Professional Documents
Culture Documents
ThreatStream API Reference Guide
ThreatStream API Reference Guide
Reference Guide
Support
Support Portal https://support.threatstream.com
Email support@threatstream.com
Phone +1 844-4-THREATS
Twitter @threatstream
Documentation Updates
Date Description
3/29/2023 Updated the list of iTypes in "Indicator Types in ThreatStream API" on page 181.
3/17/2023 Updated descriptions of the skip _associations and skip_intelligence attributes and added the
endpoint for retrieving a list of entities of the specified Threat Model type in the "Threat Model " on page 89
section; added API calls for accessing data returned from the AbuseIPDB and Shodan enrichments in
"Intelligence Enrichments" on page 53, updated "Import (without approval)" on page 29
12/20/2022 Added the description of the remote_api attribute, added "Threat Model Entity Tags in Bulk" on page 162.
11/14/2022 Added "Managing up to 10,000 Tags in Bulk" on page 159. Updated "API Metadata" on page 8, the
description of the is_public attribute in "Intelligence" on page 40 and "Threat Model " on page 89, the
description of the tags attribute.
8/10/2022 Updated "Import (with approval)" on page 19, "Import (without approval)" on page 29, "Intelligence" on
page 40, "Observable Cloning" on page 52, and "Observable Tags in Bulk" on page 157.
7/19/2022 Updated "Import (with approval)" on page 19 and "Import (without approval)" on page 29.
7/8/2022 Updated "Import (with approval)" on page 19, updated "Import (without approval)" on page 29, added a note
to "Investigation" on page 59.
Appstorehistory 11
Confidence 13
Feed 15
Import 19
Import (with approval) 19
Import (without approval) 29
Import Observables from STIX files 38
Intelligence 40
Search Filter 51
Observable Cloning 52
Intelligence Enrichments 53
AbuseIPDB 56
Request 56
Example 56
Response 56
Example 56
Shodan Database 57
Request 57
Example 57
Response 57
Example 58
Investigation 59
Investigationelement 63
Investigationanalysis 64
Rules 66
Sandbox 73
Sandbox Search 77
Snapshot 79
SSO History 87
Threat Model 89
Threat Model Search 89
Actors 97
Attack Patterns 103
Campaigns 113
Incidents 119
Malware 124
Signatures 133
Tipreport 138
TTPs (Tactics, Techniques, and Procedures) 144
Vulnerabilities 149
Managing Threat Model Associations 154
Whitelist 173
The APIs allow you to pull threat intelligence from the ThreatStream platform for use with other third-
party tools, import observables into ThreatStream from any source, manage threat model entities
and investigations, and so on.
Prerequisites
l A user ID and API key is required to access ThreatStream through the APIs. If you do not have
these credentials, contact your ThreatStream Org Admin to create an account.
l APIs return attributes in the JavaScript Object Notation (JSON) format; therefore, familiarity with
JSON is recommended.
https://api.threatstream.com/api/<api_version>/<resource>/
where
<api_version> is either v1 or v2. Refer to each API call to determine the version to use.
Authenticating to ThreatStream
Making requests through the API requires authenticating to ThreatStream using your username—the
email address associated with your ThreatStream account—and your dedicated API Key. You can
reference your username and API Key on the My Profile tab within ThreatStream settings.
Specifying your username and API Key in the header of the request is the most secure method of
authentication. Anomali recommends using this authentication method, as shown in the following
example:
curl 'https://api.threatstream.com/api/v2/intelligence/?itype=bot_ip' -H
'Authorization: apikey <username>:<api_key>'
Note: Specifying usernames and API Keys in the URL of the request will be deprecated as an
available authentication method for ThreatStream in a future release.
Using Operators
The first API operator called after the resource must start with a question mark and subsequent
operators must begin with an ampersand.
Example:
curl 'https://api.threatstream.com/api/v2/intelligence/?itype=bot_
ip&status=active' -H 'Authorization: apikey <username>:<api_key>'
API Metadata
The following is an example of typical ThreatStream API metadata:
l total_count—the total number of results that can be retrieved by the API call.
l approximate_count—set to true in cases where API calls yield exceptionally large datasets to
indicate that the total count may not include all results.
Note: The approximate_count metadata attribute is only included in API query responses
under certain conditions. Typically, these are scenarios where results are exceptionally large
and approximation improves application performance.
l next—call that can be used to iteratively retrieve the next set of data in the total results.
l limit—number of results returned when API call is made. See "Limiting Results" below.
l offset—the current result row number. Used when iteratively retrieving large datasets. See
"Using “next” to Iteratively Retrieve Datasets" below.
Limiting Results
The limit variable controls the number of results returned every time an API call is made; the total
number of results may be much larger than returned in one API call.
If limit is not specified, 20 results are returned with each API call. Specifying limit=0 will return up
to a maximum of 1000 results (if available).
Note: For Intelligence API calls, if results number greater than 10,000, Anomali recommends
using update_id—instead of the next field—to iteratively retrieve the full dataset. See "Using
“update_id” to Retrieve Large Intelligence Datasets" on page 48 for more information.
Example:
curl 'https://api.threatstream.com/api/v2/intelligence/?limit=5' -H
'Authorization: apikey <username>:<api_key>'
meta: {
total_count: 6414,
took: 7,
next: "/api/v2/intelligence/<link_to_next_page>",
limit: 5,
offset: 0}
Therefore, you would use the following API call to retrieve the next five results:
curl 'https://api.threatstream.com/api/v2/intelligence/<link_to_next_page>' -H
'Authorization: apikey <username>:<api_key>'
where <link_to_next_page> is the value to use to retrieve the next set of results
Repeat this process iteratively until next = null. The total number of results you will retrieve by making
the intelligence API call iteratively is 6414.
Note: The total_count value may not represent the full dataset if approximate_count is set to
true in the metadata.
Filtering Results
You can filter returned results by specifying the attribute and a value. For example, “itype=bot_ip”.
Refer to each API call attributes to determine the attributes you can filter on and the operators you
can use for those attributes.
For example, the following call returns observables from your ThreatStream OnPrem deployment
using the Intelligence API:
curl "https://<ThreatStream_OnPrem_IP_or_
FQDN>/api/v2/intelligence/?&status=active&itype=fraud_email" -H 'Authorization:
apikey <username>:<api_key>'
where
From your ThreatStream OnPrem deployment, you can also access ThreatStream Cloud intelligence
by setting the remote_api parameter to true.
For example, the following call returns the details of a remote vulnerability whose ID is 21:
curl "https://<ThreatStream_OnPrem_IP_or_FQDN>/api/v1/vulnerability/21/?remote_
api=true" -H 'Authorization: apikey <username>:<api_key>'
where
<api_key> is the API Key provided on the My Profile tab within ThreatStream OnPrem.
Request
/api/v1/appstorehistory/
Response
Format: JSON
Attributes
Attribute Description
Attribute Description
email Email address of the user in your organization who performed the action.
Note: Email addresses are only shown for actions taken by users in your
organization. Actions taken by vendors do not list an email address.
resource_ Resource URI of the APP store activity on the activity log.
uri
Example
Request:
curl "https://api.threatstream.com/api/v1/appstorehistory/" -H 'Authorization:
apikey <username>:<api_key>'
Response:
{
"edit_type": "Accepted Paid",
"id": 929,
"name": "Cofense Intelligence",
"resource_uri": "/api/v1/appstorehistory/929/",
"timestamp": "2020-06-05 20:32:56.511717+00:00"
}
Request
/api/v1/inteldetails/confidence_trend/
Request Attributes
Attribute Description
Response
Format: JSON
Response Attributes
Attribute Description
Example
Request:
curl "https://api.threatstream.com/api/v1/inteldetails/confidence_
trend/?type=confidence&value=118.172.14.234" -H 'Authorization: apikey
<username>:<api_key>'
Response:
{
"min_confidence": 66,
"average_confidence": 69,
"max_confidence": 70
}
Request
/api/v1/feed/
Attributes
expiry_time_in_ integer Length of time after import that observables remain active.
days
itype string Default indicator type assigned to observables imported from the
feed.
Response
Format: JSON
Attributes
allow_unresolved_ N/A This attribute is for internal use and can be ignored.
domain
allow_update N/A This attribute is for internal use and can be ignored.
child_page_url_template N/A This attribute is for internal use and can be ignored.
circles list Trusted circles with which data from streams is shared.
created_ts datetime Time stamp of when the feed was created, in UTC
format.
disable_notifications N/A This attribute is for internal use and can be ignored.
engine N/A This attribute is for internal use and can be ignored.
expiry_date N/A This attribute is for internal use and can be ignored.
expiry_source N/A This attribute is for internal use and can be ignored.
feed_category N/A This attribute is for internal use and can be ignored.
feed_type N/A This attribute is for internal use and can be ignored.
feedgroups N/A This attribute is for internal use and can be ignored.
hidden N/A This attribute is for internal use and can be ignored.
id_regex N/A This attribute is for internal use and can be ignored.
imap_host N/A This attribute is for internal use and can be ignored.
imap_port N/A This attribute is for internal use and can be ignored.
imap_subject_regexp N/A This attribute is for internal use and can be ignored.
is_autoprov N/A This attribute is for internal use and can be ignored.
is_cloneable N/A This attribute is for internal use and can be ignored.
is_owner N/A This attribute is for internal use and can be ignored.
notes N/A This attribute is for internal use and can be ignored.
organization array Organization which owns the feed. Contains id, name,
and resource_uri attributes.
reference_url N/A This attribute is for internal use and can be ignored.
severity N/A This attribute is for internal use and can be ignored.
should_reactivate_intel N/A This attribute is for internal use and can be ignored.
sleep_time N/A This attribute is for internal use and can be ignored.
use_proxy N/A This attribute is for internal use and can be ignored.
Examples
1. To retrieve the first 100 feeds to which you have access on ThreatStream:
curl 'https://api.threatstream.com/api/v1/feed/?limit=100' -H
'Authorization: apikey <username>:<api_key>'
Note: Anomali recommends reviewing the indicator data being imported for all file formats
except JSON, which can be imported directly if the data is in the format described in this
document.
To import data in any format and require approval on ThreatStream before the import is complete:
See "Import (with approval)" below.
To import data without requiring an approval before the import is complete: See "Import (without
approval)" on page 29.
This method can be used to import unstructured and structured data. See "Supported Data Formats"
on page 24 for more information.
When importing unstructured data, all intelligence is associated with the same attributes—threat
type, classification, confidence. For example, if a file has two IP addresses, each IP will be assigned
the same indicator type based on the threat type you specify. See "Request Attributes" on the next
page for a list of global settings that can be specified for imported observables.
However, when importing structured data, you can specify a different itype and tags for each
observable in the structured file, which is different from the global settings. When a local setting is
specified, it overrides the global setting.
Request
/api/v2/intelligence/import/
Request Attributes
These attributes specify global settings for imported observables. If an imported observable does not
have an explicitly specified value for these settings, the global setting is applied. However, if an
imported observable does have an explicitly specified value, it overrides the global value.
actors string IDs of the actors with which you want to associate the imported
intelligence.
campaigns string IDs of the campaigns with which you want to associate the
imported intelligence.
default_state string Whether the import job must be approved from the
ThreatStream user interface before observables become
active.
file string Path to the file from which the observables will be imported.
incidents string IDs of the incidents with which you want to associate the
imported intelligence.
malware string IDs of the malware with which you want to associate the
imported intelligence.
severity string Gauges the potential impact of the indicator type the observable
is thought to be associated with.
source_ numeric Specifies the ratio between the amount of the source
confidence_weight confidence of each observable and the ThreatStream
confidence. For example, if this setting = 30%, when calculating
the final source_confidence, 30% weight is given to the
confidence specified by the source of the observable and 70%
weight is given to the confidence deemed by ThreatStream
(based on the machine-learning algorithms).
Notes:
tags=[{“name”:"my_tag",“tlp”:"red"},{"name":"my_
tag2",“tlp”:"white"},{"name":"my_tag3"}]
Tag Attributes:
Default: white
tipreports string IDs of the tipreports with which you want to associate the
imported intelligence.
trustedcircles numeric ID of the trusted circle to which this threat data should be
imported. If you want to import the threat data to multiple trusted
circles, enter the list of comma-separated IDs.
ttps string IDs of the ttps with which you want to associate the imported
intelligence.
Type-specific mappings
Note: If you do not specify a threat_type in your request, you must specify indicator type
mappings for each of the following attributes. See Indicator Types for a complete list of
supported values. See "Fraud Indicator Types for ThreatStream OnPrem" on page 204 for a
list of indicator types exclusive to ThreatStream OnPrem.
domain_mapping string Indicator type to assign if a specific type is not associated with
an observable.
email_mapping string Indicator type to assign if a specific type is not associated with
an observable.
ip_mapping string Indicator type to assign if a specific type is not associated with
an observable.
md5_mapping string Indicator type to assign if a specific type is not associated with
an observable.
url_mapping string Indicator type to assign if a specific type is not associated with
an observable.
Unstructured Data
There are no specific requirements for unstructured data.
