Kaspersky Threat Intelligence Portal provides reliable, immediate intelligence about cyber-threats, legitimate objects, their interconnections and indicators, enriched with actionable context to inform your business or clients about the associated risks and implications. Now you can mitigate and respond to threats more effectively, defending your system against attacks even before they are launched.
Kaspersky Threat Intelligence Portal delivers all the knowledge acquired by Kaspersky Lab about cyber-threats and their relationships, brought together into a single, powerful web service. The goal is to provide your security teams with as much data as possible in order to prevent cyber-attacks that can impact your organization. The platform retrieves the latest detailed threat intelligence about URLs, domains, IP addresses, file hashes, statistical / behavioral data, WHOIS / DNS data, and so on. The result is global visibility of new and emerging threats, helping you secure your organization and boosting incident response.
Threat intelligence is aggregated from fused, heterogeneous, and highly reliable sources. Then, in real time, all the aggregated data is carefully inspected and refined using multiple preprocessing techniques, such as statistical criteria, Kaspersky Lab expert systems, validation by analysts, and white-listing verification.
Indicators of compromise can be looked up through a web-based interface or Kaspersky Threat Intelligence Portal API. Kaspersky Threat Intelligence Portal enables you to request threat intelligence about the following objects
- MD5 hashes
- IP addresses
- Domains
- URLs
Kaspersky Threat Intelligence Portal displays whether an object is in Good, Bad, or Not categorized zones, while providing a rich set of contextual data to answer the who, what, where, and when questions that help you respond to or investigate threats more effectively.
The following are the key features of Kaspersky Threat Intelligence Portal
-
APT Intelligence reports and Financial Threat Intelligence reports Increase your awareness and knowledge of high profile cyber-espionage campaigns with wide-ranging and practical advanced persistent threat (APT) reporting from Kaspersky Lab. Download reports in any available format.
-
Data feeds Security Threat Intelligence Services from Kaspersky Lab gives you access to the intelligence you need to mitigate cyber threats, provided by our world-class team of researchers and analysts.
-
Trusted threat intelligence The key benefit of threat intelligence is the reliability of data enriched with actionable context.
-
Comprehensive and real-time coverage Threat intelligence is automatically generated in real time, based on findings across the globe, providing high coverage and accuracy.
-
Rich data Threat intelligence delivered by Kaspersky Threat Intelligence Portal includes a vast amount of different data types such as hashes, URLs, IP addresses, WHOIS, GeoIP, pDNS, file attributes, statistical and behavioral data, download chains, time stamps, and much more. Empowered with this data, you have access to a diverse landscape of security threats.
-
Continuous availability Threat intelligence delivered by Kaspersky Threat Intelligence Portal is generated and monitored by a highly fault-tolerant infrastructure, ensuring continuous availability and consistent performance.
-
Continuous review by security experts Hundreds of experts, including security analysts from across the globe, world-famous security experts from Global Research & Analysis Team (GReAT), and leading-edge R&D teams, contribute to generating valuable and real-life threat intelligence.
-
Easy-to-use API Use the service in manual mode through a web portal or get access by means of a simple Kaspersky Threat Intelligence Portal API.
-
SaaS solution With software as a service (SaaS), there is no need to integrate additional systems or services into your company’s infrastructure. Start using the service immediately.
Outbound access required to resolve Kaspersky Threat Intelligence Portal lookup API
| Protocol | Source IP | Source Port | Direction | Destination Domain | Destination Port |
|---|---|---|---|---|---|
| TCP | DS,CR,A10 | Any | Egress | github.com | 443 |
| TCP | DS,CR,A10 | Any | Egress | kaspersky.com | 443 |
Note A .pem certificate from kaspersky is required
Details of the functions that can be used with the Kaspersky (TIP) lookup plugin are given in this section
get_ip_report
get_ip_report_file
get_url_report
get_url_report_file
get_domain_report
get_domain_report_file
get_hash_report
The Zone Details are as follows
| Zone | Description |
|---|---|
| Red | The investigated object can be classified as malicious |
| Grey | No data is available for the investigated object |
| Green | The investigated object cannot be classified as malicious |
| Yellow | The investigated object has the Adware and other status (Adware, Pornware, and other programs) |
In all the functions explained below, the examples use an event store named threatsample.
