Skip to main content

Spectra Intelligence API reference (5.0.0)

Download OpenAPI specification:Download

ReversingLabs Spectra Intelligence offers REST web services providing file reputation, file analysis, malware hunting and network indicator information. These can be used for incident response triage, malware analysis, threat intelligence augmentation, and other uses. The output format of API results is either XML or JSON.

File Threat Intelligence

Get file reputation insights from ReversingLabs

TCA-0101: File Reputation (single query)

The File Reputation (Malware Presence) API provides file reputation status calculated by a proprietary ReversingLabs algorithm for the requested sample. The status can be: MALICIOUS, SUSPICIOUS, KNOWN (non-malicious or benign), UNKNOWN. Additional classification-related metadata and hashes can be requested using optional parameters.

Authorizations:
BasicAuth
path Parameters
hash_type
required
string
Enum: "md5" "sha1" "sha256"

Required parameter. Specifies which hash type will be used in the request. Supported values: md5, sha1, sha256.

hash_value
required
string

Required parameter. Hash of the file for which the user is requesting data from the service. The value must be a valid hash of the same type specified by the hash_type parameter.

query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

extended
boolean
Default: false
Example: extended=true

Optional parameter that specifies whether additional classification metadata for the requested sample should be returned in the response. Additional metadata includes information such as trust factor and threat level values; malware type, family name, and platform; first and last seen times, and more. If the parameter is not provided in the request, the default value is false (additional metadata is not returned).

show_hashes
boolean
Default: false
Example: show_hashes=true

Optional parameter that specifies whether MD5, SHA1, and SHA256 hashes should be returned in the response for the requested sample, in addition to the rest of the Malware Presence information. If the parameter is not provided in the request, the default value is false (hashes are not returned).

Responses

Request samples

curl --url 'https://data.reversinglabs.com/api/databrowser/malware_presence/query/sha1/2cfbb1d2ee28644934bbd3baf6a6667905eee27b?extended=true&show_hashes=true&format=json' --user <username>:<password>

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0101: File Reputation (bulk query)

The File Reputation (Malware Presence) Bulk API provides file reputation status calculated by a proprietary ReversingLabs algorithm for the requested samples. Up to 100 hashes can be submitted in one request. The status can be: MALICIOUS, SUSPICIOUS, KNOWN (non-malicious or benign), UNKNOWN. Additional classification-related metadata and hashes can be requested using optional parameters.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

query Parameters
format
string
Enum: "xml" "json"

Optional parameter that allows choosing the response format. Supported values: json, xml. When the parameter is not included in the request, the response is in the same format specified by the post_format parameter.

extended
boolean
Default: false
Example: extended=true

Optional parameter that specifies whether additional classification metadata for the requested sample should be returned in the response. Additional metadata includes information such as trust factor and threat level values; malware type, family name, and platform; first and last seen times, and more. If the parameter is not provided in the request, the default value is false (additional metadata is not returned).

show_hashes
boolean
Default: false
Example: show_hashes=true

Optional parameter that specifies whether MD5, SHA1, and SHA256 hashes should be returned in the response for the requested sample, in addition to the rest of the Malware Presence information. If the parameter is not provided in the request, the default value is false (hashes are not returned).

Request Body schema: application/json
required

hashes is an array of valid hashes of the same type as specified in the hash_type parameter.

Up to 100 hashes can be submitted in one request.

required
object
required
object
hash_type
required
string
Enum: "md5" "sha1" "sha256"
hashes
required
Array of strings

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0102: File Reputation Override

The File Reputation Override (Malware Presence) API enables file reputation status override for the requested samples. Up to 100 hashes can be submitted in one request. The status can be: MALICIOUS, SUSPICIOUS, or KNOWN (non-malicious or benign). Additional classification-related metadata and can be specified using optional parameters.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json.

query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

Request Body schema: application/json
required

override_samples is an array of samples to override. Each sample must be defined by sha1, md5, and sha256, and include new status for those hashes and may include threat_name, threat_level and trust_factor depending on the status value. remove_override is an array of samples which already have an override that should be removed. Each sample must be defined by sha1, md5 and sha256. Up to 100 hashes can be submitted in one request.

required
object
required
object
Array of objects
Array of objects

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0102: File Reputation Override (list)

The File Reputation Override (list) API lists all existing file reputation status overrides for the requested user. The hashes are sorted. Up to 1000 hashes will be returned. If there are more than 1000 active overrides, next_hash value in the previous response may be provided as the start_hash of the subsequent request to enumerate all hashes. Find more information in the official API documentation.