Structured Data
Follow these guidelines when importing structured data:
l The structured data must be contained in a valid CSV file with the following header line: value,
itype, tags. Optional columns include private_tags, is_anonymous, and tlp.
is_
privat anonymo
value itype tags e_tags us tlp
l The value header label is mandatory. This column must contain data.
l For domain, email, IP, MD5, and URL observables, itype, tags, and private_tags header
labels can be omitted if no data will be specified for these columns. For all other observables, you
must specify a value for itype. See "Import (with approval)" on page 19 of indicator types (itype).
l tags is a comma-separated list of tags. Tags included in the tags column are assigned the
Anomali Community visibility setting and visible to all users with access to the observable.
l private_tags is a comma-separated list of tags. Tags included in the private_tags column are
assigned the My Organization visibility setting and visible only to users in your organization.
l is_anonymous sets whether the organization and user information for the observable is
anonymized. Possible values include true and false. If no value is specified, observables will
not be anonymized.
l tlp sets a TLP color for the observable. Possible values include white, green, amber, and red.
l The data specified in itype and tags columns overrides the global settings specified in the
"Request Attributes" on page 20 settings. For example, if the structured CSV contains the
following: value=1.2.3.4, itype=phish_ip, and Request Attribute ip_mapping=mal_ip, then itype
for the observable 1.2.3.4 will be set to phish_ip because the setting in the file (local value) will
override the Request Attribute setting (global value).
l If the itype and tags columns are empty, the data for these columns is derived from the
"Request Attributes" on page 20 settings. For example, if value=1.2.3.4, itype is not specified in
the file, tags is not specified in the file, and the Request Attribute ip_mapping=mal_ip, then itype
for the observable will be set to mal_ip.
Examples
1. To import observables from a file. The file can contain unstructured or structured data.
curl example:
Python example:
curl example:
Python example:
curl example:
Python example:
4. To import observables associated with tags that are private to your organization
5. To import observables and share them with trusted circles whose ids are 1 and 2:
6. To automatically approve imported observables. An import job is created and observables are
set to active.
7. To import observables and create an association between the import job and an Actor whose ID
is 77:
Response
HTTP 202 Accepted {"import_session_id": IMPORT_SESSION_ID, "success": STATUS, "job_id":
BACKGROUND_JOB_ID}
where
import_session_id is the ID for the import job. You will need this ID to check the status of the
import job.
Example Response:
where import_session_id is the identifier that was returned in the response of the Import call.
This call returns one of the following statuses in the "status" attribute:
At this point, the call also returns numIndicators and numRejected attributes that denote the
number of observables that were accepted for importing and the observables that were rejected,
respectively. This information is the same as the one displayed on the Import Review page of the
ThreatStream UI.
Note: Before executing this call, make sure that the import job belongs to your organization.
curl -X GET 'https://api.threatstream.com/api/v1/importsession/<import_session_
id>/intelligence' -H 'Authorization: apikey <username>:<api_key>'
This call returns the information about the import job. You can view IDs of the observables in the "id"
attribute.
Note:
l Before executing this call, make sure that the import job belongs to your organization.
l You must have the Approve Intel user permission to use this API call. Org Admins can grant
this permission from the ThreatStream user interface.
Note:
l Before executing this call, make sure that the import job belongs to your organization.
l You must have the Approve Intel user permission to use this API call. Org Admins can grant
this permission from the ThreatStream user interface.
where
Notes:
l You must have the Approve Intel user permission to import without approval via the API.
Org Admins can grant this permission from the ThreatStream user interface.
Request
/api/v2/intelligence/
The Import (without approval) API requires that you specify payload in JSON format. It has two
properties: meta—for specifying global settings which apply to all observables—and objects—
which specify settings per observable.
Specifying global settings is not mandatory. Per observable settings take precedent over global
settings in cases where both are specified for a given attribute. For example, if classification=private
in the meta section, and an imported observable has classification=public at the object level, the
indicator will be marked public.
Meta Attribute
The following table contains an attribute which can be specified in the meta section only.
allow_ boolean When set to true, domain observables included in the file which do
unresolved not resolve will be accepted as valid in ThreatStream and imported.
Shared Attributes
The attributes in the table below can be used to specify settings in the meta or objects section of the
JSON file.
Default: public
type.
By default, UTC time is used. You can specify your local time by
appending your timezone to the value. For example, to specify
PST: 2019-04-28T14:00:00-08:00
severity string Severity you want to assign to the observable when it is imported.
tags=[{“name”:"my_tag",“tlp”:"red"},{"name":"my_
tag2",“tlp”:"white"},{"name":"my_tag3"}]
Tag Attributes:
Default: white
trustedcircles list ID of the trusted circle with which this threat data should be
shared. If you want to import the threat data to multiple trusted
circles, enter a list of comma-separated IDs.
Required Fields
Fields which must contain data vary based on the type of observable. The following table lists the
mandatory fields for each observable type.
IP srcip, itype
Response
HTTP 202 Accepted
Note: This response indicates that the JSON you submitted was valid. However, in cases where
data is incorrect or required fields are left unspecified, observables can be ignored or imported
as false positive. For example, if confidence is not specified for md5 or email observables, the
observables are imported as false positive. Alternatively, if allow_unresolved is not set to true
when importing unresolved domains, these observables will be ignored.
Examples
1. To import private observables of different types:
curl example:
{
"meta":{
"classification":"private",
"confidence":60
},
"objects":[
{
"srcip":"1.2.3.4",
"itype":"bot_ip",
"tags":[
{
"name": "private_tag",
"tlp": "red"
},
{
"name": "public_tag",
"tlp": "white"
}
],
"severity":"high"
},
{
"domain":"idfsdszqylwjzq.biz",
"itype":"mal_domain",
"severity":"very-high"
},
{
"url":"http://malicious.pl/wp-content/themes/credenza-wp/cr_
mss3.exe",
"itype":"mal_url",
"severity":"high"
},
{
"email":"email@domain.com",
"itype":"compromised_email",
"tags":[
{
"name": "private_tag",
"tlp": "red"
},
{
"name": "public_tag",
"tlp": "white"
}
],
"severity":"low"
},
{
"md5":"1d37556b8aeb5cb5fbf08cd5b4790075",
"itype":"apt_md5",
"severity":"medium",
"expiration_ts":"2017-01-26T00:00:00"
}
]
}
Python example:
{
"value": ""msfbckupsc.com",
"itype": ""apt_domain",
"severity": "high",
"tags": [{"name": "private_tag", "tlp": "red"}]
},
{
"value": "106.210.164.198",
"itype": "mal_ip",
"severity": "high"
}
]
}
response = requests.patch(url, headers=headers, json=payload)
print (response.status_code)
print (response.content)
{
"objects":[
{
"srcip":"5.253.63.134",
"itype":"bot_ip"
}
]
}
3. To import an email address with one private and one public tag:
{
"meta":{
"classification":"public",
"tags":[
{
"name":"private_tag",
"tlp":"red"
},
{
"name":"public_tag",
"tlp":"white"
}
]
},
"objects":[
{
"email":"email@test.com",
"itype":"apt_email"
}
]
}
4. To import an email address with the minimum required fields and globally configured
classification:
{
"meta":{
"classification":"private"
},
"objects":[
{
"email":"joe@example.com",
"itype":"mal_email"
}
]
}
{
"meta":{
"source_confidence_weight":100
},
"objects":[
{
"domain":"www.example.com",
"itype":"apt_domain",
"confidence":99
}
]
}
{
"meta":{
"confidence":100
},
"objects":[
{
"srcip":"345.678.45.7",
"itype":"mal_ip",
"confidence":50
},
{
"srcip":"322.609.78.33",
"itype":"apt_ip"
}
]
}
In the above example, the confidence value specified for the first observable overrides the
globally specified confidence value.
Request
/api/v1/stix_import/
Attributes
confidence string Default confidence scores assigned to observables from the stream.
Level of certainty that an observable is of the reported indicator
type.
file string Path and name of the file from which the observables will be
imported.
is_anonymous boolean Whether you want to anonymize your organization and user
information. Users outside of your organization with access to the
observables will see "Analyst" in all fields that would otherwise
display an organization or user name.
tags=[{“name”:"my_tag",“tlp”:"red"},{"name":"my_
tag2",“tlp”:"white"},{"name":"my_tag3"}]
Tag Attributes:
Default: white
trustedcircles integer ID of the trusted circle to which this threat data should be imported. If
you want to import the threat data to multiple trusted circles, enter
the list of comma-separated IDs.
Examples
1. To import observables from a STIX compatible file:
2. To import observables and share them with trusted circles whose ids are 1 and 2:
ThreatStream provides multiple methods for retrieving threat intelligence. Use the following criteria to
determine which method is appropriate for your needs:
Downloading large intelligence sets–those Use the Snapshot API. See "Snapshot" on
spanning thousands of pages–on an ad-hoc page 79 for more information.
basis.
You can specify criteria by which the intelligence should be retrieved, as shown in the examples
below.
Request
/api/v2/intelligence/
HTTP Methods:
Do not set this attribute to false for retrieving local observables. Doing
so will generate errors.
Response
Format: JSON
Ordering of attributes: The attributes are sorted by the modified_ts attribute, in descending order
Attributes
Filter
Attribute Type Operators Description
can_add_ boolean "exact" Indicates whether a user can add public tags to a
public_tags Threat Model entity.
confidence long "exact", "lt", "lte", Level of certainty that an observable is of the
"gte", "gt" reported indicator type.
created_ts date "exact", "lt", "lte", When the indicator was first seen on the
"gte", "gt" ThreatStream cloud platform.
Filter
Attribute Type Operators Description
expiration_ts date "exact", "lt", "lte", Time stamp of when intelligence will expire on
"gte", "gt" ThreatStream, in UTC time.
feed_id long "exact" Numeric ID of the threat feed that generated the
indicator.
import_ long "exact" ID of import session in which the indicator was
session_id imported.
is_editable boolean Not available for Indicates whether the imported entity can be
filtering updated by an intelligence source.
Filter
Attribute Type Operators Description
Default: 0/False
itype string "exact", Indicator type. See Indicator Types. See "Fraud
"startswith", Indicator Types for ThreatStream OnPrem" on
"contains" page 204 for a list of indicator types exclusive to
ThreatStream OnPrem.
latitude double "exact", "lt", "lte", Latitude associated with the Geo location of the
"gte", "gt" IP.
longitude double "exact", "lt", "lte", Longitude associated with the Geo location of
"gte", "gt" the IP.
meta.detail string "exact", A string that contains a tag associated with the
"startswith", indicator; the tag can be used to search for
"contains" related indicators.
meta.maltype string "exact", Tag that specifies the malware associated with
"startswith", an indicator.
"contains"
meta.registrant_ string Not available for Information available from WHOIS about the
* filtering domain of the indicator (if any) at the time it was
imported to ThreatStream.
Filter
Attribute Type Operators Description
modified_ts date "exact", "lt", "lte", When the indicator was last updated on the
"gte", "gt" ThreatStream Cloud platform.
retina_ long "exact", "lt", "lte", Confidence score assigned to the observable by
confidence "gte", "gt" Anomali machine learning algorithms.
search_filter integer "exact" ID of the saved search filter you want to execute.
Filter
Attribute Type Operators Description
curl 'https://<OnPrem_IP_or_
FQDN>/api/v2/intelligence/?searc
h_filter=<filter_id>&remote_
api=true' -H 'Authorization:
apikey <username>:<api_key>'
Filter
Attribute Type Operators Description
source string Not available for Usually an obfuscated description of the source
filtering of the indicator; the description may not be
obfuscated if the user belongs to your
organization.
source_created datetime "exact", "lt", "lte", Time stamp of when the entity was created by its
"gte", "gt" original source.
source_ datetime "exact", "lt", "lte", Time stamp of when the entity was last updated
modified "gte", "gt" by its original source.
Tag Attributes:
Filter
Attribute Type Operators Description
Default: white
trusted_circle_ integer "exact" IDs of the trusted circles with which the indicator
ids is shared.
update_id__gt=0&order_by=update_id
After the first call is made, locate the update_id of the last returned object. The following is an
example:
Use this value for the update_id__gt variable in your next API call. Repeat this process iteratively
until no further results are returned.
Example:
You run the following API call to retrieve all active intelligence that has been added or modified since
January 10, 2018:
curl 'https://api.threatstream.com/api/v2/intelligence/?modified_ts__gt=2018-01-
10&status=active&update_id__gt=0&order_by=update_id' -H 'Authorization: apikey
<username>:<api_key>'
The update_id of the last retrieved result—the 1,000th result in this case—is 11849.
curl 'https://api.threatstream.com/api/v2/intelligence/?modified_ts__gt=2018-01-
10T00:00:00&status=active&update_id__gt=11849&order_by=update_id' -H
'Authorization: apikey <username>:<api_key>'
Example:
curl 'https://api.threatstream.com/api/v2/intelligence/?modified_ts__lt=<minus_
1_minute>&status=active&update_id__gt=0&order_by=update_id' -H 'Authorization:
apikey <username>:<api_key>'
where <minus_1_minute> is the time stamp of the current time minus one minute in
YYYYMMDDThhmmss format
Examples
As Intelligence API calls can yield large numbers of results, the following examples use the limit
attribute to limit the number of results displayed in an API call.
By default, if the limit parameter is not specified, 20 records are fetched at a time. However, when
limit=0, a maximum of 1000 the total records that meet the query are fetched.
