Network IOCs feed (TCF-0301)
This service returns a continuous list of malicious URLs detected in Spectra Intelligence. To enter the feed, a URL needs to match at least one of these two criteria:
- ReversingLabs has downloaded a malicious file from the URL. If this is the case, the URL record will also contain relevant metadata for the downloaded file: SHA1 hash, optional ReversingLabs threat name and optional SHA256 hash. The threat name can be further used to determine the malware platform, malware type, or malware family name.
- A third party reputation provider that we partner with has determined that the URL is malicious.
Before entering the feed, URLs are first checked against our whitelist to avoid benign and well-known sites being included in the feed.
The feed stores records for the last 365 days.
The feed returns a maximum of 1000 records per request and provides, in the last_timestamp field, the latest timestamp up to which the returned records are included. In your next request, increment that timestamp by 1 to fetch the next batch of records.
If the requested timestamp is not within the last 365 days, the service will respond with the status code 400 Bad Request.
Request
GET /api/feed/malware_uri/v1/query/{time_format}/{time_value}[?format=xml|json|tsv]
time_format - Format in which the time value will be specified. Supported values are: timestamp (number of seconds since 1970-01-01 00:00:00), utc (UTC date in the YYYY-MM-DDThh:mm:ss format). This will also determine which format will be used in the last_timestamp field of the response. - Required
time_value - Accepts values in the format set by time_format. - Required
format - Specifies the format in which the resulting data will be returned. Supported values are: xml (default), json, tsv (Tab Separated Values, delimiter character \t 0x09). - Optional

To retrieve at most 1000 latest records, use the following query:
GET /api/feed/malware_uri/v1/query/latest[?format=xml|json|tsv]
Response
Records returned from third party sources contain only the uri, threat_level and uri_type fields.
{
  "rl": {
    "malware_uri_feed": {
      "entries": [
        {
          "record_on": "string",
          "uri": "string",
          "samples": [
            {
              "threat_name": "string",
              "sha1": "string",
              "sha256": "string"
            }
          ],
          "uri_type": "string"
        }
      ],
      "last_timestamp": "string",
      "time_range": {
        "to": "string",
        "from": "string"
      }
    }
  }
}
rl.malware_uri_feed.entries[]
record_on - When the record was included in the feed. Format: utc (YYYY-MM-DDThh:mm:ss).
samples - List of samples with optional threat names. Contains the following:
- sha1: SHA1 hash of the sample, for example 9300addf4d28d3c1419d0080fbb415bb50e8a19c
- sha256: SHA256 hash of the sample, for example 9f0da89c727b6efb3d2a3f845254bf89c626980a70a5817918d9c43ae65858c0
- threat_name: optional threat name, for example Win32.Trojan.Dinwod
uri - A URL that we downloaded a malicious file from, or that a third party reputation provider found malicious.
threat_level - Malware severity indicator expressed as an integer between 0 and 5. Values from 1 to 5 indicate threats from lowest to highest severity; 0 is reserved for known URIs. For unknown URIs, this value is omitted. In real-world situations, threat level values are typically interpreted in the following way:
- Threat Level 4, 5 - immediate response required (e.g. different types of Trojans, URI found on a blocklist or matches a known malware regex)
- Threat Level 2, 3 - should be examined within 24 hours (e.g. first stage exploits, URLs with homoglyph variations)
- Threat Level 1 - not urgent, but should be periodically reviewed (e.g. Adware / PUA, misleading subdomains).
uri_type - This field is included for the purpose of backward compatibility. Always equal to url.

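The following is an added example, not code from ReversingLabs or this documentation. It shows how a consumer would page through the feed as described above (take last_timestamp from each response, increment it by 1, stop when a page comes back empty, and refuse to start from a time older than 365 days, which the service would reject with 400) and how it would map the threat_level field onto the response tiers listed under the field descriptions. The HTTP call is replaced by an offline stand-in (fake_fetch) over two constructed pages whose values are made up; the function names, the SAMPLE_NOW clock and the exact string form of last_timestamp are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

UTC_FMT = "%Y-%m-%dT%H:%M:%S"   # the "utc" time_format used by the feed
RETENTION_DAYS = 365             # the feed stores records for the last 365 days

# Constructed sample pages (made up for this example, not real feed data), keyed by the
# timestamp a client queries. The shape follows the JSON response schema shown above;
# third-party records carry only uri, threat_level and uri_type, as the page states.
SAMPLE_PAGES = {
    1672527600: {"rl": {"malware_uri_feed": {
        "entries": [
            {"record_on": "2023-01-01T00:00:02",
             "uri": "http://dropper.example.invalid/update.exe",
             "samples": [{"threat_name": "Win32.Trojan.Dinwod",
                          "sha1": "0000000000000000000000000000000000000001",
                          "sha256": "00000000000000000000000000000000"
                                    "00000000000000000000000000000001"}],
             "threat_level": 5, "uri_type": "url"},
            {"uri": "http://paypa1-login.example.invalid/",   # constructed third-party record
             "threat_level": 3, "uri_type": "url"},
        ],
        "last_timestamp": "1672527605",
        "time_range": {"from": "1672527600", "to": "1672527605"}}}},
    1672527606: {"rl": {"malware_uri_feed": {
        "entries": [{"uri": "http://adbundle.example.invalid/setup",
                     "threat_level": 1, "uri_type": "url"}],
        "last_timestamp": "1672527609",
        "time_range": {"from": "1672527606", "to": "1672527609"}}}},
}

# Fixed "current time" so the retention check is reproducible (assumption for the example).
SAMPLE_NOW = datetime(2023, 1, 2, tzinfo=timezone.utc)


def fake_fetch(time_value):
    """Offline stand-in for GET /api/feed/malware_uri/v1/query/timestamp/{time_value}."""
    empty = {"rl": {"malware_uri_feed": {"entries": [], "last_timestamp": str(time_value),
                                         "time_range": {"from": str(time_value),
                                                        "to": str(time_value)}}}}
    return SAMPLE_PAGES.get(time_value, empty)


def next_time_value(last_timestamp, time_format):
    """Increment the returned last_timestamp by one unit, as the feed instructs."""
    if time_format == "timestamp":
        return int(last_timestamp) + 1
    if time_format == "utc":
        t = datetime.strptime(last_timestamp, UTC_FMT) + timedelta(seconds=1)
        return t.strftime(UTC_FMT)
    raise ValueError(f"unsupported time_format: {time_format}")


def in_retention_window(time_value, time_format, now):
    """True if the query time is within the last 365 days; older times get a 400 from the service."""
    if time_format == "timestamp":
        t = datetime.fromtimestamp(int(time_value), tz=timezone.utc)
    else:
        t = datetime.strptime(time_value, UTC_FMT).replace(tzinfo=timezone.utc)
    return t >= now - timedelta(days=RETENTION_DAYS)


def triage_bucket(threat_level):
    """Map threat_level to the response tiers described in the field documentation."""
    if threat_level is None:
        return "unknown"            # field omitted for unknown URIs
    if threat_level == 0:
        return "known"              # 0 is reserved for known URIs
    if threat_level >= 4:
        return "immediate"          # levels 4, 5
    if threat_level >= 2:
        return "within_24h"         # levels 2, 3
    return "periodic_review"        # level 1


def parse_entries(page):
    """Flatten one feed page into records with a triage bucket and sample metadata."""
    out = []
    for e in page["rl"]["malware_uri_feed"]["entries"]:
        samples = e.get("samples", [])   # absent on third-party records
        out.append({
            "uri": e["uri"],
            "record_on": e.get("record_on"),
            "threat_level": e.get("threat_level"),
            "bucket": triage_bucket(e.get("threat_level")),
            "sha1s": [s["sha1"] for s in samples],
            "threat_names": sorted({s["threat_name"] for s in samples if s.get("threat_name")}),
        })
    return out


def fetch_all(fetch_page, start, time_format="timestamp", now=None, max_pages=1000):
    """Page through the feed from `start`, following last_timestamp + 1 until a page is empty."""
    now = now or datetime.now(timezone.utc)
    if not in_retention_window(start, time_format, now):
        raise ValueError("start time is older than 365 days; the service would answer 400")
    time_value, records = start, []
    for _ in range(max_pages):                  # hard cap so a stuck cursor cannot loop forever
        page = fetch_page(time_value)
        batch = parse_entries(page)
        records.extend(batch)
        if not batch:
            break
        nxt = next_time_value(page["rl"]["malware_uri_feed"]["last_timestamp"], time_format)
        if nxt <= time_value:                   # cursor did not advance: stop rather than spin
            break
        time_value = nxt
    return records


if __name__ == "__main__":
    for r in fetch_all(fake_fetch, 1672527600, now=SAMPLE_NOW):
        print(r["bucket"], r["uri"], r["threat_names"])
```

Replacing fake_fetch with a real HTTP GET against the path above (with authentication as required by your account) is the only change needed to run this against the live feed; keep the empty-page and no-progress stops, since a cursor that does not advance is the usual cause of runaway polling.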
Examples
Fetching all new URIs with changes from 2023-01-01 00:00:00
/api/feed/malware_uri/v1/query/utc/2023-01-01T00:00:00
Fetching all new URIs with changes from 2023-01-01 00:00:00 using the timestamp format; response in JSON, XML, and TSV format
/api/feed/malware_uri/v1/query/timestamp/1672527600?format=json
/api/feed/malware_uri/v1/query/timestamp/1672527600?format=xml
/api/feed/malware_uri/v1/query/timestamp/1672527600?format=tsv
Fetching the first available changes
/api/feed/malware_uri/v1/query/timestamp/0
Fetching all latest changes in XML, JSON, and TSV format
/api/feed/malware_uri/v1/query/latest?format=json
/api/feed/malware_uri/v1/query/latest?format=xml
/api/feed/malware_uri/v1/query/latest?format=tsv