Our API

This is our documentation for all v1.0 APIs for the NetworkSage platform. All API endpoints begin with https://api.seclarity.io, and all (with the exception of the public sample viewer) require your API key. Note that if there are terms you are unfamiliar with in this documentation, please refer to our Glossary. If you cannot find what you need in that document, please let us know either via email (support at seclarity dot io) or by joining our Slack community!

If this is your first time working with NetworkSage via our APIs, we strongly recommend first walking through our Getting Started guide.

Samples

A sample is a group of one or more network flows that has been uploaded to NetworkSage. This is predominantly how data is added to or reviewed within the platform.

Upload sample

Uploads a sample of one of the supported sample types (secflow, zeek [JSON and TSV], pcap, pcapng) to your NetworkSage account and kicks off processing of the sample. To poll for successful processing (which usually completes in less than one minute), use the Get secflows from sample API call.

Argument Name            Description
type (required)          one of the sample types supported by the NetworkSage platform
file (required)          the binary data of the sample file
zeekDnsFile (optional)   Zeek writes its DNS information to a separate log file, so pass that file here as well (in the same format as the file argument) to get the benefit of DNS information learned from the Zeek capture.
POST
/upload/v1.0/uploader

Example request

$ curl --location --request POST 'https://api.seclarity.io/upload/v1.0/uploader' \
--header 'apikey: {apikey}' \
--form 'type="{type}"' \
--form 'file=@"{file}"'

Example request body

{
  "type": "zeek",
  "file": binary_data,
  "zeekDnsFile": binary_data
}

Example response

{
  "error": false,
  "body": 
    {
      "sampleId": "{sample_id}"
    }
}

List samples

Provides a list of all samples you have uploaded to NetworkSage (based on your API key), along with minor metadata about each.

GET
/upload/v1.0/uploads/list

Example request

$ curl --location --request GET 'https://api.seclarity.io/upload/v1.0/uploads/list' \
--header 'apikey: {apikey}'

Example response

{
  "error": false,
  "body":
  [
    {
      "fullS3FilePath": "{s3_storage_location}", 
      "processed": "true", 
      "fileName": "2020-07-20-IcedID-infection-traffic.pcap", 
      "dateCreated": "13/09/2021 03:08:59", 
      "sk": "upload#{sample_id}", 
      "dateProcessed": "2021-09-13T15:08:59.616261", 
      "id": "{your_userid}", 
      "uuid": "{sample_id}", 
      "fileType": "pcap"
    }
  ]
}

Get sample metadata

Lists high-level metadata about a particular sample that you have uploaded or have access to (based on your API key). It does not provide the enriched data.

GET
/sec/v1.0/samples/{sample_id}

Example request

$ curl --location --request GET 'https://api.seclarity.io/sec/v1.0/samples/{sample_id}' \
--header 'apikey: {apikey}'

Example response

{
  "error": false,
  "body":
  [
    {
      "fileName": "78a7063925a14ee4ac4d25379dff25a7_filtered.json",
      "dateCreated": "13/09/2021 03:08:59",
      "sk": "sc#{sample_id}",
      "id": "{sampleowner_userid}",
      "trafficDate": "1595263653.900696",
      "hash": "{sample_id}"
    }
  ]
}

Get aggregated data from sample

Provides all known data (such as secflow, Destination, Behavior, and Event information) for a particular sample that you have uploaded or have access to (based on your API key).

GET
/sec/v1.0/samples/{sample_id}/aggregated

Example request

curl --location --request GET 'https://api.seclarity.io/sec/v1.0/samples/{sample_id}/aggregated' \
--header 'apikey: {apikey}'

Example response

{
  "error": false,
  "body":
  [
    {
      "secflow":
      {
        "flowCategory": "minorDataDownloadedViaLongSession",
        "sampleId": "{sample_id}",
        "destinationNameSource": "passive",
        "relativeStart": "0.595319",
        "uuid": "{individual_flowid}",
        "sourceBytes": "1307",
        "destinationPackets": "15",
        "duration": "37.904841",
        "destinationData": "accounts.google.com:443",
        "dateCreated": "03/04/2022 01:03:00",
        "sourcePackets": "13",
        "sk": "00000000.595319",
        "id": "{sampleowner_userid}#hash#{sample_id}",
        "sourceData": "10.10.220.5:51734",
        "flowId": "{secflow_id}",
        "protocolInformation": "",
        "destinationBytes": "2895"
      },
      "behavior":
      {
        "dateCreated": "20/09/2021 12:32:34",
        "createdBy": "{creator_userid}",
        "sk": "behaviorMeta",
        "description": "This itself isn\u0027t incredibly interesting, but when it occurs nearby another Behavior it indicates that the Chrome browser was started.",
        "id": "{secflow_id}",
        "title": "Google Account Loading",
        "relevance": "knownUninteresting"
      },
      "destination":
      {
        "dateCreated": "07/10/2021 01:59:51",
        "createdBy": "{creator_userid}",
        "sk": "destinationMeta",
        "description": "This Destination is used for many aspects related to one\u0027s Google account. It is used to register, manage, and access an account, to load preferences, to allow authentication (including \"login with Google\" capabilities on a site), and more.",
        "id": "{destination_id}",
        "title": "Google Accounts Site"
      },
      "flowIdCount": 260,
      "event": "null"
    }
  ]
}

Get secflows from sample

Provides all secflows for a particular sample that you have uploaded or have access to (based on your API key). If the sample has not yet finished processing, has no results (i.e. if the sample has no North-South data), or has failed to process, the response's body field will be [].

GET
/sec/v1.0/samples/{sample_id}/list

Example request

curl --location --request GET 'https://api.seclarity.io/sec/v1.0/samples/{sample_id}/list' \
--header 'apikey: {apikey}'

Example response

{
  "error": false,
  "body":
  [
    {
      "flowCategory": "someContentDownloaded",
      "destinationNameSource": "passive",
      "relativeStart": "0.01874",
      "uuid": "{individual_flowid}",
      "sourceBytes": "297",
      "destinationPackets": "153",
      "duration": "1.839624",
      "destinationData": "g0zh8lb3.com:80",
      "dateCreated": "13/09/2021 03:08:59",
      "sourcePackets": "90",
      "sk":"00000000.018740",
      "id": "{sampleowner_userid}#hash#{sample_id}",
      "sourceData":"10.7.20.102:50207",
      "flowId": "{secflow_id}",
      "destinationBytes": "205660"
    }
  ]
}
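Putting the upload step and the polling step together, as an added example that is not Seclarity's own client code: it builds the multipart form for POST /upload/v1.0/uploader with only the standard library, then polls GET /sec/v1.0/samples/{sample_id}/list until the body is non-empty, and ranks the returned secflows by bytes received. The env var name NETWORKSAGE_API_KEY, the helper names and the 24 x 5 s poll budget are assumptions, not part of the API.

```python
import json
import os
import sys
import time
import urllib.request
import uuid
from typing import Callable, Dict, List, Optional, Tuple

API_BASE = "https://api.seclarity.io"
SUPPORTED_TYPES = ("secflow", "zeek", "pcap", "pcapng")  # listed on this page


def encode_multipart(fields: Dict[str, str],
                     files: Dict[str, Tuple[str, bytes]]) -> Tuple[bytes, str]:
    """Build a multipart/form-data body (the stdlib has no helper for it).
    files maps form field name -> (filename, raw bytes); returns (body, Content-Type)."""
    boundary = uuid.uuid4().hex
    parts: List[bytes] = []
    for name, value in fields.items():
        parts += [b"--" + boundary.encode(),
                  f'Content-Disposition: form-data; name="{name}"'.encode(),
                  b"", value.encode()]
    for name, (filename, data) in files.items():
        parts += [b"--" + boundary.encode(),
                  (f'Content-Disposition: form-data; name="{name}"; '
                   f'filename="{filename}"').encode(),
                  b"Content-Type: application/octet-stream", b"", data]
    parts += [b"--" + boundary.encode() + b"--", b""]
    return b"\r\n".join(parts), f"multipart/form-data; boundary={boundary}"


def sample_id_from_upload(payload: dict) -> str:
    """Pull sampleId out of the upload response, refusing error responses."""
    if payload.get("error") or not isinstance(payload.get("body"), dict):
        raise RuntimeError(f"upload rejected: {payload!r}")
    return payload["body"]["sampleId"]


def upload_sample(api_key: str, path: str, sample_type: str,
                  zeek_dns_path: Optional[str] = None) -> str:
    """POST the sample (plus the Zeek dns log, if given) and return its sampleId."""
    if sample_type not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported sample type {sample_type!r}")
    with open(path, "rb") as fh:
        files = {"file": (os.path.basename(path), fh.read())}
    if zeek_dns_path:  # only meaningful when sample_type == "zeek"
        with open(zeek_dns_path, "rb") as fh:
            files["zeekDnsFile"] = (os.path.basename(zeek_dns_path), fh.read())
    body, content_type = encode_multipart({"type": sample_type}, files)
    req = urllib.request.Request(
        API_BASE + "/upload/v1.0/uploader", data=body, method="POST",
        headers={"apikey": api_key, "Content-Type": content_type})
    with urllib.request.urlopen(req) as resp:
        return sample_id_from_upload(json.load(resp))


def authenticated_get(api_key: str) -> Callable[[str], dict]:
    """Return a get_json(path) closure that sends the apikey header."""
    def get_json(path: str) -> dict:
        req = urllib.request.Request(API_BASE + path, headers={"apikey": api_key})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return get_json


def wait_for_secflows(get_json: Callable[[str], dict], sample_id: str,
                      max_attempts: int = 24, interval_s: float = 5.0,
                      sleep: Callable[[float], None] = time.sleep) -> list:
    """Poll GET /sec/v1.0/samples/{sample_id}/list until body is non-empty.
    The page says body is [] while processing, when there is no North-South
    data, and when processing failed, so running out of attempts means
    'no secflows available', not necessarily 'still busy'."""
    path = f"/sec/v1.0/samples/{sample_id}/list"
    for attempt in range(1, max_attempts + 1):
        payload = get_json(path)
        if payload.get("error"):
            raise RuntimeError(f"API error while polling: {payload!r}")
        flows = payload.get("body") or []
        if flows:
            return flows
        if attempt < max_attempts:
            sleep(interval_s)
    raise TimeoutError(f"no secflows for {sample_id} after {max_attempts} polls")


def largest_downloads(flows: list, n: int = 5) -> List[Tuple[str, int, str]]:
    """Rank secflows by bytes received; note the API returns counts as strings."""
    ranked = sorted(flows, key=lambda f: int(f["destinationBytes"]), reverse=True)
    return [(f["destinationData"], int(f["destinationBytes"]), f["flowCategory"])
            for f in ranked[:n]]


if __name__ == "__main__":  # usage: script.py <sample file> <type>
    key = os.environ["NETWORKSAGE_API_KEY"]  # assumed env var name
    sid = upload_sample(key, sys.argv[1], sys.argv[2])
    for row in largest_downloads(wait_for_secflows(authenticated_get(key), sid)):
        print(row)
```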

Get aggregated data from public sample ID

Provides all known data (such as secflow, Destination, Behavior, and Event information) for a particular sample's public ID. This public ID must be provided to you in order to access a sample that you do not own.

GET
/public/v1.0/secflows/{public_sampleid}/list/aggregated

Example request

curl --location --request GET 'https://api.seclarity.io/public/v1.0/secflows/{public_sampleid}/list/aggregated'

Example response

{
  "error": false,
  "body":
  [
    {
      "secflow":
      {
        "flowCategory": "minorDataDownloadedViaLongSession",
        "sampleId": "{sample_id}",
        "destinationNameSource": "passive",
        "relativeStart": "0.595319",
        "uuid": "{individual_flowid}",
        "sourceBytes": "1307",
        "destinationPackets": "15",
        "duration": "37.904841",
        "destinationData": "accounts.google.com:443",
        "dateCreated": "03/04/2022 01:03:00",
        "sourcePackets": "13",
        "sk": "00000000.595319",
        "id": "{sampleowner_userid}#hash#{sample_id}",
        "sourceData": "10.10.220.5:51734",
        "flowId": "{secflow_id}",
        "protocolInformation": "",
        "destinationBytes": "2895"
      },
      "behavior":
      {
        "dateCreated": "20/09/2021 12:32:34",
        "createdBy": "{creator_userid}",
        "sk": "behaviorMeta",
        "description": "This itself isn\u0027t incredibly interesting, but when it occurs nearby another Behavior it indicates that the Chrome browser was started.",
        "id": "{secflow_id}",
        "title": "Google Account Loading",
        "relevance": "knownUninteresting"
      },
      "destination":
      {
        "dateCreated": "07/10/2021 01:59:51",
        "createdBy": "{creator_userid}",
        "sk": "destinationMeta",
        "description": "This Destination is used for many aspects related to one\u0027s Google account. It is used to register, manage, and access an account, to load preferences, to allow authentication (including \"login with Google\" capabilities on a site), and more.",
        "id": "{destination_id}",
        "title": "Google Accounts Site"
      },
      "flowIdCount": 260,
      "event": "null"
    }
  ]
}

Generate sample summary

Asynchronous call that asks NetworkSage to generate a Sample Summary (which contains the verdict, summary, confidence, and details for a sample) for the specified sample. Once submitted, use the Retrieve existing sample summary API call to poll for the completed summary.

POST
/sec/v1.0/samples/{sample_id}/summary

Example request

curl --location --request POST 'https://api.seclarity.io/sec/v1.0/samples/{sample_id}/summary' \
--header 'apikey: {apikey}'

Example response

{
  "error": false,
  "body": "Request submitted. Use \u0027GET /samples/{sample_id}/summary\u0027 endpoint to get the result once it is ready"
}

Retrieve existing sample summary

Provides the verdict, confidence, summary, and details that NetworkSage has produced for a specific sample that has already been successfully processed. This information is returned in the summary field as a string and must be parsed back into JSON. The status field also conveys whether the summary is still processing, has been generated, or has failed.

GET
/sec/v1.0/samples/{sample_id}/summary

Example request

curl --location --request GET 'https://api.seclarity.io/sec/v1.0/samples/{sample_id}/summary' \
--header 'apikey: {apikey}'

Example response -- Processing

{
  "error":false,
  "body": {
    "status": "processing"
  }
}

Example response -- Generated

{
  "error":false,
  "body": {
    "status": "generated",
    "summary": "{\"confidence\":\"Medium\",\"details\":\"_NetworkSage_ has observed activity to:\\n• 1 suspected `Impact` -causing site\\n• 2 suspected `Malicious` sites\\n\\nDetails about each are as follows:\\n\\nThere are no known or suspected Attack Vectors in this sample.\\nThere are no known Malicious Activities in this sample, but there are 2 which we suspect could be Malicious Activities. \\t1. `shopget24.com:443` (first seen here at 3.342673s.)\\n\\t*Confidence:* Medium\\n\\t*Description:* ```Despite our Internet search results seemingly indicating that this site is malicious, we\\u0027re unsure of its purpose.  Here is more information for you to review. The activity in this sample indicates the following. A C2-like channel exists and has sent at least 1KB, which is an amount great enough to arouse suspicion.  Our Internet search results say the following. Only 9 results, which is an extremely low number. This either indicates that the site is wildly unpopular (and therefore probably uninteresting) or it is a potentially unknown security threat. The results that most strongly indicated that this was a security threat have the following title snippets:\\n\\t1. Automated Malware Analysis Executive Report for ...\\n\\t2. LokiBot Trojan Malware Analysis, Overview by ANY.RUN\\n\\t3. Free Automated Malware Analysis Service - powered by Falcon ...\\n\\t4. https://allencommercialinteriors.company.site/ | ANY.RUN - Free ...\\n\\t5. threat intelligence tools and malware analysis online - VxCube\\nA snippet of the results that seem to suggest that this site is actually associated with a business (potentially a local business, which would most likely make the site uninteresting) are:\\n\\t1. Home\\n```\\n\\t2. `eminent-difficult-juice.glitch.me:443` (first seen here at 1.632533s.)\\n\\t*Confidence:* High\\n\\t*Description:* ```We have Medium-High confidence that this site is exhibiting Malicious Activity in this sample. Activity to this site occurs in a brief period of this sample where we believe a new website or page is being loaded. Moreover, the traffic from this site leads us to believe that it was the site that was actually loaded (for example, through a link click). This could be more interesting. There are at least 2 sessions to this destination. Based on the activity in this sample, it looks as though this site also has a form loading. This could be a form asking for credentials, for address and payment information, or for some other data that the user is expected to input. This site was active for a relatively long period of time. This could mean that someone was browsing the site, or it may indicate a connection that is continuously loading something in the background.  In addition, Internet search results mostly agree. Only 1 results, which is an extremely low number. This either indicates that the site is wildly unpopular (and therefore probably uninteresting) or it is a potentially unknown security threat. The results that most strongly indicated that this was a security threat have the following title snippets:\\n\\t1. https://allencommercialinteriors.company.site/ | ANY.RUN - Free ...\\nThe first result that suggests this may be a threat is actually the first and only search result, which is highly interesting.\\n```\\nThere are no known Impacts in this sample, but there is 1 which we suspect could be an Impact: \\n\\t1. `bosszblinks.com:443` (first seen here at 19.160644s.)\\n\\t*Confidence:* High\\n\\t*Description:* ```We have High confidence that this site is exhibiting Malicious Activity in this sample. A C2-like channel exists and has sent at least 1KB, which is an amount great enough to arouse suspicion. There are at least 2 sessions to this destination.  However, our Internet search results (which we\\u0027ve interpreted as identifying the site as a Potentially Malicious Generic Malicious Site with confidence of 10/10) don\\u0027t generally agree. We believe this to be true because this site is likely not something that an end user would be looking for, which skews our analysis towards believing that it may be a problem. No results when searched, which is highly suspicious. \\n```\\n\",\"summary\":\"In this 43 second sample, _NetworkSage_ has evidence to suggest that somehow a user visited the *phishing* site eminent-difficult-juice[.]glitch[.]me targeting Microsoft Corporation. We also believe that the user *entered information* (such as credentials) into bosszblinks[.]com. This means that there\\u0027s very likely *something to respond to* in this sample! For additional details about the destinations mentioned above as well as any other possible destinations of concern, please review the `Details` section below.\\n\",\"verdict\":\"Impact\"}"
  }
}

Example response -- Failed

{
  "error":false,
  "body": {
    "status": "failed",
    "message": "Something went wrong...try generating the summary again"
  }
}

Generate sample categorization

Asynchronous call that asks NetworkSage to generate a Sample Categorization (which categorizes all sample activity into one of 5 categories) for the specified sample. Once submitted, use the Retrieve existing sample categorization API call to poll for the completed categorization.

POST
/sec/v1.0/samples/{sample_id}/categorization

Example request

curl --location --request POST 'https://api.seclarity.io/sec/v1.0/samples/{sample_id}/categorization' \
--header 'apikey: {apikey}'

Example response

{
  "error": false,
  "body": "Request submitted. Use \u0027GET /samples/{sample_id}/categorization\u0027 endpoint to get the result once it is ready"
}

Retrieve existing sample categorization

Provides all sample activity categorized into one of the five categories used by NetworkSage. For a sample that has already been successfully processed, this call returns all information known about the sample (with the exception of the information returned by the sample summary call). This information is returned in the categorization field as a string and must be parsed back into JSON. The status field also conveys whether the categorization is still processing, has been generated, or has failed.

GET
/sec/v1.0/samples/{sample_id}/categorization

Example request

curl --location --request GET 'https://api.seclarity.io/sec/v1.0/samples/{sample_id}/categorization' \
--header 'apikey: {apikey}'

Example response -- Processing

{
  "error":false,
  "body": {
    "status": "processing"
  }
}

Example response -- Generated

{
  "error":false,
  "body": {
    "status": "generated",
    "categorization": "{\"Attack Vector\":[],\"Common Activity\":[{\"activity_groups\":[{\"associated_cluster\":1.0,\"confidence\":\"High\",\"description\":\"We have High confidence that this site is acting as Common Activity in this sample. There is no evidence of this site doing anything interesting in this sample.  Our OSINT analysis, which we\\u0027ve interpreted as identifying the site as a Benign Semi-Popular Site, agrees. Additional details are as follows. This site appeared in 6 lists that are curated to capture commonly-seen activity that erroneously ends up triggering common techniques used to identify malicious behavior:\\n1. Top 1000 websites from Cisco Umbrella\\n2. Top 10 000 websites from Cisco Umbrella\\n3. Top 20 000 websites from Cisco Umbrella\\n4. Top 5000 websites from Cisco Umbrella\\n5. known Office 365 URLs\\n6. known Windows 10 connection endpoints\\n\\n\",\"destination_and_port\":\"g.live.com:443\",\"first_seen_in_this_group\":1.231835,\"has_known_metadata\":false,\"last_seen_in_this_group\":3.450347,\"overlapping_activities\":[{\"behavior\":{},\"destination\":{},\"event\":\"null\",\"flowIdCount\":9.0,\"interesting\":true,\"secflow\":{\"dateCreated\":\"09/02/2022 02:34:15\",\"destinationBytes\":\"2397\",\"destinationData\":\"g.live.com:443\",\"destinationNameSource\":\"passive\",\"destinationPackets\":\"13\",\"duration\":\"2.218512\",\"flowCategory\":\"minorResourcesDownloaded\",\"flowId\":\"{secflow_id}\",\"id\":\"{sampleowner_userid}#hash#{sample_id}\",\"protocolInformation\":\"\",\"relativeStart\":\"1.231835\",\"sampleId\":\"{sample_id}\",\"sk\":\"00000001.231835\",\"sourceBytes\":\"623\",\"sourceData\":\"10.10.220.5:51735\",\"sourcePackets\":\"12\",\"uuid\":\"{individual_flowid}\"}}],\"subcluster\":-1.0}],\"destination\":\"g.live.com\"},{\"activity_groups\":[{\"associated_cluster\":1.0,\"confidence\":\"Medium-High\",\"description\":\"We have Medium-High confidence that this site is acting as Common Activity in this sample. 
Activity to this site occurs in a brief period of this sample where we believe a new website or page is being loaded. Moreover, the traffic from this site leads us to believe that it was the site that was actually loaded (for example, through a link click). This could be more interesting. Based on the activity in this sample, it looks as though this site also has a form loading. This could be a form asking for credentials, for address and payment information, or for some other data that the user is expected to input.  Our OSINT analysis, which we\\u0027ve interpreted as identifying the site as a Benign Semi-Popular Site, mostly agrees. Additional details are as follows. This site appeared in 6 lists that are curated to capture commonly-seen activity that erroneously ends up triggering common techniques used to identify malicious behavior:\\n1. Top 1000 websites from Cisco Umbrella\\n2. Top 10 000 websites from Cisco Umbrella\\n3. Top 20 000 websites from Cisco Umbrella\\n4. Top 5000 websites from Cisco Umbrella\\n5. known Office 365 URLs\\n6. 
known Windows 10 connection endpoints\\n\\n\",\"destination_and_port\":\"oneclient.sfx.ms:443\",\"first_seen_in_this_group\":2.73457,\"has_known_metadata\":false,\"last_seen_in_this_group\":3.9611270000000003,\"overlapping_activities\":[{\"behavior\":{},\"destination\":{},\"event\":\"null\",\"flowIdCount\":9.0,\"interesting\":true,\"secflow\":{\"dateCreated\":\"09/02/2022 02:34:15\",\"destinationBytes\":\"53617\",\"destinationData\":\"oneclient.sfx.ms:443\",\"destinationNameSource\":\"passive\",\"destinationPackets\":\"22\",\"duration\":\"1.226557\",\"flowCategory\":\"someContentDownloaded\",\"flowId\":\"{secflow_flowid}\",\"id\":\"{sampleowner_userid}#hash#{sample_id}\",\"protocolInformation\":\"\",\"relativeStart\":\"2.73457\",\"sampleId\":\"{sample_id}\",\"sk\":\"00000002.734570\",\"sourceBytes\":\"823\",\"sourceData\":\"10.10.220.5:51744\",\"sourcePackets\":\"13\",\"uuid\":\"{individual_flowid}\"}}],\"subcluster\":-1.0}],\"destination\":\"oneclient.sfx.ms\"},{\"activity_groups\":[{\"associated_cluster\":-1.0,\"confidence\":\"Medium-High\",\"description\":\"We have Medium-High confidence that this site is acting as Common Activity in this sample. This site is communicated with on a port that is not commonly seen.  Our OSINT analysis, which we\\u0027ve interpreted as identifying the site as a Benign Semi-Popular Site, mostly agrees. Additional details are as follows. This site appeared in 4 lists that are curated to capture commonly-seen activity that erroneously ends up triggering common techniques used to identify malicious behavior:\\n1. Top 1000 websites from Cisco Umbrella\\n2. Top 10 000 websites from Cisco Umbrella\\n3. Top 20 000 websites from Cisco Umbrella\\n4. 
Top 5000 websites from Cisco Umbrella\\n\\n\",\"destination_and_port\":\"maxcdn.bootstrapcdn.com:ICMP\",\"first_seen_in_this_group\":7.214216,\"has_known_metadata\":false,\"last_seen_in_this_group\":7.214216,\"overlapping_activities\":[{\"behavior\":{},\"destination\":{},\"event\":\"null\",\"flowIdCount\":5.0,\"interesting\":false,\"secflow\":{\"dateCreated\":\"09/02/2022 02:34:15\",\"destinationBytes\":\"0\",\"destinationData\":\"maxcdn.bootstrapcdn.com:ICMP\",\"destinationNameSource\":\"passive\",\"destinationPackets\":\"1\",\"duration\":\"0.0\",\"flowCategory\":\"closedSession\",\"flowId\":\"{secflow_flowid}\",\"id\":\"{sampleowner_userid}#hash#{sample_id}\",\"protocolInformation\":\"ICMP\",\"relativeStart\":\"7.214216\",\"sampleId\":\"{sample_id}\",\"sk\":\"00000007.214216\",\"sourceBytes\":\"0\",\"sourceData\":\"10.10.220.5\",\"sourcePackets\":\"0\",\"uuid\":\"{individual_flowid}\"}}],\"subcluster\":-1.0},{\"associated_cluster\":17.0,\"confidence\":\"Medium-High\",\"description\":\"We have Medium-High confidence that this site is acting as Common Activity in this sample. There are at least 2 sessions to this destination. This site was active for a relatively long period of time, but it didn\\u0027t seem to be something that a user actively interacted with. This could mean that it is background activity on a site (such as tracking, analytics, or assets loading), or is some operating system functionality.  Our OSINT analysis, which we\\u0027ve interpreted as identifying the site as a Benign Semi-Popular Site, mostly agrees. Additional details are as follows. This site appeared in 4 lists that are curated to capture commonly-seen activity that erroneously ends up triggering common techniques used to identify malicious behavior:\\n1. Top 1000 websites from Cisco Umbrella\\n2. Top 10 000 websites from Cisco Umbrella\\n3. Top 20 000 websites from Cisco Umbrella\\n4. 
Top 5000 websites from Cisco Umbrella\\n\\n\",\"destination_and_port\":\"maxcdn.bootstrapcdn.com:443\",\"first_seen_in_this_group\":2.489366,\"has_known_metadata\":true,\"last_seen_in_this_group\":38.502632,\"overlapping_activities\":[{\"behavior\":{\"createdBy\":\"{creator_userid}\",\"dateCreated\":\"10/09/2021 12:59:12\",\"description\":\"Bootstrap is a framework that is intended to make it easier and faster for creators to build responsive and beautiful User Interfaces for their sites and applications. While it is certainly used often for legitimate purposes, it also serves as a great tool for phishers to set up a convincing lookalike portal for many services quickly.\",\"id\":\"{secflow_id}\",\"sk\":\"behaviorMeta\",\"title\":\"Site Using Bootstrap UI Components\"},\"destination\":{\"createdBy\":\"{creator_userid}\",\"dateCreated\":\"12/09/2021 05:09:20\",\"description\":\"Bootstrap is a framework that is intended to make it easier and faster for creators to build responsive and beautiful User Interfaces for their sites and applications.\",\"id\":\"{destination_id}\",\"sk\":\"destinationMeta\",\"title\":\"Bootstrap Site via MaxCDN\"},\"event\":\"null\",\"flowIdCount\":104.0,\"interesting\":true,\"secflow\":{\"dateCreated\":\"09/02/2022 02:34:15\",\"destinationBytes\":\"38407\",\"destinationData\":\"maxcdn.bootstrapcdn.com:443\",\"destinationNameSource\":\"passive\",\"destinationPackets\":\"31\",\"duration\":\"36.013266\",\"flowCategory\":\"someDataDownloadedViaLongSession\",\"flowId\":\"{secflow_flowid}\",\"id\":\"{sampleowner_userid}#hash#{sample_id}\",\"protocolInformation\":\"\",\"relativeStart\":\"2.489366\",\"sampleId\":\"{sample_id}\",\"sk\":\"00000002.489366\",\"sourceBytes\":\"1255\",\"sourceData\":\"10.10.220.5:51742\",\"sourcePackets\":\"20\",\"uuid\":\"{individual_flowid}\"}},{\"behavior\":{},\"destination\":{\"createdBy\":\"{creator_userid}\",\"dateCreated\":\"12/09/2021 05:09:20\",\"description\":\"Bootstrap is a framework that is intended to make 
it easier and faster for creators to build responsive and beautiful User Interfaces for their sites and applications.\",\"id\":\"{destination_id}\",\"sk\":\"destinationMeta\",\"title\":\"Bootstrap Site via MaxCDN\"},\"event\":\"null\",\"flowIdCount\":12.0,\"interesting\":true,\"secflow\":{\"dateCreated\":\"09/02/2022 02:34:15\",\"destinationBytes\":\"0\",\"destinationData\":\"maxcdn.bootstrapcdn.com:443\",\"destinationNameSource\":\"passive\",\"destinationPackets\":\"0\",\"duration\":\"4.074282\",\"flowCategory\":\"unidirectional\",\"flowId\":\"{secflow_flowid}\",\"id\":\"{sampleowner_userid}#hash#{sample_id}\",\"protocolInformation\":\"\",\"relativeStart\":\"3.139905\",\"sampleId\":\"{sample_id}\",\"sk\":\"00000003.139905\",\"sourceBytes\":\"6250\",\"sourceData\":\"10.10.220.5:59411\",\"sourcePackets\":\"5\",\"uuid\":\"{individual_flowid}\"}}],\"subcluster\":0.0}],\"destination\":\"maxcdn.bootstrapcdn.com\"},{\"activity_groups\":[{\"associated_cluster\":18.0,\"confidence\":\"High\",\"description\":\"We have High confidence that this site is acting as Common Activity in this sample. There is no evidence of this site doing anything interesting in this sample.  Our OSINT analysis, which we\\u0027ve interpreted as identifying the site as a Benign Semi-Popular Site, agrees. Additional details are as follows. This site appeared in 4 lists that are curated to capture commonly-seen activity that erroneously ends up triggering common techniques used to identify malicious behavior:\\n1. Top 1000 websites from Cisco Umbrella\\n2. Top 10 000 websites from Cisco Umbrella\\n3. Top 20 000 websites from Cisco Umbrella\\n4. 
Top 5000 websites from Cisco Umbrella\\n\\n\",\"destination_and_port\":\"edgedl.me.gvt1.com:80\",\"first_seen_in_this_group\":39.469633,\"has_known_metadata\":false,\"last_seen_in_this_group\":42.849988,\"overlapping_activities\":[{\"behavior\":{},\"destination\":{},\"event\":\"null\",\"flowIdCount\":1.0,\"interesting\":true,\"secflow\":{\"dateCreated\":\"09/02/2022 02:34:15\",\"destinationBytes\":\"1031716\",\"destinationData\":\"edgedl.me.gvt1.com:80\",\"destinationNameSource\":\"cache\",\"destinationPackets\":\"55\",\"duration\":\"3.380355\",\"flowCategory\":\"majorContentDownloaded\",\"flowId\":\"{secflow_flowid}\",\"id\":\"{sampleowner_userid}#hash#{sample_id}\",\"protocolInformation\":\"\",\"relativeStart\":\"39.469633\",\"sampleId\":\"{sample_id}\",\"sk\":\"00000039.469633\",\"sourceBytes\":\"1603\",\"sourceData\":\"10.10.220.5:51755\",\"sourcePackets\":\"51\",\"uuid\":\"{individual_flowid}\"}}],\"subcluster\":-1.0}],\"destination\":\"edgedl.me.gvt1.com\"},{\"activity_groups\":[{\"associated_cluster\":18.0,\"confidence\":\"Medium-High\",\"description\":\"We have Medium-High confidence that this site is acting as Common Activity in this sample. This site is an IP address, which is more commonly seen when an attacker wants to quickly set up infrastructure and avoid registering a domain name.  Our OSINT analysis, which we\\u0027ve interpreted as identifying the site as a Benign Known site, mostly agrees. Additional details are as follows. This site appeared in 2 lists that are curated to capture commonly-seen activity that erroneously ends up triggering common techniques used to identify malicious behavior:\\n1. known Microsoft Azure Datacenter IP Ranges\\n2. 
Specialized list of IPv4 addresses belonging to common VPN providers and datacenters\\n\\n\",\"destination_and_port\":\"20.50.73.10:443\",\"first_seen_in_this_group\":43.407385,\"has_known_metadata\":false,\"last_seen_in_this_group\":43.410323999999996,\"overlapping_activities\":[{\"behavior\":{},\"destination\":{},\"event\":\"null\",\"flowIdCount\":4.0,\"interesting\":true,\"secflow\":{\"dateCreated\":\"09/02/2022 02:34:15\",\"destinationBytes\":\"0\",\"destinationData\":\"20.50.73.10:443\",\"destinationNameSource\":\"active\",\"destinationPackets\":\"2\",\"duration\":\"0.002939\",\"flowCategory\":\"unclassified\",\"flowId\":\"{secflow_flowid}\",\"id\":\"{sampleowner_userid}#hash#{sample_id}\",\"protocolInformation\":\"\",\"relativeStart\":\"43.407385\",\"sampleId\":\"{sample_id}\",\"sk\":\"00000043.407385\",\"sourceBytes\":\"197\",\"sourceData\":\"10.10.220.5:51756\",\"sourcePackets\":\"3\",\"uuid\":\"{individual_flowid}\"}}],\"subcluster\":-1.0}],\"destination\":\"20.50.73.10\"},{\"activity_groups\":[{\"associated_cluster\":17.0,\"confidence\":\"High\",\"destination_and_port\":\"accounts.google.com:443\",\"first_seen_in_this_group\":0.595319,\"has_known_metadata\":true,\"last_seen_in_this_group\":38.50016,\"overlapping_activities\":[{\"behavior\":{\"createdBy\":\"{creator_userid}\",\"dateCreated\":\"20/09/2021 12:32:34\",\"description\":\"This itself isn\\u0027t incredibly interesting, but when it occurs nearby another Behavior it indicates that the Chrome browser was started.\",\"id\":\"{secflow_id}\",\"relevance\":\"knownUninteresting\",\"sk\":\"behaviorMeta\",\"title\":\"Google Account Loading\"},\"destination\":{\"createdBy\":\"{creator_userid}\",\"dateCreated\":\"07/10/2021 01:59:51\",\"description\":\"This Destination is used for many aspects related to one\\u0027s Google account. 
It is used to register, manage, and access an account, to load preferences, to allow authentication (including \\\"login with Google\\\" capabilities on a site), and more.\",\"id\":\"{destination_id}\",\"sk\":\"destinationMeta\",\"title\":\"Google Accounts Site\"},\"event\":\"null\",\"flowIdCount\":274.0,\"interesting\":true,\"secflow\":{\"dateCreated\":\"09/02/2022 02:34:15\",\"destinationBytes\":\"2895\",\"destinationData\":\"accounts.google.com:443\",\"destinationNameSource\":\"passive\",\"destinationPackets\":\"15\",\"duration\":\"37.904841\",\"flowCategory\":\"minorDataDownloadedViaLongSession\",\"flowId\":\"{secflow_flowid}\",\"id\":\"{sampleowner_userid}#hash#{sample_id}\",\"protocolInformation\":\"\",\"relativeStart\":\"0.595319\",\"sampleId\":\"{sample_id}\",\"sk\":\"00000000.595319\",\"sourceBytes\":\"1307\",\"sourceData\":\"10.10.220.5:51734\",\"sourcePackets\":\"13\",\"uuid\":\"{individual_flowid}\"}}],\"subcluster\":0.0}],\"destination\":\"accounts.google.com\"},{\"activity_groups\":[{\"associated_cluster\":17.0,\"confidence\":\"High\",\"destination_and_port\":\"fonts.googleapis.com:443\",\"first_seen_in_this_group\":2.468659,\"has_known_metadata\":true,\"last_seen_in_this_group\":38.502429,\"overlapping_activities\":[{\"behavior\":{\"createdBy\":\"{creator_userid}\",\"dateCreated\":\"09/09/2021 02:05:13\",\"description\":\"Google stores their fonts in a few locations that allows them to be retrieved quickly. 
This is a sign that a font is currently loading, which often means that a new page is loading.\",\"id\":\"{secflow_id}\",\"sk\":\"behaviorMeta\",\"title\":\"Font Download from Google During Pageload\"},\"destination\":{\"createdBy\":\"{creator_userid}\",\"dateCreated\":\"21/09/2021 12:55:46\",\"description\":\"This site is used by Google to store fonts that can be used on websites.\",\"id\":\"{destination_id}\",\"relevance\":\"knownUninteresting\",\"sk\":\"destinationMeta\",\"title\":\"Google\\u0027s Font Site\"},\"event\":\"null\",\"flowIdCount\":435.0,\"interesting\":true,\"secflow\":{\"dateCreated\":\"09/02/2022 02:34:15\",\"destinationBytes\":\"3245\",\"destinationData\":\"fonts.googleapis.com:443\",\"destinationNameSource\":\"passive\",\"destinationPackets\":\"14\",\"duration\":\"36.03377\",\"flowCategory\":\"minorDataDownloadedViaLongSession\",\"flowId\":\"{secflow_flowid}\",\"id\":\"{sampleowner_userid}#hash#{sample_id}\",\"protocolInformation\":\"\",\"relativeStart\":\"2.468659\",\"sampleId\":\"{sample_id}\",\"sk\":\"00000002.468659\",\"sourceBytes\":\"1187\",\"sourceData\":\"10.10.220.5:51741\",\"sourcePackets\":\"13\",\"uuid\":\"{individual_flowid}\"}}],\"subcluster\":0.0}],\"destination\":\"fonts.googleapis.com\"},{\"activity_groups\":[{\"associated_cluster\":17.0,\"confidence\":\"High\",\"destination_and_port\":\"ajax.googleapis.com:443\",\"first_seen_in_this_group\":2.468548,\"has_known_metadata\":true,\"last_seen_in_this_group\":38.502632,\"overlapping_activities\":[{\"behavior\":{\"createdBy\":\"{creator_userid}\",\"dateCreated\":\"29/10/2021 09:06:55\",\"description\":\"This Behavior indicates that at least one of the most common open-source libraries (on which the Internet is largely built) is loading from Google\\u0027s infrastructure.\",\"id\":\"{secflow_id}\",\"sk\":\"behaviorMeta\",\"title\":\"Open-Source Library Loading from Google Site\"},\"destination\":{\"createdBy\":\"{creator_userid}\",\"dateCreated\":\"04/10/2021 
04:49:24\",\"description\":\"Google hosts many of the most commonly-used Javascript libraries in order to speed up page loads.\",\"id\":\"{destination_id}\",\"sk\":\"destinationMeta\",\"title\":\"Google Site Hosting Common Javascript Libraries\"},\"event\":\"null\",\"flowIdCount\":1.0,\"interesting\":true,\"secflow\":{\"dateCreated\":\"09/02/2022 02:34:15\",\"destinationBytes\":\"33221\",\"destinationData\":\"ajax.googleapis.com:443\",\"destinationNameSource\":\"passive\",\"destinationPackets\":\"22\",\"duration\":\"36.034084\",\"flowCategory\":\"someDataDownloadedViaLongSession\",\"flowId\":\"{secflow_flowid}\",\"id\":\"{sampleowner_userid}#hash#{sample_id}\",\"protocolInformation\":\"\",\"relativeStart\":\"2.468548\",\"sampleId\":\"{sample_id}\",\"sk\":\"00000002.468548\",\"sourceBytes\":\"1178\",\"sourceData\":\"10.10.220.5:51740\",\"sourcePackets\":\"15\",\"uuid\":\"{individual_flowid}\"}}],\"subcluster\":0.0}],\"destination\":\"ajax.googleapis.com\"},{\"activity_groups\":[{\"associated_cluster\":17.0,\"confidence\":\"High\",\"destination_and_port\":\"logo.clearbit.com:443\",\"first_seen_in_this_group\":3.459699,\"has_known_metadata\":true,\"last_seen_in_this_group\":38.508932,\"overlapping_activities\":[{\"behavior\":{\"createdBy\":\"{creator_userid}\",\"dateCreated\":\"16/09/2021 01:44:01\",\"description\":\"Clearbit is a company that aims to be the marketing data engine for customer interactions. While the company does a lot of things, this Behavior specifically identifies when a logo is requested from their site via their API. This is perfectly legitimate, but has been seen in phishing attacks (since an adversary can request any company\\u0027s logo from this API endpoint). 
Beware if this seems to be loaded by a Suspicious or Malicious site.\",\"id\":\"{secflow_id}\",\"sk\":\"behaviorMeta\",\"title\":\"Logo Downloaded from Clearbit\"},\"destination\":{},\"event\":\"null\",\"flowIdCount\":8.0,\"interesting\":true,\"secflow\":{\"dateCreated\":\"09/02/2022 02:34:15\",\"destinationBytes\":\"13618\",\"destinationData\":\"logo.clearbit.com:443\",\"destinationNameSource\":\"passive\",\"destinationPackets\":\"21\",\"duration\":\"35.049233\",\"flowCategory\":\"someDataDownloadedViaLongSession\",\"flowId\":\"{secflow_flowid}\",\"id\":\"{sampleowner_userid}#hash#{sample_id}\",\"protocolInformation\":\"\",\"relativeStart\":\"3.459699\",\"sampleId\":\"{sample_id}\",\"sk\":\"00000003.459699\",\"sourceBytes\":\"1203\",\"sourceData\":\"10.10.220.5:51749\",\"sourcePackets\":\"16\",\"uuid\":\"{individual_flowid}\"}}],\"subcluster\":0.0}],\"destination\":\"logo.clearbit.com\"},{\"activity_groups\":[{\"associated_cluster\":17.0,\"confidence\":\"High\",\"destination_and_port\":\"update.googleapis.com:443\",\"first_seen_in_this_group\":8.711097,\"has_known_metadata\":true,\"last_seen_in_this_group\":38.509375,\"overlapping_activities\":[{\"behavior\":{},\"destination\":{\"createdBy\":\"{creator_userid}\",\"dateCreated\":\"07/10/2021 02:10:25\",\"description\":\"This Destination is used by Google to keep its software up to date. 
This includes checks for any updates to any of the installed software, as well as the downloads themselves.\",\"id\":\"{destination_id}\",\"sk\":\"destinationMeta\",\"title\":\"Google\\u0027s Component Update Site\"},\"event\":\"null\",\"flowIdCount\":104.0,\"interesting\":true,\"secflow\":{\"dateCreated\":\"09/02/2022 02:34:15\",\"destinationBytes\":\"3621\",\"destinationData\":\"update.googleapis.com:443\",\"destinationNameSource\":\"passive\",\"destinationPackets\":\"15\",\"duration\":\"29.798278\",\"flowCategory\":\"asNeededChannel\",\"flowId\":\"{secflow_flowid}\",\"id\":\"{sampleowner_userid}#hash#{sample_id}\",\"protocolInformation\":\"\",\"relativeStart\":\"8.711097\",\"sampleId\":\"{sample_id}\",\"sk\":\"00000008.711097\",\"sourceBytes\":\"3036\",\"sourceData\":\"10.10.220.5:51752\",\"sourcePackets\":\"14\",\"uuid\":\"{individual_flowid}\"}}],\"subcluster\":-1.0}],\"destination\":\"update.googleapis.com\"},{\"activity_groups\":[{\"associated_cluster\":17.0,\"confidence\":\"High\",\"destination_and_port\":\"www.google.com:443\",\"first_seen_in_this_group\":1.926741,\"has_known_metadata\":true,\"last_seen_in_this_group\":38.522729,\"overlapping_activities\":[{\"behavior\":{},\"destination\":{\"createdBy\":\"{creator_userid}\",\"dateCreated\":\"21/09/2021 01:04:00\",\"description\":\"This Destination is first and foremost Google\\u0027s homepage. However, it also serves as the endpoint for many more functions, including loading search results, advertisements, Recaptchas, and Google Drive. 
Look for more context about how this Destination was used in the Behaviors and Events layers.\",\"id\":\"{destination_id}\",\"sk\":\"destinationMeta\",\"title\":\"Google Homepage -- Multi-use\"},\"event\":\"null\",\"flowIdCount\":416.0,\"interesting\":true,\"secflow\":{\"dateCreated\":\"09/02/2022 02:34:15\",\"destinationBytes\":\"1848\",\"destinationData\":\"www.google.com:443\",\"destinationNameSource\":\"passive\",\"destinationPackets\":\"6\",\"duration\":\"36.595417\",\"flowCategory\":\"minorDataDownloadedViaLongSession\",\"flowId\":\"{secflow_flowid}\",\"id\":\"{sampleowner_userid}#hash#{sample_id}\",\"protocolInformation\":\"\",\"relativeStart\":\"1.926741\",\"sampleId\":\"{sample_id}\",\"sk\":\"00000001.926741\",\"sourceBytes\":\"597\",\"sourceData\":\"10.10.220.5:51738\",\"sourcePackets\":\"8\",\"uuid\":\"{individual_flowid}\"}},{\"behavior\":{},\"destination\":{\"createdBy\":\"{creator_userid}\",\"dateCreated\":\"21/09/2021 01:04:00\",\"description\":\"This Destination is first and foremost Google\\u0027s homepage. However, it also serves as the endpoint for many more functions, including loading search results, advertisements, Recaptchas, and Google Drive. 
Look for more context about how this Destination was used in the Behaviors and Events layers.\",\"id\":\"{destination_id}\",\"sk\":\"destinationMeta\",\"title\":\"Google Homepage -- Multi-use\"},\"event\":\"null\",\"flowIdCount\":416.0,\"interesting\":true,\"secflow\":{\"dateCreated\":\"09/02/2022 02:34:15\",\"destinationBytes\":\"1848\",\"destinationData\":\"www.google.com:443\",\"destinationNameSource\":\"passive\",\"destinationPackets\":\"6\",\"duration\":\"36.595396\",\"flowCategory\":\"minorDataDownloadedViaLongSession\",\"flowId\":\"{secflow_flowid}\",\"id\":\"{sampleowner_userid}#hash#{sample_id}\",\"protocolInformation\":\"\",\"relativeStart\":\"1.927333\",\"sampleId\":\"{sample_id}\",\"sk\":\"00000001.927333\",\"sourceBytes\":\"597\",\"sourceData\":\"10.10.220.5:51739\",\"sourcePackets\":\"7\",\"uuid\":\"{individual_flowid}\"}}],\"subcluster\":0.0}],\"destination\":\"www.google.com\"},{\"activity_groups\":[{\"associated_cluster\":17.0,\"confidence\":\"High\",\"destination_and_port\":\"content-autofill.googleapis.com:443\",\"first_seen_in_this_group\":3.980037,\"has_known_metadata\":true,\"last_seen_in_this_group\":38.509032000000005,\"overlapping_activities\":[{\"behavior\":{\"createdBy\":\"{creator_userid}\",\"dateCreated\":\"09/09/2021 12:42:25\",\"description\":\"This Behavior occurs when a form exists on a website. Google attempts to figure out which data the form is requesting so that you can automatically fill in the form. This does not mean that a user has entered any information -- nor does this mean that a site is in malicious -- on its own. Look for follow-on behavior to Suspicious or Malicious sites, which may indicate that a user has entered credentials.\",\"id\":\"{secflow_id}\",\"sk\":\"behaviorMeta\",\"title\":\"Autofill Form Exists on Site\"},\"destination\":{\"createdBy\":\"{creator_userid}\",\"dateCreated\":\"10/09/2021 02:38:57\",\"description\":\"This Destination is generally contacted when a site has a form. 
Google attempts to figure out which data the form is requesting so that it can be automatically filled in. If we don\\u0027t recognize the  particular Behavior for this Destination, it may be related to another site that is already open.\",\"id\":\"{destination_id}\",\"sk\":\"destinationMeta\",\"title\":\"Google Autofill Form Site\"},\"event\":\"null\",\"flowIdCount\":94.0,\"interesting\":true,\"secflow\":{\"dateCreated\":\"09/02/2022 02:34:15\",\"destinationBytes\":\"2876\",\"destinationData\":\"content-autofill.googleapis.com:443\",\"destinationNameSource\":\"passive\",\"destinationPackets\":\"14\",\"duration\":\"34.528995\",\"flowCategory\":\"minorDataDownloadedViaLongSession\",\"flowId\":\"{secflow_flowid}\",\"id\":\"{sampleowner_userid}#hash#{sample_id}\",\"protocolInformation\":\"\",\"relativeStart\":\"3.980037\",\"sampleId\":\"{sample_id}\",\"sk\":\"00000003.980037\",\"sourceBytes\":\"1219\",\"sourceData\":\"10.10.220.5:51750\",\"sourcePackets\":\"13\",\"uuid\":\"{individual_flowid}\"}}],\"subcluster\":0.0}],\"destination\":\"content-autofill.googleapis.com\"},{\"activity_groups\":[{\"associated_cluster\":17.0,\"confidence\":\"High\",\"destination_and_port\":\"i.gyazo.com:443\",\"first_seen_in_this_group\":4.027751,\"has_known_metadata\":true,\"last_seen_in_this_group\":38.50925,\"overlapping_activities\":[{\"behavior\":{},\"destination\":{\"activityPurposeTags\":\"\",\"associatedAppOrServiceTags\":\"\",\"attackVectorTags\":\"\",\"createdBy\":\"{creator_userid}\",\"dateCreated\":\"08/12/2021 10:12:43\",\"description\":\"This Destination is used to grab images from Gyazo\\u0027s site. There are all sorts of images available (billions, according to their website). This site is known to be used by attackers to show partially-blurred screenshots that aim to convince users that they are viewing a legitimate authentication popup from an app. 
If this occurs near Suspicious, Malicious, or highly uncommon sites, it could be an indication of a phishing attempt.\",\"destinationTags\":\"\",\"id\":\"{destination_id}\",\"impactsTags\":\"\",\"platformHintTags\":\"\",\"relevance\":\"seenNearBad\",\"securityTags\":\"\",\"sk\":\"destinationMeta\",\"threatTags\":\"\",\"title\":\"Gyazo Image Hosting Site\"},\"event\":\"null\",\"flowIdCount\":7.0,\"interesting\":true,\"secflow\":{\"dateCreated\":\"09/02/2022 02:34:15\",\"destinationBytes\":\"27142\",\"destinationData\":\"i.gyazo.com:443\",\"destinationNameSource\":\"passive\",\"destinationPackets\":\"22\",\"duration\":\"34.481499\",\"flowCategory\":\"someDataDownloadedViaLongSession\",\"flowId\":\"{secflow_flowid}\",\"id\":\"{sampleowner_userid}#hash#{sample_id}\",\"protocolInformation\":\"\",\"relativeStart\":\"4.027751\",\"sampleId\":\"{sample_id}\",\"sk\":\"00000004.027751\",\"sourceBytes\":\"1159\",\"sourceData\":\"10.10.220.5:51751\",\"sourcePackets\":\"15\",\"uuid\":\"{individual_flowid}\"}}],\"subcluster\":0.0}],\"destination\":\"i.gyazo.com\"},{\"activity_groups\":[{\"associated_cluster\":17.0,\"confidence\":\"High\",\"destination_and_port\":\"fonts.gstatic.com:443\",\"first_seen_in_this_group\":2.967137,\"has_known_metadata\":true,\"last_seen_in_this_group\":38.522158000000005,\"overlapping_activities\":[{\"behavior\":{},\"destination\":{\"createdBy\":\"{creator_userid}\",\"dateCreated\":\"21/09/2021 07:56:59\",\"description\":\"This site is used by Google to store fonts that can be used on websites.\",\"id\":\"{destination_id}\",\"relevance\":\"knownUninteresting\",\"sk\":\"destinationMeta\",\"title\":\"Google\\u0027s Font Site\"},\"event\":\"null\",\"flowIdCount\":100.0,\"interesting\":true,\"secflow\":{\"dateCreated\":\"09/02/2022 
02:34:15\",\"destinationBytes\":\"1991\",\"destinationData\":\"fonts.gstatic.com:443\",\"destinationNameSource\":\"passive\",\"destinationPackets\":\"7\",\"duration\":\"35.555021\",\"flowCategory\":\"minorDataDownloadedViaLongSession\",\"flowId\":\"{secflow_flowid}\",\"id\":\"{sampleowner_userid}#hash#{sample_id}\",\"protocolInformation\":\"\",\"relativeStart\":\"2.967137\",\"sampleId\":\"{sample_id}\",\"sk\":\"00000002.967137\",\"sourceBytes\":\"597\",\"sourceData\":\"10.10.220.5:51745\",\"sourcePackets\":\"7\",\"uuid\":\"{individual_flowid}\"}}],\"subcluster\":0.0}],\"destination\":\"fonts.gstatic.com\"},{\"activity_groups\":[{\"associated_cluster\":17.0,\"confidence\":\"High\",\"destination_and_port\":\"code.jquery.com:443\",\"first_seen_in_this_group\":2.559943,\"has_known_metadata\":true,\"last_seen_in_this_group\":38.508788,\"overlapping_activities\":[{\"behavior\":{\"createdBy\":\"{creator_userid}\",\"dateCreated\":\"10/09/2021 12:53:00\",\"description\":\"jQuery is a fast, small, and feature-rich JavaScript library that is used by a considerable amount of websites. 
This Behavior indicates that a site that is currently loading very likely uses jQuery.\",\"id\":\"{secflow_id}\",\"sk\":\"behaviorMeta\",\"title\":\"jQuery Library Loading for Site\"},\"destination\":{},\"event\":\"null\",\"flowIdCount\":145.0,\"interesting\":true,\"secflow\":{\"dateCreated\":\"09/02/2022 02:34:15\",\"destinationBytes\":\"32388\",\"destinationData\":\"code.jquery.com:443\",\"destinationNameSource\":\"passive\",\"destinationPackets\":\"18\",\"duration\":\"35.948845\",\"flowCategory\":\"someDataDownloadedViaLongSession\",\"flowId\":\"{secflow_flowid}\",\"id\":\"{sampleowner_userid}#hash#{sample_id}\",\"protocolInformation\":\"\",\"relativeStart\":\"2.559943\",\"sampleId\":\"{sample_id}\",\"sk\":\"00000002.559943\",\"sourceBytes\":\"1104\",\"sourceData\":\"10.10.220.5:51743\",\"sourcePackets\":\"13\",\"uuid\":\"{individual_flowid}\"}},{\"behavior\":{\"createdBy\":\"{creator_userid}\",\"dateCreated\":\"10/09/2021 12:53:00\",\"description\":\"jQuery is a fast, small, and feature-rich JavaScript library that is used by a considerable amount of websites. 
This Behavior indicates that a site that is currently loading very likely uses jQuery.\",\"id\":\"{secflow_id}\",\"sk\":\"behaviorMeta\",\"title\":\"jQuery Library Loading for Site\"},\"destination\":{},\"event\":\"null\",\"flowIdCount\":145.0,\"interesting\":true,\"secflow\":{\"dateCreated\":\"09/02/2022 02:34:15\",\"destinationBytes\":\"26173\",\"destinationData\":\"code.jquery.com:443\",\"destinationNameSource\":\"passive\",\"destinationPackets\":\"22\",\"duration\":\"35.529676\",\"flowCategory\":\"someDataDownloadedViaLongSession\",\"flowId\":\"{secflow_flowid}\",\"id\":\"{sampleowner_userid}#hash#{sample_id}\",\"protocolInformation\":\"\",\"relativeStart\":\"2.979112\",\"sampleId\":\"{sample_id}\",\"sk\":\"00000002.979112\",\"sourceBytes\":\"1143\",\"sourceData\":\"10.10.220.5:51746\",\"sourcePackets\":\"14\",\"uuid\":\"{individual_flowid}\"}}],\"subcluster\":0.0}],\"destination\":\"code.jquery.com\"},{\"activity_groups\":[{\"associated_cluster\":17.0,\"confidence\":\"High\",\"destination_and_port\":\"cdnjs.cloudflare.com:443\",\"first_seen_in_this_group\":3.333553,\"has_known_metadata\":true,\"last_seen_in_this_group\":38.508932,\"overlapping_activities\":[{\"behavior\":{\"createdBy\":\"{creator_userid}\",\"dateCreated\":\"29/10/2021 09:06:03\",\"description\":\"This Behavior indicates that at least one of the most common open-source libraries (on which the Internet is largely built) is loading.\",\"id\":\"{secflow_id}\",\"sk\":\"behaviorMeta\",\"title\":\"CDNJS Open-Source Library Loading for Site\"},\"destination\":{\"createdBy\":\"{creator_userid}\",\"dateCreated\":\"04/10/2021 04:51:49\",\"description\":\"This Destination serves many of the most common open-source libraries on which the Internet is largely built. 
The site stays up to date with the content served via the CDNJS project.\",\"id\":\"{destination_id}\",\"sk\":\"destinationMeta\",\"title\":\"Cloudflare Site Hosting CDNJS Open-Source Libraries\"},\"event\":\"null\",\"flowIdCount\":1.0,\"interesting\":true,\"secflow\":{\"dateCreated\":\"09/02/2022 02:34:15\",\"destinationBytes\":\"9020\",\"destinationData\":\"cdnjs.cloudflare.com:443\",\"destinationNameSource\":\"passive\",\"destinationPackets\":\"16\",\"duration\":\"35.175379\",\"flowCategory\":\"minorDataDownloadedViaLongSession\",\"flowId\":\"{secflow_flowid}\",\"id\":\"{sampleowner_userid}#hash#{sample_id}\",\"protocolInformation\":\"\",\"relativeStart\":\"3.333553\",\"sampleId\":\"{sample_id}\",\"sk\":\"00000003.333553\",\"sourceBytes\":\"1161\",\"sourceData\":\"10.10.220.5:51747\",\"sourcePackets\":\"13\",\"uuid\":\"{individual_flowid}\"}}],\"subcluster\":0.0}],\"destination\":\"cdnjs.cloudflare.com\"},{\"activity_groups\":[{\"associated_cluster\":17.0,\"confidence\":\"High\",\"destination_and_port\":\"clientservices.googleapis.com:443\",\"first_seen_in_this_group\":0.215571,\"has_known_metadata\":true,\"last_seen_in_this_group\":38.528276999999996,\"overlapping_activities\":[{\"behavior\":{},\"destination\":{\"createdBy\":\"{creator_userid}\",\"dateCreated\":\"07/10/2021 02:10:49\",\"description\":\"This Destination is used by Google (especially in Chrome-based browsers) to track metrics about a system\\u0027s connection (such as latency and crash reports), as well as to keep track of what kinds of backend experiments are happening in the browser. 
You\\u0027ll see this when Chrome is first launched (and possibly other times when Chrome is launched), in addition to metrics.\",\"id\":\"{destination_id}\",\"sk\":\"destinationMeta\",\"title\":\"Google\\u0027s Metrics and Experiments Site\"},\"event\":\"null\",\"flowIdCount\":190.0,\"interesting\":true,\"secflow\":{\"dateCreated\":\"09/02/2022 02:34:15\",\"destinationBytes\":\"2641\",\"destinationData\":\"clientservices.googleapis.com:443\",\"destinationNameSource\":\"passive\",\"destinationPackets\":\"12\",\"duration\":\"38.312706\",\"flowCategory\":\"minorDataDownloadedViaLongSession\",\"flowId\":\"{secflow_flowid}\",\"id\":\"{sampleowner_userid}#hash#{sample_id}\",\"protocolInformation\":\"\",\"relativeStart\":\"0.215571\",\"sampleId\":\"{sample_id}\",\"sk\":\"00000000.215571\",\"sourceBytes\":\"1040\",\"sourceData\":\"10.10.220.5:51733\",\"sourcePackets\":\"12\",\"uuid\":\"{individual_flowid}\"}}],\"subcluster\":0.0}],\"destination\":\"clientservices.googleapis.com\"}],\"Impact\":[{\"activity_groups\":[{\"associated_cluster\":17.0,\"confidence\":\"Medium-High\",\"description\":\"We have High confidence that this site is exhibiting Malicious Activity in this sample. A C2-like channel exists and has sent at least 1KB, which is an amount great enough to arouse suspicion. There are at least 2 sessions to this destination.  However, our Internet search results (which we\\u0027ve interpreted as identifying the site as a Potentially Malicious Generic Malicious Site with confidence of 10/10) don\\u0027t generally agree. We believe this to be true because this site is likely not something that an end user would be looking for, which skews our analysis towards believing that it may be a problem. No results when searched, which is highly suspicious. 
\\n\",\"destination_and_port\":\"bosszblinks.com:443\",\"first_seen_in_this_group\":19.160644,\"has_known_metadata\":false,\"last_seen_in_this_group\":38.543839000000006,\"overlapping_activities\":[{\"behavior\":{},\"destination\":{},\"event\":\"null\",\"flowIdCount\":4.0,\"interesting\":true,\"secflow\":{\"dateCreated\":\"09/02/2022 02:34:15\",\"destinationBytes\":\"0\",\"destinationData\":\"bosszblinks.com:443\",\"destinationNameSource\":\"passive\",\"destinationPackets\":\"3\",\"duration\":\"19.383195\",\"flowCategory\":\"asNeededChannel\",\"flowId\":\"{secflow_flowid}\",\"id\":\"{sampleowner_userid}#hash#{sample_id}\",\"protocolInformation\":\"\",\"relativeStart\":\"19.160644\",\"sampleId\":\"{sample_id}\",\"sk\":\"00000019.160644\",\"sourceBytes\":\"517\",\"sourceData\":\"10.10.220.5:51753\",\"sourcePackets\":\"4\",\"uuid\":\"{individual_flowid}\"}},{\"behavior\":{},\"destination\":{},\"event\":\"null\",\"flowIdCount\":4.0,\"interesting\":true,\"secflow\":{\"dateCreated\":\"09/02/2022 02:34:15\",\"destinationBytes\":\"0\",\"destinationData\":\"bosszblinks.com:443\",\"destinationNameSource\":\"passive\",\"destinationPackets\":\"3\",\"duration\":\"10.501207\",\"flowCategory\":\"asNeededChannel\",\"flowId\":\"{secflow_flowid}\",\"id\":\"{sampleowner_userid}#hash#{sample_id}\",\"protocolInformation\":\"\",\"relativeStart\":\"28.042615\",\"sampleId\":\"{sample_id}\",\"sk\":\"00000028.042615\",\"sourceBytes\":\"517\",\"sourceData\":\"10.10.220.5:51754\",\"sourcePackets\":\"4\",\"uuid\":\"{individual_flowid}\"}}],\"subcluster\":-1.0}],\"destination\":\"bosszblinks.com\"}],\"Malicious Activity\":[{\"activity_groups\":[{\"associated_cluster\":17.0,\"confidence\":\"High\",\"description\":\"We have Medium-High confidence that this site is exhibiting Malicious Activity in this sample. Activity to this site occurs in a brief period of this sample where we believe a new website or page is being loaded. 
Moreover, the traffic from this site leads us to believe that it was the site that was actually loaded (for example, through a link click). This could be more interesting. There are at least 2 sessions to this destination. Based on the activity in this sample, it looks as though this site also has a form loading. This could be a form asking for credentials, for address and payment information, or for some other data that the user is expected to input. This site was active for a relatively long period of time. This could mean that someone was browsing the site, or it may indicate a connection that is continuously loading something in the background.  In addition, Internet search results mostly agree. Only 1 results, which is an extremely low number. This either indicates that the site is wildly unpopular (and therefore probably uninteresting) or it is a potentially unknown security threat. The results that most strongly indicated that this was a security threat have the following title snippets:\\n\\t1. 
https://allencommercialinteriors.company.site/ | ANY.RUN - Free ...\\nThe first result that suggests this may be a threat is actually the first and only search result, which is highly interesting.\\n\",\"destination_and_port\":\"eminent-difficult-juice.glitch.me:443\",\"first_seen_in_this_group\":1.632533,\"has_known_metadata\":false,\"last_seen_in_this_group\":38.502316,\"overlapping_activities\":[{\"behavior\":{},\"destination\":{},\"event\":\"null\",\"flowIdCount\":4.0,\"interesting\":true,\"secflow\":{\"dateCreated\":\"09/02/2022 02:34:15\",\"destinationBytes\":\"1964\",\"destinationData\":\"eminent-difficult-juice.glitch.me:443\",\"destinationNameSource\":\"passive\",\"destinationPackets\":\"5\",\"duration\":\"0.182506\",\"flowCategory\":\"minorResourcesDownloadedQuickly\",\"flowId\":\"{secflow_flowid}\",\"id\":\"{sampleowner_userid}#hash#{sample_id}\",\"protocolInformation\":\"\",\"relativeStart\":\"1.632533\",\"sampleId\":\"{sample_id}\",\"sk\":\"00000001.632533\",\"sourceBytes\":\"597\",\"sourceData\":\"10.10.220.5:51736\",\"sourcePackets\":\"7\",\"uuid\":\"{individual_flowid}\"}},{\"behavior\":{},\"destination\":{},\"event\":\"null\",\"flowIdCount\":4.0,\"interesting\":true,\"secflow\":{\"dateCreated\":\"09/02/2022 02:34:15\",\"destinationBytes\":\"155101\",\"destinationData\":\"eminent-difficult-juice.glitch.me:443\",\"destinationNameSource\":\"passive\",\"destinationPackets\":\"45\",\"duration\":\"36.868656\",\"flowCategory\":\"someDataDownloadedViaLongSession\",\"flowId\":\"{secflow_flowid}\",\"id\":\"{sampleowner_userid}#hash#{sample_id}\",\"protocolInformation\":\"\",\"relativeStart\":\"1.63366\",\"sampleId\":\"{sample_id}\",\"sk\":\"00000001.633660\",\"sourceBytes\":\"1415\",\"sourceData\":\"10.10.220.5:51737\",\"sourcePackets\":\"27\",\"uuid\":\"{individual_flowid}\"}}],\"subcluster\":0.0}],\"destination\":\"eminent-difficult-juice.glitch.me\"},{\"activity_groups\":[{\"associated_cluster\":17.0,\"confidence\":\"Medium\",\"description\":\"Despite our 
Internet search results seemingly indicating that this site is malicious, we\\u0027re unsure of its purpose.  Here is more information for you to review. The activity in this sample indicates the following. A C2-like channel exists and has sent at least 1KB, which is an amount great enough to arouse suspicion.  Our Internet search results say the following. Only 9 results, which is an extremely low number. This either indicates that the site is wildly unpopular (and therefore probably uninteresting) or it is a potentially unknown security threat. The results that most strongly indicated that this was a security threat have the following title snippets:\\n\\t1. Automated Malware Analysis Executive Report for ...\\n\\t2. LokiBot Trojan Malware Analysis, Overview by ANY.RUN\\n\\t3. Free Automated Malware Analysis Service - powered by Falcon ...\\n\\t4. https://allencommercialinteriors.company.site/ | ANY.RUN - Free ...\\n\\t5. threat intelligence tools and malware analysis online - VxCube\\nA snippet of the results that seem to suggest that this site is actually associated with a business (potentially a local business, which would most likely make the site uninteresting) are:\\n\\t1. 
Home\\n\",\"destination_and_port\":\"shopget24.com:443\",\"first_seen_in_this_group\":3.342673,\"has_known_metadata\":false,\"last_seen_in_this_group\":38.509249999999994,\"overlapping_activities\":[{\"behavior\":{},\"destination\":{},\"event\":\"null\",\"flowIdCount\":4.0,\"interesting\":true,\"secflow\":{\"dateCreated\":\"09/02/2022 02:34:15\",\"destinationBytes\":\"2136\",\"destinationData\":\"shopget24.com:443\",\"destinationNameSource\":\"passive\",\"destinationPackets\":\"12\",\"duration\":\"35.166577\",\"flowCategory\":\"asNeededChannel\",\"flowId\":\"{secflow_flowid}\",\"id\":\"{sampleowner_userid}#hash#{sample_id}\",\"protocolInformation\":\"\",\"relativeStart\":\"3.342673\",\"sampleId\":\"{sample_id}\",\"sk\":\"00000003.342673\",\"sourceBytes\":\"1155\",\"sourceData\":\"10.10.220.5:51748\",\"sourcePackets\":\"10\",\"uuid\":\"{individual_flowid}\"}}],\"subcluster\":0.0}],\"destination\":\"shopget24.com\"}],\"Suspicious Activity\":[]}"
  }
}

Example response -- Failed

{
  "error": false,
  "body": {
    "status": "failed",
    "message": "Something went wrong...try generating the categorization again"
  }
}

Secflows

A secflow is a record that contains all the fields needed by NetworkSage to identify and label some network traffic with our proprietary flow labels. This is the least-specific activity type within the system.

Get secflow details

Provides details about a particular secflow.

GET
/sec/v1.0/secflows/{secflow_id}

Example request

$ curl --location --request GET 'https://api.seclarity.io/sec/v1.0/secflows/{secflow_id}' \
--header 'apikey: {apikey}'

Example response

{
  "error": false,
  "body":
    [
      {
        "dateCreated": "05/04/2022 10:13:28",
        "destinationBytes": "592453",
        "destinationData": "cardenascontractingroofingandsolar.com:443",
        "destinationNameSource": "passive",
        "destinationPackets": "244",
        "duration": "7.12889",
        "flowCategory": "someContentDownloaded",
        "flowId": "{secflow_id}",
        "relativeStart": "0.385611",
        "sampleId": "{sample_id}",
        "sk": "00000000.385611",
        "sourceBytes": "9221",
        "sourceData": "10.0.2.15:51172",
        "sourcePackets": "229",
        "uuid": "{individual_flowid}",
        "pii": false
      }
    ]
}

Get global commonality of secflow

Provides the number of global samples a given secflow has been observed in. This makes it easy to see how common a particular kind of activity (such as a largeUpload) to a particular Destination (such as www.mybadsite[.]tld:443) is globally.

GET
/sec/v1.0/secflows/{secflow_id}/count

Example request

$ curl --location --request GET 'https://api.seclarity.io/sec/v1.0/secflows/{secflow_id}/count' \
--header 'apikey: {apikey}'

Example response

{
  "error": false,
  "body": 3
}
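The two secflow calls above return string-typed counters inside the same `{"error": ..., "body": ...}` envelope used everywhere on this page, and a failed categorization (see the "Example response -- Failed" block earlier) is reported with `error` still `false` and a body whose `status` is `"failed"`. The following helpers are an added example and not NetworkSage's own client code: they classify the envelope, convert a secflow record to numbers, and map the `/count` body to a coarse rarity label. The rarity thresholds and the sample responses are constructed for this example; `fetch_json` is shown for completeness and is not exercised offline.

```python
"""Client-side helpers for the NetworkSage secflow endpoints (added example)."""
import json
import urllib.request

API_BASE = "https://api.seclarity.io"


class NetworkSageError(Exception):
    """Raised when the API reports an error or a failed processing status."""


def fetch_json(path, api_key, timeout=30):
    """GET an API path with the documented apikey header; returns decoded JSON."""
    req = urllib.request.Request(API_BASE + path, headers={"apikey": api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def response_status(response):
    """Classify an envelope as "error", "failed" or "ok".

    A failed run arrives with error == false, so the status inside the body
    must be checked as well; checking only the error flag would miss it.
    """
    if response.get("error"):
        return "error"
    body = response.get("body")
    if isinstance(body, dict) and body.get("status") == "failed":
        return "failed"
    return "ok"


def unwrap_body(response):
    """Return the body, raising NetworkSageError on either failure shape."""
    status = response_status(response)
    if status == "error":
        raise NetworkSageError(str(response.get("body")))
    if status == "failed":
        raise NetworkSageError(response["body"].get("message", "processing failed"))
    return response.get("body")


_INT_FIELDS = ("destinationBytes", "destinationPackets", "sourceBytes", "sourcePackets")
_FLOAT_FIELDS = ("duration", "relativeStart")


def parse_secflow(record):
    """Convert a secflow's string counters to numbers and add derived values.

    upload_ratio is the share of bytes sent by the local host; a value near 1
    on a long flow is the shape of an upload rather than a download.
    """
    flow = dict(record)
    for key in _INT_FIELDS:
        flow[key] = int(flow[key])
    for key in _FLOAT_FIELDS:
        flow[key] = float(flow[key])
    total = flow["sourceBytes"] + flow["destinationBytes"]
    flow["upload_ratio"] = flow["sourceBytes"] / total if total else 0.0
    flow["bytes_per_second"] = total / flow["duration"] if flow["duration"] > 0 else 0.0
    return flow


def rarity_label(global_count):
    """Map the /count body (number of global samples) to a label.

    Thresholds are constructed for this example, not NetworkSage's own.
    """
    if global_count < 5:
        return "rare"
    if global_count < 50:
        return "uncommon"
    return "common"


# Constructed sample responses mirroring the documented examples.
SECFLOW_RESPONSE = {"error": False, "body": [{
    "dateCreated": "05/04/2022 10:13:28", "destinationBytes": "592453",
    "destinationData": "cardenascontractingroofingandsolar.com:443",
    "destinationNameSource": "passive", "destinationPackets": "244",
    "duration": "7.12889", "flowCategory": "someContentDownloaded",
    "flowId": "{secflow_id}", "relativeStart": "0.385611",
    "sampleId": "{sample_id}", "sk": "00000000.385611", "sourceBytes": "9221",
    "sourceData": "10.0.2.15:51172", "sourcePackets": "229",
    "uuid": "{individual_flowid}", "pii": False}]}
COUNT_RESPONSE = {"error": False, "body": 3}
FAILED_RESPONSE = {"error": False, "body": {"status": "failed",
                   "message": "Something went wrong...try generating the categorization again"}}


def summarize(secflow_response, count_response):
    """Join the two documented calls into one record for a triage table."""
    flow = parse_secflow(unwrap_body(secflow_response)[0])
    flow["rarity"] = rarity_label(unwrap_body(count_response))
    return flow


if __name__ == "__main__":
    s = summarize(SECFLOW_RESPONSE, COUNT_RESPONSE)
    print(s["destinationData"], s["flowCategory"], s["rarity"],
          f"upload_ratio={s['upload_ratio']:.3f}")
```

In live use, `summarize(fetch_json(f"/sec/v1.0/secflows/{secflow_id}", key), fetch_json(f"/sec/v1.0/secflows/{secflow_id}/count", key))` gives the same record from the API; `response_status` is worth calling on every envelope before trusting its body.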

Destinations

Destination (note the capital D) refers to a destination FQDN and its port (such as mail.google.com:443) that has been enriched with additional metadata, such as title, description, and relevance. This is useful for providing users with some basic information about the purpose of a destination when more specific information about its particular flow categories is not known.

Get Destination metadata

Provides any metadata known about a specified Destination.

GET
/sec/v1.0/destinations/{destination_name:port}

Example request

$ curl --location --request GET 'https://api.seclarity.io/sec/v1.0/destinations/{destination_name:port}' \
--header 'apikey: {apikey}'

Example response

{
  "error": false,
  "body":
  {
    "activityPurposeTags": "",
    "associatedAppOrServiceTags": "",
    "attackVectorTags": "",
    "destinationTags": "['FileSharingPlatform', 'CloudHostingPlatform']",
    "impactsTags": "",
    "platformHintTags": "",
    "securityTags": "",
    "threatTags": "",
    "dateCreated": "16/02/2022 07:20:58",
    "createdBy": "{creator_userid}",
    "sk": "destinationMeta",
    "description": "This Destination is one of the root domains where Replit, Inc. hosts users\u0027 websites, and/or web apps. Seeing this Destination may mean that a dynamically-hosted web app is open in a user\u0027s browser. Be on the lookout for download or C2 activity to any uncommon sites hosted on top of this, especially if this activity is unexpected in your environment.",
    "id": "{destination_id}",
    "title": "Replit\u0027s Web App Hosting Site",
    "relevance": ""
  }
}

Behaviors

Behavior refers to a secflow that has been enriched with additional metadata, such as what the behavior is, what it means, and its relevance. This is useful for describing certain kinds of behavior known to be associated with this secflow.

Get Behavior metadata

Provides any metadata known about a specified Behavior.

GET
/sec/v1.0/behaviors/{secflow_id}

Example request

$ curl --location --request GET 'https://api.seclarity.io/sec/v1.0/behaviors/{secflow_id}' \
--header 'apikey: {apikey}'

Example response

{
  "error": false,
  "body":
  {
    "activityPurposeTags": "",
    "associatedAppOrServiceTags": "",
    "attackVectorTags": "",
    "destinationTags": "",
    "impactsTags": "",
    "platformHintTags": "",
    "securityTags": "",
    "threatTags": "",
    "dateCreated": "20/09/2021 12:32:34",
    "createdBy": "{creator_userid}",
    "sk": "behaviorMeta",
    "description": "This itself isn\u0027t incredibly interesting, but when it occurs nearby another Behavior it indicates that the Chrome browser was started.",
    "id": "{secflow_id}",
    "title": "Google Account Loading",
    "relevance": "knownUninteresting"
  }
}

Events

Event refers to a metadata-enriched group of two to five Behaviors that have occurred in order and whose relative start times are separated by no more than a specified time period. This is useful for describing more complex activity -- such as user behavior -- that spans more than one Behavior.

Get Event metadata

Provides any metadata known about a specified Event.

GET
/sec/v1.0/events/{event_id}

Example request

$ curl --location --request GET 'https://api.seclarity.io/sec/v1.0/events/{event_id}' \
--header 'apikey: {apikey}'

Example response

{
  "error": false,
  "body":
  {
    "activityPurposeTags": "['Redirect']",
    "associatedAppOrServiceTags": "",
    "attackVectorTags": "['Redirect']",
    "destinationTags": "['URLShortener']",
    "impactsTags": "",
    "platformHintTags": "",
    "securityTags": "",
    "threatTags": "",
    "dateCreated": "18/11/2021 12:27:08",
    "createdBy": "{creator_userid}",
    "sk": "eventMeta",
    "description": "This Event appears when a user has clicked on a Cutt.ly URL. Be on the lookout for suspicious, malicious, or impact-causing activity following this Event.",
    "id": "{event_id}",
    "title": "Cutt.ly URL Shortener -- Link Clicked",
    "relevance": "seenNearBad",
    "maximumThreshold": "0.5"
  }
}
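The Destination, Behavior and Event responses above share one shape: an `sk` that names the kind of record, eight `*Tags` fields carried as strings holding a Python-style list literal (or `""` when empty), a `relevance` string, and, for Events only, a `maximumThreshold` carried as a string. The code below is an added example, not NetworkSage's own code, that normalizes all three into one record and parses the tag strings with `ast.literal_eval` rather than `eval`, so a malformed or hostile tag value cannot execute anything. The relevance ordering used for triage and the shortened sample bodies are constructed for this example.

```python
"""Normalize NetworkSage Destination, Behavior and Event metadata (added example)."""
import ast

TAG_FIELDS = (
    "activityPurposeTags", "associatedAppOrServiceTags", "attackVectorTags",
    "destinationTags", "impactsTags", "platformHintTags", "securityTags",
    "threatTags",
)
KIND_BY_SK = {"destinationMeta": "destination", "behaviorMeta": "behavior",
              "eventMeta": "event"}
# Constructed ordering: surface seenNearBad first, unlabelled next,
# knownUninteresting last. Unknown relevance values sort with the unlabelled.
RELEVANCE_ORDER = {"seenNearBad": 0, "": 1, "knownUninteresting": 2}


def parse_tags(value):
    """Turn "['A', 'B']" into ["A", "B"] without eval().

    ast.literal_eval accepts only literals, so the value cannot run code;
    anything that is not a list of strings is rejected instead of accepted.
    """
    if value is None or value == "":
        return []
    if isinstance(value, list):
        parsed = value
    else:
        try:
            parsed = ast.literal_eval(value)
        except (ValueError, SyntaxError):
            raise ValueError(f"malformed tag string: {value!r}")
    if not isinstance(parsed, list) or not all(isinstance(t, str) for t in parsed):
        raise ValueError(f"tag field is not a list of strings: {value!r}")
    return parsed


def normalize_metadata(body):
    """Return one flat record for a Destination, Behavior or Event body."""
    kind = KIND_BY_SK.get(body.get("sk"))
    if kind is None:
        raise ValueError(f"unknown metadata kind: {body.get('sk')!r}")
    record = {
        "kind": kind,
        "id": body.get("id"),
        "title": body.get("title", ""),
        "description": body.get("description", ""),
        "relevance": body.get("relevance", ""),
        "tags": {name: parse_tags(body.get(name, "")) for name in TAG_FIELDS},
    }
    if kind == "event":
        # Events carry the maximum spacing between their Behaviors as a string.
        record["maximumThreshold"] = float(body["maximumThreshold"])
    return record


def all_tags(record):
    """Flatten every tag category into one sorted, de-duplicated list."""
    return sorted({t for tags in record["tags"].values() for t in tags})


def triage_order(records):
    """Sort normalized records so the ones worth a look come first."""
    return sorted(records,
                  key=lambda r: (RELEVANCE_ORDER.get(r["relevance"], 1), r["title"]))


# Constructed bodies mirroring the documented examples (descriptions omitted).
DESTINATION_BODY = {
    "sk": "destinationMeta", "id": "{destination_id}",
    "title": "Replit's Web App Hosting Site", "relevance": "",
    "destinationTags": "['FileSharingPlatform', 'CloudHostingPlatform']"}
BEHAVIOR_BODY = {
    "sk": "behaviorMeta", "id": "{secflow_id}",
    "title": "Google Account Loading", "relevance": "knownUninteresting"}
EVENT_BODY = {
    "sk": "eventMeta", "id": "{event_id}",
    "title": "Cutt.ly URL Shortener -- Link Clicked", "relevance": "seenNearBad",
    "activityPurposeTags": "['Redirect']", "attackVectorTags": "['Redirect']",
    "destinationTags": "['URLShortener']", "maximumThreshold": "0.5"}


def demo():
    """Normalize the three sample bodies and return them in triage order."""
    records = [normalize_metadata(b) for b in (DESTINATION_BODY, BEHAVIOR_BODY, EVENT_BODY)]
    return [(r["kind"], r["title"], r["relevance"]) for r in triage_order(records)]


if __name__ == "__main__":
    for row in demo():
        print(*row)
```

The same `normalize_metadata` accepts the body of any of the three GET calls in this section, which makes it a convenient single point to add enrichment lookups or to log an unexpected `sk` value.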