ThreatQ API (5.14.0)
Download OpenAPI specification:Download
Last Updated: 04/27/23
The ThreatQ API is built on REST principles and uses JSON as a data interchange format.
Base URI
All URIs referenced in this document use the following base: https://hostname/api/, where hostname is replaced with the hostname or ip address of your ThreatQ instance.
Request Format
The ThreatQ API supports the following HTTP verbs:
| Verb | Description |
|---|---|
| GET | GET requests retrieve resources. |
| POST | POST requests create resources. |
| PUT | PUT requests update resources. |
| DELETE | DELETE requests delete resources. |
Response Format
All responses are returned in JSON. The response is wrapped in a top level data envelope which is an object or array depending on whether a single item or a collection is returned. If a single item is returned, the data field will be an object. If a collection is returned, the field will be an array.
Response Codes
The ThreatQ API uses HTTP status codes to indicate the status of your request.
| Code | Description |
|---|---|
| 200 | Object was retrieved successfully. |
| 201 | Object was created successfully. |
| 204 | Object(s) were successfully deleted. |
| 400 | Validation failed (usually as the result of an incorrect request) |
| 401 | Access denied (authorization access token in the header was incorrect / out of date) |
| 403 | Access forbidden (usually as the result of a bad request) |
| 404 | Object not found |
Authentication
ThreatQ uses OAuth 2.0 to authenticate end users. You must have a ThreatQ user account to retrieve an API token. The API token is required for all API requests. The token does time out; therefore, you must periodically refresh the token.
Authorization workflow
Run a GET request to retrieve your client ID using the following format: https://hostname/assets/js/config.js
Run a POST/token request to retrieve your authorization access token. See POST/token in the Authorization section of this reference for the correct format.
Include the following parameters:
- grant_type (password)
- client-id (retrieved in step 1)
Example: https://hostname/api/token?grant_type=password&client_id=ab20a55dd9ac779246210d7102a45ee37
In the request body, include your ThreatQ credentials:
- password
Enter the access token as the authorization key in the header for all subsequent api requests.
OAuth2 Authentication
You must have a ThreatQ User account to retrieve an API token. The API token is required for all requests. The
token does time out; therefore, you must periodically refresh the token.
Before authentication is attempted,
the Client ID used should be retrieved via GET to <hostname>/assets/js/config.js.
NOTE: The Authorization header can be ignored as authentication has not occurred yet.
Authorizations:
Request Body schema: application/json
| grant_type | string The grant_type you are authenticating with. |
| client_id | string Client ID retrieved from GET ` |
string User's email | |
| password | string User's password |
Responses
Request samples
- Payload
{- "grant_type": "password",
- "client_id": "ngmwzmvkntc1owe4nmy0mjuyoda0nwq1",
- "email": "fMercury@threatq.com",
- "password": "****************"
}Response samples
- 200
- 400
- 503
{- "access_token": "AbCdEfGhIjKLm",
- "token_type": "bearer",
- "expires_in": 3599,
- "refresh_token": "NoPqRsTuVwXyZ"
}List Adversaries
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 54,
- "name": "Sad Panda",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Adversary
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| name | string Adversary Name |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Sad Panda"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 54,
- "name": "Sad Panda",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Adversary Consume
Authorizations:
Request Body schema: application/json
Array of objects (AdversaryFillable) Related Adversaries | |
| name | string Adversary Name |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| object_code | Array of integers Relate objects of other types by providing a list of IDs. Replace the 'object_code' property with
one of the options to relate objects of that type. |
Responses
Request samples
- Payload
[- {
- "adversaries": [
- {
- "name": "Sad Panda"
}
], - "name": "Sad Panda",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "object_code": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "name": "Sad Panda"
}
], - "total": 1
}Get Single Adversary
Authorizations:
path Parameters
| adversary_id required | integer Adversary ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Responses
Response samples
- 200
{- "data": {
- "id": 54,
- "name": "Sad Panda",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Adversary
Authorizations:
path Parameters
| adversary_id required | integer Adversary ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| name | string Adversary Name |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Sad Panda"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 54,
- "name": "Sad Panda",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Attribute Search
Get attributes matching the specified search query
Authorizations:
query Parameters
| query required | string Example: query=www.threatquotient.com
|
| limit | integer Default: 30 Example: limit=10
|
| with | string Default: "all" Example: with=indicators,malware
|
Responses
Response samples
- 200
{- "data": [
- {
- "object_attribute_id": 1,
- "type": "indicator",
- "object_id": 1,
- "attribute_id": 1,
- "value": "www.threatquotient.com"
}
]
}Tag Search
Get tags matching the specified search query
Authorizations:
query Parameters
| query required | string Example: query=www.threatquotient.com
|
| limit | integer Default: 30 Example: limit=10
|
| with | string Default: "all" Example: with=indicators,malware
|
Responses
Response samples
- 200
{- "data": [
- {
- "tag_id": 1,
- "object_id": 1,
- "type": "indicator",
- "name": "www.threatquotient.com"
}
]
}Object Search
Get objects matching the specified search query
Authorizations:
query Parameters
| query required | string Example: query=www.threatquotient.com
|
| limit | integer Default: 30 Example: limit=10
|
| with | string Default: "all" Example: with=indicators,malware
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 1,
- "type": "indicator",
- "value": "www.threatquotient.com"
}
]
}List Assets
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 68,
- "value": "MacBook Pro",
- "description": "Development machine",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Assets
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Asset Value |
| description | string Description for the Asset |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "MacBook Pro",
- "description": "Development machine"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 68,
- "value": "MacBook Pro",
- "description": "Development machine",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Assets Consume
Authorizations:
Request Body schema: application/json
Array of objects (AssetsFillable) Related Assets | |
| value | string Asset Value |
| description | string Description for the Asset |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| object_code | Array of integers Relate objects of other types by providing a list of IDs. Replace the 'object_code' property with
one of the options to relate objects of that type. |
Responses
Request samples
- Payload
[- {
- "asset": [
- {
- "value": "MacBook Pro",
- "description": "Development machine"
}
], - "value": "MacBook Pro",
- "description": "Development machine",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "object_code": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "value": "MacBook Pro",
- "description": "Development machine"
}
], - "total": 1
}Get Single Assets
Authorizations:
path Parameters
| asset_id required | integer Asset ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Responses
Response samples
- 200
{- "data": {
- "id": 68,
- "value": "MacBook Pro",
- "description": "Development machine",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Assets
Authorizations:
path Parameters
| asset_id required | integer Asset ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Asset Value |
| description | string Description for the Asset |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "MacBook Pro",
- "description": "Development machine"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 68,
- "value": "MacBook Pro",
- "description": "Development machine",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}List Attachments (Files)
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 72,
- "type_id": 14,
- "title": "malicious.exe",
- "name": "malicious.exe",
- "hash": "701505c38aa35d0c523b6e85bced420f",
- "content_type_id": 1,
- "description": "This file is malicious...",
- "file_size": 11300,
- "path": "6/5/247ebe955ec180c8568f9bbc1dbfd4",
- "malware_locked": 1,
- "placeholder": 1,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Attachment
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| type_id | integer Attachment (File) Type ID |
| title | string Attachment (File) Title |
| name | string Attachment (File) Name |
| hash | string Attachment (File) Hash (Unique Hash of File Contents) |
| content_type_id | integer Attachment (File) Content Type ID |
| description | string Attachment (File) Description |
| file_size | integer Attachment (File) Size |
| path | string Attachment (File) Path |
| malware_locked | integer Attachment (File) is Malware Locked |
| placeholder | integer Attachment (File) is Placeholder |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "type_id": 14,
- "title": "malicious.exe",
- "name": "malicious.exe",
- "hash": "701505c38aa35d0c523b6e85bced420f",
- "content_type_id": 1,
- "description": "This file is malicious...",
- "file_size": 11300,
- "path": "6/5/247ebe955ec180c8568f9bbc1dbfd4",
- "malware_locked": 1,
- "placeholder": 1
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 72,
- "type_id": 14,
- "title": "malicious.exe",
- "name": "malicious.exe",
- "hash": "701505c38aa35d0c523b6e85bced420f",
- "content_type_id": 1,
- "description": "This file is malicious...",
- "file_size": 11300,
- "path": "6/5/247ebe955ec180c8568f9bbc1dbfd4",
- "malware_locked": 1,
- "placeholder": 1,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Get Single Attachment
Authorizations:
path Parameters
| attachment_id required | integer Attachment (File) ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Responses
Response samples
- 200
{- "data": {
- "id": 72,
- "type_id": 14,
- "title": "malicious.exe",
- "name": "malicious.exe",
- "hash": "701505c38aa35d0c523b6e85bced420f",
- "content_type_id": 1,
- "description": "This file is malicious...",
- "file_size": 11300,
- "path": "6/5/247ebe955ec180c8568f9bbc1dbfd4",
- "malware_locked": 1,
- "placeholder": 1,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Attachment
Authorizations:
path Parameters
| attachment_id required | integer Attachment (File) ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| type_id | integer Attachment (File) Type ID |
| title | string Attachment (File) Title |
| name | string Attachment (File) Name |
| hash | string Attachment (File) Hash (Unique Hash of File Contents) |
| content_type_id | integer Attachment (File) Content Type ID |
| description | string Attachment (File) Description |
| file_size | integer Attachment (File) Size |
| path | string Attachment (File) Path |
| malware_locked | integer Attachment (File) is Malware Locked |
| placeholder | integer Attachment (File) is Placeholder |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "type_id": 14,
- "title": "malicious.exe",
- "name": "malicious.exe",
- "hash": "701505c38aa35d0c523b6e85bced420f",
- "content_type_id": 1,
- "description": "This file is malicious...",
- "file_size": 11300,
- "path": "6/5/247ebe955ec180c8568f9bbc1dbfd4",
- "malware_locked": 1,
- "placeholder": 1
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 72,
- "type_id": 14,
- "title": "malicious.exe",
- "name": "malicious.exe",
- "hash": "701505c38aa35d0c523b6e85bced420f",
- "content_type_id": 1,
- "description": "This file is malicious...",
- "file_size": 11300,
- "path": "6/5/247ebe955ec180c8568f9bbc1dbfd4",
- "malware_locked": 1,
- "placeholder": 1,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}List Attack Pattern
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 67,
- "value": "TXXXX - Scripting",
- "description": "Adversaries may use scripts...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Attack Pattern
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Attack Pattern Value |
| description | string Description for the Attack Pattern |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "TXXXX - Scripting",
- "description": "Adversaries may use scripts..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 67,
- "value": "TXXXX - Scripting",
- "description": "Adversaries may use scripts...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Attack Pattern Consume
Authorizations:
Request Body schema: application/json
Array of objects (AttackPatternFillable) Related Attack Pattern | |
| value | string Attack Pattern Value |
| description | string Description for the Attack Pattern |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| object_code | Array of integers Relate objects of other types by providing a list of IDs. Replace the 'object_code' property with
one of the options to relate objects of that type. |
Responses
Request samples
- Payload
[- {
- "attack_pattern": [
- {
- "value": "TXXXX - Scripting",
- "description": "Adversaries may use scripts..."
}
], - "value": "TXXXX - Scripting",
- "description": "Adversaries may use scripts...",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "object_code": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "value": "TXXXX - Scripting",
- "description": "Adversaries may use scripts..."
