA-0404: Analyze URL

This service allows users to submit a URL for analysis. The analysis is a crawling process that will start looking for files to download from the submitted URL. When downloaded, the files are sent for analysis to the ReversingLabs file processing pipeline.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST body format.

header Parameters
Content-Type
required
string
Value: "application/octet-stream"

Required parameter that defines the POST payload format.

Request Body schema: application/json
required
object
object
url
required
string <uri>
response_format
required
string
Default: "xml"
Enum: "json" "xml"

Responses

Request samples

Content type
application/json
{}

Response samples

Content type
application/json
{
  • "rl": {}
}

TCA-0405 Domain Threat Intelligence (resolutions)

This service provides a list of domain-to-IP mappings for the requested domain.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
required
object
object
domain
string
limit
integer
Default: 1000
response_format
string
Default: "xml"
Enum: "json" "xml"

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0405 Domain Threat Intelligence (URLs)

This service provides a list of URLs associated with the requested domain.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
required
object
object
domain
string
response_format
string
limit
integer

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{}

TCA-0405 Domain Threat Intelligence (report)

This service returns threat intelligence data for the submitted domain. The report contains domain reputation from various reputation sources, classification statistics for files downloaded from the domain, the most common threats found on the domain DNS information about the domain, and parent domain information.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
required
object
object
domain
string
response_format
string
Default: "xml"
Enum: "json" "xml"

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0405 Domain Threat Intelligence (downloaded files)

This service provides a list of hashes for files downloaded from the submitted domain.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
required
object
object
domain
string
limit
integer
extended
boolean
classification
string
response_format
string

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0406 IP Threat Intelligence (resolutions)

This service provides a list of IP-to-domain mappings for the specified IP.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
required
object
object
ip
string
limit
integer
Default: 1000
response_format
string
Default: "xml"
Enum: "json" "xml"

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0406 IP Threat Intelligence (URLs)

This service provides a list of URLs associated with the requested IP. Find more information in the official API documentation.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
required
object
object
ip
string
limit
integer
Default: 1000
response_format
string
Default: "xml"
Enum: "json" "xml"

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{}

TCA-0406 IP Threat Intelligence (report)

This service returns threat intelligence data for the submitted IP. The report contains IP reputation from various reputation sources, classification statistics for files downloaded from the IP, and the top threats hosted on the submitted IP.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
required
object
object
ip
string
response_format
string
Default: "xml"
Enum: "json" "xml"

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0406 IP Threat Intelligence (downloaded files)

This service provides a list of hashes for files downloaded from the submitted IP address.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
required
required
object
required
object
ip
required
string
limit
integer
Default: 1000
response_format
string
Default: "xml"
Enum: "json" "xml"
classification
string
Enum: "KNOWN" "SUSPICIOUS" "MALICIOUS" "UNKNOWN"
extended
boolean
Default: false

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0407: Network Reputation API

The Network Reputation service provides information regarding the reputation of a requested URL, domain, or IP address. When a URL is submitted, the service provides its ReversingLabs classification, along with an overview of detections from our partners. It also includes the category of the URL (for example phishing, gambling, adult content) and indicates whether we have encountered any malware samples associated with the submitted URL.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
object
object
required
Array of objects <= 100 items
response_format
string
Default: "xml"
Enum: "json" "xml"

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0408: Network Reputation User Override

The Network Reputation User Override service enables URL classification overrides. Any URL can be overridden to malicious, suspicious, or known. Overrides are visible to all users within the same organization. The service also supports listing existing overrides.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
required
object
object
response_format
string
Enum: "json" "xml"

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0408: List User Overrides

The Network Reputation User Override service enables URL classification overrides. Any URL can be overridden to malicious, suspicious, or known. Overrides are visible to all users within the same organization. The service also supports listing existing overrides.

Authorizations:
BasicAuth
query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

next_network_location
string <sha1>

Optional parameter used for pagination. To get the next page of results from the API, use the next_network_location value from the response in place of this parameter in a new request. When the parameter is not included in the request, only the first page of results is returned.

Responses

Request samples 

curl --url 'https://data.reversinglabs.com/api/networking/user_override/v1/query/list_overrides?format=json' --user <username>:<password>

Response samples

Content type
application/json
{}

Automation

Manage files in Spectra Intelligence

TCA-0201: File Download Request

The External Sample Exchange Service allows users to download files from ReversingLabs Spectra Intelligence. This query returns the contents of a file matching the requested hash. The contents are returned as a byte stream. Only one file can be downloaded per request.

Authorizations:
BasicAuth
path Parameters
hash_type
required
string
Enum: "md5" "sha1" "sha256"

Required parameter. Specifies which hash type will be used in the request. Supported values: md5, sha1, sha256.

hash_value
required
string

Required parameter. Hash of the file for which the user is requesting data from the service. The value must be a valid hash of the same type specified by the hash_type parameter.

