Whitelisted files (changes)
This service provides a continuous list of samples whose whitelisted status changed; i.e. samples that changed classification from KNOWN to MALICIOUS or SUSPICIOUS.
Every record in the list includes hashes (MD5, SHA1, SHA256) and the platform field associated with the sample. Users can extract samples related to a specific platform based on the value of the platform field.
The feed stores records for the last 365 days.
Continuous Whitelisted Change Feed Query
This query returns the samples which changed their whitelist status since the requested time. The feed returns up to 1000 records and any surplus records sharing the same timestamp.
To fetch the next batch of records, use the timestamp from the response increased by 1.
If the requested timestamp is not within the last 365 days, the service will respond with the status code 400 Bad Request.
GET /api/feed/whitelisted_change/v1/query/{time_format}/{time_value}[?format=xml|json|tsv][&sample_available=true]
Request format
time_format
- Time format in which the date and time should be requested. It is possible to choose between utc and timestamp.
- Required
time_value
- Accepts values in the format set by time_format. If the format is set to utc, the value should be expressed in the format YYYY-MM-DDThh:mm:ss. If the format is set to timestamp, the value should be expressed as the number of seconds since 1970-01-01 00:00:00.
- Required
format
- An optional parameter that allows choosing the response format. Supported values are xml, json, tsv (Tab Separated Values, delimiter character \t 0x09). The default is xml.
- Optional
sample_available
- Optional parameter. If this parameter is set to true in the request, filtering will be applied and the response will contain only samples that are present in the ReversingLabs storage and available for download. When set to false, the query will return all samples, regardless of their download availability status. The default is false, meaning that if the parameter is not provided in the request, filtering is not applied.
- Optional
To retrieve at most 1000 latest records with changes in their whitelist status, use the following endpoint:
GET /api/feed/whitelisted_change/v1/query/latest[?format=xml|json|tsv]
Response format
For the requested timestamp, the response contains a list of records. Every record in the list includes hashes (MD5, SHA1, SHA256), the record_on field associated with the time when the record entered the feed, and the platform field associated with the sample. For samples with an undetermined platform, the value of the platform field will be Unknown.
The format of the last_timestamp value matches the requested time format.
{
    "rl": {
        "whitelisted_change_feed": {
            "time_range": {
                "from": "YYYY-MM-DDTHH:MM:SS",
                "to": "YYYY-MM-DDTHH:MM:SS"
            },
            "entries": [
                {
                    "sha1": "sha1_value",
                    "md5": "md5_value",
                    "sha256": "sha256_value",
                    "platform": "platform_value",
                    "record_on": "record_on_value"
                },
                {...},
                ...
            ],
            "last_timestamp": "YYYY-MM-DDTHH:MM:SS_or_timestamp"
        }
    }
}
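The paging rule above (request again with last_timestamp increased by 1 until a page comes back empty) and the JSON response layout, worked through as an added example that is not part of the ReversingLabs documentation or client code. The fetch callable, the page-size of the constructed responses and all hash values are assumptions; only the URL path and the field names come from the page.

```python
import json
from datetime import datetime, timedelta

# Hypothetical client helpers for the whitelisted_change feed (not ReversingLabs code).
URL_TMPL = "/api/feed/whitelisted_change/v1/query/{fmt}/{value}?format=json"


def next_cursor(last_timestamp, time_format):
    """Advance last_timestamp by 1 in the requested time format (utc or timestamp)."""
    if time_format == "timestamp":
        return str(int(last_timestamp) + 1)
    t = datetime.strptime(last_timestamp, "%Y-%m-%dT%H:%M:%S") + timedelta(seconds=1)
    return t.strftime("%Y-%m-%dT%H:%M:%S")


def iterate_feed(fetch, time_format, start, platform=None, max_pages=1000):
    """Yield feed entries from `start` onward, paging with last_timestamp + 1.
    `fetch(path)` must return the JSON response body as a string. Paging stops
    at the first page with no entries (max_pages is a safety bound only)."""
    cursor = start
    for _ in range(max_pages):
        body = json.loads(fetch(URL_TMPL.format(fmt=time_format, value=cursor)))
        feed = body["rl"]["whitelisted_change_feed"]
        entries = feed.get("entries", [])
        if not entries:
            return
        for entry in entries:
            if platform is None or entry["platform"] == platform:
                yield entry
        cursor = next_cursor(feed["last_timestamp"], time_format)


def _entry(sha1, platform, record_on):
    return {"sha1": sha1, "md5": "md5_x", "sha256": "sha256_x",
            "platform": platform, "record_on": record_on}


# Constructed responses standing in for the live service; hashes are placeholders.
PAGES = {
    "1455019200": ([_entry("aaaa", "Win32", "1455019200"),
                    _entry("bbbb", "Linux", "1455019205")], "1455019205"),
    "1455019206": ([_entry("cccc", "Win32", "1455019210")], "1455019210"),
    "1455019211": ([], "1455019211"),
}


def fake_fetch(path):
    value = path.split("/query/timestamp/")[1].split("?")[0]
    entries, last = PAGES[value]
    return json.dumps({"rl": {"whitelisted_change_feed": {"entries": entries, "last_timestamp": last}}})


def collect(platform=None):
    return [e["sha1"] for e in iterate_feed(fake_fetch, "timestamp", "1455019200", platform)]
```

A real fetch should treat a 400 Bad Request as the "older than 365 days" condition described above and stop rather than retry.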
Examples
1) Retrieving all samples with whitelist changes from 2016-02-09 12:00:00
The examples return responses in XML as the default format, since the response format parameter is not specified.
/api/feed/whitelisted_change/v1/query/timestamp/1455019200
/api/feed/whitelisted_change/v1/query/utc/2016-02-09T12:00:00
2) Retrieving all samples with whitelist changes from 2016-02-09 12:00:00 that are available in the storage
The examples use the timestamp format in the request. The first example returns the response in XML (as the default, not specified in the request), and the second example returns JSON (as requested).
/api/feed/whitelisted_change/v1/query/timestamp/1455019200?sample_available=true
/api/feed/whitelisted_change/v1/query/timestamp/1455019200?sample_available=true&format=json
3) Retrieving all samples with whitelist changes from 2016-02-09 12:00:00 in JSON and XML format
/api/feed/whitelisted_change/v1/query/timestamp/1430485200?format=json
/api/feed/whitelisted_change/v1/query/timestamp/1406203200?format=xml