If the total records returned exceed the defined limit or number greater than 1,000 but fewer than
10,000, use the next field of the returned metadata to make iterative API calls until all records are
returned. If total records number greater than 10,000, follow the directions under "Using “update_id”
to Retrieve Large Intelligence Datasets" on the previous page to fetch complete results.
curl 'https://api.threatstream.com/api/v2/intelligence/?limit=100' -H
'Authorization: apikey <username>:<api_key>'
2. To retrieve the first 20 threat intelligence entries with a confidence greater than 80, and a
severity of “low”:
curl 'https://api.threatstream.com/api/v2/intelligence/?meta.severity=low&
confidence__gt=80' -H 'Authorization: apikey <username>:<api_key>'
3. To retrieve all of the intelligence for indicator type "mal_ip" in ThreatStream since a particular
date and time:
curl
'https://api.threatstream.com/api/v2/intelligence/?status=active&modified_
ts__gte=2014-10-02T20:44:35&limit=0&is_public=1&itype=mal_ip' -H
'Authorization: apikey <username>:<api_key>'
4. To retrieve all of the intelligence in ThreatStream since a particular date AND country = "CN":
curl 'https://api.threatstream.com/api/v2/intelligence/?status=active&date_
last__gte=2014-10-02T20:44:35&is_public=1&limit=0&country__exact=CN' -H
'Authorization: apikey <username>:<api_key>'
5. To retrieve all of the intelligence in ThreatStream that is tagged with the value "energetic-bear":
curl 'https://api.threatstream.com/api/v2/intelligence/?status=active&is_
public=1&limit=0&tags.name=energetic-bear&' -H 'Authorization: apikey
<username>:<api_key>'
curl 'https://api.threatstream.com/api/v2/intelligence/?value__
contains=myexample.com&limit=0' -H 'Authorization: apikey <username>:<api_
key>'
Tip: For best results, values specified after the contains operator should be at least 3
characters.
curl 'https://api.threatstream.com/api/v2/intelligence/?limit=0&q=
(expiration_ts>=2022-01-30T08:00:00+AND+confidence>=90+AND+(itype="apt_
ip"+OR+itype="bot_ip"+OR+itype="c2_ip"))' -H 'Authorization: apikey
<username>:<api_key>'
For more information on specifying advanced search queries, see "Advanced Search Queries"
on the previous page.
8. (Only on ThreatStream OnPrem) To retrieve 100 most recent threat intelligence entries stored
remotely (on ThreatStream Cloud):
curl 'https://api.threatstream.com/api/v2/intelligence/?limit=100&remote_
api=true' -H 'Authorization: apikey <username>:<api_key>'
9. (Only on ThreatStream OnPrem) To retrieve remote intelligence based on a saved search filter
whose ID is 398 and which is stored remotely (on ThreatStream Cloud):
curl 'https://<OnPrem_IP_or_FQDN>/api/v2/intelligence/?search_
filter=398&remote_api=true' -H 'Authorization: apikey <username>:<api_key>'
10. (Only on ThreatStream OnPrem) To retrieve local intelligence based on a saved search filter
whose ID is 1002538 and which is stored locally (on ThreatStream OnPrem):
curl 'https://api.threatstream.com/api/v2/intelligence/?search_
filter=1002538' -H 'Authorization: apikey <username>:<api_key>'
Search Filter
To retrieve information on search filters saved from the ThreatStream user interface. After identifying
the ID of a search filter, you can execute a query by specifying the search filter ID in the search_filter
parameter of an Intelligence API request.
Request
/api/v1/search_filter/
HTTP Method: GET
Response
Format: JSON
Example
To retrieve a list of search filters saved by your organization:
Observable Cloning
To create a separate instance of an observable. After identifying the ID of an observable, you can
execute a clone request by specifying the observable ID in an Intelligence API request.
When you clone an observable, an import session is initiated, which must be approved to add the
cloned observable to your threat intelligence.
Request
/api/v2/intelligence/<observable_id>/clone/
HTTP Method: POST
Response
HTTP 202 Accepted {"job_id": "<background_job_id>", "import_session_id": "<import_session_id>"}
where
import_session_id is the ID for the initiated import job. You will need this ID to review and approve
the import job.
Example Response:
Example
To clone an observable with ID 11202475 which belongs to another organization to your own
organization:
After this, proceed with approving the initiated import job. See "Import (with approval)" on page 19 for
more details.
l Passive DNS
l Recorded Future
l Risk IQ SSL
l AbuseIPDB
l Shodan Database
Note that enrichment data will not be returned for services to which your organization does not
subscribe.
Passive DNS
Use the Passive DNS API to return enrichment data for domain, IP, and URL observables available
to you on ThreatStream. The Passive DNS API leverages data from the following providers:
l Labs PDNS
l Farsight PDNS
l OpenDNS Investigate
l VirusTotal
l RiskIQ PDNS
Request
/api/v1/pdns/
HTTP Method: GET
Examples
To return Passive DNS enrichment data for a domain:
curl 'https://api.threatstream.com/api/v1/pdns/domain/<observable_value>/' -H
'Authorization: apikey <username>:<api_key>'
curl 'https://api.threatstream.com/api/v1/pdns/ip/<observable_value>/' -H
'Authorization: apikey <username>:<api_key>'
Note: Passive DNS requests are limited to 20 per minute per user.
Response
Format: JSON
Example
Recorded Future
Use the Recorded Future API to return enrichment data for domain, IP, MD5, and URL observables
available to you on ThreatStream.
Request
/api/v1/recorded_future/
HTTP Method: GET
Examples
To return Recorded Future enrichment data for a domain:
curl 'https://api.threatstream.com/api/v1/recorded_future/search/domain/<domain_
value>/' -H 'Authorization: apikey <username>:<api_key>'
curl 'https://api.threatstream.com/api/v1/recorded_future/search/ip/<ip_value>/'
-H 'Authorization: apikey <username>:<api_key>'
curl 'https://api.threatstream.com/api/v1/recorded_future/search/md5/<md5_
value>/' -H 'Authorization: apikey <username>:<api_key>'
Response
Format: JSON
Example
Risk IQ SSL
Use the Risk IQ SSL API to return enrichment data for IP observables available to you on
ThreatStream.
Request
/api/v1/riskiq_ssl/
HTTP Method: GET
Examples
To return Risk IQ SSL enrichment data for an IP address:
curl 'https://api.threatstream.com/api/v1/riskiq_ssl/certificate/<ip_value>/' -H
'Authorization: apikey <username>:<api_key>'
Response
Format: JSON
Example
AbuseIPDB
Use the Integration Package API to access data returned from the AbuseIPDB enrichment.
Request
/api/v1/integration_package/direct/ip/<IP_address>/?name=AbuseIPDB
HTTP Method: GET
Example
To return data from the AbuseIPDB enrichment:
curl 'https://api.threatstream.com/api/v1/integration_package/direct/ip/<IP_
address>/?name=AbuseIPDB' -H 'Authorization: apikey <username>:<api_key>'
Response
Format: JSON
Example
[
"status_code": 200,
"results": {
"data":{
"numDistinctUsers": 0,
"countryName": "USA",
"domain": "abcd.us",
"isp": "Telecomunications-US",
"lastReportedAt": null,
"countryCode": "US"
"isPublic": true,
"usageType": null,
"reports": [],
"ipVersion": 4,
"hostnames": [],
"abuseConfidenceScore": 0,
"isWhitelisted": null,
"ipAddress": "190.15.150.101",
"totalReports": 0
},
Shodan Database
Use the Integration Package API to access data returned from the Shodan Database enrichment.
Request
/api/v1/integration_package/direct/ip/<IP_address>/?name=Shodan+Database
HTTP Method: GET
Example
To return data from the Shodan Database enrichment:
curl 'https://api.threatstream.com/api/v1/integration_package/direct/ip/<IP_
address>/?name=Shodan+Database' -H 'Authorization: apikey <username>:<api_key>'
Note: The Shodan Database title requires the + sign between the two words as spaces are not
permitted in URLs.
Response
Format: JSON
Example
[
"status_code": 200,
"results": {
},
Notes:
l A call to the Shodan Database endpoint may invoke multiple endpoints, and some endpoints
may not pass data. Therefore, multiple status codes and results are returned as a list of
dictionaries.
Note: While the Investigation API can be used to create investigations that contain entity
associations, it only displays a count of associations (elements) and cannot be used to retrieve a
list of entities associated with existing investigations. However, the Investigationelement API can
be used to do so. See "Investigationelement" on page 63 for more information. See
"Investigationanalysis" on page 64 for information on retrieving analysis associated with an
investigation.
Request
/api/v1/investigation/
HTTP Methods:
Response
Format: JSON
Attributes
Attribute Type Description
remote_api (for boolean Whether the investigation is remote (stored on Cloud). Value
ThreatStream returned for this attribute is true when the investigation is
OnPrem only) remote.
tlp integer TLP setting for the investigation. In the context of investigations,
the TLP color sets the maximum level of information that users
outside your organization have access to when viewing your
investigation.
assignee
elements
r_type string Type of entity associated with the investigation. Possible values
listed below.
l Actors: actor
l Campaigns: campaign
l Incidents: incident
l Observables: intelligence2
l Signatures: signature
l TTP: ttp
l Vulnerabilities: vulnerability
add_related_ boolean When enabled, observables related to the entity you are
indicators associating with the investigation are also added.
Unused attributes
Examples
1. To retrieve the 20 most recent investigations:
curl 'https://api.threatstream.com/api/v1/investigation/?order_by=-created_
ts' -H 'Authorization: apikey <username>:<api_key>'
curl 'https://api.threatstream.com/api/v1/investigation/<investigation_id>/'
-H 'Authorization: apikey <username>:<api_key>'
4. To create an investigation and associate it with an actor, along with observables related to the
actor:
7. (Only on ThreatStream OnPrem) To retrieve the 20 most recent investigations stored on Cloud:
curl 'https://api.threatstream.com/api/v1/investigation/?remote_
api=true&order_by=-created_ts'-H 'Authorization: apikey <username>:<api_
key>'
Investigationelement
To create or retrieve associations between entities and existing investigations.
Request
HTTP Methods: GET, POST
Response
Format: JSON
Attributes
Attribute Description
r_type Type of entity associated with the investigation. Possible values listed below.
l Actors: actor
l Campaigns: campaign
l Incidents: incident
l Observables: intelligence2
l Signatures: signature
l TTP: ttp
l Vulnerabilities: vulnerability
add_related_ When enabled, observables related to the entity you are associating with the
indicators investigation are also added.
curl
"https://api.threatstream.com/api/v1/investigationelement/?investigation_
id=258" -H 'Authorization: apikey <username>:<api_key>'
Note: For information on iteratively retrieving large datasets, see "Limiting Results" on
page 8.
3. To associate a threat bulletin and its related observables with an existing investigation:
Note: This call can only be used when first associating a threat model entity with an
investigation. It cannot be used to refresh the investigation with observables that were
associated with the threat model entity since its initial association with the investigation.
Investigationanalysis
To retrieve analysis on entities associated with an individual investigation.
Request
/api/v1/investigationanalysis/
HTTP Method: GET
Response
Format: JSON
Example
To retrieve analysis associated with an individual investigation:
curl "https://api.threatstream.com/api/v1/investigationanalysis/?investigation_
id=258" -H 'Authorization: apikey <username>:<api_key>'
Request
/api/v1/rule/
HTTP Methods:
Attributes
Note: If creating a rule, you must specify name, keywords, and at least one Match Within
parameter (match_observables, match_reportedfiles, match_signatures, match_tips,
or match_vulnerabilities). All other parameters are optional.
actors array of IDs of the Actors with which you want to associate matched
integers or entities.
strings
campaigns array of IDs of the Campaigns with which you want to associate
integers or matched entities.
strings
create_ boolean Whether you want to create a dedicated investigation the first
investigation time the rule is triggered. All intelligence in which keywords
appear are added to the investigation.
Default: False
exclude_impacts array of Indicator types you want to exclude from rule matches.
strings
Example: actor_ipv6
exclude_notify_ boolean Whether you want to exclude the rule from matching
org_whitelisted Observables that are included in your organization whitelist.
Default: False
incidents array of IDs of the Incidents with which you want to associate matched
integers or entities.
strings
keywords array of Keywords for which you want the rule to match.
strings
Keywords added to rules must adhere to the following
requirements:
Example: 192\.168\.
Example: 10.20.100.0/26
malware array of IDs of the Malware with which you want to associate matched
integers or entities.
strings
match_impacts array of Indicator types in which you want to look for rule matches at
strings the exclusion of all others.
Example: actor_ipv6
match_ boolean Whether the rule should match keywords in newly created
observables Observables.
Default: False
match_ boolean Whether the rule should match keywords in newly created
reportedfiles Sandbox Reports.
Default: False
match_signatures boolean Whether the rule should match keywords in newly created
Signatures.
Default: False
match_tips boolean Whether the rule should match keywords in newly created
Threat Bulletins.
Default: False
match_ boolean Whether the rule should match keywords in newly created
vulnerabilities Vulnerabilities.
Default: False
signatures array of IDs of the Signatures with which you want to associate
integers or matched entities.
strings
tags=[{“name”:"my_tag",“tlp”:"red"},{"name":"my_
tag2",“tlp”:"white"},{"name":"my_tag3"}]
Tag Attributes:
Default: white
tips array of IDs of the Threat Bulletins with which you want to associate
integers or matched entities.
strings
ttps array of IDs of the TTPs with which you want to associate matched
integers or entities.
strings
vulnerabilities array of IDs of the Vulnerabilities with which you want to associate
integers or matched entities.
strings
Response
Format: JSON
Attributes
Attribute Description
create_investigation Whether an investigation was created the first time the rule was triggered.
created_ts Time stamp of when the rule was created, in UTC format.
has_associations Whether the rule creates associations between specified entities and
matched entities.
investigation ID, Name, and Resource URI of the investigation created by the rule.
match_actors Unused.
