ThreatQ API (6.11.0)
Download OpenAPI specification:Download
© 2025
The API doc you are viewing is a BETA version that provides an early look at ThreatQ’s new API documentation format. At the moment, it does not cover the entire application program interface. Additional API resources, including the current standard format as well as previous versions, are available on the ThreatQ Help Center
Last Updated: 2025-07-29
The ThreatQ API is built on REST principles and uses JSON as a data interchange format.
Base URI
All URIs referenced in this document use the following base: https://hostname/api/, where hostname is replaced with the hostname or ip address of your ThreatQ instance.
Request Format
The ThreatQ API supports the following HTTP verbs:
| Verb | Description |
|---|---|
| GET | GET requests retrieve resources. |
| POST | POST requests create resources. |
| PUT | PUT requests update resources. |
| DELETE | DELETE requests delete resources. |
Response Format
All responses are returned in JSON. The response is wrapped in a top level data envelope which is an object or array depending on whether a single item or a collection is returned. If a single item is returned, the data field will be an object. If a collection is returned, the field will be an array.
Response Codes
The ThreatQ API uses HTTP status codes to indicate the status of your request.
| Code | Description |
|---|---|
| 200 | Object was retrieved successfully. |
| 201 | Object was created successfully. |
| 204 | Object(s) were successfully deleted. |
| 400 | Validation failed (usually as the result of an incorrect request) |
| 401 | Access denied (authorization access token in the header was incorrect / out of date) |
| 403 | Access forbidden (usually as the result of a bad request) |
| 404 | Object not found |
Authentication
ThreatQ uses OAuth 2.0 to authenticate end users. You must have a ThreatQ user account to retrieve an API token. The API token is required for all API requests. The token does time out; therefore, you must periodically refresh the token.
Authorization workflow
Run a GET request to retrieve your client ID using the following format: https://hostname/assets/js/config.js
Run a POST/token request to retrieve your authorization access token. See POST/token in the Authorization section of this reference for the correct format.
Include the following parameters:
- grant_type (password)
- client-id (retrieved in step 1)
Example: https://hostname/api/token?grant_type=password&client_id=ab20a55dd9ac779246210d7102a45ee37
In the request body, include your ThreatQ credentials:
- password
Enter the access token as the authorization key in the header for all subsequent api requests.
OAuth2 Authentication
You must have a ThreatQ User account to retrieve an API token. The API token is required for all requests. The
token does time out; therefore, you must periodically refresh the token.
Before authentication is attempted,
the Client ID used should be retrieved via GET to <hostname>/assets/js/config.js.
NOTE: The Authorization header can be ignored as authentication has not occurred yet.
Authorizations:
Request Body schema: application/json
| grant_type | string The grant_type you are authenticating with. |
| client_id | string Client ID retrieved from GET ` |
string User's email | |
| password | string User's password |
Responses
Request samples
- Payload
{- "grant_type": "password",
- "client_id": "ngmwzmvkntc1owe4nmy0mjuyoda0nwq1",
- "email": "fMercury@threatq.com",
- "password": "****************"
}Response samples
- 200
- 400
- 503
{- "access_token": "AbCdEfGhIjKLm",
- "token_type": "bearer",
- "expires_in": 3599,
- "refresh_token": "NoPqRsTuVwXyZ"
}List Adversaries
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 54,
- "name": "Sad Panda",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Adversary
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| name | string Adversary Name |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Sad Panda"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 54,
- "name": "Sad Panda",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Adversary Consume
Authorizations:
Request Body schema: application/json
Array of objects (AdversaryFillable) Related Adversaries | |
| name | string Adversary Name |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| <object_code> | Array of integers Relate objects of other types by providing a list of IDs. Replace the |
Responses
Request samples
- Payload
[- {
- "adversaries": [
- {
- "name": "Sad Panda"
}
], - "name": "Sad Panda",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "<object_code>": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "name": "Sad Panda"
}
], - "total": 1
}Get Single Adversary
Authorizations:
path Parameters
| adversary_id required | integer Adversary ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Responses
Response samples
- 200
{- "data": {
- "id": 54,
- "name": "Sad Panda",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Adversary
Authorizations:
path Parameters
| adversary_id required | integer Adversary ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| name | string Adversary Name |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Sad Panda"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 54,
- "name": "Sad Panda",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Attribute Search
Get attributes matching the specified search query
Authorizations:
query Parameters
| query required | string Example: query=www.threatquotient.com
|
| limit | integer Default: 30 Example: limit=10
|
| with | string Default: "all" Example: with=indicators,malware
|
Responses
Response samples
- 200
{- "data": [
- {
- "object_attribute_id": 1,
- "type": "indicator",
- "object_id": 1,
- "attribute_id": 1,
- "value": "www.threatquotient.com"
}
]
}Tag Search
Get tags matching the specified search query
Authorizations:
query Parameters
| query required | string Example: query=www.threatquotient.com
|
| limit | integer Default: 30 Example: limit=10
|
| with | string Default: "all" Example: with=indicators,malware
|
Responses
Response samples
- 200
{- "data": [
- {
- "tag_id": 1,
- "object_id": 1,
- "type": "indicator",
- "name": "www.threatquotient.com"
}
]
}Object Search
Get objects matching the specified search query
Authorizations:
query Parameters
| query required | string Example: query=www.threatquotient.com
|
| limit | integer Default: 30 Example: limit=10
|
| with | string Default: "all" Example: with=indicators,malware
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 1,
- "type": "indicator",
- "value": "www.threatquotient.com"
}
]
}List Assets
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 68,
- "value": "MacBook Pro",
- "description": "Development machine",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Assets
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Asset Value |
| description | string Description for the Asset |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "MacBook Pro",
- "description": "Development machine"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 68,
- "value": "MacBook Pro",
- "description": "Development machine",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Assets Consume
Authorizations:
Request Body schema: application/json
Array of objects (AssetsFillable) Related Assets | |
| value | string Asset Value |
| description | string Description for the Asset |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| <object_code> | Array of integers Relate objects of other types by providing a list of IDs. Replace the |
Responses
Request samples
- Payload
[- {
- "asset": [
- {
- "value": "MacBook Pro",
- "description": "Development machine"
}
], - "value": "MacBook Pro",
- "description": "Development machine",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "<object_code>": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "value": "MacBook Pro",
- "description": "Development machine"
}
], - "total": 1
}Get Single Assets
Authorizations:
path Parameters
| asset_id required | integer Asset ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Responses
Response samples
- 200
{- "data": {
- "id": 68,
- "value": "MacBook Pro",
- "description": "Development machine",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Assets
Authorizations:
path Parameters
| asset_id required | integer Asset ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Asset Value |
| description | string Description for the Asset |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "MacBook Pro",
- "description": "Development machine"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 68,
- "value": "MacBook Pro",
- "description": "Development machine",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}List Attachments (Files)
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 72,
- "type_id": 14,
- "title": "malicious.exe",
- "name": "malicious.exe",
- "hash": "701505c38aa35d0c523b6e85bced420f",
- "content_type_id": 1,
- "description": "This file is malicious...",
- "file_size": 11300,
- "path": "6/5/247ebe955ec180c8568f9bbc1dbfd4",
- "malware_locked": 1,
- "placeholder": 1,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Attachment
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| type_id | integer Attachment (File) Type ID |
| title | string Attachment (File) Title |
| name | string Attachment (File) Name |
| hash | string Attachment (File) Hash (Unique Hash of File Contents) |
| content_type_id | integer Attachment (File) Content Type ID |
| description | string Attachment (File) Description |
| file_size | integer Attachment (File) Size |
| path | string Attachment (File) Path |
| malware_locked | integer Attachment (File) is Malware Locked |
| placeholder | integer Attachment (File) is Placeholder |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "type_id": 14,
- "title": "malicious.exe",
- "name": "malicious.exe",
- "hash": "701505c38aa35d0c523b6e85bced420f",
- "content_type_id": 1,
- "description": "This file is malicious...",
- "file_size": 11300,
- "path": "6/5/247ebe955ec180c8568f9bbc1dbfd4",
- "malware_locked": 1,
- "placeholder": 1
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 72,
- "type_id": 14,
- "title": "malicious.exe",
- "name": "malicious.exe",
- "hash": "701505c38aa35d0c523b6e85bced420f",
- "content_type_id": 1,
- "description": "This file is malicious...",
- "file_size": 11300,
- "path": "6/5/247ebe955ec180c8568f9bbc1dbfd4",
- "malware_locked": 1,
- "placeholder": 1,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Get Single Attachment
Authorizations:
path Parameters
| attachment_id required | integer Attachment (File) ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Responses
Response samples
- 200
{- "data": {
- "id": 72,
- "type_id": 14,
- "title": "malicious.exe",
- "name": "malicious.exe",
- "hash": "701505c38aa35d0c523b6e85bced420f",
- "content_type_id": 1,
- "description": "This file is malicious...",
- "file_size": 11300,
- "path": "6/5/247ebe955ec180c8568f9bbc1dbfd4",
- "malware_locked": 1,
- "placeholder": 1,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Attachment
Authorizations:
path Parameters
| attachment_id required | integer Attachment (File) ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| type_id | integer Attachment (File) Type ID |
| title | string Attachment (File) Title |
| name | string Attachment (File) Name |
| hash | string Attachment (File) Hash (Unique Hash of File Contents) |
| content_type_id | integer Attachment (File) Content Type ID |
| description | string Attachment (File) Description |
| file_size | integer Attachment (File) Size |
| path | string Attachment (File) Path |
| malware_locked | integer Attachment (File) is Malware Locked |
| placeholder | integer Attachment (File) is Placeholder |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "type_id": 14,
- "title": "malicious.exe",
- "name": "malicious.exe",
- "hash": "701505c38aa35d0c523b6e85bced420f",
- "content_type_id": 1,
- "description": "This file is malicious...",
- "file_size": 11300,
- "path": "6/5/247ebe955ec180c8568f9bbc1dbfd4",
- "malware_locked": 1,
- "placeholder": 1
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 72,
- "type_id": 14,
- "title": "malicious.exe",
- "name": "malicious.exe",
- "hash": "701505c38aa35d0c523b6e85bced420f",
- "content_type_id": 1,
- "description": "This file is malicious...",
- "file_size": 11300,
- "path": "6/5/247ebe955ec180c8568f9bbc1dbfd4",
- "malware_locked": 1,
- "placeholder": 1,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}List Attack Pattern
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 67,
- "value": "TXXXX - Scripting",
- "description": "Adversaries may use scripts...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Attack Pattern
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Attack Pattern Value |
| description | string Description for the Attack Pattern |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "TXXXX - Scripting",
- "description": "Adversaries may use scripts..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 67,
- "value": "TXXXX - Scripting",
- "description": "Adversaries may use scripts...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Attack Pattern Consume
Authorizations:
Request Body schema: application/json
Array of objects (AttackPatternFillable) Related Attack Pattern | |
| value | string Attack Pattern Value |
| description | string Description for the Attack Pattern |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| <object_code> | Array of integers Relate objects of other types by providing a list of IDs. Replace the |
Responses
Request samples
- Payload
[- {
- "attack_pattern": [
- {
- "value": "TXXXX - Scripting",
- "description": "Adversaries may use scripts..."
}
], - "value": "TXXXX - Scripting",
- "description": "Adversaries may use scripts...",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "<object_code>": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "value": "TXXXX - Scripting",
- "description": "Adversaries may use scripts..."