Authorizations:
BasicAuth
path Parameters
hash_type
required
string
Enum: "xml" "json"

Required parameter that defines the type of hash to be returned. Supported options are sha1, md5, and sha256.

query Parameters
start_hash
string
Example: start_hash=9865c7ecda437034e1513cc43ae9a1f6f334bb7f

Optional parameter that specified the first hash in the response to be returned. Enables pagination.

format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

Responses

Request samples

curl --url 'https://data.reversinglabs.com/api/databrowser/malware_presence/user_override/list_hashes/sha1?start_hash=9865c7ecda437034e1513cc43ae9a1f6f334bb7f&format=json' --user <username>:<password>

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0103: Historic Multi-AV Scan Records (single query)

The Historic Multi-AV Scan Records (XREF) API provides cross-reference data (AV scanner scanning information, first and last seen date-time (UTC), sample type and size, first and last scanned date, etc.) for the requested sample. An optional parameter history can be used in requests to this API to retrieve historical XREF record changes for the sample (if available).

Authorizations:
BasicAuth
path Parameters
hash_type
required
string
Enum: "md5" "sha1" "sha256"

Required parameter. Specifies which hash type will be used in the request. Supported values: md5, sha1, sha256.

hash_value
required
string

Required parameter. Hash of the file for which the user is requesting data from the service. The value must be a valid hash of the same type specified by the hash_type parameter.

query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

history
boolean
Default: false
Example: history=true

Optional parameter that defines whether the response should contain a history of XREF records for a sample (when true) or the latest record only (when false). The default is false.

Responses

Request samples

curl --url 'https://data.reversinglabs.com/api/xref/v2/query/sha1/7d8f177243cfa055c95cbbf32ebc2d7e8c71d4fb?format=json&history=true' --user <username>:<password>

Response samples

Content type
application/json
No sample

TCA-0103: Historic Multi-AV Scan Records (bulk query)

The Historic Multi-AV Scan Records Bulk API provides cross-reference data (AV scanner scanning information, first and last seen date-time (UTC), sample type and size, first and last scanned date, etc.) for up to 100 requested samples. An optional parameter history can be used in requests to this API to retrieve historical XREF record changes for each sample (if available).

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

query Parameters
format
string
Enum: "xml" "json"

Optional parameter that allows choosing the response format. Supported values: json, xml. When the parameter is not included in the request, the response is in the same format specified by the post_format parameter.

history
boolean
Default: false
Example: history=true

Optional parameter that defines whether the response should contain a history of XREF records for a sample (when true) or the latest record only (when false). The default is false.

Request Body schema: application/json
required

hashes is an array of valid hashes of the same type as specified in the hash_type parameter.

Up to 100 hashes can be submitted in one request.

required
object
required
object
hash_type
required
string
Enum: "md5" "sha1" "sha256"
hashes
required
Array of strings

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
{
  • "rl": {
    }
}

TCA-0104: File Analysis - Hash (single query)

The File Analysis - Hash [RLDATA] API provides analysis results for the requested hash. The extent of analysis data returned in the response varies based on the file type. Note that the dynamic analysis report is only available with additional permissions.

