In response to lots of great feedback on the ThreatExchange UI, we're proud to announce the following updates:
Thanks for the great feedback, and please keep hitting the bugnub at the upper-right-hand corner of the UI and let us know how we can improve ThreatExchange!
A new parameter in Threatexchange, 'sort_by', allows you to choose whether to sort search results by RELEVANCE or by CREATE_TIME. When sorting by RELEVANCE, your query will return results sorted by similarity against your text query.
There were a large number of changes made in Platform version 2.4. You may continue to use Platform version 2.3, without those changes, until 8 Dec 2015. On that day support for version 2.3 will be disabled.
The most important change in version 2.4 was was the introduction of the descriptor model. On version 2.3 and below, all data was stored on the indicator. Beginning with version 2.4, we split information into objective and subjective categories. Objective information is data which everybody can see and agree upon. It may change over time, but everybody sees the same data. For example, the WHOIS registration for a domain name is objective. Subjective information represents somebody's opinion on the data. Different people may have different opinions. For example, the status of a domain as being MALICIOUS or NON_MALICIOUS.
Objective information will remain stored on indicators. For the most part, Facebook will be the only party updating objective information. Subjective information is now stored on a new structure called a descriptor. We have added API calls to create, edit, and search for descriptors. Each AppID may have one descriptor per indicator. Each descriptor has an edge connecting it to a threat indicator. Each indicator has edges to one or more descriptors.
We currently do not support connections between descriptors. Connections between indicators will remain the only way to associate threat information for the time being.