}
], - "total": 1
}Get Single Attack Pattern
Authorizations:
path Parameters
| attack_pattern_id required | integer Attack Pattern ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Responses
Response samples
- 200
{- "data": {
- "id": 67,
- "value": "TXXXX - Scripting",
- "description": "Adversaries may use scripts...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Attack Pattern
Authorizations:
path Parameters
| attack_pattern_id required | integer Attack Pattern ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Attack Pattern Value |
| description | string Description for the Attack Pattern |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "TXXXX - Scripting",
- "description": "Adversaries may use scripts..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 67,
- "value": "TXXXX - Scripting",
- "description": "Adversaries may use scripts...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}List Campaign
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 67,
- "value": "Operation Omega",
- "description": "Campaign against systems at big box retailers...",
- "objective": "Campaign against U.S. industry...",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Campaign
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Campaign Value |
| description | string Description for the Campaign |
| objective | string Objective for the Campaign |
| started_at | string Date the Campaign was first seen |
| ended_at | string Date the Campaign was last seen |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Operation Omega",
- "description": "Campaign against systems at big box retailers...",
- "objective": "Campaign against U.S. industry...",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 67,
- "value": "Operation Omega",
- "description": "Campaign against systems at big box retailers...",
- "objective": "Campaign against U.S. industry...",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Campaign Consume
Authorizations:
Request Body schema: application/json
Array of objects (CampaignFillable) Related Campaign | |
| value | string Campaign Value |
| description | string Description for the Campaign |
| objective | string Objective for the Campaign |
| started_at | string Date the Campaign was first seen |
| ended_at | string Date the Campaign was last seen |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| <object_code> | Array of integers Relate objects of other types by providing a list of IDs. Replace the |
Responses
Request samples
- Payload
[- {
- "campaign": [
- {
- "value": "Operation Omega",
- "description": "Campaign against systems at big box retailers...",
- "objective": "Campaign against U.S. industry...",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13"
}
], - "value": "Operation Omega",
- "description": "Campaign against systems at big box retailers...",
- "objective": "Campaign against U.S. industry...",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "<object_code>": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "value": "Operation Omega",
- "description": "Campaign against systems at big box retailers...",
- "objective": "Campaign against U.S. industry...",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13"
}
], - "total": 1
}Get Single Campaign
Authorizations:
path Parameters
| campaign_id required | integer Campaign ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Responses
Response samples
- 200
{- "data": {
- "id": 67,
- "value": "Operation Omega",
- "description": "Campaign against systems at big box retailers...",
- "objective": "Campaign against U.S. industry...",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Campaign
Authorizations:
path Parameters
| campaign_id required | integer Campaign ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Campaign Value |
| description | string Description for the Campaign |
| objective | string Objective for the Campaign |
| started_at | string Date the Campaign was first seen |
| ended_at | string Date the Campaign was last seen |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Operation Omega",
- "description": "Campaign against systems at big box retailers...",
- "objective": "Campaign against U.S. industry...",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 67,
- "value": "Operation Omega",
- "description": "Campaign against systems at big box retailers...",
- "objective": "Campaign against U.S. industry...",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a Connector
There are two request options for creating a Connector:
(1) A JSON representation of the Connector definition
in the request body
(2) Resumable file upload parameters in the request body or as query path parameters for a YAML
Connector definition file
Authorizations:
path Parameters
| resumableChunkNumber required | integer (ResumableChunkNumber) Example: 1
|
| resumableChunkSize required | integer (ResumableChunkSize) Example: 4096
|
| resumableCurrentChunkSize required | integer (ResumableCurrentChunkSize) Example: 1024
|
| resumableTotalSize required | integer (ResumableTotalSize) Example: 2048
|
| resumableType required | string (ResumableType) Example: application/x-yaml
|
| resumableIdentifier required | string (ResumableIdentifier) Example: 2048-connectoryaml
|
| resumableFilename required | string (ResumableFilename) Example: connector.yaml
|
| resumableRelativePath required | string (ResumableRelativePath) Example: connector.yaml
|
| resumableTotalChunks required | integer (ResumableTotalChunks) Example: 2
|
| with | string Example: category,definition,tlp
|
Request Body schema:
| resumableChunkNumber | integer (ResumableChunkNumber) Chunk number of the data |
| resumableChunkSize | integer (ResumableChunkSize) Chunk size of the data |
| resumableCurrentChunkSize | integer (ResumableCurrentChunkSize) Current chunk size of the data |
| resumableTotalSize | integer (ResumableTotalSize) Total size of the data |
| resumableType | string (ResumableType) Type of the data |
| resumableIdentifier | string (ResumableIdentifier) Identifier of the data |
| resumableFilename | string (ResumableFilename) File name |
| resumableRelativePath | string (ResumableRelativePath) Relative path of the file |
| resumableTotalChunks | integer (ResumableTotalChunks) Total amount of chunks for the data |
| package required | string The Connector definition YAML file |
Responses
Request samples
- Payload
Response samples
- 200
{- "data": {
- "name": "Adversary Reader",
- "namespace": "threatq.adversary_reader",
- "description": "Captures Adversary and related information...",
- "custom_fields": "[{...}]",
- "frequency": 86400,
- "connector_definition_id": 1,
- "workflow_definition_id": 1,
- "indicator_status_id": 1,
- "last_import_at": "2022-08-17 00:00:00",
- "last_import_count": 100,
- "is_active": "disabled",
- "is_notifiable": false,
- "tlp_id": 1,
- "version": "1.0.0",
- "file_save_enabled": false,
- "schedule": null,
- "next_run_at": "2022-08-17 12:00:00",
- "category_id": 1,
- "definition_type": "feed",
- "gate_oauth2_client_id": 1,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}Analyze Connector YAML
Analyze the connector YAML to determine if it can be uploaded
Authorizations:
path Parameters
| resumableChunkNumber required | integer (ResumableChunkNumber) Example: 1
|
| resumableChunkSize required | integer (ResumableChunkSize) Example: 4096
|
| resumableCurrentChunkSize required | integer (ResumableCurrentChunkSize) Example: 1024
|
| resumableTotalSize required | integer (ResumableTotalSize) Example: 2048
|
| resumableType required | string (ResumableType) Example: application/x-yaml
|
| resumableIdentifier required | string (ResumableIdentifier) Example: 2048-connectoryaml
|
| resumableFilename required | string (ResumableFilename) Example: connector.yaml
|
| resumableRelativePath required | string (ResumableRelativePath) Example: connector.yaml
|
| resumableTotalChunks required | integer (ResumableTotalChunks) Example: 2
|
Request Body schema: multipart/form-data
| resumableChunkNumber | integer (ResumableChunkNumber) Chunk number of the data |
| resumableChunkSize | integer (ResumableChunkSize) Chunk size of the data |
| resumableCurrentChunkSize | integer (ResumableCurrentChunkSize) Current chunk size of the data |
| resumableTotalSize | integer (ResumableTotalSize) Total size of the data |
| resumableType | string (ResumableType) Type of the data |
| resumableIdentifier | string (ResumableIdentifier) Identifier of the data |
| resumableFilename | string (ResumableFilename) File name |
| resumableRelativePath | string (ResumableRelativePath) Relative path of the file |
| resumableTotalChunks | integer (ResumableTotalChunks) Total amount of chunks for the data |
| package required | string The Connector definition YAML file |
Responses
Response samples
- 200
{- "data": {
- "definition_yaml": "Connector YAML contents...",
- "required_threatq_version": null,
- "summary": {
- "connector_name": {
- "additional_run_params": [
- "since"
], - "config": {
- "category": {
- "name": "Labs"
}, - "custom_fields": [
- {
- "type": "hr"
}
], - "description": "My connector",
- "indicator_status": "Active",
- "ingest_rules": {
- "attributes": [
- {
- "name": "Country",
- "multivalue": false
}
]
}, - "name": "connector_name",
- "namespace": "threatq.connector_name",
- "signature_status": "Active"
}, - "is_supplemental": false,
- "object_types": [
- "indicator"
], - "supports_manual": false
}
}, - "version": "1.0.0"
}
}List Course of Action
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 6274,
- "value": "TXXXX - Account Discovery Mitigation",
- "description": "Prevent administrator accounts from...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Course of Action
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Course of Action Value |
| description | string Description for the Course of Action |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "TXXXX - Account Discovery Mitigation",
- "description": "Prevent administrator accounts from..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 6274,
- "value": "TXXXX - Account Discovery Mitigation",
- "description": "Prevent administrator accounts from...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Course of Action Consume
Authorizations:
Request Body schema: application/json
Array of objects (CourseOfActionFillable) Related Course of Action | |
| value | string Course of Action Value |
| description | string Description for the Course of Action |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| <object_code> | Array of integers Relate objects of other types by providing a list of IDs. Replace the |
Responses
Request samples
- Payload
[- {
- "course_of_action": [
- {
- "value": "TXXXX - Account Discovery Mitigation",
- "description": "Prevent administrator accounts from..."
}
], - "value": "TXXXX - Account Discovery Mitigation",
- "description": "Prevent administrator accounts from...",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "<object_code>": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "value": "TXXXX - Account Discovery Mitigation",
- "description": "Prevent administrator accounts from..."
}
], - "total": 1
}Get Single Course of Action
Authorizations:
path Parameters
| course_of_action_id required | integer Course of Action ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Responses
Response samples
- 200
{- "data": {
- "id": 6274,
- "value": "TXXXX - Account Discovery Mitigation",
- "description": "Prevent administrator accounts from...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Course of Action
Authorizations:
path Parameters
| course_of_action_id required | integer Course of Action ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Course of Action Value |
| description | string Description for the Course of Action |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "TXXXX - Account Discovery Mitigation",
- "description": "Prevent administrator accounts from..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 6274,
- "value": "TXXXX - Account Discovery Mitigation",
- "description": "Prevent administrator accounts from...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}List Events
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 54,
- "type_id": 1,
- "title": "Fwd: for you ????",
- "happened_at": "2019-12-18 16:57:00",
- "hash": "02f0897a6516236de8bc4c958d2803ca",
- "description": "This Event was observed when...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Event
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| type_id | integer Event Type ID |
| title | string Event Title |
| happened_at | string Date Event Occurred |
| hash | string Hash of the Event happened_at and title |
| description | string Event Description |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "type_id": 1,
- "title": "Fwd: for you ????",
- "happened_at": "2019-12-18 16:57:00",
- "hash": "02f0897a6516236de8bc4c958d2803ca",
- "description": "This Event was observed when..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 54,
- "type_id": 1,
- "title": "Fwd: for you ????",
- "happened_at": "2019-12-18 16:57:00",
- "hash": "02f0897a6516236de8bc4c958d2803ca",
- "description": "This Event was observed when...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Event Consume
Authorizations:
Request Body schema: application/json
Array of objects (EventFillable) Related Events | |
| type_id | integer Event Type ID |
| title | string Event Title |
| happened_at | string Date Event Occurred |
| hash | string Hash of the Event happened_at and title |
| description | string Event Description |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| <object_code> | Array of integers Relate objects of other types by providing a list of IDs. Replace the |
Responses
Request samples
- Payload
[- {
- "events": [
- {
- "type_id": 1,
- "title": "Fwd: for you ????",
- "happened_at": "2019-12-18 16:57:00",
- "hash": "02f0897a6516236de8bc4c958d2803ca",
- "description": "This Event was observed when..."