}
], - "total": 1
}Get Single Attack Pattern
Authorizations:
path Parameters
| attack_pattern_id required | integer Attack Pattern ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Responses
Response samples
- 200
{- "data": {
- "id": 67,
- "value": "TXXXX - Scripting",
- "description": "Adversaries may use scripts...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Attack Pattern
Authorizations:
path Parameters
| attack_pattern_id required | integer Attack Pattern ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Attack Pattern Value |
| description | string Description for the Attack Pattern |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "TXXXX - Scripting",
- "description": "Adversaries may use scripts..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 67,
- "value": "TXXXX - Scripting",
- "description": "Adversaries may use scripts...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}List Campaign
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 67,
- "value": "Operation Omega",
- "description": "Campaign against systems at big box retailers...",
- "objective": "Campaign against U.S. industry...",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Campaign
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Campaign Value |
| description | string Description for the Campaign |
| objective | string Objective for the Campaign |
| started_at | string Date the Campaign was first seen |
| ended_at | string Date the Campaign was last seen |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Operation Omega",
- "description": "Campaign against systems at big box retailers...",
- "objective": "Campaign against U.S. industry...",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 67,
- "value": "Operation Omega",
- "description": "Campaign against systems at big box retailers...",
- "objective": "Campaign against U.S. industry...",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Campaign Consume
Authorizations:
Request Body schema: application/json
Array of objects (CampaignFillable) Related Campaign | |
| value | string Campaign Value |
| description | string Description for the Campaign |
| objective | string Objective for the Campaign |
| started_at | string Date the Campaign was first seen |
| ended_at | string Date the Campaign was last seen |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| object_code | Array of integers Relate objects of other types by providing a list of IDs. Replace the 'object_code' property with
one of the options to relate objects of that type. |
Responses
Request samples
- Payload
[- {
- "campaign": [
- {
- "value": "Operation Omega",
- "description": "Campaign against systems at big box retailers...",
- "objective": "Campaign against U.S. industry...",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13"
}
], - "value": "Operation Omega",
- "description": "Campaign against systems at big box retailers...",
- "objective": "Campaign against U.S. industry...",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "object_code": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "value": "Operation Omega",
- "description": "Campaign against systems at big box retailers...",
- "objective": "Campaign against U.S. industry...",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13"
}
], - "total": 1
}Get Single Campaign
Authorizations:
path Parameters
| campaign_id required | integer Campaign ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Responses
Response samples
- 200
{- "data": {
- "id": 67,
- "value": "Operation Omega",
- "description": "Campaign against systems at big box retailers...",
- "objective": "Campaign against U.S. industry...",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Campaign
Authorizations:
path Parameters
| campaign_id required | integer Campaign ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Campaign Value |
| description | string Description for the Campaign |
| objective | string Objective for the Campaign |
| started_at | string Date the Campaign was first seen |
| ended_at | string Date the Campaign was last seen |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Operation Omega",
- "description": "Campaign against systems at big box retailers...",
- "objective": "Campaign against U.S. industry...",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 67,
- "value": "Operation Omega",
- "description": "Campaign against systems at big box retailers...",
- "objective": "Campaign against U.S. industry...",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create Connector
Create new connector(s)
Authorizations:
path Parameters
| resumableChunkNumber required | integer (ResumableChunkNumber) Example: 1
|
| resumableChunkSize required | integer (ResumableChunkSize) Example: 4096
|
| resumableCurrentChunkSize required | integer (ResumableCurrentChunkSize) Example: 1024
|
| resumableTotalSize required | integer (ResumableTotalSize) Example: 2048
|
| resumableType required | string (ResumableType) Example: application/x-yaml
|
| resumableIdentifier required | string (ResumableIdentifier) Example: 2048-connectoryaml
|
| resumableFilename required | string (ResumableFilename) Example: connector.yaml
|
| resumableRelativePath required | string (ResumableRelativePath) Example: connector.yaml
|
| resumableTotalChunks required | integer (ResumableTotalChunks) Example: 2
|
| with required | string Example: category,definition,tlp
|
Request Body schema:
| resumableChunkNumber | integer (ResumableChunkNumber) Chunk number of the data |
| resumableChunkSize | integer (ResumableChunkSize) Chunk size of the data |
| resumableCurrentChunkSize | integer (ResumableCurrentChunkSize) Current chunk size of the data |
| resumableTotalSize | integer (ResumableTotalSize) Total size of the data |
| resumableType | string (ResumableType) Type of the data |
| resumableIdentifier | string (ResumableIdentifier) Identifier of the data |
| resumableFilename | string (ResumableFilename) File name |
| resumableRelativePath | string (ResumableRelativePath) Relative path of the file |
| resumableTotalChunks | integer (ResumableTotalChunks) Total amount of chunks for the data |
| package required | string The connector YAML file |
Responses
Request samples
- Payload
Response samples
- 200
{- "data": [
- {
- "id": 1,
- "name": "My Connector",
- "namespace": "threatq.my_connector",
- "description": "My Connector",
- "custom_fields": "[{...}]",
- "frequency": 86400,
- "category_id": 1,
- "category": {
- "id": 1,
- "name": "Labs",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}, - "connector_definition_id": 1,
- "definition_type": "feed",
- "indicator_status_id": 1,
- "gate_oauth2_client_id": 1,
- "gate_oauth2_client": {
- "id": 1,
- "client_id": "ntbhnzviodbingjmogm2n2uynjkzodk2",
- "name": "My Client",
- "description": "My Client",
- "type": "private",
- "redirect_uri": null,
- "session_timeout_minutes": 60,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}, - "is_active": "disabled",
- "version": "1.0.0",
- "file_save_enabled": false,
- "schedule": null,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
]
}Analyze Connector YAML
Analyze the connector YAML to determine if it can be uploaded
Authorizations:
path Parameters
| resumableChunkNumber required | integer (ResumableChunkNumber) Example: 1
|
| resumableChunkSize required | integer (ResumableChunkSize) Example: 4096
|
| resumableCurrentChunkSize required | integer (ResumableCurrentChunkSize) Example: 1024
|
| resumableTotalSize required | integer (ResumableTotalSize) Example: 2048
|
| resumableType required | string (ResumableType) Example: application/x-yaml
|
| resumableIdentifier required | string (ResumableIdentifier) Example: 2048-connectoryaml
|
| resumableFilename required | string (ResumableFilename) Example: connector.yaml
|
| resumableRelativePath required | string (ResumableRelativePath) Example: connector.yaml
|
| resumableTotalChunks required | integer (ResumableTotalChunks) Example: 2
|
Request Body schema: multipart/form-data
| resumableChunkNumber | integer (ResumableChunkNumber) Chunk number of the data |
| resumableChunkSize | integer (ResumableChunkSize) Chunk size of the data |
| resumableCurrentChunkSize | integer (ResumableCurrentChunkSize) Current chunk size of the data |
| resumableTotalSize | integer (ResumableTotalSize) Total size of the data |
| resumableType | string (ResumableType) Type of the data |
| resumableIdentifier | string (ResumableIdentifier) Identifier of the data |
| resumableFilename | string (ResumableFilename) File name |
| resumableRelativePath | string (ResumableRelativePath) Relative path of the file |
| resumableTotalChunks | integer (ResumableTotalChunks) Total amount of chunks for the data |
| package required | string The connector YAML file |
Responses
Response samples
- 200
{- "data": {
- "definition_yaml": "Connector YAML contents...",
- "required_threatq_version": null,
- "summary": {
- "connector_name": {
- "additional_run_params": [
- "since"
], - "config": {
- "category": "Labs",
- "custom_fields": [
- {
- "type": "hr"
}
], - "description": "My connector",
- "indicator_status": "Active",
- "ingest_rules": {
- "attributes": [
- {
- "name": "Country",
- "multivalue": false
}
]
}, - "name": "connector_name",
- "namespace": "threatq.connector_name",
- "signature_status": "Active"
}, - "is_supplemental": false,
- "object_types": [
- "indicator"
], - "supports_manual": false
}
}, - "version": "1.0.0"
}
}List Course of Action
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 6274,
- "value": "TXXXX - Account Discovery Mitigation",
- "description": "Prevent administrator accounts from...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Course of Action
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Course of Action Value |
| description | string Description for the Course of Action |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "TXXXX - Account Discovery Mitigation",
- "description": "Prevent administrator accounts from..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 6274,
- "value": "TXXXX - Account Discovery Mitigation",
- "description": "Prevent administrator accounts from...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Course of Action Consume
Authorizations:
Request Body schema: application/json
Array of objects (CourseOfActionFillable) Related Course of Action | |
| value | string Course of Action Value |
| description | string Description for the Course of Action |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| object_code | Array of integers Relate objects of other types by providing a list of IDs. Replace the 'object_code' property with
one of the options to relate objects of that type. |
Responses
Request samples
- Payload
[- {
- "course_of_action": [
- {
- "value": "TXXXX - Account Discovery Mitigation",
- "description": "Prevent administrator accounts from..."
}
], - "value": "TXXXX - Account Discovery Mitigation",
- "description": "Prevent administrator accounts from...",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "object_code": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "value": "TXXXX - Account Discovery Mitigation",
- "description": "Prevent administrator accounts from..."
}
], - "total": 1
}Get Single Course of Action
Authorizations:
path Parameters
| course_of_action_id required | integer Course of Action ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Responses
Response samples
- 200
{- "data": {
- "id": 6274,
- "value": "TXXXX - Account Discovery Mitigation",
- "description": "Prevent administrator accounts from...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Course of Action
Authorizations:
path Parameters
| course_of_action_id required | integer Course of Action ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Course of Action Value |
| description | string Description for the Course of Action |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "TXXXX - Account Discovery Mitigation",
- "description": "Prevent administrator accounts from..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 6274,
- "value": "TXXXX - Account Discovery Mitigation",
- "description": "Prevent administrator accounts from...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}List Events
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 54,
- "type_id": 1,
- "title": "Fwd: for you ????",
- "happened_at": "2019-12-18 16:57:00",
- "hash": "02f0897a6516236de8bc4c958d2803ca",
- "description": "This Event was observed when...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Event
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| type_id | integer Event Type ID |
| title | string Event Title |
| happened_at | string Date Event Occurred |
| hash | string Hash of the Event happened_at and title |
| description | string Event Description |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "type_id": 1,
- "title": "Fwd: for you ????",
- "happened_at": "2019-12-18 16:57:00",
- "hash": "02f0897a6516236de8bc4c958d2803ca",
- "description": "This Event was observed when..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 54,
- "type_id": 1,
- "title": "Fwd: for you ????",
- "happened_at": "2019-12-18 16:57:00",
- "hash": "02f0897a6516236de8bc4c958d2803ca",
- "description": "This Event was observed when...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Event Consume
Authorizations:
Request Body schema: application/json
Array of objects (EventFillable) Related Events | |
| type_id | integer Event Type ID |
| title | string Event Title |
| happened_at | string Date Event Occurred |
| hash | string Hash of the Event happened_at and title |
| description | string Event Description |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| object_code | Array of integers Relate objects of other types by providing a list of IDs. Replace the 'object_code' property with
one of the options to relate objects of that type. |
Responses
Request samples
- Payload
[- {
- "events": [
- {
- "type_id": 1,
- "title": "Fwd: for you ????",
- "happened_at": "2019-12-18 16:57:00",
- "hash": "02f0897a6516236de8bc4c958d2803ca",
- "description": "This Event was observed when..."
}
], - "type_id": 1,
- "title": "Fwd: for you ????",
- "happened_at": "2019-12-18 16:57:00",
- "hash": "02f0897a6516236de8bc4c958d2803ca",
- "description": "This Event was observed when...",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "object_code": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "type_id": 1,
- "title": "Fwd: for you ????",
- "happened_at": "2019-12-18 16:57:00",
- "hash": "02f0897a6516236de8bc4c958d2803ca",
- "description": "This Event was observed when..."
}
], - "total": 1
}Get Single Event
Authorizations:
path Parameters
| event_id required | integer Event ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Responses
Response samples
- 200
{- "data": {
- "id": 54,
- "type_id": 1,
- "title": "Fwd: for you ????",
- "happened_at": "2019-12-18 16:57:00",
- "hash": "02f0897a6516236de8bc4c958d2803ca",
- "description": "This Event was observed when...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Event
Authorizations:
path Parameters
| event_id required | integer Event ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| type_id | integer Event Type ID |
| title | string Event Title |
| happened_at | string Date Event Occurred |
| hash | string Hash of the Event happened_at and title |
| description | string Event Description |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "type_id": 1,
- "title": "Fwd: for you ????",
- "happened_at": "2019-12-18 16:57:00",
- "hash": "02f0897a6516236de8bc4c958d2803ca",
- "description": "This Event was observed when..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 54,
- "type_id": 1,
- "title": "Fwd: for you ????",
- "happened_at": "2019-12-18 16:57:00",
- "hash": "02f0897a6516236de8bc4c958d2803ca",
- "description": "This Event was observed when...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a Spearphish Event
Authorizations:
path Parameters
| event_id required | integer Event ID |
Request Body schema: application/json
| subject | string Spearphish Email Subject |
| sender | string Spearphish Email Sender |
| value | string Spearphish Email Body |
Responses
Request samples
- Payload
{- "subject": "Fwd: for you ????",
- "sender": "bad-email@do-not-trust.com",
- "value": "Content-Type: text/plain; charset='utf-8'..."
}Response samples
- 201
{- "data": {
- "id": 1,
- "event_id": 54,
- "hash": "dd829f2f1ce7a37b01c0cdb6adae8496",
- "last_parsed_at": "2020-01-24 20:21:51",
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "subject": "Fwd: for you ????",
- "sender": "bad-email@do-not-trust.com",
- "value": "Content-Type: text/plain; charset='utf-8'..."