Attribute Description
match_campaigns Unused.
match_incidents Unused.
match_malware Unused.
match_reportedfiles Whether the rule matches keywords in newly created Sandbox Reports.
match_tips Whether the rule matches keywords in newly created Threat Bulletins.
match_ttps Unused.
modified_ts Time stamp of when the rule was last modified, in UTC format.
org_shared Unused.
organization ID, Name, and Resource URI associated with the organization that
created the rule.
remote_api (for Whether the rule is remote (stored on Cloud). Value returned for this
ThreatStream attribute is true when the rule is remote.
OnPrem only)
Examples
1. To create a rule that matches for the keyword "example" in newly created Threat Bulletins:
5. (Only on ThreatStream OnPrem) To retrieve the 20 most recent rules stored on Cloud:
Request
/api/v1/submit/new/
Request Attributes
Attribute Type Description
file_has_ boolean If using Joe Sandbox to detonate a file, set this attribute to true if the
password file is password protected.
file_password string If detonating a password protected file on Joe Sandbox, use this
attribute to specify the value of the password.
import_ boolean If you want to initiate an import job for observables discovered during
indicators detonation, set this value to true.
Default: true
report_radio- string A comma-separated list that provides additional details for imported
notes observables. This information is displayed in the Tag column of the
ThreatStream UI. For example, "Credential-Exposure,compromised_
email"
report_radio- string Platform on which the submitted URL or file will be detonated.
platform
Note: This attribute is required for Cuckoo and Joe Sandbox
detonations. Do not specify this value for VMRay detonations.
curl -XGET
'https://api.threatstream.com/api/v1/submit/parameters/
' -H 'Authorization: apikey <username>:<api_key>'
trusted_ string ID of the trusted circle to which the Sandbox data should be
circles associated. If you want to specify multiple trusted circles, enter the list
of comma-separated IDs.
use_ boolean If you want to use the Joe Sandbox service for detonation, set this
premium_ attribute to true.
sandbox
If no value is set for use_premium_sandbox, the default Cuckoo
sandbox is used.
use_vmray_ boolean If you want to use the VMRay sandbox service for detonation, set this
sandbox attribute to true.
vmray_max_ integer Specify the number of detonations you want VMRay to perform for
jobs the submission. If you specify a number greater than 1, VMRay
performs the detonations on different platforms. A Sandbox Report is
created on ThreatStream for each detonation that returns results.
The following Sandbox Search request returns a list of detonated files for a submission tagged with
archive_detonation_2021-02-15:
curl 'https://api.threatstream.com/api/v1/submit/search/?q=archive_detonation_
2021-02-15' -H 'Authorization: apikey <username>:<api_key>'
See "Sandbox" on page 73 for more information on the Sandbox Search API.
Response
The response contains following attributes.
Attribute Description
success Whether the submission was successful or not. Possible values: true, false
reports Provides a report of the denotation. The following specifics are contained in the
report:
l status
l End point that provides the detonation status
l detail
l End point where the detonation report is located
Examples
Note: If you plan on cutting and pasting the following examples, be sure to remove any spaces
that are introduced in places where lines wrap in the document.
sandbox=true -F report_radio-notes="Credential-Exposure,compromised_email" -
H 'Authorization: apikey <username>:<api_key>'
5. To submit a password protected file whose password is "infected" to the Joe Sandbox service:
Sandbox Search
To search for submissions your organization has made to the ThreatStream sandbox.
Request
/api/v1/submit/search/
Request Attribute
l vendor
l platform
l status
l result
l notes (tags)
Example
To search for sandbox detonations using a keyword:
curl 'https://api.threatstream.com/api/v1/submit/search/?q=<keyword>' -H
'Authorization: apikey <username>:<api_key>'
ThreatStream provides multiple methods for retrieving threat intelligence. Use the following criteria to
determine which method is appropriate for your needs:
Downloading small intelligence sets on an ad- Use the Intelligence API. See "Intelligence" on
hoc basis. page 40 for more information.
You can set filters to specify criteria by which intelligence should be retrieved, as described in the
table below.
Note: Your organization can have no more than three snapshot processes running at once.
Request
/api/v1/snapshot/
For example,
filter Filter string to use as the search criteria for the intelligence.
whitelist Only include indicators that match the specified fields and
values.
Examples:
Notes:
blacklist Exclude indicators that match the specified fields and values.
Examples:
Notes:
field_whitelist Include only these fields in the results. Remove all other fields.
Notes:
field_blacklist Exclude these fields from the records that are returned.
Notes:
chunk_size Size of the snapshot file, in KB or MB. Specify the file size for the
snapshot file using this attribute.
Response
Format: CSV, JSON, or STIX
id integer "lt", "lte", "gt", "gte" A unique identifier for the snapshot.
location string Not available for filtering Location header that specifies the
URL to use for checking the status of
snapshot creation and downloading
the snapshot files.
resource_uri string Not available for filtering URI for the snapshot on ThreatStream.
snapshot_ts datetime "lt", "lte", "gt", "gte" Timestamp when the snapshot was
started on ThreatStream.
status string Not available for filtering Status of snapshot creation. Status is
"inprogress" when snapshot files are
being created. Once all files have been
created, the Status is "completed".
Status may be "errors" if the snapshot
creation failed for any reason.
Example
To obtain a full snapshot, in JSON format, in 1 MB chunks, that meets the specified criteria:
The Location header contains the ID of the snapshot. In the above example,
https://api.threatstream.com/api/v1/snapshot/2/, 2 is the snapshot ID. Use this ID when making
HTTP GET requests to retrieve the snapshot. If the snapshot contains multiple files, the HTTP GET
response will contain URLs of all the files along with the Status. If all files could not be retrieved with
one HTTP GET request, Status will be "inprogress". Continue to make requests until all files have
been retrieved. Once all files have been retrieved, the Status will change to "completed".
Output Sample
The calls to the status URL will return JSON and STIX output similar to the following:
{
"status":"inprogress",
"files":[
{
"download_url":"https://<download_URL_1>",
"sha256":"<SHA-256 sum of the file to be downloaded>",
"total_count":<count>
},
{
"download_url":"https://<download_URL_2>",
"sha256":"<SHA-256 sum of the file to be downloaded>",
"total_count":<count>
}
]
}
Error Codes
If the snapshot creation process fails, HTTP status codes reflect the reason for failure.
Request
/api/v1/ssohistory/
Response
Format: JSON
Attributes
Attribute Description
Attribute Description
user_email Email address of the ThreatStream user associated with the logged action.
Example
Request:
curl "https://api.threatstream.com/api/v1/ssohistory/" -H 'Authorization: apikey
<username>:<api_key>'
Response:
{
"action": "Login Attempt",
"deployment_type": "OnPrem",
"id": 1000000019,
"idp": "adfs-onprem",
"resource_uri": "/api/v1/ssohistory/1000000019/",
"ts": "2020-10-01T10:07:23.916639",
"user_email": "example@test.net"
}
You can also create and associate threat bulletins in the Threat Model and associate them with all
Threat Model entities. See "Managing Threat Model Associations " on page 154for more information.
You can manage tags of Threat Model entities in bulk. See "Threat Model Entity Tags in Bulk" on
page 162 for more information.
Actors 97
Campaigns 113
Incidents 119
Malware 124
Signatures 133
Tipreport 138
Vulnerabilities 149
Request
/api/v1/threat_model_search/
Response
Format: JSON
Ordering of attributes: By default, attributes are sorted by the modified_ts attribute, in descending
order.
Attributes
circles string Not available for filtering. Trusted circles with which the actor
is shared.
created_ts date "exact", "lt", "lte", "gte", Time stamp of when the entity was
"gt" created on ThreatStream, in UTC
format.
end_date date "exact", "lt", "lte", "gte", Time when a campaign was known
"gt" to have ended.
Default: False
modified_ts date "exact", "lt", "lte", "gte", Time stamp of when the entity was
"gt" last updated on ThreatStream, in
UTC format.
organization string Not available for filtering. Organization that owns the entity.
owner_user string Not available for filtering. ThreatStream user that created the
entity.
published_ts datetime "exact", "lt", "lte", "gte", Time stamp of when the entity was
"gt" published on ThreatStream, in UTC
format.
l Bro
l Carbon+Black+Query
l ClamAV
l Custom
l CybOX
l OpenIOC
l RSA+NetWitness
l Snort
l Splunk+Query
l Suricata
l YARA
source_created datetime "exact", "lt", "lte", "gte", Time stamp of when the entity was
"gt" created by its original source.
source_modified datetime "exact", "lt", "lte", "gte", Time stamp of when the entity was
"gt" last updated by its original source.
start_date date "exact", "lt", "lte", "gte", Time when a campaign was known
"gt" to have started.
Infrastructure: Aliases,
Description, Name, Tags
Vulnerabilities: Aliases,
Description, Name, Tags
Examples
As Intelligence API calls can yield large numbers of results, the following examples use the limit
attribute to limit the number of results displayed in an API call.
By default, if the limit parameter is not specified, 20 records are fetched at a time. However, when
limit=0, a maximum of 1000 the total records that meet the query are fetched.
1. To retrieve the 100 most recently modified Threat Model entities in ThreatStream:
curl 'https://api.threatstream.com/api/v1/threat_model_search/?limit=100' -H
'Authorization: apikey <username>:<api_key>'
2. To retrieve the 10 most recently modified Threat Model entities from a feed whose ID is 72:
curl 'https://api.threatstream.com/api/v1/threat_model_
search/?limit=10&feed_id=72' -H 'Authorization: apikey <username>:<api_key>'
3. To retrieve the 20 (default) most recently modified Threat Model entities tagged with "malware"
and "community-threat-briefing":
curl 'https://api.threatstream.com/api/v1/threat_model_
search/?tags.name=malware,community-threat-briefing' -H 'Authorization:
apikey <username>:<api_key>'
4. To retrieve the 20 (default) most recently modified Threat Model entities that are shared with a
trusted circle whose ID is 20:
curl 'https://api.threatstream.com/api/v1/threat_model_search/?trusted_
circle_ids=20' -H 'Authorization: apikey <username>:<api_key>'
5. To retrieve the 20 (default) most recently modified Threat Model entities that are assigned the
TLP setting red:
curl 'https://api.threatstream.com/api/v1/threat_model_search/?tlp=red' -H
'Authorization: apikey <username>:<api_key>'
6. To retrieve a list of actors (20 by default if the limit parameter is not specified):
curl 'https://api.threatstream.com/api/v1/threat_model_search/?model_
type=actor' -H 'Authorization: apikey <username>:<api_key>'
curl 'https://api.threatstream.com/api/v1/threat_model_search/?model_
type=actor&name=Fancy Bear' -H 'Authorization: apikey <username>:<api_key>'
8. To retrieve the 20 (default) most recently modified campaigns in "new" publication status:
curl 'https://api.threatstream.com/api/v1/threat_model_search/?model_
type=campaign&publication_status=new' -H 'Authorization: apikey
<username>:<api_key>'
curl 'https://api.threatstream.com/api/v1/threat_model_search/?model_
type=signature&signature$type=Snort' -H 'Authorization: apikey
<username>:<api_key>'
10. To retrieve the 20 (default) most recently modified actors and signatures of the signature type
CybOX:
curl 'https://api.threatstream.com/api/v1/threat_model_search/?model_
type=signature,actor&signature$type=CybOX' -H 'Authorization: apikey
<username>:<api_key>'
11. (Only on ThreatStream OnPrem) To retrieve the 100 most recently modified Threat Model
entities from ThreatStream Cloud:
curl 'https://<ThreatStream_OnPrem_IP_or_FQDN>/api/v1/threat_model_
search/?limit=100&remote_api=true' -H 'Authorization: apikey
<username>:<api_key>'
12. (Only on ThreatStream OnPrem) To retrieve a list of actors (20 by default if the limit parameter is
not specified) from ThreatStream Cloud:
curl 'https://<ThreatStream_OnPrem_IP_or_FQDN>/api/v1/threat_model_
search/?model_type=actor&remote_api=true' -H 'Authorization: apikey
<username>:<api_key>'
Actors
To create, update, or retrieve actors from the ThreatStream platform.
Request
/api/v1/actor/
For example,
GET /api/v1/threat_model_search/?model_
type=actor
GET /api/v1/actor/associated_with_
intelligence/?ids={comma_separated_id_list}
For example,
GET /api/v1/actor/associated_with_
intelligence/?value=google.com returns all actors
who are associated with google.com.
Response
Format: JSON
Notes
l Attributes with "related" data type return 0 to N number of values. For example, if a Threat Model
entity belongs to more than one trusted circle, both will be returned.
l For information on limiting results and returning large datasets while mitigating performance
impacts, see "Limiting Results" on page 8
Attributes
circles related (see item IDs of the trusted circles with which the actor is
1 in "Notes" on shared.
the previous
page)
intelligence related (see item Indicators associated with the actor on the
1 in "Notes" on ThreatStream platform.
the previous
When creating an actor, specify the indicator ID.
page)
See "Intelligence" on page 40.
Default: False
True—actor is a team
False—actor is an individual
Default: False
modified_ts datetime Time stamp of when the actor was last updated on
ThreatStream, in UTC format.
For example,
GET /api/v1/actor/{id}/?skip_
associations=true
For example,
GET /api/v1/actor/{id}/?skip_
intelligence=true
source_created datetime Time stamp of when the actor was created by its
original source.
source_modified datetime Time stamp of when the actor was last updated by
its original source.
start_date datetime Specify the time when this actor was first known to
be active.
ttps related (see item TTP (Threat Bulletins) associated with the actor.