}
], - "type_id": 1,
- "title": "Fwd: for you ????",
- "happened_at": "2019-12-18 16:57:00",
- "hash": "02f0897a6516236de8bc4c958d2803ca",
- "description": "This Event was observed when...",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "<object_code>": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "type_id": 1,
- "title": "Fwd: for you ????",
- "happened_at": "2019-12-18 16:57:00",
- "hash": "02f0897a6516236de8bc4c958d2803ca",
- "description": "This Event was observed when..."
}
], - "total": 1
}Get Single Event
Authorizations:
path Parameters
| event_id required | integer Event ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Responses
Response samples
- 200
{- "data": {
- "id": 54,
- "type_id": 1,
- "title": "Fwd: for you ????",
- "happened_at": "2019-12-18 16:57:00",
- "hash": "02f0897a6516236de8bc4c958d2803ca",
- "description": "This Event was observed when...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Event
Authorizations:
path Parameters
| event_id required | integer Event ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| type_id | integer Event Type ID |
| title | string Event Title |
| happened_at | string Date Event Occurred |
| hash | string Hash of the Event happened_at and title |
| description | string Event Description |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "type_id": 1,
- "title": "Fwd: for you ????",
- "happened_at": "2019-12-18 16:57:00",
- "hash": "02f0897a6516236de8bc4c958d2803ca",
- "description": "This Event was observed when..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 54,
- "type_id": 1,
- "title": "Fwd: for you ????",
- "happened_at": "2019-12-18 16:57:00",
- "hash": "02f0897a6516236de8bc4c958d2803ca",
- "description": "This Event was observed when...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a Spearphish Event
Authorizations:
path Parameters
| event_id required | integer Event ID |
Request Body schema: application/json
| subject | string Spearphish Email Subject |
| sender | string Spearphish Email Sender |
| value | string Spearphish Email Body |
Responses
Request samples
- Payload
{- "subject": "Fwd: for you ????",
- "sender": "bad-email@do-not-trust.com",
- "value": "Content-Type: text/plain; charset='utf-8'..."
}Response samples
- 201
{- "data": {
- "id": 1,
- "event_id": 54,
- "hash": "dd829f2f1ce7a37b01c0cdb6adae8496",
- "last_parsed_at": "2020-01-24 20:21:51",
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "subject": "Fwd: for you ????",
- "sender": "bad-email@do-not-trust.com",
- "value": "Content-Type: text/plain; charset='utf-8'..."
}
}Get a Single Spearphish Event
Authorizations:
path Parameters
| event_id required | integer Event ID |
| spearphish_id required | integer Spearphish ID |
query Parameters
| with | string Example: with=event
|
Responses
Response samples
- 200
{- "data": {
- "event": {
- "id": 54,
- "type_id": 1,
- "title": "Fwd: for you ????",
- "happened_at": "2019-12-18 16:57:00",
- "hash": "02f0897a6516236de8bc4c958d2803ca",
- "description": "This Event was observed when...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}, - "id": 1,
- "event_id": 54,
- "hash": "dd829f2f1ce7a37b01c0cdb6adae8496",
- "last_parsed_at": "2020-01-24 20:21:51",
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "subject": "Fwd: for you ????",
- "sender": "bad-email@do-not-trust.com",
- "value": "Content-Type: text/plain; charset='utf-8'..."
}
}Update a Spearphish Event
Authorizations:
path Parameters
| event_id required | integer Event ID |
| spearphish_id required | integer Spearphish ID |
query Parameters
| with | string Example: with=event
|
Request Body schema: application/json
| subject | string Spearphish Email Subject |
| sender | string Spearphish Email Sender |
| value | string Spearphish Email Body |
Responses
Request samples
- Payload
{- "subject": "Fwd: for you ????",
- "sender": "bad-email@do-not-trust.com",
- "value": "Content-Type: text/plain; charset='utf-8'..."
}Response samples
- 201
{- "data": {
- "event": {
- "id": 54,
- "type_id": 1,
- "title": "Fwd: for you ????",
- "happened_at": "2019-12-18 16:57:00",
- "hash": "02f0897a6516236de8bc4c958d2803ca",
- "description": "This Event was observed when...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}, - "id": 1,
- "event_id": 54,
- "hash": "dd829f2f1ce7a37b01c0cdb6adae8496",
- "last_parsed_at": "2020-01-24 20:21:51",
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "subject": "Fwd: for you ????",
- "sender": "bad-email@do-not-trust.com",
- "value": "Content-Type: text/plain; charset='utf-8'..."
}
}List Spearphish Events
Authorizations:
path Parameters
| event_id required | integer Event ID |
query Parameters
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
| sort | string Example: sort=id,created_at
|
| with | string Example: with=event
|
Responses
Response samples
- 200
{- "data": [
- {
- "event": {
- "id": 54,
- "type_id": 1,
- "title": "Fwd: for you ????",
- "happened_at": "2019-12-18 16:57:00",
- "hash": "02f0897a6516236de8bc4c958d2803ca",
- "description": "This Event was observed when...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}, - "id": 1,
- "event_id": 54,
- "hash": "dd829f2f1ce7a37b01c0cdb6adae8496",
- "last_parsed_at": "2020-01-24 20:21:51",
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "subject": "Fwd: for you ????",
- "sender": "bad-email@do-not-trust.com",
- "value": "Content-Type: text/plain; charset='utf-8'..."
}
], - "total": 1
}List Exploit Target
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 139,
- "value": "Weakness - CWE-89",
- "description": "Improper String Handling",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Exploit Target
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Exploit Target Value |
| description | string Description for the Exploit Target |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Weakness - CWE-89",
- "description": "Improper String Handling"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 139,
- "value": "Weakness - CWE-89",
- "description": "Improper String Handling",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Exploit Target Consume
Authorizations:
Request Body schema: application/json
Array of objects (ExploitTargetFillable) Related Exploit Target | |
| value | string Exploit Target Value |
| description | string Description for the Exploit Target |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| <object_code> | Array of integers Relate objects of other types by providing a list of IDs. Replace the |
Responses
Request samples
- Payload
[- {
- "exploit_target": [
- {
- "value": "Weakness - CWE-89",
- "description": "Improper String Handling"
}
], - "value": "Weakness - CWE-89",
- "description": "Improper String Handling",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "<object_code>": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "value": "Weakness - CWE-89",
- "description": "Improper String Handling"
}
], - "total": 1
}Get Single Exploit Target
Authorizations:
path Parameters
| exploit_target_id required | integer Exploit Target ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Responses
Response samples
- 200
{- "data": {
- "id": 139,
- "value": "Weakness - CWE-89",
- "description": "Improper String Handling",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Exploit Target
Authorizations:
path Parameters
| exploit_target_id required | integer Exploit Target ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Exploit Target Value |
| description | string Description for the Exploit Target |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Weakness - CWE-89",
- "description": "Improper String Handling"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 139,
- "value": "Weakness - CWE-89",
- "description": "Improper String Handling",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}List Identity
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 67,
- "value": "Disco Team",
- "description": "Disco Team is the name of an organized threat actor...",
- "contact_information": "disco-team@stealthemail.com",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Identity
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Identity Value |
| description | string Description for the Identity |
| contact_information | string Contact Information for the Identity |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Disco Team",
- "description": "Disco Team is the name of an organized threat actor...",
- "contact_information": "disco-team@stealthemail.com"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 67,
- "value": "Disco Team",
- "description": "Disco Team is the name of an organized threat actor...",
- "contact_information": "disco-team@stealthemail.com",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Identity Consume
Authorizations:
Request Body schema: application/json
Array of objects (IdentityFillable) Related Identity | |
| value | string Identity Value |
| description | string Description for the Identity |
| contact_information | string Contact Information for the Identity |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| <object_code> | Array of integers Relate objects of other types by providing a list of IDs. Replace the |
Responses
Request samples
- Payload
[- {
- "identity": [
- {
- "value": "Disco Team",
- "description": "Disco Team is the name of an organized threat actor...",
- "contact_information": "disco-team@stealthemail.com"
}
], - "value": "Disco Team",
- "description": "Disco Team is the name of an organized threat actor...",
- "contact_information": "disco-team@stealthemail.com",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "<object_code>": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "value": "Disco Team",
- "description": "Disco Team is the name of an organized threat actor...",
- "contact_information": "disco-team@stealthemail.com"
}
], - "total": 1
}Get Single Identity
Authorizations:
path Parameters
| identity_id required | integer Identity ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Responses
Response samples
- 200
{- "data": {
- "id": 67,
- "value": "Disco Team",
- "description": "Disco Team is the name of an organized threat actor...",
- "contact_information": "disco-team@stealthemail.com",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Identity
Authorizations:
path Parameters
| identity_id required | integer Identity ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Identity Value |
| description | string Description for the Identity |
| contact_information | string Contact Information for the Identity |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Disco Team",
- "description": "Disco Team is the name of an organized threat actor...",
- "contact_information": "disco-team@stealthemail.com"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 67,
- "value": "Disco Team",
- "description": "Disco Team is the name of an organized threat actor...",
- "contact_information": "disco-team@stealthemail.com",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}List Incident
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 67,
- "value": "Malware on Systems 3,4,7",
- "description": "Systems 3,4,7 owned by ACME, Inc. have malware. APT31 is suspected.",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Incident
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Incident Value |
| description | string Description for the Incident |
| started_at | string Incident First Seen Date |
| ended_at | string Incident Last Seen Date |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Malware on Systems 3,4,7",
- "description": "Systems 3,4,7 owned by ACME, Inc. have malware. APT31 is suspected.",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 67,
- "value": "Malware on Systems 3,4,7",
- "description": "Systems 3,4,7 owned by ACME, Inc. have malware. APT31 is suspected.",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Incident Consume
Authorizations:
Request Body schema: application/json
Array of objects (IncidentFillable) Related Incident | |
| value | string Incident Value |
| description | string Description for the Incident |
| started_at | string Incident First Seen Date |
| ended_at | string Incident Last Seen Date |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| <object_code> | Array of integers Relate objects of other types by providing a list of IDs. Replace the |
Responses
Request samples
- Payload
[- {
- "incident": [
- {
- "value": "Malware on Systems 3,4,7",
- "description": "Systems 3,4,7 owned by ACME, Inc. have malware. APT31 is suspected.",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13"
}
], - "value": "Malware on Systems 3,4,7",
- "description": "Systems 3,4,7 owned by ACME, Inc. have malware. APT31 is suspected.",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "<object_code>": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "value": "Malware on Systems 3,4,7",
- "description": "Systems 3,4,7 owned by ACME, Inc. have malware. APT31 is suspected.",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13"
}
], - "total": 1
}Get Single Incident
Authorizations:
path Parameters
| incident_id required | integer Incident ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Responses
Response samples
- 200
{- "data": {
- "id": 67,
- "value": "Malware on Systems 3,4,7",
- "description": "Systems 3,4,7 owned by ACME, Inc. have malware. APT31 is suspected.",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Incident
Authorizations:
path Parameters
| incident_id required | integer Incident ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Incident Value |
| description | string Description for the Incident |
| started_at | string Incident First Seen Date |
| ended_at | string Incident Last Seen Date |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Malware on Systems 3,4,7",
- "description": "Systems 3,4,7 owned by ACME, Inc. have malware. APT31 is suspected.",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 67,
- "value": "Malware on Systems 3,4,7",
- "description": "Systems 3,4,7 owned by ACME, Inc. have malware. APT31 is suspected.",
- "started_at": "2019-02-28 15:59:24",
- "ended_at": "2020-05-13 05:46:13",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}List Indicators
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 54,
- "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
- "last_detected_at": "2020-02-28 13:42:51",
- "expires_at": "2020-04-01 03:17:23",
- "expired_at": null,
- "expired_needs_calc": "N",
- "expires_calculated_at": "2020-02-28 18:36:24",
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation.",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Indicator
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| type_id | integer Indicator Type ID |
| status_id | integer Indicator Status ID |
| class | string Indicator Class - Options include: host, network |
| value | string Indicator Value |
| description | string Indicator Description |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 54,
- "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
- "last_detected_at": "2020-02-28 13:42:51",
- "expires_at": "2020-04-01 03:17:23",
- "expired_at": null,
- "expired_needs_calc": "N",
- "expires_calculated_at": "2020-02-28 18:36:24",
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation.",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Indicator Consume
Authorizations:
Request Body schema: application/json
Array of objects (IndicatorFillable) Related Indicators | |
| type_id | integer Indicator Type ID |
| status_id | integer Indicator Status ID |
| class | string Indicator Class - Options include: host, network |
| value | string Indicator Value |
| description | string Indicator Description |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| <object_code> | Array of integers Relate objects of other types by providing a list of IDs. Replace the |
Responses
Request samples
- Payload
[- {
- "indicators": [
- {
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation."
