Contents
API that external systems can use to receive information about application alerts
Kaspersky Anti Targeted Attack Platform provides an API that lets external systems access information about all alerts of the application and not just to scan results for objects stored in these external systems.
In order to receive information only for alerts that satisfy certain conditions, you can specify filters in the request parameters.
The application does not automatically send information about new alerts based on prior requests. A new request must be sent to receive up-to-date information.
Special considerations for operation in the distributed solution
If the application runs in distributed solution mode, you must separately configure the integration with the external system for each PCN and SCN server from which you want to receive information about alerts. This limitation is due to the fact that the web interface of the PCN server displays information about all alerts, but the alerts database stores only those alerts that have been registered on that specific server.
Request to display alert information
To create a request to display information about Kaspersky Anti Targeted Attack Platform alerts, the HTTP GET method is used. You can create a request by using the cURL command-line utility, for example.
Command syntax
curl --cert <path to the TLS certificate file> --key <path to the private key file> -X GET "<URL of the server with the Central Node component>:<port, 443 by default>/kata/scanner/v1/sensors/<sensorId>/detects?detect_type=<one or more technologies that were used to generate the alert>&limit=<number of alerts in the response to the request>&token=<request ID>"
If the request is processed successfully, you will see a list of alerts generated by Kaspersky Anti Targeted Attack Platform on the server of the external system.
Settings
Setting |
Type |
Description |
|---|---|---|
|
String |
Unique ID of the external system used for authorization in Kaspersky Anti Targeted Attack Platform. |
|
Array |
The technology that created the alert. You can specify a comma-separated list of technologies. Possible values:
If the parameter is not specified, information about all alerts is provided. |
|
Integer |
Number of objects for which information is provided in response to the request. Allowed values: integers from 1 to 10,000. The default value is |
|
String |
Request ID. If this parameter is specified, a repeated request does not show alert information that was obtained by prior requests. This helps avoid the duplication of information about the same alerts in case of repeated requests. If this parameter is not specified, information about all alerts is provided. |
Response
HTTP code: 200
Format: JSON
|
Returned value
Return code |
Description |
|---|---|
|
Incorrect parameters. |
|
Number of requests exceeded. |
|
Authorization required. |
|
Internal server error. Repeat the request later. |
Example of entering a command with switches
|
Scope of transmitted data
Information that is transmitted for each detection is listed in the following table.
Scope of information transmitted for an alert
Setting |
Value |
Description |
|---|---|---|
|
Integer value. |
Alert ID. |
|
Date and time. |
Event time. |
|
Date and time. |
Time when alert information was recorded in the Kaspersky Anti Targeted Attack Platform database. |
|
One of the following values:
|
Alert importance. |
|
One of the following values:
|
Source of the detected object. |
|
One of the following values:
|
Technology that was used to detect the object. |
|
One of the following values:
|
Type of detected object. |
|
Depends on the type of detected object. |
|
|
Depends on the technology that was used to detect the object. |
|
|
Depends on the source of detected object. |
Data on detected objects
The scope of transmitted data on detected objects depending on the type of the object is listed in the following table.
Data on detected objects
|
Setting |
Data type |
Description |
Example |
|---|---|---|---|---|
|
|
MD5 |
MD5 hash of the file or composite object that was sent for scanning. |
|
|
SHA256 |
SHA256 hash of the file or composite object that was sent for scanning. |
|
|
|
String |
Name of the file or composite object that was sent for scanning. |
|
|
|
String |
Type of the file or composite object that was sent for scanning. |
|
|
|
Integer |
Size of the file or composite object that was sent for scanning, in bytes. |
|
|
|
MD5 |
MD5 hash of the file (simple object or file within a composite object) in which the threat was detected. |
|
|
|
String |
Name of the file (simple object or file within a composite object) in which the threat was detected. |
|
|
|
Integer |
Size of the file (simple object or file within a composite object) in which the threat was detected, in bytes. |
|
|
|
|
String |
URL of the detected object. |
|
|
|
Array |
List of domains to which detected objects belong. For the |
|
Data on detected threats
The scope of transmitted data on detected threats depending on the technology that was used to generate the alert is listed in the table below.
Data on detected threats
Technology |
Setting |
Description |
Data type |
Example |
|---|---|---|---|---|
One of the following technologies:
|
|
List of detected threats. |
Array |
|
|
Version of databases used to scan the file. |
Integer |
|
|
Sandbox |
|
List of detected threats. |
Array |
|
|
Name of the virtual machine image where the file was scanned. |
String |
|
|
|
Database version in the following format: |
Integer |
|
|
URL Reputation |
|
List of URL Reputation categories for the detected object (for objects of type |
Array |
|
Data on the environment of detected objects
The scope of transmitted data on the environment of detected objects depending on the source of the object is listed in the following table.
Data on the environment of detected objects
Object source |
Setting |
Description |
Data type |
Example |
|---|---|---|---|---|
|
|
IP address of the computer that established the connection. |
IP address |
|
|
Name of the computer that established the connection. |
String |
|
|
|
IP address of the computer with which the connection was established. |
IP address |
|
|
|
Port of the computer with which the connection was established. |
Integer |
|
|
|
URL of the web resource that was accessed. IDS technology detections do not have this parameter. For URL technology detections, this parameter has the same value as the |
String |
|
|
|
HTTP request method. |
String |
|
|
|
URL from which the redirect was made. |
String |
|
|
|
|
String |
|
|
|
|
Sender's email address. |
String |
|
|
Comma-separated list of recipient email addresses. |
Array |
|
|
|
Subject of the message. |
String |
|
|
|
Email message ID. |
String |
|
|
|
|
Name of the computer on which the detection was generated. |
String |
|
|
IP address of the computer on which the detection was generated. |
IP address |
|
|
|
|
IP address of the computer which initiated the DNS connection. |
IP address |
|
|
IP address of the computer with which the DNS connection was established (typically, a DNS server). |
IP address |
|
|
|
Port of the computer with which the DNS connection was established (typically, a DNS server). |
Integer |
|
|
|
Type of the DNS message:
|
String |
|
|
|
One of the following DNS request types:
|
String |
|
|
|
Domain name from the DNS request. |
String |
|