}
}Get a Single Spearphish Event
Authorizations:
path Parameters
| event_id required | integer Event ID |
| spearphish_id required | integer Spearphish ID |
query Parameters
| with | string Example: with=event
|
Responses
Response samples
- 200
{- "data": {
- "event": {
- "id": 54,
- "type_id": 1,
- "title": "Fwd: for you ????",
- "happened_at": "2019-12-18 16:57:00",
- "hash": "02f0897a6516236de8bc4c958d2803ca",
- "description": "This Event was observed when...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}, - "id": 1,
- "event_id": 54,
- "hash": "dd829f2f1ce7a37b01c0cdb6adae8496",
- "last_parsed_at": "2020-01-24 20:21:51",
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "subject": "Fwd: for you ????",
- "sender": "bad-email@do-not-trust.com",
- "value": "Content-Type: text/plain; charset='utf-8'..."
}
}Update a Spearphish Event
Authorizations:
path Parameters
| event_id required | integer Event ID |
| spearphish_id required | integer Spearphish ID |
query Parameters
| with | string Example: with=event
|
Request Body schema: application/json
| subject | string Spearphish Email Subject |
| sender | string Spearphish Email Sender |
| value | string Spearphish Email Body |
Responses
Request samples
- Payload
{- "subject": "Fwd: for you ????",
- "sender": "bad-email@do-not-trust.com",
- "value": "Content-Type: text/plain; charset='utf-8'..."
}Response samples
- 201
{- "data": {
- "event": {
- "id": 54,
- "type_id": 1,
- "title": "Fwd: for you ????",
- "happened_at": "2019-12-18 16:57:00",
- "hash": "02f0897a6516236de8bc4c958d2803ca",
- "description": "This Event was observed when...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}, - "id": 1,
- "event_id": 54,
- "hash": "dd829f2f1ce7a37b01c0cdb6adae8496",
- "last_parsed_at": "2020-01-24 20:21:51",
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "subject": "Fwd: for you ????",
- "sender": "bad-email@do-not-trust.com",
- "value": "Content-Type: text/plain; charset='utf-8'..."
}
}List Spearphish Events
Authorizations:
path Parameters
| event_id required | integer Event ID |
query Parameters
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
| sort | string Example: sort=id,created_at
|
| with | string Example: with=event
|
Responses
Response samples
- 200
{- "data": [
- {
- "event": {
- "id": 54,
- "type_id": 1,
- "title": "Fwd: for you ????",
- "happened_at": "2019-12-18 16:57:00",
- "hash": "02f0897a6516236de8bc4c958d2803ca",
- "description": "This Event was observed when...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}, - "id": 1,
- "event_id": 54,
- "hash": "dd829f2f1ce7a37b01c0cdb6adae8496",
- "last_parsed_at": "2020-01-24 20:21:51",
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "subject": "Fwd: for you ????",
- "sender": "bad-email@do-not-trust.com",
- "value": "Content-Type: text/plain; charset='utf-8'..."
}
], - "total": 1
}List Exploit Target
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 139,
- "value": "Weakness - CWE-89",
- "description": "Improper String Handling",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Exploit Target
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Exploit Target Value |
| description | string Description for the Exploit Target |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Weakness - CWE-89",
- "description": "Improper String Handling"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 139,
- "value": "Weakness - CWE-89",
- "description": "Improper String Handling",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Exploit Target Consume
Authorizations:
Request Body schema: application/json
Array of objects (ExploitTargetFillable) Related Exploit Target | |
| value | string Exploit Target Value |
| description | string Description for the Exploit Target |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| object_code | Array of integers Relate objects of other types by providing a list of IDs. Replace the 'object_code' property with
one of the options to relate objects of that type. |
Responses
Request samples
- Payload
[- {
- "exploit_target": [
- {
- "value": "Weakness - CWE-89",
- "description": "Improper String Handling"
}
], - "value": "Weakness - CWE-89",
- "description": "Improper String Handling",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "object_code": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "value": "Weakness - CWE-89",
- "description": "Improper String Handling"
}
], - "total": 1
}Get Single Exploit Target
Authorizations:
path Parameters
| exploit_target_id required | integer Exploit Target ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Responses
Response samples
- 200
{- "data": {
- "id": 139,
- "value": "Weakness - CWE-89",
- "description": "Improper String Handling",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Exploit Target
Authorizations:
path Parameters
| exploit_target_id required | integer Exploit Target ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Exploit Target Value |
| description | string Description for the Exploit Target |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Weakness - CWE-89",
- "description": "Improper String Handling"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 139,
- "value": "Weakness - CWE-89",
- "description": "Improper String Handling",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}List Identity
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 67,
- "value": "Disco Team",
- "description": "Disco Team is the name of an organized threat actor...",
- "contact_information": "disco-team@stealthemail.com",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Identity
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Identity Value |
| description | string Description for the Identity |
| contact_information | string Contact Information for the Identity |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Disco Team",
- "description": "Disco Team is the name of an organized threat actor...",
- "contact_information": "disco-team@stealthemail.com"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 67,
- "value": "Disco Team",
- "description": "Disco Team is the name of an organized threat actor...",
- "contact_information": "disco-team@stealthemail.com",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Identity Consume
Authorizations:
Request Body schema: application/json
Array of objects (IdentityFillable) Related Identity | |
| value | string Identity Value |
| description | string Description for the Identity |
| contact_information | string Contact Information for the Identity |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| object_code | Array of integers Relate objects of other types by providing a list of IDs. Replace the 'object_code' property with
one of the options to relate objects of that type. |
Responses
Request samples
- Payload
[- {
- "identity": [
- {
- "value": "Disco Team",
- "description": "Disco Team is the name of an organized threat actor...",
- "contact_information": "disco-team@stealthemail.com"
}
], - "value": "Disco Team",
- "description": "Disco Team is the name of an organized threat actor...",
- "contact_information": "disco-team@stealthemail.com",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "object_code": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "value": "Disco Team",
- "description": "Disco Team is the name of an organized threat actor...",
- "contact_information": "disco-team@stealthemail.com"
}
], - "total": 1
}Get Single Identity
Authorizations:
path Parameters
| identity_id required | integer Identity ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Responses
Response samples
- 200
{- "data": {
- "id": 67,
- "value": "Disco Team",
- "description": "Disco Team is the name of an organized threat actor...",
- "contact_information": "disco-team@stealthemail.com",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Identity
Authorizations:
path Parameters
| identity_id required | integer Identity ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Identity Value |
| description | string Description for the Identity |
| contact_information | string Contact Information for the Identity |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Disco Team",
- "description": "Disco Team is the name of an organized threat actor...",
- "contact_information": "disco-team@stealthemail.com"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 67,
- "value": "Disco Team",
- "description": "Disco Team is the name of an organized threat actor...",
- "contact_information": "disco-team@stealthemail.com",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}List Incident
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 67,
- "value": "Malware on Systems 3,4,7",
- "description": "Systems 3,4,7 owned by ACME, Inc. have malware. APT31 is suspected.",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Incident
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Incident Value |
| description | string Description for the Incident |
| started_at | string Incident First Seen Date |
| ended_at | string Incident Last Seen Date |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Malware on Systems 3,4,7",
- "description": "Systems 3,4,7 owned by ACME, Inc. have malware. APT31 is suspected.",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 67,
- "value": "Malware on Systems 3,4,7",
- "description": "Systems 3,4,7 owned by ACME, Inc. have malware. APT31 is suspected.",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Incident Consume
Authorizations:
Request Body schema: application/json
Array of objects (IncidentFillable) Related Incident | |
| value | string Incident Value |
| description | string Description for the Incident |
| started_at | string Incident First Seen Date |
| ended_at | string Incident Last Seen Date |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| object_code | Array of integers Relate objects of other types by providing a list of IDs. Replace the 'object_code' property with
one of the options to relate objects of that type. |
Responses
Request samples
- Payload
[- {
- "incident": [
- {
- "value": "Malware on Systems 3,4,7",
- "description": "Systems 3,4,7 owned by ACME, Inc. have malware. APT31 is suspected.",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13"
}
], - "value": "Malware on Systems 3,4,7",
- "description": "Systems 3,4,7 owned by ACME, Inc. have malware. APT31 is suspected.",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "object_code": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "value": "Malware on Systems 3,4,7",
- "description": "Systems 3,4,7 owned by ACME, Inc. have malware. APT31 is suspected.",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13"
}
], - "total": 1
}Get Single Incident
Authorizations:
path Parameters
| incident_id required | integer Incident ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Responses
Response samples
- 200
{- "data": {
- "id": 67,
- "value": "Malware on Systems 3,4,7",
- "description": "Systems 3,4,7 owned by ACME, Inc. have malware. APT31 is suspected.",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Incident
Authorizations:
path Parameters
| incident_id required | integer Incident ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Incident Value |
| description | string Description for the Incident |
| started_at | string Incident First Seen Date |
| ended_at | string Incident Last Seen Date |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Malware on Systems 3,4,7",
- "description": "Systems 3,4,7 owned by ACME, Inc. have malware. APT31 is suspected.",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 67,
- "value": "Malware on Systems 3,4,7",
- "description": "Systems 3,4,7 owned by ACME, Inc. have malware. APT31 is suspected.",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}List Indicators
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 54,
- "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
- "last_detected_at": "2020-02-28 13:42:51",
- "expires_at": "2020-04-01 03:17:23",
- "expired_at": null,
- "expired_needs_calc": "N",
- "expires_calculated_at": "2020-02-28 18:36:24",
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation.",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Indicator
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| type_id | integer Indicator Type ID |
| status_id | integer Indicator Status ID |
| class | string Indicator Class - Options include: host, network |
| value | string Indicator Value |
| description | string Indicator Description |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 54,
- "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
- "last_detected_at": "2020-02-28 13:42:51",
- "expires_at": "2020-04-01 03:17:23",
- "expired_at": null,
- "expired_needs_calc": "N",
- "expires_calculated_at": "2020-02-28 18:36:24",
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation.",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Indicator Consume
Authorizations:
Request Body schema: application/json
Array of objects (IndicatorFillable) Related Indicators | |
| type_id | integer Indicator Type ID |
| status_id | integer Indicator Status ID |
| class | string Indicator Class - Options include: host, network |
| value | string Indicator Value |
| description | string Indicator Description |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| object_code | Array of integers Relate objects of other types by providing a list of IDs. Replace the 'object_code' property with
one of the options to relate objects of that type. |
Responses
Request samples
- Payload
[- {
- "indicators": [
- {
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation."
}
], - "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation.",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "object_code": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation."
