REST API Reference

Version: 5.9

Last Updated: 12/19/2022


License

ThreatQuotient Proprietary and Confidential

Copyright © 2022 ThreatQuotient, Inc. All rights reserved.

NOTICE: All information contained herein, is, and remains the property of ThreatQuotient, Inc. The intellectual and technical concepts contained herein are proprietary to ThreatQuotient, Inc. and its suppliers and may be covered by U.S. and Foreign Patents, patents in process, and are protected by trade secret or copyright law.

Dissemination of this information or reproduction of this material is strictly forbidden unless prior written permission is obtained from ThreatQuotient, Inc.


Introduction

The ThreatQ API is built on REST principles and uses JSON as a data interchange format.

Base URI

All URIs referenced in this document use the following base: https://hostname/api/, where hostname is replaced with the hostname or IP address of your ThreatQ instance.

Request Format

The ThreatQ API supports the following HTTP verbs:

| Verb | Description |
|------|-------------|
| GET | GET requests retrieve resources. |
| POST | POST requests create resources. |
| PUT | PUT requests update resources. |
| DELETE | DELETE requests delete resources. |

Response Format

All responses are returned in JSON. The response is wrapped in a top-level data envelope, which is an object or an array depending on whether a single item or a collection is returned. If a single item is returned, the data field is an object. If a collection is returned, the data field is an array.

Response Codes

The ThreatQ API uses HTTP status codes to indicate the status of your request.

| Code | Description |
|------|-------------|
| 200 | Object was retrieved successfully. |
| 201 | Object was created successfully. |
| 204 | Object(s) were successfully deleted. |
| 400 | Validation failed (usually as the result of an incorrect request) |
| 401 | Access denied (authorization access token in the header was incorrect / out of date) |
| 403 | Access forbidden (usually as the result of a bad request) |
| 404 | Object not found |

Authentication

ThreatQ uses OAuth 2.0 to authenticate end users. You must have a ThreatQ user account to retrieve an API token. The API token is required for all API requests. The token times out, so you must refresh it periodically.

Authorization workflow

  1. Run a GET request to retrieve your client ID using the following format: https://hostname/assets/js/config.js

  2. Run a POST/token request to retrieve your authorization access token. See POST/token in the Authorization section of this reference for the correct format.

    Include the following parameters:

    • grant_type (password)
    • client_id (retrieved in step 1)

    Example: https://hostname/api/token?grant_type=password&client_id=ab20a55dd9ac779246210d7102a45ee37

    In the request body, include your ThreatQ credentials:

    • email
    • password
  3. Send the access token in the Authorization header (Authorization: Bearer <access_token>) of all subsequent API requests.
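
The workflow above as a small Python client, added here as an example and not ThreatQuotient's own code. It assumes the token response carries the standard OAuth 2.0 `access_token` field, that credentials are sent as a JSON body, and that a timed-out token is replaced by repeating the password grant; `ThreatQAuth`, the `transport` callable and the fake server are hypothetical, and all hostnames, client IDs and credentials are constructed.

```python
import json
from urllib.parse import urlencode


class ThreatQAuth:
    """Bearer-token handling for the authorization workflow (hypothetical helper).

    transport(method, url, headers, body) -> (status, text) performs the HTTP
    call; injecting it keeps this example runnable offline.
    """

    def __init__(self, hostname, client_id, email, password, transport):
        self.base = f"https://{hostname}/api"   # TLS only: credentials travel here
        self._client_id = client_id             # step 1: value read from config.js
        self._creds = {"email": email, "password": password}
        self._transport = transport
        self._token = None

    def _fetch_token(self):
        # Step 2: grant_type and client_id go in the query string;
        # credentials go in the body so they stay out of URL logs.
        query = urlencode({"grant_type": "password", "client_id": self._client_id})
        status, text = self._transport(
            "POST", f"{self.base}/token?{query}",
            {"Content-Type": "application/json"}, json.dumps(self._creds))
        if status not in (200, 201):
            self._token = None
            raise PermissionError(f"token request failed with HTTP {status}")
        # Assumption: standard OAuth 2.0 field name, not shown on this page.
        self._token = json.loads(text)["access_token"]

    def request(self, method, path, body=None):
        """Step 3: send the token on every call; re-authenticate once on 401."""
        if self._token is None:
            self._fetch_token()
        for attempt in (1, 2):
            headers = {"Authorization": f"Bearer {self._token}"}
            payload = None
            if body is not None:
                headers["Content-Type"] = "application/json"
                payload = json.dumps(body)
            status, text = self._transport(method, self.base + path, headers, payload)
            if status == 401 and attempt == 1:
                self._fetch_token()   # token timed out: get a fresh one and retry
                continue
            return status, json.loads(text) if text else None


def make_fake_server(email, password):
    """Constructed stand-in for a ThreatQ instance, for offline runs only."""
    state = {"issued": 0, "live": None, "urls": []}

    def transport(method, url, headers, body):
        state["urls"].append(url)
        if method == "POST" and "/api/token?" in url:
            if json.loads(body) != {"email": email, "password": password}:
                return 401, ""
            state["issued"] += 1
            state["live"] = f"constructed-token-{state['issued']}"
            return 200, json.dumps({"access_token": state["live"]})
        expected = f"Bearer {state['live']}"
        if state["live"] is None or headers.get("Authorization") != expected:
            return 401, ""
        return 200, json.dumps({"data": {"email": email}})

    return transport, state


def demo():
    transport, state = make_fake_server("analyst@example.test", "constructed-password")
    api = ThreatQAuth("threatq.example.test", "constructed-client-id",
                      "analyst@example.test", "constructed-password", transport)
    first = api.request("GET", "/users/current")
    state["live"] = None                      # simulate the token timing out
    second = api.request("GET", "/users/current")
    return first, second, state


if __name__ == "__main__":
    first, second, state = demo()
    print(first[0], second[0], "tokens issued:", state["issued"])
```

In real use, `transport` would wrap an HTTP library call with certificate verification left enabled.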


Object/Parameter Relationships

The following table specifies the parameters available to API endpoints using the “with” query.

NOTE: Examples throughout this API reference are intended to show where you can add a parameter. Use this section as a reference.

| Section | Object | Parameter (Relationships available to the object) |
|---------|--------|---------------------------------------------------|
| Authorization | Client | groups, connector |
| ACL | Group | users, clients, actions |
| | User | groups, source |
| Adversaries | Adversary | adversaries, attachments, attributes, attributes.attribute, comments, description, events, indicators, plugins, pluginActions, signatures, sources, tags, watchlist |
| | Adversary Attribute | attribute, attributes.attribute, sources |
| | Adversary Comment | adversary, sources |
| | Adversary Description | value |
| | Adversary Source | adversary, tlp |
| | Adversary Tag | adversaries |
| | ObjectLink (e.g., Adversary Link) | pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources |
| | ObjectLink Comment | sources |
| Attachments | Attachment | adversaries, attachments, attributes, attributes.attribute, comments, contentType, events, indicators, signatures, sources, tags, type, watchlist |
| | Attachment Attribute | attribute, attributes.attribute, sources |
| | Attachment Comment | attachment, sources |
| | Attachment Source | attachment, tlp |
| | Attachment Tag | attachments |
| | Attachment Type | plugins, pluginActions |
| | ObjectLink (e.g., Adversary Link) | pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources |
| | ObjectLink Comment | sources |
| Connectors | Connector | category, tlp |
| | Connector Category | connectors |
| Events | Event | adversaries, attachments, attributes, attributes.attribute, comments, events, indicators, signatures, sources, spearphish, tags, type, watchlist |
| | Event Attribute | attribute, attributes.attribute, sources |
| | Event Comment | event, sources |
| | Event Source | event, tlp |
| | Event Tag | events |
| | Event Type | events, plugins, pluginActions, pluginObjectTypes |
| | ObjectLink (e.g., Adversary Link) | pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources |
| | ObjectLink Comment | sources |
| Event Imports | Event Import | attachments, creatorSource, events, globalAttributes, globalIndicatorAttributes, globalObjectLinks, indicators, indicatorStatus, objectLinks, type |
| | Event Import Event | attributes, attributes.attribute, import, type |
| | Event Import Event Attribute | event, import |
| | Event Import Global Indicator Attribute | import |
| | Event Import Indicator | attributes, attributes.attribute, comments, import, status, type |
| Eula | Eula | acceptance |
| Exporters | Exporter | dataType, deliveryType, config |
| | Exporter Config | exporter |
| | Exporter Data Type Field | dataType |
| | Exporter Data Type | dataTypeFields, exporters |
| | Exporter Data Type Related Data Type Field | dataType |
| | Exporter Delivery Type Config Option | deliveryType |
| | Exporter Delivery Type | configOptions, exporters |
| Imports | Import | attributes, attributes.attribute, indicators, events, objectLinks, source |
| | Import Event | attributes, attributes.attribute, type |
| | Import Indicator | attributes, attributes.attribute, comments, objectLinks |
| Indicators | Indicator | adversaries, attachments, attributes, attributes.attribute, comments, events, indicators, score, signatures, sources, status, tags, type, watchlist |
| | Indicator Source | indicator, tlp |
| | Indicator Status | indicators |
| | Indicator Tag | indicators |
| | Indicator Type | indicators, plugins, pluginActions, pluginObjectTypes |
| | ObjectLink (e.g., Adversary Link) | pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources |
| | ObjectLink Comment | sources |
| ObjectLinks | ObjectLink Comment | objectLink, sources |
| Plugins | Plugin | action, config, objectType |
| | Plugin Action | objectType |
| Signatures | Signature | adversaries, attachments, attributes, attributes.attribute, comments, events, indicators, signatures, sources, status, type, watchlist |
| | Signature Attribute | attribute, attributes.attribute, sources |
| | Signature Comment | signature, sources |
| | Signature Source | signature, tlp |
| | Signature Status | signatures |
| | Signature Type | plugins, pluginActions, signatures |
| | ObjectLink (e.g., Adversary Link) | pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources |
| | ObjectLink Comment | sources |
| Spearphish | Spearphish | event |
| Tag | Tag | attachments, adversaries, events, indicators |
| Whitelist | Whitelist Rule | type |

Acl

Group List

Get List
GET/groups{?limit,offset,sort,with}

Get a list of Groups.

Example URI

GET /groups?limit=500&offset=100&sort=id&with=users,clients
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: users,clients

A comma-separated list of related objects to include in the response. Options for this endpoint: users, clients, actions.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 4,
  "data": [
    {
      "id": 1,
      "name": "group1",
      "description": "Group 1",
      "is_enabled": 1,
      "created_at": "2017-03-21 14:56:12",
      "updated_at": "2017-03-21 14:56:12",
      "users": [
        {
          "id": 1,
          "display_name": "example@threatq.com",
          "email": "example@threatq.com",
          "type": "user",
          "status": "enabled",
          "lock_expire_at": "0000-00-00 00:00:00",
          "created_at": "-0001-11-30 00:00:00",
          "updated_at": "-0001-11-30 00:00:00",
          "pivot": {
            "group_id": 1,
            "user_id": 1
          }
        }
      ],
      "clients": [
        {
          "id": 5,
          "name": "Client 1",
          "description": null,
          "type": "private",
          "client_id": "otvlotvmhzeynjdiy2rjyzu5mju5mhmy",
          "redirect_uri": null,
          "created_at": "2017-03-21 19:53:06",
          "updated_at": "2017-03-21 19:53:06",
          "pivot": {
            "group_id": 2,
            "client_id": 5
          }
        }
      ],
      "actions": [
        {
          "id": 1,
          "name": "action1",
          "pivot": {
            "group_id": 1,
            "action_id": 1
          }
        },
        {
          "id": 3,
          "name": "action2",
          "pivot": {
            "group_id": 1,
            "action_id": 3
          }
        }
      ]
    },
    {
      "id": 2,
      "name": "group2",
      "description": "Group 2",
      "is_enabled": 1,
      "created_at": "2017-03-21 14:56:12",
      "updated_at": "2017-03-21 14:56:12",
      "users": [
        {
          "id": 1,
          "display_name": "example@threatq.com",
          "email": "example@threatq.com",
          "type": "user",
          "status": "enabled",
          "lock_expire_at": "0000-00-00 00:00:00",
          "created_at": "-0001-11-30 00:00:00",
          "updated_at": "-0001-11-30 00:00:00",
          "pivot": {
            "group_id": 1,
            "user_id": 1
          }
        }
      ],
      "clients": [
        {
          "id": 5,
          "name": "Client 1",
          "description": null,
          "type": "private",
          "client_id": "otvlotvmhzeynjdiy2rjyzu5mju5mhmy",
          "redirect_uri": null,
          "created_at": "2017-03-21 19:53:06",
          "updated_at": "2017-03-21 19:53:06",
          "pivot": {
            "group_id": 2,
            "client_id": 5
          }
        }
      ],
      "actions": [
        {
          "id": 1,
          "name": "action3",
          "pivot": {
            "group_id": 2,
            "action_id": 1
          }
        },
        {
          "id": 3,
          "name": "action4",
          "pivot": {
            "group_id": 2,
            "action_id": 3
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST/groups

Create a new Group.

Example URI

POST /groups
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Group Name",
  "description": "Group Description",
  "is_enabled": "1"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "is_enabled": "1",
    "name": "Group Name",
    "description": "Group Description",
    "updated_at": "2017-04-06 15:57:31",
    "created_at": "2017-04-06 15:57:31",
    "id": 5
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "is_enabled": 1,
    "errors": {
      "name": [
        "The name field is required."
      ],
      "description": [
        "The description field is required."
      ]
    }
  }
}
Response  401

Access denied.

Group

Get Single
GET/groups/{group_id}{?with}

Get a single Group.

Example URI

GET /groups/1?with=users,clients
URI Parameters
group_id
integer (required) Example: 1

Group ID

with
string (optional) Example: users,clients

A comma-separated list of related objects to include in the response. Options for this endpoint: users, clients, actions.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 2,
    "name": "group2",
    "description": "Group 2",
    "is_enabled": 1,
    "created_at": "2017-03-21 14:56:12",
    "updated_at": "2017-03-21 14:56:12",
    "actions": [
      {
        "id": 1,
        "name": "action1",
        "pivot": {
          "group_id": 2,
          "action_id": 1
        }
      },
      {
        "id": 3,
        "name": "action2",
        "pivot": {
          "group_id": 2,
          "action_id": 3
        }
      }
    ],
    "clients": [
      {
        "id": 3,
        "name": "Client 1",
        "description": null,
        "type": "private",
        "client_id": "0790cf895a331b33b1b59f26005c956b",
        "redirect_uri": null,
        "created_at": "2017-03-21 14:56:19",
        "updated_at": "2017-03-21 19:51:12",
        "pivot": {
          "group_id": 2,
          "client_id": 3
        }
      },
      {
        "id": 4,
        "name": "Client 2",
        "description": null,
        "type": "private",
        "client_id": "mtqzmgu1nlq0nwu4zjc0mtu3yjmwl2rl",
        "redirect_uri": null,
        "created_at": "2017-03-21 14:56:19",
        "updated_at": "2017-03-21 14:56:19",
        "pivot": {
          "group_id": 2,
          "client_id": 4
        }
      }
    ],
    "users": [
      {
        "id": 1,
        "display_name": "example@threatq.com",
        "email": "example@threatq.com",
        "type": "user",
        "status": "enabled",
        "lock_expire_at": "0000-00-00 00:00:00",
        "created_at": "-0001-11-30 00:00:00",
        "updated_at": "-0001-11-30 00:00:00",
        "pivot": {
          "group_id": 1,
          "user_id": 1
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT/groups/{group_id}{?with}

Update a Group.

Example URI

PUT /groups/1?with=users,clients
URI Parameters
group_id
integer (required) Example: 1

Group ID

with
string (optional) Example: users,clients

A comma-separated list of related objects to include in the response. Options for this endpoint: users, clients, actions.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Updated Group Name",
  "description": "Updated Group Description",
  "is_enabled": "0"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 5,
    "name": "Updated Group Name",
    "description": "Updated Group Description",
    "is_enabled": "0",
    "created_at": "2017-04-06 15:57:31",
    "updated_at": "2017-04-06 16:11:27",
    "actions": [
      {
        "id": 1,
        "name": "action1",
        "pivot": {
          "group_id": 2,
          "action_id": 1
        }
      },
      {
        "id": 3,
        "name": "action2",
        "pivot": {
          "group_id": 2,
          "action_id": 3
        }
      }
    ],
    "clients": [
      {
        "id": 3,
        "name": "Client 1",
        "description": null,
        "type": "private",
        "client_id": "0790cf895a331b33b1b59f26005c956b",
        "redirect_uri": null,
        "created_at": "2017-03-21 14:56:19",
        "updated_at": "2017-03-21 19:51:12",
        "pivot": {
          "group_id": 2,
          "client_id": 3
        }
      },
      {
        "id": 4,
        "name": "Client 2",
        "description": null,
        "type": "private",
        "client_id": "mtqzmgu1nlq0nwu4zjc0mtu3yjmwl2rl",
        "redirect_uri": null,
        "created_at": "2017-03-21 14:56:19",
        "updated_at": "2017-03-21 14:56:19",
        "pivot": {
          "group_id": 2,
          "client_id": 4
        }
      }
    ],
    "users": [
      {
        "id": 1,
        "display_name": "example@threatq.com",
        "email": "example@threatq.com",
        "type": "user",
        "status": "enabled",
        "lock_expire_at": "0000-00-00 00:00:00",
        "created_at": "-0001-11-30 00:00:00",
        "updated_at": "-0001-11-30 00:00:00",
        "pivot": {
          "group_id": 1,
          "user_id": 1
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE/groups/{group_id}

Delete a Group.

Example URI

DELETE /groups/1
URI Parameters
group_id
integer (required) Example: 1

Group ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Current Permissions

Current Permissions
GET/permissions/current

Get a list of the permissions available to the current user.

Example URI

GET /permissions/current
Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "groups": [
      "analyst"
    ],
    "permissions": {
      "adversaries_adversaries_attributes": "read_write",
      "adversaries_adversaries_comments": "read_write",
      "adversaries_adversaries": "read_write",
      "adversaries_attachments": "read_write",
      "adversaries_attributes": "read_write",
      "adversaries_attributes_sources": "read_write",
      "adversaries_comments": "read_write",
      "adversaries_consume": "read_write",
      "adversaries_description": "read_write",
      "adversaries_events_attributes": "read_write",
      "adversaries_events_comments": "read_write",
      "adversaries_events": "read_write",
      "adversaries_indicators": "read_write",
      "adversaries": "read_write",
      "adversaries_signatures": "read_write",
      "adversaries_sources": "read_write",
      "adversaries_tags": "read_write",
      "adversaries_value_weight": "read_write",
      "adversaries_watchlist": "read_write",
      "attachments_adversaries_attributes": "read_write",
      "attachments_adversaries_comments": "read_write",
      "attachments_adversaries": "read_write",
      "attachments_attributes": "read_write",
      "attachments_attributes_sources": "read_write",
      "attachments_comments": "read_write",
      "attachments_download": "read_write",
      "attachments_events": "read_write",
      "attachments_indicators": "read_write",
      "attachments_malware_lock": "read_write",
      "attachments": "read_write",
      "attachments_signatures": "read_write",
      "attachments_sources": "read_write",
      "attachments_tags": "read_write",
      "attachments_types": "read",
      "attachments_upload": "read_write",
      "attachments_watchlist": "read_write",
      "attributes": "read_write",
      "attributes_search": "read_write",
      "attributes_value_weight": "read_write",
      "configuration_ldap_disable": "read",
      "configuration_ldap_enable": "read",
      "configuration_ldap": "read",
      "configuration_whitelist": "read_write",
      "docs": "read_write",
      "eula_acceptance_latest": "read_write",
      "eula_acceptance": "read_write",
      "eula_latest": "read_write",
      "eula": "read_write",
      "event_types": "read",
      "events_adversaries_attributes": "read_write",
      "events_adversaries_comments": "read_write",
      "events_adversaries": "read_write",
      "events_attachments": "read_write",
      "events_attributes": "read_write",
      "events_attributes_sources": "read_write",
      "events_comments": "read_write",
      "events_consume": "read_write",
      "events_events": "read_write",
      "events_import_attachments": "read_write",
      "events_import_commit": "read_write",
      "events_import_event_attributes": "read_write",
      "events_import_events": "read_write",
      "events_import_globals_indicators_attributes": "read_write",
      "events_import_indicators_attributes": "read_write",
      "events_import_indicators_comments": "read_write",
      "events_import_indicators": "read_write",
      "events_import": "read_write",
      "events_indicators": "read_write",
      "events": "read_write",
      "events_signatures": "read_write",
      "events_sources": "read_write",
      "events_spearphish": "read_write",
      "events_tags": "read_write",
      "events_watchlist": "read_write",
      "files_content_types": "read_write",
      "imports_commit": "read_write",
      "imports_events": "read_write",
      "imports_indicators_attributes": "read_write",
      "imports_indicators_comments": "read_write",
      "imports_indicators_links": "read_write",
      "imports_indicators_objectlinks_attributes": "read_write",
      "imports_indicators_objectlinks_comments": "read_write",
      "imports_indicators_objectlinks": "read_write",
      "imports_indicators": "read_write",
      "imports": "read_write",
      "imports_upload_check": "read_write",
      "indicator_scores_overview": "read_write",
      "indicator_scores": "read_write",
      "indicator_statuses": "read",
      "indicator_types": "read",
      "indicators_adversaries_attributes": "read_write",
      "indicators_adversaries_comments": "read_write",
      "indicators_adversaries": "read_write",
      "indicators_attachments": "read_write",
      "indicators_attributes": "read_write",
      "indicators_attributes_sources": "read_write",
      "indicators_bulk_details": "read",
      "indicators_bulk": "read_write",
      "indicators_comments": "read_write",
      "indicators_consume_new": "read_write",
      "indicators_consume": "read_write",
      "indicators_details": "read",
      "indicators_events": "read_write",
      "indicators_expiration": "read_write",
      "indicators_indicators": "read_write",
      "indicators": "read_write",
      "indicators_scorable": "read",
      "indicators_search": "read_write",
      "indicators_signatures": "read_write",
      "indicators_sources": "read_write",
      "indicators_tags": "read_write",
      "indicators_watchlist": "read_write",
      "logout": "read_write",
      "objectlinks_attributes_sources": "read_write",
      "objectlinks_comments": "read_write",
      "permissions_current": "read_write",
      "plugins_actions": "read",
      "plugins_config": "read_write",
      "plugins_disable_proxy": "read_write",
      "plugins_disable": "read_write",
      "plugins_enable_proxy": "read_write",
      "plugins_enable": "read_write",
      "plugins_execute": "read_write",
      "plugins_object_types": "read",
      "plugins": "read_write",
      "reports_adversaries_auditlog": "read",
      "reports_adversaries_indicator_distribution": "read",
      "reports_adversaries_indicators": "read",
      "reports_adversaries_summary": "read",
      "reports_adversaries_timeline": "read",
      "reports_attachments_auditlog": "read",
      "reports_attributes_attribute_indicator_counts": "read",
      "reports_attributes_attribute_value_counts": "read",
      "reports_configuration_version": "read",
      "reports_events_adversary_spearphish_monthly": "read",
      "reports_events_auditlog": "read",
      "reports_events_summary": "read",
      "reports_events_timeline": "read",
      "reports_exports_highcharts": "read",
      "reports_files_attachment_types": "read",
      "reports_indicators_attack_phases": "read",
      "reports_indicators_auditlog": "read",
      "reports_indicators_incoming_intelligence_overview": "read",
      "reports_indicators_indicators_created_recent": "read",
      "reports_indicators_indicators_source_type": "read",
      "reports_indicators_indicators_type_overview": "read",
      "reports_indicators_spearphish": "read",
      "reports_indicators_summary": "read",
      "reports_indicators_timeline": "read",
      "reports_indicators_totals_by_status": "read",
      "reports_signatures_auditlog": "read",
      "score_configuration": "read",
      "score_range": "read_write",
      "search_advanced": "read_write",
      "search": "read",
      "signature_statuses": "read_write",
      "signature_types": "read",
      "signatures_adversaries_attributes": "read_write",
      "signatures_adversaries_comments": "read_write",
      "signatures_adversaries": "read_write",
      "signatures_attachments": "read_write",
      "signatures_attributes": "read_write",
      "signatures_attributes_sources": "read_write",
      "signatures_comments": "read_write",
      "signatures_consume": "read_write",
      "signatures_events": "read_write",
      "signatures_import": "read_write",
      "signatures_indicators": "read_write",
      "signatures": "read_write",
      "signatures_signatures": "read_write",
      "signatures_sources": "read_write",
      "signatures_watchlist": "read_write",
      "sources": "read_write",
      "spearphish_attachments": "read_write",
      "tags": "read_write",
      "tlp": "read",
      "token": "read_write",
      "users_activity": "read",
      "users_current": "read_write",
      "watchlist": "read",
      "whitelist_rules_consume": "read_write",
      "whitelist_rules_count": "read_write",
      "whitelist_rules": "read_write"
    }
  }
}
Response  401

Access denied.
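
A least-privilege check over the `GET /permissions/current` response shown above, added here as an example and not part of the ThreatQ reference. `audit_permissions` and the `REQUIRED` allow-list are hypothetical; the sample body is constructed from permission names that appear in the response above, and a permission absent from the response is assumed to mean no access.

```python
LEVELS = {"read": 1, "read_write": 2}   # the two values seen in the response above


def audit_permissions(response, required):
    """Compare what an account is granted with what an integration needs.

    response: parsed JSON body of GET /permissions/current
    required: {permission_name: "read" | "read_write"} (hypothetical allow-list)
    """
    granted = response["data"]["permissions"]
    report = {"excess": {}, "missing": {}, "unrecognized": {}}

    for name, level in sorted(granted.items()):
        if level not in LEVELS:
            # Fail closed: a value this script does not understand needs review.
            report["unrecognized"][name] = level
            continue
        need = required.get(name)
        if need is None:
            report["excess"][name] = f"{level} granted, none needed"
        elif LEVELS[level] > LEVELS[need]:
            report["excess"][name] = f"{level} granted, {need} needed"

    for name, need in sorted(required.items()):
        have = granted.get(name)
        if LEVELS.get(have, 0) < LEVELS[need]:
            report["missing"][name] = f"{have or 'nothing'} granted, {need} needed"
    return report


# Constructed sample: a subset of the permission names from the response above.
SAMPLE = {
    "data": {
        "groups": ["analyst"],
        "permissions": {
            "indicators": "read_write",
            "indicators_search": "read_write",
            "indicator_types": "read",
            "plugins_execute": "read_write",
            "configuration_whitelist": "read_write",
            "tlp": "read",
        },
    }
}

# Hypothetical needs of a read-only enrichment integration.
REQUIRED = {
    "indicators": "read",
    "indicators_search": "read_write",
    "indicator_types": "read",
    "attachments_download": "read",
}


def demo():
    return audit_permissions(SAMPLE, REQUIRED)


if __name__ == "__main__":
    for section, items in demo().items():
        print(section)
        for name, detail in items.items():
            print(f"  {name}: {detail}")
```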

User List

Get List
GET/users{?limit,offset,sort,with}

Get a list of Users. Only users with super or administrator permissions may access this endpoint.

Example URI

GET /users?limit=500&offset=100&sort=id&with=groups,source
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: groups,source

A comma-separated list of related objects to include in the response. Options for this endpoint: groups, source, eulaAcceptances, eulaAcceptances.eula.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 1,
  "data": [
    {
      "id": 1,
      "display_name": "user1@threatq.com",
      "email": "user1@threatq.com",
      "type": "user",
      "status": "enabled",
      "lock_expire_at": "0000-00-00 00:00:00",
      "created_at": "-0001-11-30 00:00:00",
      "updated_at": "-0001-11-30 00:00:00",
      "groups": [
        {
          "id": 1,
          "name": "group1",
          "description": "Group 1",
          "is_enabled": 1,
          "created_at": "2017-03-21 14:56:12",
          "updated_at": "2017-03-21 14:56:12",
          "pivot": {
            "user_id": 1,
            "group_id": 1,
            "created_at": "-0001-11-30 00:00:00",
            "updated_at": "-0001-11-30 00:00:00"
          }
        }
      ],
      "source": {
        "id": 8,
        "type": "users",
        "name": "source1@threatq.com",
        "expire_days": null,
        "score": 0,
        "created_at": "2017-03-21 19:58:17",
        "updated_at": "2017-03-24 22:07:21"
      },
      "eula_acceptances": [
        {
          "id": 6,
          "user_id": 1,
          "eula_id": 1,
          "created_at": "2021-03-30 16:03:01",
          "updated_at": "2021-03-30 16:03:01",
          "eula": {
            "id": 1,
            "license_type": "ON_PREM_CUST",
            "text": "THREATQUOTIENT, INC.\n\nEND USER LICENSE AGREEMENT...",
            "version": "2.0",
            "hash": "08d1c9165e5f62365e1535f1958ef8ec",
            "created_at": "2021-03-29 19:47:50",
            "updated_at": "2021-03-29 19:47:50"
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Response  403

Access forbidden.

Create New
POST/users

Create a new User. Only users with super or administrator permissions may access this endpoint.

Example URI

POST /users
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "display_name": "User2",
  "email": "user2@threatq.com",
  "group_id": "3",
  "password": "thisisapassword",
  "password_confirmation": "thisisapassword",
  "status": "enabled",
  "type": "user"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 7,
    "display_name": "User2",
    "email": "user2@threatq.com",
    "type": "user",
    "status": "enabled",
    "lock_expire_at": "0000-00-00 00:00:00",
    "created_at": "2017-04-05 21:23:09",
    "updated_at": "2017-04-05 21:23:09"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "type": "user",
    "status": "disabled",
    "errors": {
      "display_name": [
        "The display name field is required."
      ],
      "email": [
        "The email field is required."
      ],
      "password": [
        "The password field is required."
      ],
      "group_id": [
        "The group id field is required."
      ]
    }
  }
}
Response  401

Access denied.

Response  403

Access forbidden.

Current User

Current User
GET/users/current

Get the current user.

Example URI

GET /users/current
Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "display_name": "Threat Quotient",
    "email": "threatq@threatq.com",
    "type": "user",
    "status": "enabled",
    "lock_expire_at": "0000-00-00 00:00:00",
    "created_at": "2017-04-05 19:59:20",
    "updated_at": "2017-04-05 19:59:20",
    "source": {
      "id": 5,
      "type": "users",
      "name": "Threat Quotient",
      "expire_days": null,
      "score": null,
      "created_at": "2017-04-05 19:59:20",
      "updated_at": "2017-04-05 19:59:20"
    }
  }
}
Response  401

Access denied.

User Profile

User Profile
PUT/users/profile

Update the currently authenticated User’s password.

Example URI

PUT /users/profile
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "password": "new_password",
  "password_confirmation": "new_password",
  "display_name": "New Display Name",
  "email": "new@email.com"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 1,
    "display_name": "User 1",
    "email": "user1@threatq.com",
    "type": "user",
    "status": "enabled",
    "lock_expire_at": "0000-00-00 00:00:00",
    "created_at": "2017-08-24 15:30:06",
    "updated_at": "2017-08-24 15:35:51"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 1,
    "display_name": "User 1",
    "email": "user1@threatq.com",
    "type": "user",
    "status": "enabled",
    "lock_expire_at": "0000-00-00 00:00:00",
    "created_at": "2017-08-24 15:30:06",
    "updated_at": "2017-08-24 15:35:51",
    "password_confirmation": "new_password",
    "errors": {
      "password": [
        "The password format is invalid."
      ]
    }
  }
}
Response  401

Access denied.

User

Get Single
GET/users/{user_id}{?with}

Get a single User. Only users with super or administrator permissions may access this endpoint.

Example URI

GET /users/1?with=groups,source
URI Parameters
user_id
integer (required) Example: 1

User ID

with
string (optional) Example: groups,source

A comma-separated list of related objects to include in the response. Options for this endpoint: groups, source, eulaAcceptances, eulaAcceptances.eula.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "display_name": "user1@threatq.com",
    "email": "user1@threatq.com",
    "type": "user",
    "status": "enabled",
    "lock_expire_at": "0000-00-00 00:00:00",
    "created_at": "-0001-11-30 00:00:00",
    "updated_at": "-0001-11-30 00:00:00",
    "groups": [
      {
        "id": 1,
        "name": "group1",
        "description": "Group 1",
        "is_enabled": 1,
        "created_at": "2017-03-21 14:56:12",
        "updated_at": "2017-03-21 14:56:12",
        "pivot": {
          "user_id": 1,
          "group_id": 1,
          "created_at": "-0001-11-30 00:00:00",
          "updated_at": "-0001-11-30 00:00:00"
        }
      }
    ],
    "source": {
      "id": 8,
      "type": "users",
      "name": "source1@threatq.com",
      "expire_days": null,
      "score": 0,
      "created_at": "2017-03-21 19:58:17",
      "updated_at": "2017-03-24 22:07:21"
    },
    "eula_acceptances": [
      {
        "id": 6,
        "user_id": 1,
        "eula_id": 1,
        "created_at": "2021-03-30 16:03:01",
        "updated_at": "2021-03-30 16:03:01",
        "eula": {
          "id": 1,
          "license_type": "ON_PREM_CUST",
          "text": "THREATQUOTIENT, INC.\n\nEND USER LICENSE AGREEMENT...",
          "version": "2.0",
          "hash": "08d1c9165e5f62365e1535f1958ef8ec",
          "created_at": "2021-03-29 19:47:50",
          "updated_at": "2021-03-29 19:47:50"
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  403

Access forbidden.

Response  404

Object not found.

Update
PUT /users/{user_id}{?with}

Update a User. Only users with super or administrator permissions may access this endpoint. If LDAP is enabled, LDAP users cannot update passwords.

Example URI

PUT /users/1?with=groups,source
URI Parameters
user_id
integer (required) Example: 1

User ID

with
string (optional) Example: groups,source

A comma-separated list of related objects to include in the response. Options for this endpoint: groups, source, eulaAcceptances, eulaAcceptances.eula.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "display_name": "User 3",
  "email": "user3@threatq.com",
  "group_id": "4",
  "password": "thisisanewpassword",
  "password_confirmation": "thisisanewpassword",
  "status": "enabled",
  "type": "user"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 7,
    "display_name": "User 3",
    "email": "user3@threatq.com",
    "type": "user",
    "status": "enabled",
    "lock_expire_at": "0000-00-00 00:00:00",
    "created_at": "2017-04-05 21:23:09",
    "updated_at": "2017-04-06 14:44:18",
    "groups": [
      {
        "id": 1,
        "name": "group1",
        "description": "Group 1",
        "is_enabled": 1,
        "created_at": "2017-03-21 14:56:12",
        "updated_at": "2017-03-21 14:56:12",
        "pivot": {
          "user_id": 1,
          "group_id": 1,
          "created_at": "-0001-11-30 00:00:00",
          "updated_at": "-0001-11-30 00:00:00"
        }
      }
    ],
    "source": {
      "id": 8,
      "type": "users",
      "name": "source1@threatq.com",
      "expire_days": null,
      "score": 0,
      "created_at": "2017-03-21 19:58:17",
      "updated_at": "2017-03-24 22:07:21"
    }
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 7,
    "display_name": "User2",
    "email": "user2@threatq.com",
    "type": "user",
    "status": "enabled",
    "lock_expire_at": "0000-00-00 00:00:00",
    "created_at": "2017-04-05 21:23:09",
    "updated_at": "2017-04-05 21:23:09",
    "password_confirmation": "thisisapassword",
    "errors": {
      "password": [
        "The password confirmation does not match."
      ]
    }
  }
}
Response  401

Access denied.

Response  403

Access forbidden.

Response  404

Object not found.

Delete
DELETE /users/{user_id}

Delete a User. Only users with super or administrator permissions may access this endpoint.

Example URI

DELETE /users/1
URI Parameters
user_id
integer (required) Example: 1

User ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  403

Access forbidden.

Response  404

Object not found.

User Activity

User Activity
GET /users/{user_id}/activity{?limit,offset,sort}

Get a user’s activity.

Example URI

GET /users/1/activity?limit=500&offset=100&sort=id
URI Parameters
user_id
integer (required) Example: 1

User ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 11,
  "data": [
    {
      "id": 1,
      "user_id": 1,
      "email": "user1@threatq.com",
      "event_type": "Successful Login",
      "ipaddress": "172.28.128.1",
      "created_at": "2017-04-05 20:06:26"
    },
    {
      "id": 2,
      "user_id": 1,
      "email": "user1@threatq.com",
      "event_type": "Successful Login",
      "ipaddress": "172.28.128.1",
      "created_at": "2017-04-05 20:08:41"
    },
    {
      "id": 3,
      "user_id": 1,
      "email": "user1@threatq.com",
      "event_type": "Successful Login",
      "ipaddress": "172.28.128.1",
      "created_at": "2017-04-05 20:09:25"
    }
  ]
}
Response  401

Access denied.

Response  404

Object not found.
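
The following is an added example, not part of the ThreatQuotient documentation: it pages through the User Activity response envelope (total, data) with limit and offset, then summarises "Successful Login" records by source address against a list of expected networks. The fetch function is an offline stand-in for the endpoint, offset is assumed to be zero-based, and the sample records, the PLACEHOLDER_EVENT type and the expected network are constructed.

```python
import ipaddress
from collections import Counter


def rec(rid, user_id, event_type, ip):
    """Build one record in the documented activity shape (constructed data)."""
    return {"id": rid, "user_id": user_id, "email": f"user{user_id}@threatq.com",
            "event_type": event_type, "ipaddress": ip,
            "created_at": "2017-04-05 20:06:26"}


# Records 1-3 mirror the page's example; the rest are invented for the demo.
SAMPLE_ACTIVITY = [
    rec(1, 1, "Successful Login", "172.28.128.1"),
    rec(2, 1, "Successful Login", "172.28.128.1"),
    rec(3, 1, "Successful Login", "172.28.128.1"),
    rec(4, 1, "Successful Login", "203.0.113.7"),    # outside the expected range
    rec(5, 1, "PLACEHOLDER_EVENT", "172.28.128.1"),  # hypothetical event type
    rec(6, 1, "Successful Login", ""),               # address missing
    rec(7, 2, "Successful Login", "172.28.128.1"),   # a different user
]


def make_offline_fetch(records):
    """Stand-in for GET /users/{user_id}/activity?limit=&offset=&sort=."""
    def fetch(user_id, limit, offset, sort="id"):
        field = sort.lstrip("-")  # a leading minus sign reverses the order
        rows = sorted((r for r in records if r["user_id"] == user_id),
                      key=lambda r: r[field], reverse=sort.startswith("-"))
        return {"total": len(rows), "data": rows[offset:offset + limit]}
    return fetch


def iter_activity(fetch, user_id, page_size=500, sort="id"):
    """Yield every activity record, following limit/offset until total is reached."""
    offset = 0
    while True:
        page = fetch(user_id, limit=page_size, offset=offset, sort=sort)
        rows = page.get("data", [])
        if not rows:
            return  # empty page: stop even if total claims more
        yield from rows
        offset += len(rows)
        if offset >= page.get("total", 0):
            return


def summarise_logins(rows, expected_networks):
    """Count successful logins per address and list record ids worth a look."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    by_type, by_ip = Counter(), Counter()
    unexpected, malformed = [], []
    for row in rows:
        by_type[row.get("event_type")] += 1
        if row.get("event_type") != "Successful Login":
            continue
        try:
            addr = ipaddress.ip_address(row.get("ipaddress"))
        except ValueError:
            malformed.append(row["id"])  # empty or unparsable address
            continue
        by_ip[str(addr)] += 1
        if not any(addr in net for net in nets):
            unexpected.append(row["id"])
    return {"events_by_type": dict(by_type), "logins_by_ip": dict(by_ip),
            "unexpected_ids": unexpected, "malformed_ids": malformed}


if __name__ == "__main__":
    fetch = make_offline_fetch(SAMPLE_ACTIVITY)
    rows = list(iter_activity(fetch, user_id=1, page_size=2))
    print(summarise_logins(rows, ["172.28.128.0/24"]))
```

To run it against a live instance, replace the offline fetch with a function that issues the documented GET with the Authorization: Bearer header and returns the parsed JSON body.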

Adversaries

Adversary List

Get List
GET /adversaries{?limit,offset,sort,with}

Get a list of Adversaries.

Example URI

GET /adversaries?limit=500&offset=100&sort=id&with=adversaries,attachments
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: adversaries,attachments

A comma-separated list of related objects to include in the response. Options for this endpoint: adversaries, attachments, attributes, comments, description, events, indicators, plugins, pluginActions, signatures, sources, tags, valueWeight, watchlist.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 1,
  "data": [
    {
      "id": 1,
      "name": "BOOMER",
      "created_at": "2017-03-23 20:38:39",
      "updated_at": "2017-03-23 20:38:39",
      "touched_at": "2017-04-03 15:09:41",
      "adversaries": [
        {
          "id": 2,
          "name": "AMOROUS PANDA",
          "created_at": "2017-04-13 00:12:14",
          "updated_at": "2017-04-13 00:12:14",
          "touched_at": "2017-06-28 00:55:56",
          "pivot": {
            "id": 62204,
            "created_at": "2017-06-28 00:55:56",
            "updated_at": "2017-06-28 00:55:56"
          }
        }
      ],
      "attachments": [
        {
          "id": 3,
          "type_id": 3,
          "title": "EXE like script",
          "name": "Honeybooboo.sh",
          "hash": "51774564f8d78fbddbfa22e1e7459af4",
          "content_type_id": 1,
          "file_size": 234234,
          "malware_locked": 1,
          "description": null,
          "created_at": "2017-06-22 15:06:21",
          "updated_at": "2017-06-22 15:06:21",
          "touched_at": "2017-06-28 00:56:44",
          "pivot": {
            "id": 62205,
            "created_at": "2017-06-28 00:56:44",
            "updated_at": "2017-06-28 00:56:44"
          }
        }
      ],
      "attributes": [
        {
          "id": 1,
          "adversary_id": 1,
          "attribute_id": 252,
          "value": "Attribute Value",
          "created_at": "2017-06-28 00:57:49",
          "updated_at": "2017-06-28 00:57:49",
          "name": "My Attribute",
          "attribute": {
            "id": 252,
            "name": "My Attribute",
            "created_at": "2017-06-28 00:57:49",
            "updated_at": "2017-06-28 00:57:49"
          }
        }
      ],
      "comments": [
        {
          "id": 54,
          "adversary_id": 1,
          "value": "A random comment appeared.",
          "creator_source_id": 8,
          "created_at": "2017-06-28 00:58:55",
          "updated_at": "2017-06-28 00:58:55"
        }
      ],
      "description": {
        "id": 1,
        "adversary_id": 1,
        "value_id": 1,
        "created_at": "2017-03-23 20:38:39"
      },
      "events": [
        {
          "id": 434,
          "type_id": 3,
          "title": "SQL - 0/uB|*dgNjMEHXz(q%b,Pqm*ufQS{g",
          "description": "",
          "happened_at": "2017-05-15 17:05:01",
          "hash": "1531ce6ae74370a9ac9267eb7ff1c008",
          "created_at": "2017-05-15 17:05:01",
          "updated_at": "2017-05-15 17:05:01",
          "touched_at": "2017-06-27 15:09:22",
          "pivot": {
            "id": 61869,
            "created_at": "2017-04-16 18:44:38",
            "updated_at": "2017-06-27 15:09:19"
          }
        }
      ],
      "indicators": [
        {
          "id": 549,
          "type_id": 4,
          "status_id": 3,
          "class": "network",
          "hash": "02a727a516e305b50c998f11acf75f9b",
          "value": "sethc.exe",
          "description": null,
          "last_detected_at": "2013-11-12 06:22:41",
          "expires_at": null,
          "expired_at": null,
          "expires_calculated_at": null,
          "created_at": "2017-06-27 15:07:24",
          "updated_at": "2017-06-27 15:07:24",
          "touched_at": "2017-06-27 15:09:18",
          "pivot": {
            "id": 16032,
            "created_at": "2017-04-16 21:50:44",
            "updated_at": "2017-06-27 15:09:01"
          }
        }
      ],
      "plugins": [
        {
          "id": 1,
          "name": "plugin1",
          "friendly_name": "Plugin 1",
          "description": "A custom plugin",
          "package_name": "my-package",
          "version": "0.0.1",
          "required_threatq_version": "2.1",
          "author": "Me",
          "logo_path": "logo.png",
          "enabled": 1,
          "disable_proxy": 0,
          "created_at": "2017-06-27 15:06:45",
          "updated_at": "2017-06-28 01:07:10",
          "deleted_at": null,
          "object_type_id": 1
        }
      ],
      "plugin_actions": [
        {
          "id": 1,
          "plugin_id": 1,
          "name": "action1",
          "description": "Action 1",
          "logo_path": "logo.png",
          "created_at": "2017-06-27 15:06:45",
          "updated_at": "2017-06-27 15:06:45",
          "object_type_id": 1
        }
      ],
      "signatures": [
        {
          "id": 202,
          "name": "ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 27 (2019448:1)",
          "description": "",
          "hash": "32eb2da7b59c7e85fbeec98f90adaf2d",
          "value": "alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:\"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 27\"; flow:established,to_server; content:\"%6e%61m%65[\"; nocase; fast_pattern:only; http_client_body; pcre:\"/(?:^|&|Content-Disposition[\\x3a][^\\n]*?name\\s*?=\\s*?[\\x22\\x27])\\%6e\\%61m\\%65\\[[^\\x5d]*?\\W/Pi\"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019448; rev:1;)",
          "status_id": 6,
          "type_id": 1,
          "last_detected_at": null,
          "created_at": "2017-06-27 15:08:53",
          "updated_at": "2017-06-27 15:08:53",
          "touched_at": "2017-06-28 01:10:58",
          "pivot": {
            "id": 62208,
            "created_at": "2017-06-28 01:10:58",
            "updated_at": "2017-06-28 01:10:58"
          }
        }
      ],
      "sources": [
        {
          "id": 19,
          "type": "other_sources",
          "name": "Source 1",
          "tlp_id": null,
          "created_at": "2017-03-23 20:38:39",
          "updated_at": "2017-03-23 20:38:39",
          "published_at": null,
          "pivot": {
            "adversary_id": 1,
            "source_id": 19,
            "id": 1,
            "creator_source_id": 8
          }
        }
      ],
      "tags": [
        {
          "id": 1,
          "name": "Yet Another Tag Name",
          "pivot": {
            "object_id": 1,
            "tag_id": 1,
            "created_at": "2017-06-28 01:12:27",
            "updated_at": "2017-06-28 01:12:27"
          }
        }
      ],
      "value_weight": {
        "id": 1,
        "object_type": "adversary",
        "object_id": 1,
        "score": 1,
        "created_at": "2017-06-28 01:13:25",
        "updated_at": "2017-06-28 01:13:25"
      },
      "watchlist": [
        {
          "id": 1,
          "user_id": 1,
          "object_type": "adversary",
          "object_id": 1,
          "created_at": "2017-06-27 18:39:18",
          "updated_at": "2017-06-27 18:39:18"
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /adversaries

Create a new Adversary.

Example URI

POST /adversaries
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Adversary Name",
  "sources": [
    {
      "name": "Adversary source",
      "tlp": {
        "name": "GREEN"
      }
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "name": "Adversary Name",
    "updated_at": "2017-03-01 16:12:18",
    "created_at": "2017-03-01 16:12:18",
    "id": 243,
    "sources": [
      {
        "type": "other_sources",
        "name": "Adversary Source",
        "updated_at": "2017-03-01 16:12:18",
        "created_at": "2017-03-01 16:12:18",
        "id": 85
      }
    ]
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "errors": {
      "name": [
        "The name field is required."
      ]
    }
  }
}
Response  401

Access denied.

Adversary Comment Short

Delete
DELETE /adversaries/comments/{adversary_comment_id}

Delete an Adversary Comment.

Example URI

DELETE /adversaries/comments/2
URI Parameters
adversary_comment_id
integer (required) Example: 2

Adversary Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Get Single
GET /adversaries/comments/{adversary_comment_id}{?with}

Get a single Adversary Comment.

Example URI

GET /adversaries/comments/2?with=adversary,sources
URI Parameters
adversary_comment_id
integer (required) Example: 2

Adversary Comment ID

with
string (optional) Example: adversary,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: adversary, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /adversaries/comments/{adversary_comment_id}{?with}

Update an Adversary Comment.

Example URI

PUT /adversaries/comments/2?with=adversary,sources
URI Parameters
adversary_comment_id
integer (required) Example: 2

Adversary Comment ID

with
string (optional) Example: adversary,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: adversary, sources.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 62,
    "adversary_id": 1,
    "value": "This is an updated comment.",
    "creator_source_id": 5,
    "created_at": "2017-03-01 19:46:23",
    "updated_at": "2017-03-01 20:06:04",
    "sources": [
      {
        "id": 5,
        "type": "users",
        "name": "Threat Quotient",
        "expire_days": null,
        "score": null,
        "created_at": "2017-02-28 20:13:18",
        "updated_at": "2017-02-28 20:13:18",
        "pivot": {
          "id": 62,
          "creator_source_id": 5
        }
      }
    ]
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "The current authenticated owner is not the owner of this comment."
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Adversary Consume

Adversary Consume
POST /adversaries/consume

Consume a list of Adversary objects.

Required fields: name

Optional fields: description, published_at, tlp (an object with a name field) or tlp_id, sources, attributes, comments, and tags

Relations can also be included as optional fields in the request: adversaries, attachments, attack_pattern, campaign, course_of_action, events, exploit_target, identity, incident, indicators, intrusion_set, malware, report, signatures, tool, ttp, and vulnerability.

When including relations, if the relation is of the same type as the endpoint used (e.g. related adversaries on Adversary Consume), the relation can be defined using the required fields. Otherwise, relations must be created in advance and the resulting IDs should be used in the request.

Note: Objects that already exist in the system will not be duplicated; any new context in the request will be added to the existing object. This endpoint does not fail on validation - any errors will be included in the response object.

Example URI

POST /adversaries/consume
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "name": "Deadeye Jackal",
    "tlp": {
      "name": "WHITE"
    },
    "published_at": "2017-01-01 00:00:00",
    "adversaries": [
      {
        "name": "Keyhole Panda"
      }
    ],
    "comments": [
      {
        "value": "Found this during the investigation."
      }
    ]
  },
  {
    "name": "Numbered Panda",
    "tlp_id": 3,
    "attributes": [
      {
        "name": "Industry",
        "value": "Hospitals"
      }
    ],
    "indicators": [
      {
        "id": 3
      },
      {
        "id": 4
      }
    ]
  },
  {
    "name": "Boulder Bear",
    "description": [
      {
        "value": "This bear is from Colorado."
      }
    ],
    "sources": [
      {
        "name": "Digital Shadows",
        "tlp": "AMBER"
      }
    ],
    "tags": [
      {
        "name": "Internal"
      }
    ]
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 4,
  "data": [
    {
      "name": "Deadeye Jackal",
      "id": 187
    },
    {
      "name": "Numbered Panda",
      "id": 188
    },
    {
      "name": "Boulder Bear",
      "id": 189
    },
    {
      "name": "Keyhole Panda",
      "id": 190
    }
  ]
}
Response  401

Access denied.
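
Because Adversary Consume returns 201 even when individual objects fail validation, a client should check the payload before sending and reconcile the response afterwards. The following is an added example, not part of the ThreatQuotient documentation: preflight() applies the field and relation rules stated above, and reconcile() assumes that a consumed object appears in data with its name and id, as in the 201 example (the shape of reported errors is not documented on this page, so it is not parsed). The request and response literals are trimmed copies of the page's examples.

```python
SAME_TYPE_RELATION = "adversaries"  # may be defined by required fields (name)
ID_ONLY_RELATIONS = (               # must already exist; referenced by id
    "attachments", "attack_pattern", "campaign", "course_of_action", "events",
    "exploit_target", "identity", "incident", "indicators", "intrusion_set",
    "malware", "report", "signatures", "tool", "ttp", "vulnerability",
)

PAGE_REQUEST = [
    {"name": "Deadeye Jackal", "tlp": {"name": "WHITE"},
     "adversaries": [{"name": "Keyhole Panda"}]},
    {"name": "Numbered Panda", "tlp_id": 3,
     "indicators": [{"id": 3}, {"id": 4}]},
    {"name": "Boulder Bear", "tags": [{"name": "Internal"}]},
]
PAGE_RESPONSE = {"total": 4, "data": [
    {"name": "Deadeye Jackal", "id": 187}, {"name": "Numbered Panda", "id": 188},
    {"name": "Boulder Bear", "id": 189}, {"name": "Keyhole Panda", "id": 190},
]}


def preflight(objects):
    """Return (index, problem) pairs for objects that break the stated rules."""
    problems = []
    for i, obj in enumerate(objects):
        if not obj.get("name"):
            problems.append((i, "name is required"))
        tlp = obj.get("tlp")
        if "tlp" in obj and not (isinstance(tlp, dict) and tlp.get("name")):
            problems.append((i, "tlp must be an object with a name field"))
        for j, rel in enumerate(obj.get(SAME_TYPE_RELATION, [])):
            if not (rel.get("name") or rel.get("id")):
                problems.append((i, f"{SAME_TYPE_RELATION}[{j}] needs a name or id"))
        for key in ID_ONLY_RELATIONS:
            for j, rel in enumerate(obj.get(key, [])):
                if not isinstance(rel.get("id"), int):
                    problems.append((i, f"{key}[{j}] must reference an existing id"))
    return problems


def expected_names(objects):
    """Names the response should contain: each object plus related adversaries."""
    names = []
    for obj in objects:
        candidates = [obj.get("name")]
        candidates += [r.get("name") for r in obj.get(SAME_TYPE_RELATION, [])]
        for name in candidates:
            if name and name not in names:
                names.append(name)
    return names


def reconcile(objects, response):
    """Map returned names to ids and list submitted names that got no id back."""
    returned = {row["name"]: row.get("id")
                for row in response.get("data", []) if "name" in row}
    missing = [n for n in expected_names(objects) if returned.get(n) is None]
    return returned, missing


if __name__ == "__main__":
    print(preflight(PAGE_REQUEST))
    print(reconcile(PAGE_REQUEST, PAGE_RESPONSE))
```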

Adversary Watchlist Bulk

Get List
GET /adversaries/watchlist

Get all Adversaries in a user’s Watchlist. Only users with administrator privileges can see Watchlists for all users.

Example URI

GET /adversaries/watchlist
Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 3,
  "data": [
    {
      "id": 1,
      "user_id": 1,
      "object_type": "adversary",
      "object_id": 1,
      "created_at": "2017-03-03 15:52:39",
      "updated_at": "2017-03-03 15:52:39",
      "adversary": {
        "id": 1,
        "name": "Advanced Pawn",
        "created_at": "2017-01-26 19:20:42",
        "updated_at": "2017-01-26 19:20:42",
        "touched_at": "2017-03-03 14:20:55"
      }
    },
    {
      "id": 2,
      "user_id": 1,
      "object_type": "adversary",
      "object_id": 2,
      "created_at": "2017-03-03 15:52:48",
      "updated_at": "2017-03-03 15:52:48",
      "adversary": {
        "id": 2,
        "name": "AMOROUS PANDA",
        "created_at": "2016-12-06 14:17:52",
        "updated_at": "2016-12-06 14:17:52",
        "touched_at": "2017-03-03 14:20:55"
      }
    },
    {
      "id": 3,
      "user_id": 1,
      "object_type": "adversary",
      "object_id": 16,
      "created_at": "2017-03-03 15:53:10",
      "updated_at": "2017-03-03 15:53:10",
      "adversary": {
        "id": 16,
        "name": "BOULDER BEAR",
        "created_at": "2016-12-15 01:18:20",
        "updated_at": "2016-12-15 01:18:20",
        "touched_at": "2017-03-03 14:20:55"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /adversaries/watchlist

Bulk add Adversaries to the user’s Watchlist.

Example URI

POST /adversaries/watchlist
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "object_ids": [
    5,
    6,
    7
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "object_type": "adversary",
      "user_id": 1,
      "object_id": "5",
      "updated_at": "2017-03-03 15:56:58",
      "created_at": "2017-03-03 15:56:58",
      "id": 4
    },
    {
      "object_type": "adversary",
      "user_id": 1,
      "object_id": "6",
      "updated_at": "2017-03-03 15:56:58",
      "created_at": "2017-03-03 15:56:58",
      "id": 5
    },
    {
      "object_type": "adversary",
      "user_id": 1,
      "object_id": "7",
      "updated_at": "2017-03-03 15:56:58",
      "created_at": "2017-03-03 15:56:58",
      "id": 6
    }
  ]
}
Response  401

Access denied.

Adversary

Get Single
GET /adversaries/{adversary_id}{?with}

Get a single Adversary.

Example URI

GET /adversaries/1?with=adversaries,attachments
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

with
string (optional) Example: adversaries,attachments

A comma-separated list of related objects to include in the response. Options for this endpoint: adversaries, attachments, attributes, comments, description, events, indicators, plugins, pluginActions, signatures, sources, tags, valueWeight, watchlist.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "name": "BOOMER",
    "created_at": "2017-06-30 23:16:32",
    "updated_at": "2017-06-30 23:16:32",
    "touched_at": "2017-06-30 23:16:33",
    "adversaries": [
      {
        "id": 1,
        "name": "Advanced Pawn",
        "created_at": "2017-04-16 05:49:49",
        "updated_at": "2017-04-16 05:49:49",
        "touched_at": "2017-06-30 23:16:33",
        "pivot": {
          "id": 62020,
          "created_at": "2017-06-30 23:16:33",
          "updated_at": "2017-06-30 23:16:33"
        }
      }
    ],
    "attachments": [
      {
        "id": 1,
        "type_id": 1,
        "title": "Crazy File",
        "name": "crazy-file.exe",
        "hash": "f5f39c6886a66686af0950014dffe968",
        "content_type_id": 1,
        "file_size": 234235236,
        "malware_locked": 1,
        "description": null,
        "created_at": "2017-06-30 22:06:29",
        "updated_at": "2017-06-30 22:06:29",
        "touched_at": "2017-06-30 23:16:33",
        "pivot": {
          "id": 62021,
          "created_at": "2017-06-30 23:16:33",
          "updated_at": "2017-06-30 23:16:33"
        }
      }
    ],
    "attributes": [
      {
        "id": 3,
        "adversary_id": 189,
        "attribute_id": 1,
        "value": "Attribute Value",
        "created_at": "2017-06-30 23:16:33",
        "updated_at": "2017-06-30 23:16:33",
        "name": "My Attribute",
        "attribute": {
          "id": 1,
          "name": "My Attribute",
          "created_at": "2017-06-25 22:06:29",
          "updated_at": "2017-06-12 22:06:29"
        }
      }
    ],
    "comments": [
      {
        "id": 56,
        "adversary_id": 1,
        "value": "A random comment appeared.",
        "creator_source_id": 8,
        "created_at": "2017-06-30 23:16:33",
        "updated_at": "2017-06-30 23:16:33"
      }
    ],
    "description": {
      "id": 3,
      "adversary_id": 1,
      "value_id": 3,
      "created_at": "-0001-11-30 00:00:00"
    },
    "events": [
      {
        "id": 1,
        "type_id": 1,
        "title": "Subject - Hatter were having.",
        "description": "",
        "happened_at": "2017-03-19 03:55:15",
        "hash": "c7591a75b6059c9d27e48113f372687b",
        "created_at": "2017-03-19 03:55:15",
        "updated_at": "2017-03-19 03:55:15",
        "touched_at": "2017-06-30 23:16:33",
        "pivot": {
          "id": 62022,
          "created_at": "2017-06-30 23:16:33",
          "updated_at": "2017-06-30 23:16:33"
        }
      }
    ],
    "indicators": [
      {
        "id": 1,
        "type_id": 1,
        "status_id": 5,
        "class": "network",
        "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
        "value": "37.139.40.0/21",
        "description": null,
        "last_detected_at": "1976-02-14 17:27:49",
        "expires_at": null,
        "expired_at": null,
        "expires_calculated_at": null,
        "created_at": "2017-06-30 22:55:30",
        "updated_at": "2017-06-30 22:55:30",
        "touched_at": "2017-06-30 23:16:33",
        "pivot": {
          "id": 62023,
          "created_at": "2017-06-30 23:16:33",
          "updated_at": "2017-06-30 23:16:33"
        }
      }
    ],
    "plugins": [
      {
        "id": 6,
        "name": "adversary_plugin",
        "friendly_name": "Adversary Plugin",
        "description": "Adversary Plugin",
        "package_name": "plugin",
        "version": "1.0.0",
        "required_threatq_version": "3.0.0",
        "author": "dredd",
        "logo_path": "a/b/c/d",
        "enabled": 0,
        "disable_proxy": 1,
        "created_at": "2017-06-30 23:16:33",
        "updated_at": "2017-06-30 23:16:33",
        "deleted_at": null,
        "object_type_id": 189
      }
    ],
    "plugin_actions": [
      {
        "id": 9,
        "plugin_id": 6,
        "name": "action1",
        "description": "Action 1",
        "logo_path": "a/b/c/d",
        "created_at": "2017-06-30 23:16:33",
        "updated_at": "2017-06-30 23:16:33",
        "object_type_id": 189
      }
    ],
    "signatures": [
      {
        "id": 1,
        "name": "ET EXPLOIT Arkeia full remote access without password or authentication (2001742:9)",
        "description": "",
        "hash": "737309fe355ef23e1c03a5e98bc364b5",
        "value": "alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:\"ET EXPLOIT Arkeia full remote access without password or authentication\"; flow:to_server,established; content:\"|464F3A20596F75206861766520737563|\"; content:\"|6520636C69656E7420696E666F726D61|\"; reference:url,metasploit.com/research/vulns/arkeia_agent; reference:url,doc.emergingthreats.net/bin/view/Main/2001742; classtype:attempted-admin; sid:2001742; rev:9;)",
        "status_id": 5,
        "type_id": 1,
        "last_detected_at": null,
        "created_at": "2017-06-30 22:56:56",
        "updated_at": "2017-06-30 22:56:56",
        "touched_at": "2017-06-30 23:16:33",
        "pivot": {
          "id": 62024,
          "created_at": "2017-06-30 23:16:33",
          "updated_at": "2017-06-30 23:16:33"
        }
      }
    ],
    "sources": [
      {
        "id": 8,
        "type": "users",
        "name": "Source 1",
        "tlp_id": null,
        "created_at": "2017-06-30 23:16:32",
        "updated_at": "2017-06-30 23:16:32",
        "published_at": null,
        "pivot": {
          "adversary_id": 1,
          "source_id": 8,
          "id": 356,
          "creator_source_id": 8
        }
      }
    ],
    "tags": [
      {
        "id": 3,
        "name": "What a Tag",
        "pivot": {
          "object_id": 1,
          "tag_id": 3,
          "created_at": "2017-06-30 23:16:33",
          "updated_at": "2017-06-30 23:16:33"
        }
      }
    ],
    "value_weight": {
      "id": 3,
      "object_type": "adversary",
      "object_id": 1,
      "score": 2,
      "created_at": "2017-06-30 23:16:33",
      "updated_at": "2017-06-30 23:16:33"
    },
    "watchlist": [
      {
        "id": 3,
        "user_id": 1,
        "object_type": "adversary",
        "object_id": 1,
        "created_at": "2017-06-30 23:16:33",
        "updated_at": "2017-06-30 23:16:33"
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /adversaries/{adversary_id}{?with}

Update an Adversary.

Example URI

PUT /adversaries/1?with=adversaries,attachments
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

with
string (optional) Example: adversaries,attachments

A comma-separated list of related objects to include in the response. Options for this endpoint: adversaries, attachments, attributes, comments, description, events, indicators, plugins, pluginActions, signatures, sources, tags, valueWeight, watchlist.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "New Adversary Name",
  "sources": [
    {
      "name": "Adversary source22",
      "tlp": {
        "name": "GREEN"
      }
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 1,
    "name": "New Adversary Name",
    "created_at": "2017-06-30 23:16:32",
    "updated_at": "2017-06-30 23:16:32",
    "touched_at": "2017-06-30 23:16:33",
    "adversaries": [
      {
        "id": 1,
        "name": "Advanced Pawn",
        "created_at": "2017-04-16 05:49:49",
        "updated_at": "2017-04-16 05:49:49",
        "touched_at": "2017-06-30 23:16:33",
        "pivot": {
          "id": 62020,
          "created_at": "2017-06-30 23:16:33",
          "updated_at": "2017-06-30 23:16:33"
        }
      }
    ],
    "attachments": [
      {
        "id": 1,
        "type_id": 1,
        "title": "Crazy File",
        "name": "crazy-file.exe",
        "hash": "f5f39c6886a66686af0950014dffe968",
        "content_type_id": 1,
        "file_size": 234235236,
        "malware_locked": 1,
        "description": null,
        "created_at": "2017-06-30 22:06:29",
        "updated_at": "2017-06-30 22:06:29",
        "touched_at": "2017-06-30 23:16:33",
        "pivot": {
          "id": 62021,
          "created_at": "2017-06-30 23:16:33",
          "updated_at": "2017-06-30 23:16:33"
        }
      }
    ],
    "attributes": [
      {
        "id": 3,
        "adversary_id": 189,
        "attribute_id": 1,
        "value": "Attribute Value",
        "created_at": "2017-06-30 23:16:33",
        "updated_at": "2017-06-30 23:16:33",
        "name": "My Attribute",
        "attribute": {
          "id": 1,
          "name": "My Attribute",
          "created_at": "2017-06-25 22:06:29",
          "updated_at": "2017-06-12 22:06:29"
        }
      }
    ],
    "comments": [
      {
        "id": 56,
        "adversary_id": 1,
        "value": "A random comment appeared.",
        "creator_source_id": 8,
        "created_at": "2017-06-30 23:16:33",
        "updated_at": "2017-06-30 23:16:33"
      }
    ],
    "description": {
      "id": 3,
      "adversary_id": 1,
      "value_id": 3,
      "created_at": "-0001-11-30 00:00:00"
    },
    "events": [
      {
        "id": 1,
        "type_id": 1,
        "title": "Subject - Hatter were having.",
        "description": "",
        "happened_at": "2017-03-19 03:55:15",
        "hash": "c7591a75b6059c9d27e48113f372687b",
        "created_at": "2017-03-19 03:55:15",
        "updated_at": "2017-03-19 03:55:15",
        "touched_at": "2017-06-30 23:16:33",
        "pivot": {
          "id": 62022,
          "created_at": "2017-06-30 23:16:33",
          "updated_at": "2017-06-30 23:16:33"
        }
      }
    ],
    "indicators": [
      {
        "id": 1,
        "type_id": 1,
        "status_id": 5,
        "class": "network",
        "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
        "value": "37.139.40.0/21",
        "description": null,
        "last_detected_at": "1976-02-14 17:27:49",
        "expires_at": null,
        "expired_at": null,
        "expires_calculated_at": null,
        "created_at": "2017-06-30 22:55:30",
        "updated_at": "2017-06-30 22:55:30",
        "touched_at": "2017-06-30 23:16:33",
        "pivot": {
          "id": 62023,
          "created_at": "2017-06-30 23:16:33",
          "updated_at": "2017-06-30 23:16:33"
        }
      }
    ],
    "plugins": [
      {
        "id": 6,
        "name": "adversary_plugin",
        "friendly_name": "Adversary Plugin",
        "description": "Adversary Plugin",
        "package_name": "plugin",
        "version": "1.0.0",
        "required_threatq_version": "3.0.0",
        "author": "dredd",
        "logo_path": "a/b/c/d",
        "enabled": 0,
        "disable_proxy": 1,
        "created_at": "2017-06-30 23:16:33",
        "updated_at": "2017-06-30 23:16:33",
        "deleted_at": null,
        "object_type_id": 189
      }
    ],
    "plugin_actions": [
      {
        "id": 9,
        "plugin_id": 6,
        "name": "action1",
        "description": "Action 1",
        "logo_path": "a/b/c/d",
        "created_at": "2017-06-30 23:16:33",
        "updated_at": "2017-06-30 23:16:33",
        "object_type_id": 189
      }
    ],
    "signatures": [
      {
        "id": 1,
        "name": "ET EXPLOIT Arkeia full remote access without password or authentication (2001742:9)",
        "description": "",
        "hash": "737309fe355ef23e1c03a5e98bc364b5",
        "value": "alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:\"ET EXPLOIT Arkeia full remote access without password or authentication\"; flow:to_server,established; content:\"|464F3A20596F75206861766520737563|\"; content:\"|6520636C69656E7420696E666F726D61|\"; reference:url,metasploit.com/research/vulns/arkeia_agent; reference:url,doc.emergingthreats.net/bin/view/Main/2001742; classtype:attempted-admin; sid:2001742; rev:9;)",
        "status_id": 5,
        "type_id": 1,
        "last_detected_at": null,
        "created_at": "2017-06-30 22:56:56",
        "updated_at": "2017-06-30 22:56:56",
        "touched_at": "2017-06-30 23:16:33",
        "pivot": {
          "id": 62024,
          "created_at": "2017-06-30 23:16:33",
          "updated_at": "2017-06-30 23:16:33"
        }
      }
    ],
    "sources": [
      {
        "id": 8,
        "type": "users",
        "name": "Source 1",
        "tlp_id": null,
        "created_at": "2017-06-30 23:16:32",
        "updated_at": "2017-06-30 23:16:32",
        "published_at": null,
        "pivot": {
          "adversary_id": 1,
          "source_id": 8,
          "id": 356,
          "creator_source_id": 8
        }
      }
    ],
    "tags": [
      {
        "id": 3,
        "name": "What a Tag",
        "pivot": {
          "object_id": 1,
          "tag_id": 3,
          "created_at": "2017-06-30 23:16:33",
          "updated_at": "2017-06-30 23:16:33"
        }
      }
    ],
    "value_weight": {
      "id": 3,
      "object_type": "adversary",
      "object_id": 1,
      "score": 2,
      "created_at": "2017-06-30 23:16:33",
      "updated_at": "2017-06-30 23:16:33"
    },
    "watchlist": [
      {
        "id": 3,
        "user_id": 1,
        "object_type": "adversary",
        "object_id": 1,
        "created_at": "2017-06-30 23:16:33",
        "updated_at": "2017-06-30 23:16:33"
      }
    ]
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 243,
    "name": "ANDROMEDA SPIDER",
    "created_at": "2017-03-01 16:12:18",
    "updated_at": "2017-03-01 16:32:55",
    "touched_at": "2017-03-01 16:12:19",
    "errors": {
      "name": [
        "The name has already been taken."
      ]
    },
    "attributes": [],
    "events": [],
    "indicators": [],
    "sources": [
      {
        "id": 85,
        "type": "other_sources",
        "name": "Adversary Source",
        "tlp_id": null,
        "created_at": "2017-03-01 16:12:19",
        "updated_at": "2017-03-01 16:12:19",
        "published_at": null,
        "pivot": {
          "adversary_id": 243,
          "source_id": 85,
          "id": 419,
          "creator_source_id": 5
        }
      }
    ],
    "comments": [],
    "signatures": []
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /adversaries/{adversary_id}

Delete an Adversary.

Example URI

DELETE /adversaries/1
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Adversary Adversaries List

Get List
GET /adversaries/{adversary_id}/adversaries{?limit,offset,sort,with}

Get a list of Adversary Adversary links.

Example URI

GET /adversaries/1/adversaries?limit=500&offset=100&sort=id&with=sources,pivot.attributes
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 2,
      "name": "AMOROUS PANDA",
      "created_at": "2018-03-24 03:49:31",
      "updated_at": "2018-03-24 03:49:31",
      "touched_at": "2018-04-02 16:16:38",
      "deleted_at": null,
      "sources": [
        {
          "name": "Customer Observer"
        }
      ],
      "pivot": {
        "id": 62324,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "adversary",
        "dest_object_id": 2,
        "created_at": "2018-04-02 16:16:38",
        "updated_at": "2018-04-02 16:16:38",
        "comments": [
          {
            "id": 54,
            "type": "users",
            "value": "This link is important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-02 16:19:51.184000",
            "updated_at": "2018-04-02 16:23:40.426000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 15066,
            "name": "Industry",
            "value": "Hospitals",
            "sources": [
              {
                "id": 2,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "2018-04-02 16:17:00.689000",
                  "updated_at": "2018-04-02 16:17:00.689000"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24424,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-02 16:16:38.663000",
              "updated_at": "2018-04-02 16:16:38.663000"
            }
          }
        ]
      }
    },
    {
      "id": 3,
      "name": "ANCHOR PANDA",
      "created_at": "2018-01-08 23:05:37",
      "updated_at": "2018-01-08 23:05:37",
      "touched_at": "2018-04-02 16:17:00",
      "deleted_at": null,
      "sources": [
        {
          "name": "ThreatQ Front End"
        },
        {
          "name": "Domain Tools"
        }
      ],
      "pivot": {
        "id": 62325,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "adversary",
        "dest_object_id": 3,
        "created_at": "2018-04-02 16:17:00",
        "updated_at": "2018-04-02 16:17:00",
        "comments": [
          {
            "id": 56,
            "type": "users",
            "value": "This link is also important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-02 16:20:25.327000",
            "updated_at": "2018-04-02 16:20:25.327000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 15065,
            "name": "Industry",
            "value": "Universities",
            "sources": [
              {
                "id": 1,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "2018-04-02 16:17:00.689000",
                  "updated_at": "2018-04-02 16:17:00.689000"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24426,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-02 16:17:00.689000",
              "updated_at": "2018-04-02 16:17:00.689000"
            }
          }
        ]
      }
    }
  ],
  "limit": 100,
  "offset": 0
}
Response  401

Access denied.
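
The following Python sketch is an added example, not part of the ThreatQ reference: it builds the Get List URI from the documented limit, offset, sort and with parameters, rejects with values the reference does not list for this endpoint, and walks the collection page by page with a hard page cap. The function names, the injected fetch callable and the fake transport are hypothetical, and it assumes offset is a zero-based record index and total counts all matching records.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# "with" options the reference lists for GET /adversaries/{adversary_id}/adversaries.
LINK_WITH_OPTIONS = frozenset({
    "pivot.comments", "pivot.comments.sources", "pivot.attributes",
    "pivot.attributes.attribute", "pivot.attributes.sources",
    "pivot.sources", "sources",
})


def build_link_list_uri(adversary_id, limit=100, offset=0, sort=None, with_=()):
    """Return the relative URI for one page of Adversary Adversary links."""
    if isinstance(adversary_id, bool) or not isinstance(adversary_id, int) or adversary_id < 1:
        raise ValueError("adversary_id must be a positive integer")
    if limit < 1 or offset < 0:
        raise ValueError("limit must be >= 1 and offset must be >= 0")
    unknown = set(with_) - LINK_WITH_OPTIONS
    if unknown:
        raise ValueError(f"unsupported 'with' values: {sorted(unknown)}")
    params = {"limit": limit, "offset": offset}
    if sort:
        params["sort"] = sort
    if with_:
        params["with"] = ",".join(with_)
    # Keep commas literal so the result matches the reference's example URI.
    return f"/adversaries/{adversary_id}/adversaries?" + urlencode(params, safe=",")


def iter_links(fetch, adversary_id, page_size=100, max_pages=1000, **query):
    """Yield every linked object, requesting pages until the collection ends.

    fetch is a hypothetical callable that takes the relative URI, sends it with
    the Authorization: Bearer header, and returns the decoded JSON body.
    """
    offset = 0
    for _ in range(max_pages):
        page = fetch(build_link_list_uri(adversary_id, limit=page_size,
                                         offset=offset, **query))
        items = page.get("data")
        if not isinstance(items, list):
            raise ValueError("collection response must carry a list in 'data'")
        yield from items
        offset += len(items)
        total = page.get("total")
        if len(items) < page_size or (isinstance(total, int) and offset >= total):
            return
    # Stop instead of looping forever if the server never reports the end.
    raise RuntimeError("page cap reached before the collection was exhausted")


def make_fake_fetch(records):
    """Constructed in-memory transport so the example runs offline."""
    calls = []

    def fetch(uri):
        calls.append(uri)
        query = parse_qs(urlsplit(uri).query)
        limit, offset = int(query["limit"][0]), int(query["offset"][0])
        return {"total": len(records), "data": records[offset:offset + limit],
                "limit": limit, "offset": offset}

    return fetch, calls


if __name__ == "__main__":
    fetch, calls = make_fake_fetch([{"id": n} for n in range(2, 7)])
    print([link["id"] for link in iter_links(fetch, 1, page_size=2, sort="id")])
    print(calls)
```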

Create New
POST /adversaries/{adversary_id}/adversaries

Create a link from an Adversary to another Adversary.

Example URI

POST /adversaries/1/adversaries
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "id": 2
  },
  {
    "id": 3
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 2,
  "data": [
    {
      "id": 2,
      "name": "AMOROUS PANDA",
      "created_at": "2017-03-06 14:05:24",
      "updated_at": "2017-03-06 14:05:24",
      "touched_at": "2017-03-10 19:25:48",
      "pivot": {
        "id": 62141,
        "created_at": "2017-03-10 19:25:48",
        "updated_at": "2017-03-10 19:25:48"
      }
    },
    {
      "id": 3,
      "name": "ANCHOR PANDA",
      "created_at": "2016-12-27 13:45:12",
      "updated_at": "2016-12-27 13:45:12",
      "touched_at": "2017-03-10 19:25:48",
      "pivot": {
        "id": 62142,
        "created_at": "2017-03-10 19:25:48",
        "updated_at": "2017-03-10 19:25:48"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "id": [
          "The id field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.

Bulk Delete
DELETE /adversaries/{adversary_id}/adversaries

Delete multiple Adversary Adversary links. The request should include a list of object_link_ids to be deleted.

Example URI

DELETE /adversaries/1/adversaries
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  62351,
  62352
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Adversary Adversary

Get Single
GET /adversaries/{adversary_id}/adversaries/{object_link_id}{?with}

Get a single Adversary Adversary link.

Example URI

GET /adversaries/1/adversaries/2?with=sources,pivot.attributes
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "name": "Advanced Pawn",
    "created_at": "2018-01-18 22:47:52",
    "updated_at": "2018-01-18 22:47:52",
    "touched_at": "2018-04-02 16:17:00",
    "pivot": {
      "id": 62324,
      "created_at": "2018-04-02 16:16:38",
      "updated_at": "2018-04-02 16:16:38",
      "comments": [
        {
          "id": 54,
          "object_link_id": 62324,
          "value": "This link is important.",
          "creator_source_id": 8,
          "created_at": "2018-04-02 16:19:51",
          "updated_at": "2018-04-02 16:23:40",
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "expire_days": null,
              "score": null,
              "created_at": "2018-04-02 15:47:21",
              "updated_at": "2018-04-02 15:47:21",
              "pivot": {
                "id": 54,
                "creator_source_id": 8
              }
            }
          ]
        }
      ],
      "attributes": [
        {
          "id": 15066,
          "object_link_id": 62324,
          "attribute_id": 136,
          "value": "Hospitals",
          "created_at": "2018-04-02 16:25:47",
          "updated_at": "2018-04-02 16:25:47",
          "name": "Industry",
          "attribute": {
            "id": 136,
            "name": "Industry",
            "created_at": "2018-04-02 16:25:21",
            "updated_at": "2018-04-02 16:25:21"
          },
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "tlp_id": null,
              "created_at": "2018-04-02 16:17:00",
              "updated_at": "2018-04-02 16:17:00",
              "published_at": null,
              "pivot": {
                "object_link_attribute_id": 15066,
                "source_id": 8,
                "id": 2,
                "creator_source_id": 0
              }
            }
          ]
        }
      ],
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "tlp_id": null,
          "created_at": "2018-04-02 16:16:38",
          "updated_at": "2018-04-02 16:16:38",
          "published_at": null,
          "pivot": {
            "object_link_id": 62324,
            "source_id": 8,
            "id": 24424,
            "creator_source_id": 8
          }
        }
      ]
    },
    "sources": [
      {
        "id": 1,
        "type": "clients",
        "name": "ThreatQ Front End",
        "tlp_id": null,
        "created_at": "2018-02-05 12:29:56",
        "updated_at": "2018-04-02 15:49:40",
        "published_at": null,
        "pivot": {
          "adversary_id": 1,
          "source_id": 1,
          "id": 1,
          "creator_source_id": 1
        }
      },
      {
        "id": 7,
        "type": "plugins",
        "name": "VirusTotal",
        "tlp_id": null,
        "created_at": "2018-01-31 03:41:47",
        "updated_at": "2018-04-02 15:49:40",
        "published_at": null,
        "pivot": {
          "adversary_id": 1,
          "source_id": 7,
          "id": 2,
          "creator_source_id": 7
        }
      },
      {
        "id": 8,
        "type": "users",
        "name": "Threat Quotient",
        "tlp_id": null,
        "created_at": "2018-03-31 21:31:30",
        "updated_at": "2018-04-02 15:49:40",
        "published_at": null,
        "pivot": {
          "adversary_id": 1,
          "source_id": 8,
          "id": 3,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /adversaries/{adversary_id}/adversaries/{object_link_id}

Delete an Adversary Adversary link.

Example URI

DELETE /adversaries/1/adversaries/2
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Adversary Adversary Attributes List

Get List
GET /adversaries/{adversary_id}/adversaries/{object_link_id}/attributes{?limit,offset,sort}

Get a list of Adversary Adversary link Attributes.

Example URI

GET /adversaries/1/adversaries/2/attributes?limit=500&offset=100&sort=id
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 15067,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Universities",
      "created_at": "2018-04-02 17:46:43",
      "updated_at": "2018-04-02 17:50:18",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    },
    {
      "id": 15068,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Mining",
      "created_at": "2018-04-02 17:52:14",
      "updated_at": "2018-04-02 17:52:14",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /adversaries/{adversary_id}/adversaries/{object_link_id}/attributes

Create a new Adversary Adversary link Attribute.

Example URI

POST /adversaries/1/adversaries/2/attributes
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": 15059,
      "object_link_id": 61561,
      "attribute_id": 401,
      "value": "4000",
      "created_at": "2017-03-01 21:47:14",
      "updated_at": "2017-03-01 21:47:14",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.
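
The 400 bodies shown so far arrive in three shapes: an errors map inside a data object (Adversary create), an errors map inside each element of a data array (link create), and a bare top-level errors array (link attribute create). The Python sketch below is an added example, not ThreatQ code: it normalises all three into (location, message) pairs and strips non-printable characters before the server-supplied text reaches a log line. Function names, the length cap and the trimmed sample bodies are constructed for illustration.

```python
import json

MAX_MESSAGE_LEN = 200  # assumption: cap chosen for this example

# Constructed samples, trimmed from the 400 bodies shown in this reference.
ADVERSARY_400 = ('{"data": {"id": 243, "name": "ANDROMEDA SPIDER", "errors": '
                 '{"name": ["The name has already been taken."]}, "attributes": []}}')
LINK_400 = '{"data": [{"errors": {"id": ["The id field is required."]}}]}'
ATTRIBUTE_400 = '{"errors": ["Undefined index: value"]}'


def _clean(message):
    """Make a server-supplied message safe to write to a single log line."""
    text = "".join(ch if ch.isprintable() else " " for ch in str(message))
    return text[:MAX_MESSAGE_LEN]


def _collect(errors, location, out):
    """Append (location, message) pairs for one `errors` value."""
    if isinstance(errors, dict):
        # Field map: {"name": ["The name has already been taken."]}
        for field, messages in errors.items():
            if not isinstance(messages, list):
                messages = [messages]
            where = f"{location}.{field}" if location else str(field)
            out.extend((where, _clean(m)) for m in messages)
    elif isinstance(errors, list):
        # Bare list: ["Undefined index: value"]
        out.extend((location or "request", _clean(m)) for m in errors)
    elif errors is not None:
        out.append((location or "request", _clean(errors)))


def extract_errors(body):
    """Return a flat list of (location, message) tuples from a 400 body."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        # For example an HTML error page from a proxy in front of the API.
        return [("request", "response body is not JSON")]
    out = []
    if isinstance(doc, dict):
        _collect(doc.get("errors"), "", out)
        data = doc.get("data")
        if isinstance(data, dict):
            _collect(data.get("errors"), "", out)
        elif isinstance(data, list):
            for index, item in enumerate(data):
                if isinstance(item, dict):
                    _collect(item.get("errors"), f"data[{index}]", out)
    return out


if __name__ == "__main__":
    for sample in (ADVERSARY_400, LINK_400, ATTRIBUTE_400):
        print(extract_errors(sample))
```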

Adversary Adversary Attribute

Get Single
GET /adversaries/{adversary_id}/adversaries/{object_link_id}/attributes/{object_link_attribute_id}

Get a single Adversary Adversary link Attribute.

Example URI

GET /adversaries/1/adversaries/2/attributes/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 15068,
    "object_link_id": 62326,
    "attribute_id": 136,
    "value": "Mining",
    "created_at": "2018-04-02 17:52:14",
    "updated_at": "2018-04-02 17:52:14",
    "name": "Industry",
    "attribute": {
      "id": 136,
      "name": "Industry",
      "created_at": "2018-04-02 16:25:21",
      "updated_at": "2018-04-02 16:25:21"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /adversaries/{adversary_id}/adversaries/{object_link_id}/attributes/{object_link_attribute_id}

Update an Adversary Adversary link Attribute.

Example URI

PUT /adversaries/1/adversaries/2/attributes/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "id": 15058,
      "object_link_id": 61561,
      "attribute_id": 14,
      "value": "New Value",
      "created_at": "2017-01-24 14:54:31",
      "updated_at": "2017-03-01 22:13:22",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /adversaries/{adversary_id}/adversaries/{object_link_id}/attributes/{object_link_attribute_id}

Delete an Adversary Adversary link Attribute.

Example URI

DELETE /adversaries/1/adversaries/2/attributes/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Adversary Adversary Comments List

Get List
GET /adversaries/{adversary_id}/adversaries/{object_link_id}/comments{?limit,offset,sort,with}

Get a list of Adversary Adversary link Comments.

Example URI

GET /adversaries/1/adversaries/2/comments?limit=500&offset=100&sort=id&with=sources
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources

A comma-separated list of related objects to include in the response. Options for this endpoint: sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 54,
      "object_link_id": 62325,
      "value": "This has some suspicious stuff.",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:19:51",
      "updated_at": "2018-04-02 18:21:06",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 54,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 56,
      "object_link_id": 62325,
      "value": "Compile date: 10/17/2011",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:20:25",
      "updated_at": "2018-04-02 16:20:25",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /adversaries/{adversary_id}/adversaries/{object_link_id}/comments

Create a new Adversary Adversary link Comment.

Example URI

POST /adversaries/1/adversaries/2/comments
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "id": 69,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 14:12:32",
    "updated_at": "2017-03-02 14:12:32"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Adversary Adversary Comment

Get Single
GET /adversaries/{adversary_id}/adversaries/{object_link_id}/comments/{object_link_comment_id}

Get a single Adversary Adversary link Comment.

Example URI

GET /adversaries/1/adversaries/2/comments/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /adversaries/{adversary_id}/adversaries/{object_link_id}/comments/{object_link_comment_id}

Update an Adversary Adversary link Comment.

Example URI

PUT /adversaries/1/adversaries/2/comments/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "value": "This is an updated comment.",
    "id": 67,
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-02-28 20:18:50",
    "updated_at": "2017-03-02 14:37:49"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /adversaries/{adversary_id}/adversaries/{object_link_id}/comments/{object_link_comment_id}

Delete an Adversary Adversary link Comment.

Example URI

DELETE /adversaries/1/adversaries/2/comments/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Adversary Attachments List

Get List
GET /adversaries/{adversary_id}/attachments{?limit,offset,sort,with}

Get a list of Adversary Attachment links.

Example URI

GET /adversaries/1/attachments?limit=500&offset=100&sort=id&with=sources,pivot.attributes
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 2,
      "type_id": 19,
      "title": "Honeybooboo.sh",
      "name": "Honeybooboo.sh",
      "hash": "4ece432b22f92461f9c4d2de2656d3e3",
      "content_type_id": 2,
      "file_size": 75,
      "path": "6/b/d/0/d/c/1/2/e/5/d/f/a/0/4/3/e/b/4/9/6/0/9/f/a/4/7/c/4/f/1/0",
      "malware_locked": "0",
      "placeholder": 0,
      "description": null,
      "created_at": "2018-04-02 15:47:22",
      "updated_at": "2018-04-02 15:47:22",
      "touched_at": "2018-04-02 17:39:18",
      "deleted_at": null,
      "sources": [
        {
          "name": "Threat Quotient"
        }
      ],
      "pivot": {
        "id": 62326,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "attachment",
        "dest_object_id": 2,
        "created_at": "2018-04-02 17:39:18",
        "updated_at": "2018-04-02 17:39:18",
        "comments": [
          {
            "id": 57,
            "type": "users",
            "value": "This link is important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-02 17:54:58.936000",
            "updated_at": "2018-04-02 17:55:15.039000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 15067,
            "name": "Industry",
            "value": "Universities",
            "sources": [
              {
                "id": 3,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "2018-04-02 16:17:00.689000",
                  "updated_at": "2018-04-02 16:17:00.689000"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24428,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-02 17:39:18.781000",
              "updated_at": "2018-04-02 17:39:18.781000"
            }
          }
        ]
      }
    },
    {
      "id": 1,
      "type_id": 10,
      "title": "parsing-sample.pdf",
      "name": "parsing-sample.pdf",
      "hash": "89e17b2f6cd3888864237b0ee10048f0",
      "content_type_id": 1,
      "file_size": 11300,
      "path": "e/a/f/d/d/7/1/e/5/c/e/1/1/9/b/0/5/6/4/a/6/d/5/9/a/2/3/5/3/1/0/4",
      "malware_locked": "0",
      "placeholder": 0,
      "description": null,
      "created_at": "2018-04-02 15:47:22",
      "updated_at": "2018-04-02 15:47:22",
      "touched_at": "2018-04-02 17:40:48",
      "deleted_at": null,
      "sources": [
        {
          "name": "Threat Quotient"
        }
      ],
      "pivot": {
        "id": 62327,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "attachment",
        "dest_object_id": 1,
        "created_at": "2018-04-02 17:40:48",
        "updated_at": "2018-04-02 17:40:48",
        "comments": [
          {
            "id": 58,
            "type": "users",
            "value": "This link is also important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-02 17:55:30.995000",
            "updated_at": "2018-04-02 17:55:30.995000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 15068,
            "name": "Industry",
            "value": "Mining",
            "sources": [
              {
                "id": 4,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "2018-04-02 16:17:00.689000",
                  "updated_at": "2018-04-02 16:17:00.689000"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24430,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-02 17:40:48.310000",
              "updated_at": "2018-04-02 17:40:48.310000"
            }
          }
        ]
      }
    }
  ],
  "limit": 100,
  "offset": 0
}
Response  401

Access denied.

Create New
POST /adversaries/{adversary_id}/attachments

Create a link from an Attachment to an Adversary.

Example URI

POST /adversaries/1/attachments
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "id": 2
  },
  {
    "id": 3
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 3,
      "type_id": 3,
      "title": "EXE like script",
      "name": "Honeybooboo.sh",
      "hash": "51774564f8d78fbddbfa22e1e7459af4",
      "content_type_id": 1,
      "file_size": 234234,
      "malware_locked": 1,
      "description": null,
      "created_at": "2017-02-23 20:02:18",
      "updated_at": "2017-02-23 20:02:18",
      "touched_at": "2017-03-01 16:51:15",
      "pivot": {
        "id": 62394,
        "created_at": "2017-03-01 16:51:15",
        "updated_at": "2017-03-01 16:51:15"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "id": [
          "The id field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.

Bulk Delete
DELETE /adversaries/{adversary_id}/attachments

Delete multiple Adversary Attachment links. The request should include a list of object_link_ids to be deleted.

Example URI

DELETE /adversaries/1/attachments
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  62351,
  62352
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.
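
The list and Bulk Delete endpoints above use different identifiers: the list returns attachment objects, while Bulk Delete expects object_link_ids. The Python sketch below is an added example, not part of the ThreatQ reference or ThreatQuotient's code; it builds the list request, pulls the link IDs out of a response and builds the delete request. Assumptions: the function names are hypothetical, pivot.id is taken to be the object_link_id (in this page's samples the link comments carry object_link_id 62326, equal to pivot.id), and total is read as the count of all matching records.

```python
import json
import re
from urllib.parse import urlencode

# `with` options this page lists for the adversary attachments endpoints.
ATTACHMENT_WITH = {
    "pivot.comments", "pivot.comments.sources", "pivot.attributes",
    "pivot.attributes.attribute", "pivot.attributes.sources",
    "pivot.sources", "sources",
}
SORT_FIELD = re.compile(r"-?[A-Za-z_][A-Za-z0-9_.]*")

# Constructed sample: the 200 list response above, trimmed to the fields used.
SAMPLE_PAGE = json.loads("""
{"total": 2, "limit": 100, "offset": 0, "data": [
  {"id": 2, "name": "Honeybooboo.sh",
   "pivot": {"id": 62326, "src_type": "adversary", "src_object_id": 1,
             "dest_type": "attachment", "dest_object_id": 2}},
  {"id": 1, "name": "parsing-sample.pdf",
   "pivot": {"id": 62327, "src_type": "adversary", "src_object_id": 1,
             "dest_type": "attachment", "dest_object_id": 1}}
]}
""")


def _nonneg_int(value, label):
    # bool is a subclass of int, so reject it explicitly.
    if isinstance(value, bool) or not isinstance(value, int) or value < 0:
        raise ValueError(f"{label} must be a non-negative integer")
    return value


def list_path(adversary_id, limit=None, offset=None, sort=None, with_=None):
    """Path and query string, relative to the base URI, for the list request."""
    params = {}
    if limit is not None:
        params["limit"] = _nonneg_int(limit, "limit")
    if offset is not None:
        params["offset"] = _nonneg_int(offset, "offset")
    if sort:
        bad = [f for f in sort if not SORT_FIELD.fullmatch(f)]
        if bad:
            raise ValueError(f"invalid sort field(s): {bad}")
        params["sort"] = ",".join(sort)
    if with_:
        unknown = [w for w in with_ if w not in ATTACHMENT_WITH]
        if unknown:
            raise ValueError(f"unsupported with option(s): {unknown}")
        params["with"] = ",".join(with_)
    path = f"/adversaries/{_nonneg_int(adversary_id, 'adversary_id')}/attachments"
    return path + ("?" + urlencode(params, safe=",") if params else "")


def link_ids(response, adversary_id, names=None):
    """object_link_ids (pivot.id) of the attachments linked to this adversary."""
    ids = []
    for item in response.get("data", []):
        pivot = item.get("pivot") or {}
        if (pivot.get("src_type") != "adversary"
                or pivot.get("src_object_id") != adversary_id):
            continue  # link belongs to another object: never delete it from here
        if names is not None and item.get("name") not in names:
            continue
        ids.append(_nonneg_int(pivot.get("id"), "pivot.id"))
    return ids


def next_offset(response):
    """Offset of the next page, or None when this page is the last one."""
    seen = response["offset"] + len(response["data"])
    return seen if response["data"] and seen < response["total"] else None


def bulk_delete_request(adversary_id, object_link_ids, access_token):
    """Method, path, headers and JSON body for the Bulk Delete request."""
    ids = sorted({_nonneg_int(i, "object_link_id") for i in object_link_ids})
    if not ids:
        raise ValueError("nothing to delete")
    return {
        "method": "DELETE",
        "path": f"/adversaries/{_nonneg_int(adversary_id, 'adversary_id')}/attachments",
        "headers": {"Content-Type": "application/json",
                    "Authorization": f"Bearer {access_token}"},
        "body": json.dumps(ids),
    }


if __name__ == "__main__":
    print(list_path(1, 500, 100, ["id"], ["sources", "pivot.attributes"]))
    request = bulk_delete_request(1, link_ids(SAMPLE_PAGE, 1), "<access_token>")
    print(request["method"], request["path"], request["body"])
```

Sending the attachment `id` (2 or 1 in the sample) instead of `pivot.id` would address a different link, so the helper reads the ID from the pivot object only.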

Adversary Attachment

Get Single
GET /adversaries/{adversary_id}/attachments/{object_link_id}{?with}

Get a single Adversary Attachment link.

Example URI

GET /adversaries/1/attachments/2?with=sources,pivot.attributes
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 2,
    "type_id": 19,
    "title": "Honeybooboo.sh",
    "name": "Honeybooboo.sh",
    "hash": "4ece432b22f92461f9c4d2de2656d3e3",
    "content_type_id": 2,
    "file_size": 75,
    "malware_locked": 0,
    "placeholder": 0,
    "description": null,
    "created_at": "2018-04-02 15:47:22",
    "updated_at": "2018-04-02 15:47:22",
    "touched_at": "2018-04-02 17:39:18",
    "pivot": {
      "id": 62326,
      "created_at": "2018-04-02 17:39:18",
      "updated_at": "2018-04-02 17:39:18",
      "comments": [
        {
          "id": 57,
          "object_link_id": 62326,
          "value": "This link is important.",
          "creator_source_id": 8,
          "created_at": "2018-04-02 17:54:58",
          "updated_at": "2018-04-02 17:55:15",
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "expire_days": null,
              "score": null,
              "created_at": "2018-04-02 15:47:21",
              "updated_at": "2018-04-02 15:47:21",
              "pivot": {
                "id": 57,
                "creator_source_id": 8
              }
            }
          ]
        }
      ],
      "attributes": [
        {
          "id": 15067,
          "object_link_id": 62326,
          "attribute_id": 136,
          "value": "Universities",
          "created_at": "2018-04-02 17:46:43",
          "updated_at": "2018-04-02 17:50:18",
          "name": "Industry",
          "attribute": {
            "id": 136,
            "name": "Industry",
            "created_at": "2018-04-02 16:25:21",
            "updated_at": "2018-04-02 16:25:21"
          },
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "tlp_id": null,
              "created_at": "2018-04-02 16:17:00",
              "updated_at": "2018-04-02 16:17:00",
              "published_at": null,
              "pivot": {
                "object_link_attribute_id": 15067,
                "source_id": 8,
                "id": 3,
                "creator_source_id": 0
              }
            }
          ]
        }
      ],
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "tlp_id": null,
          "created_at": "2018-04-02 17:39:18",
          "updated_at": "2018-04-02 17:39:18",
          "published_at": null,
          "pivot": {
            "object_link_id": 62326,
            "source_id": 8,
            "id": 24428,
            "creator_source_id": 8
          }
        }
      ]
    },
    "sources": [
      {
        "id": 8,
        "type": "users",
        "name": "Threat Quotient",
        "tlp_id": null,
        "created_at": "2018-04-02 15:47:22",
        "updated_at": "2018-04-02 15:47:22",
        "published_at": null,
        "pivot": {
          "attachment_id": 2,
          "source_id": 8,
          "id": 2,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /adversaries/{adversary_id}/attachments/{object_link_id}

Delete an Adversary Attachment link.

Example URI

DELETE /adversaries/1/attachments/2
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Adversary Attachment Attributes List

Get List
GET /adversaries/{adversary_id}/attachments/{object_link_id}/attributes{?limit,offset,sort}

Get a list of Adversary Attachment link Attributes.

Example URI

GET /adversaries/1/attachments/2/attributes?limit=500&offset=100&sort=id
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 15067,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Universities",
      "created_at": "2018-04-02 17:46:43",
      "updated_at": "2018-04-02 17:50:18",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    },
    {
      "id": 15068,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Mining",
      "created_at": "2018-04-02 17:52:14",
      "updated_at": "2018-04-02 17:52:14",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /adversaries/{adversary_id}/attachments/{object_link_id}/attributes

Create a new Adversary Attachment link Attribute.

Example URI

POST /adversaries/1/attachments/2/attributes
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": 15059,
      "object_link_id": 61561,
      "attribute_id": 401,
      "value": "4000",
      "created_at": "2017-03-01 21:47:14",
      "updated_at": "2017-03-01 21:47:14",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Adversary Attachment Attribute

Get Single
GET /adversaries/{adversary_id}/attachments/{object_link_id}/attributes/{object_link_attribute_id}

Get a single Adversary Attachment link Attribute.

Example URI

GET /adversaries/1/attachments/2/attributes/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 15068,
    "object_link_id": 62326,
    "attribute_id": 136,
    "value": "Mining",
    "created_at": "2018-04-02 17:52:14",
    "updated_at": "2018-04-02 17:52:14",
    "name": "Industry",
    "attribute": {
      "id": 136,
      "name": "Industry",
      "created_at": "2018-04-02 16:25:21",
      "updated_at": "2018-04-02 16:25:21"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /adversaries/{adversary_id}/attachments/{object_link_id}/attributes/{object_link_attribute_id}

Update an Adversary Attachment link Attribute.

Example URI

PUT /adversaries/1/attachments/2/attributes/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "id": 15058,
      "object_link_id": 61561,
      "attribute_id": 14,
      "value": "New Value",
      "created_at": "2017-01-24 14:54:31",
      "updated_at": "2017-03-01 22:13:22",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /adversaries/{adversary_id}/attachments/{object_link_id}/attributes/{object_link_attribute_id}

Delete an Adversary Attachment link Attribute.

Example URI

DELETE /adversaries/1/attachments/2/attributes/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Adversary Attachment Comments List

Get List
GET /adversaries/{adversary_id}/attachments/{object_link_id}/comments{?limit,offset,sort,with}

Get a list of Adversary Attachment link Comments.

Example URI

GET /adversaries/1/attachments/2/comments?limit=500&offset=100&sort=id&with=sources
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources

A comma-separated list of related objects to include in the response. Options for this endpoint: sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 54,
      "object_link_id": 62325,
      "value": "This has some suspicious stuff.",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:19:51",
      "updated_at": "2018-04-02 18:21:06",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 54,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 56,
      "object_link_id": 62325,
      "value": "Compile date: 10/17/2011",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:20:25",
      "updated_at": "2018-04-02 16:20:25",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /adversaries/{adversary_id}/attachments/{object_link_id}/comments

Create a new Adversary Attachment link Comment.

Example URI

POST /adversaries/1/attachments/2/comments
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "id": 69,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 14:12:32",
    "updated_at": "2017-03-02 14:12:32"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Adversary Attachment Comment

Get Single
GET /adversaries/{adversary_id}/attachments/{object_link_id}/comments/{object_link_comment_id}

Get a single Adversary Attachment link Comment.

Example URI

GET /adversaries/1/attachments/2/comments/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /adversaries/{adversary_id}/attachments/{object_link_id}/comments/{object_link_comment_id}

Update an Adversary Attachment link Comment.

Example URI

PUT /adversaries/1/attachments/2/comments/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "value": "This is an updated comment.",
    "id": 67,
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-02-28 20:18:50",
    "updated_at": "2017-03-02 14:37:49"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /adversaries/{adversary_id}/attachments/{object_link_id}/comments/{object_link_comment_id}

Delete an Adversary Attachment link Comment.

Example URI

DELETE /adversaries/1/attachments/2/comments/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Adversary Attributes List

Get List
GET /adversaries/{adversary_id}/attributes{?limit,offset,sort,with}

Get a list of Adversary Attributes.

Example URI

GET /adversaries/1/attributes?limit=500&offset=100&sort=id&with=attribute,sources
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: attribute,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: attribute, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 7,
      "adversary_id": 193,
      "attribute_id": 1,
      "value": "Adversary Attribute",
      "created_at": "2017-07-03 23:45:02",
      "updated_at": "2017-07-03 23:45:02",
      "name": "Attribute Name",
      "attribute": {
        "id": 1,
        "name": "Attribute Name",
        "created_at": "2017-06-22 23:06:31",
        "updated_at": "2017-06-25 23:06:31"
      },
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "tlp_id": 0,
          "created_at": "2017-07-03 23:45:02",
          "updated_at": "2017-07-03 23:45:02",
          "published_at": null,
          "pivot": {
            "adversary_attribute_id": 7,
            "source_id": 8,
            "id": 13,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 9,
      "adversary_id": 108,
      "attribute_id": 3,
      "value": "Another Attribute",
      "created_at": "2017-07-03 23:45:02",
      "updated_at": "2017-07-03 23:45:02",
      "name": "Attribute Name",
      "attribute": {
        "id": 3,
        "name": "Attribute Name",
        "created_at": "2017-06-22 23:06:31",
        "updated_at": "2017-06-25 23:06:31"
      },
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "tlp_id": 0,
          "created_at": "2017-07-03 23:45:02",
          "updated_at": "2017-07-03 23:45:02",
          "published_at": null,
          "pivot": {
            "adversary_attribute_id": 9,
            "source_id": 8,
            "id": 13,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /adversaries/{adversary_id}/attributes

Create a new Adversary Attribute.

Example URI

POST /adversaries/1/attributes
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "value": "Test Value",
      "adversary_id": 1,
      "updated_at": "2017-03-01 19:24:48",
      "created_at": "2017-03-01 19:24:48",
      "id": 12,
      "name": "Test Attribute",
      "attribute": {
        "name": "Test Attribute"
      },
      "sources": [
        {
          "id": 86,
          "type": "other_sources",
          "name": "AdversarySource",
          "tlp_id": 1,
          "created_at": "2017-03-01 19:24:48",
          "updated_at": "2017-03-01 19:24:48",
          "published_at": "2017-02-28 00:00:00",
          "pivot": {
            "adversary_attribute_id": 12,
            "source_id": 86,
            "id": 12,
            "creator_source_id": 5
          }
        }
      ]
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "adversary_id": "1",
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Adversary Attribute

Get Single
GET /adversaries/{adversary_id}/attributes/{adversary_attribute_id}{?with}

Get a single Adversary Attribute.

Example URI

GET /adversaries/1/attributes/2?with=attribute,sources
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

adversary_attribute_id
integer (required) Example: 2

Adversary Attribute ID

with
string (optional) Example: attribute,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: attribute, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 7,
    "adversary_id": 193,
    "attribute_id": 1,
    "value": "Adversary Attribute",
    "created_at": "2017-07-03 23:45:02",
    "updated_at": "2017-07-03 23:45:02",
    "name": "Attribute Name",
    "attribute": {
      "id": 1,
      "name": "Attribute Name",
      "created_at": "2017-06-22 23:06:31",
      "updated_at": "2017-06-25 23:06:31"
    },
    "sources": [
      {
        "id": 8,
        "type": "users",
        "name": "Threat Quotient",
        "tlp_id": 0,
        "created_at": "2017-07-03 23:45:02",
        "updated_at": "2017-07-03 23:45:02",
        "published_at": null,
        "pivot": {
          "adversary_attribute_id": 7,
          "source_id": 8,
          "id": 13,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /adversaries/{adversary_id}/attributes/{adversary_attribute_id}{?with}

Update an Adversary Attribute.

Example URI

PUT /adversaries/1/attributes/2?with=attribute,sources
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

adversary_attribute_id
integer (required) Example: 2

Adversary Attribute ID

with
string (optional) Example: attribute,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: attribute, sources.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 7,
    "adversary_id": 193,
    "attribute_id": 1,
    "value": "New Value",
    "created_at": "2017-07-03 23:45:02",
    "updated_at": "2017-07-03 23:45:02",
    "name": "Attribute Name",
    "attribute": {
      "id": 1,
      "name": "Attribute Name",
      "created_at": "2017-06-22 23:06:31",
      "updated_at": "2017-06-25 23:06:31"
    },
    "sources": [
      {
        "id": 8,
        "type": "users",
        "name": "Threat Quotient",
        "tlp_id": 1,
        "created_at": "2017-07-03 23:45:02",
        "updated_at": "2017-07-03 23:45:02",
        "published_at": null,
        "pivot": {
          "adversary_attribute_id": 7,
          "source_id": 8,
          "id": 13,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "adversary_id": "1",
    "attribute_id": "31",
    "errors": {
      "value": [
        "The value field is required."
      ]
    },
    "name": null,
    "attribute": null
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /adversaries/{adversary_id}/attributes/{adversary_attribute_id}

Delete an Adversary Attribute.

Example URI

DELETE /adversaries/1/attributes/2
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

adversary_attribute_id
integer (required) Example: 2

Adversary Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Adversary Attribute Source

Update
PUT /adversaries/{adversary_id}/attributes/{adversary_attribute_id}/sources/{adversary_attribute_source_id}

Update an Adversary Attribute Source.

Example URI

PUT /adversaries/1/attributes/2/sources/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

adversary_attribute_id
integer (required) Example: 2

Adversary Attribute ID

adversary_attribute_source_id
integer (required) Example: 3

Adversary Attribute Source ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "adversary_attribute_id": 1,
    "source_id": 8,
    "tlp_id": 1,
    "created_at": "2018-09-20 21:22:20",
    "updated_at": "2018-09-20 21:23:46",
    "published_at": "2017-01-01 01:01:01",
    "creator_source_id": 8
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /adversaries/{adversary_id}/attributes/{adversary_attribute_id}/sources/{adversary_attribute_source_id}

Delete an Adversary Attribute Source.

Example URI

DELETE /adversaries/1/attributes/2/sources/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

adversary_attribute_id
integer (required) Example: 2

Adversary Attribute ID

adversary_attribute_source_id
integer (required) Example: 3

Adversary Attribute Source ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Adversary Comments List

Get List
GET /adversaries/{adversary_id}/comments{?limit,offset,sort,with}

Get a list of Adversary Comments.

Example URI

GET /adversaries/1/comments?limit=500&offset=100&sort=id&with=adversary,sources
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: adversary,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: adversary, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 56,
      "adversary_id": 19,
      "value": "This is a comment.",
      "creator_source_id": 8,
      "created_at": "2017-07-04 01:01:43",
      "updated_at": "2017-07-04 01:01:43",
      "adversary": {
        "id": 189,
        "name": "Adversary Name",
        "created_at": "2017-07-04 01:01:43",
        "updated_at": "2017-07-04 01:01:44",
        "touched_at": "2017-07-04 01:01:49"
      },
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2017-07-04 00:53:08",
          "updated_at": "2017-07-04 00:53:08",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 57,
      "adversary_id": 19,
      "value": "This is another comment.",
      "creator_source_id": 8,
      "created_at": "2017-07-04 01:01:43",
      "updated_at": "2017-07-04 01:01:43",
      "adversary": {
        "id": 189,
        "name": "Adversary Name",
        "created_at": "2017-07-04 01:01:43",
        "updated_at": "2017-07-04 01:01:44",
        "touched_at": "2017-07-04 01:01:49"
      },
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2017-07-04 00:53:08",
          "updated_at": "2017-07-04 00:53:08",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /adversaries/{adversary_id}/comments

Create a new Adversary Comment.

Example URI

POST /adversaries/1/comments
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 64,
    "adversary_id": 1,
    "value": "This is a comment.",
    "creator_source_id": 5,
    "created_at": "2017-03-01 19:52:17",
    "updated_at": "2017-03-01 19:52:17",
    "sources": [
      {
        "id": 5,
        "type": "users",
        "name": "Threat Quotient",
        "expire_days": null,
        "score": null,
        "created_at": "2017-02-28 20:13:18",
        "updated_at": "2017-02-28 20:13:18",
        "pivot": {
          "id": 64,
          "creator_source_id": 5
        }
      }
    ]
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "adversary_id": "1",
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Adversary Comment

Update
PUT /adversaries/{adversary_id}/comments/{adversary_comment_id}{?with}

Update an Adversary Comment.

Example URI

PUT /adversaries/1/comments/2?with=adversary,sources
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

adversary_comment_id
integer (required) Example: 2

Adversary Comment ID

with
string (optional) Example: adversary,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: adversary, sources.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 62,
    "adversary_id": 1,
    "value": "This is an updated comment.",
    "creator_source_id": 5,
    "created_at": "2017-03-01 19:46:23",
    "updated_at": "2017-03-01 20:06:04",
    "sources": [
      {
        "id": 5,
        "type": "users",
        "name": "Threat Quotient",
        "expire_days": null,
        "score": null,
        "created_at": "2017-02-28 20:13:18",
        "updated_at": "2017-02-28 20:13:18",
        "pivot": {
          "id": 62,
          "creator_source_id": 5
        }
      }
    ]
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "The current authenticated owner is not the owner of this comment."
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /adversaries/{adversary_id}/comments/{adversary_comment_id}

Delete an Adversary Comment.

Example URI

DELETE /adversaries/1/comments/2
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

adversary_comment_id
integer (required) Example: 2

Adversary Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Adversary Events List

Get List
GET /adversaries/{adversary_id}/events{?limit,offset,sort,with}

Get a list of Adversary Event links.

Example URI

GET /adversaries/1/events?limit=500&offset=100&sort=id&with=sources,pivot.attributes
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 13,
      "type_id": 1,
      "title": "Origin - http://halvorson.com/quia-reprehenderit-ullam-aut-accusantium-iusto-voluptas-omnis",
      "description": "",
      "happened_at": "2018-01-25 03:17:53",
      "hash": "0ba76d18a6e5350a8e5979b5676bc8c8",
      "created_at": "2018-01-25 03:17:53",
      "updated_at": "2018-01-25 03:17:53",
      "touched_at": "2018-04-03 15:34:22",
      "deleted_at": null,
      "sources": [
        {
          "name": "Threat Quotient"
        }
      ],
      "pivot": {
        "id": 61077,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "event",
        "dest_object_id": 13,
        "created_at": "2018-02-26 00:36:06",
        "updated_at": "2018-04-03 15:34:20",
        "comments": [
          {
            "id": 55,
            "type": "users",
            "value": "This is important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-04 14:42:46.690000",
            "updated_at": "2018-04-04 14:42:46.690000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 14948,
            "name": "Industry",
            "value": "Universities",
            "sources": [
              {
                "id": 1,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 22414,
            "name": "Threat Quotient",
            "type": "clients",
            "pivot": {
              "created_at": "2018-03-05 22:01:33",
              "updated_at": "2018-04-03 15:34:22.693000"
            }
          }
        ]
      }
    },
    {
      "id": 46,
      "type_id": 1,
      "title": "Origin - http://kling.com/voluptate-nihil-sit-est-aut",
      "description": "",
      "happened_at": "2017-12-31 23:17:05",
      "hash": "e2e96a1516420fc05ad8ac04de52bd89",
      "created_at": "2017-12-31 23:17:05",
      "updated_at": "2017-12-31 23:17:05",
      "touched_at": "2018-04-03 15:34:22",
      "deleted_at": null,
      "sources": [
        {
          "name": "Domain Tools"
        },
        {
          "name": "Emerging Threats"
        },
        {
          "name": "VirusTotal"
        }
      ],
      "pivot": {
        "id": 61144,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "event",
        "dest_object_id": 46,
        "created_at": "2018-03-01 23:54:52",
        "updated_at": "2018-04-03 15:34:20",
        "comments": [
          {
            "id": 56,
            "type": "users",
            "value": "This is also important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-04 14:43:10.692000",
            "updated_at": "2018-04-04 14:43:10.692000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 14949,
            "name": "Industry",
            "value": "Mining",
            "sources": [
              {
                "id": 2,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 22513,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-02-24 09:36:30",
              "updated_at": "2018-04-03 15:34:22.693000"
            }
          },
          {
            "id": 22514,
            "name": "Customer Observer",
            "type": "users",
            "pivot": {
              "created_at": "2018-02-25 22:27:11",
              "updated_at": "2018-04-03 15:34:22.693000"
            }
          }
        ]
      }
    }
  ],
  "limit": 100,
  "offset": 0
}
Response  401

Access denied.

Create New
POST /adversaries/{adversary_id}/events

Create a link from an Event to an Adversary.

Example URI

POST /adversaries/1/events
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "id": 2
  },
  {
    "id": 3
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 202,
      "type_id": 2,
      "title": "Origin - http://www.durgan.biz/vel-omnis-impedit-at-quod-quasi-reiciendis.html",
      "description": "",
      "happened_at": "2016-12-05 20:01:48",
      "hash": "d13e682a5d567d51b99f676b7bdef980",
      "created_at": "2016-12-05 20:01:48",
      "updated_at": "2016-12-05 20:01:48",
      "touched_at": "2017-02-28 20:14:59",
      "pivot": {
        "id": 62396,
        "created_at": "2017-03-01 20:55:10",
        "updated_at": "2017-03-01 20:55:10"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "id": [
          "The id field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.
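
The 400 bodies documented so far come in three shapes: field errors under data.errors, a flat top-level errors list, and (for array requests) one errors object per element of data. A client-side normalizer for those shapes follows as an added example, not ThreatQuotient code; the function name and tuple layout are assumptions, and the sample bodies are copied from the 400 examples on this page.

```python
import json


def validation_messages(body):
    """Flatten a 400 response body into (item_index, field, message) tuples.

    item_index is the position inside a "data" array, or None when the
    body describes a single object. field is None when the API returned
    a bare message with no field name attached.
    """
    if isinstance(body, (str, bytes)):
        body = json.loads(body)
    found = []

    def collect(errors, index):
        # "errors" is either {field: [messages]} or a plain list of messages.
        if isinstance(errors, dict):
            for field, messages in errors.items():
                if isinstance(messages, str):
                    messages = [messages]
                for message in messages:
                    found.append((index, field, str(message)))
        elif isinstance(errors, list):
            for message in errors:
                found.append((index, None, str(message)))
        elif isinstance(errors, str):
            found.append((index, None, errors))

    if not isinstance(body, dict):
        return found

    # Shape 2: {"errors": ["..."]}
    if "errors" in body:
        collect(body["errors"], None)

    data = body.get("data")
    if isinstance(data, dict) and "errors" in data:
        # Shape 1: {"data": {..., "errors": {"value": ["..."]}}}
        collect(data["errors"], None)
    elif isinstance(data, list):
        # Shape 3: {"data": [{"errors": {"id": ["..."]}}, ...]}
        for index, item in enumerate(data):
            if isinstance(item, dict) and "errors" in item:
                collect(item["errors"], index)
    return found


# 400 bodies as shown on this page.
COMMENT_CREATE_400 = """
{"data": {"creator_source_id": 5, "adversary_id": "1",
          "errors": {"value": ["The value field is required."]}}}
"""
COMMENT_UPDATE_400 = """
{"errors": ["The current authenticated owner is not the owner of this comment."]}
"""
EVENT_LINK_400 = """
{"data": [{"errors": {"id": ["The id field is required."]}}]}
"""

if __name__ == "__main__":
    for sample in (COMMENT_CREATE_400, COMMENT_UPDATE_400, EVENT_LINK_400):
        for index, field, message in validation_messages(sample):
            print(index, field, message)
```

Logging the flattened tuples instead of the raw body keeps integration logs uniform across endpoints. A body that matches none of the three shapes yields an empty list, which callers should treat as an unrecognized error rather than success.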

Bulk Delete
DELETE /adversaries/{adversary_id}/events

Delete multiple Adversary Event links. The request should include a list of object_link_ids to be deleted.

Example URI

DELETE /adversaries/1/events
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  62351,
  62352
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Adversary Event

Get Single
GET /adversaries/{adversary_id}/events/{object_link_id}{?with}

Get a single Adversary Event link.

Example URI

GET /adversaries/1/events/2?with=sources,pivot.attributes
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 13,
    "type_id": 1,
    "title": "Origin - http://halvorson.com/quia-reprehenderit-ullam-aut-accusantium-iusto-voluptas-omnis",
    "description": "",
    "happened_at": "2018-01-25 03:17:53",
    "hash": "0ba76d18a6e5350a8e5979b5676bc8c8",
    "created_at": "2018-01-25 03:17:53",
    "updated_at": "2018-01-25 03:17:53",
    "touched_at": "2018-04-03 15:34:22",
    "pivot": {
      "id": 61077,
      "created_at": "2018-02-26 00:36:06",
      "updated_at": "2018-04-03 15:34:20",
      "comments": [
        {
          "id": 55,
          "object_link_id": 61077,
          "value": "This is important.",
          "creator_source_id": 8,
          "created_at": "2018-04-04 14:42:46",
          "updated_at": "2018-04-04 14:42:46",
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "expire_days": null,
              "score": null,
              "created_at": "2018-04-03 15:31:57",
              "updated_at": "2018-04-03 15:31:57",
              "pivot": {
                "id": 55,
                "creator_source_id": 8
              }
            }
          ]
        }
      ],
      "attributes": [
        {
          "id": 14948,
          "object_link_id": 61077,
          "attribute_id": 135,
          "value": "Universities",
          "created_at": "2018-04-04 14:38:39",
          "updated_at": "2018-04-04 14:38:39",
          "name": "Industry",
          "attribute": {
            "id": 135,
            "name": "Industry",
            "created_at": "2018-04-03 19:41:04",
            "updated_at": "2018-04-03 19:41:04"
          },
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "tlp_id": null,
              "created_at": "-0001-11-30 00:00:00",
              "updated_at": "-0001-11-30 00:00:00",
              "published_at": null,
              "pivot": {
                "object_link_attribute_id": 14948,
                "source_id": 8,
                "id": 1,
                "creator_source_id": 0
              }
            }
          ]
        }
      ],
      "sources": [
        {
          "id": 2,
          "type": "clients",
          "name": "Threat Quotient",
          "tlp_id": null,
          "created_at": "2018-03-05 22:01:33",
          "updated_at": "2018-04-03 15:34:22",
          "published_at": null,
          "pivot": {
            "object_link_id": 61077,
            "source_id": 2,
            "id": 22414,
            "creator_source_id": 2
          }
        }
      ]
    },
    "sources": [
      {
        "id": 8,
        "type": "users",
        "name": "Threat Quotient",
        "tlp_id": null,
        "created_at": "2018-02-24 22:23:15",
        "updated_at": "2018-04-03 15:34:22",
        "published_at": null,
        "pivot": {
          "event_id": 13,
          "source_id": 8,
          "id": 27,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /adversaries/{adversary_id}/events/{object_link_id}

Delete an Adversary Event link.

Example URI

DELETE /adversaries/1/events/2
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Adversary Event Attributes List

Get List
GET /adversaries/{adversary_id}/events/{object_link_id}/attributes{?limit,offset,sort}

Get a list of Adversary Event link Attributes.

Example URI

GET /adversaries/1/events/2/attributes?limit=500&offset=100&sort=id
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 15067,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Universities",
      "created_at": "2018-04-02 17:46:43",
      "updated_at": "2018-04-02 17:50:18",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    },
    {
      "id": 15068,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Mining",
      "created_at": "2018-04-02 17:52:14",
      "updated_at": "2018-04-02 17:52:14",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /adversaries/{adversary_id}/events/{object_link_id}/attributes

Create a new Adversary Event link Attribute.

Example URI

POST /adversaries/1/events/2/attributes
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": 15059,
      "object_link_id": 61561,
      "attribute_id": 401,
      "value": "4000",
      "created_at": "2017-03-01 21:47:14",
      "updated_at": "2017-03-01 21:47:14",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Adversary Event Attribute

Get Single
GET /adversaries/{adversary_id}/events/{object_link_id}/attributes/{object_link_attribute_id}

Get a single Adversary Event link Attribute.

Example URI

GET /adversaries/1/events/2/attributes/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 15068,
    "object_link_id": 62326,
    "attribute_id": 136,
    "value": "Mining",
    "created_at": "2018-04-02 17:52:14",
    "updated_at": "2018-04-02 17:52:14",
    "name": "Industry",
    "attribute": {
      "id": 136,
      "name": "Industry",
      "created_at": "2018-04-02 16:25:21",
      "updated_at": "2018-04-02 16:25:21"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /adversaries/{adversary_id}/events/{object_link_id}/attributes/{object_link_attribute_id}

Update an Adversary Event link Attribute.

Example URI

PUT /adversaries/1/events/2/attributes/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "id": 15058,
      "object_link_id": 61561,
      "attribute_id": 14,
      "value": "New Value",
      "created_at": "2017-01-24 14:54:31",
      "updated_at": "2017-03-01 22:13:22",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /adversaries/{adversary_id}/events/{object_link_id}/attributes/{object_link_attribute_id}

Delete an Adversary Event link Attribute.

Example URI

DELETE /adversaries/1/events/2/attributes/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Adversary Event Comments List

Get List
GET /adversaries/{adversary_id}/events/{object_link_id}/comments{?limit,offset,sort,with}

Get a list of Adversary Event link Comments.

Example URI

GET /adversaries/1/events/2/comments?limit=500&offset=100&sort=id&with=sources
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources

A comma-separated list of related objects to include in the response. Options for this endpoint: sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 54,
      "object_link_id": 62325,
      "value": "This has some suspicious stuff.",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:19:51",
      "updated_at": "2018-04-02 18:21:06",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 54,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 56,
      "object_link_id": 62325,
      "value": "Compile date: 10/17/2011",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:20:25",
      "updated_at": "2018-04-02 16:20:25",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /adversaries/{adversary_id}/events/{object_link_id}/comments

Create a new Adversary Event link Comment.

Example URI

POST /adversaries/1/events/2/comments
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "id": 69,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 14:12:32",
    "updated_at": "2017-03-02 14:12:32"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Adversary Event Comment

Get Single
GET /adversaries/{adversary_id}/events/{object_link_id}/comments/{object_link_comment_id}

Get a single Adversary Event link Comment.

Example URI

GET /adversaries/1/events/2/comments/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /adversaries/{adversary_id}/events/{object_link_id}/comments/{object_link_comment_id}

Update an Adversary Event link Comment.

Example URI

PUT /adversaries/1/events/2/comments/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "value": "This is an updated comment.",
    "id": 67,
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-02-28 20:18:50",
    "updated_at": "2017-03-02 14:37:49"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /adversaries/{adversary_id}/events/{object_link_id}/comments/{object_link_comment_id}

Delete an Adversary Event link Comment.

Example URI

DELETE /adversaries/1/events/2/comments/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Adversary Indicators List

Get List
GET /adversaries/{adversary_id}/indicators{?limit,offset,sort,with}

Get a list of Adversary Indicator links.

Example URI

GET /adversaries/1/indicators?limit=500&offset=100&sort=id&with=sources,pivot.attributes
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 24,
      "type_id": 3,
      "status_id": 3,
      "class": "network",
      "hash": "bc77846655cdf4c183713a59f8c2a8f1",
      "value": "brendon57@hotmail.com",
      "description": null,
      "last_detected_at": "2002-06-23 14:29:54",
      "expires_at": null,
      "expired_at": null,
      "expires_needs_calc": "Y",
      "expires_calculated_at": null,
      "created_at": "2018-04-04 19:28:34",
      "updated_at": "2018-04-04 19:28:34",
      "touched_at": "2018-04-04 19:30:57",
      "deleted_at": null,
      "sources": [
        {
          "name": "ThreatQ Example Feed"
        }
      ],
      "pivot": {
        "id": 14896,
        "src_type": "indicator",
        "src_object_id": 24,
        "dest_type": "adversary",
        "dest_object_id": 1,
        "created_at": "2018-04-04 19:28:34",
        "updated_at": "2018-04-04 19:28:34",
        "comments": [
          {
            "id": 54,
            "type": "users",
            "value": "This link is important.",
            "created_at": "2018-04-04 20:05:39.284000",
            "updated_at": "2018-04-04 20:05:39.284000",
            "creator_source_id": 8,
            "sources": [
              {
                "id": 8,
                "name": "Threat Quotient"
              }
            ]
          }
        ],
        "attributes": [
          {
            "id": 43,
            "name": "Confidence",
            "value": "75",
            "sources": [
              {
                "id": 1,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 62,
            "name": "VirusTotal",
            "type": "plugins",
            "pivot": {
              "created_at": "2018-02-19 02:14:29",
              "updated_at": "2018-04-04 19:30:59.439000"
            }
          }
        ]
      }
    },
    {
      "id": 74,
      "type_id": 3,
      "status_id": 3,
      "class": "network",
      "hash": "890a7aa3415d8b4fa39d9f51a026b7d8",
      "value": "hazel.kilback@hotmail.com",
      "description": null,
      "last_detected_at": "1992-07-15 20:23:27",
      "expires_at": null,
      "expired_at": null,
      "expires_needs_calc": "Y",
      "expires_calculated_at": null,
      "created_at": "2018-04-04 19:28:35",
      "updated_at": "2018-04-04 19:28:35",
      "touched_at": "2018-04-04 19:30:57",
      "deleted_at": null,
      "sources": [
        {
          "name": "Customer Admin"
        }
      ],
      "pivot": {
        "id": 14991,
        "src_type": "indicator",
        "src_object_id": 74,
        "dest_type": "adversary",
        "dest_object_id": 1,
        "created_at": "2018-04-04 19:28:35",
        "updated_at": "2018-04-04 19:28:35",
        "comments": [
          {
            "id": 56,
            "type": "users",
            "value": "This link is also important.",
            "created_at": "2018-04-04 20:09:29.324000",
            "updated_at": "2018-04-04 20:09:29.324000",
            "creator_source_id": 8,
            "sources": [
              {
                "id": 8,
                "name": "Threat Quotient"
              }
            ]
          }
        ],
        "attributes": [
          {
            "id": 138,
            "name": "Confidence",
            "value": "75",
            "sources": [
              {
                "id": 2,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 200,
            "name": "Emerging Threats",
            "type": "plugins",
            "pivot": {
              "created_at": "2018-01-13 11:24:36",
              "updated_at": "2018-04-04 19:30:59.439000"
            }
          }
        ]
      }
    }
  ],
  "limit": 2,
  "offset": 0
}
Response  401

Access denied.

Create New
POST /adversaries/{adversary_id}/indicators

Create a link from an Indicator to an Adversary.

Example URI

POST /adversaries/1/indicators
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "id": 2
  },
  {
    "id": 3
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 202,
      "type_id": 2,
      "status_id": 3,
      "class": "network",
      "hash": "bba60e76a34af96122b9f44e67ae8ea7",
      "value": "oolson@yahoo.com",
      "last_detected_at": "2013-12-13 08:58:00",
      "expires_at": null,
      "expired_at": null,
      "expires_calculated_at": null,
      "created_at": "2017-02-28 20:13:19",
      "updated_at": "2017-02-28 20:13:19",
      "touched_at": "2017-03-02 14:57:32",
      "pivot": {
        "id": 62397,
        "created_at": "2017-03-02 14:57:32",
        "updated_at": "2017-03-02 14:57:32"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "id": [
          "The id field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.

Bulk Delete
DELETE /adversaries/{adversary_id}/indicators

Delete multiple Adversary Indicator links. The request should include a list of object_link_ids to be deleted.

Example URI

DELETE /adversaries/1/indicators
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  62351,
  62352
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.
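
The list, create, and bulk-delete calls for Adversary Indicator links take different identifiers: Create New posts indicator ids, while Bulk Delete expects object_link_ids, which the sample responses on this page show as each returned item's pivot.id. The Python below is an added example, not ThreatQuotient code; it builds the requests without sending them, and the helper names, the constructed sample page, and the reading of pivot.id as the object_link_id are assumptions drawn from the sample bodies here.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request

# Base URI as given in this reference; "hostname" is a placeholder.
BASE_URI = "https://hostname/api"

# "with" options this reference lists for the Adversary Indicators endpoints.
WITH_OPTIONS = frozenset({
    "pivot.comments", "pivot.comments.sources", "pivot.attributes",
    "pivot.attributes.attribute", "pivot.attributes.sources",
    "pivot.sources", "sources",
})


def _int_at_least(name, value, minimum):
    """Accept only real integers so an ID can never alter the URI path or query."""
    if isinstance(value, bool) or not isinstance(value, int) or value < minimum:
        raise ValueError(f"{name} must be an integer >= {minimum}, got {value!r}")
    return value


def _links_url(adversary_id):
    return f"{BASE_URI}/adversaries/{_int_at_least('adversary_id', adversary_id, 1)}/indicators"


def build_list_request(adversary_id, token, limit=500, offset=0, with_=()):
    """GET /adversaries/{adversary_id}/indicators{?limit,offset,with}"""
    unknown = set(with_) - WITH_OPTIONS
    if unknown:
        raise ValueError(f"unsupported 'with' options: {sorted(unknown)}")
    params = {
        "limit": _int_at_least("limit", limit, 1),
        "offset": _int_at_least("offset", offset, 0),
    }
    if with_:
        params["with"] = ",".join(with_)
    url = f"{_links_url(adversary_id)}?{urlencode(params, safe=',')}"
    return Request(url, headers={"Authorization": f"Bearer {token}"}, method="GET")


def next_offset(page):
    """Offset for the next page, or None once 'total' records have been seen."""
    seen = page.get("offset", 0) + len(page["data"])
    return seen if page["data"] and seen < page["total"] else None


def link_ids_for(page, indicator_ids):
    """Map indicator id -> object_link_id (pivot.id) for the indicators to unlink."""
    wanted = set(indicator_ids)
    return {item["id"]: item["pivot"]["id"]
            for item in page["data"] if item["id"] in wanted}


def build_bulk_delete_request(adversary_id, token, object_link_ids):
    """DELETE /adversaries/{adversary_id}/indicators with a JSON array of object_link_ids."""
    ids = sorted({_int_at_least("object_link_id", i, 1) for i in object_link_ids})
    if not ids:
        raise ValueError("refusing to build an empty bulk delete")
    headers = {"Content-Type": "application/json",
               "Authorization": f"Bearer {token}"}
    return Request(_links_url(adversary_id), data=json.dumps(ids).encode(),
                   headers=headers, method="DELETE")


# Constructed sample: the Get List response body above, trimmed to the fields used here.
SAMPLE_PAGE = {
    "total": 2,
    "data": [
        {"id": 24, "value": "brendon57@hotmail.com", "pivot": {"id": 14896}},
        {"id": 74, "value": "hazel.kilback@hotmail.com", "pivot": {"id": 14991}},
    ],
    "limit": 2,
    "offset": 0,
}

if __name__ == "__main__":
    listing = build_list_request(1, "<access_token>", limit=2, with_=["sources"])
    print(listing.get_method(), listing.full_url)
    links = link_ids_for(SAMPLE_PAGE, [74])           # indicator 74 -> link 14991
    delete = build_bulk_delete_request(1, "<access_token>", links.values())
    print(delete.get_method(), delete.full_url, delete.data.decode())
    print("next offset:", next_offset(SAMPLE_PAGE))
```

Sending an indicator id where an object_link_id is expected would target whichever link happens to carry that number, so resolve pivot.id from a fresh list response before building the delete body.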

Adversary Indicator

Get Single
GET /adversaries/{adversary_id}/indicators/{object_link_id}{?with}

Get a single Adversary Indicator link.

Example URI

GET /adversaries/1/indicators/2?with=sources,pivot.attributes
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 24,
    "type_id": 3,
    "status_id": 3,
    "class": "network",
    "hash": "bc77846655cdf4c183713a59f8c2a8f1",
    "value": "brendon57@hotmail.com",
    "description": null,
    "last_detected_at": "2002-06-23 14:29:54",
    "expires_at": null,
    "expired_at": null,
    "expires_needs_calc": "Y",
    "expires_calculated_at": null,
    "created_at": "2018-04-04 19:28:34",
    "updated_at": "2018-04-04 19:28:34",
    "touched_at": "2018-04-04 19:30:57",
    "pivot": {
      "id": 14896,
      "created_at": "2018-03-09 14:32:27",
      "updated_at": "2018-04-04 19:30:29",
      "comments": [
        {
          "id": 54,
          "object_link_id": 14896,
          "value": "This link is also important.",
          "creator_source_id": 8,
          "created_at": "2018-04-04 20:05:39",
          "updated_at": "2018-04-04 20:05:39",
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "expire_days": null,
              "score": null,
              "created_at": "2018-04-04 19:28:33",
              "updated_at": "2018-04-04 19:28:33",
              "pivot": {
                "id": 54,
                "creator_source_id": 8
              }
            }
          ]
        }
      ],
      "attributes": [
        {
          "id": 43,
          "object_link_id": 14896,
          "attribute_id": 13,
          "value": "75",
          "created_at": "2018-02-24 14:33:41",
          "updated_at": "-0001-11-30 00:00:00",
          "name": "Confidence",
          "attribute": {
            "id": 13,
            "name": "Confidence",
            "created_at": "2018-03-28 19:03:33",
            "updated_at": "2018-03-24 19:03:33"
          },
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "tlp_id": null,
              "created_at": "-0001-11-30 00:00:00",
              "updated_at": "-0001-11-30 00:00:00",
              "published_at": null,
              "pivot": {
                "object_link_attribute_id": 43,
                "source_id": 8,
                "id": 1,
                "creator_source_id": 0
              }
            }
          ]
        }
      ],
      "sources": [
        {
          "id": 5,
          "type": "plugins",
          "name": "VirusTotal",
          "tlp_id": null,
          "created_at": "2018-02-19 02:14:29",
          "updated_at": "2018-04-04 19:30:59",
          "published_at": null,
          "pivot": {
            "object_link_id": 14896,
            "source_id": 5,
            "id": 62,
            "creator_source_id": 5
          }
        }
      ]
    },
    "sources": [
      {
        "id": 3,
        "type": "clients",
        "name": "ThreatQ",
        "tlp_id": null,
        "created_at": "2018-04-04 19:28:35",
        "updated_at": "2018-04-04 19:28:35",
        "published_at": null,
        "pivot": {
          "indicator_id": 24,
          "source_id": 3,
          "id": 59,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /adversaries/{adversary_id}/indicators/{object_link_id}

Delete an Adversary Indicator link.

Example URI

DELETE /adversaries/1/indicators/2
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Adversary Indicator Attributes List

Get List
GET /adversaries/{adversary_id}/indicators/{object_link_id}/attributes{?limit,offset,sort}

Get a list of Adversary Indicator link Attributes.

Example URI

GET /adversaries/1/indicators/2/attributes?limit=500&offset=100&sort=id
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 15067,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Universities",
      "created_at": "2018-04-02 17:46:43",
      "updated_at": "2018-04-02 17:50:18",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    },
    {
      "id": 15068,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Mining",
      "created_at": "2018-04-02 17:52:14",
      "updated_at": "2018-04-02 17:52:14",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /adversaries/{adversary_id}/indicators/{object_link_id}/attributes

Create a new Adversary Indicator link Attribute.

Example URI

POST /adversaries/1/indicators/2/attributes
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": 15059,
      "object_link_id": 61561,
      "attribute_id": 401,
      "value": "4000",
      "created_at": "2017-03-01 21:47:14",
      "updated_at": "2017-03-01 21:47:14",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Adversary Indicator Attribute

Get Single
GET /adversaries/{adversary_id}/indicators/{object_link_id}/attributes/{object_link_attribute_id}

Get a single Adversary Indicator link Attribute.

Example URI

GET /adversaries/1/indicators/2/attributes/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 15068,
    "object_link_id": 62326,
    "attribute_id": 136,
    "value": "Mining",
    "created_at": "2018-04-02 17:52:14",
    "updated_at": "2018-04-02 17:52:14",
    "name": "Industry",
    "attribute": {
      "id": 136,
      "name": "Industry",
      "created_at": "2018-04-02 16:25:21",
      "updated_at": "2018-04-02 16:25:21"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /adversaries/{adversary_id}/indicators/{object_link_id}/attributes/{object_link_attribute_id}

Update an Adversary Indicator link Attribute.

Example URI

PUT /adversaries/1/indicators/2/attributes/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "id": 15058,
      "object_link_id": 61561,
      "attribute_id": 14,
      "value": "New Value",
      "created_at": "2017-01-24 14:54:31",
      "updated_at": "2017-03-01 22:13:22",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /adversaries/{adversary_id}/indicators/{object_link_id}/attributes/{object_link_attribute_id}

Delete an Adversary Indicator link Attribute.

Example URI

DELETE /adversaries/1/indicators/2/attributes/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Adversary Indicator Comments List

Get List
GET /adversaries/{adversary_id}/indicators/{object_link_id}/comments{?limit,offset,sort,with}

Get a list of Adversary Indicator link Comments.

Example URI

GET /adversaries/1/indicators/2/comments?limit=500&offset=100&sort=id&with=sources
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources

A comma-separated list of related objects to include in the response. Options for this endpoint: sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 54,
      "object_link_id": 62325,
      "value": "This has some suspicious stuff.",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:19:51",
      "updated_at": "2018-04-02 18:21:06",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 54,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 56,
      "object_link_id": 62325,
      "value": "Compile date: 10/17/2011",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:20:25",
      "updated_at": "2018-04-02 16:20:25",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /adversaries/{adversary_id}/indicators/{object_link_id}/comments

Create a new Adversary Indicator link Comment.

Example URI

POST /adversaries/1/indicators/2/comments
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "id": 69,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 14:12:32",
    "updated_at": "2017-03-02 14:12:32"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Adversary Indicator Comment

Get Single
GET /adversaries/{adversary_id}/indicators/{object_link_id}/comments/{object_link_comment_id}

Get a single Adversary Indicator link Comment.

Example URI

GET /adversaries/1/indicators/2/comments/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /adversaries/{adversary_id}/indicators/{object_link_id}/comments/{object_link_comment_id}

Update an Adversary Indicator link Comment.

Example URI

PUT /adversaries/1/indicators/2/comments/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "value": "This is an updated comment.",
    "id": 67,
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-02-28 20:18:50",
    "updated_at": "2017-03-02 14:37:49"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /adversaries/{adversary_id}/indicators/{object_link_id}/comments/{object_link_comment_id}

Delete an Adversary Indicator link Comment.

Example URI

DELETE /adversaries/1/indicators/2/comments/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Adversary Signatures List

Get List
GET /adversaries/{adversary_id}/signatures{?limit,offset,sort,with}

Get a list of Adversary Signature links.

Example URI

GET /adversaries/1/signatures?limit=500&offset=100&sort=id&with=sources,pivot.attributes
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 2,
      "name": "ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow (2007937:4)",
      "description": "",
      "hash": "8cf2e60aeb0b7ed9874f2ed379b3f42d",
      "value": "alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:\"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow\"; content:\"|44 53 52 65 71 75 65 73 74|\"; pcre:\"/[0-9a-zA-Z]{50}/R\"; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; classtype:successful-dos; sid:2007937; rev:4;)",
      "status_id": 3,
      "type_id": 6,
      "last_detected_at": null,
      "created_at": "2018-04-04 19:30:18",
      "updated_at": "2018-04-04 19:30:18",
      "touched_at": "2018-04-04 23:02:46",
      "deleted_at": null,
      "sources": [
        {
          "name": "Threat Quotient"
        }
      ],
      "pivot": {
        "id": 62261,
        "src_type": "signature",
        "src_object_id": 2,
        "dest_type": "adversary",
        "dest_object_id": 1,
        "created_at": "2018-04-04 19:30:18",
        "updated_at": "2018-04-04 19:30:18",
        "comments": [
          {
            "id": 57,
            "type": "users",
            "value": "This link is important.",
            "created_at": "2018-04-04 23:16:40.155000",
            "updated_at": "2018-04-04 23:18:42.648000",
            "creator_source_id": 8,
            "sources": [
              {
                "id": 8,
                "name": "Threat Quotient"
              }
            ]
          }
        ],
        "attributes": [
          {
            "id": 15080,
            "name": "Industry",
            "value": "Universities",
            "sources": [
              {
                "id": 3,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24298,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-04 23:02:46.740000",
              "updated_at": "2018-04-04 23:02:46.740000"
            }
          }
        ]
      }
    },
    {
      "id": 1,
      "name": "ET EXPLOIT Arkeia full remote access without password or authentication (2001742:9)",
      "description": "",
      "hash": "737309fe355ef23e1c03a5e98bc364b5",
      "value": "alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:\"ET EXPLOIT Arkeia full remote access without password or authentication\"; flow:to_server,established; content:\"|464F3A20596F75206861766520737563|\"; content:\"|6520636C69656E7420696E666F726D61|\"; reference:url,metasploit.com/research/vulns/arkeia_agent; reference:url,doc.emergingthreats.net/bin/view/Main/2001742; classtype:attempted-admin; sid:2001742; rev:9;)",
      "status_id": 3,
      "type_id": 6,
      "last_detected_at": null,
      "created_at": "2018-04-04 19:30:18",
      "updated_at": "2018-04-04 19:30:18",
      "touched_at": "2018-04-04 23:03:35",
      "deleted_at": null,
      "sources": [
        {
          "name": "Threat Quotient"
        }
      ],
      "pivot": {
        "id": 62262,
        "src_type": "signature",
        "src_object_id": 1,
        "dest_type": "adversary",
        "dest_object_id": 1,
        "created_at": "2018-04-04 19:30:18",
        "updated_at": "2018-04-04 19:30:18",
        "comments": [
          {
            "id": 58,
            "type": "users",
            "value": "This link is also important.",
            "created_at": "2018-04-04 23:16:58.817000",
            "updated_at": "2018-04-04 23:16:58.817000",
            "creator_source_id": 8,
            "sources": [
              {
                "id": 8,
                "name": "Threat Quotient"
              }
            ]
          }
        ],
        "attributes": [
          {
            "id": 15081,
            "name": "Industry",
            "value": "Mining",
            "sources": [
              {
                "id": 4,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24300,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-04 23:03:35.975000",
              "updated_at": "2018-04-04 23:03:35.975000"
            }
          }
        ]
      }
    }
  ],
  "limit": 100,
  "offset": 0
}
Response  401

Access denied.

Create New
POST /adversaries/{adversary_id}/signatures

Create a link from a Signature to an Adversary.

Example URI

POST /adversaries/1/signatures
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "id": 2
  },
  {
    "id": 3
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 202,
      "name": "ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 27 (2019448:1)",
      "description": "",
      "hash": "32eb2da7b59c7e85fbeec98f90adaf2d",
      "value": "alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:\"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 27\"; flow:established,to_server; content:\"%6e%61m%65[\"; nocase; fast_pattern:only; http_client_body; pcre:\"/(?:^|&|Content-Disposition[\\x3a][^\\n]*?name\\s*?=\\s*?[\\x22\\x27])\\%6e\\%61m\\%65\\[[^\\x5d]*?\\W/Pi\"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019448; rev:1;)",
      "status_id": 4,
      "type_id": 1,
      "last_detected_at": null,
      "created_at": "2017-03-02 16:34:40",
      "updated_at": "2017-03-02 16:34:40",
      "touched_at": "2017-03-02 16:34:41",
      "pivot": {
        "id": 62337,
        "created_at": "2017-03-02 16:43:29",
        "updated_at": "2017-03-02 16:43:29"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "id": [
          "The id field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.

Bulk Delete
DELETE /adversaries/{adversary_id}/signatures

Delete multiple Adversary Signature links. The request should include a list of object_link_ids to be deleted.

Example URI

DELETE /adversaries/1/signatures
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  62351,
  62352
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Adversary Signature

Get Single
GET /adversaries/{adversary_id}/signatures/{object_link_id}{?with}

Get a single Adversary Signature link.

Example URI

GET /adversaries/1/signatures/2?with=sources,pivot.attributes
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 2,
    "name": "ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow (2007937:4)",
    "description": "",
    "hash": "8cf2e60aeb0b7ed9874f2ed379b3f42d",
    "value": "alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:\"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow\"; content:\"|44 53 52 65 71 75 65 73 74|\"; pcre:\"/[0-9a-zA-Z]{50}/R\"; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; classtype:successful-dos; sid:2007937; rev:4;)",
    "status_id": 3,
    "type_id": 6,
    "last_detected_at": null,
    "created_at": "2018-04-04 19:30:18",
    "updated_at": "2018-04-04 19:30:18",
    "touched_at": "2018-04-04 23:02:46",
    "pivot": {
      "id": 62261,
      "created_at": "2018-04-04 23:02:46",
      "updated_at": "2018-04-04 23:02:46",
      "comments": [
        {
          "id": 57,
          "object_link_id": 62261,
          "value": "This link is important.",
          "creator_source_id": 8,
          "created_at": "2018-04-04 23:16:40",
          "updated_at": "2018-04-04 23:18:42",
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "expire_days": null,
              "score": null,
              "created_at": "2018-04-04 19:28:33",
              "updated_at": "2018-04-04 19:28:33",
              "pivot": {
                "id": 57,
                "creator_source_id": 8
              }
            }
          ]
        }
      ],
      "attributes": [
        {
          "id": 15080,
          "object_link_id": 62261,
          "attribute_id": 135,
          "value": "Universities",
          "created_at": "2018-04-04 23:09:28",
          "updated_at": "2018-04-04 23:09:28",
          "name": "Industry",
          "attribute": {
            "id": 135,
            "name": "Industry",
            "created_at": "2018-04-04 20:01:00",
            "updated_at": "2018-04-04 20:01:00"
          },
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "tlp_id": null,
              "created_at": "-0001-11-30 00:00:00",
              "updated_at": "-0001-11-30 00:00:00",
              "published_at": null,
              "pivot": {
                "object_link_attribute_id": 15080,
                "source_id": 8,
                "id": 3,
                "creator_source_id": 0
              }
            }
          ]
        }
      ],
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "tlp_id": null,
          "created_at": "2018-04-04 23:02:46",
          "updated_at": "2018-04-04 23:02:46",
          "published_at": null,
          "pivot": {
            "object_link_id": 62261,
            "source_id": 8,
            "id": 24298,
            "creator_source_id": 8
          }
        }
      ]
    },
    "sources": [
      {
        "id": 8,
        "type": "users",
        "name": "Threat Quotient",
        "tlp_id": null,
        "created_at": "2018-04-04 19:30:18",
        "updated_at": "2018-04-04 19:30:18",
        "published_at": null,
        "pivot": {
          "signature_id": 2,
          "source_id": 8,
          "id": 2,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /adversaries/{adversary_id}/signatures/{object_link_id}

Delete an Adversary Signature link.

Example URI

DELETE /adversaries/1/signatures/2
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Adversary Signature Attributes List

Get List
GET /adversaries/{adversary_id}/signatures/{object_link_id}/attributes{?limit,offset,sort}

Get a list of Adversary Signature link Attributes.

Example URI

GET /adversaries/1/signatures/2/attributes?limit=500&offset=100&sort=id
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 15067,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Universities",
      "created_at": "2018-04-02 17:46:43",
      "updated_at": "2018-04-02 17:50:18",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    },
    {
      "id": 15068,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Mining",
      "created_at": "2018-04-02 17:52:14",
      "updated_at": "2018-04-02 17:52:14",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    }
  ]
}
Response  401

Access denied.
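
A sketch of paging through a Get List endpoint with the limit, offset and sort parameters described above, added here as an example and not part of the ThreatQ reference. It assumes offset is zero-based; `fetch` is a caller-supplied function that performs the authenticated GET and returns the decoded JSON body, and `make_fake_endpoint` is a constructed stand-in so the block runs offline.

```python
from typing import Callable, Iterator, List, Sequence, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit


def build_list_uri(path: str, limit: int, offset: int, sort: Sequence[str]) -> str:
    """Build the URI for one page of a Get List call.

    `sort` holds field names; a leading "-" reverses the order of that field,
    and several fields are sent as one comma-separated value.
    """
    if limit < 1 or offset < 0:
        raise ValueError("limit must be >= 1 and offset must be >= 0")
    query = urlencode(
        {"limit": limit, "offset": offset, "sort": ",".join(sort)},
        safe=",",  # keep the comma between sort fields readable
    )
    return f"{path}?{query}"


def iter_records(fetch: Callable[[str], dict], path: str, limit: int = 500,
                 sort: Sequence[str] = ("id",), max_pages: int = 10_000) -> Iterator[dict]:
    """Yield every record of a collection, one page at a time.

    Sorting on a stable key (id) keeps page boundaries predictable. Records
    already seen are skipped, which covers a row being inserted ahead of the
    current offset between two calls. `max_pages` bounds the loop if the
    server never reports the end of the collection.
    """
    offset = 0
    seen = set()
    for _ in range(max_pages):
        body = fetch(build_list_uri(path, limit, offset, sort))
        records = body.get("data")
        if not isinstance(records, list):
            # A collection is documented as an array inside the data envelope.
            raise ValueError("expected 'data' to be an array for a collection")
        if not records:
            return
        for record in records:
            record_id = record.get("id")
            if record_id is not None:
                if record_id in seen:
                    continue
                seen.add(record_id)
            yield record
        offset += len(records)
        total = body.get("total")
        if isinstance(total, int) and offset >= total:
            return
    raise RuntimeError("stopped after max_pages pages without reaching the end")


def make_fake_endpoint(rows: List[dict]) -> Tuple[Callable[[str], dict], List[str]]:
    """Constructed stand-in for the server: sorts by id, slices by offset/limit."""
    calls: List[str] = []

    def fetch(uri: str) -> dict:
        calls.append(uri)
        query = parse_qs(urlsplit(uri).query)
        limit, offset = int(query["limit"][0]), int(query["offset"][0])
        ordered = sorted(rows, key=lambda row: row["id"])
        return {"total": len(ordered), "data": ordered[offset:offset + limit]}

    return fetch, calls


if __name__ == "__main__":
    # Constructed sample rows; the ids are illustrative only.
    sample = [{"id": i, "name": "Industry"} for i in (15069, 15067, 15068)]
    fake_fetch, requested = make_fake_endpoint(sample)
    for row in iter_records(fake_fetch, "/adversaries/1/signatures/2/attributes", limit=2):
        print(row["id"])
    print(requested)
```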

Create New
POST /adversaries/{adversary_id}/signatures/{object_link_id}/attributes

Create a new Adversary Signature link Attribute.

Example URI

POST /adversaries/1/signatures/2/attributes
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": 15059,
      "object_link_id": 61561,
      "attribute_id": 401,
      "value": "4000",
      "created_at": "2017-03-01 21:47:14",
      "updated_at": "2017-03-01 21:47:14",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Adversary Signature Attribute

Get Single
GET /adversaries/{adversary_id}/signatures/{object_link_id}/attributes/{object_link_attribute_id}

Get a single Adversary Signature link Attribute.

Example URI

GET /adversaries/1/signatures/2/attributes/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 15068,
    "object_link_id": 62326,
    "attribute_id": 136,
    "value": "Mining",
    "created_at": "2018-04-02 17:52:14",
    "updated_at": "2018-04-02 17:52:14",
    "name": "Industry",
    "attribute": {
      "id": 136,
      "name": "Industry",
      "created_at": "2018-04-02 16:25:21",
      "updated_at": "2018-04-02 16:25:21"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /adversaries/{adversary_id}/signatures/{object_link_id}/attributes/{object_link_attribute_id}

Update an Adversary Signature link Attribute.

Example URI

PUT /adversaries/1/signatures/2/attributes/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "id": 15058,
      "object_link_id": 61561,
      "attribute_id": 14,
      "value": "New Value",
      "created_at": "2017-01-24 14:54:31",
      "updated_at": "2017-03-01 22:13:22",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /adversaries/{adversary_id}/signatures/{object_link_id}/attributes/{object_link_attribute_id}

Delete an Adversary Signature link Attribute.

Example URI

DELETE /adversaries/1/signatures/2/attributes/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Adversary Signature Comments List

Get List
GET /adversaries/{adversary_id}/signatures/{object_link_id}/comments{?limit,offset,sort,with}

Get a list of Adversary Signature link Comments.

Example URI

GET /adversaries/1/signatures/2/comments?limit=500&offset=100&sort=id&with=sources
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources

A comma-separated list of related objects to include in the response. Options for this endpoint: sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 54,
      "object_link_id": 62325,
      "value": "This has some suspicious stuff.",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:19:51",
      "updated_at": "2018-04-02 18:21:06",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 54,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 56,
      "object_link_id": 62325,
      "value": "Compile date: 10/17/2011",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:20:25",
      "updated_at": "2018-04-02 16:20:25",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /adversaries/{adversary_id}/signatures/{object_link_id}/comments

Create a new Adversary Signature link Comment.

Example URI

POST /adversaries/1/signatures/2/comments
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "id": 69,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 14:12:32",
    "updated_at": "2017-03-02 14:12:32"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Adversary Signature Comment

Get Single
GET /adversaries/{adversary_id}/signatures/{object_link_id}/comments/{object_link_comment_id}

Get a single Adversary Signature link Comment.

Example URI

GET /adversaries/1/signatures/2/comments/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /adversaries/{adversary_id}/signatures/{object_link_id}/comments/{object_link_comment_id}

Update an Adversary Signature link Comment.

Example URI

PUT /adversaries/1/signatures/2/comments/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "value": "This is an updated comment.",
    "id": 67,
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-02-28 20:18:50",
    "updated_at": "2017-03-02 14:37:49"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /adversaries/{adversary_id}/signatures/{object_link_id}/comments/{object_link_comment_id}

Delete an Adversary Signature link Comment.

Example URI

DELETE /adversaries/1/signatures/2/comments/3
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Adversary Sources List

Get List
GET /adversaries/{adversary_id}/sources{?limit,offset,sort,with}

Get a list of Adversary Sources.

Example URI

GET /adversaries/1/sources?limit=500&offset=100&sort=id&with=adversary,tlp
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: adversary,tlp

A comma-separated list of related objects to include in the response. Options for this endpoint: adversary, tlp.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 366,
      "adversary_id": 187,
      "source_id": 8,
      "creator_source_id": 8,
      "tlp_id": 1,
      "created_at": "2017-07-04 03:44:46",
      "updated_at": "2017-07-04 03:44:46",
      "published_at": null,
      "adversary": {
        "id": 187,
        "name": "Adversary Name",
        "created_at": "2017-07-04 03:44:46",
        "updated_at": "2017-07-04 03:44:48",
        "touched_at": "2017-07-04 03:45:01"
      },
      "tlp": {
        "id": 1,
        "name": "RED",
        "description": "Red",
        "value": 0,
        "user_editable": "N",
        "created_at": "2017-07-04 03:37:52",
        "updated_at": "2017-07-04 03:37:52"
      }
    },
    {
      "id": 367,
      "adversary_id": 187,
      "source_id": 9,
      "creator_source_id": 8,
      "tlp_id": 1,
      "created_at": "2017-07-04 03:44:46",
      "updated_at": "2017-07-04 03:44:46",
      "published_at": null,
      "adversary": {
        "id": 187,
        "name": "Adversary Name",
        "created_at": "2017-07-04 03:44:46",
        "updated_at": "2017-07-04 03:44:48",
        "touched_at": "2017-07-04 03:45:01"
      },
      "tlp": {
        "id": 1,
        "name": "RED",
        "description": "Red",
        "value": 0,
        "user_editable": "N",
        "created_at": "2017-07-04 03:37:52",
        "updated_at": "2017-07-04 03:37:52"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /adversaries/{adversary_id}/sources

Create a new Adversary Source.

Example URI

POST /adversaries/1/sources
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Test Source",
  "tlp": {
    "name": "RED"
  }
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 370,
      "adversary_id": 1,
      "source_id": 11,
      "creator_source_id": 5,
      "tlp_id": 1,
      "created_at": "2017-03-02 21:08:27",
      "updated_at": "2017-03-02 21:08:27",
      "published_at": null,
      "deleted_at": null,
      "existing": 0,
      "name": "Test Source"
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "name": [
          "The name field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.

Adversary Source

Get Single
GET /adversaries/{adversary_id}/sources/{adversary_source_id}

Get a single Adversary Source.

Example URI

GET /adversaries/1/sources/2
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

adversary_source_id
integer (required) Example: 2

Adversary Source ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "adversary_id": 1,
    "source_id": 13,
    "creator_source_id": 8,
    "tlp_id": 4,
    "created_at": "2018-10-30 20:10:24",
    "updated_at": "2018-10-30 20:10:24",
    "published_at": null
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /adversaries/{adversary_id}/sources/{adversary_source_id}

Update an Adversary Source.

Example URI

PUT /adversaries/1/sources/2
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

adversary_source_id
integer (required) Example: 2

Adversary Source ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "adversary_id": 1,
    "source_id": 13,
    "creator_source_id": 8,
    "tlp_id": 4,
    "created_at": "2018-10-30 20:10:24",
    "updated_at": "2018-10-30 20:10:24",
    "published_at": null
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /adversaries/{adversary_id}/sources/{adversary_source_id}

Delete an Adversary Source.

Example URI

DELETE /adversaries/1/sources/2
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

adversary_source_id
integer (required) Example: 2

Adversary Source ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Adversary Tag List

Get List
GET /adversaries/{adversary_id}/tags{?limit,offset,sort,with}

Get a list of Adversary Tags.

Example URI

GET /adversaries/1/tags?limit=500&offset=100&sort=id&with=adversaries
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: adversaries

A comma-separated list of related objects to include in the response. Options for this endpoint: adversaries.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 1,
      "name": "A Tag Name",
      "pivot": {
        "object_id": 1,
        "tag_id": 1,
        "created_at": "2017-05-25 19:38:08",
        "updated_at": "2017-05-25 19:38:08"
      },
      "adversaries": [
        {
          "id": 1,
          "name": "Advanced Pawn",
          "created_at": "2017-03-15 17:27:36",
          "updated_at": "2017-03-15 17:27:36",
          "touched_at": "2017-05-24 19:08:38",
          "pivot": {
            "tag_id": 1,
            "object_id": 1,
            "created_at": "2017-05-25 19:38:08",
            "updated_at": "2017-05-25 19:38:08"
          }
        }
      ]
    },
    {
      "id": 2,
      "name": "Yet Another Tag Name",
      "pivot": {
        "object_id": 1,
        "tag_id": 2,
        "created_at": "2017-05-25 19:38:08",
        "updated_at": "2017-05-25 19:38:08"
      },
      "adversaries": [
        {
          "id": 1,
          "name": "Advanced Pawn",
          "created_at": "2017-03-15 17:27:36",
          "updated_at": "2017-03-15 17:27:36",
          "touched_at": "2017-05-24 19:08:38",
          "pivot": {
            "tag_id": 2,
            "object_id": 1,
            "created_at": "2017-05-25 19:38:08",
            "updated_at": "2017-05-25 19:38:08"
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /adversaries/{adversary_id}/tags

Create a new Adversary Tag.

Example URI

POST /adversaries/1/tags
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Tag Name"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 2,
      "name": "Tag Name",
      "pivot": {
        "object_id": 1,
        "tag_id": 2,
        "created_at": "2017-03-02 21:24:30",
        "updated_at": "2017-03-02 21:24:30"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "errors": {
      "name": [
        "The name field is required."
      ]
    }
  }
}
Response  401

Access denied.

Adversary Tag

Get Single
GET /adversaries/{adversary_id}/tags/{tag_id}{?with}

Get a single Adversary Tag.

Example URI

GET /adversaries/1/tags/2?with=adversaries
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

tag_id
integer (required) Example: 2

Tag ID

with
string (optional) Example: adversaries

A comma-separated list of related objects to include in the response. Options for this endpoint: adversaries.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 3,
    "name": "A Tag Name",
    "pivot": {
      "object_id": 189,
      "tag_id": 3,
      "created_at": "2017-07-04 18:39:46",
      "updated_at": "2017-07-04 18:39:46"
    },
    "adversaries": [
      {
        "id": 189,
        "name": "New Adversary Name",
        "created_at": "2017-07-04 18:39:46",
        "updated_at": "2017-07-04 18:39:48",
        "touched_at": "2017-07-04 18:40:04",
        "pivot": {
          "tag_id": 3,
          "object_id": 189,
          "created_at": "2017-07-04 18:39:46",
          "updated_at": "2017-07-04 18:39:46"
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /adversaries/{adversary_id}/tags/{tag_id}

Delete an Adversary Tag.

Example URI

DELETE /adversaries/1/tags/2
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

tag_id
integer (required) Example: 2

Tag ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Adversary Watchlists

Get Single
GET /adversaries/{adversary_id}/watchlist

Get an Adversary in a user’s Watchlist.

Example URI

GET /adversaries/1/watchlist
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 1,
  "data": [
    {
      "id": 1,
      "user_id": 1,
      "object_type": "adversary",
      "object_id": 1,
      "created_at": "2017-03-02 21:46:50",
      "updated_at": "2017-03-02 21:46:50",
      "adversary": {
        "id": 1,
        "name": "Advanced Pawn",
        "created_at": "2017-02-14 15:09:26",
        "updated_at": "2017-02-14 15:09:26",
        "touched_at": "2017-03-02 21:08:27"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /adversaries/{adversary_id}/watchlist

Add an Adversary to the user’s Watchlist.

Example URI

POST /adversaries/1/watchlist
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

Request
Headers
Authorization: Bearer <access_token>
Body
No Request Body.
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "object_type": "adversary",
    "user_id": 1,
    "object_id": "1",
    "updated_at": "2017-03-02 21:50:37",
    "created_at": "2017-03-02 21:50:37",
    "id": 3
  }
}
Response  401

Access denied.

Adversary Watchlist

Adversary Watchlist
DELETE /adversaries/{adversary_id}/watchlist/{watchlist_id}

Remove an Adversary from the user’s Watchlist.

Example URI

DELETE /adversaries/1/watchlist/2
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

watchlist_id
integer (required) Example: 2

Watchlist ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Adversary Description

Get Single
GET /adversaries/{adversary_id}/description

Get an Adversary Description.

Example URI

GET /adversaries/1/description
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": "<p>This Adversary has a description.</p>\n"
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Adversary has no description"
  ]
}
Response  401

Access denied.

Create New
POST /adversaries/{adversary_id}/description

Create a new Adversary Description.

Example URI

POST /adversaries/1/description
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This Adversary has these qualities."
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": "This Adversary has these qualities."
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.
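
The Response 400 bodies documented for the Adversary endpoints above come in several shapes: a top-level `errors` array of strings, an `errors` map nested under a `data` object, and an `errors` map inside each element of a `data` array. The following client-side normalizer is an added example, not ThreatQ code; the function names and the `SAMPLES` table (bodies copied from this reference) are illustrative, and filing "Undefined index: <field>" under that field is an assumption about what the message means.

```python
import json
import re
from typing import Dict, List

GENERAL = ""  # key used for messages that are not tied to a request field

# Assumption: "Undefined index: value" means the "value" field was missing.
_UNDEFINED_INDEX = re.compile(r"^Undefined index: (\w+)$")

# Response 400 bodies copied from this reference.
SAMPLES = {
    "top_level_list": '{"errors": ["Undefined index: value"]}',
    "data_object": '{"data": {"creator_source_id": 5, "errors": '
                   '{"value": ["The value field is required."]}}}',
    "data_array": '{"data": [{"errors": {"name": ["The name field is required."]}}]}',
    "no_field": '{"errors": ["Adversary has no description"]}',
}


def _add(out: Dict[str, List[str]], field: str, message: str) -> None:
    out.setdefault(field, []).append(message)


def _collect(errors, out: Dict[str, List[str]]) -> None:
    """Fold one `errors` value (array of strings or field map) into `out`."""
    if isinstance(errors, dict):
        for field, messages in errors.items():
            for message in (messages if isinstance(messages, list) else [messages]):
                _add(out, str(field), str(message))
    elif isinstance(errors, list):
        for message in errors:
            if isinstance(message, (dict, list)):
                _collect(message, out)
                continue
            text = str(message)
            match = _UNDEFINED_INDEX.match(text)
            _add(out, match.group(1) if match else GENERAL, text)
    elif errors is not None:
        _add(out, GENERAL, str(errors))


def extract_errors(body_text: str) -> Dict[str, List[str]]:
    """Return {field: [messages]} for any of the documented error envelopes.

    An empty or successful body yields {}. The messages are server-generated
    text: log them, and escape them before showing them in a UI.
    """
    if not body_text.strip():
        return {}
    try:
        body = json.loads(body_text)
    except json.JSONDecodeError:
        return {GENERAL: ["response body is not valid JSON"]}
    out: Dict[str, List[str]] = {}
    if not isinstance(body, dict):
        return out
    if "errors" in body:
        _collect(body["errors"], out)
    data = body.get("data")
    for item in (data if isinstance(data, list) else [data]):
        if isinstance(item, dict) and "errors" in item:
            _collect(item["errors"], out)
    return out


def missing_fields(body_text: str) -> List[str]:
    """Field names the server complained about, sorted, without GENERAL."""
    return sorted(field for field in extract_errors(body_text) if field != GENERAL)


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, extract_errors(text))
```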

Attachments

Attachment List

Get List
GET /attachments{?limit,offset,sort,with}

Get a list of Attachments (Files).

Example URI

GET /attachments?limit=500&offset=100&sort=id&with=adversaries,attachments
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: adversaries,attachments

A comma-separated list of related objects to include in the response. Options for this endpoint: adversaries, attachments, attributes, comments, contentType, events, indicators, signatures, sources, tags, type, watchlist.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 3,
  "data": [
    {
      "id": 1,
      "type_id": 1,
      "title": "Crazy File",
      "name": "crazy-file.exe",
      "hash": "f5f39c6886a66686af0950014dffe968",
      "content_type_id": 1,
      "file_size": 234235236,
      "malware_locked": 1,
      "description": null,
      "created_at": "2017-03-16 13:03:07",
      "updated_at": "2017-03-16 13:03:07",
      "touched_at": "2017-03-16 13:05:54"
    },
    {
      "id": 2,
      "type_id": 2,
      "title": "Bad Malware",
      "name": "Crazy effing malware!.net.org.exe",
      "hash": "350649b5b5fa5436d325cbaf482d52c7",
      "content_type_id": 1,
      "file_size": 134232,
      "malware_locked": 1,
      "description": null,
      "created_at": "2017-03-15 13:03:07",
      "updated_at": "2017-03-15 13:03:07",
      "touched_at": "2017-03-16 13:05:54"
    },
    {
      "id": 3,
      "type_id": 3,
      "title": "EXE like script",
      "name": "Honeybooboo.sh",
      "hash": "51774564f8d78fbddbfa22e1e7459af4",
      "content_type_id": 1,
      "file_size": 234234,
      "malware_locked": 1,
      "description": null,
      "created_at": "2017-03-11 13:03:07",
      "updated_at": "2017-03-11 13:03:07",
      "touched_at": "2017-03-16 13:05:54"
    }
  ]
}
Response  401

Access denied.

Create New
POST /attachments

Create a new Attachment (File). Before a request is made to this endpoint, the file should be uploaded with a POST to /attachments/upload.

If you leave the title field blank in your request, the title will share the file name of the attachment.

Example URI

POST /attachments
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "bad_file.exe",
  "title": "Bad File",
  "type_id": "2",
  "malware_locked": "0",
  "tlp": {
    "name": "GREEN"
  }
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "malware_locked": 0,
    "name": "bad_file.exe",
    "file_size": 917573,
    "hash": "aead2388d5b9de8b1bfdd83eb6b4746d",
    "type_id": 1,
    "content_type_id": 2,
    "updated_at": "2017-03-16 15:01:52",
    "created_at": "2017-03-16 15:01:52",
    "id": 4
  }
}
Response  401

Access denied.

Response  500

Internal Server Error.

Body
{
  "errors": [
    "The file \"/tmp/bad_file.exe\" does not exist"
  ]
}

Attachment Comment Short

Get Single
GET /attachments/comments/{attachment_comment_id}{?with}

Get a single Attachment (File) Comment.

Example URI

GET /attachments/comments/2?with=attachment,sources
URI Parameters
attachment_comment_id
integer (required) Example: 2

Attachment Comment ID

with
string (optional) Example: attachment,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: attachment, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /attachments/comments/{attachment_comment_id}{?with}

Update an Attachment (File) Comment.

Example URI

PUT /attachments/comments/2?with=attachment,sources
URI Parameters
attachment_comment_id
integer (required) Example: 2

Attachment Comment ID

with
string (optional) Example: attachment,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: attachment, sources.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 4,
    "attachment_id": 1,
    "value": "This is an updated comment.",
    "creator_source_id": 5,
    "created_at": "2017-03-16 20:26:25",
    "updated_at": "2017-03-16 20:38:01",
    "sources": [
      {
        "id": 5,
        "type": "users",
        "name": "Threat Quotient",
        "expire_days": null,
        "score": null,
        "created_at": "2017-03-16 13:04:06",
        "updated_at": "2017-03-16 13:04:06",
        "pivot": {
          "id": 4,
          "creator_source_id": 5
        }
      }
    ]
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "The current authenticated owner is not the owner of this comment."
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /attachments/comments/{attachment_comment_id}

Delete an Attachment (File) Comment.

Example URI

DELETE /attachments/comments/2
URI Parameters
attachment_comment_id
integer (required) Example: 2

Attachment Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Attachment Malware Lock

Attachment Malware Lock
PUT /attachments/malware-lock/{attachment_id}

Update the malware_lock setting on an Attachment (File).

Example URI

PUT /attachments/malware-lock/1
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "malware_locked": "0"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 2,
    "type_id": 2,
    "title": "Bad Malware",
    "name": "Crazy effing malware!.net.org.exe",
    "hash": "350649b5b5fa5436d325cbaf482d52c7",
    "content_type_id": 1,
    "file_size": 134232,
    "malware_locked": 0,
    "description": null,
    "created_at": "2017-03-15 13:03:07",
    "updated_at": "2017-03-16 18:46:10",
    "touched_at": "2017-03-16 13:05:54"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Attachment Types List

Get List
GET /attachments/types{?limit,offset,sort,with}

Get a list of Attachment (File) Types.

Example URI

GET /attachments/types?limit=500&offset=100&sort=id&with=plugins,pluginActions
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: plugins,pluginActions

A comma-separated list of related objects to include in the response. Options for this endpoint: plugins, pluginActions.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 24,
  "data": [
    {
      "id": 1,
      "name": "Cuckoo",
      "is_parsable": "Y",
      "parser_class": "Cuckoo",
      "created_at": "2017-03-20 13:28:41",
      "updated_at": "2017-03-20 13:28:41"
    },
    {
      "id": 2,
      "name": "CrowdStrike Intelligence",
      "is_parsable": "N",
      "parser_class": "",
      "created_at": "2017-03-20 13:28:41",
      "updated_at": "2017-03-20 13:28:41"
    },
    {
      "id": 3,
      "name": "Early Warning and Indicator Notice (EWIN)",
      "is_parsable": "N",
      "parser_class": "",
      "created_at": "2017-03-20 13:28:41",
      "updated_at": "2017-03-20 13:28:41"
    }
  ]
}
Response  401

Access denied.

Create New
POST /attachments/types

Create a new Attachment (File) Type.

Example URI

POST /attachments/types
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "New Type",
  "is_parsable": "Y",
  "parser_class": "Generic"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "is_parsable": "Y",
    "name": "New Type",
    "parser_class": "Generic",
    "updated_at": "2017-03-17 02:03:27",
    "created_at": "2017-03-17 02:03:27",
    "id": 25
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "is_parsable": "N",
    "errors": {
      "name": [
        "The name field is required."
      ]
    }
  }
}
Response  401

Access denied.

Attachment Type

Get Single
GET /attachments/types/{attachment_type_id}{?with}

Get a single Attachment (File) Type.

Example URI

GET /attachments/types/2?with=plugins,pluginActions
URI Parameters
attachment_type_id
integer (required) Example: 2

Attachment Type ID

with
string (optional) Example: plugins,pluginActions

A comma-separated list of related objects to include in the response. Options for this endpoint: plugins, pluginActions.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "name": "Cuckoo",
    "is_parsable": "Y",
    "parser_class": "Cuckoo",
    "created_at": "2017-03-16 13:03:46",
    "updated_at": "2017-03-16 13:03:46"
  }
}
Response  401

Access denied.

Update
PUT /attachments/types/{attachment_type_id}{?with}

Update an Attachment (File) Type.

Example URI

PUT /attachments/types/2?with=plugins,pluginActions
URI Parameters
attachment_type_id
integer (required) Example: 2

Attachment Type ID

with
string (optional) Example: plugins,pluginActions

A comma-separated list of related objects to include in the response. Options for this endpoint: plugins, pluginActions.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Updated New Type",
  "is_parsable": "N",
  "parser_class": ""
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 25,
    "name": "Updated New Type",
    "is_parsable": "N",
    "parser_class": "",
    "created_at": "2017-03-17 02:03:27",
    "updated_at": "2017-03-17 02:14:55"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /attachments/types/{attachment_type_id}

Delete an Attachment (File) Type.

Example URI

DELETE /attachments/types/2
URI Parameters
attachment_type_id
integer (required) Example: 2

Attachment Type ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Attachment Upload

Get Upload
GET /attachments/upload

Check an Attachment (File) upload.

Example URI

GET /attachments/upload
Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Response  401

Access denied.

Response  404

Object not found.

Upload New
POST /attachments/upload

Upload a new Attachment (File).

Example URI

POST /attachments/upload
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
------WebKitFormBoundaryhatA0asEkvcym8Yv
Content-Disposition: form-data; name="resumableChunkNumber"

1
------WebKitFormBoundaryhatA0asEkvcym8Yv
Content-Disposition: form-data; name="resumableChunkSize"

1048576
------WebKitFormBoundaryhatA0asEkvcym8Yv
Content-Disposition: form-data; name="resumableCurrentChunkSize"

266039
------WebKitFormBoundaryhatA0asEkvcym8Yv
Content-Disposition: form-data; name="resumableTotalSize"

266039
------WebKitFormBoundaryhatA0asEkvcym8Yv
Content-Disposition: form-data; name="resumableType"

------WebKitFormBoundaryhatA0asEkvcym8Yv
Content-Disposition: form-data; name="resumableIdentifier"

266039-payload1json
------WebKitFormBoundaryhatA0asEkvcym8Yv
Content-Disposition: form-data; name="resumableFilename"

payload (1).json
------WebKitFormBoundaryhatA0asEkvcym8Yv
Content-Disposition: form-data; name="resumableRelativePath"

payload (1).json
------WebKitFormBoundaryhatA0asEkvcym8Yv
Content-Disposition: form-data; name="resumableTotalChunks"

1
------WebKitFormBoundaryhatA0asEkvcym8Yv
Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: application/octet-stream

------WebKitFormBoundaryhatA0asEkvcym8Yv--

Name

upload
Response  200

Object(s) retrieved successfully.

Body
{}
Response  401

Access denied.
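
The two-step flow that Create New and Upload New describe (send the file to /attachments/upload, then POST /attachments), as an added Python example that is not ThreatQuotient's own code. It builds the form fields for each upload chunk, the JSON body for the create call, and a check of the create response against the local file. The function names are hypothetical, and three things are assumptions: chunks are cut at resumableChunkSize boundaries, "hash" is the MD5 of the stored bytes, and "malware_locked": "1" turns the lock on.

```python
import hashlib
import json
import math
import re

CHUNK_SIZE = 1048576  # resumableChunkSize from the page's sample upload request


def resumable_identifier(filename, total_size):
    # Same shape as the page's sample: 266039 + "payload (1).json" -> "266039-payload1json"
    return "%d-%s" % (total_size, re.sub(r"[^0-9A-Za-z_-]", "", filename))


def plan_chunks(filename, total_size, chunk_size=CHUNK_SIZE):
    """Form fields for each POST /attachments/upload request, one dict per chunk.

    Assumption: chunks are cut at chunk_size boundaries and the last one is short.
    """
    total_chunks = max(1, math.ceil(total_size / chunk_size))
    plans = []
    for number in range(1, total_chunks + 1):
        start = (number - 1) * chunk_size
        end = min(start + chunk_size, total_size)
        plans.append({
            "byte_range": (start, end),  # slice of the file sent as the "file" part
            "fields": {
                "resumableChunkNumber": str(number),
                "resumableChunkSize": str(chunk_size),
                "resumableCurrentChunkSize": str(end - start),
                "resumableTotalSize": str(total_size),
                "resumableType": "",
                "resumableIdentifier": resumable_identifier(filename, total_size),
                "resumableFilename": filename,
                "resumableRelativePath": filename,
                "resumableTotalChunks": str(total_chunks),
            },
        })
    return plans


def build_create_request(access_token, name, title="", type_id="2",
                         malware_locked="1", tlp="GREEN"):
    """Second step: POST /attachments for a file that has already been uploaded.

    Assumption: "1" enables the malware lock; the page's sample request sends "0".
    A blank title makes the server reuse the file name, as the page states.
    """
    body = {"name": name, "title": title, "type_id": type_id,
            "malware_locked": malware_locked, "tlp": {"name": tlp}}
    return {
        "method": "POST",
        "path": "/attachments",
        "headers": {"Content-Type": "application/json",
                    "Authorization": "Bearer " + access_token},
        "body": json.dumps(body),
    }


def check_create_response(status, body_text, local_bytes):
    """Classify the reply to POST /attachments and compare it with the local file."""
    if status == 401:
        return {"ok": False, "reason": "access_denied"}
    payload = json.loads(body_text) if body_text else {}
    errors = payload.get("errors", [])
    if status == 500 and any("does not exist" in str(e) for e in errors):
        # The page's 500 sample: the server found no uploaded file under this name.
        return {"ok": False, "reason": "not_uploaded"}
    if status != 201:
        return {"ok": False, "reason": "http_%d" % status}
    data = payload.get("data", {})
    # Assumption: "hash" is the MD5 of the stored bytes (32 hex characters on the page).
    same_hash = data.get("hash") == hashlib.md5(local_bytes).hexdigest()
    same_size = data.get("file_size") == len(local_bytes)
    if not (same_hash and same_size):
        return {"ok": False, "reason": "content_mismatch", "id": data.get("id")}
    return {"ok": True, "reason": "created", "id": data.get("id")}
```

A "not_uploaded" result means the upload step has to be repeated before the create call is retried; a "content_mismatch" result means the stored object should not be treated as the sample that was submitted.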

Attachment Watchlist Bulk

Get List
GET /attachments/watchlist

Get all Attachments (Files) in a user’s Watchlist. Only users with administrator privileges can see Watchlists for all users.

Example URI

GET /attachments/watchlist
Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 1,
      "user_id": 1,
      "object_type": "attachment",
      "object_id": 1,
      "created_at": "2017-03-16 19:34:25",
      "updated_at": "2017-03-16 19:34:25",
      "attachment": {
        "id": 1,
        "type_id": 1,
        "title": "Crazy Bad File",
        "name": "crazy-file.exe",
        "hash": "f5f39c6886a66686af0950014dffe968",
        "content_type_id": 1,
        "file_size": 234235236,
        "malware_locked": 1,
        "description": "This file is crazy bad.",
        "created_at": "2017-03-16 13:03:07",
        "updated_at": "2017-03-16 16:37:58",
        "touched_at": "2017-03-16 16:37:58"
      }
    },
    {
      "id": 2,
      "user_id": 1,
      "object_type": "attachment",
      "object_id": 2,
      "created_at": "2017-03-16 19:35:31",
      "updated_at": "2017-03-16 19:35:31",
      "attachment": {
        "id": 2,
        "type_id": 2,
        "title": "Bad Malware",
        "name": "Crazy effing malware!.net.org.exe",
        "hash": "350649b5b5fa5436d325cbaf482d52c7",
        "content_type_id": 1,
        "file_size": 134232,
        "malware_locked": 0,
        "description": null,
        "created_at": "2017-03-15 13:03:07",
        "updated_at": "2017-03-16 18:46:10",
        "touched_at": "2017-03-16 18:46:10"
      }
    }
  ]
}
Response  401

Access denied.
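
An added Python example (not part of the ThreatQ reference) that reads a GET /attachments/watchlist response, picks out watchlisted files with an executable-style extension whose malware_locked flag is off, and builds the PUT /attachments/malware-lock/{attachment_id} request for each. The sample response, the file names, the extension list and the function names are constructed for illustration, and the reading that malware_locked 1 means "locked" is an assumption.

```python
import json

# Constructed sample shaped like the page's GET /attachments/watchlist response.
SAMPLE_WATCHLIST = {
    "total": 3,
    "data": [
        {"id": 1, "user_id": 1, "object_type": "attachment", "object_id": 1,
         "attachment": {"id": 1, "name": "crazy-file.exe", "malware_locked": 1}},
        {"id": 2, "user_id": 1, "object_type": "attachment", "object_id": 2,
         "attachment": {"id": 2, "name": "sample.net.org.EXE", "malware_locked": 0}},
        {"id": 3, "user_id": 1, "object_type": "attachment", "object_id": 3,
         "attachment": {"id": 3, "name": "report.pdf", "malware_locked": "0"}},
    ],
}

# Assumption: extensions an analyst would not want opened by accident.
RISKY_SUFFIXES = (".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".sh", ".bat")


def is_locked(attachment):
    # Responses on the page carry integers (0/1); requests carry strings ("0"/"1").
    return str(attachment.get("malware_locked", "0")) == "1"


def is_complete(watchlist):
    """False when "total" exceeds the number of records actually returned."""
    return watchlist.get("total", 0) <= len(watchlist.get("data", []))


def unlocked_risky_attachments(watchlist):
    """IDs of watchlisted attachments with a risky extension and no malware lock."""
    hits = []
    for entry in watchlist.get("data", []):
        attachment = entry.get("attachment") or {}
        name = str(attachment.get("name", "")).lower()
        if (entry.get("object_type") == "attachment"
                and name.endswith(RISKY_SUFFIXES)
                and not is_locked(attachment)):
            hits.append(int(attachment["id"]))
    return hits


def build_lock_request(access_token, attachment_id, locked=True):
    """PUT /attachments/malware-lock/{attachment_id} with the page's body shape."""
    attachment_id = int(attachment_id)  # rejects anything that is not a plain integer
    if attachment_id < 1:
        raise ValueError("attachment_id must be a positive integer")
    return {
        "method": "PUT",
        "path": "/attachments/malware-lock/%d" % attachment_id,
        "headers": {"Content-Type": "application/json",
                    "Authorization": "Bearer " + access_token},
        "body": json.dumps({"malware_locked": "1" if locked else "0"}),
    }


def lock_confirmed(status, body_text, attachment_id):
    """True only if the 201 body echoes this attachment with malware_locked set."""
    if status != 201:
        return False
    data = json.loads(body_text).get("data", {})
    return data.get("id") == int(attachment_id) and is_locked(data)


def plan_locks(watchlist, access_token):
    """One lock request per unlocked risky attachment, in watchlist order."""
    return [build_lock_request(access_token, i)
            for i in unlocked_risky_attachments(watchlist)]
```

Checking the 201 body with lock_confirmed matters because the endpoint returns the full attachment record: a response for a different id, or one that still shows malware_locked 0, means the change did not take effect.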

Create New
POST /attachments/watchlist

Bulk add Attachments (Files) to the user’s Watchlist.

Example URI

POST /attachments/watchlist
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "object_ids": [
    5,
    6,
    7
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "object_type": "attachment",
      "user_id": 1,
      "object_id": "5",
      "updated_at": "2017-03-03 15:56:58",
      "created_at": "2017-03-03 15:56:58",
      "id": 4
    },
    {
      "object_type": "attachment",
      "user_id": 1,
      "object_id": "6",
      "updated_at": "2017-03-03 15:56:58",
      "created_at": "2017-03-03 15:56:58",
      "id": 5
    },
    {
      "object_type": "attachment",
      "user_id": 1,
      "object_id": "7",
      "updated_at": "2017-03-03 15:56:58",
      "created_at": "2017-03-03 15:56:58",
      "id": 6
    }
  ]
}
Response  401

Access denied.

Attachment Download

Attachment Download
GET /attachments/{attachment_id}/download

Download an attachment (file).

Example URI

GET /attachments/1/download
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
Contents of the file.
Response  401

Access denied.

Response  404

Object not found.

Attachment

Get Single
GET /attachments/{attachment_id}{?with}

Get a single Attachment (File).

Example URI

GET /attachments/1?with=adversaries,attachments
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

with
string (optional) Example: adversaries,attachments

A comma-separated list of related objects to include in the response. Options for this endpoint: adversaries, attachments, attributes, comments, contentType, events, indicators, signatures, sources, tags, type, watchlist.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "type_id": 1,
    "title": "Crazy File",
    "name": "crazy-file.exe",
    "hash": "f5f39c6886a66686af0950014dffe968",
    "content_type_id": 1,
    "file_size": 234235236,
    "malware_locked": 1,
    "description": null,
    "created_at": "2017-03-16 13:03:07",
    "updated_at": "2017-03-16 13:03:07",
    "touched_at": "2017-03-16 13:05:54"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /attachments/{attachment_id}{?with}

Update an Attachment (File). If making changes to the file itself, the file should be uploaded with a POST to /attachments/upload first.

If you leave the title field blank in your request, the title will share the file name of the attachment.

Example URI

PUT /attachments/1?with=adversaries,attachments
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

with
string (optional) Example: adversaries,attachments

A comma-separated list of related objects to include in the response. Options for this endpoint: adversaries, attachments, attributes, comments, contentType, events, indicators, signatures, sources, tags, type, watchlist.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "description": "This file is crazy bad.",
  "title": "Crazy Bad File"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 1,
    "type_id": 1,
    "title": "Crazy Bad File",
    "name": "crazy-file.exe",
    "hash": "f5f39c6886a66686af0950014dffe968",
    "content_type_id": 1,
    "file_size": 234235236,
    "malware_locked": 1,
    "description": "This file is crazy bad.",
    "created_at": "2017-03-16 13:03:07",
    "updated_at": "2017-03-16 16:37:58",
    "touched_at": "2017-03-16 16:37:38"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /attachments/{attachment_id}

Delete an Attachment (File).

Example URI

DELETE /attachments/1
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Attachment Adversaries List

Get List
GET /attachments/{attachment_id}/adversaries{?limit,offset,sort,with}

Get a list of Attachment (File) Adversary links.

Example URI

GET /attachments/1/adversaries?limit=500&offset=100&sort=id&with=sources,pivot.attributes
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 2,
      "name": "AMOROUS PANDA",
      "created_at": "2018-03-24 03:49:31",
      "updated_at": "2018-03-24 03:49:31",
      "touched_at": "2018-04-02 16:16:38",
      "deleted_at": null,
      "sources": [
        {
          "name": "Customer Observer"
        }
      ],
      "pivot": {
        "id": 62324,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "adversary",
        "dest_object_id": 2,
        "created_at": "2018-04-02 16:16:38",
        "updated_at": "2018-04-02 16:16:38",
        "comments": [
          {
            "id": 54,
            "type": "users",
            "value": "This link is important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-02 16:19:51.184000",
            "updated_at": "2018-04-02 16:23:40.426000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 15066,
            "name": "Industry",
            "value": "Hospitals",
            "sources": [
              {
                "id": 2,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "2018-04-02 16:17:00.689000",
                  "updated_at": "2018-04-02 16:17:00.689000"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24424,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-02 16:16:38.663000",
              "updated_at": "2018-04-02 16:16:38.663000"
            }
          }
        ]
      }
    },
    {
      "id": 3,
      "name": "ANCHOR PANDA",
      "created_at": "2018-01-08 23:05:37",
      "updated_at": "2018-01-08 23:05:37",
      "touched_at": "2018-04-02 16:17:00",
      "deleted_at": null,
      "sources": [
        {
          "name": "ThreatQ Front End"
        },
        {
          "name": "Domain Tools"
        }
      ],
      "pivot": {
        "id": 62325,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "adversary",
        "dest_object_id": 3,
        "created_at": "2018-04-02 16:17:00",
        "updated_at": "2018-04-02 16:17:00",
        "comments": [
          {
            "id": 56,
            "type": "users",
            "value": "This link is also important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-02 16:20:25.327000",
            "updated_at": "2018-04-02 16:20:25.327000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 15065,
            "name": "Industry",
            "value": "Universities",
            "sources": [
              {
                "id": 1,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "2018-04-02 16:17:00.689000",
                  "updated_at": "2018-04-02 16:17:00.689000"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24426,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-02 16:17:00.689000",
              "updated_at": "2018-04-02 16:17:00.689000"
            }
          }
        ]
      }
    }
  ],
  "limit": 100,
  "offset": 0
}
Response  401

Access denied.

Create New
POST /attachments/{attachment_id}/adversaries

Create a link from an Adversary to an Attachment (File).

Example URI

POST /attachments/1/adversaries
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "id": 2
  },
  {
    "id": 3
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 2,
  "data": [
    {
      "id": 2,
      "name": "AMOROUS PANDA",
      "created_at": "2017-03-06 14:05:24",
      "updated_at": "2017-03-06 14:05:24",
      "touched_at": "2017-03-10 19:25:48",
      "pivot": {
        "id": 62141,
        "created_at": "2017-03-10 19:25:48",
        "updated_at": "2017-03-10 19:25:48"
      }
    },
    {
      "id": 3,
      "name": "ANCHOR PANDA",
      "created_at": "2016-12-27 13:45:12",
      "updated_at": "2016-12-27 13:45:12",
      "touched_at": "2017-03-10 19:25:48",
      "pivot": {
        "id": 62142,
        "created_at": "2017-03-10 19:25:48",
        "updated_at": "2017-03-10 19:25:48"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "id": [
          "The id field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.

Bulk Delete
DELETE /attachments/{attachment_id}/adversaries

Delete multiple Attachment (File) Adversary links. The request should include a list of object_link_ids to be deleted.

Example URI

DELETE /attachments/1/adversaries
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  62351,
  62352
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Attachment Adversary

Get Single
GET /attachments/{attachment_id}/adversaries/{object_link_id}{?with}

Get a single Attachment (File) Adversary link.

Example URI

GET /attachments/1/adversaries/2?with=sources,pivot.attributes
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "name": "Advanced Pawn",
    "created_at": "2018-01-18 22:47:52",
    "updated_at": "2018-01-18 22:47:52",
    "touched_at": "2018-04-02 16:17:00",
    "pivot": {
      "id": 62324,
      "created_at": "2018-04-02 16:16:38",
      "updated_at": "2018-04-02 16:16:38",
      "comments": [
        {
          "id": 54,
          "object_link_id": 62324,
          "value": "This link is important.",
          "creator_source_id": 8,
          "created_at": "2018-04-02 16:19:51",
          "updated_at": "2018-04-02 16:23:40",
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "expire_days": null,
              "score": null,
              "created_at": "2018-04-02 15:47:21",
              "updated_at": "2018-04-02 15:47:21",
              "pivot": {
                "id": 54,
                "creator_source_id": 8
              }
            }
          ]
        }
      ],
      "attributes": [
        {
          "id": 15066,
          "object_link_id": 62324,
          "attribute_id": 136,
          "value": "Hospitals",
          "created_at": "2018-04-02 16:25:47",
          "updated_at": "2018-04-02 16:25:47",
          "name": "Industry",
          "attribute": {
            "id": 136,
            "name": "Industry",
            "created_at": "2018-04-02 16:25:21",
            "updated_at": "2018-04-02 16:25:21"
          },
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "tlp_id": null,
              "created_at": "2018-04-02 16:17:00",
              "updated_at": "2018-04-02 16:17:00",
              "published_at": null,
              "pivot": {
                "object_link_attribute_id": 15066,
                "source_id": 8,
                "id": 2,
                "creator_source_id": 0
              }
            }
          ]
        }
      ],
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "tlp_id": null,
          "created_at": "2018-04-02 16:16:38",
          "updated_at": "2018-04-02 16:16:38",
          "published_at": null,
          "pivot": {
            "object_link_id": 62324,
            "source_id": 8,
            "id": 24424,
            "creator_source_id": 8
          }
        }
      ]
    },
    "sources": [
      {
        "id": 1,
        "type": "clients",
        "name": "ThreatQ Front End",
        "tlp_id": null,
        "created_at": "2018-02-05 12:29:56",
        "updated_at": "2018-04-02 15:49:40",
        "published_at": null,
        "pivot": {
          "adversary_id": 1,
          "source_id": 1,
          "id": 1,
          "creator_source_id": 1
        }
      },
      {
        "id": 7,
        "type": "plugins",
        "name": "VirusTotal",
        "tlp_id": null,
        "created_at": "2018-01-31 03:41:47",
        "updated_at": "2018-04-02 15:49:40",
        "published_at": null,
        "pivot": {
          "adversary_id": 1,
          "source_id": 7,
          "id": 2,
          "creator_source_id": 7
        }
      },
      {
        "id": 8,
        "type": "users",
        "name": "Threat Quotient",
        "tlp_id": null,
        "created_at": "2018-03-31 21:31:30",
        "updated_at": "2018-04-02 15:49:40",
        "published_at": null,
        "pivot": {
          "adversary_id": 1,
          "source_id": 8,
          "id": 3,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /attachments/{attachment_id}/adversaries/{object_link_id}

Delete an Attachment (File) Adversary link.

Example URI

DELETE /attachments/1/adversaries/2
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Attachment Adversary Attributes List

Get List
GET /attachments/{attachment_id}/adversaries/{object_link_id}/attributes{?limit,offset,sort}

Get a list of Attachment (File) Adversary link Attributes.

Example URI

GET /attachments/1/adversaries/2/attributes?limit=500&offset=100&sort=id
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 15067,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Universities",
      "created_at": "2018-04-02 17:46:43",
      "updated_at": "2018-04-02 17:50:18",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    },
    {
      "id": 15068,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Mining",
      "created_at": "2018-04-02 17:52:14",
      "updated_at": "2018-04-02 17:52:14",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /attachments/{attachment_id}/adversaries/{object_link_id}/attributes

Create a new Attachment (File) Adversary link Attribute.

Example URI

POST /attachments/1/adversaries/2/attributes
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": 15059,
      "object_link_id": 61561,
      "attribute_id": 401,
      "value": "4000",
      "created_at": "2017-03-01 21:47:14",
      "updated_at": "2017-03-01 21:47:14",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Attachment Adversary Attribute

Get Single
GET /attachments/{attachment_id}/adversaries/{object_link_id}/attributes/{object_link_attribute_id}

Get a single Attachment (File) Adversary link Attribute.

Example URI

GET /attachments/1/adversaries/2/attributes/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 15068,
    "object_link_id": 62326,
    "attribute_id": 136,
    "value": "Mining",
    "created_at": "2018-04-02 17:52:14",
    "updated_at": "2018-04-02 17:52:14",
    "name": "Industry",
    "attribute": {
      "id": 136,
      "name": "Industry",
      "created_at": "2018-04-02 16:25:21",
      "updated_at": "2018-04-02 16:25:21"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /attachments/{attachment_id}/adversaries/{object_link_id}/attributes/{object_link_attribute_id}

Update an Attachment (File) Adversary link Attribute.

Example URI

PUT /attachments/1/adversaries/2/attributes/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "id": 15058,
      "object_link_id": 61561,
      "attribute_id": 14,
      "value": "New Value",
      "created_at": "2017-01-24 14:54:31",
      "updated_at": "2017-03-01 22:13:22",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /attachments/{attachment_id}/adversaries/{object_link_id}/attributes/{object_link_attribute_id}

Delete an Attachment (File) Adversary link Attribute.

Example URI

DELETE /attachments/1/adversaries/2/attributes/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Attachment Adversary Comments List

Get List
GET /attachments/{attachment_id}/adversaries/{object_link_id}/comments{?limit,offset,sort,with}

Get a list of Attachment (File) Adversary link Comments.

Example URI

GET /attachments/1/adversaries/2/comments?limit=500&offset=100&sort=id&with=sources
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources

A comma-separated list of related objects to include in the response. Options for this endpoint: sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 54,
      "object_link_id": 62325,
      "value": "This has some suspicious stuff.",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:19:51",
      "updated_at": "2018-04-02 18:21:06",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 54,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 56,
      "object_link_id": 62325,
      "value": "Compile date: 10/17/2011",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:20:25",
      "updated_at": "2018-04-02 16:20:25",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /attachments/{attachment_id}/adversaries/{object_link_id}/comments

Create a new Attachment (File) Adversary link Comment.

Example URI

POST /attachments/1/adversaries/2/comments
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "id": 69,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 14:12:32",
    "updated_at": "2017-03-02 14:12:32"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Attachment Adversary Comment

Get Single
GET /attachments/{attachment_id}/adversaries/{object_link_id}/comments/{object_link_comment_id}

Get a single Attachment (File) Adversary link Comment.

Example URI

GET /attachments/1/adversaries/2/comments/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /attachments/{attachment_id}/adversaries/{object_link_id}/comments/{object_link_comment_id}

Update an Attachment (File) Adversary link Comment.

Example URI

PUT /attachments/1/adversaries/2/comments/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "value": "This is an updated comment.",
    "id": 67,
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-02-28 20:18:50",
    "updated_at": "2017-03-02 14:37:49"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /attachments/{attachment_id}/adversaries/{object_link_id}/comments/{object_link_comment_id}

Delete an Attachment (File) Adversary link Comment.

Example URI

DELETE /attachments/1/adversaries/2/comments/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Attachment Attachments List

Get List
GET /attachments/{attachment_id}/attachments{?limit,offset,sort,with}

Get a list of Attachment (File) Attachment links.

Example URI

GET /attachments/1/attachments?limit=500&offset=100&sort=id&with=sources,pivot.attributes
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 2,
      "type_id": 19,
      "title": "Honeybooboo.sh",
      "name": "Honeybooboo.sh",
      "hash": "4ece432b22f92461f9c4d2de2656d3e3",
      "content_type_id": 2,
      "file_size": 75,
      "path": "6/b/d/0/d/c/1/2/e/5/d/f/a/0/4/3/e/b/4/9/6/0/9/f/a/4/7/c/4/f/1/0",
      "malware_locked": "0",
      "placeholder": 0,
      "description": null,
      "created_at": "2018-04-02 15:47:22",
      "updated_at": "2018-04-02 15:47:22",
      "touched_at": "2018-04-02 17:39:18",
      "deleted_at": null,
      "sources": [
        {
          "name": "Threat Quotient"
        }
      ],
      "pivot": {
        "id": 62326,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "attachment",
        "dest_object_id": 2,
        "created_at": "2018-04-02 17:39:18",
        "updated_at": "2018-04-02 17:39:18",
        "comments": [
          {
            "id": 57,
            "type": "users",
            "value": "This link is important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-02 17:54:58.936000",
            "updated_at": "2018-04-02 17:55:15.039000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 15067,
            "name": "Industry",
            "value": "Universities",
            "sources": [
              {
                "id": 3,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "2018-04-02 16:17:00.689000",
                  "updated_at": "2018-04-02 16:17:00.689000"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24428,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-02 17:39:18.781000",
              "updated_at": "2018-04-02 17:39:18.781000"
            }
          }
        ]
      }
    },
    {
      "id": 1,
      "type_id": 10,
      "title": "parsing-sample.pdf",
      "name": "parsing-sample.pdf",
      "hash": "89e17b2f6cd3888864237b0ee10048f0",
      "content_type_id": 1,
      "file_size": 11300,
      "path": "e/a/f/d/d/7/1/e/5/c/e/1/1/9/b/0/5/6/4/a/6/d/5/9/a/2/3/5/3/1/0/4",
      "malware_locked": "0",
      "placeholder": 0,
      "description": null,
      "created_at": "2018-04-02 15:47:22",
      "updated_at": "2018-04-02 15:47:22",
      "touched_at": "2018-04-02 17:40:48",
      "deleted_at": null,
      "sources": [
        {
          "name": "Threat Quotient"
        }
      ],
      "pivot": {
        "id": 62327,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "attachment",
        "dest_object_id": 1,
        "created_at": "2018-04-02 17:40:48",
        "updated_at": "2018-04-02 17:40:48",
        "comments": [
          {
            "id": 58,
            "type": "users",
            "value": "This link is also important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-02 17:55:30.995000",
            "updated_at": "2018-04-02 17:55:30.995000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 15068,
            "name": "Industry",
            "value": "Mining",
            "sources": [
              {
                "id": 4,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "2018-04-02 16:17:00.689000",
                  "updated_at": "2018-04-02 16:17:00.689000"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24430,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-02 17:40:48.310000",
              "updated_at": "2018-04-02 17:40:48.310000"
            }
          }
        ]
      }
    }
  ],
  "limit": 100,
  "offset": 0
}
Response  401

Access denied.
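
The list endpoints in this section share the limit, offset, sort and with parameters and return a "total" beside "data". The following is an added example, not ThreatQuotient code: it builds a list URI with integer-checked IDs and only the with options this page lists, then pages through results. The function names, the sort-field pattern, the positive-ID rule and the fake fetcher are assumptions made for illustration.

```python
import re
from urllib.parse import urlencode

# "with" options this page lists per list endpoint (empty set = parameter not offered).
WITH_ALLOWED = {
    "/attachments/{attachment_id}/adversaries/{object_link_id}/comments": {"sources"},
    "/attachments/{attachment_id}/attachments": {
        "pivot.comments", "pivot.comments.sources", "pivot.attributes",
        "pivot.attributes.attribute", "pivot.attributes.sources",
        "pivot.sources", "sources"},
    "/attachments/{attachment_id}/attachments/{object_link_id}/attributes": set(),
    "/attachments/{attachment_id}/attachments/{object_link_id}/comments": {"sources"},
    "/attachments/{attachment_id}/attributes": {"attribute", "sources"},
}
# Assumption: sortable fields are lowercase snake_case, optionally prefixed with "-".
SORT_FIELD = re.compile(r"-?[a-z][a-z0-9_]*\Z")


def _uint(name, value, minimum=0):
    # bool is an int subclass; reject it along with strings such as "1/../2".
    if isinstance(value, bool) or not isinstance(value, int) or value < minimum:
        raise ValueError(f"{name} must be an integer >= {minimum}, got {value!r}")
    return value


def _as_list(value):
    # Accept either "a,b" or ["a", "b"].
    return value.split(",") if isinstance(value, str) else list(value)


def build_list_uri(template, ids, limit=None, offset=None, sort=(), with_=()):
    """Return the relative URI for one of the list endpoints above."""
    if template not in WITH_ALLOWED:
        raise ValueError(f"unknown list endpoint: {template}")
    placeholders = re.findall(r"\{(\w+)\}", template)
    if set(placeholders) != set(ids):
        raise ValueError(f"expected ids {placeholders}, got {sorted(ids)}")
    # Assumption: object IDs are positive integers, as in the page's examples.
    path = template.format(**{k: _uint(k, ids[k], 1) for k in placeholders})
    query = []
    if limit is not None:
        query.append(("limit", _uint("limit", limit, 1)))
    if offset is not None:
        query.append(("offset", _uint("offset", offset)))
    fields = _as_list(sort)
    if fields:
        bad = [f for f in fields if not SORT_FIELD.match(f)]
        if bad:
            raise ValueError(f"invalid sort field(s): {bad}")
        query.append(("sort", ",".join(fields)))
    related = _as_list(with_)
    if related:
        unknown = sorted(set(related) - WITH_ALLOWED[template])
        if unknown:
            raise ValueError(f"'with' option(s) not offered here: {unknown}")
        query.append(("with", ",".join(related)))
    return path + ("?" + urlencode(query, safe=",") if query else "")


def iter_records(fetch_page, page_size=100, max_pages=1000):
    """Yield every record; fetch_page(limit, offset) returns the parsed envelope."""
    offset = 0  # the sample response reports "offset": 0 for the first page
    for _ in range(max_pages):
        envelope = fetch_page(page_size, offset)
        rows = envelope.get("data") or []
        yield from rows
        offset += len(rows)
        total = envelope.get("total")
        if not rows or len(rows) < page_size:
            return
        if total is not None and offset >= total:
            return
    raise RuntimeError("max_pages reached; the server kept returning full pages")


def make_fake_fetch(records):
    """Constructed stand-in for the HTTP call, so the pager runs offline."""
    calls = []

    def fetch(limit, offset):
        calls.append((limit, offset))
        return {"total": len(records), "data": records[offset:offset + limit],
                "limit": limit, "offset": offset}
    return fetch, calls
```

In a real client, fetch_page would send the URI from build_list_uri with the Authorization: Bearer header and return the decoded JSON body.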

Create New
POST /attachments/{attachment_id}/attachments

Create a link from an Attachment (File) to an Attachment.

Example URI

POST /attachments/1/attachments
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "id": 2
  },
  {
    "id": 3
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 3,
      "type_id": 3,
      "title": "EXE like script",
      "name": "Honeybooboo.sh",
      "hash": "51774564f8d78fbddbfa22e1e7459af4",
      "content_type_id": 1,
      "file_size": 234234,
      "malware_locked": 1,
      "description": null,
      "created_at": "2017-02-23 20:02:18",
      "updated_at": "2017-02-23 20:02:18",
      "touched_at": "2017-03-01 16:51:15",
      "pivot": {
        "id": 62394,
        "created_at": "2017-03-01 16:51:15",
        "updated_at": "2017-03-01 16:51:15"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "id": [
          "The id field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.
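
The 400 responses shown so far in this section use three different body shapes: a top-level "errors" list, an "errors" object nested under "data", and a list of per-item "errors" objects under "data". The following is an added example, not ThreatQuotient code, that flattens all three into one structure and classifies a response by status code first, since two of the failure bodies carry a "data" key just as success bodies do. The function names and the result layout are assumptions made for illustration.

```python
import json

# The three 400 bodies shown in this section of the reference, copied from the page.
FLAT = '{"errors": ["Undefined index: value"]}'
NESTED = ('{"data": {"creator_source_id": 5, "errors": '
          '{"value": ["The value field is required."]}}}')
BULK = '{"data": [{"errors": {"id": ["The id field is required."]}}]}'

# Status codes and meanings from the Response Codes table of this reference.
REASONS = {400: "validation", 401: "access_denied", 403: "forbidden", 404: "not_found"}


def _collect(errors, index, out):
    """Append (index, field, message) tuples for one "errors" value."""
    if isinstance(errors, dict):                 # {"field": ["message", ...]}
        for field, msgs in errors.items():
            for msg in (msgs if isinstance(msgs, list) else [msgs]):
                out.append((index, field, str(msg)))
    elif isinstance(errors, list):               # ["message", ...]
        for msg in errors:
            out.append((index, None, str(msg)))
    elif errors is not None:                     # a bare string or number
        out.append((index, None, str(errors)))


def normalize_errors(body):
    """Flatten any of the three shapes into [(index, field, message), ...].

    index is the position of the failing item in a bulk request, else None;
    field is the offending field name when the API supplies one, else None.
    """
    out = []
    if not isinstance(body, dict):
        return out
    _collect(body.get("errors"), None, out)
    data = body.get("data")
    if isinstance(data, dict):
        _collect(data.get("errors"), None, out)
    elif isinstance(data, list):
        for i, item in enumerate(data):
            if isinstance(item, dict):
                _collect(item.get("errors"), i, out)
    return out


def interpret(status, text):
    """Classify a response: status code first, embedded errors second."""
    try:
        body = json.loads(text) if text else None
    except ValueError:
        body = None                              # non-JSON body, e.g. a proxy error page
    errors = normalize_errors(body)
    if status in (200, 201, 204):
        if errors:
            # Success status but the body reports errors: do not treat as success.
            return {"ok": False, "reason": "validation", "data": None, "errors": errors}
        data = body.get("data") if isinstance(body, dict) else None
        return {"ok": True, "reason": None, "data": data, "errors": []}
    reason = REASONS.get(status, "unexpected")
    return {"ok": False, "reason": reason, "data": None, "errors": errors}
```

Messages such as "Undefined index: value" describe server internals, so a client built on this would log the normalized tuples and show its own wording to users.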

Bulk Delete
DELETE /attachments/{attachment_id}/attachments

Delete multiple Attachment (File) Attachment links. The request should include a list of object_link_ids to be deleted.

Example URI

DELETE /attachments/1/attachments
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  62351,
  62352
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Attachment Attachment

Get Single
GET /attachments/{attachment_id}/attachments/{object_link_id}{?with}

Get a single Attachment (File) Attachment link.

Example URI

GET /attachments/1/attachments/2?with=sources,pivot.attributes
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 2,
    "type_id": 19,
    "title": "Honeybooboo.sh",
    "name": "Honeybooboo.sh",
    "hash": "4ece432b22f92461f9c4d2de2656d3e3",
    "content_type_id": 2,
    "file_size": 75,
    "malware_locked": 0,
    "placeholder": 0,
    "description": null,
    "created_at": "2018-04-02 15:47:22",
    "updated_at": "2018-04-02 15:47:22",
    "touched_at": "2018-04-02 17:39:18",
    "pivot": {
      "id": 62326,
      "created_at": "2018-04-02 17:39:18",
      "updated_at": "2018-04-02 17:39:18",
      "comments": [
        {
          "id": 57,
          "object_link_id": 62326,
          "value": "This link is important.",
          "creator_source_id": 8,
          "created_at": "2018-04-02 17:54:58",
          "updated_at": "2018-04-02 17:55:15",
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "expire_days": null,
              "score": null,
              "created_at": "2018-04-02 15:47:21",
              "updated_at": "2018-04-02 15:47:21",
              "pivot": {
                "id": 57,
                "creator_source_id": 8
              }
            }
          ]
        }
      ],
      "attributes": [
        {
          "id": 15067,
          "object_link_id": 62326,
          "attribute_id": 136,
          "value": "Universities",
          "created_at": "2018-04-02 17:46:43",
          "updated_at": "2018-04-02 17:50:18",
          "name": "Industry",
          "attribute": {
            "id": 136,
            "name": "Industry",
            "created_at": "2018-04-02 16:25:21",
            "updated_at": "2018-04-02 16:25:21"
          },
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "tlp_id": null,
              "created_at": "2018-04-02 16:17:00",
              "updated_at": "2018-04-02 16:17:00",
              "published_at": null,
              "pivot": {
                "object_link_attribute_id": 15067,
                "source_id": 8,
                "id": 3,
                "creator_source_id": 0
              }
            }
          ]
        }
      ],
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "tlp_id": null,
          "created_at": "2018-04-02 17:39:18",
          "updated_at": "2018-04-02 17:39:18",
          "published_at": null,
          "pivot": {
            "object_link_id": 62326,
            "source_id": 8,
            "id": 24428,
            "creator_source_id": 8
          }
        }
      ]
    },
    "sources": [
      {
        "id": 8,
        "type": "users",
        "name": "Threat Quotient",
        "tlp_id": null,
        "created_at": "2018-04-02 15:47:22",
        "updated_at": "2018-04-02 15:47:22",
        "published_at": null,
        "pivot": {
          "attachment_id": 2,
          "source_id": 8,
          "id": 2,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /attachments/{attachment_id}/attachments/{object_link_id}

Delete an Attachment (File) Attachment link.

Example URI

DELETE /attachments/1/attachments/2
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Attachment Attachment Attributes List

Get List
GET /attachments/{attachment_id}/attachments/{object_link_id}/attributes{?limit,offset,sort}

Get a list of Attachment (File) Attachment link Attributes.

Example URI

GET /attachments/1/attachments/2/attributes?limit=500&offset=100&sort=id
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 15067,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Universities",
      "created_at": "2018-04-02 17:46:43",
      "updated_at": "2018-04-02 17:50:18",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    },
    {
      "id": 15068,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Mining",
      "created_at": "2018-04-02 17:52:14",
      "updated_at": "2018-04-02 17:52:14",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /attachments/{attachment_id}/attachments/{object_link_id}/attributes

Create a new Attachment (File) Attachment link Attribute.

Example URI

POST /attachments/1/attachments/2/attributes
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": 15059,
      "object_link_id": 61561,
      "attribute_id": 401,
      "value": "4000",
      "created_at": "2017-03-01 21:47:14",
      "updated_at": "2017-03-01 21:47:14",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Attachment Attachment Attribute

Get Single
GET /attachments/{attachment_id}/attachments/{object_link_id}/attributes/{object_link_attribute_id}

Get a single Attachment (File) Attachment link Attribute.

Example URI

GET /attachments/1/attachments/2/attributes/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 15068,
    "object_link_id": 62326,
    "attribute_id": 136,
    "value": "Mining",
    "created_at": "2018-04-02 17:52:14",
    "updated_at": "2018-04-02 17:52:14",
    "name": "Industry",
    "attribute": {
      "id": 136,
      "name": "Industry",
      "created_at": "2018-04-02 16:25:21",
      "updated_at": "2018-04-02 16:25:21"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /attachments/{attachment_id}/attachments/{object_link_id}/attributes/{object_link_attribute_id}

Update an Attachment (File) Attachment link Attribute.

Example URI

PUT /attachments/1/attachments/2/attributes/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "id": 15058,
      "object_link_id": 61561,
      "attribute_id": 14,
      "value": "New Value",
      "created_at": "2017-01-24 14:54:31",
      "updated_at": "2017-03-01 22:13:22",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /attachments/{attachment_id}/attachments/{object_link_id}/attributes/{object_link_attribute_id}

Delete an Attachment (File) Attachment link Attribute.

Example URI

DELETE /attachments/1/attachments/2/attributes/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Attachment Attachment Comments List

Get List
GET /attachments/{attachment_id}/attachments/{object_link_id}/comments{?limit,offset,sort,with}

Get a list of Attachment (File) Attachment link Comments.

Example URI

GET /attachments/1/attachments/2/comments?limit=500&offset=100&sort=id&with=sources
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources

A comma-separated list of related objects to include in the response. Options for this endpoint: sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 54,
      "object_link_id": 62325,
      "value": "This has some suspicious stuff.",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:19:51",
      "updated_at": "2018-04-02 18:21:06",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 54,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 56,
      "object_link_id": 62325,
      "value": "Compile date: 10/17/2011",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:20:25",
      "updated_at": "2018-04-02 16:20:25",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /attachments/{attachment_id}/attachments/{object_link_id}/comments

Create a new Attachment (File) Attachment link Comment.

Example URI

POST /attachments/1/attachments/2/comments
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "id": 69,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 14:12:32",
    "updated_at": "2017-03-02 14:12:32"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Attachment Attachment Comment

Get Single
GET /attachments/{attachment_id}/attachments/{object_link_id}/comments/{object_link_comment_id}

Get a single Attachment (File) Attachment link Comment.

Example URI

GET /attachments/1/attachments/2/comments/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /attachments/{attachment_id}/attachments/{object_link_id}/comments/{object_link_comment_id}

Update an Attachment (File) Attachment link Comment.

Example URI

PUT /attachments/1/attachments/2/comments/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "value": "This is an updated comment.",
    "id": 67,
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-02-28 20:18:50",
    "updated_at": "2017-03-02 14:37:49"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /attachments/{attachment_id}/attachments/{object_link_id}/comments/{object_link_comment_id}

Delete an Attachment (File) Attachment link Comment.

Example URI

DELETE /attachments/1/attachments/2/comments/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Attachment Attributes List

Get List
GET /attachments/{attachment_id}/attributes{?limit,offset,sort,with}

Get a list of Attachment (File) Attributes.

Example URI

GET /attachments/1/attributes?limit=500&offset=100&sort=id&with=attribute,sources
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: attribute,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: attribute, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 1,
      "attachment_id": 1,
      "attribute_id": 68,
      "value": "Koobface payload aolsbm.2.exe",
      "created_at": "2017-02-03 21:22:36",
      "updated_at": "2017-02-03 21:22:36",
      "name": "Registrant",
      "attribute": {
        "id": 68,
        "name": "Registrant",
        "created_at": "2017-02-22 13:02:07",
        "updated_at": "2017-03-01 13:03:07"
      }
    },
    {
      "id": 2,
      "attachment_id": 1,
      "attribute_id": 69,
      "value": "Riskware%2FOpenCandy",
      "created_at": "2017-02-03 21:22:36",
      "updated_at": "2017-02-03 21:22:36",
      "name": "Registrant Email",
      "attribute": {
        "id": 69,
        "name": "Registrant Email",
        "created_at": "2017-03-15 13:03:07",
        "updated_at": "2017-03-06 13:03:07"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /attachments/{attachment_id}/attributes

Create a new Attachment (File) Attribute.

Example URI

POST /attachments/1/attributes
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "value": "Test Value",
      "attachment_id": 1,
      "updated_at": "2017-03-17 02:35:19",
      "created_at": "2017-03-17 02:35:19",
      "id": 4,
      "name": "Test Attribute",
      "attribute": {
        "name": "Test Attribute"
      },
      "sources": [
        {
          "id": 12,
          "type": "other_sources",
          "name": "Source",
          "tlp_id": 1,
          "created_at": "2017-03-17 02:35:20",
          "updated_at": "2017-03-17 02:35:20",
          "published_at": "2017-02-28 00:00:00",
          "pivot": {
            "attachment_attribute_id": 4,
            "source_id": 12,
            "id": 2,
            "creator_source_id": 5
          }
        }
      ]
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "attachment_id": "1",
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Attachment Attribute

Get Single
GET /attachments/{attachment_id}/attributes/{attachment_attribute_id}{?with}

Get a single Attachment (File) Attribute.

Example URI

GET /attachments/1/attributes/2?with=attribute,sources
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

attachment_attribute_id
integer (required) Example: 2

Attachment Attribute ID

with
string (optional) Example: attribute,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: attribute, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "attachment_id": 1,
    "attribute_id": 68,
    "value": "Koobface payload aolsbm.2.exe",
    "created_at": "2017-02-03 21:22:36",
    "updated_at": "2017-02-03 21:22:36",
    "name": "Registrant",
    "attribute": {
      "id": 68,
      "name": "Registrant",
      "created_at": "2017-02-22 13:02:07",
      "updated_at": "2017-03-01 13:03:07"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /attachments/{attachment_id}/attributes/{attachment_attribute_id}{?with}

Update an Attachment (File) Attribute.

Example URI

PUT /attachments/1/attributes/2?with=attribute,sources
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

attachment_attribute_id
integer (required) Example: 2

Attachment Attribute ID

with
string (optional) Example: attribute,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: attribute, sources.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 1,
    "attachment_id": 1,
    "attribute_id": 68,
    "value": "New Value",
    "created_at": "2017-02-03 21:22:36",
    "updated_at": "2017-03-17 13:05:34",
    "name": "Registrant",
    "attribute": {
      "id": 68,
      "name": "Registrant",
      "created_at": "2017-02-22 13:02:07",
      "updated_at": "2017-03-01 13:03:07"
    }
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "attachment_id": "1",
    "attribute_id": "1",
    "errors": {
      "value": [
        "The value field is required."
      ]
    },
    "name": "Accessed Time",
    "attribute": {
      "id": 1,
      "name": "Accessed Time",
      "created_at": "2017-03-10 13:03:07",
      "updated_at": "2017-03-01 13:03:07"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /attachments/{attachment_id}/attributes/{attachment_attribute_id}

Delete an Attachment (File) Attribute.

Example URI

DELETE /attachments/1/attributes/2
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

attachment_attribute_id
integer (required) Example: 2

Attachment Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Attachment Attribute Source

Update
PUT /attachments/{attachment_id}/attributes/{attachment_attribute_id}/sources/{attachment_attribute_source_id}

Update an Attachment (File) Attribute Source.

Example URI

PUT /attachments/1/attributes/2/sources/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

attachment_attribute_id
integer (required) Example: 2

Attachment Attribute ID

attachment_attribute_source_id
integer (required) Example: 3

Attachment Attribute Source ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "attachment_attribute_id": 1,
    "source_id": 8,
    "tlp_id": 1,
    "created_at": "2018-09-20 21:22:20",
    "updated_at": "2018-09-20 21:23:46",
    "published_at": "2017-01-01 01:01:01",
    "creator_source_id": 8
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /attachments/{attachment_id}/attributes/{attachment_attribute_id}/sources/{attachment_attribute_source_id}

Delete an Attachment (File) Attribute Source.

Example URI

DELETE /attachments/1/attributes/2/sources/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

attachment_attribute_id
integer (required) Example: 2

Attachment Attribute ID

attachment_attribute_source_id
integer (required) Example: 3

Attachment Attribute Source ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Attachment Comments List

Get List
GET /attachments/{attachment_id}/comments{?limit,offset,sort,with}

Get a list of Attachment (File) Comments.

Example URI

GET /attachments/1/comments?limit=500&offset=100&sort=id&with=attachment,sources
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: attachment,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: attachment, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 2,
      "attachment_id": 1,
      "value": "Hey John, did you update this last week?",
      "creator_source_id": 9,
      "created_at": "2017-01-20 23:35:21",
      "updated_at": "2017-01-20 23:35:21"
    },
    {
      "id": 4,
      "attachment_id": 1,
      "value": "This file has not been updated.",
      "creator_source_id": 5,
      "created_at": "2017-03-16 20:26:25",
      "updated_at": "2017-03-16 20:26:25"
    }
  ]
}
Response  401

Access denied.

Create New
POST /attachments/{attachment_id}/comments

Create a new Attachment (File) Comment.

Example URI

POST /attachments/1/comments
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 5,
    "attachment_id": 1,
    "value": "This is a comment.",
    "creator_source_id": 5,
    "created_at": "2017-03-16 20:34:15",
    "updated_at": "2017-03-16 20:34:15",
    "sources": [
      {
        "id": 5,
        "type": "users",
        "name": "Threat Quotient",
        "expire_days": null,
        "score": null,
        "created_at": "2017-03-16 13:04:06",
        "updated_at": "2017-03-16 13:04:06",
        "pivot": {
          "id": 5,
          "creator_source_id": 5
        }
      }
    ]
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "attachment_id": "1",
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Attachment Comment

Update
PUT /attachments/{attachment_id}/comments/{attachment_comment_id}{?with}

Update an Attachment (File) Comment.

Example URI

PUT /attachments/1/comments/2?with=attachment,sources
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

attachment_comment_id
integer (required) Example: 2

Attachment Comment ID

with
string (optional) Example: attachment,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: attachment, sources.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 4,
    "attachment_id": 1,
    "value": "This is an updated comment.",
    "creator_source_id": 5,
    "created_at": "2017-03-16 20:26:25",
    "updated_at": "2017-03-16 20:38:01",
    "sources": [
      {
        "id": 5,
        "type": "users",
        "name": "Threat Quotient",
        "expire_days": null,
        "score": null,
        "created_at": "2017-03-16 13:04:06",
        "updated_at": "2017-03-16 13:04:06",
        "pivot": {
          "id": 4,
          "creator_source_id": 5
        }
      }
    ]
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "The current authenticated owner is not the owner of this comment."
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /attachments/{attachment_id}/comments/{attachment_comment_id}

Delete an Attachment (File) Comment.

Example URI

DELETE /attachments/1/comments/2
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

attachment_comment_id
integer (required) Example: 2

Attachment Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Attachment Events List

Get List
GET /attachments/{attachment_id}/events{?limit,offset,sort,with}

Get a list of Attachment (File) Event links.

Example URI

GET /attachments/1/events?limit=500&offset=100&sort=id&with=sources,pivot.attributes
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 13,
      "type_id": 1,
      "title": "Origin - http://halvorson.com/quia-reprehenderit-ullam-aut-accusantium-iusto-voluptas-omnis",
      "description": "",
      "happened_at": "2018-01-25 03:17:53",
      "hash": "0ba76d18a6e5350a8e5979b5676bc8c8",
      "created_at": "2018-01-25 03:17:53",
      "updated_at": "2018-01-25 03:17:53",
      "touched_at": "2018-04-03 15:34:22",
      "deleted_at": null,
      "sources": [
        {
          "name": "Threat Quotient"
        }
      ],
      "pivot": {
        "id": 61077,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "event",
        "dest_object_id": 13,
        "created_at": "2018-02-26 00:36:06",
        "updated_at": "2018-04-03 15:34:20",
        "comments": [
          {
            "id": 55,
            "type": "users",
            "value": "This is important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-04 14:42:46.690000",
            "updated_at": "2018-04-04 14:42:46.690000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 14948,
            "name": "Industry",
            "value": "Universities",
            "sources": [
              {
                "id": 1,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 22414,
            "name": "Threat Quotient",
            "type": "clients",
            "pivot": {
              "created_at": "2018-03-05 22:01:33",
              "updated_at": "2018-04-03 15:34:22.693000"
            }
          }
        ]
      }
    },
    {
      "id": 46,
      "type_id": 1,
      "title": "Origin - http://kling.com/voluptate-nihil-sit-est-aut",
      "description": "",
      "happened_at": "2017-12-31 23:17:05",
      "hash": "e2e96a1516420fc05ad8ac04de52bd89",
      "created_at": "2017-12-31 23:17:05",
      "updated_at": "2017-12-31 23:17:05",
      "touched_at": "2018-04-03 15:34:22",
      "deleted_at": null,
      "sources": [
        {
          "name": "Domain Tools"
        },
        {
          "name": "Emerging Threats"
        },
        {
          "name": "VirusTotal"
        }
      ],
      "pivot": {
        "id": 61144,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "event",
        "dest_object_id": 46,
        "created_at": "2018-03-01 23:54:52",
        "updated_at": "2018-04-03 15:34:20",
        "comments": [
          {
            "id": 56,
            "type": "users",
            "value": "This is also important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-04 14:43:10.692000",
            "updated_at": "2018-04-04 14:43:10.692000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 14949,
            "name": "Industry",
            "value": "Mining",
            "sources": [
              {
                "id": 2,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 22513,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-02-24 09:36:30",
              "updated_at": "2018-04-03 15:34:22.693000"
            }
          },
          {
            "id": 22514,
            "name": "Customer Observer",
            "type": "users",
            "pivot": {
              "created_at": "2018-02-25 22:27:11",
              "updated_at": "2018-04-03 15:34:22.693000"
            }
          }
        ]
      }
    }
  ],
  "limit": 100,
  "offset": 0
}
Response  401

Access denied.

Create New
POST /attachments/{attachment_id}/events

Create a link from an Event to an Attachment (File).

Example URI

POST /attachments/1/events
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "id": 2
  },
  {
    "id": 3
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 202,
      "type_id": 2,
      "title": "Origin - http://www.durgan.biz/vel-omnis-impedit-at-quod-quasi-reiciendis.html",
      "description": "",
      "happened_at": "2016-12-05 20:01:48",
      "hash": "d13e682a5d567d51b99f676b7bdef980",
      "created_at": "2016-12-05 20:01:48",
      "updated_at": "2016-12-05 20:01:48",
      "touched_at": "2017-02-28 20:14:59",
      "pivot": {
        "id": 62396,
        "created_at": "2017-03-01 20:55:10",
        "updated_at": "2017-03-01 20:55:10"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "id": [
          "The id field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.
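
The 400 responses documented in this section arrive in three different JSON shapes: errors keyed by field under data, a bare top-level errors list, and a list of per-item errors under data. The Python sketch below is an added example, not part of the ThreatQ documentation or any ThreatQuotient client; the function names extract_errors and describe_failure are assumptions, and the sample bodies are copied from the responses above.

```python
import json

# Sample 400 bodies copied from the responses documented in this section.
FIELD_ERRORS = (
    '{"data": {"creator_source_id": 5, '
    '"errors": {"value": ["The value field is required."]}}}'
)
BARE_ERRORS = (
    '{"errors": ["The current authenticated owner is not the owner of this comment."]}'
)
PER_ITEM_ERRORS = '{"data": [{"errors": {"id": ["The id field is required."]}}]}'


def extract_errors(body):
    """Flatten any of the three documented error shapes into (field, message) pairs.

    field is None when the API returned a bare message with no field name.
    Messages are server-supplied text: log or display them as plain text only.
    """
    found = []

    def add(errors):
        if isinstance(errors, dict):
            # Shape: {"value": ["The value field is required."]}
            for field, messages in errors.items():
                if not isinstance(messages, list):
                    messages = [messages]
                found.extend((field, str(m)) for m in messages)
        elif isinstance(errors, list):
            # Shape: ["The current authenticated owner is not ..."]
            found.extend((None, str(m)) for m in errors)
        elif errors is not None:
            found.append((None, str(errors)))

    def walk(node):
        # "errors" can sit at the top level, inside "data", or inside each
        # element of a "data" list (bulk requests).
        if isinstance(node, dict):
            add(node.get("errors"))
            walk(node.get("data"))
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(body)
    return found


def describe_failure(status, raw_body):
    """Summarise a non-2xx response without assuming it carries a JSON body.

    The 401 and 404 responses in this section are documented without a body,
    so an empty or non-JSON payload yields an empty error list, not a crash.
    Returns None for any 2xx status (updates here answer 200 or 201).
    """
    if 200 <= status < 300:
        return None
    try:
        body = json.loads(raw_body) if raw_body else None
    except ValueError:
        body = None
    return {"status": status, "errors": extract_errors(body)}


if __name__ == "__main__":
    for sample in (FIELD_ERRORS, BARE_ERRORS, PER_ITEM_ERRORS):
        print(describe_failure(400, sample))
    print(describe_failure(401, ""))
```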

Bulk Delete
DELETE /attachments/{attachment_id}/events

Delete multiple Attachment (File) Event links. The request should include a list of object_link_ids to be deleted.

Example URI

DELETE /attachments/1/events
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  62351,
  62352
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Attachment Event

Get Single
GET /attachments/{attachment_id}/events/{object_link_id}{?with}

Get a single Attachment (File) Event link.

Example URI

GET /attachments/1/events/2?with=sources,pivot.attributes
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 13,
    "type_id": 1,
    "title": "Origin - http://halvorson.com/quia-reprehenderit-ullam-aut-accusantium-iusto-voluptas-omnis",
    "description": "",
    "happened_at": "2018-01-25 03:17:53",
    "hash": "0ba76d18a6e5350a8e5979b5676bc8c8",
    "created_at": "2018-01-25 03:17:53",
    "updated_at": "2018-01-25 03:17:53",
    "touched_at": "2018-04-03 15:34:22",
    "pivot": {
      "id": 61077,
      "created_at": "2018-02-26 00:36:06",
      "updated_at": "2018-04-03 15:34:20",
      "comments": [
        {
          "id": 55,
          "object_link_id": 61077,
          "value": "This is important.",
          "creator_source_id": 8,
          "created_at": "2018-04-04 14:42:46",
          "updated_at": "2018-04-04 14:42:46",
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "expire_days": null,
              "score": null,
              "created_at": "2018-04-03 15:31:57",
              "updated_at": "2018-04-03 15:31:57",
              "pivot": {
                "id": 55,
                "creator_source_id": 8
              }
            }
          ]
        }
      ],
      "attributes": [
        {
          "id": 14948,
          "object_link_id": 61077,
          "attribute_id": 135,
          "value": "Universities",
          "created_at": "2018-04-04 14:38:39",
          "updated_at": "2018-04-04 14:38:39",
          "name": "Industry",
          "attribute": {
            "id": 135,
            "name": "Industry",
            "created_at": "2018-04-03 19:41:04",
            "updated_at": "2018-04-03 19:41:04"
          },
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "tlp_id": null,
              "created_at": "-0001-11-30 00:00:00",
              "updated_at": "-0001-11-30 00:00:00",
              "published_at": null,
              "pivot": {
                "object_link_attribute_id": 14948,
                "source_id": 8,
                "id": 1,
                "creator_source_id": 0
              }
            }
          ]
        }
      ],
      "sources": [
        {
          "id": 2,
          "type": "clients",
          "name": "Threat Quotient",
          "tlp_id": null,
          "created_at": "2018-03-05 22:01:33",
          "updated_at": "2018-04-03 15:34:22",
          "published_at": null,
          "pivot": {
            "object_link_id": 61077,
            "source_id": 2,
            "id": 22414,
            "creator_source_id": 2
          }
        }
      ]
    },
    "sources": [
      {
        "id": 8,
        "type": "users",
        "name": "Threat Quotient",
        "tlp_id": null,
        "created_at": "2018-02-24 22:23:15",
        "updated_at": "2018-04-03 15:34:22",
        "published_at": null,
        "pivot": {
          "event_id": 13,
          "source_id": 8,
          "id": 27,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /attachments/{attachment_id}/events/{object_link_id}

Delete an Attachment (File) Event link.

Example URI

DELETE /attachments/1/events/2
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Attachment Event Attributes List

Get List
GET /attachments/{attachment_id}/events/{object_link_id}/attributes{?limit,offset,sort}

Get a list of Attachment (File) Event link Attributes.

Example URI

GET /attachments/1/events/2/attributes?limit=500&offset=100&sort=id
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 15067,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Universities",
      "created_at": "2018-04-02 17:46:43",
      "updated_at": "2018-04-02 17:50:18",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    },
    {
      "id": 15068,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Mining",
      "created_at": "2018-04-02 17:52:14",
      "updated_at": "2018-04-02 17:52:14",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /attachments/{attachment_id}/events/{object_link_id}/attributes

Create a new Attachment (File) Event link Attribute.

Example URI

POST /attachments/1/events/2/attributes
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": 15059,
      "object_link_id": 61561,
      "attribute_id": 401,
      "value": "4000",
      "created_at": "2017-03-01 21:47:14",
      "updated_at": "2017-03-01 21:47:14",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Attachment Event Attribute

Get Single
GET /attachments/{attachment_id}/events/{object_link_id}/attributes/{object_link_attribute_id}

Get a single Attachment (File) Event link Attribute.

Example URI

GET /attachments/1/events/2/attributes/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 15068,
    "object_link_id": 62326,
    "attribute_id": 136,
    "value": "Mining",
    "created_at": "2018-04-02 17:52:14",
    "updated_at": "2018-04-02 17:52:14",
    "name": "Industry",
    "attribute": {
      "id": 136,
      "name": "Industry",
      "created_at": "2018-04-02 16:25:21",
      "updated_at": "2018-04-02 16:25:21"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /attachments/{attachment_id}/events/{object_link_id}/attributes/{object_link_attribute_id}

Update an Attachment (File) Event link Attribute.

Example URI

PUT /attachments/1/events/2/attributes/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "id": 15058,
      "object_link_id": 61561,
      "attribute_id": 14,
      "value": "New Value",
      "created_at": "2017-01-24 14:54:31",
      "updated_at": "2017-03-01 22:13:22",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /attachments/{attachment_id}/events/{object_link_id}/attributes/{object_link_attribute_id}

Delete an Attachment (File) Event link Attribute.

Example URI

DELETE /attachments/1/events/2/attributes/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Attachment Event Comments List

Get List
GET /attachments/{attachment_id}/events/{object_link_id}/comments{?limit,offset,sort,with}

Get a list of Attachment (File) Event link Comments.

Example URI

GET /attachments/1/events/2/comments?limit=500&offset=100&sort=id&with=sources
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources

A comma-separated list of related objects to include in the response. Options for this endpoint: sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 54,
      "object_link_id": 62325,
      "value": "This has some suspicious stuff.",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:19:51",
      "updated_at": "2018-04-02 18:21:06",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 54,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 56,
      "object_link_id": 62325,
      "value": "Compile date: 10/17/2011",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:20:25",
      "updated_at": "2018-04-02 16:20:25",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST/attachments/{attachment_id}/events/{object_link_id}/comments

Create a new Attachment (File) Event link Comment.

Example URI

POST /attachments/1/events/2/comments
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "id": 69,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 14:12:32",
    "updated_at": "2017-03-02 14:12:32"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Attachment Event Comment

Get Single
GET/attachments/{attachment_id}/events/{object_link_id}/comments/{object_link_comment_id}

Get a single Attachment (File) Event link Comment.

Example URI

GET /attachments/1/events/2/comments/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT/attachments/{attachment_id}/events/{object_link_id}/comments/{object_link_comment_id}

Update an Attachment (File) Event link Comment.

Example URI

PUT /attachments/1/events/2/comments/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "value": "This is an updated comment.",
    "id": 67,
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-02-28 20:18:50",
    "updated_at": "2017-03-02 14:37:49"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE/attachments/{attachment_id}/events/{object_link_id}/comments/{object_link_comment_id}

Delete an Attachment (File) Event link Comment.

Example URI

DELETE /attachments/1/events/2/comments/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Attachment Indicators List

Get List
GET/attachments/{attachment_id}/indicators{?limit,offset,sort,with}

Get a list of Attachment (File) Indicator links.

Example URI

GET /attachments/1/indicators?limit=500&offset=100&sort=id&with=sources,pivot.attributes
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 24,
      "type_id": 3,
      "status_id": 3,
      "class": "network",
      "hash": "bc77846655cdf4c183713a59f8c2a8f1",
      "value": "brendon57@hotmail.com",
      "description": null,
      "last_detected_at": "2002-06-23 14:29:54",
      "expires_at": null,
      "expired_at": null,
      "expires_needs_calc": "Y",
      "expires_calculated_at": null,
      "created_at": "2018-04-04 19:28:34",
      "updated_at": "2018-04-04 19:28:34",
      "touched_at": "2018-04-04 19:30:57",
      "deleted_at": null,
      "sources": [
        {
          "name": "ThreatQ Example Feed"
        }
      ],
      "pivot": {
        "id": 14896,
        "src_type": "indicator",
        "src_object_id": 24,
        "dest_type": "adversary",
        "dest_object_id": 1,
        "created_at": "2018-04-04 19:28:34",
        "updated_at": "2018-04-04 19:28:34",
        "comments": [
          {
            "id": 54,
            "type": "users",
            "value": "This link is important.",
            "created_at": "2018-04-04 20:05:39.284000",
            "updated_at": "2018-04-04 20:05:39.284000",
            "creator_source_id": 8,
            "sources": [
              {
                "id": 8,
                "name": "Threat Quotient"
              }
            ]
          }
        ],
        "attributes": [
          {
            "id": 43,
            "name": "Confidence",
            "value": "75",
            "sources": [
              {
                "id": 1,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 62,
            "name": "VirusTotal",
            "type": "plugins",
            "pivot": {
              "created_at": "2018-02-19 02:14:29",
              "updated_at": "2018-04-04 19:30:59.439000"
            }
          }
        ]
      }
    },
    {
      "id": 74,
      "type_id": 3,
      "status_id": 3,
      "class": "network",
      "hash": "890a7aa3415d8b4fa39d9f51a026b7d8",
      "value": "hazel.kilback@hotmail.com",
      "description": null,
      "last_detected_at": "1992-07-15 20:23:27",
      "expires_at": null,
      "expired_at": null,
      "expires_needs_calc": "Y",
      "expires_calculated_at": null,
      "created_at": "2018-04-04 19:28:35",
      "updated_at": "2018-04-04 19:28:35",
      "touched_at": "2018-04-04 19:30:57",
      "deleted_at": null,
      "sources": [
        {
          "name": "Customer Admin"
        }
      ],
      "pivot": {
        "id": 14991,
        "src_type": "indicator",
        "src_object_id": 74,
        "dest_type": "adversary",
        "dest_object_id": 1,
        "created_at": "2018-04-04 19:28:35",
        "updated_at": "2018-04-04 19:28:35",
        "comments": [
          {
            "id": 56,
            "type": "users",
            "value": "This link is also important.",
            "created_at": "2018-04-04 20:09:29.324000",
            "updated_at": "2018-04-04 20:09:29.324000",
            "creator_source_id": 8,
            "sources": [
              {
                "id": 8,
                "name": "Threat Quotient"
              }
            ]
          }
        ],
        "attributes": [
          {
            "id": 138,
            "name": "Confidence",
            "value": "75",
            "sources": [
              {
                "id": 2,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 200,
            "name": "Emerging Threats",
            "type": "plugins",
            "pivot": {
              "created_at": "2018-01-13 11:24:36",
              "updated_at": "2018-04-04 19:30:59.439000"
            }
          }
        ]
      }
    }
  ],
  "limit": 2,
  "offset": 0
}
Response  401

Access denied.
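
The following is an added example, not code from ThreatQuotient or from this reference: a Python sketch of walking the Attachment Indicators List with `limit`/`offset`, accepting only the `with` options documented for this endpoint and reducing each row to its link data. The function names, the injected `fetch` callable (which would carry the `Authorization: Bearer <access_token>` header) and the reading of `total` as the full record count are assumptions; the sample rows are constructed by trimming the example body above.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# "with" options this reference lists for GET /attachments/{attachment_id}/indicators.
INDICATOR_LINK_WITH = frozenset({
    "pivot.comments", "pivot.comments.sources", "pivot.attributes",
    "pivot.attributes.attribute", "pivot.attributes.sources",
    "pivot.sources", "sources",
})


def indicator_links_path(attachment_id, limit=None, offset=None, sort=None, with_=()):
    """Build the request path, refusing non-integer IDs and undocumented options."""
    if isinstance(attachment_id, bool) or not isinstance(attachment_id, int) or attachment_id < 1:
        raise ValueError("attachment_id must be a positive integer")
    unknown = set(with_) - INDICATOR_LINK_WITH
    if unknown:
        raise ValueError(f"undocumented 'with' option(s): {sorted(unknown)}")
    query = {}
    for name, value in (("limit", limit), ("offset", offset)):
        if value is None:
            continue
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            raise ValueError(f"{name} must be a non-negative integer")
        query[name] = value
    if sort:
        query["sort"] = sort            # e.g. "id" or "-id,created_at"
    if with_:
        query["with"] = ",".join(with_)
    path = f"/attachments/{attachment_id}/indicators"
    # Keep commas literal so the list looks like the reference's example URI.
    return path + ("?" + urlencode(query, safe=",") if query else "")


def iter_indicator_links(fetch, attachment_id, page_size=500, with_=()):
    """Yield every linked indicator, advancing offset by the rows actually received."""
    offset = 0
    while True:
        body = fetch(indicator_links_path(attachment_id, limit=page_size,
                                          offset=offset, sort="id", with_=with_))
        rows = body.get("data")
        if not isinstance(rows, list):
            raise ValueError("a collection response must carry a 'data' array")
        yield from rows
        offset += len(rows)
        # Assumption: 'total' counts all matching records, not just this page.
        if not rows or offset >= body.get("total", 0):
            return


def summarize_link(row):
    """Reduce one row to the indicator plus the data stored on the link (pivot)."""
    pivot = row.get("pivot") or {}
    return {
        "indicator_id": row["id"],
        "value": row["value"],
        "object_link_id": pivot.get("id"),
        "attributes": {a["name"]: a["value"] for a in pivot.get("attributes", [])},
        "comments": [c["value"] for c in pivot.get("comments", [])],
        "link_sources": [s["name"] for s in pivot.get("sources", [])],
    }


# Constructed sample rows, trimmed from the example response body in this section.
SAMPLE_LINKS = [
    {"id": 24, "value": "brendon57@hotmail.com",
     "pivot": {"id": 14896,
               "comments": [{"id": 54, "value": "This link is important."}],
               "attributes": [{"id": 43, "name": "Confidence", "value": "75"}],
               "sources": [{"id": 62, "name": "VirusTotal"}]}},
    {"id": 74, "value": "hazel.kilback@hotmail.com",
     "pivot": {"id": 14991,
               "comments": [{"id": 56, "value": "This link is also important."}],
               "attributes": [{"id": 138, "name": "Confidence", "value": "75"}],
               "sources": [{"id": 200, "name": "Emerging Threats"}]}},
]


def fake_fetch(path):
    """Offline stand-in for an authenticated GET: serves SAMPLE_LINKS page by page."""
    query = parse_qs(urlsplit(path).query)
    limit = int(query.get("limit", ["500"])[0])
    offset = int(query.get("offset", ["0"])[0])
    page = SAMPLE_LINKS[offset:offset + limit]
    return {"total": len(SAMPLE_LINKS), "data": page, "limit": limit, "offset": offset}


if __name__ == "__main__":
    wanted = ("pivot.comments", "pivot.attributes", "pivot.sources")
    for row in iter_indicator_links(fake_fetch, 1, page_size=1, with_=wanted):
        print(summarize_link(row))
```

The `object_link_id` returned for each row is the value the link-level endpoints (`/attachments/{attachment_id}/indicators/{object_link_id}/...`) take in their path.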

Create New
POST/attachments/{attachment_id}/indicators

Create a link from an Indicator to an Attachment (File).

Example URI

POST /attachments/1/indicators
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "id": 2
  },
  {
    "id": 3
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 202,
      "type_id": 2,
      "status_id": 3,
      "class": "network",
      "hash": "bba60e76a34af96122b9f44e67ae8ea7",
      "value": "oolson@yahoo.com",
      "last_detected_at": "2013-12-13 08:58:00",
      "expires_at": null,
      "expired_at": null,
      "expires_calculated_at": null,
      "created_at": "2017-02-28 20:13:19",
      "updated_at": "2017-02-28 20:13:19",
      "touched_at": "2017-03-02 14:57:32",
      "pivot": {
        "id": 62397,
        "created_at": "2017-03-02 14:57:32",
        "updated_at": "2017-03-02 14:57:32"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "id": [
          "The id field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.

Bulk Delete
DELETE/attachments/{attachment_id}/indicators

Delete multiple Attachment (File) Indicator links.

Example URI

DELETE /attachments/1/indicators
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  62351,
  62352
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Attachment Indicator

Get Single
GET/attachments/{attachment_id}/indicators/{object_link_id}{?with}

Get a single Attachment (File) Indicator link.

Example URI

GET /attachments/1/indicators/2?with=sources,pivot.attributes
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 24,
    "type_id": 3,
    "status_id": 3,
    "class": "network",
    "hash": "bc77846655cdf4c183713a59f8c2a8f1",
    "value": "brendon57@hotmail.com",
    "description": null,
    "last_detected_at": "2002-06-23 14:29:54",
    "expires_at": null,
    "expired_at": null,
    "expires_needs_calc": "Y",
    "expires_calculated_at": null,
    "created_at": "2018-04-04 19:28:34",
    "updated_at": "2018-04-04 19:28:34",
    "touched_at": "2018-04-04 19:30:57",
    "pivot": {
      "id": 14896,
      "created_at": "2018-03-09 14:32:27",
      "updated_at": "2018-04-04 19:30:29",
      "comments": [
        {
          "id": 54,
          "object_link_id": 14896,
          "value": "This link is also important.",
          "creator_source_id": 8,
          "created_at": "2018-04-04 20:05:39",
          "updated_at": "2018-04-04 20:05:39",
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "expire_days": null,
              "score": null,
              "created_at": "2018-04-04 19:28:33",
              "updated_at": "2018-04-04 19:28:33",
              "pivot": {
                "id": 54,
                "creator_source_id": 8
              }
            }
          ]
        }
      ],
      "attributes": [
        {
          "id": 43,
          "object_link_id": 14896,
          "attribute_id": 13,
          "value": "75",
          "created_at": "2018-02-24 14:33:41",
          "updated_at": "-0001-11-30 00:00:00",
          "name": "Confidence",
          "attribute": {
            "id": 13,
            "name": "Confidence",
            "created_at": "2018-03-28 19:03:33",
            "updated_at": "2018-03-24 19:03:33"
          },
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "tlp_id": null,
              "created_at": "-0001-11-30 00:00:00",
              "updated_at": "-0001-11-30 00:00:00",
              "published_at": null,
              "pivot": {
                "object_link_attribute_id": 43,
                "source_id": 8,
                "id": 1,
                "creator_source_id": 0
              }
            }
          ]
        }
      ],
      "sources": [
        {
          "id": 5,
          "type": "plugins",
          "name": "VirusTotal",
          "tlp_id": null,
          "created_at": "2018-02-19 02:14:29",
          "updated_at": "2018-04-04 19:30:59",
          "published_at": null,
          "pivot": {
            "object_link_id": 14896,
            "source_id": 5,
            "id": 62,
            "creator_source_id": 5
          }
        }
      ]
    },
    "sources": [
      {
        "id": 3,
        "type": "clients",
        "name": "ThreatQ",
        "tlp_id": null,
        "created_at": "2018-04-04 19:28:35",
        "updated_at": "2018-04-04 19:28:35",
        "published_at": null,
        "pivot": {
          "indicator_id": 24,
          "source_id": 3,
          "id": 59,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE/attachments/{attachment_id}/indicators/{object_link_id}

Delete an Attachment (File) Indicator link.

Example URI

DELETE /attachments/1/indicators/2
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Attachment Indicator Attributes List

Get List
GET/attachments/{attachment_id}/indicators/{object_link_id}/attributes{?limit,offset,sort}

Get a list of Attachment (File) Indicator link Attributes.

Example URI

GET /attachments/1/indicators/2/attributes?limit=500&offset=100&sort=id
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 15067,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Universities",
      "created_at": "2018-04-02 17:46:43",
      "updated_at": "2018-04-02 17:50:18",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    },
    {
      "id": 15068,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Mining",
      "created_at": "2018-04-02 17:52:14",
      "updated_at": "2018-04-02 17:52:14",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST/attachments/{attachment_id}/indicators/{object_link_id}/attributes

Create a new Attachment (File) Indicator link Attribute.

Example URI

POST /attachments/1/indicators/2/attributes
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": 15059,
      "object_link_id": 61561,
      "attribute_id": 401,
      "value": "4000",
      "created_at": "2017-03-01 21:47:14",
      "updated_at": "2017-03-01 21:47:14",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Attachment Indicator Attribute

Get Single
GET/attachments/{attachment_id}/indicators/{object_link_id}/attributes/{object_link_attribute_id}

Get a single Attachment (File) Indicator link Attribute.

Example URI

GET /attachments/1/indicators/2/attributes/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 15068,
    "object_link_id": 62326,
    "attribute_id": 136,
    "value": "Mining",
    "created_at": "2018-04-02 17:52:14",
    "updated_at": "2018-04-02 17:52:14",
    "name": "Industry",
    "attribute": {
      "id": 136,
      "name": "Industry",
      "created_at": "2018-04-02 16:25:21",
      "updated_at": "2018-04-02 16:25:21"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT/attachments/{attachment_id}/indicators/{object_link_id}/attributes/{object_link_attribute_id}

Update an Attachment (File) Indicator link Attribute.

Example URI

PUT /attachments/1/indicators/2/attributes/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "id": 15058,
      "object_link_id": 61561,
      "attribute_id": 14,
      "value": "New Value",
      "created_at": "2017-01-24 14:54:31",
      "updated_at": "2017-03-01 22:13:22",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE/attachments/{attachment_id}/indicators/{object_link_id}/attributes/{object_link_attribute_id}

Delete an Attachment (File) Indicator link Attribute.

Example URI

DELETE /attachments/1/indicators/2/attributes/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Attachment Indicator Comments List

Get List
GET/attachments/{attachment_id}/indicators/{object_link_id}/comments{?limit,offset,sort,with}

Get a list of Attachment (File) Indicator link Comments.

Example URI

GET /attachments/1/indicators/2/comments?limit=500&offset=100&sort=id&with=sources
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources

A comma-separated list of related objects to include in the response. Options for this endpoint: sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 54,
      "object_link_id": 62325,
      "value": "This has some suspicious stuff.",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:19:51",
      "updated_at": "2018-04-02 18:21:06",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 54,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 56,
      "object_link_id": 62325,
      "value": "Compile date: 10/17/2011",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:20:25",
      "updated_at": "2018-04-02 16:20:25",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST/attachments/{attachment_id}/indicators/{object_link_id}/comments

Create a new Attachment (File) Indicator link Comment.

Example URI

POST /attachments/1/indicators/2/comments
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "id": 69,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 14:12:32",
    "updated_at": "2017-03-02 14:12:32"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Attachment Indicator Comment

Get Single
GET/attachments/{attachment_id}/indicators/{object_link_id}/comments/{object_link_comment_id}

Get a single Attachment (File) Indicator link Comment.

Example URI

GET /attachments/1/indicators/2/comments/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT/attachments/{attachment_id}/indicators/{object_link_id}/comments/{object_link_comment_id}

Update an Attachment (File) Indicator link Comment.

Example URI

PUT /attachments/1/indicators/2/comments/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "value": "This is an updated comment.",
    "id": 67,
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-02-28 20:18:50",
    "updated_at": "2017-03-02 14:37:49"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE/attachments/{attachment_id}/indicators/{object_link_id}/comments/{object_link_comment_id}

Delete an Attachment (File) Indicator link Comment.

Example URI

DELETE /attachments/1/indicators/2/comments/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Attachment Signatures List

Get List
GET/attachments/{attachment_id}/signatures{?limit,offset,sort,with}

Get a list of Attachment (File) Signature links.

Example URI

GET /attachments/1/signatures?limit=500&offset=100&sort=id&with=sources,pivot.attributes
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 2,
      "name": "ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow (2007937:4)",
      "description": "",
      "hash": "8cf2e60aeb0b7ed9874f2ed379b3f42d",
      "value": "alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:\"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow\"; content:\"|44 53 52 65 71 75 65 73 74|\"; pcre:\"/[0-9a-zA-Z]{50}/R\"; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; classtype:successful-dos; sid:2007937; rev:4;)",
      "status_id": 3,
      "type_id": 6,
      "last_detected_at": null,
      "created_at": "2018-04-04 19:30:18",
      "updated_at": "2018-04-04 19:30:18",
      "touched_at": "2018-04-04 23:02:46",
      "deleted_at": null,
      "sources": [
        {
          "name": "Threat Quotient"
        }
      ],
      "pivot": {
        "id": 62261,
        "src_type": "signature",
        "src_object_id": 2,
        "dest_type": "adversary",
        "dest_object_id": 1,
        "created_at": "2018-04-04 19:30:18",
        "updated_at": "2018-04-04 19:30:18",
        "comments": [
          {
            "id": 57,
            "type": "users",
            "value": "This link is important.",
            "created_at": "2018-04-04 23:16:40.155000",
            "updated_at": "2018-04-04 23:18:42.648000",
            "creator_source_id": 8,
            "sources": [
              {
                "id": 8,
                "name": "Threat Quotient"
              }
            ]
          }
        ],
        "attributes": [
          {
            "id": 15080,
            "name": "Industry",
            "value": "Universities",
            "sources": [
              {
                "id": 3,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24298,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-04 23:02:46.740000",
              "updated_at": "2018-04-04 23:02:46.740000"
            }
          }
        ]
      }
    },
    {
      "id": 1,
      "name": "ET EXPLOIT Arkeia full remote access without password or authentication (2001742:9)",
      "description": "",
      "hash": "737309fe355ef23e1c03a5e98bc364b5",
      "value": "alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:\"ET EXPLOIT Arkeia full remote access without password or authentication\"; flow:to_server,established; content:\"|464F3A20596F75206861766520737563|\"; content:\"|6520636C69656E7420696E666F726D61|\"; reference:url,metasploit.com/research/vulns/arkeia_agent; reference:url,doc.emergingthreats.net/bin/view/Main/2001742; classtype:attempted-admin; sid:2001742; rev:9;)",
      "status_id": 3,
      "type_id": 6,
      "last_detected_at": null,
      "created_at": "2018-04-04 19:30:18",
      "updated_at": "2018-04-04 19:30:18",
      "touched_at": "2018-04-04 23:03:35",
      "deleted_at": null,
      "sources": [
        {
          "name": "Threat Quotient"
        }
      ],
      "pivot": {
        "id": 62262,
        "src_type": "signature",
        "src_object_id": 1,
        "dest_type": "adversary",
        "dest_object_id": 1,
        "created_at": "2018-04-04 19:30:18",
        "updated_at": "2018-04-04 19:30:18",
        "comments": [
          {
            "id": 58,
            "type": "users",
            "value": "This link is also important.",
            "created_at": "2018-04-04 23:16:58.817000",
            "updated_at": "2018-04-04 23:16:58.817000",
            "creator_source_id": 8,
            "sources": [
              {
                "id": 8,
                "name": "Threat Quotient"
              }
            ]
          }
        ],
        "attributes": [
          {
            "id": 15081,
            "name": "Industry",
            "value": "Mining",
            "sources": [
              {
                "id": 4,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24300,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-04 23:03:35.975000",
              "updated_at": "2018-04-04 23:03:35.975000"
            }
          }
        ]
      }
    }
  ],
  "limit": 100,
  "offset": 0
}
Response  401

Access denied.

Create New
POST /attachments/{attachment_id}/signatures

Create a link from a (File) Signature to an Attachment.

Example URI

POST /attachments/1/signatures
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "id": 2
  },
  {
    "id": 3
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 202,
      "name": "ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 27 (2019448:1)",
      "description": "",
      "hash": "32eb2da7b59c7e85fbeec98f90adaf2d",
      "value": "alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:\"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 27\"; flow:established,to_server; content:\"%6e%61m%65[\"; nocase; fast_pattern:only; http_client_body; pcre:\"/(?:^|&|Content-Disposition[\\x3a][^\\n]*?name\\s*?=\\s*?[\\x22\\x27])\\%6e\\%61m\\%65\\[[^\\x5d]*?\\W/Pi\"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019448; rev:1;)",
      "status_id": 4,
      "type_id": 1,
      "last_detected_at": null,
      "created_at": "2017-03-02 16:34:40",
      "updated_at": "2017-03-02 16:34:40",
      "touched_at": "2017-03-02 16:34:41",
      "pivot": {
        "id": 62337,
        "created_at": "2017-03-02 16:43:29",
        "updated_at": "2017-03-02 16:43:29"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "id": [
          "The id field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.

Bulk Delete
DELETE /attachments/{attachment_id}/signatures

Delete multiple Attachment (File) Signature links.

Example URI

DELETE /attachments/1/signatures
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  62351,
  62352
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Attachment Signature

Get Single
GET /attachments/{attachment_id}/signatures/{object_link_id}{?with}

Get a single Attachment (File) Signature link.

Example URI

GET /attachments/1/signatures/2?with=sources,pivot.attributes
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 2,
    "name": "ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow (2007937:4)",
    "description": "",
    "hash": "8cf2e60aeb0b7ed9874f2ed379b3f42d",
    "value": "alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:\"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow\"; content:\"|44 53 52 65 71 75 65 73 74|\"; pcre:\"/[0-9a-zA-Z]{50}/R\"; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; classtype:successful-dos; sid:2007937; rev:4;)",
    "status_id": 3,
    "type_id": 6,
    "last_detected_at": null,
    "created_at": "2018-04-04 19:30:18",
    "updated_at": "2018-04-04 19:30:18",
    "touched_at": "2018-04-04 23:02:46",
    "pivot": {
      "id": 62261,
      "created_at": "2018-04-04 23:02:46",
      "updated_at": "2018-04-04 23:02:46",
      "comments": [
        {
          "id": 57,
          "object_link_id": 62261,
          "value": "This link is important.",
          "creator_source_id": 8,
          "created_at": "2018-04-04 23:16:40",
          "updated_at": "2018-04-04 23:18:42",
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "expire_days": null,
              "score": null,
              "created_at": "2018-04-04 19:28:33",
              "updated_at": "2018-04-04 19:28:33",
              "pivot": {
                "id": 57,
                "creator_source_id": 8
              }
            }
          ]
        }
      ],
      "attributes": [
        {
          "id": 15080,
          "object_link_id": 62261,
          "attribute_id": 135,
          "value": "Universities",
          "created_at": "2018-04-04 23:09:28",
          "updated_at": "2018-04-04 23:09:28",
          "name": "Industry",
          "attribute": {
            "id": 135,
            "name": "Industry",
            "created_at": "2018-04-04 20:01:00",
            "updated_at": "2018-04-04 20:01:00"
          },
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "tlp_id": null,
              "created_at": "-0001-11-30 00:00:00",
              "updated_at": "-0001-11-30 00:00:00",
              "published_at": null,
              "pivot": {
                "object_link_attribute_id": 15080,
                "source_id": 8,
                "id": 3,
                "creator_source_id": 0
              }
            }
          ]
        }
      ],
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "tlp_id": null,
          "created_at": "2018-04-04 23:02:46",
          "updated_at": "2018-04-04 23:02:46",
          "published_at": null,
          "pivot": {
            "object_link_id": 62261,
            "source_id": 8,
            "id": 24298,
            "creator_source_id": 8
          }
        }
      ]
    },
    "sources": [
      {
        "id": 8,
        "type": "users",
        "name": "Threat Quotient",
        "tlp_id": null,
        "created_at": "2018-04-04 19:30:18",
        "updated_at": "2018-04-04 19:30:18",
        "published_at": null,
        "pivot": {
          "signature_id": 2,
          "source_id": 8,
          "id": 2,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /attachments/{attachment_id}/signatures/{object_link_id}

Delete an Attachment (File) Signature link.

Example URI

DELETE /attachments/1/signatures/2
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Attachment Signature Attributes List

Get List
GET /attachments/{attachment_id}/signatures/{object_link_id}/attributes{?limit,offset,sort}

Get a list of Attachment (File) Signature link Attributes.

Example URI

GET /attachments/1/signatures/2/attributes?limit=500&offset=100&sort=id
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 15067,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Universities",
      "created_at": "2018-04-02 17:46:43",
      "updated_at": "2018-04-02 17:50:18",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    },
    {
      "id": 15068,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Mining",
      "created_at": "2018-04-02 17:52:14",
      "updated_at": "2018-04-02 17:52:14",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /attachments/{attachment_id}/signatures/{object_link_id}/attributes

Create a new Attachment (File) Signature link Attribute.

Example URI

POST /attachments/1/signatures/2/attributes
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": 15059,
      "object_link_id": 61561,
      "attribute_id": 401,
      "value": "4000",
      "created_at": "2017-03-01 21:47:14",
      "updated_at": "2017-03-01 21:47:14",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Attachment Signature Attribute

Get Single
GET /attachments/{attachment_id}/signatures/{object_link_id}/attributes/{object_link_attribute_id}

Get a single Attachment (File) Signature link Attribute.

Example URI

GET /attachments/1/signatures/2/attributes/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 15068,
    "object_link_id": 62326,
    "attribute_id": 136,
    "value": "Mining",
    "created_at": "2018-04-02 17:52:14",
    "updated_at": "2018-04-02 17:52:14",
    "name": "Industry",
    "attribute": {
      "id": 136,
      "name": "Industry",
      "created_at": "2018-04-02 16:25:21",
      "updated_at": "2018-04-02 16:25:21"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /attachments/{attachment_id}/signatures/{object_link_id}/attributes/{object_link_attribute_id}

Update an Attachment (File) Signature link Attribute.

Example URI

PUT /attachments/1/signatures/2/attributes/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "id": 15058,
      "object_link_id": 61561,
      "attribute_id": 14,
      "value": "New Value",
      "created_at": "2017-01-24 14:54:31",
      "updated_at": "2017-03-01 22:13:22",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /attachments/{attachment_id}/signatures/{object_link_id}/attributes/{object_link_attribute_id}

Delete an Attachment (File) Signature link Attribute.

Example URI

DELETE /attachments/1/signatures/2/attributes/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Attachment Signature Comments List

Get List
GET /attachments/{attachment_id}/signatures/{object_link_id}/comments{?limit,offset,sort,with}

Get a list of Attachment (File) Signature link Comments.

Example URI

GET /attachments/1/signatures/2/comments?limit=500&offset=100&sort=id&with=sources
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources

A comma-separated list of related objects to include in the response. Options for this endpoint: sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 54,
      "object_link_id": 62325,
      "value": "This has some suspicious stuff.",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:19:51",
      "updated_at": "2018-04-02 18:21:06",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 54,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 56,
      "object_link_id": 62325,
      "value": "Compile date: 10/17/2011",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:20:25",
      "updated_at": "2018-04-02 16:20:25",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /attachments/{attachment_id}/signatures/{object_link_id}/comments

Create a new Attachment (File) Signature link Comment.

Example URI

POST /attachments/1/signatures/2/comments
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "id": 69,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 14:12:32",
    "updated_at": "2017-03-02 14:12:32"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Attachment Signature Comment

Get Single
GET /attachments/{attachment_id}/signatures/{object_link_id}/comments/{object_link_comment_id}

Get a single Attachment (File) Signature link Comment.

Example URI

GET /attachments/1/signatures/2/comments/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /attachments/{attachment_id}/signatures/{object_link_id}/comments/{object_link_comment_id}

Update an Attachment (File) Signature link Comment.

Example URI

PUT /attachments/1/signatures/2/comments/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "value": "This is an updated comment.",
    "id": 67,
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-02-28 20:18:50",
    "updated_at": "2017-03-02 14:37:49"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /attachments/{attachment_id}/signatures/{object_link_id}/comments/{object_link_comment_id}

Delete an Attachment (File) Signature link Comment.

Example URI

DELETE /attachments/1/signatures/2/comments/3
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Attachment Sources List

Get List
GET /attachments/{attachment_id}/sources{?limit,offset,sort,with}

Get a list of Attachment (File) Sources.

Example URI

GET /attachments/1/sources?limit=500&offset=100&sort=id&with=attachment,tlp
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: attachment,tlp

A comma-separated list of related objects to include in the response. Options for this endpoint: attachment, tlp.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 1,
      "attachment_id": 4,
      "source_id": 5,
      "creator_source_id": 5,
      "tlp_id": null,
      "created_at": "2017-03-16 15:01:52",
      "updated_at": "2017-03-16 15:01:52",
      "published_at": null
    },
    {
      "id": 3,
      "attachment_id": 4,
      "source_id": 10,
      "creator_source_id": 5,
      "tlp_id": 1,
      "created_at": "2017-03-16 22:18:47",
      "updated_at": "2017-03-16 22:18:47",
      "published_at": null
    }
  ]
}
Response  401

Access denied.
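
An added example (not ThreatQuotient's code) of driving the limit, offset, sort and with parameters documented for the list endpoints: it validates a query against the endpoint's listed with options and walks pages until total is reached. The fetch_page callable, the constructed records and the reading of offset as a zero-based count of records to skip are assumptions.

```python
import re
from urllib.parse import urlencode

# A sort field, optionally prefixed with "-" to reverse the order.
_SORT_FIELD = re.compile(r"^-?[A-Za-z_][A-Za-z0-9_.]*$")


def build_query(limit=None, offset=None, sort=(), with_=(), allowed_with=frozenset()):
    """Build the query string for a list endpoint, rejecting values the
    reference does not list instead of forwarding them to the server."""
    params = {}
    if limit is not None:
        if not isinstance(limit, int) or limit < 1:
            raise ValueError("limit must be a positive integer")
        params["limit"] = limit
    if offset is not None:
        if not isinstance(offset, int) or offset < 0:
            raise ValueError("offset must be a non-negative integer")
        params["offset"] = offset
    if sort:
        bad = [f for f in sort if not _SORT_FIELD.match(f)]
        if bad:
            raise ValueError(f"invalid sort field(s): {bad}")
        params["sort"] = ",".join(sort)
    if with_:
        unknown = sorted(set(with_) - set(allowed_with))
        if unknown:
            raise ValueError(f"'with' option(s) not offered by this endpoint: {unknown}")
        params["with"] = ",".join(with_)
    # Keep commas literal, matching the example URIs in the reference.
    return urlencode(params, safe=",")


def iter_records(fetch_page, limit=100, max_pages=1000):
    """Yield every record of a collection.

    fetch_page(offset=..., limit=...) is a hypothetical transport that returns
    the parsed JSON envelope ({"total": N, "data": [...]}).
    """
    offset = 0
    seen = set()
    for _ in range(max_pages):
        page = fetch_page(offset=offset, limit=limit)
        rows = page.get("data") or []
        for row in rows:
            # A repeated id means pages overlapped (for example the sort key
            # is not unique); stop rather than double-count.
            if row["id"] in seen:
                raise RuntimeError(f"record {row['id']} returned twice")
            seen.add(row["id"])
            yield row
        offset += len(rows)
        total = page.get("total")
        if not rows:
            return
        if total is not None:
            if offset >= total:
                return
        elif len(rows) < limit:
            # No total in the envelope: a short page marks the end.
            return
    raise RuntimeError("page budget exhausted before the collection ended")


# Constructed sample data standing in for a server-side collection.
FAKE_RECORDS = [{"id": i, "source_id": 10 + i} for i in range(1, 6)]
FAKE_CALLS = []


def fake_fetch(offset, limit):
    """Offline stand-in for GET /attachments/1/sources (constructed)."""
    FAKE_CALLS.append(offset)
    return {"total": len(FAKE_RECORDS), "data": FAKE_RECORDS[offset:offset + limit]}


if __name__ == "__main__":
    print(build_query(limit=500, offset=100, sort=["id"],
                      with_=["attachment", "tlp"],
                      allowed_with={"attachment", "tlp"}))
    print([r["id"] for r in iter_records(fake_fetch, limit=2)])
```

Sorting on id while paging keeps page boundaries stable between requests.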

Create New
POST /attachments/{attachment_id}/sources

Create a new Attachment (File) Source.

Example URI

POST /attachments/1/sources
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Test Source",
  "tlp": {
    "name": "RED"
  }
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 3,
      "attachment_id": 4,
      "source_id": 10,
      "creator_source_id": 5,
      "tlp_id": 1,
      "created_at": "2017-03-16 22:18:47",
      "updated_at": "2017-03-16 22:18:47",
      "published_at": null,
      "deleted_at": null,
      "existing": 0,
      "name": "Test Source"
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "name": [
          "The name field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.

Attachment Source

Get Single
GET /attachments/{attachment_id}/sources/{attachment_source_id}

Get a single Attachment (File) Source.

Example URI

GET /attachments/1/sources/2
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

attachment_source_id
integer (required) Example: 2

Attachment Source ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "attachment_id": 1,
    "source_id": 13,
    "creator_source_id": 8,
    "tlp_id": 4,
    "created_at": "2018-10-30 20:10:24",
    "updated_at": "2018-10-30 20:10:24",
    "published_at": null
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /attachments/{attachment_id}/sources/{attachment_source_id}

Update an Attachment (File) Source.

Example URI

PUT /attachments/1/sources/2
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

attachment_source_id
integer (required) Example: 2

Attachment Source ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "attachment_id": 1,
    "source_id": 13,
    "creator_source_id": 8,
    "tlp_id": 4,
    "created_at": "2018-10-30 20:10:24",
    "updated_at": "2018-10-30 20:10:24",
    "published_at": null
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /attachments/{attachment_id}/sources/{attachment_source_id}

Delete an Attachment (File) Source.

Example URI

DELETE /attachments/1/sources/2
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

attachment_source_id
integer (required) Example: 2

Attachment Source ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Attachment Tag List

Get List
GET /attachments/{attachment_id}/tags{?limit,offset,sort,with}

Get a list of Attachment (File) Tags (Keywords).

Example URI

GET /attachments/1/tags?limit=500&offset=100&sort=id&with=attachments
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: attachments

A comma-separated list of related objects to include in the response. Options for this endpoint: attachments.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 1,
      "name": "New Tag Name",
      "pivot": {
        "object_id": 1,
        "tag_id": 1,
        "created_at": "2017-03-02 21:22:02",
        "updated_at": "2017-03-02 21:22:02"
      }
    },
    {
      "id": 2,
      "name": "Another New Tag Name",
      "pivot": {
        "object_id": 1,
        "tag_id": 2,
        "created_at": "2017-03-02 21:24:30",
        "updated_at": "2017-03-02 21:24:30"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /attachments/{attachment_id}/tags

Create a new Attachment (File) Tag (Keyword).

Example URI

POST /attachments/1/tags
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Tag Name"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 2,
      "name": "Tag Name",
      "pivot": {
        "object_id": 1,
        "tag_id": 2,
        "created_at": "2017-03-02 21:24:30",
        "updated_at": "2017-03-02 21:24:30"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "errors": {
      "name": [
        "The name field is required."
      ]
    }
  }
}
Response  401

Access denied.
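
The 400 bodies documented for the attachment endpoints in this section come in several envelope shapes: errors at the top level, under a data object, or under each item of a data array. The added example below (not ThreatQuotient's code) normalises all of them into one list so a client can log or act on validation failures uniformly; the function and class names are assumptions, and the sample bodies are copied from the responses above.

```python
import json

# 400 bodies as documented in this section, keyed by the request that returns them.
SAMPLES = {
    "POST /attachments/1/signatures":
        '{"data": [{"errors": {"id": ["The id field is required."]}}]}',
    "POST /attachments/1/signatures/2/attributes":
        '{"errors": ["Undefined index: value"]}',
    "PUT /attachments/1/signatures/2/comments/3":
        '{"data": {"creator_source_id": 5,'
        ' "errors": {"value": ["The value field is required."]}}}',
    "POST /attachments/1/tags":
        '{"data": {"errors": {"name": ["The name field is required."]}}}',
}


class ApiError(Exception):
    """Raised for any non-2xx status; carries the normalised error list."""

    def __init__(self, status, errors):
        self.status = status
        self.errors = errors  # list of (item_index, field, message)
        super().__init__(f"HTTP {status}: {errors}")


def _flatten(errors, index):
    """Turn one 'errors' value into (index, field, message) tuples.

    A dict maps field name -> list of messages; a bare list carries
    free-form messages with no field name.
    """
    if isinstance(errors, dict):
        for field, messages in errors.items():
            if isinstance(messages, str):
                messages = [messages]
            for message in messages:
                yield (index, field, str(message))
    elif isinstance(errors, list):
        for message in errors:
            yield (index, None, str(message))
    elif errors is not None:
        yield (index, None, str(errors))


def extract_errors(body):
    """Collect validation errors from any of the documented 400 envelopes."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return [(None, None, "unparseable error body")]
    if not isinstance(doc, dict):
        return []
    found = list(_flatten(doc.get("errors"), None))
    data = doc.get("data")
    if isinstance(data, dict):
        found += _flatten(data.get("errors"), None)
    elif isinstance(data, list):
        # Bulk requests: keep the position so the caller can map an error
        # back to the item it sent.
        for i, item in enumerate(data):
            if isinstance(item, dict):
                found += _flatten(item.get("errors"), i)
    return found


def check_response(status, body):
    """Return parsed JSON for 2xx (None for 204); raise ApiError otherwise."""
    if status == 204:
        return None
    if 200 <= status < 300:
        return json.loads(body)
    if status == 400:
        raise ApiError(status, extract_errors(body))
    reason = {401: "Access denied.", 404: "Object not found."}.get(
        status, "unexpected status")
    raise ApiError(status, [(None, None, reason)])


if __name__ == "__main__":
    for request, body in SAMPLES.items():
        print(request, "->", extract_errors(body))
```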

Attachment Tag

Get Single
GET /attachments/{attachment_id}/tags/{tag_id}{?with}

Get a single Attachment (File) Tag (Keyword).

Example URI

GET /attachments/1/tags/2?with=attachments
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

tag_id
integer (required) Example: 2

Tag ID

with
string (optional) Example: attachments

A comma-separated list of related objects to include in the response. Options for this endpoint: attachments.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "name": "Tag Name",
    "pivot": {
      "object_id": 1,
      "tag_id": 1,
      "created_at": "2017-03-02 21:22:02",
      "updated_at": "2017-03-02 21:22:02"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /attachments/{attachment_id}/tags/{tag_id}

Delete an Attachment (File) Tag (Keyword).

Example URI

DELETE /attachments/1/tags/2
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

tag_id
integer (required) Example: 2

Tag ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Attachment Watchlists

Get Single
GET /attachments/{attachment_id}/watchlist

Get an Attachment (File) in the user’s Watchlist.

Example URI

GET /attachments/1/watchlist
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 1,
  "data": [
    {
      "id": 1,
      "user_id": 1,
      "object_type": "attachment",
      "object_id": 1,
      "created_at": "2017-03-16 19:34:25",
      "updated_at": "2017-03-16 19:34:25",
      "attachment": {
        "id": 1,
        "type_id": 1,
        "title": "Crazy Bad File",
        "name": "crazy-file.exe",
        "hash": "f5f39c6886a66686af0950014dffe968",
        "content_type_id": 1,
        "file_size": 234235236,
        "malware_locked": 1,
        "description": "This file is crazy bad.",
        "created_at": "2017-03-16 13:03:07",
        "updated_at": "2017-03-16 16:37:58",
        "touched_at": "2017-03-16 16:37:58"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /attachments/{attachment_id}/watchlist

Add an Attachment (File) to the user’s Watchlist.

Example URI

POST /attachments/1/watchlist
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

Request
Headers
Authorization: Bearer <access_token>
Body
No Request Body.
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "object_type": "attachment",
    "user_id": 1,
    "object_id": "3",
    "updated_at": "2017-03-02 21:50:37",
    "created_at": "2017-03-02 21:50:37",
    "id": 3
  }
}
Response  401

Access denied.

Attachment Watchlist

Attachment Watchlist
DELETE /attachments/{attachment_id}/watchlist/{watchlist_id}

Remove an Attachment (File) from the user’s Watchlist.

Example URI

DELETE /attachments/1/watchlist/2
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

watchlist_id
integer (required) Example: 2

Watchlist ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Attributes

Attribute List

Get List
GET /attributes{?limit,offset,sort,with}

Get a list of Attributes.

Example URI

GET /attributes?limit=500&offset=100&sort=id&with=valueWeights
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: valueWeights

A comma-separated list of related objects to include in the response. Options for this endpoint: valueWeights.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 106,
  "data": [
    {
      "id": 1,
      "name": "Accessed Time",
      "created_at": "2017-02-17 17:02:54",
      "updated_at": "2017-03-03 17:03:54"
    },
    {
      "id": 2,
      "name": "ASN",
      "created_at": "2017-02-22 17:02:54",
      "updated_at": "2017-03-02 17:03:54"
    },
    {
      "id": 3,
      "name": "Associated File",
      "created_at": "2017-02-20 17:02:54",
      "updated_at": "2017-03-16 17:03:54"
    }
  ]
}
Response  401

Access denied.

Create New
POST /attributes

Create a new Attribute.

Example URI

POST /attributes
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "New Attribute"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "name": "New Attribute",
    "updated_at": "2017-03-17 18:19:44",
    "created_at": "2017-03-17 18:19:44",
    "id": 252
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "errors": {
      "name": [
        "The name field is required."
      ]
    }
  }
}
Response  401

Access denied.

Attribute

Attribute
GET /attributes/{attribute_id}{?with}

Get a single Attribute.

Example URI

GET /attributes/1?with=valueWeights
URI Parameters
attribute_id
integer (required) Example: 1

Attribute ID

with
string (optional) Example: valueWeights

A comma-separated list of related objects to include in the response. Options for this endpoint: valueWeights.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "name": "Accessed Time",
    "created_at": "2017-02-17 17:02:54",
    "updated_at": "2017-03-03 17:03:54"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Configuration

Configuration List

Get List
GET /configuration{?limit,offset,sort}

Get a list of Configuration parameters.

Example URI

GET /configuration?limit=500&offset=100&sort=id
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "key": "key.1",
      "value": "value.1",
      "group": "",
      "created_at": "2017-03-17 20:42:41",
      "updated_at": "2017-03-17 20:42:41"
    },
    {
      "key": "key.2",
      "value": "value.2",
      "group": "",
      "created_at": "2017-03-17 20:42:41",
      "updated_at": "2017-03-17 20:42:41"
    }
  ]
}
Response  401

Access denied.

Create New
POST /configuration

Create a new Configuration parameter.

Example URI

POST /configuration
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "key": "New Key",
  "value": "New Value",
  "group": "config_group"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "key": "New Key",
    "value": "New Value",
    "group": "config_group",
    "updated_at": "2017-03-17 20:50:20",
    "created_at": "2017-03-17 20:50:20"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "errors": {
      "key": [
        "The key field is required."
      ]
    }
  }
}
Response  401

Access denied.

LDAP Configuration List

Get List
GET /configuration/ldap{?limit,offset,sort}

Get a list of LDAP Configuration parameters.

Example URI

GET /configuration/ldap?limit=500&offset=100&sort=id
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 14,
  "data": [
    {
      "key": "ldap.config.domain",
      "value": "threatq.com",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.config.filter_field_name",
      "value": "memberUid",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.config.group_field_name",
      "value": "cn",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.config.ou",
      "value": "tqusers",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.config.port",
      "value": "389",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.config.server",
      "value": "ldap://",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.config.uid_key",
      "value": "uid",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.config.use_rdn",
      "value": "1",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.config.user_append_domain",
      "value": "1",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.enabled",
      "value": "0",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.group.administrator",
      "value": "myAdmin",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.group.analyst",
      "value": "myAnalyst",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.group.observer",
      "value": "myObserver",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.group.super",
      "value": "mySuperUser",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    }
  ]
}
Response  401

Access denied.

Create New
POST /configuration/ldap

Create a new LDAP Configuration.

Example URI

POST /configuration/ldap
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "total": 14,
  "data": [
    {
      "key": "ldap.config.domain",
      "value": "threatq.com",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.config.filter_field_name",
      "value": "memberUid",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.config.group_field_name",
      "value": "cn",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.config.ou",
      "value": "tqusers",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.config.port",
      "value": "389",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.config.server",
      "value": "ldap://",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.config.uid_key",
      "value": "uid",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.config.use_rdn",
      "value": "1",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.config.user_append_domain",
      "value": "1",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.enabled",
      "value": "0",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.group.administrator",
      "value": "myAdmin",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.group.analyst",
      "value": "myAnalyst",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.group.observer",
      "value": "myObserver",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.group.super",
      "value": "mySuperUser",
      "group": "ldap",
      "created_at": "2017-03-18 15:49:34",
      "updated_at": "2017-03-18 15:49:34"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 14,
  "data": [
    {
      "key": "ldap.enabled",
      "group": "ldap",
      "value": "0",
      "updated_at": "2017-03-18 15:49:34",
      "created_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.config.domain",
      "group": "ldap",
      "value": "threatq.com",
      "updated_at": "2017-03-18 15:49:34",
      "created_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.config.server",
      "group": "ldap",
      "value": "ldap://",
      "updated_at": "2017-03-18 15:49:34",
      "created_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.config.port",
      "group": "ldap",
      "value": "389",
      "updated_at": "2017-03-18 15:49:34",
      "created_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.config.ou",
      "group": "ldap",
      "value": "tqusers",
      "updated_at": "2017-03-18 15:49:34",
      "created_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.config.uid_key",
      "group": "ldap",
      "value": "uid",
      "updated_at": "2017-03-18 15:49:34",
      "created_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.config.use_rdn",
      "group": "ldap",
      "value": "1",
      "updated_at": "2017-03-18 15:49:34",
      "created_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.config.user_append_domain",
      "group": "ldap",
      "value": "1",
      "updated_at": "2017-03-18 15:49:34",
      "created_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.config.group_field_name",
      "group": "ldap",
      "value": "cn",
      "updated_at": "2017-03-18 15:49:34",
      "created_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.config.filter_field_name",
      "group": "ldap",
      "value": "memberUid",
      "updated_at": "2017-03-18 15:49:34",
      "created_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.group.super",
      "group": "ldap",
      "value": "mySuperUser",
      "updated_at": "2017-03-18 15:49:34",
      "created_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.group.administrator",
      "group": "ldap",
      "value": "myAdmin",
      "updated_at": "2017-03-18 15:49:34",
      "created_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.group.analyst",
      "group": "ldap",
      "value": "myAnalyst",
      "updated_at": "2017-03-18 15:49:34",
      "created_at": "2017-03-18 15:49:34"
    },
    {
      "key": "ldap.group.observer",
      "group": "ldap",
      "value": "myObserver",
      "updated_at": "2017-03-18 15:49:34",
      "created_at": "2017-03-18 15:49:34"
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": {
    "ldap.enabled": [
      "The ldap.enabled field is required."
    ],
    "ldap.config.domain": [
      "The ldap.config.domain field is required."
    ],
    "ldap.config.server": [
      "The ldap.config.server field is required."
    ],
    "ldap.config.port": [
      "The ldap.config.port field is required."
    ],
    "ldap.config.use_rdn": [
      "The ldap.config.use rdn field is required."
    ],
    "ldap.config.user_append_domain": [
      "The ldap.config.user append domain field is required."
    ],
    "ldap.config.ou": [
      "The ldap.config.ou field is required."
    ],
    "ldap.config.group_field_name": [
      "The ldap.config.group field name field is required."
    ],
    "ldap.config.filter_field_name": [
      "The ldap.config.filter field name field is required."
    ],
    "ldap.config.uid_key": [
      "The ldap.config.uid key field is required."
    ],
    "ldap.group.super": [
      "The ldap.group.super field is required."
    ],
    "ldap.group.administrator": [
      "The ldap.group.administrator field is required."
    ],
    "ldap.group.analyst": [
      "The ldap.group.analyst field is required."
    ],
    "ldap.group.observer": [
      "The ldap.group.observer field is required."
    ]
  }
}
Response  401

Access denied.
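
The checks below are an added example, not part of the ThreatQ reference: a Python audit of a GET /configuration/ldap response body that verifies the 14 keys the 400 response above lists as required, flags an ldap:// server or port 389 for transport review, and reports a directory group mapped to more than one role. The function names, finding labels and the two constructed variants are this example's own; whether ThreatQ accepts an ldaps:// server value is an assumption.

```python
from urllib.parse import urlsplit

# Keys that the 400 response above reports as required for POST /configuration/ldap.
REQUIRED_LDAP_KEYS = (
    "ldap.enabled", "ldap.config.domain", "ldap.config.server",
    "ldap.config.port", "ldap.config.use_rdn", "ldap.config.user_append_domain",
    "ldap.config.ou", "ldap.config.group_field_name",
    "ldap.config.filter_field_name", "ldap.config.uid_key",
    "ldap.group.super", "ldap.group.administrator",
    "ldap.group.analyst", "ldap.group.observer",
)
ROLE_KEYS = tuple(k for k in REQUIRED_LDAP_KEYS if k.startswith("ldap.group."))


def ldap_settings(body):
    """Flatten the {"total": n, "data": [{"key", "value", ...}]} envelope to a dict."""
    settings = {}
    for row in body.get("data", []):
        value = row.get("value")
        settings[row["key"]] = "" if value is None else str(value)
    return settings


def audit_ldap(body):
    """Return (finding, key) tuples for a GET /configuration/ldap response body."""
    settings = ldap_settings(body)
    findings = [("missing", key) for key in REQUIRED_LDAP_KEYS if not settings.get(key)]

    server = urlsplit(settings.get("ldap.config.server", ""))
    # ldap:// on 389 sends binds unencrypted unless StartTLS is negotiated; the
    # page does not say whether ThreatQ does that, so flag it for review.
    if server.scheme == "ldap" or settings.get("ldap.config.port") == "389":
        findings.append(("cleartext-transport", "ldap.config.server"))
    if server.scheme and not server.hostname:
        findings.append(("server-has-no-host", "ldap.config.server"))

    # One directory group mapped to several ThreatQ roles makes the granted
    # role ambiguous (how ThreatQ resolves the overlap is not stated on the page).
    roles_by_group = {}
    for key in ROLE_KEYS:
        if settings.get(key):
            roles_by_group.setdefault(settings[key].lower(), []).append(key)
    for keys in roles_by_group.values():
        if len(keys) > 1:
            findings.append(("shared-role-group", ",".join(sorted(keys))))
    return findings


def envelope(pairs):
    """Build a response body in the page's shape from a key -> value mapping."""
    rows = [{"key": k, "value": v, "group": "ldap"} for k, v in pairs.items()]
    return {"total": len(rows), "data": rows}


# Values copied from the sample response on this page.
PAGE_SAMPLE = {
    "ldap.config.domain": "threatq.com",
    "ldap.config.filter_field_name": "memberUid",
    "ldap.config.group_field_name": "cn",
    "ldap.config.ou": "tqusers",
    "ldap.config.port": "389",
    "ldap.config.server": "ldap://",
    "ldap.config.uid_key": "uid",
    "ldap.config.use_rdn": "1",
    "ldap.config.user_append_domain": "1",
    "ldap.enabled": "0",
    "ldap.group.administrator": "myAdmin",
    "ldap.group.analyst": "myAnalyst",
    "ldap.group.observer": "myObserver",
    "ldap.group.super": "mySuperUser",
}

# Constructed variants (not from the page). The ldaps:// value assumes the
# server setting accepts that scheme.
LDAPS_VARIANT = dict(PAGE_SAMPLE)
LDAPS_VARIANT.update({"ldap.config.server": "ldaps://dc01.example.test",
                      "ldap.config.port": "636"})
BROKEN_VARIANT = {k: v for k, v in PAGE_SAMPLE.items() if k != "ldap.config.ou"}
BROKEN_VARIANT["ldap.group.analyst"] = "MyObserver"  # same group as observer

if __name__ == "__main__":
    for label, sample in (("page sample", PAGE_SAMPLE),
                          ("ldaps variant", LDAPS_VARIANT),
                          ("broken variant", BROKEN_VARIANT)):
        print(label, audit_ldap(envelope(sample)))
```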

LDAP Disable

LDAP Disable
PUT /configuration/ldap/disable

Disable LDAP.

Example URI

PUT /configuration/ldap/disable
Request
Headers
Authorization: Bearer <access_token>
Body
No Request Body.
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "key": "ldap.enabled",
    "value": "0",
    "group": "ldap",
    "created_at": "2017-03-18 16:30:20",
    "updated_at": "2017-03-18 16:32:43"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "LDAP is already disabled."
  ]
}

{
  "errors": [
    "LDAP configuration not found."
  ]
}
Response  401

Access denied.

LDAP Enable

LDAP Enable
PUT /configuration/ldap/enable

Enable LDAP.

Example URI

PUT /configuration/ldap/enable
Request
Headers
Authorization: Bearer <access_token>
Body
No Request Body.
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "key": "ldap.enabled",
    "value": "1",
    "group": "ldap",
    "created_at": "2017-03-18 15:49:34",
    "updated_at": "2017-03-18 16:20:14"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "LDAP is already enabled."
  ]
}

{
  "errors": [
    "LDAP configuration not found."
  ]
}
Response  401

Access denied.

LDAP Configuration

Delete
DELETE /configuration/ldap/{ldap_key}

Delete an LDAP Configuration. Deleting a single key removes the entire LDAP configuration from the database.

Example URI

DELETE /configuration/ldap/ldap.config.ou
URI Parameters
ldap_key
string (required) Example: ldap.config.ou

LDAP Key

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Proxy Configuration List

Get List
GET /configuration/proxy

Get a list of Proxy Configurations.

Example URI

GET /configuration/proxy
Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 1,
  "data": [
    {
      "name": "internal_proxy_1",
      "password": "password",
      "password_required": true,
      "port": 4000,
      "server": "threatq.com",
      "username": "threatqUser"
    }
  ]
}
Response  401

Access denied.

Create New
POST /configuration/proxy

Create a new Proxy Configuration.

Example URI

POST /configuration/proxy
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "internal_proxy_1",
  "server": "threatq.com",
  "port": "4000",
  "password_required": "true",
  "username": "threatqUser",
  "password": "password"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "name": "internal_proxy_1",
    "server": "threatq.com",
    "port": 4000,
    "password_required": true,
    "username": "threatqUser",
    "password": "password"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": {
    "name": [
      "The name field is required."
    ],
    "server": [
      "The server field is required."
    ]
  }
}
Response  401

Access denied.

Proxy Configuration

Get Single
GET /configuration/proxy/{name}

Get a single Proxy Configuration.

Example URI

GET /configuration/proxy/internal_proxy_1
URI Parameters
name
string (required) Example: internal_proxy_1

Proxy Name

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "name": "internal_proxy_1",
    "password": "password",
    "password_required": true,
    "port": 4000,
    "server": "threatq.com",
    "username": "threatqUser"
  }
}
Response  401

Access denied.

Update
PUT /configuration/proxy/{name}

Update a Proxy Configuration.

Example URI

PUT /configuration/proxy/internal_proxy_1
URI Parameters
name
string (required) Example: internal_proxy_1

Proxy Name

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "internal_proxy_1",
  "server": "threatq.com",
  "port": "4001",
  "password_required": "true",
  "username": "threatqUser1",
  "password": "new_password"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "name": "internal_proxy_1",
    "password": "new_password",
    "password_required": true,
    "port": 4001,
    "server": "threatq.com",
    "username": "threatqUser1"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /configuration/proxy/{name}

Delete a Proxy Configuration.

Example URI

DELETE /configuration/proxy/internal_proxy_1
URI Parameters
name
string (required) Example: internal_proxy_1

Proxy Name

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

TLP

TLP Enable/Disable
PUT /configuration/{tlp.enabled}

Enable or disable TLP.

Example URI

PUT /configuration/tlp.enabled
URI Parameters
tlp.enabled
string (required) Example: tlp.enabled

TLP Key

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{"value":1}

OR

{"value":0}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "key": "tlp.enabled",
    "value": "0",
    "group": "",
    "created_at": "2018-10-22 08:25:08",
    "updated_at": "2018-10-25 09:10:55"
  }
}
Response  401

Access denied.

Connectors

Connector List

Get List
GET /connectors{?limit,offset,sort,with}

Get a list of Connectors.

Example URI

GET /connectors?limit=500&offset=100&sort=id&with=category,definition,runLog,tlp
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: category,definition,runLog,tlp

A comma-separated list of related objects to include in the response. Options for this endpoint: category, definition, runLog, tlp.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 133,
  "data": [
    {
      "id": 1,
      "name": "MITRE Enterprise ATT&CK",
      "namespace": "threatq.connector.osint.mitre_enterprise_att&ck.MitreEnterpriseAtt&ck",
      "version": null,
      "custom_fields": "[{\"name\":\"verify_ssl\",\"label\":\"Verify SSL\",\"type\":\"checkbox\",\"default\":true,\"description\":\"If true, specifies that this feed should verify SSL connections with the provider.\"},{\"name\":\"disable_proxies\",\"label\":\"Disable Proxies\",\"type\":\"checkbox\",\"default\":false,\"description\":\"If true, specifies that this feed should not honor any proxies setup in ThreatQuotient.\"},{\"name\":\"save_intrusion_sets_as\",\"label\":\"Save Intrusion Sets as\",\"type\":\"select\",\"description\":\"MITRE releases Threat Actor Data as Intrusion Sets.  ThreatQuotient recommends mapping this data to ThreatQ Adversaries in order to create a consolidated profile.\",\"options\":[{\"text\":\"Adversaries\",\"value\":\"Adversaries\",\"default\":true},{\"text\":\"Intrusion Sets\",\"value\":\"Intrusion Sets\",\"default\":false}],\"value\":\"Adversaries\"}]",
      "frequency": 86400,
      "category_id": 1,
      "connector_definition_id": 1,
      "indicator_status_id": 2,
      "tlp_id": null,
      "gate_oauth2_client_id": 5,
      "last_import_at": null,
      "last_import_count": null,
      "is_active": "disabled",
      "created_at": "2019-10-23 14:50:59",
      "updated_at": "2019-10-23 14:54:41",
      "run_log": [],
      "definition": {
        "id": 1,
        "definition_yaml": "This is the CDF YAML.",
        "created_at": "2019-10-23 14:54:31",
        "updated_at": "2019-10-23 14:54:31"
      },
      "category": {
        "id": 1,
        "name": "OSINT",
        "created_at": "2019-10-23 14:45:56",
        "updated_at": "2019-10-23 14:45:56"
      }
    },
    {
      "id": 2,
      "name": "My Custom CDF",
      "namespace": "threatq.feeds.MyCustomCDF",
      "version": "1.0.0",
      "custom_fields": "[]",
      "frequency": 3600,
      "category_id": 1,
      "connector_definition_id": 2,
      "indicator_status_id": 1,
      "tlp_id": null,
      "gate_oauth2_client_id": 6,
      "last_import_at": null,
      "last_import_count": null,
      "is_active": "enabled",
      "created_at": "2019-10-23 14:51:00",
      "updated_at": "2019-10-23 14:51:00",
      "run_log": [
        {
          "run_uuid": "9a289b38-62fa-45c7-bfe2-7dd4de3fcc11",
          "connector_id": 2,
          "client_id": 1,
          "user_id": 1,
          "trigger_type": "scheduled",
          "since": null,
          "until": null,
          "expired": 0,
          "created_at": "2019-10-23 14:55:39",
          "updated_at": "2019-10-23 14:55:39",
          "has_files": true
        }
      ],
      "definition": {
        "id": 2,
        "definition_yaml": "This is my custom CDF YAML.",
        "created_at": "2019-10-23 14:54:31",
        "updated_at": "2019-10-23 14:54:31"
      },
      "category": {
        "id": 1,
        "name": "OSINT",
        "created_at": "2019-10-23 14:45:56",
        "updated_at": "2019-10-23 14:45:56"
      }
    }
  ]
}
Response  401

Access denied.
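
An added example (not ThreatQ code): because custom_fields arrives as a JSON array encoded inside a string, a second decode is needed before a connector's verify_ssl, disable_proxies or feed_url setting can be reviewed. The sample body is constructed and trimmed to the fields used; the finding labels and function names are this example's own.

```python
import json


def effective_settings(connector):
    """Decode custom_fields into name -> value, falling back to each field's default.

    Returns None when the string is not a JSON array, so the caller can
    report the connector instead of silently treating it as clean.
    """
    raw = connector.get("custom_fields") or "[]"
    try:
        fields = json.loads(raw)
    except (TypeError, ValueError):
        return None
    if not isinstance(fields, list):
        return None
    return {
        field["name"]: field.get("value", field.get("default"))
        for field in fields
        if isinstance(field, dict) and "name" in field
    }


def audit_connectors(body):
    """Return (connector id, is_active, finding) tuples for a GET /connectors body."""
    findings = []
    for connector in body.get("data", []):
        ident = (connector.get("id"), connector.get("is_active"))
        settings = effective_settings(connector)
        if settings is None:
            findings.append(ident + ("custom_fields-unparseable",))
            continue
        # The feed fetches over TLS without validating the provider's certificate.
        if settings.get("verify_ssl") is False:
            findings.append(ident + ("tls-verification-off",))
        # The feed ignores the proxies configured under /configuration/proxy.
        if settings.get("disable_proxies") is True:
            findings.append(ident + ("proxy-bypassed",))
        if str(settings.get("feed_url") or "").lower().startswith("http://"):
            findings.append(ident + ("cleartext-feed-url",))
    return findings


# Constructed sample in the shape of the response above, trimmed to the
# fields this audit reads. Connectors 3 and 4 are invented for the example.
SAMPLE_BODY = {
    "total": 4,
    "data": [
        {"id": 1, "is_active": "disabled", "custom_fields": json.dumps([
            {"name": "verify_ssl", "type": "checkbox", "default": True},
            {"name": "disable_proxies", "type": "checkbox", "default": False},
        ])},
        {"id": 2, "is_active": "enabled", "custom_fields": "[]"},
        {"id": 3, "is_active": "enabled", "custom_fields": json.dumps([
            {"name": "feed_url", "value": "http://feeds.example.test/taxii/"},
            {"name": "verify_ssl", "type": "checkbox", "default": True, "value": False},
            {"name": "disable_proxies", "type": "checkbox", "value": True},
        ])},
        {"id": 4, "is_active": "disabled", "custom_fields": "[{\"name\":"},
    ],
}

if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_BODY):
        print(finding)
```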

Create New
POST /connectors

Create a new Connector.

Example URI

POST /connectors
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "category": "STIX/TAXII",
  "custom_fields": "[{\"name\":\"version\",\"type\":\"select\",\"options\":[{\"text\":\"1.0\",\"value\":\"1.0\"},{\"text\":\"1.1\",\"value\":\"1.1\"},{\"text\":\"2.0\",\"value\":\"2.0\",\"default\":true}],\"label\":\"TAXII Server Version\",\"description\":\"The version of the TAXII Server to poll for data.\",\"required\":true,\"value\":\"2.0\"},{\"name\":\"feed_url\",\"value\":\"https://cti-taxii.mitre.org/taxii/\",\"label\":\"Discovery Path URL\",\"description\":\"Path to the TAXII Server's Discovery Service\",\"required\":true},{\"name\":\"poll_url\",\"value\":\"\",\"label\":\"Poll URL (Optional)\",\"description\":\"Optional URL specifying a specific endpoint on the TAXII Server to poll for data. If not supplied, the TAXII Client will attempt to determine the appropriate path via the Collections Service.\"},{\"name\":\"collection_name\",\"value\":\"Enterprise ATT&CK\",\"label\":\"Collection Name\",\"description\":\"Name of the collection to poll data from\",\"required\":true},{\"name\":\"disable_proxies\",\"type\":\"checkbox\",\"value\":false,\"label\":\"Disable Proxies\",\"description\":\"If true, specifies that this feed should not honor any proxies setup in ThreatQuotient.\"},{\"name\":\"username\",\"value\":\"\",\"label\":\"Username\",\"description\":\"Basic Authentication Username\"},{\"name\":\"password\",\"value\":\"\",\"type\":\"password\",\"label\":\"Password\",\"description\":\"Basic Authentication Password\"},{\"name\":\"certificate\",\"type\":\"textarea\",\"value\":\"\",\"label\":\"Client Certificate\",\"description\":\"Client Certificate for authentication with the TAXII Server. Only supported by TAXII 1.x.\"},{\"name\":\"private_key\",\"type\":\"textarea\",\"value\":\"\",\"label\":\"Client Key\",\"description\":\"Private Key for authentication with the TAXII Server. Only supported by TAXII 1.x.\"},{\"name\":\"verify_ssl\",\"type\":\"checkbox\",\"value\":true,\"label\":\"Verify SSL\",\"description\":\"Specifies whether the TAXII client should verify a provider's SSL certificate\"},{\"name\":\"host_ca_certificate\",\"type\":\"textarea\",\"value\":\"\",\"label\":\"Host CA Certificate Bundle\",\"description\":\"Used to specify a provider's CA Certificate Bundle to verify SSL against. This denotes that Verify SSL is True.\"}]",
  "indicator_status_id": 1,
  "is_active": "disabled",
  "frequency": 86400,
  "name": "MITRE ATT&CK Enterprise Clone",
  "namespace": "threatq.feeds.dynamic.taxii.MitreAttCkEnterpriseClone"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "frequency": 86400,
    "is_active": "disabled",
    "indicator_status_id": 1,
    "category_id": 4,
    "custom_fields": "[{\"name\":\"version\",\"type\":\"select\",\"options\":[{\"text\":\"1.0\",\"value\":\"1.0\"},{\"text\":\"1.1\",\"value\":\"1.1\"},{\"text\":\"2.0\",\"value\":\"2.0\",\"default\":true}],\"label\":\"TAXII Server Version\",\"description\":\"The version of the TAXII Server to poll for data.\",\"required\":true,\"value\":\"2.0\"},{\"name\":\"feed_url\",\"value\":\"https://cti-taxii.mitre.org/taxii/\",\"label\":\"Discovery Path URL\",\"description\":\"Path to the TAXII Server's Discovery Service\",\"required\":true},{\"name\":\"poll_url\",\"value\":\"\",\"label\":\"Poll URL (Optional)\",\"description\":\"Optional URL specifying a specific endpoint on the TAXII Server to poll for data. If not supplied, the TAXII Client will attempt to determine the appropriate path via the Collections Service.\"},{\"name\":\"collection_name\",\"value\":\"Enterprise ATT&CK\",\"label\":\"Collection Name\",\"description\":\"Name of the collection to poll data from\",\"required\":true},{\"name\":\"disable_proxies\",\"type\":\"checkbox\",\"value\":false,\"label\":\"Disable Proxies\",\"description\":\"If true, specifies that this feed should not honor any proxies setup in ThreatQuotient.\"},{\"name\":\"username\",\"value\":\"\",\"label\":\"Username\",\"description\":\"Basic Authentication Username\"},{\"name\":\"password\",\"value\":\"\",\"type\":\"password\",\"label\":\"Password\",\"description\":\"Basic Authentication Password\"},{\"name\":\"certificate\",\"type\":\"textarea\",\"value\":\"\",\"label\":\"Client Certificate\",\"description\":\"Client Certificate for authentication with the TAXII Server. Only supported by TAXII 1.x.\"},{\"name\":\"private_key\",\"type\":\"textarea\",\"value\":\"\",\"label\":\"Client Key\",\"description\":\"Private Key for authentication with the TAXII Server. Only supported by TAXII 1.x.\"},{\"name\":\"verify_ssl\",\"type\":\"checkbox\",\"value\":true,\"label\":\"Verify SSL\",\"description\":\"Specifies whether the TAXII client should verify a provider's SSL certificate\"},{\"name\":\"host_ca_certificate\",\"type\":\"textarea\",\"value\":\"\",\"label\":\"Host CA Certificate Bundle\",\"description\":\"Used to specify a provider's CA Certificate Bundle to verify SSL against. This denotes that Verify SSL is True.\"}]",
    "name": "MITRE ATT&CK Enterprise Clone",
    "namespace": "threatq.feeds.dynamic.taxii.MitreAttCkEnterpriseClone",
    "gate_oauth2_client_id": 108,
    "connector_definition_id": "1",
    "updated_at": "2020-06-05 14:55:49",
    "created_at": "2020-06-05 14:55:49",
    "id": 104,
    "category": {
      "id": 4,
      "name": "STIX/TAXII",
      "created_at": "2020-06-05 14:55:48",
      "updated_at": "2020-06-05 14:55:48"
    },
    "gate_oauth2_client": {
      "session_timeout_minutes": 60,
      "name": "MITRE ATT&CK Enterprise Clone",
      "type": "private",
      "client_id": "yzcyztm1ztvky2ywogy5odjjoda3ndmw",
      "client_secret": "ZWUyMjIzNGRmNmUzMGEzYjk2YmMxYjllMWU1NzFmYTFhODRjYjljNjVlM2U0MDg3",
      "updated_at": "2020-06-05 14:55:49",
      "created_at": "2020-06-05 14:55:49",
      "id": 108
    }
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "frequency": 3600,
    "is_active": "disabled",
    "errors": {
      "name": [
        "The name field is required."
      ]
    }
  }
}
Response  401

Access denied.

Connector Categories List

Get List
GET /connectors/categories{?limit,offset,sort,with}

Get a list of Connector Categories.

Example URI

GET /connectors/categories?limit=500&offset=100&sort=id&with=connectors
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: connectors

A comma-separated list of related objects to include in the response. Options for this endpoint: connectors.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 4,
  "data": [
    {
      "id": 1,
      "name": "OSINT",
      "created_at": "2017-03-18 00:05:16",
      "updated_at": "2017-03-18 00:05:16"
    },
    {
      "id": 2,
      "name": "Commercial",
      "created_at": "2017-03-18 00:05:16",
      "updated_at": "2017-03-18 00:05:16"
    },
    {
      "id": 3,
      "name": "Labs",
      "created_at": "2017-03-18 00:05:16",
      "updated_at": "2017-03-18 00:05:16"
    }
  ]
}
Response  401

Access denied.

Create New
POST /connectors/categories

Create a new Connector Category.

Example URI

POST /connectors/categories
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "My Category"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "name": "My Category",
    "updated_at": "2017-03-19 23:21:19",
    "created_at": "2017-03-19 23:21:19",
    "id": 5
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "errors": {
      "name": [
        "The name field is required."
      ]
    }
  }
}
Response  401

Access denied.

Connector Category

Get Single
GET /connectors/categories/{connector_category_id}{?with}

Get a single Connector Category.

Example URI

GET /connectors/categories/2?with=connectors
URI Parameters
connector_category_id
integer (required) Example: 2

Connector Category ID

with
string (optional) Example: connectors

A comma-separated list of related objects to include in the response. Options for this endpoint: connectors.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "name": "OSINT",
    "created_at": "2017-03-18 00:05:16",
    "updated_at": "2017-03-18 00:05:16"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /connectors/categories/{connector_category_id}{?with}

Update a Connector Category.

Example URI

PUT /connectors/categories/2?with=connectors
URI Parameters
connector_category_id
integer (required) Example: 2

Connector Category ID

with
string (optional) Example: connectors

A comma-separated list of related objects to include in the response. Options for this endpoint: connectors.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "My Updated Category"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 5,
    "name": "My Updated Category",
    "created_at": "2017-03-19 23:21:19",
    "updated_at": "2017-03-19 23:28:18"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /connectors/categories/{connector_category_id}

Delete a Connector Category.

Example URI

DELETE /connectors/categories/2
URI Parameters
connector_category_id
integer (required) Example: 2

Connector Category ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Connector Definition List

Get List
GET /connectors/definitions{?limit,offset,sort,with}

Get a list of Connector Definitions.

Example URI

GET /connectors/definitions?limit=500&offset=100&sort=id&with=connectors
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: connectors

A comma-separated list of related objects to include in the response. Options for this endpoint: connectors.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 1,
      "definition_yaml": "This is some YAML.",
      "created_at": "2017-10-23 14:54:31",
      "updated_at": "2017-10-23 14:54:31",
      "connectors": [
        {
          "id": 1,
          "name": "Bambenek Consulting - Murofet Master",
          "namespace": "threatq.connector.osint.bambenek.BambenekMurofetMaster",
          "custom_fields": "{\"feed_url\": {\"order\": 1, \"value\": \"http://osint.bambenekconsulting.com/feeds/murofet-master.txt\", \"label\": \"Feed URL\"}}",
          "frequency": 3600,
          "category_id": 1,
          "connector_definition_id": 1,
          "indicator_status_id": 2,
          "tlp_id": null,
          "gate_oauth2_client_id": 5,
          "last_import_at": null,
          "last_import_count": null,
          "is_active": "disabled",
          "created_at": "2017-10-23 14:50:59",
          "updated_at": "2017-10-23 14:54:41"
        },
        {
          "id": 2,
          "name": "Bambenek Consulting - Symmi Master",
          "namespace": "threatq.connector.osint.bambenek.BambenekSymmiMaster",
          "custom_fields": "{\"feed_url\": {\"order\": 1, \"value\": \"http://osint.bambenekconsulting.com/feeds/symmi-master.txt\", \"label\": \"Feed URL\"}}",
          "frequency": 3600,
          "category_id": 1,
          "connector_definition_id": 1,
          "indicator_status_id": 1,
          "tlp_id": null,
          "gate_oauth2_client_id": 6,
          "last_import_at": null,
          "last_import_count": null,
          "is_active": "disabled",
          "created_at": "2017-10-23 14:51:00",
          "updated_at": "2017-10-23 14:51:00"
        }
      ]
    },
    {
      "id": 2,
      "definition_yaml": "This is some more YAML.",
      "created_at": "2017-10-23 15:31:34",
      "updated_at": "2017-10-23 15:31:34",
      "connectors": [
        {
          "id": 3,
          "name": "SecureWorks Dirt Jumper C2 IP Watchlist",
          "namespace": "threatq.connector.secureworks.connector.SecureWorksDirtJumperC2IPWatchlist",
          "custom_fields": "{\"api_key\": {\"type\": \"password\", \"order\": 1, \"value\": \"\", \"label\": \"Application Key\"}, \"feed_url\": {\"order\": 2, \"value\": \"https://portal.secureworks.com/attackerdb/blackList?Token={token}&type={type}&schemaVersion=v1&format=csv\", \"label\": \"Feed URL\"}}",
          "frequency": 3600,
          "category_id": 2,
          "connector_definition_id": 2,
          "indicator_status_id": 1,
          "tlp_id": null,
          "gate_oauth2_client_id": 7,
          "last_import_at": null,
          "last_import_count": null,
          "is_active": "disabled",
          "created_at": "2017-10-23 14:51:00",
          "updated_at": "2017-10-23 14:51:00"
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /connectors/definitions

Create a new Connector Definition.

Example URI

POST /connectors/definitions
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "definition_yaml": "This is some YAML."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "definition_yaml": "This is some YAML.",
    "updated_at": "2017-10-23 15:31:34",
    "created_at": "2017-10-23 15:31:34",
    "id": 2
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "errors": {
      "definition_yaml": [
        "The definition yaml field is required."
      ]
    }
  }
}
Response  401

Access denied.

Connector Definition

Get Single
GET /connectors/definitions/{connector_definition_id}{?with}

Get a single Connector Definition.

Example URI

GET /connectors/definitions/2?with=connectors
URI Parameters
connector_definition_id
integer (required) Example: 2

Connector Definition ID

with
string (optional) Example: connectors

A comma-separated list of related objects to include in the response. Options for this endpoint: connectors.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "definition_yaml": "This is some YAML.",
    "created_at": "2017-10-23 14:54:31",
    "updated_at": "2017-10-23 14:54:31",
    "connectors": [
      {
        "id": 1,
        "name": "Bambenek Consulting - Murofet Master",
        "namespace": "threatq.connector.osint.bambenek.BambenekMurofetMaster",
        "custom_fields": "{\"feed_url\": {\"order\": 1, \"value\": \"http://osint.bambenekconsulting.com/feeds/murofet-master.txt\", \"label\": \"Feed URL\"}}",
        "frequency": 3600,
        "category_id": 1,
        "connector_definition_id": 1,
        "indicator_status_id": 2,
        "tlp_id": null,
        "gate_oauth2_client_id": 5,
        "last_import_at": null,
        "last_import_count": null,
        "is_active": "disabled",
        "created_at": "2017-10-23 14:50:59",
        "updated_at": "2017-10-23 14:54:41"
      },
      {
        "id": 2,
        "name": "Bambenek Consulting - Symmi Master",
        "namespace": "threatq.connector.osint.bambenek.BambenekSymmiMaster",
        "custom_fields": "{\"feed_url\": {\"order\": 1, \"value\": \"http://osint.bambenekconsulting.com/feeds/symmi-master.txt\", \"label\": \"Feed URL\"}}",
        "frequency": 3600,
        "category_id": 1,
        "connector_definition_id": 1,
        "indicator_status_id": 1,
        "tlp_id": null,
        "gate_oauth2_client_id": 6,
        "last_import_at": null,
        "last_import_count": null,
        "is_active": "disabled",
        "created_at": "2017-10-23 14:51:00",
        "updated_at": "2017-10-23 14:51:00"
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /connectors/definitions/{connector_definition_id}{?with}

Update a Connector Definition.

Example URI

PUT /connectors/definitions/2?with=connectors
URI Parameters
connector_definition_id
integer (required) Example: 2

Connector Definition ID

with
string (optional) Example: connectors

A comma-separated list of related objects to include in the response. Options for this endpoint: connectors.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "definition_yaml": "This is some more YAML."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 1,
    "definition_yaml": "This is some more YAML.",
    "created_at": "2017-10-20 06:57:40",
    "updated_at": "2017-10-20 06:59:03"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Connector Manual Pull

Connector Manual Pull
POST /connectors/{connector_id}/manual

Perform a manual run of a Connector (feed).

Example URI

POST /connectors/1/manual
URI Parameters
connector_id
integer (required) Example: 1

Connector ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "since": "2017-09-11",
  "until": "2017-09-13 01:15:00"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "since": "2017-09-11 00:00:00",
    "until": "2017-09-13 01:15:00",
    "feed_id": 1,
    "feed_name": "Feed",
    "run_uuid": "fb543043-9822-11e7-a110-080027981579",
    "user_fields": {
      "api_key": {
        "order": 1,
        "value": "",
        "label": "API Key"
      },
      "feed_url": {
        "order": 2,
        "value": "https://feed.com/{api_key}/reputation.data",
        "label": "Feed URL"
      }
    }
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    [
      "Connector is disabled."
    ]
  ]
}
Response  401

Access denied.

Connector Run Log Event List

Get List
GET /connectors/{connector_id}/runs/{run_uuid}/events{?limit,offset,sort,with}

Get a list of Connector Run Log Events.

Example URI

GET /connectors/1/runs/49d210f4-93cd-11e7-888c-080027981579/events?limit=500&offset=100&sort=id&with=messageType
URI Parameters
connector_id
integer (required) Example: 1

Connector ID

run_uuid
string (required) Example: 49d210f4-93cd-11e7-888c-080027981579

Run Log UUID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: messageType

A comma-separated list of related objects to include in the response. Options for this endpoint: messageType.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    "request_0.json",
    "response_0.json"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Create New
POST /connectors/{connector_id}/runs/{run_uuid}/events

Create a new Connector Run Log Event.

Example URI

POST /connectors/1/runs/49d210f4-93cd-11e7-888c-080027981579/events
URI Parameters
connector_id
integer (required) Example: 1

Connector ID

run_uuid
string (required) Example: 49d210f4-93cd-11e7-888c-080027981579

Run Log UUID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "message_type_id": "1",
  "description": "This is how the event went down.",
  "occurred_at": "2017-09-14 19:56:09-00:00"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "run_uuid": "2dc43f6f-9fb0-11e7-bab0-08002737f846",
    "message_type_id": "1",
    "description": "This is how the event went down.",
    "occurred_at": "2017-09-14 19:56:09-00:00",
    "id": 5
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: message_type_id"
  ]
}
Response  401

Access denied.

Connector Run Log File List

Connector Run Log File List
GET /connectors/{connector_id}/runs/{run_uuid}/files

Get a list of Connector Run Log files.

Example URI

GET /connectors/1/runs/49d210f4-93cd-11e7-888c-080027981579/files
URI Parameters
connector_id
integer (required) Example: 1

Connector ID

run_uuid
string (required) Example: 49d210f4-93cd-11e7-888c-080027981579

Run Log UUID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    "request_0.json",
    "response_0.json"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Connector Run Log File Download

Connector Run Log File Download
POST /connectors/{connector_id}/runs/{run_uuid}/files/download

Download Connector Run Log files as a zip archive. Specify the desired files in the request, or leave the request empty to download all files. You can provide a password for the zip file; if you do not, the password is set to “threatq” by default. The zip filename has the format “feed-run-<run_uuid>.zip”.

Example URI

POST /connectors/1/runs/49d210f4-93cd-11e7-888c-080027981579/files/download
URI Parameters
connector_id
integer (required) Example: 1

Connector ID

run_uuid
string (required) Example: 49d210f4-93cd-11e7-888c-080027981579

Run Log UUID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "filenames": [
    "request_0.txt",
    "response_0.txt",
    "errors_0.txt"
  ],
  "password": "password"
}
Response  200

Object(s) retrieved successfully.

Body
Downloaded zip file in format "feed-run-<run_uuid>.zip"
Response  401

Access denied.

Response  404

Object not found.
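
The following is an added example, not part of the ThreatQ reference: a Python helper that builds the download request so the archive never falls back to the documented default password. The function name, the host `threatq.example.test`, the 16-character minimum and the rule that requested names must come from the run's file list are assumptions made for this example.

```python
import json
import secrets
import uuid
from urllib.parse import urlsplit
from urllib.request import Request

# Documented default used by the API when the request carries no password.
DEFAULT_ZIP_PASSWORD = "threatq"


def build_run_log_download(base_uri, token, connector_id, run_uuid,
                           listed_files, wanted=None, password=None):
    """Return (urllib Request, zip password) for the files/download endpoint.

    listed_files is the "data" array returned by
    GET /connectors/{connector_id}/runs/{run_uuid}/files.
    """
    if urlsplit(base_uri).scheme != "https":
        raise ValueError("base URI must use https")
    connector_id = int(connector_id)
    if connector_id < 1:
        raise ValueError("connector_id must be a positive integer")
    # Normalise and validate the run UUID locally instead of waiting for a 400.
    run = str(uuid.UUID(str(run_uuid)))

    # Name the files explicitly and only accept names the API itself listed.
    wanted = list(listed_files) if wanted is None else list(wanted)
    unknown = [name for name in wanted if name not in listed_files]
    if unknown:
        raise ValueError(f"not in the run's file list: {unknown}")

    # Always send a password: generate one unless the caller supplies one.
    if password is None:
        password = secrets.token_urlsafe(24)
    if password == DEFAULT_ZIP_PASSWORD or len(password) < 16:
        raise ValueError("zip password is the documented default or too short")

    url = (f"{base_uri.rstrip('/')}/connectors/{connector_id}"
           f"/runs/{run}/files/download")
    body = json.dumps({"filenames": wanted, "password": password}).encode()
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"Bearer {token}",
    }
    return Request(url, data=body, headers=headers, method="POST"), password


if __name__ == "__main__":
    # Constructed values; nothing is sent over the network here.
    req, pw = build_run_log_download(
        "https://threatq.example.test/api/", "ACCESS_TOKEN_PLACEHOLDER", 1,
        "49d210f4-93cd-11e7-888c-080027981579",
        ["request_0.json", "response_0.json"],
    )
    print(req.get_method(), req.full_url)
    print("files:", json.loads(req.data)["filenames"])
```

The returned password is needed to open the archive, so hand it to whoever receives the zip through a separate channel from the file itself.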

Connector Run Log Summary

Connector Run Log Summary
GET /connectors/{connector_id}/runs/{run_uuid}/summary

Get a list of object counts for a Connector Run Log.

Example URI

GET /connectors/1/runs/49d210f4-93cd-11e7-888c-080027981579/summary
URI Parameters
connector_id
integer (required) Example: 1

Connector ID

run_uuid
string (required) Example: 49d210f4-93cd-11e7-888c-080027981579

Run Log UUID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "object_type": "adversaries",
      "count": 8
    },
    {
      "object_type": "adversary_sources",
      "count": 3
    },
    {
      "object_type": "indicator_attributes",
      "count": 7
    },
    {
      "object_type": "indicators",
      "count": 10
    }
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Connector

Get Single
GET /connectors/{connector_id}{?with}

Get a single Connector.

Example URI

GET /connectors/1?with=category,definition,runLog,tlp
URI Parameters
connector_id
integer (required) Example: 1

Connector ID

with
string (optional) Example: category,definition,runLog,tlp

A comma-separated list of related objects to include in the response. Options for this endpoint: category, definition, runLog, tlp.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "name": "MITRE Enterprise ATT&CK",
    "namespace": "threatq.connector.osint.mitre_enterprise_att&ck.MitreEnterpriseAtt&ck",
    "version": null,
    "custom_fields": "[{\"name\":\"verify_ssl\",\"label\":\"Verify SSL\",\"type\":\"checkbox\",\"default\":true,\"description\":\"If true, specifies that this feed should verify SSL connections with the provider.\"},{\"name\":\"disable_proxies\",\"label\":\"Disable Proxies\",\"type\":\"checkbox\",\"default\":false,\"description\":\"If true, specifies that this feed should not honor any proxies setup in ThreatQuotient.\"},{\"name\":\"save_intrusion_sets_as\",\"label\":\"Save Intrusion Sets as\",\"type\":\"select\",\"description\":\"MITRE releases Threat Actor Data as Intrusion Sets.  ThreatQuotient recommends mapping this data to ThreatQ Adversaries in order to create a consolidated profile.\",\"options\":[{\"text\":\"Adversaries\",\"value\":\"Adversaries\",\"default\":true},{\"text\":\"Intrusion Sets\",\"value\":\"Intrusion Sets\",\"default\":false}],\"value\":\"Adversaries\"}]",
    "frequency": 86400,
    "category_id": 1,
    "connector_definition_id": 1,
    "indicator_status_id": 2,
    "tlp_id": null,
    "gate_oauth2_client_id": 5,
    "last_import_at": null,
    "last_import_count": null,
    "is_active": "disabled",
    "created_at": "2019-10-23 14:50:59",
    "updated_at": "2019-10-23 14:54:41",
    "definition": {
      "id": 1,
      "definition_yaml": "This is the CDF YAML.",
      "created_at": "2019-10-23 14:54:31",
      "updated_at": "2019-10-23 14:54:31"
    },
    "category": {
      "id": 1,
      "name": "OSINT",
      "created_at": "2019-10-23 14:45:56",
      "updated_at": "2019-10-23 14:45:56"
    },
    "tlp": null,
    "run_log": []
  }
}
Response  401

Access denied.

Response  404

Object not found.
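
In the Connector responses in this reference, `custom_fields` is a JSON document encoded as a string inside the JSON body, and it appears in two shapes: a list of objects that each carry a `name`, and an object keyed by field name. The following added example (not part of the ThreatQ reference) decodes both shapes and reports settings a reviewer would want to see: `verify_ssl` off, `disable_proxies` on, a feed URL that is not https, and secrets present in the response. The function names, the findings wording, the rule that `value` overrides `default`, and the sample response are assumptions constructed for this example.

```python
import json
from urllib.parse import urlsplit

URL_FIELDS = {"feed_url", "poll_url"}
SECRET_NAMES = {"private_key", "api_key"}  # besides any field of type "password"


def decode_custom_fields(raw):
    """Return {field_name: field_dict} for either encoding of custom_fields."""
    parsed = json.loads(raw) if isinstance(raw, str) else raw
    if isinstance(parsed, list):      # [{"name": "verify_ssl", ...}, ...]
        return {f["name"]: f for f in parsed
                if isinstance(f, dict) and "name" in f}
    if isinstance(parsed, dict):      # {"feed_url": {"value": ...}, ...}
        return {k: v for k, v in parsed.items() if isinstance(v, dict)}
    raise ValueError("unexpected custom_fields shape")


def effective_value(field):
    # Assumption: an explicit "value" overrides "default" when both exist.
    return field["value"] if "value" in field else field.get("default")


def audit_connector(connector):
    """Return a list of (field, issue) tuples for one connector object."""
    findings = []
    fields = decode_custom_fields(connector.get("custom_fields") or "[]")
    for name, field in fields.items():
        value = effective_value(field)
        if name == "verify_ssl" and value is False:
            findings.append((name, "TLS certificate verification is off"))
        elif name == "disable_proxies" and value is True:
            findings.append((name, "feed bypasses the configured proxy"))
        elif name in URL_FIELDS and isinstance(value, str) and value:
            if urlsplit(value).scheme.lower() != "https":
                findings.append((name, "feed is not fetched over https"))
        elif (field.get("type") == "password" or name in SECRET_NAMES) and value:
            findings.append((name, "secret value present in API response"))
    client = connector.get("gate_oauth2_client") or {}
    if client.get("client_secret"):
        findings.append(("gate_oauth2_client.client_secret",
                         "OAuth2 client secret present in API response"))
    return findings


def audit_response(body):
    """Accept the data envelope as a single object or as a collection."""
    data = body.get("data", body)
    connectors = data if isinstance(data, list) else [data]
    return {c.get("name", c.get("id")): audit_connector(c) for c in connectors}


# Constructed sample modelled on the response shapes in this reference.
SAMPLE_RESPONSE = {
    "total": 3,
    "data": [
        {"id": 1, "name": "Example TAXII feed",
         "custom_fields": json.dumps([
             {"name": "verify_ssl", "type": "checkbox", "value": False},
             {"name": "disable_proxies", "type": "checkbox", "value": False},
             {"name": "feed_url", "value": "https://taxii.example.test/taxii/"},
             {"name": "password", "type": "password", "value": ""},
         ]),
         "gate_oauth2_client": {"id": 9, "client_secret": "CONSTRUCTED-PLACEHOLDER"}},
        {"id": 2, "name": "Example list feed",
         "custom_fields": json.dumps({
             "feed_url": {"order": 1, "label": "Feed URL",
                          "value": "http://feeds.example.test/list.txt"},
             "api_key": {"type": "password", "order": 2, "value": ""},
         })},
        {"id": 3, "name": "Example default feed",
         "custom_fields": json.dumps([
             {"name": "verify_ssl", "type": "checkbox", "default": True},
         ])},
    ],
}

if __name__ == "__main__":
    for connector_name, findings in audit_response(SAMPLE_RESPONSE).items():
        for field_name, issue in findings:
            print(f"{connector_name}: {field_name}: {issue}")
```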

Update
PUT /connectors/{connector_id}{?with}

Update a Connector.

Example URI

PUT /connectors/104?with=category,definition,runLog,tlp
URI Parameters
connector_id
integer (required) Example: 104

Connector ID

with
string (optional) Example: category,definition,runLog,tlp

A comma-separated list of related objects to include in the response. Options for this endpoint: category, definition, runLog, tlp.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "is_active": "enabled"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 104,
    "name": "MITRE ATT&CK Enterprise Clone",
    "namespace": "threatq.feeds.dynamic.taxii.MitreAttCkEnterpriseClone",
    "version": null,
    "custom_fields": "[{\"name\":\"version\",\"type\":\"select\",\"options\":[{\"text\":\"1.0\",\"value\":\"1.0\"},{\"text\":\"1.1\",\"value\":\"1.1\"},{\"text\":\"2.0\",\"value\":\"2.0\",\"default\":true}],\"label\":\"TAXII Server Version\",\"description\":\"The version of the TAXII Server to poll for data.\",\"required\":true,\"value\":\"2.0\"},{\"name\":\"feed_url\",\"value\":\"https://cti-taxii.mitre.org/taxii/\",\"label\":\"Discovery Path URL\",\"description\":\"Path to the TAXII Server's Discovery Service\",\"required\":true},{\"name\":\"poll_url\",\"value\":\"\",\"label\":\"Poll URL (Optional)\",\"description\":\"Optional URL specifying a specific endpoint on the TAXII Server to poll for data. If not supplied, the TAXII Client will attempt to determine the appropriate path via the Collections Service.\"},{\"name\":\"collection_name\",\"value\":\"Enterprise ATT&CK\",\"label\":\"Collection Name\",\"description\":\"Name of the collection to poll data from\",\"required\":true},{\"name\":\"disable_proxies\",\"type\":\"checkbox\",\"value\":false,\"label\":\"Disable Proxies\",\"description\":\"If true, specifies that this feed should not honor any proxies setup in ThreatQuotient.\"},{\"name\":\"username\",\"value\":\"\",\"label\":\"Username\",\"description\":\"Basic Authentication Username\"},{\"name\":\"password\",\"value\":\"\",\"type\":\"password\",\"label\":\"Password\",\"description\":\"Basic Authentication Password\"},{\"name\":\"certificate\",\"type\":\"textarea\",\"value\":\"\",\"label\":\"Client Certificate\",\"description\":\"Client Certificate for authentication with the TAXII Server. Only supported by TAXII 1.x.\"},{\"name\":\"private_key\",\"type\":\"textarea\",\"value\":\"\",\"label\":\"Client Key\",\"description\":\"Private Key for authentication with the TAXII Server. Only supported by TAXII 1.x.\"},{\"name\":\"verify_ssl\",\"type\":\"checkbox\",\"value\":true,\"label\":\"Verify SSL\",\"description\":\"Specifies whether the TAXII client should verify a provider's SSL certificate\"},{\"name\":\"host_ca_certificate\",\"type\":\"textarea\",\"value\":\"\",\"label\":\"Host CA Certificate Bundle\",\"description\":\"Used to specify a provider's CA Certificate Bundle to verify SSL against. This denotes that Verify SSL is True.\"}]",
    "frequency": 86400,
    "category_id": 4,
    "connector_definition_id": 1,
    "indicator_status_id": 1,
    "tlp_id": null,
    "gate_oauth2_client_id": 108,
    "last_import_at": "2020-06-05 15:05:43",
    "last_import_count": null,
    "is_active": "enabled",
    "is_notifiable": 1,
    "created_at": "2020-06-05 14:55:49",
    "updated_at": "2020-06-05 15:11:37",
    "category": {
      "id": 4,
      "name": "STIX/TAXII",
      "created_at": "2020-06-05 14:55:48",
      "updated_at": "2020-06-05 14:55:48"
    },
    "definition": {
      "id": 1,
      "definition_yaml": "This is the STIX/TAXII CDF YAML.",
      "created_at": "2020-06-04 22:00:55",
      "updated_at": "2020-06-04 22:00:55"
    },
    "tlp": null,
    "run_log": []
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /connectors/{connector_id}

Delete a Connector.

Example URI

DELETE /connectors/1
URI Parameters
connector_id
integer (required) Example: 1

Connector ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Connector Run Log List

Get List
GET /connectors/{connector_id}/runs{?limit,offset,sort,with}

Get a list of Connector Run Log entries.

Example URI

GET /connectors/1/runs?limit=500&offset=100&sort=id&with=connector,connectorEvents
URI Parameters
connector_id
integer (required) Example: 1

Connector ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: connector,connectorEvents

A comma-separated list of related objects to include in the response. Options for this endpoint: connector, connectorEvents.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "run_uuid": "49d210f4-93cd-11e7-888c-080027981579",
      "connector_id": 1,
      "user_id": 1,
      "trigger_type": "scheduled",
      "since": "2017-08-17 00:00:00",
      "until": "2017-08-18 00:00:00",
      "started_at": "2017-09-01 01:01:01",
      "completed_at": null,
      "created_at": "2017-09-13 20:32:22",
      "updated_at": "2017-09-13 20:32:22",
      "has_files": false,
      "connector_events": [
        {
          "id": 1,
          "run_uuid": "9a289b38-62fa-45c7-bfe2-7dd4de3fcc14",
          "message_type_id": 1,
          "description": "event description",
          "occurred_at": "2017-01-02 03:04:05",
          "created_at": "2017-09-28 18:33:28"
        }
      ],
      "connector": {
        "id": 1,
        "name": "Feed",
        "namespace": "threatq.feeds.feed",
        "custom_fields": "{\"api_key\": {\"type\": \"password\", \"order\": 1, \"value\": \"\", \"label\": \"API Key\"}, \"feed_url\": {\"order\": 2, \"value\": \"https://feed.com/{api_key}/reputation.data\", \"label\": \"Feed URL\"}}",
        "frequency": 3600,
        "category_id": 1,
        "indicator_status_id": 1,
        "tlp_id": null,
        "gate_oauth2_client_id": 8,
        "last_import_at": null,
        "last_import_count": null,
        "is_active": "disabled",
        "created_at": "2017-09-28 18:31:53",
        "updated_at": "2017-09-28 18:31:53"
      }
    },
    {
      "run_uuid": "b1586939-9497-11e7-888c-080027981579",
      "connector_id": 1,
      "user_id": 1,
      "trigger_type": "manual",
      "since": "2017-08-17 00:00:00",
      "until": "2017-08-18 00:00:00",
      "started_at": "2017-09-01 01:01:01",
      "completed_at": null,
      "created_at": "2017-09-13 20:31:20",
      "updated_at": "2017-09-13 20:31:20",
      "has_files": true,
      "connector_events": [
        {
          "id": 1,
          "run_uuid": "9a289b38-62fa-45c7-bfe2-7dd4de3fcc14",
          "message_type_id": 1,
          "description": "event description",
          "occurred_at": "2017-01-02 03:04:05",
          "created_at": "2017-09-28 18:33:28"
        }
      ],
      "connector": {
        "id": 1,
        "name": "Feed",
        "namespace": "threatq.feeds.feed",
        "custom_fields": "{\"api_key\": {\"type\": \"password\", \"order\": 1, \"value\": \"\", \"label\": \"API Key\"}, \"feed_url\": {\"order\": 2, \"value\": \"https://feed.com/{api_key}/reputation.data\", \"label\": \"Feed URL\"}}",
        "frequency": 3600,
        "category_id": 1,
        "indicator_status_id": 1,
        "tlp_id": null,
        "gate_oauth2_client_id": 8,
        "last_import_at": null,
        "last_import_count": null,
        "is_active": "disabled",
        "created_at": "2017-09-28 18:31:53",
        "updated_at": "2017-09-28 18:31:53"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /connectors/{connector_id}/runs

Create a new Connector Run Log entry.

Example URI

POST /connectors/1/runs
URI Parameters
connector_id
integer (required) Example: 1

Connector ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "run_uuid": "49d210f4-93cd-11e7-888c-080027981579",
  "trigger_type": "scheduled",
  "is_periodic": 1,
  "since": "2017-08-17 00:00:00",
  "until": "2017-08-18 00:00:00",
  "started_at": "2017-09-01 01:01:01"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "run_uuid": "49d210f4-93cd-11e7-888c-080027981579",
    "connector_id": 1,
    "user_id": 1,
    "trigger_type": "scheduled",
    "since": "2017-08-17 00:00:00",
    "until": "2017-08-18 00:00:00",
    "started_at": "2017-09-01 01:01:01",
    "completed_at": null,
    "created_at": "2017-09-13 20:32:22",
    "updated_at": "2017-09-13 20:32:22",
    "has_files": false
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": {
    "run_uuid": [
      "The run uuid format is invalid."
    ]
  }
}
Response  401

Access denied.

Connector Run Log

Get Single
GET /connectors/{connector_id}/runs/{run_uuid}{?with}

Get a single Connector Run Log entry.

Example URI

GET /connectors/1/runs/49d210f4-93cd-11e7-888c-080027981579?with=connector,connectorEvents
URI Parameters
connector_id
integer (required) Example: 1

Connector ID

run_uuid
string (required) Example: 49d210f4-93cd-11e7-888c-080027981579

Run Log UUID

with
string (optional) Example: connector,connectorEvents

A comma-separated list of related objects to include in the response. Options for this endpoint: connector, connectorEvents.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "run_uuid": "2dc43f6f-9fb0-11e7-bab0-08002737f846",
    "connector_id": 60,
    "client_id": 1,
    "user_id": 1,
    "trigger_type": "scheduled",
    "since": null,
    "until": null,
    "created_at": "2017-09-28 18:33:11",
    "updated_at": "2017-09-28 18:33:11",
    "has_files": true,
    "connector": {
      "id": 60,
      "name": "DigitalShadows",
      "namespace": "threatq.feeds.digitalshadows.DigitalShadows",
      "custom_fields": "{\"api_key\": {\"type\": \"password\", \"order\": 2, \"value\": \"\", \"label\": \"API Key\"}, \"feed_url\": {\"order\": 3, \"value\": \"https://portal-digitalshadows.com/api\", \"label\": \"Feed URL\"}, \"api_id\": {\"order\": 1, \"value\": \"\", \"label\": \"API ID\"}}",
      "frequency": 3600,
      "category_id": 2,
      "indicator_status_id": 1,
      "tlp_id": null,
      "gate_oauth2_client_id": 64,
      "last_import_at": null,
      "last_import_count": null,
      "is_active": "disabled",
      "created_at": "2017-09-28 18:32:06",
      "updated_at": "2017-09-28 18:32:06"
    },
    "connector_events": [
      {
        "id": 5,
        "run_uuid": "2dc43f6f-9fb0-11e7-bab0-08002737f846",
        "message_type_id": 1,
        "description": "This is how the event went down.",
        "occurred_at": "2017-09-14 19:56:09",
        "created_at": "2017-09-28 18:40:41"
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.
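
The `connector` object returned with `with=connector` carries `custom_fields` as a JSON-encoded string whose entries can be of type `password`, so a client that logs run-log responses verbatim can write a feed API key to its logs. The following Python sketch is an added example, not ThreatQ code: it masks those values before logging. The sample response, the secret value and the function names are constructed for illustration.

```python
import copy
import json

# Field types whose values must never reach logs. "password" is the only such
# type shown on this page; extending the set is an assumption about your data.
SECRET_TYPES = {"password"}
MASK = "***REDACTED***"


def redact_custom_fields(raw):
    """Return the custom_fields JSON string with secret values masked."""
    try:
        fields = json.loads(raw)
    except (TypeError, ValueError):
        # Unparseable content may still contain a secret: drop it entirely.
        return MASK
    if not isinstance(fields, dict):
        return MASK
    for spec in fields.values():
        if (isinstance(spec, dict)
                and spec.get("type") in SECRET_TYPES
                and spec.get("value")):
            spec["value"] = MASK
    return json.dumps(fields, sort_keys=True)


def redact_run_log(response):
    """Return a deep copy of a run-log response that is safe to log.

    Handles both envelope shapes: "data" as a single object or as a list.
    """
    safe = copy.deepcopy(response)
    data = safe.get("data")
    records = data if isinstance(data, list) else [data]
    for record in records:
        if not isinstance(record, dict):
            continue
        connector = record.get("connector")
        if isinstance(connector, dict) and "custom_fields" in connector:
            connector["custom_fields"] = redact_custom_fields(
                connector["custom_fields"])
    return safe


# Constructed sample shaped like the 200 response above, with a made-up secret.
SAMPLE_RESPONSE = {
    "data": {
        "run_uuid": "2dc43f6f-9fb0-11e7-bab0-08002737f846",
        "connector_id": 60,
        "connector": {
            "id": 60,
            "name": "DigitalShadows",
            "custom_fields": json.dumps({
                "api_key": {"type": "password", "order": 2,
                            "value": "s3cr3t-constructed", "label": "API Key"},
                "feed_url": {"order": 3,
                             "value": "https://feed.example.invalid/api",
                             "label": "Feed URL"},
                "api_id": {"order": 1, "value": "", "label": "API ID"},
            }),
        },
    }
}

if __name__ == "__main__":
    print(json.dumps(redact_run_log(SAMPLE_RESPONSE), indent=2))
```

The original response object is left untouched, so the caller can keep using it while only the redacted copy is handed to the logger.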

Update
PUT /connectors/{connector_id}/runs/{run_uuid}

Update a Connector Run Log entry.

Example URI

PUT /connectors/1/runs/49d210f4-93cd-11e7-888c-080027981579
URI Parameters
connector_id
integer (required) Example: 1

Connector ID

run_uuid
string (required) Example: 49d210f4-93cd-11e7-888c-080027981579

Run Log UUID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "trigger_type": "scheduled",
  "since": "2017-09-01 00:00:00",
  "until": "2017-09-05 00:00:00",
  "started_at": "2017-09-12 11:00:00",
  "completed_at": "2017-09-12 12:00:00"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "run_uuid": "49d210f4-93cd-11e7-888c-080027981579",
    "connector_id": 1,
    "user_id": 1,
    "trigger_type": "scheduled",
    "since": "2017-09-01 00:00:00",
    "until": "2017-09-05 00:00:00",
    "started_at": "2017-09-12 11:00:00",
    "completed_at": "2017-09-12 12:00:00",
    "created_at": "2017-09-13 20:32:22",
    "updated_at": "2017-09-13 20:53:19",
    "has_files": false
  }
}
Response  401

Access denied.

Response  404

Object not found.

Event Imports

Event Imports

Event Imports
POST /events/import

Create a new Event Import.

Example URI

POST /events/import
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
------WebKitFormBoundaryOXZxN3SNueFFAXTP
Content-Disposition: form-data; name="resumableChunkNumber"

1
------WebKitFormBoundaryOXZxN3SNueFFAXTP
Content-Disposition: form-data; name="resumableChunkSize"

1048576
------WebKitFormBoundaryOXZxN3SNueFFAXTP
Content-Disposition: form-data; name="resumableCurrentChunkSize"

307799
------WebKitFormBoundaryOXZxN3SNueFFAXTP
Content-Disposition: form-data; name="resumableTotalSize"

307799
------WebKitFormBoundaryOXZxN3SNueFFAXTP
Content-Disposition: form-data; name="resumableType"

text/plain
------WebKitFormBoundaryOXZxN3SNueFFAXTP
Content-Disposition: form-data; name="resumableIdentifier"

307799-ChronArtewallclockstxt
------WebKitFormBoundaryOXZxN3SNueFFAXTP
Content-Disposition: form-data; name="resumableFilename"

ChronArte wall clocks.txt
------WebKitFormBoundaryOXZxN3SNueFFAXTP
Content-Disposition: form-data; name="resumableRelativePath"

ChronArte wall clocks.txt
------WebKitFormBoundaryOXZxN3SNueFFAXTP
Content-Disposition: form-data; name="resumableTotalChunks"

1
------WebKitFormBoundaryOXZxN3SNueFFAXTP
Content-Disposition: form-data; name="type_id"

1
------WebKitFormBoundaryOXZxN3SNueFFAXTP
Content-Disposition: form-data; name="sources"

[{"name":"me","tlp":{"name":"AMBER"}}]
------WebKitFormBoundaryOXZxN3SNueFFAXTP
Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: application/octet-stream


------WebKitFormBoundaryOXZxN3SNueFFAXTP--
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 1
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "errors": {
      "file": [
        "The file field is required when text is not present."
      ],
      "text": [
        "The text field is required when file is not present."
      ]
    }
  }
}
Response  401

Access denied.
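
The form fields of the Event Import request above can be generated per chunk as follows. This is an added Python example, not ThreatQ code; the function names are hypothetical, and two points are assumptions inferred from the single-chunk sample rather than documented behaviour: that `resumableIdentifier` is the total size followed by the filename stripped to `[0-9A-Za-z_-]`, and that larger files are split into fixed-size chunks with a shorter final chunk.

```python
import json
import re

CHUNK_SIZE = 1048576  # resumableChunkSize used in the sample request


def resumable_identifier(filename, total_size):
    """Assumed rule, inferred from the sample request:
    '<total size>-<filename without characters outside 0-9 A-Z a-z _ ->'."""
    return "%d-%s" % (total_size, re.sub(r"[^0-9A-Za-z_-]", "", filename))


def build_chunks(filename, content, type_id, sources,
                 content_type="text/plain", chunk_size=CHUNK_SIZE):
    """Return [(form_fields, chunk_bytes), ...] for POST /events/import."""
    if not isinstance(content, (bytes, bytearray)) or not content:
        raise ValueError("content must be non-empty bytes")
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    # Send a bare file name only: no directory parts, no control characters.
    if (not filename or "/" in filename or "\\" in filename
            or any(ord(c) < 32 for c in filename)):
        raise ValueError("filename must be a plain file name")

    total = len(content)
    total_chunks = (total + chunk_size - 1) // chunk_size  # ceiling division
    identifier = resumable_identifier(filename, total)
    # Serialising with json.dumps keeps the 'sources' field well-formed JSON.
    sources_json = json.dumps(sources, separators=(",", ":"))

    chunks = []
    for number in range(1, total_chunks + 1):
        chunk = bytes(content[(number - 1) * chunk_size:number * chunk_size])
        fields = {
            "resumableChunkNumber": str(number),
            "resumableChunkSize": str(chunk_size),
            "resumableCurrentChunkSize": str(len(chunk)),
            "resumableTotalSize": str(total),
            "resumableType": content_type,
            "resumableIdentifier": identifier,
            "resumableFilename": filename,
            "resumableRelativePath": filename,
            "resumableTotalChunks": str(total_chunks),
            "type_id": str(type_id),
            "sources": sources_json,
        }
        chunks.append((fields, chunk))
    return chunks


# Constructed input with the same name and size as the sample request.
SAMPLE = build_chunks(
    "ChronArte wall clocks.txt",
    b"x" * 307799,
    type_id=1,
    sources=[{"name": "me", "tlp": {"name": "AMBER"}}],
)

if __name__ == "__main__":
    for fields, chunk in SAMPLE:
        print(json.dumps(fields, indent=2), len(chunk))
```

Each `(fields, chunk)` pair maps onto one multipart request, with `chunk` sent as the `file` part.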

Event Import Attachments

Event Import Attachments
DELETE /events/import/{event_import_id}/attachments

Bulk delete Event Import Attachments.

Example URI

DELETE /events/import/1/attachments
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Import Commit

Event Import Commit
GET /events/import/{event_import_id}/commit

Commit an Event Import.

Example URI

GET /events/import/1/commit
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "events": [
      {
        "id": 601
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Event Import Event Attributes

Get List
GET /events/import/{event_import_id}/event/attributes{?sort,with}

Get a list of Event Import Event Attributes.

Example URI

GET /events/import/1/event/attributes?sort=id&with=event,import
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: event,import

A comma-separated list of related objects to include in the response. Options for this endpoint: event, import.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 3,
  "data": [
    {
      "id": 1,
      "import_id": 1,
      "event_id": 1,
      "name": "Delivered-To",
      "value": "architonic@null.otherinbox.com",
      "source": "Source"
    },
    {
      "id": 9,
      "import_id": 1,
      "event_id": 1,
      "name": "Mime-Version",
      "value": "1.0",
      "source": "Source"
    },
    {
      "id": 11,
      "import_id": 1,
      "event_id": 1,
      "name": "Subject",
      "value": "ChronArte wall clocks",
      "source": "Source"
    }
  ]
}
Response  401

Access denied.

Create New
POST /events/import/{event_import_id}/event/attributes

Create a new Event Import Event Attribute.

Example URI

POST /events/import/1/event/attributes
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Accessed Time",
  "value": "2017-01-01 01:01:01",
  "source": {
    "name": "Source",
    "tlp": {
      "name": "AMBER"
    }
  }
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "name": "Accessed Time",
    "value": "2017-01-01 01:01:01",
    "source": "Source",
    "import_id": 1,
    "event_id": 1,
    "id": 13
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "import_id": 1,
    "event_id": 1,
    "errors": {
      "name": [
        "The name field is required."
      ],
      "value": [
        "The value field is required."
      ],
      "source": [
        "The source field is required."
      ]
    }
  }
}
Response  401

Access denied.

Bulk Delete
DELETE /events/import/{event_import_id}/event/attributes

Bulk delete Event Import Event Attributes.

Example URI

DELETE /events/import/1/event/attributes
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  531,
  532,
  535,
  538,
  540,
  541
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Import Event Attribute

Event Import Event Attribute
DELETE /events/import/{event_import_id}/event/attributes/{event_import_event_attribute_id}

Delete an Event Import Event Attribute.

Example URI

DELETE /events/import/1/event/attributes/2
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

event_import_event_attribute_id
integer (required) Example: 2

Event Import Event Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Import Global Indicator Attributes

Get List
GET /events/import/{event_import_id}/globals/indicators/attributes{?limit,offset,sort,with}

Get a list of Event Import Global Indicator Attributes.

Example URI

GET /events/import/1/globals/indicators/attributes?limit=500&offset=100&sort=id&with=import
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: import

A comma-separated list of related objects to include in the response. Options for this endpoint: import.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 1,
      "import_id": 1,
      "name": "Accessed Time",
      "value": "2017-01-01 01:01:01",
      "type": "indicator",
      "sources": [
        {
          "name": "Source"
        }
      ]
    },
    {
      "id": 2,
      "import_id": 1,
      "name": "Test Attribute 1",
      "value": "Test Value 1",
      "type": "Indicator",
      "sources": [
        {
          "name": "Source"
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /events/import/{event_import_id}/globals/indicators/attributes

Create a new Event Import Global Indicator Attribute.

Example URI

POST /events/import/1/globals/indicators/attributes
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Test Attribute 1",
  "value": "Test Value 1",
  "source": {
    "name": "Source",
    "tlp": {
      "name": "AMBER"
    }
  }
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "type": "Indicator",
    "import_id": "1",
    "name": "Test Attribute 1",
    "value": "Test Value 1",
    "id": 2,
    "sources": [
      {
        "name": "Source"
      }
    ]
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "type": "Indicator",
    "import_id": "1",
    "errors": {
      "name": [
        "The name field is required."
      ],
      "value": [
        "The value field is required."
      ]
    },
    "sources": []
  }
}
Response  401

Access denied.

Event Import Global Indicator Attribute

Get Single
GET /events/import/{event_import_id}/globals/indicators/attributes/{event_import_global_indicator_attribute_id}{?with}

Get a single Event Import Global Indicator Attribute.

Example URI

GET /events/import/1/globals/indicators/attributes/2?with=import
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

event_import_global_indicator_attribute_id
integer (required) Example: 2

Event Import Global Indicator Attribute ID

with
string (optional) Example: import

A comma-separated list of related objects to include in the response. Options for this endpoint: import.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "import_id": 1,
    "name": "Accessed Time",
    "value": "2017-01-01 01:01:01",
    "type": "indicator",
    "sources": [
      {
        "name": "Source"
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /events/import/{event_import_id}/globals/indicators/attributes/{event_import_global_indicator_attribute_id}

Update an Event Import Global Indicator Attribute.

Example URI

PUT /events/import/1/globals/indicators/attributes/2
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

event_import_global_indicator_attribute_id
integer (required) Example: 2

Event Import Global Indicator Attribute ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "2017-02-02 02:02:02",
  "type": "Indicator"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 1,
    "import_id": 1,
    "name": "Accessed Time",
    "value": "2017-02-02 02:02:02",
    "type": "Indicator",
    "sources": [
      {
        "name": "Source"
      }
    ]
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 1,
    "import_id": 1,
    "name": "Accessed Time",
    "value": "2017-01-01 01:01:01",
    "type": "indicator",
    "errors": {
      "type": [
        "The selected type is invalid."
      ]
    },
    "sources": [
      {
        "name": "Source"
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /events/import/{event_import_id}/globals/indicators/attributes/{event_import_global_indicator_attribute_id}

Delete an Event Import Global Indicator Attribute.

Example URI

DELETE /events/import/1/globals/indicators/attributes/2
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

event_import_global_indicator_attribute_id
integer (required) Example: 2

Event Import Global Indicator Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Import Indicator Attributes

Event Import Indicator Attributes
POST /events/import/{event_import_id}/indicators/attributes

Create a new Event Import Indicator Attribute.

Example URI

POST /events/import/1/indicators/attributes
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Test Attribute 1",
  "value": "Test Value 1",
  "source": {
    "name": "Source",
    "tlp": {
      "name": "AMBER"
    }
  },
  "indicator_ids": [
    1,
    2
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "name": "Test Attribute 1",
      "value": "Test Value 1",
      "source": "Source",
      "import_id": 1,
      "indicator_id": 1,
      "id": 2
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "import_id": 1,
      "indicator_id": 1,
      "errors": {
        "name": [
          "The name field is required."
        ],
        "value": [
          "The value field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.

Event Import Indicator Comments

Event Import Indicator Comments
POST /events/import/{event_import_id}/indicators/comments

Create a new Event Import Indicator Comment.

Example URI

POST /events/import/1/indicators/comments
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment.",
  "indicator_ids": [
    1,
    2
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "value": "This is a comment.",
      "import_id": 1,
      "indicator_id": 8,
      "id": 1
    },
    {
      "value": "This is a comment.",
      "import_id": 1,
      "indicator_id": 20,
      "id": 2
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "import_id": 1,
      "indicator_id": 1,
      "errors": {
        "value": [
          "The value field is required."
        ]
      }
    },
    {
      "import_id": 1,
      "indicator_id": 2,
      "errors": {
        "value": [
          "The value field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.

Event Import

Get Single
GET /events/import/{event_import_id}{?with}

Get a single Event Import.

Example URI

GET /events/import/1?with=attachments,creatorSource
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

with
string (optional) Example: attachments,creatorSource

A comma-separated list of related objects to include in the response. Options for this endpoint: attachments, creatorSource, events, globalAttributes, globalIndicatorAttributes, globalObjectLinks, indicators, indicatorStatus, objectLinks, type.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "creator_source_id": 5,
    "type_id": 1,
    "text": "Delivered-To: architonic@null.otherinbox.com\nReceived: by 10.231.208.4 with SMTP id ga4cs14990ibb;\n",
    "source": "me",
    "indicator_status_id": 4,
    "completed_at": null,
    "created_at": "2017-03-22 00:54:34",
    "updated_at": "2017-03-22 00:54:34",
    "globals": {
      "indicators": {
        "attributes": []
      },
      "relations": {}
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /events/import/{event_import_id}{?with}

Update an Event Import.

Example URI

PUT /events/import/1?with=attachments,creatorSource
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

with
string (optional) Example: attachments,creatorSource

A comma-separated list of related objects to include in the response. Options for this endpoint: attachments, creatorSource, events, globalAttributes, globalIndicatorAttributes, globalObjectLinks, indicators, indicatorStatus, objectLinks, type.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "indicator_status_id": 1,
  "globals": {
    "indicators": {
      "attributes": []
    },
    "relations": {
      "adversaries": [],
      "events": [],
      "attachments": [],
      "indicators": [],
      "signatures": []
    }
  }
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 1
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /events/import/{event_import_id}

Delete an Event Import.

Example URI

DELETE /events/import/1
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Import Attachment

Update
PUT /events/import/{event_import_id}/attachments/{event_import_attachment_id}

Update an Event Import Attachment.

Example URI

PUT /events/import/1/attachments/2
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

event_import_attachment_id
integer (required) Example: 2

Event Import Attachment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "title": "Attachment Title",
  "type_id": 20
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 2,
    "import_id": 1,
    "type_id": 20,
    "title": "Attachment Title",
    "name": "Price list ChronArte Quadro.pdf",
    "content_type": "application/pdf",
    "file_size": 70914,
    "source": "me"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /events/import/{event_import_id}/attachments/{event_import_attachment_id}

Delete an Event Import Attachment.

Example URI

DELETE /events/import/1/attachments/2
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

event_import_attachment_id
integer (required) Example: 2

Event Import Attachment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Import Event List

Get List
GET /events/import/{event_import_id}/events{?limit,offset,sort,with}

Get a list of Event Import Events.

Example URI

GET /events/import/1/events?limit=500&offset=100&sort=id&with=attributes,import
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: attributes,import

A comma-separated list of related objects to include in the response. Options for this endpoint: attributes, import, type.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 1,
  "data": [
    {
      "id": 1,
      "import_id": 1,
      "title": "ChronArte wall clocks",
      "type_id": 1,
      "description": null,
      "happened_at": "2011-04-29 13:31:38",
      "hash": "214bd740d728a910874f4017a1775b9e",
      "sources": [
        {
          "name": "Source"
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /events/import/{event_import_id}/events

Create a new Event Import Event.

Example URI

POST /events/import/1/events
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "title": "Event Title",
  "type_id": "1",
  "description": "Event Description",
  "happened_at": "2017-01-01 12:00:00",
  "source": {
    "name": "Source",
    "tlp": {
      "name": "AMBER"
    }
  }
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "import_id": "1",
    "title": "Event Title",
    "type_id": "1",
    "description": "Event Description",
    "happened_at": "2017-01-01 12:00:00",
    "hash": "2fa82c530984cb46f49ca9a06069b008",
    "id": 2,
    "sources": [
      {
        "name": "Source"
      }
    ]
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "import_id": "1",
    "hash": null,
    "errors": {
      "type_id": [
        "The type id field is required."
      ],
      "title": [
        "The title field is required."
      ],
      "happened_at": [
        "The happened at field is required."
      ],
      "source": [
        "The source field is required."
      ]
    },
    "sources": []
  }
}
Response  401

Access denied.

Bulk Delete
DELETE /events/import/{event_import_id}/events

Bulk delete Event Import Events.

Example URI

DELETE /events/import/1/events
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  291,
  292,
  293,
  299,
  301,
  303
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Import Event

Get Single
GET /events/import/{event_import_id}/events/{event_import_event_id}{?with}

Get a single Event Import Event.

Example URI

GET /events/import/1/events/2?with=attributes,import
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

event_import_event_id
integer (required) Example: 2

Event Import Event ID

with
string (optional) Example: attributes,import

A comma-separated list of related objects to include in the response. Options for this endpoint: attributes, import, type.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 2,
    "import_id": 1,
    "title": "Event Title",
    "type_id": 2,
    "description": "Event Description",
    "happened_at": "2017-02-02 02:00:00",
    "hash": "b06f2a5054dc17de1d4b07526ba4f07d",
    "sources": [
      {
        "name": "Source"
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /events/import/{event_import_id}/events/{event_import_event_id}

Update an Event Import Event.

Example URI

PUT /events/import/1/events/2
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

event_import_event_id
integer (required) Example: 2

Event Import Event ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "title": "Updated Event Title",
  "type_id": "2",
  "description": "Updated Description",
  "happened_at": "2017-02-02 02:00:00"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 2,
    "import_id": 1,
    "title": "Updated Event Title",
    "type_id": "2",
    "description": "Updated Description",
    "happened_at": "2017-02-02 02:00:00",
    "hash": "b06f2a5054dc17de1d4b07526ba4f07d",
    "sources": [
      {
        "name": "Source"
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /events/import/{event_import_id}/events/{event_import_event_id}

Delete an Event Import Event.

Example URI

DELETE /events/import/1/events/2
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

event_import_event_id
integer (required) Example: 2

Event Import Event ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Import Indicator List

Get List
GET /events/import/{event_import_id}/indicators{?sort,with}

Get a list of Event Import Indicators.

Example URI

GET /events/import/1/indicators?sort=id&with=attributes,comments
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: attributes,comments

A comma-separated list of related objects to include in the response. Options for this endpoint: attributes, comments, import, status, type.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 1,
      "import_id": 1,
      "value": "architonic@null.otherinbox.com",
      "class": "network",
      "type_id": 2,
      "hash": "a12d8b4f5622e439651c5f1d7f6500b2",
      "status_id": 4,
      "whitelisted": "N",
      "source": "me",
      "indicator_id": null,
      "attributes": [],
      "comments": []
    },
    {
      "id": 2,
      "import_id": 1,
      "value": "info@chronarte.ch",
      "class": "network",
      "type_id": 2,
      "hash": "ab0233775a116907756968ef2136534e",
      "status_id": 4,
      "whitelisted": "N",
      "source": "me",
      "indicator_id": null,
      "attributes": [],
      "comments": []
    }
  ]
}
Response  401

Access denied.

Create New
POST /events/import/{event_import_id}/indicators

Create a new Event Import Indicator.

Example URI

POST /events/import/1/indicators
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "99.99.99.99",
  "type_id": 10,
  "status_id": 4,
  "source": {
    "name": "Source",
    "tlp": {
      "name": "AMBER"
    }
  }
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "value": "99.99.99.99",
    "hash": "d225e18ca84bdaa618f9f00eb2920061",
    "type_id": 10,
    "status_id": 4,
    "source": "Source",
    "class": "network",
    "import_id": 1,
    "id": 23
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "import_id": 1,
    "errors": {
      "value": [
        "The value field is required."
      ],
      "class": [
        "The class field is required."
      ],
      "type_id": [
        "The type id field is required."
      ],
      "hash": [
        "The hash field is required."
      ]
    }
  }
}
Response  401

Access denied.

Bulk Delete
DELETE /events/import/{event_import_id}/indicators

Bulk delete Event Import Indicators.

Example URI

DELETE /events/import/1/indicators
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  89,
  90,
  113,
  115,
  123,
  189
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Import Indicator

Update
PUT /events/import/{event_import_id}/indicators/{event_import_indicator_id}

Update an Event Import Indicator.

Example URI

PUT /events/import/1/indicators/2
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

event_import_indicator_id
integer (required) Example: 2

Event Import Indicator ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "98.98.98.98",
  "status_id": "5"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 20,
    "import_id": 1,
    "value": "98.98.98.98",
    "class": "network",
    "type_id": 10,
    "hash": "7e7709c4d4f1643c3de70c461b4d1453",
    "status_id": "5",
    "whitelisted": "N",
    "source": "me",
    "indicator_id": null
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /events/import/{event_import_id}/indicators/{event_import_indicator_id}

Delete an Event Import Indicator.

Example URI

DELETE /events/import/1/indicators/2
URI Parameters
event_import_id
integer (required) Example: 1

Event Import ID

event_import_indicator_id
integer (required) Example: 2

Event Import Indicator ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Events

Event Types List

Get List
GET /event/types{?limit,offset,sort,with}

Get a list of Event Types.

Example URI

GET /event/types?limit=500&offset=100&sort=id&with=events,plugins
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: events,plugins

A comma-separated list of related objects to include in the response. Options for this endpoint: events, plugins, pluginActions, pluginObjectTypes.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 13,
  "data": [
    {
      "id": 1,
      "name": "Spearphish",
      "user_editable": "N",
      "created_at": "2017-03-20 13:28:23",
      "updated_at": "2017-03-20 13:28:23"
    },
    {
      "id": 2,
      "name": "Watering Hole",
      "user_editable": "N",
      "created_at": "2017-03-20 13:28:23",
      "updated_at": "2017-03-20 13:28:23"
    },
    {
      "id": 3,
      "name": "SQL Injection Attack",
      "user_editable": "N",
      "created_at": "2017-03-20 13:28:23",
      "updated_at": "2017-03-20 13:28:23"
    },
    {
      "id": 4,
      "name": "DoS Attack",
      "user_editable": "N",
      "created_at": "2017-03-20 13:28:23",
      "updated_at": "2017-03-20 13:28:23"
    }
  ]
}
Response  401

Access denied.

Create New
POST /event/types

Create a new Event Type.

Example URI

POST /event/types
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "New Type",
  "user_editable": "Y"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "name": "New Type",
    "user_editable": "Y",
    "updated_at": "2017-03-21 13:12:46",
    "created_at": "2017-03-21 13:12:46",
    "id": 14
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "errors": {
      "name": [
        "The name field is required."
      ]
    }
  }
}
Response  401

Access denied.

Event Type

Get Single
GET /event/types/{event_type_id}{?with}

Get a single Event Type.

Example URI

GET /event/types/2?with=events,plugins
URI Parameters
event_type_id
integer (required) Example: 2

Event Type ID

with
string (optional) Example: events,plugins

A comma-separated list of related objects to include in the response. Options for this endpoint: events, plugins, pluginActions, pluginObjectTypes.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "name": "Spearphish",
    "user_editable": "N",
    "created_at": "2017-03-20 13:28:23",
    "updated_at": "2017-03-20 13:28:23"
  }
}
Response  401

Access denied.

Update
PUT /event/types/{event_type_id}{?with}

Update an Event Type.

Example URI

PUT /event/types/2?with=events,plugins
URI Parameters
event_type_id
integer (required) Example: 2

Event Type ID

with
string (optional) Example: events,plugins

A comma-separated list of related objects to include in the response. Options for this endpoint: events, plugins, pluginActions, pluginObjectTypes.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Updated New Type"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 14,
    "name": "Updated New Type",
    "user_editable": "Y",
    "created_at": "2017-03-21 13:12:46",
    "updated_at": "2017-03-21 13:24:04"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "The user_editable field prevents this action."
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /event/types/{event_type_id}

Delete an Event Type.

Example URI

DELETE /event/types/2
URI Parameters
event_type_id
integer (required) Example: 2

Event Type ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event List

Get List
GET /events{?limit,offset,sort,with}

Get a list of Events.

Example URI

GET /events?limit=500&offset=100&sort=id&with=adversaries,attachments
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: adversaries,attachments

A comma-separated list of related objects to include in the response. Options for this endpoint: adversaries, attachments, attributes, comments, events, indicators, signatures, sources, spearphish, tags, type, watchlist.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 600,
  "data": [
    {
      "id": 1,
      "type_id": 1,
      "title": "Subject - There was certainly not becoming. 'And that's the jury-box,' thought Alice, as she couldn't answer either.",
      "description": "",
      "happened_at": "2016-12-29 17:39:59",
      "hash": "7566c6f14e7f08746855f851f27ed397",
      "created_at": "2016-12-29 17:39:59",
      "updated_at": "2016-12-29 17:39:59",
      "touched_at": "2017-03-18 00:07:34"
    },
    {
      "id": 2,
      "type_id": 1,
      "title": "Subject - YOU manage?' Alice asked. 'We called him Tortoise because he.",
      "description": "",
      "happened_at": "2016-12-21 13:53:23",
      "hash": "8ad4cebe15c8fe57fff452faf2ccb32a",
      "created_at": "2016-12-21 13:53:23",
      "updated_at": "2016-12-21 13:53:23",
      "touched_at": "2017-03-18 00:07:34"
    },
    {
      "id": 3,
      "type_id": 1,
      "title": "Subject - Majesty,' said Two, in a.",
      "description": "",
      "happened_at": "2016-10-23 16:41:57",
      "hash": "149475f8a7491a752dbe9ad1057b5337",
      "created_at": "2016-10-23 16:41:57",
      "updated_at": "2016-10-23 16:41:57",
      "touched_at": "2017-03-18 00:07:34"
    }
  ]
}
Response  401

Access denied.

Create New
POST /events

Create a new Event.

Example URI

POST /events
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "title": "Event Name",
  "type": "Spearphish",
  "happened_at": "2017-03-20 01:43:05",
  "sources": [
    {
      "name": "Event Source",
      "tlp": {
        "name": "AMBER"
      }
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "title": "Event Name",
    "type_id": 1,
    "happened_at": "2017-03-20 01:43:05",
    "hash": "e59c3274f3156b10aca1c8962a5880cb",
    "updated_at": "2017-03-20 13:35:13",
    "created_at": "2017-03-20 13:35:13",
    "id": 601,
    "type": {
      "id": 1,
      "name": "Spearphish",
      "user_editable": "N",
      "created_at": "2017-03-20 13:28:23",
      "updated_at": "2017-03-20 13:28:23"
    },
    "sources": [
      {
        "type": "other_sources",
        "name": "Event Source",
        "updated_at": "2017-03-20 13:35:13",
        "created_at": "2017-03-20 13:35:13",
        "id": 10
      }
    ]
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "hash": null,
    "errors": {
      "type_id": [
        "The type id field is required."
      ],
      "title": [
        "The title field is required."
      ],
      "happened_at": [
        "The happened at field is required."
      ],
      "hash": [
        "The hash field is required."
      ]
    }
  }
}
Response  401

Access denied.

Event Comment Short

Get Single
GET /events/comments/{event_comment_id}{?with}

Get a single Event Comment.

Example URI

GET /events/comments/2?with=event,sources
URI Parameters
event_comment_id
integer (required) Example: 2

Event Comment ID

with
string (optional) Example: event,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: event, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /events/comments/{event_comment_id}{?with}

Update an Event Comment.

Example URI

PUT /events/comments/2?with=event,sources
URI Parameters
event_comment_id
integer (required) Example: 2

Event Comment ID

with
string (optional) Example: event,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: event, sources.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 62,
    "event_id": 1,
    "value": "This is an updated comment.",
    "creator_source_id": 5,
    "created_at": "2017-03-01 19:46:23",
    "updated_at": "2017-03-01 20:06:04",
    "sources": [
      {
        "id": 5,
        "type": "users",
        "name": "Threat Quotient",
        "expire_days": null,
        "score": null,
        "created_at": "2017-02-28 20:13:18",
        "updated_at": "2017-02-28 20:13:18",
        "pivot": {
          "id": 62,
          "creator_source_id": 5
        }
      }
    ]
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "The current authenticated owner is not the owner of this comment."
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /events/comments/{event_comment_id}

Delete an Event Comment.

Example URI

DELETE /events/comments/2
URI Parameters
event_comment_id
integer (required) Example: 2

Event Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Consume

Event Consume
POST /events/consume

Consume a list of Event objects.

Required fields: title, happened_at, type

Optional fields: description, published_at, tlp (an object with a name field) or tlp_id, sources, attributes, comments, and tags.

Relations can also be included as optional fields in the request: adversaries, attachments, attack_pattern, campaign, course_of_action, events, exploit_target, identity, incident, indicators, intrusion_set, malware, report, signatures, tool, ttp, and vulnerability.

When including relations, if the relation is of the same type as the endpoint used (e.g. related events on Event Consume), the relation can be defined using the required fields. Otherwise, relations must be created in advance and the resulting IDs should be used in the request.

Note: Objects that already exist in the system will not be duplicated; any new context in the request will be added to the existing object. This endpoint does not fail on validation; any errors will be included in the response object.

Example URI

POST /events/consume
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "title": "Campaign: Triage_MSSP_21652 (9206)",
    "happened_at": "2017-06-06 15:53:39",
    "type": "Malware",
    "tlp": {
      "name": "WHITE"
    },
    "touched_at": "2017-06-20 12:01:48",
    "published_at": "2017-01-01 00:00:00",
    "events": [
      {
        "title": "Campaign: Triage_MSSP_21652 (9210)",
        "happened_at": "2017-06-07 14:23:30",
        "type": "Malware"
      }
    ],
    "comments": [
      {
        "value": "Found this during the investigation."
      }
    ]
  },
  {
    "title": "Campaign: Triage_MSSP_21652 (9207)",
    "happened_at": "2017-05-04 10:33:21",
    "type": "Malware",
    "tlp_id": 3,
    "attributes": [
      {
        "name": "Industry",
        "value": "Hospitals"
      }
    ],
    "indicators": [
      {
        "id": 3
      },
      {
        "id": 4
      }
    ]
  },
  {
    "title": "Campaign: Triage_MSSP_21652 (9208)",
    "happened_at": "2018-01-06 08:54:00",
    "type": "Malware",
    "description": "Ongoing",
    "sources": [
      {
        "name": "Digital Shadows",
        "tlp": "AMBER"
      }
    ],
    "tags": [
      {
        "name": "Internal"
      }
    ]
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 4,
  "data": [
    {
      "title": "Campaign: Triage_MSSP_21652 (9206)",
      "happened_at": "2017-06-06 15:53:39",
      "type_id": 5,
      "type": "malware",
      "id": 603
    },
    {
      "title": "Campaign: Triage_MSSP_21652 (9207)",
      "happened_at": "2017-05-04 10:33:21",
      "type_id": 5,
      "type": "malware",
      "id": 604
    },
    {
      "title": "Campaign: Triage_MSSP_21652 (9208)",
      "happened_at": "2018-01-06 08:54:00",
      "type_id": 5,
      "type": "malware",
      "id": 606
    },
    {
      "title": "Campaign: Triage_MSSP_21652 (9210)",
      "happened_at": "2017-06-07 14:23:30",
      "type_id": 5,
      "type": "malware",
      "id": 605
    }
  ]
}
Response  401

Access denied.
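
Because Event Consume does not fail on validation, a client can check each object against the required-field and relation rules above before sending, then inspect the response for entries that report errors. The following is an added example, not ThreatQuotient code; the function names, the `send` hook, the sample batch and the shape of a failed response entry (an `errors` key) are assumptions.

```python
import json
import urllib.request
from datetime import datetime

REQUIRED = ("title", "happened_at", "type")
# Relation keys the page lists for POST /events/consume.
RELATIONS = ("adversaries attachments attack_pattern campaign course_of_action "
             "events exploit_target identity incident indicators intrusion_set "
             "malware report signatures tool ttp vulnerability").split()
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # layout used in the page's sample bodies

# Constructed sample batch (not taken from a live instance).
SAMPLE_BATCH = [
    {"title": "Phish wave A", "happened_at": "2017-06-06 15:53:39", "type": "Malware",
     "events": [{"title": "Phish wave B", "happened_at": "2017-06-07 14:23:30",
                 "type": "Malware"}]},
    {"title": "No timestamp", "type": "Malware"},
    {"title": "Inline indicator", "happened_at": "2017-05-04 10:33:21",
     "type": "Malware", "indicators": [{"value": "98.98.98.98"}]},
]


def check_required(obj, where):
    """Problems with the required fields of one event object."""
    problems = [f"{where}: missing required field '{name}'"
                for name in REQUIRED if not obj.get(name)]
    when = obj.get("happened_at")
    if when:
        try:
            datetime.strptime(when, TIME_FORMAT)
        except (TypeError, ValueError):
            problems.append(f"{where}: happened_at is not YYYY-MM-DD HH:MM:SS")
    return problems


def validate_event(event, index):
    """Return the problems for one batch entry (empty list = sendable)."""
    where = f"event[{index}]"
    if not isinstance(event, dict):
        return [f"{where}: not a JSON object"]
    problems = check_required(event, where)
    for rel in RELATIONS:
        items = event.get(rel, [])
        if not isinstance(items, list):
            problems.append(f"{where}.{rel}: must be a list")
            continue
        for n, item in enumerate(items):
            ref = f"{where}.{rel}[{n}]"
            if isinstance(item, dict) and "id" in item:
                continue  # relation created in advance, referenced by ID
            if rel == "events" and isinstance(item, dict):
                # Same type as the endpoint, so it may be defined inline.
                problems.extend(check_required(item, ref))
            else:
                problems.append(f"{ref}: must reference an existing object by id")
    return problems


def split_batch(events):
    """Partition a batch into (sendable, problems) before anything is sent."""
    sendable, problems = [], []
    for i, event in enumerate(events):
        found = validate_event(event, i)
        if found:
            problems.extend(found)
        else:
            sendable.append(event)
    return sendable, problems


def rejected_entries(body):
    """Response entries that report errors. ASSUMPTION: a failed entry carries
    an "errors" key, as in the page's 400 bodies; the consume layout is not shown."""
    return [e for e in body.get("data", []) if isinstance(e, dict) and e.get("errors")]


def http_send(request):
    # Default transport: perform the request and decode the JSON body.
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


def consume(base_url, token, events, send=http_send):
    """POST the valid part of a batch and report what was not ingested."""
    sendable, problems = split_batch(events)
    report = {"sent": len(sendable), "created_ids": [], "rejected": [], "problems": problems}
    if not sendable:
        return report
    request = urllib.request.Request(
        base_url.rstrip("/") + "/events/consume",
        data=json.dumps(sendable).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + token},
        method="POST",
    )
    body = send(request)
    report["rejected"] = rejected_entries(body)
    report["created_ids"] = [e["id"] for e in body.get("data", [])
                             if isinstance(e, dict) and "id" in e and not e.get("errors")]
    return report
```

A non-empty `problems` or `rejected` list in the returned report means part of the batch was not ingested, which a feed job should log and alert on rather than treat the 201 as full success.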

Event Watchlist Bulk

Get List
GET /events/watchlist

Get all Events in a user’s Watchlist. Only users with administrator privileges can see Watchlists for all users.

Example URI

GET /events/watchlist
Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 3,
  "data": [
    {
      "id": 1,
      "user_id": 1,
      "object_type": "event",
      "object_id": 229,
      "created_at": "2017-03-20 14:01:10",
      "updated_at": "2017-03-20 14:01:10",
      "event": {
        "id": 229,
        "type_id": 2,
        "title": "Origin - http://prohaska.com/dolore-debitis-nihil-molestiae-cupiditate-sint-amet",
        "description": "",
        "happened_at": "2017-03-14 16:46:21",
        "hash": "6f42c58a46c0956ad89b6d323aa7858c",
        "created_at": "2017-03-14 16:46:21",
        "updated_at": "2017-03-14 16:46:21",
        "touched_at": "2017-03-20 13:30:53"
      }
    },
    {
      "id": 2,
      "user_id": 1,
      "object_type": "event",
      "object_id": 255,
      "created_at": "2017-03-20 14:01:18",
      "updated_at": "2017-03-20 14:01:18",
      "event": {
        "id": 255,
        "type_id": 2,
        "title": "Origin - https://parker.com/sunt-autem-aliquam-voluptas-dicta-culpa-tempore.html",
        "description": "",
        "happened_at": "2017-03-14 06:22:53",
        "hash": "0b69e7093e150047c669a1bb085e8d1e",
        "created_at": "2017-03-14 06:22:53",
        "updated_at": "2017-03-14 06:22:53",
        "touched_at": "2017-03-20 13:30:53"
      }
    },
    {
      "id": 3,
      "user_id": 1,
      "object_type": "event",
      "object_id": 468,
      "created_at": "2017-03-20 14:01:32",
      "updated_at": "2017-03-20 14:01:32",
      "event": {
        "id": 468,
        "type_id": 3,
        "title": "SQL - 64J)6Yo//]78,i",
        "description": "",
        "happened_at": "2017-03-14 00:04:09",
        "hash": "6feb5fc4aab0678d4f4047016cb7c053",
        "created_at": "2017-03-14 00:04:09",
        "updated_at": "2017-03-14 00:04:09",
        "touched_at": "2017-03-20 13:30:54"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /events/watchlist

Bulk add Events to the user’s Watchlist.

Example URI

POST /events/watchlist
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "object_ids": [
    5,
    6,
    7
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "object_type": "event",
      "user_id": 1,
      "object_id": "5",
      "updated_at": "2017-03-20 14:11:38",
      "created_at": "2017-03-20 14:11:38",
      "id": 5
    },
    {
      "object_type": "event",
      "user_id": 1,
      "object_id": "6",
      "updated_at": "2017-03-20 14:11:38",
      "created_at": "2017-03-20 14:11:38",
      "id": 6
    },
    {
      "object_type": "event",
      "user_id": 1,
      "object_id": "7",
      "updated_at": "2017-03-20 14:11:38",
      "created_at": "2017-03-20 14:11:38",
      "id": 7
    }
  ]
}
Response  401

Access denied.

Event

Delete
DELETE /events/{event_id}

Delete an Event.

Example URI

DELETE /events/1
URI Parameters
event_id
integer (required) Example: 1

Event ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Get Single
GET /events/{event_id}{?with}

Get a single Event.

Example URI

GET /events/1?with=adversaries,attachments
URI Parameters
event_id
integer (required) Example: 1

Event ID

with
string (optional) Example: adversaries,attachments

A comma-separated list of related objects to include in the response. Options for this endpoint: adversaries, attachments, attributes, comments, events, indicators, signatures, sources, spearphish, tags, type, watchlist.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 601,
    "type_id": 1,
    "title": "Event Name",
    "description": null,
    "happened_at": "2017-03-20 01:43:05",
    "hash": "e59c3274f3156b10aca1c8962a5880cb",
    "created_at": "2017-03-20 13:35:13",
    "updated_at": "2017-03-20 13:35:13",
    "touched_at": "2017-03-20 13:35:13"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /events/{event_id}{?with}

Update an Event.

Example URI

PUT /events/1?with=adversaries,attachments
URI Parameters
event_id
integer (required) Example: 1

Event ID

with
string (optional) Example: adversaries,attachments

A comma-separated list of related objects to include in the response. Options for this endpoint: adversaries, attachments, attributes, comments, events, indicators, signatures, sources, spearphish, tags, type, watchlist.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "title": "Updated Event Name",
  "happened_at": "2017-03-21 01:43:05"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 601,
    "type_id": 1,
    "title": "Updated Event Name",
    "description": null,
    "happened_at": "2017-03-21 01:43:05",
    "hash": "6f0b2d3b6b4b1060892ce37084908d85",
    "created_at": "2017-03-20 13:35:13",
    "updated_at": "2017-03-20 13:41:03",
    "touched_at": "2017-03-20 13:35:13"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Event Adversaries List

Get List
GET /events/{event_id}/adversaries{?limit,offset,sort,with}

Get a list of Event Adversary links.

Example URI

GET /events/1/adversaries?limit=500&offset=100&sort=id&with=sources,pivot.attributes
URI Parameters
event_id
integer (required) Example: 1

Event ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 2,
      "name": "AMOROUS PANDA",
      "created_at": "2018-03-24 03:49:31",
      "updated_at": "2018-03-24 03:49:31",
      "touched_at": "2018-04-02 16:16:38",
      "deleted_at": null,
      "sources": [
        {
          "name": "Customer Observer"
        }
      ],
      "pivot": {
        "id": 62324,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "adversary",
        "dest_object_id": 2,
        "created_at": "2018-04-02 16:16:38",
        "updated_at": "2018-04-02 16:16:38",
        "comments": [
          {
            "id": 54,
            "type": "users",
            "value": "This link is important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-02 16:19:51.184000",
            "updated_at": "2018-04-02 16:23:40.426000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 15066,
            "name": "Industry",
            "value": "Hospitals",
            "sources": [
              {
                "id": 2,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "2018-04-02 16:17:00.689000",
                  "updated_at": "2018-04-02 16:17:00.689000"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24424,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-02 16:16:38.663000",
              "updated_at": "2018-04-02 16:16:38.663000"
            }
          }
        ]
      }
    },
    {
      "id": 3,
      "name": "ANCHOR PANDA",
      "created_at": "2018-01-08 23:05:37",
      "updated_at": "2018-01-08 23:05:37",
      "touched_at": "2018-04-02 16:17:00",
      "deleted_at": null,
      "sources": [
        {
          "name": "ThreatQ Front End"
        },
        {
          "name": "Domain Tools"
        }
      ],
      "pivot": {
        "id": 62325,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "adversary",
        "dest_object_id": 3,
        "created_at": "2018-04-02 16:17:00",
        "updated_at": "2018-04-02 16:17:00",
        "comments": [
          {
            "id": 56,
            "type": "users",
            "value": "This link is also important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-02 16:20:25.327000",
            "updated_at": "2018-04-02 16:20:25.327000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 15065,
            "name": "Industry",
            "value": "Universities",
            "sources": [
              {
                "id": 1,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "2018-04-02 16:17:00.689000",
                  "updated_at": "2018-04-02 16:17:00.689000"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24426,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-02 16:17:00.689000",
              "updated_at": "2018-04-02 16:17:00.689000"
            }
          }
        ]
      }
    }
  ],
  "limit": 100,
  "offset": 0
}
Response  401

Access denied.

Create New
POST /events/{event_id}/adversaries

Create a link from an Adversary to an Event.

Example URI

POST /events/1/adversaries
URI Parameters
event_id
integer (required) Example: 1

Event ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "id": 2
  },
  {
    "id": 3
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 2,
  "data": [
    {
      "id": 2,
      "name": "AMOROUS PANDA",
      "created_at": "2017-03-06 14:05:24",
      "updated_at": "2017-03-06 14:05:24",
      "touched_at": "2017-03-10 19:25:48",
      "pivot": {
        "id": 62141,
        "created_at": "2017-03-10 19:25:48",
        "updated_at": "2017-03-10 19:25:48"
      }
    },
    {
      "id": 3,
      "name": "ANCHOR PANDA",
      "created_at": "2016-12-27 13:45:12",
      "updated_at": "2016-12-27 13:45:12",
      "touched_at": "2017-03-10 19:25:48",
      "pivot": {
        "id": 62142,
        "created_at": "2017-03-10 19:25:48",
        "updated_at": "2017-03-10 19:25:48"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "id": [
          "The id field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.

Bulk Delete
DELETE /events/{event_id}/adversaries

Delete multiple Event Adversary links. The request should include a list of object_link_ids to be deleted.

Example URI

DELETE /events/1/adversaries
URI Parameters
event_id
integer (required) Example: 1

Event ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  62351,
  62352
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Event Adversary

Get Single
GET /events/{event_id}/adversaries/{object_link_id}{?with}

Get a single Event Adversary link.

Example URI

GET /events/1/adversaries/2?with=sources,pivot.attributes
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "name": "Advanced Pawn",
    "created_at": "2018-01-18 22:47:52",
    "updated_at": "2018-01-18 22:47:52",
    "touched_at": "2018-04-02 16:17:00",
    "pivot": {
      "id": 62324,
      "created_at": "2018-04-02 16:16:38",
      "updated_at": "2018-04-02 16:16:38",
      "comments": [
        {
          "id": 54,
          "object_link_id": 62324,
          "value": "This link is important.",
          "creator_source_id": 8,
          "created_at": "2018-04-02 16:19:51",
          "updated_at": "2018-04-02 16:23:40",
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "expire_days": null,
              "score": null,
              "created_at": "2018-04-02 15:47:21",
              "updated_at": "2018-04-02 15:47:21",
              "pivot": {
                "id": 54,
                "creator_source_id": 8
              }
            }
          ]
        }
      ],
      "attributes": [
        {
          "id": 15066,
          "object_link_id": 62324,
          "attribute_id": 136,
          "value": "Hospitals",
          "created_at": "2018-04-02 16:25:47",
          "updated_at": "2018-04-02 16:25:47",
          "name": "Industry",
          "attribute": {
            "id": 136,
            "name": "Industry",
            "created_at": "2018-04-02 16:25:21",
            "updated_at": "2018-04-02 16:25:21"
          },
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "tlp_id": null,
              "created_at": "2018-04-02 16:17:00",
              "updated_at": "2018-04-02 16:17:00",
              "published_at": null,
              "pivot": {
                "object_link_attribute_id": 15066,
                "source_id": 8,
                "id": 2,
                "creator_source_id": 0
              }
            }
          ]
        }
      ],
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "tlp_id": null,
          "created_at": "2018-04-02 16:16:38",
          "updated_at": "2018-04-02 16:16:38",
          "published_at": null,
          "pivot": {
            "object_link_id": 62324,
            "source_id": 8,
            "id": 24424,
            "creator_source_id": 8
          }
        }
      ]
    },
    "sources": [
      {
        "id": 1,
        "type": "clients",
        "name": "ThreatQ Front End",
        "tlp_id": null,
        "created_at": "2018-02-05 12:29:56",
        "updated_at": "2018-04-02 15:49:40",
        "published_at": null,
        "pivot": {
          "adversary_id": 1,
          "source_id": 1,
          "id": 1,
          "creator_source_id": 1
        }
      },
      {
        "id": 7,
        "type": "plugins",
        "name": "VirusTotal",
        "tlp_id": null,
        "created_at": "2018-01-31 03:41:47",
        "updated_at": "2018-04-02 15:49:40",
        "published_at": null,
        "pivot": {
          "adversary_id": 1,
          "source_id": 7,
          "id": 2,
          "creator_source_id": 7
        }
      },
      {
        "id": 8,
        "type": "users",
        "name": "Threat Quotient",
        "tlp_id": null,
        "created_at": "2018-03-31 21:31:30",
        "updated_at": "2018-04-02 15:49:40",
        "published_at": null,
        "pivot": {
          "adversary_id": 1,
          "source_id": 8,
          "id": 3,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /events/{event_id}/adversaries/{object_link_id}

Delete an Event Adversary link.

Example URI

DELETE /events/1/adversaries/2
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Adversary Attributes List

Get List
GET /events/{event_id}/adversaries/{object_link_id}/attributes{?limit,offset,sort}

Get a list of Event Adversary link Attributes.

Example URI

GET /events/1/adversaries/2/attributes?limit=500&offset=100&sort=id
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 15067,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Universities",
      "created_at": "2018-04-02 17:46:43",
      "updated_at": "2018-04-02 17:50:18",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    },
    {
      "id": 15068,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Mining",
      "created_at": "2018-04-02 17:52:14",
      "updated_at": "2018-04-02 17:52:14",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST/events/{event_id}/adversaries/{object_link_id}/attributes

Create a new Event Adversary link Attribute.

Example URI

POST /events/1/adversaries/2/attributes
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": 15059,
      "object_link_id": 61561,
      "attribute_id": 401,
      "value": "4000",
      "created_at": "2017-03-01 21:47:14",
      "updated_at": "2017-03-01 21:47:14",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Event Adversary Attribute

Get Single
GET/events/{event_id}/adversaries/{object_link_id}/attributes/{object_link_attribute_id}

Get a single Event Adversary link Attribute.

Example URI

GET /events/1/adversaries/2/attributes/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 15068,
    "object_link_id": 62326,
    "attribute_id": 136,
    "value": "Mining",
    "created_at": "2018-04-02 17:52:14",
    "updated_at": "2018-04-02 17:52:14",
    "name": "Industry",
    "attribute": {
      "id": 136,
      "name": "Industry",
      "created_at": "2018-04-02 16:25:21",
      "updated_at": "2018-04-02 16:25:21"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT/events/{event_id}/adversaries/{object_link_id}/attributes/{object_link_attribute_id}

Update an Event Adversary link Attribute.

Example URI

PUT /events/1/adversaries/2/attributes/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "id": 15058,
      "object_link_id": 61561,
      "attribute_id": 14,
      "value": "New Value",
      "created_at": "2017-01-24 14:54:31",
      "updated_at": "2017-03-01 22:13:22",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE/events/{event_id}/adversaries/{object_link_id}/attributes/{object_link_attribute_id}

Delete an Event Adversary link Attribute.

Example URI

DELETE /events/1/adversaries/2/attributes/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Adversary Comments List

Get List
GET/events/{event_id}/adversaries/{object_link_id}/comments{?limit,offset,sort,with}

Get a list of Event Adversary link Comments.

Example URI

GET /events/1/adversaries/2/comments?limit=500&offset=100&sort=id&with=sources
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources

A comma-separated list of related objects to include in the response. Options for this endpoint: sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 54,
      "object_link_id": 62325,
      "value": "This has some suspicious stuff.",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:19:51",
      "updated_at": "2018-04-02 18:21:06",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 54,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 56,
      "object_link_id": 62325,
      "value": "Compile date: 10/17/2011",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:20:25",
      "updated_at": "2018-04-02 16:20:25",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST/events/{event_id}/adversaries/{object_link_id}/comments

Create a new Event Adversary link Comment.

Example URI

POST /events/1/adversaries/2/comments
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "id": 69,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 14:12:32",
    "updated_at": "2017-03-02 14:12:32"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Event Adversary Comment

Get Single
GET/events/{event_id}/adversaries/{object_link_id}/comments/{object_link_comment_id}

Get a single Event Adversary link Comment.

Example URI

GET /events/1/adversaries/2/comments/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT/events/{event_id}/adversaries/{object_link_id}/comments/{object_link_comment_id}

Update an Event Adversary link Comment.

Example URI

PUT /events/1/adversaries/2/comments/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "value": "This is an updated comment.",
    "id": 67,
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-02-28 20:18:50",
    "updated_at": "2017-03-02 14:37:49"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE/events/{event_id}/adversaries/{object_link_id}/comments/{object_link_comment_id}

Delete an Event Adversary link Comment.

Example URI

DELETE /events/1/adversaries/2/comments/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Attachments List

Get List
GET/events/{event_id}/attachments{?limit,offset,sort,with}

Get a list of Event Attachment links.

Example URI

GET /events/1/attachments?limit=500&offset=100&sort=id&with=sources,pivot.attributes
URI Parameters
event_id
integer (required) Example: 1

Event ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 2,
      "type_id": 19,
      "title": "Honeybooboo.sh",
      "name": "Honeybooboo.sh",
      "hash": "4ece432b22f92461f9c4d2de2656d3e3",
      "content_type_id": 2,
      "file_size": 75,
      "path": "6/b/d/0/d/c/1/2/e/5/d/f/a/0/4/3/e/b/4/9/6/0/9/f/a/4/7/c/4/f/1/0",
      "malware_locked": "0",
      "placeholder": 0,
      "description": null,
      "created_at": "2018-04-02 15:47:22",
      "updated_at": "2018-04-02 15:47:22",
      "touched_at": "2018-04-02 17:39:18",
      "deleted_at": null,
      "sources": [
        {
          "name": "Threat Quotient"
        }
      ],
      "pivot": {
        "id": 62326,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "attachment",
        "dest_object_id": 2,
        "created_at": "2018-04-02 17:39:18",
        "updated_at": "2018-04-02 17:39:18",
        "comments": [
          {
            "id": 57,
            "type": "users",
            "value": "This link is important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-02 17:54:58.936000",
            "updated_at": "2018-04-02 17:55:15.039000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 15067,
            "name": "Industry",
            "value": "Universities",
            "sources": [
              {
                "id": 3,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "2018-04-02 16:17:00.689000",
                  "updated_at": "2018-04-02 16:17:00.689000"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24428,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-02 17:39:18.781000",
              "updated_at": "2018-04-02 17:39:18.781000"
            }
          }
        ]
      }
    },
    {
      "id": 1,
      "type_id": 10,
      "title": "parsing-sample.pdf",
      "name": "parsing-sample.pdf",
      "hash": "89e17b2f6cd3888864237b0ee10048f0",
      "content_type_id": 1,
      "file_size": 11300,
      "path": "e/a/f/d/d/7/1/e/5/c/e/1/1/9/b/0/5/6/4/a/6/d/5/9/a/2/3/5/3/1/0/4",
      "malware_locked": "0",
      "placeholder": 0,
      "description": null,
      "created_at": "2018-04-02 15:47:22",
      "updated_at": "2018-04-02 15:47:22",
      "touched_at": "2018-04-02 17:40:48",
      "deleted_at": null,
      "sources": [
        {
          "name": "Threat Quotient"
        }
      ],
      "pivot": {
        "id": 62327,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "attachment",
        "dest_object_id": 1,
        "created_at": "2018-04-02 17:40:48",
        "updated_at": "2018-04-02 17:40:48",
        "comments": [
          {
            "id": 58,
            "type": "users",
            "value": "This link is also important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-02 17:55:30.995000",
            "updated_at": "2018-04-02 17:55:30.995000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 15068,
            "name": "Industry",
            "value": "Mining",
            "sources": [
              {
                "id": 4,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "2018-04-02 16:17:00.689000",
                  "updated_at": "2018-04-02 16:17:00.689000"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24430,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-02 17:40:48.310000",
              "updated_at": "2018-04-02 17:40:48.310000"
            }
          }
        ]
      }
    }
  ],
  "limit": 100,
  "offset": 0
}
Response  401

Access denied.

Create New
POST/events/{event_id}/attachments

Create a link from an Attachment to an Event.

Example URI

POST /events/1/attachments
URI Parameters
event_id
integer (required) Example: 1

Event ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "id": 2
  },
  {
    "id": 3
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 3,
      "type_id": 3,
      "title": "EXE like script",
      "name": "Honeybooboo.sh",
      "hash": "51774564f8d78fbddbfa22e1e7459af4",
      "content_type_id": 1,
      "file_size": 234234,
      "malware_locked": 1,
      "description": null,
      "created_at": "2017-02-23 20:02:18",
      "updated_at": "2017-02-23 20:02:18",
      "touched_at": "2017-03-01 16:51:15",
      "pivot": {
        "id": 62394,
        "created_at": "2017-03-01 16:51:15",
        "updated_at": "2017-03-01 16:51:15"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "id": [
          "The id field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.
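
The 400 bodies in this part of the reference come in three shapes: a top-level errors list, an errors object inside data, and a data array with one errors object per submitted item. The Python helper below is an added example (not ThreatQ code) that flattens all three for logging or retry logic; the function name and the tuple layout are assumptions, and the sample bodies are copied from the responses shown on this page.

```python
# Sample 400 bodies copied from the reference's example responses.
FLAT_400 = {"errors": ["Undefined index: value"]}
OBJECT_400 = {
    "data": {
        "creator_source_id": 5,
        "errors": {"value": ["The value field is required."]},
    }
}
BULK_400 = {"data": [{"errors": {"id": ["The id field is required."]}}]}


def extract_errors(body):
    """Flatten a 400 response body into (item_index, field, message) tuples.

    item_index is the position inside a "data" array (bulk requests) or None;
    field is the offending field name when the API names one, else None.
    """
    found = []

    def collect(errors, index):
        if isinstance(errors, dict):
            # {"field": ["message", ...]} as returned by the comment and bulk endpoints
            for field, messages in errors.items():
                if isinstance(messages, str):
                    messages = [messages]
                found.extend((index, field, str(m)) for m in messages)
        elif isinstance(errors, list):
            # ["message", ...] as returned by the attribute endpoints
            found.extend((index, None, str(m)) for m in errors)
        elif errors is not None:
            found.append((index, None, str(errors)))

    if not isinstance(body, dict):
        return found  # empty or non-JSON body: nothing to report

    collect(body.get("errors"), None)
    data = body.get("data")
    if isinstance(data, dict):
        collect(data.get("errors"), None)
    elif isinstance(data, list):
        for index, item in enumerate(data):
            if isinstance(item, dict):
                collect(item.get("errors"), index)
    return found


def summarize(body):
    """One log-friendly line per error, e.g. 'item 0: id: The id field is required.'"""
    lines = []
    for index, field, message in extract_errors(body):
        prefix = f"item {index}: " if index is not None else ""
        label = f"{field}: " if field else ""
        lines.append(prefix + label + message)
    return lines


if __name__ == "__main__":
    for sample in (FLAT_400, OBJECT_400, BULK_400):
        print(summarize(sample))
```
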

Bulk Delete
DELETE/events/{event_id}/attachments

Delete multiple Event Attachment links. The request should include a list of object_link_ids to be deleted.

Example URI

DELETE /events/1/attachments
URI Parameters
event_id
integer (required) Example: 1

Event ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  62351,
  62352
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Event Attachment

Get Single
GET/events/{event_id}/attachments/{object_link_id}{?with}

Get a single Event Attachment link.

Example URI

GET /events/1/attachments/2?with=sources,pivot.attributes
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 2,
    "type_id": 19,
    "title": "Honeybooboo.sh",
    "name": "Honeybooboo.sh",
    "hash": "4ece432b22f92461f9c4d2de2656d3e3",
    "content_type_id": 2,
    "file_size": 75,
    "malware_locked": 0,
    "placeholder": 0,
    "description": null,
    "created_at": "2018-04-02 15:47:22",
    "updated_at": "2018-04-02 15:47:22",
    "touched_at": "2018-04-02 17:39:18",
    "pivot": {
      "id": 62326,
      "created_at": "2018-04-02 17:39:18",
      "updated_at": "2018-04-02 17:39:18",
      "comments": [
        {
          "id": 57,
          "object_link_id": 62326,
          "value": "This link is important.",
          "creator_source_id": 8,
          "created_at": "2018-04-02 17:54:58",
          "updated_at": "2018-04-02 17:55:15",
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "expire_days": null,
              "score": null,
              "created_at": "2018-04-02 15:47:21",
              "updated_at": "2018-04-02 15:47:21",
              "pivot": {
                "id": 57,
                "creator_source_id": 8
              }
            }
          ]
        }
      ],
      "attributes": [
        {
          "id": 15067,
          "object_link_id": 62326,
          "attribute_id": 136,
          "value": "Universities",
          "created_at": "2018-04-02 17:46:43",
          "updated_at": "2018-04-02 17:50:18",
          "name": "Industry",
          "attribute": {
            "id": 136,
            "name": "Industry",
            "created_at": "2018-04-02 16:25:21",
            "updated_at": "2018-04-02 16:25:21"
          },
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "tlp_id": null,
              "created_at": "2018-04-02 16:17:00",
              "updated_at": "2018-04-02 16:17:00",
              "published_at": null,
              "pivot": {
                "object_link_attribute_id": 15067,
                "source_id": 8,
                "id": 3,
                "creator_source_id": 0
              }
            }
          ]
        }
      ],
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "tlp_id": null,
          "created_at": "2018-04-02 17:39:18",
          "updated_at": "2018-04-02 17:39:18",
          "published_at": null,
          "pivot": {
            "object_link_id": 62326,
            "source_id": 8,
            "id": 24428,
            "creator_source_id": 8
          }
        }
      ]
    },
    "sources": [
      {
        "id": 8,
        "type": "users",
        "name": "Threat Quotient",
        "tlp_id": null,
        "created_at": "2018-04-02 15:47:22",
        "updated_at": "2018-04-02 15:47:22",
        "published_at": null,
        "pivot": {
          "attachment_id": 2,
          "source_id": 8,
          "id": 2,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE/events/{event_id}/attachments/{object_link_id}

Delete an Event Attachment link.

Example URI

DELETE /events/1/attachments/2
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Attachment Attributes List

Get List
GET/events/{event_id}/attachments/{object_link_id}/attributes{?limit,offset,sort}

Get a list of Event Attachment link Attributes.

Example URI

GET /events/1/attachments/2/attributes?limit=500&offset=100&sort=id
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 15067,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Universities",
      "created_at": "2018-04-02 17:46:43",
      "updated_at": "2018-04-02 17:50:18",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    },
    {
      "id": 15068,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Mining",
      "created_at": "2018-04-02 17:52:14",
      "updated_at": "2018-04-02 17:52:14",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    }
  ]
}
Response  401

Access denied.
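
A client-side sketch of paging through this Get List endpoint with limit, offset and sort, added here as an example and not taken from ThreatQ's own code. It assumes that total is the full record count across pages and that offset is a zero-based record index; the function names, the token value and the third sample record are constructed for the example.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

BASE_URI = "https://hostname/api"  # placeholder host, as in the reference's Base URI
SORT_FIELD = re.compile(r"^-?[A-Za-z_][A-Za-z0-9_.]*$")  # optional leading minus = reverse


class ApiError(Exception):
    """Raised for any non-200 answer so an error is never mistaken for an empty list."""

    def __init__(self, status, uri):
        super().__init__(f"HTTP {status} for {uri}")
        self.status = status


def build_list_uri(event_id, object_link_id, limit, offset, sort=("id",)):
    """Build the Get List URI, rejecting anything that is not a plain integer or field name."""
    for name, value in (("event_id", event_id), ("object_link_id", object_link_id),
                        ("limit", limit), ("offset", offset)):
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            raise ValueError(f"{name} must be a non-negative integer, got {value!r}")
    for field in sort:
        if not SORT_FIELD.match(field):
            raise ValueError(f"invalid sort field {field!r}")
    query = urllib.parse.urlencode(
        {"limit": limit, "offset": offset, "sort": ",".join(sort)}, safe=",")
    return f"{BASE_URI}/events/{event_id}/attachments/{object_link_id}/attributes?{query}"


def http_get(uri, token):
    """Real transport: the access token travels only in the Authorization header."""
    request = urllib.request.Request(uri, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(request, timeout=30) as response:
            return response.status, json.load(response)
    except urllib.error.HTTPError as err:
        return err.code, None


def iter_link_attributes(event_id, object_link_id, token, page_size=500,
                         sort=("id",), fetch=http_get):
    """Yield every attribute of one Event Attachment link, one page at a time."""
    offset = 0
    while True:
        uri = build_list_uri(event_id, object_link_id, page_size, offset, sort)
        status, body = fetch(uri, token)
        if status != 200:  # 401 (access denied) and anything else stop the walk
            raise ApiError(status, uri)
        rows = body.get("data", [])
        yield from rows
        offset += len(rows)
        # Stop on an empty page as well, so a wrong "total" cannot loop forever.
        if not rows or offset >= body.get("total", 0):
            return


# Constructed sample records modelled on the response body above (not real data).
SAMPLE_ROWS = [{"id": 15067 + i, "object_link_id": 62326, "name": "Industry", "value": v}
               for i, v in enumerate(["Universities", "Mining", "Energy"])]


def fake_fetch(uri, token):
    """Offline stand-in for the server: checks the token, then slices SAMPLE_ROWS."""
    if token != "constructed-token":
        return 401, None
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(uri).query)
    limit, offset = int(params["limit"][0]), int(params["offset"][0])
    return 200, {"total": len(SAMPLE_ROWS), "data": SAMPLE_ROWS[offset:offset + limit]}


def demo():
    """Walk three constructed records with a page size of two (two requests)."""
    return [row["value"] for row in
            iter_link_attributes(1, 2, "constructed-token", page_size=2, fetch=fake_fetch)]


if __name__ == "__main__":
    print(demo())
```
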

Create New
POST/events/{event_id}/attachments/{object_link_id}/attributes

Create a new Event Attachment link Attribute.

Example URI

POST /events/1/attachments/2/attributes
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": 15059,
      "object_link_id": 61561,
      "attribute_id": 401,
      "value": "4000",
      "created_at": "2017-03-01 21:47:14",
      "updated_at": "2017-03-01 21:47:14",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Event Attachment Attribute

Get Single
GET/events/{event_id}/attachments/{object_link_id}/attributes/{object_link_attribute_id}

Get a single Event Attachment link Attribute.

Example URI

GET /events/1/attachments/2/attributes/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 15068,
    "object_link_id": 62326,
    "attribute_id": 136,
    "value": "Mining",
    "created_at": "2018-04-02 17:52:14",
    "updated_at": "2018-04-02 17:52:14",
    "name": "Industry",
    "attribute": {
      "id": 136,
      "name": "Industry",
      "created_at": "2018-04-02 16:25:21",
      "updated_at": "2018-04-02 16:25:21"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT/events/{event_id}/attachments/{object_link_id}/attributes/{object_link_attribute_id}

Update an Event Attachment link Attribute.

Example URI

PUT /events/1/attachments/2/attributes/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "id": 15058,
      "object_link_id": 61561,
      "attribute_id": 14,
      "value": "New Value",
      "created_at": "2017-01-24 14:54:31",
      "updated_at": "2017-03-01 22:13:22",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE/events/{event_id}/attachments/{object_link_id}/attributes/{object_link_attribute_id}

Delete an Event Attachment link Attribute.

Example URI

DELETE /events/1/attachments/2/attributes/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Attachment Comments List

Get List
GET/events/{event_id}/attachments/{object_link_id}/comments{?limit,offset,sort,with}

Get a list of Event Attachment link Comments.

Example URI

GET /events/1/attachments/2/comments?limit=500&offset=100&sort=id&with=sources
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources

A comma-separated list of related objects to include in the response. Options for this endpoint: sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 54,
      "object_link_id": 62325,
      "value": "This has some suspicious stuff.",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:19:51",
      "updated_at": "2018-04-02 18:21:06",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 54,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 56,
      "object_link_id": 62325,
      "value": "Compile date: 10/17/2011",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:20:25",
      "updated_at": "2018-04-02 16:20:25",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST/events/{event_id}/attachments/{object_link_id}/comments

Create a new Event Attachment link Comment.

Example URI

POST /events/1/attachments/2/comments
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "id": 69,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 14:12:32",
    "updated_at": "2017-03-02 14:12:32"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Event Attachment Comment

Get Single
GET /events/{event_id}/attachments/{object_link_id}/comments/{object_link_comment_id}

Get a single Event Attachment link Comment.

Example URI

GET /events/1/attachments/2/comments/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /events/{event_id}/attachments/{object_link_id}/comments/{object_link_comment_id}

Update an Event Attachment link Comment.

Example URI

PUT /events/1/attachments/2/comments/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "value": "This is an updated comment.",
    "id": 67,
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-02-28 20:18:50",
    "updated_at": "2017-03-02 14:37:49"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /events/{event_id}/attachments/{object_link_id}/comments/{object_link_comment_id}

Delete an Event Attachment link Comment.

Example URI

DELETE /events/1/attachments/2/comments/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Attributes List

Get List
GET /events/{event_id}/attributes{?limit,offset,sort,with}

Get a list of Event Attributes.

Example URI

GET /events/1/attributes?limit=500&offset=100&sort=id&with=attribute,sources
URI Parameters
event_id
integer (required) Example: 1

Event ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: attribute,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: attribute, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 10,
  "data": [
    {
      "id": 1,
      "event_id": 1,
      "attribute_id": 244,
      "value": "by 10.49.73.202 with SMTP id n10mr985440qev.55.1366601039211;",
      "created_at": "2017-03-12 06:16:22",
      "updated_at": "2017-03-20 13:30:25",
      "touched_at": "2017-03-20 13:30:25",
      "name": "X-Received",
      "attribute": {
        "id": 244,
        "name": "X-Received",
        "created_at": "2017-03-20 13:30:25",
        "updated_at": "2017-03-20 13:30:25"
      }
    },
    {
      "id": 2,
      "event_id": 1,
      "attribute_id": 245,
      "value": "198.13.119.91 smtp.rmopen.com bounce-33802-13249804149-wchiang=vt.edu@rmopen.com 2 pass",
      "created_at": "2017-01-18 09:00:26",
      "updated_at": "2017-03-20 13:30:25",
      "touched_at": "2017-03-20 13:30:25",
      "name": "X-Mirapoint-Received-SPF",
      "attribute": {
        "id": 245,
        "name": "X-Mirapoint-Received-SPF",
        "created_at": "2017-03-20 13:30:25",
        "updated_at": "2017-03-20 13:30:25"
      }
    },
    {
      "id": 3,
      "event_id": 1,
      "attribute_id": 246,
      "value": "UCE(300)",
      "created_at": "2017-03-09 17:48:10",
      "updated_at": "2017-03-20 13:30:25",
      "touched_at": "2017-03-20 13:30:25",
      "name": "X-Junkmail",
      "attribute": {
        "id": 246,
        "name": "X-Junkmail",
        "created_at": "2017-03-20 13:30:25",
        "updated_at": "2017-03-20 13:30:25"
      }
    }
  ]
}
Response  401

Access denied.
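
Added example (not part of the ThreatQ reference): a client that walks this list endpoint with limit and offset until the total in the response envelope is reached, validating the sort and with parameters as described above. The function names, the caller-supplied fetch callable, the fake server and the reading of offset as a zero-based count of records to skip are assumptions.

```python
"""Added example: page through GET /events/{event_id}/attributes with limit/offset."""
import json
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

# "with" options the reference lists for this endpoint.
ALLOWED_WITH = {"attribute", "sources"}


def build_list_path(event_id, limit, offset, sort=(), with_=()):
    """Return path plus query string for one page of Event Attributes."""
    if isinstance(event_id, bool) or not isinstance(event_id, int) or event_id < 1:
        raise ValueError("event_id must be a positive integer")
    if limit < 1 or offset < 0:
        raise ValueError("limit must be >= 1 and offset >= 0")
    unknown = set(with_) - ALLOWED_WITH
    if unknown:
        raise ValueError(f"unsupported 'with' option(s): {sorted(unknown)}")
    params = {"limit": limit, "offset": offset}
    if sort:
        # A leading minus sign reverses the order, e.g. ("-updated_at", "id").
        params["sort"] = ",".join(sort)
    if with_:
        params["with"] = ",".join(with_)
    # Keep commas literal so the query matches the documented example URI.
    return f"/events/{event_id}/attributes?" + urlencode(params, safe=",")


def iter_event_attributes(fetch, event_id, page_size=500, sort=("id",), with_=()):
    """Yield every attribute record of an event, one page at a time.

    fetch(path) -> (status, body_dict) is supplied by the caller (assumption).
    """
    offset = 0
    while True:
        status, body = fetch(build_list_path(event_id, page_size, offset, sort, with_))
        if status == 401:
            raise PermissionError("401 Access denied: access token incorrect or out of date")
        if status != 200:
            raise RuntimeError(f"unexpected status {status}")
        records = body.get("data")
        if not isinstance(records, list):
            raise RuntimeError("expected an array in the data envelope of a collection")
        yield from records
        offset += len(records)
        total = body.get("total")
        # A short page alone is not treated as the end, in case the server
        # returns fewer records than the requested limit. An empty page always
        # ends the walk, so a shrinking total cannot cause an endless loop.
        if not records or (isinstance(total, int) and offset >= total):
            return


def make_http_fetch(base_uri, access_token):
    """Transport for a real instance; base_uri has the form https://hostname/api."""
    def fetch(path):
        request = urllib.request.Request(
            base_uri.rstrip("/") + path,
            headers={"Authorization": f"Bearer {access_token}"},
        )
        try:
            with urllib.request.urlopen(request, timeout=30) as response:
                return response.status, json.load(response)
        except urllib.error.HTTPError as err:
            return err.code, {}
    return fetch


def make_fake_fetch(records):
    """Constructed stand-in for the server: slices `records` by limit and offset."""
    calls = []

    def fetch(path):
        calls.append(path)
        query = parse_qs(urlsplit(path).query)
        limit, offset = int(query["limit"][0]), int(query["offset"][0])
        return 200, {"total": len(records), "data": records[offset:offset + limit]}

    fetch.calls = calls
    return fetch


if __name__ == "__main__":
    # Constructed sample data, shaped like the records in the response above.
    sample = [{"id": i, "event_id": 1, "name": "X-Received", "value": str(i)}
              for i in range(1, 8)]
    fake = make_fake_fetch(sample)
    for record in iter_event_attributes(fake, 1, page_size=3):
        print(record["id"], record["name"])
    print(len(fake.calls), "requests sent")
```

Pass `make_http_fetch(...)` instead of the fake to run the same loop against an instance; keep the access token out of logs, since every request carries it in the Authorization header.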

Create New
POST /events/{event_id}/attributes

Create a new Event Attribute.

Example URI

POST /events/1/attributes
URI Parameters
event_id
integer (required) Example: 1

Event ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 2001,
      "event_id": 1,
      "attribute_id": 252,
      "value": "Test Value 1",
      "created_at": "2017-03-20 18:29:35",
      "updated_at": "2017-03-20 18:29:35",
      "touched_at": "2017-03-20 18:29:35",
      "name": "Test Attribute 1",
      "attribute": {
        "id": 252,
        "name": "Test Attribute 1",
        "created_at": "2017-03-20 18:29:35",
        "updated_at": "2017-03-20 18:29:35"
      }
    }
  ]
}
Response  401

Access denied.

Event Attribute

Get Single
GET /events/{event_id}/attributes/{event_attribute_id}{?with}

Get a single Event Attribute.

Example URI

GET /events/1/attributes/2?with=attribute,sources
URI Parameters
event_id
integer (required) Example: 1

Event ID

event_attribute_id
integer (required) Example: 2

Event Attribute ID

with
string (optional) Example: attribute,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: attribute, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 9,
    "event_id": 1,
    "attribute_id": 251,
    "value": "197.228.129.69",
    "created_at": "2016-12-27 21:30:21",
    "updated_at": "2017-03-20 13:30:25",
    "touched_at": "2017-03-20 13:30:25",
    "name": "X-Originator",
    "attribute": {
      "id": 251,
      "name": "X-Originator",
      "created_at": "2017-03-20 13:30:25",
      "updated_at": "2017-03-20 13:30:25"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /events/{event_id}/attributes/{event_attribute_id}{?with}

Update an Event Attribute.

Example URI

PUT /events/1/attributes/2?with=attribute,sources
URI Parameters
event_id
integer (required) Example: 1

Event ID

event_attribute_id
integer (required) Example: 2

Event Attribute ID

with
string (optional) Example: attribute,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: attribute, sources.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 9,
    "event_id": 1,
    "attribute_id": 251,
    "value": "New Value",
    "created_at": "2016-12-27 21:30:21",
    "updated_at": "2017-03-21 12:53:55",
    "touched_at": "2017-03-20 13:30:25",
    "name": "X-Originator",
    "attribute": {
      "id": 251,
      "name": "X-Originator",
      "created_at": "2017-03-20 13:30:25",
      "updated_at": "2017-03-20 13:30:25"
    }
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "event_id": "1",
    "attribute_id": "9",
    "errors": {
      "value": [
        "The value field is required."
      ]
    },
    "name": "Campaign ID",
    "attribute": {
      "id": 9,
      "name": "Campaign ID",
      "created_at": "2017-03-04 13:03:02",
      "updated_at": "2017-02-18 13:02:02"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /events/{event_id}/attributes/{event_attribute_id}

Delete an Event Attribute.

Example URI

DELETE /events/1/attributes/2
URI Parameters
event_id
integer (required) Example: 1

Event ID

event_attribute_id
integer (required) Example: 2

Event Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Attribute Source

Update
PUT /events/{event_id}/attributes/{event_attribute_id}/sources/{event_attribute_source_id}

Update an Event Attribute Source.

Example URI

PUT /events/1/attributes/2/sources/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

event_attribute_id
integer (required) Example: 2

Event Attribute ID

event_attribute_source_id
integer (required) Example: 3

Event Attribute Source ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "event_attribute_id": 1,
    "source_id": 8,
    "tlp_id": 1,
    "created_at": "2018-09-20 21:22:20",
    "updated_at": "2018-09-20 21:23:46",
    "published_at": "2017-01-01 01:01:01",
    "creator_source_id": 8
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /events/{event_id}/attributes/{event_attribute_id}/sources/{event_attribute_source_id}

Delete an Event Attribute Source.

Example URI

DELETE /events/1/attributes/2/sources/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

event_attribute_id
integer (required) Example: 2

Event Attribute ID

event_attribute_source_id
integer (required) Example: 3

Event Attribute Source ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Comments List

Get List
GET /events/{event_id}/comments{?limit,offset,sort,with}

Get a list of Event Comments.

Example URI

GET /events/1/comments?limit=500&offset=100&sort=id&with=event,sources
URI Parameters
event_id
integer (required) Example: 1

Event ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: event,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: event, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 55,
      "event_id": 1,
      "value": "This event has some suspicious stuff.",
      "creator_source_id": 5,
      "created_at": "2017-03-20 15:01:56",
      "updated_at": "2017-03-20 15:01:56"
    },
    {
      "id": 56,
      "event_id": 1,
      "value": "This event is really suspicious.",
      "creator_source_id": 5,
      "created_at": "2017-03-20 15:02:06",
      "updated_at": "2017-03-20 15:02:45"
    }
  ]
}
Response  401

Access denied.

Create New
POST /events/{event_id}/comments

Create a new Event Comment.

Example URI

POST /events/1/comments
URI Parameters
event_id
integer (required) Example: 1

Event ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 57,
    "event_id": 1,
    "value": "This is a comment.",
    "creator_source_id": 5,
    "created_at": "2017-03-20 15:11:25",
    "updated_at": "2017-03-20 15:11:25",
    "sources": [
      {
        "id": 5,
        "type": "users",
        "name": "Threat Quotient",
        "expire_days": null,
        "score": null,
        "created_at": "2017-03-20 13:29:01",
        "updated_at": "2017-03-20 13:29:01",
        "pivot": {
          "id": 57,
          "creator_source_id": 5
        }
      }
    ]
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "event_id": "1",
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Event Comment

Update
PUT /events/{event_id}/comments/{event_comment_id}{?with}

Update an Event Comment.

Example URI

PUT /events/1/comments/2?with=event,sources
URI Parameters
event_id
integer (required) Example: 1

Event ID

event_comment_id
integer (required) Example: 2

Event Comment ID

with
string (optional) Example: event,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: event, sources.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 62,
    "event_id": 1,
    "value": "This is an updated comment.",
    "creator_source_id": 5,
    "created_at": "2017-03-01 19:46:23",
    "updated_at": "2017-03-01 20:06:04",
    "sources": [
      {
        "id": 5,
        "type": "users",
        "name": "Threat Quotient",
        "expire_days": null,
        "score": null,
        "created_at": "2017-02-28 20:13:18",
        "updated_at": "2017-02-28 20:13:18",
        "pivot": {
          "id": 62,
          "creator_source_id": 5
        }
      }
    ]
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "The current authenticated owner is not the owner of this comment."
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /events/{event_id}/comments/{event_comment_id}

Delete an Event Comment.

Example URI

DELETE /events/1/comments/2
URI Parameters
event_id
integer (required) Example: 1

Event ID

event_comment_id
integer (required) Example: 2

Event Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Events List

Get List
GET /events/{event_id}/events{?limit,offset,sort,with}

Get a list of Event Event links.

Example URI

GET /events/1/events?limit=500&offset=100&sort=id&with=sources,pivot.attributes
URI Parameters
event_id
integer (required) Example: 1

Event ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 13,
      "type_id": 1,
      "title": "Origin - http://halvorson.com/quia-reprehenderit-ullam-aut-accusantium-iusto-voluptas-omnis",
      "description": "",
      "happened_at": "2018-01-25 03:17:53",
      "hash": "0ba76d18a6e5350a8e5979b5676bc8c8",
      "created_at": "2018-01-25 03:17:53",
      "updated_at": "2018-01-25 03:17:53",
      "touched_at": "2018-04-03 15:34:22",
      "deleted_at": null,
      "sources": [
        {
          "name": "Threat Quotient"
        }
      ],
      "pivot": {
        "id": 61077,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "event",
        "dest_object_id": 13,
        "created_at": "2018-02-26 00:36:06",
        "updated_at": "2018-04-03 15:34:20",
        "comments": [
          {
            "id": 55,
            "type": "users",
            "value": "This is important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-04 14:42:46.690000",
            "updated_at": "2018-04-04 14:42:46.690000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 14948,
            "name": "Industry",
            "value": "Universities",
            "sources": [
              {
                "id": 1,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 22414,
            "name": "Threat Quotient",
            "type": "clients",
            "pivot": {
              "created_at": "2018-03-05 22:01:33",
              "updated_at": "2018-04-03 15:34:22.693000"
            }
          }
        ]
      }
    },
    {
      "id": 46,
      "type_id": 1,
      "title": "Origin - http://kling.com/voluptate-nihil-sit-est-aut",
      "description": "",
      "happened_at": "2017-12-31 23:17:05",
      "hash": "e2e96a1516420fc05ad8ac04de52bd89",
      "created_at": "2017-12-31 23:17:05",
      "updated_at": "2017-12-31 23:17:05",
      "touched_at": "2018-04-03 15:34:22",
      "deleted_at": null,
      "sources": [
        {
          "name": "Domain Tools"
        },
        {
          "name": "Emerging Threats"
        },
        {
          "name": "VirusTotal"
        }
      ],
      "pivot": {
        "id": 61144,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "event",
        "dest_object_id": 46,
        "created_at": "2018-03-01 23:54:52",
        "updated_at": "2018-04-03 15:34:20",
        "comments": [
          {
            "id": 56,
            "type": "users",
            "value": "This is also important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-04 14:43:10.692000",
            "updated_at": "2018-04-04 14:43:10.692000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 14949,
            "name": "Industry",
            "value": "Mining",
            "sources": [
              {
                "id": 2,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 22513,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-02-24 09:36:30",
              "updated_at": "2018-04-03 15:34:22.693000"
            }
          },
          {
            "id": 22514,
            "name": "Customer Observer",
            "type": "users",
            "pivot": {
              "created_at": "2018-02-25 22:27:11",
              "updated_at": "2018-04-03 15:34:22.693000"
            }
          }
        ]
      }
    }
  ],
  "limit": 100,
  "offset": 0
}
Response  401

Access denied.

Create New
POST /events/{event_id}/events

Create a link from an Event to another Event.

Example URI

POST /events/1/events
URI Parameters
event_id
integer (required) Example: 1

Event ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "id": 2
  },
  {
    "id": 3
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 202,
      "type_id": 2,
      "title": "Origin - http://www.durgan.biz/vel-omnis-impedit-at-quod-quasi-reiciendis.html",
      "description": "",
      "happened_at": "2016-12-05 20:01:48",
      "hash": "d13e682a5d567d51b99f676b7bdef980",
      "created_at": "2016-12-05 20:01:48",
      "updated_at": "2016-12-05 20:01:48",
      "touched_at": "2017-02-28 20:14:59",
      "pivot": {
        "id": 62396,
        "created_at": "2017-03-01 20:55:10",
        "updated_at": "2017-03-01 20:55:10"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "id": [
          "The id field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.
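
Added example (not part of the ThreatQ reference): the 400 bodies shown for the endpoints above arrive in three shapes, and the comment update endpoint reports an ownership refusal as a 400 rather than as a 401 or 403, so a client cannot rely on the status code alone. The function names are hypothetical, the sample bodies are copied from the responses above, and matching on the ownership message text assumes that wording is stable.

```python
"""Added example: flatten the 400 response shapes shown in this reference."""
import json

# Sample bodies copied from the 400 responses documented above.
SAMPLES = {
    # POST .../attachments/{object_link_id}/comments: top-level list of strings.
    "top_level_list": json.loads('{"errors": ["Undefined index: value"]}'),
    # POST /events/{event_id}/comments: errors keyed by field inside "data".
    "data_object": json.loads(
        '{"data": {"creator_source_id": 5, "event_id": "1",'
        ' "errors": {"value": ["The value field is required."]}}}'
    ),
    # POST /events/{event_id}/events: one errors object per submitted item.
    "data_array": json.loads(
        '{"data": [{"errors": {"id": ["The id field is required."]}}]}'
    ),
    # PUT /events/{event_id}/comments/{event_comment_id}: ownership refusal.
    "ownership": json.loads(
        '{"errors": ["The current authenticated owner is not the owner'
        ' of this comment."]}'
    ),
}


def validation_errors(body):
    """Return a list of (item_index, field, message) tuples.

    item_index is set only when "data" is an array (bulk requests);
    field is None when the server did not attribute the message to a field.
    """
    found = []

    def collect(errors, index):
        if isinstance(errors, dict):
            for field, messages in errors.items():
                if isinstance(messages, str):
                    messages = [messages]
                for message in messages:
                    found.append((index, field, str(message)))
        elif isinstance(errors, list):
            for message in errors:
                found.append((index, None, str(message)))
        elif errors is not None:
            found.append((index, None, str(errors)))

    if not isinstance(body, dict):
        return found
    collect(body.get("errors"), None)
    data = body.get("data")
    if isinstance(data, dict):
        collect(data.get("errors"), None)
    elif isinstance(data, list):
        for index, item in enumerate(data):
            if isinstance(item, dict):
                collect(item.get("errors"), index)
    return found


def classify_400(body):
    """Separate an ownership refusal from plain input validation failures.

    Returns "ownership", "validation", or "unknown" when no message was found.
    """
    errors = validation_errors(body)
    if not errors:
        return "unknown"
    if any("not the owner" in message for _, _, message in errors):
        return "ownership"
    return "validation"


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify_400(body), validation_errors(body))
```

Logging the "ownership" class separately from ordinary validation failures keeps attempts to edit another user's comment visible in client-side audit trails.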

Bulk Delete
DELETE /events/{event_id}/events

Delete multiple Event Event links. The request should include a list of object_link_ids to be deleted.

Example URI

DELETE /events/1/events
URI Parameters
event_id
integer (required) Example: 1

Event ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  62351,
  62352
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Event Event

Get Single
GET /events/{event_id}/events/{object_link_id}{?with}

Get a single Event Event link.

Example URI

GET /events/1/events/2?with=sources,pivot.attributes
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 13,
    "type_id": 1,
    "title": "Origin - http://halvorson.com/quia-reprehenderit-ullam-aut-accusantium-iusto-voluptas-omnis",
    "description": "",
    "happened_at": "2018-01-25 03:17:53",
    "hash": "0ba76d18a6e5350a8e5979b5676bc8c8",
    "created_at": "2018-01-25 03:17:53",
    "updated_at": "2018-01-25 03:17:53",
    "touched_at": "2018-04-03 15:34:22",
    "pivot": {
      "id": 61077,
      "created_at": "2018-02-26 00:36:06",
      "updated_at": "2018-04-03 15:34:20",
      "comments": [
        {
          "id": 55,
          "object_link_id": 61077,
          "value": "This is important.",
          "creator_source_id": 8,
          "created_at": "2018-04-04 14:42:46",
          "updated_at": "2018-04-04 14:42:46",
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "expire_days": null,
              "score": null,
              "created_at": "2018-04-03 15:31:57",
              "updated_at": "2018-04-03 15:31:57",
              "pivot": {
                "id": 55,
                "creator_source_id": 8
              }
            }
          ]
        }
      ],
      "attributes": [
        {
          "id": 14948,
          "object_link_id": 61077,
          "attribute_id": 135,
          "value": "Universities",
          "created_at": "2018-04-04 14:38:39",
          "updated_at": "2018-04-04 14:38:39",
          "name": "Industry",
          "attribute": {
            "id": 135,
            "name": "Industry",
            "created_at": "2018-04-03 19:41:04",
            "updated_at": "2018-04-03 19:41:04"
          },
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "tlp_id": null,
              "created_at": "-0001-11-30 00:00:00",
              "updated_at": "-0001-11-30 00:00:00",
              "published_at": null,
              "pivot": {
                "object_link_attribute_id": 14948,
                "source_id": 8,
                "id": 1,
                "creator_source_id": 0
              }
            }
          ]
        }
      ],
      "sources": [
        {
          "id": 2,
          "type": "clients",
          "name": "Threat Quotient",
          "tlp_id": null,
          "created_at": "2018-03-05 22:01:33",
          "updated_at": "2018-04-03 15:34:22",
          "published_at": null,
          "pivot": {
            "object_link_id": 61077,
            "source_id": 2,
            "id": 22414,
            "creator_source_id": 2
          }
        }
      ]
    },
    "sources": [
      {
        "id": 8,
        "type": "users",
        "name": "Threat Quotient",
        "tlp_id": null,
        "created_at": "2018-02-24 22:23:15",
        "updated_at": "2018-04-03 15:34:22",
        "published_at": null,
        "pivot": {
          "event_id": 13,
          "source_id": 8,
          "id": 27,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /events/{event_id}/events/{object_link_id}

Delete an Event Event link.

Example URI

DELETE /events/1/events/2
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Event Attributes List

Get List
GET /events/{event_id}/events/{object_link_id}/attributes{?limit,offset,sort}

Get a list of Event Event link Attributes.

Example URI

GET /events/1/events/2/attributes?limit=500&offset=100&sort=id
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 15067,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Universities",
      "created_at": "2018-04-02 17:46:43",
      "updated_at": "2018-04-02 17:50:18",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    },
    {
      "id": 15068,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Mining",
      "created_at": "2018-04-02 17:52:14",
      "updated_at": "2018-04-02 17:52:14",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /events/{event_id}/events/{object_link_id}/attributes

Create a new Event Event link Attribute.

Example URI

POST /events/1/events/2/attributes
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": 15059,
      "object_link_id": 61561,
      "attribute_id": 401,
      "value": "4000",
      "created_at": "2017-03-01 21:47:14",
      "updated_at": "2017-03-01 21:47:14",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Event Event Attribute

Get Single
GET /events/{event_id}/events/{object_link_id}/attributes/{object_link_attribute_id}

Get a single Event Event link Attribute.

Example URI

GET /events/1/events/2/attributes/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 15068,
    "object_link_id": 62326,
    "attribute_id": 136,
    "value": "Mining",
    "created_at": "2018-04-02 17:52:14",
    "updated_at": "2018-04-02 17:52:14",
    "name": "Industry",
    "attribute": {
      "id": 136,
      "name": "Industry",
      "created_at": "2018-04-02 16:25:21",
      "updated_at": "2018-04-02 16:25:21"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /events/{event_id}/events/{object_link_id}/attributes/{object_link_attribute_id}

Update an Event Event link Attribute.

Example URI

PUT /events/1/events/2/attributes/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "id": 15058,
      "object_link_id": 61561,
      "attribute_id": 14,
      "value": "New Value",
      "created_at": "2017-01-24 14:54:31",
      "updated_at": "2017-03-01 22:13:22",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /events/{event_id}/events/{object_link_id}/attributes/{object_link_attribute_id}

Delete an Event Event link Attribute.

Example URI

DELETE /events/1/events/2/attributes/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Event Comments List

Get List
GET /events/{event_id}/events/{object_link_id}/comments{?limit,offset,sort,with}

Get a list of Event Event link Comments.

Example URI

GET /events/1/events/2/comments?limit=500&offset=100&sort=id&with=sources
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources

A comma-separated list of related objects to include in the response. Options for this endpoint: sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 54,
      "object_link_id": 62325,
      "value": "This has some suspicious stuff.",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:19:51",
      "updated_at": "2018-04-02 18:21:06",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 54,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 56,
      "object_link_id": 62325,
      "value": "Compile date: 10/17/2011",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:20:25",
      "updated_at": "2018-04-02 16:20:25",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /events/{event_id}/events/{object_link_id}/comments

Create a new Event Event link Comment.

Example URI

POST /events/1/events/2/comments
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "id": 69,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 14:12:32",
    "updated_at": "2017-03-02 14:12:32"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Event Event Comment

Get Single
GET /events/{event_id}/events/{object_link_id}/comments/{object_link_comment_id}

Get a single Event Event link Comment.

Example URI

GET /events/1/events/2/comments/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /events/{event_id}/events/{object_link_id}/comments/{object_link_comment_id}

Update an Event Event link Comment.

Example URI

PUT /events/1/events/2/comments/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "value": "This is an updated comment.",
    "id": 67,
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-02-28 20:18:50",
    "updated_at": "2017-03-02 14:37:49"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /events/{event_id}/events/{object_link_id}/comments/{object_link_comment_id}

Delete an Event Event link Comment.

Example URI

DELETE /events/1/events/2/comments/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Indicators List

Get List
GET /events/{event_id}/indicators{?limit,offset,sort,with}

Get a list of Event Indicator links.

Example URI

GET /events/1/indicators?limit=500&offset=100&sort=id&with=sources,pivot.attributes
URI Parameters
event_id
integer (required) Example: 1

Event ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 24,
      "type_id": 3,
      "status_id": 3,
      "class": "network",
      "hash": "bc77846655cdf4c183713a59f8c2a8f1",
      "value": "brendon57@hotmail.com",
      "description": null,
      "last_detected_at": "2002-06-23 14:29:54",
      "expires_at": null,
      "expired_at": null,
      "expires_needs_calc": "Y",
      "expires_calculated_at": null,
      "created_at": "2018-04-04 19:28:34",
      "updated_at": "2018-04-04 19:28:34",
      "touched_at": "2018-04-04 19:30:57",
      "deleted_at": null,
      "sources": [
        {
          "name": "ThreatQ Example Feed"
        }
      ],
      "pivot": {
        "id": 14896,
        "src_type": "indicator",
        "src_object_id": 24,
        "dest_type": "adversary",
        "dest_object_id": 1,
        "created_at": "2018-04-04 19:28:34",
        "updated_at": "2018-04-04 19:28:34",
        "comments": [
          {
            "id": 54,
            "type": "users",
            "value": "This link is important.",
            "created_at": "2018-04-04 20:05:39.284000",
            "updated_at": "2018-04-04 20:05:39.284000",
            "creator_source_id": 8,
            "sources": [
              {
                "id": 8,
                "name": "Threat Quotient"
              }
            ]
          }
        ],
        "attributes": [
          {
            "id": 43,
            "name": "Confidence",
            "value": "75",
            "sources": [
              {
                "id": 1,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 62,
            "name": "VirusTotal",
            "type": "plugins",
            "pivot": {
              "created_at": "2018-02-19 02:14:29",
              "updated_at": "2018-04-04 19:30:59.439000"
            }
          }
        ]
      }
    },
    {
      "id": 74,
      "type_id": 3,
      "status_id": 3,
      "class": "network",
      "hash": "890a7aa3415d8b4fa39d9f51a026b7d8",
      "value": "hazel.kilback@hotmail.com",
      "description": null,
      "last_detected_at": "1992-07-15 20:23:27",
      "expires_at": null,
      "expired_at": null,
      "expires_needs_calc": "Y",
      "expires_calculated_at": null,
      "created_at": "2018-04-04 19:28:35",
      "updated_at": "2018-04-04 19:28:35",
      "touched_at": "2018-04-04 19:30:57",
      "deleted_at": null,
      "sources": [
        {
          "name": "Customer Admin"
        }
      ],
      "pivot": {
        "id": 14991,
        "src_type": "indicator",
        "src_object_id": 74,
        "dest_type": "adversary",
        "dest_object_id": 1,
        "created_at": "2018-04-04 19:28:35",
        "updated_at": "2018-04-04 19:28:35",
        "comments": [
          {
            "id": 56,
            "type": "users",
            "value": "This link is also important.",
            "created_at": "2018-04-04 20:09:29.324000",
            "updated_at": "2018-04-04 20:09:29.324000",
            "creator_source_id": 8,
            "sources": [
              {
                "id": 8,
                "name": "Threat Quotient"
              }
            ]
          }
        ],
        "attributes": [
          {
            "id": 138,
            "name": "Confidence",
            "value": "75",
            "sources": [
              {
                "id": 2,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 200,
            "name": "Emerging Threats",
            "type": "plugins",
            "pivot": {
              "created_at": "2018-01-13 11:24:36",
              "updated_at": "2018-04-04 19:30:59.439000"
            }
          }
        ]
      }
    }
  ],
  "limit": 2,
  "offset": 0
}
Response  401

Access denied.
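
The following is an added example, not ThreatQuotient code: a client-side helper that builds the Get List URI for Event Indicator links from validated parameters and walks the collection with limit and offset. The `send` transport, the `fake_send` stand-in server, the token and the five records are constructed for illustration, and the loop assumes `total` counts all matching records rather than the current page.

```python
import json
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# "with" options the reference lists for GET /events/{event_id}/indicators.
WITH_OPTIONS = frozenset({
    "pivot.comments", "pivot.comments.sources", "pivot.attributes",
    "pivot.attributes.attribute", "pivot.attributes.sources",
    "pivot.sources", "sources",
})
SORT_FIELD = re.compile(r"-?[a-z_]+")  # optional leading "-" reverses the order


class ApiError(Exception):
    """Raised for any non-200 answer or a malformed response envelope."""


def _checked_int(name, value, minimum=1):
    # Path and paging values are integers in the reference; refusing anything
    # else keeps caller-supplied strings out of the URL path.
    if isinstance(value, bool) or not isinstance(value, int) or value < minimum:
        raise ValueError(f"{name} must be an integer >= {minimum}")
    return value


def build_list_path(event_id, limit=None, offset=None, sort=(), with_=()):
    """Return the relative URI for the Event Indicators list endpoint."""
    _checked_int("event_id", event_id)
    query = []
    if limit is not None:
        query.append(("limit", _checked_int("limit", limit)))
    if offset is not None:
        query.append(("offset", _checked_int("offset", offset, minimum=0)))
    if sort:
        bad = [f for f in sort if not SORT_FIELD.fullmatch(f)]
        if bad:
            raise ValueError(f"invalid sort field(s): {bad}")
        query.append(("sort", ",".join(sort)))
    if with_:
        unknown = sorted(set(with_) - WITH_OPTIONS)
        if unknown:
            raise ValueError(f"unsupported 'with' option(s): {unknown}")
        query.append(("with", ",".join(with_)))
    path = f"/events/{event_id}/indicators"
    return path + ("?" + urlencode(query, safe=",") if query else "")


def iter_indicator_links(send, token, event_id, page_size=500, **params):
    """Yield every link, one page at a time. `send` is an injected transport
    with the signature send(method, path, headers) -> (status, body_text)."""
    headers = {"Authorization": f"Bearer {token}"}
    offset = 0
    while True:
        path = build_list_path(event_id, limit=page_size, offset=offset, **params)
        status, body = send("GET", path, headers)
        if status == 401:
            raise ApiError("401 Access denied: token is wrong or out of date")
        if status != 200:
            raise ApiError(f"unexpected status {status}")
        envelope = json.loads(body)
        page = envelope.get("data")
        if not isinstance(page, list):
            raise ApiError("collection response must carry a 'data' array")
        yield from page
        offset += len(page)
        # Assumption: "total" counts all matching records, not just this page.
        total = envelope.get("total")
        if not page or (isinstance(total, int) and offset >= total):
            return


# Constructed stand-in for a ThreatQ instance: five links, one valid token.
_LINKS = [{"id": i, "pivot": {"id": 14000 + i}} for i in range(1, 6)]


def fake_send(method, path, headers):
    """Answer GET list requests from the constructed records above."""
    if headers.get("Authorization") != "Bearer constructed-token":
        return 401, ""
    q = parse_qs(urlsplit(path).query)
    limit, offset = int(q["limit"][0]), int(q["offset"][0])
    rows = sorted(_LINKS, key=lambda r: r["id"], reverse=q.get("sort") == ["-id"])
    body = {"total": len(rows), "data": rows[offset:offset + limit],
            "limit": limit, "offset": offset}
    return 200, json.dumps(body)
```

Swapping `fake_send` for a function that performs the HTTPS request against the base URI leaves the validation and paging logic unchanged.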

Create New
POST /events/{event_id}/indicators

Create a link from an Indicator to an Event.

Example URI

POST /events/1/indicators
URI Parameters
event_id
integer (required) Example: 1

Event ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "id": 2
  },
  {
    "id": 3
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 202,
      "type_id": 2,
      "status_id": 3,
      "class": "network",
      "hash": "bba60e76a34af96122b9f44e67ae8ea7",
      "value": "oolson@yahoo.com",
      "last_detected_at": "2013-12-13 08:58:00",
      "expires_at": null,
      "expired_at": null,
      "expires_calculated_at": null,
      "created_at": "2017-02-28 20:13:19",
      "updated_at": "2017-02-28 20:13:19",
      "touched_at": "2017-03-02 14:57:32",
      "pivot": {
        "id": 62397,
        "created_at": "2017-03-02 14:57:32",
        "updated_at": "2017-03-02 14:57:32"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "id": [
          "The id field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.

Bulk Delete
DELETE /events/{event_id}/indicators

Delete multiple Event Indicator links. The request should include a list of object_link_ids to be deleted.

Example URI

DELETE /events/1/indicators
URI Parameters
event_id
integer (required) Example: 1

Event ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  62351,
  62352
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Event Indicator

Get Single
GET /events/{event_id}/indicators/{object_link_id}{?with}

Get a single Event Indicator link.

Example URI

GET /events/1/indicators/2?with=sources,pivot.attributes
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 24,
    "type_id": 3,
    "status_id": 3,
    "class": "network",
    "hash": "bc77846655cdf4c183713a59f8c2a8f1",
    "value": "brendon57@hotmail.com",
    "description": null,
    "last_detected_at": "2002-06-23 14:29:54",
    "expires_at": null,
    "expired_at": null,
    "expires_needs_calc": "Y",
    "expires_calculated_at": null,
    "created_at": "2018-04-04 19:28:34",
    "updated_at": "2018-04-04 19:28:34",
    "touched_at": "2018-04-04 19:30:57",
    "pivot": {
      "id": 14896,
      "created_at": "2018-03-09 14:32:27",
      "updated_at": "2018-04-04 19:30:29",
      "comments": [
        {
          "id": 54,
          "object_link_id": 14896,
          "value": "This link is also important.",
          "creator_source_id": 8,
          "created_at": "2018-04-04 20:05:39",
          "updated_at": "2018-04-04 20:05:39",
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "expire_days": null,
              "score": null,
              "created_at": "2018-04-04 19:28:33",
              "updated_at": "2018-04-04 19:28:33",
              "pivot": {
                "id": 54,
                "creator_source_id": 8
              }
            }
          ]
        }
      ],
      "attributes": [
        {
          "id": 43,
          "object_link_id": 14896,
          "attribute_id": 13,
          "value": "75",
          "created_at": "2018-02-24 14:33:41",
          "updated_at": "-0001-11-30 00:00:00",
          "name": "Confidence",
          "attribute": {
            "id": 13,
            "name": "Confidence",
            "created_at": "2018-03-28 19:03:33",
            "updated_at": "2018-03-24 19:03:33"
          },
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "tlp_id": null,
              "created_at": "-0001-11-30 00:00:00",
              "updated_at": "-0001-11-30 00:00:00",
              "published_at": null,
              "pivot": {
                "object_link_attribute_id": 43,
                "source_id": 8,
                "id": 1,
                "creator_source_id": 0
              }
            }
          ]
        }
      ],
      "sources": [
        {
          "id": 5,
          "type": "plugins",
          "name": "VirusTotal",
          "tlp_id": null,
          "created_at": "2018-02-19 02:14:29",
          "updated_at": "2018-04-04 19:30:59",
          "published_at": null,
          "pivot": {
            "object_link_id": 14896,
            "source_id": 5,
            "id": 62,
            "creator_source_id": 5
          }
        }
      ]
    },
    "sources": [
      {
        "id": 3,
        "type": "clients",
        "name": "ThreatQ",
        "tlp_id": null,
        "created_at": "2018-04-04 19:28:35",
        "updated_at": "2018-04-04 19:28:35",
        "published_at": null,
        "pivot": {
          "indicator_id": 24,
          "source_id": 3,
          "id": 59,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /events/{event_id}/indicators/{object_link_id}

Delete an Event Indicator link.

Example URI

DELETE /events/1/indicators/2
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Indicator Attributes List

Get List
GET /events/{event_id}/indicators/{object_link_id}/attributes{?limit,offset,sort}

Get a list of Event Indicator link Attributes.

Example URI

GET /events/1/indicators/2/attributes?limit=500&offset=100&sort=id
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 15067,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Universities",
      "created_at": "2018-04-02 17:46:43",
      "updated_at": "2018-04-02 17:50:18",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    },
    {
      "id": 15068,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Mining",
      "created_at": "2018-04-02 17:52:14",
      "updated_at": "2018-04-02 17:52:14",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /events/{event_id}/indicators/{object_link_id}/attributes

Create a new Event Indicator link Attribute.

Example URI

POST /events/1/indicators/2/attributes
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": 15059,
      "object_link_id": 61561,
      "attribute_id": 401,
      "value": "4000",
      "created_at": "2017-03-01 21:47:14",
      "updated_at": "2017-03-01 21:47:14",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Event Indicator Attribute

Get Single
GET /events/{event_id}/indicators/{object_link_id}/attributes/{object_link_attribute_id}

Get a single Event Indicator link Attribute.

Example URI

GET /events/1/indicators/2/attributes/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 15068,
    "object_link_id": 62326,
    "attribute_id": 136,
    "value": "Mining",
    "created_at": "2018-04-02 17:52:14",
    "updated_at": "2018-04-02 17:52:14",
    "name": "Industry",
    "attribute": {
      "id": 136,
      "name": "Industry",
      "created_at": "2018-04-02 16:25:21",
      "updated_at": "2018-04-02 16:25:21"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /events/{event_id}/indicators/{object_link_id}/attributes/{object_link_attribute_id}

Update an Event Indicator link Attribute.

Example URI

PUT /events/1/indicators/2/attributes/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "id": 15058,
      "object_link_id": 61561,
      "attribute_id": 14,
      "value": "New Value",
      "created_at": "2017-01-24 14:54:31",
      "updated_at": "2017-03-01 22:13:22",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /events/{event_id}/indicators/{object_link_id}/attributes/{object_link_attribute_id}

Delete an Event Indicator link Attribute.

Example URI

DELETE /events/1/indicators/2/attributes/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Indicator Comments List

Get List
GET /events/{event_id}/indicators/{object_link_id}/comments{?limit,offset,sort,with}

Get a list of Event Indicator link Comments.

Example URI

GET /events/1/indicators/2/comments?limit=500&offset=100&sort=id&with=sources
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources

A comma-separated list of related objects to include in the response. Options for this endpoint: sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 54,
      "object_link_id": 62325,
      "value": "This has some suspicious stuff.",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:19:51",
      "updated_at": "2018-04-02 18:21:06",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 54,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 56,
      "object_link_id": 62325,
      "value": "Compile date: 10/17/2011",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:20:25",
      "updated_at": "2018-04-02 16:20:25",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /events/{event_id}/indicators/{object_link_id}/comments

Create a new Event Indicator link Comment.

Example URI

POST /events/1/indicators/2/comments
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "id": 69,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 14:12:32",
    "updated_at": "2017-03-02 14:12:32"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Event Indicator Comment

Get Single
GET /events/{event_id}/indicators/{object_link_id}/comments/{object_link_comment_id}

Get a single Event Indicator link Comment.

Example URI

GET /events/1/indicators/2/comments/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /events/{event_id}/indicators/{object_link_id}/comments/{object_link_comment_id}

Update an Event Indicator link Comment.

Example URI

PUT /events/1/indicators/2/comments/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "value": "This is an updated comment.",
    "id": 67,
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-02-28 20:18:50",
    "updated_at": "2017-03-02 14:37:49"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /events/{event_id}/indicators/{object_link_id}/comments/{object_link_comment_id}

Delete an Event Indicator link Comment.

Example URI

DELETE /events/1/indicators/2/comments/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Signatures List

Get List
GET /events/{event_id}/signatures{?limit,offset,sort,with}

Get a list of Event Signature links.

Example URI

GET /events/1/signatures?limit=500&offset=100&sort=id&with=sources,pivot.attributes
URI Parameters
event_id
integer (required) Example: 1

Event ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 2,
      "name": "ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow (2007937:4)",
      "description": "",
      "hash": "8cf2e60aeb0b7ed9874f2ed379b3f42d",
      "value": "alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:\"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow\"; content:\"|44 53 52 65 71 75 65 73 74|\"; pcre:\"/[0-9a-zA-Z]{50}/R\"; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; classtype:successful-dos; sid:2007937; rev:4;)",
      "status_id": 3,
      "type_id": 6,
      "last_detected_at": null,
      "created_at": "2018-04-04 19:30:18",
      "updated_at": "2018-04-04 19:30:18",
      "touched_at": "2018-04-04 23:02:46",
      "deleted_at": null,
      "sources": [
        {
          "name": "Threat Quotient"
        }
      ],
      "pivot": {
        "id": 62261,
        "src_type": "signature",
        "src_object_id": 2,
        "dest_type": "adversary",
        "dest_object_id": 1,
        "created_at": "2018-04-04 19:30:18",
        "updated_at": "2018-04-04 19:30:18",
        "comments": [
          {
            "id": 57,
            "type": "users",
            "value": "This link is important.",
            "created_at": "2018-04-04 23:16:40.155000",
            "updated_at": "2018-04-04 23:18:42.648000",
            "creator_source_id": 8,
            "sources": [
              {
                "id": 8,
                "name": "Threat Quotient"
              }
            ]
          }
        ],
        "attributes": [
          {
            "id": 15080,
            "name": "Industry",
            "value": "Universities",
            "sources": [
              {
                "id": 3,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24298,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-04 23:02:46.740000",
              "updated_at": "2018-04-04 23:02:46.740000"
            }
          }
        ]
      }
    },
    {
      "id": 1,
      "name": "ET EXPLOIT Arkeia full remote access without password or authentication (2001742:9)",
      "description": "",
      "hash": "737309fe355ef23e1c03a5e98bc364b5",
      "value": "alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:\"ET EXPLOIT Arkeia full remote access without password or authentication\"; flow:to_server,established; content:\"|464F3A20596F75206861766520737563|\"; content:\"|6520636C69656E7420696E666F726D61|\"; reference:url,metasploit.com/research/vulns/arkeia_agent; reference:url,doc.emergingthreats.net/bin/view/Main/2001742; classtype:attempted-admin; sid:2001742; rev:9;)",
      "status_id": 3,
      "type_id": 6,
      "last_detected_at": null,
      "created_at": "2018-04-04 19:30:18",
      "updated_at": "2018-04-04 19:30:18",
      "touched_at": "2018-04-04 23:03:35",
      "deleted_at": null,
      "sources": [
        {
          "name": "Threat Quotient"
        }
      ],
      "pivot": {
        "id": 62262,
        "src_type": "signature",
        "src_object_id": 1,
        "dest_type": "adversary",
        "dest_object_id": 1,
        "created_at": "2018-04-04 19:30:18",
        "updated_at": "2018-04-04 19:30:18",
        "comments": [
          {
            "id": 58,
            "type": "users",
            "value": "This link is also important.",
            "created_at": "2018-04-04 23:16:58.817000",
            "updated_at": "2018-04-04 23:16:58.817000",
            "creator_source_id": 8,
            "sources": [
              {
                "id": 8,
                "name": "Threat Quotient"
              }
            ]
          }
        ],
        "attributes": [
          {
            "id": 15081,
            "name": "Industry",
            "value": "Mining",
            "sources": [
              {
                "id": 4,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24300,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-04 23:03:35.975000",
              "updated_at": "2018-04-04 23:03:35.975000"
            }
          }
        ]
      }
    }
  ],
  "limit": 100,
  "offset": 0
}
Response  401

Access denied.

Create New
POST /events/{event_id}/signatures

Create a link from a Signature to an Event.

Example URI

POST /events/1/signatures
URI Parameters
event_id
integer (required) Example: 1

Event ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "id": 2
  },
  {
    "id": 3
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 202,
      "name": "ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 27 (2019448:1)",
      "description": "",
      "hash": "32eb2da7b59c7e85fbeec98f90adaf2d",
      "value": "alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:\"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 27\"; flow:established,to_server; content:\"%6e%61m%65[\"; nocase; fast_pattern:only; http_client_body; pcre:\"/(?:^|&|Content-Disposition[\\x3a][^\\n]*?name\\s*?=\\s*?[\\x22\\x27])\\%6e\\%61m\\%65\\[[^\\x5d]*?\\W/Pi\"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019448; rev:1;)",
      "status_id": 4,
      "type_id": 1,
      "last_detected_at": null,
      "created_at": "2017-03-02 16:34:40",
      "updated_at": "2017-03-02 16:34:40",
      "touched_at": "2017-03-02 16:34:41",
      "pivot": {
        "id": 62337,
        "created_at": "2017-03-02 16:43:29",
        "updated_at": "2017-03-02 16:43:29"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "id": [
          "The id field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.

Bulk Delete
DELETE /events/{event_id}/signatures

Delete multiple Event Signature links. The request should include a list of object_link_ids to be deleted.

Example URI

DELETE /events/1/signatures
URI Parameters
event_id
integer (required) Example: 1

Event ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  62351,
  62352
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.
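
The calls above use two different identifiers: Create New takes Signature ids, while Bulk Delete takes object_link_ids, which the sample bodies on this page carry as pivot.id. The following added example (not ThreatQuotient code) pages through the list with limit/offset and builds the Bulk Delete body from pivot.id; it assumes total is the full count of links, and fetch_page, make_fake_fetch and the other function names are hypothetical.

```python
import json
import re
from typing import Callable, Dict, Iterable, Iterator, List, Tuple

# Constructed sample: the two records from the 200 body above, cut down to
# the fields used here (rule text shortened).
SAMPLE_LINKS = [
    {"id": 2,
     "value": 'alert udp $EXTERNAL_NET any -> $HOME_NET 14000 '
              '(msg:"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow"; '
              'classtype:successful-dos; sid:2007937; rev:4;)',
     "pivot": {"id": 62261}},
    {"id": 1,
     "value": 'alert tcp $EXTERNAL_NET any -> $HOME_NET 617 '
              '(msg:"ET EXPLOIT Arkeia full remote access without password '
              'or authentication"; classtype:attempted-admin; sid:2001742; rev:9;)',
     "pivot": {"id": 62262}},
]

FetchPage = Callable[[str, Dict[str, object]], dict]


def make_fake_fetch(records: List[dict], calls: list) -> FetchPage:
    """Offline stand-in for an authenticated GET (hypothetical helper).

    Returns the envelope shape documented above: total, data, limit, offset.
    """
    def fetch(path: str, params: Dict[str, object]) -> dict:
        calls.append((path, dict(params)))
        start, limit = int(params["offset"]), int(params["limit"])
        return {"total": len(records), "data": records[start:start + limit],
                "limit": limit, "offset": start}
    return fetch


def iter_signature_links(fetch_page: FetchPage, event_id: int,
                         limit: int = 500) -> Iterator[dict]:
    """Yield every record of GET /events/{event_id}/signatures.

    Pages by offset and sorts by id so the order is stable between requests.
    Stops on an empty page as well as on reaching total (assumption: total
    counts all links, not just the current page).
    """
    offset = 0
    while True:
        envelope = fetch_page(f"/events/{int(event_id)}/signatures",
                              {"limit": limit, "offset": offset, "sort": "id"})
        records = envelope.get("data") or []
        yield from records
        offset += len(records)
        if not records or offset >= int(envelope.get("total") or 0):
            return


SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def link_ids_by_sid(records: Iterable[dict]) -> Dict[int, int]:
    """Map the rule's sid (parsed from value) to the link's pivot.id."""
    mapping: Dict[int, int] = {}
    for rec in records:
        match = SID_RE.search(rec.get("value") or "")
        link_id = (rec.get("pivot") or {}).get("id")
        if match and type(link_id) is int:
            mapping[int(match.group(1))] = link_id
    return mapping


def bulk_delete_request(event_id: int,
                        link_ids: Iterable[int]) -> Tuple[str, str, str]:
    """Build method, path and JSON body for DELETE /events/{event_id}/signatures.

    The body is a bare JSON array of object_link_ids, as in the request above.
    Non-integer or empty input is rejected before anything is sent.
    """
    ids = list(link_ids)
    if not ids or any(type(i) is not int or i <= 0 for i in ids):
        raise ValueError("expected a non-empty list of positive integer "
                         "object_link_ids")
    body = json.dumps(sorted(set(ids)))
    return "DELETE", f"/events/{int(event_id)}/signatures", body


if __name__ == "__main__":
    calls: list = []
    links = list(iter_signature_links(make_fake_fetch(SAMPLE_LINKS, calls), 1,
                                      limit=1))
    by_sid = link_ids_by_sid(links)
    print(bulk_delete_request(1, [by_sid[2007937]]))
```

Passing a Signature id (2) where the object_link_id (62261) is expected would still be a well-formed request, so the lookup through pivot.id is what keeps a cleanup job from removing the wrong link.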

Event Signature

Get Single
GET /events/{event_id}/signatures/{object_link_id}{?with}

Get a single Event Signature link.

Example URI

GET /events/1/signatures/2?with=sources,pivot.attributes
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 2,
    "name": "ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow (2007937:4)",
    "description": "",
    "hash": "8cf2e60aeb0b7ed9874f2ed379b3f42d",
    "value": "alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:\"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow\"; content:\"|44 53 52 65 71 75 65 73 74|\"; pcre:\"/[0-9a-zA-Z]{50}/R\"; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; classtype:successful-dos; sid:2007937; rev:4;)",
    "status_id": 3,
    "type_id": 6,
    "last_detected_at": null,
    "created_at": "2018-04-04 19:30:18",
    "updated_at": "2018-04-04 19:30:18",
    "touched_at": "2018-04-04 23:02:46",
    "pivot": {
      "id": 62261,
      "created_at": "2018-04-04 23:02:46",
      "updated_at": "2018-04-04 23:02:46",
      "comments": [
        {
          "id": 57,
          "object_link_id": 62261,
          "value": "This link is important.",
          "creator_source_id": 8,
          "created_at": "2018-04-04 23:16:40",
          "updated_at": "2018-04-04 23:18:42",
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "expire_days": null,
              "score": null,
              "created_at": "2018-04-04 19:28:33",
              "updated_at": "2018-04-04 19:28:33",
              "pivot": {
                "id": 57,
                "creator_source_id": 8
              }
            }
          ]
        }
      ],
      "attributes": [
        {
          "id": 15080,
          "object_link_id": 62261,
          "attribute_id": 135,
          "value": "Universities",
          "created_at": "2018-04-04 23:09:28",
          "updated_at": "2018-04-04 23:09:28",
          "name": "Industry",
          "attribute": {
            "id": 135,
            "name": "Industry",
            "created_at": "2018-04-04 20:01:00",
            "updated_at": "2018-04-04 20:01:00"
          },
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "tlp_id": null,
              "created_at": "-0001-11-30 00:00:00",
              "updated_at": "-0001-11-30 00:00:00",
              "published_at": null,
              "pivot": {
                "object_link_attribute_id": 15080,
                "source_id": 8,
                "id": 3,
                "creator_source_id": 0
              }
            }
          ]
        }
      ],
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "tlp_id": null,
          "created_at": "2018-04-04 23:02:46",
          "updated_at": "2018-04-04 23:02:46",
          "published_at": null,
          "pivot": {
            "object_link_id": 62261,
            "source_id": 8,
            "id": 24298,
            "creator_source_id": 8
          }
        }
      ]
    },
    "sources": [
      {
        "id": 8,
        "type": "users",
        "name": "Threat Quotient",
        "tlp_id": null,
        "created_at": "2018-04-04 19:30:18",
        "updated_at": "2018-04-04 19:30:18",
        "published_at": null,
        "pivot": {
          "signature_id": 2,
          "source_id": 8,
          "id": 2,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /events/{event_id}/signatures/{object_link_id}

Delete an Event Signature link.

Example URI

DELETE /events/1/signatures/2
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Signature Attributes List

Get List
GET /events/{event_id}/signatures/{object_link_id}/attributes{?limit,offset,sort}

Get a list of Event Signature link Attributes.

Example URI

GET /events/1/signatures/2/attributes?limit=500&offset=100&sort=id
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 15067,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Universities",
      "created_at": "2018-04-02 17:46:43",
      "updated_at": "2018-04-02 17:50:18",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    },
    {
      "id": 15068,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Mining",
      "created_at": "2018-04-02 17:52:14",
      "updated_at": "2018-04-02 17:52:14",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /events/{event_id}/signatures/{object_link_id}/attributes

Create a new Event Signature link Attribute.

Example URI

POST /events/1/signatures/2/attributes
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": 15059,
      "object_link_id": 61561,
      "attribute_id": 401,
      "value": "4000",
      "created_at": "2017-03-01 21:47:14",
      "updated_at": "2017-03-01 21:47:14",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Event Signature Attribute

Get Single
GET /events/{event_id}/signatures/{object_link_id}/attributes/{object_link_attribute_id}

Get a single Event Signature link Attribute.

Example URI

GET /events/1/signatures/2/attributes/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 15068,
    "object_link_id": 62326,
    "attribute_id": 136,
    "value": "Mining",
    "created_at": "2018-04-02 17:52:14",
    "updated_at": "2018-04-02 17:52:14",
    "name": "Industry",
    "attribute": {
      "id": 136,
      "name": "Industry",
      "created_at": "2018-04-02 16:25:21",
      "updated_at": "2018-04-02 16:25:21"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /events/{event_id}/signatures/{object_link_id}/attributes/{object_link_attribute_id}

Update an Event Signature link Attribute.

Example URI

PUT /events/1/signatures/2/attributes/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "id": 15058,
      "object_link_id": 61561,
      "attribute_id": 14,
      "value": "New Value",
      "created_at": "2017-01-24 14:54:31",
      "updated_at": "2017-03-01 22:13:22",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /events/{event_id}/signatures/{object_link_id}/attributes/{object_link_attribute_id}

Delete an Event Signature link Attribute.

Example URI

DELETE /events/1/signatures/2/attributes/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Signature Comments List

Get List
GET /events/{event_id}/signatures/{object_link_id}/comments{?limit,offset,sort,with}

Get a list of Event Signature link Comments.

Example URI

GET /events/1/signatures/2/comments?limit=500&offset=100&sort=id&with=sources
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources

A comma-separated list of related objects to include in the response. Options for this endpoint: sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 54,
      "object_link_id": 62325,
      "value": "This has some suspicious stuff.",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:19:51",
      "updated_at": "2018-04-02 18:21:06",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 54,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 56,
      "object_link_id": 62325,
      "value": "Compile date: 10/17/2011",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:20:25",
      "updated_at": "2018-04-02 16:20:25",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /events/{event_id}/signatures/{object_link_id}/comments

Create a new Event Signature link Comment.

Example URI

POST /events/1/signatures/2/comments
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "id": 69,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 14:12:32",
    "updated_at": "2017-03-02 14:12:32"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Event Signature Comment

Get Single
GET /events/{event_id}/signatures/{object_link_id}/comments/{object_link_comment_id}

Get a single Event Signature link Comment.

Example URI

GET /events/1/signatures/2/comments/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /events/{event_id}/signatures/{object_link_id}/comments/{object_link_comment_id}

Update an Event Signature link Comment.

Example URI

PUT /events/1/signatures/2/comments/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "value": "This is an updated comment.",
    "id": 67,
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-02-28 20:18:50",
    "updated_at": "2017-03-02 14:37:49"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /events/{event_id}/signatures/{object_link_id}/comments/{object_link_comment_id}

Delete an Event Signature link Comment.

Example URI

DELETE /events/1/signatures/2/comments/3
URI Parameters
event_id
integer (required) Example: 1

Event ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Sources

Get List
GET /events/{event_id}/sources{?limit,offset,sort,with}

Get a list of Event Sources.

Example URI

GET /events/1/sources?limit=500&offset=100&sort=id&with=event,tlp
URI Parameters
event_id
integer (required) Example: 1

Event ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: event,tlp

A comma-separated list of related objects to include in the response. Options for this endpoint: event, tlp.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 1,
      "event_id": 1,
      "source_id": 6,
      "creator_source_id": 6,
      "tlp_id": null,
      "created_at": "2017-01-29 22:59:11",
      "updated_at": "2017-03-20 13:30:53",
      "published_at": null
    },
    {
      "id": 2,
      "event_id": 1,
      "source_id": 7,
      "creator_source_id": 7,
      "tlp_id": null,
      "created_at": "2016-12-26 17:11:35",
      "updated_at": "2017-03-20 13:30:53",
      "published_at": null
    }
  ]
}
Response  401

Access denied.

Create New
POST /events/{event_id}/sources

Create a new Event Source.

Example URI

POST /events/1/sources
URI Parameters
event_id
integer (required) Example: 1

Event ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Test Source",
  "tlp": {
    "name": "RED"
  }
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 1176,
      "event_id": 1,
      "source_id": 11,
      "creator_source_id": 5,
      "tlp_id": 1,
      "created_at": "2017-03-20 14:46:45",
      "updated_at": "2017-03-20 14:46:45",
      "published_at": null,
      "deleted_at": null,
      "existing": 0,
      "name": "Test Source"
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "name": [
          "The name field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.

Event Source

Get Single
GET /events/{event_id}/sources/{event_source_id}

Get a single Event Source.

Example URI

GET /events/1/sources/2
URI Parameters
event_id
integer (required) Example: 1

Event ID

event_source_id
integer (required) Example: 2

Event Source ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "event_id": 1,
    "source_id": 13,
    "creator_source_id": 8,
    "tlp_id": 4,
    "created_at": "2018-10-30 20:10:24",
    "updated_at": "2018-10-30 20:10:24",
    "published_at": null
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /events/{event_id}/sources/{event_source_id}

Update an Event Source.

Example URI

PUT /events/1/sources/2
URI Parameters
event_id
integer (required) Example: 1

Event ID

event_source_id
integer (required) Example: 2

Event Source ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "event_id": 1,
    "source_id": 13,
    "creator_source_id": 8,
    "tlp_id": 4,
    "created_at": "2018-10-30 20:10:24",
    "updated_at": "2018-10-30 20:10:24",
    "published_at": null
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /events/{event_id}/sources/{event_source_id}

Delete an Event Source.

Example URI

DELETE /events/1/sources/2
URI Parameters
event_id
integer (required) Example: 1

Event ID

event_source_id
integer (required) Example: 2

Event Source ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Tag List

Get List
GET /events/{event_id}/tags{?limit,offset,sort,with}

Get a list of Event Tags.

Example URI

GET /events/1/tags?limit=500&offset=100&sort=id&with=events
URI Parameters
event_id
integer (required) Example: 1

Event ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: events

A comma-separated list of related objects to include in the response. Options for this endpoint: events.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 1,
      "name": "New Tag Name",
      "pivot": {
        "object_id": 1,
        "tag_id": 1,
        "created_at": "2017-03-02 21:22:02",
        "updated_at": "2017-03-02 21:22:02"
      }
    },
    {
      "id": 2,
      "name": "Another New Tag Name",
      "pivot": {
        "object_id": 1,
        "tag_id": 2,
        "created_at": "2017-03-02 21:24:30",
        "updated_at": "2017-03-02 21:24:30"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /events/{event_id}/tags

Create a new Event Tag.

Example URI

POST /events/1/tags
URI Parameters
event_id
integer (required) Example: 1

Event ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Tag Name"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 2,
      "name": "Tag Name",
      "pivot": {
        "object_id": 1,
        "tag_id": 2,
        "created_at": "2017-03-02 21:24:30",
        "updated_at": "2017-03-02 21:24:30"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "errors": {
      "name": [
        "The name field is required."
      ]
    }
  }
}
Response  401

Access denied.

Event Tag

Get Single
GET /events/{event_id}/tags/{tag_id}{?with}

Get a single Event Tag.

Example URI

GET /events/1/tags/2?with=events
URI Parameters
event_id
integer (required) Example: 1

Event ID

tag_id
integer (required) Example: 2

Tag ID

with
string (optional) Example: events

A comma-separated list of related objects to include in the response. Options for this endpoint: events.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "name": "Tag Name",
    "pivot": {
      "object_id": 1,
      "tag_id": 1,
      "created_at": "2017-03-02 21:22:02",
      "updated_at": "2017-03-02 21:22:02"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /events/{event_id}/tags/{tag_id}

Delete an Event Tag.

Example URI

DELETE /events/1/tags/2
URI Parameters
event_id
integer (required) Example: 1

Event ID

tag_id
integer (required) Example: 2

Tag ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Event Watchlists

Get Single
GET /events/{event_id}/watchlist

Get an Event in a user’s Watchlist.

Example URI

GET /events/1/watchlist
URI Parameters
event_id
integer (required) Example: 1

Event ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 1,
  "data": [
    {
      "id": 1,
      "user_id": 1,
      "object_type": "event",
      "object_id": 229,
      "created_at": "2017-03-20 14:01:10",
      "updated_at": "2017-03-20 14:01:10",
      "event": {
        "id": 229,
        "type_id": 2,
        "title": "Origin - http://prohaska.com/dolore-debitis-nihil-molestiae-cupiditate-sint-amet",
        "description": "",
        "happened_at": "2017-03-14 16:46:21",
        "hash": "6f42c58a46c0956ad89b6d323aa7858c",
        "created_at": "2017-03-14 16:46:21",
        "updated_at": "2017-03-14 16:46:21",
        "touched_at": "2017-03-20 13:30:53"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /events/{event_id}/watchlist

Add an Event to the user’s Watchlist.

Example URI

POST /events/1/watchlist
URI Parameters
event_id
integer (required) Example: 1

Event ID

Request
Headers
Authorization: Bearer <access_token>
Body
No Request Body.
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "object_type": "event",
    "user_id": 1,
    "object_id": "1",
    "updated_at": "2017-03-20 14:03:16",
    "created_at": "2017-03-20 14:03:16",
    "id": 4
  }
}
Response  401

Access denied.

Event Watchlist

Event Watchlist
DELETE /events/{event_id}/watchlist/{watchlist_id}

Remove an Event from the user’s Watchlist.

Example URI

DELETE /events/1/watchlist/2
URI Parameters
event_id
integer (required) Example: 1

Event ID

watchlist_id
integer (required) Example: 2

Watchlist ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Exporters

Exporter List

Get List
GET /exporters{?limit,offset,sort,with}

Get a list of Exporters.

Example URI

GET /exporters?limit=500&offset=100&sort=id&with=dataType,deliveryType
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: dataType,deliveryType

A comma-separated list of related objects to include in the response. Options for this endpoint: dataType, deliveryType, config.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 24,
  "data": [
    {
      "id": 1,
      "name": "ArcSight",
      "description": "ArcSight Description",
      "delivery_type_id": 1,
      "export_data_type_id": 8,
      "export_definition": "{assign \"encodeCEF_find\" array('\\\\','|','=','\\\\r','\\\\n')}\n{assign \"encodeCEF_replace\" array('\\\\\\\\','\\\\|','\\\\=','\\\\\\\\r','\\\\\\\\n')}\n{foreach $data as $indicator}\n{if $indicator.deleted eq 'Y'}\nCEF:0|ThreatQuotient|ThreatQ|1.0|20|ThreatQ {$indicator.type} Indicator Remove|1|cs1Label=Status cs1=Disabled dst={$indicator.value|replace:$encodeCEF_find:$encodeCEF_replace} msg=ThreatQ Indicator - {$indicator.value|replace:$encodeCEF_find:$encodeCEF_replace} cn1Label=ThreatQ ID cn1={$indicator.id}\n\n{else}\nCEF:0|ThreatQuotient|ThreatQ|1.0|19|ThreatQ {$indicator.type} Indicator Add|1|cs1Label=Status cs1={$indicator.status} dst={$indicator.value|replace:$encodeCEF_find:$encodeCEF_replace} msg={$indicator.value|replace:$encodeCEF_find:$encodeCEF_replace} cn1Label=ThreatQ ID cn1={$indicator.id} deviceCustomDate1Label=Export Time deviceCustomDate1={$smarty.now|date_format:'%Y-%m-%d %H:%M:%S'} cs2Label=ThreatQ URL cs2=https://{$http_host}/indicators/{$indicator.id}/details cs3Label=Source Document cs3={foreach $indicator.Sources item=source name=Sources}{$source.value}{if $smarty.foreach.Sources.last == false},{/if}{/foreach}\n\n{/if}\n{/foreach}",
      "parameters": "indicator.status=Active&indicator.type=Email Address&indicator.type=Email Attachment&indicator.type=Email Subject&indicator.type=FQDN&indicator.type=IP Address&indicator.type=String&indicator.type=User-agent&indicator.type=URL&indicator.type=URL Path&indicator.type=X-Mailer&indicator.class=network",
      "url": "arcsight",
      "user_editable": "N",
      "enabled": "Y",
      "created_at": "2017-04-05 19:59:08",
      "updated_at": "2017-04-05 19:59:08"
    },
    {
      "id": 2,
      "name": "ArcSight Email Address",
      "description": "ArcSight Email Address Description\nEmail Address delete is Type 6",
      "delivery_type_id": 1,
      "export_data_type_id": 8,
      "export_definition": "{assign \"encodeCEF_find\" array('\\\\','|','=','\\\\r','\\\\n')}\n{assign \"encodeCEF_replace\" array('\\\\\\\\','\\\\|','\\\\=','\\\\\\\\r','\\\\\\\\n')}\n{foreach $data as $indicator}\n{if $indicator.deleted eq 'Y'}\nCEF:0|ThreatQuotient|ThreatQ|1.0|6|ThreatQ {$indicator.type} Indicator Remove|1|cs1Label=Status cs1=Disabled dst={$indicator.value|replace:$encodeCEF_find:$encodeCEF_replace} msg=ThreatQ Indicator - {$indicator.value|replace:$encodeCEF_find:$encodeCEF_replace} cn1Label=ThreatQ ID cn1={$indicator.id}\n\n{else}\nCEF:0|ThreatQuotient|ThreatQ|1.0|5|ThreatQ {$indicator.type} Indicator Add|1|cs1Label=Status cs1={$indicator.status} dst={$indicator.value|replace:$encodeCEF_find:$encodeCEF_replace} msg={$indicator.value|replace:$encodeCEF_find:$encodeCEF_replace} cn1Label=ThreatQ ID cn1={$indicator.id} deviceCustomDate1Label=Export Time deviceCustomDate1={$smarty.now|date_format:'%Y-%m-%d %H:%M:%S'} cs2Label=ThreatQ URL cs2=https://{$http_host}/indicators/{$indicator.id}/details cs3Label=Source Document cs3={foreach $indicator.Sources item=source name=Sources}{$source.value}{if $smarty.foreach.Sources.last == false},{/if}{/foreach}\n\n{/if}\n{/foreach}",
      "parameters": "indicator.status=Active&indicator.type=Email Address&indicator.class=network",
      "url": "arcsightemail",
      "user_editable": "N",
      "enabled": "Y",
      "created_at": "2017-04-05 19:59:08",
      "updated_at": "2017-04-05 19:59:08"
    }
  ]
}
Response  401

Access denied.

Create New
POST /exporters

Create a new Exporter.

Example URI

POST /exporters
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Exporter Name",
  "description": "Exporter Description",
  "delivery_type_id": "1",
  "export_data_type_id": "1",
  "export_definition": "{foreach $data as $indicator} {$indicator.value},{$indicator.type},{$indicator.status}{/foreach}",
  "user_editable": "Y",
  "enabled": "Y"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "name": "Exporter Name",
    "description": "Exporter Description",
    "delivery_type_id": "1",
    "export_data_type_id": "1",
    "export_definition": "{foreach $data as $indicator} {$indicator.value},{$indicator.type},{$indicator.status}{/foreach}",
    "user_editable": "Y",
    "enabled": "Y",
    "url": "2e990a2ba845e306d44b83b8d7955857",
    "updated_at": "2017-04-07 17:41:02",
    "created_at": "2017-04-07 17:41:02",
    "id": 26
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "errors": {
      "name": [
        "The name field is required."
      ],
      "delivery_type_id": [
        "The delivery type id field is required."
      ],
      "export_data_type_id": [
        "The export data type id field is required."
      ],
      "export_definition": [
        "The export definition field is required."
      ]
    }
  }
}
Response  401

Access denied.

Exporter Config Short List

Get List
GET /exporters/config{?limit,offset,sort,with}

Get a list of Exporter Configurations.

Example URI

GET /exporters/config?limit=500&offset=100&sort=id&with=exporter
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: exporter

A comma-separated list of related objects to include in the response. Options for this endpoint: exporter.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 53,
  "data": [
    {
      "id": 1,
      "exporter_id": 1,
      "name": "ContentType",
      "value": "text/plain",
      "created_at": "2017-04-05 19:59:08",
      "updated_at": "2017-04-05 19:59:08"
    },
    {
      "id": 2,
      "exporter_id": 1,
      "name": "Token",
      "value": "gkqGDs2K3hKHyRp4nRi6ily5fqdGWiG7",
      "created_at": "2017-04-05 19:59:08",
      "updated_at": "2017-04-05 19:59:08"
    },
    {
      "id": 3,
      "exporter_id": 2,
      "name": "ContentType",
      "value": "text/plain",
      "created_at": "2017-04-05 19:59:08",
      "updated_at": "2017-04-05 19:59:08"
    }
  ]
}
Response  401

Access denied.
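
An added example, not part of the ThreatQ reference: walking the /exporters/config collection with limit and offset, and masking Token values before the records are logged or stored. It assumes offset is zero-based and that total counts the whole collection; make_fake_fetch, SAMPLE_CONFIGS and the function names are constructed for this example so it runs offline.

```python
import json
import urllib.parse
import urllib.request

# Config names whose values are credentials. "Token" is the name the sample
# responses show; matching it case-insensitively is an assumption of this example.
SECRET_NAMES = {"token"}


def make_http_fetch(base_url, access_token):
    """Build fetch(path, params) for a real instance, e.g. https://hostname/api/."""
    def fetch(path, params):
        url = "{}/{}?{}".format(base_url.rstrip("/"), path.lstrip("/"),
                                urllib.parse.urlencode(params))
        request = urllib.request.Request(
            url, headers={"Authorization": "Bearer " + access_token})
        with urllib.request.urlopen(request, timeout=30) as response:
            return json.load(response)
    return fetch


def iter_collection(fetch, path, limit=500, **params):
    """Yield every record of a collection endpoint, one page at a time."""
    offset = 0
    while True:
        page = fetch(path, dict(params, limit=limit, offset=offset))
        records = page.get("data")
        if not isinstance(records, list):
            raise ValueError("expected a collection (data array) from " + path)
        yield from records
        offset += len(records)
        total = page.get("total")
        # Stop on a short or empty page, or once 'total' records were seen.
        if len(records) < limit or (total is not None and offset >= total):
            return


def is_secret(record):
    """True when the config entry's name marks its value as a credential."""
    return str(record.get("name", "")).lower() in SECRET_NAMES


def redact(record):
    """Return a copy of the record that is safe to log."""
    if is_secret(record):
        return dict(record, value="<redacted>")
    return dict(record)


def audit_exporter_configs(fetch, limit=500):
    """Return (log-safe records, sorted ids of exporters that carry a token)."""
    safe, token_exporters = [], set()
    for record in iter_collection(fetch, "exporters/config",
                                  limit=limit, sort="id"):
        if is_secret(record):
            token_exporters.add(record["exporter_id"])
        safe.append(redact(record))
    return safe, sorted(token_exporters)


# Constructed sample data in the shape of the 200 response above.
SAMPLE_CONFIGS = [
    {"id": 1, "exporter_id": 1, "name": "ContentType", "value": "text/plain"},
    {"id": 2, "exporter_id": 1, "name": "Token", "value": "EXAMPLE-TOKEN-NOT-REAL"},
    {"id": 3, "exporter_id": 2, "name": "ContentType", "value": "text/plain"},
]


def make_fake_fetch(records):
    """Offline stand-in for the API: serves slices of 'records', logs offsets."""
    offsets = []

    def fetch(path, params):
        offsets.append(params["offset"])
        start = params["offset"]
        return {"total": len(records),
                "data": records[start:start + params["limit"]]}
    return fetch, offsets


if __name__ == "__main__":
    fetch, _ = make_fake_fetch(SAMPLE_CONFIGS)
    safe_records, exporters_with_token = audit_exporter_configs(fetch, limit=2)
    for entry in safe_records:
        print(entry)
    print("exporters with a token configured:", exporters_with_token)
```

For a live instance, pass make_http_fetch("https://hostname/api/", access_token) to audit_exporter_configs in place of the fake fetch.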

Create New
POST /exporters/config

Create a new Exporter Configuration.

Example URI

POST /exporters/config
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Config Name",
  "value": "Config Value",
  "exporter_id": "5"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "exporter_id": "1",
    "name": "Config Name",
    "value": "Config Value",
    "updated_at": "2017-04-10 14:52:28",
    "created_at": "2017-04-10 14:52:28",
    "id": 53
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "errors": {
      "exporter_id": [
        "The exporter id field is required."
      ],
      "name": [
        "The name field is required."
      ],
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Exporter Config Content Types

Exporter Config Content Types
GET /exporters/config/contenttypes

Get a list of Exporter Configuration Content Types.

Example URI

GET /exporters/config/contenttypes
Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 3,
  "data": [
    {
      "name": "ContentType",
      "value": "text/plain"
    },
    {
      "name": "ContentType",
      "value": "text/json"
    },
    {
      "name": "ContentType",
      "value": "text/csv"
    }
  ]
}
Response  401

Access denied.

Exporter Config Short

Get Single
GET /exporters/config/{exporter_config_id}{?with}

Get a single Exporter Configuration.

Example URI

GET /exporters/config/2?with=exporter
URI Parameters
exporter_config_id
integer (required) Example: 2

Exporter Config ID

with
string (optional) Example: exporter

A comma-separated list of related objects to include in the response. Options for this endpoint: exporter.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "exporter_id": 1,
    "name": "ContentType",
    "value": "text/plain",
    "created_at": "2017-04-05 19:59:08",
    "updated_at": "2017-04-05 19:59:08"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /exporters/config/{exporter_config_id}{?with}

Update an Exporter Configuration.

Example URI

PUT /exporters/config/2?with=exporter
URI Parameters
exporter_config_id
integer (required) Example: 2

Exporter Config ID

with
string (optional) Example: exporter

A comma-separated list of related objects to include in the response. Options for this endpoint: exporter.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Updated Config Name",
  "value": "Updated Config Value"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "exporter_id": "1",
    "name": "Updated Config Name",
    "value": "Updated Config Value",
    "updated_at": "2017-04-12 18:51:48",
    "created_at": "2017-04-10 14:52:28",
    "id": 53
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /exporters/config/{exporter_config_id}

Delete an Exporter Configuration.

Example URI

DELETE /exporters/config/2
URI Parameters
exporter_config_id
integer (required) Example: 2

Exporter Config ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Exporter Data Type Field List

Exporter Data Type Field List
GET /exporters/datatypefields{?limit,offset,sort,with}

Get a list of Exporter Data Type Fields.

Example URI

GET /exporters/datatypefields?limit=500&offset=100&sort=id&with=dataType
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: dataType

A comma-separated list of related objects to include in the response. Options for this endpoint: dataType.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 162,
  "data": [
    {
      "id": 1,
      "export_data_type_id": 1,
      "name": "Adversary Created",
      "description": "When the Adversary was created",
      "sql_definition": "ADV.created_at",
      "sql_column_alias": "created",
      "template_definition": "adversary.created",
      "created_at": "2017-04-05 19:59:07",
      "updated_at": "2017-04-05 19:59:07"
    },
    {
      "id": 2,
      "export_data_type_id": 1,
      "name": "Adversary Deleted",
      "description": "Has the Adversary been deleted?",
      "sql_definition": "IF(ADV.deleted_at IS NULL, 'N', 'Y')",
      "sql_column_alias": "deleted",
      "template_definition": "adversary.deleted",
      "created_at": "2017-04-05 19:59:07",
      "updated_at": "2017-04-05 19:59:07"
    }
  ]
}
Response  401

Access denied.

Exporter Data Type Field

Exporter Data Type Field
GET /exporters/datatypefields/{exporter_data_type_field_id}{?with}

Get a single Exporter Data Type Field.

Example URI

GET /exporters/datatypefields/1?with=dataType
URI Parameters
exporter_data_type_field_id
integer (required) Example: 1

Exporter Data Type Field ID

with
string (optional) Example: dataType

A comma-separated list of related objects to include in the response. Options for this endpoint: dataType.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "name": "Adversaries",
    "base_table_definition": "select [fields] from adversaries ADV left join (select substring_index(group_concat(ADVD.value_id order by ADVD.created_at desc), ',', 1) as value_id, ADVD.adversary_id, max(ADVD.created_at) from adversary_descriptions ADVD group by ADVD.adversary_id) ADVD on ADV.id = ADVD.adversary_id left join adversary_description_values ADVDV on ADVD.value_id = ADVDV.id where 1 = 1 [where] group by ADV.id",
    "differential_field": "ADV.updated_at",
    "created_at": "2017-04-05 19:59:07",
    "updated_at": "2017-04-05 19:59:07"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Exporter Data Type List

Exporter Data Type List
GET /exporters/datatypes{?limit,offset,sort,with}

Get a list of Exporter Data Types.

Example URI

GET /exporters/datatypes?limit=500&offset=100&sort=id&with=dataTypeFields,exporters
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: dataTypeFields,exporters

A comma-separated list of related objects to include in the response. Options for this endpoint: dataTypeFields, exporters.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 13,
  "data": [
    {
      "id": 1,
      "name": "Adversaries",
      "base_table_definition": "select [fields] from adversaries ADV left join (select substring_index(group_concat(ADVD.value_id order by ADVD.created_at desc), ',', 1) as value_id, ADVD.adversary_id, max(ADVD.created_at) from adversary_descriptions ADVD group by ADVD.adversary_id) ADVD on ADV.id = ADVD.adversary_id left join adversary_description_values ADVDV on ADVD.value_id = ADVDV.id where 1 = 1 [where] group by ADV.id",
      "differential_field": "ADV.updated_at",
      "created_at": "2017-04-05 19:59:07",
      "updated_at": "2017-04-05 19:59:07"
    },
    {
      "id": 2,
      "name": "AdversariesWithRelated",
      "base_table_definition": "select [fields] from adversaries ADV left join (select substring_index(group_concat(ADVD.value_id order by ADVD.created_at desc), ',', 1) as value_id, ADVD.adversary_id, max(ADVD.created_at) from adversary_descriptions ADVD group by ADVD.adversary_id) ADVD on ADV.id = ADVD.adversary_id left join adversary_description_values ADVDV on ADVD.value_id = ADVDV.id left join adversary_sources ADVSO on ADV.id = ADVSO.adversary_id and ADVSO.deleted_at is null left join sources S on ADVSO.source_id = S.id left join adversary_attributes ADVA on ADV.id = ADVA.adversary_id and ADVA.deleted_at is null left join attributes A ON ADVA.attribute_id = A.id left join object_links OL on ((OL.src_type = 'indicator' and OL.dest_type = 'adversary' and ADV.id = OL.dest_object_id) or  (OL.dest_type in('adversary', 'event', 'attachment') and OL.src_type = 'adversary' and ADV.id = OL.src_object_id)) and OL.deleted_at is null and OL.dest_deleted <> 'Y' and \tOL.src_deleted <> 'Y' left join indicators I on OL.src_object_id = I.id and OL.src_type = 'indicator' left join adversaries ADVOL on OL.dest_object_id = ADVOL.id and OL.src_type = 'adversary' and OL.dest_type = 'adversary' left join events E on OL.dest_object_id = E.id and OL.dest_type = 'event' left join attachments ATT on OL.dest_object_id = ATT.id and OL.dest_type = 'attachment' where 1 = 1 [where] group by ADV.id",
      "differential_field": "ADV.updated_at",
      "created_at": "2017-04-05 19:59:07",
      "updated_at": "2017-04-05 19:59:07"
    }
  ]
}
Response  401

Access denied.

Exporter Data Type

Exporter Data Type
GET /exporters/datatypes/{exporter_data_type_id}{?with}

Get a single Exporter Data Type.

Example URI

GET /exporters/datatypes/1?with=dataTypeFields,exporters
URI Parameters
exporter_data_type_id
integer (required) Example: 1

Exporter Data Type ID

with
string (optional) Example: dataTypeFields,exporters

A comma-separated list of related objects to include in the response. Options for this endpoint: dataTypeFields, exporters.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "name": "Adversaries",
    "base_table_definition": "select [fields] from adversaries ADV left join (select substring_index(group_concat(ADVD.value_id order by ADVD.created_at desc), ',', 1) as value_id, ADVD.adversary_id, max(ADVD.created_at) from adversary_descriptions ADVD group by ADVD.adversary_id) ADVD on ADV.id = ADVD.adversary_id left join adversary_description_values ADVDV on ADVD.value_id = ADVDV.id where 1 = 1 [where] group by ADV.id",
    "differential_field": "ADV.updated_at",
    "created_at": "2017-04-05 19:59:07",
    "updated_at": "2017-04-05 19:59:07"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Exporter Delivery Type List

Exporter Delivery Type List
GET /exporters/deliverytypes{?limit,offset,sort,with}

Get a list of Exporter Delivery Types.

Example URI

GET /exporters/deliverytypes?limit=500&offset=100&sort=id&with=configOptions,exporters
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: configOptions,exporters

A comma-separated list of related objects to include in the response. Options for this endpoint: configOptions, exporters.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 1,
  "data": [
    {
      "id": 1,
      "name": "HTTP Pull",
      "direction": "F",
      "created_at": "2017-04-05 19:59:08",
      "updated_at": "2017-04-05 19:59:08"
    }
  ]
}
Response  401

Access denied.

Exporter Delivery Type Config Option

Exporter Delivery Type Config Option
GET /exporters/deliverytypes/configoptions/{export_delivery_type_config_option_id}{?with}

Get a single Exporter Delivery Type Config Option.

Example URI

GET /exporters/deliverytypes/configoptions/1?with=deliveryType
URI Parameters
export_delivery_type_config_option_id
integer (required) Example: 1

Exporter Delivery Type Config Option ID

with
string (optional) Example: deliveryType

A comma-separated list of related objects to include in the response. Options for this endpoint: deliveryType.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "export_delivery_type_id": 1,
    "name": "ContentType",
    "type": "string:255",
    "created_at": "2017-04-05 19:59:08",
    "updated_at": "2017-04-05 19:59:08"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Exporter Delivery Type

Exporter Delivery Type
GET /exporters/deliverytypes/{exporter_delivery_type_id}{?with}

Get a single Exporter Delivery Type.

Example URI

GET /exporters/deliverytypes/1?with=configOptions,exporters
URI Parameters
exporter_delivery_type_id
integer (required) Example: 1

Exporter Delivery Type ID

with
string (optional) Example: configOptions,exporters

A comma-separated list of related objects to include in the response. Options for this endpoint: configOptions, exporters.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "name": "HTTP Pull",
    "direction": "F",
    "created_at": "2017-04-05 19:59:08",
    "updated_at": "2017-04-05 19:59:08"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Exporter Delivery Type Config Option List

Exporter Delivery Type Config Option List
GET /exporters/deliverytypes/{exporter_delivery_type_id}/configoptions{?limit,offset,sort,with}

Get a list of Exporter Delivery Type Config Options for an Exporter Delivery Type ID.

Example URI

GET /exporters/deliverytypes/1/configoptions?limit=500&offset=100&sort=id&with=deliveryType
URI Parameters
exporter_delivery_type_id
integer (required) Example: 1

Exporter Delivery Type ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: deliveryType

A comma-separated list of related objects to include in the response. Options for this endpoint: deliveryType.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 1,
      "export_delivery_type_id": 1,
      "name": "ContentType",
      "type": "string:255",
      "created_at": "2017-04-05 19:59:08",
      "updated_at": "2017-04-05 19:59:08"
    },
    {
      "id": 2,
      "export_delivery_type_id": 1,
      "name": "token",
      "type": "token",
      "created_at": "2017-04-05 19:59:08",
      "updated_at": "2017-04-05 19:59:08"
    }
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Exporter Duplicate

Exporter Duplicate
GET /exporters/{exporter_id}/duplicate

Make a duplicate copy of an Export.

Example URI

GET /exporters/1/duplicate
URI Parameters
exporter_id
integer (required) Example: 1

Exporter ID

Request
Headers
Authorization: Bearer <access_token>
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "name": "Exporter Name Copy",
    "description": "Exporter Description",
    "delivery_type_id": 1,
    "export_data_type_id": 1,
    "export_definition": "{foreach $data as $indicator} {$indicator.value},{$indicator.type},{$indicator.status}{/foreach}",
    "parameters": "indicator.status=Active",
    "url": "df9715202db414fe2c3fd7cf8371f96e",
    "user_editable": "Y",
    "enabled": "N",
    "updated_at": "2017-04-07 18:49:41",
    "created_at": "2017-04-07 18:49:41",
    "id": 28,
    "config": []
  }
}
Response  401

Access denied.

Exporter

Get Single
GET /exporters/{exporter_id}{?with}

Get a single Exporter.

Example URI

GET /exporters/1?with=dataType,deliveryType
URI Parameters
exporter_id
integer (required) Example: 1

Exporter ID

with
string (optional) Example: dataType,deliveryType

A comma-separated list of related objects to include in the response. Options for this endpoint: dataType, deliveryType, config.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 26,
    "name": "Exporter Name",
    "description": "Exporter Description",
    "delivery_type_id": 1,
    "export_data_type_id": 1,
    "export_definition": "{foreach $data as $indicator} {$indicator.value},{$indicator.type},{$indicator.status}{/foreach}",
    "parameters": null,
    "url": "2e990a2ba845e306d44b83b8d7955857",
    "user_editable": "Y",
    "enabled": "Y",
    "created_at": "2017-04-07 17:41:02",
    "updated_at": "2017-04-07 17:41:02"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /exporters/{exporter_id}{?with}

Update an Exporter.

Example URI

PUT /exporters/1?with=dataType,deliveryType
URI Parameters
exporter_id
integer (required) Example: 1

Exporter ID

with
string (optional) Example: dataType,deliveryType

A comma-separated list of related objects to include in the response. Options for this endpoint: dataType, deliveryType, config.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Updated Exporter Name",
  "description": "Updated Exporter Description",
  "export_data_type_id": "1",
  "export_definition": "{foreach $data as $indicator} {$indicator.value},{$indicator.type},{$indicator.status}{/foreach}",
  "enabled": "Y",
  "parameters": "indicator.status=Active"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 26,
    "name": "Updated Exporter Name",
    "description": "Updated Exporter Description",
    "delivery_type_id": 1,
    "export_data_type_id": "2",
    "export_definition": "{foreach $data as $indicator} {$indicator.value},{$indicator.type},{$indicator.status}{/foreach}",
    "parameters": "indicator.status=Active",
    "url": "2e990a2ba845e306d44b83b8d7955857",
    "user_editable": "Y",
    "enabled": "Y",
    "created_at": "2017-04-07 17:41:02",
    "updated_at": "2017-04-07 18:20:06"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /exporters/{exporter_id}

Delete an Exporter.

Example URI

DELETE /exporters/1
URI Parameters
exporter_id
integer (required) Example: 1

Exporter ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Exporter Config List

Get List
GET /exporters/{exporter_id}/config{?limit,offset,sort,with}

Get a list of Exporter Configurations.

Example URI

GET /exporters/1/config?limit=500&offset=100&sort=id&with=exporter
URI Parameters
exporter_id
integer (required) Example: 1

Exporter ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: exporter

A comma-separated list of related objects to include in the response. Options for this endpoint: exporter.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 1,
      "exporter_id": 1,
      "name": "ContentType",
      "value": "text/plain",
      "created_at": "2017-04-05 19:59:08",
      "updated_at": "2017-04-05 19:59:08"
    },
    {
      "id": 2,
      "exporter_id": 1,
      "name": "Token",
      "value": "gkqGDs2K3hKHyRp4nRi6ily5fqdGWiG7",
      "created_at": "2017-04-05 19:59:08",
      "updated_at": "2017-04-05 19:59:08"
    }
  ]
}
Response  401

Access denied.

Create New
POST /exporters/{exporter_id}/config

Create a new Exporter Configuration.

Example URI

POST /exporters/1/config
URI Parameters
exporter_id
integer (required) Example: 1

Exporter ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Config Name",
  "value": "Config Value"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "exporter_id": "1",
    "name": "Config Name",
    "value": "Config Value",
    "updated_at": "2017-04-10 14:52:28",
    "created_at": "2017-04-10 14:52:28",
    "id": 53
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "exporter_id": "1",
    "errors": {
      "name": [
        "The name field is required."
      ],
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Exporter Config

Get Single
GET /exporters/{exporter_id}/config/{exporter_config_id}{?with}

Get a single Exporter Configuration.

Example URI

GET /exporters/1/config/2?with=exporter
URI Parameters
exporter_id
integer (required) Example: 1

Exporter ID

exporter_config_id
integer (required) Example: 2

Exporter Config ID

with
string (optional) Example: exporter

A comma-separated list of related objects to include in the response. Options for this endpoint: exporter.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "exporter_id": 1,
    "name": "ContentType",
    "value": "text/plain",
    "created_at": "2017-04-05 19:59:08",
    "updated_at": "2017-04-05 19:59:08"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /exporters/{exporter_id}/config/{exporter_config_id}{?with}

Update an Exporter Configuration.

Example URI

PUT /exporters/1/config/2?with=exporter
URI Parameters
exporter_id
integer (required) Example: 1

Exporter ID

exporter_config_id
integer (required) Example: 2

Exporter Config ID

with
string (optional) Example: exporter

A comma-separated list of related objects to include in the response. Options for this endpoint: exporter.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Updated Config Name",
  "value": "Updated Config Value"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "exporter_id": "1",
    "name": "Updated Config Name",
    "value": "Updated Config Value",
    "updated_at": "2017-04-12 18:51:48",
    "created_at": "2017-04-10 14:52:28",
    "id": 53
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /exporters/{exporter_id}/config/{exporter_config_id}

Delete an Exporter Configuration.

Example URI

DELETE /exporters/1/config/2
URI Parameters
exporter_id
integer (required) Example: 1

Exporter ID

exporter_config_id
integer (required) Example: 2

Exporter Config ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Exports

Generate Export

Export GET
GET /export/{name}{?token,limit}

Generate an Export via GET request.

Example URI

GET /export/fqdn?token=WFiD3vMUhrn78GDMX8ld1RBHH9rJpLSt&limit=500
URI Parameters
name
string (required) Example: fqdn

Export name.

token
string (required) Example: WFiD3vMUhrn78GDMX8ld1RBHH9rJpLSt

Export configuration token.

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
fecko.es
telemetry.soundcloud.com
logentries.com
assetdrafting.com.au
teksoft.pro
warrendotwarren.url.ph
goldenlifewomen.com
foothillsofhemet.com
advstrk.com
yx9k5.bazaltbeton.net
Response  401

Access denied.

Response  404

Object not found.

Export POST
POST /export/{name}{?token,limit}

Generate an Export via POST request.

Example URI

POST /export/fqdn?token=WFiD3vMUhrn78GDMX8ld1RBHH9rJpLSt&limit=500
URI Parameters
name
string (required) Example: fqdn

Export name.

token
string (required) Example: WFiD3vMUhrn78GDMX8ld1RBHH9rJpLSt

Export configuration token.

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "token": "WFiD3vMUhrn78GDMX8ld1RBHH9rJpLSt",
  "limit": "10"
}
Response  200

Object(s) retrieved successfully.

Body
fecko.es
telemetry.soundcloud.com
logentries.com
assetdrafting.com.au
teksoft.pro
warrendotwarren.url.ph
goldenlifewomen.com
foothillsofhemet.com
advstrk.com
yx9k5.bazaltbeton.net
Response  401

Access denied.

Response  404

Object not found.

Files

File Content Type List

Get List
GET /files/content-types{?limit,offset,sort}

Get a list of File Content Types.

Example URI

GET /files/content-types?limit=500&offset=100&sort=id
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 1,
      "name": "application/pdf",
      "is_parsable": 1,
      "created_at": "2017-04-05 19:59:21",
      "updated_at": "2017-04-05 19:59:21"
    },
    {
      "id": 2,
      "name": "application/json",
      "is_parsable": 1,
      "created_at": "2017-04-11 14:56:33",
      "updated_at": "2017-04-11 14:56:33"
    }
  ]
}
Response  401

Access denied.

Create New
POST /files/content-types

Create a new File Content Type.

Example URI

POST /files/content-types
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "application/json",
  "is_parsable": "1"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "is_parsable": "1",
    "name": "application/json",
    "updated_at": "2017-04-11 14:56:33",
    "created_at": "2017-04-11 14:56:33",
    "id": 2
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "is_parsable": 0,
    "errors": {
      "name": [
        "The name field is required."
      ]
    }
  }
}
Response  401

Access denied.

File Content Type

Update
PUT /files/content-types/{content_type_id}

Update a File Content Type.

Example URI

PUT /files/content-types/1
URI Parameters
content_type_id
integer (required) Example: 1

Content Type ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "is_parsable": 0
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 2,
    "name": "application/json",
    "is_parsable": 0,
    "created_at": "2017-04-11 14:56:33",
    "updated_at": "2017-04-11 15:06:05"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /files/content-types/{content_type_id}

Delete a File Content Type.

Example URI

DELETE /files/content-types/1
URI Parameters
content_type_id
integer (required) Example: 1

Content Type ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Gate

Client List

Get List
GET /gate/clients{?limit,offset,sort,with}

Get a list of Clients.

Example URI

GET /gate/clients?limit=500&offset=100&sort=id&with=groups,connector
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: groups,connector

A comma-separated list of related objects to include in the response. Options for this endpoint: groups, connector.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 2,
      "name": "Client 1",
      "description": null,
      "type": "public",
      "client_id": "y2i1yzewmzi2ndqxyjqznmnhyjy5zwri",
      "client_secret": "ZGRlYWViYzdlMzE5MzY2ZmIyNDA5MTc5OWZjM2I0OGIwYmI5NmI2NDczYWZjYzg3",
      "redirect_uri": null,
      "created_at": "2017-04-12 13:23:28",
      "updated_at": "2017-04-12 13:23:28"
    },
    {
      "id": 4,
      "name": "Client 2",
      "description": null,
      "type": "public",
      "client_id": "ndzmnjqzotrmy2ywotewndfjzmi5mwnk",
      "client_secret": "Y2I1NzRlNDg2ZWNlOTQ3ZjMwMzc3MjM5ZmQ3OWIxOTdiZWZiNmE3NDcwMWJkY2Ix",
      "redirect_uri": null,
      "created_at": "2017-04-12 13:23:28",
      "updated_at": "2017-04-12 13:23:28"
    }
  ]
}
Response  401

Access denied.

Create New
POST /gate/clients

Create a new Client.

Example URI

POST /gate/clients
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "New Client",
  "description": "New Client Description",
  "type": "public",
  "redirect_uri": "",
  "group_id": "3"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "name": "New Client",
    "description": "New Client Description",
    "type": "public",
    "redirect_uri": "",
    "client_id": "nmmxyjdlzdg1ntgwzdewodcynjizm2nh",
    "client_secret": "NGIxY2M3NzI1N2E3ZmQ1ZDJhYTMyZDA2OTI1NTk5NjQ3ZDIxNWY4ZTFjZjc1N2Yz",
    "updated_at": "2017-04-12 13:54:12",
    "created_at": "2017-04-12 13:54:12",
    "id": 5
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "errors": {
      "name": [
        "The name field is required."
      ],
      "type": [
        "The type field is required."
      ]
    }
  }
}
Response  401

Access denied.

Client Regenerate

Client Regenerate
PUT /gate/clients/{client_id}/regenerate

Regenerate a Client’s id and secret.

Example URI

PUT /gate/clients/1/regenerate
URI Parameters
client_id
integer (required) Example: 1

Client ID

Request
Headers
Authorization: Bearer <access_token>
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 5,
    "name": "Updated Client",
    "description": "Updated Client Description",
    "type": "public",
    "client_id": "mdm5ndm2nzdmndgyzgy1nge4owqzzjlh",
    "client_secret": "ZDNiOWRlNTU2MWVlODNmZjVkYzRmYjFhZGUzM2JjMjQ1MzNlM2JmMWI5ZTE3ODJj",
    "redirect_uri": "",
    "created_at": "2017-04-12 14:54:18",
    "updated_at": "2017-04-12 15:30:53"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Client

Get Single
GET /gate/clients/{client_id}{?with}

Get a single Client.

Example URI

GET /gate/clients/1?with=groups,connector
URI Parameters
client_id
integer (required) Example: 1

Client ID

with
string (optional) Example: groups,connector

A comma-separated list of related objects to include in the response. Options for this endpoint: groups, connector.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 5,
    "name": "New Client",
    "description": "New Client Description",
    "type": "public",
    "client_id": "mjq3yjlhnmu3njk4ntawzgiyntbiytfl",
    "client_secret": "MGNhZjQ3NjQzNmVlNTE5MjcwNmMwMmZiYzY2YTRkOGVmNjQ5Zjc0NTg2NDc3YmQy",
    "redirect_uri": "",
    "created_at": "2017-04-12 14:54:18",
    "updated_at": "2017-04-12 14:54:18"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /gate/clients/{client_id}{?with}

Update a Client.

Example URI

PUT /gate/clients/1?with=groups,connector
URI Parameters
client_id
integer (required) Example: 1

Client ID

with
string (optional) Example: groups,connector

A comma-separated list of related objects to include in the response. Options for this endpoint: groups, connector.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Updated Client",
  "description": "Updated Client Description",
  "type": "public",
  "redirect_uri": "",
  "group_id": "4"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 5,
    "name": "Updated Client",
    "description": "Updated Client Description",
    "type": "public",
    "client_id": "mjq3yjlhnmu3njk4ntawzgiyntbiytfl",
    "client_secret": "MGNhZjQ3NjQzNmVlNTE5MjcwNmMwMmZiYzY2YTRkOGVmNjQ5Zjc0NTg2NDc3YmQy",
    "redirect_uri": "",
    "created_at": "2017-04-12 14:54:18",
    "updated_at": "2017-04-12 15:03:00"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /gate/clients/{client_id}

Delete a Client.

Example URI

DELETE /gate/clients/1
URI Parameters
client_id
integer (required) Example: 1

Client ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Logout

Logout
GET /logout

Deactivate an API session.

Example URI

GET /logout
Request
Headers
Authorization: Bearer <access_token>
Response  401

Access denied.

Token

Token
POST /token

Generate an authorization access token.

Example URI

POST /token
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "email": "user@threatq.com",
  "password": "thisisapassword",
  "grant_type": "password",
  "client_id": "yjc0mmi1ymezn2fjmzvmy2i2otaxm2zm"
}
Response  200

Object(s) retrieved successfully.

Body
{
  "access_token": "ODFiNWUzM2RmZDU1",
  "token_type": "bearer",
  "expires_in": 3600,
  "refresh_token": "NzBiYjA0ODU0NjAy"
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "The `grant_type` parameter is required"
  ]
}

{
  "errors": [
    "User credentials are not valid."
  ]
}
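
The sample bodies above carry credentials in clear text: the exporter config entry named Token, each Gate client_secret, the access_token and refresh_token pair, and the token query parameter on export URIs. The following Python helper is an added example, not part of the ThreatQ reference or ThreatQuotient's code, that masks those values before a request or response is written to a log. The sample values are constructed, and the list of secret-bearing names is an assumption drawn from the field names shown on this page.

```python
"""Mask ThreatQ API credentials before a request or response is written to a log."""
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MASK = "REDACTED"
# JSON keys that hold credentials in this page's sample bodies.
SECRET_KEYS = {"client_secret", "access_token", "refresh_token", "password", "token"}
# Query parameters that hold credentials (export URIs carry ?token=...).
SECRET_QUERY_PARAMS = {"token"}
# Exporter config rows are name/value pairs; the secret is in "value" when
# "name" is one of these. "Token" is the only such name shown on this page.
SECRET_CONFIG_NAMES = {"token"}


def redact_url(url):
    """Mask credential-bearing query parameters and keep the rest of the URI."""
    parts = urlsplit(url)
    query = [(k, MASK if k.lower() in SECRET_QUERY_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def redact_headers(headers):
    """Keep the Authorization scheme (e.g. Bearer) but drop the token itself."""
    out = {}
    for name, value in headers.items():
        if name.lower() == "authorization":
            scheme, sep, _ = value.partition(" ")
            # No scheme/token separator: mask everything rather than guess.
            out[name] = f"{scheme} {MASK}" if sep else MASK
        else:
            out[name] = value
    return out


def redact_body(obj):
    """Return a copy of a decoded JSON body with credential values masked."""
    if isinstance(obj, list):
        return [redact_body(item) for item in obj]
    if not isinstance(obj, dict):
        return obj
    # A name/value row whose name marks it as a secret (over-masking is the
    # safer failure, so this is not limited to rows that carry exporter_id).
    secret_row = str(obj.get("name", "")).lower() in SECRET_CONFIG_NAMES
    out = {}
    for key, value in obj.items():
        if value is not None and key.lower() in SECRET_KEYS:
            out[key] = MASK
        elif value is not None and key == "value" and secret_row:
            out[key] = MASK
        else:
            out[key] = redact_body(value)
    return out


def redact_exchange(method, url, headers, body_text):
    """Build a log-safe record for one request or response."""
    try:
        body = json.dumps(redact_body(json.loads(body_text)), sort_keys=True)
    except (TypeError, ValueError):
        # Not JSON, e.g. the plain-text list an export returns: log unchanged.
        body = body_text
    return {"method": method, "url": redact_url(url),
            "headers": redact_headers(headers), "body": body}


# Constructed sample shaped like the exporter config list response; values are made up.
SAMPLE_CONFIG = {"total": 2, "data": [
    {"id": 1, "exporter_id": 1, "name": "ContentType", "value": "text/plain"},
    {"id": 2, "exporter_id": 1, "name": "Token", "value": "EXAMPLE-EXPORT-TOKEN"},
]}

if __name__ == "__main__":
    print(redact_url("/export/fqdn?token=EXAMPLE-EXPORT-TOKEN&limit=500"))
    print(json.dumps(redact_body(SAMPLE_CONFIG), indent=2))
```

Apply the same masking to web server and proxy access logs, since those record the export URI with its token parameter independently of the client.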

Imports

Import List

Get List
GET /imports{?limit,offset,sort,with}

Get a list of pending Imports.

Example URI

GET /imports?limit=500&offset=100&sort=id&with=attributes,indicators
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: attributes,indicators

A comma-separated list of related objects to include in the response. Options for this endpoint: attributes, indicators, events, objectLinks, source.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 1,
  "data": [
    {
      "id": 1,
      "original_filename": "import_payload.json",
      "file_description": null,
      "file_type": 6,
      "attachment_id": null,
      "import_text": "99.99.99.99\n99.99.99.98\n99.99.99.97\n99.99.99.96\n99.99.99.95",
      "import_size": 3507,
      "import_type": 6,
      "delete_after_import": null,
      "import_source": null,
      "indicator_global_status": null,
      "source_id": 5,
      "completed_at": null,
      "created_at": "2017-04-12 19:34:00",
      "updated_at": "2017-04-12 19:34:00"
    }
  ]
}
Response  401

Access denied.

Create New
POST /imports

Create a new Import. Accepts a body of text, a file, or an Attachment ID.

Example URI

POST /imports
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "content_type_id": 6,
  "normalize": "Y",
  "text": "99.99.99.99\n99.99.99.98\n99.99.99.97\n99.99.99.96\n99.99.99.95"
}

OR

{
  "content_type_id": 6,
  "normalize": "Y",
  "attachment_id": 1
}

OR

------WebKitFormBoundaryPPjlkESLx9wSvvvc
Content-Disposition: form-data; name="resumableChunkNumber"

1
------WebKitFormBoundaryPPjlkESLx9wSvvvc
Content-Disposition: form-data; name="resumableChunkSize"

1048576
------WebKitFormBoundaryPPjlkESLx9wSvvvc
Content-Disposition: form-data; name="resumableCurrentChunkSize"

3507
------WebKitFormBoundaryPPjlkESLx9wSvvvc
Content-Disposition: form-data; name="resumableTotalSize"

3507
------WebKitFormBoundaryPPjlkESLx9wSvvvc
Content-Disposition: form-data; name="resumableType"

application/json
------WebKitFormBoundaryPPjlkESLx9wSvvvc
Content-Disposition: form-data; name="resumableIdentifier"

3507-cs_payloads_to_api_doomstone_shortjson
------WebKitFormBoundaryPPjlkESLx9wSvvvc
Content-Disposition: form-data; name="resumableFilename"

cs_payloads_to_api_doomstone_short.json
------WebKitFormBoundaryPPjlkESLx9wSvvvc
Content-Disposition: form-data; name="resumableRelativePath"

cs_payloads_to_api_doomstone_short.json
------WebKitFormBoundaryPPjlkESLx9wSvvvc
Content-Disposition: form-data; name="resumableTotalChunks"

1
------WebKitFormBoundaryPPjlkESLx9wSvvvc
Content-Disposition: form-data; name="content_type_id"

6
------WebKitFormBoundaryPPjlkESLx9wSvvvc
Content-Disposition: form-data; name="normalize"

Y
------WebKitFormBoundaryPPjlkESLx9wSvvvc
Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: application/octet-stream

------WebKitFormBoundaryPPjlkESLx9wSvvvc--
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "original_filename": "import_payload.json",
    "import_text": "99.99.99.99\n99.99.99.98\n99.99.99.97\n99.99.99.96\n99.99.99.95",
    "import_size": 3507,
    "source_id": 5,
    "import_type": "6",
    "file_type": "6",
    "updated_at": "2017-04-12 19:34:00",
    "created_at": "2017-04-12 19:34:00",
    "id": 1
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": {
    "file": [
      "The file field is required when none of text / attachment id are present."
    ],
    "text": [
      "The text field is required when none of file / attachment id are present."
    ],
    "content_type_id": [
      "The content type id field is required."
    ],
    "attachment_id": [
      "The attachment id field is required when none of file / text are present."
    ]
  }
}
Response  401

Access denied.
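
A file upload to POST /imports has to reproduce the multipart layout of the third sample request body above. The following Python builder is an added example, not part of the ThreatQ reference or ThreatQuotient's code, and it covers only files that fit in one chunk. The resumableIdentifier rule is an assumption inferred from the sample value on this page, and the function names and the default boundary prefix are hypothetical.

```python
"""Build the single-chunk multipart/form-data body for a file POST to /imports."""
import re
import uuid

CHUNK_SIZE = 1048576  # resumableChunkSize in the page's sample request


def resumable_identifier(filename, size):
    """Assumed rule, inferred from the page's sample value: the size, a dash,
    then the file name with every character outside [0-9A-Za-z_-] removed."""
    return f"{size}-" + re.sub(r"[^0-9A-Za-z_-]", "", filename)


def import_form_fields(filename, payload, content_type_id, mime_type, normalize="Y"):
    """Return the text fields in the order the sample request lists them."""
    size = len(payload)
    if size == 0:
        raise ValueError("refusing to upload an empty file")
    if size > CHUNK_SIZE:
        raise ValueError("payload exceeds one chunk; multi-chunk upload is not covered here")
    return [
        ("resumableChunkNumber", "1"),
        ("resumableChunkSize", str(CHUNK_SIZE)),
        ("resumableCurrentChunkSize", str(size)),
        ("resumableTotalSize", str(size)),
        ("resumableType", mime_type),
        ("resumableIdentifier", resumable_identifier(filename, size)),
        ("resumableFilename", filename),
        ("resumableRelativePath", filename),
        ("resumableTotalChunks", "1"),
        ("content_type_id", str(content_type_id)),
        ("normalize", normalize),
    ]


def encode_multipart(fields, payload, boundary=None):
    """Return (body, content_type) for the given text fields plus the file part.

    The boundary must not occur in any value or in the file bytes, otherwise
    the receiver would split the body in the wrong place.
    """
    boundary = boundary or "----ImportBoundary" + uuid.uuid4().hex
    delimiter = b"--" + boundary.encode("ascii")
    values = [value.encode("utf-8") for _, value in fields]
    if any(delimiter in chunk for chunk in values + [payload]):
        raise ValueError("boundary occurs in the data; choose a different boundary")
    lines = []
    for (name, _), value in zip(fields, values):
        # Field names go into a header line, so allow only a safe alphabet.
        if not re.fullmatch(r"[A-Za-z0-9_]+", name):
            raise ValueError(f"unsafe field name: {name!r}")
        lines += [delimiter,
                  f'Content-Disposition: form-data; name="{name}"'.encode("ascii"),
                  b"", value]
    lines += [delimiter,
              b'Content-Disposition: form-data; name="file"; filename="blob"',
              b"Content-Type: application/octet-stream",
              b"", payload,
              delimiter + b"--", b""]
    return b"\r\n".join(lines), f"multipart/form-data; boundary={boundary}"


def build_import_upload(filename, payload, content_type_id, mime_type, boundary=None):
    """Fields plus encoding in one call; send the result as the POST body."""
    fields = import_form_fields(filename, payload, content_type_id, mime_type)
    return encode_multipart(fields, payload, boundary)


if __name__ == "__main__":
    # Constructed sample file content, not data from the page.
    sample = b'{"constructed": "sample payload"}'
    body, ctype = build_import_upload("sample_import.json", sample, 6, "application/json")
    print(ctype)
    print(body.decode("utf-8"))
```

Send the returned content type as the Content-Type header together with the Authorization header shown in the request above.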

Import Commit

Import Commit
GET /imports/{import_id}/commit

Commit an Import to the database.

Example URI

GET /imports/1/commit
URI Parameters
import_id
integer (required) Example: 1

Import ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": "Import Complete!"
}
Response  401

Access denied.

Import Indicator Bulk Delete

Import Indicator Bulk Delete
DELETE /imports/{import_id}/indicators

Delete all Import Indicators.

Example URI

DELETE /imports/1/indicators
URI Parameters
import_id
integer (required) Example: 1

Import ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Import

Get Single
GET /imports/{import_id}

Get a single Import.

Example URI

GET /imports/1
URI Parameters
import_id
integer (required) Example: 1

Import ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "original_filename": "import_payload.json",
    "file_description": null,
    "file_type": 6,
    "attachment_id": null,
    "import_text": "import_payload.json",
    "import_size": 3507,
    "import_type": 6,
    "delete_after_import": null,
    "import_source": null,
    "indicator_global_status": null,
    "source_id": 5,
    "completed_at": null,
    "created_at": "2017-04-12 19:34:00",
    "updated_at": "2017-04-12 19:34:00",
    "attributes": []
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /imports/{import_id}

Update an Import.

Example URI

PUT /imports/1
URI Parameters
import_id
integer (required) Example: 1

Import ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "delete_after_import": 0,
  "file_description": null,
  "import_source": "Source",
  "file_type": 6,
  "indicator_global_status": 4,
  "apply_attributes": [
    {
      "name": "IP Address",
      "value": "99.99.99.99",
      "sources": [
        {
          "name": "Source",
          "tlp": {
            "name": "GREEN"
          }
        }
      ]
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 1,
    "original_filename": "import_payload.json",
    "file_description": null,
    "file_type": 6,
    "attachment_id": null,
    "import_text": "99.99.99.99\n99.99.99.98\n99.99.99.97\n99.99.99.96\n99.99.99.95",
    "import_size": 3507,
    "import_type": 6,
    "delete_after_import": 0,
    "import_source": "Source",
    "indicator_global_status": 4,
    "source_id": 5,
    "completed_at": null,
    "created_at": "2017-04-12 19:34:00",
    "updated_at": "2017-04-12 20:11:30"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": {
    "import_source": [
      "The import source field is required."
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /imports/{import_id}

Delete an Import.

Example URI

DELETE /imports/1
URI Parameters
import_id
integer (required) Example: 1

Import ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Import Events

Import Events
GET /imports/{import_id}/events{?limit,offset,sort,with}

Get a list of Import Events.

Example URI

GET /imports/1/events?limit=500&offset=100&sort=id&with=attributes,type
URI Parameters
import_id
integer (required) Example: 1

Import ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: attributes,type

A comma-separated list of related objects to include in the response. Options for this endpoint: attributes, type.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 1,
      "import_id": 1,
      "title": "Event 1",
      "description": "Event Description",
      "type_id": 1,
      "happened_at": "2017-01-01 12:00:00",
      "status_id": 1,
      "source": "Source",
      "whitelisted": "N",
      "duplicate": "N",
      "type": {
        "id": 1,
        "name": "Spearphish",
        "user_editable": "N",
        "created_at": "2017-04-13 13:28:41",
        "updated_at": "2017-04-13 13:28:41"
      }
    },
    {
      "id": 2,
      "import_id": 1,
      "title": "Event 2",
      "description": "Event Description",
      "type_id": 1,
      "happened_at": "2017-01-01 12:00:00",
      "status_id": 1,
      "source": "Source",
      "whitelisted": "N",
      "duplicate": "N",
      "type": {
        "id": 1,
        "name": "Spearphish",
        "user_editable": "N",
        "created_at": "2017-04-13 13:28:41",
        "updated_at": "2017-04-13 13:28:41"
      }
    }
  ]
}
Response  401

Access denied.

Import Indicator

Update
PUT /imports/{import_id}/indicators/{import_indicator_id}

Update an Import Indicator.

Example URI

PUT /imports/1/indicators/2
URI Parameters
import_id
integer (required) Example: 1

Import ID

import_indicator_id
integer (required) Example: 2

Import Indicator ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "99.99.99.96",
  "type_id": "10",
  "status_id": "2",
  "source": {
    "name": "Adversary source",
    "tlp": {
      "name": "GREEN"
    }
  },
  "whitelisted": "Y"
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1133,
    "import_id": 1,
    "value": "99.99.99.96",
    "hash": "3f560465e1b9a5e1fee97b2fbf45de16",
    "type_id": 10,
    "status_id": 2,
    "source": "New Source",
    "import_event_id": null,
    "whitelisted": "Y",
    "duplicate": "N",
    "duplicate_indicator_id": null,
    "created_indicator_id": null,
    "parent_import_indicator_hash": null,
    "type": {
      "id": 10,
      "name": "IP Address",
      "class": "network",
      "score": null,
      "wildcard_matching": "N",
      "created_at": "2017-04-13 16:28:54",
      "updated_at": "2017-04-13 16:28:54"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /imports/{import_id}/indicators/{import_indicator_id}

Delete an Import Indicator.

Example URI

DELETE /imports/1/indicators/2
URI Parameters
import_id
integer (required) Example: 1

Import ID

import_indicator_id
integer (required) Example: 2

Import Indicator ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Import Indicator Attribute List

Get List
GET /imports/{import_id}/indicators/{import_indicator_id}/attributes{?limit,offset,sort}

Get a list of Import Indicator Attributes.

Example URI

GET /imports/1/indicators/2/attributes?limit=500&offset=100&sort=id
URI Parameters
import_id
integer (required) Example: 1

Import ID

import_indicator_id
integer (required) Example: 2

Import Indicator ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 1,
      "import_indicator_id": 178,
      "name": "Scheme",
      "value": "http",
      "source": null
    },
    {
      "id": 266,
      "import_indicator_id": 178,
      "name": "Attribute Name",
      "value": "Attribute Value",
      "source": "Source"
    }
  ]
}
Response  401

Access denied.

Create New
POST /imports/{import_id}/indicators/{import_indicator_id}/attributes

Create a new Import Indicator Attribute.

Example URI

POST /imports/1/indicators/2/attributes
URI Parameters
import_id
integer (required) Example: 1

Import ID

import_indicator_id
integer (required) Example: 2

Import Indicator ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Attribute Name",
  "value": "Attribute Value",
  "source": {
    "name": "Source",
    "tlp": {
      "name": "RED"
    }
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "name": "Attribute Name",
    "value": "Attribute Value",
    "source": "Source",
    "import_indicator_id": 178,
    "id": 266
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "errors": {
      "name": [
        "The name field is required."
      ],
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Import Indicator Attribute Delete

Import Indicator Attribute Delete
DELETE /imports/{import_id}/indicators/{import_indicator_id}/attributes/{import_indicator_attribute_id}

Delete an Import Indicator Attribute.

Example URI

DELETE /imports/1/indicators/2/attributes/3
URI Parameters
import_id
integer (required) Example: 1

Import ID

import_indicator_id
integer (required) Example: 2

Import Indicator ID

import_indicator_attribute_id
integer (required) Example: 3

Import Indicator Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Import Indicator Comment List

Get List
GET /imports/{import_id}/indicators/{import_indicator_id}/comments{?limit,offset,sort}

Get a list of Import Indicator Comments.

Example URI

GET /imports/1/indicators/2/comments?limit=500&offset=100&sort=id
URI Parameters
import_id
integer (required) Example: 1

Import ID

import_indicator_id
integer (required) Example: 2

Import Indicator ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 1,
      "import_indicator_id": 178,
      "value": "This is a comment."
    },
    {
      "id": 2,
      "import_indicator_id": 178,
      "value": "This is another comment."
    }
  ]
}
Response  401

Access denied.

Create New
POST /imports/{import_id}/indicators/{import_indicator_id}/comments

Create a new Import Indicator Comment.

Example URI

POST /imports/1/indicators/2/comments
URI Parameters
import_id
integer (required) Example: 1

Import ID

import_indicator_id
integer (required) Example: 2

Import Indicator ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "value": "This is a comment.",
    "import_indicator_id": 178,
    "id": 1
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Import Indicator Comment Delete

Import Indicator Comment Delete
DELETE /imports/{import_id}/indicators/{import_indicator_id}/comments/{import_indicator_comment_id}

Delete an Import Indicator Comment.

Example URI

DELETE /imports/1/indicators/2/comments/3
URI Parameters
import_id
integer (required) Example: 1

Import ID

import_indicator_id
integer (required) Example: 2

Import Indicator ID

import_indicator_comment_id
integer (required) Example: 3

Import Indicator Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Indicators

Indicator Statuses List

Get List
GET /indicator/statuses{?limit,offset,sort,with}

Get a list of Indicator Statuses.

Example URI

GET /indicator/statuses?limit=500&offset=100&sort=id&with=indicators
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: indicators

A comma-separated list of related objects to include in the response. Options for this endpoint: indicators.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 5,
  "data": [
    {
      "id": 1,
      "name": "Active",
      "description": "Poses a threat and is being exported to detection tools.",
      "user_editable": "N",
      "visible": "Y",
      "include_in_export": "Y",
      "protected": "Y",
      "created_at": "2017-04-17 04:35:21",
      "updated_at": "2017-04-17 04:35:21"
    },
    {
      "id": 2,
      "name": "Expired",
      "description": "No longer poses a serious threat.",
      "user_editable": "N",
      "visible": "Y",
      "include_in_export": "Y",
      "protected": "N",
      "created_at": "2017-04-17 04:35:21",
      "updated_at": "2017-04-17 04:35:21"
    },
    {
      "id": 3,
      "name": "Indirect",
      "description": "Associated to an active indicator or event (i.e. pDNS).",
      "user_editable": "N",
      "visible": "Y",
      "include_in_export": "Y",
      "protected": "N",
      "created_at": "2017-04-17 04:35:21",
      "updated_at": "2017-04-17 04:35:21"
    },
    {
      "id": 4,
      "name": "Review",
      "description": "Requires further analysis.",
      "user_editable": "N",
      "visible": "Y",
      "include_in_export": "Y",
      "protected": "N",
      "created_at": "2017-04-17 04:35:21",
      "updated_at": "2017-04-17 04:35:21"
    },
    {
      "id": 5,
      "name": "Whitelisted",
      "description": "Poses NO risk and should never be deployed.",
      "user_editable": "N",
      "visible": "Y",
      "include_in_export": "N",
      "protected": "Y",
      "created_at": "2017-04-17 04:35:21",
      "updated_at": "2017-04-17 04:35:21"
    }
  ]
}
Response  401

Access denied.

Create New
POST /indicator/statuses

Create a new Indicator Status.

Example URI

POST /indicator/statuses
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Custom Status",
  "description": "A custom status",
  "user_editable": "Y",
  "include_in_export": "Y",
  "protected": "N"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "name": "Custom Status",
    "user_editable": "Y",
    "include_in_export": "Y",
    "protected": "N",
    "description": "A custom status",
    "updated_at": "2017-04-17 09:39:12",
    "created_at": "2017-04-17 09:39:12",
    "id": 6
  }
}
Response  401

Access denied.

Indicator Status

Get Single
GET /indicator/statuses/{indicator_status_id}{?with}

Get a single Indicator Status.

Example URI

GET /indicator/statuses/2?with=indicators
URI Parameters
indicator_status_id
integer (required) Example: 2

Indicator Status ID

with
string (optional) Example: indicators

A comma-separated list of related objects to include in the response. Options for this endpoint: indicators.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "name": "Active",
    "description": "Poses a threat and is being exported to detection tools.",
    "user_editable": "N",
    "visible": "Y",
    "include_in_export": "Y",
    "protected": "Y",
    "created_at": "2017-04-17 04:35:21",
    "updated_at": "2017-04-17 04:35:21"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /indicator/statuses/{indicator_status_id}{?with}

Update an Indicator Status.

Example URI

PUT /indicator/statuses/2?with=indicators
URI Parameters
indicator_status_id
integer (required) Example: 2

Indicator Status ID

with
string (optional) Example: indicators

A comma-separated list of related objects to include in the response. Options for this endpoint: indicators.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Updated Custom Status",
  "description": "An updated custom status",
  "user_editable": "N",
  "include_in_export": "N",
  "protected": "Y"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 6,
    "name": "Updated Custom Status",
    "description": "An updated custom status",
    "user_editable": "N",
    "visible": "Y",
    "include_in_export": "N",
    "protected": "Y",
    "created_at": "2017-04-17 09:39:12",
    "updated_at": "2017-04-17 09:44:30"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /indicator/statuses/{indicator_status_id}

Delete an Indicator Status.

Example URI

DELETE /indicator/statuses/2
URI Parameters
indicator_status_id
integer (required) Example: 2

Indicator Status ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Indicator Types List

Get List
GET /indicator/types{?limit,offset,sort,with}

Get a list of Indicator Types.

Example URI

GET /indicator/types?limit=500&offset=100&sort=id&with=indicators,plugins
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: indicators,plugins

A comma-separated list of related objects to include in the response. Options for this endpoint: indicators, plugins, pluginActions, pluginObjectTypes.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 24,
  "data": [
    {
      "id": 1,
      "name": "CIDR Block",
      "class": "network",
      "score": null,
      "wildcard_matching": "Y",
      "created_at": "2017-04-17 04:34:56",
      "updated_at": "2017-04-17 04:34:56"
    },
    {
      "id": 2,
      "name": "Email Address",
      "class": "network",
      "score": null,
      "wildcard_matching": "Y",
      "created_at": "2017-04-17 04:34:56",
      "updated_at": "2017-04-17 04:34:56"
    },
    {
      "id": 3,
      "name": "Email Attachment",
      "class": "network",
      "score": null,
      "wildcard_matching": "Y",
      "created_at": "2017-04-17 04:34:56",
      "updated_at": "2017-04-17 04:34:56"
    }
  ]
}
Response  401

Access denied.

Create New
POST /indicator/types

Create a new Indicator Type.

Example URI

POST /indicator/types
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "score": "7",
  "name": "New Type",
  "class": "network"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "score": "7",
    "name": "New Type",
    "class": "network",
    "updated_at": "2017-04-17 09:59:53",
    "created_at": "2017-04-17 09:59:53",
    "id": 25
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "errors": {
      "name": [
        "The name field is required."
      ],
      "class": [
        "The class field is required."
      ]
    }
  }
}
Response  401

Access denied.

Indicator Type

Get Single
GET /indicator/types/{indicator_type_id}{?with}

Get a single Indicator Type.

Example URI

GET /indicator/types/2?with=indicators,plugins
URI Parameters
indicator_type_id
integer (required) Example: 2

Indicator Type ID

with
string (optional) Example: indicators,plugins

A comma-separated list of related objects to include in the response. Options for this endpoint: indicators, plugins, pluginActions, pluginObjectTypes.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "name": "CIDR Block",
    "class": "network",
    "score": null,
    "wildcard_matching": "Y",
    "created_at": "2017-04-17 04:34:56",
    "updated_at": "2017-04-17 04:34:56"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /indicator/types/{indicator_type_id}{?with}

Update an Indicator Type.

Example URI

PUT /indicator/types/2?with=indicators,plugins
URI Parameters
indicator_type_id
integer (required) Example: 2

Indicator Type ID

with
string (optional) Example: indicators,plugins

A comma-separated list of related objects to include in the response. Options for this endpoint: indicators, plugins, pluginActions, pluginObjectTypes.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "score": "4",
  "name": "Updated Type",
  "class": "host"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 25,
    "name": "Updated Type",
    "class": "host",
    "score": "4",
    "wildcard_matching": "Y",
    "created_at": "2017-04-17 09:59:53",
    "updated_at": "2017-04-17 10:04:24",
    "plugins": []
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /indicator/types/{indicator_type_id}

Delete an Indicator Type.

Example URI

DELETE /indicator/types/2
URI Parameters
indicator_type_id
integer (required) Example: 2

Indicator Type ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Indicator List

Get List
GET /indicators{?limit,offset,sort,with}

Get a list of Indicators.

Example URI

GET /indicators?limit=500&offset=100&sort=id&with=adversaries,attachments
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: adversaries,attachments

A comma-separated list of related objects to include in the response. Options for this endpoint: adversaries, attachments, attributes, comments, events, indicators, score, signatures, sources, status, tags, type, watchlist.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 7481,
  "data": [
    {
      "id": 1,
      "type_id": 1,
      "status_id": 1,
      "class": "network",
      "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
      "value": "37.139.40.0/21",
      "last_detected_at": "2016-06-03 12:41:02",
      "expires_at": null,
      "expired_at": null,
      "expires_calculated_at": null,
      "created_at": "2017-04-14 13:36:31",
      "updated_at": "2017-04-14 13:36:31",
      "touched_at": "2017-04-14 13:48:31"
    },
    {
      "id": 2,
      "type_id": 1,
      "status_id": 2,
      "class": "network",
      "hash": "0c7ec33474db30aa8f160840768a7adc",
      "value": "62.76.40.0/21",
      "last_detected_at": "2008-11-08 12:55:25",
      "expires_at": null,
      "expired_at": "2017-04-14 13:36:31",
      "expires_calculated_at": null,
      "created_at": "2017-04-14 13:36:31",
      "updated_at": "2017-04-14 13:36:31",
      "touched_at": "2017-04-14 13:48:31"
    },
    {
      "id": 3,
      "type_id": 1,
      "status_id": 3,
      "class": "network",
      "hash": "a163b0d14775955cb9a1a81fa9e291ce",
      "value": "62.76.176.0/22",
      "last_detected_at": "2002-04-09 23:40:05",
      "expires_at": null,
      "expired_at": null,
      "expires_calculated_at": null,
      "created_at": "2017-04-14 13:36:31",
      "updated_at": "2017-04-14 13:36:31",
      "touched_at": "2017-04-14 13:48:31"
    }
  ]
}
Response  401

Access denied.

Create New
POST /indicators

Create a new Indicator.

Example URI

POST /indicators
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "class": "network",
    "value": "115.47.67.155",
    "type_id": "10",
    "status_id": 2,
    "sources": [
      {
        "name": "Source",
        "tlp": {
          "name": "GREEN"
        },
        "published_at": "2016-07-18 02:00:00"
      }
    ],
    "attributes": [
      {
        "name": "Confidence",
        "value": "High",
        "sources": [
          {
            "name": "Source",
            "tlp": {
              "name": "GREEN"
            },
            "published_at": "2016-07-18 02:00:00"
          }
        ]
      },
      {
        "name": "Port",
        "value": "4000"
      },
      {
        "name": "Scheme",
        "value": "https"
      }
    ]
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 7908,
      "type_id": 10,
      "status_id": 2,
      "class": "network",
      "hash": "f9ebf8ab2aa46929ff3bb6136d255173",
      "value": "115.47.67.155",
      "last_detected_at": null,
      "expires_at": null,
      "expired_at": null,
      "expires_calculated_at": null,
      "created_at": "2017-04-14 19:05:47",
      "updated_at": "2017-04-14 19:05:47",
      "touched_at": "2017-04-14 19:05:47",
      "existing": "N",
      "type": {
        "id": 10,
        "name": "IP Address",
        "class": "network",
        "score": null,
        "wildcard_matching": "N",
        "created_at": "2017-04-14 19:01:07",
        "updated_at": "2017-04-14 19:01:07"
      },
      "sources": [
        {
          "type": "other_sources",
          "name": "Source",
          "updated_at": "2017-04-14 19:05:47",
          "created_at": "2017-04-14 19:05:47",
          "id": 10
        }
      ],
      "attributes": [
        {
          "value": "High",
          "indicator_id": 7908,
          "id": 41255,
          "attribute_id": 13,
          "created_at": "2017-04-14 19:05:47",
          "updated_at": "2017-04-14 19:05:47",
          "name": "Confidence",
          "attribute": {
            "id": 13,
            "name": "Confidence",
            "created_at": "2017-04-07 19:04:42",
            "updated_at": "2017-03-29 19:03:42"
          },
          "sources": [
            {
              "id": 10,
              "type": "other_sources",
              "name": "Source",
              "expire_days": null,
              "score": null,
              "created_at": "2017-04-14 19:05:47",
              "updated_at": "2017-04-14 19:05:47"
            }
          ]
        },
        {
          "value": "4000",
          "indicator_id": 7908,
          "id": 41256,
          "attribute_id": 66,
          "created_at": "2017-04-14 19:05:48",
          "updated_at": "2017-04-14 19:05:48",
          "name": "Port",
          "attribute": {
            "id": 66,
            "name": "Port",
            "created_at": "2017-03-31 19:03:42",
            "updated_at": "2017-04-04 19:04:42"
          }
        },
        {
          "value": "https",
          "indicator_id": 7908,
          "id": 41257,
          "attribute_id": 254,
          "created_at": "2017-04-14 19:05:48",
          "updated_at": "2017-04-14 19:05:48",
          "name": "Scheme",
          "attribute": {
            "id": 254,
            "name": "Scheme",
            "created_at": "2017-04-14 19:05:48",
            "updated_at": "2017-04-14 19:05:48"
          }
        }
      ]
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "errors": {
      "type_id": [
        "The type id field is required."
      ],
      "status_id": [
        "The status id field is required."
      ],
      "class": [
        "Class not provided or could not be inferred from type."
      ],
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Indicator Comment Short

Get Single
GET /indicators/comments/{indicator_comment_id}{?with}

Get a single Indicator Comment.

Example URI

GET /indicators/comments/2?with=indicator,sources
URI Parameters
indicator_comment_id
integer (required) Example: 2

Indicator Comment ID

with
string (optional) Example: indicator,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: indicator, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /indicators/comments/{indicator_comment_id}{?with}

Update an Indicator Comment.

Example URI

PUT /indicators/comments/2?with=indicator,sources
URI Parameters
indicator_comment_id
integer (required) Example: 2

Indicator Comment ID

with
string (optional) Example: indicator,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: indicator, sources.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 54,
    "indicator_id": 1,
    "value": "This is an updated comment.",
    "creator_source_id": 5,
    "created_at": "2017-04-16 14:39:28",
    "updated_at": "2017-04-16 14:44:26",
    "sources": [
      {
        "id": 5,
        "type": "users",
        "name": "Threat Quotient",
        "expire_days": null,
        "score": null,
        "created_at": "2017-04-14 19:01:42",
        "updated_at": "2017-04-14 19:01:42",
        "pivot": {
          "id": 54,
          "creator_source_id": 5
        }
      }
    ]
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "The current authenticated owner is not the owner of this comment."
  ]
}
Response  401

Access denied.

Response  404

Object not found.
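
The 400 bodies in this reference come in two shapes: field-keyed messages under data.errors (the create endpoints) and a flat message list under a top-level errors key (the comment Update above), while 401 and 404 are shown without a body. The following added example (not ThreatQuotient's code; the function name and fallback table are assumptions) normalizes all of them into one list a client can log or alert on.

```python
import json

# Fallback text for statuses this reference documents without a response body.
DEFAULT_MESSAGES = {
    400: "Validation failed.",
    401: "Access denied.",
    404: "Object not found.",
}


def extract_errors(status_code, body_text):
    """Return a list of (field, message) pairs for an error response.

    field is None when the message is not tied to a request field.
    Successful responses (status below 400) yield an empty list.
    """
    if status_code < 400:
        return []

    try:
        body = json.loads(body_text) if body_text else {}
    except ValueError:
        body = {}  # non-JSON error page, e.g. from a proxy in front of the API
    if not isinstance(body, dict):
        body = {}

    # Shape 1: {"data": {"errors": {...}}}   Shape 2: {"errors": [...]}
    data = body.get("data")
    if isinstance(data, dict) and "errors" in data:
        errors = data["errors"]
    else:
        errors = body.get("errors")

    pairs = []
    if isinstance(errors, dict):
        for field, messages in errors.items():
            if isinstance(messages, str):
                messages = [messages]
            for message in messages:
                pairs.append((field, str(message)))
    elif isinstance(errors, list):
        for message in errors:
            pairs.append((None, str(message)))
    elif isinstance(errors, str):
        pairs.append((None, errors))

    if not pairs:
        fallback = DEFAULT_MESSAGES.get(status_code, "HTTP %d" % status_code)
        pairs.append((None, fallback))
    return pairs


if __name__ == "__main__":
    # Bodies copied from the 400 examples in this reference.
    field_shape = '{"data": {"errors": {"value": ["The value field is required."]}}}'
    flat_shape = ('{"errors": ["The current authenticated owner is not '
                  'the owner of this comment."]}')
    for status, text in ((400, field_shape), (400, flat_shape), (401, "")):
        print(status, extract_errors(status, text))
```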

Delete
DELETE /indicators/comments/{indicator_comment_id}

Delete an Indicator Comment.

Example URI

DELETE /indicators/comments/2
URI Parameters
indicator_comment_id
integer (required) Example: 2

Indicator Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Indicator Consume

Indicator Consume
POST /indicators/consume

Consume a list of Indicator objects.

Required fields: value, type_id, status_id

Optional fields: description, last_detected_at, published_at, tlp (an object with a name field) or tlp_id, sources, attributes, comments, and tags

Relations can also be included as optional fields in the request: adversaries, attachments, attack_pattern, campaign, course_of_action, events, exploit_target, identity, incident, indicators, intrusion_set, malware, report, signatures, tool, ttp, and vulnerability.

When including relations, if the relation is of the same type as the endpoint used (e.g. related indicators on Indicator Consume), the relation can be defined using the required fields. Otherwise, relations must be created in advance and the resulting IDs should be used in the request.

Note: Objects that already exist in the system will not be duplicated; any new context in the request will be added to the existing object. This endpoint does not fail on validation; any errors will be included in the response object.

Example URI

POST /indicators/consume
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "status_id": 1,
    "type_id": 7,
    "value": "badf0rm.net",
    "tlp": {
      "name": "WHITE"
    },
    "touched_at": "2017-06-20 12:01:48",
    "published_at": "2017-01-01 00:00:00",
    "indicators": [
      {
        "status_id": 1,
        "type_id": 7,
        "value": "an0therb@df0rm.net"
      }
    ],
    "comments": [
      {
        "value": "Found this during the investigation."
      }
    ]
  },
  {
    "type_id": 10,
    "status_id": 2,
    "value": "99.99.99.99",
    "last_detected_at": "2019-07-11 11:31:55",
    "tlp_id": 3,
    "attributes": [
      {
        "name": "Industry",
        "value": "Hospitals"
      }
    ],
    "adversaries": [
      {
        "id": 3
      },
      {
        "id": 4
      }
    ]
  },
  {
    "type_id": 11,
    "status_id": 3,
    "value": "supp0rt@go0g1e.c0m",
    "description": "Phishing email sender",
    "sources": [
      {
        "name": "Digital Shadows",
        "tlp": "AMBER"
      }
    ],
    "tags": [
      {
        "name": "Internal"
      }
    ]
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 4,
  "data": [
    {
      "type_id": 7,
      "value": "badf0rm.net",
      "published_at": "2017-01-01 00:00:00",
      "type": "FQDN",
      "hash": "e3e8b8c437ca6c8fcc7825ebbc91925d",
      "id": 7199
    },
    {
      "type_id": 10,
      "value": "99.99.99.99",
      "type": "IP Address",
      "hash": "d225e18ca84bdaa618f9f00eb2920061",
      "id": 7200
    },
    {
      "type_id": 5,
      "value": "supp0rt@go0g1e.c0m",
      "description": "Phishing email sender",
      "type": "Email Address",
      "hash": "40922922c965cc4e61cb0770041d4344",
      "id": 7202
    },
    {
      "type_id": 7,
      "value": "an0therb@df0rm.net",
      "type": "FQDN",
      "hash": "4df07c971acc8d7cf819b60c54f81fcd",
      "id": 7201
    }
  ]
}
Response  401

Access denied.
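
Because Indicator Consume reports problems in the response instead of failing the request, a client has to compare what it sent with what came back. The following added example (not ThreatQuotient's code; all function names are hypothetical) checks the required fields before sending and reconciles a batch against the response by value. The sample data is abridged from the bodies above; the example.invalid entry and its absence from the response are constructed for the demonstration.

```python
import json

REQUIRED_FIELDS = ("value", "type_id", "status_id")  # required fields listed above

# Constructed sample: abridged from the request body above, plus one
# deliberately incomplete entry (no status_id) added for this example.
SAMPLE_REQUEST = json.loads("""
[
  {"status_id": 1, "type_id": 7, "value": "badf0rm.net",
   "indicators": [{"status_id": 1, "type_id": 7, "value": "an0therb@df0rm.net"}]},
  {"type_id": 10, "status_id": 2, "value": "99.99.99.99"},
  {"type_id": 11, "status_id": 3, "value": "supp0rt@go0g1e.c0m"},
  {"type_id": 7, "value": "example.invalid"}
]
""")

# Abridged from the 201 response body above.
SAMPLE_RESPONSE = json.loads("""
{"total": 4, "data": [
  {"type_id": 7, "value": "badf0rm.net", "type": "FQDN", "id": 7199},
  {"type_id": 10, "value": "99.99.99.99", "type": "IP Address", "id": 7200},
  {"type_id": 5, "value": "supp0rt@go0g1e.c0m", "type": "Email Address", "id": 7202},
  {"type_id": 7, "value": "an0therb@df0rm.net", "type": "FQDN", "id": 7201}
]}
""")


def flatten_submitted(batch):
    """Yield (path, item) for each top-level indicator and for each related
    indicator nested under its "indicators" key."""
    for i, item in enumerate(batch):
        yield "[%d]" % i, item
        for j, related in enumerate(item.get("indicators", [])):
            yield "[%d].indicators[%d]" % (i, j), related


def precheck(batch):
    """Return {path: [missing required fields]} before anything is sent."""
    problems = {}
    for path, item in flatten_submitted(batch):
        missing = [f for f in REQUIRED_FIELDS if item.get(f) in (None, "")]
        if missing:
            problems[path] = missing
    return problems


def _as_int(value):
    """type_id appears both as a number and as a string in this reference."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def reconcile(batch, response):
    """Match submitted indicators to returned objects by value.

    accepted:     value -> id assigned by the server
    not_returned: paths of submitted entries with no object in the response
    type_changed: value -> (type_id sent, type_id returned) when they differ
    """
    returned = {}
    for obj in response.get("data", []):
        if isinstance(obj, dict) and "value" in obj and "id" in obj:
            returned[obj["value"]] = obj

    report = {"accepted": {}, "not_returned": [], "type_changed": {}}
    for path, item in flatten_submitted(batch):
        got = returned.get(item.get("value"))
        if got is None:
            report["not_returned"].append(path)
            continue
        report["accepted"][item["value"]] = got["id"]
        sent = _as_int(item.get("type_id"))
        stored = _as_int(got.get("type_id"))
        if sent is not None and stored is not None and sent != stored:
            report["type_changed"][item["value"]] = (sent, stored)
    return report


if __name__ == "__main__":
    print("precheck:", precheck(SAMPLE_REQUEST))
    print("reconcile:", json.dumps(reconcile(SAMPLE_REQUEST, SAMPLE_RESPONSE), indent=2))
```

On the sample bodies from this section, the reconciliation also surfaces that supp0rt@go0g1e.c0m was sent with type_id 11 and returned with type_id 5.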

Indicator Watchlist Bulk

Get List
GET /indicators/watchlist

Get all Indicators in a user’s Watchlist. Only users with administrator privileges can see Watchlists for all users.

Example URI

GET /indicators/watchlist
Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 3,
  "data": [
    {
      "id": 1,
      "user_id": 1,
      "object_type": "indicator",
      "object_id": 5,
      "created_at": "2017-04-17 10:14:03",
      "updated_at": "2017-04-17 10:14:03",
      "indicator": {
        "id": 5,
        "type_id": 1,
        "status_id": 4,
        "class": "network",
        "hash": "ae1ca1c71341cb398c95a19ee90a2d91",
        "value": "62.76.182.0/23",
        "last_detected_at": "2008-05-19 02:32:11",
        "expires_at": null,
        "expired_at": null,
        "expires_calculated_at": null,
        "created_at": "2017-04-17 04:35:35",
        "updated_at": "2017-04-17 04:35:35",
        "touched_at": "2017-04-17 07:34:31"
      }
    },
    {
      "id": 2,
      "user_id": 1,
      "object_type": "indicator",
      "object_id": 6,
      "created_at": "2017-04-17 10:14:03",
      "updated_at": "2017-04-17 10:14:03",
      "indicator": {
        "id": 6,
        "type_id": 1,
        "status_id": 3,
        "class": "network",
        "hash": "c29d544c60ea24c8aaa4d7bb8e628938",
        "value": "62.76.184.0/21",
        "last_detected_at": "2012-02-10 08:25:28",
        "expires_at": null,
        "expired_at": null,
        "expires_calculated_at": null,
        "created_at": "2017-04-17 04:35:35",
        "updated_at": "2017-04-17 04:35:35",
        "touched_at": "2017-04-17 07:35:11"
      }
    },
    {
      "id": 3,
      "user_id": 1,
      "object_type": "indicator",
      "object_id": 7,
      "created_at": "2017-04-17 10:14:03",
      "updated_at": "2017-04-17 10:14:03",
      "indicator": {
        "id": 7,
        "type_id": 1,
        "status_id": 4,
        "class": "network",
        "hash": "9bed599bac77d581bd01872112479cb1",
        "value": "85.143.160.0/21",
        "last_detected_at": "1982-09-05 02:19:35",
        "expires_at": null,
        "expired_at": null,
        "expires_calculated_at": null,
        "created_at": "2017-04-17 04:35:35",
        "updated_at": "2017-04-17 04:35:35",
        "touched_at": "2017-04-17 05:14:58"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /indicators/watchlist

Bulk add Indicators to the user’s Watchlist.

Example URI

POST /indicators/watchlist
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "object_ids": [
    5,
    6,
    7
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "object_type": "indicator",
      "user_id": 1,
      "object_id": "5",
      "updated_at": "2017-04-17 10:14:03",
      "created_at": "2017-04-17 10:14:03",
      "id": 1
    },
    {
      "object_type": "indicator",
      "user_id": 1,
      "object_id": "6",
      "updated_at": "2017-04-17 10:14:03",
      "created_at": "2017-04-17 10:14:03",
      "id": 2
    },
    {
      "object_type": "indicator",
      "user_id": 1,
      "object_id": "7",
      "updated_at": "2017-04-17 10:14:03",
      "created_at": "2017-04-17 10:14:03",
      "id": 3
    }
  ]
}
Response  401

Access denied.

Indicator Details

Indicator Details
GET /indicators/{indicator_id}/details

Get an Indicator’s Details.

Example URI

GET /indicators/1/details
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "type_id": 1,
    "status_id": 1,
    "class": "network",
    "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
    "value": "37.139.40.0/21",
    "last_detected_at": "2015-12-06 08:46:27",
    "expires_at": null,
    "expired_at": null,
    "expires_calculated_at": "2017-04-16 01:07:43",
    "created_at": "2017-04-14 19:01:43",
    "updated_at": "2017-04-16 01:07:43",
    "touched_at": "2017-04-16 14:51:50",
    "score": null,
    "sources": [
      {
        "id": 6,
        "type": "users",
        "name": "Threat Quotient Feeds",
        "tlp_id": null,
        "created_at": "2017-04-14 19:01:43",
        "updated_at": "2017-04-14 19:01:43",
        "published_at": null,
        "pivot": {
          "indicator_id": 1,
          "source_id": 6,
          "id": 1,
          "creator_source_id": 5
        }
      },
      {
        "id": 9,
        "type": "users",
        "name": "Primary Contributor",
        "tlp_id": null,
        "created_at": "2017-04-14 19:01:43",
        "updated_at": "2017-04-14 19:01:43",
        "published_at": null,
        "pivot": {
          "indicator_id": 1,
          "source_id": 9,
          "id": 2,
          "creator_source_id": 5
        }
      },
      {
        "id": 10,
        "type": "other_sources",
        "name": "Source",
        "tlp_id": null,
        "created_at": "2017-04-16 01:07:43",
        "updated_at": "2017-04-16 01:07:43",
        "published_at": null,
        "pivot": {
          "indicator_id": 1,
          "source_id": 10,
          "id": 18714,
          "creator_source_id": 0
        }
      }
    ],
    "status": {
      "id": 1,
      "name": "Active",
      "description": "Poses a threat and is being exported to detection tools.",
      "user_editable": "N",
      "visible": "Y",
      "include_in_export": "Y",
      "protected": "Y",
      "created_at": "2017-04-14 19:01:30",
      "updated_at": "2017-04-14 19:01:30"
    },
    "watchlist": [],
    "adversaries": [
      {
        "id": 1,
        "name": "Advanced Pawn",
        "created_at": "2017-02-26 08:39:20",
        "updated_at": "2017-02-26 08:39:20",
        "touched_at": "2017-04-16 01:07:43",
        "pivot": {
          "id": 62391,
          "created_at": "2017-04-16 01:07:43",
          "updated_at": "2017-04-16 01:07:43"
        },
        "sources": [
          {
            "id": 2,
            "type": "clients",
            "name": "ThreatQ API",
            "tlp_id": null,
            "created_at": "2017-03-26 22:00:46",
            "updated_at": "2017-04-14 19:03:41",
            "published_at": null,
            "pivot": {
              "adversary_id": 1,
              "source_id": 2,
              "id": 1,
              "creator_source_id": 2
            }
          },
          {
            "id": 4,
            "type": "clients",
            "name": "ThreatQ Scoring Plugin Access",
            "tlp_id": null,
            "created_at": "2017-02-06 01:09:20",
            "updated_at": "2017-04-14 19:03:41",
            "published_at": null,
            "pivot": {
              "adversary_id": 1,
              "source_id": 4,
              "id": 2,
              "creator_source_id": 4
            }
          },
          {
            "id": 5,
            "type": "users",
            "name": "Threat Quotient",
            "tlp_id": null,
            "created_at": "2017-03-02 02:16:10",
            "updated_at": "2017-04-14 19:03:41",
            "published_at": null,
            "pivot": {
              "adversary_id": 1,
              "source_id": 5,
              "id": 3,
              "creator_source_id": 5
            }
          }
        ]
      },
      {
        "id": 119,
        "name": "OpLastResort",
        "created_at": "2017-03-10 18:39:43",
        "updated_at": "2017-03-10 18:39:43",
        "touched_at": "2017-04-14 19:03:41",
        "pivot": {
          "id": 14842,
          "created_at": "2017-02-02 14:09:35",
          "updated_at": "2017-04-14 19:03:23"
        },
        "sources": [
          {
            "id": 4,
            "type": "clients",
            "name": "ThreatQ Scoring Plugin Access",
            "tlp_id": null,
            "created_at": "2017-03-27 06:40:18",
            "updated_at": "2017-04-14 19:03:41",
            "published_at": null,
            "pivot": {
              "adversary_id": 119,
              "source_id": 4,
              "id": 240,
              "creator_source_id": 4
            }
          },
          {
            "id": 6,
            "type": "users",
            "name": "Threat Quotient Feeds",
            "tlp_id": null,
            "created_at": "2017-01-23 18:37:03",
            "updated_at": "2017-04-14 19:03:41",
            "published_at": null,
            "pivot": {
              "adversary_id": 119,
              "source_id": 6,
              "id": 241,
              "creator_source_id": 6
            }
          },
          {
            "id": 9,
            "type": "users",
            "name": "Primary Contributor",
            "tlp_id": null,
            "created_at": "2017-04-09 04:28:54",
            "updated_at": "2017-04-14 19:03:41",
            "published_at": null,
            "pivot": {
              "adversary_id": 119,
              "source_id": 9,
              "id": 242,
              "creator_source_id": 9
            }
          }
        ]
      }
    ],
    "attachments": [
      {
        "id": 1,
        "type_id": 1,
        "title": "Crazy File",
        "name": "crazy-file.exe",
        "hash": "f5f39c6886a66686af0950014dffe968",
        "content_type_id": 1,
        "file_size": 234235236,
        "malware_locked": 1,
        "description": null,
        "created_at": "2017-04-14 19:04:42",
        "updated_at": "2017-04-14 19:04:42",
        "touched_at": "2017-04-14 19:03:41",
        "pivot": {
          "id": 1,
          "created_at": "2017-03-07 12:15:19",
          "updated_at": "2017-04-14 19:03:18"
        },
        "sources": []
      },
      {
        "id": 2,
        "type_id": 2,
        "title": "Bad Malware",
        "name": "Crazy effing malware!.net.org.exe",
        "hash": "350649b5b5fa5436d325cbaf482d52c7",
        "content_type_id": 1,
        "file_size": 134232,
        "malware_locked": 1,
        "description": null,
        "created_at": "2017-04-13 19:04:42",
        "updated_at": "2017-04-13 19:04:42",
        "touched_at": "2017-04-14 19:03:41",
        "pivot": {
          "id": 2,
          "created_at": "2017-01-22 06:30:28",
          "updated_at": "2017-04-14 19:03:18"
        },
        "sources": []
      },
      {
        "id": 3,
        "type_id": 3,
        "title": "EXE like script",
        "name": "Honeybooboo.sh",
        "hash": "51774564f8d78fbddbfa22e1e7459af4",
        "content_type_id": 1,
        "file_size": 234234,
        "malware_locked": 1,
        "description": null,
        "created_at": "2017-04-09 19:04:42",
        "updated_at": "2017-04-09 19:04:42",
        "touched_at": "2017-04-14 19:03:41",
        "pivot": {
          "id": 3,
          "created_at": "2017-02-08 10:06:50",
          "updated_at": "2017-04-14 19:03:18"
        },
        "sources": []
      }
    ],
    "attributes": [
      {
        "id": 1,
        "indicator_id": 1,
        "attribute_id": 8,
        "value": "~DF2.tmp",
        "created_at": "2017-02-14 03:24:28",
        "updated_at": "2017-02-14 03:24:28",
        "touched_at": "2017-04-14 19:02:49",
        "name": "C2",
        "sources": [
          {
            "id": 5,
            "type": "users",
            "name": "Threat Quotient",
            "tlp_id": null,
            "created_at": "2017-04-14 19:02:36",
            "updated_at": "2017-04-14 19:02:36",
            "published_at": null,
            "pivot": {
              "indicator_attribute_id": 1,
              "source_id": 5,
              "id": 1,
              "creator_source_id": 5
            }
          }
        ],
        "attribute": {
          "id": 8,
          "name": "C2",
          "created_at": "2017-03-22 19:03:42",
          "updated_at": "2017-04-09 19:04:42"
        }
      },
      {
        "id": 2,
        "indicator_id": 1,
        "attribute_id": 68,
        "value": "mshttp.dll",
        "created_at": "2017-04-10 06:35:29",
        "updated_at": "2017-04-10 06:35:29",
        "touched_at": "2017-04-14 19:02:49",
        "name": "Registrant",
        "sources": [
          {
            "id": 5,
            "type": "users",
            "name": "Threat Quotient",
            "tlp_id": null,
            "created_at": "2017-04-14 19:02:36",
            "updated_at": "2017-04-14 19:02:36",
            "published_at": null,
            "pivot": {
              "indicator_attribute_id": 2,
              "source_id": 5,
              "id": 2,
              "creator_source_id": 5
            }
          }
        ],
        "attribute": {
          "id": 68,
          "name": "Registrant",
          "created_at": "2017-03-21 19:03:42",
          "updated_at": "2017-03-21 19:03:42"
        }
      },
      {
        "id": 3,
        "indicator_id": 1,
        "attribute_id": 34,
        "value": "Win32%2FInstallMonetizer.AY",
        "created_at": "2017-03-07 10:10:29",
        "updated_at": "2017-03-07 10:10:29",
        "touched_at": "2017-04-14 19:02:49",
        "name": "File Extension",
        "sources": [
          {
            "id": 5,
            "type": "users",
            "name": "Threat Quotient",
            "tlp_id": null,
            "created_at": "2017-04-14 19:02:36",
            "updated_at": "2017-04-14 19:02:36",
            "published_at": null,
            "pivot": {
              "indicator_attribute_id": 3,
              "source_id": 5,
              "id": 3,
              "creator_source_id": 5
            }
          }
        ],
        "attribute": {
          "id": 34,
          "name": "File Extension",
          "created_at": "2017-03-16 19:03:42",
          "updated_at": "2017-03-17 19:03:42"
        }
      },
      {
        "id": 4,
        "indicator_id": 1,
        "attribute_id": 97,
        "value": "sysfiles",
        "created_at": "2017-03-26 22:56:01",
        "updated_at": "2017-03-26 22:56:01",
        "touched_at": "2017-04-14 19:02:49",
        "name": "Version",
        "sources": [
          {
            "id": 5,
            "type": "users",
            "name": "Threat Quotient",
            "tlp_id": null,
            "created_at": "2017-04-14 19:02:36",
            "updated_at": "2017-04-14 19:02:36",
            "published_at": null,
            "pivot": {
              "indicator_attribute_id": 4,
              "source_id": 5,
              "id": 4,
              "creator_source_id": 5
            }
          }
        ],
        "attribute": {
          "id": 97,
          "name": "Version",
          "created_at": "2017-03-29 19:03:42",
          "updated_at": "2017-04-06 19:04:42"
        }
      },
      {
        "id": 5,
        "indicator_id": 1,
        "attribute_id": 35,
        "value": "PC bitmap, Windows 3.x format, 497 x 497 x 24",
        "created_at": "2017-03-23 06:16:10",
        "updated_at": "2017-03-23 06:16:10",
        "touched_at": "2017-04-14 19:02:49",
        "name": "File Identifier",
        "sources": [
          {
            "id": 5,
            "type": "users",
            "name": "Threat Quotient",
            "tlp_id": null,
            "created_at": "2017-04-14 19:02:36",
            "updated_at": "2017-04-14 19:02:36",
            "published_at": null,
            "pivot": {
              "indicator_attribute_id": 5,
              "source_id": 5,
              "id": 5,
              "creator_source_id": 5
            }
          }
        ],
        "attribute": {
          "id": 35,
          "name": "File Identifier",
          "created_at": "2017-04-06 19:04:42",
          "updated_at": "2017-03-30 19:03:42"
        }
      },
      {
        "id": 6,
        "indicator_id": 1,
        "attribute_id": 97,
        "value": "XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators",
        "created_at": "2017-02-12 16:21:53",
        "updated_at": "2017-02-12 16:21:53",
        "touched_at": "2017-04-14 19:02:49",
        "name": "Version",
        "sources": [
          {
            "id": 5,
            "type": "users",
            "name": "Threat Quotient",
            "tlp_id": null,
            "created_at": "2017-04-14 19:02:36",
            "updated_at": "2017-04-14 19:02:36",
            "published_at": null,
            "pivot": {
              "indicator_attribute_id": 6,
              "source_id": 5,
              "id": 6,
              "creator_source_id": 5
            }
          }
        ],
        "attribute": {
          "id": 97,
          "name": "Version",
          "created_at": "2017-03-29 19:03:42",
          "updated_at": "2017-04-06 19:04:42"
        }
      },
      {
        "id": 7,
        "indicator_id": 1,
        "attribute_id": 58,
        "value": "Trojan.Win32.PCPerformer.BB",
        "created_at": "2017-01-20 10:25:16",
        "updated_at": "2017-01-20 10:25:16",
        "touched_at": "2017-04-14 19:02:49",
        "name": "Network Identifier",
        "sources": [
          {
            "id": 5,
            "type": "users",
            "name": "Threat Quotient",
            "tlp_id": null,
            "created_at": "2017-04-14 19:02:36",
            "updated_at": "2017-04-14 19:02:36",
            "published_at": null,
            "pivot": {
              "indicator_attribute_id": 7,
              "source_id": 5,
              "id": 7,
              "creator_source_id": 5
            }
          }
        ],
        "attribute": {
          "id": 58,
          "name": "Network Identifier",
          "created_at": "2017-04-11 19:04:42",
          "updated_at": "2017-04-07 19:04:42"
        }
      },
      {
        "id": 41258,
        "indicator_id": 1,
        "attribute_id": 255,
        "value": "New Value",
        "created_at": "2017-04-16 00:34:25",
        "updated_at": "2017-04-16 00:44:03",
        "touched_at": "2017-04-16 00:44:03",
        "name": "Test Attribute",
        "sources": [
          {
            "id": 5,
            "type": "users",
            "name": "Threat Quotient",
            "tlp_id": 0,
            "created_at": "2017-04-16 00:44:03",
            "updated_at": "2017-04-16 00:44:03",
            "published_at": null,
            "pivot": {
              "indicator_attribute_id": 41258,
              "source_id": 5,
              "id": 152,
              "creator_source_id": 5
            }
          },
          {
            "id": 11,
            "type": "other_sources",
            "name": "Test Source",
            "tlp_id": 1,
            "created_at": "2017-04-16 00:34:25",
            "updated_at": "2017-04-16 00:34:25",
            "published_at": "2017-02-28 00:00:00",
            "pivot": {
              "indicator_attribute_id": 41258,
              "source_id": 11,
              "id": 151,
              "creator_source_id": 5
            },
            "tlp": {
              "id": 1,
              "name": "RED",
              "description": "Red",
              "value": 0,
              "user_editable": "N",
              "created_at": "2017-04-14 19:01:11",
              "updated_at": "2017-04-14 19:01:11"
            }
          }
        ],
        "attribute": {
          "id": 255,
          "name": "Test Attribute",
          "created_at": "2017-04-16 00:34:25",
          "updated_at": "2017-04-16 00:34:25"
        }
      },
      {
        "id": 41259,
        "indicator_id": 1,
        "attribute_id": 13,
        "value": "High",
        "created_at": "2017-04-16 01:07:43",
        "updated_at": "2017-04-16 01:07:43",
        "touched_at": "2017-04-16 01:07:43",
        "name": "Confidence",
        "sources": [
          {
            "id": 5,
            "type": "users",
            "name": "Threat Quotient",
            "tlp_id": null,
            "created_at": "2017-04-16 01:07:43",
            "updated_at": "2017-04-16 01:07:43",
            "published_at": null,
            "pivot": {
              "indicator_attribute_id": 41259,
              "source_id": 5,
              "id": 154,
              "creator_source_id": 5
            }
          }
        ],
        "attribute": {
          "id": 13,
          "name": "Confidence",
          "created_at": "2017-04-07 19:04:42",
          "updated_at": "2017-03-29 19:03:42"
        }
      },
      {
        "id": 41260,
        "indicator_id": 1,
        "attribute_id": 66,
        "value": "4000",
        "created_at": "2017-04-16 01:07:43",
        "updated_at": "2017-04-16 01:07:43",
        "touched_at": "2017-04-16 01:07:43",
        "name": "Port",
        "sources": [
          {
            "id": 5,
            "type": "users",
            "name": "Threat Quotient",
            "tlp_id": null,
            "created_at": "2017-04-16 01:07:43",
            "updated_at": "2017-04-16 01:07:43",
            "published_at": null,
            "pivot": {
              "indicator_attribute_id": 41260,
              "source_id": 5,
              "id": 155,
              "creator_source_id": 5
            }
          }
        ],
        "attribute": {
          "id": 66,
          "name": "Port",
          "created_at": "2017-03-31 19:03:42",
          "updated_at": "2017-04-04 19:04:42"
        }
      },
      {
        "id": 41261,
        "indicator_id": 1,
        "attribute_id": 254,
        "value": "http",
        "created_at": "2017-04-16 01:07:43",
        "updated_at": "2017-04-16 01:07:43",
        "touched_at": "2017-04-16 01:07:43",
        "name": "Scheme",
        "sources": [
          {
            "id": 5,
            "type": "users",
            "name": "Threat Quotient",
            "tlp_id": null,
            "created_at": "2017-04-16 01:07:43",
            "updated_at": "2017-04-16 01:07:43",
            "published_at": null,
            "pivot": {
              "indicator_attribute_id": 41261,
              "source_id": 5,
              "id": 156,
              "creator_source_id": 5
            }
          }
        ],
        "attribute": {
          "id": 254,
          "name": "Scheme",
          "created_at": "2017-04-14 19:05:48",
          "updated_at": "2017-04-14 19:05:48"
        }
      }
    ],
    "comments": [
      {
        "id": 54,
        "indicator_id": 1,
        "value": "This indicator is really suspicious.",
        "creator_source_id": 5,
        "created_at": "2017-04-16 14:39:28",
        "updated_at": "2017-04-16 14:44:26",
        "sources": [
          {
            "id": 5,
            "type": "users",
            "name": "Threat Quotient",
            "expire_days": null,
            "score": null,
            "created_at": "2017-04-14 19:01:42",
            "updated_at": "2017-04-14 19:01:42",
            "pivot": {
              "id": 54,
              "creator_source_id": 5
            }
          }
        ]
      },
      {
        "id": 55,
        "indicator_id": 1,
        "value": "This is another comment.",
        "creator_source_id": 5,
        "created_at": "2017-04-16 14:51:50",
        "updated_at": "2017-04-16 14:51:50",
        "sources": [
          {
            "id": 5,
            "type": "users",
            "name": "Threat Quotient",
            "expire_days": null,
            "score": null,
            "created_at": "2017-04-14 19:01:42",
            "updated_at": "2017-04-14 19:01:42",
            "pivot": {
              "id": 55,
              "creator_source_id": 5
            }
          }
        ]
      }
    ],
    "events": [
      {
        "id": 108,
        "type_id": 1,
        "title": "Subject - I wonder what I was.",
        "description": "",
        "happened_at": "2017-01-31 07:56:14",
        "hash": "ce88a4c27ce2921f43d257b2039f6f34",
        "created_at": "2017-01-31 07:56:14",
        "updated_at": "2017-01-31 07:56:14",
        "touched_at": "2017-04-14 19:03:43",
        "pivot": {
          "id": 29859,
          "created_at": "2017-02-27 05:21:19",
          "updated_at": "2017-04-14 19:03:30"
        },
        "sources": [
          {
            "id": 4,
            "type": "clients",
            "name": "ThreatQ Scoring Plugin Access",
            "tlp_id": null,
            "created_at": "2017-01-22 06:33:45",
            "updated_at": "2017-04-14 19:03:43",
            "published_at": null,
            "pivot": {
              "event_id": 108,
              "source_id": 4,
              "id": 233,
              "creator_source_id": 4
            }
          }
        ],
        "type": {
          "id": 1,
          "name": "Spearphish",
          "user_editable": "N",
          "created_at": "2017-04-14 19:01:09",
          "updated_at": "2017-04-14 19:01:09"
        }
      }
    ],
    "indicators": [
      {
        "id": 7353,
        "type_id": 20,
        "status_id": 4,
        "class": "network",
        "hash": "7156f2fb545942cab40741af564201be",
        "value": "guiltiest.realitytv.mobi/topic/31277-pond-caveats-decries-stripes-remedial-unrepentant-allegiances/",
        "last_detected_at": "1978-10-09 12:04:58",
        "expires_at": null,
        "expired_at": null,
        "expires_calculated_at": null,
        "created_at": "2017-04-14 19:02:44",
        "updated_at": "2017-04-14 19:02:44",
        "touched_at": "2017-04-14 19:03:40",
        "pivot": {
          "id": 44904,
          "created_at": "2017-02-12 16:06:49",
          "updated_at": "2017-04-14 19:03:35"
        },
        "sources": [
          {
            "id": 1,
            "type": "clients",
            "name": "ThreatQ Front End",
            "tlp_id": null,
            "created_at": "2017-04-14 19:02:46",
            "updated_at": "2017-04-14 19:02:46",
            "published_at": null,
            "pivot": {
              "indicator_id": 7353,
              "source_id": 1,
              "id": 17524,
              "creator_source_id": 5
            }
          },
          {
            "id": 6,
            "type": "users",
            "name": "Threat Quotient Feeds",
            "tlp_id": null,
            "created_at": "2017-04-14 19:02:46",
            "updated_at": "2017-04-14 19:02:46",
            "published_at": null,
            "pivot": {
              "indicator_id": 7353,
              "source_id": 6,
              "id": 17525,
              "creator_source_id": 5
            }
          },
          {
            "id": 7,
            "type": "users",
            "name": "Customer Admin",
            "tlp_id": null,
            "created_at": "2017-04-14 19:02:46",
            "updated_at": "2017-04-14 19:02:46",
            "published_at": null,
            "pivot": {
              "indicator_id": 7353,
              "source_id": 7,
              "id": 17523,
              "creator_source_id": 5
            }
          }
        ],
        "type": {
          "id": 20,
          "name": "URL",
          "class": "network",
          "score": null,
          "wildcard_matching": "Y",
          "created_at": "2017-04-14 19:01:07",
          "updated_at": "2017-04-14 19:01:07",
          "plugins": []
        }
      }
    ],
    "type": {
      "id": 1,
      "name": "CIDR Block",
      "class": "network",
      "score": null,
      "wildcard_matching": "Y",
      "created_at": "2017-04-14 19:01:07",
      "updated_at": "2017-04-14 19:01:07",
      "plugins": []
    },
    "signatures": []
  }
}
Response  401

Access denied.

Response  404

Object not found.

Indicator Expiration

Indicator Expiration
PUT /indicators/{indicator_id}/expiration

Bump an Indicator’s Expiration date by a number of days.

Example URI

PUT /indicators/1/expiration
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "days": 10
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "expires_at": "2017-05-08 00:00:00"
  }
}
Response  500

Internal Server Error.

Body
{
  "errors": {
    "days": [
      "The days field is required."
    ]
  }
}

{
  "errors": {
    "days": [
      "The days must be an integer."
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.
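
The sample bodies above show validation failures on `days` arriving as a 500, so a client that retries every 5xx would resend a request that can never succeed. The following Python sketch is an added example, not ThreatQuotient code: it checks `days` before sending and separates the validation 500 from other 500s. The function names, the `retryable` flag and the `https://hostname/api` placeholder are assumptions.

```python
import json
from datetime import datetime

TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # timestamp layout used in the page's sample bodies

# Constructed sample bodies, copied from the responses documented above.
SAMPLE_201 = '{"data": {"expires_at": "2017-05-08 00:00:00"}}'
SAMPLE_500_VALIDATION = '{"errors": {"days": ["The days field is required."]}}'


class ExpirationError(Exception):
    """API-reported failure; .retryable says whether resending could help."""

    def __init__(self, message, retryable=False):
        super().__init__(message)
        self.retryable = retryable


def build_expiration_request(indicator_id, days, access_token,
                             base="https://hostname/api"):
    """Return (method, url, headers, body) for PUT /indicators/{id}/expiration.

    Rejects non-integers locally, because the page shows those cases
    coming back from the server as a 500.
    """
    for label, value in (("indicator_id", indicator_id), ("days", days)):
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"{label} must be an integer, got {value!r}")
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"Bearer {access_token}",
    }
    url = f"{base}/indicators/{indicator_id}/expiration"
    return "PUT", url, headers, json.dumps({"days": days})


def parse_expiration_response(status, body_text):
    """Return the new expires_at as a datetime, or raise ExpirationError."""
    if status == 201:
        data = json.loads(body_text)["data"]
        return datetime.strptime(data["expires_at"], TS_FORMAT)
    if status == 401:
        raise ExpirationError("access denied: token incorrect or out of date")
    if status == 404:
        raise ExpirationError("indicator not found")
    if status == 500:
        try:
            errors = json.loads(body_text).get("errors")
        except (ValueError, AttributeError):
            errors = None  # empty, non-JSON or non-object body
        if isinstance(errors, dict) and errors:
            # Validation failure reported as 500: the same body cannot succeed.
            detail = "; ".join(m for msgs in errors.values() for m in msgs)
            raise ExpirationError(f"validation failed: {detail}", retryable=False)
        raise ExpirationError("internal server error", retryable=True)
    raise ExpirationError(f"unexpected status {status}")


if __name__ == "__main__":
    print(build_expiration_request(1, 10, "<access_token>"))
    print(parse_expiration_response(201, SAMPLE_201))
```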

Indicator

Get Single
GET /indicators/{indicator_id}{?with}

Get a single Indicator.

Example URI

GET /indicators/1?with=adversaries,attachments
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

with
string (optional) Example: adversaries,attachments

A comma-separated list of related objects to include in the response. Options for this endpoint: adversaries, attachments, attributes, comments, events, indicators, score, signatures, sources, status, tags, type, watchlist.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "type_id": 1,
    "status_id": 1,
    "class": "network",
    "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
    "value": "37.139.40.0/21",
    "last_detected_at": "2016-06-03 12:41:02",
    "expires_at": null,
    "expired_at": null,
    "expires_calculated_at": null,
    "created_at": "2017-04-14 13:36:31",
    "updated_at": "2017-04-14 13:36:31",
    "touched_at": "2017-04-14 13:48:31"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /indicators/{indicator_id}{?with}

Update an Indicator.

Example URI

PUT /indicators/1?with=adversaries,attachments
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

with
string (optional) Example: adversaries,attachments

A comma-separated list of related objects to include in the response. Options for this endpoint: adversaries, attachments, attributes, comments, events, indicators, score, signatures, sources, status, tags, type, watchlist.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "115.47.67.154",
  "status_id": 2,
  "sources": [
    {
      "name": "Another Source",
      "tlp": {
        "name": "GREEN"
      },
      "published_at": "2016-07-18 02:00:00"
    }
  ],
  "attributes": [
    {
      "name": "Another Attribute",
      "value": "Another Attribute Value",
      "sources": [
        {
          "name": "Another Source",
          "tlp": {
            "name": "GREEN"
          },
          "published_at": "2016-07-18 02:00:00"
        }
      ]
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 7908,
    "type_id": 10,
    "status_id": 2,
    "class": "network",
    "hash": "67b2be742b2e5153effd488b78f22994",
    "value": "115.47.67.154",
    "last_detected_at": null,
    "expires_at": null,
    "expired_at": null,
    "expires_calculated_at": null,
    "created_at": "2017-04-14 18:45:24",
    "updated_at": "2017-04-14 18:48:56",
    "touched_at": "2017-04-14 18:45:24",
    "sources": [
      {
        "type": "other_sources",
        "name": "Another Source",
        "updated_at": "2017-04-14 18:48:56",
        "created_at": "2017-04-14 18:48:56",
        "id": 11
      }
    ],
    "attributes": [
      {
        "value": "Another Attribute Value",
        "indicator_id": 7908,
        "id": 40902,
        "attribute_id": 255,
        "created_at": "2017-04-14 18:48:57",
        "updated_at": "2017-04-14 18:48:57",
        "name": "Another Attribute",
        "attribute": {
          "id": 255,
          "name": "Another Attribute",
          "created_at": "2017-04-14 18:48:57",
          "updated_at": "2017-04-14 18:48:57"
        },
        "sources": [
          {
            "id": 11,
            "type": "other_sources",
            "name": "Another Source",
            "expire_days": null,
            "score": null,
            "created_at": "2017-04-14 18:48:56",
            "updated_at": "2017-04-14 18:48:56"
          }
        ]
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /indicators/{indicator_id}

Delete an Indicator.

Example URI

DELETE /indicators/1
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Indicator Adversaries List

Get List
GET /indicators/{indicator_id}/adversaries{?limit,offset,sort,with}

Get a list of Indicator Adversary links.

Example URI

GET /indicators/1/adversaries?limit=500&offset=100&sort=id&with=sources,pivot.attributes
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 2,
      "name": "AMOROUS PANDA",
      "created_at": "2018-03-24 03:49:31",
      "updated_at": "2018-03-24 03:49:31",
      "touched_at": "2018-04-02 16:16:38",
      "deleted_at": null,
      "sources": [
        {
          "name": "Customer Observer"
        }
      ],
      "pivot": {
        "id": 62324,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "adversary",
        "dest_object_id": 2,
        "created_at": "2018-04-02 16:16:38",
        "updated_at": "2018-04-02 16:16:38",
        "comments": [
          {
            "id": 54,
            "type": "users",
            "value": "This link is important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-02 16:19:51.184000",
            "updated_at": "2018-04-02 16:23:40.426000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 15066,
            "name": "Industry",
            "value": "Hospitals",
            "sources": [
              {
                "id": 2,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "2018-04-02 16:17:00.689000",
                  "updated_at": "2018-04-02 16:17:00.689000"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24424,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-02 16:16:38.663000",
              "updated_at": "2018-04-02 16:16:38.663000"
            }
          }
        ]
      }
    },
    {
      "id": 3,
      "name": "ANCHOR PANDA",
      "created_at": "2018-01-08 23:05:37",
      "updated_at": "2018-01-08 23:05:37",
      "touched_at": "2018-04-02 16:17:00",
      "deleted_at": null,
      "sources": [
        {
          "name": "ThreatQ Front End"
        },
        {
          "name": "Domain Tools"
        }
      ],
      "pivot": {
        "id": 62325,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "adversary",
        "dest_object_id": 3,
        "created_at": "2018-04-02 16:17:00",
        "updated_at": "2018-04-02 16:17:00",
        "comments": [
          {
            "id": 56,
            "type": "users",
            "value": "This link is also important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-02 16:20:25.327000",
            "updated_at": "2018-04-02 16:20:25.327000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 15065,
            "name": "Industry",
            "value": "Universities",
            "sources": [
              {
                "id": 1,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "2018-04-02 16:17:00.689000",
                  "updated_at": "2018-04-02 16:17:00.689000"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24426,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-02 16:17:00.689000",
              "updated_at": "2018-04-02 16:17:00.689000"
            }
          }
        ]
      }
    }
  ],
  "limit": 100,
  "offset": 0
}
Response  401

Access denied.

Create New
POST /indicators/{indicator_id}/adversaries

Create a link from an Adversary to an Indicator.

Example URI

POST /indicators/1/adversaries
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "id": 2
  },
  {
    "id": 3
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 2,
  "data": [
    {
      "id": 2,
      "name": "AMOROUS PANDA",
      "created_at": "2017-03-06 14:05:24",
      "updated_at": "2017-03-06 14:05:24",
      "touched_at": "2017-03-10 19:25:48",
      "pivot": {
        "id": 62141,
        "created_at": "2017-03-10 19:25:48",
        "updated_at": "2017-03-10 19:25:48"
      }
    },
    {
      "id": 3,
      "name": "ANCHOR PANDA",
      "created_at": "2016-12-27 13:45:12",
      "updated_at": "2016-12-27 13:45:12",
      "touched_at": "2017-03-10 19:25:48",
      "pivot": {
        "id": 62142,
        "created_at": "2017-03-10 19:25:48",
        "updated_at": "2017-03-10 19:25:48"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "id": [
          "The id field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.

Bulk Delete
DELETE /indicators/{indicator_id}/adversaries

Delete multiple Indicator Adversary links. The request should include a list of object_link_ids to be deleted.

Example URI

DELETE /indicators/1/adversaries
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  62351,
  62352
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.
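
Adversary ids and object_link_ids are both plain integers, so the Bulk Delete body is easy to fill with the wrong kind of id. This added Python example (not part of the original reference) resolves adversary ids to link ids by paging through Get List and then builds the DELETE request. It assumes, as the sample responses on this page suggest, that a link's object_link_id is its `pivot.id`; `fetch_page` and the other names are hypothetical.

```python
import json

# Constructed sample rows, trimmed from the Get List response body on this page.
SAMPLE_ROWS = [
    {"id": 2, "name": "AMOROUS PANDA", "pivot": {"id": 62324}},
    {"id": 3, "name": "ANCHOR PANDA", "pivot": {"id": 62325}},
]


def fake_fetch(limit, offset):
    """Offline stand-in for GET /indicators/1/adversaries?limit=..&offset=.."""
    return {"total": len(SAMPLE_ROWS), "data": SAMPLE_ROWS[offset:offset + limit],
            "limit": limit, "offset": offset}


def collect_link_ids(fetch_page, adversary_ids, page_size=100):
    """Map adversary ids to link ids (pivot.id) across all pages of Get List.

    fetch_page(limit, offset) must return the decoded JSON of one list page.
    Raises LookupError if any requested adversary is not linked, so a typo
    never turns into a silent partial delete.
    """
    wanted = set(adversary_ids)
    found = {}
    offset = 0
    while True:
        page = fetch_page(page_size, offset)
        rows = page.get("data", [])
        for row in rows:
            if row["id"] in wanted:
                found[row["id"]] = row["pivot"]["id"]
        offset += len(rows)
        # Stop on an empty page as well, in case "total" overstates the count.
        if not rows or offset >= page.get("total", 0):
            break
    missing = wanted - set(found)
    if missing:
        raise LookupError(f"adversary ids not linked to this indicator: {sorted(missing)}")
    return [found[a] for a in dict.fromkeys(adversary_ids)]


def build_bulk_delete(indicator_id, link_ids, access_token,
                      base="https://hostname/api"):
    """Return (method, url, headers, body) for the Bulk Delete call."""
    if not link_ids:
        # Defensive choice of this example: never send an empty list.
        raise ValueError("refusing to send an empty id list")
    for value in [indicator_id, *link_ids]:
        if isinstance(value, bool) or not isinstance(value, int) or value < 1:
            raise ValueError(f"ids must be positive integers, got {value!r}")
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"Bearer {access_token}",
    }
    body = json.dumps(sorted(set(link_ids)))
    return "DELETE", f"{base}/indicators/{indicator_id}/adversaries", headers, body


if __name__ == "__main__":
    ids = collect_link_ids(fake_fetch, [2, 3], page_size=1)
    print(build_bulk_delete(1, ids, "<access_token>"))
```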

Indicator Adversary

Get Single
GET /indicators/{indicator_id}/adversaries/{object_link_id}{?with}

Get a single Indicator Adversary link.

Example URI

GET /indicators/1/adversaries/2?with=sources,pivot.attributes
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "name": "Advanced Pawn",
    "created_at": "2018-01-18 22:47:52",
    "updated_at": "2018-01-18 22:47:52",
    "touched_at": "2018-04-02 16:17:00",
    "pivot": {
      "id": 62324,
      "created_at": "2018-04-02 16:16:38",
      "updated_at": "2018-04-02 16:16:38",
      "comments": [
        {
          "id": 54,
          "object_link_id": 62324,
          "value": "This link is important.",
          "creator_source_id": 8,
          "created_at": "2018-04-02 16:19:51",
          "updated_at": "2018-04-02 16:23:40",
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "expire_days": null,
              "score": null,
              "created_at": "2018-04-02 15:47:21",
              "updated_at": "2018-04-02 15:47:21",
              "pivot": {
                "id": 54,
                "creator_source_id": 8
              }
            }
          ]
        }
      ],
      "attributes": [
        {
          "id": 15066,
          "object_link_id": 62324,
          "attribute_id": 136,
          "value": "Hospitals",
          "created_at": "2018-04-02 16:25:47",
          "updated_at": "2018-04-02 16:25:47",
          "name": "Industry",
          "attribute": {
            "id": 136,
            "name": "Industry",
            "created_at": "2018-04-02 16:25:21",
            "updated_at": "2018-04-02 16:25:21"
          },
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "tlp_id": null,
              "created_at": "2018-04-02 16:17:00",
              "updated_at": "2018-04-02 16:17:00",
              "published_at": null,
              "pivot": {
                "object_link_attribute_id": 15066,
                "source_id": 8,
                "id": 2,
                "creator_source_id": 0
              }
            }
          ]
        }
      ],
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "tlp_id": null,
          "created_at": "2018-04-02 16:16:38",
          "updated_at": "2018-04-02 16:16:38",
          "published_at": null,
          "pivot": {
            "object_link_id": 62324,
            "source_id": 8,
            "id": 24424,
            "creator_source_id": 8
          }
        }
      ]
    },
    "sources": [
      {
        "id": 1,
        "type": "clients",
        "name": "ThreatQ Front End",
        "tlp_id": null,
        "created_at": "2018-02-05 12:29:56",
        "updated_at": "2018-04-02 15:49:40",
        "published_at": null,
        "pivot": {
          "adversary_id": 1,
          "source_id": 1,
          "id": 1,
          "creator_source_id": 1
        }
      },
      {
        "id": 7,
        "type": "plugins",
        "name": "VirusTotal",
        "tlp_id": null,
        "created_at": "2018-01-31 03:41:47",
        "updated_at": "2018-04-02 15:49:40",
        "published_at": null,
        "pivot": {
          "adversary_id": 1,
          "source_id": 7,
          "id": 2,
          "creator_source_id": 7
        }
      },
      {
        "id": 8,
        "type": "users",
        "name": "Threat Quotient",
        "tlp_id": null,
        "created_at": "2018-03-31 21:31:30",
        "updated_at": "2018-04-02 15:49:40",
        "published_at": null,
        "pivot": {
          "adversary_id": 1,
          "source_id": 8,
          "id": 3,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Indicator Adversary Attributes List

Get List
GET /indicators/{indicator_id}/adversaries/{object_link_id}/attributes{?limit,offset,sort}

Get a list of Indicator Adversary link Attributes.

Example URI

GET /indicators/1/adversaries/2/attributes?limit=500&offset=100&sort=id
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 15067,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Universities",
      "created_at": "2018-04-02 17:46:43",
      "updated_at": "2018-04-02 17:50:18",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    },
    {
      "id": 15068,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Mining",
      "created_at": "2018-04-02 17:52:14",
      "updated_at": "2018-04-02 17:52:14",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /indicators/{indicator_id}/adversaries/{object_link_id}/attributes

Create a new Indicator Adversary link Attribute.

Example URI

POST /indicators/1/adversaries/2/attributes
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": 15059,
      "object_link_id": 61561,
      "attribute_id": 401,
      "value": "4000",
      "created_at": "2017-03-01 21:47:14",
      "updated_at": "2017-03-01 21:47:14",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Indicator Adversary Attribute

Get Single
GET /indicators/{indicator_id}/adversaries/{object_link_id}/attributes/{object_link_attribute_id}

Get a single Indicator Adversary link Attribute.

Example URI

GET /indicators/1/adversaries/2/attributes/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 15068,
    "object_link_id": 62326,
    "attribute_id": 136,
    "value": "Mining",
    "created_at": "2018-04-02 17:52:14",
    "updated_at": "2018-04-02 17:52:14",
    "name": "Industry",
    "attribute": {
      "id": 136,
      "name": "Industry",
      "created_at": "2018-04-02 16:25:21",
      "updated_at": "2018-04-02 16:25:21"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /indicators/{indicator_id}/adversaries/{object_link_id}/attributes/{object_link_attribute_id}

Update an Indicator Adversary link Attribute.

Example URI

PUT /indicators/1/adversaries/2/attributes/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "id": 15058,
      "object_link_id": 61561,
      "attribute_id": 14,
      "value": "New Value",
      "created_at": "2017-01-24 14:54:31",
      "updated_at": "2017-03-01 22:13:22",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /indicators/{indicator_id}/adversaries/{object_link_id}/attributes/{object_link_attribute_id}

Delete an Indicator Adversary link Attribute.

Example URI

DELETE /indicators/1/adversaries/2/attributes/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Indicator Adversary Comments List

Get List
GET /indicators/{indicator_id}/adversaries/{object_link_id}/comments{?limit,offset,sort,with}

Get a list of Indicator Adversary link Comments.

Example URI

GET /indicators/1/adversaries/2/comments?limit=500&offset=100&sort=id&with=sources
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources

A comma-separated list of related objects to include in the response. Options for this endpoint: sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 54,
      "object_link_id": 62325,
      "value": "This has some suspicious stuff.",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:19:51",
      "updated_at": "2018-04-02 18:21:06",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 54,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 56,
      "object_link_id": 62325,
      "value": "Compile date: 10/17/2011",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:20:25",
      "updated_at": "2018-04-02 16:20:25",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.
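
A client-side sketch of the list call above, added here as an example and not taken from ThreatQ's own code: it builds the documented query string with validated parameters and pages through the results. The function names, the `fetch` callable, the sort-field pattern, zero-based offsets and `total` meaning the full match count are assumptions.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

BASE = "https://hostname/api"          # base URI form given in this reference
COMMENT_WITH_OPTIONS = {"sources"}     # "with" options documented for this endpoint
SORT_FIELD = re.compile(r"-?[a-z_]+")  # assumed field-name shape, e.g. id or -created_at


def _uint(name, value):
    # URI parameters are documented as integers; refusing anything else keeps
    # caller-supplied strings from altering the request path or query.
    if isinstance(value, bool) or not isinstance(value, int) or value < 0:
        raise ValueError(f"{name} must be a non-negative integer")
    return str(value)


def _csv(value):
    # Accept either "a,b" or ["a", "b"].
    return value.split(",") if isinstance(value, str) else list(value)


def comments_list_url(indicator_id, object_link_id, limit=None, offset=None,
                      sort=(), with_=(), base=BASE):
    """Build GET /indicators/{id}/adversaries/{link}/comments{?limit,offset,sort,with}."""
    path = "/indicators/{}/adversaries/{}/comments".format(
        _uint("indicator_id", indicator_id),
        _uint("object_link_id", object_link_id))
    query = []
    if limit is not None:
        query.append(("limit", _uint("limit", limit)))
    if offset is not None:
        query.append(("offset", _uint("offset", offset)))
    sort_fields = _csv(sort)
    if sort_fields:
        for field in sort_fields:
            if not SORT_FIELD.fullmatch(field):
                raise ValueError(f"unexpected sort field: {field!r}")
        query.append(("sort", ",".join(sort_fields)))
    with_fields = _csv(with_)
    if with_fields:
        unknown = set(with_fields) - COMMENT_WITH_OPTIONS
        if unknown:
            raise ValueError(f"unsupported 'with' option(s): {sorted(unknown)}")
        query.append(("with", ",".join(with_fields)))
    url = base.rstrip("/") + path
    return url + ("?" + urlencode(query, safe=",") if query else "")


def bearer_headers(access_token):
    # Header form shown in every Request block of this reference.
    return {"Authorization": f"Bearer {access_token}"}


def iter_link_comments(fetch, indicator_id, object_link_id, token, page_size=500):
    """Yield every comment on a link, one page at a time.

    fetch(url, headers) is a caller-supplied function that performs the GET
    and returns the decoded JSON body (hypothetical; use any HTTP client).
    """
    offset = 0
    while True:
        url = comments_list_url(indicator_id, object_link_id, limit=page_size,
                                offset=offset, sort=["id"], with_=["sources"])
        body = fetch(url, bearer_headers(token))
        items = body.get("data", [])
        yield from items
        offset += len(items)
        # Stop on an empty page as well, so a wrong "total" cannot loop forever.
        if not items or offset >= body.get("total", 0):
            break


def make_fake_fetch(records):
    """In-memory stand-in for the server, for running this example offline."""
    calls = []

    def fetch(url, headers):
        calls.append((url, headers))
        query = parse_qs(urlsplit(url).query)
        start, size = int(query["offset"][0]), int(query["limit"][0])
        return {"total": len(records), "data": records[start:start + size]}

    return fetch, calls


if __name__ == "__main__":
    # Constructed sample data, not real ThreatQ records.
    sample = [{"id": n, "value": f"constructed comment {n}"} for n in range(1, 6)]
    fake, seen = make_fake_fetch(sample)
    for comment in iter_link_comments(fake, 1, 2, "constructed-token", page_size=2):
        print(comment["id"], comment["value"])
    print(len(seen), "requests")
```
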

Create New
POST /indicators/{indicator_id}/adversaries/{object_link_id}/comments

Create a new Indicator Adversary link Comment.

Example URI

POST /indicators/1/adversaries/2/comments
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "id": 69,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 14:12:32",
    "updated_at": "2017-03-02 14:12:32"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Indicator Adversary Comment

Get Single
GET /indicators/{indicator_id}/adversaries/{object_link_id}/comments/{object_link_comment_id}

Get a single Indicator Adversary link Comment.

Example URI

GET /indicators/1/adversaries/2/comments/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /indicators/{indicator_id}/adversaries/{object_link_id}/comments/{object_link_comment_id}

Update an Indicator Adversary link Comment.

Example URI

PUT /indicators/1/adversaries/2/comments/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "value": "This is an updated comment.",
    "id": 67,
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-02-28 20:18:50",
    "updated_at": "2017-03-02 14:37:49"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /indicators/{indicator_id}/adversaries/{object_link_id}/comments/{object_link_comment_id}

Delete an Indicator Adversary link Comment.

Example URI

DELETE /indicators/1/adversaries/2/comments/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Indicator Attachments List

Get List
GET /indicators/{indicator_id}/attachments{?limit,offset,sort,with}

Get a list of Indicator Attachment links.

Example URI

GET /indicators/1/attachments?limit=500&offset=100&sort=id&with=sources,pivot.attributes
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 2,
      "type_id": 19,
      "title": "Honeybooboo.sh",
      "name": "Honeybooboo.sh",
      "hash": "4ece432b22f92461f9c4d2de2656d3e3",
      "content_type_id": 2,
      "file_size": 75,
      "path": "6/b/d/0/d/c/1/2/e/5/d/f/a/0/4/3/e/b/4/9/6/0/9/f/a/4/7/c/4/f/1/0",
      "malware_locked": "0",
      "placeholder": 0,
      "description": null,
      "created_at": "2018-04-02 15:47:22",
      "updated_at": "2018-04-02 15:47:22",
      "touched_at": "2018-04-02 17:39:18",
      "deleted_at": null,
      "sources": [
        {
          "name": "Threat Quotient"
        }
      ],
      "pivot": {
        "id": 62326,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "attachment",
        "dest_object_id": 2,
        "created_at": "2018-04-02 17:39:18",
        "updated_at": "2018-04-02 17:39:18",
        "comments": [
          {
            "id": 57,
            "type": "users",
            "value": "This link is important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-02 17:54:58.936000",
            "updated_at": "2018-04-02 17:55:15.039000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 15067,
            "name": "Industry",
            "value": "Universities",
            "sources": [
              {
                "id": 3,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "2018-04-02 16:17:00.689000",
                  "updated_at": "2018-04-02 16:17:00.689000"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24428,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-02 17:39:18.781000",
              "updated_at": "2018-04-02 17:39:18.781000"
            }
          }
        ]
      }
    },
    {
      "id": 1,
      "type_id": 10,
      "title": "parsing-sample.pdf",
      "name": "parsing-sample.pdf",
      "hash": "89e17b2f6cd3888864237b0ee10048f0",
      "content_type_id": 1,
      "file_size": 11300,
      "path": "e/a/f/d/d/7/1/e/5/c/e/1/1/9/b/0/5/6/4/a/6/d/5/9/a/2/3/5/3/1/0/4",
      "malware_locked": "0",
      "placeholder": 0,
      "description": null,
      "created_at": "2018-04-02 15:47:22",
      "updated_at": "2018-04-02 15:47:22",
      "touched_at": "2018-04-02 17:40:48",
      "deleted_at": null,
      "sources": [
        {
          "name": "Threat Quotient"
        }
      ],
      "pivot": {
        "id": 62327,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "attachment",
        "dest_object_id": 1,
        "created_at": "2018-04-02 17:40:48",
        "updated_at": "2018-04-02 17:40:48",
        "comments": [
          {
            "id": 58,
            "type": "users",
            "value": "This link is also important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-02 17:55:30.995000",
            "updated_at": "2018-04-02 17:55:30.995000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 15068,
            "name": "Industry",
            "value": "Mining",
            "sources": [
              {
                "id": 4,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "2018-04-02 16:17:00.689000",
                  "updated_at": "2018-04-02 16:17:00.689000"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24430,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-02 17:40:48.310000",
              "updated_at": "2018-04-02 17:40:48.310000"
            }
          }
        ]
      }
    }
  ],
  "limit": 100,
  "offset": 0
}
Response  401

Access denied.

Create New
POST /indicators/{indicator_id}/attachments

Create a link from an Attachment to an Indicator.

Example URI

POST /indicators/1/attachments
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "id": 2
  },
  {
    "id": 3
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 3,
      "type_id": 3,
      "title": "EXE like script",
      "name": "Honeybooboo.sh",
      "hash": "51774564f8d78fbddbfa22e1e7459af4",
      "content_type_id": 1,
      "file_size": 234234,
      "malware_locked": 1,
      "description": null,
      "created_at": "2017-02-23 20:02:18",
      "updated_at": "2017-02-23 20:02:18",
      "touched_at": "2017-03-01 16:51:15",
      "pivot": {
        "id": 62394,
        "created_at": "2017-03-01 16:51:15",
        "updated_at": "2017-03-01 16:51:15"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "id": [
          "The id field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.
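
The 400 bodies shown in this reference come in three shapes: a top-level `errors` list, a `data` object carrying an `errors` map, and a `data` array with one `errors` map per entry. The Python below is an added example (not ThreatQ's own code) that flattens all three into one form; the function and class names are hypothetical, and treating an array position as the index of the submitted item is an assumption.

```python
class ThreatQRequestError(Exception):
    """Raised for any non-success status; carries parsed validation errors."""

    def __init__(self, status, errors):
        super().__init__(f"HTTP {status}: {len(errors)} validation error(s)")
        self.status = status
        self.errors = errors


def validation_errors(body):
    """Return [(item_index, field, message)] from a 400 response body.

    item_index is None unless the error came from an entry of a "data" array;
    field is None for messages that are not tied to a field.
    """
    found = []

    def collect(errors, index):
        if isinstance(errors, list):
            # Shape 1: {"errors": ["Undefined index: value"]}
            found.extend((index, None, str(msg)) for msg in errors)
        elif isinstance(errors, dict):
            # Shapes 2 and 3: {"errors": {"value": ["The value field is required."]}}
            for field, messages in errors.items():
                if isinstance(messages, str):
                    messages = [messages]
                found.extend((index, field, str(msg)) for msg in messages)

    if not isinstance(body, dict):
        return found
    collect(body.get("errors"), None)
    data = body.get("data")
    if isinstance(data, dict):
        collect(data.get("errors"), None)
    elif isinstance(data, list):
        for index, entry in enumerate(data):
            if isinstance(entry, dict):
                collect(entry.get("errors"), index)
    return found


def check_response(status, body=None):
    """Return the body on 200/201/204, otherwise raise ThreatQRequestError."""
    if status in (200, 201, 204):
        return body
    errors = validation_errors(body) if status == 400 else []
    raise ThreatQRequestError(status, errors)


if __name__ == "__main__":
    # The three 400 bodies below are copied from the examples in this reference.
    samples = [
        {"errors": ["Undefined index: value"]},
        {"data": {"creator_source_id": 5,
                  "errors": {"value": ["The value field is required."]}}},
        {"data": [{"errors": {"id": ["The id field is required."]}}]},
    ]
    for sample in samples:
        print(validation_errors(sample))
```
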

Bulk Delete
DELETE /indicators/{indicator_id}/attachments

Delete multiple Indicator Attachment links. The request should include a list of object_link_ids to be deleted.

Example URI

DELETE /indicators/1/attachments
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  62351,
  62352
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Indicator Attachment

Get Single
GET /indicators/{indicator_id}/attachments/{object_link_id}{?with}

Get a single Indicator Attachment link.

Example URI

GET /indicators/1/attachments/2?with=sources,pivot.attributes
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 2,
    "type_id": 19,
    "title": "Honeybooboo.sh",
    "name": "Honeybooboo.sh",
    "hash": "4ece432b22f92461f9c4d2de2656d3e3",
    "content_type_id": 2,
    "file_size": 75,
    "malware_locked": 0,
    "placeholder": 0,
    "description": null,
    "created_at": "2018-04-02 15:47:22",
    "updated_at": "2018-04-02 15:47:22",
    "touched_at": "2018-04-02 17:39:18",
    "pivot": {
      "id": 62326,
      "created_at": "2018-04-02 17:39:18",
      "updated_at": "2018-04-02 17:39:18",
      "comments": [
        {
          "id": 57,
          "object_link_id": 62326,
          "value": "This link is important.",
          "creator_source_id": 8,
          "created_at": "2018-04-02 17:54:58",
          "updated_at": "2018-04-02 17:55:15",
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "expire_days": null,
              "score": null,
              "created_at": "2018-04-02 15:47:21",
              "updated_at": "2018-04-02 15:47:21",
              "pivot": {
                "id": 57,
                "creator_source_id": 8
              }
            }
          ]
        }
      ],
      "attributes": [
        {
          "id": 15067,
          "object_link_id": 62326,
          "attribute_id": 136,
          "value": "Universities",
          "created_at": "2018-04-02 17:46:43",
          "updated_at": "2018-04-02 17:50:18",
          "name": "Industry",
          "attribute": {
            "id": 136,
            "name": "Industry",
            "created_at": "2018-04-02 16:25:21",
            "updated_at": "2018-04-02 16:25:21"
          },
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "tlp_id": null,
              "created_at": "2018-04-02 16:17:00",
              "updated_at": "2018-04-02 16:17:00",
              "published_at": null,
              "pivot": {
                "object_link_attribute_id": 15067,
                "source_id": 8,
                "id": 3,
                "creator_source_id": 0
              }
            }
          ]
        }
      ],
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "tlp_id": null,
          "created_at": "2018-04-02 17:39:18",
          "updated_at": "2018-04-02 17:39:18",
          "published_at": null,
          "pivot": {
            "object_link_id": 62326,
            "source_id": 8,
            "id": 24428,
            "creator_source_id": 8
          }
        }
      ]
    },
    "sources": [
      {
        "id": 8,
        "type": "users",
        "name": "Threat Quotient",
        "tlp_id": null,
        "created_at": "2018-04-02 15:47:22",
        "updated_at": "2018-04-02 15:47:22",
        "published_at": null,
        "pivot": {
          "attachment_id": 2,
          "source_id": 8,
          "id": 2,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /indicators/{indicator_id}/attachments/{object_link_id}

Delete an Indicator Attachment link.

Example URI

DELETE /indicators/1/attachments/2
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Indicator Attachment Attributes List

Get List
GET /indicators/{indicator_id}/attachments/{object_link_id}/attributes{?limit,offset,sort}

Get a list of Indicator Attachment link Attributes.

Example URI

GET /indicators/1/attachments/2/attributes?limit=500&offset=100&sort=id
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 15067,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Universities",
      "created_at": "2018-04-02 17:46:43",
      "updated_at": "2018-04-02 17:50:18",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    },
    {
      "id": 15068,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Mining",
      "created_at": "2018-04-02 17:52:14",
      "updated_at": "2018-04-02 17:52:14",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /indicators/{indicator_id}/attachments/{object_link_id}/attributes

Create a new Indicator Attachment link Attribute.

Example URI

POST /indicators/1/attachments/2/attributes
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": 15059,
      "object_link_id": 61561,
      "attribute_id": 401,
      "value": "4000",
      "created_at": "2017-03-01 21:47:14",
      "updated_at": "2017-03-01 21:47:14",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Indicator Attachment Attribute

Get Single
GET /indicators/{indicator_id}/attachments/{object_link_id}/attributes/{object_link_attribute_id}

Get a single Indicator Attachment link Attribute.

Example URI

GET /indicators/1/attachments/2/attributes/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 15068,
    "object_link_id": 62326,
    "attribute_id": 136,
    "value": "Mining",
    "created_at": "2018-04-02 17:52:14",
    "updated_at": "2018-04-02 17:52:14",
    "name": "Industry",
    "attribute": {
      "id": 136,
      "name": "Industry",
      "created_at": "2018-04-02 16:25:21",
      "updated_at": "2018-04-02 16:25:21"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /indicators/{indicator_id}/attachments/{object_link_id}/attributes/{object_link_attribute_id}

Update an Indicator Attachment link Attribute.

Example URI

PUT /indicators/1/attachments/2/attributes/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "id": 15058,
      "object_link_id": 61561,
      "attribute_id": 14,
      "value": "New Value",
      "created_at": "2017-01-24 14:54:31",
      "updated_at": "2017-03-01 22:13:22",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /indicators/{indicator_id}/attachments/{object_link_id}/attributes/{object_link_attribute_id}

Delete an Indicator Attachment link Attribute.

Example URI

DELETE /indicators/1/attachments/2/attributes/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Indicator Attachment Comments List

Get List
GET /indicators/{indicator_id}/attachments/{object_link_id}/comments{?limit,offset,sort,with}

Get a list of Indicator Attachment link Comments.

Example URI

GET /indicators/1/attachments/2/comments?limit=500&offset=100&sort=id&with=sources
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources

A comma-separated list of related objects to include in the response. Options for this endpoint: sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 54,
      "object_link_id": 62325,
      "value": "This has some suspicious stuff.",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:19:51",
      "updated_at": "2018-04-02 18:21:06",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 54,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 56,
      "object_link_id": 62325,
      "value": "Compile date: 10/17/2011",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:20:25",
      "updated_at": "2018-04-02 16:20:25",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /indicators/{indicator_id}/attachments/{object_link_id}/comments

Create a new Indicator Attachment link Comment.

Example URI

POST /indicators/1/attachments/2/comments
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "id": 69,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 14:12:32",
    "updated_at": "2017-03-02 14:12:32"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Indicator Attachment Comment

Get Single
GET /indicators/{indicator_id}/attachments/{object_link_id}/comments/{object_link_comment_id}

Get a single Indicator Attachment link Comment.

Example URI

GET /indicators/1/attachments/2/comments/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /indicators/{indicator_id}/attachments/{object_link_id}/comments/{object_link_comment_id}

Update an Indicator Attachment link Comment.

Example URI

PUT /indicators/1/attachments/2/comments/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "value": "This is an updated comment.",
    "id": 67,
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-02-28 20:18:50",
    "updated_at": "2017-03-02 14:37:49"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /indicators/{indicator_id}/attachments/{object_link_id}/comments/{object_link_comment_id}

Delete an Indicator Attachment link Comment.

Example URI

DELETE /indicators/1/attachments/2/comments/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Indicator Attributes List

Get List
GET /indicators/{indicator_id}/attributes{?limit,offset,sort,with}

Get a list of Indicator Attributes.

Example URI

GET /indicators/1/attributes?limit=500&offset=100&sort=id&with=attribute,sources
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: attribute,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: attribute, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 7,
  "data": [
    {
      "id": 1,
      "indicator_id": 1,
      "attribute_id": 8,
      "value": "~DF2.tmp",
      "created_at": "2017-02-14 03:24:28",
      "updated_at": "2017-02-14 03:24:28",
      "touched_at": "2017-04-14 19:02:49",
      "name": "C2",
      "attribute": {
        "id": 8,
        "name": "C2",
        "created_at": "2017-03-22 19:03:42",
        "updated_at": "2017-04-09 19:04:42"
      }
    },
    {
      "id": 2,
      "indicator_id": 1,
      "attribute_id": 68,
      "value": "mshttp.dll",
      "created_at": "2017-04-10 06:35:29",
      "updated_at": "2017-04-10 06:35:29",
      "touched_at": "2017-04-14 19:02:49",
      "name": "Registrant",
      "attribute": {
        "id": 68,
        "name": "Registrant",
        "created_at": "2017-03-21 19:03:42",
        "updated_at": "2017-03-21 19:03:42"
      }
    },
    {
      "id": 3,
      "indicator_id": 1,
      "attribute_id": 34,
      "value": "Win32%2FInstallMonetizer.AY",
      "created_at": "2017-03-07 10:10:29",
      "updated_at": "2017-03-07 10:10:29",
      "touched_at": "2017-04-14 19:02:49",
      "name": "File Extension",
      "attribute": {
        "id": 34,
        "name": "File Extension",
        "created_at": "2017-03-16 19:03:42",
        "updated_at": "2017-03-17 19:03:42"
      }
    }
  ]
}
Response  401

Access denied.
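
Added example (not part of the ThreatQ reference and not ThreatQuotient code): a Python walk over this list endpoint that advances offset by the rows received until total is reached and treats a 401 as a hard stop. Assumptions: total counts all matching records rather than the returned page, sort=id keeps page boundaries stable between requests, and the function names and the fake transport are hypothetical.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def build_list_url(base, indicator_id, limit, offset, sort="id", with_=()):
    """Build GET /indicators/{indicator_id}/attributes{?limit,offset,sort,with}."""
    # int() keeps anything but a number out of the path and the paging values.
    path = f"indicators/{int(indicator_id)}/attributes"
    query = {"limit": int(limit), "offset": int(offset)}
    if sort:
        query["sort"] = sort
    if with_:
        query["with"] = ",".join(with_)
    # safe="," leaves the comma-separated lists unescaped, as in the Example URI.
    return f"{base.rstrip('/')}/{path}?{urllib.parse.urlencode(query, safe=',')}"


def http_get(url, token):
    """Default transport: returns (status, parsed JSON body or None on an HTTP error)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None


def iter_indicator_attributes(base, token, indicator_id, page_size=500,
                              sort="id", with_=("attribute", "sources"),
                              fetch=http_get):
    """Yield every attribute of one indicator, requesting one page at a time."""
    if int(page_size) < 1:
        raise ValueError("page_size must be at least 1")
    offset = 0
    while True:
        url = build_list_url(base, indicator_id, page_size, offset, sort, with_)
        status, body = fetch(url, token)
        if status == 401:
            # Per the reference: access token in the header incorrect or out of date.
            raise PermissionError("401 Access denied")
        if status != 200:
            raise RuntimeError(f"unexpected HTTP status {status} for {url}")
        rows = body["data"]
        yield from rows
        offset += len(rows)
        # Assumption: "total" counts all matching records, not only this page.
        # An empty page also ends the walk, so a wrong total cannot loop forever.
        if not rows or offset >= body.get("total", 0):
            return


def make_fake_fetch(rows, status=200):
    """Constructed stand-in for the server so the example runs offline."""
    calls = []

    def fetch(url, token):
        calls.append(url)
        if status != 200:
            return status, None
        query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
        off, lim = int(query["offset"][0]), int(query["limit"][0])
        return 200, {"total": len(rows), "data": rows[off:off + lim]}

    fetch.calls = calls
    return fetch


if __name__ == "__main__":
    # Constructed sample data: seven attributes served three per page.
    sample = [{"id": i, "indicator_id": 1, "name": "Port", "value": str(4000 + i)}
              for i in range(1, 8)]
    fake = make_fake_fetch(sample)
    for row in iter_indicator_attributes("https://hostname/api", "<access_token>",
                                         1, page_size=3, fetch=fake):
        print(row["id"], row["name"], row["value"])
    print(len(fake.calls), "requests sent")
```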

Create New
POST /indicators/{indicator_id}/attributes

Create a new Indicator Attribute.

Example URI

POST /indicators/1/attributes
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "value": "Test Value",
      "indicator_id": 1,
      "id": 41258,
      "attribute_id": 255,
      "created_at": "2017-04-16 00:34:25",
      "updated_at": "2017-04-16 00:34:25",
      "name": "Test Attribute",
      "attribute": {
        "id": 255,
        "name": "Test Attribute",
        "created_at": "2017-04-16 00:34:25",
        "updated_at": "2017-04-16 00:34:25"
      },
      "sources": [
        {
          "id": 11,
          "type": "other_sources",
          "name": "Test Source",
          "tlp_id": 1,
          "created_at": "2017-04-16 00:34:25",
          "updated_at": "2017-04-16 00:34:25",
          "published_at": "2017-02-28 00:00:00",
          "pivot": {
            "indicator_attribute_id": 41258,
            "source_id": 11,
            "id": 151,
            "creator_source_id": 5
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Indicator Attribute

Get Single
GET /indicators/{indicator_id}/attributes/{indicator_attribute_id}{?with}

Get a single Indicator Attribute.

Example URI

GET /indicators/1/attributes/2?with=attribute,sources
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

indicator_attribute_id
integer (required) Example: 2

Indicator Attribute ID

with
string (optional) Example: attribute,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: attribute, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 41258,
    "indicator_id": 1,
    "attribute_id": 255,
    "value": "Test Value",
    "created_at": "2017-04-16 00:34:25",
    "updated_at": "2017-04-16 00:34:25",
    "touched_at": "2017-04-16 00:34:25",
    "name": "Test Attribute",
    "attribute": {
      "id": 255,
      "name": "Test Attribute",
      "created_at": "2017-04-16 00:34:25",
      "updated_at": "2017-04-16 00:34:25"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /indicators/{indicator_id}/attributes/{indicator_attribute_id}{?with}

Update an Indicator Attribute.

Example URI

PUT /indicators/1/attributes/2?with=attribute,sources
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

indicator_attribute_id
integer (required) Example: 2

Indicator Attribute ID

with
string (optional) Example: attribute,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: attribute, sources.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 41258,
    "indicator_id": 1,
    "attribute_id": 255,
    "value": "New Value",
    "created_at": "2017-04-16 00:34:25",
    "updated_at": "2017-04-16 00:44:03",
    "touched_at": "2017-04-16 00:34:25",
    "name": "Test Attribute",
    "attribute": {
      "id": 255,
      "name": "Test Attribute",
      "created_at": "2017-04-16 00:34:25",
      "updated_at": "2017-04-16 00:34:25"
    }
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "indicator_id": "1",
    "attribute_id": "41258",
    "errors": {
      "value": [
        "The value field is required."
      ]
    },
    "name": null,
    "attribute": null
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /indicators/{indicator_id}/attributes/{indicator_attribute_id}

Delete an Indicator Attribute.

Example URI

DELETE /indicators/1/attributes/2
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

indicator_attribute_id
integer (required) Example: 2

Indicator Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Indicator Attribute Source

Update
PUT /indicators/{indicator_id}/attributes/{indicator_attribute_id}/sources/{indicator_attribute_source_id}

Update an Indicator Attribute Source.

Example URI

PUT /indicators/1/attributes/2/sources/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

indicator_attribute_id
integer (required) Example: 2

Indicator Attribute ID

indicator_attribute_source_id
integer (required) Example: 3

Indicator Attribute Source ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "indicator_attribute_id": 1,
    "source_id": 8,
    "tlp_id": 1,
    "created_at": "2018-09-20 21:22:20",
    "updated_at": "2018-09-20 21:23:46",
    "published_at": "2017-01-01 01:01:01",
    "creator_source_id": 8
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /indicators/{indicator_id}/attributes/{indicator_attribute_id}/sources/{indicator_attribute_source_id}

Delete an Indicator Attribute Source.

Example URI

DELETE /indicators/1/attributes/2/sources/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

indicator_attribute_id
integer (required) Example: 2

Indicator Attribute ID

indicator_attribute_source_id
integer (required) Example: 3

Indicator Attribute Source ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Indicator Comments List

Get List
GET /indicators/{indicator_id}/comments{?limit,offset,sort,with}

Get a list of Indicator Comments.

Example URI

GET /indicators/1/comments?limit=500&offset=100&sort=id&with=indicator,sources
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: indicator,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: indicator, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 54,
      "indicator_id": 1,
      "value": "This is a comment.",
      "creator_source_id": 5,
      "created_at": "2017-04-16 14:39:28",
      "updated_at": "2017-04-16 14:44:26"
    },
    {
      "id": 55,
      "indicator_id": 1,
      "value": "This is another comment.",
      "creator_source_id": 5,
      "created_at": "2017-04-16 14:51:50",
      "updated_at": "2017-04-16 14:51:50"
    }
  ]
}
Response  401

Access denied.

Create New
POST /indicators/{indicator_id}/comments

Create a new Indicator Comment.

Example URI

POST /indicators/1/comments
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 54,
    "indicator_id": 1,
    "value": "This is a comment.",
    "creator_source_id": 5,
    "created_at": "2017-04-16 14:39:28",
    "updated_at": "2017-04-16 14:39:28",
    "sources": [
      {
        "id": 5,
        "type": "users",
        "name": "Threat Quotient",
        "expire_days": null,
        "score": null,
        "created_at": "2017-04-14 19:01:42",
        "updated_at": "2017-04-14 19:01:42",
        "pivot": {
          "id": 54,
          "creator_source_id": 5
        }
      }
    ]
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "indicator_id": "1",
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Indicator Comment

Update
PUT /indicators/{indicator_id}/comments/{indicator_comment_id}{?with}

Update an Indicator Comment.

Example URI

PUT /indicators/1/comments/2?with=indicator,sources
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

indicator_comment_id
integer (required) Example: 2

Indicator Comment ID

with
string (optional) Example: indicator,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: indicator, sources.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 54,
    "indicator_id": 1,
    "value": "This is an updated comment.",
    "creator_source_id": 5,
    "created_at": "2017-04-16 14:39:28",
    "updated_at": "2017-04-16 14:44:26",
    "sources": [
      {
        "id": 5,
        "type": "users",
        "name": "Threat Quotient",
        "expire_days": null,
        "score": null,
        "created_at": "2017-04-14 19:01:42",
        "updated_at": "2017-04-14 19:01:42",
        "pivot": {
          "id": 54,
          "creator_source_id": 5
        }
      }
    ]
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "The current authenticated owner is not the owner of this comment."
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /indicators/{indicator_id}/comments/{indicator_comment_id}

Delete an Indicator Comment.

Example URI

DELETE /indicators/1/comments/2
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

indicator_comment_id
integer (required) Example: 2

Indicator Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Indicator Events List

Get List
GET /indicators/{indicator_id}/events{?limit,offset,sort,with}

Get a list of Indicator Event links.

Example URI

GET /indicators/1/events?limit=500&offset=100&sort=id&with=sources,pivot.attributes
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 13,
      "type_id": 1,
      "title": "Origin - http://halvorson.com/quia-reprehenderit-ullam-aut-accusantium-iusto-voluptas-omnis",
      "description": "",
      "happened_at": "2018-01-25 03:17:53",
      "hash": "0ba76d18a6e5350a8e5979b5676bc8c8",
      "created_at": "2018-01-25 03:17:53",
      "updated_at": "2018-01-25 03:17:53",
      "touched_at": "2018-04-03 15:34:22",
      "deleted_at": null,
      "sources": [
        {
          "name": "Threat Quotient"
        }
      ],
      "pivot": {
        "id": 61077,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "event",
        "dest_object_id": 13,
        "created_at": "2018-02-26 00:36:06",
        "updated_at": "2018-04-03 15:34:20",
        "comments": [
          {
            "id": 55,
            "type": "users",
            "value": "This is important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-04 14:42:46.690000",
            "updated_at": "2018-04-04 14:42:46.690000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 14948,
            "name": "Industry",
            "value": "Universities",
            "sources": [
              {
                "id": 1,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 22414,
            "name": "Threat Quotient",
            "type": "clients",
            "pivot": {
              "created_at": "2018-03-05 22:01:33",
              "updated_at": "2018-04-03 15:34:22.693000"
            }
          }
        ]
      }
    },
    {
      "id": 46,
      "type_id": 1,
      "title": "Origin - http://kling.com/voluptate-nihil-sit-est-aut",
      "description": "",
      "happened_at": "2017-12-31 23:17:05",
      "hash": "e2e96a1516420fc05ad8ac04de52bd89",
      "created_at": "2017-12-31 23:17:05",
      "updated_at": "2017-12-31 23:17:05",
      "touched_at": "2018-04-03 15:34:22",
      "deleted_at": null,
      "sources": [
        {
          "name": "Domain Tools"
        },
        {
          "name": "Emerging Threats"
        },
        {
          "name": "VirusTotal"
        }
      ],
      "pivot": {
        "id": 61144,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "event",
        "dest_object_id": 46,
        "created_at": "2018-03-01 23:54:52",
        "updated_at": "2018-04-03 15:34:20",
        "comments": [
          {
            "id": 56,
            "type": "users",
            "value": "This is also important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-04 14:43:10.692000",
            "updated_at": "2018-04-04 14:43:10.692000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 14949,
            "name": "Industry",
            "value": "Mining",
            "sources": [
              {
                "id": 2,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 22513,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-02-24 09:36:30",
              "updated_at": "2018-04-03 15:34:22.693000"
            }
          },
          {
            "id": 22514,
            "name": "Customer Observer",
            "type": "users",
            "pivot": {
              "created_at": "2018-02-25 22:27:11",
              "updated_at": "2018-04-03 15:34:22.693000"
            }
          }
        ]
      }
    }
  ],
  "limit": 100,
  "offset": 0
}
Response  401

Access denied.

Create New
POST /indicators/{indicator_id}/events

Create a link from an Indicator to an Event.

Example URI

POST /indicators/1/events
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "id": 2
  },
  {
    "id": 3
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 202,
      "type_id": 2,
      "title": "Origin - http://www.durgan.biz/vel-omnis-impedit-at-quod-quasi-reiciendis.html",
      "description": "",
      "happened_at": "2016-12-05 20:01:48",
      "hash": "d13e682a5d567d51b99f676b7bdef980",
      "created_at": "2016-12-05 20:01:48",
      "updated_at": "2016-12-05 20:01:48",
      "touched_at": "2017-02-28 20:14:59",
      "pivot": {
        "id": 62396,
        "created_at": "2017-03-01 20:55:10",
        "updated_at": "2017-03-01 20:55:10"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "id": [
          "The id field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.
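
Added example (not part of the ThreatQ reference and not ThreatQuotient code): the 400 bodies shown for these endpoints come in three shapes, a top-level errors list, an errors object inside data, and a data array whose items each carry errors. This Python helper flattens all three into one record format for logging or alerting; the function names are hypothetical and the sample bodies are copied from the responses above.

```python
import json

# Sample 400 bodies, copied from the responses documented above.
TOP_LEVEL = '{"errors": ["Undefined index: value"]}'
IN_DATA = ('{"data": {"creator_source_id": 5, "indicator_id": "1", '
           '"errors": {"value": ["The value field is required."]}}}')
PER_ITEM = '{"data": [{"errors": {"id": ["The id field is required."]}}]}'
NOT_OWNER = ('{"errors": ["The current authenticated owner is not '
             'the owner of this comment."]}')


def _from_errors(errors, item=None):
    """Turn one "errors" value into (item_index, field, message) tuples."""
    out = []
    if isinstance(errors, dict):            # {"field": ["message", ...]}
        for field, messages in errors.items():
            if not isinstance(messages, list):
                messages = [messages]
            out.extend((item, field, str(m)) for m in messages)
    elif isinstance(errors, list):          # ["message", ...]
        out.extend((item, None, str(m)) for m in errors)
    elif errors is not None:                # a bare string or number
        out.append((item, None, str(errors)))
    return out


def validation_errors(body):
    """Collect every error in a response body, whichever shape it uses.

    Returns a list of (item_index, field, message). item_index is set only
    when "data" is an array (one entry per submitted object); field is None
    when the API reported a plain message with no field name.
    """
    if isinstance(body, (str, bytes)):
        body = json.loads(body)
    if not isinstance(body, dict):
        return []
    found = _from_errors(body.get("errors"))
    data = body.get("data")
    if isinstance(data, dict):
        found += _from_errors(data.get("errors"))
    elif isinstance(data, list):
        for index, entry in enumerate(data):
            if isinstance(entry, dict):
                found += _from_errors(entry.get("errors"), item=index)
    return found


def format_error(record):
    """Render one tuple as a single log-friendly line."""
    item, field, message = record
    where = "" if item is None else f"item[{item}]"
    if field is not None:
        where = f"{where}.{field}" if where else field
    return f"{where}: {message}" if where else message


if __name__ == "__main__":
    for raw in (TOP_LEVEL, IN_DATA, PER_ITEM, NOT_OWNER):
        for record in validation_errors(raw):
            print(format_error(record))
```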

Bulk Delete
DELETE /indicators/{indicator_id}/events

Delete multiple Indicator Event links. The request should include a list of object_link_ids to be deleted.

Example URI

DELETE /indicators/1/events
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  62351,
  62352
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Indicator Event

Get Single
GET /indicators/{indicator_id}/events/{object_link_id}{?with}

Get a single Indicator Event link.

Example URI

GET /indicators/1/events/2?with=sources,pivot.attributes
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 13,
    "type_id": 1,
    "title": "Origin - http://halvorson.com/quia-reprehenderit-ullam-aut-accusantium-iusto-voluptas-omnis",
    "description": "",
    "happened_at": "2018-01-25 03:17:53",
    "hash": "0ba76d18a6e5350a8e5979b5676bc8c8",
    "created_at": "2018-01-25 03:17:53",
    "updated_at": "2018-01-25 03:17:53",
    "touched_at": "2018-04-03 15:34:22",
    "pivot": {
      "id": 61077,
      "created_at": "2018-02-26 00:36:06",
      "updated_at": "2018-04-03 15:34:20",
      "comments": [
        {
          "id": 55,
          "object_link_id": 61077,
          "value": "This is important.",
          "creator_source_id": 8,
          "created_at": "2018-04-04 14:42:46",
          "updated_at": "2018-04-04 14:42:46",
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "expire_days": null,
              "score": null,
              "created_at": "2018-04-03 15:31:57",
              "updated_at": "2018-04-03 15:31:57",
              "pivot": {
                "id": 55,
                "creator_source_id": 8
              }
            }
          ]
        }
      ],
      "attributes": [
        {
          "id": 14948,
          "object_link_id": 61077,
          "attribute_id": 135,
          "value": "Universities",
          "created_at": "2018-04-04 14:38:39",
          "updated_at": "2018-04-04 14:38:39",
          "name": "Industry",
          "attribute": {
            "id": 135,
            "name": "Industry",
            "created_at": "2018-04-03 19:41:04",
            "updated_at": "2018-04-03 19:41:04"
          },
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "tlp_id": null,
              "created_at": "-0001-11-30 00:00:00",
              "updated_at": "-0001-11-30 00:00:00",
              "published_at": null,
              "pivot": {
                "object_link_attribute_id": 14948,
                "source_id": 8,
                "id": 1,
                "creator_source_id": 0
              }
            }
          ]
        }
      ],
      "sources": [
        {
          "id": 2,
          "type": "clients",
          "name": "Threat Quotient",
          "tlp_id": null,
          "created_at": "2018-03-05 22:01:33",
          "updated_at": "2018-04-03 15:34:22",
          "published_at": null,
          "pivot": {
            "object_link_id": 61077,
            "source_id": 2,
            "id": 22414,
            "creator_source_id": 2
          }
        }
      ]
    },
    "sources": [
      {
        "id": 8,
        "type": "users",
        "name": "Threat Quotient",
        "tlp_id": null,
        "created_at": "2018-02-24 22:23:15",
        "updated_at": "2018-04-03 15:34:22",
        "published_at": null,
        "pivot": {
          "event_id": 13,
          "source_id": 8,
          "id": 27,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /indicators/{indicator_id}/events/{object_link_id}

Delete an Indicator Event link.

Example URI

DELETE /indicators/1/events/2
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Indicator Event Attributes List

Get List
GET /indicators/{indicator_id}/events/{object_link_id}/attributes{?limit,offset,sort}

Get a list of Indicator Event link Attributes.

Example URI

GET /indicators/1/events/2/attributes?limit=500&offset=100&sort=id
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 15067,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Universities",
      "created_at": "2018-04-02 17:46:43",
      "updated_at": "2018-04-02 17:50:18",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    },
    {
      "id": 15068,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Mining",
      "created_at": "2018-04-02 17:52:14",
      "updated_at": "2018-04-02 17:52:14",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /indicators/{indicator_id}/events/{object_link_id}/attributes

Create a new Indicator Event link Attribute.

Example URI

POST /indicators/1/events/2/attributes
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": 15059,
      "object_link_id": 61561,
      "attribute_id": 401,
      "value": "4000",
      "created_at": "2017-03-01 21:47:14",
      "updated_at": "2017-03-01 21:47:14",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Indicator Event Attribute

Get Single
GET /indicators/{indicator_id}/events/{object_link_id}/attributes/{object_link_attribute_id}

Get a single Indicator Event link Attribute.

Example URI

GET /indicators/1/events/2/attributes/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 15068,
    "object_link_id": 62326,
    "attribute_id": 136,
    "value": "Mining",
    "created_at": "2018-04-02 17:52:14",
    "updated_at": "2018-04-02 17:52:14",
    "name": "Industry",
    "attribute": {
      "id": 136,
      "name": "Industry",
      "created_at": "2018-04-02 16:25:21",
      "updated_at": "2018-04-02 16:25:21"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /indicators/{indicator_id}/events/{object_link_id}/attributes/{object_link_attribute_id}

Update an Indicator Event link Attribute.

Example URI

PUT /indicators/1/events/2/attributes/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "id": 15058,
      "object_link_id": 61561,
      "attribute_id": 14,
      "value": "New Value",
      "created_at": "2017-01-24 14:54:31",
      "updated_at": "2017-03-01 22:13:22",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /indicators/{indicator_id}/events/{object_link_id}/attributes/{object_link_attribute_id}

Delete an Indicator Event link Attribute.

Example URI

DELETE /indicators/1/events/2/attributes/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Indicator Event Comments List

Get List
GET /indicators/{indicator_id}/events/{object_link_id}/comments{?limit,offset,sort,with}

Get a list of Indicator Event link Comments.

Example URI

GET /indicators/1/events/2/comments?limit=500&offset=100&sort=id&with=sources
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources

A comma-separated list of related objects to include in the response. Options for this endpoint: sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 54,
      "object_link_id": 62325,
      "value": "This has some suspicious stuff.",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:19:51",
      "updated_at": "2018-04-02 18:21:06",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 54,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 56,
      "object_link_id": 62325,
      "value": "Compile date: 10/17/2011",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:20:25",
      "updated_at": "2018-04-02 16:20:25",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /indicators/{indicator_id}/events/{object_link_id}/comments

Create a new Indicator Event link Comment.

Example URI

POST /indicators/1/events/2/comments
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "id": 69,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 14:12:32",
    "updated_at": "2017-03-02 14:12:32"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Indicator Event Comment

Get Single
GET /indicators/{indicator_id}/events/{object_link_id}/comments/{object_link_comment_id}

Get a single Indicator Event link Comment.

Example URI

GET /indicators/1/events/2/comments/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /indicators/{indicator_id}/events/{object_link_id}/comments/{object_link_comment_id}

Update an Indicator Event link Comment.

Example URI

PUT /indicators/1/events/2/comments/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "value": "This is an updated comment.",
    "id": 67,
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-02-28 20:18:50",
    "updated_at": "2017-03-02 14:37:49"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /indicators/{indicator_id}/events/{object_link_id}/comments/{object_link_comment_id}

Delete an Indicator Event link Comment.

Example URI

DELETE /indicators/1/events/2/comments/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Indicator Indicators List

Get List
GET /indicators/{indicator_id}/indicators{?limit,offset,sort,with}

Get a list of Indicator Indicator links.

Example URI

GET /indicators/1/indicators?limit=500&offset=100&sort=id&with=sources,pivot.attributes
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 24,
      "type_id": 3,
      "status_id": 3,
      "class": "network",
      "hash": "bc77846655cdf4c183713a59f8c2a8f1",
      "value": "brendon57@hotmail.com",
      "description": null,
      "last_detected_at": "2002-06-23 14:29:54",
      "expires_at": null,
      "expired_at": null,
      "expires_needs_calc": "Y",
      "expires_calculated_at": null,
      "created_at": "2018-04-04 19:28:34",
      "updated_at": "2018-04-04 19:28:34",
      "touched_at": "2018-04-04 19:30:57",
      "deleted_at": null,
      "sources": [
        {
          "name": "ThreatQ Example Feed"
        }
      ],
      "pivot": {
        "id": 14896,
        "src_type": "indicator",
        "src_object_id": 24,
        "dest_type": "adversary",
        "dest_object_id": 1,
        "created_at": "2018-04-04 19:28:34",
        "updated_at": "2018-04-04 19:28:34",
        "comments": [
          {
            "id": 54,
            "type": "users",
            "value": "This link is important.",
            "created_at": "2018-04-04 20:05:39.284000",
            "updated_at": "2018-04-04 20:05:39.284000",
            "creator_source_id": 8,
            "sources": [
              {
                "id": 8,
                "name": "Threat Quotient"
              }
            ]
          }
        ],
        "attributes": [
          {
            "id": 43,
            "name": "Confidence",
            "value": "75",
            "sources": [
              {
                "id": 1,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 62,
            "name": "VirusTotal",
            "type": "plugins",
            "pivot": {
              "created_at": "2018-02-19 02:14:29",
              "updated_at": "2018-04-04 19:30:59.439000"
            }
          }
        ]
      }
    },
    {
      "id": 74,
      "type_id": 3,
      "status_id": 3,
      "class": "network",
      "hash": "890a7aa3415d8b4fa39d9f51a026b7d8",
      "value": "hazel.kilback@hotmail.com",
      "description": null,
      "last_detected_at": "1992-07-15 20:23:27",
      "expires_at": null,
      "expired_at": null,
      "expires_needs_calc": "Y",
      "expires_calculated_at": null,
      "created_at": "2018-04-04 19:28:35",
      "updated_at": "2018-04-04 19:28:35",
      "touched_at": "2018-04-04 19:30:57",
      "deleted_at": null,
      "sources": [
        {
          "name": "Customer Admin"
        }
      ],
      "pivot": {
        "id": 14991,
        "src_type": "indicator",
        "src_object_id": 74,
        "dest_type": "adversary",
        "dest_object_id": 1,
        "created_at": "2018-04-04 19:28:35",
        "updated_at": "2018-04-04 19:28:35",
        "comments": [
          {
            "id": 56,
            "type": "users",
            "value": "This link is also important.",
            "created_at": "2018-04-04 20:09:29.324000",
            "updated_at": "2018-04-04 20:09:29.324000",
            "creator_source_id": 8,
            "sources": [
              {
                "id": 8,
                "name": "Threat Quotient"
              }
            ]
          }
        ],
        "attributes": [
          {
            "id": 138,
            "name": "Confidence",
            "value": "75",
            "sources": [
              {
                "id": 2,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 200,
            "name": "Emerging Threats",
            "type": "plugins",
            "pivot": {
              "created_at": "2018-01-13 11:24:36",
              "updated_at": "2018-04-04 19:30:59.439000"
            }
          }
        ]
      }
    }
  ],
  "limit": 2,
  "offset": 0
}
Response  401

Access denied.
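
Added example (not part of the ThreatQ reference): a Python sketch that pages through the Indicator Indicator links list with limit and offset, validating sort and with before they reach the URL and treating 401 as a token problem. The helper names, the injected fetch callable and the sample records are assumptions made for illustration, as is reading "total" as the count of all matching records.

```python
import json
import re
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

# "with" options the reference lists for GET /indicators/{indicator_id}/indicators.
WITH_OPTIONS = {
    "pivot.comments", "pivot.comments.sources", "pivot.attributes",
    "pivot.attributes.attribute", "pivot.attributes.sources",
    "pivot.sources", "sources",
}
# Comma-separated field names, each optionally prefixed with "-" (reverse order).
SORT_RE = re.compile(r"-?\w+(,-?\w+)*")


class AccessDenied(Exception):
    """HTTP 401: the bearer token was incorrect or out of date."""


def build_list_url(base, indicator_id, limit, offset, sort="id", with_=()):
    """Build the URL for one page, rejecting values that do not fit the documented types."""
    for name, val, low in (("indicator_id", indicator_id, 0),
                           ("limit", limit, 1), ("offset", offset, 0)):
        if isinstance(val, bool) or not isinstance(val, int) or val < low:
            raise ValueError(f"{name} must be an integer >= {low}")
    if not SORT_RE.fullmatch(sort):
        raise ValueError("sort must be comma-separated field names")
    unknown = set(with_) - WITH_OPTIONS
    if unknown:
        raise ValueError(f"unsupported 'with' option(s): {sorted(unknown)}")
    params = {"limit": limit, "offset": offset, "sort": sort}
    if with_:
        params["with"] = ",".join(with_)
    query = urlencode(params, safe=",")  # keep commas readable, as in the reference
    return f"{base.rstrip('/')}/indicators/{indicator_id}/indicators?{query}"


def iter_links(fetch, base, indicator_id, page_size=500, sort="id", with_=()):
    """Yield every linked indicator, requesting one page at a time.

    fetch(url) must return (http_status, parsed_json_body).
    """
    offset = 0
    while True:
        url = build_list_url(base, indicator_id, page_size, offset, sort, with_)
        status, body = fetch(url)
        if status == 401:
            raise AccessDenied("401 Access denied: obtain a fresh access token")
        if status != 200:
            raise RuntimeError(f"unexpected HTTP status {status}")
        page = body.get("data", [])
        yield from page
        offset += len(page)
        total = body.get("total")
        # Assumption: "total" counts all matching records. An empty page also
        # ends the walk, so a wrong assumption cannot cause an endless loop.
        if not page or (total is not None and offset >= total):
            return


def make_http_fetch(access_token, timeout=30):
    """fetch() for a live instance; sends the documented Authorization header."""
    def fetch(url):
        req = urllib.request.Request(
            url, headers={"Authorization": f"Bearer {access_token}"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:
            return err.code, {}
    return fetch


# Constructed sample records for an offline run, shaped like the documented
# response but reduced to the fields used here.
SAMPLE_LINKS = [{"id": 20 + i, "value": f"user{i}@example.com",
                 "pivot": {"id": 14890 + i}} for i in range(5)]


def fake_fetch(url):
    """Stand-in for the server: slices SAMPLE_LINKS by limit and offset."""
    q = parse_qs(urlsplit(url).query)
    limit, offset = int(q["limit"][0]), int(q["offset"][0])
    page = SAMPLE_LINKS[offset:offset + limit]
    return 200, {"total": len(SAMPLE_LINKS), "data": page,
                 "limit": limit, "offset": offset}


def demo():
    """Walk all five constructed links two at a time; return their object_link_ids."""
    links = iter_links(fake_fetch, "https://hostname/api/", 1, page_size=2,
                       with_=("sources", "pivot.attributes"))
    return [link["pivot"]["id"] for link in links]


if __name__ == "__main__":
    print(demo())
```

The pivot.id values collected this way are the object_link_ids that the single-link and Bulk Delete endpoints expect.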

Create New
POST /indicators/{indicator_id}/indicators

Create a link from an Indicator to another Indicator.

Example URI

POST /indicators/1/indicators
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "id": 2
  },
  {
    "id": 3
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 202,
      "type_id": 2,
      "status_id": 3,
      "class": "network",
      "hash": "bba60e76a34af96122b9f44e67ae8ea7",
      "value": "oolson@yahoo.com",
      "last_detected_at": "2013-12-13 08:58:00",
      "expires_at": null,
      "expired_at": null,
      "expires_calculated_at": null,
      "created_at": "2017-02-28 20:13:19",
      "updated_at": "2017-02-28 20:13:19",
      "touched_at": "2017-03-02 14:57:32",
      "pivot": {
        "id": 62397,
        "created_at": "2017-03-02 14:57:32",
        "updated_at": "2017-03-02 14:57:32"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "id": [
          "The id field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.

Bulk Delete
DELETE /indicators/{indicator_id}/indicators

Delete multiple Indicator Indicator links. The request should include a list of object_link_ids to be deleted.

Example URI

DELETE /indicators/1/indicators
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  62351,
  62352
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Indicator Indicator

Get Single
GET /indicators/{indicator_id}/indicators/{object_link_id}{?with}

Get a single Indicator Indicator link.

Example URI

GET /indicators/1/indicators/2?with=sources,pivot.attributes
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 24,
    "type_id": 3,
    "status_id": 3,
    "class": "network",
    "hash": "bc77846655cdf4c183713a59f8c2a8f1",
    "value": "brendon57@hotmail.com",
    "description": null,
    "last_detected_at": "2002-06-23 14:29:54",
    "expires_at": null,
    "expired_at": null,
    "expires_needs_calc": "Y",
    "expires_calculated_at": null,
    "created_at": "2018-04-04 19:28:34",
    "updated_at": "2018-04-04 19:28:34",
    "touched_at": "2018-04-04 19:30:57",
    "pivot": {
      "id": 14896,
      "created_at": "2018-03-09 14:32:27",
      "updated_at": "2018-04-04 19:30:29",
      "comments": [
        {
          "id": 54,
          "object_link_id": 14896,
          "value": "This link is also important.",
          "creator_source_id": 8,
          "created_at": "2018-04-04 20:05:39",
          "updated_at": "2018-04-04 20:05:39",
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "expire_days": null,
              "score": null,
              "created_at": "2018-04-04 19:28:33",
              "updated_at": "2018-04-04 19:28:33",
              "pivot": {
                "id": 54,
                "creator_source_id": 8
              }
            }
          ]
        }
      ],
      "attributes": [
        {
          "id": 43,
          "object_link_id": 14896,
          "attribute_id": 13,
          "value": "75",
          "created_at": "2018-02-24 14:33:41",
          "updated_at": "-0001-11-30 00:00:00",
          "name": "Confidence",
          "attribute": {
            "id": 13,
            "name": "Confidence",
            "created_at": "2018-03-28 19:03:33",
            "updated_at": "2018-03-24 19:03:33"
          },
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "tlp_id": null,
              "created_at": "-0001-11-30 00:00:00",
              "updated_at": "-0001-11-30 00:00:00",
              "published_at": null,
              "pivot": {
                "object_link_attribute_id": 43,
                "source_id": 8,
                "id": 1,
                "creator_source_id": 0
              }
            }
          ]
        }
      ],
      "sources": [
        {
          "id": 5,
          "type": "plugins",
          "name": "VirusTotal",
          "tlp_id": null,
          "created_at": "2018-02-19 02:14:29",
          "updated_at": "2018-04-04 19:30:59",
          "published_at": null,
          "pivot": {
            "object_link_id": 14896,
            "source_id": 5,
            "id": 62,
            "creator_source_id": 5
          }
        }
      ]
    },
    "sources": [
      {
        "id": 3,
        "type": "clients",
        "name": "ThreatQ",
        "tlp_id": null,
        "created_at": "2018-04-04 19:28:35",
        "updated_at": "2018-04-04 19:28:35",
        "published_at": null,
        "pivot": {
          "indicator_id": 24,
          "source_id": 3,
          "id": 59,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /indicators/{indicator_id}/indicators/{object_link_id}

Delete an Indicator Indicator link.

Example URI

DELETE /indicators/1/indicators/2
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Indicator Indicator Attributes List

Get List
GET /indicators/{indicator_id}/indicators/{object_link_id}/attributes{?limit,offset,sort}

Get a list of Indicator Indicator link Attributes.

Example URI

GET /indicators/1/indicators/2/attributes?limit=500&offset=100&sort=id
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 15067,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Universities",
      "created_at": "2018-04-02 17:46:43",
      "updated_at": "2018-04-02 17:50:18",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    },
    {
      "id": 15068,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Mining",
      "created_at": "2018-04-02 17:52:14",
      "updated_at": "2018-04-02 17:52:14",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /indicators/{indicator_id}/indicators/{object_link_id}/attributes

Create a new Indicator Indicator link Attribute.

Example URI

POST /indicators/1/indicators/2/attributes
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": 15059,
      "object_link_id": 61561,
      "attribute_id": 401,
      "value": "4000",
      "created_at": "2017-03-01 21:47:14",
      "updated_at": "2017-03-01 21:47:14",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Indicator Indicator Attribute

Get Single
GET /indicators/{indicator_id}/indicators/{object_link_id}/attributes/{object_link_attribute_id}

Get a single Indicator Indicator link Attribute.

Example URI

GET /indicators/1/indicators/2/attributes/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 15068,
    "object_link_id": 62326,
    "attribute_id": 136,
    "value": "Mining",
    "created_at": "2018-04-02 17:52:14",
    "updated_at": "2018-04-02 17:52:14",
    "name": "Industry",
    "attribute": {
      "id": 136,
      "name": "Industry",
      "created_at": "2018-04-02 16:25:21",
      "updated_at": "2018-04-02 16:25:21"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /indicators/{indicator_id}/indicators/{object_link_id}/attributes/{object_link_attribute_id}

Update an Indicator Indicator link Attribute.

Example URI

PUT /indicators/1/indicators/2/attributes/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "id": 15058,
      "object_link_id": 61561,
      "attribute_id": 14,
      "value": "New Value",
      "created_at": "2017-01-24 14:54:31",
      "updated_at": "2017-03-01 22:13:22",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /indicators/{indicator_id}/indicators/{object_link_id}/attributes/{object_link_attribute_id}

Delete an Indicator Indicator link Attribute.

Example URI

DELETE /indicators/1/indicators/2/attributes/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Indicator Indicator Comments List

Get List
GET /indicators/{indicator_id}/indicators/{object_link_id}/comments{?limit,offset,sort,with}

Get a list of Indicator Indicator link Comments.

Example URI

GET /indicators/1/indicators/2/comments?limit=500&offset=100&sort=id&with=sources
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources

A comma-separated list of related objects to include in the response. Options for this endpoint: sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 54,
      "object_link_id": 62325,
      "value": "This has some suspicious stuff.",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:19:51",
      "updated_at": "2018-04-02 18:21:06",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 54,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 56,
      "object_link_id": 62325,
      "value": "Compile date: 10/17/2011",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:20:25",
      "updated_at": "2018-04-02 16:20:25",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /indicators/{indicator_id}/indicators/{object_link_id}/comments

Create a new Indicator Indicator link Comment.

Example URI

POST /indicators/1/indicators/2/comments
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "id": 69,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 14:12:32",
    "updated_at": "2017-03-02 14:12:32"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Indicator Indicator Comment

Get Single
GET /indicators/{indicator_id}/indicators/{object_link_id}/comments/{object_link_comment_id}

Get a single Indicator Indicator link Comment.

Example URI

GET /indicators/1/indicators/2/comments/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /indicators/{indicator_id}/indicators/{object_link_id}/comments/{object_link_comment_id}

Update an Indicator Indicator link Comment.

Example URI

PUT /indicators/1/indicators/2/comments/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "value": "This is an updated comment.",
    "id": 67,
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-02-28 20:18:50",
    "updated_at": "2017-03-02 14:37:49"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /indicators/{indicator_id}/indicators/{object_link_id}/comments/{object_link_comment_id}

Delete an Indicator Indicator link Comment.

Example URI

DELETE /indicators/1/indicators/2/comments/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Indicator Signatures List

Get List
GET /indicators/{indicator_id}/signatures{?limit,offset,sort,with}

Get a list of Indicator Signature links.

Example URI

GET /indicators/1/signatures?limit=500&offset=100&sort=id&with=sources,pivot.attributes
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 2,
      "name": "ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow (2007937:4)",
      "description": "",
      "hash": "8cf2e60aeb0b7ed9874f2ed379b3f42d",
      "value": "alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:\"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow\"; content:\"|44 53 52 65 71 75 65 73 74|\"; pcre:\"/[0-9a-zA-Z]{50}/R\"; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; classtype:successful-dos; sid:2007937; rev:4;)",
      "status_id": 3,
      "type_id": 6,
      "last_detected_at": null,
      "created_at": "2018-04-04 19:30:18",
      "updated_at": "2018-04-04 19:30:18",
      "touched_at": "2018-04-04 23:02:46",
      "deleted_at": null,
      "sources": [
        {
          "name": "Threat Quotient"
        }
      ],
      "pivot": {
        "id": 62261,
        "src_type": "signature",
        "src_object_id": 2,
        "dest_type": "adversary",
        "dest_object_id": 1,
        "created_at": "2018-04-04 19:30:18",
        "updated_at": "2018-04-04 19:30:18",
        "comments": [
          {
            "id": 57,
            "type": "users",
            "value": "This link is important.",
            "created_at": "2018-04-04 23:16:40.155000",
            "updated_at": "2018-04-04 23:18:42.648000",
            "creator_source_id": 8,
            "sources": [
              {
                "id": 8,
                "name": "Threat Quotient"
              }
            ]
          }
        ],
        "attributes": [
          {
            "id": 15080,
            "name": "Industry",
            "value": "Universities",
            "sources": [
              {
                "id": 3,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24298,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-04 23:02:46.740000",
              "updated_at": "2018-04-04 23:02:46.740000"
            }
          }
        ]
      }
    },
    {
      "id": 1,
      "name": "ET EXPLOIT Arkeia full remote access without password or authentication (2001742:9)",
      "description": "",
      "hash": "737309fe355ef23e1c03a5e98bc364b5",
      "value": "alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:\"ET EXPLOIT Arkeia full remote access without password or authentication\"; flow:to_server,established; content:\"|464F3A20596F75206861766520737563|\"; content:\"|6520636C69656E7420696E666F726D61|\"; reference:url,metasploit.com/research/vulns/arkeia_agent; reference:url,doc.emergingthreats.net/bin/view/Main/2001742; classtype:attempted-admin; sid:2001742; rev:9;)",
      "status_id": 3,
      "type_id": 6,
      "last_detected_at": null,
      "created_at": "2018-04-04 19:30:18",
      "updated_at": "2018-04-04 19:30:18",
      "touched_at": "2018-04-04 23:03:35",
      "deleted_at": null,
      "sources": [
        {
          "name": "Threat Quotient"
        }
      ],
      "pivot": {
        "id": 62262,
        "src_type": "signature",
        "src_object_id": 1,
        "dest_type": "adversary",
        "dest_object_id": 1,
        "created_at": "2018-04-04 19:30:18",
        "updated_at": "2018-04-04 19:30:18",
        "comments": [
          {
            "id": 58,
            "type": "users",
            "value": "This link is also important.",
            "created_at": "2018-04-04 23:16:58.817000",
            "updated_at": "2018-04-04 23:16:58.817000",
            "creator_source_id": 8,
            "sources": [
              {
                "id": 8,
                "name": "Threat Quotient"
              }
            ]
          }
        ],
        "attributes": [
          {
            "id": 15081,
            "name": "Industry",
            "value": "Mining",
            "sources": [
              {
                "id": 4,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24300,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-04 23:03:35.975000",
              "updated_at": "2018-04-04 23:03:35.975000"
            }
          }
        ]
      }
    }
  ],
  "limit": 100,
  "offset": 0
}
Response  401

Access denied.

Create New
POST /indicators/{indicator_id}/signatures

Create a link from an Indicator to a Signature.

Example URI

POST /indicators/1/signatures
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "id": 2
  },
  {
    "id": 3
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 202,
      "name": "ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 27 (2019448:1)",
      "description": "",
      "hash": "32eb2da7b59c7e85fbeec98f90adaf2d",
      "value": "alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:\"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 27\"; flow:established,to_server; content:\"%6e%61m%65[\"; nocase; fast_pattern:only; http_client_body; pcre:\"/(?:^|&|Content-Disposition[\\x3a][^\\n]*?name\\s*?=\\s*?[\\x22\\x27])\\%6e\\%61m\\%65\\[[^\\x5d]*?\\W/Pi\"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019448; rev:1;)",
      "status_id": 4,
      "type_id": 1,
      "last_detected_at": null,
      "created_at": "2017-03-02 16:34:40",
      "updated_at": "2017-03-02 16:34:40",
      "touched_at": "2017-03-02 16:34:41",
      "pivot": {
        "id": 62337,
        "created_at": "2017-03-02 16:43:29",
        "updated_at": "2017-03-02 16:43:29"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "id": [
          "The id field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.
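
The 400 bodies shown in this reference come in three shapes: a flat "errors" list, an "errors" map nested under a "data" object, and an "errors" map inside each element of a "data" array. The following is an added example, not ThreatQuotient code, that normalizes all three; the names ApiError, extract_errors and check_response are hypothetical.

```python
class ApiError(Exception):
    """Raised for any non-success status; carries normalized (field, message) pairs."""

    def __init__(self, status, errors):
        super().__init__(f"HTTP {status}: {errors}")
        self.status = status
        self.errors = errors


def extract_errors(status, body):
    """Flatten the 400 body shapes documented here into (field, message) tuples.

    field is "" when the server reports a message without naming a field.
    """
    if status != 400 or not isinstance(body, (dict, list)):
        return []
    found = []

    def walk(node):
        if isinstance(node, dict):
            errs = node.get("errors")
            if isinstance(errs, list):
                # Shape 1: {"errors": ["Undefined index: value"]}
                found.extend(("", str(msg)) for msg in errs)
            elif isinstance(errs, dict):
                # Shapes 2 and 3: {"errors": {"value": ["The value field is required."]}}
                for field, msgs in errs.items():
                    for msg in (msgs if isinstance(msgs, list) else [msgs]):
                        found.append((field, str(msg)))
            data = node.get("data")
            if isinstance(data, (dict, list)):
                walk(data)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(body)
    return found


def check_response(status, body=None):
    """Return the "data" envelope on 200/201, None on 204, raise ApiError otherwise."""
    if status == 204:
        return None
    if status in (200, 201):
        return body["data"]
    raise ApiError(status, extract_errors(status, body))


# The three 400 bodies below are copied from the examples in this reference.
SHAPE_FLAT = {"errors": ["Undefined index: value"]}
SHAPE_NESTED_OBJECT = {
    "data": {"creator_source_id": 5,
             "errors": {"value": ["The value field is required."]}}
}
SHAPE_NESTED_ARRAY = {"data": [{"errors": {"id": ["The id field is required."]}}]}

if __name__ == "__main__":
    for sample in (SHAPE_FLAT, SHAPE_NESTED_OBJECT, SHAPE_NESTED_ARRAY):
        print(extract_errors(400, sample))
```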

Bulk Delete
DELETE /indicators/{indicator_id}/signatures

Delete multiple Indicator Signature links. The request should include a list of object_link_ids to be deleted.

Example URI

DELETE /indicators/1/signatures
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  62351,
  62352
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.
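
Bulk Delete takes object_link_ids, which in the Get List response are each row's pivot.id, not the signature's own id. The following added example (not ThreatQuotient code) pages through Get List with limit and offset and builds the Bulk Delete request from the collected link IDs. The fetch callable, fake_fetch and the sample rows are hypothetical, and offset is assumed to be a zero-based record index.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

BASE = "https://hostname/api"  # base URI form from this reference; hostname is a placeholder


def list_url(indicator_id, limit, offset, with_=("sources",)):
    """Build the Get List URI for Indicator Signature links."""
    query = urlencode(
        {"limit": limit, "offset": offset, "sort": "id", "with": ",".join(with_)},
        safe=",",  # keep the comma-separated `with` list readable
    )
    return f"{BASE}/indicators/{int(indicator_id)}/signatures?{query}"


def iter_signature_links(fetch, indicator_id, page_size=500):
    """Yield every linked signature, advancing offset until `total` is reached.

    `fetch` is a hypothetical callable: it performs the authenticated GET and
    returns the decoded JSON body.
    """
    offset = 0
    while True:
        page = fetch(list_url(indicator_id, page_size, offset))
        rows = page.get("data", [])
        yield from rows
        offset += len(rows)
        if not rows or offset >= page.get("total", 0):
            break


def bulk_delete_request(indicator_id, links, access_token):
    """Return (method, url, headers, body) for the Bulk Delete call.

    The body is a JSON array of object_link_ids taken from pivot.id.
    """
    link_ids = sorted({int(row["pivot"]["id"]) for row in links})
    if not link_ids:
        # Refuse to send an empty list: its server-side effect is not documented.
        raise ValueError("no object_link_ids to delete")
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"Bearer {access_token}",
    }
    url = f"{BASE}/indicators/{int(indicator_id)}/signatures"
    return "DELETE", url, headers, json.dumps(link_ids)


# Constructed sample rows (not from a real instance): signature id and link id differ.
_SAMPLE = [
    {"id": 1, "name": "rule A", "pivot": {"id": 62262}},
    {"id": 2, "name": "rule B", "pivot": {"id": 62261}},
    {"id": 7, "name": "rule C", "pivot": {"id": 62290}},
]


def fake_fetch(url):
    """Offline stand-in for the API: slices _SAMPLE according to limit/offset."""
    query = parse_qs(urlsplit(url).query)
    limit, offset = int(query["limit"][0]), int(query["offset"][0])
    return {
        "total": len(_SAMPLE),
        "data": _SAMPLE[offset:offset + limit],
        "limit": limit,
        "offset": offset,
    }


if __name__ == "__main__":
    links = list(iter_signature_links(fake_fetch, 1, page_size=2))
    print(bulk_delete_request(1, links, "<access_token>"))
```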

Indicator Signature

Get Single
GET /indicators/{indicator_id}/signatures/{object_link_id}{?with}

Get a single Indicator Signature link.

Example URI

GET /indicators/1/signatures/2?with=sources,pivot.attributes
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 2,
    "name": "ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow (2007937:4)",
    "description": "",
    "hash": "8cf2e60aeb0b7ed9874f2ed379b3f42d",
    "value": "alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:\"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow\"; content:\"|44 53 52 65 71 75 65 73 74|\"; pcre:\"/[0-9a-zA-Z]{50}/R\"; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; classtype:successful-dos; sid:2007937; rev:4;)",
    "status_id": 3,
    "type_id": 6,
    "last_detected_at": null,
    "created_at": "2018-04-04 19:30:18",
    "updated_at": "2018-04-04 19:30:18",
    "touched_at": "2018-04-04 23:02:46",
    "pivot": {
      "id": 62261,
      "created_at": "2018-04-04 23:02:46",
      "updated_at": "2018-04-04 23:02:46",
      "comments": [
        {
          "id": 57,
          "object_link_id": 62261,
          "value": "This link is important.",
          "creator_source_id": 8,
          "created_at": "2018-04-04 23:16:40",
          "updated_at": "2018-04-04 23:18:42",
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "expire_days": null,
              "score": null,
              "created_at": "2018-04-04 19:28:33",
              "updated_at": "2018-04-04 19:28:33",
              "pivot": {
                "id": 57,
                "creator_source_id": 8
              }
            }
          ]
        }
      ],
      "attributes": [
        {
          "id": 15080,
          "object_link_id": 62261,
          "attribute_id": 135,
          "value": "Universities",
          "created_at": "2018-04-04 23:09:28",
          "updated_at": "2018-04-04 23:09:28",
          "name": "Industry",
          "attribute": {
            "id": 135,
            "name": "Industry",
            "created_at": "2018-04-04 20:01:00",
            "updated_at": "2018-04-04 20:01:00"
          },
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "tlp_id": null,
              "created_at": "-0001-11-30 00:00:00",
              "updated_at": "-0001-11-30 00:00:00",
              "published_at": null,
              "pivot": {
                "object_link_attribute_id": 15080,
                "source_id": 8,
                "id": 3,
                "creator_source_id": 0
              }
            }
          ]
        }
      ],
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "tlp_id": null,
          "created_at": "2018-04-04 23:02:46",
          "updated_at": "2018-04-04 23:02:46",
          "published_at": null,
          "pivot": {
            "object_link_id": 62261,
            "source_id": 8,
            "id": 24298,
            "creator_source_id": 8
          }
        }
      ]
    },
    "sources": [
      {
        "id": 8,
        "type": "users",
        "name": "Threat Quotient",
        "tlp_id": null,
        "created_at": "2018-04-04 19:30:18",
        "updated_at": "2018-04-04 19:30:18",
        "published_at": null,
        "pivot": {
          "signature_id": 2,
          "source_id": 8,
          "id": 2,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /indicators/{indicator_id}/signatures/{object_link_id}

Delete an Indicator Signature link.

Example URI

DELETE /indicators/1/signatures/2
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Indicator Signature Attributes List

Get List
GET /indicators/{indicator_id}/signatures/{object_link_id}/attributes{?limit,offset,sort}

Get a list of Indicator Signature link Attributes.

Example URI

GET /indicators/1/signatures/2/attributes?limit=500&offset=100&sort=id
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 15067,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Universities",
      "created_at": "2018-04-02 17:46:43",
      "updated_at": "2018-04-02 17:50:18",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    },
    {
      "id": 15068,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Mining",
      "created_at": "2018-04-02 17:52:14",
      "updated_at": "2018-04-02 17:52:14",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /indicators/{indicator_id}/signatures/{object_link_id}/attributes

Create a new Indicator Signature link Attribute.

Example URI

POST /indicators/1/signatures/2/attributes
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": 15059,
      "object_link_id": 61561,
      "attribute_id": 401,
      "value": "4000",
      "created_at": "2017-03-01 21:47:14",
      "updated_at": "2017-03-01 21:47:14",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Indicator Signature Attribute

Get Single
GET /indicators/{indicator_id}/signatures/{object_link_id}/attributes/{object_link_attribute_id}

Get a single Indicator Signature link Attribute.

Example URI

GET /indicators/1/signatures/2/attributes/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 15068,
    "object_link_id": 62326,
    "attribute_id": 136,
    "value": "Mining",
    "created_at": "2018-04-02 17:52:14",
    "updated_at": "2018-04-02 17:52:14",
    "name": "Industry",
    "attribute": {
      "id": 136,
      "name": "Industry",
      "created_at": "2018-04-02 16:25:21",
      "updated_at": "2018-04-02 16:25:21"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /indicators/{indicator_id}/signatures/{object_link_id}/attributes/{object_link_attribute_id}

Update an Indicator Signature link Attribute.

Example URI

PUT /indicators/1/signatures/2/attributes/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "id": 15058,
      "object_link_id": 61561,
      "attribute_id": 14,
      "value": "New Value",
      "created_at": "2017-01-24 14:54:31",
      "updated_at": "2017-03-01 22:13:22",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /indicators/{indicator_id}/signatures/{object_link_id}/attributes/{object_link_attribute_id}

Delete an Indicator Signature link Attribute.

Example URI

DELETE /indicators/1/signatures/2/attributes/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Indicator Signature Comments List

Get List
GET /indicators/{indicator_id}/signatures/{object_link_id}/comments{?limit,offset,sort,with}

Get a list of Indicator Signature link Comments.

Example URI

GET /indicators/1/signatures/2/comments?limit=500&offset=100&sort=id&with=sources
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources

A comma-separated list of related objects to include in the response. Options for this endpoint: sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 54,
      "object_link_id": 62325,
      "value": "This has some suspicious stuff.",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:19:51",
      "updated_at": "2018-04-02 18:21:06",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 54,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 56,
      "object_link_id": 62325,
      "value": "Compile date: 10/17/2011",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:20:25",
      "updated_at": "2018-04-02 16:20:25",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /indicators/{indicator_id}/signatures/{object_link_id}/comments

Create a new Indicator Signature link Comment.

Example URI

POST /indicators/1/signatures/2/comments
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "id": 69,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 14:12:32",
    "updated_at": "2017-03-02 14:12:32"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Indicator Signature Comment

Get Single
GET /indicators/{indicator_id}/signatures/{object_link_id}/comments/{object_link_comment_id}

Get a single Indicator Signature link Comment.

Example URI

GET /indicators/1/signatures/2/comments/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /indicators/{indicator_id}/signatures/{object_link_id}/comments/{object_link_comment_id}

Update an Indicator Signature link Comment.

Example URI

PUT /indicators/1/signatures/2/comments/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "value": "This is an updated comment.",
    "id": 67,
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-02-28 20:18:50",
    "updated_at": "2017-03-02 14:37:49"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /indicators/{indicator_id}/signatures/{object_link_id}/comments/{object_link_comment_id}

Delete an Indicator Signature link Comment.

Example URI

DELETE /indicators/1/signatures/2/comments/3
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Indicator Sources

Get List
GET /indicators/{indicator_id}/sources{?limit,offset,sort,with}

Get a list of Indicator Sources.

Example URI

GET /indicators/1/sources?limit=500&offset=100&sort=id&with=indicator,tlp
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: indicator,tlp

A comma-separated list of related objects to include in the response. Options for this endpoint: indicator, tlp.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 4,
  "data": [
    {
      "id": 2,
      "indicator_id": 1,
      "source_id": 1,
      "creator_source_id": 5,
      "tlp_id": 2,
      "created_at": "2017-04-17 04:35:35",
      "updated_at": "2017-04-17 04:35:35",
      "published_at": null
    },
    {
      "id": 3,
      "indicator_id": 1,
      "source_id": 6,
      "creator_source_id": 5,
      "tlp_id": null,
      "created_at": "2017-04-17 04:35:35",
      "updated_at": "2017-04-17 04:35:35",
      "published_at": "2017-04-17 04:35:35"
    },
    {
      "id": 1,
      "indicator_id": 1,
      "source_id": 7,
      "creator_source_id": 5,
      "tlp_id": 3,
      "created_at": "2017-04-17 04:35:35",
      "updated_at": "2017-04-17 04:35:35",
      "published_at": "2017-03-17 04:35:35"
    },
    {
      "id": 4,
      "indicator_id": 1,
      "source_id": 8,
      "creator_source_id": 5,
      "tlp_id": null,
      "created_at": "2017-04-17 04:35:35",
      "updated_at": "2017-04-17 04:35:35",
      "published_at": null
    }
  ]
}
Response  401

Access denied.

Create New
POST /indicators/{indicator_id}/sources

Create a new Indicator Source.

Example URI

POST /indicators/1/sources
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Test Source",
  "tlp": {
    "name": "RED"
  }
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 18987,
      "indicator_id": 1,
      "source_id": 10,
      "creator_source_id": 5,
      "tlp_id": 1,
      "created_at": "2017-04-17 09:11:31",
      "updated_at": "2017-04-17 09:11:31",
      "published_at": null,
      "deleted_at": null,
      "existing": 0,
      "name": "Test Source"
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "name": [
          "The name field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.

Indicator Source

Get Single
GET /indicators/{indicator_id}/sources/{indicator_source_id}

Get a single Indicator Source.

Example URI

GET /indicators/1/sources/2
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

indicator_source_id
integer (required) Example: 2

Indicator Source ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "indicator_id": 1,
    "source_id": 13,
    "creator_source_id": 8,
    "tlp_id": 4,
    "created_at": "2018-10-30 20:10:24",
    "updated_at": "2018-10-30 20:10:24",
    "published_at": null
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /indicators/{indicator_id}/sources/{indicator_source_id}

Update an Indicator Source.

Example URI

PUT /indicators/1/sources/2
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

indicator_source_id
integer (required) Example: 2

Indicator Source ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "indicator_id": 1,
    "source_id": 13,
    "creator_source_id": 8,
    "tlp_id": 4,
    "created_at": "2018-10-30 20:10:24",
    "updated_at": "2018-10-30 20:10:24",
    "published_at": null
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /indicators/{indicator_id}/sources/{indicator_source_id}

Delete an Indicator Source.

Example URI

DELETE /indicators/1/sources/2
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

indicator_source_id
integer (required) Example: 2

Indicator Source ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Indicator Tag List

Get List
GET /indicators/{indicator_id}/tags{?limit,offset,sort,with}

Get a list of Indicator Tags.

Example URI

GET /indicators/1/tags?limit=500&offset=100&sort=id&with=indicators
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: indicators

A comma-separated list of related objects to include in the response. Options for this endpoint: indicators.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 1,
      "name": "New Tag Name",
      "pivot": {
        "object_id": 1,
        "tag_id": 1,
        "created_at": "2017-03-02 21:22:02",
        "updated_at": "2017-03-02 21:22:02"
      }
    },
    {
      "id": 2,
      "name": "Another New Tag Name",
      "pivot": {
        "object_id": 1,
        "tag_id": 2,
        "created_at": "2017-03-02 21:24:30",
        "updated_at": "2017-03-02 21:24:30"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /indicators/{indicator_id}/tags

Create a new Indicator Tag.

Example URI

POST /indicators/1/tags
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Tag Name"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 2,
      "name": "Tag Name",
      "pivot": {
        "object_id": 1,
        "tag_id": 2,
        "created_at": "2017-03-02 21:24:30",
        "updated_at": "2017-03-02 21:24:30"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "errors": {
      "name": [
        "The name field is required."
      ]
    }
  }
}
Response  401

Access denied.

Indicator Tag

Get Single
GET /indicators/{indicator_id}/tags/{tag_id}{?with}

Get a single Indicator Tag.

Example URI

GET /indicators/1/tags/2?with=indicators
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

tag_id
integer (required) Example: 2

Tag ID

with
string (optional) Example: indicators

A comma-separated list of related objects to include in the response. Options for this endpoint: indicators.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "name": "Tag Name",
    "pivot": {
      "object_id": 1,
      "tag_id": 1,
      "created_at": "2017-03-02 21:22:02",
      "updated_at": "2017-03-02 21:22:02"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /indicators/{indicator_id}/tags/{tag_id}

Delete an Indicator Tag.

Example URI

DELETE /indicators/1/tags/2
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

tag_id
integer (required) Example: 2

Tag ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Indicator Watchlists

Get Single
GET /indicators/{indicator_id}/watchlist

Get an Indicator in a user’s Watchlist.

Example URI

GET /indicators/1/watchlist
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 1,
  "data": [
    {
      "id": 4,
      "user_id": 1,
      "object_type": "indicator",
      "object_id": 1,
      "created_at": "2017-04-17 10:20:14",
      "updated_at": "2017-04-17 10:20:14",
      "indicator": {
        "id": 1,
        "type_id": 1,
        "status_id": 5,
        "class": "network",
        "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
        "value": "37.139.40.0/21",
        "last_detected_at": "1980-06-05 03:08:01",
        "expires_at": "2017-05-08 00:00:00",
        "expired_at": null,
        "expires_calculated_at": "2017-04-17 04:41:31",
        "created_at": "2017-04-17 04:35:35",
        "updated_at": "2017-04-17 04:41:31",
        "touched_at": "2017-04-17 09:12:13"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /indicators/{indicator_id}/watchlist

Add an Indicator to the user’s Watchlist.

Example URI

POST /indicators/1/watchlist
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

Request
Headers
Authorization: Bearer <access_token>
Body
No Request Body.
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "object_type": "indicator",
    "user_id": 1,
    "object_id": "1",
    "updated_at": "2017-04-17 10:20:14",
    "created_at": "2017-04-17 10:20:14",
    "id": 4
  }
}
Response  401

Access denied.

Indicator Watchlist

Indicator Watchlist
DELETE /indicators/{indicator_id}/watchlist/{watchlist_id}

Remove an Indicator from the user’s Watchlist.

Example URI

DELETE /indicators/1/watchlist/2
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

watchlist_id
integer (required) Example: 2

Watchlist ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Plugins

Plugin List

Get List
GET /plugins{?forceRefresh,limit,offset,sort,with}

Get a list of Plugins (Operations).

Example URI

GET /plugins?forceRefresh=N&limit=500&offset=100&sort=id&with=action,config
URI Parameters
forceRefresh
string (required) Example: N

Can be (Y)es or (N)o. Forces a run of the threatq:plugin-sync command.

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: action,config

A comma-separated list of related objects to include in the response. Options for this endpoint: action, config, objectType.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 1,
      "name": "emerging_threats",
      "friendly_name": "Emerging Threats",
      "description": "Enrichment data from Emerging Threats IQRisk",
      "package_name": "tq-op-emerging-threats",
      "version": "1.0.1",
      "required_threatq_version": "2.1",
      "author": "ThreatQ",
      "logo_path": "EmergingThreats.png",
      "gate_oauth2_client_id": 15,
      "enabled": 0,
      "disable_proxy": 0,
      "created_at": "2021-08-30 13:22:40",
      "updated_at": "2021-08-30 13:22:40",
      "deleted_at": null,
      "is_deletable": true
    },
    {
      "id": 2,
      "name": "domaintools",
      "friendly_name": "Domain Tools",
      "description": "Enrichment data made available by domaintools.com",
      "package_name": "tq-op-domaintools",
      "version": "2.1.0",
      "required_threatq_version": "2.1",
      "author": "ThreatQ",
      "logo_path": "domain_tools_logo.png",
      "gate_oauth2_client_id": 16,
      "enabled": 0,
      "disable_proxy": 0,
      "created_at": "2021-08-30 13:22:41",
      "updated_at": "2021-08-30 13:22:41",
      "deleted_at": null,
      "is_deletable": true
    }
  ]
}
Response  401

Access denied.

Install
POST /plugins

Install a Plugin (Operation).

Example URI

POST /plugins
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
------WebKitFormBoundary4wYlIzdNWPeFgCSn
Content-Disposition: form-data; name="resumableChunkNumber"

1
------WebKitFormBoundary4wYlIzdNWPeFgCSn
Content-Disposition: form-data; name="resumableChunkSize"

1048576
------WebKitFormBoundary4wYlIzdNWPeFgCSn
Content-Disposition: form-data; name="resumableCurrentChunkSize"

3656
------WebKitFormBoundary4wYlIzdNWPeFgCSn
Content-Disposition: form-data; name="resumableTotalSize"

3656
------WebKitFormBoundary4wYlIzdNWPeFgCSn
Content-Disposition: form-data; name="resumableType"

------WebKitFormBoundary4wYlIzdNWPeFgCSn
Content-Disposition: form-data; name="resumableIdentifier"

3656-tq_plugin_all_objects-001-py3-none-anywhl
------WebKitFormBoundary4wYlIzdNWPeFgCSn
Content-Disposition: form-data; name="resumableFilename"

tq_plugin_all_objects-0.0.1-py3-none-any.whl
------WebKitFormBoundary4wYlIzdNWPeFgCSn
Content-Disposition: form-data; name="resumableRelativePath"

tq_plugin_all_objects-0.0.1-py3-none-any.whl
------WebKitFormBoundary4wYlIzdNWPeFgCSn
Content-Disposition: form-data; name="resumableTotalChunks"

1
------WebKitFormBoundary4wYlIzdNWPeFgCSn
Content-Disposition: form-data; name="package"; filename="blob"
Content-Type: application/octet-stream

------WebKitFormBoundary4wYlIzdNWPeFgCSn--
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": "Plugin successfully installed."
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": {
    "package": [
      "The package field is required."
    ]
  }
}
Response  401

Access denied.

Plugin Disable

Plugin Disable
PUT /plugins/{plugin_id}/disable

Disable a Plugin (Operation).

Example URI

PUT /plugins/1/disable
URI Parameters
plugin_id
integer (required) Example: 1

Plugin ID

Request
Headers
Authorization: Bearer <access_token>
Body
No Request Body.
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{}
Response  401

Access denied.

Response  404

Object not found.

Plugin Disable Proxy

Plugin Disable Proxy
PUT /plugins/{plugin_id}/disable-proxy

Disable a Proxy for a Plugin (Operation).

Example URI

PUT /plugins/1/disable-proxy
URI Parameters
plugin_id
integer (required) Example: 1

Plugin ID

Request
Headers
Authorization: Bearer <access_token>
Body
No Request Body.
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{}
Response  401

Access denied.

Response  404

Object not found.

Plugin Enable

Plugin Enable
PUT /plugins/{plugin_id}/enable

Enable a Plugin (Operation).

Example URI

PUT /plugins/1/enable
URI Parameters
plugin_id
integer (required) Example: 1

Plugin ID

Request
Headers
Authorization: Bearer <access_token>
Body
No Request Body.
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{}
Response  401

Access denied.

Response  404

Object not found.

Plugin Enable Proxy

Plugin Enable Proxy
PUT /plugins/{plugin_id}/enable-proxy

Enable a Proxy for a Plugin (Operation).

Example URI

PUT /plugins/1/enable-proxy
URI Parameters
plugin_id
integer (required) Example: 1

Plugin ID

Request
Headers
Authorization: Bearer <access_token>
Body
No Request Body.
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{}
Response  401

Access denied.

Response  404

Object not found.

Plugin Execute

Plugin Execute
POST /plugins/{plugin_id}/execute

Execute a Plugin (Operation).

Example URI

POST /plugins/1/execute
URI Parameters
plugin_id
integer (required) Example: 1

Plugin ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "type": "Indicator",
  "id": "1397",
  "action": "whois"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "markup": {
      "renderer": "multi",
      "horizontal": false,
      "items": [
        {
          "renderer": "h1",
          "text": "Registrant"
        },
        {
          "renderer": "p",
          "text": "best tablet"
        },
        {
          "renderer": "h1",
          "text": "Whois"
        },
        {
          "renderer": "h3",
          "text": "Date"
        },
        {
          "renderer": "p",
          "text": "2017-02-09"
        },
        {
          "renderer": "pre",
          "text": "Domain Name: SHAKHAWATHOSSAIN.COM\nRegistry Domain ID: 1965718890_DOMAIN_COM-VRSN\nRegistrar WHOIS Server: whois.publicdomainregistry.com\nRegistrar URL: www.publicdomainregistry.com\nUpdated Date: 2016-09-19T16:22:40Z\nCreation Date: 2015-10-03T15:02:13Z\nRegistrar Registration Expiration Date: 2017-10-03T15:02:13Z\nRegistrar: PDR Ltd. d/b/a PublicDomainRegistry.com\nRegistrar IANA ID: 303\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\nRegistry Registrant ID: Not Available From Registry\nRegistrant Name: Mohammed Mehedi Hasan\nRegistrant Organization: best tablet\nRegistrant Street: 493 west nakhalpara ,tejgaon , dhaka-1215   \nRegistrant City: Dhaka\nRegistrant State/Province: Tejgaon\nRegistrant Postal Code: 1215\nRegistrant Country: BD\nRegistrant Phone: +880.01776461457\nRegistrant Phone Ext: \nRegistrant Fax: \nRegistrant Fax Ext: \nRegistrant Email: hmehedi896@gmail.com\nRegistry Admin ID: Not Available From Registry\nAdmin Name: Mohammed Mehedi Hasan\nAdmin Organization: best tablet\nAdmin Street: 493 west nakhalpara ,tejgaon , dhaka-1215  \nAdmin City: Dhaka\nAdmin State/Province: Tejgaon\nAdmin Postal Code: 1215\nAdmin Country: BD\nAdmin Phone: +880.01776461457\nAdmin Phone Ext: \nAdmin Fax: \nAdmin Fax Ext: \nAdmin Email: hmehedi896@gmail.com\nRegistry Tech ID: Not Available From Registry\nTech Name: Mohammed Mehedi Hasan\nTech Organization: best tablet\nTech Street: 493 west nakhalpara ,tejgaon , dhaka-1215  \nTech City: Dhaka\nTech State/Province: Tejgaon\nTech Postal Code: 1215\nTech Country: BD\nTech Phone: +880.01776461457\nTech Phone Ext: \nTech Fax: \nTech Fax Ext: \nTech Email: hmehedi896@gmail.com\nName Server: ns1.hostseba.com\nName Server: ns2.hostseba.com\nDNSSEC:Unsigned\nRegistrar Abuse Contact Email: abuse-contact@publicdomainregistry.com\nRegistrar Abuse Contact Phone: +1.2013775952\nURL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/\n",
          "title": "Whois Details"
        }
      ]
    },
    "data": {
      "whois": {
        "record": "Domain Name: SHAKHAWATHOSSAIN.COM\nRegistry Domain ID: 1965718890_DOMAIN_COM-VRSN\nRegistrar WHOIS Server: whois.publicdomainregistry.com\nRegistrar URL: www.publicdomainregistry.com\nUpdated Date: 2016-09-19T16:22:40Z\nCreation Date: 2015-10-03T15:02:13Z\nRegistrar Registration Expiration Date: 2017-10-03T15:02:13Z\nRegistrar: PDR Ltd. d/b/a PublicDomainRegistry.com\nRegistrar IANA ID: 303\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\nRegistry Registrant ID: Not Available From Registry\nRegistrant Name: Mohammed Mehedi Hasan\nRegistrant Organization: best tablet\nRegistrant Street: 493 west nakhalpara ,tejgaon , dhaka-1215   \nRegistrant City: Dhaka\nRegistrant State/Province: Tejgaon\nRegistrant Postal Code: 1215\nRegistrant Country: BD\nRegistrant Phone: +880.01776461457\nRegistrant Phone Ext: \nRegistrant Fax: \nRegistrant Fax Ext: \nRegistrant Email: hmehedi896@gmail.com\nRegistry Admin ID: Not Available From Registry\nAdmin Name: Mohammed Mehedi Hasan\nAdmin Organization: best tablet\nAdmin Street: 493 west nakhalpara ,tejgaon , dhaka-1215  \nAdmin City: Dhaka\nAdmin State/Province: Tejgaon\nAdmin Postal Code: 1215\nAdmin Country: BD\nAdmin Phone: +880.01776461457\nAdmin Phone Ext: \nAdmin Fax: \nAdmin Fax Ext: \nAdmin Email: hmehedi896@gmail.com\nRegistry Tech ID: Not Available From Registry\nTech Name: Mohammed Mehedi Hasan\nTech Organization: best tablet\nTech Street: 493 west nakhalpara ,tejgaon , dhaka-1215  \nTech City: Dhaka\nTech State/Province: Tejgaon\nTech Postal Code: 1215\nTech Country: BD\nTech Phone: +880.01776461457\nTech Phone Ext: \nTech Fax: \nTech Fax Ext: \nTech Email: hmehedi896@gmail.com\nName Server: ns1.hostseba.com\nName Server: ns2.hostseba.com\nDNSSEC:Unsigned\nRegistrar Abuse Contact Email: abuse-contact@publicdomainregistry.com\nRegistrar Abuse Contact Phone: +1.2013775952\nURL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/\n",
        "date": "2017-02-09"
      },
      "registration": {
        "statuses": [
          "clientTransferProhibited"
        ],
        "updated": "2016-09-19",
        "expires": "2017-10-03",
        "created": "2015-10-03",
        "registrar": "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM"
      },
      "name_servers": [
        "NS1.HOSTSEBA.COM",
        "NS2.HOSTSEBA.COM"
      ],
      "record_source": "shakhawathossain.com",
      "parsed_whois": {
        "statuses": [
          "clientTransferProhibited https://icann.org/epp#clientTransferProhibited"
        ],
        "other_properties": {
          "dnssec": "Unsigned",
          "admin_id": "Not Available From Registry",
          "tech_id": "Not Available From Registry",
          "registry_registrant_id": "Not Available From Registry",
          "registry_domain_id": "1965718890_DOMAIN_COM-VRSN"
        },
        "contacts": {
          "admin": {
            "city": "Dhaka",
            "name": "Mohammed Mehedi Hasan",
            "org": "best tablet",
            "fax": "",
            "state": "Tejgaon",
            "postal": "1215",
            "country": "BD",
            "email": "hmehedi896@gmail.com",
            "phone": "88001776461457",
            "street": [
              "493 west nakhalpara ,tejgaon , dhaka-1215"
            ]
          },
          "registrant": {
            "city": "Dhaka",
            "name": "Mohammed Mehedi Hasan",
            "org": "best tablet",
            "fax": "",
            "state": "Tejgaon",
            "postal": "1215",
            "country": "BD",
            "email": "hmehedi896@gmail.com",
            "phone": "88001776461457",
            "street": [
              "493 west nakhalpara ,tejgaon , dhaka-1215"
            ]
          },
          "billing": {
            "city": "",
            "name": "",
            "org": "",
            "fax": "",
            "state": "",
            "postal": "",
            "country": "",
            "email": "",
            "phone": "",
            "street": []
          },
          "tech": {
            "city": "Dhaka",
            "name": "Mohammed Mehedi Hasan",
            "org": "best tablet",
            "fax": "",
            "state": "Tejgaon",
            "postal": "1215",
            "country": "BD",
            "email": "hmehedi896@gmail.com",
            "phone": "88001776461457",
            "street": [
              "493 west nakhalpara ,tejgaon , dhaka-1215"
            ]
          }
        },
        "expired_date": "2017-10-03T15:02:13+00:00",
        "registrar": {
          "name": "PDR Ltd. d/b/a PublicDomainRegistry.com",
          "url": "www.publicdomainregistry.com",
          "abuse_contact_phone": "12013775952",
          "iana_id": "303",
          "abuse_contact_email": "abuse-contact@publicdomainregistry.com",
          "whois_server": "whois.publicdomainregistry.com"
        },
        "updated_date": "2016-09-19T16:22:40+00:00",
        "name_servers": [
          "ns1.hostseba.com",
          "ns2.hostseba.com"
        ],
        "domain": "shakhawathossain.com",
        "created_date": "2015-10-03T15:02:13+00:00"
      },
      "registrant": "best tablet"
    }
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": {
    "type": [
      "The type field is required."
    ],
    "id": [
      "The id field is required."
    ],
    "action": [
      "The action field is required."
    ]
  }
}
Response  401

Access denied.

Response  500

Internal Server Error.

Body
{
  "errors": [
    "indicator type is not accepted by plugin"
  ]
}
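
The error bodies in this reference do not share one shape: field errors appear under data[].errors, under data.errors, or under a top-level errors object, and the 500 response above returns errors as a plain list. The following Python helper is an added example, not part of the ThreatQ API or its client libraries; it flattens all of these shapes into one structure so a client can log and handle failures uniformly. The function names and the "_" bucket for messages not tied to a field are assumptions made for this example.

```python
import json

# Error bodies copied from the response examples in this reference.
SOURCE_400 = {"data": [{"errors": {"name": ["The name field is required."]}}]}
TAG_400 = {"data": {"errors": {"name": ["The name field is required."]}}}
INSTALL_400 = {"errors": {"package": ["The package field is required."]}}
EXECUTE_400 = {"errors": {
    "type": ["The type field is required."],
    "id": ["The id field is required."],
    "action": ["The action field is required."],
}}
EXECUTE_500 = {"errors": ["indicator type is not accepted by plugin"]}

GENERAL = "_"  # hypothetical bucket for messages that name no field


def extract_errors(body):
    """Flatten any of the envelopes above into {field: [messages]}."""
    if isinstance(body, (bytes, str)):
        try:
            body = json.loads(body)
        except ValueError:
            return {GENERAL: ["response body is not valid JSON"]}

    found = {}

    def add(field, messages):
        # A single message may arrive as a bare value instead of a list.
        if not isinstance(messages, list):
            messages = [messages]
        found.setdefault(field, []).extend(str(m) for m in messages)

    def merge(errors):
        if not errors:
            return
        if isinstance(errors, dict):      # {"name": ["..."]}
            for field, messages in errors.items():
                add(str(field), messages)
        else:                             # ["..."] or a bare string
            add(GENERAL, errors)

    def visit(node):
        # "errors" can sit at the top level, inside "data", or inside
        # each element of a "data" array, so walk all three.
        if isinstance(node, dict):
            if "errors" in node:
                merge(node["errors"])
            visit(node.get("data"))
        elif isinstance(node, list):
            for item in node:
                visit(item)

    visit(body)
    return found


def summarize(status, body):
    """One log line per failed call, built only from the response."""
    errors = extract_errors(body)
    if not errors:
        return f"HTTP {status}: no error detail in body"
    parts = []
    for field in sorted(errors):
        label = "general" if field == GENERAL else field
        parts.append(f"{label}: {'; '.join(errors[field])}")
    return f"HTTP {status}: " + " | ".join(parts)


if __name__ == "__main__":
    for status, sample in [(400, SOURCE_400), (400, TAG_400),
                           (400, INSTALL_400), (400, EXECUTE_400),
                           (500, EXECUTE_500)]:
        print(summarize(status, sample))
```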

Plugin

Get Single
GET /plugins/{plugin_id}{?with}

Get a single Plugin (Operation).

Example URI

GET /plugins/1?with=action,config
URI Parameters
plugin_id
integer (required) Example: 1

Plugin ID

with
string (optional) Example: action,config

A comma-separated list of related objects to include in the response. Options for this endpoint: action, config, objectType.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 3,
    "name": "domaintools",
    "friendly_name": "Domain Tools",
    "description": "Enrichment data made available by domaintools.com",
    "package_name": "threatq-pynoceros",
    "version": "0.0.1",
    "required_threatq_version": "2.1",
    "author": "ThreatQ",
    "logo_path": "dt_gear_logo_g.png",
    "enabled": 0,
    "disable_proxy": 0,
    "created_at": "2017-04-18 21:25:33",
    "updated_at": "2017-04-18 21:25:33",
    "deleted_at": null
  }
}
Response  401

Access denied.

Response  404

Object not found.

Uninstall
DELETE /plugins/{plugin_id}

Uninstall a Plugin (Operation).

Example URI

DELETE /plugins/1
URI Parameters
plugin_id
integer (required) Example: 1

Plugin ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Plugin Actions List

Plugin Actions List
GET /plugins/{plugin_id}/actions{?limit,offset,sort,with}

Get a list of Plugin (Operation) Actions.

Example URI

GET /plugins/1/actions?limit=500&offset=100&sort=id&with=objectType
URI Parameters
plugin_id
integer (required) Example: 1

Plugin ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: objectType

A comma-separated list of related objects to include in the response. Options for this endpoint: objectType.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 1,
      "plugin_id": 1,
      "name": "reverse_ip",
      "description": "Reverse IP lookup",
      "logo_path": "DomainToolsReverseIp.png",
      "created_at": "2017-04-19 00:59:36",
      "updated_at": "2017-04-19 00:59:36"
    },
    {
      "id": 2,
      "plugin_id": 1,
      "name": "whois",
      "description": "Whois lookup",
      "logo_path": "DomainToolsWhois.png",
      "created_at": "2017-04-19 00:59:36",
      "updated_at": "2017-04-19 00:59:36"
    }
  ]
}
Response  401

Access denied.

Plugin Action

Plugin Action
GET /plugins/{plugin_id}/actions/{plugin_action_id}{?with}

Get a single Plugin (Operation) Action.

Example URI

GET /plugins/1/actions/2?with=objectType
URI Parameters
plugin_id
integer (required) Example: 1

Plugin ID

plugin_action_id
integer (required) Example: 2

Plugin Action ID

with
string (optional) Example: objectType

A comma-separated list of related objects to include in the response. Options for this endpoint: objectType.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "plugin_id": 1,
    "name": "reverse_ip",
    "description": "Reverse IP lookup",
    "logo_path": "DomainToolsReverseIp.png",
    "created_at": "2017-04-19 00:59:36",
    "updated_at": "2017-04-19 00:59:36"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Plugin Configuration List

Get List
GET /plugins/{plugin_id}/config{?limit,offset,sort}

Get a list of Plugin (Operation) Configurations.

Example URI

GET /plugins/1/config?limit=500&offset=100&sort=id
URI Parameters
plugin_id
integer (required) Example: 1

Plugin ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 3,
  "data": [
    {
      "id": 1,
      "plugin_id": 3,
      "key": "string_value",
      "value": "",
      "type": "text",
      "options": null,
      "user_editable": 1,
      "created_at": "2017-10-11 14:59:07",
      "updated_at": "2017-10-11 14:59:07",
      "mask": false
    },
    {
      "id": 2,
      "plugin_id": 3,
      "key": "password_value",
      "value": "",
      "type": "password",
      "options": null,
      "user_editable": 1,
      "created_at": "2017-10-11 14:59:07",
      "updated_at": "2017-10-11 14:59:07",
      "mask": true
    },
    {
      "id": 3,
      "plugin_id": 3,
      "key": "textarea_value",
      "value": "",
      "type": "textarea",
      "options": null,
      "user_editable": 1,
      "created_at": "2017-10-11 14:59:07",
      "updated_at": "2017-10-11 14:59:07",
      "mask": false
    }
  ]
}
Response  401

Access denied.
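
Each configuration entry in the response above carries a type and a mask flag, and the password entry is the only one returned with mask set to true. The following Python audit is an added example, not ThreatQ code; it flags entries that look like credentials but are not masked. It assumes that mask marks a value to be hidden from display, which this reference does not state, and the key-name pattern and the two extra sample entries are constructed for the example.

```python
import re

# Key names that usually hold credentials (heuristic chosen for this example).
SECRET_KEY_HINT = re.compile(
    r"pass(word|wd)?|secret|token|api[_-]?key|credential", re.IGNORECASE
)

# Entries 1-3 mirror the response above (timestamps omitted);
# entries 4 and 5 are constructed to show the two failure cases.
SAMPLE = {
    "total": 5,
    "data": [
        {"id": 1, "plugin_id": 3, "key": "string_value", "value": "",
         "type": "text", "user_editable": 1, "mask": False},
        {"id": 2, "plugin_id": 3, "key": "password_value", "value": "",
         "type": "password", "user_editable": 1, "mask": True},
        {"id": 3, "plugin_id": 3, "key": "textarea_value", "value": "",
         "type": "textarea", "user_editable": 1, "mask": False},
        {"id": 4, "plugin_id": 3, "key": "api_key", "value": "constructed",
         "type": "text", "user_editable": 1, "mask": False},
        {"id": 5, "plugin_id": 3, "key": "proxy_password", "value": "constructed",
         "type": "password", "user_editable": 1, "mask": 0},
    ],
}


def entries(envelope):
    """Accept both envelopes: a list (Get List) or one object (Get Single)."""
    data = envelope.get("data")
    if isinstance(data, dict):
        return [data]
    return list(data or [])


def audit_masking(envelope):
    """Return findings for credential-like entries whose mask flag is off.

    The stored value is deliberately left out of the findings so the
    audit output can be logged or ticketed without leaking a secret.
    """
    findings = []
    for entry in entries(envelope):
        key = str(entry.get("key", ""))
        reasons = []
        if entry.get("type") == "password":
            reasons.append("type is password")
        if SECRET_KEY_HINT.search(key):
            reasons.append("key name suggests a credential")
        # mask appears as true/false here and as 0 in a 400 body, so test truthiness.
        if reasons and not entry.get("mask"):
            findings.append({
                "id": entry.get("id"),
                "plugin_id": entry.get("plugin_id"),
                "key": key,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_masking(SAMPLE):
        print(finding)
```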

Create New
POST /plugins/{plugin_id}/config

Create a new Plugin (Operation) Configuration.

Example URI

POST /plugins/1/config
URI Parameters
plugin_id
integer (required) Example: 1

Plugin ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "key": "test_key",
  "value": "test_value",
  "type": "text",
  "options": "[{\"default\":false,\"value\":\"Sure Thing, Boss\",\"text\":\"Sure Thing, Boss\"},{\"default\":false,\"value\":\"okay\",\"text\":\"That Sounds okay\"},{\"default\":false,\"value\":\"wow\",\"text\":\"Wait, what?!\"}]"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "value": "test_value",
    "type": "text",
    "user_editable": 1,
    "plugin_id": 3,
    "key": "test_key",
    "options": "[{\"default\":false,\"value\":\"Sure Thing, Boss\",\"text\":\"Sure Thing, Boss\"},{\"default\":false,\"value\":\"okay\",\"text\":\"That Sounds okay\"},{\"default\":false,\"value\":\"wow\",\"text\":\"Wait, what?!\"}]",
    "updated_at": "2017-10-11 15:16:04",
    "created_at": "2017-10-11 15:16:04",
    "id": 12,
    "mask": false
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "value": "",
    "mask": 0,
    "user_editable": 1,
    "plugin_id": "1",
    "errors": {
      "key": [
        "The key field is required."
      ]
    }
  }
}
Response  401

Access denied.

Plugin Configuration

Get Single
GET /plugins/{plugin_id}/config/{plugin_config_id}

Get a single Plugin (Operation) Configuration.

Example URI

GET /plugins/1/config/2
URI Parameters
plugin_id
integer (required) Example: 1

Plugin ID

plugin_config_id
integer (required) Example: 2

Plugin Configuration ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 10,
    "plugin_id": 4,
    "key": "radio_value",
    "value": "",
    "type": "radio",
    "options": "[{\"text\":\"Radio 1\",\"value\":\"Radio 1\",\"default\":false},{\"text\":\"Radio 2\",\"value\":\"Radio 2\",\"default\":false},{\"text\":\"Radio 3\",\"value\":\"Radio 3\",\"default\":false}]",
    "user_editable": 1,
    "created_at": "2017-10-11 19:46:13",
    "updated_at": "2017-10-11 19:46:13",
    "mask": false
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /plugins/{plugin_id}/config/{plugin_config_id}

Update a Plugin (Operation) Configuration.

Example URI

PUT /plugins/1/config/2
URI Parameters
plugin_id
integer (required) Example: 1

Plugin ID

plugin_config_id
integer (required) Example: 2

Plugin Configuration ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "updated_test_value"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 11,
    "plugin_id": 4,
    "key": "boolean_value",
    "value": "updated_test_value",
    "type": "checkbox",
    "options": null,
    "user_editable": 1,
    "created_at": "2017-10-11 19:46:13",
    "updated_at": "2017-10-11 19:53:16",
    "mask": false
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /plugins/{plugin_id}/config/{plugin_config_id}

Delete a Plugin (Operation) Configuration.

Example URI

DELETE /plugins/1/config/2
URI Parameters
plugin_id
integer (required) Example: 1

Plugin ID

plugin_config_id
integer (required) Example: 2

Plugin Configuration ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Plugin Object Types List

Plugin Object Types List
GET /plugins/{plugin_id}/object_types{?limit,offset,sort}

Get a list of Plugin (Operation) Object Types.

Example URI

GET /plugins/1/object_types?limit=500&offset=100&sort=id
URI Parameters
plugin_id
integer (required) Example: 1

Plugin ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 3,
  "data": [
    {
      "id": 1,
      "plugin_id": 1,
      "action_id": 1,
      "object_type": "indicator",
      "object_type_id": 7,
      "created_at": "2017-04-19 00:59:36",
      "updated_at": "2017-04-19 00:59:36"
    },
    {
      "id": 2,
      "plugin_id": 1,
      "action_id": 2,
      "object_type": "indicator",
      "object_type_id": 7,
      "created_at": "2017-04-19 00:59:36",
      "updated_at": "2017-04-19 00:59:36"
    },
    {
      "id": 3,
      "plugin_id": 1,
      "action_id": 2,
      "object_type": "indicator",
      "object_type_id": 10,
      "created_at": "2017-04-19 00:59:36",
      "updated_at": "2017-04-19 00:59:36"
    }
  ]
}
Response  401

Access denied.

Plugin Object Type

Plugin Object Type
GET /plugins/{plugin_id}/object_types/{plugin_object_type_id}

Get a single Plugin (Operation) Object Type.

Example URI

GET /plugins/1/object_types/2
URI Parameters
plugin_id
integer (required) Example: 1

Plugin ID

plugin_object_type_id
integer (required) Example: 2

Plugin Object Type ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "plugin_id": 1,
    "action_id": 1,
    "object_type": "indicator",
    "object_type_id": 7,
    "created_at": "2017-04-19 00:59:36",
    "updated_at": "2017-04-19 00:59:36"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Reports

Adversary Indicator Distribution

Adversary Indicator Distribution
GET /reports/adversaries/indicator-distribution

Get an Indicator count for each Adversary.

Example URI

GET /reports/adversaries/indicator-distribution
Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 186,
  "data": [
    {
      "id": 2,
      "name": "AMOROUS PANDA",
      "indicators": 107
    },
    {
      "id": 73,
      "name": "Kaptoxa",
      "indicators": 104
    },
    {
      "id": 134,
      "name": "Russian Business Network",
      "indicators": 104
    },
    {
      "id": 11,
      "name": "BERSERK BEAR",
      "indicators": 102
    }
    ...
  ]
}
Response  401

Access denied.

Adversary Indicators

Adversary Indicators
GET /reports/adversaries/indicators{?limit,offset,sort}

Get a list of Adversaries per Indicator.

Example URI

GET /reports/adversaries/indicators?limit=500&offset=100&sort=id
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 5019,
  "data": [
    {
      "id": 1,
      "type_id": 1,
      "status_id": 4,
      "class": "network",
      "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
      "value": "37.139.40.0/21",
      "last_detected_at": "2006-03-09 02:23:09",
      "expires_at": null,
      "expired_at": null,
      "expires_calculated_at": null,
      "created_at": "2017-04-27 20:54:12",
      "updated_at": "2017-04-27 20:54:12",
      "touched_at": "2017-04-27 20:56:05",
      "adversaries": [
        {
          "id": 70,
          "name": "IXESHE",
          "created_at": "2017-04-06 17:42:05",
          "updated_at": "2017-04-06 17:42:05",
          "touched_at": "2017-04-27 20:56:06",
          "pivot": {
            "id": 15030,
            "created_at": "2017-01-30 15:36:49",
            "updated_at": "2017-04-27 20:55:47"
          }
        },
        {
          "id": 87,
          "name": "Mahdi",
          "created_at": "2017-03-20 18:59:14",
          "updated_at": "2017-03-20 18:59:14",
          "touched_at": "2017-04-27 20:56:06",
          "pivot": {
            "id": 15031,
            "created_at": "2017-04-14 09:22:31",
            "updated_at": "2017-04-27 20:55:47"
          }
        },
        {
          "id": 157,
          "name": "SUNRISE PANDA",
          "created_at": "2017-04-02 17:50:44",
          "updated_at": "2017-04-02 17:50:44",
          "touched_at": "2017-04-27 20:56:06",
          "pivot": {
            "id": 15032,
            "created_at": "2017-03-09 03:20:32",
            "updated_at": "2017-04-27 20:55:47"
          }
        }
      ],
      "type": {
        "id": 1,
        "name": "CIDR Block",
        "class": "network",
        "score": null,
        "wildcard_matching": "Y",
        "created_at": "2017-04-27 20:53:33",
        "updated_at": "2017-04-27 20:53:33"
      }
    },
    {
      "id": 2,
      "type_id": 1,
      "status_id": 1,
      "class": "network",
      "hash": "0c7ec33474db30aa8f160840768a7adc",
      "value": "62.76.40.0/21",
      "last_detected_at": "1992-10-07 14:39:58",
      "expires_at": null,
      "expired_at": null,
      "expires_calculated_at": null,
      "created_at": "2017-04-27 20:54:12",
      "updated_at": "2017-04-27 20:54:12",
      "touched_at": "2017-04-27 20:56:03",
      "adversaries": [
        {
          "id": 71,
          "name": "J41",
          "created_at": "2017-03-09 13:35:58",
          "updated_at": "2017-03-09 13:35:58",
          "touched_at": "2017-04-27 20:56:06",
          "pivot": {
            "id": 15033,
            "created_at": "2017-02-24 06:43:58",
            "updated_at": "2017-04-27 20:55:47"
          }
        },
        {
          "id": 95,
          "name": "Natty Dropper",
          "created_at": "2017-02-23 12:49:08",
          "updated_at": "2017-02-23 12:49:08",
          "touched_at": "2017-04-27 20:56:06",
          "pivot": {
            "id": 15034,
            "created_at": "2017-01-28 11:10:28",
            "updated_at": "2017-04-27 20:55:47"
          }
        }
      ],
      "type": {
        "id": 1,
        "name": "CIDR Block",
        "class": "network",
        "score": null,
        "wildcard_matching": "Y",
        "created_at": "2017-04-27 20:53:33",
        "updated_at": "2017-04-27 20:53:33"
      }
    },
    {
      "id": 6,
      "type_id": 1,
      "status_id": 1,
      "class": "network",
      "hash": "c29d544c60ea24c8aaa4d7bb8e628938",
      "value": "62.76.184.0/21",
      "last_detected_at": "1984-01-08 10:49:41",
      "expires_at": null,
      "expired_at": null,
      "expires_calculated_at": null,
      "created_at": "2017-04-27 20:54:12",
      "updated_at": "2017-04-27 20:54:12",
      "touched_at": "2017-04-27 20:56:04",
      "adversaries": [
        {
          "id": 78,
          "name": "LiveSafe",
          "created_at": "2017-02-21 13:30:25",
          "updated_at": "2017-02-21 13:30:25",
          "touched_at": "2017-04-27 20:56:06",
          "pivot": {
            "id": 15038,
            "created_at": "2017-03-23 00:25:26",
            "updated_at": "2017-04-27 20:55:47"
          }
        },
        {
          "id": 151,
          "name": "Sofacy",
          "created_at": "2017-03-31 14:40:20",
          "updated_at": "2017-03-31 14:40:20",
          "touched_at": "2017-04-27 20:56:06",
          "pivot": {
            "id": 15039,
            "created_at": "2017-03-15 07:27:26",
            "updated_at": "2017-04-27 20:55:47"
          }
        }
      ],
      "type": {
        "id": 1,
        "name": "CIDR Block",
        "class": "network",
        "score": null,
        "wildcard_matching": "Y",
        "created_at": "2017-04-27 20:53:33",
        "updated_at": "2017-04-27 20:53:33"
      }
    }
  ]
}
Response  401

Access denied.

Adversary Audit Log

Adversary Audit Log
GET /reports/adversaries/{adversary_id}/auditlog{?filter,limit,offset}

Get an Adversary’s Audit Log.

Example URI

GET /reports/adversaries/1/auditlog?filter=attributes&limit=500&offset=100
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

filter
string (optional) Example: attributes

The relation you wish to filter by.

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 188,
  "data": [
    {
      "object_type": "source",
      "fieldname": "source",
      "event_type": "added",
      "value": {
        "id": "8",
        "name": "Customer Observer"
      },
      "source": {
        "id": 5,
        "name": "Threat Quotient"
      },
      "changed_at": "2017-04-27 20:56:06.558"
    },
    {
      "object_type": "link",
      "fieldname": "event",
      "event_type": "linked",
      "value": {
        "id": 530,
        "type": {
          "id": 3,
          "name": "SQL Injection Attack"
        },
        "value": "SQL - &pzDkeL/cAuK+M@"
      },
      "source": {
        "id": 5,
        "name": "Threat Quotient"
      },
      "changed_at": "2017-04-27 20:56:06.445"
    },
    {
      "object_type": "link",
      "fieldname": "event",
      "event_type": "linked",
      "value": {
        "id": 563,
        "type": {
          "id": 3,
          "name": "SQL Injection Attack"
        },
        "value": "SQL - 2:;<^QZ1[%}+XY5~AH@{q"
      },
      "source": {
        "id": 5,
        "name": "Threat Quotient"
      },
      "changed_at": "2017-04-27 20:56:06.445"
    }
  ]
}
Response  401

Access denied.
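
The limit and offset parameters and the total field in the response can be combined to pull a complete audit trail for review. The following is an added example, not ThreatQuotient code: it assumes offset is a zero-based record index and that total counts all matching records; fetch_page, iter_audit_log, summarize and the sample records are hypothetical names and constructed data.

```python
import json
import urllib.parse
import urllib.request
from collections import Counter


def fetch_page(base_uri, token, adversary_id, limit, offset, relation=None):
    """GET one page of /reports/adversaries/{adversary_id}/auditlog.

    base_uri is the documented base, e.g. "https://hostname/api".
    """
    params = {"limit": limit, "offset": offset}
    if relation is not None:
        params["filter"] = relation  # e.g. "attributes"
    url = "{}/reports/adversaries/{}/auditlog?{}".format(
        base_uri.rstrip("/"), int(adversary_id), urllib.parse.urlencode(params)
    )
    request = urllib.request.Request(
        url, headers={"Authorization": "Bearer " + token}
    )
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


def iter_audit_log(get_page, limit=500, max_records=100000):
    """Yield every audit record, page by page.

    get_page(limit, offset) returns the decoded response envelope.
    Assumption: offset is a zero-based record index. Paging stops when
    `total` is reached, on an empty or short page, or at max_records.
    """
    offset = 0
    while offset < max_records:
        envelope = get_page(limit, offset)
        records = envelope.get("data") or []
        if not isinstance(records, list):
            raise ValueError("expected a collection in 'data'")
        for record in records:
            yield record
        offset += len(records)
        total = envelope.get("total")
        if not records or len(records) < limit:
            return
        if isinstance(total, int) and offset >= total:
            return


def summarize(records):
    """Count audit entries per (object_type, event_type) pair."""
    return Counter((r.get("object_type"), r.get("event_type")) for r in records)


# Constructed sample, trimmed from the response body shown above.
SAMPLE_LOG = [
    {"object_type": "source", "fieldname": "source", "event_type": "added",
     "changed_at": "2017-04-27 20:56:06.558"},
    {"object_type": "link", "fieldname": "event", "event_type": "linked",
     "changed_at": "2017-04-27 20:56:06.445"},
    {"object_type": "link", "fieldname": "event", "event_type": "linked",
     "changed_at": "2017-04-27 20:56:06.445"},
]


def sample_get_page(limit, offset):
    """Offline stand-in for fetch_page that serves SAMPLE_LOG in slices."""
    return {"total": len(SAMPLE_LOG), "data": SAMPLE_LOG[offset:offset + limit]}


# Against a live instance (placeholders for hostname and token):
#   page = lambda limit, offset: fetch_page(
#       "https://hostname/api", "<access_token>", 1, limit, offset)
#   print(summarize(iter_audit_log(page)))
```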

Adversary Summary

Adversary Summary
GET /reports/adversaries/{adversary_id}/summary

Get a summary of an Adversary’s relations.

Example URI

GET /reports/adversaries/1/summary
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "name": "Alias",
      "title": "Alias",
      "total": 0
    },
    {
      "name": "Event",
      "title": "Event",
      "total": 11
    },
    {
      "name": "Indicator",
      "title": "Indicator",
      "total": 87
    },
    {
      "name": "Adversary",
      "title": "Adversary",
      "total": 0
    },
    {
      "name": "Source",
      "title": "Source",
      "total": 1
    }
  ]
}
Response  401

Access denied.

Adversary Timeline

Adversary Timeline
GET /reports/adversaries/{adversary_id}/timeline

Get a breakdown by day of an Adversary’s relations.

Example URI

GET /reports/adversaries/1/timeline
URI Parameters
adversary_id
integer (required) Example: 1

Adversary ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 62,
  "data": {
    "2017-04-26": [
      {
        "objectlink_id": 61266,
        "object_id": 30,
        "event_date": "2017-04-26",
        "action": "Linked",
        "datetime": "2017-04-26 03:32:17",
        "details": "",
        "name": "",
        "source": "Source 1",
        "type": "Event",
        "value": null
      }
    ],
    "2017-04-25": [
      {
        "objectlink_id": 62014,
        "object_id": 413,
        "event_date": "2017-04-25",
        "action": "Linked",
        "datetime": "2017-04-25 13:35:42",
        "details": "",
        "name": "",
        "source": "Threat Quotient",
        "type": "Event",
        "value": null
      }
    ],
    "2017-04-24": [
      {
        "objectlink_id": 27734,
        "object_id": 6432,
        "event_date": "2017-04-24",
        "action": "Linked",
        "datetime": "2017-04-24 20:22:54",
        "details": null,
        "name": "",
        "source": "Source 2",
        "type": "Indicator",
        "value": "prueba"
      },
      {
        "objectlink_id": 19136,
        "object_id": 2062,
        "event_date": "2017-04-24",
        "action": "Linked",
        "datetime": "2017-04-24 11:15:08",
        "details": null,
        "name": "",
        "source": "Source 1",
        "type": "Indicator",
        "value": "icppwkeqm.exe"
      }
    ],
    ...
  }
}
Response  401

Access denied.

Reports - Attachments

Attachment Audit Log

Attachment Audit Log
GET /reports/attachments/{attachment_id}/auditlog{?filter,limit,offset}

Get an Attachment’s Audit Log.

Example URI

GET /reports/attachments/1/auditlog?filter=attributes&limit=500&offset=100
URI Parameters
attachment_id
integer (required) Example: 1

Attachment ID

filter
string (optional) Example: attributes

The relation you wish to filter by.

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 5541,
  "data": [
    {
      "object_type": "link",
      "fieldname": "event",
      "event_type": "linked",
      "value": {
        "id": 487,
        "type": {
          "id": 3,
          "name": "SQL Injection Attack"
        },
        "value": "SQL - oxq_kqCuTY%O"
      },
      "source": {
        "id": 5,
        "name": "Threat Quotient"
      },
      "changed_at": "2017-04-27 20:56:06.093"
    },
    {
      "object_type": "link",
      "fieldname": "event",
      "event_type": "linked",
      "value": {
        "id": 488,
        "type": {
          "id": 3,
          "name": "SQL Injection Attack"
        },
        "value": "SQL - L^9lObqf^`>x"
      },
      "source": {
        "id": 5,
        "name": "Threat Quotient"
      },
      "changed_at": "2017-04-27 20:56:06.093"
    },
    {
      "object_type": "link",
      "fieldname": "event",
      "event_type": "linked",
      "value": {
        "id": 489,
        "type": {
          "id": 3,
          "name": "SQL Injection Attack"
        },
        "value": "SQL - >T[G;)N>Wu"
      },
      "source": {
        "id": 5,
        "name": "Threat Quotient"
      },
      "changed_at": "2017-04-27 20:56:06.093"
    }
  ]
}
Response  401

Access denied.

Attribute Indicator Count

Attribute Indicator Count
GET /reports/attributes/attribute-indicator-counts{?class}

Get an Indicator count for each Attribute.

Example URI

GET /reports/attributes/attribute-indicator-counts?class=network
URI Parameters
class
string (optional) Example: network

Indicator class. Options are network or host.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 98,
  "data": [
    {
      "id": 54,
      "name": "MD5",
      "total_indicators": 253
    },
    {
      "id": 41,
      "name": "Fuzzy Hash",
      "total_indicators": 243
    },
    {
      "id": 82,
      "name": "Source",
      "total_indicators": 241
    },
    {
      "id": 44,
      "name": "IQRisk Category",
      "total_indicators": 240
    },
    ...
  ]
}
Response  401

Access denied.

Attribute Value Count

Attribute Value Count
GET /reports/attributes/attribute-value-counts{?attribute_id,class}

Get an Indicator count for each value of an Attribute.

Example URI

GET /reports/attributes/attribute-value-counts?attribute_id=1&class=network
URI Parameters
attribute_id
integer (required) Example: 1

Attribute ID

class
string (optional) Example: network

Indicator class. Options are network or host.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 397,
  "data": [
    {
      "value": "small",
      "total_indicators": 2
    },
    {
      "value": "sc.exe",
      "total_indicators": 2
    },
    {
      "value": "PSW.Agent.AZYF",
      "total_indicators": 2
    },
    {
      "value": "NSIS%3ABitCoinMiner-G+%5BTrj%5D",
      "total_indicators": 2
    },
    ...
  ]
}
Response  401

Access denied.

Reports - Configuration

Configuration CPU Usage

Configuration CPU Usage
GET /reports/configuration/cpu-usage

Get the current CPU usage for your ThreatQ instance. A negative value for the “Other” category is an indicator that the CPU is maxed out and that there are processes still waiting for cycles.

Example URI

GET /reports/configuration/cpu-usage
Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "date": 1493396385000,
    "value": 100
  }
}
Response  401

Access denied.

Configuration Memory Usage

Configuration Memory Usage
GET /reports/configuration/memory-usage

Get the current memory usage for your ThreatQ instance.

Example URI

GET /reports/configuration/memory-usage
Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "date": 1493416635000,
    "value": 32.0366
  }
}
Response  401

Access denied.

Configuration Top CPU Processes

Configuration Top CPU Processes
GET /reports/configuration/top-cpu-processes

Get the top CPU processes for your ThreatQ instance.

Example URI

GET /reports/configuration/top-cpu-processes
Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "Connectors and Consumers": 0,
    "Database": 0,
    "Application Server": 1.7,
    "Broker Server": 0,
    "Other": 98.3
  }
}
Response  401

Access denied.

Configuration Top Memory Processes

Configuration Top Memory Processes
GET /reports/configuration/top-memory-processes

Get the top memory processes for your ThreatQ instance.

Example URI

GET /reports/configuration/top-memory-processes
Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "Connectors and Consumers": 0,
    "Database": 0,
    "Application Server": 4,
    "Broker Server": 0,
    "Other": 96
  }
}
Response  401

Access denied.

Configuration Version

Configuration Version
GET /reports/configuration/version

Get the version of your ThreatQ instance.

Example URI

GET /reports/configuration/version
Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "version": "125-301a68f8c0ab4d0d9aef1466bcf8beb3a981835b"
  }
}
Response  401

Access denied.

Reports - Events

Event Monthly Spearphish Adversaries

Event Monthly Spearphish Adversaries
GET /reports/events/adversary-spearphish-monthly{?start,end}

Get a list of Spearphish Event Adversary counts by month.

Example URI

GET /reports/events/adversary-spearphish-monthly?start=2017-01-01&end=2017-01-31
URI Parameters
start
string (required) Example: 2017-01-01

The start date. Format should be YYYY-MM-DD.

end
string (required) Example: 2017-01-31

The end date. Format should be YYYY-MM-DD.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "2017": {
    "2": {
      "AMOROUS PANDA": "2",
      "ANCHOR PANDA": "2",
      "ANDROMEDA SPIDER": "1",
      "APT NineBlog": "1",
      "APT1": "4",
      "APT12": "3",
      "AURORA PANDA": "1",
      "Backdoor-DOI": "2",
      "BbsSearch": "2",
      "BERSERK BEAR": "3",
      "Blackshades RAT": "2",
      "BlacksunRAT": "1",
      "BOULDER BEAR": "3",
      "Buckshot Yankee": "2",
      "Centerfielder": "1",
      "CHARMING KITTEN": "2",
      "Clever Kitten": "1",
      "CNSCalc": "4",
      "Comfoo": "4",
      "Crimeware": "5",
      "CUTTING KITTEN": "1",
      "CyService": "3",
      "DAGGER PANDA": "2",
      "DarkSeoul": "3",
      "DEADEYE JACKAL": "2",
      "DEEP PANDA": "1",
      "DerelicteCampaign": "3",
      "DestroyRAT": "1",
      "DNSCalc": "1",
      "DoubleO": "1",
      "Elderwood": "3",
      "ELECTRIC PANDA": "1",
      "ENERGETIC BEAR": "1",
      "EVANESCENT BAT": "3",
      "FakeM RAT": "2",
      "FANCY BEAR": "2",
      "FinFisher": "1",
      "FLYING KITTEN": "2",
      "Gauss": "1",
      "GIBBERISH PANDA": "1",
      "GOTHIC PANDA": "1",
      "GTA Panda": "2",
      "Guiwang": "1",
      "HURRICANE PANDA": "3",
      "IMPERSONATING PANDA": "3",
      "InternalCluster2": "2",
      "InternalCluster3": "3",
      "InternalIceyPeach": "2",
      "InternalTEAM BAT": "2",
      "iSun": "1",
      "J41": "2",
      "Kaptoxa": "1",
      "KEYHOLE PANDA": "4",
      "Kimsuky Operation": "1",
      "Korplug": "3",
      "LiveSafe": "2",
      "LookPro": "3",
      "LOTUS PANDA": "1",
      "Luckycat": "1",
      "LunarEclipse": "2",
      "Lurk": "1",
      "MAGIC KITTEN": "1",
      "Mahdi": "2",
      "Maltego": "1",
      "Melody": "1",
      "Mirage": "2",
      "MNkit": "2",
      "Namihno": "2",
      "Natty Dropper": "3",
      "NetEagleScount": "3",
      "NetTraveler": "2",
      "Newscaster": "2",
      "Nick": "3",
      "Night Dragon": "2",
      "NIGHTSHADE PANDA": "1",
      "Nitro": "2",
      "NjW0rm": "5",
      "NUMBERED PANDA": "3",
      "OldCarp": "1",
      "Operation Arachnophobia": "2",
      "Operation Beebus": "2",
      "Operation DeputyDog": "2",
      "Operation Ephemeral Hydra": "1",
      "Operation High Roller": "1",
      "Operation Molerats": "2",
      "Operation Saffron Rose": "1",
      "Operation Stteam": "1",
      "Operation Windigo": "3",
      "OpLastResort": "1",
      "PCShare": "2",
      "PipCreat": "4",
      "PITTY PANDA": "1",
      "POISONOUS PANDA": "1",
      "PUPPET PANDA": "2",
      "PUTTER PANDA": "1",
      "Quarian": "1",
      "RADIO PANDA": "2",
      "Rainflow": "2",
      "ROCKET KITTEN": "3",
      "Russian Business Network": "2",
      "SABRE PANDA": "3",
      "Samurai Panda": "2",
      "SB-PHP": "2",
      "Searchfire": "2",
      "Seinup": "2",
      "SetOut": "1",
      "Shamoon": "1",
      "SilverViper": "2",
      "smkdwn": "3",
      "Smoaler": "2",
      "Snake": "1",
      "Sofacy": "1",
      "SPICY PANDA": "1",
      "Stactivex": "1",
      "STONE PANDA": "1",
      "Stonecarver": "1",
      "StubbyRAT": "3",
      "SUNRISE PANDA": "1",
      "Sunshop Campaign": "4",
      "Sykipot": "2",
      "TACBOT": "1",
      "Taidoor": "3",
      "TCAMPAIGN": "3",
      "TEAM BEAR": "1",
      "TEMPER PANDA": "1",
      "th3bug": "1",
      "The Careto": "1",
      "TieOnJoe": "5",
      "TOXIC PANDA": "2",
      "Tranchulas": "2",
      "Unattributed": "1",
      "UNION PANDA": "1",
      "VENOMOUS BEAR": "1",
      "VICEROY TIGER": "1",
      "VIOLIN PANDA": "1",
      "VIXEN PANDA": "2",
      "VOHO": "1",
      "WET PANDA": "3",
      "WildHorse": "2",
      "Winnti": "1",
      "XinMic": "1",
      "Zegost": "2",
      "ZipToken": "1"
    },
    "3": {
      "Advanced Pawn": "4",
      "AMOROUS PANDA": "2",
      "ANCHOR PANDA": "2",
      "ANDROMEDA SPIDER": "3",
      "APT NineBlog": "1",
      "APT1": "1",
      "AURORA PANDA": "2",
      "BbsSearch": "1",
      "BERSERK BEAR": "2",
      "Blackshades RAT": "4",
      "BlacksunRAT": "1",
      "Blade2009Rick": "1",
      "Buckshot Yankee": "2",
      "Clever Kitten": "1",
      "CNSCalc": "2",
      "ComeON": "3",
      "Comment Crew": "2",
      "CTRLVIP": "1",
      "CUTTING KITTEN": "3",
      "CyService": "1",
      "DAGGER PANDA": "3",
      "DarkSeoul": "2",
      "DEEP PANDA": "2",
      "DNSCalc": "2",
      "DYNAMITE PANDA": "2",
      "Elderwood": "1",
      "ELECTRIC PANDA": "1",
      "EMISSARY PANDA": "2",
      "ENERGETIC BEAR": "2",
      "EXTREME JACKAL": "1",
      "FANCY BEAR": "1",
      "FinFisher": "2",
      "FLYING KITTEN": "1",
      "Gauss": "1",
      "Gh0stRAT": "2",
      "GIBBERISH PANDA": "1",
      "GOBLIN PANDA": "1",
      "GOTHIC PANDA": "1",
      "GTA Panda": "2",
      "Guiwang": "3",
      "HeartBeat": "1",
      "HURRICANE PANDA": "1",
      "Icefog": "1",
      "IMPERSONATING PANDA": "1",
      "InternalCluster3": "1",
      "InternalIceyPeach": "1",
      "iSun": "2",
      "KamikazeToxin": "2",
      "Kaptoxa": "2",
      "KEYHOLE PANDA": "2",
      "Kimsuky Operation": "2",
      "Korplug": "1",
      "LiveSafe": "1",
      "LOTUS PANDA": "1",
      "Lurid": "1",
      "Lurid Downloader": "2",
      "Lurk": "2",
      "Mahdi": "2",
      "Maltego": "1",
      "MAVERICK PANDA": "1",
      "Melody": "1",
      "MenuPass": "3",
      "Mirage": "2",
      "Namihno": "2",
      "Natty Dropper": "1",
      "NetEagleScount": "1",
      "Newscaster": "1",
      "Nflog": "3",
      "NIGHTSHADE PANDA": "1",
      "NjW0rm": "2",
      "NUMBERED PANDA": "1",
      "Operation Beebus": "1",
      "Operation DeputyDog": "2",
      "Operation Ephemeral Hydra": "2",
      "Operation Hangover": "1",
      "Operation Molerats": "1",
      "Operation Saffron Rose": "1",
      "OpLastResort": "1",
      "PALE PANDA": "1",
      "PCShare": "1",
      "PipCreat": "1",
      "PIRATE PANDA": "1",
      "POISONOUS PANDA": "1",
      "PREDATOR PANDA": "3",
      "Project Blitzkrieg": "4",
      "PUPPET PANDA": "2",
      "RADIO PANDA": "1",
      "Rainflow": "4",
      "ROCKET KITTEN": "1",
      "SABRE PANDA": "2",
      "Samurai Panda": "1",
      "Searchfire": "1",
      "Seinup": "1",
      "ShadowSoap": "4",
      "SHARK SPIDER": "1",
      "SILENT CHOLLIMA": "4",
      "SLEEPY SAINT": "1",
      "Smoaler": "2",
      "Snake": "1",
      "Sofacy": "2",
      "SPICY PANDA": "4",
      "Stactivex": "1",
      "Stonecarver": "1",
      "Sunshop Campaign": "1",
      "Sykipot": "2",
      "Syrian Electronic Army": "5",
      "TACBOT": "2",
      "Taidoor": "1",
      "TEAM BEAR": "1",
      "th3bug": "1",
      "The Careto": "1",
      "Thoper": "3",
      "TieOnJoe": "1",
      "TOXIC PANDA": "3",
      "Tranchulas": "1",
      "Unattributed": "1",
      "UNION PANDA": "1",
      "VENOMOUS BEAR": "1",
      "VICEROY TIGER": "2",
      "VIOLIN PANDA": "1",
      "VIXEN PANDA": "1",
      "VOHO": "1",
      "WHOIS TEAM": "2",
      "WICKED SPIDER": "3",
      "WildHorse": "2",
      "XinMic": "2",
      "Zegost": "2"
    }
  },
  "campaigns": {
    "AMOROUS PANDA": 2,
    "ANCHOR PANDA": 3,
    "ANDROMEDA SPIDER": 4,
    "APT NineBlog": 5,
    "APT1": 6,
    "APT12": 7,
    "AURORA PANDA": 8,
    "Backdoor-DOI": 9,
    "BbsSearch": 10,
    "BERSERK BEAR": 11,
    "Blackshades RAT": 13,
    "BlacksunRAT": 14,
    "BOULDER BEAR": 16,
    "Buckshot Yankee": 17,
    "Centerfielder": 18,
    "CHARMING KITTEN": 19,
    "Clever Kitten": 20,
    "CNSCalc": 21,
    "Comfoo": 23,
    "Crimeware": 26,
    "CUTTING KITTEN": 28,
    "CyService": 29,
    "DAGGER PANDA": 30,
    "DarkSeoul": 31,
    "DEADEYE JACKAL": 32,
    "DEEP PANDA": 33,
    "DerelicteCampaign": 34,
    "DestroyRAT": 35,
    "DNSCalc": 36,
    "DoubleO": 37,
    "Elderwood": 39,
    "ELECTRIC PANDA": 40,
    "ENERGETIC BEAR": 42,
    "EVANESCENT BAT": 44,
    "FakeM RAT": 47,
    "FANCY BEAR": 48,
    "FinFisher": 49,
    "FLYING KITTEN": 50,
    "Gauss": 53,
    "GIBBERISH PANDA": 56,
    "GOTHIC PANDA": 58,
    "GTA Panda": 59,
    "Guiwang": 60,
    "HURRICANE PANDA": 62,
    "IMPERSONATING PANDA": 64,
    "InternalCluster2": 65,
    "InternalCluster3": 66,
    "InternalIceyPeach": 67,
    "InternalTEAM BAT": 68,
    "iSun": 69,
    "J41": 71,
    "Kaptoxa": 73,
    "KEYHOLE PANDA": 75,
    "Kimsuky Operation": 76,
    "Korplug": 77,
    "LiveSafe": 78,
    "LookPro": 79,
    "LOTUS PANDA": 80,
    "Luckycat": 81,
    "LunarEclipse": 82,
    "Lurk": 85,
    "MAGIC KITTEN": 86,
    "Mahdi": 87,
    "Maltego": 88,
    "Melody": 90,
    "Mirage": 92,
    "MNkit": 93,
    "Namihno": 94,
    "Natty Dropper": 95,
    "NetEagleScount": 96,
    "NetTraveler": 97,
    "Newscaster": 98,
    "Nick": 100,
    "Night Dragon": 101,
    "NIGHTSHADE PANDA": 102,
    "Nitro": 103,
    "NjW0rm": 104,
    "NUMBERED PANDA": 105,
    "OldCarp": 106,
    "Operation Arachnophobia": 107,
    "Operation Beebus": 108,
    "Operation DeputyDog": 109,
    "Operation Ephemeral Hydra": 110,
    "Operation High Roller": 112,
    "Operation Molerats": 114,
    "Operation Saffron Rose": 116,
    "Operation Stteam": 117,
    "Operation Windigo": 118,
    "OpLastResort": 119,
    "PCShare": 121,
    "PipCreat": 122,
    "PITTY PANDA": 124,
    "POISONOUS PANDA": 125,
    "PUPPET PANDA": 128,
    "PUTTER PANDA": 129,
    "Quarian": 130,
    "RADIO PANDA": 131,
    "Rainflow": 132,
    "ROCKET KITTEN": 133,
    "Russian Business Network": 134,
    "SABRE PANDA": 135,
    "Samurai Panda": 136,
    "SB-PHP": 137,
    "Searchfire": 138,
    "Seinup": 139,
    "SetOut": 140,
    "Shamoon": 142,
    "SilverViper": 145,
    "smkdwn": 148,
    "Smoaler": 149,
    "Snake": 150,
    "Sofacy": 151,
    "SPICY PANDA": 152,
    "Stactivex": 153,
    "STONE PANDA": 154,
    "Stonecarver": 155,
    "StubbyRAT": 156,
    "SUNRISE PANDA": 157,
    "Sunshop Campaign": 158,
    "Sykipot": 159,
    "TACBOT": 161,
    "Taidoor": 162,
    "TCAMPAIGN": 163,
    "TEAM BEAR": 164,
    "TEMPER PANDA": 165,
    "th3bug": 166,
    "The Careto": 167,
    "TieOnJoe": 169,
    "TOXIC PANDA": 170,
    "Tranchulas": 171,
    "Unattributed": 172,
    "UNION PANDA": 173,
    "VENOMOUS BEAR": 174,
    "VICEROY TIGER": 175,
    "VIOLIN PANDA": 176,
    "VIXEN PANDA": 177,
    "VOHO": 178,
    "WET PANDA": 179,
    "WildHorse": 182,
    "Winnti": 183,
    "XinMic": 184,
    "Zegost": 185,
    "ZipToken": 186,
    "Advanced Pawn": 1,
    "Blade2009Rick": 15,
    "ComeON": 22,
    "Comment Crew": 24,
    "CTRLVIP": 27,
    "DYNAMITE PANDA": 38,
    "EMISSARY PANDA": 41,
    "EXTREME JACKAL": 46,
    "Gh0stRAT": 55,
    "GOBLIN PANDA": 57,
    "HeartBeat": 61,
    "Icefog": 63,
    "KamikazeToxin": 72,
    "Lurid": 83,
    "Lurid Downloader": 84,
    "MAVERICK PANDA": 89,
    "MenuPass": 91,
    "Nflog": 99,
    "Operation Hangover": 111,
    "PALE PANDA": 120,
    "PIRATE PANDA": 123,
    "PREDATOR PANDA": 126,
    "Project Blitzkrieg": 127,
    "ShadowSoap": 141,
    "SHARK SPIDER": 143,
    "SILENT CHOLLIMA": 144,
    "SLEEPY SAINT": 147,
    "Syrian Electronic Army": 160,
    "Thoper": 168,
    "WHOIS TEAM": 180,
    "WICKED SPIDER": 181
  }
}
Response  401

Access denied.

Event Indicator Timeline

GET /reports/events/timeline{?start,end}

Get a breakdown of Events by happened_at date, with Indicator counts.

Example URI

GET /reports/events/timeline?start=2017-01-01&end=2017-01-31
URI Parameters
start
string (required) Example: 2017-01-01

The start date. Format should be YYYY-MM-DD.

end
string (required) Example: 2017-01-31

The end date. Format should be YYYY-MM-DD.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "weekends": [
    "2017-02-04",
    "2017-02-05",
    "2017-02-11",
    "2017-02-12",
    "2017-02-18",
    "2017-02-19",
    "2017-02-25",
    "2017-02-26",
    "2017-03-04",
    "2017-03-05",
    "2017-03-11",
    "2017-03-12",
    "2017-03-18",
    "2017-03-19",
    "2017-03-25",
    "2017-03-26"
  ],
  "holidays": {
    "usa": [
      "2017-02-01",
      "2017-02-02",
      "2017-02-14"
    ],
    "prc": [
      "2017-02-01",
      "2017-02-02"
    ],
    "mus": []
  },
  "events": [
    {
      "id": 49,
      "type": "Spearphish",
      "happened_at": "2017-03-31 21:20:27",
      "title": "Subject - Gryphon remarked: 'because they lessen.",
      "indicators": 24,
      "sources": "ThreatQ Front End"
    },
    {
      "id": 415,
      "type": "SQL Injection Attack",
      "happened_at": "2017-03-31 21:20:19",
      "title": "SQL - 2_3`dXv;ZUoZ]",
      "indicators": 23,
      "sources": "Threat Quotient Feeds"
    },
    {
      "id": 422,
      "type": "SQL Injection Attack",
      "happened_at": "2017-03-31 10:59:19",
      "title": "SQL - hxu0tte_9",
      "indicators": 31,
      "sources": "ThreatQ Front End"
    },
    {
      "id": 218,
      "type": "Watering Hole",
      "happened_at": "2017-03-29 19:40:30",
      "title": "Origin - https:\/\/www.west.com\/et-consequatur-iure-eum-quibusdam",
      "indicators": 17,
      "sources": "ThreatQ Front End"
    },
    ...
  ]
}
Response  401

Access denied.

Event Audit Log

GET /reports/events/{event_id}/auditlog{?filter,limit,offset}

Get an Event’s Audit Log.

Example URI

GET /reports/events/1/auditlog?filter=attributes&limit=500&offset=100
URI Parameters
event_id
integer (required) Example: 1

Event ID

filter
string (optional) Example: attributes

The relation you wish to filter by.

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 40,
  "data": [
    {
      "object_type": "source",
      "fieldname": "source",
      "event_type": "added",
      "value": {
        "id": "2",
        "name": "ThreatQ API"
      },
      "source": {
        "id": 5,
        "name": "Threat Quotient"
      },
      "changed_at": "2017-04-28 21:41:37.501"
    },
    {
      "object_type": "link",
      "fieldname": "adversary",
      "event_type": "linked",
      "value": {
        "id": 151,
        "value": "Sofacy"
      },
      "source": {
        "id": 5,
        "name": "Threat Quotient"
      },
      "changed_at": "2017-04-28 21:41:35.203"
    },
    {
      "object_type": "link",
      "fieldname": "adversary",
      "event_type": "linked",
      "value": {
        "id": 166,
        "value": "th3bug"
      },
      "source": {
        "id": 5,
        "name": "Threat Quotient"
      },
      "changed_at": "2017-04-28 21:41:35.203"
    }
  ]
}
Response  401

Access denied.

Event Summary

GET /reports/events/{event_id}/summary

Get a summary of an Event’s relations.

Example URI

GET /reports/events/1/summary
URI Parameters
event_id
integer (required) Example: 1

Event ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "name": "Recipient",
      "title": "Recipient",
      "total": 0
    },
    {
      "name": "Indicator",
      "title": "Indicator",
      "total": 20
    },
    {
      "name": "Adversary",
      "title": "Adversary",
      "total": 2
    },
    {
      "name": "Attachment",
      "title": "Attachment",
      "total": 3
    }
  ]
}
Response  401

Access denied.

Event Timeline

GET /reports/events/{event_id}/timeline

Get a breakdown by day of an Event’s relations.

Example URI

GET /reports/events/1/timeline
URI Parameters
event_id
integer (required) Example: 1

Event ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 30,
  "data": {
    "2017-04-26": [
      {
        "objectlink_id": null,
        "object_id": 250,
        "event_date": "2017-04-26",
        "action": "Added",
        "datetime": "2017-04-26 11:10:41",
        "details": null,
        "name": "X-Gm-Spam",
        "source": null,
        "type": "Attribute",
        "value": "1"
      }
    ],
    "2017-04-25": [
      {
        "objectlink_id": 39333,
        "object_id": 4817,
        "event_date": "2017-04-25",
        "action": "Linked",
        "datetime": "2017-04-25 05:32:03",
        "details": null,
        "name": "",
        "source": null,
        "type": "Indicator",
        "value": "59980565dfddc375c7a771e710f6481d93bc5706"
      }
    ],
    "2017-04-20": [
      {
        "objectlink_id": 33634,
        "object_id": 1884,
        "event_date": "2017-04-20",
        "action": "Linked",
        "datetime": "2017-04-20 14:13:25",
        "details": null,
        "name": "",
        "source": null,
        "type": "Indicator",
        "value": "nlsdata00201.dll"
      }
    ],
    ...
  }
}
Response  401

Access denied.

Reports - Highcharts

Attachment Types

GET /reports/files/attachment-types

Get a File count for each Attachment Type.

Example URI

GET /reports/files/attachment-types
Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "id": 1,
      "type": "Cuckoo",
      "count": 1
    },
    {
      "id": 2,
      "type": "CrowdStrike Intelligence",
      "count": 1
    },
    {
      "id": 3,
      "type": "Early Warning and Indicator Notice (EWIN)",
      "count": 1
    }
  ],
  "count": 3
}
Response  401

Access denied.

Reports - Attributes

Indicator Attack Phases

GET /reports/indicators/attack-phases{?indicatorClass,interval,start,end}

Get a list of Indicator Attack Phases.

Example URI

GET /reports/indicators/attack-phases?indicatorClass=network&interval=7&start=2017-01-01&end=2017-01-31
URI Parameters
indicatorClass
string (optional) Example: network

Indicator class. Options are network or host.

interval
integer (optional) Example: 7

Interval days

start
string (required) Example: 2017-01-01

The start date. Format should be YYYY-MM-DD.

end
string (required) Example: 2017-01-31

The end date. Format should be YYYY-MM-DD.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Response  401

Access denied.

Indicator Incoming Intelligence

GET /reports/indicators/incoming-intelligence-overview{?interval}

Get an Indicator count by Feed.

Example URI

GET /reports/indicators/incoming-intelligence-overview?interval=7
URI Parameters
interval
integer (optional) Example: 7

Interval days

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 4,
  "data": [
    {
      "id": null,
      "name": "All Feeds",
      "total": 111053,
      "active": 111053,
      "daily": [
        {
          "count": 0,
          "date": "2017-04-25"
        },
        {
          "count": 0,
          "date": "2017-04-26"
        },
        {
          "count": 0,
          "date": "2017-04-27"
        },
        {
          "count": 63565,
          "date": "2017-04-28"
        },
        {
          "count": 21950,
          "date": "2017-04-29"
        },
        {
          "count": 17084,
          "date": "2017-04-30"
        },
        {
          "count": 8454,
          "date": "2017-05-01"
        }
      ]
    },
    {
      "id": 14,
      "total": 109496,
      "active": 109496,
      "name": "blocklist.de (All)",
      "is_active": "enabled",
      "daily": [
        {
          "count": 0,
          "date": "2017-04-25"
        },
        {
          "count": 0,
          "date": "2017-04-26"
        },
        {
          "count": 0,
          "date": "2017-04-27"
        },
        {
          "count": 62777,
          "date": "2017-04-28"
        },
        {
          "count": 21606,
          "date": "2017-04-29"
        },
        {
          "count": 16840,
          "date": "2017-04-30"
        },
        {
          "count": 8273,
          "date": "2017-05-01"
        }
      ]
    },
    {
      "id": 13,
      "total": 1553,
      "active": 1553,
      "name": "HailaTaxii_Phishtank",
      "is_active": "enabled",
      "daily": [
        {
          "count": 0,
          "date": "2017-04-25"
        },
        {
          "count": 0,
          "date": "2017-04-26"
        },
        {
          "count": 0,
          "date": "2017-04-27"
        },
        {
          "count": 788,
          "date": "2017-04-28"
        },
        {
          "count": 344,
          "date": "2017-04-29"
        },
        {
          "count": 240,
          "date": "2017-04-30"
        },
        {
          "count": 181,
          "date": "2017-05-01"
        }
      ]
    },
    {
      "id": 12,
      "total": 4,
      "active": 4,
      "name": "haila_abuse",
      "is_active": "enabled",
      "daily": [
        {
          "count": 0,
          "date": "2017-04-25"
        },
        {
          "count": 0,
          "date": "2017-04-26"
        },
        {
          "count": 0,
          "date": "2017-04-27"
        },
        {
          "count": 0,
          "date": "2017-04-28"
        },
        {
          "count": 0,
          "date": "2017-04-29"
        },
        {
          "count": 4,
          "date": "2017-04-30"
        },
        {
          "count": 0,
          "date": "2017-05-01"
        }
      ]
    }
  ]
}
Response  401

Access denied.

Indicator Recently Created

GET /reports/indicators/indicators-created-recent{?class,interval,start,end}

Get a list of recently created Indicators by Type.

Example URI

GET /reports/indicators/indicators-created-recent?class=network&interval=7&start=2017-01-01&end=2017-01-31
URI Parameters
class
string (optional) Example: network

Indicator class. Options are network or host.

interval
integer (optional) Example: 7

Interval days

start
string (required) Example: 2017-01-01

The start date. Format should be YYYY-MM-DD.

end
string (required) Example: 2017-01-31

The end date. Format should be YYYY-MM-DD.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
[
  {
    "name": "FQDN",
    "id": 8,
    "count": 767,
    "host": 0,
    "network": 767,
    "data": [
      {
        "date": "2017-04-28",
        "count": 767,
        "host": 0,
        "network": 767,
        "x": "1493337600000",
        "y": 767
      }
    ]
  },
  {
    "name": "IP Address",
    "id": 11,
    "count": 505,
    "host": 0,
    "network": 505,
    "data": [
      {
        "date": "2017-04-28",
        "count": 505,
        "host": 0,
        "network": 505,
        "x": "1493337600000",
        "y": 505
      }
    ]
  },
  {
    "name": "Email Address",
    "id": 3,
    "count": 454,
    "host": 0,
    "network": 454,
    "data": [
      {
        "date": "2017-04-28",
        "count": 454,
        "host": 0,
        "network": 454,
        "x": "1493337600000",
        "y": 454
      }
    ]
  },
  ...
]
Response  401

Access denied.

Indicator Source Type

GET /reports/indicators/indicators-source-type{?indicatorClass,interval,start,end}

Get a list of recently created Indicators by Source.

Example URI

GET /reports/indicators/indicators-source-type?indicatorClass=network&interval=7&start=2017-01-01&end=2017-01-31
URI Parameters
indicatorClass
string (optional) Example: network

Indicator class. Options are network or host.

interval
integer (optional) Example: 7

Interval days

start
string (required) Example: 2017-01-01

The start date. Format should be YYYY-MM-DD.

end
string (required) Example: 2017-01-31

The end date. Format should be YYYY-MM-DD.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Response  401

Access denied.

Indicator Total By Type

GET /reports/indicators/indicators-type-overview{?indicatorClass,interval,start,end}

Get an Indicator count by Type.

Example URI

GET /reports/indicators/indicators-type-overview?indicatorClass=network&interval=7&start=2017-01-01&end=2017-01-31
URI Parameters
indicatorClass
string (optional) Example: network

Indicator class. Options are network or host.

interval
integer (optional) Example: 7

Interval days

start
string (required) Example: 2017-01-01

The start date. Format should be YYYY-MM-DD.

end
string (required) Example: 2017-01-31

The end date. Format should be YYYY-MM-DD.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Response  401

Access denied.

Reports - Signatures

Indicator Total By Status

GET /reports/indicators/totals-by-status{?interval,start,end}

Get an Indicator count by Status.

Example URI

GET /reports/indicators/totals-by-status?interval=7&start=2017-01-01&end=2017-01-31
URI Parameters
interval
integer (optional) Example: 7

Interval days

start
string (required) Example: 2017-01-01

The start date. Format should be YYYY-MM-DD.

end
string (required) Example: 2017-01-31

The end date. Format should be YYYY-MM-DD.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Response  401

Access denied.

Indicator Audit Log

GET /reports/indicators/{indicator_id}/auditlog{?filter,limit,offset}

Get an Indicator’s Audit Log.

Example URI

GET /reports/indicators/1/auditlog?filter=attributes&limit=500&offset=100
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

filter
string (optional) Example: attributes

The relation you wish to filter by.

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 26,
  "data": [
    {
      "object_type": "link",
      "fieldname": "indicator",
      "event_type": "linked",
      "value": {
        "id": 3064,
        "type": {
          "id": 11,
          "name": "IP Address"
        },
        "value": "187.86.71.218"
      },
      "source": {
        "id": 5,
        "name": "Threat Quotient"
      },
      "changed_at": "2017-04-28 21:41:31.296"
    },
    {
      "object_type": "link",
      "fieldname": "indicator",
      "event_type": "linked",
      "value": {
        "id": 5075,
        "type": {
          "id": 17,
          "name": "SHA-256"
        },
        "value": "de3e5a246b494fcfd9e7123ef03e2e1f36a6c1c7d6ae15102d21af86ac7ec0b9"
      },
      "source": {
        "id": 5,
        "name": "Threat Quotient"
      },
      "changed_at": "2017-04-28 21:41:28.971"
    },
    {
      "object_type": "link",
      "fieldname": "indicator",
      "event_type": "linked",
      "value": {
        "id": 7829,
        "type": {
          "id": 25,
          "name": "X-Mailer"
        },
        "value": "YahooMailWebService/0.8.149.560"
      },
      "source": {
        "id": 5,
        "name": "Threat Quotient"
      },
      "changed_at": "2017-04-28 21:41:28.971"
    }
  ]
}
Response  401

Access denied.

Indicator Summary

GET /reports/indicators/{indicator_id}/summary

Get a summary of an Indicator’s relations.

Example URI

GET /reports/indicators/1/summary
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "name": "Adversary",
      "title": "Adversary",
      "total": 1
    },
    {
      "name": "Attachment",
      "title": "Attachment",
      "total": 3
    },
    {
      "name": "Comment",
      "title": "Comment",
      "total": 0
    },
    {
      "name": "Event",
      "title": "Event",
      "total": 2
    },
    {
      "name": "Indicator",
      "title": "Indicator",
      "total": 10
    },
    {
      "name": "Signature",
      "title": "Signature",
      "total": 0
    },
    {
      "name": "Source",
      "title": "Source",
      "total": 1
    }
  ]
}
Response  401

Access denied.

Indicator Timeline

GET /reports/indicators/{indicator_id}/timeline

Get a breakdown by day of an Indicator’s relations.

Example URI

GET /reports/indicators/1/timeline
URI Parameters
indicator_id
integer (required) Example: 1

Indicator ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 16,
  "data": {
    "2017-04-25": [
      {
        "objectlink_id": 2,
        "object_id": 2,
        "event_date": "2017-04-25",
        "action": "Linked",
        "datetime": "2017-04-25 18:50:48",
        "details": null,
        "name": "Crazy effing malware!.net.org.exe",
        "source": null,
        "type": "Attachment",
        "value": null
      }
    ],
    "2017-04-24": [
      {
        "objectlink_id": 44862,
        "object_id": 852,
        "event_date": "2017-04-24",
        "action": "Linked",
        "datetime": "2017-04-24 07:08:52",
        "details": null,
        "name": "",
        "source": null,
        "type": "Indicator",
        "value": "ppfkxlad.jpg"
      }
    ],
    "2017-04-21": [
      {
        "objectlink_id": 44863,
        "object_id": 1399,
        "event_date": "2017-04-21",
        "action": "Linked",
        "datetime": "2017-04-21 05:47:19",
        "details": null,
        "name": "",
        "source": null,
        "type": "Indicator",
        "value": "telemetry.soundcloud.com"
      }
    ],
    ...
  }
}
Response  401

Access denied.

Signature Audit Log

GET /reports/signatures/{signature_id}/auditlog{?filter,limit,offset}

Get a Signature’s Audit Log.

Example URI

GET /reports/signatures/1/auditlog?filter=attributes&limit=500&offset=100
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

filter
string (optional) Example: attributes

The relation you wish to filter by.

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 6,
  "data": [
    {
      "object_type": "source",
      "fieldname": "source",
      "event_type": "added",
      "value": {
        "id": "5",
        "name": "Threat Quotient"
      },
      "source": {
        "id": 5,
        "name": "Threat Quotient"
      },
      "changed_at": "2017-04-28 23:24:36.685"
    },
    {
      "object_type": "signature",
      "fieldname": "description",
      "event_type": "added",
      "value": {
        "id": "1",
        "value": ""
      },
      "source": {
        "id": 5,
        "name": "Threat Quotient"
      },
      "changed_at": "2017-04-28 23:24:36.288"
    },
    {
      "object_type": "signature",
      "fieldname": "name",
      "event_type": "added",
      "value": {
        "id": "1",
        "value": "ET EXPLOIT Arkeia full remote access without password or authentication (2001742:9)"
      },
      "source": {
        "id": 5,
        "name": "Threat Quotient"
      },
      "changed_at": "2017-04-28 23:24:36.288"
    }
  ]
}
Response  401

Access denied.
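
Added example (not ThreatQuotient code): paging through the Event, Indicator and Signature Audit Log endpoints above with limit and offset until total is reached, then summarising the changes for review. The injected fetch callable, the zero-based offset, and the last two sample records are assumptions of this example.

```python
from collections import Counter
from datetime import datetime

TQ = {"id": 5, "name": "Threat Quotient"}
# Constructed sample: the first three records follow the Event Audit Log body above;
# the last two are made up so the log spans three pages and two sources.
SAMPLE_LOG = [
    {"object_type": "source", "fieldname": "source", "event_type": "added",
     "value": {"id": "2", "name": "ThreatQ API"}, "source": TQ,
     "changed_at": "2017-04-28 21:41:37.501"},
    {"object_type": "link", "fieldname": "adversary", "event_type": "linked",
     "value": {"id": 151, "value": "Sofacy"}, "source": TQ,
     "changed_at": "2017-04-28 21:41:35.203"},
    {"object_type": "link", "fieldname": "adversary", "event_type": "linked",
     "value": {"id": 166, "value": "th3bug"}, "source": TQ,
     "changed_at": "2017-04-28 21:41:35.203"},
    {"object_type": "link", "fieldname": "indicator", "event_type": "linked",
     "value": {"id": 9001, "value": "192.0.2.10"}, "source": TQ,
     "changed_at": "2017-04-28 21:41:31.296"},
    {"object_type": "link", "fieldname": "indicator", "event_type": "linked",
     "value": {"id": 9002, "value": "example.invalid"},
     "source": {"id": 900, "name": "analyst (constructed)"},
     "changed_at": "2017-04-29 08:15:02.000"},
]


def make_fake_fetch(records):
    """Offline stand-in for an authenticated GET (assumption of this example).

    A real transport would send `Authorization: Bearer <access_token>` and
    return the decoded JSON body; this one slices a list the same way.
    """
    calls = []

    def fetch(path, params):
        calls.append((path, dict(params)))
        offset, limit = params.get("offset", 0), params["limit"]
        return {"total": len(records), "data": records[offset:offset + limit]}

    return fetch, calls


def iter_audit_log(fetch, collection, object_id, limit=500, relation=None):
    """Yield every audit record for one object, one page at a time."""
    if collection not in ("events", "indicators", "signatures"):
        raise ValueError("unknown audit log collection: %r" % (collection,))
    if limit <= 0:
        raise ValueError("limit must be positive")
    path = "/reports/%s/%d/auditlog" % (collection, int(object_id))
    offset = 0  # assumed zero-based: number of records to skip
    while True:
        params = {"limit": limit, "offset": offset}
        if relation:
            params["filter"] = relation
        page = fetch(path, params)
        records = page.get("data") or []
        yield from records
        offset += len(records)
        # Stop on an empty page as well, in case "total" is stale.
        if not records or offset >= int(page.get("total", 0)):
            return


def summarize(records):
    """Order records by changed_at and count them by action and by source."""
    stamp = lambda r: datetime.strptime(r["changed_at"], "%Y-%m-%d %H:%M:%S.%f")
    ordered = sorted(records, key=stamp)
    return {
        "first_change": ordered[0]["changed_at"] if ordered else None,
        "last_change": ordered[-1]["changed_at"] if ordered else None,
        "by_action": Counter((r["fieldname"], r["event_type"]) for r in ordered),
        "by_source": Counter(r["source"]["name"] for r in ordered),
        "linked_adversaries": sorted(
            r["value"]["value"] for r in ordered
            if r["fieldname"] == "adversary" and r["event_type"] == "linked"),
    }


def changes_by_unexpected_source(records, expected_sources):
    """Return the records whose source name is not in the expected set."""
    return [r for r in records if r["source"]["name"] not in expected_sources]


if __name__ == "__main__":
    fetch, calls = make_fake_fetch(SAMPLE_LOG)
    log = list(iter_audit_log(fetch, "events", 1, limit=2))
    print(len(calls), "requests;", summarize(log))
    print(changes_by_unexpected_source(log, {"Threat Quotient"}))
```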

Signatures

Signature Statuses List

Get List
GET /signature/statuses{?limit,offset,sort,with}

Get a list of Signature Statuses.

Example URI

GET /signature/statuses?limit=500&offset=100&sort=id&with=signatures
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: signatures

A comma-separated list of related objects to include in the response. Options for this endpoint: signatures.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 6,
  "data": [
    {
      "id": 1,
      "name": "Active",
      "description": null,
      "user_editable": "N",
      "created_at": "2017-04-22 00:09:22",
      "updated_at": "2017-04-22 00:09:22"
    },
    {
      "id": 2,
      "name": "Expired",
      "description": null,
      "user_editable": "N",
      "created_at": "2017-04-22 00:09:22",
      "updated_at": "2017-04-22 00:09:22"
    },
    {
      "id": 3,
      "name": "Inactive",
      "description": null,
      "user_editable": "N",
      "created_at": "2017-04-22 00:09:22",
      "updated_at": "2017-04-22 00:09:22"
    },
    {
      "id": 4,
      "name": "Non-malicious",
      "description": null,
      "user_editable": "N",
      "created_at": "2017-04-22 00:09:22",
      "updated_at": "2017-04-22 00:09:22"
    },
    {
      "id": 5,
      "name": "Review",
      "description": null,
      "user_editable": "N",
      "created_at": "2017-04-22 00:09:22",
      "updated_at": "2017-04-22 00:09:22"
    },
    {
      "id": 6,
      "name": "Whitelisted",
      "description": null,
      "user_editable": "N",
      "created_at": "2017-04-22 00:09:22",
      "updated_at": "2017-04-22 00:09:22"
    }
  ]
}
Response  401

Access denied.

Create New
POST /signature/statuses

Create a new Signature Status.

Example URI

POST /signature/statuses
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Custom Status",
  "description": "A custom status",
  "user_editable": "Y"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "user_editable": "Y",
    "name": "Custom Status",
    "description": "A custom status",
    "updated_at": "2017-04-23 21:48:50",
    "created_at": "2017-04-23 21:48:50",
    "id": 7
  }
}
Response  401

Access denied.

Signature Status

Get Single
GET /signature/statuses/{signature_status_id}{?with}

Get a single Signature Status.

Example URI

GET /signature/statuses/2?with=signatures
URI Parameters
signature_status_id
integer (required) Example: 2

Signature Status ID

with
string (optional) Example: signatures

A comma-separated list of related objects to include in the response. Options for this endpoint: signatures.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "name": "Active",
    "description": null,
    "user_editable": "N",
    "created_at": "2017-04-22 00:09:22",
    "updated_at": "2017-04-22 00:09:22"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /signature/statuses/{signature_status_id}{?with}

Update a Signature Status.

Example URI

PUT /signature/statuses/2?with=signatures
URI Parameters
signature_status_id
integer (required) Example: 2

Signature Status ID

with
string (optional) Example: signatures

A comma-separated list of related objects to include in the response. Options for this endpoint: signatures.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Updated Custom Status",
  "description": "An updated custom status",
  "user_editable": "N"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 6,
    "name": "Updated Custom Status",
    "description": "An updated custom status",
    "user_editable": "N",
    "created_at": "2017-04-22 00:09:22",
    "updated_at": "2017-04-23 21:55:20"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /signature/statuses/{signature_status_id}

Delete a Signature Status.

Example URI

DELETE /signature/statuses/2
URI Parameters
signature_status_id
integer (required) Example: 2

Signature Status ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Signature Types

GET /signature/types{?limit,offset,sort,with}

Get a list of Signature Types.

Example URI

GET /signature/types?limit=500&offset=100&sort=id&with=plugins,pluginActions
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: plugins,pluginActions

A comma-separated list of related objects to include in the response. Options for this endpoint: plugins, pluginActions, signatures.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 1,
      "name": "Snort",
      "parsable": "Y",
      "includes_indicators": "N",
      "created_at": "2017-04-22 00:09:22",
      "updated_at": "2017-04-22 00:09:22"
    },
    {
      "id": 2,
      "name": "OpenIOC",
      "parsable": "Y",
      "includes_indicators": "Y",
      "created_at": "2017-04-22 00:09:22",
      "updated_at": "2017-04-22 00:09:22"
    }
  ]
}
Response  401

Access denied.

Signature Type

GET /signature/types/{signature_type_id}{?with}

Get a single Signature Type.

Example URI

GET /signature/types/2?with=plugins,pluginActions
URI Parameters
signature_type_id
integer (required) Example: 2

Signature Type ID

with
string (optional) Example: plugins,pluginActions

A comma-separated list of related objects to include in the response. Options for this endpoint: plugins, pluginActions, signatures.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "name": "Snort",
    "parsable": "Y",
    "includes_indicators": "N",
    "created_at": "2017-04-22 00:09:22",
    "updated_at": "2017-04-22 00:09:22"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Signature List

Get List
GET /signatures{?limit,offset,sort,with}

Get a list of Signatures.

Example URI

GET /signatures?limit=500&offset=100&sort=id&with=adversaries,attachments
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: adversaries,attachments

A comma-separated list of related objects to include in the response. Options for this endpoint: adversaries, attachments, attributes, comments, events, indicators, signatures, sources, status, tag, type, watchlist.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 371,
  "data": [
    {
      "id": 1,
      "name": "ET EXPLOIT Arkeia full remote access without password or authentication (2001742:9)",
      "description": "",
      "hash": "737309fe355ef23e1c03a5e98bc364b5",
      "value": "alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:\"ET EXPLOIT Arkeia full remote access without password or authentication\"; flow:to_server,established; content:\"|464F3A20596F75206861766520737563|\"; content:\"|6520636C69656E7420696E666F726D61|\"; reference:url,metasploit.com/research/vulns/arkeia_agent; reference:url,doc.emergingthreats.net/bin/view/Main/2001742; classtype:attempted-admin; sid:2001742; rev:9;)",
      "status_id": 5,
      "type_id": 1,
      "last_detected_at": null,
      "created_at": "2017-04-22 00:11:18",
      "updated_at": "2017-04-22 00:11:18",
      "touched_at": "2017-04-22 00:11:18"
    },
    {
      "id": 2,
      "name": "ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow (2007937:4)",
      "description": "",
      "hash": "8cf2e60aeb0b7ed9874f2ed379b3f42d",
      "value": "alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:\"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow\"; content:\"|44 53 52 65 71 75 65 73 74|\"; pcre:\"/[0-9a-zA-Z]{50}/R\"; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; classtype:successful-dos; sid:2007937; rev:4;)",
      "status_id": 4,
      "type_id": 1,
      "last_detected_at": null,
      "created_at": "2017-04-22 00:11:18",
      "updated_at": "2017-04-22 00:11:18",
      "touched_at": "2017-04-22 00:11:18"
    },
    {
      "id": 3,
      "name": "ET EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS (2003370:3)",
      "description": "",
      "hash": "4f32170b15e4fb6be58e54e7b6ba0a9f",
      "value": "alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:\"ET EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS\"; content:\"|00 00 00 00|\"; offset:4; depth:4; content:\"|00 00 00 03|\"; distance:8; within:4; content:\"|00 00 00 08|\"; distance:0; within:4; content:\"|00 00 00 00|\"; distance:0; within:4; content:\"|00 00 00 00|\"; distance:4; within:4; content:\"|00 00 00 00 00 00 00 00|\"; distance:8; within:32; reference:url,www.milw0rm.com/exploits/3248; reference:url,doc.emergingthreats.net/bin/view/Main/2003370; classtype:attempted-dos; sid:2003370; rev:3;)",
      "status_id": 5,
      "type_id": 1,
      "last_detected_at": null,
      "created_at": "2017-04-22 00:11:18",
      "updated_at": "2017-04-22 00:11:18",
      "touched_at": "2017-04-22 00:11:18"
    }
  ]
}
Response  401

Access denied.

Create New
POST /signatures

Create a new Signature.

Example URI

POST /signatures
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "name": "GPL EXPLOIT WEB-MISC JBoss RMI class download service directory listing attempt (2103461:1)",
    "value": "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:\"GPL EXPLOIT WEB-MISC JBoss RMI class download service directory listing attempt\"; flow:to_server,established; content:\"GET %. HTTP/1.\"; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2; classtype:web-application-attack; sid:2103461; rev:1;)",
    "description": "A description of the Signature.",
    "type_id": "1",
    "status_id": 6,
    "sources": [
      {
        "name": "Source",
        "tlp": {
          "name": "GREEN"
        },
        "published_at": "2016-07-18 02:00:00"
      }
    ]
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "name": "GPL EXPLOIT WEB-MISC JBoss RMI class download service directory listing attempt (2103461:1)",
      "value": "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:\"GPL EXPLOIT WEB-MISC JBoss RMI class download service directory listing attempt\"; flow:to_server,established; content:\"GET %. HTTP/1.\"; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2; classtype:web-application-attack; sid:2103461; rev:1;)",
      "description": "A description of the Signature.",
      "type_id": 1,
      "status_id": 6,
      "hash": "",
      "id": 513,
      "last_detected_at": null,
      "created_at": "2017-04-22 00:24:46",
      "updated_at": "2017-04-22 00:24:46",
      "touched_at": "2017-04-22 00:24:46",
      "existing": "N",
      "type": {
        "id": 1,
        "name": "Snort",
        "parsable": "Y",
        "includes_indicators": "N",
        "created_at": "2017-04-22 00:09:22",
        "updated_at": "2017-04-22 00:09:22"
      },
      "sources": [
        {
          "id": 10,
          "type": "other_sources",
          "name": "Source",
          "tlp": {
            "name": "RED"
          },
          "expire_days": null,
          "score": null,
          "created_at": "2017-04-22 00:23:17",
          "updated_at": "2017-04-22 00:23:17"
        }
      ]
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "errors": {
      "name": [
        "The name field is required."
      ],
      "status_id": [
        "The status id field is required."
      ],
      "type_id": [
        "The type id field is required."
      ],
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Signature Comment Short

Get Single
GET /signatures/comments/{signature_comment_id}{?with}

Get a single Signature Comment.

Example URI

GET /signatures/comments/2?with=signature,sources
URI Parameters
signature_comment_id
integer (required) Example: 2

Signature Comment ID

with
string (optional) Example: signature,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: signature, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /signatures/comments/{signature_comment_id}{?with}

Update a Signature Comment.

Example URI

PUT /signatures/comments/2?with=signature,sources
URI Parameters
signature_comment_id
integer (required) Example: 2

Signature Comment ID

with
string (optional) Example: signature,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: signature, sources.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 1,
    "signature_id": 1,
    "value": "This is an updated comment.",
    "creator_source_id": 5,
    "created_at": "2017-04-23 17:38:32",
    "updated_at": "2017-04-23 17:40:24",
    "sources": [
      {
        "id": 5,
        "type": "users",
        "name": "Threat Quotient",
        "expire_days": null,
        "score": null,
        "created_at": "2017-04-22 00:09:37",
        "updated_at": "2017-04-22 00:09:37",
        "pivot": {
          "id": 1,
          "creator_source_id": 5
        }
      }
    ]
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "The current authenticated owner is not the owner of this comment."
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /signatures/comments/{signature_comment_id}

Delete a Signature Comment.

Example URI

DELETE /signatures/comments/2
URI Parameters
signature_comment_id
integer (required) Example: 2

Signature Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Signature Consume

Signature Consume
POST /signatures/consume

Consume a list of Signature objects.

Required fields: name, value, type_id, status_id

Optional fields: description, last_detected_at, published_at, tlp (an object with a name field) or tlp_id, sources, attributes, comments, and tags

Relations can also be included as optional fields in the request: adversaries, attachments, attack_pattern, campaign, course_of_action, events, exploit_target, identity, incident, indicators, intrusion_set, malware, report, signatures, tool, ttp, and vulnerability.

When including relations, if the relation is of the same type as the endpoint used (e.g. related signatures on Signature Consume), the relation can be defined using the required fields. Otherwise, relations must be created in advance and the resulting IDs should be used in the request.

Note: Objects that already exist in the system will not be duplicated; any new context in the request will be added to the existing object. This endpoint does not fail on validation. Any errors will be included in the response object.

Example URI

POST /signatures/consume
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "status_id": 1,
    "type_id": 7,
    "value": "<?xml version=\"1.0\" encoding=\"us-ascii\"?>\r\n<ioc xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" id=\"aa4aa0ea-352d-4141-ab86-f0ec2627aa7d\" last-modified=\"2016-09-02T16:38:27\" xmlns=\"http://schemas.mandiant.com/2010/ioc\">\r\n  <short_description>Email Subject Test</short_description>\r\n  <description>Email Subject test</description>\r\n  <authored_date>2016-09-02T16:37:18</authored_date>\r\n  <links />\r\n  <definition>\r\n    <Indicator operator=\"OR\" id=\"42ba3130-cb62-4753-8afb-f84553ec55cf\">\r\n      <IndicatorItem id=\"b72f33d4-598d-4853-adf7-acc5d053069c\" condition=\"contains\">\r\n        <Context document=\"Email\" search=\"Email/Subject\" type=\"mir\" />\r\n        <Content type=\"string\">This is a bad email!</Content>\r\n      </IndicatorItem>\r\n      <IndicatorItem id=\"c7fa5ccd-da7e-4c21-8518-a7c51ca4d299\" condition=\"contains\">\r\n        <Context document=\"TaskItem\" search=\"TaskItem/ActionList/Action/EmailSubject\" type=\"mir\" />\r\n        <Content type=\"string\">Another Bad E-Mail!</Content>\r\n      </IndicatorItem>\r\n    </Indicator>\r\n  </definition>\r\n</ioc>",
    "name": "Email Subject Test 2016-09-02T16:38:27",
    "tlp": {
      "name": "WHITE"
    },
    "touched_at": "2017-06-20 12:01:48",
    "published_at": "2017-01-01 00:00:00",
    "signatures": [
      {
        "status_id": 1,
        "type_id": 6,
        "value": "ET EXPLOIT Arkeia full remote access without password or authentication (2001742:9)",
        "name": "Snort rule #45213"
      }
    ],
    "comments": [
      {
        "value": "Found this during the investigation."
      }
    ]
  },
  {
    "type_id": 6,
    "status_id": 2,
    "value": "GPL EXPLOIT bootp x86 linux overflow (2100319:6)",
    "name": "Snort rule #31256",
    "last_detected_at": "2019-07-11 11:31:55",
    "tlp_id": 3,
    "attributes": [
      {
        "name": "Industry",
        "value": "Hospitals"
      }
    ],
    "indicators": [
      {
        "id": 3
      },
      {
        "id": 4
      }
    ]
  },
  {
    "type_id": 8,
    "status_id": 3,
    "value": "rule ExampleRule { strings: $my_text_string = \"text here\" $my_hex_string = { E2 34 A1 C8 23 FB } condition: $my_text_string or $my_hex_string }",
    "name": "Sample YARA rule",
    "description": "For detecting things",
    "sources": [
      {
        "name": "Digital Shadows",
        "tlp": "AMBER"
      }
    ],
    "tags": [
      {
        "name": "Internal"
      }
    ]
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 4,
  "data": [
    {
      "name": "Email Subject Test 2016-09-02T16:38:27",
      "value": "<?xml version=\"1.0\" encoding=\"us-ascii\"?>\r\n<ioc xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" id=\"aa4aa0ea-352d-4141-ab86-f0ec2627aa7d\" last-modified=\"2016-09-02T16:38:27\" xmlns=\"http://schemas.mandiant.com/2010/ioc\">\r\n  <short_description>Email Subject Test</short_description>\r\n  <description>Email Subject test</description>\r\n  <authored_date>2016-09-02T16:37:18</authored_date>\r\n  <links />\r\n  <definition>\r\n    <Indicator operator=\"OR\" id=\"42ba3130-cb62-4753-8afb-f84553ec55cf\">\r\n      <IndicatorItem id=\"b72f33d4-598d-4853-adf7-acc5d053069c\" condition=\"contains\">\r\n        <Context document=\"Email\" search=\"Email/Subject\" type=\"mir\" />\r\n        <Content type=\"string\">This is a bad email!</Content>\r\n      </IndicatorItem>\r\n      <IndicatorItem id=\"c7fa5ccd-da7e-4c21-8518-a7c51ca4d299\" condition=\"contains\">\r\n        <Context document=\"TaskItem\" search=\"TaskItem/ActionList/Action/EmailSubject\" type=\"mir\" />\r\n        <Content type=\"string\">Another Bad E-Mail!</Content>\r\n      </IndicatorItem>\r\n    </Indicator>\r\n  </definition>\r\n</ioc>",
      "type_id": 7,
      "hash": "e94b32786a97f198c4834536c5cfc50b",
      "id": 372
    },
    {
      "name": "Sample Snort rule",
      "value": "GPL EXPLOIT bootp x86 linux overflow (2100319:6)",
      "type_id": 6,
      "hash": "2da36948c6d57ac7a2a24bc0a128a1f1",
      "id": 370
    },
    {
      "name": "Sample YARA rule",
      "value": "rule ExampleRule { strings: $my_text_string = \"text here\" $my_hex_string = { E2 34 A1 C8 23 FB } condition: $my_text_string or $my_hex_string }",
      "type_id": 8,
      "hash": "6d5642ee7f4774f11faa05908b014116",
      "id": 373
    },
    {
      "name": "Sample Snort rule",
      "value": "ET EXPLOIT Arkeia full remote access without password or authentication (2001742:9)",
      "type_id": 6,
      "hash": "737309fe355ef23e1c03a5e98bc364b5",
      "id": 1
    }
  ]
}
Response  401

Access denied.
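
Because Signature Consume does not fail on validation, it pays to check the required fields before sending. The following Python sketch is an added example, not ThreatQuotient code: it turns a Snort rules file into consume objects named `<msg> (<sid>:<rev>)` as in this reference's examples, and builds (without sending) the authenticated request. The function names, the hostname `threatq.example`, the constructed sample rules and `status_id=1` are assumptions; `type_id` 1 is the Snort type shown in the Create New response.

```python
import json
import re
import urllib.request

# Required fields listed for POST /signatures/consume in this reference.
REQUIRED_FIELDS = ("name", "value", "type_id", "status_id")

_RULE_START = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\s")
_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')
_MSG = re.compile(r'[(;]\s*msg\s*:\s*"((?:[^"\\]|\\.)*)"')

# Constructed sample input (not a real ruleset).
SAMPLE_RULES = '''\
# Constructed sample rules file
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE disabled rule"; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"EXAMPLE admin path probe"; flow:to_server,established; content:"/admin"; sid:1000002; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE rule without rev"; sid:1000003;)
'''


def _numeric_option(rule, key):
    """Return a numeric rule option (sid, rev), ignoring text inside quoted strings."""
    bare = _QUOTED.sub('""', rule)
    match = re.search(r"[(;]\s*" + key + r"\s*:\s*(\d+)\s*;", bare)
    return match.group(1) if match else None


def parse_snort_rules(text, type_id, status_id):
    """Convert active rules into consume objects; return (signatures, rejected).

    Comment lines and disabled rules ("#alert ...") are skipped. Rules that
    lack msg, sid or rev are reported as (line_number, reason) instead of
    being sent with an incomplete name.
    """
    signatures, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue
        if not _RULE_START.match(rule):
            rejected.append((lineno, "not a rule"))
            continue
        msg = _MSG.search(rule)
        fields = {
            "msg": msg.group(1) if msg else None,
            "sid": _numeric_option(rule, "sid"),
            "rev": _numeric_option(rule, "rev"),
        }
        missing = [key for key, value in fields.items() if not value]
        if missing:
            rejected.append((lineno, "missing " + ", ".join(missing)))
            continue
        title = re.sub(r"\\(.)", r"\1", fields["msg"])  # undo \" and \; escapes
        signatures.append({
            "name": f"{title} ({fields['sid']}:{fields['rev']})",
            "value": rule,
            "type_id": type_id,
            "status_id": status_id,  # assumption: caller supplies a valid status ID
        })
    return signatures, rejected


def missing_required(obj):
    """List the required fields that are absent or empty in one consume object."""
    return [f for f in REQUIRED_FIELDS if obj.get(f) in (None, "")]


def build_consume_request(hostname, access_token, signatures):
    """Build the POST /signatures/consume request; nothing is sent here."""
    for index, obj in enumerate(signatures):
        missing = missing_required(obj)
        if missing:
            raise ValueError(f"object {index} lacks required fields: {missing}")
    return urllib.request.Request(
        f"https://{hostname}/api/signatures/consume",
        data=json.dumps(signatures).encode("utf-8"),
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Bearer {access_token}",
        },
        method="POST",
    )


if __name__ == "__main__":
    sigs, rejected = parse_snort_rules(SAMPLE_RULES, type_id=1, status_id=1)
    request = build_consume_request("threatq.example", "<access_token>", sigs)
    print(request.get_method(), request.full_url)
    print(json.dumps(sigs, indent=2))
    print("rejected:", rejected)
```
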

Signature Import

Signature Import
POST /signatures/import

Import a list of Signatures.

Example URI

POST /signatures/import
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
--__X_PAW_BOUNDARY__
Content-Disposition: form-data; name="type_id"

1
--__X_PAW_BOUNDARY__
Content-Disposition: form-data; name="file"; filename="emerging-exploit.rules"
Content-Type: application/octet-stream

# Emerging Threats

#

# This distribution may contain rules under two different licenses.

#

#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.

#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html

#

#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License

#  as follows:

#

#*************************************************************

#  Copyright (c) 2003-2016, Emerging Threats

#  All rights reserved.

#

#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the

#  following conditions are met:

#

#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following

#    disclaimer.

#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the

#    following disclaimer in the documentation and/or other materials provided with the distribution.

#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived

#    from this software without specific prior written permission.

#

#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,

#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR

#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,

#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE

#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

#

#*************************************************************

#

#

#

#

# This Ruleset is EmergingThreats Open optimized for snort-2.9.0.

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Adobe Acrobat Reader Malicious URL Null Byte"; flow: to_server,established; content:".pdf|00|"; fast_pattern:only; nocase; http_uri; reference:url,idefense.com/application/poi/display?id=126&type=vulnerabilities; reference:url,www.securiteam.com/windowsntfocus/5BP0D20DPW.html; reference:cve,2004-0629; reference:url,doc.emergingthreats.net/bin/view/Main/2001217; classtype:attempted-admin; sid:2001217; rev:12;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"ET EXPLOIT Arkeia full remote access without password or authentication"; flow:to_server,established; content:"|464F3A20596F75206861766520737563|"; content:"|6520636C69656E7420696E666F726D61|"; reference:url,metasploit.com/research/vulns/arkeia_agent; reference:url,doc.emergingthreats.net/bin/view/Main/2001742; classtype:attempted-admin; sid:2001742; rev:9;)

alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow"; content:"|44 53 52 65 71 75 65 73 74|"; pcre:"/[0-9a-zA-Z]{50}/R"; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; classtype:successful-dos; sid:2007937; rev:4;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 2200 (msg:"ET EXPLOIT CA BrightStor ARCserve Mobile Backup LGSERVER.EXE Heap Corruption"; flow:established,to_server; content:"|4e 3d 2c 1b|"; depth:4; isdataat:2891,relative; reference:cve,2007-0449; reference:url,doc.emergingthreats.net/bin/view/Main/2003369; classtype:attempted-admin; sid:2003369; rev:3;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"ET EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 00 00 03|"; distance:8; within:4; content:"|00 00 00 08|"; distance:0; within:4; content:"|00 00 00 00|"; distance:0; within:4; content:"|00 00 00 00|"; distance:4; within:4; content:"|00 00 00 00 00 00 00 00|"; distance:8; within:32; reference:url,www.milw0rm.com/exploits/3248; reference:url,doc.emergingthreats.net/bin/view/Main/2003370; classtype:attempted-dos; sid:2003370; rev:3;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET EXPLOIT Computer Associates Mobile Backup Service LGSERVER.EXE Stack Overflow"; flow:established,to_server; content:"0000033000"; depth:10; isdataat:1000,relative; reference:url,www.milw0rm.com/exploits/3244; reference:url,doc.emergingthreats.net/bin/view/Main/2003378; classtype:attempted-admin; sid:2003378; rev:3;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 2200 (msg:"ET EXPLOIT Computer Associates BrightStor ARCserve Backup for Laptops LGServer.exe DoS"; flow:established,to_server; content:"|ff ff ff ff|"; offset:16; depth:4; reference:url,www.securityfocus.com/archive/1/archive/1/458650/100/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003379; classtype:attempted-dos; sid:2003379; rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT Computer Associates Brightstor ARCServe Backup Mediasvr.exe Remote Exploit"; flow:established,to_server; content:"|00 06 09 7e|"; offset:16; depth:4; content:"|00 00 00 bf 00 00 00 00 00 00 00 00|"; distance:4; within:12; reference:url,www.milw0rm.com/exploits/3604; reference:url,doc.emergingthreats.net/bin/view/Main/2003518; classtype:attempted-admin; sid:2003518; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT CA Brightstor ARCServe caloggerd DoS"; flow:established,to_server; content:"|00 06 09 82|"; offset:16; depth:4; content:"|00 00 00 01 00 00 00 00 00 00 00 00|"; within:12; reference:url,www.milw0rm.com/exploits/3939; reference:url,doc.emergingthreats.net/bin/view/Main/2003750; classtype:attempted-dos; sid:2003750; rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT CA Brightstor ARCServe Mediasvr DoS"; flow:established,to_server; content:"|00 06 09 7e|"; offset:16; depth:4; content:"|00 00 00 7e 00 00 00 00 00 00 00 00|"; within:12; reference:url, www.milw0rm.com/exploits/3940; reference:url,doc.emergingthreats.net/bin/view/Main/2003751; classtype:attempted-dos; sid:2003751; rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target Linux)"; flow: to_server,established; dsize: >512; content:"|45 6e 74 72 79 20 43 43 43 43 43 43 43 43 43 2f 43 43|"; offset: 0; depth: 20; threshold: type limit, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2000048; classtype:attempted-admin; sid:2000048; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target BSD)"; flow: to_server,established; dsize: >512; content:"|45 6e 74 72 79 20 61 61 61 61 61 61 61 61 61 61 61 61|"; offset: 0; depth: 18; threshold: type limit, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2000031; classtype:attempted-admin; sid:2000031; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target Solaris)"; flow: to_server,established; dsize: >512; content:"|41 72 67 75 6d 65 6e 74 20 62 62 62 62 62 62 62 62 62|"; offset: 0; depth: 18; threshold: type limit, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2000049; classtype:attempted-admin; sid:2000049; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET EXPLOIT Catalyst SSH protocol mismatch"; flow: to_server,established; content:"|61 25 61 25 61 25 61 25 61 25 61 25 61 25|"; reference:url,www.cisco.com/warp/public/707/catalyst-ssh-protocolmismatch-pub.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000007; classtype:attempted-dos; sid:2000007; rev:7;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Cisco Telnet Buffer Overflow"; flow: to_server,established; content:"|3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 61 7e 20 25 25 25 25 25 58 58|"; detection_filter: track by_src, count 1, seconds 120; reference:url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000005; classtype:attempted-dos; sid:2000005; rev:8;)

alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET EXPLOIT UPnP DLink M-Search Overflow Attempt"; content:"M-SEARCH "; depth:9; nocase; isdataat:500,relative; pcre:"/M-SEARCH\s+[^\n]{500}/i"; reference:url,www.eeye.com/html/research/advisories/AD20060714.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003039; classtype:attempted-user; sid:2003039; rev:4;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Incoming Electronic Mail for UNIX Expires Header Buffer Overflow Exploit"; flow:established; content:"Expires|3a|"; content:"|40 60 6e 63|"; distance:52; within:300; content:"|2d 70|"; distance:2; within:20; reference:url,www.frsirt.com/exploits/20050822.elmexploit.c.php; reference:url,www.instinct.org/elm/; reference:url,doc.emergingthreats.net/bin/view/Main/2002315; classtype:misc-attack; sid:2002315; rev:7;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET EXPLOIT Outgoing Electronic Mail for UNIX Expires Header Buffer Overflow Exploit"; flow:established; content:"Expires|3a|"; content:"|40 60 6e 63|"; distance:52; within:300; content:"|2d 70|"; distance:2; within:20; reference:url,www.frsirt.com/exploits/20050822.elmexploit.c.php; reference:url,www.instinct.org/elm/; reference:url,doc.emergingthreats.net/bin/view/Main/2002316; classtype:misc-attack; sid:2002316; rev:7;)

alert udp $EXTERNAL_NET any -> $HOME_NET 427 (msg:"ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - udp"; content:"language"; content:"|65 7a 69 70 3a 2f 2f 62 6c 61 2f 62 6c 61 3f 53 4e 3d 62 6c 61 3f 50 4e 3d 62 6c 61 3f 55 4e 3d 62 6c 61|"; reference:bugtraq,27718; reference:url,aluigi.altervista.org/adv/ezipirla-adv.txt; reference:cve,CVE-2008-0767; reference:url,doc.emergingthreats.net/bin/view/Main/2007876; classtype:successful-dos; sid:2007876; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - tcp"; flow:established,to_server; content:"|12 06 41 46 50 33 2e 31|"; pcre:"/[a-zA-Z0-9]{5}/i"; reference:bugtraq,27718; reference:url,aluigi.altervista.org/adv/ezipirla-adv.txt; reference:cve,CVE-2008-0759; reference:url,doc.emergingthreats.net/bin/view/Main/2007877; classtype:successful-dos; sid:2007877; rev:4;)

alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT GsecDump executed"; flow:to_server,established; content:"|67 00 73 00 65 00 63 00 64 00 75 00 6d 00 70 00 2e 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-gsecdump.html; reference:url,doc.emergingthreats.net/2010783; classtype:suspicious-filename-detect; sid:2010783; rev:3;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-1"; flow:established; content:"cwd"; depth:4; nocase; dsize:>74; pcre:"/(\/\.){70,}/i"; reference:url,milw0rm.com/exploits/6738; reference:cve,CVE-2008-4572; reference:bugtraq,31729; reference:url,doc.emergingthreats.net/bin/view/Main/2008776; classtype:web-application-attack; sid:2008776; rev:3;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-2"; flow:established; content:"list"; depth:5; nocase; dsize:>74; pcre:"/[\w]{70,}/i"; reference:url,milw0rm.com/exploits/6738; reference:cve,CVE-2008-4572; reference:bugtraq,31729; reference:url,doc.emergingthreats.net/bin/view/Main/2008777; classtype:web-application-attack; sid:2008777; rev:3;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT GuppY error.php POST Arbitrary Remote Code Execution"; flow: to_server,established; content:"POST"; http_method; nocase; content:"/error.php?"; nocase; http_uri; content:"err="; nocase; http_uri; pcre:"/Cookie\:\ +REMOTE_ADDR=/i"; reference:bugtraq,15609; reference:url,doc.emergingthreats.net/bin/view/Main/2003332; classtype:web-application-attack; sid:2003332; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 1530 (msg:"ET EXPLOIT HP Open View Data Protector Buffer Overflow Attempt"; flow:established,to_server; content:"|B6 29 8C 23 FF FF FF|"; pcre:"/\xB6\x29\x8C\x23\xFF\xFF\xFF[\xF8-\xFF]/"; reference:url,dvlabs.tippingpoint.com/advisory/TPTI-09-15; reference:url,doc.emergingthreats.net/2010546; reference:cve,2007-2281; classtype:attempted-admin; sid:2010546; rev:3;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"ET EXPLOIT HP-UX Printer LPD Command Insertion"; flow:established,to_server; content:"|02|msf28|30|"; depth:7; content:"|60|"; distance:0; within:20; reference:cve,2005-3277; reference:bugtraq,15136; reference:url,doc.emergingthreats.net/bin/view/Main/2002852; classtype:attempted-user; sid:2002852; rev:5;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible IIS FTP Exploit attempt - Large SITE command"; flow:established,to_server; content:"SITE "; nocase; isdataat:150,relative; content:!"|0d 0a|"; within:150; reference:url,www.milw0rm.com/exploits/9541; reference:url,doc.emergingthreats.net/2009828; reference:cve,2009-3023; classtype:attempted-admin; sid:2009828; rev:6;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT IIS FTP Exploit - NLST Globbing Exploit"; flow:established,to_server; content:"NLST "; nocase; content:"|2a 2f 2e 2e 2f|"; reference:url,www.milw0rm.com/exploits/9541; reference:url,doc.emergingthreats.net/2009860; reference:cve,2009-3023; classtype:attempted-admin; sid:2009860; rev:5;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid non-fragmented packet with fragment offset>0"; fragbits: !M; fragoffset: >0; reference:url,doc.emergingthreats.net/bin/view/Main/2001022; classtype:bad-unknown; sid:2001022; rev:5;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid fragment - ACK reset"; fragbits: M; flags: !A,12; reference:url,doc.emergingthreats.net/bin/view/Main/2001023; classtype:bad-unknown; sid:2001023; rev:5;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid fragment - illegal flags"; fragbits: M; flags: *FSR,12; reference:url,doc.emergingthreats.net/bin/view/Main/2001024; classtype:bad-unknown; sid:2001024; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT JamMail Jammail.pl Remote Command Execution Attempt"; flow: to_server,established; content:"/cgi-bin/jammail.pl?"; nocase; http_uri; fast_pattern:only; pcre:"/[\?&]mail=[^&]+?[\x3b\x2c\x7c\x27]/Ui"; reference:bugtraq,13937; reference:url,doc.emergingthreats.net/bin/view/Main/2001990; classtype:web-application-attack; sid:2001990; rev:8;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libPNG - Width exceeds limit"; flow: established,from_server; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; byte_test:4,>,0x80000000,8,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001191; classtype:misc-activity; sid:2001191; rev:12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libPNG - Possible integer overflow in allocation in png_handle_sPLT"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; content:"sPLT"; isdataat:80,relative; content:!"|00|"; distance: 0; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001195; classtype:misc-activity; sid:2001195; rev:9;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libpng tRNS overflow attempt"; flow: established,to_client; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:!"PLTE"; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; reference:cve,CAN-2004-0597; reference:url,doc.emergingthreats.net/bin/view/Main/2001058; classtype:attempted-admin; sid:2001058; rev:10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Linksys WRT54g Authentication Bypass Attempt"; flow:established,to_server; content:"/Security.tri"; nocase; http_uri; content:"SecurityMode=0"; nocase; reference:url,secunia.com/advisories/21372/; reference:url,doc.emergingthreats.net/bin/view/Main/2003072; classtype:attempted-admin; sid:2003072; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Linksys WAP54G debug.cgi Shell Access as Gemtek"; flow:established,to_server; content:"Authorization|3a| Basic R2VtdGVrOmdlbXRla3N3ZA==|0d 0a|"; http_header; content:"/debug.cgi"; http_uri; reference:url,seclists.org/fulldisclosure/2010/Jun/176; reference:url,doc.emergingthreats.net/2011669; classtype:attempted-admin; sid:2011669; rev:5;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Exploit"; flow: established; content:"|45 4D 46|"; content:"|EB 12 90 90 90 90 90 90|"; content:"|9e 5c 05 78|"; nocase; reference:url,www.k-otik.com/exploits/20041020.HOD-ms04032-emf-expl2.c.php; reference:url,doc.emergingthreats.net/bin/view/Main/2001369; classtype:shellcode-detect; sid:2001369; rev:7;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MS04-032 Windows Metafile (.emf) Heap Overflow Portbind Attempt"; flow: established; content:"|45 4D 46|"; content:"|23 6A 75 4E|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001363; classtype:shellcode-detect; sid:2001363; rev:7;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Connectback Attempt"; flow: established; content:"|45 4D 46|"; content:"|5E 79 72 63|"; content:"|48 4F 44 21|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001364; classtype:shellcode-detect; sid:2001364; rev:7;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Bad EMF file"; flow: from_server,established; content:"|01 00 00 00|"; depth: 4; content:"|20 45 4d 46|"; offset: 40; depth: 44; byte_test:4, >, 256, 60, little; reference:url,www.sygate.com/alerts/SSR20041013-0001.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2001374; classtype:misc-activity; sid:2001374; rev:8;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Exploit MS05-002 Malformed .ANI stack overflow attack"; flow: to_client,established; content:"RIFF"; content:"ACON"; distance: 8; content:"anih"; distance: 160; byte_test:4,>,36,0,relative,little; reference:url,doc.emergingthreats.net/bin/view/Main/2001668; classtype:misc-attack; sid:2001668; rev:6;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT MS05-021 Exchange Link State - Possible Attack (1)"; flow: to_server,established; content:"X-LINK2STATE"; fast_pattern:only; nocase; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001848; classtype:misc-activity; sid:2001848; rev:8;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 691 (msg:"ET EXPLOIT MS05-021 Exchange Link State - Possible Attack (2)"; flow: to_server,established; content:"X-LSA-2"; fast_pattern:only; nocase; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001849; classtype:misc-activity; sid:2001849; rev:8;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET EXPLOIT MS Exchange Link State Routing Chunk (maybe MS05-021)"; flow: to_server, established; content:"X-LINK2STATE"; nocase; content:"CHUNK="; nocase; threshold: type limit, track by_src, count 1, seconds 60; flowbits:set,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001873; classtype:misc-activity; sid:2001873; rev:9;)

#alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"ET EXPLOIT TCP Reset from MS Exchange after chunked data, probably crashed it (MS05-021)"; flags: R; flowbits:isset,msxlsa; flowbits: unset,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001874; classtype:misc-activity; sid:2001874; rev:8;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Windows Media Player parsing BMP file with 0 size offset to start of image"; flow:established,from_server; file_data; content:"BM"; depth:2; byte_test:8,=,0,4,relative; reference:url,www.milw0rm.com/id.php?id=1500; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-005.mspx; reference:cve,2006-0006; reference:bugtraq,16633; reference:url,doc.emergingthreats.net/bin/view/Main/2002802; classtype:attempted-user; sid:2002802; rev:10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT BMP with invalid bfOffBits"; flow:established,to_client; content:"|0d 0a 0d 0a|BM"; fast_pattern; byte_test:4,>,14,0,relative; content:"|0000000000000000|"; distance:4; within:8; reference:url,www.microsoft.com/technet/security/Bulletin/ms06-005.mspx; reference:cve,2006-0006; reference:bugtraq,16633; reference:url,doc.emergingthreats.net/bin/view/Main/2002803; classtype:attempted-user; sid:2002803; rev:9;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT DOS Microsoft Windows SRV.SYS MAILSLOT "; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03|"; distance:21; content:"|01 00 00 00 00 00|"; distance:1; within:6; byte_test:2,=,17,0,little,relative; content:"|5C|MAILSLOT|5C|"; within:10; distance:2; reference:url,www.milw0rm.com/exploits/2057; reference:url,www.microsoft.com/technet/security/bulletin/MS06-035.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2003067; classtype:attempted-dos; sid:2003067; rev:5;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MSSQL Hello Overflow Attempt"; flow:established,to_server; dsize:>400; content:"|12 01 00 34 00 00 00 00|"; offset:0; depth:8; reference:cve,2002-1123; reference:bugtraq,5411; reference:url,doc.emergingthreats.net/bin/view/Main/2002845; classtype:attempted-admin; sid:2002845; rev:5;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MS-SQL SQL Injection closing string plus line comment"; flow: to_server,established; content:"'|00|"; content:"-|00|-|00|"; reference:url,owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/bin/view/Main/2000488; classtype:attempted-user; sid:2000488; rev:8;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MS-SQL SQL Injection running SQL statements line comment"; flow: to_server,established; content:"|3b 00|"; content:"-|00|-|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000372; classtype:attempted-user; sid:2000372; rev:8;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MS-SQL SQL Injection line comment"; flow: to_server,established; content:"-|00|-|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000373; classtype:attempted-user; sid:2000373; rev:7;)

alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL heap overflow attempt"; content:"|08 3A 31|"; depth: 3; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000377; classtype:attempted-admin; sid:2000377; rev:7;)

#alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL DOS attempt (08)"; dsize: >1; content:"|08|"; depth: 1; content:!"|3A|"; offset: 1; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000378; classtype:attempted-dos; sid:2000378; rev:8;)

#alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL DOS attempt (08) 1 byte"; dsize: 1; content:"|08|"; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000379; classtype:attempted-dos; sid:2000379; rev:7;)

alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL Spike buffer overflow"; content:"|12 01 00 34|"; depth: 4; reference:bugtraq,5411; reference:url,doc.emergingthreats.net/bin/view/Main/2000380; classtype:attempted-admin; sid:2000380; rev:9;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_servicecontrol access"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|c|00|o|00|n|00|t|00|r|00|o|00|l|00|"; nocase; reference:url,doc.emergingthreats.net/2009999; classtype:attempted-user; sid:2009999; rev:3;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_fileexist access"; flow:to_server,established; content:"x|00|p|00|_|00|f|00|i|00|l|00|e|00|e|00|x|00|i|00|s|00|t|00|"; nocase; reference:url,doc.emergingthreats.net/2010000; classtype:attempted-user; sid:2010000; rev:3;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_enumerrorlogs access"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|e|00|r|00|r|00|o|00|r|00|l|00|o|00|g|00|s|00|"; nocase; reference:url,doc.emergingthreats.net/2010001; classtype:attempted-user; sid:2010001; rev:3;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_readerrorlogs access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|a|00|d|00|e|00|r|00|r|00|o|00|r|00|l|00|o|00|g|00|s|00|"; nocase; reference:url,doc.emergingthreats.net/2010002; classtype:attempted-user; sid:2010002; rev:4;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_enumdsn access"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|d|00|s|00|n|00|"; nocase; reference:url,doc.emergingthreats.net/2010003; classtype:attempted-user; sid:2010003; rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET EXPLOIT MDAEMON (Post Auth) Remote Root IMAP FETCH Command Universal Exploit"; flow:established,to_server; content:"FLAGS BODY"; pcre:"/[0-9a-zA-Z]{200,}/R"; content:"|EB 06 90 90 8b 11 DC 64 90|"; distance:0; reference:url,www.milw0rm.com/exploits/5248; reference:bugtraq,28245; reference:url,doc.emergingthreats.net/bin/view/Main/2008063; reference:cve,2008-1358; classtype:successful-user; sid:2008063; rev:3;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"ET EXPLOIT MySQL MaxDB Buffer Overflow"; flow: to_server,established; content:"GET"; content:"|31 c9 83 e9 af d9 ee|"; pcre:"/(GET).\/%.{1586,}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2001988; classtype:attempted-admin; sid:2001988; rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET EXPLOIT Possible Novell Groupwise Internet Agent CREATE Verb Stack Overflow Attempt"; flow:established,to_server; content:"|41 30 30 31|"; depth:4; content:"CREATE "; within:10; isdataat:500,relative; content:!"|0A|"; within:500; reference:url,www.exploit-db.com/exploits/14379/; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-129/; reference:url,www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7006374&sliceId=2&docTypeID=DT_TID_1_1&dialogID=155271264&stateId=0 0 155267598; reference:url,doc.emergingthreats.net/2011235; classtype:attempted-admin; sid:2011235; rev:2;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds"; flow:to_server,established; content:"/nds"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:!"|0d0a|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003145; classtype:web-application-attack; sid:2003145; rev:5;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost"; flow:to_server,established; content:"/dhost"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:!"|0d0a|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003146; classtype:web-application-attack; sid:2003146; rev:5;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds (linewrap)"; flow:to_server,established; content:"/nds"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:"|0d0a20|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003148; classtype:web-application-attack; sid:2003148; rev:5;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost (linewrap)"; flow:to_server,established; content:"/dhost"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:"|0d0a20|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003147; classtype:web-application-attack; sid:2003147; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 8800 (msg:"ET EXPLOIT Now SMS/MMS Gateway HTTP BOF Vulnerability"; flow:established,to_server; content:"GET "; depth:4; content:"Authorization:"; distance:0; content:"Basic"; distance:0; pcre:"/Authorization\x3a\s*Basic\s*[a-zA-Z0-9]{255,}==/i"; reference:bugtraq,27896; reference:url,aluigi.altervista.org/adv/nowsmsz-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007874; classtype:web-application-attack; sid:2007874; rev:7;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 2775 (msg:"ET EXPLOIT Now SMS/MMS Gateway SMPP BOF Vulnerability"; flow:established,to_server; content:"|00 00 00 04|"; content:"|00 00 00 01|"; distance:1; pcre:"/[a-zA-Z0-9]{1000,}/i"; reference:bugtraq,27896; reference:url,aluigi.altervista.org/adv/nowsmsz-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007875; classtype:web-application-attack; sid:2007875; rev:4;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT US-ASCII Obfuscated script"; flow:established,from_server; content:"US-ASCII"; fast_pattern:only; nocase; pcre:"/\xbc[\xf3\xd3][\xe3\xc3][\xf2\xd2][\xe9\xc9][\xf0\xd0][\xf4\xd4]/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003400; classtype:web-application-attack; sid:2003400; rev:4;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT US-ASCII Obfuscated VBScript download file"; flow:established,from_server; content:"US-ASCII"; fast_pattern:only; nocase; pcre:"/\xae[\xef\xcf][\xf0\xd0][\xe5\xc5][\xee\xce]\xa0\xa2[\xe7\xc7][\xe5\xc5][\xf4\xd4]\xa2/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003401; classtype:web-application-attack; sid:2003401; rev:5;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT US-ASCII Obfuscated VBScript execute command"; flow:established,from_server; content:"US-ASCII"; fast_pattern:only; nocase; pcre:"/[\xf3\xd3][\xe8\xc8][\xe5\xc5][\xec\xcc][\xec\xcc][\xe5\xc5][\xf8\xd8][\xe5\xc5][\xe3\xc3][\xf5\xd5][\xf4\xd4][\xe5\xc5]/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003402; classtype:web-application-attack; sid:2003402; rev:5;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT US-ASCII Obfuscated VBScript"; flow:established,from_server; content:"US-ASCII"; fast_pattern:only; nocase; pcre:"/[\xf6\xd6][\xe2\xc2][\xf3\xd3][\xe3\xc3][\xf2\xd2][\xe9\xc9][\xf0\xd0][\xf4\xd4]/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003403; classtype:web-application-attack; sid:2003403; rev:4;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ET EXPLOIT SYS get_domain_index_metadata Privilege Escalation Attempt"; flow:established,to_server; content:"ODCIIndexMetadata"; nocase; content:"sys.dbms_export_extension.get_domain_index_metadata"; nocase; reference:bugtraq,17699; reference:url,doc.emergingthreats.net/bin/view/Main/2002886; classtype:attempted-admin; sid:2002886; rev:3;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ET EXPLOIT SYS get_domain_index_tables Access"; flow:established,to_server; content:"sys.dbms_export_extension.get_domain_index_tables"; nocase; reference:bugtraq,17699; reference:url,doc.emergingthreats.net/bin/view/Main/2002887; classtype:attempted-admin; sid:2002887; rev:4;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ET EXPLOIT SYS get_v2_domain_index_tables Privilege Escalation Attempt"; flow:established,to_server; content:"ODCIIndexUtilGetTableNames"; nocase; content:"sys.dbms_export_extension.get_v2_domain_index_tables"; nocase; reference:bugtraq,17699; reference:url,doc.emergingthreats.net/bin/view/Main/2002888; classtype:attempted-admin; sid:2002888; rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS (msg:"ET EXPLOIT Possible Oracle Database Text Component ctxsys.drvxtabc.create_tables Remote SQL Injection Attempt"; flow:established,to_server; content:"ctxsys|2E|drvxtabc|2E|create|5F|tables"; nocase; content:"dbms|5F|sql|2E|execute"; nocase; distance:0; pcre:"/ctxsys\x2Edrvxtabc\x2Ecreate\x5Ftables.+(SELECT|DELETE|CREATE|INSERT|UPDATE|OUTFILE)/si"; reference:url,www.securityfocus.com/bid/36748; reference:cve,2009-1991; reference:url,doc.emergingthreats.net/2010375; classtype:attempted-admin; sid:2010375; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP .message file write"; flow:to_server,established; content:"STOR "; nocase; depth:5; content:".message|0d 0a|"; distance:0; pcre:"/[^a-zA-Z0-9]+\.message/"; flowbits:set,BE.ftp.message; reference:url,www.milw0rm.com/exploits/2856; reference:url,doc.emergingthreats.net/bin/view/Main/2003196; classtype:misc-attack; sid:2003196; rev:7;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT ProFTPD .message file overflow attempt"; flowbits:isset,BE.ftp.message; flow:to_server,established; content:"CWD "; depth:4; nocase; flowbits:unset,BE.ftp.message; reference:url,www.milw0rm.com/exploits/2856; reference:url,doc.emergingthreats.net/bin/view/Main/2003197; classtype:misc-attack; sid:2003197; rev:6;)

alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Pwdump3e Session Established Reg-Entry port 139"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2000565; classtype:suspicious-login; sid:2000565; rev:9;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Pwdump3e Session Established Reg-Entry port 445"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2000566; classtype:suspicious-login; sid:2000566; rev:9;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Pwdump3e pwservice.exe Access port 445"; flow: to_server,established; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2000564; classtype:misc-attack; sid:2000564; rev:10;)

alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Pwdump3e pwservice.exe Access port 139"; flow: to_server,established; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2000567; classtype:misc-attack; sid:2000567; rev:9;)

alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Pwdump3e Password Hash Retrieval port 445"; flow: from_server,established; content:"|3a 00|5|00|0|00|0|3a|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2000563; classtype:misc-attack; sid:2000563; rev:12;)

alert tcp $HOME_NET 139 -> any any (msg:"ET EXPLOIT Pwdump3e Password Hash Retrieval port 139"; flow: from_server,established; content:"|3a 00|5|00|0|00|0|3a|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2000568; classtype:misc-attack; sid:2000568; rev:11;)

alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT NTDump.exe Service Started port 139"; flow: to_server,established; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2001053; classtype:misc-activity; sid:2001053; rev:8;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT NTDump.exe Service Started port 445"; flow: to_server,established; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2001544; classtype:misc-activity; sid:2001544; rev:8;)

alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT NTDump Session Established Reg-Entry port 139"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2001052; classtype:misc-activity; sid:2001052; rev:9;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT NTDump Session Established Reg-Entry port 445"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2001543; classtype:misc-activity; sid:2001543; rev:8;)

alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Pwdump4 Session Established GetHash port 139"; flow: to_server,established; content:"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2001753; classtype:suspicious-login; sid:2001753; rev:5;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Pwdump4 Session Established GetHash port 445"; flow: to_server,established; content:"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2001754; classtype:suspicious-login; sid:2001754; rev:5;)

alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT PWDump4 Password dumping exe copied to victim"; flow:to_server,established; content:"|4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 50 00 57 00 44 00 55 00 4D 00 50 00 34 00 2E 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-pwdump4.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008444; classtype:suspicious-filename-detect; sid:2008444; rev:3;)

alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT Pwdump6 Session Established test file created on victim"; flow:to_server,established; content:"|5c 00 74 00 65 00 73 00 74 00 2e 00 70 00 77 00 64|"; fast_pattern:only; reference:url,xinn.org/Snort-pwdump6.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008445; classtype:suspicious-filename-detect; sid:2008445; rev:4;)

alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT Foofus.net Password dumping, dll injection"; flow:to_server,established; content:"|6c 00 73 00 72 00 65 00 6d 00 6f 00 72 00 61|"; fast_pattern:only; reference:url,xinn.org/Snort-fgdump.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008476; classtype:suspicious-filename-detect; sid:2008476; rev:4;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Possible Vulnerable Server Response"; flow:established; dsize:12; content:"RFB 003.00"; depth:11; flowbits:noalert; flowbits:set,BSposs.vuln.vnc.svr; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:cve,2006-2369; reference:url,doc.emergingthreats.net/bin/view/Main/2002912; classtype:misc-activity; sid:2002912; rev:7;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VNC Client response"; flowbits:isset,BSposs.vuln.vnc.svr; flow:established; dsize:12; content:"RFB 003.0"; depth:9; flowbits:noalert; flowbits:set,BSis.vnc.setup; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002913; classtype:misc-activity; sid:2002913; rev:7;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Server VNC Auth Offer"; flowbits:isset,BSis.vnc.setup; flow:established; dsize:20; content:"|00 00 00 02|"; depth:4; flowbits:noalert; flowbits:set,BSvnc.auth.offered; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002914; classtype:misc-activity; sid:2002914; rev:6;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Server VNC Auth Offer - No Challenge string"; flowbits:isset,BSis.vnc.setup; flow:established; dsize:2; content:"|01 02|"; depth:2; flowbits:noalert; flowbits:set,BSvnc.auth.offered; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002918; classtype:misc-activity; sid:2002918; rev:6;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Server Not Requiring Authentication"; flowbits:isset,BSis.vnc.setup; flow:established; content:"|01 01|"; depth:2; flowbits:set,BSvnc.auth.offered; flowbits:unset,BSis.vnc.setup; flowbits:unset,BSvnc.auth.offered; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:cve,2006-2369; reference:url,doc.emergingthreats.net/bin/view/Main/2002924; classtype:misc-activity; sid:2002924; rev:7;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Server Not Requiring Authentication (case 2)"; flowbits:isset,BSis.vnc.setup; dsize:4; flow:established; content:"|00 00 00 01|"; depth:4; flowbits:set,BSvnc.auth.offered; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:cve,2006-2369; reference:url,doc.emergingthreats.net/bin/view/Main/2002923; classtype:misc-activity; sid:2002923; rev:6;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VNC Good Authentication Reply"; flowbits:isset,BSvnc.auth.offered; flow:established; dsize:2; content:"|02|"; flowbits:unset,BSvnc.auth.offered; flowbits:noalert; flowbits:set,BSvnc.auth.agreed; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002919; classtype:attempted-admin; sid:2002919; rev:7;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VNC Authentication Reply"; flowbits:isset,BSvnc.auth.offered; flow:established; dsize:16; flowbits:unset,BSvnc.auth.offered; flowbits:noalert; flowbits:set,BSvnc.auth.agreed; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002915; classtype:attempted-admin; sid:2002915; rev:6;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT RealVNC Authentication Bypass Attempt"; flowbits:isset,BSvnc.auth.offered; flow:established; dsize:1; content:"|01|"; depth:1; flowbits:set,BSvnc.null.auth.sent; reference:url,secunia.com/advisories/20107/; reference:url,archives.neohapsis.com/archives/fulldisclosure/2006-05/0356.html; reference:cve,2006-2369; reference:url,doc.emergingthreats.net/bin/view/Main/2002916; classtype:attempted-admin; sid:2002916; rev:6;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT RealVNC Server Authentication Bypass Successful"; flowbits:isset,BSvnc.null.auth.sent; flow:established; dsize:4; content:"|00 00 00 00|"; depth:4; flowbits:unset,BSis.vnc.setup; flowbits:unset,BSvnc.auth.offered; reference:url,secunia.com/advisories/20107/; reference:url,archives.neohapsis.com/archives/fulldisclosure/2006-05/0356.html; reference:cve,2006-2369; reference:url,doc.emergingthreats.net/bin/view/Main/2002917; classtype:successful-admin; sid:2002917; rev:6;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Multiple Authentication Failures"; flowbits:isset,BSvnc.auth.agreed; flow:established; dsize:<50; content:"|00 00 00 02|"; depth:4; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002921; classtype:attempted-admin; sid:2002921; rev:6;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT SQL sp_configure - configuration change"; flow:to_server,established; content:"s|00|p|00|_|00|c|00|o|00|n|00|f|00|i|00|g|00|u|00|r|00|e|00|"; fast_pattern:only; nocase; reference:url,msdn.microsoft.com/en-us/library/ms190693.aspx; reference:url,doc.emergingthreats.net/bin/view/Main/2008517; classtype:attempted-user; sid:2008517; rev:3;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT SQL sp_configure attempt"; flow:to_server,established; content:"sp_configure"; fast_pattern:only; nocase; reference:url,msdn.microsoft.com/en-us/library/ms190693.aspx; reference:url,doc.emergingthreats.net/bin/view/Main/2008518; classtype:attempted-user; sid:2008518; rev:3;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 4000 (msg:"ET EXPLOIT SecurityGateway 1.0.1 Remote Buffer Overflow"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/SecurityGateway.dll"; nocase; distance:0; content:"logon"; nocase; distance:0; content:"&username"; nocase; distance:0; pcre:"/\x3d[^\x26]{720}/R"; reference:url,frsirt.com/english/advisories/2008/1717; reference:url,milw0rm.com/exploits/5718; reference:url,doc.emergingthreats.net/bin/view/Main/2008426; reference:cve,2008-4193; classtype:misc-attack; sid:2008426; rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ShixxNote buffer-overflow + remote shell attempt"; flow: established,to_server; content:"|68 61 63 6b 75|"; offset: 126; depth: 5; content:"|68 61 63 6b 90 61 61 61 61|"; offset: 519; depth: 9; reference:url,aluigi.altervista.org/adv/shixxbof-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2001385; classtype:shellcode-detect; sid:2001385; rev:6;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"ET EXPLOIT Siemens Gigaset SE361 WLAN Data Flood Denial of Service Vulnerability"; flow:to_server; content:"|90 90 90 90 90|"; depth:5; content:"|90 90 90 90 90|"; distance:0; content:"|90 90 90 90 90|"; distance:0; pcre:"/\x90{200}/"; reference:cve,CVE-2009-3322; reference:bugtraq,36366; reference:url,www.milw0rm.com/exploits/9646; reference:url,doc.emergingthreats.net/2009976; classtype:denial-of-service; sid:2009976; rev:4;)

#alert tcp $EXTERNAL_NET 31337 -> $HOME_NET 64876 (msg:"ET EXPLOIT malformed Sack - Snort DoS-by-$um$id"; seq:0; ack:0; window:65535; dsize:0; reference:url,doc.emergingthreats.net/bin/view/Main/2002656; classtype:attempted-dos; sid:2002656; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Solaris TTYPROMPT environment variable set"; flow: established,to_server; content:"|00 54 54 59 50 52 4F 4D 50 54|"; fast_pattern:only; reference:url,online.securityfocus.com/archive/1/293844; reference:url,doc.emergingthreats.net/bin/view/Main/2001780; classtype:attempted-admin; sid:2001780; rev:7;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Solaris telnet USER environment vuln Attack inbound"; flow:to_server,established; content: "|ff fa 27 00 00 55 53 45 52 01 2d 66|"; rawbytes; reference:url,riosec.com/solaris-telnet-0-day; reference:url,isc.sans.org/diary.html?n&storyid=2220; reference:url,doc.emergingthreats.net/bin/view/Main/2003411; reference:cve,2007-0882; classtype:attempted-user; sid:2003411; rev:8;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"ET EXPLOIT Solaris telnet USER environment vuln Attack outbound"; flow:to_server,established; content: "|ff fa 27 00 00 55 53 45 52 01 2d 66|"; rawbytes; reference:url,riosec.com/solaris-telnet-0-day; reference:url,isc.sans.org/diary.html?n&storyid=2220; reference:url,doc.emergingthreats.net/bin/view/Main/2003412; reference:cve,2007-0882; classtype:attempted-user; sid:2003412; rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt"; flow:established,to_server; content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|"; distance:0; reference:url,www.securityfocus.com/bid/38578; reference:url,seclists.org/fulldisclosure/2010/Mar/140; reference:url,doc.emergingthreats.net/2010877; classtype:attempted-user; sid:2010877; rev:3;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible Sendmail SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt"; flow:established,to_server; content:"to|3A|"; depth:10; nocase; content:"+\"|7C|"; distance:0; reference:url,www.securityfocus.com/bid/38578; reference:url,seclists.org/fulldisclosure/2010/Mar/140; reference:url,doc.emergingthreats.net/2010941; classtype:attempted-user; sid:2010941; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"ET EXPLOIT Squid NTLM Auth Overflow Exploit"; flow: to_server; content:"|4141 414a 4351 6b4a 4351 6b4a 4351 6b4a|"; offset: 96; reference:url,www.idefense.com/application/poi/display?id=107; reference:cve,CAN-2004-0541; reference:url,doc.emergingthreats.net/bin/view/Main/2000342; classtype:misc-attack; sid:2000342; rev:6;)

#alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Java runtime.exec() call"; flow:from_server,established; content:"|52 75 6e 74 69 6d 65 3b 01 00 04 65 78 65 63 01 00|"; fast_pattern:only; reference:url,www.mullingsecurity.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002783; classtype:trojan-activity; sid:2002783; rev:6;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Java private function call sun.misc.unsafe"; flow:from_server,established; content:"sun/misc/Unsafe"; reference:url,www.mullingsecurity.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002784; classtype:trojan-activity; sid:2002784; rev:3;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 8004 (msg:"ET EXPLOIT Symantec Scan Engine Request Password Hash"; flow:established,to_server; content:"POST"; nocase; depth:4; content:"/xml.xml"; nocase; distance:1; within:10; content:"<request"; nocase; distance:0; content:"<key "; distance:0; reference:cve,2006-0230; reference:bugtraq,17637; reference:url,doc.emergingthreats.net/bin/view/Main/2002896; classtype:attempted-recon; sid:2002896; rev:8;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 2967:2968 (msg:"ET EXPLOIT Symantec Remote Management RTVScan Exploit"; flow:established,to_server; content:"|10|"; depth:2; content:"|00 24 00|"; distance:0; within:20; content:"|5c|"; distance:0; isdataat:380,relative; reference:cve,2006-3455; reference:url,research.eeye.com/html/advisories/published/AD20060612.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003250; classtype:attempted-admin; sid:2003250; rev:4;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET EXPLOIT TFTP Invalid Mode in file Get"; content:"|01|"; depth:1; content:"|00|"; distance:1; content:"|00|"; distance:0; content:!"|00|binary|00|"; nocase; content:!"|00|netascii|00|"; nocase; content:!"|00|mail|00|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003198; classtype:non-standard-protocol; sid:2003198; rev:4;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET EXPLOIT TFTP Invalid Mode in file Put"; content:"|02|"; depth:1; content:"|00|"; distance:1; content:"|00|"; distance:0; content:!"|00|binary|00|"; nocase; content:!"|00|netascii|00|"; nocase; content:!"|00|mail|00|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003199; classtype:non-standard-protocol; sid:2003199; rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT TAC Attack Directory Traversal"; flow:established,to_server; content:"/ISALogin.dll?"; nocase; http_uri; pcre:"/Template=.*\.\./UGi"; reference:cve,2005-3040; reference:url,secunia.com/advisories/16854; reference:url,cirt.dk/advisories/cirt-37-advisory.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002406; classtype:attempted-recon; sid:2002406; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 14942 (msg:"ET EXPLOIT Trend Micro Web Interface Auth Bypass Vulnerable Cookie Attempt"; flow:established,to_server; content:"splx_2376_info"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=477; reference:url,www.trendmicro.com/download/product.asp?productid=20; reference:url,doc.emergingthreats.net/bin/view/Main/2003434; classtype:attempted-admin; sid:2003434; rev:3;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"ET EXPLOIT TrendMicro ServerProtect Exploit possible worma(little-endian DCERPC Request)"; flow:established,to_server; dsize:>1000; content:"|05|"; depth:1; content:"|10 00 00 00|"; distance:3; within:4; content:"|00 00 88 88 28 25 5b bd d1 11 9d 53 00 80 c8 3a 5c 2c 04 00 03 00|"; distance:14; within:22; content:"|1c 13 74 65|"; distance:500; reference:url,isc.sans.org/diary.html?storyid=3310; reference:url,doc.emergingthreats.net/bin/view/Main/2007584; classtype:misc-attack; sid:2007584; rev:7;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"ET EXPLOIT VLC web interface buffer overflow attempt"; flow:to_server,established; content:"|2F|requests|2F|status|2E|xml|3F|"; nocase; http_uri; content:"input|3D|smb|3A 2F|"; nocase; http_uri; pcre:"/\x2Frequests\x2Fstatus\x2Exml\x3F[^\x0A\x0D]*input\x3D[^\x0A\x0D\x26\x3B]{1000}/iU"; reference:url,milw0rm.org/exploits/9029; reference:url,doc.emergingthreats.net/2009511; classtype:web-application-attack; sid:2009511; rev:5;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT M3U File Request Flowbit Set"; flow:to_server,established; content:"GET"; http_method; content:".m3u"; http_uri; flowbits:set,ET.m3u.download; flowbits:noalert; reference:url,doc.emergingthreats.net/2011241; classtype:not-suspicious; sid:2011241; rev:3;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible VLC Media Player M3U File FTP URL Processing Stack Buffer Overflow Attempt"; flowbits:isset,ET.m3u.download; flow:established,to_client; content:"ftp|3A|//"; nocase; content:"PRAV"; within:10; isdataat:2000,relative; content:!"|0A|"; within:2000; reference:url,securitytracker.com/alerts/2010/Jul/1024172.html; reference:url,doc.emergingthreats.net/2011242; classtype:attempted-user; sid:2011242; rev:3;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Possible BackupExec Metasploit Exploit (inbound)"; flow:established,to_server; content: "|09 01|"; offset:18; depth:2; content:"|00 03|"; distance:10; within:2; byte_jump:2,2,relative,big; content:"|00 00|"; within:2; byte_test:2,>,512,0,relative,big; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; reference:url,doc.emergingthreats.net/bin/view/Main/2002061; classtype:attempted-admin; sid:2002061; rev:5;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 10000 (msg:"ET EXPLOIT Possible BackupExec Metasploit Exploit (outbound)"; flow:established,to_server; content: "|00 00 03 00 00 02 00 58 58 58|"; offset: 24; depth: 20; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; reference:url,doc.emergingthreats.net/bin/view/Main/2002062; classtype:attempted-admin; sid:2002062; rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Veritas backupexec_agent exploit"; flow:to_server,established; content:"|00 00 00 00 00 00 09 01|"; offset:12; depth:20; content: "|00 00 00 03|"; offset: 28; depth: 32; byte_jump: 4, 32; byte_test: 4,>,3000,0,relative; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,doc.emergingthreats.net/bin/view/Main/2002065; reference:cve,2004-1172; classtype:misc-attack; sid:2002065; rev:8;)

alert tcp $HOME_NET 10000 -> $EXTERNAL_NET any (msg:"ET EXPLOIT NDMP Notify Connect - Possible Backup Exec Remote Agent Recon"; flow:established,from_server; content:"|00 00 05 02|"; offset:16; depth:20; content: "|00 00 00 03|"; offset: 28; depth: 32; reference:url,www.ndmp.org/download/sdk_v4/draft-skardal-ndmp4-04.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2002068; classtype:attempted-recon; sid:2002068; rev:8;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Backup Exec Windows Agent Remote File Access - Attempt"; flow:to_server,established; flowbits:isnotset,SID2002181; content:"|0000 0000 0000 0901 0000 0000 0000 0000 0000 0002 0000 0004 726f 6f74 b4b8 0f26 205c 4234 03fc aeee 8f91 3d6f|"; offset:8; depth:52; flowbits:set,SID2002181; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; reference:url,doc.emergingthreats.net/bin/view/Main/2002181; classtype:default-login-attempt; sid:2002181; rev:5;)

alert tcp $HOME_NET 10000 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Backup Exec Windows Agent Remote File Access - Vulnerable"; flow:from_server,established; flowbits:isset,SID2002181; content:"|0000 0001 0000 0901|"; offset:8; depth:16; content:"|0000 0000 0000 0000|"; distance:4; within:12; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; reference:url,doc.emergingthreats.net/bin/view/Main/2002182; classtype:misc-attack; sid:2002182; rev:5;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT WMF Exploit"; flow:established; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference:url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; reference:url,doc.emergingthreats.net/bin/view/Main/2002734; classtype:attempted-user; sid:2002734; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"ET EXPLOIT Xerox WorkCentre PJL Daemon Buffer Overflow Attempt"; flow:established,to_server; content:"ENTER LANGUAGE ="; depth:50; nocase; isdataat:55,relative; content:!"|0A|"; within:55; pcre:"/ENTER\x20LANGUAGE\x20\x3D.{55}/smi"; reference:url,www.securityfocus.com/bid/38010; reference:url,doc.emergingthreats.net/2010759; classtype:attempted-admin; sid:2010759; rev:2;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability"; flow:established; content:"|21 00 21 03|"; pcre:"/[0-9a-zA-Z]{10}/R"; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; reference:bugtraq,27940; reference:url,doc.emergingthreats.net/bin/view/Main/2007933; classtype:misc-attack; sid:2007933; rev:8;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"ET EXPLOIT Zilab Chat and Instant Messaging User Info BoF Vulnerability"; flow:established; content:"|61 00 09 00 08 00 07 00 21 03|"; pcre:"/[0-9a-zA-Z]{10}/R"; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; reference:bugtraq,27940; reference:url,doc.emergingthreats.net/bin/view/Main/2007934; classtype:misc-attack; sid:2007934; rev:7;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Foxit PDF Reader Authentication Bypass Attempt"; flow:established,to_client; file_data; content:"%PDF-"; within:5; content:"Type/Action"; distance:0; nocase; content:"Launch"; nocase; within:40; content:"NewWindow true"; nocase; distance:0; pcre:"/Type\x2FAction.+Launch.+\x28\x2F[a-z]\x2F[a-z].+NewWindow\x20true/si"; reference:url,www.coresecurity.com/content/foxit-reader-vulnerabilities#lref.4; reference:cve,2009-0836; reference:url,doc.emergingthreats.net/2010878; classtype:attempted-user; sid:2010878; rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 1"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/OvCgi/snmpviewer.exe"; http_uri; nocase; content:"act="; nocase; content:"app="; nocase; isdataat:257,relative; content:!"|0A|"; within:257; pcre:"/app\x3D[^\x26\s\r\n]{257}/i"; reference:cve,CVE-2010-1552; reference:bugtraq,40068; classtype:attempted-admin; sid:2012682; rev:7;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 2"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/OvCgi/snmpviewer.exe"; http_uri; nocase; content:"app="; nocase; content:"act="; nocase; isdataat:257,relative; content:!"|0A|"; within:257; pcre:"/act\x3D[^\x26\s\r\n]{257}/i"; reference:cve,CVE-2010-1552; reference:bugtraq,40068; classtype:attempted-admin; sid:2012683; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 50002 (msg:"ET EXPLOIT Possible Etrust Secure Transaction Platform Identification and Entitlements Server File Disclosure Attempt"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"<!DOCTYPE"; nocase; distance:0; content:"<!ENTITY"; nocase; distance:0; content:"<soapenv|3A|Envelope"; nocase; distance:0; content:"<ns1|3A|Username>"; nocase; distance:0; flowbits:set,ET.etrust.fieldis; reference:url,shh.thathost.com/secadv/2009-06-15-entrust-ies.txt; reference:url,securitytracker.com/alerts/2010/Sep/1024391.html; classtype:misc-attack; sid:2011502; rev:1;)

alert tcp $HOME_NET 50002 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Successful Etrust Secure Transaction Platform Identification and Entitlements Server File Disclosure Attempt"; flowbits:isset,ET.etrust.fieldis; flow:established,from_server; content:"<soap|3A|faultstring>Unknown user"; reference:url,shh.thathost.com/secadv/2009-06-15-entrust-ies.txt; reference:url,securitytracker.com/alerts/2010/Sep/1024391.html; classtype:misc-attack; sid:2011503; rev:3;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView Network Node Manager OvJavaLocale Cookie Value Buffer Overflow Attempt"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/OvCgi/webappmon.exe"; http_uri; nocase; content:"ins=nowait"; http_uri; nocase; content:"cache="; http_uri; nocase; content:"OvJavaLocale="; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.coresecurity.com/content/hp-nnm-ovjavalocale-buffer-overflow; reference:bugtraq,42154; reference:cve,2010-2709; classtype:web-application-attack; sid:2011328; rev:6;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Office Word 2007 sprmCMajority Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"|47 CA FF|"; content:"|3E C6 FF|"; distance:0; isdataat:84,relative; content:!"|0A|"; within:84; reference:url,www.exploit-db.com/moaub11-microsoft-office-word-sprmcmajority-buffer-overflow/; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-056.mspx; reference:bid,42136; reference:cve,2010-1900; classtype:attempted-user; sid:2011478; rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT VMware Tools Update OS Command Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"exec|3A|"; nocase; content:"args|3A|"; nocase; distance:0; content:"UpgradeTools_Task"; distance:0; reference:url,www.exploit-db.com/exploits/15717/; reference:cve,2010-4297; classtype:attempted-admin; sid:2012045; rev:4;)

alert tcp any any -> $HOME_NET 8765 (msg:"ET EXPLOIT JDownloader Webinterface Source Code Disclosure"; flow:established,to_server; content:"|2f|index|2e|tmpl"; depth:80; nocase; pcre:"/\x2findex\x2etmpl(\x3a\x3a\x24DATA|\x2f|\x2e)\x0d\x0a/i"; reference:url,packetstormsecurity.org/files/view/96126/jdownloader-disclose.txt; classtype:attempted-recon; sid:2012055; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 8307 (msg:"ET EXPLOIT VMware 2 Web Server Directory Traversal"; flow:established,to_server; content:"|2f 2e 2e 2f 2e 2e 2f 2e 2e 2f|"; depth:60; reference:url,www.exploit-db.com/exploits/15617/; classtype:attempted-recon; sid:2012057; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"ET EXPLOIT HP LaserJet PLJ Interface Directory Traversal"; flow:established,to_server; content:"|1b 25 2d|"; depth:3; content:"|20 28 29 20 50 4a 4c 20|"; distance:0; within:25; content:"FSDIRLIST|20|NAME="; nocase; content:"|22|0|3a 5c 2e 2e 5c 2e 2e 5c 2e 2e|"; distance:0; within:25; reference:url,www.exploit-db.com/exploits/15631/; reference:bugtraq,44882; reference:cve,2010-4107; classtype:misc-attack; sid:2012058; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 8899 (msg:"ET EXPLOIT Oracle Virtual Server Agent Command Injection Attempt"; flow: to_server,established; content:"POST"; http_method; content:"|0d 0a 0d 0a 3c 3f|xml|20|version"; nocase; content:"|3c|methodCall|3e|"; distance:0; content:"|3c|methodName|3e|"; distance:0; within:25; content:"|3c|params|3e|"; content:"|3c 2f|value|3e|"; distance:0; within:400; content:"|3c|param| 3e|"; distance:0; content:"|3c|value|3e|"; within:50; content:"|3c|string|3e|"; content:"|27|"; distance:0; within:50; content:"|3b|"; within:10; content:"|3b|"; content:"|27|"; distance:0; within:100; reference:url,exploit-db.com/exploits/15244/; classtype:attempted-user; sid:2012101; rev:2;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT D-Link bsc_wlan.php Security Bypass"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/bsc_wlan.php"; nocase; http_uri; content:"ACTION_POST=final&"; nocase; http_client_body; content:"&f_ssid="; nocase; http_client_body; content:"&f_authentication=7&"; nocase; http_client_body; within:135; content:"f_cipher=2&"; nocase; http_client_body; content:"f_wep_len=&f_wep_format=&f_wep_def_key=&"; nocase; http_client_body; within:40; content:"&f_wep=&f_wpa_psk_type=1&f_wpa_psk="; nocase; http_client_body; content:"&f_radius_ip1=&f_radius_port1=&f_radius_secret1="; nocase; http_client_body; within:70; reference:url,packetstormsecurity.org/files/view/96100/dlinkwlan-bypass.txt; classtype:web-application-attack; sid:2012103; rev:5;)

alert udp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 1"; content:"|45 53 44 44|"; depth:4; content:"|04|"; distance:2; within:1; content:"|FE FF|"; distance:0; within:50; content:"|FE FF|"; distance:0; within:50; content:"|FE|"; byte_test:1,>,11,0,relative; reference:url,www.exploit-db.com/exploits/15898/; reference:bid,45634; classtype:attempted-user; sid:2012154; rev:2;)

alert udp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 2"; content:"|FE|"; byte_test:1,>,11,0,relative; content:"|45 53 44 44|"; depth:4; content:"|04|"; distance:2; within:1; content:"|FE FF|"; distance:0; within:50; content:"|FE FF|"; distance:0; within:50; reference:url,www.exploit-db.com/exploits/15898/; reference:bid,45634; classtype:attempted-user; sid:2012155; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Windows Common Control Library Heap Buffer Overflow"; flow:established,from_server; content:"Content-Type|3a| image/svg|2b|xml"; http_header; file_data; content:"|3c|svg xmlns="; distance:0; content:"style|3d 22|fill|3a 20 23|ffffff|22|"; distance:0; content:"transform"; distance:0; pcre:"/^=\s*\x22\s*[^\s\x22\x28]{1000}/iR"; reference:bugtraq,43717; reference:url,www.microsoft.com/technet/security/bulletin/MS10-081.mspx; classtype:attempted-admin; sid:2012174; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Lexmark Printer RDYMSG Cross Site Scripting Attempt"; flow:established,to_server; content:"pjl_ready_message="; http_uri; nocase; fast_pattern:only; pcre:"/pjl\x5Fready\x5Fmessage\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,packetstormsecurity.org/files/view/97265/lexmark-xss.txt; classtype:web-application-attack; sid:2012193; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Unknown Exploit Pack URL Detected"; flow:to_server,established; content:"/imgurl"; nocase; http_uri; content:".php"; distance:0; nocase; http_uri; content:"hl="; distance:0; nocase; http_uri; classtype:bad-unknown; sid:2012324; rev:3;)

alert udp $EXTERNAL_NET any -> $HOME_NET 13364 (msg:"ET EXPLOIT RXS-3211 IP Camera Password Information Disclosure Attempt"; content:"|FF FF FF FF FF FF 00 06 FF F9|"; fast_pattern:only; reference:bid,47976; classtype:attempted-admin; sid:2012866; rev:1;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT 2Wire Password Reset Vulnerability via GET"; flow:established,to_server; content:"/xslt?PAGE=H04_POST&THISPAGE=H04&NEXTPAGE="; http_uri; content:"&PASSWORD="; http_uri; distance:0; content:"&PASSWORD_CONF="; http_uri; distance:0; reference:url,www.seguridad.unam.mx/doc/?ap=articulo&id=196; reference:url,packetstormsecurity.org/files/view/102614/2wire-reset.rb.txt; classtype:attempted-admin; sid:2013165; rev:1;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT 2Wire Password Reset Vulnerability via POST"; flow:established,to_server; content:"/xslt"; http_uri; content:"PAGE=H04_POST&THISPAGE=H04&NEXTPAGE="; http_client_body; content:"&PASSWORD="; http_client_body; distance:0; content:"&PASSWORD_CONF="; http_client_body; distance:0; reference:url,www.seguridad.unam.mx/doc/?ap=articulo&id=196; reference:url,packetstormsecurity.org/files/view/102614/2wire-reset.rb.txt; classtype:attempted-admin; sid:2013166; rev:1;)

#alert tcp $HOME_NET $SSH_PORTS -> any any (msg:"ET EXPLOIT FreeBSD OpenSSH 3.5p1 possible vulnerable server"; flow:established,from_server; content:"SSH-1.99-OpenSSH_3.5p1 FreeBSD-200"; reference:url,packetstormsecurity.org/files/view/102683/ssh_preauth_freebsd.txt; reference:url,seclists.org/2011/Jul/6; classtype:misc-activity; sid:2013167; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT VSFTPD Backdoor User Login Smiley"; flow:established,to_server; content:"USER "; depth:5; content:"|3a 29|"; distance:0; classtype:attempted-admin; sid:2013188; rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow Attempt"; flow:established,to_server; content:"/OvCgi/Toolbar.exe?"; http_uri; content:"/OvCgi/Toolbar.exe?"; isdataat:1024,relative; content:!"|0A|"; within:1024; reference:url,exploit-db.com/exploits/17536/; classtype:web-application-attack; sid:2013288; rev:3;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Possible BSNL Router DNS Change Attempt"; flow:to_server,established; content:"POST"; http_method; content:"/dnscfg.cgi"; http_uri; content:"dnsPrimary="; http_client_body; content:"&dnsSecondary="; http_client_body; content:"&dnsDynamic="; http_client_body; content:"&dnsRefresh="; http_client_body; reference:url,www.hackersbay.in/2011/02/pwning-routersbsnl.html; classtype:attempted-user; sid:2013918; rev:2;)

alert tcp any any -> $HOME_NET 3389 (msg:"ET EXPLOIT Microsoft RDP Server targetParams Exploit Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|7f 65 82 01 94|"; distance:24; within:5; content:"|30 19|"; distance:9; within:2; byte_test:1,<,6,3,relative; reference:url,msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; classtype:attempted-admin; sid:2014383; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Java Atomic Reference Exploit Attempt Metasploit Specific"; flow:established,from_server; file_data; content:"|3c|applet archive=|22|"; distance:0; content:".jar|22|"; distance:0; within:14; content:"code=|22|msf.x.Exploit.class|22|"; distance:0; fast_pattern:6,19; reference:cve,CVE-2012-0507; reference:url,www.metasploit.com/modules/exploit/multi/browser/java_atomicreferencearray; classtype:bad-unknown; sid:2014461; rev:7;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit Specific config files upload"; flow:established,to_server; content:"STOR "; content:".conf|0d 0a|"; distance:0; fast_pattern; pcre:"/^\s*?STOR\s+[^\r\n]*?\x2f(tgt|trace|rbp(c|p))\.conf\r$/mi"; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015513; rev:3;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit nsswitch.conf Upload"; flow:established,to_server; content:"STOR "; content:"nsswitch.conf|0d 0a|"; distance:0; pcre:"/^\s*?STOR\s+[^\r\n]*?nsswitch\.conf\r$/mi"; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015514; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit Specific (CHMOD 777)"; flow:established,to_server; content:"SITE CHMOD 777 NONEXISTANT"; depth:26; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015515; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET EXPLOIT MySQL Stack based buffer overrun Exploit Specific"; flow:to_server,established; content:"grant"; nocase; content:"file"; nocase; distance:0; content:"on"; distance:0; nocase; pcre:"/^\s+A{500}/R"; reference:url,seclists.org/fulldisclosure/2012/Dec/4; classtype:attempted-user; sid:2015975; rev:5;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Heap based buffer overrun Exploit Specific"; flow:to_server,established; byte_test:3,>,10000,0,little; content:"|00 03|"; offset:3; depth:2; pcre:"/^(USE|PASS|SELECT|UPDATE|INSERT|ASCII|SHOW|CREATE|DESCRIBE|DROP|ALTER)\s+?(.{1})\2{300}/Ri"; reference:url,archives.neohapsis.com/archives/fulldisclosure/2012-12/0006.html; classtype:attempted-user; sid:2015987; rev:3;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL (Linux) Database Privilege Elevation (Exploit Specific)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"select |27|TYPE=TRIGGERS|27| into outfile|27|"; nocase; pcre:"/\s*?\/.+?\.TRG\x27\s*?LINES TERMINATED BY \x27\x5fntriggers=/Ri"; content:"CREATE DEFINER=|60|root|60|@|60|localhost|60|"; nocase; distance:0; pcre:"/\s+?trigger\s+?[^\x20]+?\s+?after\s+?insert\s+?on\s+?/Ri"; content:"UPDATE mysql.user"; nocase; fast_pattern:only; reference:cve,2012-5613; reference:url,seclists.org/fulldisclosure/2012/Dec/6; classtype:attempted-user; sid:2015992; rev:7;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Techique DUMP INTO executable)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"SELECT data FROM"; nocase; distance:0; content:"INTO DUMPFILE"; nocase; distance:0; content:"c|3a|/windows/system32/"; nocase; fast_pattern; content:".exe"; nocase; distance:0; pcre:"/SELECT data FROM [^\x20]+?\x20INTO DUMPFILE [\x27\x22]c\x3a\/windows\/system32\/[a-z0-9_-]+?\.exe[\x27\x22]/i"; reference:url,seclists.org/fulldisclosure/2012/Dec/att-13/; classtype:attempted-user; sid:2015995; rev:4;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Technique)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"INSERT INTO"; nocase; distance:0; content:"#pragma namespace("; nocase; distance:0; content:"|5c 5c 5c|.|5c 5c 5c 5c|root|5c 5c 5c 5c|"; nocase; distance:0; content:"__EventFilter"; nocase; distance:0; content:" __InstanceModificationEvent"; nocase; distance:0; content:"TargetInstance"; nocase; distance:0; content:"Win32_LocalTime"; nocase; distance:0; content:"ActiveScriptEventConsumer"; nocase; distance:0; content:"JScript"; nocase; distance:0; content:"WScript.Shell"; nocase; distance:0; content:"WSH.run"; nocase; distance:0; content:".exe"; distance:0; content:"__FilterToConsumerBinding"; pcre:"/WSH\.run\x28\x5c+?[\x22\x27][a-z0-9_-]+?\.exe/"; reference:url,seclists.org/fulldisclosure/2012/Dec/att-13/; classtype:attempted-user; sid:2015996; rev:3;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Metasploit -Java Atomic Exploit Downloaded"; flow:established,to_client; file_data; content:"PK"; within:2; content:"msf|2f|x|2f|"; distance:0; classtype:bad-unknown; sid:2016028; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Metasploit js_property_spray sprayHeap"; flow:established,from_server; file_data; content:"sprayHeap"; nocase; pcre:"/^[\r\n\s]*?\x28[^\x29]*?shellcode/Ri"; reference:url,community.rapid7.com/community/metasploit/blog/2013/03/04/new-heap-spray-technique-for-metasploit-browser-exploitation; classtype:attempted-user; sid:2016519; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Metasploit mstime_malloc no-spray"; flow:established,from_server; file_data; content:"mstime_malloc"; nocase; pcre:"/^[\r\n\s]*?\x28[^\x29]*?shellcode/Ri"; reference:url,community.rapid7.com/community/metasploit/blog/2013/03/04/new-heap-spray-technique-for-metasploit-browser-exploitation; classtype:attempted-user; sid:2016824; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Exim/Dovecot Possible MAIL FROM Command Execution"; flow:to_server,established; content:"${IFS}"; fast_pattern:only; content:"mail from|3a|"; nocase; pcre:"/^[^\r\n]*?\x60[^\x60]*?\$\{IFS\}/R"; reference:url,redteam-pentesting.de/de/advisories/rt-sa-2013-001/-exim-with-dovecot-typical-misconfiguration-leads-to-remote-command-execution; classtype:attempted-admin; sid:2016835; rev:2;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts Possible OGNL Java Exec In URI"; flow:to_server,established; content:"java.lang.Runtime@getRuntime().exec("; http_uri; nocase; classtype:attempted-user; sid:2016953; rev:2;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts Possible OGNL AllowStaticMethodAccess in client body"; flow:to_server,established; content:"memberAccess"; http_client_body; nocase; content:"allowStaticMethodAccess"; http_client_body; nocase; classtype:attempted-user; sid:2016954; rev:2;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts Possible OGNL AllowStaticMethodAccess in URI"; flow:to_server,established; content:"memberAccess"; http_uri; nocase; content:"allowStaticMethodAccess"; http_uri; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016956; rev:2;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts Possible OGNL Java Exec in client body"; flow:to_server,established; content:"java.lang.Runtime@getRuntime().exec("; http_client_body; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016957; rev:2;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts Possible OGNL Java WriteFile in client_body"; flow:to_server,established; content:"java.io.FileOutputStream"; http_client_body; nocase; content:".write"; distance:0; nocase; http_client_body; content:"sun.misc.BASE64Decoder"; nocase; http_client_body; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016958; rev:2;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts Possible OGNL Java WriteFile in URI"; flow:to_server,established; content:"java.io.FileOutputStream"; http_uri; nocase; content:".write"; distance:0; nocase; http_uri; content:"sun.misc.BASE64Decoder"; nocase; http_uri; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016959; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit plugin-detect script access"; flow:established,to_client; file_data; content:"ScriptBridge.ScriptBridge"; content:"|00|h|00|t|00|t|00|p|00 3a 00 2f 00 2f 00|"; content:"|2f 00|v|00|w|00|.|00|p|00|h|00|p|00|?|00|i|00|="; distance:0; fast_pattern; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017006; rev:4;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit plugin-detect script access"; flow:established,from_client; content:"/vw.php?i="; http_uri; fast_pattern:only; pcre:"/\/vw\.php\?i=[a-fA-F0-9]+?\-[a-fA-F0-9]+?$/U"; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017007; rev:6;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit Specific"; flow:established,to_client; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"IHDR"; distance:0; content:"tEXt"; distance:13; content:"db.php?j="; distance:0; content:"msnmusax.ninn"; fast_pattern:only; classtype:attempted-user; sid:2017008; rev:5;)

alert tcp $HOME_NET any -> $HTTP_SERVERS [5353,5656,80] (msg:"ET EXPLOIT SolusVM 1.13.03 SQL injection"; flow:established,to_server; content:"POST "; depth:5; content:"/centralbackup.php?"; fast_pattern:only; content:"_v="; content:"deleteid="; classtype:trojan-activity; sid:2017060; rev:2;)

alert tcp $HOME_NET any -> $HTTP_SERVERS [5353,5656,80] (msg:"ET EXPLOIT SolusVM 1.13.03 Access to solusvmc-node setuid bin"; flow:established,to_server; content:"POST "; depth:5; content:"solusvmc-node"; fast_pattern:only; pcre:"/\bsolusvmc-node\b/"; classtype:trojan-activity; sid:2017061; rev:3;)

alert tcp $HOME_NET any -> $HTTP_SERVERS [5353,5656,80] (msg:"ET EXPLOIT SolusVM WHMCS CURL Multi-part Boundary Issue"; flow:established,to_server; content:"POST "; depth:5; content:"/rootpassword.php?"; fast_pattern:only; content:"name=action"; content:"name=action"; distance:0; content:"name=action"; distance:0; reference:url,localhost.re/p/solusvm-whmcs-module-316-vulnerability; classtype:trojan-activity; sid:2017063; rev:1;)

alert udp any any -> $HOME_NET [623,664] (msg:"ET EXPLOIT IPMI Cipher 0 Authentication mode set"; content:"|07 06 10 00 00 00 00 00 00 00 00|"; offset:3; depth:11; content:"|00 00|"; distance:2; within:2; content:"|00 00 00 08 00 00 00 00 01 00 00 08 00 00 00 00 02 00 00 08 00 00 00 00|"; distance:6; within:24; reference:url,www.intel.com/content/dam/www/public/us/en/documents/product-briefs/second-gen-interface-spec-v2.pdf; reference:url,community.rapid7.com/community/metasploit/blog/2013/06/23/a-penetration-testers-guide-to-ipmi; classtype:attempted-admin; sid:2017094; rev:3;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts Possible OGNL Java ProcessBuilder URI"; flow:to_server,established; content:"java.lang.ProcessBuilder("; http_uri; nocase; classtype:attempted-user; sid:2017172; rev:3;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts Possible OGNL Java ProcessBuilder in client body"; flow:to_server,established; content:"java.lang.ProcessBuilder("; http_client_body; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2017173; rev:3;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Wscript Shell Run Attempt - Likely Hostile"; flow:established,to_server; content:"WScript.Shell"; nocase; content:".Run"; nocase; within:100; pcre:"/[\r\n\s]+(?P<var1>([a-z]([a-z0-9_])*|_+([a-z0-9])([a-z0-9_])*))[\r\n\s]*\x3d[\r\n\s]*CreateObject\(\s*[\x22\x27]Wscript\.Shell[\x27\x22]\s*\).+?(?P=var1)\.run/si"; classtype:attempted-user; sid:2017205; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Metasploit CVE-2013-3205 Exploit Specific"; flow:established,to_client; file_data; content:"function putPayload("; nocase; fast_pattern:only; classtype:attempted-user; sid:2017510; rev:1;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS  [25,587] (msg:"ET EXPLOIT Microsoft Outlook/Crypto API X.509 oid id-pe-authorityInfoAccessSyntax design bug allow blind HTTP requests attempt"; flow:to_server,established; content:"multipart/signed|3B|"; nocase; content:"application/pkcs7-signature|3B|"; nocase; distance:0; content:"|0A|QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB|0D|"; distance:0; reference:cve,2013-3870; reference:url,www.microsoft.com/technet/security/bulletin/MS13-068.mspx; reference:url,blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex; classtype:attempted-admin; sid:2017712; rev:10;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT JavaX Toolkit Posting Plugin-Detect Data"; flow:established,to_server; content:"/post.php?referanceMod="; http_uri; nocase; content:"java"; http_uri; nocase; reference:url,github.com/MrXors/Javax/; classtype:attempted-user; sid:2017730; rev:3;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Adobe PDF CVE-2013-0640"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".keep.previous"; nocase; fast_pattern:only; content:".resolveNode"; nocase; pcre:"/^[\r\n\s]*?\\?\(.+?\\?\)\.keep\.previous[\r\n\s]*?=[\r\n\s]*?[\x22\x27]contentArea/Rsi"; reference:url,www.exploit-db.com/exploits/29881/; classtype:attempted-user; sid:2017790; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Zollard PHP Exploit UA"; flow:established,to_server; content:"Zollard"; fast_pattern:only; http_header; pcre:"/^User-Agent\x3a[^\r\n]+?Zollard/Hmi"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:trojan-activity; sid:2017798; rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Zollard PHP Exploit Telnet Inbound"; flow:to_server,established; content:"/var/run/.zollard/"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:attempted-user; sid:2017799; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"ET EXPLOIT Zollard PHP Exploit Telnet Outbound"; flow:to_server,established; content:"/var/run/.zollard/"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:attempted-user; sid:2017800; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Browser Exploit Server Plugin Detect"; flow:from_server,established; file_data; content:"misc_addons_detect.hasSilverlight"; classtype:trojan-activity; sid:2017810; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Zollard PHP Exploit UA Outbound"; flow:established,to_server; content:"Zollard"; fast_pattern:only; http_header; pcre:"/^User-Agent\x3a[^\r\n]+?Zollard/Hmi"; reference:cve,2012-1823; reference:url,blogs.cisco.com/security/the-internet-of-everything-including-malware/; classtype:trojan-activity; sid:2017825; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 1"; flow:established,to_server; content:"Jm9zX2ZsYXZvcj"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017896; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 2"; flow:established,to_server; content:"Zvc19mbGF2b3I9"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017897; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 3"; flow:established,to_server; content:"mb3NfZmxhdm9yP"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017898; rev:3;)

alert tcp any any -> any 32764 (msg:"ET EXPLOIT MMCS service (Little Endian)"; flow:established,to_server; content:"MMcS"; depth:4; isdataat:9,relative; reference:url,github.com/elvanderb/TCP-32764; classtype:web-application-attack; sid:2017923; rev:2;)

alert tcp any any -> any 32764 (msg:"ET EXPLOIT MMCS service (Big Endian)"; flow:established,to_server; content:"ScMM"; depth:4; isdataat:9,relative; reference:url,github.com/elvanderb/TCP-32764; classtype:web-application-attack; sid:2017924; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass fw_sys_up.cgi"; flow:to_server,established; content:"GET "; depth:4; content:"/cgi-bin/fw_sys_up.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018156; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass override.cgi"; flow:to_server,established; content:"GET "; depth:4; content:"/cgi-bin/override.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018157; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass share_editor.cgi"; flow:to_server,established; content:"GET "; depth:4; content:"/cgi-bin/share_editor.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018158; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass switch_boot.cgi"; flow:to_server,established; content:"GET "; depth:4; content:"/cgi-bin/switch_boot.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018159; rev:2;)

alert tcp $HOME_NET 8083 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Linksys Failed Upgrade BackDoor Access (Server Response)"; flow:from_server,established; content:"Utopia_Init|3a 20|SUCCEEDED"; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018160; rev:3;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 1"; flow:established,to_server; content:"/PSBlock"; fast_pattern:only; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018585; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 2"; flow:established,to_server; content:"/PSStore"; fast_pattern:only; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018586; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 3"; flow:established,to_server; content:"/PMConfig.dat"; fast_pattern:only; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018587; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 4"; flow:established,to_server; content:"/wsman/simple_auth.passwd"; fast_pattern:5,20; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018588; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Metasploit FireFox WebIDL Privileged Javascript Injection"; flow:from_server,established; file_data; content:".atob(String.fromCharCode("; pcre:"/^(?:90|0x5a|0+?132)\s*?,\s*?(?:71|0x47|0+?107)\s*?,\s*?(?:70|0x46|0+?106)\s*?,\s*?(?:48|0x30|0+?60)\s*?,\s*?(?:89|0x59|0+?131)\s*?,\s*?(?:84|0x54|0+?124)\s*?,\s*?(?:112|0x70|0+?160)/Rsi"; reference:url,www.exploit-db.com/exploits/34448/; classtype:trojan-activity; sid:2019085; rev:4;)

alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi access attempt"; flow:to_server,established; dsize:4; content:"cmi|0a|"; fast_pattern:only; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019087; rev:4;)

alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys access attempt"; flow:to_server,established; content:"cmi/var/ssh/root/authorized_keys"; fast_pattern:only; flowbits:set,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019088; rev:3;)

alert tcp any 873 -> any any (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys successful exfiltration"; flow:from_server,established; content:"ssh-rsa"; fast_pattern:only; flowbits:isset,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019089; rev:2;)

alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys successful upload"; flow:to_server,established; content:"ssh-rsa"; fast_pattern:only; flowbits:isset,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019090; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Random Base CharCode JS Encoded String"; flow:from_server,established; file_data; content:"String.fromCharCode("; pcre:"/^(?=(?:(:?0x[a-f0-9]{2}|0+?\d{1,3})\s*?,\s*?)*?\d{1,3})(?=(?:(:?0x[a-f0-9]{2}|\d{1,3})\s*?,\s*?)*?0+?\d{1,3})(?=(?:(:?0+?\d{1,3}|\d{1,3})\s*?,\s*?)*?0x[a-f0-9]{2})(?:(:?0x[a-f0-9]{2}|0+?\d{1,3}|\d{1,3})\s*?,\s*?)+(:?0x[a-f0-9]{2}|0+?\d{1,3}|\d{1,3})\s*?\)/Rsi"; classtype:trojan-activity; sid:2019091; rev:2;)

alert udp any 67 -> any 68 (msg:"ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK"; content:"|02 01|"; depth:2; content:"|28 29 20 7b|"; fast_pattern:only; reference:url,access.redhat.com/articles/1200223; reference:cve,2014-6271; classtype:attempted-admin; sid:2019237; rev:4;)

alert udp any any -> $HOME_NET [5060,5061] (msg:"ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP Proxy"; flow:to_server; content:"|28 29 20 7b|"; fast_pattern:only; reference:url,github.com/zaf/sipshock; classtype:attempted-admin; sid:2019289; rev:3;)

alert tcp any any -> $HOME_NET [5060,5061] (msg:"ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP Proxy"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern:only; reference:url,github.com/zaf/sipshock; classtype:attempted-admin; sid:2019290; rev:2;)

alert tcp any any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible Qmail CVE-2014-6271 Mail From attempt"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern:only; pcre:"/^mail\s*?from\s*?\x3a\s*?[^\r\n]*?\x28\x29\x20\x7b/mi"; reference:url,marc.info/?l=qmail&m=141183309314366&w=2; classtype:attempted-admin; sid:2019293; rev:2;)

alert udp any any -> $HOME_NET 1194 (msg:"ET EXPLOIT Possible OpenVPN CVE-2014-6271 attempt"; flow:to_server; content:"|20|"; depth:1; content:"|28 29 20 7b|"; fast_pattern:only; reference:url,news.ycombinator.com/item?id=8385332; classtype:attempted-admin; sid:2019322; rev:2;)

alert tcp any any -> $HOME_NET 1194 (msg:"ET EXPLOIT Possible OpenVPN CVE-2014-6271 attempt"; flow:to_server,established; content:"|20|"; depth:1; content:"|28 29 20 7b|"; fast_pattern:only; reference:url,news.ycombinator.com/item?id=8385332; classtype:attempted-admin; sid:2019323; rev:2;)

alert tcp any any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible Pure-FTPd CVE-2014-6271 attempt"; flow:to_server,established; content:"|28 29 20 7b 20|"; fast_pattern:only; reference:url,gist.github.com/jedisct1/88c62ee34e6fa92c31dc; reference:cve,2014-6271; classtype:attempted-admin; sid:2019335; rev:1;)

alert tcp any any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible Postfix CVE-2014-6271 attempt"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern:only; pcre:"/^[a-z-]+\s*?\x3a\s*?[^\r\n]*?\x28\x29\x20\x7b.*\x3b.*\x7d\s*\x3b(?!=[\r\n])/mi"; reference:url,exploit-db.com/exploits/34896/; reference:cve,2014-6271; classtype:attempted-admin; sid:2019389; rev:4;)

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6271 malicious DNS response"; byte_test:1,&,128,2; content:"|28 29 20 7b|"; fast_pattern:only; reference:cve,2014-6271; reference:url,packetstormsecurity.com/files/128650; classtype:attempted-admin; sid:2019402; rev:1;)

alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DNS"; byte_test:1,&,128,4; content:"|28 29 20 7b|"; fast_pattern:only; reference:cve,2014-6271; reference:url,packetstormsecurity.com/files/128650; classtype:attempted-admin; sid:2019403; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 1"; flow:established,to_server; content:"name["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])name\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019422; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 2"; flow:established,to_server; content:"name%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])name\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019423; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 3"; flow:established,to_server; content:"nam%65["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])nam\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019424; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 4"; flow:established,to_server; content:"nam%65%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])nam\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019425; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 5"; flow:established,to_server; content:"na%6de["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6de\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019426; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 6"; flow:established,to_server; content:"na%6de%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6de\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019427; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 7"; flow:established,to_server; content:"na%6d%65["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6d\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019428; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 8"; flow:established,to_server; content:"na%6d%65%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6d\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019429; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 9"; flow:established,to_server; content:"n%61me["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61me\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019430; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 10"; flow:established,to_server; content:"n%61me%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61me\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019431; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 11"; flow:established,to_server; content:"n%61m%65["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61m\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019432; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 12"; flow:established,to_server; content:"n%61m%65%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61m\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019433; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 13"; flow:established,to_server; content:"n%61%6de["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6de\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019434; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 14"; flow:established,to_server; content:"n%61%6de%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6de\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019435; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 15"; flow:established,to_server; content:"n%61%6d%65["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6d\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019436; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 16"; flow:established,to_server; content:"n%61%6d%65%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6d\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019437; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 17"; flow:established,to_server; content:"%6eame["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eame\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019438; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 18"; flow:established,to_server; content:"%6eame%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eame\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019439; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 19"; flow:established,to_server; content:"%6eam%65["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eam\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019440; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 20"; flow:established,to_server; content:"%6eam%65%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eam\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019441; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 21"; flow:established,to_server; content:"%6ea%6de["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6de\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019442; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 22"; flow:established,to_server; content:"%6ea%6de%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6de\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019443; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 23"; flow:established,to_server; content:"%6ea%6d%65["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6d\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019444; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 24"; flow:established,to_server; content:"%6ea%6d%65%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6d\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019445; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 25"; flow:established,to_server; content:"%6e%61me["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61me\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019446; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 26"; flow:established,to_server; content:"%6e%61me%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61me\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019447; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 27"; flow:established,to_server; content:"%6e%61m%65["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61m\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019448; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 28"; flow:established,to_server; content:"%6e%61m%65%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61m\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019449; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 29"; flow:established,to_server; content:"%6e%61%6de["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6de\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019450; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 30"; flow:established,to_server; content:"%6e%61%6de%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6de\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019451; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 31"; flow:established,to_server; content:"%6e%61%6d%65["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6d\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019452; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 32"; flow:established,to_server; content:"%6e%61%6d%65%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6d\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019453; rev:1;)

alert udp $HOME_NET 5351 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response to External Network"; dsize:12; content:"|80 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019490; rev:2;)

alert udp $HOME_NET 5351 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response Successful TCP Map to External Network"; dsize:16; content:"|82 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019491; rev:2;)

alert udp $HOME_NET 5351 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response Successful UDP Map to External Network"; dsize:16; content:"|81 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019492; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Belkin N750 Buffer Overflow Attempt"; flow:established,to_server; content:"POST"; http_method; urilen:10; content:"/login.cgi"; http_uri; content:"GO=&jump="; http_client_body; depth:9; isdataat:1380,relative; reference:cve,CVE-2014-1635; reference:url,labs.integrity.pt/advisories/cve-2014-1635/; classtype:attempted-admin; sid:2019686; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Function Name"; flow:to_client,established; file_data; content:"function"; pcre:"/^(?:\x25(?:25)*?20|\s)*?runmumaa\W/Rs"; content:"runmumaa"; fast_pattern:only; reference:cve,2014-6332; classtype:attempted-user; sid:2019733; rev:4;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct"; flow:to_client,established; file_data; content:"chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)"; reference:cve,2014-6332; classtype:attempted-user; sid:2019734; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct Hex Encode"; flow:to_client,established; file_data; content:"chrw|25|"; pcre:"/^(?:25)?282176\x25(?:25)?29\x25(?:25)?26chrw\x25(?:25)?2801/Rs"; reference:cve,2014-6332; classtype:attempted-user; sid:2019735; rev:2;)

alert tcp any 2067 -> $EXTERNAL_NET any (msg:"ET EXPLOIT DLSw Information Disclosure CVE-2014-7992"; flow:established,from_server; content:"Cisco"; nocase; pcre:"/^(?: Systems|\.com\/techsupport)/Ri"; threshold:type both,count 1,seconds 60,track by_dst; reference:url,www.fishnetsecurity.com/6labs/blog/cisco-dlsw-leakage-allows-retrieval-packet-contents-remote-routers; reference:url,github.com/tatehansen/dlsw_exploit; reference:cve,2014-7992; classtype:trojan-activity; sid:2019778; rev:2;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1599)"; flow:established,to_server; content:"GET"; http_method; content:"/cgi-bin/rtpd.cgi?"; http_uri; fast_pattern:only; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-admin; sid:2019801; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1600)"; flow:established,to_server; urilen:17; content:"GET"; http_method; content:"/upnp/asf-mp4.asf"; http_uri; fast_pattern:only; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-admin; sid:2019802; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1601)"; flow:established,to_server; urilen:12; content:"GET"; http_method; content:"/md/lums.cgi"; http_uri; fast_pattern:only; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-admin; sid:2019803; rev:1;)

alert tcp any any -> $HOME_NET 88 (msg:"ET EXPLOIT Possible PYKEK Priv Esc in-use"; flow:established,to_server; content:"|a4 11 18 0f|19700101000000Z|a5 11 18 0f|19700101000000Z|a6 11 18 0f|19700101000000Z"; content:"|a8 05 30 03 02 01 17|"; distance:8; within:7; threshold: type limit, track by_src, seconds 60, count 1; reference:url,github.com/bidord/pykek; reference:cve,CVE-2014-6324; classtype:attempted-admin; sid:2019897; rev:2;)

alert tcp any any -> $HOME_NET 88 (msg:"ET EXPLOIT Possible GoldenPac Priv Esc in-use"; flow:established,to_server; content:"|a0 07 03 05 00 50 80 00 00|"; content:"|a8 05 30 03 02 01 17|"; distance:0; isdataat:!1,relative; threshold: type limit, track by_src, seconds 60, count 1; reference:url,code.google.com/p/impacket/source/browse/trunk/examples/goldenPac.py; reference:cve,CVE-2014-6324; classtype:attempted-admin; sid:2019922; rev:2;)

alert tcp any any -> any [$HTTP_PORTS,7547] (msg:"ET EXPLOIT Possible Misfortune Cookie - SET"; flow:established,to_server; content:"Cookie|3a| C"; nocase; pcre:"/^[0-9][^=]/R"; flowbits:set,ET.Misfortune_Cookie; flowbits:noalert; reference:url,mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf; classtype:trojan-activity; sid:2020100; rev:1;)

alert tcp any [$HTTP_PORTS,7547] -> any any (msg:"ET EXPLOIT Possible Misfortune Cookie RomPager Server banner"; flow:established,from_server; flowbits:isset,ET.Misfortune_Cookie; content:"Server|3a| RomPager"; nocase; reference:url,mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf; classtype:trojan-activity; sid:2020101; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,465,587] (msg:"ET EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt (HELO)"; flow:to_server,established; content:"HELO "; nocase; content:!"|0a|"; within:1024; pcre:"/^\s*?\d[\d\x2e]{255}/R"; reference:url,openwall.com/lists/oss-security/2015/01/27/9; classtype:attempted-admin; sid:2020325; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,465,587] (msg:"ET EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt (EHLO)"; flow:to_server,established; content:"EHLO "; nocase; content:!"|0a|"; within:1024; pcre:"/^\s*?\d[\d\x2e]{255}/R"; reference:url,openwall.com/lists/oss-security/2015/01/27/9; classtype:attempted-admin; sid:2020326; rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Possible dlink-DSL2640B DNS Change Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/ddnsmngr.cmd?action=apply"; http_uri; fast_pattern:only; content:"dnsPrimary="; http_uri; content:"&dnsSecondary="; http_uri; content:"&dnsDynamic="; http_uri; content:"&dnsRefresh="; http_uri; reference:url,packetstormsecurity.com/files/130418/dlink-DSL2640B.txt; classtype:attempted-user; sid:2020485; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Possible ShuttleTech 915WM DNS Change Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/dnscfg.cgi?"; http_uri; fast_pattern:only; content:"dnsPrimary="; http_uri; content:"&dnsSecondary="; http_uri; content:"&dnsDynamic="; http_uri; content:"&dnsRefresh="; http_uri; reference:url,packetstormsecurity.com/files/130418/dlink-DSL2640B.txt; classtype:attempted-user; sid:2020486; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Generic ADSL Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"dnsPrimary="; http_uri; fast_pattern:only; content:"&dnsSecondary="; http_uri; content:"&dnsDynamic="; http_uri; content:"&dnsRefresh="; http_uri; reference:url,packetstormsecurity.com/files/130418/dlink-DSL2640B.txt; classtype:attempted-user; sid:2020487; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Generic ADSL Router DNS Change POST Request"; flow:to_server,established; content:"POST"; http_method; content:"dnsPrimary="; http_client_body; fast_pattern:only; content:"dnsSecondary="; http_client_body; content:"dnsDynamic="; http_client_body; content:"dnsRefresh="; http_client_body; reference:url,www.hackersbay.in/2011/02/pwning-routersbsnl.html; classtype:attempted-user; sid:2020488; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Seagate Business NAS Unauthenticated Remote Command Execution"; flow:to_server,established; content:"POST"; http_method; content:"/index.php/mv_system/get_general_setup?_=1413463189043"; http_uri; fast_pattern:only; content:"set_general"; http_client_body; reference:url,beyondbinary.io/advisory/seagate-nas-rce; classtype:attempted-admin; sid:2020583; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT PCMan FTP Server 2.0.7 Remote Command Execution"; flow:to_server,established; content:"|65 82 a5 7c|"; fast_pattern; content:"|90 90 90 90 90|"; distance:0; within:10; reference:url,exploit-db.com/exploits/36078; classtype:attempted-admin; sid:2020585; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT D-Link and TRENDnet ncc2 Service Vulnerability (ping.ccp) 2015-1187"; flow:to_server,established; content:"POST"; http_method; urilen:9; content:"/ping.ccp"; http_uri; fast_pattern:only; content:"ccp_act=ping_v6&ping_addr="; http_client_body; depth:26; pcre:"/ping_addr=[\d.]*[^\d.]/P"; reference:url,github.com/darkarnium/secpub/tree/master/Multivendor/ncc2; classtype:attempted-admin; sid:2020590; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT D-Link and TRENDnet ncc2 Service Vulnerability (fwupdate.cpp) 2015-1187"; flow:to_server,established; content:"POST"; http_method; urilen:14; content:"/fwupgrade.ccp"; http_uri; fast_pattern:only; content:"|0d 0a|fwupgrade"; http_client_body; content:"|0d 0a|resolv.conf"; nocase; http_client_body; reference:url,github.com/darkarnium/secpub/tree/master/Multivendor/ncc2; classtype:attempted-admin; sid:2020603; rev:1;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 03|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020630; rev:6;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 06|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020631; rev:6;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 08|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020632; rev:5;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0E|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020633; rev:6;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 11|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020659; rev:4;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 14|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020660; rev:4;)

alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 19|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020661; rev:3;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 26|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020662; rev:5;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 27|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020663; rev:4;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 28|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020664; rev:4;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 29|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020665; rev:4;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 2A|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020666; rev:4;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 2B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020667; rev:4;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020668; rev:2;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 17|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020669; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 4"; flow:established,to_server; content:"POST"; http_method; content:"b3NfbmFtZT"; depth:10; http_client_body; pcre:"/^b3NfbmFtZT[A-Za-z0-9+/]{2}(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020751; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 5"; flow:established,to_server; content:"POST"; http_method; content:"Jm9zX3ZlbmRvcj"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020752; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 6"; flow:established,to_server; content:"POST"; http_method; content:"Zvc192ZW5kb3I9"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020753; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 7"; flow:established,to_server; content:"POST"; http_method; content:"mb3NfdmVuZG9yP"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020754; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Browser Exploit Server Plugin Detect 2"; flow:from_server,established; file_data; content:"var os_name|3b|"; content:"var os_vendor|3b|"; content:"var os_device|3b|"; content:"var os_flavor|3b|"; classtype:trojan-activity; sid:2020755; rev:1;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT TP-LINK TL-WR340G Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/userRpm/WanDynamicIpCfgRpm.htm?"; http_uri; depth:32; content:"&dnsserver="; http_uri; content:"&Save=Save"; http_uri; fast_pattern:only; reference:url,www.exploit-db.com/exploits/34583; classtype:attempted-admin; sid:2020856; rev:1;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Belkin Wireless G Router DNS Change POST Request"; flow:to_server,established; content:"POST"; http_method; urilen:22; content:"/cgi-bin/setup_dns.exe"; http_uri; content:"getpage=|2e 2e|/html/setup/dns.htm"; http_client_body; depth:29; fast_pattern:9,20; content:"resolver|3a|settings/nameserver1="; http_client_body; distance:0; reference:url,www.exploit-db.com/exploits/3605; classtype:attempted-admin; sid:2020857; rev:3;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Linksys WRT54GL Router DNS Change POST Request"; flow:to_server,established; content:"POST"; http_method; urilen:10; content:"/apply.cgi"; content:"submit_button=index"; http_client_body; depth:19; fast_pattern; content:"&action=Apply"; http_client_body; distance:0; nocase; content:"&lan_dns0="; http_client_body; distance:0; reference:url,www.s3cur1ty.de/node/640; classtype:attempted-admin; sid:2020858; rev:1;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Netgear WNDR Router DNS Change POST Request"; flow:to_server,established; content:"POST"; http_method; urilen:26; content:"/apply.cgi?/BAS_update.htm"; http_uri; content:"submit_flag=ether"; http_client_body; depth:17; fast_pattern; content:"&ether_dnsaddr1="; http_client_body; distance:0; nocase; content:"&Apply=Apply"; http_client_body; distance:0; reference:url,www.s3cur1ty.de/node/640; classtype:attempted-admin; sid:2020859; rev:2;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Motorola SBG900 Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/goformFOO/AlFrame?"; http_uri; content:"/goformFOO/AlFrame?"; http_uri; distance:0; content:"Gateway.Wan.dnsAddress1="; http_uri; distance:0; reference:url,github.com/hkm/routerpwn.com/blob/master/index.html; classtype:attempted-admin; sid:2020861; rev:1;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 1"; flow:to_server,established; content:"GET"; http_method; content:"/start_apply.htm?"; http_uri; content:"wan_dns1="; http_uri; distance:0; content:"action_mode=apply"; http_uri; distance:0; reference:url,securityevaluators.com/knowledge/case_studies/routers/asus_rtn56u.php; classtype:attempted-admin; sid:2020862; rev:1;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 2"; flow:to_server,established; content:"GET"; http_method; content:"/start_apply.htm?"; http_uri; content:"wan_dns1_x="; http_uri; distance:0; reference:url,securityevaluators.com/knowledge/case_studies/routers/asus_rtn56u.php; classtype:attempted-admin; sid:2020863; rev:1;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT FritzBox RCE POST Request"; flow:to_server,established; content:"POST"; http_method; urilen:14; content:"/cgi-bin/webcm"; http_uri; fast_pattern:only; content:"getpage="; http_client_body; depth:10; content:"errorpage="; http_client_body; distance:0; content:"/html/index.html&login|3a|command"; http_client_body; distance:0; reference:url,www.exploit-db.com/exploits/33136; classtype:attempted-admin; sid:2020867; rev:2;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT FritzBox RCE GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/cgi-bin/webcm?"; http_uri; fast_pattern; content:"getpage="; http_uri; distance:0; content:"|2e 2e|/html/menus/menu2.html"; http_raw_uri; content:"&var|3a|lang="; http_uri; reference:url,www.exploit-db.com/exploits/33136; classtype:attempted-admin; sid:2020868; rev:2;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 3"; flow:to_server,established; content:"GET"; http_method; content:"/start_apply.htm?"; http_uri; fast_pattern; content:"dnsserver="; http_uri; distance:0; content:"&dnsserver2="; http_uri; distance:0; reference:url,securityevaluators.com/knowledge/case_studies/routers/asus_rtn56u.php; classtype:attempted-admin; sid:2020871; rev:1;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT TP-LINK Known Malicious Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/basic/uiViewIPAddr="; fast_pattern; http_uri; content:"&uiViewDns1Mark="; http_uri; distance:0; content:"&uiViewDns2Mark="; http_uri; distance:0; reference:url,pastebin.com/u0MRLmjp; classtype:attempted-admin; sid:2020872; rev:1;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT D-link DI604 Known Malicious Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/prim.htm?"; http_uri; depth:10; fast_pattern; nocase; content:"i00110004="; http_uri; distance:0; content:"&i00110005="; http_uri; distance:0; nocase; content:"&i00035007="; http_uri; distance:0; nocase; reference:url,www.gnucitizen.org/blog/router-hacking-challenge; classtype:attempted-admin; sid:2020873; rev:1;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Netgear DGN1000B Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/setup.cgi?todo=wan_dns1="; http_uri; fast_pattern:only; reference:url,www.rapid7.com/db/modules/exploit/linux/http/netgear_dgn1000b_setup_exec; classtype:attempted-admin; sid:2020874; rev:1;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Belkin G F5D7230-4 Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/setup_dns.stm?page=setup_dns"; http_uri; content:"&dns1_1="; http_uri; reference:url,www.gnucitizen.org/blog/holes-in-embedded-devices-authentication-bypass-pt-4; classtype:attempted-admin; sid:2020875; rev:1;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Tenda ADSL2/2+ Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/apply.cgi?wan_primary_dns="; http_uri; fast_pattern:only; content:"&wan_secondary_dns="; http_uri; reference:url,malwr.com/analysis/MGY1ZDFhYjE1MzQ4NDAwM2EyZTI5YmY3MWZjMWE5OGM; classtype:attempted-admin; sid:2020876; rev:1;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Known Malicious Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/router/add_dhcp_segment.cgi?"; http_uri; fast_pattern:only; content:"is_router_as_dns=1"; http_uri; content:"&dns1="; http_uri; content:"submitbutton="; http_uri; reference:url,wepawet.cs.ucsb.edu/view.php?hash=5e14985415814ed1e107c0583a27a1a2&t=1384961238&type=js; classtype:attempted-admin; sid:2020877; rev:1;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT TP-LINK TL-WR841N Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/userRpm/LanDhcpServerRpm.htm?"; http_uri; fast_pattern; content:"dhcpserver=1"; http_uri; content:"&dnsserver="; http_uri; content:"&Save="; http_uri; reference:url,www.exploit-db.com/exploits/34584; classtype:attempted-admin; sid:2020878; rev:1;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Linksys WRT54GL DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/Basic.tri?"; http_uri; fast_pattern; content:"&dns0_0="; http_uri; content:"&dns0_1="; http_uri; reference:url,sebug.net/paper/Exploits-Archives/2008-exploits/0803-exploits/linksys-bypass.txt; classtype:attempted-admin; sid:2020879; rev:1;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT TP-LINK TL-WR750N DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/userRpm/WanStaticIpCfgRpm.htm"; http_uri; fast_pattern; content:"&dnsserver="; http_uri; content:"&Save=Save"; http_uri; reference:url,www.xexexe.cz/2015/02/bruteforcing-tp-link-routers-with.html; classtype:attempted-admin; sid:2020880; rev:1;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution"; flow:established,to_server; content:"POST"; http_method; content:"SOAPAction|3a|"; http_header; content:"http|3a|//purenetworks.com/HNAP1/"; fast_pattern; http_header; pcre:"/^SOAPAction\x3a\s+?[^\r\n]*?http\x3a\/\/purenetworks\.com\/HNAP1\/([^\x2f]+?[\x2f])?[^\x2f]+?\x60/Hmi"; reference:url,devttys0.com/2015/04/hacking-the-d-link-dir-890l/; classtype:attempted-admin; sid:2020899; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 302"; flow:from_server,established; content:"302"; http_stat_code; content:"Found"; http_stat_msg; content:"Location|3a| file|3a 2f 2f|"; http_header; fast_pattern:only; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020916; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 301"; flow:from_server,established; content:"301"; http_stat_code; content:"Location|3a| file|3a 2f 2f|"; http_header; fast_pattern:only; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020917; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 307"; flow:from_server,established; content:"307"; http_stat_code; content:"Location|3a| file|3a 2f 2f|"; http_header; fast_pattern:only; reference:url,blog.cylance.com/redirect-to-smb; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/resurrection-of-the-living-dead-the-redirect-to-smb-vulnerability/; classtype:attempted-user; sid:2020976; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 303"; flow:from_server,established; content:"303"; http_stat_code; content:"Location|3a| file|3a 2f 2f|"; http_header; fast_pattern:only; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020977; rev:1;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT WNR2000v4 HTTP POST RCE Attempt Via Timestamp Discovery"; flow:to_server,established; content:"POST"; http_method; content:"/apply_noauth.cgi"; http_uri; fast_pattern:only; content:"timestamp="; http_client_body; threshold: type both, track by_dst, count 10, seconds 60; reference:url,seclists.org/fulldisclosure/2015/Apr/72; classtype:attempted-admin; sid:2021018; rev:1;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 63|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,weakdh.org; classtype:bad-unknown; sid:2021124; rev:2;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 65|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,weakdh.org; classtype:bad-unknown; sid:2021125; rev:2;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT AirLive RCI HTTP Request"; flow:to_server,established; content:"GET"; http_method; content:"/cgi_test.cgi?write_"; http_uri; fast_pattern:only; pcre:"/\?write_(?:m(?:ac|sn)|hdv|pid|tan)&[^&]*\x3b/Ui"; reference:url,packetstormsecurity.com/files/132585/CORE-2015-0012.txt; classtype:attempted-admin; sid:2021408; rev:1;)

alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M1"; content:"|01 00 00 01 00 01|"; depth:6; offset:2; pcre:"/^.{4}[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021572; rev:3;)

alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M2"; content:"|01 00 00 01|"; depth:4; offset:2; content:"|00 01|"; distance:4; within:2; pcre:"/^[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021573; rev:4;)

alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M3"; content:"|00 00 00 01 00 01|"; depth:6; offset:2; pcre:"/^.{4}[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021574; rev:3;)

alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M4"; content:"|00 00 00 01|"; depth:4; offset:2; content:"|00 01|"; distance:4; within:2; pcre:"/^[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021575; rev:4;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Firefox PDF.js Same-Origin-Bypass CVE-2015-4495 M1"; flow:established,from_server; file_data; content:"|76 69 65 77 2d 73 6f 75 72 63 65 3a|"; nocase; content:"|61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 6f 7a 2d 70 6c 61 79 70 72 65 76 69 65 77 2d 70 64 66 6a 73|"; fast_pattern:15,20; nocase; content:"|73 61 6e 64 62 6f 78 43 6f 6e 74 65 78 74|"; nocase; content:"return "; pcre:"/\We[\s\x22\x27,+]*?v[\s\x22\x27,+]*?a[\s\x22\x27,+]*?l\W/"; reference:cve,2015-4495; classtype:attempted-user; sid:2021601; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Firefox PDF.js Same-Origin-Bypass CVE-2015-4495 M2"; flow:established,from_server; file_data; content:"|77 69 6e 64 6f 77 73 5f 73 65 61 72 63 68 5f 61 6e 64 5f 75 70 6c 6f 61 64 5f 69 6e 5f 61 70 70 5f 64 61 74 61 5f 62 79 5f 64 69 73 6b|"; nocase; content:"|64 71 2e 61 77 61 69 74 41 6c 6c 28 63 61 6c 6c 62 61 63 6b 29|"; nocase; reference:url,nakedsecurity.sophos.com/2015/08/07/firefox-zero-day-hole-used-against-windows-and-linux-to-steal-passwords/; reference:cve,2015-4495; classtype:attempted-user; sid:2021606; rev:1;)

alert tcp any any -> any 8081 (msg:"ET EXPLOIT Websense Content Gateway submit_net_debug.cgi cmd_param Param Buffer Overflow Attempt"; flow:to_server,established; content:"POST"; nocase; content:"/submit_net_debug.cgi"; nocase; content:"cmd_param="; nocase; isdataat:500,relative; content:!"|0A|"; within:500; pcre:"/[\?\&]cmd_param=[^\&\r\n]{500}/si"; reference:cve,2015-5718; reference:url,seclists.org/fulldisclosure/2015/Aug/8; classtype:web-application-attack; sid:2021644; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)"; flow:from_server,established; file_data; content:"|3c 66 6f 72 6d 3e 3c 73 74 79 6c 65 3e 66 6f 72 6d 7b 2d 6d 73 2d 62 65 68 61 76 69 6f 72 3a 75 72 6c 28 22 63 22 29 3b 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 66 6f 72 6d 3e|"; nocase; fast_pattern:13,20; reference:cve,2015-2444; classtype:attempted-user; sid:2021713; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT FireEye Appliance Unauthorized File Disclosure"; flow:established,to_server; content:"/NEI_ModuleDispatch.php"; http_uri; content:"module=NEI_AdvancedConfig"; distance:0; http_uri; content:"&function=HapiGetFileContents"; http_uri; fast_pattern:10,19; distance:0; pcre:"/(?:%2(?:52e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/))|e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))|\.(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))/Ii"; reference:url,www.exploit-db.com/exploits/38090/; classtype:trojan-activity; sid:2021756; rev:4;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - Shell"; flow:established,from_server; file_data; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; content:"/system/bin/sh"; fast_pattern:only; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021757; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - ROP"; flow:established,from_server; file_data; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; content:"|98 2A 00 B0 B3 38 00 B0|"; fast_pattern; content:"|00 10 00 00 07 00 00 00 03 D0 00 D0 04 D0 00 D0 44 11 00 B0|"; distance:4; within:20; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021758; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - STSC"; flow:established,from_server; file_data; content:"stsc|00 00 00 00 C0 00 00 03|"; fast_pattern; content:!"|00 00 00 00|"; within:4; pcre:"/^(?P<addr1>.{4})(?P<addr2>.{4})(?P=addr2)(?P=addr1)/Rsi"; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021759; rev:1;)

alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Java Object Calling Common Collection Function"; flow:to_server,established; content:"rO0ABXNyA"; content:"jb21tb25zLmNvbGxlY3Rpb25z"; fast_pattern; distance:0; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022114; rev:1;)

alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Java Object Calling Common Collection Function"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"commons.collections"; nocase; distance:0; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022115; rev:1;)

alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Java Object Generated by ysoserial"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"java/io/Serializable"; nocase; distance:0; content:"ysoserial/payloads/util/Gadgets"; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022116; rev:1;)

alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Groovy Java Object Generated by ysoserial"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"org.codehaus.groovy.runtime.ConversionHandler"; nocase; distance:0; content:"ysoserial/payloads/util/Gadgets"; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022117; rev:1;)

alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Spring Java Object Generated by ysoserial"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"org.springframework.core.SerializableTypeWrapper"; nocase; distance:0; content:"ysoserial/payloads/util/Gadgets"; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022118; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Joomla RCE (JDatabaseDriverMysqli)"; flow:established,to_server; content:"JDatabaseDriverMysqli"; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]*JDatabaseDriverMysqli/Hmi"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2022261; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Joomla RCE M2 (Serialized PHP in UA)"; flow:established,to_server; content:"O|3a|"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]*\bO\x3a\d+\x3a[^\r\n]*?\{[^\r\n]*?\}/Hmi"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2022263; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Joomla RCE M3 (Serialized PHP in XFF)"; flow:established,to_server; content:"O|3a|"; http_header; fast_pattern:only; pcre:"/^X-Forwarded-For\x3a[^\r\n]*\bO\x3a\d+\x3a[^\r\n]*?\{[^\r\n]*?\}/Hmi"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2022268; rev:1;)

alert tcp any any -> $HOME_NET 23 (msg:"ET EXPLOIT Juniper ScreenOS telnet Backdoor Default Password Attempt"; flow:established,to_server; content:"|3c 3c 3c 20 25 73 28 75 6e 3d 27 25 73 27 29 20 3d 20 25 75|"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:cve,2015-7755; reference:url,community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor; classtype:attempted-admin; sid:2022291; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js HTTP RCE Exploit Inbound (openUrlInDefaultBrowser)"; flow:from_server,established; file_data; content:"XMLHttpRequest"; nocase; content:"|3a|49155/api/openUrlInDefaultBrowser?"; fast_pattern:only; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:2022352; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js HTTP RCE Exploit Inbound (showSB)"; flow:from_server,established; file_data; content:"XMLHttpRequest"; nocase; content:"|3a|49155/api/showSB?url="; fast_pattern:only; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:2022353; rev:1;)

alert tcp any $SSH_PORTS -> any any (msg:"ET EXPLOIT Possible CVE-2016-0777 Server Advertises Suspicious Roaming Support"; flow:established,to_client; content:"|14|"; offset:6; content:"resume@appgate.com"; distance:0; content:!"AppGateSSH_5.2"; reference:cve,2016-0777; reference:url,www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt; classtype:attempted-user; sid:2022369; rev:1;)

alert tcp any any -> any $SSH_PORTS (msg:"ET EXPLOIT Possible CVE-2016-0777 Client Sent Roaming Resume Request"; flow:established,to_server; content:"|14|"; offset:6; content:"roaming@appgate.com"; distance:0; content:!"AppGateSSH_5.2"; reference:cve,2016-0777; reference:url,www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt; classtype:attempted-user; sid:2022370; rev:2;)

alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound"; flow:to_server; content:"|84 00 00|"; byte_test:1,<,8,0,relative; byte_jump:1,0,relative,post_offset -4; content:"|00 00 00|"; within:3; byte_test:1,<,8,0,relative; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022506; rev:2;)

alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound 2"; flow:to_server; content:"|84 20|"; depth:2; offset:16; byte_test:2,<,8,12,relative; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022515; rev:1;)

alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound 3"; flow:to_server; content:"|84 10|"; depth:2; offset:16; byte_test:2,<,8,12,relative; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022516; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT D-Link DCS-930L Remote Command Execution attempt"; flow:to_server,established; urilen:17; content:"POST"; nocase; http_method; content:"/setSystemCommand"; nocase; http_uri; content:"SystemCommand="; nocase; http_client_body; reference:url,www.exploit-db.com/exploits/39437/; classtype:web-application-attack; sid:2022518; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS16-009 IE MSHTML Form Element Type Confusion (CVE-2016-0061)"; flow:from_server,established; file_data; content:"opener"; nocase; fast_pattern; pcre:"/^\s*\[\s*[\x22\x27]\\u[a-f0-9]{4}\\u[a-f0-9]{4}/Rsi"; reference:cve,2016-0061; classtype:attempted-user; sid:2022524; rev:2;)

alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible 2015-7547 Malformed Server response"; flow:from_server; content:"|00 01 00 00 00 00 00 00|"; offset:4; depth:8; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^[^\x00]+\x00\x00\x01/R"; reference:cve,2015-7547; classtype:attempted-user; sid:2022531; rev:1;)

alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible 2015-7547 PoC Server Response"; flow:from_server; content:"|83 80 00 01 00 00 00 00 00 00|"; offset:2; depth:10; isdataat:2049; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; reference:cve,2015-7547; classtype:attempted-user; sid:2022542; rev:1;)

alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Long Response to A lookup"; flow:from_server; content:"|00 01|"; offset:4; depth:2; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^.{6}[^\x00]+/Rs"; content:"|00 00 01 00 01|"; within:5; reference:cve,2015-7547; classtype:attempted-user; sid:2022543; rev:1;)

alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Long Response to AAAA lookup"; flow:from_server; content:"|00 01|"; offset:4; depth:2; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^.{6}[^\x00]+/Rs"; content:"|00 00 1c 00 01|"; within:5; reference:cve,2015-7547; classtype:attempted-user; sid:2022544; rev:1;)

alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Malformed Server Response A/AAAA"; flow:from_server; content:"|00 01 00 00 00 00 00 00|"; offset:4; depth:10; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; reference:cve,2015-7547; classtype:attempted-user; sid:2022545; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET EXPLOIT Possible CVE-2015-7547 A/AAAA Record Lookup Possible Forced FallBack(fb set)"; flow:established,to_server; byte_test:2,<,513,0; byte_test:1,!&,128,4; byte_test:1,!&,64,4; byte_test:1,!&,32,4; byte_test:1,!&,16,4; byte_test:1,!&,8,4; content:"|00 01 00 00 00 00 00 00|"; offset:6; depth:8; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; flowbits:set,ET.CVE20157547.primer; flowbits:noalert; reference:cve,2015-7547; classtype:attempted-user; sid:2022546; rev:1;)

alert tcp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Large Response to A/AAAA query"; flow:established,from_server; flowbits:isset,ET.CVE20157547.primer; byte_test:2,>,2048,0; byte_test:1,&,128,4; byte_test:1,!&,64,4; byte_test:1,!&,32,4; byte_test:1,!&,16,4; byte_test:1,!&,8,4; content:"|00 01|"; offset:6; depth:2; reference:cve,2015-7547; classtype:attempted-user; sid:2022547; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT FireEye Detection Evasion %temp% attempt - Inbound"; flow:to_server,established; content:"%"; http_raw_uri; content:"temp%"; nocase; http_raw_uri; within:7; pcre:"/\%(?:25)?temp\%/Ii"; content:"temp%"; fast_pattern:only; reference:url,labs.bluefrostsecurity.de/advisories/bfs-sa-2016-001/; classtype:misc-attack; sid:2022554; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js (Remote Debugger)"; flow:from_server,established; file_data; content:"/json/new/"; content:"javascript|3a|require"; distance:0; content:"child_process"; fast_pattern; distance:0; content:"spawnSync"; distance:0; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=773; classtype:trojan-activity; sid:2022693; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Quanta LTE Router Information Disclosure Exploit Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/data.ria?CfgType=get_homeCfg&file="; http_uri; fast_pattern; depth:35; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022698; rev:1;)

alert udp $EXTERNAL_NET any -> $HOME_NET 39889 (msg:"ET EXPLOIT Quanta LTE Router UDP Backdoor Activation Attempt"; flow:to_server; content:"HELODBG"; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022699; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Quanta LTE Router RDE Exploit Attempt 1 (ping)"; flow:to_server,established; content:"POST"; http_method; content:"/webpost.cgi"; http_uri; content:"|7b 22 43 66 67 54 79 70 65 22 3a 22 70 69 6e 67 22 2c 22 63 6d 64 22 3a 22 70 69 6e 67 22 2c 22 75 72 6c 22 3a 22|"; fast_pattern; pcre:"/^[^\x22]*[\x24\x60]+/Ri"; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022700; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Quanta LTE Router RDE Exploit Attempt 2 (traceroute)"; flow:to_server,established; content:"POST"; http_method; content:"/webpost.cgi"; http_uri; content:"|7b 22 43 66 67 54 79 70 65 22 3a 22 74 72 61 63 65 72 74 22 2c 22 63 6d 64 22 3a 22 74 72 61 63 65 72 74 22 2c 22 75 72 6c 22 3a 22|"; fast_pattern; pcre:"/^[^\x22]*[\x24\x60]+/Ri"; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022701; rev:1;)

alert tcp any any -> any 6129 (msg:"ET EXPLOIT Dameware DMRC Buffer Overflow Attempt (CVE-2016-2345)"; flow:established,to_server; content:"|44 9c 00 00|"; depth:4; content:"|90 90 90 90 90 90 90 90|"; distance:0; content:"|eb 06 ff ff 61 11 40 00 90 90 90 e9 6b fa ff ff|"; distance:0; reference:cve,2016-2345; reference:url,www.securifera.com/blog/2016/04/03/fun-with-remote-controllers-dameware-mini-remote-control-cve-2016-2345; classtype:attempted-admin; sid:2022712; rev:1;)

alert tcp any any -> $HOME_NET 8080 (msg:"ET EXPLOIT Linksys Router Unauthenticated Remote Code Execution"; flow:to_server,established; content:"POST"; http_method; content:".cgi"; http_uri; nocase; content:"%74%74%63%70%5f%69%70%3d%2d%68%20%60"; http_client_body; fast_pattern:only; content:"Authorization|3a| Basic"; http_header; reference:url,sans.org/reading-room/whitepapers/malicious/analyzing-backdoor-bot-mips-platform-35902; classtype:attempted-user; sid:2022758; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct M2"; flow:established,from_server; file_data; content:"redim"; nocase; fast_pattern:only; content:"Preserve"; nocase; content:"VBScript"; nocase; content:"chrw"; content:"32767"; distance:0; content:"chrw"; content:"2176"; distance:0; classtype:attempted-admin; sid:2022797; rev:1;)

alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT CVE-2016-1287 Public Exploit ShellCode"; content:"|60 c7 02 90 67 b9 09 8b 45 f8 8b 40 5c 8b 40 04 8b 40 08 8b 40 04 8b 00 85 c0 74 3b 50 8b 40 08 8b 40 04 8d 98 d8 00 00 00 58 81 3b d0 d4 00 e1 75 e4 83 7b 04 31 74 de 89 d8 2d 00 01 00 00 c7 40 04 03 01 00 00 c7 40 0c d0 00 00 00 c7 80 f8|"; reference:url,github.com/exodusintel/disclosures/blob/master/CVE_2016_1287_PoC; classtype:attempted-admin; sid:2022820; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2209 Symantec PowerPoint Parsing Buffer Overflow M1"; flow:established,from_server; file_data; content:"|C8 6A CD E5 F1 2C B0 16 E6 F2 36 7B 41 2E 7F 4B C4 27 13 CF F3 1F FF 2B A8 2B 3A FE 09 77 BE CE 29 00 00 BA 0F 91 03 00 00|"; content:!"|00 00|"; distance:503; within:2; content:"|00 00 BA 0F 16 01 00 00|"; distance:913; within:8; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:2022923; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2209 Symantec PowerPoint Parsing Buffer Overflow M2"; flow:established,from_server; file_data; content:"|C8 6A CD E5 F1 2C B0 16 E6 F2 36 7B 41 2E 7F 4B C4 27 13 CF F3 1F FF 2B A8 2B 3A FE 09 77 BE CE 29 00 00 BA 0F A9 03 00 00|"; content:!"|00 00|"; distance:50; within:2; content:"|00 00 BA 0F 2E 01 00 00|"; distance:937; within:8; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:2022924; rev:1;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow"; flow:established,from_server; file_data; content:"|4d 53 43 46|"; depth:4; byte_jump:4,8,little; isdataat:1; reference:cve,2016-2211; reference:cve,CVE-2014-9732; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:2022930; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M2"; flow:established,to_client; file_data; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022932; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M1"; flow:established,to_client; file_data; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022933; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toserver M3"; flow:established,to_server;  content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022935; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M4"; flow:established,to_client;  content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022936; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M3"; flow:established,to_client;  content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022937; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toserver M4"; flow:established,to_server;  content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022938; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Common Construct M1"; flow:established,from_server; file_data; content:"%u0008%u4141%u4141%u4141"; nocase; content:"redim"; nocase; content:"Preserve"; content:"2000"; distance:0; pcre:"/^\s*?\x29/Rs";  content:"%u400C%u0000%u0000%u0000"; nocase; reference:url,theori.io/research/cve-2016-0189; reference:cve,2016-0189; classtype:attempted-user; sid:2022971; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Common Construct M2"; flow:established,from_server; file_data; content:"triggerBug"; nocase; content:"Dim "; nocase; distance:0; content:".resize"; nocase; pcre:"/^\s*\x28/Rs";  content:"Mid"; pcre:"/^\s*?\(x\s*,\s*1,\s*24000\s*\x29/Rs"; reference:url,theori.io/research/cve-2016-0189; reference:cve,2016-0189; classtype:attempted-user; sid:2022972; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT LastPass RCE Attempt"; flow:from_server,established; file_data; content:"getBoundingClientRect"; nocase; content:"MouseEvent"; fast_pattern:only; content:"dispatchEvent"; nocase; pcre:"/^\s*\x28\s*new\s*MouseEvent\s*\x28\s*[\x22\x27]\s*click/Rsi"; content:"addEventListener"; nocase; pcre:"/^\s*\x28\s*[\x22\x27]\s*message/Rsi"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=884; classtype:trojan-activity; sid:2022989; rev:1;)

#alert ip any any -> any any (msg:"GPL EXPLOIT EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102464; rev:8;)

#alert ip any any -> any any (msg:"GPL EXPLOIT IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102462; rev:8;)

#alert ip any any -> any any (msg:"GPL EXPLOIT IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102463; rev:8;)

#alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"GPL EXPLOIT SSH server banner overflow"; flow:established,from_server; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s[^\n]{200}/ism"; reference:bugtraq,5287; reference:cve,2002-1059; classtype:misc-attack; sid:2101838; rev:9;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL EXPLOIT ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101327; rev:8;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"GPL EXPLOIT CVS non-relative path access attempt"; flow:to_server,established; content:"Argument "; content:"Directory"; distance:0; pcre:"/^Argument\s+\//smi"; pcre:"/^Directory/smiR"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2102318; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL EXPLOIT ttdbserv Solaris overflow"; dsize:>999; flow:to_server,established; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; fast_pattern:only; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:2100571; rev:10;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL EXPLOIT EXPLOIT ttdbserv solaris overflow"; dsize:>999; flow:to_server,established; content:"|C0 22|?|FC A2 02| |09 C0|,|7F FF E2 22|?|F4|"; fast_pattern:only; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:2100570; rev:12;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"GPL EXPLOIT cachefsd buffer overflow attempt"; flow:to_server,established; dsize:>720; content:"|00 01 87 86 00 00 00 01 00 00 00 05|"; reference:bugtraq,4631; reference:cve,2002-0084; reference:nessus,10951; classtype:misc-attack; sid:2101751; rev:8;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"GPL EXPLOIT WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:2103199; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"GPL EXPLOIT AIX pdnsd overflow"; flow:to_server,established; dsize:>1000; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:2101261; rev:12;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"GPL EXPLOIT rexec username overflow attempt"; flow:to_server,established; content:"|00|"; offset:9; content:"|00|"; distance:0; content:"|00|"; distance:0; classtype:attempted-admin; sid:2102113; rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL EXPLOIT rsh froot"; flow:to_server,established; content:"-froot|00|"; fast_pattern:only; reference:arachnids,387; classtype:attempted-admin; sid:2100604; rev:7;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL EXPLOIT rsh bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,390; classtype:attempted-user; sid:2100607; rev:6;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"GPL EXPLOIT LPD dvips remote command execution attempt"; flow:to_server,established; content:"psfile=|22 60|"; reference:bugtraq,3241; reference:cve,2001-1002; reference:nessus,11023; classtype:system-call-detect; sid:2101821; rev:9;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"GPL EXPLOIT Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:2100302; rev:10;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"GPL EXPLOIT CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; reference:bugtraq,3517; reference:cve,2001-0803; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:2101398; rev:11;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"GPL EXPLOIT Arkeia client backup system info probe"; flow:established,to_server; content:"ARKADMIN_GET_"; nocase; pcre:"/^(CLIENT|MACHINE)_INFO/Ri"; reference:bugtraq,12594; classtype:attempted-recon; sid:2103453; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"GPL EXPLOIT xfs overflow attempt"; flow:to_server,established; dsize:>512; content:"B|00 02|"; depth:3; reference:bugtraq,6241; reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity; sid:2101987; rev:8;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"GPL EXPLOIT kadmind buffer overflow attempt 2"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101898; rev:9;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"GPL EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101894; rev:9;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"GPL EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101896; rev:9;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"GPL EXPLOIT kadmind buffer overflow attempt 3"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101899; rev:9;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"GPL EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101895; rev:9;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"GPL EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101897; rev:9;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache COPY overflow attempt"; flow:to_server,established; content:"COPY"; pcre:"/^COPY[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102559; rev:5;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache DELETE overflow attempt"; flow:to_server,established; content:"DELETE"; nocase; isdataat:432,relative; pcre:"/^DELETE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102556; rev:6;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache HEAD overflow attempt"; flow:to_server,established; content:"HEAD"; pcre:"/^HEAD[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102552; rev:5;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache LOCK overflow attempt"; flow:to_server,established; content:"LOCK"; pcre:"/^LOCK[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102557; rev:5;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache MKCOL overflow attempt"; flow:to_server,established; content:"MKCOL"; pcre:"/^MKCOL[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102558; rev:5;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache MOVE overflow attempt"; flow:to_server,established; content:"MOVE"; pcre:"/^MOVE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102560; rev:5;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache POST overflow attempt"; flow:to_server,established; content:"POST"; pcre:"/^POST[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102554; rev:5;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache PUT overflow attempt"; flow:to_server,established; content:"PUT"; pcre:"/^PUT[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102553; rev:5;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache TRACE overflow attempt"; flow:to_server,established; content:"TRACE"; pcre:"/^TRACE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102555; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"GPL EXPLOIT rsyncd module list access"; flow:to_server,established; content:"|23|list"; depth:5; classtype:misc-activity; sid:2102047; rev:3;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL EXPLOIT EXPLOIT statdx"; flow:to_server,established; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:2100600; rev:8;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT echo command attempt"; flow:to_server,established; content:"/bin/echo"; fast_pattern:only; nocase; classtype:web-application-attack; sid:2101334; rev:7;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT tftp command attempt"; flow:to_server,established; content:"tftp%20"; fast_pattern:only; nocase; classtype:web-application-attack; sid:2101340; rev:7;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT formmail access"; flow:to_server,established; content:"/formmail"; nocase; http_uri; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-activity; sid:2100884; rev:16;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT formmail arbitrary command execution attempt"; flow:to_server,established; content:"/formmail"; nocase; http_uri; content:"%0a"; nocase; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-attack; sid:2101610; rev:13;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT php.cgi access"; flow:to_server,established; content:"/php.cgi"; nocase; http_uri; reference:arachnids,232; reference:bugtraq,2250; reference:bugtraq,712; reference:cve,1999-0238; reference:cve,1999-058; reference:nessus,10178; classtype:attempted-recon; sid:2100824; rev:15;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT administrators.pwd access"; flow:to_server,established; content:"/administrators.pwd"; nocase; http_uri; reference:bugtraq,1205; classtype:web-application-activity; sid:2100953; rev:9;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT .cmd executable file parsing attack"; flow:established,to_server; content:".cmd|22|"; nocase; http_uri; pcre:"/\.cmd\x22.*?\x26/Ui"; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:2103193; rev:6;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT .cnf access"; flow:to_server,established; content:".cnf"; nocase; http_uri; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:2100977; rev:13;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT .htr access"; flow:to_server,established; content:".htr"; nocase; http_uri; reference:bugtraq,1488; reference:cve,2000-0630; reference:nessus,10680; classtype:web-application-activity; sid:2100987; rev:16;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT /iisadmpwd/aexp2.htr access"; flow:to_server,established; content:"/iisadmpwd/aexp2.htr"; http_uri; reference:bugtraq,2110; reference:bugtraq,4236; reference:cve,1999-0407; reference:cve,2002-0421; reference:nessus,10371; classtype:web-application-activity; sid:2101487; rev:12;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT /msadc/samples/ access"; flow:to_server,established; content:"/msadc/samples/"; http_uri; nocase; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,1007; classtype:web-application-attack; sid:2101401; rev:10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT Alternate Data streams ASP file access attempt"; flow:to_server,established; content:".asp|3A 3A 24|DATA"; nocase; http_uri; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q188806; classtype:web-application-attack; sid:2100975; rev:14;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT CodeRed v2 root.exe access"; flow:to_server,established; content:"/root.exe"; nocase; http_uri; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:2101256; rev:10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT ISAPI .ida access"; flow:to_server,established; content:".ida"; nocase; http_uri; pcre:"/\.ida$/iU"; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:2101242; rev:13;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT ISAPI .ida attempt"; flow:to_server,established; content:".ida?"; nocase; http_uri; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-attack; sid:2101243; rev:13;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT ISAPI .idq access"; flow:to_server,established; content:".idq"; nocase; http_uri; reference:arachnids,553; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:2101245; rev:12;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT ISAPI .idq attempt"; flow:to_server,established; content:".idq?"; nocase; http_uri; reference:arachnids,553; reference:bugtraq,1065; reference:bugtraq,968; reference:cve,2000-0071; reference:cve,2000-0126; reference:nessus,10115; classtype:web-application-attack; sid:2101244; rev:16;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT NTLM ASN.1 vulnerability scan attempt"; flow:to_server,established; content:"Authorization|3A| Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; http_header; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:attempted-dos; sid:2102386; rev:11;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|";  fast_pattern:32,4; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; distance:1; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2102090; rev:12;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT cmd32.exe access"; flow:to_server,established; content:"cmd32.exe"; nocase; classtype:web-application-attack; sid:2101661; rev:5;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT cmd? access"; flow:to_server,established; content:".cmd?&"; nocase; http_uri; classtype:web-application-attack; sid:2101003; rev:10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT fpcount access"; flow:to_server,established; content:"/fpcount.exe"; nocase; http_uri; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-activity; sid:2101013; rev:11;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT iisadmpwd attempt"; flow:to_server,established; content:"/iisadmpwd/aexp"; nocase; http_uri; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-attack; sid:2101018; rev:12;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT iissamples access"; flow:to_server,established; content:"/iissamples/"; nocase; http_uri; reference:nessus,11032; classtype:web-application-attack; sid:2101402; rev:8;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT site/iisamples access"; flow:to_server,established; content:"/site/iisamples"; nocase; http_uri; reference:nessus,10370; classtype:web-application-activity; sid:2101046; rev:10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c0%af../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100981; rev:14;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%1c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100982; rev:12;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%9c../"; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100983; rev:15;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT Tomcat server exploit access"; flow:to_server,established; content:"/contextAdmin/contextAdmin.html"; nocase; http_uri; reference:bugtraq,1548; reference:cve,2000-0672; reference:nessus,10477; classtype:attempted-recon; sid:2101111; rev:12;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT apache chunked encoding memory corruption exploit attempt"; flow:established,to_server; content:"|C0|PR|89 E1|PQRP|B8 3B 00 00 00 CD 80|"; reference:bugtraq,5033; reference:cve,2002-0392; classtype:web-application-activity; sid:2101808; rev:7;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT xp_filelist attempt"; flow:to_server,established; content:"xp_filelist"; nocase; classtype:web-application-attack; sid:2101059; rev:7;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT sp_adduser database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:2100679; rev:7;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:2100676; rev:7;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; offset:32; nocase; reference:bugtraq,1204; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:2100695; rev:10;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL EXPLOIT xp_cmdshell - program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2100687; rev:6;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 445 (msg:"GPL EXPLOIT xp_cmdshell program execution 445"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2101759; rev:6;)

alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"GPL EXPLOIT login buffer non-evasive overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|"; rawbytes; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/RBi"; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:2103274; rev:4;)

alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"GPL EXPLOIT Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows "; content:"Copyright |28|c|29| 20"; distance:0; content:"Microsoft Corp"; distance:0; reference:nessus,11633; classtype:successful-admin; sid:2102123; rev:7;)

alert tcp $HOME_NET 749 -> $EXTERNAL_NET any (msg:"GPL EXPLOIT successful kadmind buffer overflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:2101900; rev:11;)

alert tcp $HOME_NET 751 -> $EXTERNAL_NET any (msg:"GPL EXPLOIT successful kadmind buffer overflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:2101901; rev:11;)

alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL EXPLOIT portmap proxy integer overflow attempt UDP"; content:"|00 01 86 A0 00|"; depth:5; offset:12; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2102092; rev:6;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"GPL EXPLOIT ntpdx overflow attempt"; dsize:>128; reference:bugtraq,2540; reference:cve,2001-0414; classtype:attempted-admin; sid:2100312; rev:7;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP invalid identification payload attempt"; content:"|05|"; depth:1; offset:16; byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2102486; rev:6;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP delete hash with empty hash attempt"; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102413; rev:11;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102380; rev:5;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP first payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102376; rev:4;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP forth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102379; rev:7;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102414; rev:10;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP second payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102377; rev:4;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:28; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102415; rev:10;)

alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"GPL EXPLOIT x86 Linux mountd overflow"; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:2100315; rev:7;)

alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL EXPLOIT bootp x86 linux overflow"; content:"A90|C0 A8 01 01|/bin/sh|00|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:2100319; rev:6;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL EXPLOIT bootp hostname format string attempt"; content:"|01|"; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; within:8; distance:1; content:"%"; within:8; distance:1; reference:bugtraq,4701; reference:cve,2002-0702; reference:nessus,11312; classtype:misc-attack; sid:2102039; rev:7;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:"GPL EXPLOIT WEB-MISC JBoss RMI class download service directory listing attempt"; flow:to_server,established; content:"GET %. HTTP/1."; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2; classtype:web-application-attack; sid:2103461; rev:1;)

--__X_PAW_BOUNDARY__
Content-Disposition: form-data; name="source"

Sample Source
--__X_PAW_BOUNDARY__
Content-Disposition: form-data; name="status_id"

2
--__X_PAW_BOUNDARY__
Content-Disposition: form-data; name="attributes[0][name]"

Attribute 1 Name
--__X_PAW_BOUNDARY__
Content-Disposition: form-data; name="attributes[0][value]"

Attribute 1 Value
--__X_PAW_BOUNDARY__
Content-Disposition: form-data; name="attributes[1][name]"

Attribute 2 Name
--__X_PAW_BOUNDARY__
Content-Disposition: form-data; name="attributes[1][value]"

Attribute 2 Value
--__X_PAW_BOUNDARY__
Content-Disposition: form-data; name="resumableChunkNumber"

1
--__X_PAW_BOUNDARY__
Content-Disposition: form-data; name="resumableChunkSize"

1048576
--__X_PAW_BOUNDARY__
Content-Disposition: form-data; name="resumableCurrentChunkSize"

200011
--__X_PAW_BOUNDARY__
Content-Disposition: form-data; name="resumableTotalSize"

200011
--__X_PAW_BOUNDARY__
Content-Disposition: form-data; name="resumableType"

--__X_PAW_BOUNDARY__
Content-Disposition: form-data; name="resumableIdentifier"

200011-emerging-exploitrules
--__X_PAW_BOUNDARY__
Content-Disposition: form-data; name="resumableFilename"

emerging-exploit.rules
--__X_PAW_BOUNDARY__
Content-Disposition: form-data; name="resumableRelativePath"

emerging-exploit.rules
--__X_PAW_BOUNDARY__
Content-Disposition: form-data; name="resumableTotalChunks"

1
--__X_PAW_BOUNDARY__--
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 371,
  "threshold": "1000",
  "data": [
    {
      "attributes": [
        {
          "name": "flow",
          "value": "to_server,established"
        },
        {
          "name": "content",
          "value": "|464F3A20596F75206861766520737563|"
        }
      ],
      "name": "ET EXPLOIT Arkeia full remote access without password or authentication (2001742:9)",
      "value": "alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:\"ET EXPLOIT Arkeia full remote access without password or authentication\"; flow:to_server,established; content:\"|464F3A20596F75206861766520737563|\"; content:\"|6520636C69656E7420696E666F726D61|\"; reference:url,metasploit.com\/research\/vulns\/arkeia_agent; reference:url,doc.emergingthreats.net\/bin\/view\/Main\/2001742; classtype:attempted-admin; sid:2001742; rev:9;)",
      "type_id": 1,
      "hash": "737309fe355ef23e1c03a5e98bc364b5",
      "id": "1",
      "exists": true
    },
    {
      "attributes": [
        {
          "name": "content",
          "value": "|44 53 52 65 71 75 65 73 74|"
        },
        {
          "name": "pcre",
          "value": "\/[0-9a-zA-Z]{50}\/R"
        }
      ],
      "name": "ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow (2007937:4)",
      "value": "alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:\"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow\"; content:\"|44 53 52 65 71 75 65 73 74|\"; pcre:\"\/[0-9a-zA-Z]{50}\/R\"; reference:bugtraq,28084; reference:url,aluigi.altervista.org\/adv\/visibroken-adv.txt; reference:url,doc.emergingthreats.net\/bin\/view\/Main\/2007937; classtype:successful-dos; sid:2007937; rev:4;)",
      "type_id": 1,
      "hash": "8cf2e60aeb0b7ed9874f2ed379b3f42d",
      "id": "2",
      "exists": true
    },
    {
      "attributes": [
        {
          "name": "content",
          "value": "|00 00 00 00|"
        },
        {
          "name": "offset",
          "value": "4"
        }
      ],
      "name": "ET EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS (2003370:3)",
      "value": "alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:\"ET EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS\"; content:\"|00 00 00 00|\"; offset:4; depth:4; content:\"|00 00 00 03|\"; distance:8; within:4; content:\"|00 00 00 08|\"; distance:0; within:4; content:\"|00 00 00 00|\"; distance:0; within:4; content:\"|00 00 00 00|\"; distance:4; within:4; content:\"|00 00 00 00 00 00 00 00|\"; distance:8; within:32; reference:url,www.milw0rm.com\/exploits\/3248; reference:url,doc.emergingthreats.net\/bin\/view\/Main\/2003370; classtype:attempted-dos; sid:2003370; rev:3;)",
      "type_id": 1,
      "hash": "4f32170b15e4fb6be58e54e7b6ba0a9f",
      "id": "3",
      "exists": true
    },
    ...
  ]
}
Response  401

Access denied.

Signature Watchlist Bulk

Get List
GET /signatures/watchlist

Get all Signatures in a user’s Watchlist. Only users with administrator privileges can see Watchlists for all users.

Example URI

GET /signatures/watchlist
Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 3,
  "data": [
    {
      "id": 1,
      "user_id": 1,
      "object_type": "signature",
      "object_id": 1,
      "created_at": "2017-04-23 22:10:17",
      "updated_at": "2017-04-23 22:10:17",
      "signature": {
        "id": 1,
        "name": "ET EXPLOIT Arkeia full remote access without password or authentication (2001742:9)",
        "description": "",
        "hash": "737309fe355ef23e1c03a5e98bc364b5",
        "value": "alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:\"ET EXPLOIT Arkeia full remote access without password or authentication\"; flow:to_server,established; content:\"|464F3A20596F75206861766520737563|\"; content:\"|6520636C69656E7420696E666F726D61|\"; reference:url,metasploit.com/research/vulns/arkeia_agent; reference:url,doc.emergingthreats.net/bin/view/Main/2001742; classtype:attempted-admin; sid:2001742; rev:9;)",
        "status_id": 5,
        "type_id": 1,
        "last_detected_at": null,
        "created_at": "2017-04-22 00:11:18",
        "updated_at": "2017-04-22 00:11:18",
        "touched_at": "2017-04-23 21:26:16"
      }
    },
    {
      "id": 2,
      "user_id": 1,
      "object_type": "signature",
      "object_id": 2,
      "created_at": "2017-04-23 22:15:46",
      "updated_at": "2017-04-23 22:15:46",
      "signature": {
        "id": 2,
        "name": "ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow (2007937:4)",
        "description": "",
        "hash": "8cf2e60aeb0b7ed9874f2ed379b3f42d",
        "value": "alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:\"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow\"; content:\"|44 53 52 65 71 75 65 73 74|\"; pcre:\"/[0-9a-zA-Z]{50}/R\"; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; classtype:successful-dos; sid:2007937; rev:4;)",
        "status_id": 4,
        "type_id": 1,
        "last_detected_at": null,
        "created_at": "2017-04-22 00:11:18",
        "updated_at": "2017-04-22 00:11:18",
        "touched_at": "2017-04-22 00:11:18"
      }
    },
    {
      "id": 3,
      "user_id": 1,
      "object_type": "signature",
      "object_id": 3,
      "created_at": "2017-04-23 22:15:50",
      "updated_at": "2017-04-23 22:15:50",
      "signature": {
        "id": 3,
        "name": "ET EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS (2003370:3)",
        "description": "",
        "hash": "4f32170b15e4fb6be58e54e7b6ba0a9f",
        "value": "alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:\"ET EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS\"; content:\"|00 00 00 00|\"; offset:4; depth:4; content:\"|00 00 00 03|\"; distance:8; within:4; content:\"|00 00 00 08|\"; distance:0; within:4; content:\"|00 00 00 00|\"; distance:0; within:4; content:\"|00 00 00 00|\"; distance:4; within:4; content:\"|00 00 00 00 00 00 00 00|\"; distance:8; within:32; reference:url,www.milw0rm.com/exploits/3248; reference:url,doc.emergingthreats.net/bin/view/Main/2003370; classtype:attempted-dos; sid:2003370; rev:3;)",
        "status_id": 5,
        "type_id": 1,
        "last_detected_at": null,
        "created_at": "2017-04-22 00:11:18",
        "updated_at": "2017-04-22 00:11:18",
        "touched_at": "2017-04-22 00:11:18"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /signatures/watchlist

Bulk add Signatures to the user’s Watchlist.

Example URI

POST /signatures/watchlist
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "object_ids": [
    5,
    6,
    7
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "object_type": "signature",
      "user_id": 1,
      "object_id": "5",
      "updated_at": "2017-04-23 22:16:56",
      "created_at": "2017-04-23 22:16:56",
      "id": 4
    },
    {
      "object_type": "signature",
      "user_id": 1,
      "object_id": "6",
      "updated_at": "2017-04-23 22:16:56",
      "created_at": "2017-04-23 22:16:56",
      "id": 5
    },
    {
      "object_type": "signature",
      "user_id": 1,
      "object_id": "7",
      "updated_at": "2017-04-23 22:16:56",
      "created_at": "2017-04-23 22:16:56",
      "id": 6
    }
  ]
}
Response  401

Access denied.
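
The two watchlist calls above can be combined so that only Signatures not already watched are submitted. The following is an added example, not ThreatQ code: the function names and the host threatq.example are hypothetical, and the sample responses are constructed from the shapes shown above. Note that object_id is an integer in the GET response and a string in the 201 body, so both are normalized before comparison.

```python
import json
import urllib.request

# Constructed sample responses, trimmed from the shapes shown in this reference.
SAMPLE_WATCHLIST = {
    "total": 3,
    "data": [
        {"id": 1, "user_id": 1, "object_type": "signature", "object_id": 1},
        {"id": 2, "user_id": 1, "object_type": "signature", "object_id": 2},
        {"id": 3, "user_id": 1, "object_type": "signature", "object_id": 3},
    ],
}
SAMPLE_CREATED = {
    "data": [
        {"object_type": "signature", "user_id": 1, "object_id": "5", "id": 4},
        {"object_type": "signature", "user_id": 1, "object_id": "6", "id": 5},
        {"object_type": "signature", "user_id": 1, "object_id": "7", "id": 6},
    ]
}


def watched_ids(watchlist_response, user_id=None):
    """Return the Signature IDs on the watchlist as a set of ints.

    Administrators can see watchlists for all users (per the endpoint
    description), so pass user_id when only one user's entries matter.
    """
    ids = set()
    for entry in watchlist_response.get("data", []):
        if entry.get("object_type") != "signature":
            continue
        if user_id is not None and entry.get("user_id") != user_id:
            continue
        ids.add(int(entry["object_id"]))  # int in GET, str in the 201 body
    return ids


def build_bulk_add(base_uri, access_token, wanted, already_watched):
    """Build (but do not send) POST /signatures/watchlist for missing IDs.

    Returns None when every wanted ID is already on the watchlist.
    """
    missing = sorted(set(wanted) - set(already_watched))
    if not missing:
        return None
    body = json.dumps({"object_ids": missing}).encode("utf-8")
    return urllib.request.Request(
        base_uri.rstrip("/") + "/signatures/watchlist",
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Authorization": "Bearer " + access_token,
        },
    )


def unconfirmed(sent_ids, created_response):
    """Return IDs that were sent but are absent from the 201 response body."""
    confirmed = {int(e["object_id"]) for e in created_response.get("data", [])}
    return sorted(set(sent_ids) - confirmed)
```

Pass the returned Request to urllib.request.urlopen to send it; a non-empty result from unconfirmed means part of the bulk add needs to be retried or investigated.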

Signature

Get Single
GET /signatures/{signature_id}{?with}

Get a single Signature.

Example URI

GET /signatures/1?with=adversaries,attachments
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

with
string (optional) Example: adversaries,attachments

A comma-separated list of related objects to include in the response. Options for this endpoint: adversaries, attachments, attributes, comments, events, indicators, signatures, sources, status, tag, type, watchlist.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "name": "ET EXPLOIT Arkeia full remote access without password or authentication (2001742:9)",
    "description": "",
    "hash": "737309fe355ef23e1c03a5e98bc364b5",
    "value": "alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:\"ET EXPLOIT Arkeia full remote access without password or authentication\"; flow:to_server,established; content:\"|464F3A20596F75206861766520737563|\"; content:\"|6520636C69656E7420696E666F726D61|\"; reference:url,metasploit.com/research/vulns/arkeia_agent; reference:url,doc.emergingthreats.net/bin/view/Main/2001742; classtype:attempted-admin; sid:2001742; rev:9;)",
    "status_id": 5,
    "type_id": 1,
    "last_detected_at": null,
    "created_at": "2017-04-22 00:11:18",
    "updated_at": "2017-04-22 00:11:18",
    "touched_at": "2017-04-22 00:11:18"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /signatures/{signature_id}{?with}

Update a Signature.

Example URI

PUT /signatures/1?with=adversaries,attachments
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

with
string (optional) Example: adversaries,attachments

A comma-separated list of related objects to include in the response. Options for this endpoint: adversaries, attachments, attributes, comments, events, indicators, signatures, sources, status, tag, type, watchlist.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "GPL EXPLOIT WEB-MISC (Updated) JBoss RMI class download service directory listing attempt (2103461:1)",
  "value": "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:\"GPL EXPLOIT WEB-MISC JBoss RMI class download service directory listing attempt\"; flow:to_server,established; content:\"GET %. HTTP/1.\"; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2; classtype:web-application-attack; sid:2103461; rev:1;)",
  "description": "An updated description of the Signature.",
  "status_id": 1,
  "sources": [
    {
      "name": "Another Source",
      "tlp": {
        "name": "GREEN"
      },
      "published_at": "2016-07-18 02:00:00"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 513,
    "name": "GPL EXPLOIT WEB-MISC (Updated) JBoss RMI class download service directory listing attempt (2103461:1)",
    "description": "An updated description of the Signature.",
    "hash": "8be22ff371a691228056c9a66aeb8ac4",
    "value": "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:\"GPL EXPLOIT WEB-MISC JBoss RMI class download service directory listing attempt\"; flow:to_server,established; content:\"GET %. HTTP/1.\"; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2; classtype:web-application-attack; sid:2103461; rev:1;)",
    "status_id": 1,
    "type_id": 1,
    "last_detected_at": null,
    "created_at": "2017-04-22 00:24:46",
    "updated_at": "2017-04-22 00:31:32",
    "touched_at": "2017-04-22 00:24:46",
    "sources": [
      {
        "type": "other_sources",
        "name": "Another Source",
        "tlp": {
          "name": "RED"
        },
        "updated_at": "2017-04-22 00:31:32",
        "created_at": "2017-04-22 00:31:32",
        "id": 11
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /signatures/{signature_id}

Delete a Signature.

Example URI

DELETE /signatures/1
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Signature Adversaries List

Get List
GET /signatures/{signature_id}/adversaries{?limit,offset,sort,with}

Get a list of Signature Adversary links.

Example URI

GET /signatures/1/adversaries?limit=500&offset=100&sort=id&with=sources,pivot.attributes
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 2,
      "name": "AMOROUS PANDA",
      "created_at": "2018-03-24 03:49:31",
      "updated_at": "2018-03-24 03:49:31",
      "touched_at": "2018-04-02 16:16:38",
      "deleted_at": null,
      "sources": [
        {
          "name": "Customer Observer"
        }
      ],
      "pivot": {
        "id": 62324,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "adversary",
        "dest_object_id": 2,
        "created_at": "2018-04-02 16:16:38",
        "updated_at": "2018-04-02 16:16:38",
        "comments": [
          {
            "id": 54,
            "type": "users",
            "value": "This link is important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-02 16:19:51.184000",
            "updated_at": "2018-04-02 16:23:40.426000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 15066,
            "name": "Industry",
            "value": "Hospitals",
            "sources": [
              {
                "id": 2,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "2018-04-02 16:17:00.689000",
                  "updated_at": "2018-04-02 16:17:00.689000"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24424,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-02 16:16:38.663000",
              "updated_at": "2018-04-02 16:16:38.663000"
            }
          }
        ]
      }
    },
    {
      "id": 3,
      "name": "ANCHOR PANDA",
      "created_at": "2018-01-08 23:05:37",
      "updated_at": "2018-01-08 23:05:37",
      "touched_at": "2018-04-02 16:17:00",
      "deleted_at": null,
      "sources": [
        {
          "name": "ThreatQ Front End"
        },
        {
          "name": "Domain Tools"
        }
      ],
      "pivot": {
        "id": 62325,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "adversary",
        "dest_object_id": 3,
        "created_at": "2018-04-02 16:17:00",
        "updated_at": "2018-04-02 16:17:00",
        "comments": [
          {
            "id": 56,
            "type": "users",
            "value": "This link is also important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-02 16:20:25.327000",
            "updated_at": "2018-04-02 16:20:25.327000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 15065,
            "name": "Industry",
            "value": "Universities",
            "sources": [
              {
                "id": 1,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "2018-04-02 16:17:00.689000",
                  "updated_at": "2018-04-02 16:17:00.689000"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24426,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-02 16:17:00.689000",
              "updated_at": "2018-04-02 16:17:00.689000"
            }
          }
        ]
      }
    }
  ],
  "limit": 100,
  "offset": 0
}
Response  401

Access denied.
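
A paging client for the Get List endpoint above, as an added example that is not part of the ThreatQ reference or ThreatQuotient's own code. It assumes that total counts all matching records rather than one page, and that send is a caller-supplied transport (hypothetical) that adds the Authorization: Bearer header and returns (status, body); the adversary records in demo() are constructed.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# "with" options this reference lists for GET /signatures/{signature_id}/adversaries.
ADVERSARY_LINK_WITH = frozenset({
    "pivot.comments", "pivot.comments.sources", "pivot.attributes",
    "pivot.attributes.attribute", "pivot.attributes.sources",
    "pivot.sources", "sources",
})


def build_list_path(signature_id, limit, offset, sort=None, with_=None):
    """Build the path (relative to https://hostname/api) for one page of links."""
    if type(signature_id) is not int or signature_id < 1:
        raise ValueError("signature_id must be a positive integer")
    if limit < 1 or offset < 0:
        raise ValueError("limit must be >= 1 and offset >= 0")
    params = [("limit", limit), ("offset", offset)]
    if sort:
        params.append(("sort", ",".join(sort)))
    if with_:
        # Reject relations the endpoint does not document instead of sending them.
        unknown = sorted(set(with_) - ADVERSARY_LINK_WITH)
        if unknown:
            raise ValueError(f"unsupported 'with' option(s): {unknown}")
        params.append(("with", ",".join(with_)))
    # Keep commas literal so the query matches the reference's example URIs.
    return f"/signatures/{signature_id}/adversaries?" + urlencode(params, safe=",")


def iter_adversary_links(send, signature_id, page_size=100, with_=None, max_pages=1000):
    """Yield every adversary linked to the signature, one page at a time.

    send(method, path) is the caller's transport (hypothetical); it returns
    (status_code, body_text). Sorting by id keeps the page boundaries stable.
    """
    offset = 0
    for _ in range(max_pages):
        path = build_list_path(signature_id, page_size, offset, sort=["id"], with_=with_)
        status, body = send("GET", path)
        if status == 401:
            raise PermissionError("401 Access denied: access token missing or out of date")
        if status != 200:
            raise RuntimeError(f"unexpected status {status} for {path}")
        page = json.loads(body)
        if not isinstance(page, dict):
            raise RuntimeError("response is not a JSON object")
        rows = page.get("data") or []
        yield from rows
        offset += len(rows)
        total = page.get("total")  # assumption: count across all pages
        if not rows or (isinstance(total, int) and offset >= total):
            return
    raise RuntimeError("max_pages reached before the end of the list")


def make_fake_send(records, calls):
    """Offline stand-in for the server: slices constructed records by limit/offset."""
    def send(method, path):
        calls.append(path)
        query = parse_qs(urlsplit(path).query)
        limit, offset = int(query["limit"][0]), int(query["offset"][0])
        body = {"total": len(records), "data": records[offset:offset + limit],
                "limit": limit, "offset": offset}
        return 200, json.dumps(body)
    return send


def demo():
    """Walk five constructed links two at a time; return (pivot ids, paths requested)."""
    records = [{"id": i, "name": f"CONSTRUCTED ADVERSARY {i}", "pivot": {"id": 62000 + i}}
               for i in range(1, 6)]
    calls = []
    send = make_fake_send(records, calls)
    links = list(iter_adversary_links(send, 1, page_size=2, with_=["sources"]))
    return [link["pivot"]["id"] for link in links], calls


if __name__ == "__main__":
    print(demo())
```
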

Create New
POST /signatures/{signature_id}/adversaries

Create a link from an Adversary to a Signature.

Example URI

POST /signatures/1/adversaries
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "id": 2
  },
  {
    "id": 3
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 2,
  "data": [
    {
      "id": 2,
      "name": "AMOROUS PANDA",
      "created_at": "2017-03-06 14:05:24",
      "updated_at": "2017-03-06 14:05:24",
      "touched_at": "2017-03-10 19:25:48",
      "pivot": {
        "id": 62141,
        "created_at": "2017-03-10 19:25:48",
        "updated_at": "2017-03-10 19:25:48"
      }
    },
    {
      "id": 3,
      "name": "ANCHOR PANDA",
      "created_at": "2016-12-27 13:45:12",
      "updated_at": "2016-12-27 13:45:12",
      "touched_at": "2017-03-10 19:25:48",
      "pivot": {
        "id": 62142,
        "created_at": "2017-03-10 19:25:48",
        "updated_at": "2017-03-10 19:25:48"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "id": [
          "The id field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.

Bulk Delete
DELETE /signatures/{signature_id}/adversaries

Delete multiple Signature Adversary links.

Example URI

DELETE /signatures/1/adversaries
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  62351,
  62352
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Signature Adversary

Get Single
GET /signatures/{signature_id}/adversaries/{object_link_id}{?with}

Get a single Signature Adversary link.

Example URI

GET /signatures/1/adversaries/2?with=sources,pivot.attributes
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "name": "Advanced Pawn",
    "created_at": "2018-01-18 22:47:52",
    "updated_at": "2018-01-18 22:47:52",
    "touched_at": "2018-04-02 16:17:00",
    "pivot": {
      "id": 62324,
      "created_at": "2018-04-02 16:16:38",
      "updated_at": "2018-04-02 16:16:38",
      "comments": [
        {
          "id": 54,
          "object_link_id": 62324,
          "value": "This link is important.",
          "creator_source_id": 8,
          "created_at": "2018-04-02 16:19:51",
          "updated_at": "2018-04-02 16:23:40",
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "expire_days": null,
              "score": null,
              "created_at": "2018-04-02 15:47:21",
              "updated_at": "2018-04-02 15:47:21",
              "pivot": {
                "id": 54,
                "creator_source_id": 8
              }
            }
          ]
        }
      ],
      "attributes": [
        {
          "id": 15066,
          "object_link_id": 62324,
          "attribute_id": 136,
          "value": "Hospitals",
          "created_at": "2018-04-02 16:25:47",
          "updated_at": "2018-04-02 16:25:47",
          "name": "Industry",
          "attribute": {
            "id": 136,
            "name": "Industry",
            "created_at": "2018-04-02 16:25:21",
            "updated_at": "2018-04-02 16:25:21"
          },
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "tlp_id": null,
              "created_at": "2018-04-02 16:17:00",
              "updated_at": "2018-04-02 16:17:00",
              "published_at": null,
              "pivot": {
                "object_link_attribute_id": 15066,
                "source_id": 8,
                "id": 2,
                "creator_source_id": 0
              }
            }
          ]
        }
      ],
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "tlp_id": null,
          "created_at": "2018-04-02 16:16:38",
          "updated_at": "2018-04-02 16:16:38",
          "published_at": null,
          "pivot": {
            "object_link_id": 62324,
            "source_id": 8,
            "id": 24424,
            "creator_source_id": 8
          }
        }
      ]
    },
    "sources": [
      {
        "id": 1,
        "type": "clients",
        "name": "ThreatQ Front End",
        "tlp_id": null,
        "created_at": "2018-02-05 12:29:56",
        "updated_at": "2018-04-02 15:49:40",
        "published_at": null,
        "pivot": {
          "adversary_id": 1,
          "source_id": 1,
          "id": 1,
          "creator_source_id": 1
        }
      },
      {
        "id": 7,
        "type": "plugins",
        "name": "VirusTotal",
        "tlp_id": null,
        "created_at": "2018-01-31 03:41:47",
        "updated_at": "2018-04-02 15:49:40",
        "published_at": null,
        "pivot": {
          "adversary_id": 1,
          "source_id": 7,
          "id": 2,
          "creator_source_id": 7
        }
      },
      {
        "id": 8,
        "type": "users",
        "name": "Threat Quotient",
        "tlp_id": null,
        "created_at": "2018-03-31 21:31:30",
        "updated_at": "2018-04-02 15:49:40",
        "published_at": null,
        "pivot": {
          "adversary_id": 1,
          "source_id": 8,
          "id": 3,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /signatures/{signature_id}/adversaries/{object_link_id}

Delete a Signature Adversary link.

Example URI

DELETE /signatures/1/adversaries/2
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Signature Adversary Attributes List

Get List
GET /signatures/{signature_id}/adversaries/{object_link_id}/attributes{?limit,offset,sort}

Get a list of Signature Adversary link Attributes.

Example URI

GET /signatures/1/adversaries/2/attributes?limit=500&offset=100&sort=id
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 15067,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Universities",
      "created_at": "2018-04-02 17:46:43",
      "updated_at": "2018-04-02 17:50:18",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    },
    {
      "id": 15068,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Mining",
      "created_at": "2018-04-02 17:52:14",
      "updated_at": "2018-04-02 17:52:14",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /signatures/{signature_id}/adversaries/{object_link_id}/attributes

Create a new Signature Adversary link Attribute.

Example URI

POST /signatures/1/adversaries/2/attributes
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": 15059,
      "object_link_id": 61561,
      "attribute_id": 401,
      "value": "4000",
      "created_at": "2017-03-01 21:47:14",
      "updated_at": "2017-03-01 21:47:14",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Signature Adversary Attribute

Get Single
GET /signatures/{signature_id}/adversaries/{object_link_id}/attributes/{object_link_attribute_id}

Get a single Signature Adversary link Attribute.

Example URI

GET /signatures/1/adversaries/2/attributes/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 15068,
    "object_link_id": 62326,
    "attribute_id": 136,
    "value": "Mining",
    "created_at": "2018-04-02 17:52:14",
    "updated_at": "2018-04-02 17:52:14",
    "name": "Industry",
    "attribute": {
      "id": 136,
      "name": "Industry",
      "created_at": "2018-04-02 16:25:21",
      "updated_at": "2018-04-02 16:25:21"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /signatures/{signature_id}/adversaries/{object_link_id}/attributes/{object_link_attribute_id}

Update a Signature Adversary link Attribute.

Example URI

PUT /signatures/1/adversaries/2/attributes/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "id": 15058,
      "object_link_id": 61561,
      "attribute_id": 14,
      "value": "New Value",
      "created_at": "2017-01-24 14:54:31",
      "updated_at": "2017-03-01 22:13:22",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /signatures/{signature_id}/adversaries/{object_link_id}/attributes/{object_link_attribute_id}

Delete a Signature Adversary link Attribute.

Example URI

DELETE /signatures/1/adversaries/2/attributes/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Signature Adversary Comments List

Get List
GET /signatures/{signature_id}/adversaries/{object_link_id}/comments{?limit,offset,sort,with}

Get a list of Signature Adversary link Comments.

Example URI

GET /signatures/1/adversaries/2/comments?limit=500&offset=100&sort=id&with=sources
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources

A comma-separated list of related objects to include in the response. Options for this endpoint: sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 54,
      "object_link_id": 62325,
      "value": "This has some suspicious stuff.",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:19:51",
      "updated_at": "2018-04-02 18:21:06",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 54,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 56,
      "object_link_id": 62325,
      "value": "Compile date: 10/17/2011",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:20:25",
      "updated_at": "2018-04-02 16:20:25",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /signatures/{signature_id}/adversaries/{object_link_id}/comments

Create a new Signature Adversary link Comment.

Example URI

POST /signatures/1/adversaries/2/comments
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "id": 69,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 14:12:32",
    "updated_at": "2017-03-02 14:12:32"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Signature Adversary Comment

Get Single
GET /signatures/{signature_id}/adversaries/{object_link_id}/comments/{object_link_comment_id}

Get a single Signature Adversary link Comment.

Example URI

GET /signatures/1/adversaries/2/comments/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /signatures/{signature_id}/adversaries/{object_link_id}/comments/{object_link_comment_id}

Update a Signature Adversary link Comment.

Example URI

PUT /signatures/1/adversaries/2/comments/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "value": "This is an updated comment.",
    "id": 67,
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-02-28 20:18:50",
    "updated_at": "2017-03-02 14:37:49"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.
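
The 400 responses shown for the Signature Adversary endpoints above arrive in three different envelopes: per-item errors inside a data array, a top-level errors array, and an errors object inside a data object. The following added example (not part of the ThreatQ reference or ThreatQuotient's own code) flattens all three into one list and strips control characters before the messages reach a log; the function names and the 200-character cap are assumptions of this example, and the three sample bodies are the ones printed in this reference.

```python
import json

MAX_MESSAGE_LENGTH = 200  # assumption: cap chosen for this example


def clean(text):
    """Replace non-printable characters and cap the length so a server-supplied
    message cannot inject extra lines into a log."""
    printable = "".join(ch if ch.isprintable() else " " for ch in str(text))
    return printable[:MAX_MESSAGE_LENGTH]


def validation_errors(body_text):
    """Return [(item_index, field, message), ...] from a 400 response body.

    item_index is the position in the request array for bulk calls, else None;
    field is None when the server reports a bare message.
    """
    try:
        doc = json.loads(body_text)
    except (TypeError, ValueError):
        return [(None, None, "unparseable error body")]

    found = []

    def collect(errors, index):
        if isinstance(errors, dict):        # {"field": ["message", ...]}
            for field, messages in errors.items():
                if not isinstance(messages, list):
                    messages = [messages]
                for message in messages:
                    found.append((index, clean(field), clean(message)))
        elif isinstance(errors, list):      # ["message", ...]
            for message in errors:
                found.append((index, None, clean(message)))
        elif errors is not None:
            found.append((index, None, clean(errors)))

    if isinstance(doc, dict):
        collect(doc.get("errors"), None)
        data = doc.get("data")
        if isinstance(data, dict):
            collect(data.get("errors"), None)
        elif isinstance(data, list):
            for index, item in enumerate(data):
                if isinstance(item, dict):
                    collect(item.get("errors"), index)
    return found or [(None, None, "no error detail in body")]


# The three 400 bodies printed in this reference.
BULK_LINK_400 = '{"data": [{"errors": {"id": ["The id field is required."]}}]}'
ATTRIBUTE_400 = '{"errors": ["Undefined index: value"]}'
COMMENT_PUT_400 = ('{"data": {"creator_source_id": 5, '
                   '"errors": {"value": ["The value field is required."]}}}')

if __name__ == "__main__":
    for sample in (BULK_LINK_400, ATTRIBUTE_400, COMMENT_PUT_400):
        print(validation_errors(sample))
```
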

Delete
DELETE /signatures/{signature_id}/adversaries/{object_link_id}/comments/{object_link_comment_id}

Delete a Signature Adversary link Comment.

Example URI

DELETE /signatures/1/adversaries/2/comments/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Signature Attachments List

Get List
GET /signatures/{signature_id}/attachments{?limit,offset,sort,with}

Get a list of Signature Attachment links.

Example URI

GET /signatures/1/attachments?limit=500&offset=100&sort=id&with=sources,pivot.attributes
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 2,
      "type_id": 19,
      "title": "Honeybooboo.sh",
      "name": "Honeybooboo.sh",
      "hash": "4ece432b22f92461f9c4d2de2656d3e3",
      "content_type_id": 2,
      "file_size": 75,
      "path": "6/b/d/0/d/c/1/2/e/5/d/f/a/0/4/3/e/b/4/9/6/0/9/f/a/4/7/c/4/f/1/0",
      "malware_locked": "0",
      "placeholder": 0,
      "description": null,
      "created_at": "2018-04-02 15:47:22",
      "updated_at": "2018-04-02 15:47:22",
      "touched_at": "2018-04-02 17:39:18",
      "deleted_at": null,
      "sources": [
        {
          "name": "Threat Quotient"
        }
      ],
      "pivot": {
        "id": 62326,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "attachment",
        "dest_object_id": 2,
        "created_at": "2018-04-02 17:39:18",
        "updated_at": "2018-04-02 17:39:18",
        "comments": [
          {
            "id": 57,
            "type": "users",
            "value": "This link is important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-02 17:54:58.936000",
            "updated_at": "2018-04-02 17:55:15.039000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 15067,
            "name": "Industry",
            "value": "Universities",
            "sources": [
              {
                "id": 3,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "2018-04-02 16:17:00.689000",
                  "updated_at": "2018-04-02 16:17:00.689000"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24428,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-02 17:39:18.781000",
              "updated_at": "2018-04-02 17:39:18.781000"
            }
          }
        ]
      }
    },
    {
      "id": 1,
      "type_id": 10,
      "title": "parsing-sample.pdf",
      "name": "parsing-sample.pdf",
      "hash": "89e17b2f6cd3888864237b0ee10048f0",
      "content_type_id": 1,
      "file_size": 11300,
      "path": "e/a/f/d/d/7/1/e/5/c/e/1/1/9/b/0/5/6/4/a/6/d/5/9/a/2/3/5/3/1/0/4",
      "malware_locked": "0",
      "placeholder": 0,
      "description": null,
      "created_at": "2018-04-02 15:47:22",
      "updated_at": "2018-04-02 15:47:22",
      "touched_at": "2018-04-02 17:40:48",
      "deleted_at": null,
      "sources": [
        {
          "name": "Threat Quotient"
        }
      ],
      "pivot": {
        "id": 62327,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "attachment",
        "dest_object_id": 1,
        "created_at": "2018-04-02 17:40:48",
        "updated_at": "2018-04-02 17:40:48",
        "comments": [
          {
            "id": 58,
            "type": "users",
            "value": "This link is also important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-02 17:55:30.995000",
            "updated_at": "2018-04-02 17:55:30.995000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 15068,
            "name": "Industry",
            "value": "Mining",
            "sources": [
              {
                "id": 4,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "2018-04-02 16:17:00.689000",
                  "updated_at": "2018-04-02 16:17:00.689000"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24430,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-02 17:40:48.310000",
              "updated_at": "2018-04-02 17:40:48.310000"
            }
          }
        ]
      }
    }
  ],
  "limit": 100,
  "offset": 0
}
Response  401

Access denied.

Create New
POST /signatures/{signature_id}/attachments

Create a link from an Attachment to a Signature.

Example URI

POST /signatures/1/attachments
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "id": 2
  },
  {
    "id": 3
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 3,
      "type_id": 3,
      "title": "EXE like script",
      "name": "Honeybooboo.sh",
      "hash": "51774564f8d78fbddbfa22e1e7459af4",
      "content_type_id": 1,
      "file_size": 234234,
      "malware_locked": 1,
      "description": null,
      "created_at": "2017-02-23 20:02:18",
      "updated_at": "2017-02-23 20:02:18",
      "touched_at": "2017-03-01 16:51:15",
      "pivot": {
        "id": 62394,
        "created_at": "2017-03-01 16:51:15",
        "updated_at": "2017-03-01 16:51:15"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "id": [
          "The id field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.

Bulk Delete
DELETE /signatures/{signature_id}/attachments

Delete multiple Signature Attachment links.

Example URI

DELETE /signatures/1/attachments
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  62351,
  62352
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Signature Attachment

Get Single
GET /signatures/{signature_id}/attachments/{object_link_id}{?with}

Get a single Signature Attachment link.

Example URI

GET /signatures/1/attachments/2?with=sources,pivot.attributes
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 2,
    "type_id": 19,
    "title": "Honeybooboo.sh",
    "name": "Honeybooboo.sh",
    "hash": "4ece432b22f92461f9c4d2de2656d3e3",
    "content_type_id": 2,
    "file_size": 75,
    "malware_locked": 0,
    "placeholder": 0,
    "description": null,
    "created_at": "2018-04-02 15:47:22",
    "updated_at": "2018-04-02 15:47:22",
    "touched_at": "2018-04-02 17:39:18",
    "pivot": {
      "id": 62326,
      "created_at": "2018-04-02 17:39:18",
      "updated_at": "2018-04-02 17:39:18",
      "comments": [
        {
          "id": 57,
          "object_link_id": 62326,
          "value": "This link is important.",
          "creator_source_id": 8,
          "created_at": "2018-04-02 17:54:58",
          "updated_at": "2018-04-02 17:55:15",
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "expire_days": null,
              "score": null,
              "created_at": "2018-04-02 15:47:21",
              "updated_at": "2018-04-02 15:47:21",
              "pivot": {
                "id": 57,
                "creator_source_id": 8
              }
            }
          ]
        }
      ],
      "attributes": [
        {
          "id": 15067,
          "object_link_id": 62326,
          "attribute_id": 136,
          "value": "Universities",
          "created_at": "2018-04-02 17:46:43",
          "updated_at": "2018-04-02 17:50:18",
          "name": "Industry",
          "attribute": {
            "id": 136,
            "name": "Industry",
            "created_at": "2018-04-02 16:25:21",
            "updated_at": "2018-04-02 16:25:21"
          },
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "tlp_id": null,
              "created_at": "2018-04-02 16:17:00",
              "updated_at": "2018-04-02 16:17:00",
              "published_at": null,
              "pivot": {
                "object_link_attribute_id": 15067,
                "source_id": 8,
                "id": 3,
                "creator_source_id": 0
              }
            }
          ]
        }
      ],
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "tlp_id": null,
          "created_at": "2018-04-02 17:39:18",
          "updated_at": "2018-04-02 17:39:18",
          "published_at": null,
          "pivot": {
            "object_link_id": 62326,
            "source_id": 8,
            "id": 24428,
            "creator_source_id": 8
          }
        }
      ]
    },
    "sources": [
      {
        "id": 8,
        "type": "users",
        "name": "Threat Quotient",
        "tlp_id": null,
        "created_at": "2018-04-02 15:47:22",
        "updated_at": "2018-04-02 15:47:22",
        "published_at": null,
        "pivot": {
          "attachment_id": 2,
          "source_id": 8,
          "id": 2,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /signatures/{signature_id}/attachments/{object_link_id}

Delete a Signature Attachment link.

Example URI

DELETE /signatures/1/attachments/2
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Signature Attachment Attributes List

Get List
GET /signatures/{signature_id}/attachments/{object_link_id}/attributes{?limit,offset,sort}

Get a list of Signature Attachment link Attributes.

Example URI

GET /signatures/1/attachments/2/attributes?limit=500&offset=100&sort=id
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 15067,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Universities",
      "created_at": "2018-04-02 17:46:43",
      "updated_at": "2018-04-02 17:50:18",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    },
    {
      "id": 15068,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Mining",
      "created_at": "2018-04-02 17:52:14",
      "updated_at": "2018-04-02 17:52:14",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /signatures/{signature_id}/attachments/{object_link_id}/attributes

Create a new Signature Attachment link Attribute.

Example URI

POST /signatures/1/attachments/2/attributes
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": 15059,
      "object_link_id": 61561,
      "attribute_id": 401,
      "value": "4000",
      "created_at": "2017-03-01 21:47:14",
      "updated_at": "2017-03-01 21:47:14",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Signature Attachment Attribute

Get Single
GET /signatures/{signature_id}/attachments/{object_link_id}/attributes/{object_link_attribute_id}

Get a single Signature Attachment link Attribute.

Example URI

GET /signatures/1/attachments/2/attributes/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 15068,
    "object_link_id": 62326,
    "attribute_id": 136,
    "value": "Mining",
    "created_at": "2018-04-02 17:52:14",
    "updated_at": "2018-04-02 17:52:14",
    "name": "Industry",
    "attribute": {
      "id": 136,
      "name": "Industry",
      "created_at": "2018-04-02 16:25:21",
      "updated_at": "2018-04-02 16:25:21"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /signatures/{signature_id}/attachments/{object_link_id}/attributes/{object_link_attribute_id}

Update a Signature Attachment link Attribute.

Example URI

PUT /signatures/1/attachments/2/attributes/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "id": 15058,
      "object_link_id": 61561,
      "attribute_id": 14,
      "value": "New Value",
      "created_at": "2017-01-24 14:54:31",
      "updated_at": "2017-03-01 22:13:22",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /signatures/{signature_id}/attachments/{object_link_id}/attributes/{object_link_attribute_id}

Delete a Signature Attachment link Attribute.

Example URI

DELETE /signatures/1/attachments/2/attributes/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Signature Attachment Comments List

Get List
GET /signatures/{signature_id}/attachments/{object_link_id}/comments{?limit,offset,sort,with}

Get a list of Signature Attachment link Comments.

Example URI

GET /signatures/1/attachments/2/comments?limit=500&offset=100&sort=id&with=sources
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources

A comma-separated list of related objects to include in the response. Options for this endpoint: sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 54,
      "object_link_id": 62325,
      "value": "This has some suspicious stuff.",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:19:51",
      "updated_at": "2018-04-02 18:21:06",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 54,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 56,
      "object_link_id": 62325,
      "value": "Compile date: 10/17/2011",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:20:25",
      "updated_at": "2018-04-02 16:20:25",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /signatures/{signature_id}/attachments/{object_link_id}/comments

Create a new Signature Attachment link Comment.

Example URI

POST /signatures/1/attachments/2/comments
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "id": 69,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 14:12:32",
    "updated_at": "2017-03-02 14:12:32"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Signature Attachment Comment

Get Single
GET /signatures/{signature_id}/attachments/{object_link_id}/comments/{object_link_comment_id}

Get a single Signature Attachment link Comment.

Example URI

GET /signatures/1/attachments/2/comments/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /signatures/{signature_id}/attachments/{object_link_id}/comments/{object_link_comment_id}

Update a Signature Attachment link Comment.

Example URI

PUT /signatures/1/attachments/2/comments/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "value": "This is an updated comment.",
    "id": 67,
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-02-28 20:18:50",
    "updated_at": "2017-03-02 14:37:49"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /signatures/{signature_id}/attachments/{object_link_id}/comments/{object_link_comment_id}

Delete a Signature Attachment link Comment.

Example URI

DELETE /signatures/1/attachments/2/comments/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Signature Attributes List

Get List
GET /signatures/{signature_id}/attributes{?limit,offset,sort,with}

Get a list of Signature Attributes.

Example URI

GET /signatures/1/attributes?limit=500&offset=100&sort=id&with=attribute,sources
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: attribute,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: attribute, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 1,
      "signature_id": 1,
      "attribute_id": 252,
      "value": "Test Value",
      "created_at": "2017-04-22 16:29:11",
      "updated_at": "2017-04-22 16:29:11",
      "name": "Test Attribute",
      "attribute": {
        "id": 252,
        "name": "Test Attribute",
        "created_at": "2017-04-22 16:29:11",
        "updated_at": "2017-04-22 16:29:11"
      }
    },
    {
      "id": 2,
      "signature_id": 1,
      "attribute_id": 253,
      "value": "Another Test Value",
      "created_at": "2017-04-22 16:29:28",
      "updated_at": "2017-04-22 16:29:28",
      "name": "Another Test Attribute",
      "attribute": {
        "id": 253,
        "name": "Another Test Attribute",
        "created_at": "2017-04-22 16:29:28",
        "updated_at": "2017-04-22 16:29:28"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /signatures/{signature_id}/attributes

Create a new Signature Attribute.

Example URI

POST /signatures/1/attributes
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "value": "Test Value",
      "signature_id": 1,
      "id": 1,
      "attribute_id": 252,
      "created_at": "2017-04-22 16:29:11",
      "updated_at": "2017-04-22 16:29:11",
      "name": "Test Attribute",
      "attribute": {
        "id": 252,
        "name": "Test Attribute",
        "created_at": "2017-04-22 16:29:11",
        "updated_at": "2017-04-22 16:29:11"
      },
      "sources": [
        {
          "id": 12,
          "type": "other_sources",
          "name": "Test Source",
          "tlp_id": 1,
          "created_at": "2017-04-22 16:29:11",
          "updated_at": "2017-04-22 16:29:11",
          "published_at": "2017-02-28 00:00:00",
          "pivot": {
            "signature_attribute_id": 1,
            "source_id": 12,
            "id": 1,
            "creator_source_id": 5
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Signature Attribute

Get Single
GET /signatures/{signature_id}/attributes/{signature_attribute_id}{?with}

Get a single Signature Attribute.

Example URI

GET /signatures/1/attributes/2?with=attribute,sources
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

signature_attribute_id
integer (required) Example: 2

Signature Attribute ID

with
string (optional) Example: attribute,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: attribute, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "signature_id": 1,
    "attribute_id": 252,
    "value": "Test Value",
    "created_at": "2017-04-22 16:29:11",
    "updated_at": "2017-04-22 16:29:11",
    "name": "Test Attribute",
    "attribute": {
      "id": 252,
      "name": "Test Attribute",
      "created_at": "2017-04-22 16:29:11",
      "updated_at": "2017-04-22 16:29:11"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /signatures/{signature_id}/attributes/{signature_attribute_id}{?with}

Update a Signature Attribute.

Example URI

PUT /signatures/1/attributes/2?with=attribute,sources
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

signature_attribute_id
integer (required) Example: 2

Signature Attribute ID

with
string (optional) Example: attribute,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: attribute, sources.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 1,
    "signature_id": 1,
    "attribute_id": 252,
    "value": "New Value",
    "created_at": "2017-04-22 16:29:11",
    "updated_at": "2017-04-22 16:36:27",
    "name": "Test Attribute",
    "attribute": {
      "id": 252,
      "name": "Test Attribute",
      "created_at": "2017-04-22 16:29:11",
      "updated_at": "2017-04-22 16:29:11"
    }
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "signature_id": "1",
    "attribute_id": "1",
    "errors": {
      "value": [
        "The value field is required."
      ]
    },
    "name": "Accessed Time",
    "attribute": {
      "id": 1,
      "name": "Accessed Time",
      "created_at": "2017-04-21 00:04:37",
      "updated_at": "2017-03-31 00:03:37"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /signatures/{signature_id}/attributes/{signature_attribute_id}

Delete a Signature Attribute.

Example URI

DELETE /signatures/1/attributes/2
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

signature_attribute_id
integer (required) Example: 2

Signature Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Signature Attribute Source

Update
PUT /signatures/{signature_id}/attributes/{signature_attribute_id}/sources/{signature_attribute_source_id}

Update a Signature Attribute Source.

Example URI

PUT /signatures/1/attributes/2/sources/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

signature_attribute_id
integer (required) Example: 2

Signature Attribute ID

signature_attribute_source_id
integer (required) Example: 3

Signature Attribute Source ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "signature_attribute_id": 1,
    "source_id": 8,
    "tlp_id": 1,
    "created_at": "2018-09-20 21:22:20",
    "updated_at": "2018-09-20 21:23:46",
    "published_at": "2017-01-01 01:01:01",
    "creator_source_id": 8
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /signatures/{signature_id}/attributes/{signature_attribute_id}/sources/{signature_attribute_source_id}

Delete a Signature Attribute Source.

Example URI

DELETE /signatures/1/attributes/2/sources/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

signature_attribute_id
integer (required) Example: 2

Signature Attribute ID

signature_attribute_source_id
integer (required) Example: 3

Signature Attribute Source ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Signature Comments List

Get List
GET /signatures/{signature_id}/comments{?limit,offset,sort,with}

Get a list of Signature Comments.

Example URI

GET /signatures/1/comments?limit=500&offset=100&sort=id&with=signature,sources
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: signature,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: signature, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 1,
      "signature_id": 1,
      "value": "This is a comment.",
      "creator_source_id": 5,
      "created_at": "2017-04-23 17:38:32",
      "updated_at": "2017-04-23 17:40:24"
    },
    {
      "id": 2,
      "signature_id": 1,
      "value": "This is another comment.",
      "creator_source_id": 5,
      "created_at": "2017-04-23 17:38:37",
      "updated_at": "2017-04-23 17:38:37"
    }
  ]
}
Response  401

Access denied.
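
The `limit`, `offset`, `sort` and `with` parameters documented for the Signature list endpoints, as an added client-side sketch (not ThreatQuotient code). The function names, the injected `fetch` callable, the sort-field character set and the zero-based reading of `offset` are assumptions of this example.

```python
import re
from urllib.parse import urlencode

# "with" options the reference lists for each Signature list endpoint covered here.
WITH_OPTIONS = {
    "attributes": {"attribute", "sources"},
    "comments": {"signature", "sources"},
}
# Assumption: sort fields are identifier-like, optionally prefixed with "-".
SORT_FIELD = re.compile(r"-?[A-Za-z_][A-Za-z0-9_.]*")


def require_int(value, name):
    """Reject anything but a non-negative int so no caller-supplied text reaches the path."""
    if isinstance(value, bool) or not isinstance(value, int) or value < 0:
        raise ValueError(f"{name} must be a non-negative integer")
    return value


def signature_list_uri(signature_id, collection, limit=None, offset=None, sort=(), with_=()):
    """Build a list URI such as /signatures/1/comments?limit=500&offset=100&sort=id."""
    if collection not in WITH_OPTIONS:
        raise ValueError(f"unsupported collection: {collection!r}")
    sort = sort.split(",") if isinstance(sort, str) else list(sort)
    with_ = with_.split(",") if isinstance(with_, str) else list(with_)

    params = {}
    if limit is not None:
        params["limit"] = require_int(limit, "limit")
    if offset is not None:
        params["offset"] = require_int(offset, "offset")
    for field in sort:
        if not SORT_FIELD.fullmatch(field):
            raise ValueError(f"invalid sort field: {field!r}")
    if sort:
        params["sort"] = ",".join(sort)
    unknown = set(with_) - WITH_OPTIONS[collection]
    if unknown:
        raise ValueError(f"'with' options not listed for {collection}: {sorted(unknown)}")
    if with_:
        params["with"] = ",".join(with_)

    path = f"/signatures/{require_int(signature_id, 'signature_id')}/{collection}"
    # safe="," keeps the comma-separated lists readable, as in the reference's example URIs.
    return path + ("?" + urlencode(params, safe=",") if params else "")


def iter_all(fetch, signature_id, collection, page_size=500, sort=("id",), with_=()):
    """Yield every record of a list endpoint, one page at a time.

    `fetch(uri)` is a hypothetical callable that sends the GET with the
    Authorization header and returns the decoded {"total": ..., "data": [...]} envelope.
    Sorting by id keeps offset paging stable while records are being added.
    """
    if require_int(page_size, "page_size") < 1:
        raise ValueError("page_size must be at least 1")
    offset = 0
    while True:
        envelope = fetch(signature_list_uri(signature_id, collection,
                                            limit=page_size, offset=offset,
                                            sort=sort, with_=with_))
        records = envelope.get("data")
        if not isinstance(records, list):
            raise ValueError("a list endpoint must return 'data' as an array")
        yield from records
        offset += len(records)
        total = envelope.get("total")
        if not records or (isinstance(total, int) and offset >= total):
            return
```

Pass `fetch` a function that wraps your HTTP client, so the bearer token stays in one place and never appears in the URIs this code builds.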

Create New
POST /signatures/{signature_id}/comments

Create a new Signature Comment.

Example URI

POST /signatures/1/comments
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 1,
    "signature_id": 1,
    "value": "This is a comment.",
    "creator_source_id": 5,
    "created_at": "2017-04-23 17:38:32",
    "updated_at": "2017-04-23 17:38:32",
    "sources": [
      {
        "id": 5,
        "type": "users",
        "name": "Threat Quotient",
        "expire_days": null,
        "score": null,
        "created_at": "2017-04-22 00:09:37",
        "updated_at": "2017-04-22 00:09:37",
        "pivot": {
          "id": 1,
          "creator_source_id": 5
        }
      }
    ]
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "signature_id": "1",
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Signature Comment

Update
PUT /signatures/{signature_id}/comments/{signature_comment_id}{?with}

Update a Signature Comment.

Example URI

PUT /signatures/1/comments/2?with=signature,sources
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

signature_comment_id
integer (required) Example: 2

Signature Comment ID

with
string (optional) Example: signature,sources

A comma-separated list of related objects to include in the response. Options for this endpoint: signature, sources.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 1,
    "signature_id": 1,
    "value": "This is an updated comment.",
    "creator_source_id": 5,
    "created_at": "2017-04-23 17:38:32",
    "updated_at": "2017-04-23 17:40:24",
    "sources": [
      {
        "id": 5,
        "type": "users",
        "name": "Threat Quotient",
        "expire_days": null,
        "score": null,
        "created_at": "2017-04-22 00:09:37",
        "updated_at": "2017-04-22 00:09:37",
        "pivot": {
          "id": 1,
          "creator_source_id": 5
        }
      }
    ]
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "The current authenticated owner is not the owner of this comment."
  ]
}
Response  401

Access denied.

Response  404

Object not found.
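
The 400 bodies shown for the Signature endpoints come in three shapes: a top-level `errors` array, an `errors` object inside a `data` object, and an `errors` object inside a `data` array. The following added example (not ThreatQuotient code) normalizes all three into `(field, message)` pairs and makes the server-supplied text safe for a single log line; the function names and the length cap are assumptions of this example.

```python
import json

MAX_MESSAGE_LEN = 200  # assumption: cap chosen for this example, not a ThreatQ limit

# 400 bodies copied from the reference's own response examples.
SAMPLE_TOP_LEVEL = '{"errors": ["Undefined index: value"]}'
SAMPLE_DATA_OBJECT = ('{"data": {"creator_source_id": 5, '
                      '"errors": {"value": ["The value field is required."]}}}')
SAMPLE_DATA_ARRAY = '{"data": [{"errors": {"id": ["The id field is required."]}}]}'


def clean(text):
    """Truncate a server-supplied string and replace control characters,
    so it cannot break out of the log line it is written to."""
    text = str(text)[:MAX_MESSAGE_LEN]
    return "".join(ch if ch.isprintable() else "?" for ch in text)


def flatten_errors(errors):
    """Flatten one `errors` member, which the reference shows as an array or an object."""
    out = []
    if isinstance(errors, list):
        # {"errors": ["Undefined index: value"]}: no field name is given.
        out.extend((None, clean(message)) for message in errors)
    elif isinstance(errors, dict):
        # {"errors": {"value": ["The value field is required."]}}
        for field, messages in errors.items():
            if not isinstance(messages, list):
                messages = [messages]
            out.extend((clean(field), clean(message)) for message in messages)
    return out


def normalize_validation_errors(body):
    """Return a list of (field_or_None, message) pairs for any documented 400 shape."""
    if isinstance(body, (str, bytes)):
        try:
            body = json.loads(body)
        except ValueError:
            return [(None, "400 body is not valid JSON")]
    if not isinstance(body, dict):
        return [(None, "400 body is not a JSON object")]

    found = flatten_errors(body.get("errors"))
    data = body.get("data")
    # `data` may be a single object or an array of objects, each carrying `errors`.
    for item in data if isinstance(data, list) else [data]:
        if isinstance(item, dict):
            found.extend(flatten_errors(item.get("errors")))
    return found or [(None, "400 body carries no errors member")]


if __name__ == "__main__":
    for sample in (SAMPLE_TOP_LEVEL, SAMPLE_DATA_OBJECT, SAMPLE_DATA_ARRAY):
        print(normalize_validation_errors(sample))
```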

Delete
DELETE /signatures/{signature_id}/comments/{signature_comment_id}

Delete a Signature Comment.

Example URI

DELETE /signatures/1/comments/2
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

signature_comment_id
integer (required) Example: 2

Signature Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Signature Events List

Get List
GET /signatures/{signature_id}/events{?limit,offset,sort,with}

Get a list of Signature Event links.

Example URI

GET /signatures/1/events?limit=500&offset=100&sort=id&with=sources,pivot.attributes
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 13,
      "type_id": 1,
      "title": "Origin - http://halvorson.com/quia-reprehenderit-ullam-aut-accusantium-iusto-voluptas-omnis",
      "description": "",
      "happened_at": "2018-01-25 03:17:53",
      "hash": "0ba76d18a6e5350a8e5979b5676bc8c8",
      "created_at": "2018-01-25 03:17:53",
      "updated_at": "2018-01-25 03:17:53",
      "touched_at": "2018-04-03 15:34:22",
      "deleted_at": null,
      "sources": [
        {
          "name": "Threat Quotient"
        }
      ],
      "pivot": {
        "id": 61077,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "event",
        "dest_object_id": 13,
        "created_at": "2018-02-26 00:36:06",
        "updated_at": "2018-04-03 15:34:20",
        "comments": [
          {
            "id": 55,
            "type": "users",
            "value": "This is important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-04 14:42:46.690000",
            "updated_at": "2018-04-04 14:42:46.690000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 14948,
            "name": "Industry",
            "value": "Universities",
            "sources": [
              {
                "id": 1,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 22414,
            "name": "Threat Quotient",
            "type": "clients",
            "pivot": {
              "created_at": "2018-03-05 22:01:33",
              "updated_at": "2018-04-03 15:34:22.693000"
            }
          }
        ]
      }
    },
    {
      "id": 46,
      "type_id": 1,
      "title": "Origin - http://kling.com/voluptate-nihil-sit-est-aut",
      "description": "",
      "happened_at": "2017-12-31 23:17:05",
      "hash": "e2e96a1516420fc05ad8ac04de52bd89",
      "created_at": "2017-12-31 23:17:05",
      "updated_at": "2017-12-31 23:17:05",
      "touched_at": "2018-04-03 15:34:22",
      "deleted_at": null,
      "sources": [
        {
          "name": "Domain Tools"
        },
        {
          "name": "Emerging Threats"
        },
        {
          "name": "VirusTotal"
        }
      ],
      "pivot": {
        "id": 61144,
        "src_type": "adversary",
        "src_object_id": 1,
        "dest_type": "event",
        "dest_object_id": 46,
        "created_at": "2018-03-01 23:54:52",
        "updated_at": "2018-04-03 15:34:20",
        "comments": [
          {
            "id": 56,
            "type": "users",
            "value": "This is also important.",
            "source": "Threat Quotient",
            "created_at": "2018-04-04 14:43:10.692000",
            "updated_at": "2018-04-04 14:43:10.692000",
            "creator_source_id": 8
          }
        ],
        "attributes": [
          {
            "id": 14949,
            "name": "Industry",
            "value": "Mining",
            "sources": [
              {
                "id": 2,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 22513,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-02-24 09:36:30",
              "updated_at": "2018-04-03 15:34:22.693000"
            }
          },
          {
            "id": 22514,
            "name": "Customer Observer",
            "type": "users",
            "pivot": {
              "created_at": "2018-02-25 22:27:11",
              "updated_at": "2018-04-03 15:34:22.693000"
            }
          }
        ]
      }
    }
  ],
  "limit": 100,
  "offset": 0
}
Response  401

Access denied.

Create New
POST /signatures/{signature_id}/events

Create a link from a Signature to an Event.

Example URI

POST /signatures/1/events
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "id": 2
  },
  {
    "id": 3
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 202,
      "type_id": 2,
      "title": "Origin - http://www.durgan.biz/vel-omnis-impedit-at-quod-quasi-reiciendis.html",
      "description": "",
      "happened_at": "2016-12-05 20:01:48",
      "hash": "d13e682a5d567d51b99f676b7bdef980",
      "created_at": "2016-12-05 20:01:48",
      "updated_at": "2016-12-05 20:01:48",
      "touched_at": "2017-02-28 20:14:59",
      "pivot": {
        "id": 62396,
        "created_at": "2017-03-01 20:55:10",
        "updated_at": "2017-03-01 20:55:10"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "id": [
          "The id field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.

Bulk Delete
DELETE /signatures/{signature_id}/events

Delete multiple Signature Event links.

Example URI

DELETE /signatures/1/events
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  62351,
  62352
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.
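
The list and bulk-delete calls above, as an added client-side example (not part of the ThreatQuotient reference): it pages a Get List endpoint by limit and offset until total is reached, rejects with values the reference does not list, and collects pivot.id values for a Bulk Delete body. The function names, the sample rows, and the reading that Bulk Delete takes object link IDs (pivot.id) rather than object IDs are assumptions drawn from the sample bodies.

```python
import json
import urllib.request
from urllib.parse import urlencode, urlsplit, parse_qs

# `with` values this page lists for the events and indicators link endpoints.
LINK_WITH_OPTIONS = frozenset({
    "pivot.comments", "pivot.comments.sources", "pivot.attributes",
    "pivot.attributes.attribute", "pivot.attributes.sources",
    "pivot.sources", "sources",
})


def list_url(base, signature_id, kind, limit, offset, sort="id", with_=()):
    """Build a Get List URL, rejecting values the reference does not document."""
    if kind not in ("events", "indicators"):
        raise ValueError(f"unsupported link kind: {kind!r}")
    unknown = set(with_) - LINK_WITH_OPTIONS
    if unknown:
        raise ValueError(f"undocumented with option(s): {sorted(unknown)}")
    if int(limit) < 1 or int(offset) < 0:
        raise ValueError("limit must be >= 1 and offset >= 0")
    params = {"limit": int(limit), "offset": int(offset), "sort": sort}
    if with_:
        params["with"] = ",".join(with_)
    # int() keeps a caller-supplied id from smuggling extra path segments.
    path = f"signatures/{int(signature_id)}/{kind}"
    return f"{base.rstrip('/')}/{path}?{urlencode(params, safe=',')}"


def http_fetch(token):
    """Return a fetch(url) callable that sends the Bearer header (needs network)."""
    def fetch(url):
        req = urllib.request.Request(
            url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def iter_links(fetch, base, signature_id, kind, page_size=100, **query):
    """Yield every link row, following limit/offset until `total` is reached."""
    offset = 0
    while True:
        body = fetch(list_url(base, signature_id, kind, page_size, offset, **query))
        rows = body.get("data", [])
        yield from rows
        offset += len(rows)
        total = body.get("total")
        # An empty page also ends the loop, so a wrong total cannot spin forever.
        if not rows or (total is not None and offset >= total):
            break


def bulk_delete_body(rows):
    """JSON body for Bulk Delete: object link IDs (pivot.id), not object IDs (id).

    Assumption: inferred from the sample bodies on this page.
    """
    return json.dumps([row["pivot"]["id"] for row in rows])


# Constructed sample rows shaped like the Get List response (id plus pivot.id).
SAMPLE_ROWS = [{"id": 13 + i, "pivot": {"id": 61077 + i}} for i in range(5)]


def fake_fetch(url):
    """Offline stand-in for the API: serves SAMPLE_ROWS by limit/offset."""
    q = parse_qs(urlsplit(url).query)
    limit, offset = int(q["limit"][0]), int(q["offset"][0])
    return {"total": len(SAMPLE_ROWS),
            "data": SAMPLE_ROWS[offset:offset + limit],
            "limit": limit, "offset": offset}


if __name__ == "__main__":
    rows = list(iter_links(fake_fetch, "https://hostname/api/", 1, "events",
                           page_size=2, with_=("sources", "pivot.attributes")))
    print(len(rows), "links;", "bulk delete body:", bulk_delete_body(rows[:2]))
```

Swap fake_fetch for http_fetch(access_token) to run the same loop against a live instance.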

Signature Event

Get Single
GET /signatures/{signature_id}/events/{object_link_id}{?with}

Get a single Signature Event link.

Example URI

GET /signatures/1/events/2?with=sources,pivot.attributes
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 13,
    "type_id": 1,
    "title": "Origin - http://halvorson.com/quia-reprehenderit-ullam-aut-accusantium-iusto-voluptas-omnis",
    "description": "",
    "happened_at": "2018-01-25 03:17:53",
    "hash": "0ba76d18a6e5350a8e5979b5676bc8c8",
    "created_at": "2018-01-25 03:17:53",
    "updated_at": "2018-01-25 03:17:53",
    "touched_at": "2018-04-03 15:34:22",
    "pivot": {
      "id": 61077,
      "created_at": "2018-02-26 00:36:06",
      "updated_at": "2018-04-03 15:34:20",
      "comments": [
        {
          "id": 55,
          "object_link_id": 61077,
          "value": "This is important.",
          "creator_source_id": 8,
          "created_at": "2018-04-04 14:42:46",
          "updated_at": "2018-04-04 14:42:46",
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "expire_days": null,
              "score": null,
              "created_at": "2018-04-03 15:31:57",
              "updated_at": "2018-04-03 15:31:57",
              "pivot": {
                "id": 55,
                "creator_source_id": 8
              }
            }
          ]
        }
      ],
      "attributes": [
        {
          "id": 14948,
          "object_link_id": 61077,
          "attribute_id": 135,
          "value": "Universities",
          "created_at": "2018-04-04 14:38:39",
          "updated_at": "2018-04-04 14:38:39",
          "name": "Industry",
          "attribute": {
            "id": 135,
            "name": "Industry",
            "created_at": "2018-04-03 19:41:04",
            "updated_at": "2018-04-03 19:41:04"
          },
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "tlp_id": null,
              "created_at": "-0001-11-30 00:00:00",
              "updated_at": "-0001-11-30 00:00:00",
              "published_at": null,
              "pivot": {
                "object_link_attribute_id": 14948,
                "source_id": 8,
                "id": 1,
                "creator_source_id": 0
              }
            }
          ]
        }
      ],
      "sources": [
        {
          "id": 2,
          "type": "clients",
          "name": "Threat Quotient",
          "tlp_id": null,
          "created_at": "2018-03-05 22:01:33",
          "updated_at": "2018-04-03 15:34:22",
          "published_at": null,
          "pivot": {
            "object_link_id": 61077,
            "source_id": 2,
            "id": 22414,
            "creator_source_id": 2
          }
        }
      ]
    },
    "sources": [
      {
        "id": 8,
        "type": "users",
        "name": "Threat Quotient",
        "tlp_id": null,
        "created_at": "2018-02-24 22:23:15",
        "updated_at": "2018-04-03 15:34:22",
        "published_at": null,
        "pivot": {
          "event_id": 13,
          "source_id": 8,
          "id": 27,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /signatures/{signature_id}/events/{object_link_id}

Delete a Signature Event link.

Example URI

DELETE /signatures/1/events/2
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Signature Event Attributes List

Get List
GET /signatures/{signature_id}/events/{object_link_id}/attributes{?limit,offset,sort}

Get a list of Signature Event link Attributes.

Example URI

GET /signatures/1/events/2/attributes?limit=500&offset=100&sort=id
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 15067,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Universities",
      "created_at": "2018-04-02 17:46:43",
      "updated_at": "2018-04-02 17:50:18",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    },
    {
      "id": 15068,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Mining",
      "created_at": "2018-04-02 17:52:14",
      "updated_at": "2018-04-02 17:52:14",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /signatures/{signature_id}/events/{object_link_id}/attributes

Create a new Signature Event link Attribute.

Example URI

POST /signatures/1/events/2/attributes
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": 15059,
      "object_link_id": 61561,
      "attribute_id": 401,
      "value": "4000",
      "created_at": "2017-03-01 21:47:14",
      "updated_at": "2017-03-01 21:47:14",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Signature Event Attribute

Get Single
GET /signatures/{signature_id}/events/{object_link_id}/attributes/{object_link_attribute_id}

Get a single Signature Event link Attribute.

Example URI

GET /signatures/1/events/2/attributes/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 15068,
    "object_link_id": 62326,
    "attribute_id": 136,
    "value": "Mining",
    "created_at": "2018-04-02 17:52:14",
    "updated_at": "2018-04-02 17:52:14",
    "name": "Industry",
    "attribute": {
      "id": 136,
      "name": "Industry",
      "created_at": "2018-04-02 16:25:21",
      "updated_at": "2018-04-02 16:25:21"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /signatures/{signature_id}/events/{object_link_id}/attributes/{object_link_attribute_id}

Update a Signature Event link Attribute.

Example URI

PUT /signatures/1/events/2/attributes/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "id": 15058,
      "object_link_id": 61561,
      "attribute_id": 14,
      "value": "New Value",
      "created_at": "2017-01-24 14:54:31",
      "updated_at": "2017-03-01 22:13:22",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /signatures/{signature_id}/events/{object_link_id}/attributes/{object_link_attribute_id}

Delete a Signature Event link Attribute.

Example URI

DELETE /signatures/1/events/2/attributes/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Signature Event Comments List

Get List
GET /signatures/{signature_id}/events/{object_link_id}/comments{?limit,offset,sort,with}

Get a list of Signature Event link Comments.

Example URI

GET /signatures/1/events/2/comments?limit=500&offset=100&sort=id&with=sources
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources

A comma-separated list of related objects to include in the response. Options for this endpoint: sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 54,
      "object_link_id": 62325,
      "value": "This has some suspicious stuff.",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:19:51",
      "updated_at": "2018-04-02 18:21:06",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 54,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 56,
      "object_link_id": 62325,
      "value": "Compile date: 10/17/2011",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:20:25",
      "updated_at": "2018-04-02 16:20:25",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /signatures/{signature_id}/events/{object_link_id}/comments

Create a new Signature Event link Comment.

Example URI

POST /signatures/1/events/2/comments
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "id": 69,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 14:12:32",
    "updated_at": "2017-03-02 14:12:32"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Signature Event Comment

Get Single
GET /signatures/{signature_id}/events/{object_link_id}/comments/{object_link_comment_id}

Get a single Signature Event link Comment.

Example URI

GET /signatures/1/events/2/comments/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /signatures/{signature_id}/events/{object_link_id}/comments/{object_link_comment_id}

Update a Signature Event link Comment.

Example URI

PUT /signatures/1/events/2/comments/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "value": "This is an updated comment.",
    "id": 67,
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-02-28 20:18:50",
    "updated_at": "2017-03-02 14:37:49"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /signatures/{signature_id}/events/{object_link_id}/comments/{object_link_comment_id}

Delete a Signature Event link Comment.

Example URI

DELETE /signatures/1/events/2/comments/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Signature Indicators List

Get List
GET /signatures/{signature_id}/indicators{?limit,offset,sort,with}

Get a list of Signature Indicator links.

Example URI

GET /signatures/1/indicators?limit=500&offset=100&sort=id&with=sources,pivot.attributes
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 24,
      "type_id": 3,
      "status_id": 3,
      "class": "network",
      "hash": "bc77846655cdf4c183713a59f8c2a8f1",
      "value": "brendon57@hotmail.com",
      "description": null,
      "last_detected_at": "2002-06-23 14:29:54",
      "expires_at": null,
      "expired_at": null,
      "expires_needs_calc": "Y",
      "expires_calculated_at": null,
      "created_at": "2018-04-04 19:28:34",
      "updated_at": "2018-04-04 19:28:34",
      "touched_at": "2018-04-04 19:30:57",
      "deleted_at": null,
      "sources": [
        {
          "name": "ThreatQ Example Feed"
        }
      ],
      "pivot": {
        "id": 14896,
        "src_type": "indicator",
        "src_object_id": 24,
        "dest_type": "adversary",
        "dest_object_id": 1,
        "created_at": "2018-04-04 19:28:34",
        "updated_at": "2018-04-04 19:28:34",
        "comments": [
          {
            "id": 54,
            "type": "users",
            "value": "This link is important.",
            "created_at": "2018-04-04 20:05:39.284000",
            "updated_at": "2018-04-04 20:05:39.284000",
            "creator_source_id": 8,
            "sources": [
              {
                "id": 8,
                "name": "Threat Quotient"
              }
            ]
          }
        ],
        "attributes": [
          {
            "id": 43,
            "name": "Confidence",
            "value": "75",
            "sources": [
              {
                "id": 1,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 62,
            "name": "VirusTotal",
            "type": "plugins",
            "pivot": {
              "created_at": "2018-02-19 02:14:29",
              "updated_at": "2018-04-04 19:30:59.439000"
            }
          }
        ]
      }
    },
    {
      "id": 74,
      "type_id": 3,
      "status_id": 3,
      "class": "network",
      "hash": "890a7aa3415d8b4fa39d9f51a026b7d8",
      "value": "hazel.kilback@hotmail.com",
      "description": null,
      "last_detected_at": "1992-07-15 20:23:27",
      "expires_at": null,
      "expired_at": null,
      "expires_needs_calc": "Y",
      "expires_calculated_at": null,
      "created_at": "2018-04-04 19:28:35",
      "updated_at": "2018-04-04 19:28:35",
      "touched_at": "2018-04-04 19:30:57",
      "deleted_at": null,
      "sources": [
        {
          "name": "Customer Admin"
        }
      ],
      "pivot": {
        "id": 14991,
        "src_type": "indicator",
        "src_object_id": 74,
        "dest_type": "adversary",
        "dest_object_id": 1,
        "created_at": "2018-04-04 19:28:35",
        "updated_at": "2018-04-04 19:28:35",
        "comments": [
          {
            "id": 56,
            "type": "users",
            "value": "This link is also important.",
            "created_at": "2018-04-04 20:09:29.324000",
            "updated_at": "2018-04-04 20:09:29.324000",
            "creator_source_id": 8,
            "sources": [
              {
                "id": 8,
                "name": "Threat Quotient"
              }
            ]
          }
        ],
        "attributes": [
          {
            "id": 138,
            "name": "Confidence",
            "value": "75",
            "sources": [
              {
                "id": 2,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 200,
            "name": "Emerging Threats",
            "type": "plugins",
            "pivot": {
              "created_at": "2018-01-13 11:24:36",
              "updated_at": "2018-04-04 19:30:59.439000"
            }
          }
        ]
      }
    }
  ],
  "limit": 2,
  "offset": 0
}
Response  401

Access denied.

Create New
POST /signatures/{signature_id}/indicators

Create a link from an Indicator to a Signature.

Example URI

POST /signatures/1/indicators
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "id": 2
  },
  {
    "id": 3
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 202,
      "type_id": 2,
      "status_id": 3,
      "class": "network",
      "hash": "bba60e76a34af96122b9f44e67ae8ea7",
      "value": "oolson@yahoo.com",
      "last_detected_at": "2013-12-13 08:58:00",
      "expires_at": null,
      "expired_at": null,
      "expires_calculated_at": null,
      "created_at": "2017-02-28 20:13:19",
      "updated_at": "2017-02-28 20:13:19",
      "touched_at": "2017-03-02 14:57:32",
      "pivot": {
        "id": 62397,
        "created_at": "2017-03-02 14:57:32",
        "updated_at": "2017-03-02 14:57:32"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "id": [
          "The id field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.

Bulk Delete
DELETE /signatures/{signature_id}/indicators

Delete multiple Signature Indicator links.

Example URI

DELETE /signatures/1/indicators
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  62351,
  62352
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Signature Indicator

Get Single
GET /signatures/{signature_id}/indicators/{object_link_id}{?with}

Get a single Signature Indicator link.

Example URI

GET /signatures/1/indicators/2?with=sources,pivot.attributes
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 24,
    "type_id": 3,
    "status_id": 3,
    "class": "network",
    "hash": "bc77846655cdf4c183713a59f8c2a8f1",
    "value": "brendon57@hotmail.com",
    "description": null,
    "last_detected_at": "2002-06-23 14:29:54",
    "expires_at": null,
    "expired_at": null,
    "expires_needs_calc": "Y",
    "expires_calculated_at": null,
    "created_at": "2018-04-04 19:28:34",
    "updated_at": "2018-04-04 19:28:34",
    "touched_at": "2018-04-04 19:30:57",
    "pivot": {
      "id": 14896,
      "created_at": "2018-03-09 14:32:27",
      "updated_at": "2018-04-04 19:30:29",
      "comments": [
        {
          "id": 54,
          "object_link_id": 14896,
          "value": "This link is also important.",
          "creator_source_id": 8,
          "created_at": "2018-04-04 20:05:39",
          "updated_at": "2018-04-04 20:05:39",
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "expire_days": null,
              "score": null,
              "created_at": "2018-04-04 19:28:33",
              "updated_at": "2018-04-04 19:28:33",
              "pivot": {
                "id": 54,
                "creator_source_id": 8
              }
            }
          ]
        }
      ],
      "attributes": [
        {
          "id": 43,
          "object_link_id": 14896,
          "attribute_id": 13,
          "value": "75",
          "created_at": "2018-02-24 14:33:41",
          "updated_at": "-0001-11-30 00:00:00",
          "name": "Confidence",
          "attribute": {
            "id": 13,
            "name": "Confidence",
            "created_at": "2018-03-28 19:03:33",
            "updated_at": "2018-03-24 19:03:33"
          },
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "tlp_id": null,
              "created_at": "-0001-11-30 00:00:00",
              "updated_at": "-0001-11-30 00:00:00",
              "published_at": null,
              "pivot": {
                "object_link_attribute_id": 43,
                "source_id": 8,
                "id": 1,
                "creator_source_id": 0
              }
            }
          ]
        }
      ],
      "sources": [
        {
          "id": 5,
          "type": "plugins",
          "name": "VirusTotal",
          "tlp_id": null,
          "created_at": "2018-02-19 02:14:29",
          "updated_at": "2018-04-04 19:30:59",
          "published_at": null,
          "pivot": {
            "object_link_id": 14896,
            "source_id": 5,
            "id": 62,
            "creator_source_id": 5
          }
        }
      ]
    },
    "sources": [
      {
        "id": 3,
        "type": "clients",
        "name": "ThreatQ",
        "tlp_id": null,
        "created_at": "2018-04-04 19:28:35",
        "updated_at": "2018-04-04 19:28:35",
        "published_at": null,
        "pivot": {
          "indicator_id": 24,
          "source_id": 3,
          "id": 59,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /signatures/{signature_id}/indicators/{object_link_id}

Delete a Signature Indicator link.

Example URI

DELETE /signatures/1/indicators/2
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Signature Indicator Attributes List

Get List
GET /signatures/{signature_id}/indicators/{object_link_id}/attributes{?limit,offset,sort}

Get a list of Signature Indicator link Attributes.

Example URI

GET /signatures/1/indicators/2/attributes?limit=500&offset=100&sort=id
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 15067,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Universities",
      "created_at": "2018-04-02 17:46:43",
      "updated_at": "2018-04-02 17:50:18",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    },
    {
      "id": 15068,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Mining",
      "created_at": "2018-04-02 17:52:14",
      "updated_at": "2018-04-02 17:52:14",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /signatures/{signature_id}/indicators/{object_link_id}/attributes

Create a new Signature Indicator link Attribute.

Example URI

POST /signatures/1/indicators/2/attributes
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": 15059,
      "object_link_id": 61561,
      "attribute_id": 401,
      "value": "4000",
      "created_at": "2017-03-01 21:47:14",
      "updated_at": "2017-03-01 21:47:14",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Signature Indicator Attribute

Get Single
GET /signatures/{signature_id}/indicators/{object_link_id}/attributes/{object_link_attribute_id}

Get a single Signature Indicator link Attribute.

Example URI

GET /signatures/1/indicators/2/attributes/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 15068,
    "object_link_id": 62326,
    "attribute_id": 136,
    "value": "Mining",
    "created_at": "2018-04-02 17:52:14",
    "updated_at": "2018-04-02 17:52:14",
    "name": "Industry",
    "attribute": {
      "id": 136,
      "name": "Industry",
      "created_at": "2018-04-02 16:25:21",
      "updated_at": "2018-04-02 16:25:21"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /signatures/{signature_id}/indicators/{object_link_id}/attributes/{object_link_attribute_id}

Update a Signature Indicator link Attribute.

Example URI

PUT /signatures/1/indicators/2/attributes/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "id": 15058,
      "object_link_id": 61561,
      "attribute_id": 14,
      "value": "New Value",
      "created_at": "2017-01-24 14:54:31",
      "updated_at": "2017-03-01 22:13:22",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /signatures/{signature_id}/indicators/{object_link_id}/attributes/{object_link_attribute_id}

Delete a Signature Indicator link Attribute.

Example URI

DELETE /signatures/1/indicators/2/attributes/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Signature Indicator Comments List

Get List
GET /signatures/{signature_id}/indicators/{object_link_id}/comments{?limit,offset,sort,with}

Get a list of Signature Indicator link Comments.

Example URI

GET /signatures/1/indicators/2/comments?limit=500&offset=100&sort=id&with=sources
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources

A comma-separated list of related objects to include in the response. Options for this endpoint: sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 54,
      "object_link_id": 62325,
      "value": "This has some suspicious stuff.",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:19:51",
      "updated_at": "2018-04-02 18:21:06",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 54,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 56,
      "object_link_id": 62325,
      "value": "Compile date: 10/17/2011",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:20:25",
      "updated_at": "2018-04-02 16:20:25",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /signatures/{signature_id}/indicators/{object_link_id}/comments

Create a new Signature Indicator link Comment.

Example URI

POST /signatures/1/indicators/2/comments
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "id": 69,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 14:12:32",
    "updated_at": "2017-03-02 14:12:32"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Signature Indicator Comment

Get Single
GET /signatures/{signature_id}/indicators/{object_link_id}/comments/{object_link_comment_id}

Get a single Signature Indicator link Comment.

Example URI

GET /signatures/1/indicators/2/comments/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /signatures/{signature_id}/indicators/{object_link_id}/comments/{object_link_comment_id}

Update a Signature Indicator link Comment.

Example URI

PUT /signatures/1/indicators/2/comments/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "value": "This is an updated comment.",
    "id": 67,
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-02-28 20:18:50",
    "updated_at": "2017-03-02 14:37:49"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /signatures/{signature_id}/indicators/{object_link_id}/comments/{object_link_comment_id}

Delete a Signature Indicator link Comment.

Example URI

DELETE /signatures/1/indicators/2/comments/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Signature Signatures List

Get List
GET /signatures/{signature_id}/signatures{?limit,offset,sort,with}

Get a list of Signature Signature links.

Example URI

GET /signatures/1/signatures?limit=500&offset=100&sort=id&with=sources,pivot.attributes
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 2,
      "name": "ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow (2007937:4)",
      "description": "",
      "hash": "8cf2e60aeb0b7ed9874f2ed379b3f42d",
      "value": "alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:\"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow\"; content:\"|44 53 52 65 71 75 65 73 74|\"; pcre:\"/[0-9a-zA-Z]{50}/R\"; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; classtype:successful-dos; sid:2007937; rev:4;)",
      "status_id": 3,
      "type_id": 6,
      "last_detected_at": null,
      "created_at": "2018-04-04 19:30:18",
      "updated_at": "2018-04-04 19:30:18",
      "touched_at": "2018-04-04 23:02:46",
      "deleted_at": null,
      "sources": [
        {
          "name": "Threat Quotient"
        }
      ],
      "pivot": {
        "id": 62261,
        "src_type": "signature",
        "src_object_id": 2,
        "dest_type": "adversary",
        "dest_object_id": 1,
        "created_at": "2018-04-04 19:30:18",
        "updated_at": "2018-04-04 19:30:18",
        "comments": [
          {
            "id": 57,
            "type": "users",
            "value": "This link is important.",
            "created_at": "2018-04-04 23:16:40.155000",
            "updated_at": "2018-04-04 23:18:42.648000",
            "creator_source_id": 8,
            "sources": [
              {
                "id": 8,
                "name": "Threat Quotient"
              }
            ]
          }
        ],
        "attributes": [
          {
            "id": 15080,
            "name": "Industry",
            "value": "Universities",
            "sources": [
              {
                "id": 3,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24298,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-04 23:02:46.740000",
              "updated_at": "2018-04-04 23:02:46.740000"
            }
          }
        ]
      }
    },
    {
      "id": 1,
      "name": "ET EXPLOIT Arkeia full remote access without password or authentication (2001742:9)",
      "description": "",
      "hash": "737309fe355ef23e1c03a5e98bc364b5",
      "value": "alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:\"ET EXPLOIT Arkeia full remote access without password or authentication\"; flow:to_server,established; content:\"|464F3A20596F75206861766520737563|\"; content:\"|6520636C69656E7420696E666F726D61|\"; reference:url,metasploit.com/research/vulns/arkeia_agent; reference:url,doc.emergingthreats.net/bin/view/Main/2001742; classtype:attempted-admin; sid:2001742; rev:9;)",
      "status_id": 3,
      "type_id": 6,
      "last_detected_at": null,
      "created_at": "2018-04-04 19:30:18",
      "updated_at": "2018-04-04 19:30:18",
      "touched_at": "2018-04-04 23:03:35",
      "deleted_at": null,
      "sources": [
        {
          "name": "Threat Quotient"
        }
      ],
      "pivot": {
        "id": 62262,
        "src_type": "signature",
        "src_object_id": 1,
        "dest_type": "adversary",
        "dest_object_id": 1,
        "created_at": "2018-04-04 19:30:18",
        "updated_at": "2018-04-04 19:30:18",
        "comments": [
          {
            "id": 58,
            "type": "users",
            "value": "This link is also important.",
            "created_at": "2018-04-04 23:16:58.817000",
            "updated_at": "2018-04-04 23:16:58.817000",
            "creator_source_id": 8,
            "sources": [
              {
                "id": 8,
                "name": "Threat Quotient"
              }
            ]
          }
        ],
        "attributes": [
          {
            "id": 15081,
            "name": "Industry",
            "value": "Mining",
            "sources": [
              {
                "id": 4,
                "name": "Threat Quotient",
                "type": "users",
                "pivot": {
                  "created_at": "0000-00-00 00:00:00",
                  "updated_at": "0000-00-00 00:00:00"
                }
              }
            ]
          }
        ],
        "sources": [
          {
            "id": 24300,
            "name": "Threat Quotient",
            "type": "users",
            "pivot": {
              "created_at": "2018-04-04 23:03:35.975000",
              "updated_at": "2018-04-04 23:03:35.975000"
            }
          }
        ]
      }
    }
  ],
  "limit": 100,
  "offset": 0
}
Response  401

Access denied.
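
The limit, offset, sort and with parameters of the Get List endpoint above, as an added example (not ThreatQuotient's code): a client-side helper that builds the list URI, rejects `with` values outside the options listed for this endpoint, and walks the collection page by page. The `fetch` callable, the helper names and the sample rows are assumptions made for illustration, as is reading `total` as the overall record count.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# "with" options the reference lists for GET /signatures/{signature_id}/signatures.
ALLOWED_WITH = frozenset({
    "pivot.comments", "pivot.comments.sources", "pivot.attributes",
    "pivot.attributes.attribute", "pivot.attributes.sources",
    "pivot.sources", "sources",
})


def build_list_path(signature_id, limit, offset, sort=(), with_=()):
    """Return the relative URI for one page of Signature Signature links.

    sort and with_ are sequences of strings, e.g. ("-touched_at", "id").
    """
    unknown = set(with_) - ALLOWED_WITH
    if unknown:
        raise ValueError(f"unsupported 'with' value(s): {sorted(unknown)}")
    if limit < 1 or offset < 0:
        raise ValueError("limit must be >= 1 and offset >= 0")
    query = {"limit": limit, "offset": offset}
    if sort:
        query["sort"] = ",".join(sort)   # a leading "-" reverses the order
    if with_:
        query["with"] = ",".join(with_)
    # int() keeps anything but a numeric ID out of the path.
    return f"/signatures/{int(signature_id)}/signatures?" + urlencode(query, safe=",")


def iter_links(fetch, signature_id, page_size=100, sort=("id",), with_=()):
    """Yield every linked signature, requesting page_size records at a time.

    fetch(path) is a caller-supplied (hypothetical) function that sends the GET
    with the Authorization: Bearer header and returns the decoded JSON body.
    """
    offset = 0
    while True:
        body = fetch(build_list_path(signature_id, page_size, offset, sort, with_))
        rows = body.get("data")
        if not isinstance(rows, list):
            raise ValueError("list response without a 'data' array")
        yield from rows
        offset += len(rows)
        # Assumption: "total" counts all matching records, not just this page.
        total = body.get("total")
        if not rows or (total is not None and offset >= total):
            return


def link_attributes(row):
    """Flatten the attributes stored on the link itself (row["pivot"]).

    They are only present when pivot.attributes was requested through "with".
    """
    pivot = row.get("pivot") or {}
    return [
        (pivot.get("id"), attr.get("name"), attr.get("value"),
         [s.get("name") for s in attr.get("sources", [])])
        for attr in pivot.get("attributes", [])
    ]


# Constructed sample data, trimmed to the fields used here; the IDs are made up.
_SAMPLE = [
    {"id": n, "name": f"constructed rule {n}",
     "pivot": {"id": 9000 + n,
               "attributes": [{"id": 100 + n, "name": "Industry", "value": v,
                               "sources": [{"id": 8, "name": "Threat Quotient"}]}]}}
    for n, v in enumerate(
        ["Universities", "Mining", "Energy", "Retail", "Health"], start=1)
]


def fake_fetch(path, log=None):
    """Offline stand-in for the HTTP call: serves _SAMPLE by limit/offset."""
    q = parse_qs(urlsplit(path).query)
    limit, offset = int(q["limit"][0]), int(q["offset"][0])
    if log is not None:
        log.append(path)
    return {"total": len(_SAMPLE), "data": _SAMPLE[offset:offset + limit],
            "limit": limit, "offset": offset}


if __name__ == "__main__":
    for row in iter_links(fake_fetch, 1, page_size=2,
                          with_=("sources", "pivot.attributes")):
        print(row["id"], link_attributes(row))
```
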

Create New
POST /signatures/{signature_id}/signatures

Create a link from a Signature to another Signature.

Example URI

POST /signatures/1/signatures
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  {
    "id": 2
  },
  {
    "id": 3
  }
]
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 202,
      "name": "ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 27 (2019448:1)",
      "description": "",
      "hash": "32eb2da7b59c7e85fbeec98f90adaf2d",
      "value": "alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:\"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 27\"; flow:established,to_server; content:\"%6e%61m%65[\"; nocase; fast_pattern:only; http_client_body; pcre:\"/(?:^|&|Content-Disposition[\\x3a][^\\n]*?name\\s*?=\\s*?[\\x22\\x27])\\%6e\\%61m\\%65\\[[^\\x5d]*?\\W/Pi\"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019448; rev:1;)",
      "status_id": 4,
      "type_id": 1,
      "last_detected_at": null,
      "created_at": "2017-03-02 16:34:40",
      "updated_at": "2017-03-02 16:34:40",
      "touched_at": "2017-03-02 16:34:41",
      "pivot": {
        "id": 62337,
        "created_at": "2017-03-02 16:43:29",
        "updated_at": "2017-03-02 16:43:29"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "id": [
          "The id field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.

Bulk Delete
DELETE /signatures/{signature_id}/signatures

Delete multiple Signature Signature links.

Example URI

DELETE /signatures/1/signatures
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
[
  62351,
  62352
]
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Signature Signature

Get Single
GET /signatures/{signature_id}/signatures/{object_link_id}{?with}

Get a single Signature Signature link.

Example URI

GET /signatures/1/signatures/2?with=sources,pivot.attributes
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

with
string (optional) Example: sources,pivot.attributes

A comma-separated list of related objects to include in the response. Options for this endpoint: pivot.comments, pivot.comments.sources, pivot.attributes, pivot.attributes.attribute, pivot.attributes.sources, pivot.sources, sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 2,
    "name": "ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow (2007937:4)",
    "description": "",
    "hash": "8cf2e60aeb0b7ed9874f2ed379b3f42d",
    "value": "alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:\"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow\"; content:\"|44 53 52 65 71 75 65 73 74|\"; pcre:\"/[0-9a-zA-Z]{50}/R\"; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; classtype:successful-dos; sid:2007937; rev:4;)",
    "status_id": 3,
    "type_id": 6,
    "last_detected_at": null,
    "created_at": "2018-04-04 19:30:18",
    "updated_at": "2018-04-04 19:30:18",
    "touched_at": "2018-04-04 23:02:46",
    "pivot": {
      "id": 62261,
      "created_at": "2018-04-04 23:02:46",
      "updated_at": "2018-04-04 23:02:46",
      "comments": [
        {
          "id": 57,
          "object_link_id": 62261,
          "value": "This link is important.",
          "creator_source_id": 8,
          "created_at": "2018-04-04 23:16:40",
          "updated_at": "2018-04-04 23:18:42",
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "expire_days": null,
              "score": null,
              "created_at": "2018-04-04 19:28:33",
              "updated_at": "2018-04-04 19:28:33",
              "pivot": {
                "id": 57,
                "creator_source_id": 8
              }
            }
          ]
        }
      ],
      "attributes": [
        {
          "id": 15080,
          "object_link_id": 62261,
          "attribute_id": 135,
          "value": "Universities",
          "created_at": "2018-04-04 23:09:28",
          "updated_at": "2018-04-04 23:09:28",
          "name": "Industry",
          "attribute": {
            "id": 135,
            "name": "Industry",
            "created_at": "2018-04-04 20:01:00",
            "updated_at": "2018-04-04 20:01:00"
          },
          "sources": [
            {
              "id": 8,
              "type": "users",
              "name": "Threat Quotient",
              "tlp_id": null,
              "created_at": "-0001-11-30 00:00:00",
              "updated_at": "-0001-11-30 00:00:00",
              "published_at": null,
              "pivot": {
                "object_link_attribute_id": 15080,
                "source_id": 8,
                "id": 3,
                "creator_source_id": 0
              }
            }
          ]
        }
      ],
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "tlp_id": null,
          "created_at": "2018-04-04 23:02:46",
          "updated_at": "2018-04-04 23:02:46",
          "published_at": null,
          "pivot": {
            "object_link_id": 62261,
            "source_id": 8,
            "id": 24298,
            "creator_source_id": 8
          }
        }
      ]
    },
    "sources": [
      {
        "id": 8,
        "type": "users",
        "name": "Threat Quotient",
        "tlp_id": null,
        "created_at": "2018-04-04 19:30:18",
        "updated_at": "2018-04-04 19:30:18",
        "published_at": null,
        "pivot": {
          "signature_id": 2,
          "source_id": 8,
          "id": 2,
          "creator_source_id": 8
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /signatures/{signature_id}/signatures/{object_link_id}

Delete a Signature Signature link.

Example URI

DELETE /signatures/1/signatures/2
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Signature Signature Attributes List

Get List
GET /signatures/{signature_id}/signatures/{object_link_id}/attributes{?limit,offset,sort}

Get a list of Signature Signature link Attributes.

Example URI

GET /signatures/1/signatures/2/attributes?limit=500&offset=100&sort=id
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 15067,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Universities",
      "created_at": "2018-04-02 17:46:43",
      "updated_at": "2018-04-02 17:50:18",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    },
    {
      "id": 15068,
      "object_link_id": 62326,
      "attribute_id": 136,
      "value": "Mining",
      "created_at": "2018-04-02 17:52:14",
      "updated_at": "2018-04-02 17:52:14",
      "name": "Industry",
      "attribute": {
        "id": 136,
        "name": "Industry",
        "created_at": "2018-04-02 16:25:21",
        "updated_at": "2018-04-02 16:25:21"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /signatures/{signature_id}/signatures/{object_link_id}/attributes

Create a new Signature Signature link Attribute.

Example URI

POST /signatures/1/signatures/2/attributes
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Port",
  "value": "4000",
  "sources": [
    {
      "name": "TQ User",
      "tlp": {
        "name": "RED"
      },
      "published_at": "2017-02-28 01:01:01"
    }
  ]
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "id": 15059,
      "object_link_id": 61561,
      "attribute_id": 401,
      "value": "4000",
      "created_at": "2017-03-01 21:47:14",
      "updated_at": "2017-03-01 21:47:14",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Signature Signature Attribute

Get Single
GET /signatures/{signature_id}/signatures/{object_link_id}/attributes/{object_link_attribute_id}

Get a single Signature Signature link Attribute.

Example URI

GET /signatures/1/signatures/2/attributes/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 15068,
    "object_link_id": 62326,
    "attribute_id": 136,
    "value": "Mining",
    "created_at": "2018-04-02 17:52:14",
    "updated_at": "2018-04-02 17:52:14",
    "name": "Industry",
    "attribute": {
      "id": 136,
      "name": "Industry",
      "created_at": "2018-04-02 16:25:21",
      "updated_at": "2018-04-02 16:25:21"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /signatures/{signature_id}/signatures/{object_link_id}/attributes/{object_link_attribute_id}

Update a Signature Signature link Attribute.

Example URI

PUT /signatures/1/signatures/2/attributes/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "New Value",
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": [
    {
      "id": 15058,
      "object_link_id": 61561,
      "attribute_id": 14,
      "value": "New Value",
      "created_at": "2017-01-24 14:54:31",
      "updated_at": "2017-03-01 22:13:22",
      "deleted_at": null
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /signatures/{signature_id}/signatures/{object_link_id}/attributes/{object_link_attribute_id}

Delete a Signature Signature link Attribute.

Example URI

DELETE /signatures/1/signatures/2/attributes/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_attribute_id
integer (required) Example: 3

Object Link Attribute ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Signature Signature Comments List

Get List
GET /signatures/{signature_id}/signatures/{object_link_id}/comments{?limit,offset,sort,with}

Get a list of Signature Signature link Comments.

Example URI

GET /signatures/1/signatures/2/comments?limit=500&offset=100&sort=id&with=sources
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: sources

A comma-separated list of related objects to include in the response. Options for this endpoint: sources.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 54,
      "object_link_id": 62325,
      "value": "This has some suspicious stuff.",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:19:51",
      "updated_at": "2018-04-02 18:21:06",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 54,
            "creator_source_id": 8
          }
        }
      ]
    },
    {
      "id": 56,
      "object_link_id": 62325,
      "value": "Compile date: 10/17/2011",
      "creator_source_id": 8,
      "created_at": "2018-04-02 16:20:25",
      "updated_at": "2018-04-02 16:20:25",
      "sources": [
        {
          "id": 8,
          "type": "users",
          "name": "Threat Quotient",
          "expire_days": null,
          "score": null,
          "created_at": "2018-04-02 15:47:21",
          "updated_at": "2018-04-02 15:47:21",
          "pivot": {
            "id": 56,
            "creator_source_id": 8
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.

Create New
POST /signatures/{signature_id}/signatures/{object_link_id}/comments

Create a new Signature Signature link Comment.

Example URI

POST /signatures/1/signatures/2/comments
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is a comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "id": 69,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 14:12:32",
    "updated_at": "2017-03-02 14:12:32"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "errors": [
    "Undefined index: value"
  ]
}
Response  401

Access denied.

Signature Signature Comment

Get Single
GET /signatures/{signature_id}/signatures/{object_link_id}/comments/{object_link_comment_id}

Get a single Signature Signature link Comment.

Example URI

GET /signatures/1/signatures/2/comments/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 54,
    "value": "This is a comment.",
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-03-02 23:18:29",
    "updated_at": "2017-03-02 23:18:29"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /signatures/{signature_id}/signatures/{object_link_id}/comments/{object_link_comment_id}

Update a Signature Signature link Comment.

Example URI

PUT /signatures/1/signatures/2/comments/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "value": "This is an updated comment."
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "value": "This is an updated comment.",
    "id": 67,
    "sources": [
      {
        "id": 5,
        "name": "Threat Quotient"
      }
    ],
    "created_at": "2017-02-28 20:18:50",
    "updated_at": "2017-03-02 14:37:49"
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "creator_source_id": 5,
    "errors": {
      "value": [
        "The value field is required."
      ]
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /signatures/{signature_id}/signatures/{object_link_id}/comments/{object_link_comment_id}

Delete a Signature Signature link Comment.

Example URI

DELETE /signatures/1/signatures/2/comments/3
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

object_link_id
integer (required) Example: 2

Object Link ID

object_link_comment_id
integer (required) Example: 3

Object Link Comment ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Signature Sources

Get List
GET /signatures/{signature_id}/sources{?limit,offset,sort,with}

Get a list of Signature Sources.

Example URI

GET /signatures/1/sources?limit=500&offset=100&sort=id&with=signature,tlp
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: signature,tlp

A comma-separated list of related objects to include in the response. Options for this endpoint: signature, tlp.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 1,
  "data": [
    {
      "id": 1,
      "signature_id": 1,
      "source_id": 5,
      "creator_source_id": 5,
      "tlp_id": null,
      "created_at": "2017-04-22 00:11:18",
      "updated_at": "2017-04-22 00:11:18",
      "published_at": null
    }
  ]
}
Response  401

Access denied.

Create New
POST /signatures/{signature_id}/sources

Create a new Signature Source.

Example URI

POST /signatures/1/sources
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Test Source",
  "tlp": {
    "name": "RED"
  }
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 376,
      "signature_id": 1,
      "source_id": 10,
      "creator_source_id": 5,
      "tlp_id": 1,
      "created_at": "2017-04-23 21:26:16",
      "updated_at": "2017-04-23 21:26:16",
      "published_at": null,
      "deleted_at": null,
      "existing": 0,
      "name": "Source"
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": [
    {
      "errors": {
        "name": [
          "The name field is required."
        ]
      }
    }
  ]
}
Response  401

Access denied.

Signature Source

Get Single
GET /signatures/{signature_id}/sources/{signature_source_id}

Get a single Signature Source.

Example URI

GET /signatures/1/sources/2
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

signature_source_id
integer (required) Example: 2

Signature Source ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "signature_id": 1,
    "source_id": 13,
    "creator_source_id": 8,
    "tlp_id": 4,
    "created_at": "2018-10-30 20:10:24",
    "updated_at": "2018-10-30 20:10:24",
    "published_at": null
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /signatures/{signature_id}/sources/{signature_source_id}

Update a Signature Source.

Example URI

PUT /signatures/1/sources/2
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

signature_source_id
integer (required) Example: 2

Signature Source ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "tlp": {
    "name": "RED"
  }
}
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "signature_id": 1,
    "source_id": 13,
    "creator_source_id": 8,
    "tlp_id": 4,
    "created_at": "2018-10-30 20:10:24",
    "updated_at": "2018-10-30 20:10:24",
    "published_at": null
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /signatures/{signature_id}/sources/{signature_source_id}

Delete a Signature Source.

Example URI

DELETE /signatures/1/sources/2
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

signature_source_id
integer (required) Example: 2

Signature Source ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Signature Tag List

Get List
GET /signatures/{signature_id}/tags{?limit,offset,sort,with}

Get a list of Signature Tags.

Example URI

GET /signatures/1/tags?limit=500&offset=100&sort=id&with=signatures
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: signatures

A comma-separated list of related objects to include in the response. Options for this endpoint: signatures.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 1,
      "name": "New Tag Name",
      "pivot": {
        "object_id": 1,
        "tag_id": 1,
        "created_at": "2017-03-02 21:22:02",
        "updated_at": "2017-03-02 21:22:02"
      }
    },
    {
      "id": 2,
      "name": "Another New Tag Name",
      "pivot": {
        "object_id": 1,
        "tag_id": 2,
        "created_at": "2017-03-02 21:24:30",
        "updated_at": "2017-03-02 21:24:30"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /signatures/{signature_id}/tags

Create a new Signature Tag.

Example URI

POST /signatures/1/tags
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "name": "Tag Name"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "total": 1,
  "data": [
    {
      "id": 2,
      "name": "Tag Name",
      "pivot": {
        "object_id": 1,
        "tag_id": 2,
        "created_at": "2017-03-02 21:24:30",
        "updated_at": "2017-03-02 21:24:30"
      }
    }
  ]
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "errors": {
      "name": [
        "The name field is required."
      ]
    }
  }
}
Response  401

Access denied.
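
The 400 responses documented for the Signature link Comment, Signature Source and Signature Tag endpoints use three different body shapes, and one of them carries a top-level "data" key, so a caller that treats the presence of "data" as success would accept an error body as a record. The following Python is an added example, not ThreatQuotient code: it branches on the HTTP status and folds all three shapes into one field-to-messages mapping. The names `extract_errors`, `unwrap`, `ValidationFailed` and the `_general` key are hypothetical.

```python
"""Added example (not ThreatQuotient code): one error type for every 400 body shape."""
from typing import Any, Dict, List, Optional

GENERAL = "_general"  # hypothetical bucket for messages not tied to a field


class ValidationFailed(Exception):
    """HTTP 400. `errors` maps a field name (or GENERAL) to its messages."""

    def __init__(self, errors: Dict[str, List[str]]):
        self.errors = errors
        summary = "; ".join(f"{k}: {' '.join(v)}" for k, v in sorted(errors.items()))
        super().__init__(summary)


def extract_errors(body: Any) -> Dict[str, List[str]]:
    """Collect messages from "errors" at the top level or nested under "data"."""
    found: Dict[str, List[str]] = {}

    def add(field: str, messages: Any) -> None:
        if not isinstance(messages, list):
            messages = [messages]
        found.setdefault(field, []).extend(str(m) for m in messages)

    def visit(node: Any) -> None:
        if isinstance(node, list):
            for item in node:
                visit(item)
        elif isinstance(node, dict):
            errors = node.get("errors")
            if isinstance(errors, dict):      # {"errors": {"name": ["..."]}}
                for field, messages in errors.items():
                    add(str(field), messages)
            elif isinstance(errors, list):    # {"errors": ["Undefined index: value"]}
                add(GENERAL, errors)
            visit(node.get("data"))           # "data" may be an object or an array

    visit(body)
    return found


def unwrap(status: int, body: Optional[dict]) -> Any:
    """Return the payload of a successful response, raise for everything else."""
    if status == 204:
        return None
    if status in (200, 201):
        return (body or {}).get("data")
    if status == 400:
        # Never fall through to the success path, even if no message was found.
        raise ValidationFailed(extract_errors(body) or {GENERAL: ["Validation failed."]})
    if status == 401:
        raise PermissionError("Access denied.")
    if status == 404:
        raise LookupError("Object not found.")
    raise RuntimeError(f"unexpected status {status}")


# The three 400 bodies, copied from the responses documented above.
SAMPLE_400 = {
    "comment create": {"errors": ["Undefined index: value"]},
    "comment update": {"data": {"creator_source_id": 5,
                                "errors": {"value": ["The value field is required."]}}},
    "source create": {"data": [{"errors": {"name": ["The name field is required."]}}]},
}

if __name__ == "__main__":
    for label, sample in SAMPLE_400.items():
        print(label, "->", extract_errors(sample))
```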

Signature Tag

Get Single
GET /signatures/{signature_id}/tags/{tag_id}{?with}

Get a single Signature Tag.

Example URI

GET /signatures/1/tags/2?with=signatures
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

tag_id
integer (required) Example: 2

Tag ID

with
string (optional) Example: signatures

A comma-separated list of related objects to include in the response. Options for this endpoint: signatures.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "name": "Tag Name",
    "pivot": {
      "object_id": 1,
      "tag_id": 1,
      "created_at": "2017-03-02 21:22:02",
      "updated_at": "2017-03-02 21:22:02"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /signatures/{signature_id}/tags/{tag_id}

Delete a Signature Tag.

Example URI

DELETE /signatures/1/tags/2
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

tag_id
integer (required) Example: 2

Tag ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Signature Watchlists

Get Single
GET /signatures/{signature_id}/watchlist

Get a Signature in a user’s Watchlist.

Example URI

GET /signatures/1/watchlist
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 1,
  "data": [
    {
      "id": 1,
      "user_id": 1,
      "object_type": "signature",
      "object_id": 1,
      "created_at": "2017-04-23 22:10:17",
      "updated_at": "2017-04-23 22:10:17",
      "signature": {
        "id": 1,
        "name": "ET EXPLOIT Arkeia full remote access without password or authentication (2001742:9)",
        "description": "",
        "hash": "737309fe355ef23e1c03a5e98bc364b5",
        "value": "alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:\"ET EXPLOIT Arkeia full remote access without password or authentication\"; flow:to_server,established; content:\"|464F3A20596F75206861766520737563|\"; content:\"|6520636C69656E7420696E666F726D61|\"; reference:url,metasploit.com/research/vulns/arkeia_agent; reference:url,doc.emergingthreats.net/bin/view/Main/2001742; classtype:attempted-admin; sid:2001742; rev:9;)",
        "status_id": 5,
        "type_id": 1,
        "last_detected_at": null,
        "created_at": "2017-04-22 00:11:18",
        "updated_at": "2017-04-22 00:11:18",
        "touched_at": "2017-04-23 21:26:16"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /signatures/{signature_id}/watchlist

Add a Signature to the user’s Watchlist.

Example URI

POST /signatures/1/watchlist
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

Request
Headers
Authorization: Bearer <access_token>
Body
No Request Body.
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "object_type": "signature",
    "user_id": 1,
    "object_id": "1",
    "updated_at": "2017-04-23 22:10:17",
    "created_at": "2017-04-23 22:10:17",
    "id": 1
  }
}
Response  401

Access denied.

Signature Watchlist

Signature Watchlist
DELETE /signatures/{signature_id}/watchlist/{watchlist_id}

Remove a Signature from the user’s Watchlist.

Example URI

DELETE /signatures/1/watchlist/2
URI Parameters
signature_id
integer (required) Example: 1

Signature ID

watchlist_id
integer (required) Example: 2

Watchlist ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Sources

Source List

Source List
GET /sources{?limit,offset,sort}

Get a list of Sources.

Example URI

GET /sources?limit=500&offset=100&sort=id
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 9,
  "data": [
    {
      "id": 1,
      "type": "clients",
      "name": "Source 1",
      "default_tlp_id": 1,
      "expire_days": null,
      "score": null,
      "created_at": "2017-04-24 21:42:23",
      "updated_at": "2017-04-24 21:42:23"
    },
    {
      "id": 2,
      "type": "clients",
      "name": "Source 2",
      "default_tlp_id": 2,
      "expire_days": null,
      "score": null,
      "created_at": "2017-04-24 21:42:23",
      "updated_at": "2017-04-24 21:42:23"
    },
    {
      "id": 3,
      "type": "clients",
      "name": "Source 3",
      "default_tlp_id": 3,
      "expire_days": null,
      "score": null,
      "created_at": "2017-04-24 21:42:23",
      "updated_at": "2017-04-24 21:42:23"
    }
  ]
}
Response  401

Access denied.
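
The list endpoints in this reference share the limit, offset, sort and with parameters and return a "total" beside "data". The following Python is an added example, not ThreatQuotient code: it builds a list URI from validated parts, so an ID or sort field taken from elsewhere cannot alter the path or query, and it walks a collection by offset. `build_list_uri`, `iter_records` and the `fetch_page(limit, offset)` callable are hypothetical, and the code assumes offset counts records skipped, starting at 0.

```python
"""Added example (not ThreatQuotient code): list URIs and offset paging."""
import re
from typing import Any, Callable, Dict, Iterator, Mapping, Optional, Sequence
from urllib.parse import urlencode

# "with" options as listed for each list endpoint in this reference.
WITH_OPTIONS = {
    "/signatures/{signature_id}/signatures/{object_link_id}/comments": {"sources"},
    "/signatures/{signature_id}/sources": {"signature", "tlp"},
    "/signatures/{signature_id}/tags": {"signatures"},
    "/events/{event_id}/spearphish": {"event"},
    "/sources": set(),
}
SORT_FIELD = re.compile(r"-?[A-Za-z_][A-Za-z0-9_]*")  # optional "-" reverses the order


def _non_negative_int(name: str, value: Any) -> int:
    if isinstance(value, bool) or not isinstance(value, int) or value < 0:
        raise ValueError(f"{name} must be a non-negative integer, got {value!r}")
    return value


def build_list_uri(template: str, ids: Mapping[str, int],
                   limit: Optional[int] = None, offset: Optional[int] = None,
                   sort: Sequence[str] = (), with_: Sequence[str] = ()) -> str:
    """Return the path and query for one list request, relative to the base URI."""
    if template not in WITH_OPTIONS:
        raise KeyError(f"unknown list endpoint: {template}")
    path = template
    for name, value in ids.items():
        path = path.replace("{" + name + "}", str(_non_negative_int(name, value)))
    if "{" in path:
        raise ValueError(f"missing URI parameter in {path}")
    unknown = set(with_) - WITH_OPTIONS[template]
    if unknown:
        raise ValueError(f"'with' options not offered by this endpoint: {sorted(unknown)}")
    bad = [field for field in sort if not SORT_FIELD.fullmatch(field)]
    if bad:
        raise ValueError(f"invalid sort field(s): {bad}")
    params: Dict[str, Any] = {}
    if limit is not None:
        params["limit"] = _non_negative_int("limit", limit)
    if offset is not None:
        params["offset"] = _non_negative_int("offset", offset)
    if sort:
        params["sort"] = ",".join(sort)
    if with_:
        params["with"] = ",".join(with_)
    query = urlencode(params, safe=",")  # keep the comma-separated lists readable
    return path + ("?" + query if query else "")


def iter_records(fetch_page: Callable[[int, int], Mapping[str, Any]],
                 page_size: int = 500, max_records: int = 100_000) -> Iterator[Any]:
    """Yield every record of a collection, one page at a time.

    Stops on an empty page even if "total" says more remain, and never reads
    past max_records, so an inconsistent response cannot loop forever.
    """
    if page_size < 1:
        raise ValueError("page_size must be at least 1")
    offset = 0
    while offset < max_records:
        envelope = fetch_page(page_size, offset)
        rows = envelope.get("data") or []
        yield from rows
        offset += len(rows)
        total = envelope.get("total")
        if not rows or (isinstance(total, int) and offset >= total):
            return


if __name__ == "__main__":
    print(build_list_uri("/signatures/{signature_id}/sources", {"signature_id": 1},
                         limit=500, offset=100, sort=["id"], with_=["signature", "tlp"]))
```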

Source

Get Single
GET /sources/{source_id}

Get a single Source.

Example URI

GET /sources/1
URI Parameters
source_id
integer (required) Example: 1

Source ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "type": "clients",
    "name": "Source 1",
    "default_tlp_id": 1,
    "expire_days": null,
    "score": null,
    "created_at": "2017-04-24 21:42:23",
    "updated_at": "2017-04-24 21:42:23"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /sources/{source_id}

Update a Source.

Example URI

PUT /sources/1
URI Parameters
source_id
integer (required) Example: 1

Source ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "score": "3",
  "default_tlp_id": 1
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 1,
    "type": "clients",
    "name": "ThreatQ Front End",
    "default_tlp_id": 1,
    "expire_days": null,
    "score": "3",
    "created_at": "2017-04-24 21:42:23",
    "updated_at": "2017-04-25 00:42:44"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Spearphish

Spearphish Events List

Get List
GET /events/{event_id}/spearphish{?limit,offset,sort,with}

Get a list of Spearphish Events.

Example URI

GET /events/1/spearphish?limit=500&offset=100&sort=id&with=event
URI Parameters
event_id
integer (required) Example: 1

Event ID

limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: event

A comma-separated list of related objects to include in the response. Options for this endpoint: event.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 163,
      "event_id": 1,
      "hash": "1f98b70a43afef4b1f6e388baa8947e2",
      "subject": "Ma! said the Mock Turtle.",
      "sender": "random@example.com",
      "last_parsed_at": "0000-00-00 00:00:00",
      "value": "Delivered-To: user@threatq.com\nReceived: by 10.194.92.35 with SMTP id cj3csp19236wjb;\n        Sat, 30 Mar 2013 08:51:20 -0700 (PDT)\nX-Received: by 10.49.30.70 with SMTP id q6mr7994138qeh.28.1364658679725;\n        Sat, 30 Mar 2013 08:51:19 -0700 (PDT)\nReturn-Path: <prof.hamiltonreeds2013@rediffmail.com>\nReceived: from steiner.cc.vt.edu (steiner.cc.vt.edu. [198.82.163.51])\n        by mx.google.com with ESMTP id s12si3077013qct.20.2013.03.30.08.51.19;\n        Sat, 30 Mar 2013 08:51:19 -0700 (PDT)\nReceived-SPF: softfail (google.com: domain of transitioning prof.hamiltonreeds2013@rediffmail.com does not designate 196.214.157.106 as permitted sender) client-ip=196.214.157.106;\nAuthentication-Results: mx.google.com;\n       spf=softfail (google.com: domain of transitioning prof.hamiltonreeds2013@rediffmail.com does not designate 196.214.157.106 as permitted sender) smtp.mail=prof.hamiltonreeds2013@rediffmail.com\nReceived: from exchange.pjcdental.co.za (EHLO exchange.pjcdental.co.za) ([196.214.157.106])\n\tby steiner.cc.vt.edu (MOS 4.3.3-GA FastPath queued)\n\twith ESMTP id WDV72281;\n\tSat, 30 Mar 2013 11:51:19 -0400 (EDT)\nReceived: from User ([110.142.146.226]) by exchange.pjcdental.co.za with Microsoft SMTPSVC(6.0.3790.4675);\n\t Sat, 30 Mar 2013 14:26:41 +0200\nReply-To: <prof.hamiltonreeds2013@rediffmail.com>\nFrom: \"Hamilton reeds\"<prof.hamiltonreeds2013@rediffmail.com>\nSubject: BBC ONE NATIONAL LOTTERY TEAM! 
CLAIM YOUR LUCKY PRICE\nDate: Sat, 30 Mar 2013 23:30:55 +1100\nMIME-Version: 1.0\nContent-Type: text/plain;\n\tcharset=\"Windows-1251\"\nContent-Transfer-Encoding: 7bit\nX-Priority: 3\nX-MSMail-Priority: Normal\nX-Mailer: Microsoft Outlook Express 6.00.2600.0000\nX-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000\nMessage-ID: <SERVERrK9W4HHfq4Gba0000176e@exchange.pjcdental.co.za>\nX-OriginalArrivalTime: 30 Mar 2013 12:26:41.0593 (UTC) FILETIME=[D55A9290:01CE2D41]\nX-TM-AS-Product-Ver: SMEX-8.6.0.1168-7.000.1014-19756.004\nX-TM-AS-Result: Yes-94.389100-8.000000-31\nX-TM-AS-User-Approved-Sender: No\nX-TM-AS-User-Blocked-Sender: No\nBcc:\nX-Mirapoint-Received-SPF: 196.214.157.106 exchange.pjcdental.co.za prof.hamiltonreeds2013@rediffmail.com 4 softfail\nX-Junkmail: UCE(50)\nX-Junkmail-Status: score=50/50, host=steiner.cc.vt.edu\nX-Junkmail-Signature-Raw: score=bulk(0),\n\trefid=str=0001.0A020204.515709F5.0180,ss=3,sh,re=0.000,fgs=0,\n\tip=196.214.157.106,\n\tso=2011-07-25 19:15:43,\n\tdmn=2011-05-27 18:58:46,\n\tmode=single engine\nX-Junkmail-IWF: false\nX-Gm-Spam: 1\nX-Gm-Spam: 1\nX-Gm-Spam: 1\n\nRegistration details\nCamelot UK Lotteries Limited\nRegistered office: Tolpits Lane, Watford, Herts WD18 9RN\nRegistered in England and Wales No. 2822203\n\n\nThe National Lottery\nPO Box 287\nWatford\nWD18 9TT\nWedsite:    http://www.bbc.co.uk/lottery/\n\n\nThis is the Camelot UK Lotteries organised by BBCWORLD approved by United Kingdom Government. We are pleased and honoured to announce to you that your e-mail address has been chosen during official publication of results of our E-mail electronic online Sweepstakes which holds every tuesdays and fridays in London as one of our EuroMillions Online Lottery Bonanza Draw amongst all. The selection process was carried out through random selection in our Computerized Email Selection System (C.E.S.S.) 
from a database of over a million email addresses from each continent of the world.\n\nHowever, having being one our chosen amongst all, you have won yourself the sum of\n",
      "created_at": "2017-07-05 23:46:56",
      "updated_at": "2017-07-05 23:46:56",
      "event": {
        "id": 1,
        "type_id": 1,
        "title": "Subject - Alice. 'And ever since that,' the.",
        "description": "",
        "happened_at": "2017-05-08 12:50:01",
        "hash": "9a318ca3d1811dbd3aff9dcb4cc5a51f",
        "created_at": "2017-05-08 12:50:01",
        "updated_at": "2017-05-08 12:50:01",
        "touched_at": "2017-07-05 23:46:56"
      }
    },
    {
      "id": 163,
      "event_id": 1,
      "hash": "1f98b70a43afef4b1f6e388baa8947e2",
      "subject": "Duchess: 'flamingoes and mustard both bite.'",
      "sender": "random@example.com",
      "last_parsed_at": "0000-00-00 00:00:00",
      "value": "Delivered-To: user@threatq.comReceived: by 10.194.122.228 with SMTP id lv4csp119531wjb;        Tue, 26 Mar 2013 08:47:55 -0700 (PDT)X-Received: by 10.229.114.209 with SMTP id f17mr3086377qcq.156.1364312874617;        Tue, 26 Mar 2013 08:47:54 -0700 (PDT)Return-Path: <bounce-2261-778917373-wchiang=vt.edu@poperation.cu.cc>Received: from dagger.cc.vt.edu (dagger.cc.vt.edu. [198.82.163.114])        by mx.google.com with ESMTP id u14si4973358qct.62.2013.03.26.08.47.54;        Tue, 26 Mar 2013 08:47:54 -0700 (PDT)Received-SPF: permerror (google.com: domain of bounce-2261-778917373-wchiang=vt.edu@poperation.cu.cc uses a mechanism not recognized by this client. unknown  mechanisms: )) client-ip=78.128.8.128;Authentication-Results: mx.google.com;       spf=permerror (google.com: domain of bounce-2261-778917373-wchiang=vt.edu@poperation.cu.cc uses a mechanism not recognized by this client. unknown  mechanisms: )) smtp.mail=bounce-2261-778917373-wchiang=vt.edu@poperation.cu.cc;       dkim=neutral (bad format) header.i=newsletter@poperation.cu.ccReceived: from 128.coridecer.net (EHLO smtp.poperation.cu.cc) ([78.128.8.128])\tby dagger.cc.vt.edu (MOS 4.3.3-GA FastPath queued)\twith ESMTP id ZLG73592;\tTue, 26 Mar 2013 11:47:53 -0400 (EDT)DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=poperation.cu.cc; h=From:To:Reply-To:Subject:Date:List-Unsubscribe:MIME-Version:Content-Type; i=newsletter@poperation.cu.cc; bh=56bFPMj2wk5zMFESfT4GKmBfhV0=; b=V4ZHGEXzEsnA/yByjbuxwUVJLwuEtPOLw/x3ZBqFwcFHBFenaFyQkfU4TWM4ENID6Kdk3AeQYJ0P   DZSdzf64VEZYwA7UZo1ktx73qOh4z8E2r9deDKO5thGf4QUgmlgtCnlRLMOF35jrGXetgddGI1SA   vVhj2v3YKFgPDwCv/Mg=DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=poperation.cu.cc; b=JufAXol2C1+Cj7IvMIUqi3MeYad+LLYFbkzPG8aC+6VhqCOMFjI8I5CoU+ri6lHeZ/wOVntprGhH   Lkax0zf7Ng2VE0PPbFEjvqoaJfN+hkwO0Pt3giWJafpjJnG4d4dKQFfcQUjcY4rpeRl9amNpjHiI   S8YbfhjORSNLmzbwJuo=;From: \"Website Design\" <newsletter@poperation.cu.cc>To: wchiang@vt.eduReply-To: 
\"Website Design\" <newsletter@poperation.cu.cc>Subject: Because not everyone's a web designer.Date: Tue, 26 Mar 2013 11:47:59 -0400List-Unsubscribe: <http://www.poperation.cu.cc/c6dced/?uh8d5h2e6d55fdh0h5dee54>MIME-Version: 1.0Content-Type: multipart/alternative; boundary=\"3770f4aa41e936f10cfb86e01ee3168119c83c76\"Message-Id: <201303261547.ZLG73592@dagger.cc.vt.edu>X-Mirapoint-Received-SPF: 78.128.8.128 smtp.poperation.cu.cc bounce-2261-778917373-wchiang=vt.edu@poperation.cu.cc 2 passX-Junkmail: UCE(51)X-Junkmail-Status: score=51/50, host=dagger.cc.vt.eduX-Junkmail-Signature-Raw: score=bulk(1),\trefid=str=0001.0A020203.5151A869.0089,ss=3,sh,re=0.000,fgs=0,\tip=78.128.8.128,\tso=2011-07-25 19:15:43,\tdmn=2011-05-27 18:58:46,\tmode=single engineX-Junkmail-IWF: falseX-Gm-Spam: 1X-Gm-Spam: 1X-Gm-Spam: 1--3770f4aa41e936f10cfb86e01ee3168119c83c76Content-Type: text/plain;Your email client cannot read this email. Please view the HTML version.--3770f4aa41e936f10cfb86e01ee3168119c83c76Content-Type: text/html;<html><head><title>Because not everyone's a web designer.</title><style type=\"text/css\">fireplaceimaginejargulfartducki'dblockdrove {\t/* complexslightlyclimatelaterapartlocateslippedsubjectproudcondition */\tuniversetreatedraisetoolworriedslipsugar//2e6d55fd//picturedconsistchosebasicpossiblymouthbrighttrail//2e6d55fd\tcrowdcoffeeunusualguidewhereverborntaughtaboardourselvesproduction//eightsuggestcorrectlycreatureshouldertheorybrokesevenquarterwhose//2e6d55fd//extracircleliftgoosesouthernasialevel\t2e6d55fd//antsreligioustiredwheatblanktakenbarkwhistletank//pleasantrussiavaporliontwentycharactereasysortdutch//liftdifficultgainsoftlyhabit\tcomparecroptiredprotectionupperuniversitygivingstormtightlyjump//wheatimaginenutspinebeeexpressnewspapernewsdig//2e6d55fd//streamatmosphereworsetankmistakedeathdigforgotparty        medicinesquareyou'llcouldn'tshall//2e6d55fd//noddedoutsidestandardasidefacingslipleafthroathowevernaturally//2e6d55fd        2e6d55fd        
1/4carefullyillinoisrubbedwithinleaving\tstudiedangryuniversebesidegivingmotioncomingtiredgladcollegebraincastbrain}queenunitedrushattachedrunningcurrentvastchicagoshoulderchair {\t/* TOUCHOCCASIONALLYTEETHTHEY'REBATTLE */\tscaredbonemastersquareknifebattleacresglobe//communitylargeroccasionallyentirelycitizenfellowdangerous//givingvastbonefasterblocktaskjardoublesimilarate//properbuildingrollheardarkness\tdinnerrealizefacingdiscussionbasicsets//[[word:5,10]]//motionflowerresultrhythmprincipaltuneought//syllableregularfrozenwhat'snest\tdangerfreshsymbolforgetamountworthballillcowboy//proudthyparticlestrapwhatevergerman//[[upword:5,10]]//makingrideatlanticdependgoldenwildspring\tstrangemattershoutsolidblewordinaryalong//jobgatherlackinstanthurriedtrainpractical//oftenmrs.fortlostmarsrollstrikeapartmenthunter//ducksolvesweptbentdegreeresearchpapazoomainlyreport\tmilitarychinabadlytodaypinkmailflagmood\t2e6d55fd        [[word:5,10,, ]]\tbasiscaserulerherselfpocketdivision\tledenginenearestgovernmentmistake}</style></head><body><!--<div style=\"font-weight:bold;\">divide piano origin wall directly origin joined various contrast accident board dress tool sale</div><strong>Recipient:</strong> wchiang@vt.edu <br /><strong>Sent:</strong> Tue, 26 Mar 2013 11:47:59 -0400 <br /><strong>Title:</strong> [subject]] <br /><br /><br /><br /><br /><br /><br /><div style=\"font-weight:bold;\">disease enemy valley factor hidden principal russia away toy support monkey continent however twenty sang smooth coal furniture</div>-->  <br /><br /><a href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFVDLjoMwDPyaXisgbaHHPez-hsVCoCuRhMdMHnz9GskexfbMxPIHWG;m69b8aExz;3g0r3v8s2kIHv2A-xCcTpqqq-u6euozMiPTLX73eNE5t2yIt;b7aegw0QuiwDuhQJCOS52PLNijTz6FIqhiPE6;Yix0YV-D88fmMFg6AVrlc92CqHPAOCVTKO1DjJdWfkmUzLAJFuSoCifKxw5ruKDKFRWI1nJDqSnEVF-2CxrCnqMllK9YiKStaDR7FVE-ZxqNPaWco6k7lI6zlXCW6y666rslRnNR3;rTMPZXyW09ApKapNgpqHGnK9jBzvwH\">Website Design</a><br /><br /><a 
href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFY5LbsMwDERPk21gW0nsLLtor0G4lpwUsCR;ZvTx6csA4kAE9Z74BtaL-bp0P3rm13i7dY9r-nN5igHjhOsUvU66ZmjbtrnrNbGg0C9hD3ikS;99p;d-2WAYMDMIkiB4oUCQD1-OIthTyMqGHKugSek4wwpb6eO-Rh-OzWNy9AL0XLcoaoywczaV0it4ExOkl18StTBuggUlKaHIDme4oCkNNYjecUNtKVQQc;vRLugId1qnqQoia5-M1qgQ5X1ma9wp9bSmHaBgHfhyEs86657PnrDm8;SpP012;LTc1iMiqySnQUPFg67gJvfiPw__\">Beat the competition on the web</a><br /><br /><a href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFY5LjoNADERPk20EdBLIchYz17AYaMhIdDefqv5w-jGSXbLl8rM;wHozX7f!mR2Oa-8ejed3jn01D8OgH3IfgdNJUXV3X1VPLyIxMt;h4a7-fu8eLzrllg2HARC-IAu-EAkE6XD6yYI8--RSKoIrxOP0KJY2FLuxrcP7YHAZLJ0DLdQuixIBxSqZQ2ocYL638kiiZYRMsyFHt6lfMDmu4oMoVVYjWckOpKcRUX8wFDWHP0aoqgkjaR6PZ6wblc6brG2NPKedo6g6l42wlnGXCWN4tMZrL-tYzw9hfLbf1CEgKSbFTUXCn9-1gZ;4D\">Bring art to the web through site design.</a><br /><br /><a href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFVDLjoMwDPyaXisgbaHHPez-hsVCoCuRhMdMHnz9GskexfbMxPIHWG;m69b8aExz;3g0r3v8s2kIHv2A-xCcTpqqq-u6euozMiPTLX73eNE5t2yIt;b7aegw0QuiwDuhQJCOS52PLNijTz6FIqhiPE6;Yix0YV-D88fmMFg6AVrlc92CqHPAOCVTKO1DjJdWfkmUzLAJFuSoCifKxw5ruKDKFRWI1nJDqSnEVF-2CxrCnqMllK9YiKStaDR7FVE-ZxqNPaWco6k7lI6zlXCW6y666rslRnNR3;rTMPZXyW09ApKapNgpqHGnK9jBzvwH\"><img src=\"http://as0.poperation.cu.cc/20811105/vu3txumlnrnt6v~5ummmlqt3umtfun_tv_tnm_u_t_twsmxsx_trvnwnwoy_t0vvsznptd/yumorpomnsqmtceum_tt7upqo_mmmotdfw3yu_74_3n_7_buutyxuoq_tltxveumm_trt/e3ult0x0ut0xumt7euqty1u_utf1um_tlt2utezdeuteutyutw2utv3utvaut0u_hzwd3/ez_yzd318ty8uge_ozyftdy97utd!3aut09ultcdautd3uqpsotw3utwv8utweut80utecegu.jpg\" usemap=\"#imgcmap\" /><map name=\"imgcmap\"><area shape=\"rect\" coords=\"0,0,1080,1080\" 
href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFVDLjoMwDPyaXisgbaHHPez-hsVCoCuRhMdMHnz9GskexfbMxPIHWG;m69b8aExz;3g0r3v8s2kIHv2A-xCcTpqqq-u6euozMiPTLX73eNE5t2yIt;b7aegw0QuiwDuhQJCOS52PLNijTz6FIqhiPE6;Yix0YV-D88fmMFg6AVrlc92CqHPAOCVTKO1DjJdWfkmUzLAJFuSoCifKxw5ruKDKFRWI1nJDqSnEVF-2CxrCnqMllK9YiKStaDR7FVE-ZxqNPaWco6k7lI6zlXCW6y666rslRnNR3;rTMPZXyW09ApKapNgpqHGnK9jBzvwH\"></map></a><br /><br /><a style=\"font-size: 12px\" href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFY7LjoMwDEW;ptsKSFvochYzv2ExiWlHIg;gOg--flwpuYoTnxO;gXQxX5fhR9fymm-34XHNf1xsDJgtrjZ6fUk7L7xzsHxc0zvpzdBNfd93dz1mmSuq-DXsAQ;x3q8bjHgsEgiZEDwJgVAOX49K-TJ-37HnUBQOJTZCl;NxhgTXxMc9RR-OzcOyeAJGSVsk1Ua4pZgmNN6UJBNopF8RtCpxI6yoWQlFdrCRFV3tREMwsmxovZBgUbL;aFcMAj4da6pCULTORveskND7LM7wSe10pp;QJlHyxRTPtuicz1HgzKf1qT9ZN39K2dIRUVRS8qSh4klHYMsv-Qc_\">Preferences</a><img src=!\"http://as0.poperation.cu.cc/20811105/vu63gz_mcv7a_ma3iz6txumlnrnt6ummmlqt3uv~5mtfun_tv_tnm_u_t_t/wsmxsx_trvnwnwoy_t0vvsznptdyumorpomnsqmtceum_tt7upqo_mmmot/dfw3yu_74_3n_7_buutyxuoq_tltxveumm_trte3ult0x0ut0xut7euqty/1u_utf1um_tlt2utezdeuteutyutw2utv3utvaut0u_hzwd3ez_yzd318t/y8uge_ozyftdy97utd3aut09ultcdautd3uqpsotw3utwv8utweut80utecegu.jpg\" alt=\"\" width=\"1\" height=\"1\" border=\"0\" align=\"left\" hspace=\"0\" vspace=\"0\" /> <br /><br /><img src=\"http://as0.poperation.cu.cc/20811105/vuev~5vc1fd_ma3iz6txumlnrnt6ummmlqt3umtfun_tv_tnm_u_t_twsm/xsx_trvnwnwoy_t0vvsznptdyumorpomnsqmtceum_tt7upqo_mmmotdf/w3yu_74_3n_7_buutyxuoq_tltxveumm_trte3ult0x0ut0xut7euqty1/u_utf1um_tlt2utezdeuteutyutw2utv3utvaut0u_hzwd3ez_yzd318t/y8uge_ozyftdy97utd3aut09ultcdautd3uqpsotw3utwv8utweut80utecegu.jpg\" alt=\"\" width=\"1\" height=\"1\" border=\"0\" align=\"left\" hspace=\"0\" vspace=\"0\" /> <img 
src=\"http://as0.poperation.cu.cc/20811105/vuec3113e_ma3iz6txumlnrnt6ummmlqt3umtfun_tvv~5_tnm_u_t_tws/mxsx_trvnwnwoy_t0vvsznptdy!umorpomnsqmtceum_tt7upqo_mmmotd/fw3yu_74_3n_7_buutyxuoq_tltxveumm_trte3ult0x0ut0xut7euqty/1u_utf1um_tlt2utezdeuteutyutw2utv3utvaut0u_hzwd3ez_yzd318/ty8uge_ozyftdy97utd3aut09ultcdautd3uqpsotw3utwv8utweut80utecegu\" alt=\"\" width=\"1\" height=\"1\" border=\"0\" align=\"left\" hspace=\"0\" vspace=\"0\" /><!--<p>cabin ourselves you'll oldest mix consider orange plus income lonely gift curve section post</p><p>paul george</p><p>single canal russian pond pupil troops beat pacific pot tape shut aid edge tin passage earlier library circle</p><p>edward katherine marilyn ruth gregory jason</p><p>STATEMENT DULL GUARD TIN BEGINNING COLUMBUS ANTS SOLUTION SPOKEN</p>--><br /><br /><br /><br /><br /><br /><a href=\"http://www.poperation.cu.cc/c6dced/?uh8d5h2e6d55fdh0h5dee54\"><img src=\"http://www.poperation.cu.cc/3b92276a198f.gif\" border=\"0\" /></a><img src=\"http://www.poperation.cu.cc/c6dced/?oh8d5h2e6d55fdh0hbb068f\" width=\"1\" height=\"1\" border=\"0\" /></body>--3770f4aa41e936f10cfb86e01ee3168119c83c76--",
      "created_at": "2017-07-05 23:46:56",
      "updated_at": "2017-07-05 23:46:56",
      "event": {
        "id": 1,
        "type_id": 1,
        "title": "Subject - Alice. 'And ever since that,' the.",
        "description": "",
        "happened_at": "2017-05-08 12:50:01",
        "hash": "9a318ca3d1811dbd3aff9dcb4cc5a51f",
        "created_at": "2017-05-08 12:50:01",
        "updated_at": "2017-05-08 12:50:01",
        "touched_at": "2017-07-05 23:46:56"
      }
    }
  ]
}
Response  401

Access denied.

Create New
POST /events/{event_id}/spearphish

Create a new Spearphish Event.

Example URI

POST /events/1/spearphish
URI Parameters
event_id
integer (required) Example: 1

Event ID

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "subject": "Duchess: 'flamingoes and mustard both bite. And the Gryphon only answered 'Come on!' cried the.",
  "value": "Delivered-To: wchiang@vt.eduReceived: by 10.194.122.228 with SMTP id lv4csp119531wjb;        Tue, 26 Mar 2013 08:47:55 -0700 (PDT)X-Received: by 10.229.114.209 with SMTP id f17mr3086377qcq.156.1364312874617;        Tue, 26 Mar 2013 08:47:54 -0700 (PDT)Return-Path: <bounce-2261-778917373-wchiang=vt.edu@poperation.cu.cc>Received: from dagger.cc.vt.edu (dagger.cc.vt.edu. [198.82.163.114])        by mx.google.com with ESMTP id u14si4973358qct.62.2013.03.26.08.47.54;        Tue, 26 Mar 2013 08:47:54 -0700 (PDT)Received-SPF: permerror (google.com: domain of bounce-2261-778917373-wchiang=vt.edu@poperation.cu.cc uses a mechanism not recognized by this client. unknown  mechanisms: )) client-ip=78.128.8.128;Authentication-Results: mx.google.com;       spf=permerror (google.com: domain of bounce-2261-778917373-wchiang=vt.edu@poperation.cu.cc uses a mechanism not recognized by this client. unknown  mechanisms: )) smtp.mail=bounce-2261-778917373-wchiang=vt.edu@poperation.cu.cc;       dkim=neutral (bad format) header.i=newsletter@poperation.cu.ccReceived: from 128.coridecer.net (EHLO smtp.poperation.cu.cc) ([78.128.8.128])  by dagger.cc.vt.edu (MOS 4.3.3-GA FastPath queued)  with ESMTP id ZLG73592;  Tue, 26 Mar 2013 11:47:53 -0400 (EDT)DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=poperation.cu.cc; h=From:To:Reply-To:Subject:Date:List-Unsubscribe:MIME-Version:Content-Type; i=newsletter@poperation.cu.cc; bh=56bFPMj2wk5zMFESfT4GKmBfhV0=; b=V4ZHGEXzEsnA/yByjbuxwUVJLwuEtPOLw/x3ZBqFwcFHBFenaFyQkfU4TWM4ENID6Kdk3AeQYJ0P   DZSdzf64VEZYwA7UZo1ktx73qOh4z8E2r9deDKO5thGf4QUgmlgtCnlRLMOF35jrGXetgddGI1SA   vVhj2v3YKFgPDwCv/Mg=DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=poperation.cu.cc; b=JufAXol2C1+Cj7IvMIUqi3MeYad+LLYFbkzPG8aC+6VhqCOMFjI8I5CoU+ri6lHeZ/wOVntprGhH   Lkax0zf7Ng2VE0PPbFEjvqoaJfN+hkwO0Pt3giWJafpjJnG4d4dKQFfcQUjcY4rpeRl9amNpjHiI   S8YbfhjORSNLmzbwJuo=;From: \"Website Design\" <newsletter@poperation.cu.cc>To: wchiang@vt.eduReply-To: \"Website 
Design\" <newsletter@poperation.cu.cc>Subject: Because not everyone's a web designer.Date: Tue, 26 Mar 2013 11:47:59 -0400List-Unsubscribe: <http://www.poperation.cu.cc/c6dced/?uh8d5h2e6d55fdh0h5dee54>MIME-Version: 1.0Content-Type: multipart/alternative; boundary=\"3770f4aa41e936f10cfb86e01ee3168119c83c76\"Message-Id: <201303261547.ZLG73592@dagger.cc.vt.edu>X-Mirapoint-Received-SPF: 78.128.8.128 smtp.poperation.cu.cc bounce-2261-778917373-wchiang=vt.edu@poperation.cu.cc 2 passX-Junkmail: UCE(51)X-Junkmail-Status: score=51/50, host=dagger.cc.vt.eduX-Junkmail-Signature-Raw: score=bulk(1),  refid=str=0001.0A020203.5151A869.0089,ss=3,sh,re=0.000,fgs=0,  ip=78.128.8.128,  so=2011-07-25 19:15:43,  dmn=2011-05-27 18:58:46,  mode=single engineX-Junkmail-IWF: falseX-Gm-Spam: 1X-Gm-Spam: 1X-Gm-Spam: 1--3770f4aa41e936f10cfb86e01ee3168119c83c76Content-Type: text/plain;Your email client cannot read this email. Please view the HTML version.--3770f4aa41e936f10cfb86e01ee3168119c83c76Content-Type: text/html;<html><head><title>Because not everyone's a web designer.</title><style type=\"text/css\">fireplaceimaginejargulfartducki'dblockdrove {  /* complexslightlyclimatelaterapartlocateslippedsubjectproudcondition */  universetreatedraisetoolworriedslipsugar//2e6d55fd//picturedconsistchosebasicpossiblymouthbrighttrail//2e6d55fd  crowdcoffeeunusualguidewhereverborntaughtaboardourselvesproduction//eightsuggestcorrectlycreatureshouldertheorybrokesevenquarterwhose//2e6d55fd//extracircleliftgoosesouthernasialevel  2e6d55fd//antsreligioustiredwheatblanktakenbarkwhistletank//pleasantrussiavaporliontwentycharactereasysortdutch//liftdifficultgainsoftlyhabit  comparecroptiredprotectionupperuniversitygivingstormtightlyjump//wheatimaginenutspinebeeexpressnewspapernewsdig//2e6d55fd//streamatmosphereworsetankmistakedeathdigforgotparty        medicinesquareyou'llcouldn'tshall//2e6d55fd//noddedoutsidestandardasidefacingslipleafthroathowevernaturally//2e6d55fd        2e6d55fd        
1/4carefullyillinoisrubbedwithinleaving  studiedangryuniversebesidegivingmotioncomingtiredgladcollegebraincastbrain}queenunitedrushattachedrunningcurrentvastchicagoshoulderchair {  /* TOUCHOCCASIONALLYTEETHTHEY'REBATTLE */  scaredbonemastersquareknifebattleacresglobe//communitylargeroccasionallyentirelycitizenfellowdangerous//givingvastbonefasterblocktaskjardoublesimilarate//properbuildingrollheardarkness  dinnerrealizefacingdiscussionbasicsets//[[word:5,10]]//motionflowerresultrhythmprincipaltuneought//syllableregularfrozenwhat'snest  dangerfreshsymbolforgetamountworthballillcowboy//proudthyparticlestrapwhatevergerman//[[upword:5,10]]//makingrideatlanticdependgoldenwildspring  strangemattershoutsolidblewordinaryalong//jobgatherlackinstanthurriedtrainpractical//oftenmrs.fortlostmarsrollstrikeapartmenthunter//ducksolvesweptbentdegreeresearchpapazoomainlyreport  militarychinabadlytodaypinkmailflagmood  2e6d55fd        [[word:5,10,, ]]  basiscaserulerherselfpocketdivision  ledenginenearestgovernmentmistake}</style></head><body><!--<div style=\"font-weight:bold;\">divide piano origin wall directly origin joined various contrast accident board dress tool sale</div><strong>Recipient:</strong> wchiang@vt.edu <br /><strong>Sent:</strong> Tue, 26 Mar 2013 11:47:59 -0400 <br /><strong>Title:</strong> [subject]] <br /><br /><br /><br /><br /><br /><br /><div style=\"font-weight:bold;\">disease enemy valley factor hidden principal russia away toy support monkey continent however twenty sang smooth coal furniture</div>-->  <br /><br /><a href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFVDLjoMwDPyaXisgbaHHPez-hsVCoCuRhMdMHnz9GskexfbMxPIHWG;m69b8aExz;3g0r3v8s2kIHv2A-xCcTpqqq-u6euozMiPTLX73eNE5t2yIt;b7aegw0QuiwDuhQJCOS52PLNijTz6FIqhiPE6;Yix0YV-D88fmMFg6AVrlc92CqHPAOCVTKO1DjJdWfkmUzLAJFuSoCifKxw5ruKDKFRWI1nJDqSnEVF-2CxrCnqMllK9YiKStaDR7FVE-ZxqNPaWco6k7lI6zlXCW6y666rslRnNR3;rTMPZXyW09ApKapNgpqHGnK9jBzvwH\">Website Design</a><br /><br /><a 
href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFY5LbsMwDERPk21gW0nsLLtor0G4lpwUsCR;ZvTx6csA4kAE9Z74BtaL-bp0P3rm13i7dY9r-nN5igHjhOsUvU66ZmjbtrnrNbGg0C9hD3ikS;99p;d-2WAYMDMIkiB4oUCQD1-OIthTyMqGHKugSek4wwpb6eO-Rh-OzWNy9AL0XLcoaoywczaV0it4ExOkl18StTBuggUlKaHIDme4oCkNNYjecUNtKVQQc;vRLugId1qnqQoia5-M1qgQ5X1ma9wp9bSmHaBgHfhyEs86657PnrDm8;SpP012;LTc1iMiqySnQUPFg67gJvfiPw__\">Beat the competition on the web</a><br /><br /><a href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFY5LjoNADERPk20EdBLIchYz17AYaMhIdDefqv5w-jGSXbLl8rM;wHozX7f!mR2Oa-8ejed3jn01D8OgH3IfgdNJUXV3X1VPLyIxMt;h4a7-fu8eLzrllg2HARC-IAu-EAkE6XD6yYI8--RSKoIrxOP0KJY2FLuxrcP7YHAZLJ0DLdQuixIBxSqZQ2ocYL638kiiZYRMsyFHt6lfMDmu4oMoVVYjWckOpKcRUX8wFDWHP0aoqgkjaR6PZ6wblc6brG2NPKedo6g6l42wlnGXCWN4tMZrL-tYzw9hfLbf1CEgKSbFTUXCn9-1gZ;4D\">Bring art to the web through site design.</a><br /><br /><a href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFVDLjoMwDPyaXisgbaHHPez-hsVCoCuRhMdMHnz9GskexfbMxPIHWG;m69b8aExz;3g0r3v8s2kIHv2A-xCcTpqqq-u6euozMiPTLX73eNE5t2yIt;b7aegw0QuiwDuhQJCOS52PLNijTz6FIqhiPE6;Yix0YV-D88fmMFg6AVrlc92CqHPAOCVTKO1DjJdWfkmUzLAJFuSoCifKxw5ruKDKFRWI1nJDqSnEVF-2CxrCnqMllK9YiKStaDR7FVE-ZxqNPaWco6k7lI6zlXCW6y666rslRnNR3;rTMPZXyW09ApKapNgpqHGnK9jBzvwH\"><img src=\"http://as0.poperation.cu.cc/20811105/vu3txumlnrnt6v~5ummmlqt3umtfun_tv_tnm_u_t_twsmxsx_trvnwnwoy_t0vvsznptd/yumorpomnsqmtceum_tt7upqo_mmmotdfw3yu_74_3n_7_buutyxuoq_tltxveumm_trt/e3ult0x0ut0xumt7euqty1u_utf1um_tlt2utezdeuteutyutw2utv3utvaut0u_hzwd3/ez_yzd318ty8uge_ozyftdy97utd!3aut09ultcdautd3uqpsotw3utwv8utweut80utecegu.jpg\" usemap=\"#imgcmap\" /><map name=\"imgcmap\"><area shape=\"rect\" coords=\"0,0,1080,1080\" 
href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFVDLjoMwDPyaXisgbaHHPez-hsVCoCuRhMdMHnz9GskexfbMxPIHWG;m69b8aExz;3g0r3v8s2kIHv2A-xCcTpqqq-u6euozMiPTLX73eNE5t2yIt;b7aegw0QuiwDuhQJCOS52PLNijTz6FIqhiPE6;Yix0YV-D88fmMFg6AVrlc92CqHPAOCVTKO1DjJdWfkmUzLAJFuSoCifKxw5ruKDKFRWI1nJDqSnEVF-2CxrCnqMllK9YiKStaDR7FVE-ZxqNPaWco6k7lI6zlXCW6y666rslRnNR3;rTMPZXyW09ApKapNgpqHGnK9jBzvwH\"></map></a><br /><br /><a style=\"font-size: 12px\" href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFY7LjoMwDEW;ptsKSFvochYzv2ExiWlHIg;gOg--flwpuYoTnxO;gXQxX5fhR9fymm-34XHNf1xsDJgtrjZ6fUk7L7xzsHxc0zvpzdBNfd93dz1mmSuq-DXsAQ;x3q8bjHgsEgiZEDwJgVAOX49K-TJ-37HnUBQOJTZCl;NxhgTXxMc9RR-OzcOyeAJGSVsk1Ua4pZgmNN6UJBNopF8RtCpxI6yoWQlFdrCRFV3tREMwsmxovZBgUbL;aFcMAj4da6pCULTORveskND7LM7wSe10pp;QJlHyxRTPtuicz1HgzKf1qT9ZN39K2dIRUVRS8qSh4klHYMsv-Qc_\">Preferences</a><img src=!\"http://as0.poperation.cu.cc/20811105/vu63gz_mcv7a_ma3iz6txumlnrnt6ummmlqt3uv~5mtfun_tv_tnm_u_t_t/wsmxsx_trvnwnwoy_t0vvsznptdyumorpomnsqmtceum_tt7upqo_mmmot/dfw3yu_74_3n_7_buutyxuoq_tltxveumm_trte3ult0x0ut0xut7euqty/1u_utf1um_tlt2utezdeuteutyutw2utv3utvaut0u_hzwd3ez_yzd318t/y8uge_ozyftdy97utd3aut09ultcdautd3uqpsotw3utwv8utweut80utecegu.jpg\" alt=\"\" width=\"1\" height=\"1\" border=\"0\" align=\"left\" hspace=\"0\" vspace=\"0\" /> <br /><br /><img src=\"http://as0.poperation.cu.cc/20811105/vuev~5vc1fd_ma3iz6txumlnrnt6ummmlqt3umtfun_tv_tnm_u_t_twsm/xsx_trvnwnwoy_t0vvsznptdyumorpomnsqmtceum_tt7upqo_mmmotdf/w3yu_74_3n_7_buutyxuoq_tltxveumm_trte3ult0x0ut0xut7euqty1/u_utf1um_tlt2utezdeuteutyutw2utv3utvaut0u_hzwd3ez_yzd318t/y8uge_ozyftdy97utd3aut09ultcdautd3uqpsotw3utwv8utweut80utecegu.jpg\" alt=\"\" width=\"1\" height=\"1\" border=\"0\" align=\"left\" hspace=\"0\" vspace=\"0\" /> <img 
src=\"http://as0.poperation.cu.cc/20811105/vuec3113e_ma3iz6txumlnrnt6ummmlqt3umtfun_tvv~5_tnm_u_t_tws/mxsx_trvnwnwoy_t0vvsznptdy!umorpomnsqmtceum_tt7upqo_mmmotd/fw3yu_74_3n_7_buutyxuoq_tltxveumm_trte3ult0x0ut0xut7euqty/1u_utf1um_tlt2utezdeuteutyutw2utv3utvaut0u_hzwd3ez_yzd318/ty8uge_ozyftdy97utd3aut09ultcdautd3uqpsotw3utwv8utweut80utecegu\" alt=\"\" width=\"1\" height=\"1\" border=\"0\" align=\"left\" hspace=\"0\" vspace=\"0\" /><!--<p>cabin ourselves you'll oldest mix consider orange plus income lonely gift curve section post</p><p>paul george</p><p>single canal russian pond pupil troops beat pacific pot tape shut aid edge tin passage earlier library circle</p><p>edward katherine marilyn ruth gregory jason</p><p>STATEMENT DULL GUARD TIN BEGINNING COLUMBUS ANTS SOLUTION SPOKEN</p>--><br /><br /><br /><br /><br /><br /><a href=\"http://www.poperation.cu.cc/c6dced/?uh8d5h2e6d55fdh0h5dee54\"><img src=\"http://www.poperation.cu.cc/3b92276a198f.gif\" border=\"0\" /></a><img src=\"http://www.poperation.cu.cc/c6dced/?oh8d5h2e6d55fdh0hbb068f\" width=\"1\" height=\"1\" border=\"0\" /></body>--3770f4aa41e936f10cfb86e01ee3168119c83c76--",
  "sender": "dgleason@mosciski.com"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "subject": "Duchess: 'flamingoes and mustard both bite. And the Gryphon only answered 'Come on!' cried the.",
    "sender": "dgleason@mosciski.com",
    "event_id": "1",
    "value": "Delivered-To: wchiang@vt.eduReceived: by 10.194.122.228 with SMTP id lv4csp119531wjb;        Tue, 26 Mar 2013 08:47:55 -0700 (PDT)X-Received: by 10.229.114.209 with SMTP id f17mr3086377qcq.156.1364312874617;        Tue, 26 Mar 2013 08:47:54 -0700 (PDT)Return-Path: <bounce-2261-778917373-wchiang=vt.edu@poperation.cu.cc>Received: from dagger.cc.vt.edu (dagger.cc.vt.edu. [198.82.163.114])        by mx.google.com with ESMTP id u14si4973358qct.62.2013.03.26.08.47.54;        Tue, 26 Mar 2013 08:47:54 -0700 (PDT)Received-SPF: permerror (google.com: domain of bounce-2261-778917373-wchiang=vt.edu@poperation.cu.cc uses a mechanism not recognized by this client. unknown  mechanisms: )) client-ip=78.128.8.128;Authentication-Results: mx.google.com;       spf=permerror (google.com: domain of bounce-2261-778917373-wchiang=vt.edu@poperation.cu.cc uses a mechanism not recognized by this client. unknown  mechanisms: )) smtp.mail=bounce-2261-778917373-wchiang=vt.edu@poperation.cu.cc;       dkim=neutral (bad format) header.i=newsletter@poperation.cu.ccReceived: from 128.coridecer.net (EHLO smtp.poperation.cu.cc) ([78.128.8.128])\tby dagger.cc.vt.edu (MOS 4.3.3-GA FastPath queued)\twith ESMTP id ZLG73592;\tTue, 26 Mar 2013 11:47:53 -0400 (EDT)DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=poperation.cu.cc; h=From:To:Reply-To:Subject:Date:List-Unsubscribe:MIME-Version:Content-Type; i=newsletter@poperation.cu.cc; bh=56bFPMj2wk5zMFESfT4GKmBfhV0=; b=V4ZHGEXzEsnA/yByjbuxwUVJLwuEtPOLw/x3ZBqFwcFHBFenaFyQkfU4TWM4ENID6Kdk3AeQYJ0P   DZSdzf64VEZYwA7UZo1ktx73qOh4z8E2r9deDKO5thGf4QUgmlgtCnlRLMOF35jrGXetgddGI1SA   vVhj2v3YKFgPDwCv/Mg=DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=poperation.cu.cc; b=JufAXol2C1+Cj7IvMIUqi3MeYad+LLYFbkzPG8aC+6VhqCOMFjI8I5CoU+ri6lHeZ/wOVntprGhH   Lkax0zf7Ng2VE0PPbFEjvqoaJfN+hkwO0Pt3giWJafpjJnG4d4dKQFfcQUjcY4rpeRl9amNpjHiI   S8YbfhjORSNLmzbwJuo=;From: \"Website Design\" <newsletter@poperation.cu.cc>To: wchiang@vt.eduReply-To: 
\"Website Design\" <newsletter@poperation.cu.cc>Subject: Because not everyone's a web designer.Date: Tue, 26 Mar 2013 11:47:59 -0400List-Unsubscribe: <http://www.poperation.cu.cc/c6dced/?uh8d5h2e6d55fdh0h5dee54>MIME-Version: 1.0Content-Type: multipart/alternative; boundary=\"3770f4aa41e936f10cfb86e01ee3168119c83c76\"Message-Id: <201303261547.ZLG73592@dagger.cc.vt.edu>X-Mirapoint-Received-SPF: 78.128.8.128 smtp.poperation.cu.cc bounce-2261-778917373-wchiang=vt.edu@poperation.cu.cc 2 passX-Junkmail: UCE(51)X-Junkmail-Status: score=51/50, host=dagger.cc.vt.eduX-Junkmail-Signature-Raw: score=bulk(1),\trefid=str=0001.0A020203.5151A869.0089,ss=3,sh,re=0.000,fgs=0,\tip=78.128.8.128,\tso=2011-07-25 19:15:43,\tdmn=2011-05-27 18:58:46,\tmode=single engineX-Junkmail-IWF: falseX-Gm-Spam: 1X-Gm-Spam: 1X-Gm-Spam: 1--3770f4aa41e936f10cfb86e01ee3168119c83c76Content-Type: text/plain;Your email client cannot read this email. Please view the HTML version.--3770f4aa41e936f10cfb86e01ee3168119c83c76Content-Type: text/html;<html><head><title>Because not everyone's a web designer.</title><style type=\"text/css\">fireplaceimaginejargulfartducki'dblockdrove {\t/* complexslightlyclimatelaterapartlocateslippedsubjectproudcondition */\tuniversetreatedraisetoolworriedslipsugar//2e6d55fd//picturedconsistchosebasicpossiblymouthbrighttrail//2e6d55fd\tcrowdcoffeeunusualguidewhereverborntaughtaboardourselvesproduction//eightsuggestcorrectlycreatureshouldertheorybrokesevenquarterwhose//2e6d55fd//extracircleliftgoosesouthernasialevel\t2e6d55fd//antsreligioustiredwheatblanktakenbarkwhistletank//pleasantrussiavaporliontwentycharactereasysortdutch//liftdifficultgainsoftlyhabit\tcomparecroptiredprotectionupperuniversitygivingstormtightlyjump//wheatimaginenutspinebeeexpressnewspapernewsdig//2e6d55fd//streamatmosphereworsetankmistakedeathdigforgotparty        medicinesquareyou'llcouldn'tshall//2e6d55fd//noddedoutsidestandardasidefacingslipleafthroathowevernaturally//2e6d55fd        2e6d55fd        
1/4carefullyillinoisrubbedwithinleaving\tstudiedangryuniversebesidegivingmotioncomingtiredgladcollegebraincastbrain}queenunitedrushattachedrunningcurrentvastchicagoshoulderchair {\t/* TOUCHOCCASIONALLYTEETHTHEY'REBATTLE */\tscaredbonemastersquareknifebattleacresglobe//communitylargeroccasionallyentirelycitizenfellowdangerous//givingvastbonefasterblocktaskjardoublesimilarate//properbuildingrollheardarkness\tdinnerrealizefacingdiscussionbasicsets//[[word:5,10]]//motionflowerresultrhythmprincipaltuneought//syllableregularfrozenwhat'snest\tdangerfreshsymbolforgetamountworthballillcowboy//proudthyparticlestrapwhatevergerman//[[upword:5,10]]//makingrideatlanticdependgoldenwildspring\tstrangemattershoutsolidblewordinaryalong//jobgatherlackinstanthurriedtrainpractical//oftenmrs.fortlostmarsrollstrikeapartmenthunter//ducksolvesweptbentdegreeresearchpapazoomainlyreport\tmilitarychinabadlytodaypinkmailflagmood\t2e6d55fd        [[word:5,10,, ]]\tbasiscaserulerherselfpocketdivision\tledenginenearestgovernmentmistake}</style></head><body><!--<div style=\"font-weight:bold;\">divide piano origin wall directly origin joined various contrast accident board dress tool sale</div><strong>Recipient:</strong> wchiang@vt.edu <br /><strong>Sent:</strong> Tue, 26 Mar 2013 11:47:59 -0400 <br /><strong>Title:</strong> [subject]] <br /><br /><br /><br /><br /><br /><br /><div style=\"font-weight:bold;\">disease enemy valley factor hidden principal russia away toy support monkey continent however twenty sang smooth coal furniture</div>-->  <br /><br /><a href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFVDLjoMwDPyaXisgbaHHPez-hsVCoCuRhMdMHnz9GskexfbMxPIHWG;m69b8aExz;3g0r3v8s2kIHv2A-xCcTpqqq-u6euozMiPTLX73eNE5t2yIt;b7aegw0QuiwDuhQJCOS52PLNijTz6FIqhiPE6;Yix0YV-D88fmMFg6AVrlc92CqHPAOCVTKO1DjJdWfkmUzLAJFuSoCifKxw5ruKDKFRWI1nJDqSnEVF-2CxrCnqMllK9YiKStaDR7FVE-ZxqNPaWco6k7lI6zlXCW6y666rslRnNR3;rTMPZXyW09ApKapNgpqHGnK9jBzvwH\">Website Design</a><br /><br /><a 
href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFY5LbsMwDERPk21gW0nsLLtor0G4lpwUsCR;ZvTx6csA4kAE9Z74BtaL-bp0P3rm13i7dY9r-nN5igHjhOsUvU66ZmjbtrnrNbGg0C9hD3ikS;99p;d-2WAYMDMIkiB4oUCQD1-OIthTyMqGHKugSek4wwpb6eO-Rh-OzWNy9AL0XLcoaoywczaV0it4ExOkl18StTBuggUlKaHIDme4oCkNNYjecUNtKVQQc;vRLugId1qnqQoia5-M1qgQ5X1ma9wp9bSmHaBgHfhyEs86657PnrDm8;SpP012;LTc1iMiqySnQUPFg67gJvfiPw__\">Beat the competition on the web</a><br /><br /><a href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFY5LjoNADERPk20EdBLIchYz17AYaMhIdDefqv5w-jGSXbLl8rM;wHozX7f!mR2Oa-8ejed3jn01D8OgH3IfgdNJUXV3X1VPLyIxMt;h4a7-fu8eLzrllg2HARC-IAu-EAkE6XD6yYI8--RSKoIrxOP0KJY2FLuxrcP7YHAZLJ0DLdQuixIBxSqZQ2ocYL638kiiZYRMsyFHt6lfMDmu4oMoVVYjWckOpKcRUX8wFDWHP0aoqgkjaR6PZ6wblc6brG2NPKedo6g6l42wlnGXCWN4tMZrL-tYzw9hfLbf1CEgKSbFTUXCn9-1gZ;4D\">Bring art to the web through site design.</a><br /><br /><a href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFVDLjoMwDPyaXisgbaHHPez-hsVCoCuRhMdMHnz9GskexfbMxPIHWG;m69b8aExz;3g0r3v8s2kIHv2A-xCcTpqqq-u6euozMiPTLX73eNE5t2yIt;b7aegw0QuiwDuhQJCOS52PLNijTz6FIqhiPE6;Yix0YV-D88fmMFg6AVrlc92CqHPAOCVTKO1DjJdWfkmUzLAJFuSoCifKxw5ruKDKFRWI1nJDqSnEVF-2CxrCnqMllK9YiKStaDR7FVE-ZxqNPaWco6k7lI6zlXCW6y666rslRnNR3;rTMPZXyW09ApKapNgpqHGnK9jBzvwH\"><img src=\"http://as0.poperation.cu.cc/20811105/vu3txumlnrnt6v~5ummmlqt3umtfun_tv_tnm_u_t_twsmxsx_trvnwnwoy_t0vvsznptd/yumorpomnsqmtceum_tt7upqo_mmmotdfw3yu_74_3n_7_buutyxuoq_tltxveumm_trt/e3ult0x0ut0xumt7euqty1u_utf1um_tlt2utezdeuteutyutw2utv3utvaut0u_hzwd3/ez_yzd318ty8uge_ozyftdy97utd!3aut09ultcdautd3uqpsotw3utwv8utweut80utecegu.jpg\" usemap=\"#imgcmap\" /><map name=\"imgcmap\"><area shape=\"rect\" coords=\"0,0,1080,1080\" 
href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFVDLjoMwDPyaXisgbaHHPez-hsVCoCuRhMdMHnz9GskexfbMxPIHWG;m69b8aExz;3g0r3v8s2kIHv2A-xCcTpqqq-u6euozMiPTLX73eNE5t2yIt;b7aegw0QuiwDuhQJCOS52PLNijTz6FIqhiPE6;Yix0YV-D88fmMFg6AVrlc92CqHPAOCVTKO1DjJdWfkmUzLAJFuSoCifKxw5ruKDKFRWI1nJDqSnEVF-2CxrCnqMllK9YiKStaDR7FVE-ZxqNPaWco6k7lI6zlXCW6y666rslRnNR3;rTMPZXyW09ApKapNgpqHGnK9jBzvwH\"></map></a><br /><br /><a style=\"font-size: 12px\" href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFY7LjoMwDEW;ptsKSFvochYzv2ExiWlHIg;gOg--flwpuYoTnxO;gXQxX5fhR9fymm-34XHNf1xsDJgtrjZ6fUk7L7xzsHxc0zvpzdBNfd93dz1mmSuq-DXsAQ;x3q8bjHgsEgiZEDwJgVAOX49K-TJ-37HnUBQOJTZCl;NxhgTXxMc9RR-OzcOyeAJGSVsk1Ua4pZgmNN6UJBNopF8RtCpxI6yoWQlFdrCRFV3tREMwsmxovZBgUbL;aFcMAj4da6pCULTORveskND7LM7wSe10pp;QJlHyxRTPtuicz1HgzKf1qT9ZN39K2dIRUVRS8qSh4klHYMsv-Qc_\">Preferences</a><img src=!\"http://as0.poperation.cu.cc/20811105/vu63gz_mcv7a_ma3iz6txumlnrnt6ummmlqt3uv~5mtfun_tv_tnm_u_t_t/wsmxsx_trvnwnwoy_t0vvsznptdyumorpomnsqmtceum_tt7upqo_mmmot/dfw3yu_74_3n_7_buutyxuoq_tltxveumm_trte3ult0x0ut0xut7euqty/1u_utf1um_tlt2utezdeuteutyutw2utv3utvaut0u_hzwd3ez_yzd318t/y8uge_ozyftdy97utd3aut09ultcdautd3uqpsotw3utwv8utweut80utecegu.jpg\" alt=\"\" width=\"1\" height=\"1\" border=\"0\" align=\"left\" hspace=\"0\" vspace=\"0\" /> <br /><br /><img src=\"http://as0.poperation.cu.cc/20811105/vuev~5vc1fd_ma3iz6txumlnrnt6ummmlqt3umtfun_tv_tnm_u_t_twsm/xsx_trvnwnwoy_t0vvsznptdyumorpomnsqmtceum_tt7upqo_mmmotdf/w3yu_74_3n_7_buutyxuoq_tltxveumm_trte3ult0x0ut0xut7euqty1/u_utf1um_tlt2utezdeuteutyutw2utv3utvaut0u_hzwd3ez_yzd318t/y8uge_ozyftdy97utd3aut09ultcdautd3uqpsotw3utwv8utweut80utecegu.jpg\" alt=\"\" width=\"1\" height=\"1\" border=\"0\" align=\"left\" hspace=\"0\" vspace=\"0\" /> <img 
src=\"http://as0.poperation.cu.cc/20811105/vuec3113e_ma3iz6txumlnrnt6ummmlqt3umtfun_tvv~5_tnm_u_t_tws/mxsx_trvnwnwoy_t0vvsznptdy!umorpomnsqmtceum_tt7upqo_mmmotd/fw3yu_74_3n_7_buutyxuoq_tltxveumm_trte3ult0x0ut0xut7euqty/1u_utf1um_tlt2utezdeuteutyutw2utv3utvaut0u_hzwd3ez_yzd318/ty8uge_ozyftdy97utd3aut09ultcdautd3uqpsotw3utwv8utweut80utecegu\" alt=\"\" width=\"1\" height=\"1\" border=\"0\" align=\"left\" hspace=\"0\" vspace=\"0\" /><!--<p>cabin ourselves you'll oldest mix consider orange plus income lonely gift curve section post</p><p>paul george</p><p>single canal russian pond pupil troops beat pacific pot tape shut aid edge tin passage earlier library circle</p><p>edward katherine marilyn ruth gregory jason</p><p>STATEMENT DULL GUARD TIN BEGINNING COLUMBUS ANTS SOLUTION SPOKEN</p>--><br /><br /><br /><br /><br /><br /><a href=\"http://www.poperation.cu.cc/c6dced/?uh8d5h2e6d55fdh0h5dee54\"><img src=\"http://www.poperation.cu.cc/3b92276a198f.gif\" border=\"0\" /></a><img src=\"http://www.poperation.cu.cc/c6dced/?oh8d5h2e6d55fdh0hbb068f\" width=\"1\" height=\"1\" border=\"0\" /></body>--3770f4aa41e936f10cfb86e01ee3168119c83c76--",
    "hash": "5a52b36772787d216ae9b47f0f888488",
    "updated_at": "2017-04-25 15:44:31",
    "created_at": "2017-04-25 15:44:31",
    "id": 161
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "subject": "",
    "sender": "",
    "event_id": "1",
    "errors": {
      "value": [
        "The value field is required."
      ],
      "hash": [
        "The hash field is required."
      ]
    }
  }
}
Response  401

Access denied.
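
The following is an added example, not part of the ThreatQ reference or ThreatQuotient's code: it builds the Create New request from a raw message and interprets the 201, 400 and 401 responses documented above. The helper names, the hostname threatq.example.org, the sample message, and the choice to fill subject and sender from the Subject and From headers are assumptions.

```python
"""Build a Create New spearphish request from a raw e-mail (added example)."""
import json
import urllib.request
from email import message_from_string, policy

# Constructed sample message; every host and address is a placeholder.
RAW_EMAIL = (
    "Return-Path: <bounce@mailer.example.net>\r\n"
    "Received: from mailer.example.net (mailer.example.net [192.0.2.10])\r\n"
    "\tby mx.example.org with ESMTP id ABC123;\r\n"
    "\tTue, 26 Mar 2013 11:47:53 -0400 (EDT)\r\n"
    'From: "Website Design" <newsletter@mailer.example.net>\r\n'
    "To: analyst@example.org\r\n"
    "Subject: Because not everyone's\r\n"
    " a web designer.\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Please view the HTML version.\r\n"
)

# The 400 body documented above, used to exercise the error handling.
SAMPLE_400 = """{"data": {"subject": "", "sender": "", "event_id": "1",
 "errors": {"value": ["The value field is required."],
            "hash": ["The hash field is required."]}}}"""


def build_spearphish_body(raw_email: str) -> dict:
    """Return the JSON body fields: subject, value and sender.

    Assumption: subject and sender are taken from the message's own
    Subject and From headers. The message is only parsed, never rendered.
    """
    msg = message_from_string(raw_email, policy=policy.default)
    from_header = msg["From"]
    sender = ""
    if from_header is not None and from_header.addresses:
        sender = from_header.addresses[0].addr_spec
    subject = str(msg["Subject"] or "")  # policy.default unfolds folded headers
    # "value" carries the message unmodified so its line breaks survive.
    return {"subject": subject, "value": raw_email, "sender": sender}


def build_create_request(base_uri, event_id, access_token, raw_email):
    """Build (but do not send) POST {base_uri}/events/{event_id}/spearphish."""
    if not base_uri.startswith("https://"):
        raise ValueError("refusing to send a bearer token over a non-HTTPS URI")
    if not isinstance(event_id, int) or event_id < 1:
        raise ValueError("event_id must be a positive integer")
    body = build_spearphish_body(raw_email)
    if not body["value"].strip():
        raise ValueError("value is required")  # mirrors the documented 400
    url = f"{base_uri.rstrip('/')}/events/{event_id}/spearphish"
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),  # escapes CR/LF as \r\n
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Bearer {access_token}",
        },
    )


def summarize_response(status: int, body_text: str = "") -> dict:
    """Reduce a documented response to an ok flag plus details."""
    data = json.loads(body_text).get("data", {}) if body_text else {}
    if status == 201:
        return {"ok": True, "id": data.get("id"), "hash": data.get("hash")}
    if status == 400:
        errors = data.get("errors", {})
        problems = [
            f"{field}: {message}"
            for field, messages in sorted(errors.items())
            for message in messages
        ]
        return {"ok": False, "problems": problems}
    if status == 401:
        return {"ok": False, "problems": ["access denied: check the bearer token"]}
    return {"ok": False, "problems": [f"unexpected status {status}"]}


if __name__ == "__main__":
    request = build_create_request(
        "https://threatq.example.org/api/", 1, "<access_token>", RAW_EMAIL
    )
    print(request.get_method(), request.full_url)
    print(summarize_response(400, SAMPLE_400))
```

Passing the request to urllib.request.urlopen sends it; because json.dumps escapes the line breaks, the stored value keeps one header per line, as in the Get Single response body.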

Spearphish Event

Get Single
GET /events/{event_id}/spearphish/{spearphish_id}{?with}

Get a single Spearphish Event.

Example URI

GET /events/1/spearphish/2?with=event
URI Parameters
event_id
integer (required) Example: 1

Event ID

spearphish_id
integer (required) Example: 2

Spearphish ID

with
string (optional) Example: event

A comma-separated list of related objects to include in the response. Options for this endpoint: event.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 163,
    "event_id": 1,
    "hash": "1f98b70a43afef4b1f6e388baa8947e2",
    "subject": "Ma! said the Mock Turtle.",
    "sender": "random@example.com",
    "last_parsed_at": "0000-00-00 00:00:00",
    "value": "Delivered-To: user@threatq.com\nReceived: by 10.194.92.35 with SMTP id cj3csp19236wjb;\n        Sat, 30 Mar 2013 08:51:20 -0700 (PDT)\nX-Received: by 10.49.30.70 with SMTP id q6mr7994138qeh.28.1364658679725;\n        Sat, 30 Mar 2013 08:51:19 -0700 (PDT)\nReturn-Path: <prof.hamiltonreeds2013@rediffmail.com>\nReceived: from steiner.cc.vt.edu (steiner.cc.vt.edu. [198.82.163.51])\n        by mx.google.com with ESMTP id s12si3077013qct.20.2013.03.30.08.51.19;\n        Sat, 30 Mar 2013 08:51:19 -0700 (PDT)\nReceived-SPF: softfail (google.com: domain of transitioning prof.hamiltonreeds2013@rediffmail.com does not designate 196.214.157.106 as permitted sender) client-ip=196.214.157.106;\nAuthentication-Results: mx.google.com;\n       spf=softfail (google.com: domain of transitioning prof.hamiltonreeds2013@rediffmail.com does not designate 196.214.157.106 as permitted sender) smtp.mail=prof.hamiltonreeds2013@rediffmail.com\nReceived: from exchange.pjcdental.co.za (EHLO exchange.pjcdental.co.za) ([196.214.157.106])\n\tby steiner.cc.vt.edu (MOS 4.3.3-GA FastPath queued)\n\twith ESMTP id WDV72281;\n\tSat, 30 Mar 2013 11:51:19 -0400 (EDT)\nReceived: from User ([110.142.146.226]) by exchange.pjcdental.co.za with Microsoft SMTPSVC(6.0.3790.4675);\n\t Sat, 30 Mar 2013 14:26:41 +0200\nReply-To: <prof.hamiltonreeds2013@rediffmail.com>\nFrom: \"Hamilton reeds\"<prof.hamiltonreeds2013@rediffmail.com>\nSubject: BBC ONE NATIONAL LOTTERY TEAM! 
CLAIM YOUR LUCKY PRICE\nDate: Sat, 30 Mar 2013 23:30:55 +1100\nMIME-Version: 1.0\nContent-Type: text/plain;\n\tcharset=\"Windows-1251\"\nContent-Transfer-Encoding: 7bit\nX-Priority: 3\nX-MSMail-Priority: Normal\nX-Mailer: Microsoft Outlook Express 6.00.2600.0000\nX-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000\nMessage-ID: <SERVERrK9W4HHfq4Gba0000176e@exchange.pjcdental.co.za>\nX-OriginalArrivalTime: 30 Mar 2013 12:26:41.0593 (UTC) FILETIME=[D55A9290:01CE2D41]\nX-TM-AS-Product-Ver: SMEX-8.6.0.1168-7.000.1014-19756.004\nX-TM-AS-Result: Yes-94.389100-8.000000-31\nX-TM-AS-User-Approved-Sender: No\nX-TM-AS-User-Blocked-Sender: No\nBcc:\nX-Mirapoint-Received-SPF: 196.214.157.106 exchange.pjcdental.co.za prof.hamiltonreeds2013@rediffmail.com 4 softfail\nX-Junkmail: UCE(50)\nX-Junkmail-Status: score=50/50, host=steiner.cc.vt.edu\nX-Junkmail-Signature-Raw: score=bulk(0),\n\trefid=str=0001.0A020204.515709F5.0180,ss=3,sh,re=0.000,fgs=0,\n\tip=196.214.157.106,\n\tso=2011-07-25 19:15:43,\n\tdmn=2011-05-27 18:58:46,\n\tmode=single engine\nX-Junkmail-IWF: false\nX-Gm-Spam: 1\nX-Gm-Spam: 1\nX-Gm-Spam: 1\n\nRegistration details\nCamelot UK Lotteries Limited\nRegistered office: Tolpits Lane, Watford, Herts WD18 9RN\nRegistered in England and Wales No. 2822203\n\n\nThe National Lottery\nPO Box 287\nWatford\nWD18 9TT\nWedsite:    http://www.bbc.co.uk/lottery/\n\n\nThis is the Camelot UK Lotteries organised by BBCWORLD approved by United Kingdom Government. We are pleased and honoured to announce to you that your e-mail address has been chosen during official publication of results of our E-mail electronic online Sweepstakes which holds every tuesdays and fridays in London as one of our EuroMillions Online Lottery Bonanza Draw amongst all. The selection process was carried out through random selection in our Computerized Email Selection System (C.E.S.S.) 
from a database of over a million email addresses from each continent of the world.\n\nHowever, having being one our chosen amongst all, you have won yourself the sum of\n",
    "created_at": "2017-07-05 23:46:56",
    "updated_at": "2017-07-05 23:46:56",
    "event": {
      "id": 1,
      "type_id": 1,
      "title": "Subject - Alice. 'And ever since that,' the.",
      "description": "",
      "happened_at": "2017-05-08 12:50:01",
      "hash": "9a318ca3d1811dbd3aff9dcb4cc5a51f",
      "created_at": "2017-05-08 12:50:01",
      "updated_at": "2017-05-08 12:50:01",
      "touched_at": "2017-07-05 23:46:56"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /events/{event_id}/spearphish/{spearphish_id}{?with}

Update a Spearphish Event.

Example URI

PUT /events/1/spearphish/2?with=event
URI Parameters
event_id
integer (required) Example: 1

Event ID

spearphish_id
integer (required) Example: 2

Spearphish ID

with
string (optional) Example: event

A comma-separated list of related objects to include in the response. Options for this endpoint: event.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "subject": "(Updated) Duchess: 'flamingoes and mustard both bite. And the Gryphon only answered 'Come on!' cried the.",
  "value": "(Updated) Delivered-To: wchiang@vt.eduReceived: by 10.194.122.228 with SMTP id lv4csp119531wjb;        Tue, 26 Mar 2013 08:47:55 -0700 (PDT)X-Received: by 10.229.114.209 with SMTP id f17mr3086377qcq.156.1364312874617;        Tue, 26 Mar 2013 08:47:54 -0700 (PDT)Return-Path: <bounce-2261-778917373-wchiang=vt.edu@poperation.cu.cc>Received: from dagger.cc.vt.edu (dagger.cc.vt.edu. [198.82.163.114])        by mx.google.com with ESMTP id u14si4973358qct.62.2013.03.26.08.47.54;        Tue, 26 Mar 2013 08:47:54 -0700 (PDT)Received-SPF: permerror (google.com: domain of bounce-2261-778917373-wchiang=vt.edu@poperation.cu.cc uses a mechanism not recognized by this client. unknown  mechanisms: )) client-ip=78.128.8.128;Authentication-Results: mx.google.com;       spf=permerror (google.com: domain of bounce-2261-778917373-wchiang=vt.edu@poperation.cu.cc uses a mechanism not recognized by this client. unknown  mechanisms: )) smtp.mail=bounce-2261-778917373-wchiang=vt.edu@poperation.cu.cc;       dkim=neutral (bad format) header.i=newsletter@poperation.cu.ccReceived: from 128.coridecer.net (EHLO smtp.poperation.cu.cc) ([78.128.8.128])  by dagger.cc.vt.edu (MOS 4.3.3-GA FastPath queued)  with ESMTP id ZLG73592;  Tue, 26 Mar 2013 11:47:53 -0400 (EDT)DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=poperation.cu.cc; h=From:To:Reply-To:Subject:Date:List-Unsubscribe:MIME-Version:Content-Type; i=newsletter@poperation.cu.cc; bh=56bFPMj2wk5zMFESfT4GKmBfhV0=; b=V4ZHGEXzEsnA/yByjbuxwUVJLwuEtPOLw/x3ZBqFwcFHBFenaFyQkfU4TWM4ENID6Kdk3AeQYJ0P   DZSdzf64VEZYwA7UZo1ktx73qOh4z8E2r9deDKO5thGf4QUgmlgtCnlRLMOF35jrGXetgddGI1SA   vVhj2v3YKFgPDwCv/Mg=DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=poperation.cu.cc; b=JufAXol2C1+Cj7IvMIUqi3MeYad+LLYFbkzPG8aC+6VhqCOMFjI8I5CoU+ri6lHeZ/wOVntprGhH   Lkax0zf7Ng2VE0PPbFEjvqoaJfN+hkwO0Pt3giWJafpjJnG4d4dKQFfcQUjcY4rpeRl9amNpjHiI   S8YbfhjORSNLmzbwJuo=;From: \"Website Design\" <newsletter@poperation.cu.cc>To: wchiang@vt.eduReply-To: 
\"Website Design\" <newsletter@poperation.cu.cc>Subject: Because not everyone's a web designer.Date: Tue, 26 Mar 2013 11:47:59 -0400List-Unsubscribe: <http://www.poperation.cu.cc/c6dced/?uh8d5h2e6d55fdh0h5dee54>MIME-Version: 1.0Content-Type: multipart/alternative; boundary=\"3770f4aa41e936f10cfb86e01ee3168119c83c76\"Message-Id: <201303261547.ZLG73592@dagger.cc.vt.edu>X-Mirapoint-Received-SPF: 78.128.8.128 smtp.poperation.cu.cc bounce-2261-778917373-wchiang=vt.edu@poperation.cu.cc 2 passX-Junkmail: UCE(51)X-Junkmail-Status: score=51/50, host=dagger.cc.vt.eduX-Junkmail-Signature-Raw: score=bulk(1),  refid=str=0001.0A020203.5151A869.0089,ss=3,sh,re=0.000,fgs=0,  ip=78.128.8.128,  so=2011-07-25 19:15:43,  dmn=2011-05-27 18:58:46,  mode=single engineX-Junkmail-IWF: falseX-Gm-Spam: 1X-Gm-Spam: 1X-Gm-Spam: 1--3770f4aa41e936f10cfb86e01ee3168119c83c76Content-Type: text/plain;Your email client cannot read this email. Please view the HTML version.--3770f4aa41e936f10cfb86e01ee3168119c83c76Content-Type: text/html;<html><head><title>Because not everyone's a web designer.</title><style type=\"text/css\">fireplaceimaginejargulfartducki'dblockdrove {  /* complexslightlyclimatelaterapartlocateslippedsubjectproudcondition */  universetreatedraisetoolworriedslipsugar//2e6d55fd//picturedconsistchosebasicpossiblymouthbrighttrail//2e6d55fd  crowdcoffeeunusualguidewhereverborntaughtaboardourselvesproduction//eightsuggestcorrectlycreatureshouldertheorybrokesevenquarterwhose//2e6d55fd//extracircleliftgoosesouthernasialevel  2e6d55fd//antsreligioustiredwheatblanktakenbarkwhistletank//pleasantrussiavaporliontwentycharactereasysortdutch//liftdifficultgainsoftlyhabit  comparecroptiredprotectionupperuniversitygivingstormtightlyjump//wheatimaginenutspinebeeexpressnewspapernewsdig//2e6d55fd//streamatmosphereworsetankmistakedeathdigforgotparty        medicinesquareyou'llcouldn'tshall//2e6d55fd//noddedoutsidestandardasidefacingslipleafthroathowevernaturally//2e6d55fd        2e6d55fd        
1/4carefullyillinoisrubbedwithinleaving  studiedangryuniversebesidegivingmotioncomingtiredgladcollegebraincastbrain}queenunitedrushattachedrunningcurrentvastchicagoshoulderchair {  /* TOUCHOCCASIONALLYTEETHTHEY'REBATTLE */  scaredbonemastersquareknifebattleacresglobe//communitylargeroccasionallyentirelycitizenfellowdangerous//givingvastbonefasterblocktaskjardoublesimilarate//properbuildingrollheardarkness  dinnerrealizefacingdiscussionbasicsets//[[word:5,10]]//motionflowerresultrhythmprincipaltuneought//syllableregularfrozenwhat'snest  dangerfreshsymbolforgetamountworthballillcowboy//proudthyparticlestrapwhatevergerman//[[upword:5,10]]//makingrideatlanticdependgoldenwildspring  strangemattershoutsolidblewordinaryalong//jobgatherlackinstanthurriedtrainpractical//oftenmrs.fortlostmarsrollstrikeapartmenthunter//ducksolvesweptbentdegreeresearchpapazoomainlyreport  militarychinabadlytodaypinkmailflagmood  2e6d55fd        [[word:5,10,, ]]  basiscaserulerherselfpocketdivision  ledenginenearestgovernmentmistake}</style></head><body><!--<div style=\"font-weight:bold;\">divide piano origin wall directly origin joined various contrast accident board dress tool sale</div><strong>Recipient:</strong> wchiang@vt.edu <br /><strong>Sent:</strong> Tue, 26 Mar 2013 11:47:59 -0400 <br /><strong>Title:</strong> [subject]] <br /><br /><br /><br /><br /><br /><br /><div style=\"font-weight:bold;\">disease enemy valley factor hidden principal russia away toy support monkey continent however twenty sang smooth coal furniture</div>-->  <br /><br /><a href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFVDLjoMwDPyaXisgbaHHPez-hsVCoCuRhMdMHnz9GskexfbMxPIHWG;m69b8aExz;3g0r3v8s2kIHv2A-xCcTpqqq-u6euozMiPTLX73eNE5t2yIt;b7aegw0QuiwDuhQJCOS52PLNijTz6FIqhiPE6;Yix0YV-D88fmMFg6AVrlc92CqHPAOCVTKO1DjJdWfkmUzLAJFuSoCifKxw5ruKDKFRWI1nJDqSnEVF-2CxrCnqMllK9YiKStaDR7FVE-ZxqNPaWco6k7lI6zlXCW6y666rslRnNR3;rTMPZXyW09ApKapNgpqHGnK9jBzvwH\">Website Design</a><br /><br /><a 
href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFY5LbsMwDERPk21gW0nsLLtor0G4lpwUsCR;ZvTx6csA4kAE9Z74BtaL-bp0P3rm13i7dY9r-nN5igHjhOsUvU66ZmjbtrnrNbGg0C9hD3ikS;99p;d-2WAYMDMIkiB4oUCQD1-OIthTyMqGHKugSek4wwpb6eO-Rh-OzWNy9AL0XLcoaoywczaV0it4ExOkl18StTBuggUlKaHIDme4oCkNNYjecUNtKVQQc;vRLugId1qnqQoia5-M1qgQ5X1ma9wp9bSmHaBgHfhyEs86657PnrDm8;SpP012;LTc1iMiqySnQUPFg67gJvfiPw__\">Beat the competition on the web</a><br /><br /><a href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFY5LjoNADERPk20EdBLIchYz17AYaMhIdDefqv5w-jGSXbLl8rM;wHozX7f!mR2Oa-8ejed3jn01D8OgH3IfgdNJUXV3X1VPLyIxMt;h4a7-fu8eLzrllg2HARC-IAu-EAkE6XD6yYI8--RSKoIrxOP0KJY2FLuxrcP7YHAZLJ0DLdQuixIBxSqZQ2ocYL638kiiZYRMsyFHt6lfMDmu4oMoVVYjWckOpKcRUX8wFDWHP0aoqgkjaR6PZ6wblc6brG2NPKedo6g6l42wlnGXCWN4tMZrL-tYzw9hfLbf1CEgKSbFTUXCn9-1gZ;4D\">Bring art to the web through site design.</a><br /><br /><a href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFVDLjoMwDPyaXisgbaHHPez-hsVCoCuRhMdMHnz9GskexfbMxPIHWG;m69b8aExz;3g0r3v8s2kIHv2A-xCcTpqqq-u6euozMiPTLX73eNE5t2yIt;b7aegw0QuiwDuhQJCOS52PLNijTz6FIqhiPE6;Yix0YV-D88fmMFg6AVrlc92CqHPAOCVTKO1DjJdWfkmUzLAJFuSoCifKxw5ruKDKFRWI1nJDqSnEVF-2CxrCnqMllK9YiKStaDR7FVE-ZxqNPaWco6k7lI6zlXCW6y666rslRnNR3;rTMPZXyW09ApKapNgpqHGnK9jBzvwH\"><img src=\"http://as0.poperation.cu.cc/20811105/vu3txumlnrnt6v~5ummmlqt3umtfun_tv_tnm_u_t_twsmxsx_trvnwnwoy_t0vvsznptd/yumorpomnsqmtceum_tt7upqo_mmmotdfw3yu_74_3n_7_buutyxuoq_tltxveumm_trt/e3ult0x0ut0xumt7euqty1u_utf1um_tlt2utezdeuteutyutw2utv3utvaut0u_hzwd3/ez_yzd318ty8uge_ozyftdy97utd!3aut09ultcdautd3uqpsotw3utwv8utweut80utecegu.jpg\" usemap=\"#imgcmap\" /><map name=\"imgcmap\"><area shape=\"rect\" coords=\"0,0,1080,1080\" 
href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFVDLjoMwDPyaXisgbaHHPez-hsVCoCuRhMdMHnz9GskexfbMxPIHWG;m69b8aExz;3g0r3v8s2kIHv2A-xCcTpqqq-u6euozMiPTLX73eNE5t2yIt;b7aegw0QuiwDuhQJCOS52PLNijTz6FIqhiPE6;Yix0YV-D88fmMFg6AVrlc92CqHPAOCVTKO1DjJdWfkmUzLAJFuSoCifKxw5ruKDKFRWI1nJDqSnEVF-2CxrCnqMllK9YiKStaDR7FVE-ZxqNPaWco6k7lI6zlXCW6y666rslRnNR3;rTMPZXyW09ApKapNgpqHGnK9jBzvwH\"></map></a><br /><br /><a style=\"font-size: 12px\" href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFY7LjoMwDEW;ptsKSFvochYzv2ExiWlHIg;gOg--flwpuYoTnxO;gXQxX5fhR9fymm-34XHNf1xsDJgtrjZ6fUk7L7xzsHxc0zvpzdBNfd93dz1mmSuq-DXsAQ;x3q8bjHgsEgiZEDwJgVAOX49K-TJ-37HnUBQOJTZCl;NxhgTXxMc9RR-OzcOyeAJGSVsk1Ua4pZgmNN6UJBNopF8RtCpxI6yoWQlFdrCRFV3tREMwsmxovZBgUbL;aFcMAj4da6pCULTORveskND7LM7wSe10pp;QJlHyxRTPtuicz1HgzKf1qT9ZN39K2dIRUVRS8qSh4klHYMsv-Qc_\">Preferences</a><img src=!\"http://as0.poperation.cu.cc/20811105/vu63gz_mcv7a_ma3iz6txumlnrnt6ummmlqt3uv~5mtfun_tv_tnm_u_t_t/wsmxsx_trvnwnwoy_t0vvsznptdyumorpomnsqmtceum_tt7upqo_mmmot/dfw3yu_74_3n_7_buutyxuoq_tltxveumm_trte3ult0x0ut0xut7euqty/1u_utf1um_tlt2utezdeuteutyutw2utv3utvaut0u_hzwd3ez_yzd318t/y8uge_ozyftdy97utd3aut09ultcdautd3uqpsotw3utwv8utweut80utecegu.jpg\" alt=\"\" width=\"1\" height=\"1\" border=\"0\" align=\"left\" hspace=\"0\" vspace=\"0\" /> <br /><br /><img src=\"http://as0.poperation.cu.cc/20811105/vuev~5vc1fd_ma3iz6txumlnrnt6ummmlqt3umtfun_tv_tnm_u_t_twsm/xsx_trvnwnwoy_t0vvsznptdyumorpomnsqmtceum_tt7upqo_mmmotdf/w3yu_74_3n_7_buutyxuoq_tltxveumm_trte3ult0x0ut0xut7euqty1/u_utf1um_tlt2utezdeuteutyutw2utv3utvaut0u_hzwd3ez_yzd318t/y8uge_ozyftdy97utd3aut09ultcdautd3uqpsotw3utwv8utweut80utecegu.jpg\" alt=\"\" width=\"1\" height=\"1\" border=\"0\" align=\"left\" hspace=\"0\" vspace=\"0\" /> <img 
src=\"http://as0.poperation.cu.cc/20811105/vuec3113e_ma3iz6txumlnrnt6ummmlqt3umtfun_tvv~5_tnm_u_t_tws/mxsx_trvnwnwoy_t0vvsznptdy!umorpomnsqmtceum_tt7upqo_mmmotd/fw3yu_74_3n_7_buutyxuoq_tltxveumm_trte3ult0x0ut0xut7euqty/1u_utf1um_tlt2utezdeuteutyutw2utv3utvaut0u_hzwd3ez_yzd318/ty8uge_ozyftdy97utd3aut09ultcdautd3uqpsotw3utwv8utweut80utecegu\" alt=\"\" width=\"1\" height=\"1\" border=\"0\" align=\"left\" hspace=\"0\" vspace=\"0\" /><!--<p>cabin ourselves you'll oldest mix consider orange plus income lonely gift curve section post</p><p>paul george</p><p>single canal russian pond pupil troops beat pacific pot tape shut aid edge tin passage earlier library circle</p><p>edward katherine marilyn ruth gregory jason</p><p>STATEMENT DULL GUARD TIN BEGINNING COLUMBUS ANTS SOLUTION SPOKEN</p>--><br /><br /><br /><br /><br /><br /><a href=\"http://www.poperation.cu.cc/c6dced/?uh8d5h2e6d55fdh0h5dee54\"><img src=\"http://www.poperation.cu.cc/3b92276a198f.gif\" border=\"0\" /></a><img src=\"http://www.poperation.cu.cc/c6dced/?oh8d5h2e6d55fdh0hbb068f\" width=\"1\" height=\"1\" border=\"0\" /></body>--3770f4aa41e936f10cfb86e01ee3168119c83c76--",
  "sender": "dgleason1@mosciski1.com"
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 1,
    "event_id": 1,
    "hash": "ce4ee37ac34b38901358e18a41e98531",
    "subject": "(Updated) Duchess: 'flamingoes and mustard both bite. And the Gryphon only answered 'Come on!' cried the.",
    "sender": "dgleason1@mosciski1.com",
    "last_parsed_at": "2017-02-17 00:22:44",
    "value": "(Updated) Delivered-To: wchiang@vt.eduReceived: by 10.194.122.228 with SMTP id lv4csp119531wjb;        Tue, 26 Mar 2013 08:47:55 -0700 (PDT)X-Received: by 10.229.114.209 with SMTP id f17mr3086377qcq.156.1364312874617;        Tue, 26 Mar 2013 08:47:54 -0700 (PDT)Return-Path: <bounce-2261-778917373-wchiang=vt.edu@poperation.cu.cc>Received: from dagger.cc.vt.edu (dagger.cc.vt.edu. [198.82.163.114])        by mx.google.com with ESMTP id u14si4973358qct.62.2013.03.26.08.47.54;        Tue, 26 Mar 2013 08:47:54 -0700 (PDT)Received-SPF: permerror (google.com: domain of bounce-2261-778917373-wchiang=vt.edu@poperation.cu.cc uses a mechanism not recognized by this client. unknown  mechanisms: )) client-ip=78.128.8.128;Authentication-Results: mx.google.com;       spf=permerror (google.com: domain of bounce-2261-778917373-wchiang=vt.edu@poperation.cu.cc uses a mechanism not recognized by this client. unknown  mechanisms: )) smtp.mail=bounce-2261-778917373-wchiang=vt.edu@poperation.cu.cc;       dkim=neutral (bad format) header.i=newsletter@poperation.cu.ccReceived: from 128.coridecer.net (EHLO smtp.poperation.cu.cc) ([78.128.8.128])\tby dagger.cc.vt.edu (MOS 4.3.3-GA FastPath queued)\twith ESMTP id ZLG73592;\tTue, 26 Mar 2013 11:47:53 -0400 (EDT)DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=poperation.cu.cc; h=From:To:Reply-To:Subject:Date:List-Unsubscribe:MIME-Version:Content-Type; i=newsletter@poperation.cu.cc; bh=56bFPMj2wk5zMFESfT4GKmBfhV0=; b=V4ZHGEXzEsnA/yByjbuxwUVJLwuEtPOLw/x3ZBqFwcFHBFenaFyQkfU4TWM4ENID6Kdk3AeQYJ0P   DZSdzf64VEZYwA7UZo1ktx73qOh4z8E2r9deDKO5thGf4QUgmlgtCnlRLMOF35jrGXetgddGI1SA   vVhj2v3YKFgPDwCv/Mg=DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=poperation.cu.cc; b=JufAXol2C1+Cj7IvMIUqi3MeYad+LLYFbkzPG8aC+6VhqCOMFjI8I5CoU+ri6lHeZ/wOVntprGhH   Lkax0zf7Ng2VE0PPbFEjvqoaJfN+hkwO0Pt3giWJafpjJnG4d4dKQFfcQUjcY4rpeRl9amNpjHiI   S8YbfhjORSNLmzbwJuo=;From: \"Website Design\" <newsletter@poperation.cu.cc>To: 
wchiang@vt.eduReply-To: \"Website Design\" <newsletter@poperation.cu.cc>Subject: Because not everyone's a web designer.Date: Tue, 26 Mar 2013 11:47:59 -0400List-Unsubscribe: <http://www.poperation.cu.cc/c6dced/?uh8d5h2e6d55fdh0h5dee54>MIME-Version: 1.0Content-Type: multipart/alternative; boundary=\"3770f4aa41e936f10cfb86e01ee3168119c83c76\"Message-Id: <201303261547.ZLG73592@dagger.cc.vt.edu>X-Mirapoint-Received-SPF: 78.128.8.128 smtp.poperation.cu.cc bounce-2261-778917373-wchiang=vt.edu@poperation.cu.cc 2 passX-Junkmail: UCE(51)X-Junkmail-Status: score=51/50, host=dagger.cc.vt.eduX-Junkmail-Signature-Raw: score=bulk(1),\trefid=str=0001.0A020203.5151A869.0089,ss=3,sh,re=0.000,fgs=0,\tip=78.128.8.128,\tso=2011-07-25 19:15:43,\tdmn=2011-05-27 18:58:46,\tmode=single engineX-Junkmail-IWF: falseX-Gm-Spam: 1X-Gm-Spam: 1X-Gm-Spam: 1--3770f4aa41e936f10cfb86e01ee3168119c83c76Content-Type: text/plain;Your email client cannot read this email. Please view the HTML version.--3770f4aa41e936f10cfb86e01ee3168119c83c76Content-Type: text/html;<html><head><title>Because not everyone's a web designer.</title><style type=\"text/css\">fireplaceimaginejargulfartducki'dblockdrove {\t/* complexslightlyclimatelaterapartlocateslippedsubjectproudcondition */\tuniversetreatedraisetoolworriedslipsugar//2e6d55fd//picturedconsistchosebasicpossiblymouthbrighttrail//2e6d55fd\tcrowdcoffeeunusualguidewhereverborntaughtaboardourselvesproduction//eightsuggestcorrectlycreatureshouldertheorybrokesevenquarterwhose//2e6d55fd//extracircleliftgoosesouthernasialevel\t2e6d55fd//antsreligioustiredwheatblanktakenbarkwhistletank//pleasantrussiavaporliontwentycharactereasysortdutch//liftdifficultgainsoftlyhabit\tcomparecroptiredprotectionupperuniversitygivingstormtightlyjump//wheatimaginenutspinebeeexpressnewspapernewsdig//2e6d55fd//streamatmosphereworsetankmistakedeathdigforgotparty        medicinesquareyou'llcouldn'tshall//2e6d55fd//noddedoutsidestandardasidefacingslipleafthroathowevernaturally//2e6d55fd        
2e6d55fd        1/4carefullyillinoisrubbedwithinleaving\tstudiedangryuniversebesidegivingmotioncomingtiredgladcollegebraincastbrain}queenunitedrushattachedrunningcurrentvastchicagoshoulderchair {\t/* TOUCHOCCASIONALLYTEETHTHEY'REBATTLE */\tscaredbonemastersquareknifebattleacresglobe//communitylargeroccasionallyentirelycitizenfellowdangerous//givingvastbonefasterblocktaskjardoublesimilarate//properbuildingrollheardarkness\tdinnerrealizefacingdiscussionbasicsets//[[word:5,10]]//motionflowerresultrhythmprincipaltuneought//syllableregularfrozenwhat'snest\tdangerfreshsymbolforgetamountworthballillcowboy//proudthyparticlestrapwhatevergerman//[[upword:5,10]]//makingrideatlanticdependgoldenwildspring\tstrangemattershoutsolidblewordinaryalong//jobgatherlackinstanthurriedtrainpractical//oftenmrs.fortlostmarsrollstrikeapartmenthunter//ducksolvesweptbentdegreeresearchpapazoomainlyreport\tmilitarychinabadlytodaypinkmailflagmood\t2e6d55fd        [[word:5,10,, ]]\tbasiscaserulerherselfpocketdivision\tledenginenearestgovernmentmistake}</style></head><body><!--<div style=\"font-weight:bold;\">divide piano origin wall directly origin joined various contrast accident board dress tool sale</div><strong>Recipient:</strong> wchiang@vt.edu <br /><strong>Sent:</strong> Tue, 26 Mar 2013 11:47:59 -0400 <br /><strong>Title:</strong> [subject]] <br /><br /><br /><br /><br /><br /><br /><div style=\"font-weight:bold;\">disease enemy valley factor hidden principal russia away toy support monkey continent however twenty sang smooth coal furniture</div>-->  <br /><br /><a href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFVDLjoMwDPyaXisgbaHHPez-hsVCoCuRhMdMHnz9GskexfbMxPIHWG;m69b8aExz;3g0r3v8s2kIHv2A-xCcTpqqq-u6euozMiPTLX73eNE5t2yIt;b7aegw0QuiwDuhQJCOS52PLNijTz6FIqhiPE6;Yix0YV-D88fmMFg6AVrlc92CqHPAOCVTKO1DjJdWfkmUzLAJFuSoCifKxw5ruKDKFRWI1nJDqSnEVF-2CxrCnqMllK9YiKStaDR7FVE-ZxqNPaWco6k7lI6zlXCW6y666rslRnNR3;rTMPZXyW09ApKapNgpqHGnK9jBzvwH\">Website Design</a><br /><br /><a 
href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFY5LbsMwDERPk21gW0nsLLtor0G4lpwUsCR;ZvTx6csA4kAE9Z74BtaL-bp0P3rm13i7dY9r-nN5igHjhOsUvU66ZmjbtrnrNbGg0C9hD3ikS;99p;d-2WAYMDMIkiB4oUCQD1-OIthTyMqGHKugSek4wwpb6eO-Rh-OzWNy9AL0XLcoaoywczaV0it4ExOkl18StTBuggUlKaHIDme4oCkNNYjecUNtKVQQc;vRLugId1qnqQoia5-M1qgQ5X1ma9wp9bSmHaBgHfhyEs86657PnrDm8;SpP012;LTc1iMiqySnQUPFg67gJvfiPw__\">Beat the competition on the web</a><br /><br /><a href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFY5LjoNADERPk20EdBLIchYz17AYaMhIdDefqv5w-jGSXbLl8rM;wHozX7f!mR2Oa-8ejed3jn01D8OgH3IfgdNJUXV3X1VPLyIxMt;h4a7-fu8eLzrllg2HARC-IAu-EAkE6XD6yYI8--RSKoIrxOP0KJY2FLuxrcP7YHAZLJ0DLdQuixIBxSqZQ2ocYL638kiiZYRMsyFHt6lfMDmu4oMoVVYjWckOpKcRUX8wFDWHP0aoqgkjaR6PZ6wblc6brG2NPKedo6g6l42wlnGXCWN4tMZrL-tYzw9hfLbf1CEgKSbFTUXCn9-1gZ;4D\">Bring art to the web through site design.</a><br /><br /><a href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFVDLjoMwDPyaXisgbaHHPez-hsVCoCuRhMdMHnz9GskexfbMxPIHWG;m69b8aExz;3g0r3v8s2kIHv2A-xCcTpqqq-u6euozMiPTLX73eNE5t2yIt;b7aegw0QuiwDuhQJCOS52PLNijTz6FIqhiPE6;Yix0YV-D88fmMFg6AVrlc92CqHPAOCVTKO1DjJdWfkmUzLAJFuSoCifKxw5ruKDKFRWI1nJDqSnEVF-2CxrCnqMllK9YiKStaDR7FVE-ZxqNPaWco6k7lI6zlXCW6y666rslRnNR3;rTMPZXyW09ApKapNgpqHGnK9jBzvwH\"><img src=\"http://as0.poperation.cu.cc/20811105/vu3txumlnrnt6v~5ummmlqt3umtfun_tv_tnm_u_t_twsmxsx_trvnwnwoy_t0vvsznptd/yumorpomnsqmtceum_tt7upqo_mmmotdfw3yu_74_3n_7_buutyxuoq_tltxveumm_trt/e3ult0x0ut0xumt7euqty1u_utf1um_tlt2utezdeuteutyutw2utv3utvaut0u_hzwd3/ez_yzd318ty8uge_ozyftdy97utd!3aut09ultcdautd3uqpsotw3utwv8utweut80utecegu.jpg\" usemap=\"#imgcmap\" /><map name=\"imgcmap\"><area shape=\"rect\" coords=\"0,0,1080,1080\" 
href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFVDLjoMwDPyaXisgbaHHPez-hsVCoCuRhMdMHnz9GskexfbMxPIHWG;m69b8aExz;3g0r3v8s2kIHv2A-xCcTpqqq-u6euozMiPTLX73eNE5t2yIt;b7aegw0QuiwDuhQJCOS52PLNijTz6FIqhiPE6;Yix0YV-D88fmMFg6AVrlc92CqHPAOCVTKO1DjJdWfkmUzLAJFuSoCifKxw5ruKDKFRWI1nJDqSnEVF-2CxrCnqMllK9YiKStaDR7FVE-ZxqNPaWco6k7lI6zlXCW6y666rslRnNR3;rTMPZXyW09ApKapNgpqHGnK9jBzvwH\"></map></a><br /><br /><a style=\"font-size: 12px\" href=\"http://poperation.cu.cc/c6dced/?kh8d5h2e6d55fdh0hfcd377hFY7LjoMwDEW;ptsKSFvochYzv2ExiWlHIg;gOg--flwpuYoTnxO;gXQxX5fhR9fymm-34XHNf1xsDJgtrjZ6fUk7L7xzsHxc0zvpzdBNfd93dz1mmSuq-DXsAQ;x3q8bjHgsEgiZEDwJgVAOX49K-TJ-37HnUBQOJTZCl;NxhgTXxMc9RR-OzcOyeAJGSVsk1Ua4pZgmNN6UJBNopF8RtCpxI6yoWQlFdrCRFV3tREMwsmxovZBgUbL;aFcMAj4da6pCULTORveskND7LM7wSe10pp;QJlHyxRTPtuicz1HgzKf1qT9ZN39K2dIRUVRS8qSh4klHYMsv-Qc_\">Preferences</a><img src=!\"http://as0.poperation.cu.cc/20811105/vu63gz_mcv7a_ma3iz6txumlnrnt6ummmlqt3uv~5mtfun_tv_tnm_u_t_t/wsmxsx_trvnwnwoy_t0vvsznptdyumorpomnsqmtceum_tt7upqo_mmmot/dfw3yu_74_3n_7_buutyxuoq_tltxveumm_trte3ult0x0ut0xut7euqty/1u_utf1um_tlt2utezdeuteutyutw2utv3utvaut0u_hzwd3ez_yzd318t/y8uge_ozyftdy97utd3aut09ultcdautd3uqpsotw3utwv8utweut80utecegu.jpg\" alt=\"\" width=\"1\" height=\"1\" border=\"0\" align=\"left\" hspace=\"0\" vspace=\"0\" /> <br /><br /><img src=\"http://as0.poperation.cu.cc/20811105/vuev~5vc1fd_ma3iz6txumlnrnt6ummmlqt3umtfun_tv_tnm_u_t_twsm/xsx_trvnwnwoy_t0vvsznptdyumorpomnsqmtceum_tt7upqo_mmmotdf/w3yu_74_3n_7_buutyxuoq_tltxveumm_trte3ult0x0ut0xut7euqty1/u_utf1um_tlt2utezdeuteutyutw2utv3utvaut0u_hzwd3ez_yzd318t/y8uge_ozyftdy97utd3aut09ultcdautd3uqpsotw3utwv8utweut80utecegu.jpg\" alt=\"\" width=\"1\" height=\"1\" border=\"0\" align=\"left\" hspace=\"0\" vspace=\"0\" /> <img 
src=\"http://as0.poperation.cu.cc/20811105/vuec3113e_ma3iz6txumlnrnt6ummmlqt3umtfun_tvv~5_tnm_u_t_tws/mxsx_trvnwnwoy_t0vvsznptdy!umorpomnsqmtceum_tt7upqo_mmmotd/fw3yu_74_3n_7_buutyxuoq_tltxveumm_trte3ult0x0ut0xut7euqty/1u_utf1um_tlt2utezdeuteutyutw2utv3utvaut0u_hzwd3ez_yzd318/ty8uge_ozyftdy97utd3aut09ultcdautd3uqpsotw3utwv8utweut80utecegu\" alt=\"\" width=\"1\" height=\"1\" border=\"0\" align=\"left\" hspace=\"0\" vspace=\"0\" /><!--<p>cabin ourselves you'll oldest mix consider orange plus income lonely gift curve section post</p><p>paul george</p><p>single canal russian pond pupil troops beat pacific pot tape shut aid edge tin passage earlier library circle</p><p>edward katherine marilyn ruth gregory jason</p><p>STATEMENT DULL GUARD TIN BEGINNING COLUMBUS ANTS SOLUTION SPOKEN</p>--><br /><br /><br /><br /><br /><br /><a href=\"http://www.poperation.cu.cc/c6dced/?uh8d5h2e6d55fdh0h5dee54\"><img src=\"http://www.poperation.cu.cc/3b92276a198f.gif\" border=\"0\" /></a><img src=\"http://www.poperation.cu.cc/c6dced/?oh8d5h2e6d55fdh0hbb068f\" width=\"1\" height=\"1\" border=\"0\" /></body>--3770f4aa41e936f10cfb86e01ee3168119c83c76--",
    "created_at": "2017-04-25 15:02:44",
    "updated_at": "2017-04-25 18:50:59"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Tags

Tag List

Tag List
GET /tags{?limit,offset,sort,with}

Get a list of Tags (Keywords).

Example URI

GET /tags?limit=500&offset=100&sort=id&with=adversaries,attachments
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: adversaries,attachments

A comma-separated list of related objects to include in the response. Options for this endpoint: adversaries, attachments, events, indicators.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 2,
      "name": "This is a Tag",
      "adversaries": [
        {
          "id": 1,
          "name": "Advanced Pawn",
          "created_at": "2017-04-19 03:31:40",
          "updated_at": "2017-04-19 03:31:40",
          "touched_at": "2017-07-05 19:29:36",
          "pivot": {
            "tag_id": 2,
            "object_id": 1,
            "created_at": "2017-07-05 19:29:37",
            "updated_at": "2017-07-05 19:29:37"
          }
        }
      ],
      "attachments": [
        {
          "id": 1,
          "type_id": 1,
          "title": "Crazy File",
          "name": "crazy-file.exe",
          "hash": "f5f39c6886a66686af0950014dffe968",
          "content_type_id": 1,
          "file_size": 234235236,
          "malware_locked": 1,
          "description": null,
          "created_at": "2017-07-05 19:07:03",
          "updated_at": "2017-07-05 19:07:03",
          "touched_at": "2017-07-05 19:29:36",
          "pivot": {
            "tag_id": 2,
            "object_id": 1,
            "created_at": "2017-07-05 19:29:37",
            "updated_at": "2017-07-05 19:29:37"
          }
        }
      ],
      "events": [
        {
          "id": 1,
          "type_id": 1,
          "title": "Subject - Oh dear! I wish you would.",
          "description": "",
          "happened_at": "2017-04-28 07:10:48",
          "hash": "3d730b5750b10544ebaa03a8d5ba9945",
          "created_at": "2017-04-28 07:10:48",
          "updated_at": "2017-04-28 07:10:48",
          "touched_at": "2017-07-05 19:29:36",
          "pivot": {
            "tag_id": 2,
            "object_id": 1,
            "created_at": "2017-07-05 19:29:37",
            "updated_at": "2017-07-05 19:29:37"
          }
        }
      ],
      "indicators": [
        {
          "id": 1,
          "type_id": 1,
          "status_id": 3,
          "class": "network",
          "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
          "value": "37.139.40.0/21",
          "description": null,
          "last_detected_at": "2001-06-17 04:04:49",
          "expires_at": null,
          "expired_at": null,
          "expires_calculated_at": null,
          "created_at": "2017-07-05 19:24:04",
          "updated_at": "2017-07-05 19:24:04",
          "touched_at": "2017-07-05 19:29:36",
          "pivot": {
            "tag_id": 2,
            "object_id": 1,
            "created_at": "2017-07-05 19:29:37",
            "updated_at": "2017-07-05 19:29:37"
          }
        }
      ]
    },
    {
      "id": 3,
      "name": "And another Tag.",
      "adversaries": [
        {
          "id": 1,
          "name": "Advanced Pawn",
          "created_at": "2017-04-19 03:31:40",
          "updated_at": "2017-04-19 03:31:40",
          "touched_at": "2017-07-05 19:29:36",
          "pivot": {
            "tag_id": 3,
            "object_id": 1,
            "created_at": "2017-07-05 19:29:37",
            "updated_at": "2017-07-05 19:29:37"
          }
        }
      ],
      "attachments": [
        {
          "id": 1,
          "type_id": 1,
          "title": "Crazy File",
          "name": "crazy-file.exe",
          "hash": "f5f39c6886a66686af0950014dffe968",
          "content_type_id": 1,
          "file_size": 234235236,
          "malware_locked": 1,
          "description": null,
          "created_at": "2017-07-05 19:07:03",
          "updated_at": "2017-07-05 19:07:03",
          "touched_at": "2017-07-05 19:29:36",
          "pivot": {
            "tag_id": 3,
            "object_id": 1,
            "created_at": "2017-07-05 19:29:37",
            "updated_at": "2017-07-05 19:29:37"
          }
        }
      ],
      "events": [
        {
          "id": 1,
          "type_id": 1,
          "title": "Subject - Oh dear! I wish you would.",
          "description": "",
          "happened_at": "2017-04-28 07:10:48",
          "hash": "3d730b5750b10544ebaa03a8d5ba9945",
          "created_at": "2017-04-28 07:10:48",
          "updated_at": "2017-04-28 07:10:48",
          "touched_at": "2017-07-05 19:29:36",
          "pivot": {
            "tag_id": 3,
            "object_id": 1,
            "created_at": "2017-07-05 19:29:37",
            "updated_at": "2017-07-05 19:29:37"
          }
        }
      ],
      "indicators": [
        {
          "id": 1,
          "type_id": 1,
          "status_id": 3,
          "class": "network",
          "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
          "value": "37.139.40.0/21",
          "description": null,
          "last_detected_at": "2001-06-17 04:04:49",
          "expires_at": null,
          "expired_at": null,
          "expires_calculated_at": null,
          "created_at": "2017-07-05 19:24:04",
          "updated_at": "2017-07-05 19:24:04",
          "touched_at": "2017-07-05 19:29:36",
          "pivot": {
            "tag_id": 3,
            "object_id": 1,
            "created_at": "2017-07-05 19:29:37",
            "updated_at": "2017-07-05 19:29:37"
          }
        }
      ]
    }
  ]
}
Response  401

Access denied.
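
Paging through a list endpoint such as GET /tags with the limit, offset, sort and with parameters described above, as an added example (not part of the ThreatQ reference or ThreatQuotient's code). It assumes that `total` is the full number of matching records and that sorting by `id` keeps page boundaries stable; `iter_collection`, `fake_get` and the sample tags are names and data constructed for illustration.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


class AccessDenied(Exception):
    """Raised on HTTP 401 (access token incorrect or out of date)."""


def build_list_url(base, path, limit, offset, sort=None, with_=None):
    """Build a list-endpoint URL from the documented query parameters."""
    params = {"limit": limit, "offset": offset}
    if sort:
        params["sort"] = sort
    if with_:
        params["with"] = ",".join(with_)
    # safe="," keeps comma-separated lists as in the page's example URI.
    query = urllib.parse.urlencode(params, safe=",")
    return base.rstrip("/") + "/" + path.lstrip("/") + "?" + query


def http_get_json(url, token):
    """Default transport: GET with the Bearer header; returns (status, body)."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None


def iter_collection(base, path, token, limit=500, sort="id", with_=None,
                    get=http_get_json):
    """Yield every record of a collection, one page of `limit` at a time."""
    offset = 0
    while True:
        url = build_list_url(base, path, limit, offset, sort, with_)
        status, body = get(url, token)
        if status == 401:
            raise AccessDenied(path)
        if status != 200 or not isinstance(body, dict):
            raise RuntimeError("unexpected response %r for %s" % (status, path))
        page = body.get("data")
        if not isinstance(page, list):
            # A single item comes back as an object, a collection as an array.
            raise RuntimeError("expected a collection in the data envelope")
        yield from page
        offset += len(page)
        total = body.get("total")  # assumption: full match count, not page size
        if not page:
            return
        if total is not None and offset >= int(total):
            return
        if total is None and len(page) < limit:
            return


# Constructed sample records standing in for a ThreatQ instance.
SAMPLE_TAGS = [{"id": i, "name": "tag-%d" % i} for i in range(1, 6)]


def fake_get(url, token):
    """Offline stand-in for http_get_json that serves SAMPLE_TAGS."""
    if token != "good-token":
        return 401, None
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    limit, offset = int(query["limit"][0]), int(query["offset"][0])
    page = SAMPLE_TAGS[offset:offset + limit]
    return 200, {"total": len(SAMPLE_TAGS), "data": page}


def demo():
    """Collect all tag ids two at a time through the fake transport."""
    records = iter_collection("https://hostname/api/", "tags", "good-token",
                              limit=2, get=fake_get)
    return [record["id"] for record in records]


if __name__ == "__main__":
    print(demo())
```
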

Tag

Tag
GET /tags/{tag_id}{?with}

Get a single Tag (Keyword).

Example URI

GET /tags/1?with=adversaries,attachments
URI Parameters
tag_id
integer (required) Example: 1

Tag ID

with
string (optional) Example: adversaries,attachments

A comma-separated list of related objects to include in the response. Options for this endpoint: adversaries, attachments, events, indicators.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 2,
    "name": "This is a Tag",
    "adversaries": [
      {
        "id": 1,
        "name": "Advanced Pawn",
        "created_at": "2017-04-19 03:31:40",
        "updated_at": "2017-04-19 03:31:40",
        "touched_at": "2017-07-05 19:29:36",
        "pivot": {
          "tag_id": 2,
          "object_id": 1,
          "created_at": "2017-07-05 19:29:37",
          "updated_at": "2017-07-05 19:29:37"
        }
      }
    ],
    "attachments": [
      {
        "id": 1,
        "type_id": 1,
        "title": "Crazy File",
        "name": "crazy-file.exe",
        "hash": "f5f39c6886a66686af0950014dffe968",
        "content_type_id": 1,
        "file_size": 234235236,
        "malware_locked": 1,
        "description": null,
        "created_at": "2017-07-05 19:07:03",
        "updated_at": "2017-07-05 19:07:03",
        "touched_at": "2017-07-05 19:29:36",
        "pivot": {
          "tag_id": 2,
          "object_id": 1,
          "created_at": "2017-07-05 19:29:37",
          "updated_at": "2017-07-05 19:29:37"
        }
      }
    ],
    "events": [
      {
        "id": 1,
        "type_id": 1,
        "title": "Subject - Oh dear! I wish you would.",
        "description": "",
        "happened_at": "2017-04-28 07:10:48",
        "hash": "3d730b5750b10544ebaa03a8d5ba9945",
        "created_at": "2017-04-28 07:10:48",
        "updated_at": "2017-04-28 07:10:48",
        "touched_at": "2017-07-05 19:29:36",
        "pivot": {
          "tag_id": 2,
          "object_id": 1,
          "created_at": "2017-07-05 19:29:37",
          "updated_at": "2017-07-05 19:29:37"
        }
      }
    ],
    "indicators": [
      {
        "id": 1,
        "type_id": 1,
        "status_id": 3,
        "class": "network",
        "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
        "value": "37.139.40.0/21",
        "description": null,
        "last_detected_at": "2001-06-17 04:04:49",
        "expires_at": null,
        "expired_at": null,
        "expires_calculated_at": null,
        "created_at": "2017-07-05 19:24:04",
        "updated_at": "2017-07-05 19:24:04",
        "touched_at": "2017-07-05 19:29:36",
        "pivot": {
          "tag_id": 2,
          "object_id": 1,
          "created_at": "2017-07-05 19:29:37",
          "updated_at": "2017-07-05 19:29:37"
        }
      }
    ]
  }
}
Response  401

Access denied.

Response  404

Object not found.

TLP

TLP List

Get List
GET /tlp{?limit,offset,sort}

Get a list of TLPs.

Example URI

GET /tlp?limit=500&offset=100&sort=id
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 4,
  "data": [
    {
      "id": 1,
      "name": "RED",
      "description": "Red",
      "value": 0,
      "user_editable": "N",
      "created_at": "2017-03-21 14:56:15",
      "updated_at": "2017-03-21 14:56:15"
    },
    {
      "id": 2,
      "name": "AMBER",
      "description": "Amber",
      "value": 1,
      "user_editable": "N",
      "created_at": "2017-03-21 14:56:15",
      "updated_at": "2017-03-21 14:56:15"
    },
    {
      "id": 3,
      "name": "GREEN",
      "description": "Green",
      "value": 2,
      "user_editable": "N",
      "created_at": "2017-03-21 14:56:15",
      "updated_at": "2017-03-21 14:56:15"
    },
    {
      "id": 4,
      "name": "WHITE",
      "description": "White",
      "value": 3,
      "user_editable": "N",
      "created_at": "2017-03-21 14:56:15",
      "updated_at": "2017-03-21 14:56:15"
    }
  ]
}
Response  401

Access denied.

TLP

Get Single
GET /tlp/{tlp_id}

Get a single TLP.

Example URI

GET /tlp/1
URI Parameters
tlp_id
integer (required) Example: 1

TLP ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 1,
    "name": "RED",
    "description": "Red",
    "value": 0,
    "user_editable": "N",
    "created_at": "2017-04-27 14:43:47",
    "updated_at": "2017-04-27 14:43:47"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Whitelist

Whitelist List

Get List
GET /whitelist/rules{?limit,offset,sort,with}

Get a list of Whitelist Rules.

Example URI

GET /whitelist/rules?limit=500&offset=100&sort=id&with=type
URI Parameters
limit
integer (optional) Example: 500

The maximum number of records to retrieve.

offset
integer (optional) Example: 100

Designate the record that will appear first in your retrieved list.

sort
string (optional) Example: id

Designate the field(s) you want to use to sort the retrieved list. You can prepend each field with a minus sign (-) to reverse the sorting order. This string can be a list of comma-separated values.

with
string (optional) Example: type

A comma-separated list of related objects to include in the response. Options for this endpoint: type.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "total": 2,
  "data": [
    {
      "id": 1,
      "type_id": 8,
      "status_id": 0,
      "rule": "threatq.com",
      "enabled": "N",
      "created_at": "2017-07-05 02:01:44",
      "updated_at": "2017-07-05 02:01:44",
      "type": {
        "id": 8,
        "name": "FQDN",
        "class": "network",
        "score": null,
        "wildcard_matching": "Y",
        "created_at": "2017-07-05 01:04:22",
        "updated_at": "2017-07-05 01:04:22"
      }
    },
    {
      "id": 1,
      "type_id": 11,
      "status_id": 0,
      "rule": "37.139.40.0/21",
      "enabled": "N",
      "created_at": "2017-07-05 02:01:44",
      "updated_at": "2017-07-05 02:01:44",
      "type": {
        "id": 8,
        "name": "IP Address",
        "class": "network",
        "score": null,
        "wildcard_matching": "Y",
        "created_at": "2017-07-05 01:04:22",
        "updated_at": "2017-07-05 01:04:22"
      }
    }
  ]
}
Response  401

Access denied.
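
A defender-side sketch of paging through GET /whitelist/rules with limit and offset and reviewing the result for broad, enabled network exclusions. This is an added example, not part of ThreatQuotient's documentation or code; `fake_fetch`, the sample rules and the /16 threshold are assumptions, and in practice `fetch` would be an authenticated GET against the base URI.

```python
import ipaddress
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample rules, shaped like the documented "data" items.
SAMPLE_RULES = [
    {"id": 1, "rule": "threatq.com", "enabled": "N", "type": {"name": "FQDN"}},
    {"id": 2, "rule": "37.139.40.0/21", "enabled": "Y", "type": {"name": "IP Address"}},
    {"id": 3, "rule": "10.0.0.0/8", "enabled": "Y", "type": {"name": "IP Address"}},
]

def fake_fetch(path):
    """Hypothetical stand-in for an authenticated GET; serves SAMPLE_RULES by page."""
    query = parse_qs(urlsplit(path).query)
    start, size = int(query["offset"][0]), int(query["limit"][0])
    return {"total": len(SAMPLE_RULES), "data": SAMPLE_RULES[start:start + size]}

def iter_whitelist_rules(fetch, limit=500):
    """Yield every rule, advancing offset until 'total' records have been seen."""
    offset = 0
    while True:
        params = urlencode({"limit": limit, "offset": offset, "sort": "id", "with": "type"})
        page = fetch("/whitelist/rules?" + params)
        yield from page["data"]
        offset += len(page["data"])
        if not page["data"] or offset >= page["total"]:
            return

def broad_enabled_networks(rules, min_prefix=16):
    """Return (id, rule) for enabled CIDR rules wider than min_prefix (assumed threshold)."""
    flagged = []
    for rule in rules:
        if rule["enabled"] != "Y":
            continue
        try:
            net = ipaddress.ip_network(rule["rule"], strict=False)
        except ValueError:
            continue  # not an IP or CIDR rule, e.g. an FQDN or a hash
        if net.prefixlen < min_prefix:
            flagged.append((rule["id"], rule["rule"]))
    return flagged

if __name__ == "__main__":
    rules = list(iter_whitelist_rules(fake_fetch, limit=2))
    print(broad_enabled_networks(rules))
```
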

Create New
POST /whitelist/rules

Create a new Whitelist Rule.

Example URI

POST /whitelist/rules
Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "rule": "<body onload=alert('Alert means failure!')>",
  "type_id": 19
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "status_id": 0,
    "rule": "<body onload=alert('Alert means failure!')>",
    "type_id": 19,
    "updated_at": "2017-04-27 19:32:53",
    "created_at": "2017-04-27 19:32:53",
    "id": 3,
    "updated_count": 0
  }
}
Response  400

Validation failed.

Headers
Content-Type: application/json
Body
{
  "data": {
    "status_id": 0,
    "errors": {
      "type_id": [
        "The type id field is required."
      ],
      "rule": [
        "The rule field is required."
      ]
    }
  }
}
Response  401

Access denied.

Whitelist Count

Whitelist Count
GET /whitelist/rules/count{?rule,type_id}

Get a count of the number of indicators affected by a Whitelist Rule.

Example URI

GET /whitelist/rules/count?rule=37.139.40.0/21&type_id=1
URI Parameters
rule
string (required) Example: 37.139.40.0/21

Whitelist Rule

type_id
integer (required) Example: 1

Indicator Type ID

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "count": 1
}
Response  401

Access denied.

Whitelist Rule

Get Single
GET /whitelist/rules/{whitelist_rule_id}{?with}

Get a single Whitelist Rule.

Example URI

GET /whitelist/rules/1?with=type
URI Parameters
whitelist_rule_id
integer (required) Example: 1

Whitelist Rule ID

with
string (optional) Example: type

A comma-separated list of related objects to include in the response. Options for this endpoint: type.

Request
Headers
Authorization: Bearer <access_token>
Response  200

Object(s) retrieved successfully.

Body
{
  "data": {
    "id": 4,
    "type_id": 7,
    "status_id": 0,
    "rule": "threatq.com",
    "enabled": "Y",
    "created_at": "2017-04-27 19:36:24",
    "updated_at": "2017-04-27 19:36:24"
  }
}
Response  401

Access denied.

Response  404

Object not found.

Update
PUT /whitelist/rules/{whitelist_rule_id}{?with}

Update a Whitelist Rule.

Example URI

PUT /whitelist/rules/1?with=type
URI Parameters
whitelist_rule_id
integer (required) Example: 1

Whitelist Rule ID

with
string (optional) Example: type

A comma-separated list of related objects to include in the response. Options for this endpoint: type.

Request
Headers
Content-Type: application/json
Authorization: Bearer <access_token>
Body
{
  "rule": "<body onload=alert('Alert means danger!')>",
  "type_id": 19
}
Response  201

Object was created successfully.

Headers
Content-Type: application/json
Body
{
  "data": {
    "id": 5,
    "type_id": 19,
    "status_id": 0,
    "rule": "<body onload=alert('Alert means danger!')>",
    "enabled": "N",
    "created_at": "2017-07-05 02:30:12",
    "updated_at": "2017-07-05 02:30:13",
    "updated_count": 0,
    "type": {
      "id": 19,
      "name": "SHA-512",
      "class": "host",
      "score": null,
      "wildcard_matching": "N",
      "created_at": "2017-07-05 02:16:35",
      "updated_at": "2017-07-05 02:16:35"
    }
  }
}
Response  401

Access denied.

Response  404

Object not found.

Delete
DELETE /whitelist/rules/{whitelist_rule_id}

Delete a Whitelist Rule.

Example URI

DELETE /whitelist/rules/1
URI Parameters
whitelist_rule_id
integer (required) Example: 1

Whitelist Rule ID

Request
Headers
Authorization: Bearer <access_token>
Response  204

Object(s) were successfully deleted.

Response  401

Access denied.

Response  404

Object not found.

Generated by aglio on 19 Dec 2022