Visit the descriptors-tab page to see more things you can do with threat descriptors within the ThreatExchange UI including searching, bulk download, and more.
Using the Create button you can upload a new descriptor, with tooltips to provide context. Here's an example of submitting a malicious domain using the UI:
Note : If you set a descriptor's privacy to has-whitelist and include no whitelist apps, the owner's app is automatically included. This is a "visible to self" or "storage mode" option.
Both CSV and JSON formats are supported.
Start by selecting the Bulk Upload button:
Select your file:
If you wish to revise your data before committing you can do so:
If there are errors detected before committing you'll be notified, and you can revise them. (Note that not all possible errors are surfaced here.)
Within the revision dialog you can fix the errors and hit OK to continue:
Once you hit the Confirm Upload button, your new descriptors are saved and their IDs are entered into the search bar. At that point, you can further revise them if you like.
The following screen recording shows the revise-before-upload feature in more detail:
You may submit data using the ThreatExchange API via an HTTP POST to the following URL:
NOTE: The call to /threat_indicators is deprecated as of v2.4 of the ThreatExchange API. If you attempt to access this endpoint in v2.4+, it will create a threat descriptor and the associated threat indicator behind the scenes.
Example submission of a malicious domain using the API:
https://graph.facebook.com/v4.0/threat_descriptors?access_token=555|aSdF123GhK POST DATA: indicator=evil-domain.biz &type=DOMAIN &tags=testingtags &status=MALICIOUS &description=This%20domain%20was%20hosting%20malware &privacy_type=VISIBLE
Data returned:
{
"id": "853037291373757",
"success": true
}Bold parameters are required.
| API Name and Example | UI CSV Name and Example | Description |
|---|---|---|
access_token555|aSdF123GhK | Not used for the UI | The key for authenticating to the API, in the format your-app-id|your-app-secretPlease visit the Access Token Toolto find values for your app(s). |
descriptionThis%20domain%20was%20hosting%20malware | td_descriptionThis domain was hosting malware | A short summary of the indicator and threat. |
indicatorevil-domain.biz | td_raw_indicatorevil-domain.biz | The indicator data being submitted. |
typeURI | td_indicator_typeURI | The kind of indicator being described. See IndicatorTypefor the list of allowed values. |
privacy_typeHAS_PRIVACY_GROUP | td_visibilityHAS_PRIVACY_GROUP | The kind of privacy for the indicator. See PrivacyTypefor the list of allowed values. |
privacy_members1064060413755420,494491891138576 | td_whitelist_apps1064060413755420,494491891138576td_privacy_groups438835087026293,468692780520730Or, for compatibility, you can use a column name of td_privacy_membersfor upload if you like. If visibility is HAS_WHITELIST, we will proceed as if your td_privacy_members column were named td_whitelist_apps; if visibility is HAS_PRIVACY_GROUP, we will proceed as if your td_privacy_members column were named td_privacy_groups. See CSV examples and JSON examples below. | A list of ThreatExchangeMembersallowed to see the indicator, and only applies when privacy_typeis set to HAS_WHITELISTor HAS_PRIVACY_GROUP. Delimiters are comma for the API and semicolon for the UI. |
share_levelAMBER | td_share_levelAMBER | A designation of how the indicator may be shared based on the US-CERT's Traffic Light Protocol. See ShareLevelTypefor the list of allowed values. Note: GREEN/WHITE requires VISIBLE, and AMBER/RED requires HAS_WHITELIST or HAS_PRIVACY_GROUP. |
statusMALICIOUS | td_statusMALICIOUS | Indicates if the indicator is labeled as malicious. See StatusTypefor the list of allowed values. |
tagstesting,pwny | td_subjective_tagstesting;pwny | API: a comma-separated list of tags you want to publish.
UI: a semicolon-separated list of tags you want to publish.