1 in "Notes" on
When creating an actor, specify the TTP ID. See
page 98)
"TTPs (Tactics, Techniques, and Procedures)" on
page 144.
victims related (see item Victim type associated with the actor.
1 in "Notes" on
When creating an actor, specify the ID of the Victim
page 98)
type. To obtain a list of Victim types, make an
API call to /api/v1/victimtype/.
Examples
curl --request PATCH --data '{"name": "another test actor", "tlp": "orange",
"victims": [13]}' "https://api.threatstream.com/api/v1/actor/223/" -H
'Authorization: apikey <username>:<api_key>' -H "Content-
Type:application/json"
curl "https://api.threatstream.com/api/v1/actor/?limit=10" -H
'Authorization: apikey <username>:<api_key>'
4. To create a private actor and set Victim IDs to 13 (for "Health Care") and 15 (for "Insurance"):
curl --request POST --data '{"name": "test actor", "tlp": "red", "tags":
["bad actor", "dummy tag"], "victims": [13, 15], "publication_status":
"published"}' "https://api.threatstream.com/api/v1/actor/" -H
'Authorization: apikey <username>:<api_key>' -H "Content-
Type:application/json"
curl "https://<ThreatStream_OnPrem_IP_or_FQDN>/api/v1/actor/253/?remote_
api=true" -H 'Authorization: apikey <username>:<api_key>'
6. (Only on ThreatStream OnPrem) To skip associations when retrieving details of a local actor
with ID 234678:
curl "https://<ThreatStream_OnPrem_IP_or_FQDN>/api/v1/actor/234678/?skip_
associations=true" -H 'Authorization: apikey <username>:<api_key>'
Attack Patterns
To create, update, or retrieve attack pattern entities from the ThreatStream platform.
Request
/api/v1/attackpattern/
For example,
GET /api/v1/threat_model_search/?model_
type=atackpattern
For example,
GET /api/v1/attackpattern/associated_with_
intelligence/?value=google.com returns all
attack patterns that are associated with google.com.
Response
Format: JSON
Notes
l Attributes with "related" data type return 0 to N number of values. For example, if a Threat Model
entity belongs to more than one trusted circle, both will be returned.
l For information on limiting results and returning large datasets while mitigating performance
impacts, see "Limiting Results" on page 8
Attributes
actors related (see item Actors associated with the attack pattern.
1 in "Notes"
When creating an attack pattern, specify the
above)
Actor ID. See "Actors " on page 97.
attackpatterns related (see item Attack pattern entities associated with the attack
1 in "Notes" pattern.
above)
body_content_type string Format used for the body text of the description:
markdown or richtext
Default: markdown
campaigns related (see item Campaigns associated with the attack pattern.
1 in "Notes"
When creating an attack pattern, specify the
above)
Campaign ID. See "Campaigns" on page 113.
can_add_public_tags boolean Indicator for whether a user can add public tags
to an attack pattern.
circles related (see item All Trusted Circles to which the attack pattern
1 in "Notes" belongs.
above)
courseofaction related (see item Course of action entities associated with the
1 in "Notes" attack pattern.
above)
When creating an attack pattern, specify the
Course of Action ID.
external_references related (see item Information about the references associated with
1 in "Notes" on the attack pattern.
the previous
page)
identities related (see item Identities associated with the attack pattern.
1 in "Notes" on
When creating an attack pattern, specify the
the previous
Identity ID.
page)
incidents related (see item Incidents associated with the attack pattern.
1 in "Notes" on
When creating an attack pattern, specify the
the previous
Incident ID.
page)
infrastructure related (see item Infrastructure entities associated with the attack
1 in "Notes" on pattern.
the previous
When creating an attack pattern, specify the
page)
Infrastructure ID.
intelligence related (see item Indicators associated with the attack pattern on
1 in "Notes" on the ThreatStream platform.
page 105)
When creating an attack pattern, specify the
indicator ID. See "Intelligence" on page 40.
intelligence_initiatives related (see item Intelligence Initiatives associated with the attack
1 in "Notes" on pattern.
page 105)
Note: This attribute is returned in the
response to a GET call and is set an
intelligence source; it cannot be configured.
intrusionsets related (see item Intrusion sets associated with the attack pattern.
1 in "Notes" on
When creating an attack pattern, specify the
page 105)
Instrusion Set ID.
Default: False
malwares related (see item Malware entities associated with the attack
1 in "Notes" on pattern.
page 105)
owner_user array of strings Information about the user that created the entity
on ThreatStream.
signatures related (see item Signatures associated with the attack pattern.
1 in "Notes" on
When creating an attack pattern, specify the
page 105)
Signature ID. See "Signatures" on page 133.
For example,
GET /api/v1/atackpattern/{id}/?skip_
associations=true
For example,
GET /api/v1/attackpattern/{id}/?skip_
intelligence=true
source_modified datetime Time stamp of when the attack pattern was last
modified by the source, in UTC format.
starred_total_count integer How many times the attack pattern was starred
by all users.
tags_v2 related (see item Additional information on the tags assigned to the
1 in "Notes" on attack pattern.
page 105)
tipreports related (see item Threat bulletins associated with the attack
1 in "Notes" on pattern.
page 105)
When creating an attack pattern, specify the ID of
the threat bulletin.
tools related (see item Tools associated with the attack pattern.
1 in "Notes" on
page 105)
ttps related (see item TTP (Threat Bulletins) associated with the attack
1 in "Notes" on pattern.
page 105)
When creating an attack pattern, specify the
TTP ID. See "TTPs (Tactics, Techniques, and
Procedures)" on page 144.
votes array of integers How many times the users voted for the attack
pattern.
vulnerability related (see item Vulnerabilities associated with the attack pattern.
1 in "Notes" on
When creating an attack pattern, specify the ID of
page 105)
the vulnerability.
watched_total_count integer How many users are watching the attack pattern.
Examples
1. To create a private attack pattern entity that is associated with a TTP whose ID is 63:
curl --request POST --data '{"name": "dummy test attack pattern", "tlp":
"red", "tags": ["attack pattern", "example tag"], "ttps": [63]}'
"https://api.threatstream.com/api/v1/attackpattern/" -H 'Authorization:
apikey <username>:<api_key>' -H "Content-Type:application/json"
curl --request PATCH --data '{"name": "another dummy test attack pattern",
"tlp": "orange"}' "https://api.threatstream.com/api/v1/attackpattern/27/" -H
'Authorization: apikey <username>:<api_key>' -H "Content-
Type:application/json"
curl "https://api.threatstream.com/api/v1/attackpattern/27/" -H
'Authorization: apikey <username>:<api_key>'
curl "https://api.threatstream.com/api/v1/attackpattern/?limit=10" -H
'Authorization: apikey <username>:<api_key>'
5. (Only on ThreatStream OnPrem) To get details of a remote attack patten whose ID is 28:
curl "https://<ThreatStream_OnPrem_IP_or_
FQDN>/api/v1/attackpattern/28/?remote_api=true" -H 'Authorization: apikey
<username>:<api_key>'
6. (Only on ThreatStream OnPrem) To skip associations when retrieving details of a local attack
pattern with ID 234678:
curl "https://<ThreatStream_OnPrem_IP_or_
FQDN>/api/v1/attackpattern/234678/?skip_associations=true" -H
'Authorization: apikey <username>:<api_key>'
Campaigns
To create, update or retrieve existing campaigns from the ThreatStream platform.
Request
/api/v1/campaign/
For example,
GET /api/v1/threat_model_search/?model_
type=campaign
For example,
GET /api/v1/campaign/associated_with_
intelligence/?value=google.com returns all
campaigns that are associated with google.com.
Response
Format: JSON
Notes
l Attributes with "related" data type return 0 to N number of values. For example, if a Threat Model
entity belongs to more than one trusted circle, both will be returned.
l For information on limiting results and returning large datasets while mitigating performance
impacts, see "Limiting Results" on page 8
Attributes
description string The free-form text associated with the campaign (as specified
in the Description field in the UI).
end_date datetime Specify the time when this campaign is known to have ended.
Default: False
limit numeric The limit variable controls the number of results returned
every time an API call is made; the total number of results may
be much larger than returned in one API call.
modified_ts datetime Time stamp of when the campaign was last updated on
ThreatStream, in UTC format.
For example,
GET /api/v1/campaign/{id}/?skip_associations=true
For example,
GET /api/v1/campaign/{id}/?skip_intelligence=true
source_created datetime Time stamp of when the campaign was created by its original
source.
source_modified datetime Time stamp of when the campaign was last updated by its
original source.
start_date datetime Specify the time when this campaign was first known to be
active.
Examples
curl --request POST --data '{"name": "dummy test campaign", "tlp": "red",
"tags": ["big campaign", "dummy tag"], "intelligence": [165546],
"publication_status": "published"}'
"https://api.threatstream.com/api/v1/campaign/" -H "Content-
Type:application/json" -H 'Authorization: apikey <username>:<api_key>'
curl --request PATCH --data '{"name": "another dummy test campaign", "tlp":
"orange"}' "https://api.threatstream.com/api/v1/campaign/1062/" -H "Content-
Type:application/json" -H 'Authorization: apikey <username>:<api_key>'
curl "https://api.threatstream.com/api/v1/campaign/?limit=10" -H
'Authorization: apikey <username>:<api_key>'
5. (Only on ThreatStream OnPrem) To get the detail of a remote campaign whose ID is 1063:
curl "https://<ThreatStream_OnPrem_IP_or_FQDN>/api/v1/campaign/1063/?remote_
api=true" -H 'Authorization: apikey <username>:<api_key>'
curl "https://<ThreatStream_OnPrem_IP_or_FQDN>/api/v1/campaign/234678/?skip_
associations=true" -H 'Authorization: apikey <username>:<api_key>
Incidents
To create, update, or retrieve incidents from from the ThreatStream platform.
Request
/api/v1/incident/
For example,
GET /api/v1/threat_model_search/?model_
type=incident
GET /api/v1/incident/associated_with_
intelligence/?ids={comma_separated_id_list}
For example,
GET /api/v1/incident/associated_with_
intelligence/?value=google.com returns all
incidents that are associated with google.com.
Response
Format: JSON
Notes
l Attributes with "related" data type return 0 to N number of values. For example, if a Threat Model
entity belongs to more than one trusted circle, both will be returned.
l For information on limiting results and returning large datasets while mitigating performance
impacts, see "Limiting Results" on page 8
Attributes
created_ts datetime Time stamp of when the incident was created on ThreatStream,
in UTC format.
description string The free-form text associated with the incident (as specified in
the Description field in the UI).
end_date datetime Specify the time when this incident is known to have ended.
Default: False
limit numeric The limit variable controls the number of results returned every
time an API call is made; the total number of results may be much
larger than returned in one API call.
modified_ts datetime Time stamp of when the incident was last updated on
ThreatStream, in UTC format.
For example,
GET /api/v1/incident/{id}/?skip_associations=true
For example,
GET /api/v1/incident/{id}/?skip_intelligence=true
source_created datetime Time stamp of when the incident was created by its original
source.
source_modified datetime Time stamp of when the incident was last updated by its original
source.
start_date datetime Specify the time when this incident was first known to be active.
status_desc string Free-form text associated with the status of the incident (as
specified in the Description field in the UI)
tlp string Traffic Light Protocol designation for the incident—red, amber,
green, white.
Examples
1. To create a private incident with status Open and associated with TTP whose ID is 63:
curl --request POST --data '{"name": "dummy test incident", "tlp": "red",
"tags": ["big incident", "dummy tag"], "ttps": [63], "status": 2, "status_
desc": "this is an open incident"}'
"https://api.threatstream.com/api/v1/incident/" -H 'Authorization: apikey
<username>:<api_key>' -H "Content-Type:application/json"
curl --request PATCH --data '{"name": "another dummy test incident", "tlp":
"orange", "status": 7, "status_desc": "this incident is closed"}'
"https://api.threatstream.com/api/v1/incident/79/" -H "Content-
Type:application/json" -H 'Authorization: apikey <username>:<api_key>'
curl "https://api.threatstream.com/api/v1/incident/?limit=10" -H
'Authorization: apikey <username>:<api_key>'
5. (Only on ThreatStream OnPrem) To get the detail of a remote incident whose ID is 80:
curl "https://<ThreatStream_OnPrem_IP_or_FQDN>/api/v1/incident/80/?remote_
api=true" -H 'Authorization: apikey <username>:<api_key>'
6. (Only on ThreatStream OnPrem) To skip associations when retrieving details of a local incident
with ID 12345:
curl "https://<ThreatStream_OnPrem_IP_or_FQDN>/api/v1/incident/12345/?skip_
associations=true" -H 'Authorization: apikey <username>:<api_key>'
Malware
To create, update, or retrieve malware entities from the ThreatStream platform.
Request
/api/v1/malware/
For example,
GET /api/v1/threat_model_search/?model_
type=malware
For example,
GET /api/v1/malware/associated_with_
intelligence/?value=google.com returns all
malware that are associated with google.com.
Response
Format: JSON
Notes
l Attributes with "related" data type return 0 to N number of values. For example, if a Threat Model
entity belongs to more than one trusted circle, both will be returned.
l For information on limiting results and returning large datasets while mitigating performance
impacts, see "Limiting Results" on page 8
Attributes
body_content_type string Format used for the body text of the description: markdown or
richtext
Default: markdown
description string The free-form text associated with the malware (as specified in
the Description field in the UI).
feed_id string Numeric ID of the threat feed that provided the Threat Model
entity.
first_seen datetime Time stamp of when the malware was first observed, in UTC
format.
is_anonymous boolean Whether the threat bulletin user and organization information is
anonymized.