}
], - "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation.",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "<object_code>": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation."
}
], - "total": 1
}Get Single Indicator
Authorizations:
path Parameters
| indicator_id required | integer Indicator ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Responses
Response samples
- 200
{- "data": {
- "id": 54,
- "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
- "last_detected_at": "2020-02-28 13:42:51",
- "expires_at": "2020-04-01 03:17:23",
- "expired_at": null,
- "expired_needs_calc": "N",
- "expires_calculated_at": "2020-02-28 18:36:24",
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation.",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Indicator
Authorizations:
path Parameters
| indicator_id required | integer Indicator ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| type_id | integer Indicator Type ID |
| status_id | integer Indicator Status ID |
| class | string Indicator Class - Options include: host, network |
| value | string Indicator Value |
| description | string Indicator Description |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 54,
- "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
- "last_detected_at": "2020-02-28 13:42:51",
- "expires_at": "2020-04-01 03:17:23",
- "expired_at": null,
- "expired_needs_calc": "N",
- "expires_calculated_at": "2020-02-28 18:36:24",
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation.",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}List Intrusion Set
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 67,
- "value": "APT BPP",
- "description": "An advanced persistent threat that seeks to disrupt...",
- "started_at": "2016-01-08 15:59:24",
- "ended_at": "2016-07-13 05:46:13",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Intrusion Set
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Intrusion Set Value |
| description | string Description for the Intrusion Set |
| started_at | string Date the Intrusion Set was first seen |
| ended_at | string Date the Intrusion Set was last seen |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "APT BPP",
- "description": "An advanced persistent threat that seeks to disrupt...",
- "started_at": "2016-01-08 15:59:24",
- "ended_at": "2016-07-13 05:46:13"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 67,
- "value": "APT BPP",
- "description": "An advanced persistent threat that seeks to disrupt...",
- "started_at": "2016-01-08 15:59:24",
- "ended_at": "2016-07-13 05:46:13",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Intrusion Set Consume
Authorizations:
Request Body schema: application/json
Array of objects (IntrusionSetFillable) Related Intrusion Set | |
| value | string Intrusion Set Value |
| description | string Description for the Intrusion Set |
| started_at | string Date the Intrusion Set was first seen |
| ended_at | string Date the Intrusion Set was last seen |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| <object_code> | Array of integers Relate objects of other types by providing a list of IDs. Replace the |
Responses
Request samples
- Payload
[- {
- "intrusion_set": [
- {
- "value": "APT BPP",
- "description": "An advanced persistent threat that seeks to disrupt...",
- "started_at": "2016-01-08 15:59:24",
- "ended_at": "2016-07-13 05:46:13"
}
], - "value": "APT BPP",
- "description": "An advanced persistent threat that seeks to disrupt...",
- "started_at": "2016-01-08 15:59:24",
- "ended_at": "2016-07-13 05:46:13",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "<object_code>": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "value": "APT BPP",
- "description": "An advanced persistent threat that seeks to disrupt...",
- "started_at": "2016-01-08 15:59:24",
- "ended_at": "2016-07-13 05:46:13"
}
], - "total": 1
}Get Single Intrusion Set
Authorizations:
path Parameters
| intrusion_set_id required | integer Intrusion Set ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Responses
Response samples
- 200
{- "data": {
- "id": 67,
- "value": "APT BPP",
- "description": "An advanced persistent threat that seeks to disrupt...",
- "started_at": "2016-01-08 15:59:24",
- "ended_at": "2016-07-13 05:46:13",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Intrusion Set
Authorizations:
path Parameters
| intrusion_set_id required | integer Intrusion Set ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Intrusion Set Value |
| description | string Description for the Intrusion Set |
| started_at | string Date the Intrusion Set was first seen |
| ended_at | string Date the Intrusion Set was last seen |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "APT BPP",
- "description": "An advanced persistent threat that seeks to disrupt...",
- "started_at": "2016-01-08 15:59:24",
- "ended_at": "2016-07-13 05:46:13"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 67,
- "value": "APT BPP",
- "description": "An advanced persistent threat that seeks to disrupt...",
- "started_at": "2016-01-08 15:59:24",
- "ended_at": "2016-07-13 05:46:13",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}List Investigations
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 939,
- "name": "My Investigation",
- "status_id": 1,
- "priority_id": 2,
- "description": "Need to determine whether...",
- "data": "NOT SURE THIS IS USED BY THE UI ANYMORE (IF EVER)",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Investigation
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| name | string Investigation Name |
| status_id | integer Investigation Status ID |
| priority_id | integer Investigation Priority ID |
| description | string Investigation Description |
| data | string Investigation Data |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "My Investigation",
- "status_id": 1,
- "priority_id": 2,
- "description": "Need to determine whether...",
- "data": "NOT SURE THIS IS USED BY THE UI ANYMORE (IF EVER)"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 939,
- "name": "My Investigation",
- "status_id": 1,
- "priority_id": 2,
- "description": "Need to determine whether...",
- "data": "NOT SURE THIS IS USED BY THE UI ANYMORE (IF EVER)",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Get Single Investigation
Authorizations:
path Parameters
| investigation_id required | integer Investigation ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Responses
Response samples
- 200
{- "data": {
- "id": 939,
- "name": "My Investigation",
- "status_id": 1,
- "priority_id": 2,
- "description": "Need to determine whether...",
- "data": "NOT SURE THIS IS USED BY THE UI ANYMORE (IF EVER)",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Investigation
Authorizations:
path Parameters
| investigation_id required | integer Investigation ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| name | string Investigation Name |
| status_id | integer Investigation Status ID |
| priority_id | integer Investigation Priority ID |
| description | string Investigation Description |
| data | string Investigation Data |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "My Investigation",
- "status_id": 1,
- "priority_id": 2,
- "description": "Need to determine whether...",
- "data": "NOT SURE THIS IS USED BY THE UI ANYMORE (IF EVER)"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 939,
- "name": "My Investigation",
- "status_id": 1,
- "priority_id": 2,
- "description": "Need to determine whether...",
- "data": "NOT SURE THIS IS USED BY THE UI ANYMORE (IF EVER)",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}List Malware
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 211,
- "value": "x4z9arb backdoor",
- "description": "This malware attempts to download remote files after...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Malware
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Malware Value |
| description | string Description for the Malware |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "x4z9arb backdoor",
- "description": "This malware attempts to download remote files after..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 211,
- "value": "x4z9arb backdoor",
- "description": "This malware attempts to download remote files after...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Malware Consume
Authorizations:
Request Body schema: application/json
Array of objects (MalwareFillable) Related Malware | |
| value | string Malware Value |
| description | string Description for the Malware |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| <object_code> | Array of integers Relate objects of other types by providing a list of IDs. Replace the |
Responses
Request samples
- Payload
[- {
- "malware": [
- {
- "value": "x4z9arb backdoor",
- "description": "This malware attempts to download remote files after..."
}
], - "value": "x4z9arb backdoor",
- "description": "This malware attempts to download remote files after...",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "<object_code>": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "value": "x4z9arb backdoor",
- "description": "This malware attempts to download remote files after..."
}
], - "total": 1
}Get Single Malware
Authorizations:
path Parameters
| malware_id required | integer Malware ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Responses
Response samples
- 200
{- "data": {
- "id": 211,
- "value": "x4z9arb backdoor",
- "description": "This malware attempts to download remote files after...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Malware
Authorizations:
path Parameters
| malware_id required | integer Malware ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Malware Value |
| description | string Description for the Malware |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "x4z9arb backdoor",
- "description": "This malware attempts to download remote files after..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 211,
- "value": "x4z9arb backdoor",
- "description": "This malware attempts to download remote files after...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}List Report
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 1213,
- "value": "Critical Vulnerability in Log4j Java Library",
- "description": "A zero-day remote code execution vulnerability in Apache Log4j may leverage...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Report
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Report Value |
| description | string Description for the Report |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Critical Vulnerability in Log4j Java Library",
- "description": "A zero-day remote code execution vulnerability in Apache Log4j may leverage..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 1213,
- "value": "Critical Vulnerability in Log4j Java Library",
- "description": "A zero-day remote code execution vulnerability in Apache Log4j may leverage...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Report Consume
Authorizations:
Request Body schema: application/json
Array of objects (ReportFillable) Related Report | |
| value | string Report Value |
| description | string Description for the Report |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| <object_code> | Array of integers Relate objects of other types by providing a list of IDs. Replace the |
Responses
Request samples
- Payload
[- {
- "report": [
- {
- "value": "Critical Vulnerability in Log4j Java Library",
- "description": "A zero-day remote code execution vulnerability in Apache Log4j may leverage..."
}
], - "value": "Critical Vulnerability in Log4j Java Library",
- "description": "A zero-day remote code execution vulnerability in Apache Log4j may leverage...",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "<object_code>": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "value": "Critical Vulnerability in Log4j Java Library",
- "description": "A zero-day remote code execution vulnerability in Apache Log4j may leverage..."
