ThreatExchange
Graph API Version

Submitting New Data

You may submit data to the graph via an HTTP POST request the following URL:

  • https://graph.facebook.com/v2.8/threat_descriptors

NOTE: The call to /threat_indicators is deprecated as of v2.4 of the ThreatExchange API. If you attempt to access this endpoint in v2.4+, it will create a threat descriptor and the associated threat indicator behind the scenes.

Parameters

The following submission parameters are available (bold parameters are required):

  • access_token - The key for authenticating to the API, in the format <your-app-id>|<your-app-secret>. For example, if our app ID was 555 and our app secret aSdF123GhK, our access_token would be "555|aSdF123GhK";
  • confidence - A score for how likely the indicator's status is accurate, ranges from 0 to 100;
  • description - A short summary of the indicator and threat;
  • expired_on - Time the indicator is no longer considered a threat, in ISO 8601 date format;
  • first_active - Time when the opinion first became valid;
  • last_active - Time when the opinion stopped being valid;
  • indicator - The indicator data being submitted;
  • precision - The degree of accuracy of the indicator, see PrecisionType for the list of allowed values;
  • privacy_type - The kind of privacy for the indicator, see PrivacyType for the list of allowed values;
  • privacy_members - A comma-delimited list of ThreatExchangeMembers allowed to see the indicator and only applies when privacy_type is set to HAS_WHITELIST;
  • review_status - Describes how the indicator was vetted, see ReviewStatusType for the list of allowed values;
  • severity - A rating of how severe the indicator is when found in an incident, see SeverityType for the list of allowed values;
  • share_level - A designation of how the indicator may be shared based on the US-CERT's Traffic Light Protocol, see ShareLevelType for the list of allowed values;
  • status - Indicates if the indicator is labeled as malicious;
  • tags - A comma seperated list of tags you want to publish. This will overwrite any existing tags.
  • add_tags - To add tags to an object without overwriting existing tags
  • remove_tags - Remove tags asocciated with an object
  • type - The kind of indicator being described, see IndicatorType for the list of allowed values.

Example submission of a malicious domain:

https://graph.facebook.com/v2.8/threat_descriptors?access_token=555|aSdF123GhK

POST DATA:
  indicator=evil-domain.biz
  &amp;type=DOMAIN
  &amp;tags=testingtags
  &amp;status=MALICIOUS
  &amp;description=This%20domain%20was%20hosting%20malware
  &amp;privacy_type=VISIBLE

Data returned:

{
  "id": "853037291373757",
  "success": true
}