Cyware Orchestrate

Kaspersky TIP

App Vendor: Kaspersky

App Category: Data Enrichment & Threat Intelligence

Connector Version: 2.0.0

API Version: 1.0.0

About App

The Kaspersky TIP app provides integration with Kaspersky Threat Intelligence Portal (TIP). Kaspersky Threat Intelligence Portal provides reliable, immediate intelligence about cyber-threats, legitimate objects, their interconnections and indicators, enriched with actionable context to inform your business or clients about the associated risks and implications. You can mitigate and respond to threats more effectively, defending your system against attacks even before they are launched.

The Kaspersky TIP app is configured with the Orchestrate application to perform the following actions:

| Action Name | Description |
|---|---|
| Hash Lookup | This action retrieves specific information for a hash. |
| IP Lookup | This action retrieves specific information for an IP address. |
| Domain Lookup | This action retrieves specific information for a domain. |
| URL Lookup | This action retrieves specific information for a URL. |
| Create a File Upload and Execution Task | This action creates a new execution task for an uploaded file. |
| Get List of Uploaded and Executed File Tasks | This action obtains results of uploaded file execution tasks. |
| Get Uploaded File Task Report | This action retrieves the execution task results. |
| Get Link to Uploaded File Task Report | This action retrieves the link to download the execution task results. |
| Create Web Address Browsing Task | This action creates a URL browsing task. |
| Get List of Web Address Browsing Tasks | This action retrieves a list of tasks for the web address. |
| Get URL Task Report Details | This action retrieves the URL browsing task report. |
| Get Task Report URL | This action retrieves the link to download the web address browsing task results. |

Configuration Parameters

The following configuration parameters are required for the Kaspersky TIP app to communicate with the Kaspersky TIP enterprise application. The parameters can be configured by creating instances in the app.

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| API Username | Enter the API username to authenticate with the Kaspersky application. Example: "SampleUsername" | Text | Required | |
| API Password | Enter the API password to authenticate with the Kaspersky application. Example: "ZZxP7qeryy92cKQq" | Text | Required | |
| Certificate | Enter the PEM certificate file content to authenticate with the Kaspersky application. Example: "-----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQ -----END CERTIFICATE-----" | Text | Required | |

Action: Hash lookup

This action displays specific information about a hash.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| Hash | Enter the hash value that you want to investigate. Example: "E50CBDF74C1DFB6F60112D7641CEEB42" | Text | Required | |
| Sections | Enter the sections that you want to investigate for the requested hash. Use a comma to specify multiple sections. Example: "LicenseInfo" | Text | Optional | Allowed values: LicenseInfo, FilePaths, FileNames. Default value: LicenseInfo |

Example Request

[
    {
        "hash_": "E50CBDF74C1DFB6F60112D7641CEEB42",
        "sections": "LicenseInfo,FilePaths,FileNames"
    }
]

Action: IP Lookup

This action displays specific information for an IP address.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| IP Address | Enter the IP address that you want to investigate. Example: "103.234.36.190" | Text | Required | |
| Sections | Enter the sections that you want to investigate for the requested IP address. Use a comma to specify multiple sections. Example: "FilesDownloadedFromIp" | Text | Optional | Default value: ipwhois |

Example Request

[
    {
        "ip_address": "103.234.36.190",
        "sections": "FilesDownloadedFromIp"
    }
]

Action: Domain Lookup

This action displays specific information for a domain.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| Domain | Enter the domain that you want to investigate. Example: "differentia.ru" | Text | Required | |
| Sections | Enter the sections that you want to investigate for the requested domain. Use a comma to specify multiple sections. Example: "LicenseInfo,Zone,FileAccessed" | Text | Optional | Default value: licenseinfo |

Example Request

[
    {
        "domain": "differentia.ru",
        "sections": "LicenseInfo,Zone,FileAccessed"
    }
]

Action: URL Lookup

This action displays specific information for a URL.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| URL to Lookup | Enter the URL that you want to investigate. Example: "atomictrivia.ru/atomic.php" | Text | Required | |
| Sections | Enter the sections that you want to investigate for the requested web address. Use a comma to specify multiple sections. Example: "Zone" | Text | Optional | Allowed values: UrlReferrals, FilesDownloaded, FilesAccessed, UrlGeneralInf. Default value: Zone |

Example Request

[
    {
        "url_to_lookup": "atomictrivia.ru/atomic.php",
        "sections": "Zone"
    }
]

Action: Create a file upload and execution task

This action creates a new execution task for an uploaded file.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| File path | Enter the file path to create and upload the file. | Text | Required | |
| File name | Enter the file name. The value must not exceed 240 characters. Example: "New File Name" | Text | Required | |
| File ext | Enter the file extension for the object that must be executed. This must be specified without a dot because it is added to the full object file name automatically. The value must not exceed 10 characters. Example: "JPEG" | Text | Required | |
| Processing type | Enter the object execution type. Example: "exec-only" | Text | Optional | Allowed values: exec-only, unzip-and-exec. Default value: exec-only |
| Exec env | Enter the operating system that you want to use as an execution environment. Example: "winxp" | Text | Optional | Allowed values: winxp, win7_x64, win7, win10_x64. Default value: win7_x64 |
| Extra params | Enter the additional parameters. | Key Value | Optional | Allowed values: exec_time, unzip_password, decrypt_https, click_on_links, channel |

Example Request

[
    {
        "file_path": "/tasks/files/image.JPEG",
        "file_name": "New File Name",
        "file_ext": "JPEG",
        "exec_env": "win7_x64",
        "processing_type": "exec-only"
    }
]
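
A pre-flight check for this action's request, written as an added example (not Cyware's or Kaspersky's code): it enforces the length limits and allowed values listed for the parameters above before a file is submitted for execution. The function name `validate_file_task` and the `extra_params` key are assumptions; the other keys come from the example request.

```python
# Added example, not the connector's code.
# validate_file_task and the "extra_params" key name are assumptions.
PROCESSING_TYPES = {"exec-only", "unzip-and-exec"}
EXEC_ENVS = {"winxp", "win7_x64", "win7", "win10_x64"}
EXTRA_PARAM_KEYS = {"exec_time", "unzip_password", "decrypt_https",
                    "click_on_links", "channel"}
DEFAULTS = {"processing_type": "exec-only", "exec_env": "win7_x64"}


def validate_file_task(request):
    """Return (normalized_task, errors) for one request object."""
    task = {**DEFAULTS, **request}
    errors = [f"{f}: required, non-empty text"
              for f in ("file_path", "file_name", "file_ext")
              if not isinstance(task.get(f), str) or not task[f]]
    if errors:
        return task, errors
    if len(task["file_name"]) > 240:
        errors.append("file_name: must not exceed 240 characters")
    if "." in task["file_ext"]:
        errors.append("file_ext: specify without a dot")
    if len(task["file_ext"]) > 10:
        errors.append("file_ext: must not exceed 10 characters")
    for field, allowed in (("processing_type", PROCESSING_TYPES),
                           ("exec_env", EXEC_ENVS)):
        # Assumption: normalise to the lowercase spelling the docs list.
        task[field] = str(task[field]).lower()
        if task[field] not in allowed:
            errors.append(f"{field}: not one of {sorted(allowed)}")
    unknown = set(task.get("extra_params") or {}) - EXTRA_PARAM_KEYS
    if unknown:
        errors.append(f"extra_params: unknown keys {sorted(unknown)}")
    return task, errors


if __name__ == "__main__":
    # Constructed sample requests, modelled on the example request.
    samples = [
        {"file_path": "/tasks/files/image.JPEG",
         "file_name": "New File Name", "file_ext": "JPEG"},
        {"file_path": "/tasks/files/a.zip", "file_name": "a",
         "file_ext": ".zip", "exec_env": "Win7_x64",
         "extra_params": {"timeout": 60}},
    ]
    for sample in samples:
        print(validate_file_task(sample))
```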
Action: Get the list of uploaded and executed file tasks

This action retrieves the results of uploaded file execution tasks.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| State | Enter the state of the file. Example: "all" | Text | Optional | Allowed values: all - all object execution tasks; active - object execution tasks with one of the following states: in-progress, completed, completed-with-errors, failed. Default value: active |
| Count | Enter the maximum number of entries to return. Example: 200 | Integer | Optional | Default value: 100 |

Example Request

[
    {
        "state": "all",
        "count": 200
    }
]

Action: Get uploaded file task report

This action retrieves the execution task results.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| Task ID | Enter the task ID to retrieve the task report. Example: "5cf8cbb4-1d50-492c-986b-86d5c7596535" | Text | Required | |
| Section | Enter the sections to retrieve the task report. Example: "all" | Text | Optional | Allowed values: sample-and-execution-properties, detection-names, triggered-network-rules, suspicious-activities, loaded-pe, file-operations, registry-operations, process-operations, synchronize-operations, pcap, downloaded-files-list, dropped-files-list, all. Default value: all |

Example Request

[
    {
        "task_id": "5cf8cbb4-1d50-492c-986b-86d5c7596535",
        "section": "all"
    }
]

Action: Create web address browsing task

This action creates a URL browsing task.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| URL to browse | Enter the URL to browse. Example: "https://reqres.in/api/products/3" | Text | Required | |
| Exec Env | Enter the execution environment to create web address browsing task. Example: "win7" | Text | Optional | Allowed values: winxp(sp3 x86), win7_x64, win7, win10_x64. Default value: win7 |
| Channel | Enter the channel to create a web address browsing task. Example: "any" | Text | Optional | Allowed values: any, tor. Default value: any |

Example Request

[
    {
        "url": "example.com/test-01",
        "exec_env": "win7",
        "channel": "any"
    }
]

Action: Get the list of web address browsing tasks

This action retrieves a list of tasks for the web address.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| State | Enter the task state. Example: "all" | Text | Optional | Allowed values: all - all tasks; in-progress - task is running; completed - process completed successfully; completed-with-errors - error occurred during web address browsing but task completed; failed - failed to complete the task |
| Count | Enter the maximum number of entries to return. Example: 200 | Integer | Optional | Default value: 2000 |

Example Request

[
    {
        "state": "all",
        "count": 200
    }
]

Action: Get URL Task Report Details

This action retrieves the URL browsing task report.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| Task ID | Enter the task ID. Example: "5cf8cbb4-1d50-492c-986b-86d5c7596535" | Text | Required | |
| Section | Enter the sections. Use a comma to specify several sections. Example: "categories" | Text | Optional | Allowed values: url-and-analysis-properties, categories, publications, detection-names, hosts-ips, whois, triggered-network-rules, pcap, all |

Example Request

[
    {
        "task_id": "5cf8cbb4-1d50-492c-986b-86d5c7596535",
        "section": "categories"
    }
]

Action: Get URL Task Report URL

This action retrieves the link to download the web address browsing task results.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
| Task ID | Enter the task ID. Example: "5cf8cbb4-1d50-492c-986b-86d5c7596535" | Text | Required | |
| Section | Enter the section. Use a comma to specify multiple sections. Example: "detection-names" | Text | Optional | Allowed values: download-url-properties, sample-and-execution-properties, detection-names, triggered-network-rules, suspicious-activities, loaded-pe, file-operations, registry-operations, process-operations, synchronize-operations, pcap, downloaded-files-list, dropped-files-list, all |

Example Request

[
    {
        "task_id": "5cf8cbb4-1d50-492c-986b-86d5c7596535",
        "section": "detection-names"
    }
]