Default: False
last seen datetime Time stamp of when the malware was last observed, in UTC
format.
modified_ts datetime Time stamp of when the malware was last updated on
ThreatStream, in UTC format.
organization string Information about the organization that created the entity on
ThreatStream.
owner_user string Information about the user that created the entity on
ThreatStream.
For example,
GET /api/v1/malware/{id}/?skip_associations=true
For example,
GET /api/v1/malware/{id}/?skip_intelligence=true
source_created datetime Time stamp of when the malware was originally created by the
source, in UTC format.
source_modified datetime Time stamp of when the malware was last modified by the
source, in UTC format.
tlp string Traffic Light Protocol designation for the malware—red, amber,
green, white.
Examples
1. To create a private malware entity that is associated with a TTP whose ID is 63:
curl --request POST --data '{"name": "dummy test malware", "tlp": "red",
"tags": ["malware", "example tag"], "ttps": [63], "is_family": false,
"malware_types": ["screen-capture"]}'
"https://api.threatstream.com/api/v1/malware/" -H 'Authorization: apikey
<username>:<api_key>' -H "Content-Type:application/json"
curl --request PATCH --data '{"name": "another dummy test malware", "tlp":
"orange"}' "https://api.threatstream.com/api/v1/malware/79/" -H
'Authorization: apikey <username>:<api_key>' -H "Content-
Type:application/json"
curl "https://api.threatstream.com/api/v1/malware/?limit=10" -H
'Authorization: apikey <username>:<api_key>'
5. (Only on ThreatStream OnPrem) To get the detail of a remote malware entity whose ID is 80:
curl "https://<ThreatStream_OnPrem_IP_or_FQDN>/api/v1/malware/80/?remote_
api=true" -H 'Authorization: apikey <username>:<api_key>'
6. (Only on ThreatStream OnPrem) To skip associations when retrieving details of a local malware
entity with ID 123456:
curl "https://<ThreatStream_OnPrem_IP_or_FQDN>/api/v1/malware/123456/?skip_
associations=true" -H 'Authorization: apikey <username>:<api_key>'
Signatures
To create, update or retrieve signatures from the ThreatStream platform.
Request
/api/v1/signature/
For example,
GET /api/v1/threat_model_search/?model_
type=signature
GET /api/v1/signature/associated_with_
intelligence/?ids={comma_separated_id_
list}
For example,
GET /api/v1/signature/associated_with_
intelligence/?value=google.com returns all
Signatures that are associated with google.com.
Response
Format: JSON
Notes
l Attributes with "related" data type return 0 to N number of values. For example, if a Threat Model
entity belongs to more than one trusted circle, both will be returned.
l For information on limiting results and returning large datasets while mitigating performance
impacts, see "Limiting Results" on page 8
Attributes
created_ts datetime Time stamp of when the signature was created on ThreatStream,
in UTC format.
Default: False
limit numeric The limit variable controls the number of results returned every
time an API call is made; the total number of results may be much
larger than returned in one API call.
modified_ts datetime Time stamp of when the signature was last updated on
ThreatStream, in UTC format.
notes string Free-form text description and any other significant information
about the signature.
For example,
GET /api/v1/signature/{id}/?skip_associations=true
For example,
GET /api/v1/signature/{id}/?skip_intelligence=true
source_created datetime Time stamp of when the signature was created by its original
source.
source_modified datetime Time stamp of when the signature was last updated by its original
source.
tlp string Traffic Light Protocol designation for the signature—red, amber,
green, white.
Examples
curl --request POST --data '{"name": "dummy test signature", "tlp": "red",
"s_type": 3, "tags": ["big signature", "dummy tag"], "intelligence":
[165546], "publication_status": "published", "notes": "the definition of
this CybOX signature"}' "https://api.threatstream.com/api/v1/signature/" -H
"Content-Type:application/json" -H 'Authorization: apikey <username>:<api_
key>'
curl --request PATCH --data '{"name": "another dummy test signature", "tlp":
"orange"}' "https://api.threatstream.com/api/v1/signature/10/" -H
'Authorization: apikey <username>:<api_key>' -H "Content-
Type:application/json"
curl "https://api.threatstream.com/api/v1/signature/?limit=10" -H
'Authorization: apikey <username>:<api_key>'
5. (Only on ThreatStream OnPrem) To get the detail of a remote signature whose ID is 11:
curl "https://<ThreatStream_OnPrem_IP_or_FQDN>/api/v1/signature/11/?remote_
api=true" -H 'Authorization: apikey <username>:<api_key>'
curl "https://<ThreatStream_OnPrem_IP_or_
FQDN>/api/v1/signature/234678/?skip_associations=true" -H 'Authorization:
apikey <username>:<api_key>'
Tipreport
To create, update or retrieve threat bulletins from the ThreatStream platform.
Request
/api/v1/tipreport/
For example,
GET /api/v1/threat_model_
search/?model_type=tipreport
GET
/api/v1/tipreport/234673/actor/
returns all actors associated with the
specified threat bulletin.
Get all revision history values associated with a threat GET /api/v1/tipreport/
bulletin, as shown in the History table in the user {id}/history
interface
Note: For information creating and removing associations between threat bulletins and other
threat model entities through the API, see "Managing Threat Model Associations " on page 154
Response
Format: JSON
Notes
l Attributes with "related" data type return 0 to N number of values. For example, if a Threat Model
entity belongs to more than one trusted circle, both will be returned.
l For information on limiting results and returning large datasets while mitigating performance
impacts, see "Limiting Results" on page 8
Attributes
body_content_type string Format used for the body text of the threat bulletin:
markdown or richtext
Default: markdown
body string Full text of the threat bulletin. Body text must be in
the format specified for body_content_type.
circles related (see item IDs of the trusted circles with which the threat
1 in "Notes" on bulletin is shared.
the previous
page)
comments related (see item Deprecated. Use the GET request to view
1 in "Notes" on comments associated with the threat bulletin.
the previous
page)
history related (see item Deprecated. Use the GET request to view history
1 in "Notes" on of the threat bulletin.
the previous
page)
import_sessions related(see item Import sessions associated with the threat bulletin.
1 in "Notes" on
Use this attribute if you need to associate a batch
the previous
of imported indicators. Provide Import Job ID from
page)
the Import UI page or use the import API to obtain
the job ID.
intelligence related (see item Observables associated with the threat bulletin.
1 in "Notes" on
Use this attribute to associate intelligence
page 139)
(indicators) available on ThreatStream through
means other than "import".
Default: False
sandbox_reports related (see item Sandbox reports associated with the threat
1 in "Notes" on bulletin.
page 139)
Obtain ID of the Sandbox report from the Sandbox
UI page.
For example,
GET /api/v1/tipreport/{id}/?skip_
associations=true
For example,
GET /api/v1/tipreport/{id}/?skip_
intelligence=true
source_modified datetime Time stamp of when the threat bulletin was last
updated by its original source.
Default: new
Examples
curl "https://api.threatstream.com/api/v1/tipreport/?limit=10"
2. To retrieve threat bulletins that were created since a specified date and time:
curl "https://api.threatstream.com/api/v1/tipreport/?created_ts__gte=2014-
10-02T20:44:35"
where <file_directory> is the directory of the file which you want to attach
7. (Only on ThreatStream OnPrem) To get the details of a remote threat bulletin whose ID is 12:
curl "https://<ThreatStream_OnPrem_IP_or_FQDN>/api/v1/tipreport/12/?remote_
api=true" -H 'Authorization: apikey <username>:<api_key>'
8. (Only on ThreatStream OnPrem) To skip associations when retrieving details of a local threat
bulletin with ID 234678:
9. curl "https://<ThreatStream_OnPrem_IP_or_
FQDN>/api/v1/tipreport/234678/?skip_associations=true" -H 'Authorization:
apikey <username>:<api_key>'
Request
/api/v1/ttp/
For example,
GET /api/v1/threat_model_search/?model_
type=ttp
GET /api/v1/ttp/associated_with_
intelligence/?ids={comma_separated_id_
list}
For example,
GET /api/v1/ttp/associated_with_
intelligence/?value=google.com returns all
TTPs that are associated with google.com.
Response
Format: JSON
Notes
l Attributes with "related" data type return 0 to N number of values. For example, if a Threat Model
entity belongs to more than one trusted circle, both will be returned.
l For information on limiting results and returning large datasets while mitigating performance
impacts, see "Limiting Results" on page 8
Attributes
created_ts datetime Time stamp of when the TTP was created on ThreatStream, in
UTC format.
description string The free-form text associated with the TTP (as specified in the
Description field in the UI).
intelligence related Indicators associated with the TTP on the ThreatStream platform.
(see item 1
When creating a TTP, specify the indicator ID. See "Intelligence"
in "Notes"
on page 40.
on the
previous
page)
Default: False
limit numeric The limit variable controls the number of results returned every
time an API call is made; the total number of results may be much
larger than returned in one API call.
modified_ts datetime Time stamp of when the TTP was last updated on ThreatStream,
in UTC format.
For example,
GET /api/v1/ttp/{id}/?skip_associations=true
For example,
GET /api/v1/ttp/{id}/?skip_intelligence=true
source_created datetime Time stamp of when the TTP was created by its original source.
source_modified datetime Time stamp of when the TTP was last updated by its original
source.
tlp string Traffic Light Protocol designation for the TTP—red, amber,
green, white.
Examples
1. To create a private TTP associated with an Indicator whose ID is 165546 and Signature whose
ID is 10:
curl --request POST --data '{"name": "dummy test ttp", "tlp": "red", "tags":
["big ttp", "dummy tag"], "intelligence": [165546], "signatures": [10],
"publication_status": "published"}'
"https://api.threatstream.com/api/v1/ttp/" -H 'Authorization: apikey
<username>:<api_key>' -H "Content-Type:application/json"
curl --request PATCH --data '{"name": "another dummy test ttp", "tlp":
"orange"}' "https://api.threatstream.com/api/v1/ttp/1774/" -H
'Authorization: apikey <username>:<api_key>' -H "Content-
Type:application/json"
curl "https://api.threatstream.com/api/v1/ttp/1774/?skip_
associations=true&skip_intelligence=true" -H 'Authorization: apikey
<username>:<api_key>'
curl "https://api.threatstream.com/api/v1/ttp/?limit=10&skip_
associations=true&skip_intelligence=true" -H 'Authorization: apikey
<username>:<api_key>'
5. (Only on ThreatStream OnPrem) To get the detail of a remote TTP whose ID is 1775:
curl "https://<ThreatStream_OnPrem_IP_or_FQDN>/api/v1/ttp/1775/?remote_
api=true" -H 'Authorization: apikey <username>:<api_key>'
6. (Only on ThreatStream OnPrem) To skip associations when retrieving details of a local TTP with
ID 234678:
curl "https://<ThreatStream_OnPrem_IP_or_FQDN>/api/v1/ttp/234678/?skip_
associations=true" -H 'Authorization: apikey <username>:<api_key>'
Vulnerabilities
To create, update, or retrieve vulnerabilities from the ThreatStream platform.
Request
/api/v1/vulnerability/
For example,
GET /api/v1/threat_model_search/?model_
type=vulnerability
GET /api/v1/vulnerability/associated_
with_intelligence/?ids={comma_separated_
id_list}
For example,
GET /api/v1/vulnerability/associated_
with_intelligence/?value=google.com
returns all vulnerabilites that are associated with
google.com.
Response
Format: JSON
Notes
l Attributes with "related" data type return 0 to N number of values. For example, if a Threat Model
entity belongs to more than one trusted circle, both will be returned.
l For information on limiting results and returning large datasets while mitigating performance
impacts, see "Limiting Results" on page 8
Attributes
description string Free-form text associated with the vulnerability (as specified in the
Description field in the UI).
Default: False
limit numeric The limit variable controls the number of results returned every
time an API call is made; the total number of results may be much
larger than returned in one API call.
modified_ts datetime Time stamp of when the vulnerability was last updated on
ThreatStream, in UTC format.
For example,
GET /api/v1/vulnerability/{id}/?skip_
associations=true
For example,
GET /api/v1/vulnerability/{id}/?skip_
intelligence=true
source_created datetime Time stamp of when the vulnerability was created by its original
source.
source_modified datetime Time stamp of when the vulnerability was last updated by its
original source.
Examples
curl "https://api.threatstream.com/api/v1/vulnerability/15/" -H
'Authorization: apikey <username>:<api_key>'
curl "https://api.threatstream.com/api/v1/vulnerability/?limit=10" -H
'Authorization: apikey <username>:<api_key>'
5. (Only on ThreatStream OnPrem) To get the details of a remote vulnerability whose ID is 16:
curl "https://<ThreatStream_OnPrem_IP_or_
FQDN>/api/v1/vulnerability/16/?remote_api=true" -H 'Authorization: apikey
<username>:<api_key>'
curl "https://<ThreatStream_OnPrem_IP_or_
FQDN>/api/v1/vulnerability/12345/?skip_associations=true" -H 'Authorization:
apikey <username>:<api_key>'
You can use the information in this section to add and remove Threat Model entity associations
through the API.
Bulk Add
To create associations between Threat Model entities on the ThreatStream platform.
