ThreatExchange
Graph API Version

ThreatIndicator

An indicator of compromise.

Fields

Parameter Description Type

id

Unique identifier of the threat indicator. Automatically assigned at create time, and non-editable.

number

indicator

The value of the indicator. Non-editable after initial creation of the indicator.

string

type

The type of indicator. Non-editable after initial creation of the indicator.

List of IndicatorType

Sample Usage

Example query for a specific indicator: 788497497903212:

https://graph.facebook.com/v2.7/788497497903212/?access_token=555|aSdF123GhK

Data returned:

{
   "indicator": "facebook.com",
   "type": "DOMAIN",
   "id": "788497497903212"
}

Connections

Name Description Type

descriptors

Subjective opinions about the indicator

ThreatDescriptor

malware_analyses

Malware analyses linked to the indicator

Malware

related

Other threat indicators that have been associated

ThreatIndicator

Sample Usage

Example query for malware analyses related to a specific indicator: 768629009848617

https://graph.facebook.com/v2.7/768629009848617/malware_analyses/?access_token=555|aSdF123GhK

Data returned:

{
  "data": [
    {
      "added_on": "2014-06-05T19:52:11+0000",
      "md5": "7914a485bdc6df7103e7cae379f7a152",
      "sha1": "fd1b83fc4c1f5b5a68ddfdec8ba97d59d78e6065",
      "sha256": "ab402de2c79ad620a84cf651d7cf4f8287acf8564a8c551e5b39bb82813abbc6",
      "status": "MALICIOUS",
      "victim_count": 0,
      "id": "673692009351404"
    },
    ...
  ]
}

Example query for descriptors related to a specific indicator: 852121234856016

https://graph.facebook.com/v2.7/852121234856016/descriptors/?access_token=555|aSdF123GhK

Data returned:

 {
   "data": [
  {
    "id": "811927545529339",
    "indicator": {
      "indicator": "test1434227164.evilevillabs.com",
      "type": "DOMAIN",
      "id": "852121234856016"
    },
    "owner": {
      "id": "588498724619612",
      "name": "Facebook CERT ThreatExchange"
    },
    "type": "DOMAIN",
    "raw_indicator": "test1434227164.evilevillabs.com",
    "description": "This is our test domain. It's harmless",
    "status": "NON_MALICIOUS"
  },
  {
    "id": "799906626794304",
    "indicator": {
      "indicator": "test1434227164.evilevillabs.com",
      "type": "DOMAIN",
      "id": "852121234856016"
    },
    "owner": {
      "id": "682796275165036",
      "name": "Facebook Site Integrity ThreatExchange"
    },
    "type": "DOMAIN",
    "raw_indicator": "test1434227164.evilevillabs.com",
    "description": "Malware command and control",
    "status": "MALICIOUS"
  }
],
"paging": {
  "cursors": {
    "before": "ODExOTI3NTQ1NTI5MzM5",
    "after": "Nzk5OTA2NjI2Nzk0MzA0"
  }
}