Obtaining suspicious activities list


Kaspersky Research Sandbox provides an API to obtain the list of suspicious activities.

Request

Request method: GET

Endpoint for Windows and Linux environments: https://<server name>/api/v1/sandbox/tasks/{task ID}/activity-susp

Endpoint for Android environments: https://<server name>/api/v1/sandbox/tasks/{task ID}/activity-susp-android

Parameters

Obtaining suspicious activities list

Parameter   Data type   Occurrence   Description
task_id     string      Required     Object execution task ID (GUID).

cURL command sample for Windows and Linux:

$ curl --user <user name> --request GET 'https://<server name>/api/v1/sandbox/tasks/<task ID>/activity-susp'

cURL command sample for Android:

$ curl --user <user name> --request GET 'https://<server name>/api/v1/sandbox/tasks/<task ID>/activity-susp-android'

You will be asked to enter your password. The password is not displayed while you type it.

Responses

The endpoint returns a JSON object that contains the suspicious activities list.

200 OK

The JSON object that contains the suspicious activities list was obtained successfully.

200 OK response parameters for Windows and Linux

Parameter       Data type   Description
Id              integer     Unique activity ID.
ParentId        integer     ID of the activity parent.
Name            string      Suspicious activity type. Use the locales/en/sa_template endpoint to get the template description.
Class           string      Type of the activity (susp).
InterestLevel   integer     If InterestLevel=100, the event is shown on the execution map of the object.
Severity        integer     Numerical value for the danger level of the registered activity (integer 1–1500).
Zone            string      Color code of the activity danger zone (level).
Description     string      Activity description.
KeyFields       array       List of activity key parameters that are displayed on the execution map in the Kaspersky Research Sandbox web interface.
MainProps       array       Main properties of the registered activity: key fields and their values.
Techniques      integer     Information about known tactics, techniques, and procedures (TTPs), and mapping with the MITRE ATT&CK classification for the executed object.
Props           array       The full list of available activity properties.

Response example

200 OK response parameters for Android

Parameter         Data type   Description
ComponentClass    string      Class of the event.
ComponentType     string      Type of the event.
Timestamp         string      Date and time the event was registered, as a UNIX timestamp: the number of seconds elapsed since 00:00:00 UTC on 1 January 1970.
ComponentIsMain   boolean     Indicates a subset of main components.
Zone              string      The danger zone (level) of the activity.
Severity          integer     Numerical value of the danger level of the registered activity (integer 1–1000).
Description       array       Object description. May include the name of the activity, its description, and a number of related properties.

Response example

400 Bad Request

Failed to obtain a JSON object that contains the suspicious activities list due to incorrect query.

400 Bad Request response parameters

Parameter   Data type   Description
code        string      Error ID.
message     string      Error description.
meta        string      Additional information, if available.

Error examples:

Incorrect task_id parameter:

{"code":6,"message":"task not found"}

Incorrect task_id parameter format:

{"code":29,"message":"bad task id"}

401 Unauthorized

Failed to obtain a JSON object that contains the suspicious activities list due to incorrect user credentials.

404 Not Found

Task with specified ID not found.

Error example:

The task_id parameter for a Windows task was specified for an Android endpoint:

{"code":35, "message":"task section not found"}

500 Internal Server Error

Failed to obtain a JSON object that contains the suspicious activities due to an internal server error.
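The request shown in the cURL samples and the 200 OK / error responses documented above, as an added Python example (this is not Kaspersky's own client code). It sends the GET with HTTP basic authentication exactly as `curl --user` does, turns the documented 400/401/404/500 bodies into an exception carrying the error code and message, and flattens Windows/Linux activity objects into severity-ordered triage rows. The page does not specify how the activity objects are wrapped inside the response, so `summarize_activities` takes the list of activity objects directly; the activity names, zone values and the whole sample payload below are constructed for illustration.

```python
"""Client helper for the suspicious-activities endpoint (added example,
not the product's own code). Field names follow the response tables;
the sample payload and its values are constructed."""
import base64
import json
import urllib.error
import urllib.request

# Endpoint suffix per environment type, as documented on the page.
ENDPOINTS = {
    "windows": "activity-susp",
    "linux": "activity-susp",
    "android": "activity-susp-android",
}


class SandboxApiError(Exception):
    """Raised for the documented 400/401/404/500 responses."""

    def __init__(self, status, code=None, message=None):
        super().__init__(f"HTTP {status}: code={code} message={message}")
        self.status, self.code, self.message = status, code, message


def build_url(server, task_id, platform="windows"):
    """Return the endpoint URL for the given environment type."""
    return f"https://{server}/api/v1/sandbox/tasks/{task_id}/{ENDPOINTS[platform]}"


def parse_error_body(raw):
    """Extract (code, message) from a body such as {"code":6,"message":"task not found"}.
    Returns (None, None) when the body is not JSON."""
    try:
        body = json.loads(raw.decode() if isinstance(raw, bytes) else raw)
    except (ValueError, AttributeError):
        return None, None
    return body.get("code"), body.get("message")


def fetch_suspicious_activities(server, task_id, user, password, platform="windows"):
    """GET the activity list; basic auth mirrors `curl --user <user name>`."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        build_url(server, task_id, platform),
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
        method="GET",
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        # 400 (bad task id), 401 (credentials), 404 (wrong platform endpoint), 500
        raise SandboxApiError(exc.code, *parse_error_body(exc.read())) from exc


def summarize_activities(activities, min_severity=0):
    """Flatten Windows/Linux activity objects into triage rows, highest Severity first.
    Activities below min_severity are dropped; on_map reflects InterestLevel == 100."""
    rows = []
    for act in activities:
        sev = int(act.get("Severity", 0))
        if sev < min_severity:
            continue
        rows.append({
            "id": act.get("Id"),
            "parent": act.get("ParentId"),
            "name": act.get("Name"),
            "severity": sev,
            "zone": act.get("Zone"),
            "on_map": act.get("InterestLevel") == 100,
        })
    rows.sort(key=lambda r: r["severity"], reverse=True)
    return rows


# Constructed sample activities (names, zones and severities are made up).
SAMPLE_ACTIVITIES = [
    {"Id": 1, "ParentId": 0, "Name": "sample_process_start", "Class": "susp",
     "InterestLevel": 50, "Severity": 200, "Zone": "yellow", "Description": "constructed",
     "KeyFields": [], "MainProps": [], "Techniques": 0, "Props": []},
    {"Id": 2, "ParentId": 1, "Name": "sample_autorun_write", "Class": "susp",
     "InterestLevel": 100, "Severity": 900, "Zone": "red", "Description": "constructed",
     "KeyFields": [], "MainProps": [], "Techniques": 0, "Props": []},
    {"Id": 3, "ParentId": 1, "Name": "sample_file_write", "Class": "susp",
     "InterestLevel": 10, "Severity": 50, "Zone": "green", "Description": "constructed",
     "KeyFields": [], "MainProps": [], "Techniques": 0, "Props": []},
]

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; no network call is made.
    for row in summarize_activities(SAMPLE_ACTIVITIES, min_severity=100):
        print(row)
```

To query a real server, call `fetch_suspicious_activities("<server name>", "<task ID>", "<user name>", password)` and pass the activity objects from the returned JSON to `summarize_activities`; the `platform="android"` variant selects the `activity-susp-android` endpoint, whose fields differ (see the Android table above).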