Responses

Request samples 

curl --url 'https://data.reversinglabs.com/api/spex/download/v2/query/sha1/a45ab18fb7a06dd5ecb44bf6c221a951f974059f' --user <username>:<password>

TCA-0201: File Download Status Request

The External Sample Exchange Service allows users to download files from ReversingLabs Spectra Intelligence. This query returns the file size of samples matching the requested hash values, but only if they are available for download. If the requested samples are not available for download, their size is represented as -1 in the response. Up to 1000 hashes can be submitted in one download status request.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

Responses

Request samples 

curl -X POST --url 'https://data.reversinglabs.com/api/spex/download/v2/status/bulk_query/json' --header 'Content-Type: application/json' --data '{
  "rl": {
    "query": {
      "hash_type": "sha1",
      "hashes": [
        "a7afddb68260a60f86c02a021efba7f216c2e7cf",
        "ca03064987d3c4465f91552ba8b6a883eecfd3e5",
        "b363713a938afcd3c74603827fab79e935b2b09b"
      ]
    }
  }
}' --user <username>:<password>

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0202/0203: File Upload Request

The External Sample Exchange Service allows users to upload files to Spectra Intelligence. This query uploads the file contents using a byte stream and the SHA1 hash of the file provided in the request. The file metadata must be uploaded after the file contents in a separate request for file processing to occur. Depending on the user's Spectra Intelligence account configuration, files are uploaded as public (sent to TCA-0202), or private (sent to TCA-0203).

Authorizations:
BasicAuth
path Parameters
hash_value
required
string

Must be a valid SHA1 hash of the uploaded file.

Request Body schema: application/octet-stream
required
string <binary>

Responses

Request samples 

curl --request POST 'https://data.reversinglabs.com/api/spex/upload/3715b867a6ce91aec3ce21d3703c68f80cf1cbc6' --data-binary @example_file.tar.gz --user <username>:<password>

TCA-0202/0203: File Metadata Upload Request

The External Sample Exchange Service allows users to upload files from ReversingLabs Spectra Intelligence. This query uploads the metadata of the file that matches the SHA1 hash provided in the request. Metadata must be provided in the XML format. The file metadata must be uploaded after the file contents in a separate request for file processing to occur. Depending on the user's Spectra Intelligence account configuration, files are uploaded as public (sent to TCA-0202), or private (sent to TCA-0203).

Authorizations:
BasicAuth
path Parameters
hash_value
required
string

Must be a valid SHA1 hash of a previously uploaded file.

query Parameters
subscribe
string
Value: "data_change"

Optional parameter. If set, adds the file to the user's data_change feed subscription list.

Request Body schema: application/octet-stream
required

Metadata must be provided in the XML format, while the request for the metadata must be sent using the Content-Type: application/octet-stream header. Metadata must contain the domain field and at least one property field. When submitting an archive for upload, it is recommended to include the archive object when uploading sample metadata. If not included, the sample will be processed as a regular sample and not as an archive, therefore it is possible that the content of the zip will not be processed completely.

The domain name should represent the web domain where the sample was found/downloaded. If the domain name is not known, the domain name should be set to an empty string.

The property_name and property_value can be any kind of string. They can represent some properties of the sample, such as its application name, version, file name of the sample, or tags.

The archive_type specifies the compression algorithm used to create the archive, and is a mandatory field if the archive field is provided. The archive_password is the password used to extract the content, and is optional.

object
required
object
domain
required
string
object

Responses

Request samples

Content type
application/octet-stream
<rl>
  <properties>
    <property>
      <name>application</name>
      <value>TestApplication</value>
    </property>
    <property>
      <name>author</name>
      <value>Test_Author</value>
    </property>
  </properties>
  <domain>testdomain.com</domain>
  <archive>
    <archive_type>zip</archive_type>
    <archive_password>password123</archive_password>
  </archive>
</rl>

TCA-0204: Delete File Single Query

The Delete File API provides the functionality of deleting files submitted and owned exclusively by the user sending the request. This query allows the user to delete a single file.

Authorizations:
BasicAuth
path Parameters
hash_type
required
string
Enum: "md5" "sha1" "sha256"

Required parameter. Specifies which hash type will be used in the request. Supported values: md5, sha1, sha256.

hash_value
required
string

Required parameter. Hash of the file for which the user is requesting data from the service. The value must be a valid hash of the same type specified by the hash_type parameter.

query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

delete_on
string
Example: delete_on=1437464369

Optional parameter that specifies when the file will be deleted, allowing users to schedule file removal for a specific time. Expressed as a Unix timestamp in seconds.