This event store does not exist in DNIF by default. However, it can be created/imported.
This function returns IP address investigation report
- IPv4 address
_fetch $SrcIP from threatsample limit 1
>>_lookup kaspersky get_ip_report $SrcIP
Click here to view the output of the above example.
The output of the lookup call has the following structure (for the available data)
| Fields | Description |
|---|---|
| $KLIPDNSResolustionsCategories | Category of the requested IP address |
| $KLIPDNSResolustionsDomains | Domain that resolves to the requested IP address |
| $KLCategory | Category of the requested IP address |
| $KLFirstSeen | Date and time when the requested IP address appeared in Kaspersky Lab expert systems statistics for the first time. |
| $KLHits | Hits number (popularity) of the requested IP address |
| $KLThreatScore | Probability of the requested IP address to appear dangerous (0 to 100) |
| $KLHasAdvancedPersistThreat | Shows whether the requested IP address is related to an advanced persistent threat (APT) attack |
| $KLCreated | Created Date of network that requested IP address belongs to |
| $KLChanged | Changed Date of network that requested IP address belongs to |
| $KLIPRange | Range of network that requested IP address belongs to |
| $KLNetname | Name of network that requested IP address belongs to |
| $KLNetDescription | Description of network that requested IP address belongs to |
| $KLZone |
|
| $KLASN | Autonomous system number |
| $KLASDescription | Autonomous system description |
IPWHOIS Information of the queried IP address contains contact information which vary depending on the roles present in the data For instance for role as Owner the data for available fields would be
| Fields | Description |
|---|---|
| $KLOwnerAddress | Address of owner present in the IPWHOIS data |
| $KLOwnerName | Name of the owner present in the IPWHOIS data |
| $KLOwnerFax | Fax of the owner present in the IPWHOIS data |
| $KLOwnerEmail | Email of the owner present in the IPWHOIS data |
| $KLOwnerOrganizationId | Organization Id of the owner present in the IPWHOIS data |
| $KLOwnerPhone | Phone details of the owner present in the IPWHOIS data |
This function returns URLs hosted by the IP address and files downloaded by the IP address
- IPv4 address
_fetch $SrcIP from threatsample limit 1
>>_lookup kaspersky get_ip_report_file $SrcIP
The output of the lookup call has the following structure (for the available data)
| Fields | Description |
|---|---|
| $KLHostedURL | List of detected URLs of the domain that resolves to the requested IP address |
| $KLRedMd5 | List of MD5 hash function of the downloaded file from the queried IP address belonging to Red Zone |
| $KLGreenMd5 | List of MD5 hash function of the downloaded file from the queried IP address belonging to Green Zone |
| $KLGreyMd5 | List of MD5 hash function of the downloaded file from the queried IP address belonging to Grey Zone |
| $KLYellowMd5 | List of MD5 hash function of the downloaded file from the queried IP address belonging to Yellow Zone |
This function returns investigation report for the queried URL
- URL
_fetch $URL from threatsample limit 1
>>_lookup kaspersky get_url_report $URL
Click here to view the output of the above example.