}
], - "total": 1
}Get Single Report
Authorizations:
path Parameters
| report_id required | integer Report ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Responses
Response samples
- 200
{- "data": {
- "id": 1213,
- "value": "Critical Vulnerability in Log4j Java Library",
- "description": "A zero-day remote code execution vulnerability in Apache Log4j may leverage...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Report
Authorizations:
path Parameters
| report_id required | integer Report ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Report Value |
| description | string Description for the Report |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Critical Vulnerability in Log4j Java Library",
- "description": "A zero-day remote code execution vulnerability in Apache Log4j may leverage..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 1213,
- "value": "Critical Vulnerability in Log4j Java Library",
- "description": "A zero-day remote code execution vulnerability in Apache Log4j may leverage...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Response samples
- 200
{- "data": {
- "attributes": [
- {
- "value": "High",
- "score": 8,
- "id": 1,
- "name": "Confidence"
}
], - "indicator_types": [
- {
- "id": 1,
- "score": 3
}
], - "sources": [
- {
- "id": 1,
- "score": 6
}
], - "relations": [
- {
- "object_id": 54,
- "object_type": 54,
- "score": 6
}
], - "score_config_hash": "9f22dd6061fbc45452bfeca3d2d6819cd610f024"
}
}Create a Score Range
Authorizations:
Request Body schema: application/json
| name | string Score Range Name |
| min_value | integer Lower Bound of the Score Range |
| max_value | integer Upper Bound of the Score Range |
Responses
Request samples
- Payload
{- "name": "High Risk",
- "min_value": 8,
- "max_value": 10
}Response samples
- 201
{- "data": {
- "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "name": "High Risk",
- "min_value": 8,
- "max_value": 10
}
}Get a Single Score Range
Authorizations:
path Parameters
| score_range_id required | integer Score Range ID |
Responses
Response samples
- 200
{- "data": {
- "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "name": "High Risk",
- "min_value": 8,
- "max_value": 10
}
}Update a Score Range
Authorizations:
path Parameters
| score_range_id required | integer Score Range ID |
Request Body schema: application/json
| name | string Score Range Name |
| min_value | integer Lower Bound of the Score Range |
| max_value | integer Upper Bound of the Score Range |
Responses
Request samples
- Payload
{- "name": "High Risk",
- "min_value": 8,
- "max_value": 10
}Response samples
- 201
{- "data": {
- "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "name": "High Risk",
- "min_value": 8,
- "max_value": 10
}
}List Score Ranges
Authorizations:
query Parameters
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
| sort | string Example: sort=id,created_at
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "name": "High Risk",
- "min_value": 8,
- "max_value": 10
}
], - "total": 1
}List Data Collections
Get a listing of data collection the current user has sharing permissions for
Authorizations:
query Parameters
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
| sort | string Example: sort=id,created_at
|
| with | string Example: with=dashboards,tqxFeeds,workflowDefinitions
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 1,
- "hash": "9548a377155bd3fa13b2a16649c6eb88",
- "name": "My Data Collection",
- "json": {
- "ui_query": {
- "columns": {
- "indicators": [
- "author"
]
}, - "criteria": {
- "matchType": [
- {
- "": "+and"
}
], - "items": [
- {
- "": {
- "key": "mentions",
- "value": "www.threatquotient.com",
- "set_id": 0
}
}
]
}, - "filters": {
- "created_at": [
- {
- "startDate": "2022-08-01 00:00:00",
- "endDate": "2022-08-31 23:59:99",
- "interval": null,
- "type": "is between",
- "set_id": 0
}
]
}, - "objects": {
- "current": "indicators",
- "selected": [
- {
- "": "indicators"
}
]
}, - "filter_sets": [
- {
- "id": 0,
- "operator": "or",
- "isNegated": false,
- "expanded": true
}
]
}, - "api_query": {
- "criteria": {
- "+and": [
- {
- "+or": [
- {
- "mentions": null
}
]
}
]
}, - "filters": {
- "+and": [
- {
- "+or": [
- {
- "created_at": null
}
]
}
]
}
}
}, - "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "total": 1
}Create Data Collection
Create a data collection
Authorizations:
Request Body schema: application/json
| name | string Name of the data collection |
object (SearchJson) JSON representation of the advanced search query |
Responses
Request samples
- Payload
{- "name": "My Data Collection",
- "json": {
- "ui_query": {
- "columns": {
- "indicators": [
- "author"
]
}, - "criteria": {
- "matchType": [
- {
- "": "+and"
}
], - "items": [
- {
- "": {
- "key": "mentions",
- "value": "www.threatquotient.com",
- "set_id": 0
}
}
]
}, - "filters": {
- "created_at": [
- {
- "startDate": "2022-08-01 00:00:00",
- "endDate": "2022-08-31 23:59:99",
- "interval": null,
- "type": "is between",
- "set_id": 0
}
]
}, - "objects": {
- "current": "indicators",
- "selected": [
- {
- "": "indicators"
}
]
}, - "filter_sets": [
- {
- "id": 0,
- "operator": "or",
- "isNegated": false,
- "expanded": true
}
]
}, - "api_query": {
- "criteria": {
- "+and": [
- {
- "+or": [
- {
- "mentions": "www.threatquotient.com"
}
]
}
]
}, - "filters": {
- "+and": [
- {
- "+or": [
- {
- "created_at": {
- "+gt": "2022-08-01 00:00:00"
}
}
]
}
]
}
}
}
}Response samples
- 200
{- "data": {
- "id": 1,
- "hash": "9548a377155bd3fa13b2a16649c6eb88",
- "name": "My Data Collection",
- "json": {
- "ui_query": {
- "columns": {
- "indicators": [
- "author"
]
}, - "criteria": {
- "matchType": [
- {
- "": "+and"
}
], - "items": [
- {
- "": {
- "key": "mentions",
- "value": "www.threatquotient.com",
- "set_id": 0
}
}
]
}, - "filters": {
- "created_at": [
- {
- "startDate": "2022-08-01 00:00:00",
- "endDate": "2022-08-31 23:59:99",
- "interval": null,
- "type": "is between",
- "set_id": 0
}
]
}, - "objects": {
- "current": "indicators",
- "selected": [
- {
- "": "indicators"
}
]
}, - "filter_sets": [
- {
- "id": 0,
- "operator": "or",
- "isNegated": false,
- "expanded": true
}
]
}, - "api_query": {
- "criteria": {
- "+and": [
- {
- "+or": [
- {
- "mentions": "www.threatquotient.com"
}
]
}
]
}, - "filters": {
- "+and": [
- {
- "+or": [
- {
- "created_at": {
- "+gt": null
}
}
]
}
]
}
}
}, - "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}Get Data Collection
Get a single data collection that the user has sharing permissions for
Authorizations:
path Parameters
| hash required | string Example: 9548a377155bd3fa13b2a16649c6eb88
|
query Parameters
| id | integer Example: id=1
|
| name | string Example: name=My Data Collection
|
| hash | string Example: hash=9548a377155bd3fa13b2a16649c6eb88
|
| created_at | string Example: created_at=2022-08-01 00:00:00
|
| updated_at | string Example: updated_at=2022-08-01 00:00:00
|
string or integer
| |
| fields | string Enum: "[FIELD]" "[RELATIONSHIP].[FIELD]" Example: fields=id,created_at,[RELATIONSHIP].id,[RELATIONSHIP].created_at
|
| sort | string Example: sort=id,created_at
|
| with | string Example: with=dashboards,tqxFeeds,workflowDefinitions
|
Responses
Response samples
- 200
{- "data": {
- "id": 1,
- "hash": "9548a377155bd3fa13b2a16649c6eb88",
- "name": "My Data Collection",
- "json": {
- "ui_query": {
- "columns": {
- "indicators": [
- "author"
]
}, - "criteria": {
- "matchType": [
- {
- "": "+and"
}
], - "items": [
- {
- "": {
- "key": "mentions",
- "value": "www.threatquotient.com",
- "set_id": 0
}
}
]
}, - "filters": {
- "created_at": [
- {
- "startDate": "2022-08-01 00:00:00",
- "endDate": "2022-08-31 23:59:99",
- "interval": null,
- "type": "is between",
- "set_id": 0
}
]
}, - "objects": {
- "current": "indicators",
- "selected": [
- {
- "": "indicators"
}
]
}, - "filter_sets": [
- {
- "id": 0,
- "operator": "or",
- "isNegated": false,
- "expanded": true
}
]
}, - "api_query": {
- "criteria": {
- "+and": [
- {
- "+or": [
- {
- "mentions": "www.threatquotient.com"
}
]
}
]
}, - "filters": {
- "+and": [
- {
- "+or": [
- {
- "created_at": {
- "+gt": null
}
}
]
}
]
}
}
}, - "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}Update Data Collection
Update a data collection
Authorizations:
path Parameters
| hash required | string Example: 9548a377155bd3fa13b2a16649c6eb88
|
Request Body schema: application/json
| name | string Name of the data collection |
object (SearchJson) JSON representation of the advanced search query |
Responses
Request samples
- Payload
{- "name": "My Data Collection",
- "json": {
- "ui_query": {
- "columns": {
- "indicators": [
- "author"
]
}, - "criteria": {
- "matchType": [
- {
- "": "+and"
}
], - "items": [
- {
- "": {
- "key": "mentions",
- "value": "www.threatquotient.com",
- "set_id": 0
}
}
]
}, - "filters": {
- "created_at": [
- {
- "startDate": "2022-08-01 00:00:00",
- "endDate": "2022-08-31 23:59:99",
- "interval": null,
- "type": "is between",
- "set_id": 0
}
]
}, - "objects": {
- "current": "indicators",
- "selected": [
- {
- "": "indicators"
}
]
}, - "filter_sets": [
- {
- "id": 0,
- "operator": "or",
- "isNegated": false,
- "expanded": true
}
]
}, - "api_query": {
- "criteria": {
- "+and": [
- {
- "+or": [
- {
- "mentions": "www.threatquotient.com"
}
]
}
]
}, - "filters": {
- "+and": [
- {
- "+or": [
- {
- "created_at": {
- "+gt": "2022-08-01 00:00:00"
}
}
]
}
]
}
}
}
}Response samples
- 200
{- "data": {
- "id": 1,
- "hash": "9548a377155bd3fa13b2a16649c6eb88",
- "name": "My Data Collection",
- "json": {
- "ui_query": {
- "columns": {
- "indicators": [
- "author"
]
}, - "criteria": {
- "matchType": [
- {
- "": "+and"
}
], - "items": [
- {
- "": {
- "key": "mentions",
- "value": "www.threatquotient.com",
- "set_id": 0
}
}
]
}, - "filters": {
- "created_at": [
- {
- "startDate": "2022-08-01 00:00:00",
- "endDate": "2022-08-31 23:59:99",
- "interval": null,
- "type": "is between",
- "set_id": 0
}
]
}, - "objects": {
- "current": "indicators",
- "selected": [
- {
- "": "indicators"
}
]
}, - "filter_sets": [
- {
- "id": 0,
- "operator": "or",
- "isNegated": false,
- "expanded": true
}
]
}, - "api_query": {
- "criteria": {
- "+and": [
- {
- "+or": [
- {
- "mentions": "www.threatquotient.com"
}
]
}
]
}, - "filters": {
- "+and": [
- {
- "+or": [
- {
- "created_at": {
- "+gt": null
}
}
]
}
]
}
}
}, - "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}List Signatures
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 221,
- "name": "ET EXPLOIT Arkeia full remote...",
- "hash": "737309fe355ef23e1c03a5e98bc364b5",
- "value": "alert tcp $EXTERNAL_NET any -> $HOME...",
- "type_id": 2,
- "status_id": 5,
- "description": "Signature Description...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Signature
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| name | string Signature Name |
| hash | string Signature Hash (Unique Hash of Signature Name) |
| value | string Signature Value |
| type_id | integer Signature Type ID |
| status_id | integer Signature Status ID |
| description | string Signature Description |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "ET EXPLOIT Arkeia full remote...",
- "hash": "737309fe355ef23e1c03a5e98bc364b5",
- "value": "alert tcp $EXTERNAL_NET any -> $HOME...",
- "type_id": 2,
- "status_id": 5,
- "description": "Signature Description..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 221,
- "name": "ET EXPLOIT Arkeia full remote...",
- "hash": "737309fe355ef23e1c03a5e98bc364b5",
- "value": "alert tcp $EXTERNAL_NET any -> $HOME...",
- "type_id": 2,
- "status_id": 5,
- "description": "Signature Description...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Signature Consume
Authorizations:
Request Body schema: application/json
Array of objects (SignatureFillable) Related Signatures | |
| name | string Signature Name |
| hash | string Signature Hash (Unique Hash of Signature Name) |
| value | string Signature Value |
| type_id | integer Signature Type ID |
| status_id | integer Signature Status ID |
| description | string Signature Description |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| <object_code> | Array of integers Relate objects of other types by providing a list of IDs. Replace the |
Responses
Request samples
- Payload
[- {
- "signatures": [
- {
- "name": "ET EXPLOIT Arkeia full remote...",
- "hash": "737309fe355ef23e1c03a5e98bc364b5",
- "value": "alert tcp $EXTERNAL_NET any -> $HOME...",
- "type_id": 2,
- "status_id": 5,
- "description": "Signature Description..."