}
], - "total": 1
}Get Single Indicator
Authorizations:
path Parameters
| indicator_id required | integer Indicator ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Responses
Response samples
- 200
{- "data": {
- "id": 54,
- "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
- "last_detected_at": "2020-02-28 13:42:51",
- "expires_at": "2020-04-01 03:17:23",
- "expired_at": null,
- "expired_needs_calc": "N",
- "expires_calculated_at": "2020-02-28 18:36:24",
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation.",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Indicator
Authorizations:
path Parameters
| indicator_id required | integer Indicator ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| type_id | integer Indicator Type ID |
| status_id | integer Indicator Status ID |
| class | string Indicator Class - Options include: host, network |
| value | string Indicator Value |
| description | string Indicator Description |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 54,
- "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
- "last_detected_at": "2020-02-28 13:42:51",
- "expires_at": "2020-04-01 03:17:23",
- "expired_at": null,
- "expired_needs_calc": "N",
- "expires_calculated_at": "2020-02-28 18:36:24",
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation.",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}List Intrusion Set
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 67,
- "value": "APT BPP",
- "description": "An advanced persistent threat that seeks to disrupt...",
- "started_at": "2016-01-08 15:59:24",
- "ended_at": "2016-07-13 05:46:13",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Intrusion Set
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Intrusion Set Value |
| description | string Description for the Intrusion Set |
| started_at | string Date the Intrusion Set was first seen |
| ended_at | string Date the Intrusion Set was last seen |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "APT BPP",
- "description": "An advanced persistent threat that seeks to disrupt...",
- "started_at": "2016-01-08 15:59:24",
- "ended_at": "2016-07-13 05:46:13"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 67,
- "value": "APT BPP",
- "description": "An advanced persistent threat that seeks to disrupt...",
- "started_at": "2016-01-08 15:59:24",
- "ended_at": "2016-07-13 05:46:13",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Intrusion Set Consume
Authorizations:
Request Body schema: application/json
Array of objects (IntrusionSetFillable) Related Intrusion Set | |
| value | string Intrusion Set Value |
| description | string Description for the Intrusion Set |
| started_at | string Date the Intrusion Set was first seen |
| ended_at | string Date the Intrusion Set was last seen |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| object_code | Array of integers Relate objects of other types by providing a list of IDs. Replace the 'object_code' property with
one of the options to relate objects of that type. |
Responses
Request samples
- Payload
[- {
- "intrusion_set": [
- {
- "value": "APT BPP",
- "description": "An advanced persistent threat that seeks to disrupt...",
- "started_at": "2016-01-08 15:59:24",
- "ended_at": "2016-07-13 05:46:13"
}
], - "value": "APT BPP",
- "description": "An advanced persistent threat that seeks to disrupt...",
- "started_at": "2016-01-08 15:59:24",
- "ended_at": "2016-07-13 05:46:13",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "object_code": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "value": "APT BPP",
- "description": "An advanced persistent threat that seeks to disrupt...",
- "started_at": "2016-01-08 15:59:24",
- "ended_at": "2016-07-13 05:46:13"
}
], - "total": 1
}Get Single Intrusion Set
Authorizations:
path Parameters
| intrusion_set_id required | integer Intrusion Set ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Responses
Response samples
- 200
{- "data": {
- "id": 67,
- "value": "APT BPP",
- "description": "An advanced persistent threat that seeks to disrupt...",
- "started_at": "2016-01-08 15:59:24",
- "ended_at": "2016-07-13 05:46:13",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Intrusion Set
Authorizations:
path Parameters
| intrusion_set_id required | integer Intrusion Set ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Intrusion Set Value |
| description | string Description for the Intrusion Set |
| started_at | string Date the Intrusion Set was first seen |
| ended_at | string Date the Intrusion Set was last seen |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "APT BPP",
- "description": "An advanced persistent threat that seeks to disrupt...",
- "started_at": "2016-01-08 15:59:24",
- "ended_at": "2016-07-13 05:46:13"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 67,
- "value": "APT BPP",
- "description": "An advanced persistent threat that seeks to disrupt...",
- "started_at": "2016-01-08 15:59:24",
- "ended_at": "2016-07-13 05:46:13",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}List Investigations
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 939,
- "name": "My Investigation",
- "status_id": 1,
- "priority_id": 2,
- "description": "Need to determine whether...",
- "data": "NOT SURE THIS IS USED BY THE UI ANYMORE (IF EVER)",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Investigation
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| name | string Investigation Name |
| status_id | integer Investigation Status ID |
| priority_id | integer Investigation Priority ID |
| description | string Investigation Description |
| data | string Investigation Data |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "My Investigation",
- "status_id": 1,
- "priority_id": 2,
- "description": "Need to determine whether...",
- "data": "NOT SURE THIS IS USED BY THE UI ANYMORE (IF EVER)"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 939,
- "name": "My Investigation",
- "status_id": 1,
- "priority_id": 2,
- "description": "Need to determine whether...",
- "data": "NOT SURE THIS IS USED BY THE UI ANYMORE (IF EVER)",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Get Single Investigation
Authorizations:
path Parameters
| investigation_id required | integer Investigation ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Responses
Response samples
- 200
{- "data": {
- "id": 939,
- "name": "My Investigation",
- "status_id": 1,
- "priority_id": 2,
- "description": "Need to determine whether...",
- "data": "NOT SURE THIS IS USED BY THE UI ANYMORE (IF EVER)",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Investigation
Authorizations:
path Parameters
| investigation_id required | integer Investigation ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| name | string Investigation Name |
| status_id | integer Investigation Status ID |
| priority_id | integer Investigation Priority ID |
| description | string Investigation Description |
| data | string Investigation Data |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "My Investigation",
- "status_id": 1,
- "priority_id": 2,
- "description": "Need to determine whether...",
- "data": "NOT SURE THIS IS USED BY THE UI ANYMORE (IF EVER)"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 939,
- "name": "My Investigation",
- "status_id": 1,
- "priority_id": 2,
- "description": "Need to determine whether...",
- "data": "NOT SURE THIS IS USED BY THE UI ANYMORE (IF EVER)",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}List Malware
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 211,
- "value": "x4z9arb backdoor",
- "description": "This malware attempts to download remote files after...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Malware
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Malware Value |
| description | string Description for the Malware |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "x4z9arb backdoor",
- "description": "This malware attempts to download remote files after..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 211,
- "value": "x4z9arb backdoor",
- "description": "This malware attempts to download remote files after...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Malware Consume
Authorizations:
Request Body schema: application/json
Array of objects (MalwareFillable) Related Malware | |
| value | string Malware Value |
| description | string Description for the Malware |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| object_code | Array of integers Relate objects of other types by providing a list of IDs. Replace the 'object_code' property with
one of the options to relate objects of that type. |
Responses
Request samples
- Payload
[- {
- "malware": [
- {
- "value": "x4z9arb backdoor",
- "description": "This malware attempts to download remote files after..."
}
], - "value": "x4z9arb backdoor",
- "description": "This malware attempts to download remote files after...",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "object_code": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "value": "x4z9arb backdoor",
- "description": "This malware attempts to download remote files after..."
}
], - "total": 1
}Get Single Malware
Authorizations:
path Parameters
| malware_id required | integer Malware ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Responses
Response samples
- 200
{- "data": {
- "id": 211,
- "value": "x4z9arb backdoor",
- "description": "This malware attempts to download remote files after...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Malware
Authorizations:
path Parameters
| malware_id required | integer Malware ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Malware Value |
| description | string Description for the Malware |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "x4z9arb backdoor",
- "description": "This malware attempts to download remote files after..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 211,
- "value": "x4z9arb backdoor",
- "description": "This malware attempts to download remote files after...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}List Report
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 1213,
- "value": "Critical Vulnerability in Log4j Java Library",
- "description": "A zero-day remote code execution vulnerability in Apache Log4j may leverage...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Report
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Report Value |
| description | string Description for the Report |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Critical Vulnerability in Log4j Java Library",
- "description": "A zero-day remote code execution vulnerability in Apache Log4j may leverage..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 1213,
- "value": "Critical Vulnerability in Log4j Java Library",
- "description": "A zero-day remote code execution vulnerability in Apache Log4j may leverage...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Report Consume
Authorizations:
Request Body schema: application/json
Array of objects (ReportFillable) Related Report | |
| value | string Report Value |
| description | string Description for the Report |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| object_code | Array of integers Relate objects of other types by providing a list of IDs. Replace the 'object_code' property with
one of the options to relate objects of that type. |
Responses
Request samples
- Payload
[- {
- "report": [
- {
- "value": "Critical Vulnerability in Log4j Java Library",
- "description": "A zero-day remote code execution vulnerability in Apache Log4j may leverage..."
}
], - "value": "Critical Vulnerability in Log4j Java Library",
- "description": "A zero-day remote code execution vulnerability in Apache Log4j may leverage...",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "object_code": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "value": "Critical Vulnerability in Log4j Java Library",
- "description": "A zero-day remote code execution vulnerability in Apache Log4j may leverage..."
}
], - "total": 1
}Get Single Report
Authorizations:
path Parameters
| report_id required | integer Report ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Responses
Response samples
- 200
{- "data": {
- "id": 1213,
- "value": "Critical Vulnerability in Log4j Java Library",
- "description": "A zero-day remote code execution vulnerability in Apache Log4j may leverage...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Report
Authorizations:
path Parameters
| report_id required | integer Report ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Report Value |
| description | string Description for the Report |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Critical Vulnerability in Log4j Java Library",
- "description": "A zero-day remote code execution vulnerability in Apache Log4j may leverage..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 1213,
- "value": "Critical Vulnerability in Log4j Java Library",
- "description": "A zero-day remote code execution vulnerability in Apache Log4j may leverage...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Response samples
- 200
{- "data": {
- "attributes": [
- {
- "value": "High",
- "score": 8,
- "id": 1,
- "name": "Confidence"
}
], - "indicator_types": [
- {
- "id": 1,
- "score": 3
}
], - "sources": [
- {
- "id": 1,
- "score": 6
}
], - "relations": [
- {
- "object_id": 54,
- "object_type": 54,
- "score": 6
}
], - "score_config_hash": "9f22dd6061fbc45452bfeca3d2d6819cd610f024"
}
}Create a Score Range
Authorizations:
Request Body schema: application/json
| name | string Score Range Name |
| min_value | integer Lower Bound of the Score Range |
| max_value | integer Upper Bound of the Score Range |
Responses
Request samples
- Payload
{- "name": "High Risk",
- "min_value": 8,
- "max_value": 10
}Response samples
- 201
{- "data": {
- "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "name": "High Risk",
- "min_value": 8,
- "max_value": 10
}
}Get a Single Score Range
Authorizations:
path Parameters
| score_range_id required | integer Score Range ID |
Responses
Response samples
- 200
{- "data": {
- "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "name": "High Risk",
- "min_value": 8,
- "max_value": 10
}
}Update a Score Range
Authorizations:
path Parameters
| score_range_id required | integer Score Range ID |
Request Body schema: application/json
| name | string Score Range Name |
| min_value | integer Lower Bound of the Score Range |
| max_value | integer Upper Bound of the Score Range |
Responses
Request samples
- Payload
{- "name": "High Risk",
- "min_value": 8,
- "max_value": 10
}Response samples
- 201
{- "data": {
- "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "name": "High Risk",
- "min_value": 8,
- "max_value": 10
}
}List Score Ranges
Authorizations:
query Parameters
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
| sort | string Example: sort=id,created_at
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "name": "High Risk",
- "min_value": 8,
- "max_value": 10
}
], - "total": 1
}List Data Collections
Get a listing of data collection the current user has sharing permissions for
Authorizations:
query Parameters