The output of the lookup call has the following structure (for the available data)
| Fields | Description |
|---|---|
| $KLZone |
|
| $KLRedUrlReferredTo | URL accessed by the queried URL which belong to Red Zone |
| $KLGreenUrlReferredTo | URL accessed by the queried URL which belong to Green Zone |
| $KLGreyUrlReferredTo | URL accessed by the queried URL which belong to Grey Zone |
| $KLYellowUrlReferredTo | URL accessed by the queried URL which belong to Yellow Zone |
| $KLRedUrlReferrals | URL that refers to the queried URL which belong to Red Zone |
| $KLGreenUrlReferrals | URL that refers to the queried URL which belong to Green Zone |
| $KLGreyUrlReferrals | URL that refers to the queried URL which belong to Grey Zone |
| $KLYellowUrlReferrals | URL that refers to the queried URL which belong to Yellow Zone |
| $KLURLCategories | Category of the requested URL |
| $KLFilesCount | Number of files for the requested URL |
| $KLIPv4Count | Number of IP addresses (IPv4) for the requested URL |
| $KLHasAdvancedPersistThreat | Shows whether the requested URL is related to an advanced persistent threat (APT) attack |
| $KLURL | The requested URL |
| $KLHost | Name of the upper-level domain of the requested URL |
| $KLRedIPResoutions | IP address obtained from DomainDnsResoutions which belong to Red Zone |
| $KLGreenIPResoutions | IP address obtained from DomainDnsResoutions which belong to Green Zone |
| $KLGreyIPResoutions | IP address obtained from DomainDnsResoutions which belong to Grey Zone |
| $KLYellowIPResoutions | IP address obtained from DomainDnsResoutions which belong to Yellow Zone |
| $KLCreated | Date when the domain for the requested URL was registered |
| $KLDomainName | Name of the domain of the requested URL |
| $KLDomainStatus | Statuses of the domain |
| $KLExpires | Expiration date of the prepaid domain registration term. |
| $KLNameServers | Name servers of the domain for the requested URL |
| $KLRegistrationOrganization | Name of the registration organization |
| $KLUpdated | Date when registration information about the domain for the requested URL was last updated |
| $KLRegistrarEmail | Email of the registrar of the domain |
| $KLRegistrarIanaId | IANA ID of the registrar of the domain |
| $KLRegistrarInfo | Name of the registrar of the domain |
UrlDomainWhoIs Information of the queried URL contains contact information which vary depending on the contact type present in the data For instance for contact type as Technical the data for available fields would be
| Fields | Description |
|---|---|
| $KLTechnicalAddress | Address of Technical contact present in the UrlDomainWhoIs data |
| $KLTechnicalCity | City of the Technical contact present in the UrlDomainWhoIs data |
| $KLTechnicalCountryCode | Country Code of the Technical contact present in the UrlDomainWhoIs data |
| $KLTechnicalEmail | Email of the Technical contact present in the UrlDomainWhoIs data |
| $KLTechnicalFax | Fax of the Technical contact present in the UrlDomainWhoIs data |
| $KLTechnicalName | Name of the Technical contact present in the UrlDomainWhoIs data |
| $KLTechnicalOrganization | Organization of the Technical contact present in the UrlDomainWhoIs data |
| $KLTechnicalPhone | Phone details of the Technical contact present in the UrlDomainWhoIs data |
| $KLTechnicalPostalCode | Postal Code of the Technical contact present in the UrlDomainWhoIs data |
| $KLTechnicalState | State of the Technical contact present in the UrlDomainWhoIs data |
This function returns files accessed by and downloaded from URL
- URL
_fetch $URL from threatsample limit 1
>>_lookup kaspersky get_url_report_file $URL
Click here to view the output of the above example.
The output of the lookup call has the following structure (for the available data)
| Fields | Description |
|---|---|
| $KLRedFileAccessedMd5 | List of MD5 hashes of files that accessed the requested URL belonging to Red Zone |
| $KLGreenFileAccessedMd5 | List of MD5 hashes of files that accessed the requested URL belonging to Green Zone |
| $KLGreyFileAccessedMd5 | List of MD5 hashes of files that accessed the requested URL belonging to Grey Zone |
| $KLYellowFileAccessedMd5 | List of MD5 hashes of files that accessed the requested URL belonging to Yellow Zone |
| $KLRedFileDownloadedMd5 | List of MD5 hashes of files that were downloaded from the requested URL belonging to Red Zone |
| $KLGreenFileDownloadedMd5 | List of MD5 hashes of files that were downloaded from the requested URL belonging to Green Zone |
| $KLGreyFileDownloadedMd5 | List of MD5 hashes of files that were downloaded from the requested URL belonging to Grey Zone |
| $KLYellowFileDownloadedMd5 | List of MD5 hashes of files that were downloaded from the requested URL belonging to Yellow Zone |
This function returns investigation report for queried Domain
- Domain
_fetch $Domain from threatsample limit 1
>>_lookup kaspersky get_domain_report $Domain
Click here to view the output of the above example.
