ThreatExchange UI Overview
Finding the UI
Visit https://developers.facebook.com/apps and select your app:
Then find the ThreatExchange product within the navbar on the left:
Adding team members
- Please visit https://developers.facebook.com/apps and select your app
- Select Roles -> Roles
- Please add teammates as either Administrators or Developers
- Please do not add teammates as Test Users or Analytics Users -- these do not have meaning for ThreatExchange apps
- If your organization has a ThreatExchange app ID but the only administrators/developers have since left your organization, please contact us at threatexchange@fb.com so that we can reset an admin to be a current employee of your organization -- at which point you'll be able to self-service add everyone else in your organization.
Searching Data Using the UI
A variety of search options is supported -- here we'll focus on the power-search option. (As of January 2020 multi-page search results are still in development.)
Here we search for all malicious URLs uploaded in the last week:
Publishing Data Using the UI
Please see the Submitting Data page for several examples.
Status
Implemented:
- The ThreatExchange user interface is in general beta as of October 2019.
- The UI is fully up and running for privacy-group and tag editing.
- Descriptors can be created and edited singly; they can be uploaded from CSV or JSON, and downloaded to CSV or JSON.
- Non-paginated query results are available: you can access at most 1000 descriptors from any given query.
- Bulk edit of descriptors (e.g. apply a given tag to all on-screen results)
- Complex queries for descriptors ("power search")
- Support for reactions (see also Reacting to Existing Data)
- Support for creating/editing related-to/connections for descriptors
For bulk download we recommend using the python package cli or consulting the API reference::
To be implemented (present in the API, not yet present in the UI):
- Improved user experience for complex descriptor queries
- Full paginated results for queries matching large numbers of descriptors
- Descriptor deletion
- Ability to query for all descriptors which have reactions on them
- Support for non-descriptor malware types
Feedback
Please contact threatexchange@fb.com with any and all feedback on how we can better enable your success in using ThreatExchange!
Alternatively, feel free to use the bugnub to report issues:
Vocabulary
What do people do with ThreatExchange? Lots of things. Here we focus on the most basic subset:
- People at various organizations want to share information about threats -- malware signatures, malicious URLs, and so on.
- A threat indicator is the objective part -- a file hash, a URL, and so on -- along with a type (MD5, SHA1, URL, etc.).
- A threat descriptor contains an indicator as well as the subjective parts -- how malicious a team thinks it is; when they first saw it; and so on.
- Whereas Facebook privacy revolves around user IDs, ThreatExchange revolves around app IDs. For example, app ID 1064060413755420 is Media Hash Sharing Test. These are generally of the form Team T at company C.
- When people share threat data, they can specify who they want to see each datum -- this is visibility or privacy type.
- Visible/public means all ThreatExchange members can see it
- Or for each datum they can make an app-whitelist of specific teams at specific companies.
- Or for each datum they can specify a privacy-group which is simply a predefined list of app IDs.
- People can tag their descriptors. These are tags in any other tool -- except that ThreatExchange tags have their own metadata including the subjective parts that descriptors have, and they also have their own visiblity (public/app-whitelist/privacy-group).
- There's more about threat descriptors (review status and others), and other types of data shareable on ThreatExchange (malware analyses, malware families, and others) -- but for this little walkthrough we've just stuck to indicators, descriptors, visibility, and tags.
Please continue on to the UI Reference to learn more.