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
| sort | string Example: sort=id,created_at
|
| with | string Example: with=dashboards,tqxFeeds,workflowDefinitions
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 1,
- "hash": "9548a377155bd3fa13b2a16649c6eb88",
- "name": "My Data Collection",
- "json": {
- "ui_query": {
- "columns": {
- "indicators": [
- "author"
]
}, - "criteria": {
- "matchType": [
- {
- "": "+and"
}
], - "items": [
- {
- "": {
- "key": "mentions",
- "value": "www.threatquotient.com",
- "set_id": 0
}
}
]
}, - "filters": {
- "created_at": [
- {
- "startDate": "2022-08-01 00:00:00",
- "endDate": "2022-08-31 23:59:99",
- "interval": null,
- "type": "is between",
- "set_id": 0
}
]
}, - "objects": {
- "current": "indicators",
- "selected": [
- {
- "": "indicators"
}
]
}, - "filter_sets": [
- {
- "id": 0,
- "operator": "or",
- "isNegated": false,
- "expanded": true
}
]
}, - "api_query": {
- "criteria": {
- "+and": [
- {
- "+or": [
- {
- "mentions": null
}
]
}
]
}, - "filters": {
- "+and": [
- {
- "+or": [
- {
- "created_at": null
}
]
}
]
}
}
}, - "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "total": 1
}Create Data Collection
Create a data collection
Authorizations:
Request Body schema: application/json
| name | string Name of the data collection |
object (SearchJson) JSON representation of the advanced search query |
Responses
Request samples
- Payload
{- "name": "My Data Collection",
- "json": {
- "ui_query": {
- "columns": {
- "indicators": [
- "author"
]
}, - "criteria": {
- "matchType": [
- {
- "": "+and"
}
], - "items": [
- {
- "": {
- "key": "mentions",
- "value": "www.threatquotient.com",
- "set_id": 0
}
}
]
}, - "filters": {
- "created_at": [
- {
- "startDate": "2022-08-01 00:00:00",
- "endDate": "2022-08-31 23:59:99",
- "interval": null,
- "type": "is between",
- "set_id": 0
}
]
}, - "objects": {
- "current": "indicators",
- "selected": [
- {
- "": "indicators"
}
]
}, - "filter_sets": [
- {
- "id": 0,
- "operator": "or",
- "isNegated": false,
- "expanded": true
}
]
}, - "api_query": {
- "criteria": {
- "+and": [
- {
- "+or": [
- {
- "mentions": "www.threatquotient.com"
}
]
}
]
}, - "filters": {
- "+and": [
- {
- "+or": [
- {
- "created_at": {
- "+gt": "2022-08-01 00:00:00"
}
}
]
}
]
}
}
}
}Response samples
- 200
{- "data": {
- "id": 1,
- "hash": "9548a377155bd3fa13b2a16649c6eb88",
- "name": "My Data Collection",
- "json": {
- "ui_query": {
- "columns": {
- "indicators": [
- "author"
]
}, - "criteria": {
- "matchType": [
- {
- "": "+and"
}
], - "items": [
- {
- "": {
- "key": "mentions",
- "value": "www.threatquotient.com",
- "set_id": 0
}
}
]
}, - "filters": {
- "created_at": [
- {
- "startDate": "2022-08-01 00:00:00",
- "endDate": "2022-08-31 23:59:99",
- "interval": null,
- "type": "is between",
- "set_id": 0
}
]
}, - "objects": {
- "current": "indicators",
- "selected": [
- {
- "": "indicators"
}
]
}, - "filter_sets": [
- {
- "id": 0,
- "operator": "or",
- "isNegated": false,
- "expanded": true
}
]
}, - "api_query": {
- "criteria": {
- "+and": [
- {
- "+or": [
- {
- "mentions": "www.threatquotient.com"
}
]
}
]
}, - "filters": {
- "+and": [
- {
- "+or": [
- {
- "created_at": {
- "+gt": null
}
}
]
}
]
}
}
}, - "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}Get Data Collection
Get a single data collection that the user has sharing permissions for
Authorizations:
path Parameters
| hash required | string Example: 9548a377155bd3fa13b2a16649c6eb88
|
query Parameters
| id | integer Example: id=1
|
| name | string Example: name=My Data Collection
|
| hash | string Example: hash=9548a377155bd3fa13b2a16649c6eb88
|
| created_at | string Example: created_at=2022-08-01 00:00:00
|
| updated_at | string Example: updated_at=2022-08-01 00:00:00
|
string or integer
| |
| fields | string Enum: "[FIELD]" "[RELATIONSHIP].[FIELD]" Example: fields=id,created_at,[RELATIONSHIP].id,[RELATIONSHIP].created_at
|
| sort | string Example: sort=id,created_at
|
| with | string Example: with=dashboards,tqxFeeds,workflowDefinitions
|
Responses
Response samples
- 200
{- "data": {
- "id": 1,
- "hash": "9548a377155bd3fa13b2a16649c6eb88",
- "name": "My Data Collection",
- "json": {
- "ui_query": {
- "columns": {
- "indicators": [
- "author"
]
}, - "criteria": {
- "matchType": [
- {
- "": "+and"
}
], - "items": [
- {
- "": {
- "key": "mentions",
- "value": "www.threatquotient.com",
- "set_id": 0
}
}
]
}, - "filters": {
- "created_at": [
- {
- "startDate": "2022-08-01 00:00:00",
- "endDate": "2022-08-31 23:59:99",
- "interval": null,
- "type": "is between",
- "set_id": 0
}
]
}, - "objects": {
- "current": "indicators",
- "selected": [
- {
- "": "indicators"
}
]
}, - "filter_sets": [
- {
- "id": 0,
- "operator": "or",
- "isNegated": false,
- "expanded": true
}
]
}, - "api_query": {
- "criteria": {
- "+and": [
- {
- "+or": [
- {
- "mentions": "www.threatquotient.com"
}
]
}
]
}, - "filters": {
- "+and": [
- {
- "+or": [
- {
- "created_at": {
- "+gt": null
}
}
]
}
]
}
}
}, - "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}Update Data Collection
Update a data collection
Authorizations:
path Parameters
| hash required | string Example: 9548a377155bd3fa13b2a16649c6eb88
|
Request Body schema: application/json
| name | string Name of the data collection |
object (SearchJson) JSON representation of the advanced search query |
Responses
Request samples
- Payload
{- "name": "My Data Collection",
- "json": {
- "ui_query": {
- "columns": {
- "indicators": [
- "author"
]
}, - "criteria": {
- "matchType": [
- {
- "": "+and"
}
], - "items": [
- {
- "": {
- "key": "mentions",
- "value": "www.threatquotient.com",
- "set_id": 0
}
}
]
}, - "filters": {
- "created_at": [
- {
- "startDate": "2022-08-01 00:00:00",
- "endDate": "2022-08-31 23:59:99",
- "interval": null,
- "type": "is between",
- "set_id": 0
}
]
}, - "objects": {
- "current": "indicators",
- "selected": [
- {
- "": "indicators"
}
]
}, - "filter_sets": [
- {
- "id": 0,
- "operator": "or",
- "isNegated": false,
- "expanded": true
}
]
}, - "api_query": {
- "criteria": {
- "+and": [
- {
- "+or": [
- {
- "mentions": "www.threatquotient.com"
}
]
}
]
}, - "filters": {
- "+and": [
- {
- "+or": [
- {
- "created_at": {
- "+gt": "2022-08-01 00:00:00"
}
}
]
}
]
}
}
}
}Response samples
- 200
{- "data": {
- "id": 1,
- "hash": "9548a377155bd3fa13b2a16649c6eb88",
- "name": "My Data Collection",
- "json": {
- "ui_query": {
- "columns": {
- "indicators": [
- "author"
]
}, - "criteria": {
- "matchType": [
- {
- "": "+and"
}
], - "items": [
- {
- "": {
- "key": "mentions",
- "value": "www.threatquotient.com",
- "set_id": 0
}
}
]
}, - "filters": {
- "created_at": [
- {
- "startDate": "2022-08-01 00:00:00",
- "endDate": "2022-08-31 23:59:99",
- "interval": null,
- "type": "is between",
- "set_id": 0
}
]
}, - "objects": {
- "current": "indicators",
- "selected": [
- {
- "": "indicators"
}
]
}, - "filter_sets": [
- {
- "id": 0,
- "operator": "or",
- "isNegated": false,
- "expanded": true
}
]
}, - "api_query": {
- "criteria": {
- "+and": [
- {
- "+or": [
- {
- "mentions": "www.threatquotient.com"
}
]
}
]
}, - "filters": {
- "+and": [
- {
- "+or": [
- {
- "created_at": {
- "+gt": null
}
}
]
}
]
}
}
}, - "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}List Signatures
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 221,
- "name": "ET EXPLOIT Arkeia full remote...",
- "hash": "737309fe355ef23e1c03a5e98bc364b5",
- "value": "alert tcp $EXTERNAL_NET any -> $HOME...",
- "type_id": 2,
- "status_id": 5,
- "description": "Signature Description...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Signature
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| name | string Signature Name |
| hash | string Signature Hash (Unique Hash of Signature Name) |
| value | string Signature Value |
| type_id | integer Signature Type ID |
| status_id | integer Signature Status ID |
| description | string Signature Description |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "ET EXPLOIT Arkeia full remote...",
- "hash": "737309fe355ef23e1c03a5e98bc364b5",
- "value": "alert tcp $EXTERNAL_NET any -> $HOME...",
- "type_id": 2,
- "status_id": 5,
- "description": "Signature Description..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 221,
- "name": "ET EXPLOIT Arkeia full remote...",
- "hash": "737309fe355ef23e1c03a5e98bc364b5",
- "value": "alert tcp $EXTERNAL_NET any -> $HOME...",
- "type_id": 2,
- "status_id": 5,
- "description": "Signature Description...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Signature Consume
Authorizations:
Request Body schema: application/json
Array of objects (SignatureFillable) Related Signatures | |
| name | string Signature Name |
| hash | string Signature Hash (Unique Hash of Signature Name) |
| value | string Signature Value |
| type_id | integer Signature Type ID |
| status_id | integer Signature Status ID |
| description | string Signature Description |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| object_code | Array of integers Relate objects of other types by providing a list of IDs. Replace the 'object_code' property with
one of the options to relate objects of that type. |
Responses
Request samples
- Payload
[- {
- "signatures": [
- {
- "name": "ET EXPLOIT Arkeia full remote...",
- "hash": "737309fe355ef23e1c03a5e98bc364b5",
- "value": "alert tcp $EXTERNAL_NET any -> $HOME...",
- "type_id": 2,
- "status_id": 5,
- "description": "Signature Description..."
}
], - "name": "ET EXPLOIT Arkeia full remote...",
- "hash": "737309fe355ef23e1c03a5e98bc364b5",
- "value": "alert tcp $EXTERNAL_NET any -> $HOME...",
- "type_id": 2,
- "status_id": 5,
- "description": "Signature Description...",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "object_code": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "name": "ET EXPLOIT Arkeia full remote...",
- "hash": "737309fe355ef23e1c03a5e98bc364b5",
- "value": "alert tcp $EXTERNAL_NET any -> $HOME...",
- "type_id": 2,
- "status_id": 5,
- "description": "Signature Description..."
}
], - "total": 1
}Get Single Signature
Authorizations:
path Parameters
| signature_id required | integer Signature ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Responses
Response samples
- 200
{- "data": {
- "id": 221,
- "name": "ET EXPLOIT Arkeia full remote...",
- "hash": "737309fe355ef23e1c03a5e98bc364b5",
- "value": "alert tcp $EXTERNAL_NET any -> $HOME...",
- "type_id": 2,
- "status_id": 5,
- "description": "Signature Description...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Signature
Authorizations:
path Parameters
| signature_id required | integer Signature ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| name | string Signature Name |
| hash | string Signature Hash (Unique Hash of Signature Name) |
| value | string Signature Value |
| type_id | integer Signature Type ID |
| status_id | integer Signature Status ID |
| description | string Signature Description |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "ET EXPLOIT Arkeia full remote...",
- "hash": "737309fe355ef23e1c03a5e98bc364b5",
- "value": "alert tcp $EXTERNAL_NET any -> $HOME...",
- "type_id": 2,
- "status_id": 5,
- "description": "Signature Description..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 221,
- "name": "ET EXPLOIT Arkeia full remote...",
- "hash": "737309fe355ef23e1c03a5e98bc364b5",
- "value": "alert tcp $EXTERNAL_NET any -> $HOME...",
- "type_id": 2,
- "status_id": 5,
- "description": "Signature Description...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Get a Single Source
Authorizations:
path Parameters
| source_id required | integer Source ID |
Responses
Response samples
- 200
{- "data": {
- "id": 1,
- "expire_days": 12,
- "expires_needs_calc": "N",
- "score": 6,
- "default_tlp_id": 3,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}Update a Source
/**
Authorizations:
path Parameters
| source_id required | integer Source ID |
Request Body schema: application/json
| score | integer Source Score - Ranges from -10 to 10 |
| default_tlp_id | integer Source Default TLP ID - the TLP that should be assigned for the Source if none is provided |
| type | string Source Type - Options include: clients, connectors (Feeds), other_sources, plugins, or users |
| reference_id | integer Source Reference ID - points to related Client, Connector (Feed), Other Source, Plugin, or User |
| name | string Source Name |
Responses
Request samples
- Payload
{- "score": 6,
- "default_tlp_id": 3,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ"
}Response samples
- 201
{- "data": {
- "id": 1,
- "expire_days": 12,
- "expires_needs_calc": "N",
- "score": 6,
- "default_tlp_id": 3,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}List Sources
Authorizations:
query Parameters
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
| sort | string Example: sort=id,created_at
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 1,
- "expire_days": 12,
- "expires_needs_calc": "N",
- "score": 6,
- "default_tlp_id": 3,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "total": 1
}List Tags
Authorizations:
query Parameters
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
| sort | string Example: sort=id,created_at
|
| with | string Example: with=adversaries,indicators,course_of_action
|
| with_DUPLICATES_PREVIOUS_NAME | string Example: with_DUPLICATES_PREVIOUS_NAME=objects
|
Responses
Response samples
- 200
{- "data": [
- {
- "adversaries": [
- {
- "pivot": {
- "tag_id": 1,
- "object_id": 54,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}, - "id": 54,
- "name": "Sad Panda",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "indicators": [
- {
- "pivot": {
- "tag_id": 1,
- "object_id": 54,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}, - "id": 54,
- "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
- "last_detected_at": "2020-02-28 13:42:51",
- "expires_at": "2020-04-01 03:17:23",
- "expired_at": null,
- "expired_needs_calc": "N",
- "expires_calculated_at": "2020-02-28 18:36:24",
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation.",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "course_of_action": [
- {
- "pivot": {
- "tag_id": 1,
- "object_id": 54,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}, - "id": 6274,
- "value": "TXXXX - Account Discovery Mitigation",
- "description": "Prevent administrator accounts from...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "id": 81,
- "name": "Ominous"
}
], - "total": 1
}List Tasks
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 373,
- "name": "Task #1",
- "status_id": 1,
- "priority": "Medium",
- "description": "Need to determine whether...",
- "assignee_source_id": 12,
- "due_at": "2020-03-05 12:00:00",
- "completed_at": "2020-03-04 12:00:00",
- "creator_source_id": 2,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Task
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| name | string Name of the Task |
| status_id | integer Status ID for the Task (Statuses include To Do, In Progress, Review, and Done) |
| priority | string Priority of the Task (Options: Low, Medium, and High) |
| description | string Description for the Task |
| assignee_source_id | integer Assignee Source ID (Source ID for the User the Task is assigned to) |