The output of the lookup call has the following structure (for the available data)
| Fields | Description |
|---|---|
| $KLCategories | Category of the requested Domain |
| $KLDomain | Name of the requested Domain |
| $KLFilesCount | Number of files malicious/all files |
| $KLHits | Number of IP addresses related to the domain |
| $KLIPv4Count | Number of IP addresses (IPv4) for the requested domain |
| $KLURLCount | Number of known malicious/all URLs |
| $KLHasAdvancedPersistThreat | Shows whether the requested domain is related to an advanced persistent threat (APT) attack. |
| $KLRedDomainDnsResolutionsIP | IP address obtained from DomainDnsResoutions which belong to Red Zone |
| $KLGreenDomainDnsResolutionsIP | IP address obtained from DomainDnsResoutions which belong to Green Zone |
| $KLGreyDomainDnsResolutionsIP | IP address obtained from DomainDnsResoutions which belong to Grey Zone |
| $KLYellowDomainDnsResolutionsIP | IP address obtained from DomainDnsResoutions which belong to Yellow Zone |
| $KLRedURLReferrals | URL that refers to the queried domain which belong to Red Zone |
| $KLGreenURLReferrals | URL that refers to the queried domain which belong to Green Zone |
| $KLGreyURLReferrals | URL that refers to the queried domain which belong to Grey Zone |
| $KLYellowURLReferrals | URL that refers to the queried domain which belong to Yellow Zone |
| $KLRedURLReferredTo | URL refered by the queried domain which belong to Red Zone |
| $KLGreenURLReferredTo | URL refered by the queried domain which belong to Green Zone |
| $KLGreyURLReferredTo | URL refered by the queried domain which belong to Grey Zone |
| $KLYellowURLReferredTo | URL refered by the queried domain which belong to Yellow Zone |
| $KLCreated | Date when the requested domain was registered |
| $KLDomainName | Name of the requested domain |
| $KLDomainStatus | Statuses of the domain |
| $KLExpires | Expiration date of the prepaid domain registration term |
| $KLNameServers | Name servers of the requested domain |
| $KLRegistrarEmail | Email of the registrar of the domain |
| $KLRegistrarIanaId | IANA ID of the registrar of the domain |
| $KLRegistrarInfo | Name of the registrar of the domain |
| $KLRegistrationOrganization | Name of the registration organization |
| $KLUpdated | Date when registration information about the requested domain was last updated |
| $KLZone |
|
| $KLSubdomainsFilesCount | Count of number of sub domains |
| $KLRedSubdomains | List of sub-domains belonging to Red Zone |
| $KLGreenSubdomains | List of sub-domains belonging to Green Zone |
| $KLGreySubdomains | List of sub-domains belonging to Grey Zone |
| $KLYellowSubdomains | List of sub-domains belonging to Yellow Zone |
DomainWhoIsInfo Information of the queried domain contains contact information which vary depending on the contact present in the data For instance for contact as Registrant the data for available fields would be
| Fields | Description |
|---|---|
| $KLRegistrantAddress | Address of Registrant present in the DomainWhoIsInfo data |
| $KLRegistrantCity | City of the Registrant present in the DomainWhoIsInfo data |
| $KLRegistrantCountryCode | Country Code of the Registrant present in the DomainWhoIsInfo data |
| $KLRegistrantEmail | Email of the Registrant present in the DomainWhoIsInfo data |
| $KLRegistrantFax | Fax of the Registrant present in the DomainWhoIsInfo data |
| $KLRegistrantName | Name of the Registrant present in the DomainWhoIsInfo data |
| $KLRegistrantOrganization | Organization of the Registrant present in the DomainWhoIsInfo data |
| $KLRegistrantPhone | Phone details of the Registrant present in the DomainWhoIsInfo data |
| $KLRegistrantPostalCode | Postal Code of the Registrant present in the DomainWhoIsInfo data |
| $KLRegistrantState | State of the Registrant present in the DomainWhoIsInfo data |
This function returns the files accessed by and downloaded by Domain
- Domain
_fetch $Domain from threatsample limit 1
>>_lookup kaspersky get_domain_report_file $Domain
Click here to view the output of the above example.