Request
/api/v1/<entity_type>/<entity_id>/<associated_entity_type>/bulk_add/
where <entity_type> is the type of Threat Model entity on which you are adding the association
(actor, attackpattern, campaign, courseofaction, identity, infrastructure,
intrusionset, incident, malware, signature, tipreport (Threat Bulletin), tool, ttp,
vulnerability)
<entity_id> is the ID of the Threat Model entity on which you are adding the association
<associated_entity_type> is the type of Threat Model entity with which you are associating the
initial entity (actor, attackpattern, campaign, courseofaction, identity, infrastructure,
intrusionset, incident, malware, signature, tipreport (Threat Bulletin), tool, ttp,
vulnerability)
Attribute
Attribute Description
ids Unique IDs of the Threat Model entities or observables with which you are
associating the initial entity.
Example
To associate a threat bulletin whose ID is 744 with observables whose IDs are 54 and 67:
Bulk Remove
To remove associations between Threat Model entities on the ThreatStream platform.
Request
/api/v1/<entity_type>/<entity_id>/<associated_entity_type>/bulk_remove/
where <entity_type> is the type of Threat Model entity on which you are adding the association
(actor, attackpattern, campaign, courseofaction, identity, infrastructure,
intrusionset, incident, malware, signature, tipreport (Threat Bulletin), tool, ttp,
vulnerability)
<entity_id> is the ID of the Threat Model entity on which you are adding the association
<associated_entity_type> is the type of Threat Model entity with which you are associating the
initial entity (actor, attackpattern, campaign, courseofaction, identity, infrastructure,
intrusionset, incident, malware, signature, tipreport (Threat Bulletin), tool, ttp,
vulnerability)
Attribute
Attribute Description
ids Unique IDs of the Threat Model entities or observables with which you are
associating the initial entity.
Example
To remove an association between a TTP whose ID is 67 with a signature whose ID is 123:
Additionally, you can manage observable and threat model entity tags in bulk. See "Observable Tags
in Bulk" on the next page and "Threat Model Entity Tags in Bulk" on page 162 for more information.
Request
/api/v1/<entity_type>/<entity_id>/tag/
where <entity_type> is the type of threat model entity on which you are adding the tag (actor,
attackpattern, campaign, incident, intelligence (observables), malware, signature,
tipreport, ttp, or vulnerability)
<entity_id> is the ID of the threat model entity or tag on which you are adding the association
Attributes
Attribute Description
ids Unique IDs of the threat model entities or observables to which you are adding tags.
tags=[{“name”:"my_tag",“tlp”:"red"},{"name":"my_
tag2",“tlp”:"white"},{"name":"my_tag3"}]
Tag Attributes:
Default: white
In the example above, my_tag is private and my_tag2 and my_tag3 are public.
Examples
1. To add a private tag to an observable whose ID is 4744:
2. To add a public tag and a private tag to an actor whose ID is 35:
Attributes
Attribute Description
ids Unique IDs of the observables to which you are adding tags.
tags=[{“name”:"my_tag",“tlp”:"red"},{"name":"my_
tag2",“tlp”:"white"},{"name":"my_tag3"}]
Tag Attributes:
Default: white
In the example above, my_tag is private and my_tag2 and my_tag3 are public.
By default, you can manage up to 250 tags in bulk. If you need to manage up more
than 250 tags in bulk, see "Managing up to 10,000 Tags in Bulk" on the next page for
more information.
Example
To add a private tag to a set of observables whose IDs are 61, 52, 8, 50, 34:
curl --X POST --data '{"tags": [{"name": "test", "tlp": "red"}], "ids":[61, 52,
8, 50, 34]}' "https://api.threatstream.com/api/v2/intelligence/bulk_tagging/" --
H "Content-Type:application/json" -H 'Authorization: apikey <username>:<api_
key>'
Attributes
Attribute Description
ids Unique IDs of the observables from which you are removing tags.
tags=[{“name”:"my_tag",“tlp”:"red"},{"name":"my_
tag2",“tlp”:"white"},{"name":"my_tag3"}]
Tag Attributes:
Default: white
In the example above, my_tag is private and my_tag2 and my_tag3 are public.
By default, you can manage up to 250 tags in bulk. If you need to manage up more
than 250 tags in bulk, see "Managing up to 10,000 Tags in Bulk" below for more
information.
Example
To remove two tags from a set of observables whose IDs are 776 and 349:
curl --X PATCH --data '{"tags": [{"name": ["test", "tagB"]}], "ids":[776, 349]}'
"https://api.threatstream.com/api/v2/intelligence/bulk_remove_tags/" -H
'Authorization: apikey <username>:<api_key>' -H "Content-Type:application/json"
When you add or remove up to 10,000 tags in bulk, a job is created. Once the job is completed
successfully, you must get the results of the job to finish the procedure. You can create one job at a
time. Otherwise, making this API call will result in an error.
Request
1. /api/v2/intelligence/bulk_tagging/?async_result=true
This request requires that you specify payload in JSON format. Payload consists of the query
object that creates a dataset, and the list of tags to be added and/or removed from observables
in the dataset.
2. /api/v1/generic_async_result/<id>/
Payload Parameters
query object Payload object that specifies the dataset and has the
following parameters: q, limit, and order_by. The
parameters are described in this table below.
q string Parameter in the query object that filters out the observables
to which tags will be added or from which the tags will be
removed.
tags array of strings Tags that will be added to the selected observables.
remove_tags array of strings Tags that will be removed from the selected observables.
Example
1. To add a private my_tag to and remove a private my_tag2 from the active observables created
on a specific date and ordered by date of creation:
created_ts: "2022-11-01T21:10:56.008462"
id: <id>
modified_ts: "2022-11-01T21:10:56.008475"
path: "/api/v2/intelligence/bulk_tagging/"
resource_uri: "/api/vl/generic_async_result/<id>/"
response_status: null
status: "inprogress"
where <id> is the unique ID of the job. You will use this value to check the status of the job and
return the results after its completion.
2. To check the status of the job using the command listed for resource_uri:
created_ts: "2022-11-01T21:10:56.008462"
id: <id>
modified_ts: "2022-11-01T21:10:56.008475"
path: "/api/v2/intelligence/bulk_tagging/"
resource_uri: "/api/vl/generic_async_result/<id>/"
response_status: null
status: "inprogress"
response_status: 200
status: "done"
This indicates that the job is complete and ready to return the results.
curl "https://api.threatstream.com/api/v1/generic_async_result/<id>/get_
result/" -H 'Authorization: apikey <username>:<api_key>'
Request
/api/v1/<entity_type>/bulk_tagging/
where <entity_type> is the type of threat model entity on which you are adding the tag (actor,
attackpattern, campaign, incident, malware, signature, tipreport, ttp, or vulnerability.)
Attributes
Attribute Description
ids Unique IDs of the Threat Model entities to which you are adding tags.
By default, you can delete up to 25 tags in bulk from a threat model entity.
tags Tags that will be applied to the specified Threat Model entities.
tags=[{“name”:"my_tag",“tlp”:"red"},{"name":"my_
tag2",“tlp”:"white"},{"name":"my_tag3"}]
Tag Attributes:
Default: white
In the example above, my_tag is private and my_tag2 and my_tag3 are public.
Example
To add tags private_tag1, private_tag2, and public_tag to a set of actors whose IDs are 655,
2784, 2785 and to remove tag4 from these actors:
Request
/api/v1/orgadmin/
Attributes
can_import_ boolean Whether the user can push data from TAXII clients to your
to_taxii_inbox ThreatStream TAXII server.
can_see_api_ boolean Whether the user can access their dedicated ThreatStream API key
key on the My Profile tab within ThreatStream settings.
can_share_ boolean Whether the user can create intelligence shared with the Anomali
intelligence Community. This includes importing observables, creating Sandbox
Reports, as well as modifying tags and commenting on observables
and Sandbox Reports shared with the Anomali Community.
email string Email address of the user you want to add to your organization.
is_readonly boolean Whether the user should be restricted to Read Only status.
is_tfa_exempt boolean Whether the user is excluded from having to use multi-factor
authentication.
must_ boolean Force existing users to change their password the next time they
change_ login.
password
Response
The response contains all request attributes (except must_change_password) in addition to the
following attributes.
Attribute Description
avatar_s3_url URL for the avatar image associated with the user.
must_change_ Whether the user will be forced to change their password the next time they
password login.
name Name entered by the user on the My Profile tab within ThreatStream
Settings.
next_password_ Future timestamp when the user will be forced to change their password.
change_ts
nickname Nickname entered by the user on the Profile screen, accessible through the
ThreatStream menu.
Attribute Description
Examples
Note: The user whose username and API key is used in requests must have Org Admin
privileges.
If the user had any of the following privileges, they are automatically removed: can_share_
intelligence, can_import_to_taxii_inbox, can_approve_intel, or is_org_admin.
7. To unlock a user whose account has been locked due to successive failed login attempts and
whose ID is 123:
There are two types of user activity reports: UI activity reports (including actions taken from the
ThreatStream user interface) and API activity reports (including API requests made by users).
Returning user activity reports is a three part process. It involves generating a user activity report,
checking the status of the report, and returning the report after completion. See "Examples" on the
next page for more information on this multi-step process.
Request
Generate a user UI activity report GET /api/v1/useraction/
Attributes
created_ Date Beginning of the time range for which you want to generate the report.
ts__gte
Date must be specified in this format: YYYYMMDDThhmmss
where T denotes the start of the value for time, in UTC time.
created_ Date End of the time range for which you want to generate the report
ts__lte
Date must be specified in this format: YYYYMMDDThhmmss
where T denotes the start of the value for time, in UTC time.
Default: 20
user_id__ Numeric IDs of the users which you want to include in the report.
in
If you do not specify a user ID, results are returned for all organization
users.
Response
Format: CSV, JSON
Examples
Request:
1. To generate a user UI activity report for a single user, whose user ID is 56:
a. curl "https://optic.threatstream.com/api/v1/useraction/?async_
result=true&created_ts__gte=2019-10-09T00:00:00.000Z&created_ts__
lte=2019-10-10T23:59:59.999Z&format=csv&limit=1000&order_by=-created_
ts&user_id__in=56" -H 'Authorization: apikey <username>:<api_key>'
created_ts: "2020-08-07T21:05:11.501490",
id: <id>,
modified_ts: "2020-08-07T21:05:11.501505",
path: "/api/v1/useraction/",
resource_uri: "/api/v1/generic_async_result/<id>/",
response_status: null,
status: "inprogress"
where <id> is the unique ID of the export. You will use this value to check the status of the
export job and return the results after completion.
b. To check the status of the export using the command listed for resource_uri:
curl "https://optic.threatstream.com/api/v1/generic_async_result/<id>/"
-H 'Authorization: apikey <username>:<api_key>'
Results are returned similar to the following when the export job is in progress:
created_ts: "2020-08-07T22:31:21.358172"
id: <id>
modified_ts: "2020-08-07T22:31:21.597286"
path: "/api/v1/useraction/"
resource_uri: "/api/v1/generic_async_result/<id>/"
response_status: null
status: "inprogress"
response_status: 200
status: "done"
This indicates that the export job is complete and ready to return.
curl "https://optic.threatstream.com/api/v1/generic_async_
result/<id>/get_result/" -H 'Authorization: apikey <username>:<api_key>'
2. To generate a user API activity report for a single user, whose user ID is 56:
a. curl "https://optic.threatstream.com/api/v1/apiuseraction/?async_
result=true&created_ts__gte=2019-10-09T00:00:00.000Z&created_ts__
lte=2019-10-10T23:59:59.999Z&format=csv&limit=1000&order_by=-created_
ts&user_id__in=56" -H 'Authorization: apikey <username>:<api_key>'
created_ts: "2020-08-07T21:05:11.501490",
id: <id>,
modified_ts: "2020-08-07T21:05:11.501505",
path: "/api/v1/apiuseraction/",
resource_uri: "/api/v1/generic_async_result/<id>/",
response_status: null,
status: "inprogress"
where <id> is the unique ID of the export. You will use this value to check the status of the
export job and return the results after completion.
b. Check the status of the export using the command listed for resource_uri:
curl "https://optic.threatstream.com/api/v1/generic_async_result/<id>/"
-H 'Authorization: apikey <username>:<api_key>'
Results are returned similar to the following when the export job is in progress:
created_ts: "2020-08-07T22:31:21.358172"
id: <id>
modified_ts: "2020-08-07T22:31:21.597286"
path: "/api/v1/apiuseraction/"
resource_uri: "/api/v1/generic_async_result/<id>/"
response_status: null
status: "inprogress"
response_status: 200
status: "done"
This indicates that the export job is complete and ready to return.
curl "https://optic.threatstream.com/api/v1/generic_async_
result/<id>/get_result/" -H 'Authorization: apikey <username>:<api_key>'
a. curl "https://optic.threatstream.com/api/v1/useraction/?async_
result=true&created_ts__gte=2019-10-09T00:00:00.000Z&created_ts__
lte=2019-10-10T23:59:59.999Z&format=csv&limit=1000&order_by=-created_
ts" -H 'Authorization: apikey <username>:<api_key>'
created_ts: "2020-08-07T21:05:11.501490",
id: <id>,
modified_ts: "2020-08-07T21:05:11.501505",
path: "/api/v1/apiuseraction/",
resource_uri: "/api/v1/generic_async_result/<id>/",
response_status: null,
status: "inprogress"
where <id> is the unique ID of the export. You will use this value to check the status of the
export job and return the results after completion.
b. Check the status of the export using the command listed for resource_uri:
curl "https://optic.threatstream.com/api/v1/generic_async_result/<id>/"
-H 'Authorization: apikey <username>:<api_key>'
Results are returned similar to the following when the export job is in progress:
created_ts: "2020-08-07T22:31:21.358172"
id: <id>
modified_ts: "2020-08-07T22:31:21.597286"
path: "/api/v1/useraction/"
resource_uri: "/api/v1/generic_async_result/<id>/"
response_status: null
status: "inprogress"
response_status: 200
status: "done"
This indicates that the export job is complete and ready to return.
curl "https://optic.threatstream.com/api/v1/generic_async_
result/<id>/get_result/" -H 'Authorization: apikey <username>:<api_key>'
Request
/api/v1/orgwhitelist/
HTTP Methods:
Request Attributes
Attribute Definition
file Path to the CSV file containing the whitelist entries you want to add.
limit The limit variable controls the number of results returned every time an API call is
made; the total number of results may be much larger than returned in one API call.
