Schema for the rl-uri report format

The Spectra Assure platform supports a special format for analysis reports called rl-uri. This format provides detailed information on all URIs (networking strings) detected in the software package version during analysis. It can be downloaded from the Networking page in the Portal UI.

To generate reports in the rl-uri format:

  • with rl-secure CLI, use the rl-secure report command
  • with the Spectra Assure Portal API, use the "Export analysis report" endpoint

Difference between Networking page and rl-uri file

Due to the removal of sensitive URIs, the number of rows on the Networking page in the Portal UI will not correspond to the number of rows in the exported rl-uri file.

This page describes the full schema of the rl-uri report format.

How to read the schema?

The schema contents are displayed as a schema model and described in alphabetical order.

The full rl-uri report example is displayed below the schema.

rl-uri report schema

classification
required
string
Enum: "goodware" "malicious" "suspicious" "unknown"

Threat detection status of the detected URI. Any URI classified as a threat will have the classification status set to either malicious or suspicious.

encoded-uri
required
string

The URI string converted into a valid format by using URL encoding to ensure that it does not contain any special characters.

hostname
required
string

Part of the URI string that indicates the domain name or the IP address of the server.

scheme
required
string

The identifier that precedes the colon in a URI. It tells the user what type of protocol is used to access the URI contents. Supported values include all commonly used URI schemes.

threat-name
required
string

The name of a threat constructed from the format name. Follows the ReversingLabs malware naming standard.

uri-occurrence
required
integer

Indicates how many instances of this URI have been detected in the software package version.

uri-tags
required
Array of strings

A pipe-separated list of brief descriptions of URI properties generated by the Spectra Assure engine during analysis. If the tag uri-credentials is present, the credentials will not be included in the rl-uri report.

{
  "classification": "goodware",
  "encoded-uri": "string",
  "hostname": "string",
  "scheme": "string",
  "threat-name": "string",
  "uri-occurrence": 0,
  "uri-tags": []
}

rl-uri report example

| classification | threat-name                 | scheme | hostname       | encoded-uri                                                                     | uri-occurrence | uri-tags                            |
|----------------|-----------------------------|--------|----------------|---------------------------------------------------------------------------------|----------------|-------------------------------------|
| unknown | | https | aka.ms | https://aka.ms/windowsappsdk/1.5/1.5.240627000/windowsappruntimeinstall-x86.exe | 1 | uri-interesting-file\|uri-shortened |
| malicious | Win32.Hyperlink.Blacklisted | ftp | 177.198.23.56 | ftp://177.198.23.56/get/malware.exe | 1 | uri-domain-blacklisted |
| suspicious | Email.Hyperlink.Homoglyph | http | g0ogle.com | http://www.g0ogle.com/login | 2 | uri-domain-homoglyph |
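
As an added example (not part of the Spectra Assure documentation or tooling), the following Python code loads an rl-uri export, checks each row against the schema above, and lists the URIs classified as threats. It assumes the export is comma-separated with the column names from the example table; `parse_rl_uri`, `threats` and the `SAMPLE` text are names and data constructed here.

```python
import csv
import io

CLASSIFICATIONS = {"goodware", "malicious", "suspicious", "unknown"}
REQUIRED = ("classification", "threat-name", "scheme", "hostname",
            "encoded-uri", "uri-occurrence", "uri-tags")

# Constructed sample: the three rows of the report example above, written as
# CSV. The comma-separated layout is an assumption, not stated on the page.
SAMPLE = """\
classification,threat-name,scheme,hostname,encoded-uri,uri-occurrence,uri-tags
unknown,,https,aka.ms,https://aka.ms/windowsappsdk/1.5/1.5.240627000/windowsappruntimeinstall-x86.exe,1,uri-interesting-file|uri-shortened
malicious,Win32.Hyperlink.Blacklisted,ftp,177.198.23.56,ftp://177.198.23.56/get/malware.exe,1,uri-domain-blacklisted
suspicious,Email.Hyperlink.Homoglyph,http,g0ogle.com,http://www.g0ogle.com/login,2,uri-domain-homoglyph
"""

def parse_rl_uri(text):
    """Parse rows and validate them against the schema; ValueError on a bad row."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"missing required columns: {missing}")
    rows = []
    for n, raw in enumerate(reader, start=2):  # line 1 is the header
        if raw["classification"] not in CLASSIFICATIONS:
            raise ValueError(f"line {n}: bad classification {raw['classification']!r}")
        try:
            count = int(raw["uri-occurrence"])
        except (TypeError, ValueError):
            raise ValueError(f"line {n}: uri-occurrence is not an integer") from None
        # uri-tags is a pipe-separated list; an empty cell means no tags.
        tags = [t for t in (raw["uri-tags"] or "").split("|") if t]
        rows.append({**raw, "uri-occurrence": count, "uri-tags": tags})
    return rows

def threats(rows):
    """Rows the schema treats as threats, malicious first, then by occurrence."""
    hits = [r for r in rows if r["classification"] in ("malicious", "suspicious")]
    return sorted(hits, key=lambda r: (r["classification"] != "malicious", -r["uri-occurrence"]))

if __name__ == "__main__":
    for r in threats(parse_rl_uri(SAMPLE)):
        print(r["classification"], r["threat-name"], r["hostname"], r["uri-occurrence"], r["uri-tags"])
```

Because sensitive URIs are removed from the export, a row count from this code will not necessarily match the Networking page in the Portal UI.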