This will replace any existing tags. |
add_tagspwny,testing | Not used for the UI | To add tags to an object without overwriting existing tags. |
remove_tagspwny,testing | Not used for the UI | Remove tags associated with an object. |
confidence100 | td_confidence100 | A score for how likely the indicator's statusis accurate, ranging from 0 to 100. |
expired_on | td_expire_time2019-11-07T22:25:00-05:00 | Time the indicator is no longer considered a threat, in ISO 8601 date format. |
first_active | td_first_active2019-11-07T22:25:00-05:00 | Time when the opinion first became valid. |
last_active | td_last_active2019-11-07T22:25:00-05:00 | Time when the opinion stopped being valid. |
review_statusPENDING | td_review_statusPENDING | Describes how the indicator was vetted. See ReviewStatusTypefor the list of allowed values. |
severitySEVERE | td_severitySEVERE | A rating of how severe the indicator is when found in an incident. See SeverityTypefor the list of allowed values. |
When you download as CSV, we put whitelist apps and privacy groups in the format id1:name1;id2:name2. Tags are always text-only, delimited by semicolons:
id 2494923897281868
td_description This is an example descriptor
td_status UNKNOWN
td_confidence 0
td_severity SEVERE
td_share_level AMBER
td_indicator_type URI
td_raw_indicator https://evilevillabs.com/evil.php
td_visibility HAS_WHITELIST
td_creation_time 2019-11-07T22:25:00-05:00
td_update_time 2019-11-07T22:25:01-05:00
td_expire_time
td_owner_id 494491891138576
td_owner_name Media Hash Sharing RF Test
td_subjective_tags testing;pwny
td_whitelist_apps 1064060413755420:Media Hash Sharing Test;494491891138576:Media Hash Sharing RF Test
When upload from CSV, you may specify whitelist apps and privacy groups in the format id1;id2 if you prefer:
td_description This is an example descriptor
td_status UNKNOWN
td_confidence 0
td_severity SEVERE
td_share_level AMBER
td_indicator_type URI
td_raw_indicator https://evilevillabs.com/evil.php
td_visibility HAS_WHITELIST
td_creation_time 2019-11-07T22:25:00-05:00
td_update_time 2019-11-07T22:25:01-05:00
td_expire_time
td_owner_id 494491891138576
td_owner_name Media Hash Sharing RF Test
td_subjective_tags testing;pwny
td_whitelist_apps 1064060413755420;494491891138576
When you download as JSON, we put whitelist app, privacy groups, and tags in nested ID/name pairs:
{
"id": "2699570156799349",
"td_description": "Testing bulk upload",
"td_status": "NON_MALICIOUS",
"td_confidence": 100,
"td_severity": "UNKNOWN",
"td_share_level": "AMBER",
"td_creation_time": 1575824153,
"td_update_time": 1575824154,
"td_expire_time": 0,
"td_indicator_type": "HASH_MD5",
"td_raw_indicator": "e8b19da37825a3056e84c522f05ed0c0",
"td_owner": {
"id": "1064060413755420",
"name": "Media Hash Sharing Test"
},
"td_subjective_tags": [
{
"id": "2055943881194599",
"td_name": "pwny"
},
{
"id": "1977957082312815",
"td_name": "testing"
}
],
"td_visibility": "HAS_WHITELIST",
"td_whitelist_apps": [
{
"id": "1064060413755420",
"name": "Media Hash Sharing Test"
},
{
"id": "494491891138576",
"name": "Media Hash Sharing RF Test"
}
],
"td_privacy_groups": []
}
When you upload from JSON, if you prefer, you can write whitelist apps and privacy groups as simply arrays of IDs, and tags as arrays of text:
{
"td_description": "This is an example descriptor",
"td_status": "UNKNOWN",
"td_confidence": 0,
"td_severity": "SEVERE",
"td_share_level": "AMBER",
"td_creation_time": 1573183500,
"td_update_time": 1573183501,
"td_expire_time": 0,
"td_indicator_type": "URI",
"td_raw_indicator": "https://evilevillabs.com/evil.php",
"td_subjective_tags": ["testing", "pwny"],
"td_visibility": "HAS_WHITELIST",
"td_whitelist_apps": ["1064060413755420", "494491891138576"]
}