Graph API Version

Change Log

Changes as of February 13th, 2017

New Features

  • You can now react to data you consume in ThreatExchange. Descriptors can be marked as 'HELPFUL', 'NOT_HELPFUL', 'OUTDATED', 'SAW_THIS_TOO', and 'WANT MORE INFO' by anyone who can see them.
  • A new edge, /similar_malware, can now be used to identify malware samples we believe are related.
  • We've also rolled out additional Webhooks support for ThreatIndicators and ThreatTags, so your servers can be notified in real-time when new threat intel is available.


  • Our 'strict_text' search parameter now limits search result to exactly the search term you have submitted. For example, before this change, if you did a search for threat indicators with strict text enabled for '', you would get a lot of results, including things like “http://google[.]com/fusiontables” and ”[.]net/DE/1/?subid=1485323323mb29920939890”. The new search will return results for only, i.e. ID 826838047363868. When searching for threat descriptors, you can still use other parameters to limit the search results (e.g. owner or status). If you want to find , you have to search for that separately. A strict text search for will not return

Changes in API Version 2.8 (Oct 5th 2016)

New Features


  • AttackType and ThreatType are being deprecated in favor of ThreatTags. If you publish or read threat data using these fields, you will need to change your code to use ThreatTags instead. Starting December 5th 2016 these fields will no longer be accessible on all versions of the Graph API. To ease the transition, during the interim you'll be able to continue the use of these types on previous versions of the Graph API, alongside tags. We are also making the existing threat_type or attack_type data values available through tags. More specifically, if existing or new threat data has value to these types, the object will automatically be tagged with the equivalent string value. By the end of this period, you'll need to fully transition to use tags instead of threat_type or attack_type.

Changes in API Version 2.4

There were a large number of changes made in Platform version 2.4. You may continue to use Platform version 2.3, without those changes, until 8 Dec 2015. On that day support for version 2.3 will be disabled.

The most important change in version 2.4 was was the introduction of the descriptor model. On version 2.3 and below, all data was stored on the indicator. Beginning with version 2.4, we split information into objective and subjective categories. Objective information is data which everybody can see and agree upon. It may change over time, but everybody sees the same data. For example, the WHOIS registration for a domain name is objective. Subjective information represents somebody's opinion on the data. Different people may have different opinions. For example, the status of a domain as being MALICIOUS or NON_MALICIOUS.

Objective information will remain stored on indicators. For the most part, Facebook will be the only party updating objective information. Subjective information is now stored on a new structure called a descriptor. We have added API calls to create, edit, and search for descriptors. Each AppID may have one descriptor per indicator. Each descriptor has an edge connecting it to a threat indicator. Each indicator has edges to one or more descriptors.

We currently do not support connections between descriptors. Connections between indicators will remain the only way to associate threat information for the time being.