| due_at | string Date the Task is due for completion |
| completed_at | string Date the Task was completed |
| creator_source_id | integer Creator Source ID - Source ID of User, Feed, or other means that brought the object into the system |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Task #1",
- "status_id": 1,
- "priority": "Medium",
- "description": "Need to determine whether...",
- "assignee_source_id": 12,
- "due_at": "2020-03-05 12:00:00",
- "completed_at": "2020-03-04 12:00:00",
- "creator_source_id": 2
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 373,
- "name": "Task #1",
- "status_id": 1,
- "priority": "Medium",
- "description": "Need to determine whether...",
- "assignee_source_id": 12,
- "due_at": "2020-03-05 12:00:00",
- "completed_at": "2020-03-04 12:00:00",
- "creator_source_id": 2,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Get Single Task
Authorizations:
path Parameters
| task_id required | integer Task ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Responses
Response samples
- 200
{- "data": {
- "id": 373,
- "name": "Task #1",
- "status_id": 1,
- "priority": "Medium",
- "description": "Need to determine whether...",
- "assignee_source_id": 12,
- "due_at": "2020-03-05 12:00:00",
- "completed_at": "2020-03-04 12:00:00",
- "creator_source_id": 2,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Task
Authorizations:
path Parameters
| task_id required | integer Task ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| name | string Name of the Task |
| status_id | integer Status ID for the Task (Statuses include To Do, In Progress, Review, and Done) |
| priority | string Priority of the Task (Options: Low, Medium, and High) |
| description | string Description for the Task |
| assignee_source_id | integer Assignee Source ID (Source ID for the User the Task is assigned to) |
| due_at | string Date the Task is due for completion |
| completed_at | string Date the Task was completed |
| creator_source_id | integer Creator Source ID - Source ID of User, Feed, or other means that brought the object into the system |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Task #1",
- "status_id": 1,
- "priority": "Medium",
- "description": "Need to determine whether...",
- "assignee_source_id": 12,
- "due_at": "2020-03-05 12:00:00",
- "completed_at": "2020-03-04 12:00:00",
- "creator_source_id": 2
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 373,
- "name": "Task #1",
- "status_id": 1,
- "priority": "Medium",
- "description": "Need to determine whether...",
- "assignee_source_id": 12,
- "due_at": "2020-03-05 12:00:00",
- "completed_at": "2020-03-04 12:00:00",
- "creator_source_id": 2,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a TLP
Authorizations:
Request Body schema: application/json
| name | string TLP Name |
| description | string TLP Description |
| value | integer TLP Value used for hierarchy comparisons |
| user_editable | string Determines whether the TLP record can be updated by a User |
Responses
Request samples
- Payload
{- "name": "WHITE",
- "description": "Disclosure is not limited.",
- "value": 3,
- "user_editable": "N"
}Response samples
- 201
{- "data": {
- "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "name": "WHITE",
- "description": "Disclosure is not limited.",
- "value": 3,
- "user_editable": "N"
}
}Response samples
- 200
{- "data": {
- "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "name": "WHITE",
- "description": "Disclosure is not limited.",
- "value": 3,
- "user_editable": "N"
}
}Update a TLP
Authorizations:
path Parameters
| tlp_id required | integer TLP ID |
Request Body schema: application/json
| name | string TLP Name |
| description | string TLP Description |
| value | integer TLP Value used for hierarchy comparisons |
| user_editable | string Determines whether the TLP record can be updated by a User |
Responses
Request samples
- Payload
{- "name": "WHITE",
- "description": "Disclosure is not limited.",
- "value": 3,
- "user_editable": "N"
}Response samples
- 200
{- "data": {
- "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "name": "WHITE",
- "description": "Disclosure is not limited.",
- "value": 3,
- "user_editable": "N"
}
}List TLPs
Authorizations:
query Parameters
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
| sort | string Example: sort=id,created_at
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "name": "WHITE",
- "description": "Disclosure is not limited.",
- "value": 3,
- "user_editable": "N"
}
], - "total": 1
}List Tool
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 4781,
- "value": "Ping",
- "description": "Ping is an operating system utility commonly used to troubleshoot...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Tool
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Tool Value |
| description | string Description for the Tool |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Ping",
- "description": "Ping is an operating system utility commonly used to troubleshoot..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 4781,
- "value": "Ping",
- "description": "Ping is an operating system utility commonly used to troubleshoot...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Tool Consume
Authorizations:
Request Body schema: application/json
Array of objects (ToolFillable) Related Tool | |
| value | string Tool Value |
| description | string Description for the Tool |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| object_code | Array of integers Relate objects of other types by providing a list of IDs. Replace the 'object_code' property with
one of the options to relate objects of that type. |
Responses
Request samples
- Payload
[- {
- "tool": [
- {
- "value": "Ping",
- "description": "Ping is an operating system utility commonly used to troubleshoot..."
}
], - "value": "Ping",
- "description": "Ping is an operating system utility commonly used to troubleshoot...",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "object_code": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "value": "Ping",
- "description": "Ping is an operating system utility commonly used to troubleshoot..."
}
], - "total": 1
}Get Single Tool
Authorizations:
path Parameters
| tool_id required | integer Tool ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Responses
Response samples
- 200
{- "data": {
- "id": 4781,
- "value": "Ping",
- "description": "Ping is an operating system utility commonly used to troubleshoot...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Tool
Authorizations:
path Parameters
| tool_id required | integer Tool ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Tool Value |
| description | string Description for the Tool |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Ping",
- "description": "Ping is an operating system utility commonly used to troubleshoot..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 4781,
- "value": "Ping",
- "description": "Ping is an operating system utility commonly used to troubleshoot...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}List TTP
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 5120,
- "value": "Malware",
- "description": "PIVY Variant",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) TTP
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string TTP Value |
| description | string Description for the TTP |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Malware",
- "description": "PIVY Variant"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 5120,
- "value": "Malware",
- "description": "PIVY Variant",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}TTP Consume
Authorizations:
Request Body schema: application/json
Array of objects (TTPFillable) Related TTP | |
| value | string TTP Value |
| description | string Description for the TTP |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| object_code | Array of integers Relate objects of other types by providing a list of IDs. Replace the 'object_code' property with
one of the options to relate objects of that type. |
Responses
Request samples
- Payload
[- {
- "ttp": [
- {
- "value": "Malware",
- "description": "PIVY Variant"
}
], - "value": "Malware",
- "description": "PIVY Variant",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "object_code": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "value": "Malware",
- "description": "PIVY Variant"
}
], - "total": 1
}Get Single TTP
Authorizations:
path Parameters
| ttp_id required | integer TTP ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Responses
Response samples
- 200
{- "data": {
- "id": 5120,
- "value": "Malware",
- "description": "PIVY Variant",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) TTP
Authorizations:
path Parameters
| ttp_id required | integer TTP ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string TTP Value |
| description | string Description for the TTP |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Malware",
- "description": "PIVY Variant"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 5120,
- "value": "Malware",
- "description": "PIVY Variant",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}List Vulnerability
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 7177,
- "value": "CVE-2016-1234",
- "description": "Stack-based buffer overflow in the glob implementation...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Vulnerability
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Vulnerability Value |
| description | string Description for the Vulnerability |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "CVE-2016-1234",
- "description": "Stack-based buffer overflow in the glob implementation..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 7177,
- "value": "CVE-2016-1234",
- "description": "Stack-based buffer overflow in the glob implementation...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Vulnerability Consume
Authorizations:
Request Body schema: application/json
Array of objects (VulnerabilityFillable) Related Vulnerability | |
| value | string Vulnerability Value |
| description | string Description for the Vulnerability |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| object_code | Array of integers Relate objects of other types by providing a list of IDs. Replace the 'object_code' property with
one of the options to relate objects of that type. |
Responses
Request samples
- Payload
[- {
- "vulnerability": [
- {
- "value": "CVE-2016-1234",
- "description": "Stack-based buffer overflow in the glob implementation..."
}
], - "value": "CVE-2016-1234",
- "description": "Stack-based buffer overflow in the glob implementation...",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "object_code": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "value": "CVE-2016-1234",
- "description": "Stack-based buffer overflow in the glob implementation..."
}
], - "total": 1
}Get Single Vulnerability
Authorizations:
path Parameters
| vulnerability_id required | integer Vulnerability ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Responses
Response samples
- 200
{- "data": {
- "id": 7177,
- "value": "CVE-2016-1234",
- "description": "Stack-based buffer overflow in the glob implementation...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Vulnerability
Authorizations:
path Parameters
| vulnerability_id required | integer Vulnerability ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Vulnerability Value |
| description | string Description for the Vulnerability |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "CVE-2016-1234",
- "description": "Stack-based buffer overflow in the glob implementation..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 7177,
- "value": "CVE-2016-1234",
- "description": "Stack-based buffer overflow in the glob implementation...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a Whitelist Rule
Authorizations:
Request Body schema: application/json
| type_id | integer Indicator Type ID |
| status_id | integer Indicator Status ID |
| rule | string Whitelist Rule Value |
| enabled | string Determines whether the Whitelist Rule is being actively applied |
Responses
Request samples
- Payload
{- "type_id": 11,
- "status_id": 2,
- "rule": "*.threatq.com",
- "enabled": "Y"
}Response samples
- 201
{- "data": {
- "updated_count": 3,
- "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "type_id": 11,
- "status_id": 2,
- "rule": "*.threatq.com",
- "enabled": "Y"
}
}Get a Single Whitelist Rule
Authorizations:
path Parameters
| whitelist_rule_id required | integer Whitelist Rule ID |
query Parameters
| with | string Example: with=type
|
Responses
Response samples
- 200
{- "data": {
- "type": {
- "id": 1,
- "wildcard_matching": "Y",
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "name": "FQDN",
- "class": "network",
- "score": 3
}, - "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "type_id": 11,
- "status_id": 2,
- "rule": "*.threatq.com",
- "enabled": "Y"
}
}Update a Whitelist Rule
Authorizations:
path Parameters
| whitelist_rule_id required | integer Whitelist Rule ID |
query Parameters
| with | string Example: with=type
|
Request Body schema: application/json
| type_id | integer Indicator Type ID |
| status_id | integer Indicator Status ID |
| rule | string Whitelist Rule Value |
| enabled | string Determines whether the Whitelist Rule is being actively applied |
Responses
Request samples
- Payload
{- "type_id": 11,
- "status_id": 2,
- "rule": "*.threatq.com",
- "enabled": "Y"
}Response samples
- 201
{- "data": {
- "type": {
- "id": 1,
- "wildcard_matching": "Y",
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "name": "FQDN",
- "class": "network",
- "score": 3
}, - "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "type_id": 11,
- "status_id": 2,
- "rule": "*.threatq.com",
- "enabled": "Y"
}
}List Whitelist Rules
Authorizations:
query Parameters
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
| sort | string Example: sort=id,created_at
|
| with | string Example: with=type
|
Responses
Response samples
- 200
{- "data": [
- {
- "type": {
- "id": 1,
- "wildcard_matching": "Y",
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "name": "FQDN",
- "class": "network",
- "score": 3
}, - "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "type_id": 11,
- "status_id": 2,
- "rule": "*.threatq.com",
- "enabled": "Y"
}
], - "total": 1
}List Attributes for an Object Type by Attribute ID
This path can be used for any object type installed on the system.
Examples:
Indicator Attributes by Attribute ID: /indicators/:indicator_id/attributes/:attribute_id
Attack Pattern Attributes by Attribute ID: /attack_pattern/:attack_pattern_id/attributes/:attribute_id
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| attribute_id | integer Example: 5 Attribute ID - if not provided, the |
query Parameters
| id | integer Example: id=14,22 Attribute ID. Can be used in lieu of path |
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 11,
- "indicators": [
- {
- "id": 15
}
], - "attribute_id": 7,
- "<object_type>_id": 517,
- "name": "Confidence",
- "value": "High"
}
]
}List Attributes for an Object Type
This path can be used for any object type installed on the system.
