
Network IOCs feed

This service returns a continuous list of malicious URLs detected in Spectra Intelligence. To enter the feed, a URL needs to match at least one of these two criteria:

  1. ReversingLabs has downloaded a malicious file from the URL.

    If this is the case, the URL record will also contain relevant metadata for the downloaded file: SHA1 hash, optional ReversingLabs threat name and optional SHA256 hash. The threat name can be further used to determine the malware platform, malware type, or malware family name.

  2. A third party reputation provider that we partner with has determined that the URL is malicious.

Before entering the feed, URLs are first checked against our whitelist to avoid benign and well-known sites being included in the feed.

The feed stores records for the last 365 days.

Request Format

The feed returns at most 1000 records per request and reports, in the last_timestamp field, the latest timestamp covered by the returned records. To fetch the next batch, increment that timestamp by 1 and use it as the time_value of your next request; repeat until a request returns fewer than 1000 records.

If the requested timestamp is not within the last 365 days, the service will respond with the status code 400 Bad Request.

GET /api/feed/malware_uri/v1/query/{time_format}/{time_value}[?format=xml|json|tsv]
  • time_format
    • Format in which the time value will be specified. Supported values are: timestamp (number of seconds since 1970-01-01 00:00:00 UTC), utc (UTC date in the YYYY-MM-DDThh:mm:ss format). This also determines the format used in the last_timestamp field of the response.
    • Required
  • time_value
    • Accepts values in the format set by time_format
    • Required
  • format
    • Specifies the format in which the resulting data will be returned. Supported values are: xml (default), json, tsv (Tab Separated Values, delimiter character \t 0x09)
    • Optional

To retrieve at most 1000 latest records, use the following query:

GET /api/feed/malware_uri/v1/query/latest[?format=xml|json|tsv]
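The paging loop described above (request a page, read last_timestamp, add 1, request again, stop on a short page), as an added example that is not ReversingLabs code. It works for both the timestamp and utc formats and surfaces the 400 response for timestamps older than 365 days. The FakeFeedService class, the malicious.example URLs and the record set it generates are constructed here so the code runs offline; a real client would replace the fetch callable with an authenticated HTTP GET against the path that build_query_url returns.

```python
import datetime as dt
from typing import Callable, Iterator, List

BASE_PATH = "/api/feed/malware_uri/v1/query"
PAGE_LIMIT = 1000        # documented maximum number of records per request
RETENTION_DAYS = 365     # the feed stores records for the last 365 days
UTC_FMT = "%Y-%m-%dT%H:%M:%S"


class FeedError(Exception):
    """Raised when the service rejects a request, e.g. 400 for a stale timestamp."""


def build_query_url(time_format: str, time_value: str, fmt: str = "json") -> str:
    """Build the query path for one page of the feed."""
    if time_format not in ("timestamp", "utc"):
        raise ValueError("time_format must be 'timestamp' or 'utc'")
    if fmt not in ("xml", "json", "tsv"):
        raise ValueError("format must be xml, json or tsv")
    return f"{BASE_PATH}/{time_format}/{time_value}?format={fmt}"


def next_cursor(time_format: str, last_timestamp: str) -> str:
    """Advance last_timestamp by one second, in the format the request used."""
    if time_format == "timestamp":
        return str(int(last_timestamp) + 1)
    t = dt.datetime.strptime(last_timestamp, UTC_FMT) + dt.timedelta(seconds=1)
    return t.strftime(UTC_FMT)


def iter_feed(fetch: Callable[[str], dict], time_format: str, start: str,
              fmt: str = "json") -> Iterator[dict]:
    """Yield every entry from `start` onwards, following last_timestamp page by page.

    `fetch` takes a query path and returns the decoded JSON body, or raises FeedError.
    """
    cursor = start
    while True:
        feed = fetch(build_query_url(time_format, cursor, fmt))["rl"]["malware_uri_feed"]
        entries = feed["entries"]
        yield from entries
        if len(entries) < PAGE_LIMIT:      # a short page means we have caught up
            return
        cursor = next_cursor(time_format, feed["last_timestamp"])


# Constructed stand-in for the service so the example runs offline. It mimics the
# documented behaviour: pages of at most 1000 records, last_timestamp in the
# request's format, and 400 Bad Request for timestamps older than 365 days.
class FakeFeedService:
    def __init__(self, now: dt.datetime, n_records: int):
        self.now, self.calls = now, 0
        first = now - dt.timedelta(seconds=n_records)
        self.records: List[dict] = [
            {"record_on": (first + dt.timedelta(seconds=i)).strftime(UTC_FMT),
             "uri": f"http://malicious.example/{i}",   # constructed, not a real IOC
             "samples": [], "threat_level": 5, "uri_type": "url"}
            for i in range(n_records)
        ]

    @staticmethod
    def _to_epoch(t: dt.datetime) -> int:
        return int(t.replace(tzinfo=dt.timezone.utc).timestamp())

    def fetch(self, url: str) -> dict:
        self.calls += 1
        _, time_format, value = url.split("?", 1)[0].rsplit("/", 2)
        if time_format == "timestamp":
            since = dt.datetime.fromtimestamp(int(value), dt.timezone.utc).replace(tzinfo=None)
        else:
            since = dt.datetime.strptime(value, UTC_FMT)
        if since < self.now - dt.timedelta(days=RETENTION_DAYS):
            raise FeedError("400 Bad Request: timestamp is not within the last 365 days")
        page = [r for r in self.records
                if dt.datetime.strptime(r["record_on"], UTC_FMT) >= since][:PAGE_LIMIT]
        last = dt.datetime.strptime(page[-1]["record_on"], UTC_FMT) if page else since
        last_ts = str(self._to_epoch(last)) if time_format == "timestamp" else last.strftime(UTC_FMT)
        return {"rl": {"malware_uri_feed": {
            "entries": page, "last_timestamp": last_ts,
            "time_range": {"from": value, "to": last_ts}}}}


def collect_all(service: FakeFeedService, time_format: str) -> List[dict]:
    """Pull the whole constructed feed starting from its oldest record."""
    oldest = dt.datetime.strptime(service.records[0]["record_on"], UTC_FMT)
    start = str(service._to_epoch(oldest)) if time_format == "timestamp" else oldest.strftime(UTC_FMT)
    return list(iter_feed(service.fetch, time_format, start))


if __name__ == "__main__":
    svc = FakeFeedService(dt.datetime(2024, 1, 1), 1003)
    print(len(collect_all(svc, "utc")), "records in", svc.calls, "requests")
```

Persist the last cursor you advanced to between runs, so a restarted collector resumes from where it stopped instead of re-reading a year of records; because the cursor is one second past the last record seen, a record stamped in that same second but not included in the previous page would be missed, which is a property of the documented increment-by-1 protocol rather than of this client.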

Response

Records returned from third party sources contain only the uri, threat_level and uri_type fields.

{
  "rl": {
    "malware_uri_feed": {
      "entries": [
        {
          "record_on": "string",
          "uri": "string",
          "samples": [
            {
              "threat_name": "string",
              "sha1": "string",
              "sha256": "string"
            }
          ],
          "threat_level": "integer",
          "uri_type": "string"
        }
      ],
      "last_timestamp": "string",
      "time_range": {
        "to": "string",
        "from": "string"
      }
    }
  }
}

rl.malware_uri_feed.entries[]

  • record_on
    • When the record was included in the feed. Format: utc (YYYY-MM-DDThh:mm:ss).
  • samples
    • List of samples with optional threat names. Contains the following:
      • sha1: SHA1 hash of the sample, for example 9300addf4d28d3c1419d0080fbb415bb50e8a19c
      • sha256: SHA256 hash of the sample, for example 9f0da89c727b6efb3d2a3f845254bf89c626980a70a5817918d9c43ae65858c0
      • threat_name: optional threat name, for example Win32.Trojan.Dinwod
  • uri
    • A URL that we downloaded a malicious file from, or that a third party reputation provider found malicious.
  • threat_level
    • Malware severity indicator for suspicious and malicious URIs, expressed as an integer between 0 and 5, where 5 indicates the most dangerous threats (highest severity).
    • For known URIs, the value is 0.
    • For suspicious and malicious URIs, the values are 1, 2, 3, 4, or 5.
    • For unknown URIs, the value is omitted.
  • uri_type
    • This field is included for the purpose of backward compatibility. Always equal to url.
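A parser for the entries described above, as an added example that is not ReversingLabs code. It validates the sha1/sha256 values, distinguishes records backed by a downloaded sample from third-party reputation records (which carry no samples), maps threat_level to the meanings listed above, and splits a threat name into platform, type and family following the Win32.Trojan.Dinwod layout shown on this page. SAMPLE_PAGE is a constructed feed page: the hashes and threat name are the examples from this page, while the malicious.example and phish.example URLs are invented placeholders.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


@dataclass
class Sample:
    sha1: str
    sha256: Optional[str] = None       # optional in the feed
    threat_name: Optional[str] = None  # optional in the feed


@dataclass
class UriRecord:
    uri: str
    record_on: Optional[str]           # absent on third-party records
    source: str                        # "download" or "third_party"
    threat_level: Optional[int]        # None when the service omits it (unknown URI)
    samples: List[Sample] = field(default_factory=list)


def split_threat_name(threat_name: str) -> Dict[str, str]:
    """Split a threat name into platform, type and family.

    Assumes the three-part dotted layout shown on this page (Win32.Trojan.Dinwod);
    names with a different number of components are rejected rather than guessed at.
    """
    parts = threat_name.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"unexpected threat name layout: {threat_name!r}")
    return {"platform": parts[0], "type": parts[1], "family": parts[2]}


def severity_label(threat_level: Optional[int]) -> str:
    """Human-readable meaning of threat_level as documented for this feed."""
    if threat_level is None:
        return "unknown"
    if threat_level == 0:
        return "known"
    if 1 <= threat_level <= 5:
        return f"malicious (severity {threat_level})"
    raise ValueError(f"threat_level out of range: {threat_level}")


def _hash(value: str, pattern: "re.Pattern[str]", what: str) -> str:
    """Normalise a hex digest to lowercase and reject anything of the wrong shape."""
    h = value.strip().lower()
    if not pattern.match(h):
        raise ValueError(f"malformed {what}: {value!r}")
    return h


def parse_feed(body: str) -> List[UriRecord]:
    """Turn one JSON page of the feed into validated UriRecord objects."""
    entries = json.loads(body)["rl"]["malware_uri_feed"]["entries"]
    out: List[UriRecord] = []
    for e in entries:
        samples: List[Sample] = []
        for s in e.get("samples") or []:
            sha256 = s.get("sha256")
            samples.append(Sample(
                sha1=_hash(s["sha1"], SHA1_RE, "sha1"),
                sha256=_hash(sha256, SHA256_RE, "sha256") if sha256 else None,
                threat_name=s.get("threat_name")))
        out.append(UriRecord(
            uri=e["uri"], record_on=e.get("record_on"),
            source="download" if samples else "third_party",
            threat_level=e.get("threat_level"), samples=samples))
    return out


def families_in(page: str) -> Dict[str, str]:
    """Map each URI that has a named threat to its malware family, for triage."""
    result: Dict[str, str] = {}
    for rec in parse_feed(page):
        for s in rec.samples:
            if s.threat_name:
                result[rec.uri] = split_threat_name(s.threat_name)["family"]
    return result


# Constructed page: one record backed by a downloaded sample (sha1 given in
# uppercase to exercise normalisation), one from a third-party reputation provider.
SAMPLE_PAGE = json.dumps({"rl": {"malware_uri_feed": {
    "entries": [
        {"record_on": "2023-01-01T00:00:05",
         "uri": "http://malicious.example/dropper.exe",   # constructed URL
         "samples": [{"threat_name": "Win32.Trojan.Dinwod",
                      "sha1": "9300ADDF4D28D3C1419D0080FBB415BB50E8A19C",
                      "sha256": "9f0da89c727b6efb3d2a3f845254bf89c626980a70a5817918d9c43ae65858c0"}],
         "threat_level": 5, "uri_type": "url"},
        {"uri": "http://phish.example/login",               # constructed URL
         "threat_level": 3, "uri_type": "url"},
    ],
    "last_timestamp": "2023-01-01T00:00:05",
    "time_range": {"from": "2023-01-01T00:00:00", "to": "2023-01-01T00:00:05"},
}}})
```

Rejecting malformed digests at parse time matters because these values typically flow straight into blocklists and hash-match detections; a truncated or non-hex digest would otherwise become a rule that never fires.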

Examples

Fetching all new URIs with changes from 2023-01-01 00:00:00

/api/feed/malware_uri/v1/query/utc/2023-01-01T00:00:00

Fetching all new URIs with changes from 2023-01-01 00:00:00 UTC using the timestamp format (1672531200 is the Unix epoch value of that instant); response in JSON, XML, and TSV format

/api/feed/malware_uri/v1/query/timestamp/1672531200?format=json
/api/feed/malware_uri/v1/query/timestamp/1672531200?format=xml
/api/feed/malware_uri/v1/query/timestamp/1672531200?format=tsv

Fetching the first available changes (note that, as described under Request Format, a timestamp that is not within the last 365 days is rejected with 400 Bad Request)

/api/feed/malware_uri/v1/query/timestamp/0

Fetching all latest changes in XML, JSON, and TSV format

/api/feed/malware_uri/v1/query/latest?format=json
/api/feed/malware_uri/v1/query/latest?format=xml
/api/feed/malware_uri/v1/query/latest?format=tsv