ThreatExchange UI Overview

Finding the UI

Visit https://developers.facebook.com/apps and select your app:

Then find the ThreatExchange product within the navbar on the left:

Adding team members

• Please visit https://developers.facebook.com/apps and select your app
• Select Roles -> Roles
• Please add teammates as either Administrators or Developers
• Please do not add teammates as Test Users or Analytics Users -- these do not have meaning for ThreatExchange apps
• If your organization has a ThreatExchange app ID but the only administrators/developers have since left your organization, please contact us at threatexchange@fb.com so that we can reset an admin to be a current employee of your organization -- at which point you'll be able to self-service add everyone else in your organization.

Status

Implemented:

• The ThreatExchange user interface is in general beta as of October 2019.
• The UI is fully up and running for privacy-group and tag editing.
• Descriptors can be created and edited singly; they can be uploaded from CSV or JSON, and downloaded to CSV or JSON.
• Non-paginated query results are available: you can access at most 1000 descriptors from any given query.
• Bulk edit of descriptors (e.g. apply a given tag to all on-screen results)
• Complex queries for descriptors ("power search")
• Support for reactions (see also Reacting to Existing Data)
• Support for creating/editing related-to/connections for descriptors

For bulk download we recommend the API:

• API docs
• Reference Java design wrapping the API for tag-based queries

To be implemented (present in the API, not yet present in the UI):

• Improved user experience for complex descriptor queries
• Full paginated results for queries matching large numbers of descriptors
• Descriptor deletion
• Ability to query for all descriptors which have reactions on them
• Support for non-descriptor malware types

Feedback

Please contact threatexchange@fb.com with any and all feedback on how we can better enable your success in using ThreatExchange!

Alternatively, feel free to use the bugnub to report issues:

Vocabulary

What do people do with ThreatExchange? Lots of things. Here we focus on the most basic subset:

• People at various organizations want to share information about threats -- malware signatures, malicious URLs, and so on.
• A threat indicator is the objective part -- a file hash, a URL, and so on -- along with a type (MD5, SHA1, URL, etc.).
• A threat descriptor contains an indicator as well as the subjective parts -- how malicious a team thinks it is; when they first saw it; and so on.
• Whereas Facebook privacy revolves around user IDs, ThreatExchange revolves around app IDs. For example, app ID 1064060413755420 is Media Hash Sharing Test. These are generally of the form Team T at company C.
• When people share threat data, they can specify who they want to see each datum -- this is visibility or privacy type.

  • Visible/public means all ThreatExchange members can see it
  • Or for each datum they can make an app-whitelist of specific teams at specific companies.
  • Or for each datum they can specify a privacy-group which is simply a predefined list of app IDs.
• People can tag their descriptors. These are tags in any other tool -- except that ThreatExchange tags have their own metadata including the subjective parts that descriptors have, and they also have their own visiblity (public/app-whitelist/privacy-group).
• There's more about threat descriptors (review status and others), and other types of data shareable on ThreatExchange (malware analyses, malware families, and others) -- but for this little walkthrough we've just stuck to indicators, descriptors, visibility, and tags.

Please continue on to the UI Reference to learn more.