ThreatExchange UI Overview

Finding the UI

Visit https://developers.facebook.com/apps and select your app.

Then find the ThreatExchange product within the navbar on the left.

Adding team members

  • Please visit https://developers.facebook.com/apps and select your app
  • Select Roles -> Roles
  • Please add teammates as either Administrators or Developers
  • Please do not add teammates as Test Users or Analytics Users -- these do not have meaning for ThreatExchange apps
  • If your organization has a ThreatExchange app ID but the only administrators/developers have since left your organization, please contact us at threatexchange@fb.com so that we can reset an admin to be a current employee of your organization -- at which point you'll be able to self-service add everyone else in your organization.

Status

Implemented:

  • The ThreatExchange user interface is in general beta as of October 2019.
  • The UI is fully up and running for privacy-group and tag editing.
  • Descriptors can be created and edited singly; they can be uploaded from CSV or JSON, and downloaded to CSV or JSON.
  • Non-paginated query results are available: you can access at most 1000 descriptors from any given query.

For bulk download we recommend the API.

To be implemented (present in the API, not yet present in the UI):

  • Complex queries for descriptors
  • Bulk edit of descriptors (e.g. apply a given tag to all on-screen results)
  • Ability to create/edit related-to for descriptors
  • Full paginated results for queries matching large numbers of descriptors
  • Descriptor deletion
  • Support for reactions
  • Support for connections
  • Support for non-descriptor malware types

Feedback

Please contact threatexchange@fb.com with any and all feedback on how we can better enable your success in using ThreatExchange!

Alternatively, feel free to use the bugnub to report issues.

Vocabulary

What do people do with ThreatExchange? Lots of things. Here we focus on the most basic subset:

  • People at various organizations want to share information about threats -- malware signatures, malicious URLs, and so on.
  • A threat indicator is the objective part -- a file hash, a URL, and so on -- along with a type (MD5, SHA1, URL, etc.).
  • A threat descriptor contains an indicator as well as the subjective parts -- how malicious a team thinks it is; when they first saw it; and so on.
  • Whereas Facebook privacy revolves around user IDs, ThreatExchange revolves around app IDs. For example, app ID 1064060413755420 is Media Hash Sharing Test. These are generally of the form Team T at company C.
  • When people share threat data, they can specify who they want to see each datum -- this is visibility or privacy type.
    • Visible/public means all ThreatExchange members can see it
    • Or for each datum they can make an app-whitelist of specific teams at specific companies.
    • Or for each datum they can specify a privacy-group which is simply a predefined list of app IDs.
  • People can tag their descriptors. These are like tags in any other tool -- except that ThreatExchange tags have their own metadata including the subjective parts that descriptors have, and they also have their own visibility (public/app-whitelist/privacy-group).
  • There's more about threat descriptors (review status and others), and other types of data shareable on ThreatExchange (malware analyses, malware families, and others) -- but for this little walkthrough we've just stuck to indicators, descriptors, visibility, and tags.
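
The vocabulary above can be read as a small data model. The following is an added example, not ThreatExchange code or its API: the class names, field names, group name and app IDs are all assumptions constructed for illustration. It shows the consequence of tags carrying their own visibility: two teams that can both see a descriptor may see different tags on it.

```python
from dataclasses import dataclass, field

# Illustrative model only; names are assumptions, not ThreatExchange API fields.
@dataclass(frozen=True)
class Visibility:
    kind: str                         # "public", "app-whitelist" or "privacy-group"
    app_ids: frozenset = frozenset()  # consulted for "app-whitelist"
    group: str = ""                   # consulted for "privacy-group"

@dataclass
class Tag:
    text: str
    visibility: Visibility

@dataclass
class Descriptor:
    indicator: str        # objective part, e.g. a file hash or URL
    indicator_type: str   # MD5, SHA1, URL, ...
    owner_app_id: int     # the app ID (team) that shared it
    visibility: Visibility
    tags: list = field(default_factory=list)

def can_see(viewer, owner, vis, groups):
    """True if app ID `viewer` may see an object shared by `owner`."""
    # Assumption of this sketch: the sharing app always sees its own data.
    if viewer == owner or vis.kind == "public":
        return True
    if vis.kind == "app-whitelist":
        return viewer in vis.app_ids
    if vis.kind == "privacy-group":   # a predefined list of app IDs
        return viewer in groups.get(vis.group, frozenset())
    return False                      # unknown kind: fail closed

def view_for(viewer, desc, groups):
    """Return (indicator, visible tag texts), or None if the descriptor is hidden."""
    if not can_see(viewer, desc.owner_app_id, desc.visibility, groups):
        return None
    tags = [t.text for t in desc.tags
            if can_see(viewer, desc.owner_app_id, t.visibility, groups)]
    return desc.indicator, tags

# Constructed sample data: one privacy group and one public descriptor.
GROUPS = {"pg-media": frozenset({111, 222})}
SAMPLE = Descriptor(
    "http://example.test/x", "URL", 111, Visibility("public"),
    [Tag("phishing", Visibility("public")),
     Tag("internal-case", Visibility("privacy-group", group="pg-media")),
     Tag("partner-only", Visibility("app-whitelist", frozenset({333})))])
```
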

Please continue on to the UI Reference to learn more.