Authorizations:
BasicAuth
path Parameters
hash_type
required
string
Enum: "md5" "sha1" "sha256"

Required parameter. Specifies which hash type will be used in the request. Supported values: md5, sha1, sha256.

hash_value
required
string

Required parameter. Hash of the file for which the user is requesting data from the service. The value must be a valid hash of the same type specified by the hash_type parameter.

query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

Responses

Request samples

curl --url 'https://data.reversinglabs.com/api/databrowser/rldata/query/sha1/a45ab18fb7a06dd5ecb44bf6c221a951f974059f?format=json' --user <username>:<password>

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0104: File Analysis - Hash (bulk query)

The File Analysis - Hash [RLDATA] Bulk API provides analysis results for up to 100 requested hashes in a single response. The extent of analysis data returned in the response varies based on the file type. Note that the dynamic analysis report is only available with additional permissions. Find more information in the official API documentation.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

query Parameters
format
string
Enum: "xml" "json"

Optional parameter that allows choosing the response format. Supported values: json, xml. When the parameter is not included in the request, the response is in the same format specified by the post_format parameter.

Request Body schema: application/json
required

hashes is an array of valid hashes of the same type as specified in the hash_type parameter.

Up to 100 hashes can be submitted in one request.

required
object
required
object
hash_type
required
string
Enum: "md5" "sha1" "sha256"
hashes
required
Array of strings

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0105: File Analysis - Non-Malicious (single query)

The File Analysis - Non-Malicious [RLDATA Goodware] API provides sample hashes, trust factor, relationships, size, and sources for benign samples only. If a malicious hash is queried, a 404 (Not Found) HTTP response will be returned.

Authorizations:
BasicAuth
path Parameters
hash_type
required
string
Enum: "md5" "sha1" "sha256"

Required parameter. Specifies which hash type will be used in the request. Supported values: md5, sha1, sha256.

hash_value
required
string

Required parameter. Hash of the file for which the user is requesting data from the service. The value must be a valid hash of the same type specified by the hash_type parameter.

query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

Responses

Request samples

curl --url 'https://data.reversinglabs.com/api/databrowser/rldata/goodware/query/sha1/a25b6db2d363eaa31de348399aedc5651280b52b?format=json' --user <username>:<password> --header 'Content-Type: application/json'

Response samples

Content type
application/json
Example
{
  • "rl": {
    }
}

TCA-0105: File Analysis - Non-Malicious (bulk query)

The File Analysis - Non-Malicious [RLDATA Goodware] Bulk API provides sample hashes, trust factor, relationships, size, and sources for benign samples only. Up to 100 hashes can be submitted in one request. If a malicious hash is queried, a 404 (Not Found) HTTP response will be returned. Find more information in the official API documentation.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

query Parameters
format
string
Enum: "xml" "json"

Optional parameter that allows choosing the response format. Supported values: json, xml. When the parameter is not included in the request, the response is in the same format specified by the post_format parameter.

Request Body schema: application/json
required

hashes is an array of valid hashes of the same type as specified in the hash_type parameter.

Up to 100 hashes can be submitted in one request.

required
object
required
object
hash_type
required
string
Enum: "md5" "sha1" "sha256"
hashes
required
Array of strings

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
Example
{
  • "rl": {
    }
}

Certificate Threat Intelligence

Get file certificate insights from ReversingLabs

TCA-0501: Certificate Index

The Certificate Index API provides a list of samples that are signed with the requested certificate. The certificate should be requested using its thumbprint value as a SHA1, SHA256, or MD5 hash. Only one certificate thumbprint can be submitted in one request. Optional parameters can be used in the request to retrieve additional sample metadata and filter the results by classification status.

Authorizations:
BasicAuth
path Parameters
thumbprint
required
string

Required parameter that specifies the thumbprint of the certificate for which the user is requesting data from the service. The thumbprint value should be provided as a valid hash. Supported hash types are: MD5, SHA1, SHA256.

query Parameters
limit
integer [ 1 .. 100 ]
Default: 100
Example: limit=50

Optional parameter; specifies the maximum number of sample SHA1 hashes to include in the response. This value has to be an integer in the range from 1 and 100. When the parameter is not included in the request, 100 hashes are returned by default.

extended
boolean
Default: false
Example: extended=true

If the extended option is selected, each SHA1 hash in the list will be expanded with additional metadata: certificate validation status, classification, threat level, trust factor, malware family name, threat name, malware type, targeted platform and subplatform; SHA1, MD5, PE_SHA1, PE_SHA256 and SHA256 hashes; sample size, sample type, download availability, first and last seen dates (UTC).