Examples:
Indicator Attributes: /indicators/:indicator_id/attributes
Attack Pattern Attributes: /attack_pattern/:attack_pattern_id/attributes
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
query Parameters
| with | Array of strings Example: with=sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "sources": [
- {
- "id": 42,
- "tlp_id": 1,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "published_at": "2017-01-13 15:28:17",
- "pivot": {
- "id": 11,
- "<object_code>_attribute_id": 8,
- "source_id": 42,
- "creator_source_id": 2
}
}
], - "id": 8,
- "attribute_id": 7,
- "<object_type>_id": 517,
- "name": "Confidence",
- "value": "High",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "total": 1
}Create One or More Attributes for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
Request Body schema: application/json
Array of objects or objects (SourceBasics) | |
| attribute_id | integer Attribute ID - the ID for the Attribute Key |
| <object_type>_id | integer Object Type ID - |
| name | string Attribute Name |
| value | string Attribute Value |
Responses
Request samples
- Payload
[- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "attribute_id": 7,
- "<object_type>_id": 517,
- "name": "Confidence",
- "value": "High"
}
]Response samples
- 201
{- "data": [
- {
- "sources": [
- {
- "id": 42,
- "tlp_id": 1,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "published_at": "2017-01-13 15:28:17",
- "pivot": {
- "id": 11,
- "<object_code>_attribute_id": 8,
- "source_id": 42,
- "creator_source_id": 2
}
}
], - "id": 8,
- "attribute_id": 7,
- "<object_type>_id": 517,
- "name": "Confidence",
- "value": "High",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "total": 1
}Get a Single Attribute for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
| object_type_attribute_id required | integer Example: 3 The ID of the Attribute record for the specified Object Type |
query Parameters
| with | Array of strings Example: with=sources
|
Responses
Response samples
- 200
{- "data": [
- {
- "sources": [
- {
- "id": 42,
- "tlp_id": 1,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "published_at": "2017-01-13 15:28:17",
- "pivot": {
- "id": 11,
- "<object_code>_attribute_id": 8,
- "source_id": 42,
- "creator_source_id": 2
}
}
], - "id": 8,
- "attribute_id": 7,
- "<object_type>_id": 517,
- "name": "Confidence",
- "value": "High",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
]
}Update an Attribute for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
| object_type_attribute_id required | integer Example: 3 The ID of the Attribute record for the specified Object Type |
Request Body schema: application/json
| tlp_id | integer Source TLP ID |
| value | string Attribute Value |
Responses
Request samples
- Payload
[- {
- "value": "High",
- "tlp_id": 3
}
]Response samples
- 200
{- "data": [
- {
- "attribute": {
- "id": 1,
- "name": "Confidence",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}, - "id": 8,
- "attribute_id": 7,
- "<object_type>_id": 517,
- "name": "Confidence",
- "value": "High",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
]
}Delete an Attribute for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
| object_type_attribute_id required | integer Example: 3 The ID of the Attribute record for the specified Object Type |
Responses
(Short) Get a Single Comment for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_comment_id required | integer The ID of the Comment record for the specified Object Type |
query Parameters
| with | Array of strings Example: with=indicator,sources
|
Responses
Response samples
- 200
{- "data": {
- "sources": [
- {
- "pivot": {
- "id": 81,
- "creator_source_id": 2
}, - "id": 1,
- "expire_days": 12,
- "expires_needs_calc": "N",
- "score": 6,
- "default_tlp_id": 3,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "indicator": [
- {
- "id": 54,
- "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
- "last_detected_at": "2020-02-28 13:42:51",
- "expires_at": "2020-04-01 03:17:23",
- "expired_at": null,
- "expired_needs_calc": "N",
- "expires_calculated_at": "2020-02-28 18:36:24",
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation.",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "id": 39,
- "<object_type>_id": 517,
- "creator_source_id": 2,
- "value": "There's something odd happening...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}(Short) Update a Comment for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_comment_id required | integer The ID of the Comment record for the specified Object Type |
Request Body schema: application/json
| value | string Comment value |
Responses
Request samples
- Payload
{- "value": "There's something odd happening..."
}Response samples
- 201
{- "data": [
- {
- "sources": [
- {
- "pivot": {
- "id": 81,
- "creator_source_id": 2
}, - "id": 1,
- "expire_days": 12,
- "expires_needs_calc": "N",
- "score": 6,
- "default_tlp_id": 3,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "id": 39,
- "<object_type>_id": 517,
- "creator_source_id": 2,
- "value": "There's something odd happening...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
]
}(Short) Delete a Comment for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_comment_id required | integer The ID of the Comment record for the specified Object Type |
Responses
List Comments for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
query Parameters
| with | Array of strings Example: with=indicator,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "sources": [
- {
- "pivot": {
- "id": 81,
- "creator_source_id": 2
}, - "id": 1,
- "expire_days": 12,
- "expires_needs_calc": "N",
- "score": 6,
- "default_tlp_id": 3,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "indicator": [
- {
- "id": 54,
- "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
- "last_detected_at": "2020-02-28 13:42:51",
- "expires_at": "2020-04-01 03:17:23",
- "expired_at": null,
- "expired_needs_calc": "N",
- "expires_calculated_at": "2020-02-28 18:36:24",
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation.",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "id": 39,
- "<object_type>_id": 517,
- "creator_source_id": 2,
- "value": "There's something odd happening...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "total": 1
}Create a Comment for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
Request Body schema: application/json
| value | string Comment value |
Responses
Request samples
- Payload
[- {
- "value": "There's something odd happening..."
}
]Response samples
- 201
{- "data": [
- {
- "sources": [
- {
- "pivot": {
- "id": 81,
- "creator_source_id": 2
}, - "id": 1,
- "expire_days": 12,
- "expires_needs_calc": "N",
- "score": 6,
- "default_tlp_id": 3,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "id": 39,
- "<object_type>_id": 517,
- "creator_source_id": 2,
- "value": "There's something odd happening...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
]
}Get a Single Comment for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
| object_type_comment_id required | integer The ID of the Comment record for the specified Object Type |
query Parameters
| with | Array of strings Example: with=indicator,sources
|
Responses
Response samples
- 200
{- "data": {
- "sources": [
- {
- "pivot": {
- "id": 81,
- "creator_source_id": 2
}, - "id": 1,
- "expire_days": 12,
- "expires_needs_calc": "N",
- "score": 6,
- "default_tlp_id": 3,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "indicator": [
- {
- "id": 54,
- "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
- "last_detected_at": "2020-02-28 13:42:51",
- "expires_at": "2020-04-01 03:17:23",
- "expired_at": null,
- "expired_needs_calc": "N",
- "expires_calculated_at": "2020-02-28 18:36:24",
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation.",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "id": 39,
- "<object_type>_id": 517,
- "creator_source_id": 2,
- "value": "There's something odd happening...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}Update a Comment for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
| object_type_comment_id required | integer The ID of the Comment record for the specified Object Type |
Request Body schema: application/json
| value | string Comment value |
Responses
Request samples
- Payload
{- "value": "There's something odd happening..."
}Response samples
- 201
{- "data": [
- {
- "sources": [
- {
- "pivot": {
- "id": 81,
- "creator_source_id": 2
}, - "id": 1,
- "expire_days": 12,
- "expires_needs_calc": "N",
- "score": 6,
- "default_tlp_id": 3,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "id": 39,
- "<object_type>_id": 517,
- "creator_source_id": 2,
- "value": "There's something odd happening...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
]
}Delete a Comment for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
| object_type_comment_id required | integer The ID of the Comment record for the specified Object Type |
Responses
List all Entries in a User's Watchlist for an Object Type
This path can be used for any object type installed on the system.
Examples:
Indicator Watchlist: /indicators/watchlist
Attack Pattern Watchlist: /attack_pattern/watchlist
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
Responses
Response samples
- 200
{- "data": [
- {
- "indicator": {
- "id": 54,
- "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
- "last_detected_at": "2020-02-28 13:42:51",
- "expires_at": "2020-04-01 03:17:23",
- "expired_at": null,
- "expired_needs_calc": "N",
- "expires_calculated_at": "2020-02-28 18:36:24",
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation.",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}, - "id": 39,
- "user_id": 42,
- "object_type": "indicator",
- "object_id": 54,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "total": 1
}Bulk Add Entries to a User's Watchlist for an Object Type
This path can be used for any object type installed on the system.
Examples:
Indicator Watchlist: /indicators/:indicator_id/watchlist
Attack Pattern Watchlist: /attack_pattern/:attack_pattern_id/watchlist
Authorizations:
Request Body schema: application/json
| object_ids | Array of integers |
Responses
Request samples
- Payload
{- "object_ids": [
- 2
]
}Response samples
- 200
{- "data": [
- {
- "id": 39,
- "user_id": 42,
- "object_type": "indicator",
- "object_id": 54,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
]
}Get a Single Entry in a User's Watchlist for an Object Type
This path can be used for any object type installed on the system.
Examples:
Indicator Watchlist: /indicators/:indicator_id/watchlist
Attack Pattern Watchlist: /attack_pattern/:attack_pattern_id/watchlist
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
query Parameters
| with | Array of strings Example: with=indicator
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "indicator": {
- "id": 54,
- "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
- "last_detected_at": "2020-02-28 13:42:51",
- "expires_at": "2020-04-01 03:17:23",
- "expired_at": null,
- "expired_needs_calc": "N",
- "expires_calculated_at": "2020-02-28 18:36:24",
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation.",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}, - "id": 39,
- "user_id": 42,
- "object_type": "indicator",
- "object_id": 54,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "total": 1
}Add an Entry to a User's Watchlist for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
Responses
Response samples
- 201
{- "data": {
- "id": 39,
- "user_id": 42,
- "object_type": "indicator",
- "object_id": 54,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}Remove an Entry from a User's Watchlist for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
| object_type_watchlist_id required | integer Example: 12 The ID of the Watchlist entry for the specified Object Type |
Responses
Update an Attribute Source for an Object Type
This path can be used for any object type installed on the system.
Examples:
Indicator Attribute Sources:
/indicators/:indicator_id/attributes/:indicator_attribute_id/sources/:indicator_attribute_source_id
Attack Pattern Sources:
/attack_pattern/:attack_pattern_id/attributes/:attack_pattern_attribute_id/sources/:attack_pattern_attribute_source_id
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
| object_type_attribute_id required | integer Example: 3 The ID of the Attribute record for the specified Object Type |
| object_type_attribute_source_id required | integer Example: 5 The ID of the Attribute Source record for the specified Object Type |
Request Body schema: application/json
| tlp_id | integer Source TLP ID |
Responses
Request samples
- Payload
{- "tlp": {
- "name": "WHITE"
}
}Response samples
- 200
{- "data": [
- {
- "id": 42,
- "tlp_id": 1,
- "<object_type>_attribute_id": 7,
- "source_id": 42,
- "creator_source_id": 2,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "published_at": "2017-01-13 15:28:17"
}
]
}Remove an Attribute Source for an Object Type
This path can be used for any object type installed on the system.
Examples:
Indicator Attribute Sources:
/indicators/:indicator_id/attributes/:indicator_attribute_id/sources/:indicator_attribute_source_id
Attack Pattern Sources:
/attack_pattern/:attack_pattern_id/attributes/:attack_pattern_attribute_id/sources/:attack_pattern_attribute_source_id
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
| object_type_attribute_id required | integer Example: 3 The ID of the Attribute record for the specified Object Type |
| object_type_attribute_source_id required | integer Example: 5 The ID of the Attribute Source record for the specified Object Type |
Responses
List Relation Counts for an Object Type
This path can be used for any object type installed on the system.
Examples:
Indicator Sources: /indicators/:indicator_id/relation-counts
Attack Pattern Sources: /attack_pattern/:attack_pattern_id/relation-counts
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
Responses
Response samples
- 200
{- "data": {
- "indicators": 51,
- "adversaries": 2,
- "events": 7,
- "attachments": 11,
- "signatures": 3,
- "investigations": 6,
- "attack_pattern": 17,
- "campaign": 1,
- "course_of_action": 3,
- "exploit_target": 4,
- "identity": 2,
- "incident": 512,
- "intrusion_set": 5,
- "malware": 13,
- "report": 3,
- "tool": 2,
- "ttp": 10,
- "vulnerability": 11
}
}List Sources for an Object Type
This path can be used for any object type installed on the system.
Examples:
Indicator Sources: /indicators/:indicator_id/sources
Attack Pattern Sources: /attack_pattern/:attack_pattern_id/sources
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
query Parameters
| with | Array of strings Example: with=indicator,tlp
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "tlp": [
- {
- "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "name": "WHITE",
- "description": "Disclosure is not limited.",
- "value": 3,
- "user_editable": "N"
}
], - "indicator": [
- {
- "id": 54,
- "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
- "last_detected_at": "2020-02-28 13:42:51",
- "expires_at": "2020-04-01 03:17:23",
- "expired_at": null,
- "expired_needs_calc": "N",
- "expires_calculated_at": "2020-02-28 18:36:24",
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation.",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "id": 39,
- "tlp_id": 1,
- "<object_type>_id": 517,
- "source_id": 42,
- "creator_source_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "published_at": "2017-01-13 15:28:17"
}
], - "total": 1
}Create a Source for an Object Type
This path can be used for any object type installed on the system.
Examples:
Indicator Sources: /indicators/:indicator_id/sources
Attack Pattern Sources: /attack_pattern/:attack_pattern_id/sources
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
Request Body schema: application/json
| tlp_id | integer Source TLP ID |
| name | string Source Name |
Responses
Request samples
- Payload
[- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
]Response samples
- 201
{- "data": [
- {
- "id": 39,
- "tlp_id": 1,
- "<object_type>_id": 517,
- "source_id": 42,
- "creator_source_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "published_at": "2017-01-13 15:28:17"
}
], - "total": 1
}Get a Single Source for an Object Type
This path can be used for any object type installed on the system.