The output of the lookup call has the following structure (for the available data)
| Fields | Description |
|---|---|
| $KLRedFileAccessedMd5 | List of MD5 hashes of files that accessed the requested domain belonging to Red Zone |
| $KLGreenFileAccessedMd5 | List of MD5 hashes of files that accessed the requested domain belonging to Green Zone |
| $KLGreyFileAccessedMd5 | List of MD5 hashes of files that accessed the requested domain belonging to Grey Zone |
| $KLYellowFileAccessedMd5 | List of MD5 hashes of files that accessed the requested domain belonging to Yellow Zone |
| $KLRedFileDownloadedMd5 | List of MD5 hashes of files that were downloaded from the requested domain belonging to Red Zone |
| $KLGreenFileDownloadedMd5 | List of MD5 hashes of files that were downloaded from the requested domain belonging to Green Zone |
| $KLGreyFileDownloadedMd5 | List of MD5 hashes of files that were downloaded from the requested domain belonging to Grey Zone |
| $KLYellowFileDownloadedMd5 | List of MD5 hashes of files that were downloaded from the requested domain belonging to Yellow Zone |
This function returns investigation report for the queried Hash
- Hash (Md5/SHA-1/SHA-256)
_fetch $Filehash from threatsample limit 1
>>_lookup kaspersky get_hash_report $Filehash
Click here to view the output of the above example.
The output of the lookup call has the following structure (for the available data)
| Fields | Description |
|---|---|
| $KLHits | Number of hits (popularity) of the requested hash detected by Kaspersky Lab expert systems |
| $KLFirstSeen | Date and time when the requested hash was detected by Kaspersky Lab expert systems for the first time |
| $KLLastSeen | Date and time when the requested hash was detected by Kaspersky Lab expert systems for the last time |
| $KLMd5 | MD5 hash function of the file requested by hash |
| $KLSha1 | SHA-1 hash function of the file requested by hash |
| $KLSha256 | SHA-256 hash function of the file requested by hash |
| $KLFormat | Format of the object that is being investigated by hash |
| $KLSize | Size of the object that is being investigated by hash (in bytes) |
| $KLSigner | Organization that signed the requested hash |
| $KLPacker | Packer name |
| $KLDetectionNames | Name of the detected object |
| $KLDescriptionURL | Permalink containing description of detected object |
| $KLFileNames | Name of the file identified by the requested hash |
| $KLZone |
|
| $KLRedFileAccessedURL | URLs accessed by the file identified by the requested hash belonging to Red Zone |
| $KLGreenFileAccessedURL | URLs accessed by the file identified by the requested hash belonging to Green Zone |
| $KLGreyFileAccessedURL | URLs accessed by the file identified by the requested hash belonging to Grey Zone |
| $KLYellowFileAccessedURL | URLs accessed by the file identified by the requested hash belonging to Yellow Zone |
| $KLRedFileAccessedDomain | Upper domain of the URL used to download the file identified by the requested hash belonging to Red Zone |
| $KLGreenFileAccessedDomain | Upper domain of the URL used to download the file identified by the requested hash belonging to Green Zone |
| $KLGreyFileAccessedDomain | Upper domain of the URL used to download the file identified by the requested hash belonging to Grey Zone |
| $KLYellowFileAccessedDomain | Upper domain of the URL used to download the file identified by the requested hash belonging to Yellow Zone |
The Kaspersky Threat Intelligence Portal API is found on github at
https://github.com/dnif/lookup-kaspersky
- ACCESS DNIF CONTAINER VIA SSH : Click To Know How
$cd /dnif/CnxxxxxxxxxxxxV8/lookup_plugins/
git clone https://github.com/dnif/lookup-kaspersky.git kaspersky
- You must convert the certificate received from your dedicated Kaspersky Lab Technical Account Manager to PEM format before working with the Kaspersky Threat Intelligence Portal API
- For coverting refer to : Click To Know How
- Save the .pem certificate in a safe path
-
Edit dnifconfig.yml configuration file by moving to the ‘/dnif/<Deployment-key/lookup_plugins/kaspersky/’ folder path
Replace the fields with your Kaspersky Threat Intelligence Portal credentials
lookup_plugin:
KASPERSKY_API_USERNAME: <Add_your_api_username_here>
KASPERSKY_API_PASSWORD: <Add_your_api_path_here>
KASPERSKY_API_CERT_PATH: </path/to/your/.pem>