}
], - "name": "ET EXPLOIT Arkeia full remote...",
- "hash": "737309fe355ef23e1c03a5e98bc364b5",
- "value": "alert tcp $EXTERNAL_NET any -> $HOME...",
- "type_id": 2,
- "status_id": 5,
- "description": "Signature Description...",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "<object_code>": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "name": "ET EXPLOIT Arkeia full remote...",
- "hash": "737309fe355ef23e1c03a5e98bc364b5",
- "value": "alert tcp $EXTERNAL_NET any -> $HOME...",
- "type_id": 2,
- "status_id": 5,
- "description": "Signature Description..."
}
], - "total": 1
}Get Single Signature
Authorizations:
path Parameters
| signature_id required | integer Signature ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Responses
Response samples
- 200
{- "data": {
- "id": 221,
- "name": "ET EXPLOIT Arkeia full remote...",
- "hash": "737309fe355ef23e1c03a5e98bc364b5",
- "value": "alert tcp $EXTERNAL_NET any -> $HOME...",
- "type_id": 2,
- "status_id": 5,
- "description": "Signature Description...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Signature
Authorizations:
path Parameters
| signature_id required | integer Signature ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| name | string Signature Name |
| hash | string Signature Hash (Unique Hash of Signature Name) |
| value | string Signature Value |
| type_id | integer Signature Type ID |
| status_id | integer Signature Status ID |
| description | string Signature Description |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "ET EXPLOIT Arkeia full remote...",
- "hash": "737309fe355ef23e1c03a5e98bc364b5",
- "value": "alert tcp $EXTERNAL_NET any -> $HOME...",
- "type_id": 2,
- "status_id": 5,
- "description": "Signature Description..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 221,
- "name": "ET EXPLOIT Arkeia full remote...",
- "hash": "737309fe355ef23e1c03a5e98bc364b5",
- "value": "alert tcp $EXTERNAL_NET any -> $HOME...",
- "type_id": 2,
- "status_id": 5,
- "description": "Signature Description...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Get a Single Source
Authorizations:
path Parameters
| source_id required | integer Source ID |
Responses
Response samples
- 200
{- "data": {
- "id": 1,
- "expire_days": 12,
- "expires_needs_calc": "N",
- "score": 6,
- "default_tlp_id": 3,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}Update a Source
/**
Authorizations:
path Parameters
| source_id required | integer Source ID |
Request Body schema: application/json
| score | integer Source Score - Ranges from -10 to 10 |
| default_tlp_id | integer Source Default TLP ID - the TLP that should be assigned for the Source if none is provided |
| type | string Source Type - Options include: clients, connectors (Feeds), other_sources, plugins, or users |
| reference_id | integer Source Reference ID - points to related Client, Connector (Feed), Other Source, Plugin, or User |
| name | string Source Name |
Responses
Request samples
- Payload
{- "score": 6,
- "default_tlp_id": 3,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ"
}Response samples
- 201
{- "data": {
- "id": 1,
- "expire_days": 12,
- "expires_needs_calc": "N",
- "score": 6,
- "default_tlp_id": 3,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}List Sources
Authorizations:
query Parameters
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
| sort | string Example: sort=id,created_at
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 1,
- "expire_days": 12,
- "expires_needs_calc": "N",
- "score": 6,
- "default_tlp_id": 3,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "total": 1
}List Tags
Authorizations:
query Parameters
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
| sort | string Example: sort=id,created_at
|
| with | string Example: with=adversaries,indicators,course_of_action
|
| with_DUPLICATES_PREVIOUS_NAME | string Example: with_DUPLICATES_PREVIOUS_NAME=objects
|
Responses
Response samples
- 200
{- "data": [
- {
- "adversaries": [
- {
- "pivot": {
- "tag_id": 1,
- "object_id": 54,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}, - "id": 54,
- "name": "Sad Panda",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "indicators": [
- {
- "pivot": {
- "tag_id": 1,
- "object_id": 54,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}, - "id": 54,
- "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
- "last_detected_at": "2020-02-28 13:42:51",
- "expires_at": "2020-04-01 03:17:23",
- "expired_at": null,
- "expired_needs_calc": "N",
- "expires_calculated_at": "2020-02-28 18:36:24",
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation.",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "course_of_action": [
- {
- "pivot": {
- "tag_id": 1,
- "object_id": 54,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}, - "id": 6274,
- "value": "TXXXX - Account Discovery Mitigation",
- "description": "Prevent administrator accounts from...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "id": 81,
- "name": "Ominous"
}
], - "total": 1
}List Tasks
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 373,
- "name": "Task #1",
- "status_id": 1,
- "priority": "Medium",
- "description": "Need to determine whether...",
- "assignee_source_id": 12,
- "due_at": "2020-03-05 12:00:00",
- "completed_at": "2020-03-04 12:00:00",
- "creator_source_id": 2,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Task
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| name | string Name of the Task |
| status_id | integer Status ID for the Task (Statuses include To Do, In Progress, Review, and Done) |
| priority | string Priority of the Task (Options: Low, Medium, and High) |
| description | string Description for the Task |
| assignee_source_id | integer Assignee Source ID (Source ID for the User the Task is assigned to) |
| due_at | string Date the Task is due for completion |
| completed_at | string Date the Task was completed |
| creator_source_id | integer Creator Source ID - Source ID of User, Feed, or other means that brought the object into the system |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Task #1",
- "status_id": 1,
- "priority": "Medium",
- "description": "Need to determine whether...",
- "assignee_source_id": 12,
- "due_at": "2020-03-05 12:00:00",
- "completed_at": "2020-03-04 12:00:00",
- "creator_source_id": 2
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 373,
- "name": "Task #1",
- "status_id": 1,
- "priority": "Medium",
- "description": "Need to determine whether...",
- "assignee_source_id": 12,
- "due_at": "2020-03-05 12:00:00",
- "completed_at": "2020-03-04 12:00:00",
- "creator_source_id": 2,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Get Single Task
Authorizations:
path Parameters
| task_id required | integer Task ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Responses
Response samples
- 200
{- "data": {
- "id": 373,
- "name": "Task #1",
- "status_id": 1,
- "priority": "Medium",
- "description": "Need to determine whether...",
- "assignee_source_id": 12,
- "due_at": "2020-03-05 12:00:00",
- "completed_at": "2020-03-04 12:00:00",
- "creator_source_id": 2,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Task
Authorizations:
path Parameters
| task_id required | integer Task ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,description
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| name | string Name of the Task |
| status_id | integer Status ID for the Task (Statuses include To Do, In Progress, Review, and Done) |
| priority | string Priority of the Task (Options: Low, Medium, and High) |
| description | string Description for the Task |
| assignee_source_id | integer Assignee Source ID (Source ID for the User the Task is assigned to) |
| due_at | string Date the Task is due for completion |
| completed_at | string Date the Task was completed |
| creator_source_id | integer Creator Source ID - Source ID of User, Feed, or other means that brought the object into the system |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Task #1",
- "status_id": 1,
- "priority": "Medium",
- "description": "Need to determine whether...",
- "assignee_source_id": 12,
- "due_at": "2020-03-05 12:00:00",
- "completed_at": "2020-03-04 12:00:00",
- "creator_source_id": 2
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 373,
- "name": "Task #1",
- "status_id": 1,
- "priority": "Medium",
- "description": "Need to determine whether...",
- "assignee_source_id": 12,
- "due_at": "2020-03-05 12:00:00",
- "completed_at": "2020-03-04 12:00:00",
- "creator_source_id": 2,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a TLP
Authorizations:
Request Body schema: application/json
| name | string TLP Name |
| description | string TLP Description |
| value | integer TLP Value used for hierarchy comparisons |
| user_editable | string Determines whether the TLP record can be updated by a User |
Responses
Request samples
- Payload
{- "name": "WHITE",
- "description": "Disclosure is not limited.",
- "value": 3,
- "user_editable": "N"
}Response samples
- 201
{- "data": {
- "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "name": "WHITE",
- "description": "Disclosure is not limited.",
- "value": 3,
- "user_editable": "N"
}
}Response samples
- 200
{- "data": {
- "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "name": "WHITE",
- "description": "Disclosure is not limited.",
- "value": 3,
- "user_editable": "N"
}
}Update a TLP
Authorizations:
path Parameters
| tlp_id required | integer TLP ID |
Request Body schema: application/json
| name | string TLP Name |
| description | string TLP Description |
| value | integer TLP Value used for hierarchy comparisons |
| user_editable | string Determines whether the TLP record can be updated by a User |
Responses
Request samples
- Payload
{- "name": "WHITE",
- "description": "Disclosure is not limited.",
- "value": 3,
- "user_editable": "N"
}Response samples
- 200
{- "data": {
- "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "name": "WHITE",
- "description": "Disclosure is not limited.",
- "value": 3,
- "user_editable": "N"
}
}List TLPs
Authorizations:
query Parameters
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
| sort | string Example: sort=id,created_at
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "name": "WHITE",
- "description": "Disclosure is not limited.",
- "value": 3,
- "user_editable": "N"
}
], - "total": 1
}List Tool
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 4781,
- "value": "Ping",
- "description": "Ping is an operating system utility commonly used to troubleshoot...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Tool
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Tool Value |
| description | string Description for the Tool |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Ping",
- "description": "Ping is an operating system utility commonly used to troubleshoot..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 4781,
- "value": "Ping",
- "description": "Ping is an operating system utility commonly used to troubleshoot...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Tool Consume
Authorizations:
Request Body schema: application/json
Array of objects (ToolFillable) Related Tool | |
| value | string Tool Value |
| description | string Description for the Tool |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| <object_code> | Array of integers Relate objects of other types by providing a list of IDs. Replace the |
Responses
Request samples
- Payload
[- {
- "tool": [
- {
- "value": "Ping",
- "description": "Ping is an operating system utility commonly used to troubleshoot..."
}
], - "value": "Ping",
- "description": "Ping is an operating system utility commonly used to troubleshoot...",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "<object_code>": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "value": "Ping",
- "description": "Ping is an operating system utility commonly used to troubleshoot..."
