Reputation and metadata alerts (TCA-0206)
The Reputation and Metadata Changes service allows users to subscribe to up to one billion sample and URL hashes, tracking changes in their status over a period of time. These subscriptions, valid for a duration of 1 year, enable users to monitor any changes to the subscribed samples or URLs. When changes occur, they are delivered through the Data Change Feed API.
To subscribe to a list of samples, users can:
- use the Spectra Intelligence Alert Subscription API
- use the Spectra Intelligence file upload API to set the parameter
<?subscribe=data_change>
in their metadata upload requests
To unsubscribe from the Data Change Feed for previously subscribed samples or URLs, users can use the Alert Subscription API - Unsubscribe Query.
General Info about Requests/Responses
- All requests support the format parameter which allows changing the response format
- Default response format is xml, except for bulk queries, where default format is the same as the POST format
- The number of hashes in a bulk request must not be larger than one hundred (100)
- POST requests must set in HTTP header field Content-Type: application/octet-stream
How to Use Alert Subscription API and Data Change Feed
The subscription procedure consists of two general steps.
Step 1 - Subscribe to samples
Users submit a list of sample or URL hashes they want to track in a bulk HTTP POST request to the Alert Subscription API. The POST request can be sent as XML or JSON.
Example: submitting a list of hashes as JSON
curl –X POST https://<server>/api/subscription/data_change/v1/bulk_query/subscribe/json -d '
{ "rl": {
"query": {
"hash_type":"sha1",
"hashes": [
"84dbb381485e6ee9d69fbad3c6f020be88230e9b",
"81648fd7871017eef87e0efa166e00e891a6ea9d",
"0761c95bd639466aff2d65c1c092e2cae40f900c",
"552ec95c8ffe3a0cb014eee508b87730461c8f26",
"d234189a25892325746699fe2ab39a40b2d14d6e"
]
}}}
'
Step 2 - Monitor changes to subscribed samples
Users can poll the Data Change Feed using HTTP GET requests to check whether there have been any changes to the samples or URLs they have subscribed to.
The Data Change Feed returns the last_timestamp value that can be used in the next request up until 60 seconds from the current time. The value determines the time period for which the user wants to retrieve information about changes to subscribed samples.
For example:
- User sends a subscription request at timestamp T0.
- The user then issues a GET request at timestamp T1.
- The request contains the T0 timestamp as the last_timestamp value, and the API returns the changes that happened between T0 and T1 (if there have been any changes).
The response returned by the API contains SHA1 hashes of subscribed samples or URLs and sections that have changed in the requested period of time.
For every sample or URL with detected changes, the following sections are included:
Section | Description |
---|---|
xref | AV scanning results have been updated. |
sample_available | The sample has become available for processing. |
malware_presence | Sample's Malware Presence classification, or any part of its metadata, has changed (including changes to the sample's Malicious/Unknown/Suspicious/Known status). |
sample_became_shareable | The sample became shareable and is available for download. |
dynamic_analysis | Dynamic analysis report has been completed and is available for querying. |
Subscribe query
This query is used for subscribing to a list of samples or URLs for which the changed sections (if there are any) will be delivered in the Data Change Feed. To subscribe to a list of samples or URLs, the user should submit the sample or URL hashes in a POST request. All hashes in a request should be of the same type. The maximum amount of hashes that can be submitted in one request is 100.
Request
POST /api/subscription/data_change/v1/bulk_query/subscribe/{post_format}
Path parameters:
post_format
- Accepts the following values:
xml
orjson
. It defines the POST body format and the response format.