If limit is not specified, 10 results are returned with each API call. Specifying
limit=0 will return up to a maximum of 1000 results (if available).
remove_ Whether you want to replace existing whitelist entries with the entries specified in
existing the request.
Default: false
Attribute Definition
Default: true
Whitelist Attributes
l The entries must be contained in a valid CSV file with the following header line:
value_type,value,notes.
l value_type must be specified for each entry. Possible types include domain,
email, ip, md5, url, user-agent, and cidr.
l value must be specified for each entry. Values must be valid entries based on
the specified type. For example, if you specify ip for type, the corresponding
value must be a valid IP address.
value_type,value,notes
domain,*wildcard-example.com,this is a valid domain
email,account@example.com,example note
ip,1.2.3.4,
md5,fe01ce2a7fbac8fafaed7c982a04e229,
url,http://example.com,
user-agent,myagent1,
cidr,192.0.2.0/24,
Response
Format: JSON
Response Attributes
Attribute Definition
Examples
1. To return a list of your 10 most recently added whitelist entries:
curl -X POST
'https://api.threatstream.com/api/v1/orgwhitelist/upload/?remove_
existing=false' -F "file=@whitelist.csv" -H 'Authorization: apikey
<username>:<api_key>'
value_type,value,notes
domain,*foo.wildcarddomain.com,some notes on foo
domain,*wildcarddomain.com,
email,test@email.com,
ip,8.8.8.8,notes on ip address
4. To replace your existing import whitelist with entries from a CSV file:
curl -X POST
'https://api.threatstream.com/api/v1/orgwhitelist/upload/?remove_
existing=true' -F "file=@whitelist.csv" -H 'Authorization: apikey
<username>:<api_key>'
curl -X GET
'https://api.threatstream.com/api/v1/orgwhitelist/?showNote=True&format=csv'
-H "Content-Type:application/json" -H 'Authorization: apikey
<username>:<api_key>'
curl -X GET
'https://api.threatstream.com/api/v1/orgwhitelist/?showNote=True&format=jso
n' -H "Content-Type:application/json" -H 'Authorization: apikey
<username>:<api_key>'
where <Entry_ID> is the ID associated with the whitelist entry you want to delete. To determine
the entry ID, execute return a list of your current whitelist entries and note the ID value
associated with the entry of interest.
where <Entry_ID> is the ID associated with the whitelist entry you want to modify. To determine
the entry ID, return a list of your current whitelist entries and note the ID value associated with
the entry of interest.
Notes:
- Private also includes Trusted Circles.
- classification is displayed as Visibility on the
ThreatStream user interface.
country String Two-letter ISO country code for the IP associated with the
observable. For example, US, CN, DE, and so on.
created_by String Email address of the user who submitted the import job
containing the observable.
created_ts Date UTC time stamp of when the observable was first created
in ThreatStream.
lat Numeric Latitude associated with the Geo location of the IP.
lon Numeric Longitude associated with the Geo location of the IP.
modified_ts Date UTC time stamp of when the observable was last updated
in ThreatStream.
org String Name of the business that owns the IP address associated
with the observable. For example, Comcast, Amazon, and
so on.
registrant_email String Email address of the person who registered the domain.
registration_ Date Time stamp of when the domain registration was last
modified_ts updated.
severity String Criticality associated with the threat feed that supplied the
observable.
source_created Date UTC time stamp of when the entity was created by its
original source.
source_modified Date UTC time stamp of when the entity was created by its
original source.
source_reported_ Numeric A risk score from 0 to 100, provided by the source of the
confidence observable.
trusted_circle_id String ID of the trusted circle with which the observable is shared.
The severity values listed in the table below represent the default severity values that Anomali
assigns to observables of a given indicator types. However, default values are not displayed in the
following cases:
2. When users modify the assigned value while editing observables that belong to their
organizations on ThreatStream
Notes:
- Observables assigned indicator types which display String in the Type column below are not
consumed by downstream integrations such as Anomali Match or those which receive
intelligence through ThreatStream Integrator. Additionally, string-type observables cannot be
cloned in ThreatStream.
- MD5 observables ingested from feeds are never made inactive by ThreatStream API.
However, MD5 observables imported through other means, such as the import assistant, adhere
to the expiration dates you set.
Example: itype="actor_ip"
Example: itype="actor_ipv6"
Example: itype="actor_subject"
Example: itype="adware_
domain"
Example: itype="adware_
registry_key"
Example: itype="anon_proxy"
Example: itype="anon_proxy_
ipv6"
Example: itype="anon_vpn"
Example: itype:"anon_vpn_ipv6"
Example: itype="apt_email"
Example: itype="apt_email_
subject_line"
apt_file_name APT File Name String Very-High Name of a file used by a known
Advanced Persistent Threat
(APT) actor.
Example: itype="apt_file_name"
Example: itype="apt_file_path"
Example: itype="apt_ip"
Example: itype="apt_ipv6"
apt_md5 APT File Hash Hash Very-High MD5 or SHA hash of a malware
sample used by a known
Advanced Persistent Threat
(APT) actor.
Example: itype="apt_md5"
Example: itype="apt_mta"
Example: itype="apt_mutex"
Example: itype="apt_registry_
key"
Example: itype="apt_service_
description"
Example: itype="apt_service_
displayname"
Example: itype="apt_service_
name"
Example: itype="apt_ssdeep"
apt_subject APT Subject Line String High Email subject line used by a
known Advanced Persistent
Threat (APT) actor.
Example: itype="apt_subject"
apt_ua APT User Agent String High User agent string used by a
known Advanced Persistent
Threat (APT) actor.
Example: itype="apt_ua"
Example: itype="bot_domain"
Example: itype="bot_ip"
Example: itype="bot_ipv6"
Example: itype="bot_md5"
Example: itype="bot_url"
Example: itype="browser_
extension_id"
Example: itype="brute_ip"
Example: itype="brute_ipv6"
Example: itype="c2_domain"
Example: itype="c2_ip"
Example: itype="c2_ipv6"
Example: itype="c2_url"
Example: itype="comm_proxy_
domain"
Example: itype="comm_proxy_
ip"
Example: itype="compromised_
domain"
Example: itype="compromised_
email"
Example: itype="compromised_
email_subject"
Example: itype="compromised_
ip"
Example: itype="compromised_
ipv6"
Example: itype="compromised_
serv_account"
Example: itype="compromised_
url"
Example: itype="compromised_
username"
Example: itype="crypto_hash"
Example: itype="crypto_ip"
Example: itype="crypto_url"
Example: itype="crypto_wallet"
Example: itype="ddos_ip"
Example: itype="ddos_ipv6"
Example: itype="disposable_
email_domain"
Example: itype="downloader_
domain"
Example: itype="downloader_
hash"
Example: itype="downloader_ip"
Example: itype="downloader_
ipv6"
Example: itype="downloader_url"
dyn_dns Dynamic DNS Domain Low Domain name used for hosting
Dynamic DNS services.
Example: itype="dyn_dns"
Example: itype="exfil_domain"
Example: itype="exfil_ip"
Example: itype="exfil_ipv6"
exfil_url Data Exfiltration URL High URL used for data exfiltration.
URL
Example: itype="exfil_url"
Example: itype="exploit_domain"
Example: itype="exploit_ip"
exploit_ipv6 Exploit Kit IPv6 IP High IPv6 address associated with the
web server hosting an exploit kit
or launching web-based exploits.
Example: itype="exploit_ipv6"
Example: itype="exploit_md5"
exploit_url Exploit Kit URL URL Very-High URL used for launching web-
based exploits.
Example: itype="exploit_url"
Example: itype="fraud_domain"
Example: itype="fraud_email"
Example: itype="fraud_ip"
Example: itype="fraud_email_
subject"
Example: itype="fraud_ipv6"
Example: itype="fraud_md5"
Example: itype="fraud_url"
Example: itype="free_email_
domain"
Example: itype="geolocation_url"
Example: itype="hack_tool"
hack_tool_md5 Hack Tool File Hash Very-High MD5 or SHA hash of general
Hash hacking software tools used by
threat actors.
Example: itype="hack_tool_md5"
Example: itype="i2p_ip"
Example: itype="i2p_ipv6"
Example: itype="image_hash"
Example: itype="infostealer_
domain"
Example: itype="infostealer_
hash"
Example: itype="infostealer_ip"
Example: itype="infostealer_
ipv6"
Example: itype="infostealer_url"
Example: itype="iot_domain"
Example: itype="iot_hash"
Example: itype="iot_ip"
Example: itype="iot_ipv6"
Example: itype="iot_url"
ipcheck_url IP Check URL URL Low URL that can be used to provide
IP checking services, such as
echoing the Internet facing IP
address of the client.
Example: itype="ipcheck_url"
Example: itype="mal_domain"
Example: itype="mal_email"
Example: itype="mal_ip"
Example: itype="mal_ipv6"
Example: itype="mal_md5"
Example: itype="mal_mutex"
Example: itype="mal_service_
description"
Example: itype="mal_service_
displayname"
mal_service_ Malware Service String Very-High Service name associated with the
name Name malware sample.
Example: itype="mal_service_
name"
Example: itype="mal_ssdeep"
Example: itype="mal_sslcert_
sha1"
Example: itype="mal_ua"
Example: itype="mal_url"
Example: itype="p2pcnc"
Example: itype="p2pcnc_ipv6"
Example: itype="parked_domain"
Example: itype="parked_ip"
Example: itype="parked_ipv6"
Example: itype="parked_url"
pastesite_url Paste Site URL URL Low URL that can be used for sharing
pastes or text content
anonymously.
Example: itype="pastesite_url"
Example: itype="phish_domain"
Example: itype="phish_email"
Example: itype="phish_email_
subject"
Example: itype="phish_ip"
Example: itype="phish_ipv6"
Example: itype="phish_md5"
Example: itype="phish_url"
pos_hash Point of Sale Hash High Malicious file hash targeting Point
Malicious File of Sales systems.
Hash
Example: itype="pos_hash"
Example: itype="pos_ip"
Example: itype="pos_ipv6"
Example: itype="pos_url"
Example: itype="proxy_ip"
Example: itype="proxy_ipv6"
Example: itype="ransomware_
domain"
Example: itype="ransomware_
hash"
Example: itype="ransomware_ip"
Example: itype="ransomware_
ipv6"
Example: itype="ransomware_
url"
rootkit_hash Rootkit File Hash Hash Very High File hash of rootkit malware that
provides root-level access to an
attacker.
Example: itype="rootkit_hash"
Example: itype="scan_ip"
Example: itype="scan_ipv6"
Example: itype="sinkhole_
domain"
Example: itype="sinkhole_ip"
Example: itype="sinkhole_ipv6"
Example: itype="social_media_
url"
Example: itype="spam_domain"
spam_email Spammer Email Email Low Email address that has been
Address observed sending SPAM emails.
Example: itype="spam_email"
Example: itype="spam_email_
subject"
Example: itype="spam_ip"
Example: itype="spam_ipv6"
Example: itype="spam_mta"
Example: itype="spam_url"
speedtest_url Speed Test URL URL Low URL that can be used to run
internet speed tests or bandwidth
measurements of the client's
network connection.
Example: itype="speedtest_url"
Example: itype="ssh_ip"
Example: itype="ssh_ipv6"
ssl_cert_serial_ SSL Certificate String Low Serial number unique to the TLS
number Serial Number certificate issuer that identifies
the entity being signed.
Example: itype="ssl_cert_serial_
number"
Default Severity: n/a
Example: itype="suppress"
Example: itype="suspicious_
domain"
Example: itype="suspicious_
email"
Example: itype="suspicious-
email_subject"
Example: itype="suspicious_ip"
Example: itype="suspicious_reg_
email"
Example: itype="suspicious_url"
Example: itype="tor_ip"
Example: itype="tor_ipv6"
torrent_tracker_ Torrent Tracker URL Low URL used for tracking bittorrent
url URL file transfer activity.
Example: itype="torrent_tracker_
url"
Example: itype="trojan_domain"
trojan_hash Trojan File Hash Hash High File hash associated with Trojan
malware that disguises as a
legitimate code or software.
Example: itype="trojan_hash"
Example: itype="trojan_ip"
Example: itype="trojan_ipv6"
Example: itype="trojan_url"
Example: itype="vpn_domain"
Example: itype="vps_ip"
Example: itype="vps_ipv6"
Example: itype="whois_bulk_
reg_email"
Example: itype="whois_privacy_
domain"
Example: itype="whois_privacy_
email"
Fraud
Indicator Data
Type Type Description
fraud_aba_ Numeric ABA number, also known as the routing number or routing transfer
num number
Associated
Threat Type Name Example Indicator Types
Associated
Threat Type Name Example Indicator Types
Associated
Threat Type Name Example Indicator Types
Associated
Threat Type Name Example Indicator Types
l Click contact the documentation team to send an email. If you have an email client configured on
this system, an email window will open with the following information in the subject line: