A label which groups Malware, ThreatDescriptor, and/or MalwareFamily objects. Once objects are tagged, you can use tags to narrow your search queries in TE.
Parameter | Description | Type |
---|---|---|
id | Unique identifier of the threat tag | |
text | The text for this tag | |
The text of tags is case insensitive, restricted to letters, numbers, underscores, and colons, and must be UTF-8 friendly. So "שלום" is a valid text, but "#example-tag" is not.
Example query for a specific ThreatTag: 908180082612873
Data returned:
{ "id": "908180082612873", "text": "evilevil" }
Example of searching for a tag by text 'evilevil'. Note that partial tag search is supported.
https://graph.facebook.com/v2.7/threat_tags/?access_token=555|aSdF123GhK&text=evilevil
Data returned:
{ "data": [ { "id": "908180082612873", "text": "evilevil" }, ... ] }
Name | Description | Type |
---|---|---|
tagged_objects | The objects tagged with this text | |
Example of tagged objects for a specific ThreatTag: 908180082612873
https://graph.facebook.com/v2.7/908180082612873/tagged_objects/?access_token=555|aSdF123GhK
Data returned:
{ "data": [ { "id": "1039423046092869", "type": "THREAT_DESCRIPTOR", "name": "test1464195852.evilevillabs.com" }, ... ] }
Example of tagged objects for a ThreatTag with the text 'ducks'
https://graph.facebook.com/v2.7/threat_tags/?access_token=555|aSdF123GhK&text=ducks&fields=id,text,tagged_objects
Data returned:
{ "data": [ { "id": "501159930008561", "text": "ducks", "tagged_objects": { "data": [ { "id": "1162586023812794", "type": "THREAT_DESCRIPTOR", "name": "test1469481750.evilevillabs.com" }, ... ] } } ] }
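The tag-text rule and the `fields=id,text,tagged_objects` query above, as an added Python example (not code from ThreatExchange itself). The regular expression is an assumed encoding of the stated rule, the function names are hypothetical, and `SAMPLE` is a constructed response in the shape shown above.

```python
import re
from urllib.parse import urlencode

GRAPH = "https://graph.facebook.com/v2.7"  # API version used on this page
# Assumed encoding of the stated rule: Unicode letters, digits, "_" and ":".
TAG_RE = re.compile(r"[\w:]+")


def normalize_tag(text):
    """Return the tag text casefolded, or raise ValueError if it breaks the rule."""
    if not TAG_RE.fullmatch(text):
        raise ValueError(f"invalid tag text: {text!r}")
    return text.casefold()  # tag text is case insensitive


def tag_query_url(text, access_token):
    """Build the threat_tags search URL with every parameter percent-encoded."""
    params = {
        "access_token": access_token,
        "text": normalize_tag(text),
        "fields": "id,text,tagged_objects",
    }
    return f"{GRAPH}/threat_tags/?{urlencode(params)}"


def flatten(response):
    """Turn the nested response into (tag text, object id, type, name) rows."""
    rows = []
    for tag in response.get("data", []):
        for obj in tag.get("tagged_objects", {}).get("data", []):
            rows.append((tag["text"], obj["id"], obj["type"], obj["name"]))
    return rows


# Constructed response in the shape shown above (ids and names from the page).
SAMPLE = {"data": [{
    "id": "501159930008561",
    "text": "ducks",
    "tagged_objects": {"data": [{
        "id": "1162586023812794",
        "type": "THREAT_DESCRIPTOR",
        "name": "test1469481750.evilevillabs.com",
    }]},
}]}

if __name__ == "__main__":
    print(tag_query_url("Ducks", "555|aSdF123GhK"))
    print(flatten(SAMPLE))
```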
You can create a ThreatTag on-the-fly while creating a ThreatDescriptor. If the ThreatTag does not exist, a new one will be created and applied to the new ThreatDescriptor.
https://graph.facebook.com/v2.7/threat_descriptors?access_token=555|aSdF123GhK
POST DATA:
tags=cows,bar
&type=DOMAIN
&indicator=test1466722733.evilevillabs.com
&description=this is an example with tags
&privacy_type=VISIBLE
&share_level=GREEN
&status=UNKNOWN
Data returned:
{ "success": true, "id": "1162586023812794" }
To create a ThreatTag without labeling any objects, you can post to the /threat_tags endpoint explicitly:
https://graph.facebook.com/v2.7/threat_tags?access_token=555|aSdF123GhK
POST DATA:
text=superlongtagfortestingcreation
&objects=973966502652751,898684593584287
Data returned:
{ "success": true, "id": "1373232162693002" }
Example of updating a ThreatDescriptor with more tags. If the tag does not exist, a new one will be created and applied to this ThreatDescriptor.
https://graph.facebook.com/v2.7/1162586023812794?access_token=555|aSdF123GhK
POST DATA:
tags=ducks,chicken
Data returned:
{ "success": true }
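Because an unknown tag is created rather than rejected, a misspelled value in `tags=` adds a new tag instead of failing. The following added example (not ThreatExchange code) checks proposed tags against a tag search result before building the `tags=` field; it compares exact text because tag search also returns partial matches. The function names, the regular expression and the `KNOWN` response are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlencode

TAG_RE = re.compile(r"[\w:]+")  # assumed encoding of the page's tag-text rule


def preflight(proposed, search_response):
    """Split proposed tags into (existing, new, rejected).

    `search_response` is the JSON returned by a threat_tags text search. The
    search matches partially, so a hit for "duck" may be the tag "ducks";
    only an exact, case-insensitive match counts as an existing tag.
    """
    known = {t["text"].casefold() for t in search_response.get("data", [])}
    existing, new, rejected = [], [], []
    for raw in proposed:
        tag = raw.strip()  # tolerate stray whitespace around list items
        if not TAG_RE.fullmatch(tag):
            rejected.append(raw)
        elif tag.casefold() in known:
            existing.append(tag.casefold())
        else:
            new.append(tag.casefold())
    return existing, new, rejected


def update_body(existing, new, allow_new=False):
    """Form-encode the tags= POST field; refuse silent tag creation by default."""
    if new and not allow_new:
        raise ValueError(f"would create new tags: {new}")
    return urlencode({"tags": ",".join(existing + new)})


# Constructed search result holding two tags used in this page's examples.
KNOWN = {"data": [{"id": "501159930008561", "text": "ducks"},
                  {"id": "908180082612873", "text": "evilevil"}]}

if __name__ == "__main__":
    found, created, bad = preflight(["Ducks", "duck", "#example-tag"], KNOWN)
    print(found, created, bad)
    print(update_body(found, created, allow_new=True))
```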
Here is a list of the most popular tags categorizing data related to attacks:
Name | Description |
---|---|
| Theft of an OAuth style or similar access token |
| A bogus IP address |
| A bot |
| Repeated attempts to access an authenticated resource |
| Any UI redressing or similar type of attack redirecting a person's clicks |
| The associated party has been compromised |
| A party which stalks another online |
| Associated with drugs |
| Sending of unsolicited email |
| Pornographic or otherwise explicit content |
| A set of tools used to take advantage of vulnerabilities |
| An account associated with no real entity, often used for abuse |
| Associated with financials, perhaps fraud |
| Infringement on the rights of an intellectual property holder |
| A malicious web app |
| A malicious name server |
| A malicious web server |
| The use of online advertising to spread malware |
| A malware-based attack |
| Interserver DNS messages are being captured, recorded, and potentially exfiltrated |
| An attempt to obtain credentials via a deceptive lure |
| Illegal replication of protected property |
| A proxy host |
| A generic type of scam |
| Port scanning to map a network |
| Systematic traversal of a network and recording of data |
| Attack where a person is social engineered into pasting malicious code into their browser's address bar or developer console |
| A person is convinced to share spammy content in exchange for a fictitious product or content |
| An attack conducted by a sophisticated actor and directed at a specific target |
| Associated with terrorist attacks or groups |
| Related to the illegal trade of arms |
| A malicious web app |
Here is a list of the most popular tags categorizing data by type:
Name | Description |
---|---|
| Details on a presumed bad actor (e.g. botherder, spammer) |
| The credential compromised by an attack (must be already publicly accessible) |
| For high-value victim targeting |
| A malicious advertisement |
| An API key which is being abused |
| A malicious post, image, or document |
| A malicious Internet domain |
| A malicious piece of code that is injected into another file, process, or DOM |
| A malicious IP address |
| A malicious IP address range |
| A malicious SSL certificate |
| A specific piece of Malware |
| A victim of Malware |
| An IP address known to be a proxy or VPN |
| Represents some means or pattern for detecting a threat |
| A full web request, optionally with GET query parameters |
| An Internet domain that should be treated as non-malicious |
| An IP address that should be treated as non-malicious |
| A URI that should be treated as non-malicious |