classification
string
Enum: "known" "malicious" "suspicious" "unknown"
Example: classification=malicious

Optional parameter that allows filtering the results by their classification status. If this parameter is provided in the request, the response will include only those samples that match the requested status. Supported values are: known, malicious, suspicious, unknown (case-insensitive).

format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

Responses

Request samples

curl --url 'https://data.reversinglabs.com/api/certificate/index/v1/query/thumbprint/A909502DD82AE41433E6F83886B00D4277A32A7B?format=json' --user <username>:<password>

Response samples

Content type
application/json
Example
{
  • "rl": {
    }
}

TCA-0501: Certificate Index (paginated)

The Certificate Index API provides a list of samples that are signed with the requested certificate. The certificate should be requested using its thumbprint value as a SHA1, SHA256, or MD5 hash. Only one certificate thumbprint can be submitted in one request. Optional parameters can be used in the request to retrieve additional sample metadata and filter the results by classification status.

Authorizations:
BasicAuth
path Parameters
thumbprint
required
string

Required parameter that specifies the thumbprint of the certificate for which the user is requesting data from the service. The thumbprint value should be provided as a valid hash. Supported hash types are: MD5, SHA1, SHA256.

next_page
string

Optional parameter used for pagination. To get the next page of results from the API, use the next_page value from the response with this parameter in a new request. When the parameter is not included in the request, only the first page of results is returned.

query Parameters
limit
integer [ 1 .. 100 ]
Default: 100
Example: limit=50

Optional parameter; specifies the maximum number of sample SHA1 hashes to include in the response. This value has to be an integer in the range from 1 and 100. When the parameter is not included in the request, 100 hashes are returned by default.

extended
boolean
Default: false
Example: extended=true

If the extended option is selected, each SHA1 hash in the list will be expanded with additional metadata: certificate validation status, classification, threat level, trust factor, malware family name, threat name, malware type, targeted platform and subplatform; SHA1, MD5, PE_SHA1, PE_SHA256 and SHA256 hashes; sample size, sample type, download availability, first and last seen dates (UTC).

classification
string
Enum: "known" "malicious" "suspicious" "unknown"
Example: classification=malicious

Optional parameter that allows filtering the results by their classification status. If this parameter is provided in the request, the response will include only those samples that match the requested status. Supported values are: known, malicious, suspicious, unknown (case-insensitive).

format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

Responses

Request samples

curl --url 'https://data.reversinglabs.com/api/certificate/index/v1/query/thumbprint/A909502DD82AE41433E6F83886B00D4277A32A7B?format=json' --user <username>:<password>

Response samples

Content type
application/json
Example
{
  • "rl": {
    }
}

TCA-0502: Certificate Analytics

The Certificate Analytics API provides certificate analytics for the requested certificate and its chain of trust. The certificate should be requested using its thumbprint value as a SHA1, SHA256, or MD5 hash. Sending requests using the GET method allows only one thumbprint per request, while the POST method accepts up to 100 thumbprints in one request. Find more information in the official API documentation.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
thumbprint
required
string

Required parameter that specifies the thumbprint of the certificate for which the user is requesting data from the service. The thumbprint value should be provided as a valid hash. Supported hash types are: MD5, SHA1, SHA256.

query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

Responses

Request samples

curl --url 'https://data.reversinglabs.com/api/certificate/analytics/v1/query/thumbprint/18254B1DC375B74E339EB99ABFE31AF0D735CB5A3B535570731175811D735B0D?format=json' --user <username>:<password> --header 'Content-Type: application/json'

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0502: Certificate Analytics

The Certificate Analytics API provides certificate analytics for the requested certificate and its chain of trust. The certificate should be requested using its thumbprint value as a SHA1, SHA256, or MD5 hash. Sending requests using the GET method allows only one thumbprint per request, while the POST method accepts up to 100 thumbprints in one request. Find more information in the official API documentation.