- Accepts the following values:
Request body:
{
"rl": {
"query": {
"hash_type": "string",
"hashes": [
"string"
]
}
}
}
hash_type
can be sha1, md5 or sha256 for samples, and sha1 for URLs that were seen by the Spectra Intelligence system. Note: Samples or URLs that have not yet been seen can be subscribed only with SHA1 hash values.- hash values must be valid hashes defined by the
hash_type
parameter
Response
{
"rl": {
"subscription_data_change": {
"hash_type": "string",
"subscribed": [
{}
],
"invalid_hashes": [
"string"
],
"unknown_hashes": [
"string"
]
}
}
}
hash_type
- The hash_type used in the request
subscribed
- A list of hashes that were successfully subscribed
invalid_hashes
- A list of invalid hashes
unknown_hashes
- A list of unknown hashes (only if MD5 and SHA256 hash_type is used)
Unsubscribe query
This query is used for unsubscribing from a list of samples or URLs that the user was previously subscribed to. Submitting a sample or URL hash in a POST request to this endpoint removes the associated sample or URL from the list of user's subscriptions.
The maximum amount of hashes that can be submitted in one request is 100. Changes for unsubscribed samples or URLs will no longer be delivered in the Data Change Feed.
Request
POST /api/subscription/data_change/v1/bulk_query/unsubscribe/{post_format}
Path parameters:
post_format
- Accepts the following values:
xml
orjson
. It defines the POST body format and the response format.
- Accepts the following values:
Request body:
{
"rl": {
"query": {
"hash_type": "string",
"hashes": [
"string"
]
}
}
}
-
hash_type
- The hash_type used in the request
-
unsubscribed
- A list of hashes that were successfully unsubscribed
-
invalid_hashes
- A list of invalid hashes
-
unknown_hashes
- A list of unknown hashes (only if MD5 and SHA256 hash_type is used)
-
hashes must be valid hashes defined by
hash_type
parameter -
hash_type
can be sha1, md5 or sha256 for samples, and sha1 for URLs that were seen by the Spectra Intelligence system. Samples or URLs that have not yet been seen can be unsubscribed only with SHA1 hash values.
Examples
Subscribe to a list of SHA1 hashes
/api/subscription/data_change/v1/bulk_query/subscribe/json
{
"rl": {
"query": {
"hash_type": "sha1",
"hashes": [
"84dbb381485e6ee9d69fbad3c6f020be88230e9b",
"81648fd7871017eef87e0efa166e00e891a6ea9d",
"0761c95bd639466aff2d65c1c092e2cae40f900c",
"552ec95c8ffe3a0cb014eee508b87730461c8f26",
"d234189a25892325746699fe2ab39a40b2d14d6e"
]
}
}
}
Unsubscribe from a list of SHA1 hashes
/api/subscription/data_change/v1/bulk_query/unsubscribe/json
{
"rl": {
"query": {
"hash_type": "sha1",
"hashes": [
"84dbb381485e6ee9d69fbad3c6f020be88230e9b",
"81648fd7871017eef87e0efa166e00e891a6ea9d",
"0761c95bd639466aff2d65c1c092e2cae40f900c",
"552ec95c8ffe3a0cb014eee508b87730461c8f26",
"d234189a25892325746699fe2ab39a40b2d14d6e"
]
}
}
}
Data change feed: PULL
This query returns the next set of samples or URLs to which the user is subscribed. The starting point for this query is defined using the START query.
If the user has not previously requested this query or called the START query, it will return records starting with the current timestamp. Every subsequent call will continue from the timestamp where the previous call ended.
Unless the limit parameter is specified, the query returns a maximum of 1000 records and any surplus records sharing the same timestamp. This ensures that all the records with the same timestamp will be included in the recordset. The limit parameter must not be greater than 1000.
This endpoint is built to be queried by a single thread (single instance). Any concurrent requests will be blocked until the previous one is fulfilled.
Request
GET /api/feed/data_change/v3/pull[?format=xml|json|tsv][&events=xref,sample_available,malware_presence,sample_became_shareable,dynamic_analysis][&limit=N]
Query parameters:
events
- Accepts a list of sections that should be included in the response, delimited by commas. If omitted, includes all values. Otherwise, list one or more of the sections:
xref
sample_available
malware_presence
sample_became_shareable
dynamic_analysis
- Optional
- Accepts a list of sections that should be included in the response, delimited by commas. If omitted, includes all values. Otherwise, list one or more of the sections:
format
- Specifies the response format. Supported values: xml (default), json, tsv (Tab Separated Values, delimiter character \t 0x09)
- Optional
limit
- Number of records to return in the response. The maximum value is 1000. Note that the response may include a little more than the requested number of records to ensure that all the records with the same timestamp are returned.