Responses

Request samples 

curl --request DELETE --url 'https://data.reversinglabs.com/api/delete/sample/v1/query/sha1/bc7a6c7bba614456412fcd11d870f207be1bf6a5' --user <username>:<password>

TCA-0204: Delete File Bulk Query

The Delete File API provides the functionality of deleting files submitted and owned exclusively by the user sending the request. Up to 100 hashes can be submitted in one request.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

query Parameters
format
string
Enum: "xml" "json"

Optional parameter that allows choosing the response format. Supported values: json, xml. When the parameter is not included in the request, the response is in the same format specified by the post_format parameter.

Request Body schema: application/json
required

hashes is an array of valid hashes of the same type as specified in the hash_type parameter.

Up to 100 hashes can be submitted in one request.

required
object
required
object
hash_type
required
string
Enum: "md5" "sha1" "sha256"
hashes
required
Array of strings

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0205: Re-Analyze File Single Query

The Rescan API allows users to submit files for re-analysis in the ReversingLabs Spectra Intelligence system. Re-analysis includes all components of the ReversingLabs Classification Algorithm: Spectra Intelligence antivirus scan results, threat and trust factors, parent/child relationships, certificates, and other metadata-specific information.

Authorizations:
BasicAuth
path Parameters
hash_type
required
string
Enum: "md5" "sha1" "sha256"

Required parameter. Specifies which hash type will be used in the request. Supported values: md5, sha1, sha256.

hash_value
required
string

Required parameter. Hash of the file for which the user is requesting data from the service. The value must be a valid hash of the same type specified by the hash_type parameter.

Responses

Request samples 

curl --url 'https://data.reversinglabs.com/api/rescan/v1/query/sha1/289512144b8b4e9e25e7a7d6250da24cda02eee0' --user <username>:<password>

TCA-0205: Re-Analyze File Bulk Query

The Rescan API allows users to submit files for (re)analysis in the ReversingLabs Spectra Intelligence system. Up to 100 hashes can be submitted in one request. Re-analysis includes all components of the ReversingLabs Classification Algorithm: Spectra Intelligence antivirus scan results, threat and trust factors, parent/child relationships, certificates, and other metadata-specific information.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

query Parameters
format
string
Enum: "xml" "json"

Optional parameter that allows choosing the response format. Supported values: json, xml. When the parameter is not included in the request, the response is in the same format specified by the post_format parameter.

Request Body schema: application/json
required

hashes is an array of valid hashes of the same type as specified in the hash_type parameter.

Up to 100 hashes can be submitted in one request.

required
object
required
object
hash_type
required
string
Enum: "md5" "sha1" "sha256"
hashes
required
Array of strings

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0206: Alert Subscribe Query

This query is used for subscribing to a list of samples and URLs for which the changed sections (if there are any) will be delivered in the Data Change Feed. To subscribe to a list of samples or URLs, the user should submit the sample or URL hashes in a POST request. All hashes in a request should be of the same type. The maximum amount of hashes that can be submitted in one request is 100.

Subscriptions never expire on their own. Users need to manually unsubscribe using the TCA-0206 Unsubscribe Query. Note: Samples or URLs that have not yet been seen can be subscribed to only using SHA1 hash values.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

query Parameters
format
string
Enum: "xml" "json"

Optional parameter that allows choosing the response format. Supported values: json, xml. When the parameter is not included in the request, the response is in the same format specified by the post_format parameter.

Request Body schema: application/json
required

hashes is an array of valid hashes of the same type as specified in the hash_type parameter.

Up to 100 hashes can be submitted in one request.

required
object
required
object
hash_type
required
string
Enum: "md5" "sha1" "sha256"
hashes
required
Array of strings

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0206: Alert Unsubscribe Query

This query is used for unsubscribing from a list of samples that the user was previously subscribed to. Submitting a sample hash in a POST request to this endpoint removes the associated sample from the list of user's subscriptions.

The maximum amount of hashes that can be submitted in one request is 100. Changes for unsubscribed samples will no longer be delivered in the Data Change Feed.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

query Parameters
format
string
Enum: "xml" "json"

Optional parameter that allows choosing the response format. Supported values: json, xml. When the parameter is not included in the request, the response is in the same format specified by the post_format parameter.

Request Body schema: application/json
required

hashes is an array of valid hashes of the same type as specified in the hash_type parameter.

Up to 100 hashes can be submitted in one request.

required
object
required
object
hash_type
required
string
Enum: "md5" "sha1" "sha256"
hashes
required
Array of strings

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0206: Data Change Feed Start Query

This query sets the starting timestamp for TCA-0206 Data Change Feed Pull Query.