Authorizations:
BasicAuth
path Parameters
thumbprint
required
string
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
required

thumbprints is a required parameter that specifies a list of certificate thumbprints for which the user is requesting data from the service. Each thumbprint value should be provided as a valid hash. Supported hash types are: MD5, SHA1, SHA256. Up to 100 thumbprints can be submitted in one request.

required
object
required
object
thumbprints
required
Array of objects
format
required
string non-empty

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0503: Certificate Thumbprint Search

The Certificate Thumbprint Search API allows users to find certificate thumbprints by using the full or partial certificate common name as the search keyword. The results contain thumbprints of certificates that match the requested common name. Those thumbprints can be used with the TCA-0501 and TCA-0502 APIs to obtain a list of certificate-signed samples and certificate analytics, respectively.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
required
object
object
common_name
required
string

common_name is a required parameter that supports partial matching with * as the wildcard character. limit is an optional parameter that specifies the maximum number of thumbprints to return in the response (1-100, with 100 as the default).

limit
integer [ 1 .. 100 ]
Default: 100

Maximum number of certificate thumbprints to be returned.

page_common_name
string

An optional pagination parameter for retrieving the next page of the results. Pagination value for the next page is provided in the previous request response as next_page_common_name.

page_thumbprint
string

An optional pagination parameter for retrieving the next page of the results. Pagination value for the next page is provided in the previous request response as next_page_thumbprint.

response_format
string
Default: "xml"
Enum: "xml" "json"

response_format is an optional parameter that allows choosing the response format (XML or JSON; XML is the default).

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

Network Threat Intelligence

Find files in Spectra Intelligence using network indicator metadata

TCA-0401: URI to Hash Search

The URI to Hash Search API provides a list of all available SHA1 hashes associated with the requested URI. The following URI types are supported: email, URL, IPv4 address, domain. Only one URI can be submitted in one request. Sending requests using the GET method requires the SHA1 value of the URI string, while the POST method accepts the URI string value in plain text.

Authorizations:
BasicAuth
path Parameters
hash
required
string

SHA1 hash value of the URI string for which the user is requesting data from the service. The user should generate a SHA1 hash of the URI string prior to submitting a request.

query Parameters
classification
string
Enum: "known" "malicious" "suspicious" "unknown"
Example: classification=malicious

Optional parameter that allows filtering the results by their classification status. If this parameter is provided in the request, the response will include only those samples that match the requested status. Supported values are: known, malicious, suspicious, unknown (case-insensitive).

format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

Responses

Request samples

curl --url 'https://data.reversinglabs.com/api/uri_index/v1/query/c2208abde9668e8e9815c3690855edd1e63abeac?format=json' --user <username>:<password>

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0401: URI to Hash Search (paginated)

The URI to Hash Search API provides a list of all available SHA1 hashes associated with the requested URI. The following URI types are supported: email, URL, IPv4 address, domain. Only one URI can be submitted in one request. Sending requests using the GET method requires the SHA1 value of the URI string, while the POST method accepts the URI string value in plain text. Find more information in the official API documentation.

Authorizations:
BasicAuth
path Parameters
hash
required
string

Next page hash value.

query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

header Parameters
Content-Type:
required
string
Enum: "application/json" "text/xml"

Required parameter that defines the POST payload format.

Request Body schema: application/json
required
object
object
uri
required
string

uri is a required parameter used to submit a plain text URI for which the user is requesting data from the service. Only one URI can be submitted in one request. Supported URI types are: email (e.g., user@domain.com), URL (e.g., http://domain.com/download/picture.jpg), IPv4 address (e.g., 127.0.0.1), domain (e.g., domain.com).

next_page_sha1
string

next_page_sha1 is an optional parameter used for pagination. To get the next page of results from the API, use the next_page_sha1 value from the response with this parameter in a new request. When the parameter is not included in the request, only the first page of results is returned.

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0401: URI to Hash Search

The URI to Hash Search service provides a list of all available SHA1 hashes associated with the requested URI. This service takes into account network IOCs extracted during file static analysis and uses that data to correlate URIs with samples. The following URI types are supported: email, URL, IPv4 address, and domain. Only one URI can be submitted in one request. Find more information in the official API documentation.