Examples:
Indicator Sources: /indicators/:indicator_id/sources/:indicator_source_id
Attack Pattern Sources: /attack_pattern/:attack_pattern_id/sources/:attack_pattern_source_id
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
| object_type_source_id required | integer Example: 7 The ID of the Source record for the specified Object Type |
query Parameters
| with | Array of strings Example: with=indicator,tlp
|
Responses
Response samples
- 200
{- "data": {
- "tlp": [
- {
- "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "name": "WHITE",
- "description": "Disclosure is not limited.",
- "value": 3,
- "user_editable": "N"
}
], - "indicator": [
- {
- "id": 54,
- "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
- "last_detected_at": "2020-02-28 13:42:51",
- "expires_at": "2020-04-01 03:17:23",
- "expired_at": null,
- "expired_needs_calc": "N",
- "expires_calculated_at": "2020-02-28 18:36:24",
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation.",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "id": 39,
- "tlp_id": 1,
- "<object_type>_id": 517,
- "source_id": 42,
- "creator_source_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "published_at": "2017-01-13 15:28:17"
}
}Update a Source for an Object Type
This path can be used for any object type installed on the system.
Examples:
Indicator Sources: /indicators/:indicator_id/sources/:indicator_source_id
Attack Pattern Sources: /attack_pattern/:attack_pattern_id/sources/:attack_pattern_source_id
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
| object_type_source_id required | integer Example: 7 The ID of the Source record for the specified Object Type |
Request Body schema: application/json
| tlp_id | integer Source TLP ID |
Responses
Request samples
- Payload
{- "tlp": {
- "name": "WHITE"
}
}Response samples
- 200
{- "data": [
- {
- "id": 39,
- "tlp_id": 1,
- "<object_type>_id": 517,
- "source_id": 42,
- "creator_source_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "published_at": "2017-01-13 15:28:17"
}
]
}Delete a Source for an Object Type
This path can be used for any object type installed on the system.
Examples:
Indicator Sources: /indicators/:indicator_id/sources/:indicator_source_id
Attack Pattern Sources: /attack_pattern/:attack_pattern_id/sources/:attack_pattern_source_id
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
| object_type_source_id required | integer Example: 7 The ID of the Source record for the specified Object Type |
Responses
Generate a Summary PDF for an Object Type
This path can be used for any object type installed on the system.
Examples:
Indicator Summary PDF: /indicators/:indicator_id/summary
Attack Pattern Summary PDF: /attack_pattern/:attack_pattern_id/summary
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
query Parameters
| limit | integer Example: limit=10
|
Responses
List Relationships for an Object Type
This path can be used for any combination of objects installed on the system.
Examples:
Indicators related to an Adversary: /adversaries/:adversary_id/indicators
Indicators related to an Indicator: /indicators/:indicator_id/indicators
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
query Parameters
| with | Array of strings Example: with=sources,pivot.attributes
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "sources": [
- {
- "name": "ThreatQ"
}
], - "pivot": {
- "attributes": [
- {
- "id": 11,
- "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "id": 11,
- "name": "Integration",
- "type": "connectors",
- "pivot": {
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}
], - "comments": [
- {
- "source": {
- "id": 21,
- "name": "Analyst",
- "type": "users",
- "reference_id": 2
}, - "id": 4,
- "value": "There's something odd happening...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "id": "2542",
- "src_type": "indicator",
- "src_object_id": 1,
- "dest_type": "adversary",
- "dest_object_id": 1,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}, - "id": 54,
- "name": "Sad Panda",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17",
- "deleted_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a Relationship for an Object Type
This path can be used for any combination of objects installed on the system.
Examples:
Relate Indicators to an Adversary: /adversaries/:adversary_id/indicators
Relate Indicators to an Indicator: /indicators/:indicator_id/indicators
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
Request Body schema: application/json
| id | integer Destination Object ID - the ID for the object you would like to create a relationship with. |
Responses
Request samples
- Payload
[- {
- "id": 3
}
]Response samples
- 200
{- "data": [
- {
- "pivot": {
- "id": 10,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}, - "id": 54,
- "name": "Sad Panda",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Get a Single Relationship for an Object Type
This path can be used for any combination of objects installed on the system.
Examples:
Indicator related to an Adversary: /adversaries/:adversary_id/indicators/:object_link_id
Indicator related to an Indicator: /indicators/:indicator_id/indicators/:object_link_id
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
| object_link_id required | integer Example: 3 Object Link ID - the ID of the relationship record |
query Parameters
| with | Array of strings Example: with=sources,pivot.attributes
|
Responses
Response samples
- 200
{- "data": {
- "pivot": {
- "attributes": [
- {
- "id": 11,
- "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "id": 11,
- "name": "Integration",
- "type": "connectors",
- "pivot": {
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}
], - "comments": [
- {
- "source": {
- "id": 21,
- "name": "Analyst",
- "type": "users",
- "reference_id": 2
}, - "id": 4,
- "value": "There's something odd happening...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "id": "2542",
- "src_type": "indicator",
- "src_object_id": 1,
- "dest_type": "adversary",
- "dest_object_id": 1,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}, - "sources": [
- {
- "name": "ThreatQ"
}
], - "id": 54,
- "name": "Sad Panda",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Remove a Relationship for an Object Type
This path can be used for any combination of objects installed on the system.
Examples:
Indicator related to an Adversary: /adversaries/:adversary_id/indicators/:object_link_id
Indicator related to an Indicator: /indicators/:indicator_id/indicators/:object_link_id
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
| object_link_id required | integer Example: 3 Object Link ID - the ID of the relationship record |
Responses
List Relationship Attributes for an Object Type
This path can be used for any combination of objects installed on the system.
Examples:
Attributes for an Indicator / Adversary relationship:
/adversaries/:adversary_id/indicators/:object_link_id/attributes
Attributes for an
Indicator / Indicator relationship: /indicators/:indicator_id/indicators/:object_link_id/attributes
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
| object_link_id required | integer Example: 3 Object Link ID - the ID of the relationship record |
query Parameters
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "attribute": {
- "id": 1,
- "name": "Confidence",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}, - "object_link_id": 120,
- "id": 11,
- "name": "Confidence",
- "value": "High",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "total": 1
}Create a Relationship Attribute for an Object Type
This path can be used for any combination of objects installed on the system.
Examples:
Attributes for an Indicator / Adversary relationship:
/adversaries/:adversary_id/indicators/:object_link_id/attributes
Attributes for an
Indicator / Indicator relationship: /indicators/:indicator_id/indicators/:object_link_id/attributes
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
| object_link_id required | integer Example: 3 Object Link ID - the ID of the relationship record |
Request Body schema: application/json
| name | string Attribute Name |
| value | string Attribute Value |
Responses
Request samples
- Payload
{- "name": "Confidence",
- "value": "High"
}Response samples
- 201
{- "object_link_id": 120,
- "id": 11,
- "name": "Confidence",
- "value": "High",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}Get a Single Relationship Attribute for an Object Type
This path can be used for any combination of objects installed on the system.
Examples:
An Attribute for an Indicator / Adversary relationship:
/adversaries/:adversary_id/indicators/:object_link_id/attributes/:object_link_attribute_id
An Attribute for an Indicator / Indicator relationship:
/indicators/:indicator_id/indicators/:object_link_id/attributes/:object_link_attribute_id
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
| object_link_id required | integer Example: 3 Object Link ID - the ID of the relationship record |
| object_link_attribute_id required | integer Example: 3 Object Link Attribute ID |
Responses
Response samples
- 200
{- "data": {
- "attribute": {
- "id": 1,
- "name": "Confidence",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}, - "object_link_id": 120,
- "id": 11,
- "name": "Confidence",
- "value": "High",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}Update a Relationship Attribute for an Object Type
This path can be used for any combination of objects installed on the system.
Examples:
An Attribute for an Indicator / Adversary relationship:
/adversaries/:adversary_id/indicators/:object_link_id/attributes/:object_link_attribute_id
An Attribute for an Indicator / Indicator relationship:
/indicators/:indicator_id/indicators/:object_link_id/attributes/:object_link_attribute_id
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
| object_link_id required | integer Example: 3 Object Link ID - the ID of the relationship record |
| object_link_attribute_id required | integer Example: 3 Object Link Attribute ID |
Request Body schema: application/json
| value | string Attribute Value |
Responses
Request samples
- Payload
{- "value": "High"
}Response samples
- 200
{- "data": {
- "object_link_id": 120,
- "id": 11,
- "name": "Confidence",
- "value": "High",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}Remove a Relationship Attribute for an Object Type
This path can be used for any combination of objects installed on the system.
Examples:
An Attribute for an Indicator / Adversary relationship:
/adversaries/:adversary_id/indicators/:object_link_id/attributes/:object_link_attribute_id
An Attribute for an Indicator / Indicator relationship:
/indicators/:indicator_id/indicators/:object_link_id/attributes/:object_link_attribute_id
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
| object_link_id required | integer Example: 3 Object Link ID - the ID of the relationship record |
| object_link_attribute_id required | integer Example: 3 Object Link Attribute ID |
Responses
List Relationship Comments for an Object Type
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
| object_link_id required | integer Example: 3 Object Link ID - the ID of the relationship record |
query Parameters
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "sources": [
- {
- "pivot": {
- "id": 21,
- "creator_source_id": 2
}, - "id": 1,
- "expire_days": 12,
- "expires_needs_calc": "N",
- "score": 6,
- "default_tlp_id": 3,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "object_link_id": 4,
- "creator_source_id": 2,
- "id": 4,
- "value": "There's something odd happening...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "total": 1
}Create a Relationship Comment for an Object Type
This path can be used for any combination of objects installed on the system.
Examples:
Comments for an Indicator / Adversary relationship:
/adversaries/:adversary_id/indicators/:object_link_id/comments
Comments for an
Indicator / Indicator relationship: /indicators/:indicator_id/indicators/:object_link_id/comments
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
| object_link_id required | integer Example: 3 Object Link ID - the ID of the relationship record |
Request Body schema: application/json
| value | string Comment value |
Responses
Request samples
- Payload
{- "value": "There's something odd happening..."
}Response samples
- 201
{- "data": {
- "sources": [
- {
- "id": 1,
- "expire_days": 12,
- "expires_needs_calc": "N",
- "score": 6,
- "default_tlp_id": 3,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "object_link_id": 4,
- "creator_source_id": 2,
- "id": 4,
- "value": "There's something odd happening...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}Get a Single Relationship Comment for an Object Type
This path can be used for any combination of objects installed on the system.
Examples:
A Comment for an Indicator / Adversary relationship:
/adversaries/:adversary_id/indicators/:object_link_id/comments/:object_link_comment_id
An Comment for an Indicator / Indicator relationship:
/indicators/:indicator_id/indicators/:object_link_id/comments/:object_link_comment_id
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
| object_link_id required | integer Example: 3 Object Link ID - the ID of the relationship record |
| object_link_comment_id required | integer Example: 4 Object Link Comment ID |
Responses
Response samples
- 200
{- "data": {
- "sources": [
- {
- "id": 2,
- "name": "ThreatQ"
}
], - "object_link_id": 4,
- "creator_source_id": 2,
- "id": 4,
- "value": "There's something odd happening...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}Update a Relationship Comment for an Object Type
This path can be used for any combination of objects installed on the system.
Examples:
A Comment for an Indicator / Adversary relationship:
/adversaries/:adversary_id/indicators/:object_link_id/comments/:object_link_comment_id
An Attribute for an Indicator / Indicator relationship:
/indicators/:indicator_id/indicators/:object_link_id/comments/:object_link_comment_id
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
| object_link_id required | integer Example: 3 Object Link ID - the ID of the relationship record |
| object_link_comment_id required | integer Example: 4 Object Link Comment ID |
Request Body schema: application/json
| value | string Comment value |
Responses
Request samples
- Payload
{- "value": "There's something odd happening..."
}Response samples
- 200
{- "data": {
- "sources": [
- {
- "pivot": {
- "id": 21,
- "creator_source_id": 2
}, - "id": 1,
- "expire_days": 12,
- "expires_needs_calc": "N",
- "score": 6,
- "default_tlp_id": 3,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "object_link_id": 4,
- "creator_source_id": 2,
- "id": 4,
- "value": "There's something odd happening...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}Remove a Relationship Comment for an Object Type
This path can be used for any combination of objects installed on the system.
Examples:
A Comment for an Indicator / Adversary relationship:
/adversaries/:adversary_id/indicators/:object_link_id/comments/:object_link_comment_id
A Comment for an Indicator / Indicator relationship:
/indicators/:indicator_id/indicators/:object_link_id/comments/:object_link_comment_id
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
| object_link_id required | integer Example: 3 Object Link ID - the ID of the relationship record |
| object_link_comment_id required | integer Example: 4 Object Link Comment ID |