Authorizations:
BasicAuth
path Parameters
time_format
required
string
Enum: "timestamp" "utc"

Required parameter; accepts these options: timestamp, utc. timestamp is the number of seconds since 1970-01-01 00:00:00. utc is the date and time in format YYYY-MM-DDThh:mm:ss

time_value
required
string

Required parameter; Accepts values defined by the time_format parameter

Responses

Request samples 

curl --request PUT --url 'https://data.reversinglabs.com/api/feed/data_change/v3/start/timestamp/1640991600' --user <username>:<password>

TCA-0206: Data Change Feed Pull Query

This query returns the next recordset with samples and URLs to which the user is subscribed. The starting point for this query is defined using the TCA-0206 Start Query.

If the user has not previously requested this query or called the START query, it will return records starting with the current timestamp. Every subsequent call will continue from the timestamp where the previous call ended.

Unless the limit parameter is specified, the query returns a maximum of 1000 records, or a little bit more than 1000 if there are records with the same timestamp. This ensures that all the records with the same timestamp will be included in the recordset. The limit parameter must not be greater than 1000.

This endpoint is built to be queried by a single thread (single instance). Any concurrent requests will be blocked until the previous one is fulfilled.

Authorizations:
BasicAuth
query Parameters
events
string
Default: "default"
Enum: "default" "sections"

Optional parameter that accepts a list of sections that should be included in the response, delimited by commas. Supported values: default - all events will be included in the response; sections - include info, sources, xref, analysis, sample_available, malware_presence, sample_became_shareable, dynamic_analysis

format
string
Default: "xml"
Enum: "xml" "json" "tsv"

Optional parameter; Specifies the response format. Supported values: xml (default), json, tsv (Tab Separated Values, delimiter character \t 0x09)

limit
integer [ 1 .. 1000 ]
Default: 1000

Optional parameter; Specifies the number of records to return in the response. The maximum value is 1000. Note that the response may include a little more than the requested number of records to ensure that all the records with the same timestamp are returned.

Request Body schema: application/json
required

hashes is an array of valid hashes of the same type as specified in the hash_type parameter.

Up to 100 hashes can be submitted in one request.

required
object
required
object
hash_type
required
string
Enum: "md5" "sha1" "sha256"
hashes
required
Array of strings

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0206: Data Change Continuous Feed Query

This query returns a recordset with samples and URLs that the user is subscribed to from the requested timestamp onwards. The feed will return 1000 records at most, or a little bit more than 1000 if there are some records with the same timestamp. The response also contains the latest timestamp up to which the events are included in the response.

To fetch the next recordset, use the the last_timestamp value from the response, increase it by 1 and submit it in a new request.

Authorizations:
BasicAuth
path Parameters
time_format
required
string
Enum: "timestamp" "utc"

Required parameter; accepts these options: timestamp, utc. timestamp is the number of seconds since 1970-01-01 00:00:00. utc is the date and time in format YYYY-MM-DDThh:mm:ss

time_value
required
string

Required parameter; Accepts values defined by the time_format parameter

query Parameters
events
string
Default: "default"
Enum: "default" "sections"

Optional parameter that accepts a list of sections that should be included in the response, delimited by commas. Supported values: default - all events will be included in the response; sections - include info, sources, xref, analysis, sample_available, malware_presence, sample_became_shareable, dynamic_analysis

format
string
Default: "xml"
Enum: "xml" "json" "tsv"

Optional parameter; Specifies the response format. Supported values: xml (default), json, tsv (Tab Separated Values, delimiter character \t 0x09)

Responses

Request samples 

curl --url 'https://data.reversinglabs.com/api/feed/data_change/v3/query/utc/2022-01-01T13:00:00?format=json&events=xref' --user <username>:<password>

Response samples

Content type
application/json
{
  • "rl": {
    }
}

Dynamic Analysis (ReversingLabs Cloud Sandbox)

Detonate files in ReversingLabs Cloud Sandbox and retrieve reports

TCA-0106: Dynamic Analysis Report (merged report)

The File and URL Dynamic Analysis Report service allows users to retrieve dynamic analysis reports for files and URLs executed in the cloud sandbox. Find more information in the official API documentation.

Authorizations:
BasicAuth
path Parameters
hash_type
required
string
Enum: "md5" "sha1" "sha256"

Required parameter. Specifies which hash type will be used in the request. Supported values: md5, sha1, sha256.

hash_value
required
string

Required parameter. Hash of the file for which the user is requesting data from the service. The value must be a valid hash of the same type specified by the hash_type parameter.

query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

artifacts_url
boolean
Value: true

Optional parameter that includes artifact links for specific reports in the history part of the merged report.

Responses

Request samples 

curl --url 'https://data.reversinglabs.com/api/dynamic/analysis/report/v1/query/sha1/cac61424fb5414d589687bfd35452a351604ef11?format=json' --user <username>:<password>

Response samples

Content type
application/json
{
  • "rl": {