Authorizations:
BasicAuth
query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

header Parameters
Content-Type:
required
string
Enum: "application/json" "text/xml"

Required parameter that defines the POST payload format.

Request Body schema: application/json
required
object
object
uri
required
string

uri is a required parameter used to submit a plain text URI for which the user is requesting data from the service. Only one URI can be submitted in one request. Supported URI types are: email (e.g., user@domain.com), URL (e.g., http://domain.com/download/picture.jpg), IPv4 address (e.g., 127.0.0.1), domain (e.g., domain.com).

next_page_sha1
string

next_page_sha1 is an optional parameter used for pagination. To get the next page of results from the API, use the next_page_sha1 value from the response with this parameter in a new request. When the parameter is not included in the request, only the first page of results is returned.

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0401: URI to Hash Search (paginated)

The URI to Hash Search API provides a list of all available SHA1 hashes associated with the requested URI. The following URI types are supported: email, URL, IPv4 address, domain. Only one URI can be submitted in one request. Sending requests using the GET method requires the SHA1 value of the URI string, while the POST method accepts the URI string value in plain text.

Authorizations:
BasicAuth
path Parameters
uri_sha1
required
string

The SHA1 hash value of the URI string

next_page_sha1
required
string

Optional path parameter used for pagination. To get the next page of results from the API, use the next_page_sha1 value from the response in place of this parameter in a new request. When the parameter is not included in the request, only the first page of results is returned.

query Parameters
classification
string
Enum: "known" "malicious" "suspicious" "unknown"
Example: classification=malicious

Optional parameter that allows filtering the results by their classification status. If this parameter is provided in the request, the response will include only those samples that match the requested status. Supported values are: known, malicious, suspicious, unknown (case-insensitive).

format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

Responses

Request samples

curl --url 'https://data.reversinglabs.com/api/uri_index/v1/query/c2208abde9668e8e9815c3690855edd1e63abeac?format=json' --user <username>:<password>

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0402: URI Statistics

The URI Statistics API provides statistical information on how many known, malicious, and suspicious samples are associated with a particular URI. The following URI types are supported: email, URL, IPv4 address, domain. Only one URI can be submitted in one request. This service accepts only SHA1 values of URI strings. Requested URI strings cannot be in plain text. Find more information in the official API documentation.

Authorizations:
BasicAuth
path Parameters
uri_sha1
required
string

The SHA1 hash value of the URI string for which the user is requesting data from the service. The user should generate a SHA1 hash of the URI string prior to submitting a request. Supported URI types are: email (e.g., user@domain.com), URL (e.g., http://domain.com/download/picture.jpg), IPv4 address (e.g., 127.0.0.1), domain (e.g., domain.com).

query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

Responses

Request samples

curl --url 'https://data.reversinglabs.com/api/uri/statistics/uri_state/sha1/234988566c9a0a9cf952cec82b143bf9c207ac16?format=json' --user <username>:<password>

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0403: URL Threat Intelligence (report)

This service returns the report for the submitted URL. The report contains the ReversingLabs URL classification status, URL reputation from various reputation sources, metadata for performed URL analyses, statistics of files found on the submitted URL mapped to their classification, and an overview of the most common threats.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
required
object
object
url
required
string <uri>
response_format
string
Default: "xml"
Enum: "json" "xml"

Responses

Request samples

Content type
application/json
{}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0403: URL Threat Intelligence (downloaded files)

This service provides a list of hashes for files downloaded from the submitted URL, across all analyses, during the last analysis, or those downloaded during a specific analysis.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
required
object
object
url
string <uri>

Cannot be used in combination with analysis_id.

analysis_id
string

Cannot be used in combination with url.

last_analysis
boolean
Default: false
response_format
string
Default: "xml"
Enum: "json" "xml"
limit
integer
Default: 1000
classification
string
Enum: "KNOWN" "SUSPICIOUS" "MALICIOUS" "UNKNOWN"
extended
boolean
Default: false

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
Example
{
  • "rl": {
    }
}

TCA-0403: URL Threat Intelligence (notifications) (time range)

This service provides a continuous list of completed analyses. The records enter the feed once the submitted URL is analyzed to completion and the report is ready.