}
], - "total": 1
}Get Single Tool
Authorizations:
path Parameters
| tool_id required | integer Tool ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Responses
Response samples
- 200
{- "data": {
- "id": 4781,
- "value": "Ping",
- "description": "Ping is an operating system utility commonly used to troubleshoot...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Tool
Authorizations:
path Parameters
| tool_id required | integer Tool ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Tool Value |
| description | string Description for the Tool |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Ping",
- "description": "Ping is an operating system utility commonly used to troubleshoot..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 4781,
- "value": "Ping",
- "description": "Ping is an operating system utility commonly used to troubleshoot...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}List TTP
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 5120,
- "value": "Malware",
- "description": "PIVY Variant",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) TTP
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string TTP Value |
| description | string Description for the TTP |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Malware",
- "description": "PIVY Variant"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 5120,
- "value": "Malware",
- "description": "PIVY Variant",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}TTP Consume
Authorizations:
Request Body schema: application/json
Array of objects (TTPFillable) Related TTP | |
| value | string TTP Value |
| description | string Description for the TTP |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| <object_code> | Array of integers Relate objects of other types by providing a list of IDs. Replace the |
Responses
Request samples
- Payload
[- {
- "ttp": [
- {
- "value": "Malware",
- "description": "PIVY Variant"
}
], - "value": "Malware",
- "description": "PIVY Variant",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "<object_code>": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "value": "Malware",
- "description": "PIVY Variant"
}
], - "total": 1
}Get Single TTP
Authorizations:
path Parameters
| ttp_id required | integer TTP ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Responses
Response samples
- 200
{- "data": {
- "id": 5120,
- "value": "Malware",
- "description": "PIVY Variant",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) TTP
Authorizations:
path Parameters
| ttp_id required | integer TTP ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string TTP Value |
| description | string Description for the TTP |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "Malware",
- "description": "PIVY Variant"
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 5120,
- "value": "Malware",
- "description": "PIVY Variant",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}List Vulnerability
Authorizations:
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 7177,
- "value": "CVE-2016-1234",
- "description": "Stack-based buffer overflow in the glob implementation...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a(n) Vulnerability
Authorizations:
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Vulnerability Value |
| description | string Description for the Vulnerability |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "CVE-2016-1234",
- "description": "Stack-based buffer overflow in the glob implementation..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 7177,
- "value": "CVE-2016-1234",
- "description": "Stack-based buffer overflow in the glob implementation...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Vulnerability Consume
Authorizations:
Request Body schema: application/json
Array of objects (VulnerabilityFillable) Related Vulnerability | |
| value | string Vulnerability Value |
| description | string Description for the Vulnerability |
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
object (TLPName) | |
| <object_code> | Array of integers Relate objects of other types by providing a list of IDs. Replace the |
Responses
Request samples
- Payload
[- {
- "vulnerability": [
- {
- "value": "CVE-2016-1234",
- "description": "Stack-based buffer overflow in the glob implementation..."
}
], - "value": "CVE-2016-1234",
- "description": "Stack-based buffer overflow in the glob implementation...",
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "tlp": {
- "name": "WHITE"
}, - "<object_code>": [
- 2
]
}
]Response samples
- 201
{- "data": [
- {
- "id": 1,
- "value": "CVE-2016-1234",
- "description": "Stack-based buffer overflow in the glob implementation..."
}
], - "total": 1
}Get Single Vulnerability
Authorizations:
path Parameters
| vulnerability_id required | integer Vulnerability ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Responses
Response samples
- 200
{- "data": {
- "id": 7177,
- "value": "CVE-2016-1234",
- "description": "Stack-based buffer overflow in the glob implementation...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Update a(n) Vulnerability
Authorizations:
path Parameters
| vulnerability_id required | integer Vulnerability ID |
query Parameters
| with | Array of strings Example: with=adversaries,comments,sources
|
Request Body schema: application/json
Array of objects (AttributeBasics) | |
Array of objects or objects (SourceBasics) | |
| value | string Vulnerability Value |
| description | string Description for the Vulnerability |
Responses
Request samples
- Payload
[- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "value": "CVE-2016-1234",
- "description": "Stack-based buffer overflow in the glob implementation..."
}
]Response samples
- 200
{- "data": [
- {
- "attributes": [
- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "id": 7177,
- "value": "CVE-2016-1234",
- "description": "Stack-based buffer overflow in the glob implementation...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a Whitelist Rule
Authorizations:
Request Body schema: application/json
| type_id | integer Indicator Type ID |
| status_id | integer Indicator Status ID |
| rule | string Whitelist Rule Value |
| enabled | string Determines whether the Whitelist Rule is being actively applied |
Responses
Request samples
- Payload
{- "type_id": 11,
- "status_id": 2,
- "rule": "*.threatq.com",
- "enabled": "Y"
}Response samples
- 201
{- "data": {
- "updated_count": 3,
- "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "type_id": 11,
- "status_id": 2,
- "rule": "*.threatq.com",
- "enabled": "Y"
}
}Get a Single Whitelist Rule
Authorizations:
path Parameters
| whitelist_rule_id required | integer Whitelist Rule ID |
query Parameters
| with | string Example: with=type
|
Responses
Response samples
- 200
{- "data": {
- "type": {
- "id": 1,
- "wildcard_matching": "Y",
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "name": "FQDN",
- "class": "network",
- "score": 3
}, - "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "type_id": 11,
- "status_id": 2,
- "rule": "*.threatq.com",
- "enabled": "Y"
}
}Update a Whitelist Rule
Authorizations:
path Parameters
| whitelist_rule_id required | integer Whitelist Rule ID |
query Parameters
| with | string Example: with=type
|
Request Body schema: application/json
| type_id | integer Indicator Type ID |
| status_id | integer Indicator Status ID |
| rule | string Whitelist Rule Value |
| enabled | string Determines whether the Whitelist Rule is being actively applied |
Responses
Request samples
- Payload
{- "type_id": 11,
- "status_id": 2,
- "rule": "*.threatq.com",
- "enabled": "Y"
}Response samples
- 201
{- "data": {
- "type": {
- "id": 1,
- "wildcard_matching": "Y",
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "name": "FQDN",
- "class": "network",
- "score": 3
}, - "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "type_id": 11,
- "status_id": 2,
- "rule": "*.threatq.com",
- "enabled": "Y"
}
}List Whitelist Rules
Authorizations:
query Parameters
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
| sort | string Example: sort=id,created_at
|
| with | string Example: with=type
|
Responses
Response samples
- 200
{- "data": [
- {
- "type": {
- "id": 1,
- "wildcard_matching": "Y",
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "name": "FQDN",
- "class": "network",
- "score": 3
}, - "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "type_id": 11,
- "status_id": 2,
- "rule": "*.threatq.com",
- "enabled": "Y"
}
], - "total": 1
}List Attributes for an Object Type by Attribute ID
This path can be used for any object type installed on the system.
Examples:
Indicator Attributes by Attribute ID: /indicators/:indicator_id/attributes/:attribute_id
Attack Pattern Attributes by Attribute ID: /attack_pattern/:attack_pattern_id/attributes/:attribute_id
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| attribute_id | integer Example: 5 Attribute ID - if not provided, the |
query Parameters
| id | integer Example: id=14,22 Attribute ID. Can be used in lieu of path |
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "id": 11,
- "indicators": [
- {
- "id": 15
}
], - "attribute_id": 7,
- "<object_type>_id": 517,
- "name": "Confidence",
- "value": "High"
}
]
}List Attributes for an Object Type
This path can be used for any object type installed on the system.
Examples:
Indicator Attributes: /indicators/:indicator_id/attributes
Attack Pattern Attributes: /attack_pattern/:attack_pattern_id/attributes
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
query Parameters
| with | Array of strings Example: with=sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "sources": [
- {
- "id": 42,
- "tlp_id": 1,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "published_at": "2017-01-13 15:28:17",
- "pivot": {
- "id": 11,
- "<object_code>_attribute_id": 8,
- "source_id": 42,
- "creator_source_id": 2
}
}
], - "id": 8,
- "attribute_id": 7,
- "<object_type>_id": 517,
- "name": "Confidence",
- "value": "High",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "total": 1
}Create One or More Attributes for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
Request Body schema: application/json
Array of objects or objects (SourceBasics) | |
| attribute_id | integer Attribute ID - the ID for the Attribute Key |
| <object_type>_id | integer Object Type ID - |
| name | string Attribute Name |
| value | string Attribute Value |
Responses
Request samples
- Payload
[- {
- "sources": [
- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
], - "attribute_id": 7,
- "<object_type>_id": 517,
- "name": "Confidence",
- "value": "High"
}
]Response samples
- 201
{- "data": [
- {
- "sources": [
- {
- "id": 42,
- "tlp_id": 1,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "published_at": "2017-01-13 15:28:17",
- "pivot": {
- "id": 11,
- "<object_code>_attribute_id": 8,
- "source_id": 42,
- "creator_source_id": 2
}
}
], - "id": 8,
- "attribute_id": 7,
- "<object_type>_id": 517,
- "name": "Confidence",
- "value": "High",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "total": 1
}Get a Single Attribute for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
| object_type_attribute_id required | integer Example: 3 The ID of the Attribute record for the specified Object Type |
query Parameters
| with | Array of strings Example: with=sources
|
Responses
Response samples
- 200
{- "data": [
- {
- "sources": [
- {
- "id": 42,
- "tlp_id": 1,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "published_at": "2017-01-13 15:28:17",
- "pivot": {
- "id": 11,
- "<object_code>_attribute_id": 8,
- "source_id": 42,
- "creator_source_id": 2
}
}
], - "id": 8,
- "attribute_id": 7,
- "<object_type>_id": 517,
- "name": "Confidence",
- "value": "High",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
]
}Update an Attribute for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
| object_type_attribute_id required | integer Example: 3 The ID of the Attribute record for the specified Object Type |
Request Body schema: application/json
| tlp_id | integer Source TLP ID |
| value | string Attribute Value |
Responses
Request samples
- Payload
[- {
- "value": "High",
- "tlp_id": 3
}
]Response samples
- 200
{- "data": [
- {
- "attribute": {
- "id": 1,
- "name": "Confidence",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}, - "id": 8,
- "attribute_id": 7,
- "<object_type>_id": 517,
- "name": "Confidence",
- "value": "High",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
]
}Delete an Attribute for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
| object_type_attribute_id required | integer Example: 3 The ID of the Attribute record for the specified Object Type |
Responses
(Short) Get a Single Comment for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_comment_id required | integer The ID of the Comment record for the specified Object Type |
query Parameters
| with | Array of strings Example: with=indicator,sources
|
Responses
Response samples
- 200
{- "data": {
- "sources": [
- {
- "pivot": {
- "id": 81,
- "creator_source_id": 2
}, - "id": 1,
- "expire_days": 12,
- "expires_needs_calc": "N",
- "score": 6,
- "default_tlp_id": 3,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "indicator": [
- {
- "id": 54,
- "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
- "last_detected_at": "2020-02-28 13:42:51",
- "expires_at": "2020-04-01 03:17:23",
- "expired_at": null,
- "expired_needs_calc": "N",
- "expires_calculated_at": "2020-02-28 18:36:24",
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation.",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "id": 39,
- "<object_type>_id": 517,
- "creator_source_id": 2,
- "value": "There's something odd happening...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}(Short) Update a Comment for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_comment_id required | integer The ID of the Comment record for the specified Object Type |
Request Body schema: application/json
| value | string Comment value |
Responses
Request samples
- Payload
{- "value": "There's something odd happening..."
}Response samples
- 201
{- "data": [
- {
- "sources": [
- {
- "pivot": {
- "id": 81,
- "creator_source_id": 2
}, - "id": 1,
- "expire_days": 12,
- "expires_needs_calc": "N",
- "score": 6,
- "default_tlp_id": 3,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "id": 39,
- "<object_type>_id": 517,
- "creator_source_id": 2,
- "value": "There's something odd happening...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
]
}(Short) Delete a Comment for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_comment_id required | integer The ID of the Comment record for the specified Object Type |
Responses
List Comments for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
query Parameters
| with | Array of strings Example: with=indicator,sources
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "sources": [
- {
- "pivot": {
- "id": 81,
- "creator_source_id": 2
}, - "id": 1,
- "expire_days": 12,
- "expires_needs_calc": "N",
- "score": 6,
- "default_tlp_id": 3,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "indicator": [
- {
- "id": 54,
- "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
- "last_detected_at": "2020-02-28 13:42:51",
- "expires_at": "2020-04-01 03:17:23",
- "expired_at": null,
- "expired_needs_calc": "N",
- "expires_calculated_at": "2020-02-28 18:36:24",
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation.",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "id": 39,
- "<object_type>_id": 517,
- "creator_source_id": 2,
- "value": "There's something odd happening...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "total": 1
}Create a Comment for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
Request Body schema: application/json
| value | string Comment value |
Responses
Request samples
- Payload
[- {
- "value": "There's something odd happening..."