- Optional
Response
{
"rl": {
"data_change_feed": {
"entries": [],
"last_timestamp": 0,
"time_range": {}
}
}
}
rl.data_change_feed.entries[]
{
"record_on": "string",
"sha1": "string",
"updated_sections": [
"string"
],
"sha256": "string",
"md5": "string"
}
sha1
- SHA1 hash value of the sample or URL
md5
- MD5 hash value of the sample, if available
sha256
- SHA256 hash value of the sample, if available
updated_sections
- See
rl.data_change_feed.entries[].updated_sections
- See
rl.data_change_feed.entries[].updated_sections
xref
- Changed AV scanning results
malware_presence
- Changed Malware Presence result
sample_became_shareable
- Sample become shareable and is available for download
dynamic_analysis
- Dynamic analysis report completed and available for querying
Data change feed: START
This query sets the starting timestamp for the previously described PULL query.
Request
PUT /api/feed/data_change/v3/start/{time_format}/{time_value}
Path parameters:
time_format
- parameter accepts these options: timestamp, utc. timestamp is the number of seconds since 1970-01-01 00:00:00. utc is the date and time in format YYYY-MM-DDThh:mm:ss
- Required
time_value
- Accepts values defined by individual option set by
time_format
- Required
- Accepts values defined by individual option set by
Continuous data change feed query
This query returns a recordset with samples or URLs that the user is subscribed to from the requested timestamp onwards. The feed returns up to 1000 records and any surplus records sharing the same timestamp. The response also contains the latest timestamp up to which the events are included in the response.
To fetch the next recordset, use the the last_timestamp value from the response, increase it by 1 and submit it in a new request.
The response format is the same as with the PULL query.
Request
GET /api/feed/data_change/v3/query/{time_format}/{time_value}[?format=xml|json|tsv][&events=xref,sample_available,malware_presence,sample_became_shareable,dynamic_analysis]
time_format
- Accepts these options: timestamp, utc. timestamp is the number of seconds since 1970-01-01 00:00:00. utc is the date and time in format YYYY-MM-DDThh:mm:ss
- Required
time_value
- Accepts values defined by individual option set by time_format.
- Required
events
- Accepts a list of sections that should be included in the response, delimited by commas. If omitted, includes all values. Otherwise, list one or more of the sections:
xref
,sample_available
,malware_presence
,sample_became_shareable
,dynamic_analysis
- Optional
- Accepts a list of sections that should be included in the response, delimited by commas. If omitted, includes all values. Otherwise, list one or more of the sections:
format
- Specifies the response format. Supported values: xml (default), json, tsv (Tab Separated Values, delimiter character \t 0x09)
- Optional
Examples
Fetching records with the PULL query
/api/feed/data_change/v3/pull?format=json
Fetching samples that changed their classification
/api/feed/data_change/v3/pull?events=malware_presence
Fetching sample_available and xref changes
/api/feed/data_change/v3/pull?events=sample_available,xref
Fetching sample_available and xref changes and setting the response format
/api/feed/data_change/v3/pull?events=sample_available,xref&format=json
Fetching dynamic_analysis changes
/api/feed/data_change/v3/pull?events=dynamic_analysis
Fetching dynamic_analysis changes and setting the response format
/api/feed/data_change/v3/pull?events=dynamic_analysis&format=json
Setting the starting timestamp for the PULL query
Using the timestamp format
/api/feed/data_change/v3/start/timestamp/1430485200
Using the utc format
/api/feed/data_change/v3/start/utc/2015-05-01T13:00:00