Authorizations:
BasicAuth
path Parameters
time_format
required
string
Enum: "timestamp" "utc"

Required parameter that specifies the time format for the time_value parameter. Supported values: timestamp (Unix epoch time as the number of seconds since 1970-01-01 00:00:00); utc (YYYY-MM-DDThh:mm:ss).

time_value
required
string <Unix timestamp OR date-time>

Accepts values formatted according to the format set in the time_format parameter.

query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

limit
integer [ 1 .. 1000 ]
Default: 1000
Example: limit=50

Specifies the maximum number of reports to return in the response.

Responses

Request samples

curl --url 'https://data.reversinglabs.com/api/networking/url/v1/notifications/query/latest?limit=1' --user <username>:<password>

Response samples

Content type
application/json
{}

TCA-0403: URL Threat Intelligence (notifications) (time range) (paginated)

This service provides a continuous list of completed analyses. The records enter the feed once the submitted URL is analyzed to completion and the report is ready.

Authorizations:
BasicAuth
path Parameters
time_format
required
string
Enum: "timestamp" "utc"

Required parameter that specifies the time format for the time_value parameter. Supported values: timestamp (Unix epoch time as the number of seconds since 1970-01-01 00:00:00); utc (YYYY-MM-DDThh:mm:ss).

time_value
required
string

Accepts values formatted according to the format set in the time_format parameter.

page
required
string

The pagination value for the next page is provided in the previous request response

query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

limit
integer [ 1 .. 1000 ]
Default: 1000
Example: limit=50

Specifies the maximum number of reports to return in the response.

Responses

Request samples

curl --url 'https://data.reversinglabs.com/api/networking/url/v1/notifications/query/latest?limit=1' --user <username>:<password>

Response samples

Content type
application/json
{}

TCA-0403: URL Threat Intelligence (notifications) (latest)

This service provides a continuous list of completed analyses. The records enter the feed once the submitted URL is analyzed to completion and the report is ready.

Authorizations:
BasicAuth
query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

limit
integer [ 1 .. 1000 ]
Default: 1000
Example: limit=50

Specifies the maximum number of reports to return in the response.

Responses

Request samples

curl --url 'https://data.reversinglabs.com/api/networking/url/v1/notifications/query/latest?limit=1' --user <username>:<password>

Response samples

Content type
application/json
{}

TCA-0403: URL Threat Intelligence (notifications) (latest) (paginated)

This service provides a continuous list of completed analyses. The records enter the feed once the submitted URL is analyzed to completion and the report is ready.

Authorizations:
BasicAuth
path Parameters
page
required
string
query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

limit
integer [ 1 .. 1000 ]
Default: 1000
Example: limit=50

Specifies the maximum number of reports to return in the response.

Responses

Request samples

curl --url 'https://data.reversinglabs.com/api/networking/url/v1/notifications/query/latest?limit=1' --user <username>:<password>

Response samples

Content type
application/json
{}

TCA-0404: Analyze URL

This service allows users to submit a URL for analysis. The analysis is a crawling process that will start looking for files to download from the submitted URL. When downloaded, the files are sent for analysis to the ReversingLabs file processing pipeline.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST body format.

header Parameters
Content-Type
required
string
Value: "application/octet-stream"

Required parameter that defines the POST payload format.

