Obtaining execution map

Kaspersky Research Sandbox provides an API to obtain the object execution map (information about the sequence of file activities and the relationships between them).

Request

Request method: GET

Endpoint for Windows and Linux environments: https://<server name>/api/v1/sandbox/tasks/{task ID}/activity-tree

Endpoint for Android environments: https://<server name>/api/v1/sandbox/tasks/{task ID}/executionmap-proc

Parameters

Obtaining execution map

| Parameter | Data type | Occurrence | Description |
|---|---|---|---|
| task_id | string | Required | Object execution task ID (GUID). |

cURL command sample for Windows and Linux:

$ curl --user <user name> --request GET 'https://<server name>/api/v1/sandbox/tasks/<task ID>/activity-tree'

cURL command sample for Android:

$ curl --user <user name> --request GET 'https://<server name>/api/v1/sandbox/tasks/<task ID>/executionmap-proc'

You will be asked to enter your password. The password is not displayed while you type it.

Responses

The endpoint returns a JSON object that contains the object execution map.

200 OK

Object execution map obtained successfully.

200 OK response parameters for Windows and Linux

| Parameter | Data type | Description |
|---|---|---|
| Id | integer | Object ID. |
| ParentId | integer | ID of the object's parent. For the root (executed) object, ParentId=0. |
| Name | string | Name of the object. For the root (executed) object, Name=ROOT. |
| Class | string | Type of event (action or susp). |
| InterestLevel | integer | Parameter required to build a tree. If InterestLevel=100, the object is a tree node. |
| Severity | integer | Numerical value for the danger level of the registered activity (integer 1–1500). |
| Zone | string | Danger zone (level) of the object. |
| Description | string | Object description. For the root (executed) object, this field is not displayed. |
| KeyFields | array | Array of fields that are displayed on the execution map in the Kaspersky Research Sandbox web interface. |
| MainProps | array | Array of fields and their values that are displayed on the execution map in the Kaspersky Research Sandbox web interface. |
| Techniques | integer | Techniques, sub-techniques, and tactics in the MITRE classification. |
| Props | array | General process parameters. |
| Children | array | Detailed description of child objects. For each child object, the parameters described in this table are displayed. |
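The Windows/Linux response is a recursive structure: every object carries the fields above and nests its own children under Children. The script below, added here as an example and not part of the Kaspersky Research Sandbox API or its client tooling, walks such a tree, separates the process nodes (InterestLevel=100) from the events attached to them, and checks that each ParentId agrees with the nesting. SAMPLE_ACTIVITY_TREE is a constructed response that only reuses the field names from the table; every value in it is invented, and the server name and task ID passed to activity_tree_url are placeholders.

```python
"""Walk a Kaspersky Research Sandbox activity tree (Windows/Linux execution map).

Added example, not Kaspersky's own client code. SAMPLE_ACTIVITY_TREE is a
constructed response that uses the field names from the 200 OK table; every
value in it is invented.
"""
import json
from urllib.parse import quote

SAMPLE_ACTIVITY_TREE = json.loads("""
{"Id": 1, "ParentId": 0, "Name": "ROOT", "Class": "action",
 "InterestLevel": 100, "Severity": 1, "Zone": "low",
 "KeyFields": [], "MainProps": [], "Techniques": 0, "Props": [],
 "Children": [
  {"Id": 2, "ParentId": 1, "Name": "sample.exe", "Class": "action",
   "InterestLevel": 100, "Severity": 300, "Zone": "medium",
   "Description": "Process started",
   "KeyFields": [], "MainProps": [], "Techniques": 0, "Props": [],
   "Children": [
    {"Id": 3, "ParentId": 2, "Name": "cmd.exe", "Class": "action",
     "InterestLevel": 100, "Severity": 600, "Zone": "high",
     "Description": "Child process started",
     "KeyFields": [], "MainProps": [], "Techniques": 0, "Props": [],
     "Children": [
      {"Id": 4, "ParentId": 3, "Name": "Autorun registry value written",
       "Class": "susp", "InterestLevel": 50, "Severity": 900, "Zone": "high",
       "Description": "Persistence-related registry change",
       "KeyFields": [], "MainProps": [], "Techniques": 0, "Props": [],
       "Children": []}
     ]}
   ]}
 ]}
""")


def activity_tree_url(server, task_id):
    """Build the documented Windows/Linux endpoint URL for a task ID (GUID)."""
    return f"https://{server}/api/v1/sandbox/tasks/{quote(task_id, safe='')}/activity-tree"


def walk(node, depth=0):
    """Yield (depth, object) for every object in the tree, parents before children."""
    yield depth, node
    for child in node.get("Children", []):
        yield from walk(child, depth + 1)


def process_chain(tree):
    """Names of tree nodes (InterestLevel=100) in tree order, ROOT excluded."""
    return [n["Name"] for _, n in walk(tree)
            if n.get("InterestLevel") == 100 and n["ParentId"] != 0]


def suspicious_events(tree):
    """(owning process name, event name, Severity) for every Class=susp event.

    The owning process is the nearest enclosing tree node, so events nested
    under non-node objects are still attributed to the right process.
    """
    found = []

    def rec(node, owner):
        if node.get("Class") == "susp":
            found.append((owner, node["Name"], node["Severity"]))
        owner = node["Name"] if node.get("InterestLevel") == 100 else owner
        for child in node.get("Children", []):
            rec(child, owner)

    rec(tree, None)
    return found


def max_severity(tree):
    """Highest Severity value anywhere in the tree (documented range 1-1500)."""
    return max(n.get("Severity", 0) for _, n in walk(tree))


def parent_link_mismatches(tree):
    """Ids whose ParentId does not match the Id of the object they are nested under.

    A non-empty result means the tree was truncated or re-assembled incorrectly
    and should not be trusted for parent/child attribution.
    """
    bad = []

    def rec(node, expected_parent):
        if node["ParentId"] != expected_parent:
            bad.append(node["Id"])
        for child in node.get("Children", []):
            rec(child, node["Id"])

    rec(tree, 0)
    return bad


def render_tree(tree):
    """Indented text rendering of the tree; susp events are marked with '*'."""
    lines = []
    for depth, node in walk(tree):
        marker = "*" if node.get("Class") == "susp" else "-"
        lines.append(f"{'  ' * depth}{marker} {node['Name']} "
                     f"(Severity {node.get('Severity', 0)}, Zone {node.get('Zone', '?')})")
    return "\n".join(lines)


if __name__ == "__main__":
    # Placeholder server and task ID; replace with real values when querying a sandbox.
    print(activity_tree_url("<server name>", "00000000-0000-0000-0000-000000000000"))
    print(render_tree(SAMPLE_ACTIVITY_TREE))
    print("process chain:", " -> ".join(process_chain(SAMPLE_ACTIVITY_TREE)))
    print("suspicious events:", suspicious_events(SAMPLE_ACTIVITY_TREE))
    print("max severity:", max_severity(SAMPLE_ACTIVITY_TREE))
    print("parent link mismatches:", parent_link_mismatches(SAMPLE_ACTIVITY_TREE))
```

To use it against a real response, replace SAMPLE_ACTIVITY_TREE with the parsed body of the GET request shown above; the InterestLevel and ParentId handling is the part worth keeping, since a flat listing of Names loses the process attribution that the tree encodes.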

200 OK response parameters for Android

| Parameter | Data type | Description |
|---|---|---|
| execMap | array | Array containing data about objects in the execution map. Parameters are described in the table below. |
| total | integer | Total number of objects. |
| limit | integer | Limit. |

execMap array element parameters

| Parameter | Data type | Description |
|---|---|---|
| ID | integer | Object ID. |
| class | string | Type of event. |
| name | string | Object name. |
| timestamp | string | Date and time the event task was registered, specified in the ISO 8601:2004 format (YYYY-MM-DDThh:mm:ssZ). |
| properties | array | Description of the event. |
| severity | integer | Numerical value of the danger level of the registered activity (integer 1–1000). |
| severity_status | string | Value of the danger level of the registered activity. |
| component_class | string | Class of component. |
| component_type | string | Type of component. |
| ext_description | string | Detailed description. |
| Locale | array | Description template. |
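Unlike the Windows/Linux tree, the Android map is a flat execMap array with a timestamp per object, so ordering and completeness have to be established by the client. The script below is an added example, not Kaspersky's own code: it orders the objects by their ISO 8601 timestamp, tallies severity_status values, picks the highest-severity object, and compares the number of returned objects against total. SAMPLE_RESPONSE is constructed from the field names in the tables above with invented values; treating a response whose execMap is shorter than total as incomplete is an assumption drawn from the description of total, not something the page states.

```python
"""Summarize a Kaspersky Research Sandbox Android execution map (executionmap-proc).

Added example, not Kaspersky's own code. SAMPLE_RESPONSE is constructed from the
field names in the Android 200 OK tables; all values are invented.
"""
from collections import Counter
from datetime import datetime

SAMPLE_RESPONSE = {
    "execMap": [
        {"ID": 3, "class": "network", "name": "Connection to remote host",
         "timestamp": "2024-03-01T10:00:05Z", "properties": [],
         "severity": 400, "severity_status": "medium",
         "component_class": "service", "component_type": "background service",
         "ext_description": "The application opened a network connection.",
         "Locale": []},
        {"ID": 1, "class": "process", "name": "Application started",
         "timestamp": "2024-03-01T10:00:00Z", "properties": [],
         "severity": 50, "severity_status": "low",
         "component_class": "activity", "component_type": "main activity",
         "ext_description": "", "Locale": []},
        {"ID": 2, "class": "permission", "name": "Dangerous permission requested",
         "timestamp": "2024-03-01T10:00:02Z", "properties": [],
         "severity": 800, "severity_status": "high",
         "component_class": "activity", "component_type": "main activity",
         "ext_description": "", "Locale": []},
    ],
    # Constructed: three of five objects returned in this response.
    "total": 5,
    "limit": 3,
}


def parse_ts(value):
    """Parse the documented YYYY-MM-DDThh:mm:ssZ timestamp into an aware datetime.

    datetime.fromisoformat only accepts a trailing 'Z' from Python 3.11 on, so
    the designator is rewritten as an explicit UTC offset first.
    """
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def events_in_order(response):
    """execMap objects sorted by timestamp, then ID, so ties keep a stable order."""
    return sorted(response["execMap"], key=lambda e: (parse_ts(e["timestamp"]), e["ID"]))


def severity_histogram(response):
    """Count of objects per severity_status value."""
    return dict(Counter(e["severity_status"] for e in response["execMap"]))


def highest_severity_event(response):
    """The execMap object with the largest severity (documented range 1-1000)."""
    return max(response["execMap"], key=lambda e: e["severity"])


def is_complete(response):
    """Assumption: execMap holds every object only when its length reaches total."""
    return len(response["execMap"]) >= response["total"]


def timeline(response):
    """Human-readable lines, one per object, in chronological order."""
    return [f"{e['timestamp']} [{e['severity_status']:>6}] {e['class']}: {e['name']}"
            for e in events_in_order(response)]


if __name__ == "__main__":
    for line in timeline(SAMPLE_RESPONSE):
        print(line)
    print("severity histogram:", severity_histogram(SAMPLE_RESPONSE))
    print("highest severity:", highest_severity_event(SAMPLE_RESPONSE)["name"])
    if not is_complete(SAMPLE_RESPONSE):
        print(f"warning: {len(SAMPLE_RESPONSE['execMap'])} of "
              f"{SAMPLE_RESPONSE['total']} objects returned")
```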

400 Bad Request

Failed to obtain information about the object execution map due to incorrect query.

400 Bad Request response parameters

| Parameter | Data type | Description |
|---|---|---|
| code | string | Error ID. |
| message | string | Error description. |
| meta | string | Additional information, if available. |

Error examples:

Incorrect task_id parameter:

{"code":6,"message":"task not found"}

Incorrect task_id parameter format:

{"code":29,"message":"bad task id"}

401 Unauthorized

Failed to obtain information about the object execution map due to incorrect user credentials.

404 Not Found

Task with specified ID not found.

Error example:

The task_id parameter for a Windows task was specified for an Android endpoint:

{"code":35, "message":"task section not found"}

500 Internal Server Error

Failed to obtain information about the object execution map due to an internal server error.
