You may submit data to the graph via an HTTP POST request to the following URL:
NOTE: The call to /threat_indicators is deprecated as of v2.4 of the ThreatExchange API. If you attempt to access this endpoint in v2.4+, it will create a threat descriptor and the associated threat indicator behind the scenes.
The following submission parameters are available for API use (bold parameters are required). Column names for bulk upload/download in the UI (click here for more information) are also indicated.
API Name | UI Display Name | UI CSV Name | Description |
---|---|---|---|
access_token | Not used for the UI | Not used for the UI | The key for authenticating to the API, in the format your-app-id\|your-app-secret. For example, if our app ID was 555 and our app secret aSdF123GhK, our access_token would be "555\|aSdF123GhK". |
description | Description | td_description | A short summary of the indicator and threat. |
indicator | Raw indicator | td_raw_indicator | The indicator data being submitted. |
type | Indicator type | td_indicator_type | The kind of indicator being described. See IndicatorType for the list of allowed values. |
privacy_type | Visibility | td_visibility | The kind of privacy for the indicator. See PrivacyType for the list of allowed values. |
privacy_members | Whitelist apps, Privacy groups | td_whitelist_apps, td_privacy_groups | A comma-delimited list of ThreatExchangeMembers allowed to see the indicator. It applies only when privacy_type is set to HAS_WHITELIST or HAS_PRIVACY_GROUP. |
share_level | Share level | td_share_level | A designation of how the indicator may be shared based on the US-CERT's Traffic Light Protocol. See ShareLevelType for the list of allowed values. Note: GREEN/WHITE requires VISIBLE, and AMBER/RED requires HAS_WHITELIST or HAS_PRIVACY_GROUP. |
status | Status | td_status | Indicates if the indicator is labeled as malicious. See StatusType for the list of allowed values. |
tags | Subjective tags | td_subjective_tags | A comma-separated list of tags you want to publish. (This will replace any existing tags.) Tags are not strictly required but do note that they are essential for your collaborators to discover data you contribute. |
add_tags | Not used for the UI. | Not used for bulk upload/download in the UI. | Adds tags to an object without overwriting existing tags. |
remove_tags | Not used for the UI. | Not used for bulk upload/download in the UI. | Removes tags associated with an object. |
confidence | Confidence | td_confidence | A score for how likely the indicator's status is accurate, ranging from 0 to 100. |
expired_on | Expire time | td_expire_time | Time the indicator is no longer considered a threat, in ISO 8601 date format. |
first_active | First active | td_first_active | Time when the opinion first became valid. |
last_active | Last active | td_last_active | Time when the opinion stopped being valid. |
review_status | Review status | td_review_status | Describes how the indicator was vetted. See ReviewStatusType for the list of allowed values. |
severity | Severity | td_severity | A rating of how severe the indicator is when found in an incident. See SeverityType for the list of allowed values. |
Example submission of a malicious domain using the UI:
Example bulk upload from CSV/JSON using the UI: click here.
Example submission of a malicious domain using the API:
```
https://graph.facebook.com/v4.0/threat_descriptors?access_token=555|aSdF123GhK

POST DATA:
indicator=evil-domain.biz
&type=DOMAIN
&tags=testingtags
&status=MALICIOUS
&description=This%20domain%20was%20hosting%20malware
&privacy_type=VISIBLE
```
Data returned:
```
{
  "id": "853037291373757",
  "success": true
}
```
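
The parameter table carries cross-field rules (share_level against privacy_type, privacy_members only with a restricted privacy_type, the confidence range, the expired_on format) that are easy to get wrong in a way that publishes a descriptor more widely than intended. The following is an added example of a client-side check run before submission; it is not part of the ThreatExchange documentation or SDK, the names `check_descriptor` and `encode_descriptor` are hypothetical, and authentication and the HTTP call itself are left out.

```python
from datetime import datetime
from urllib.parse import quote, urlencode

# privacy_type values each share_level permits (share_level row of the table).
ALLOWED_PRIVACY = {
    "WHITE": {"VISIBLE"},
    "GREEN": {"VISIBLE"},
    "AMBER": {"HAS_WHITELIST", "HAS_PRIVACY_GROUP"},
    "RED": {"HAS_WHITELIST", "HAS_PRIVACY_GROUP"},
}
RESTRICTED = {"HAS_WHITELIST", "HAS_PRIVACY_GROUP"}

# Sample input: the field values of the page's API example.
SAMPLE = {
    "indicator": "evil-domain.biz", "type": "DOMAIN", "tags": "testingtags",
    "status": "MALICIOUS", "description": "This domain was hosting malware",
    "privacy_type": "VISIBLE",
}

def check_descriptor(fields):
    """Return a list of problems in a submission; an empty list means none found."""
    problems = []
    privacy, level = fields.get("privacy_type"), fields.get("share_level")
    # Only the four levels named on the page are checked; others pass through.
    if level in ALLOWED_PRIVACY and privacy not in ALLOWED_PRIVACY[level]:
        problems.append(f"share_level {level} does not allow privacy_type {privacy}")
    # A member list on a non-restricted descriptor does not restrict anything.
    if fields.get("privacy_members") and privacy not in RESTRICTED:
        problems.append("privacy_members has no effect with this privacy_type")
    if "confidence" in fields:
        try:
            in_range = 0 <= float(fields["confidence"]) <= 100
        except (TypeError, ValueError):
            in_range = False
        if not in_range:
            problems.append("confidence must be from 0 to 100")
    if "expired_on" in fields:
        try:  # accepts the ISO 8601 forms datetime.fromisoformat can parse
            datetime.fromisoformat(fields["expired_on"])
        except (TypeError, ValueError):
            problems.append("expired_on is not parseable as an ISO 8601 date")
    return problems

def encode_descriptor(fields):
    """Validate, then return the form-encoded POST body (spaces as %20)."""
    problems = check_descriptor(fields)
    if problems:
        raise ValueError("; ".join(problems))
    return urlencode(fields, quote_via=quote)
```

`encode_descriptor(SAMPLE)` reproduces the POST data of the example above, while a descriptor marked AMBER with privacy_type VISIBLE is rejected before anything is sent.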