Request Body schema: application/json
required
object
object
url
required
string <uri>
response_format
required
string
Default: "xml"
Enum: "json" "xml"

Responses

Request samples

Content type
application/json
{}

Response samples

Content type
application/json
{}

TCA-0405 Domain Threat Intelligence (resolutions)

This service provides a list of domain-to-IP mappings for the requested domain.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
required
object
object
domain
string
limit
integer
Default: 1000
response_format
string
Default: "xml"
Enum: "json" "xml"

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
Example
{
  • "rl": {
    }
}

TCA-0405 Domain Threat Intelligence (URLs)

This service provides a list of URLs associated with the requested domain.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
required
object
object
domain
string
response_format
string
limit
integer

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
Example
{
  • "rl": {
    }
}

TCA-0405 Domain Threat Intelligence (report)

This service returns threat intelligence data for the submitted domain. The report contains domain reputation from various reputation sources, classification statistics for files downloaded from the domain, the most common threats found on the domain DNS information about the domain, and parent domain information.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
required
object
object
domain
string
response_format
string
Default: "xml"
Enum: "json" "xml"

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0405 Domain Threat Intelligence (downloaded files)

This service provides a list of hashes for files downloaded from the submitted domain.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
required
object
object
domain
string
limit
integer
extended
boolean
classification
string
response_format
string

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
Example
{
  • "rl": {
    }
}

TCA-0406 IP Threat Intelligence (resolutions)

This service provides a list of IP-to-domain mappings for the specified IP.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
required
object
object
ip
string
limit
integer
Default: 1000
response_format
string
Default: "xml"
Enum: "json" "xml"

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
Example
{
  • "rl": {
    }
}

TCA-0406 IP Threat Intelligence (URLs)

This service provides a list of URLs associated with the requested IP. Find more information in the official API documentation.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
required
object
object
ip
string
limit
integer
Default: 1000
response_format
string
Default: "xml"
Enum: "json" "xml"

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
Example
{
  • "rl": {
    }
}

TCA-0406 IP Threat Intelligence (report)

This service returns threat intelligence data for the submitted IP. The report contains IP reputation from various reputation sources, classification statistics for files downloaded from the IP, and the top threats hosted on the submitted IP.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
required
object
object
ip
string
response_format
string
Default: "xml"
Enum: "json" "xml"

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0406 IP Threat Intelligence (downloaded files)

This service provides a list of hashes for files downloaded from the submitted IP address.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
required
required
object
required
object
ip
required
string
limit
integer
Default: 1000
response_format
string
Default: "xml"
Enum: "json" "xml"
classification
string
Enum: "KNOWN" "SUSPICIOUS" "MALICIOUS" "UNKNOWN"
extended
boolean
Default: false

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
Example
{
  • "rl": {
    }
}

TCA-0407: Network Reputation API

The Network Reputation service provides information regarding the reputation of a requested URL, domain, or IP address. When a URL is submitted, the service provides its ReversingLabs classification, along with an overview of detections from our partners. It also includes the category of the URL (for example phishing, gambling, adult content) and indicates whether we have encountered any malware samples associated with the submitted URL.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
object
object
required
Array of objects <= 100 items
response_format
string
Default: "xml"
Enum: "json" "xml"

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0408: Network Reputation User Override

The Network Reputation User Override service enables URL classification overrides. Any URL can be overridden to malicious, suspicious, or known. Overrides are visible to all users within the same organization. The service also supports listing existing overrides.

Authorizations:
BasicAuth
path Parameters
post_format
required
string
Enum: "xml" "json"

Required parameter that defines the POST payload format. Supported options are xml and json. By default, the response format matches the format defined by this parameter.

Request Body schema: application/json
required
object
object
response_format
string
Enum: "json" "xml"

Responses

Request samples

Content type
application/json
{
  • "rl": {
    }
}

Response samples

Content type
application/json
{
  • "rl": {
    }
}

TCA-0408: List User Overrides

The Network Reputation User Override service enables URL classification overrides. Any URL can be overridden to malicious, suspicious, or known. Overrides are visible to all users within the same organization. The service also supports listing existing overrides.

Authorizations:
BasicAuth
query Parameters
format
string
Default: "xml"
Enum: "xml" "json"
Example: format=json

Optional parameter that allows choosing the response format. Supported values: xml, json. When the parameter is not included in the request, defaults to xml.

next_network_location
string <sha1>

Optional parameter used for pagination. To get the next page of results from the API, use the next_network_location value from the response in place of this parameter in a new request. When the parameter is not included in the request, only the first page of results is returned.

Responses