Network IOCs feed (TCF-0301)
This service returns a continuous list of malicious URLs detected in Spectra Intelligence. To enter the feed, a URL needs to match at least one of these two criteria:
- ReversingLabs has downloaded a malicious file from the URL. If this is the case, the URL record will also contain relevant metadata for the downloaded file: SHA1 hash, optional ReversingLabs threat name and optional SHA256 hash. The threat name can be further used to determine the malware platform, malware type, or malware family name.
- A third party reputation provider that we partner with has determined that the URL is malicious.
Before entering the feed, URLs are first checked against our whitelist to avoid benign and well-known sites being included in the feed.
The feed stores records for the last 365 days.
Request Format
The feed returns a maximum of 1000 records per request, and provides the latest queried timestamp up to which the records are included. In your next request, increment that timestamp by 1 to fetch the next batch of records.
If the requested timestamp is not within the last 365 days, the service will respond with the status code 400 Bad Request.
GET /api/feed/malware_uri/v1/query/{time_format}/{time_value}[?format=xml|json|tsv]
time_format
- Format in which the time value will be specified. Supported values are: timestamp (number of seconds since 1970-01-01 00:00:00), utc (UTC date in the YYYY-MM-DDThh:mm:ss format). This will also determine which format will be used in the last_timestamp field of the response.
- Required
time_value
- Accepts values in the format set by time_format.
- Required
format
- Specifies the format in which the resulting data will be returned. Supported values are: xml (default), json, tsv (Tab Separated Values, delimiter character \t 0x09).
- Optional
To retrieve at most 1000 latest records, use the following query:
GET /api/feed/malware_uri/v1/query/latest[?format=xml|json|tsv]
Response
Records returned from third party sources contain only the uri, threat_level and uri_type fields.
{
  "rl": {
    "malware_uri_feed": {
      "entries": [
        {
          "record_on": "string",
          "uri": "string",
          "samples": [
            {
              "threat_name": "string",
              "sha1": "string",
              "sha256": "string"
            }
          ],
          "uri_type": "string"
        }
      ],
      "last_timestamp": "string",
      "time_range": {
        "to": "string",
        "from": "string"
      }
    }
  }
}
rl.malware_uri_feed.entries[]
record_on
- When the record was included in the feed. Format: utc (YYYY-MM-DDThh:mm:ss).
samples
- List of samples with optional threat names. Contains the following:
  sha1: SHA1 hash of the sample, for example 9300addf4d28d3c1419d0080fbb415bb50e8a19c
  sha256: SHA256 hash of the sample, for example 9f0da89c727b6efb3d2a3f845254bf89c626980a70a5817918d9c43ae65858c0
  threat_name: optional threat name, for example Win32.Trojan.Dinwod
uri
- A URL that we downloaded a malicious file from, or that a third party reputation provider found malicious.
threat_level
- Malware severity indicator expressed as an integer between 0 and 5. Values from 1 to 5 indicate threats from lowest to highest severity; 0 is reserved for known URIs. For unknown URIs, this value is omitted.
- In real-world situations, threat level values are typically interpreted in the following way:
  - Threat Level 4, 5 - immediate response required (e.g., different types of Trojans, URI found on a blocklist or matches a known malware regex)
  - Threat Level 2, 3 - should be examined within 24 hours (e.g., first stage exploits, URLs with homoglyph variations)
  - Threat Level 1 - not urgent, but should be periodically reviewed (e.g., Adware / PUA, misleading subdomains)
uri_type
- This field is included for the purpose of backward compatibility. Always equal to url.
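The following is an added example, not ReversingLabs code, covering both the batch-paging rule from the Request Format section (take last_timestamp, add 1, request again) and the threat_level triage buckets described above. The HTTP call is replaced by a stand-in fetch over constructed rl.malware_uri_feed objects; the entry shape, the integer threat_level and the assumption that an empty batch ends the feed are mine, not stated by the service.

```python
FEED_PATH = "/api/feed/malware_uri/v1/query"

def feed_path(time_format, time_value, fmt="json"):
    return f"{FEED_PATH}/{time_format}/{time_value}?format={fmt}"

# Constructed rl.malware_uri_feed objects for two consecutive batches (assumed shape; real values come from the service)
SAMPLE_PAGES = {
    1672527600: {"entries": [
        {"record_on": "2023-01-01T00:00:05", "uri": "http://example.invalid/a.exe",
         "samples": [{"sha1": "9300addf4d28d3c1419d0080fbb415bb50e8a19c",
                      "threat_name": "Win32.Trojan.Dinwod"}],
         "threat_level": 5, "uri_type": "url"},
        {"uri": "http://example.invalid/ads", "threat_level": 1, "uri_type": "url"},
    ], "last_timestamp": "1672527700"},
    1672527701: {"entries": [
        {"uri": "http://example.invalid/login", "threat_level": 3, "uri_type": "url"},
        {"uri": "http://example.invalid/old", "threat_level": 0, "uri_type": "url"},
    ], "last_timestamp": "1672527800"},
}

def fetch_page(ts):
    """Stand-in for GET feed_path('timestamp', ts); a real client would do the HTTP call here."""
    return SAMPLE_PAGES.get(ts, {"entries": [], "last_timestamp": str(ts)})

def iter_feed(start_ts, fetch=fetch_page):
    """Yield entries batch by batch; assumption: an empty batch means the feed is exhausted."""
    ts = start_ts
    while True:
        page = fetch(ts)
        if not page["entries"]:
            return
        yield from page["entries"]
        ts = int(page["last_timestamp"]) + 1  # next batch starts 1 second after the last one

def triage(entry):
    """Map threat_level to the handling the field description above recommends."""
    level = entry.get("threat_level")
    if level is None:
        return "unknown"      # omitted: unknown URI
    if level >= 4:
        return "immediate"    # 4-5: immediate response
    if level >= 2:
        return "review-24h"   # 2-3: examine within 24 hours
    return "periodic" if level == 1 else "known"  # 1: periodic review; 0: known URI

def collect(start_ts, fetch=fetch_page):
    buckets = {}
    for entry in iter_feed(start_ts, fetch):
        buckets.setdefault(triage(entry), []).append(entry["uri"])
    return buckets
```

Pass a real fetch callable to iter_feed or collect to run it against the service; a 400 Bad Request from the service means start_ts fell outside the 365-day window.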
Examples
Fetching all new URIs with changes from 2023-01-01 00:00:00
/api/feed/malware_uri/v1/query/utc/2023-01-01T00:00:00
Fetching all new URIs with changes from 2023-01-01 00:00:00 using the timestamp format; response in JSON, XML, and TSV format
/api/feed/malware_uri/v1/query/timestamp/1672527600?format=json
/api/feed/malware_uri/v1/query/timestamp/1672527600?format=xml
/api/feed/malware_uri/v1/query/timestamp/1672527600?format=tsv
Fetching the first available changes
/api/feed/malware_uri/v1/query/timestamp/0
Fetching all latest changes in XML, JSON, and TSV format
/api/feed/malware_uri/v1/query/latest?format=json
/api/feed/malware_uri/v1/query/latest?format=xml
/api/feed/malware_uri/v1/query/latest?format=tsv