}
]Response samples
- 201
{- "data": [
- {
- "sources": [
- {
- "pivot": {
- "id": 81,
- "creator_source_id": 2
}, - "id": 1,
- "expire_days": 12,
- "expires_needs_calc": "N",
- "score": 6,
- "default_tlp_id": 3,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "id": 39,
- "<object_type>_id": 517,
- "creator_source_id": 2,
- "value": "There's something odd happening...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
]
}Get a Single Comment for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
| object_type_comment_id required | integer The ID of the Comment record for the specified Object Type |
query Parameters
| with | Array of strings Example: with=indicator,sources
|
Responses
Response samples
- 200
{- "data": {
- "sources": [
- {
- "pivot": {
- "id": 81,
- "creator_source_id": 2
}, - "id": 1,
- "expire_days": 12,
- "expires_needs_calc": "N",
- "score": 6,
- "default_tlp_id": 3,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "indicator": [
- {
- "id": 54,
- "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
- "last_detected_at": "2020-02-28 13:42:51",
- "expires_at": "2020-04-01 03:17:23",
- "expired_at": null,
- "expired_needs_calc": "N",
- "expires_calculated_at": "2020-02-28 18:36:24",
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation.",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "id": 39,
- "<object_type>_id": 517,
- "creator_source_id": 2,
- "value": "There's something odd happening...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}Update a Comment for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
| object_type_comment_id required | integer The ID of the Comment record for the specified Object Type |
Request Body schema: application/json
| value | string Comment value |
Responses
Request samples
- Payload
{- "value": "There's something odd happening..."
}Response samples
- 201
{- "data": [
- {
- "sources": [
- {
- "pivot": {
- "id": 81,
- "creator_source_id": 2
}, - "id": 1,
- "expire_days": 12,
- "expires_needs_calc": "N",
- "score": 6,
- "default_tlp_id": 3,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "id": 39,
- "<object_type>_id": 517,
- "creator_source_id": 2,
- "value": "There's something odd happening...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
]
}Delete a Comment for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
| object_type_comment_id required | integer The ID of the Comment record for the specified Object Type |
Responses
List all Entries in a User's Watchlist for an Object Type
This path can be used for any object type installed on the system.
Examples:
Indicator Watchlist: /indicators/watchlist
Attack Pattern Watchlist: /attack_pattern/watchlist
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
Responses
Response samples
- 200
{- "data": [
- {
- "indicator": {
- "id": 54,
- "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
- "last_detected_at": "2020-02-28 13:42:51",
- "expires_at": "2020-04-01 03:17:23",
- "expired_at": null,
- "expired_needs_calc": "N",
- "expires_calculated_at": "2020-02-28 18:36:24",
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation.",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}, - "id": 39,
- "user_id": 42,
- "object_type": "indicator",
- "object_id": 54,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "total": 1
}Bulk Add Entries to a User's Watchlist for an Object Type
This path can be used for any object type installed on the system.
Examples:
Indicator Watchlist: /indicators/:indicator_id/watchlist
Attack Pattern Watchlist: /attack_pattern/:attack_pattern_id/watchlist
Authorizations:
Request Body schema: application/json
| object_ids | Array of integers |
Responses
Request samples
- Payload
{- "object_ids": [
- 2
]
}Response samples
- 200
{- "data": [
- {
- "id": 39,
- "user_id": 42,
- "object_type": "indicator",
- "object_id": 54,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
]
}Get a Single Entry in a User's Watchlist for an Object Type
This path can be used for any object type installed on the system.
Examples:
Indicator Watchlist: /indicators/:indicator_id/watchlist
Attack Pattern Watchlist: /attack_pattern/:attack_pattern_id/watchlist
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
query Parameters
| with | Array of strings Example: with=indicator
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "indicator": {
- "id": 54,
- "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
- "last_detected_at": "2020-02-28 13:42:51",
- "expires_at": "2020-04-01 03:17:23",
- "expired_at": null,
- "expired_needs_calc": "N",
- "expires_calculated_at": "2020-02-28 18:36:24",
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation.",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}, - "id": 39,
- "user_id": 42,
- "object_type": "indicator",
- "object_id": 54,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "total": 1
}Add an Entry to a User's Watchlist for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
Responses
Response samples
- 201
{- "data": {
- "id": 39,
- "user_id": 42,
- "object_type": "indicator",
- "object_id": 54,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}Remove an Entry from a User's Watchlist for an Object Type
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
| object_type_watchlist_id required | integer Example: 12 The ID of the Watchlist entry for the specified Object Type |
Responses
Update an Attribute Source for an Object Type
This path can be used for any object type installed on the system.
Examples:
Indicator Attribute Sources:
/indicators/:indicator_id/attributes/:indicator_attribute_id/sources/:indicator_attribute_source_id
Attack Pattern Sources:
/attack_pattern/:attack_pattern_id/attributes/:attack_pattern_attribute_id/sources/:attack_pattern_attribute_source_id
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
| object_type_attribute_id required | integer Example: 3 The ID of the Attribute record for the specified Object Type |
| object_type_attribute_source_id required | integer Example: 5 The ID of the Attribute Source record for the specified Object Type |
Request Body schema: application/json
| tlp_id | integer Source TLP ID |
Responses
Request samples
- Payload
{- "tlp": {
- "name": "WHITE"
}
}Response samples
- 200
{- "data": [
- {
- "id": 42,
- "tlp_id": 1,
- "<object_type>_attribute_id": 7,
- "source_id": 42,
- "creator_source_id": 2,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "published_at": "2017-01-13 15:28:17"
}
]
}Remove an Attribute Source for an Object Type
This path can be used for any object type installed on the system.
Examples:
Indicator Attribute Sources:
/indicators/:indicator_id/attributes/:indicator_attribute_id/sources/:indicator_attribute_source_id
Attack Pattern Sources:
/attack_pattern/:attack_pattern_id/attributes/:attack_pattern_attribute_id/sources/:attack_pattern_attribute_source_id
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
| object_type_attribute_id required | integer Example: 3 The ID of the Attribute record for the specified Object Type |
| object_type_attribute_source_id required | integer Example: 5 The ID of the Attribute Source record for the specified Object Type |
Responses
List Relation Counts for an Object Type
This path can be used for any object type installed on the system.
Examples:
Indicator Sources: /indicators/:indicator_id/relation-counts
Attack Pattern Sources: /attack_pattern/:attack_pattern_id/relation-counts
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
Responses
Response samples
- 200
{- "data": {
- "indicators": 51,
- "adversaries": 2,
- "events": 7,
- "attachments": 11,
- "signatures": 3,
- "investigations": 6,
- "attack_pattern": 17,
- "campaign": 1,
- "course_of_action": 3,
- "exploit_target": 4,
- "identity": 2,
- "incident": 512,
- "intrusion_set": 5,
- "malware": 13,
- "report": 3,
- "tool": 2,
- "ttp": 10,
- "vulnerability": 11
}
}List Sources for an Object Type
This path can be used for any object type installed on the system.
Examples:
Indicator Sources: /indicators/:indicator_id/sources
Attack Pattern Sources: /attack_pattern/:attack_pattern_id/sources
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
query Parameters
| with | Array of strings Example: with=indicator,tlp
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "tlp": [
- {
- "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "name": "WHITE",
- "description": "Disclosure is not limited.",
- "value": 3,
- "user_editable": "N"
}
], - "indicator": [
- {
- "id": 54,
- "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
- "last_detected_at": "2020-02-28 13:42:51",
- "expires_at": "2020-04-01 03:17:23",
- "expired_at": null,
- "expired_needs_calc": "N",
- "expires_calculated_at": "2020-02-28 18:36:24",
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation.",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "id": 39,
- "tlp_id": 1,
- "<object_type>_id": 517,
- "source_id": 42,
- "creator_source_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "published_at": "2017-01-13 15:28:17"
}
], - "total": 1
}Create a Source for an Object Type
This path can be used for any object type installed on the system.
Examples:
Indicator Sources: /indicators/:indicator_id/sources
Attack Pattern Sources: /attack_pattern/:attack_pattern_id/sources
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
Request Body schema: application/json
| tlp_id | integer Source TLP ID |
| name | string Source Name |
Responses
Request samples
- Payload
[- {
- "tlp_id": 3,
- "name": "ThreatQ"
}
]Response samples
- 201
{- "data": [
- {
- "id": 39,
- "tlp_id": 1,
- "<object_type>_id": 517,
- "source_id": 42,
- "creator_source_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "published_at": "2017-01-13 15:28:17"
}
], - "total": 1
}Get a Single Source for an Object Type
This path can be used for any object type installed on the system.
Examples:
Indicator Sources: /indicators/:indicator_id/sources/:indicator_source_id
Attack Pattern Sources: /attack_pattern/:attack_pattern_id/sources/:attack_pattern_source_id
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
| object_type_source_id required | integer Example: 7 The ID of the Source record for the specified Object Type |
query Parameters
| with | Array of strings Example: with=indicator,tlp
|
Responses
Response samples
- 200
{- "data": {
- "tlp": [
- {
- "id": 1,
- "created_at": "2020-05-01 02:35:16",
- "updated_at": "2020-05-03 04:27:51",
- "name": "WHITE",
- "description": "Disclosure is not limited.",
- "value": 3,
- "user_editable": "N"
}
], - "indicator": [
- {
- "id": 54,
- "hash": "4aba5ab07a3bda558d5d725a09d93ba6",
- "last_detected_at": "2020-02-28 13:42:51",
- "expires_at": "2020-04-01 03:17:23",
- "expired_at": null,
- "expired_needs_calc": "N",
- "expires_calculated_at": "2020-02-28 18:36:24",
- "type_id": 11,
- "status_id": 2,
- "class": "network",
- "value": "www.danger-doom.com",
- "description": "Website encountered during incident investigation.",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "id": 39,
- "tlp_id": 1,
- "<object_type>_id": 517,
- "source_id": 42,
- "creator_source_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "published_at": "2017-01-13 15:28:17"
}
}Update a Source for an Object Type
This path can be used for any object type installed on the system.
Examples:
Indicator Sources: /indicators/:indicator_id/sources/:indicator_source_id
Attack Pattern Sources: /attack_pattern/:attack_pattern_id/sources/:attack_pattern_source_id
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
| object_type_source_id required | integer Example: 7 The ID of the Source record for the specified Object Type |
Request Body schema: application/json
| tlp_id | integer Source TLP ID |
Responses
Request samples
- Payload
{- "tlp": {
- "name": "WHITE"
}
}Response samples
- 200
{- "data": [
- {
- "id": 39,
- "tlp_id": 1,
- "<object_type>_id": 517,
- "source_id": 42,
- "creator_source_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "published_at": "2017-01-13 15:28:17"
}
]
}Delete a Source for an Object Type
This path can be used for any object type installed on the system.
Examples:
Indicator Sources: /indicators/:indicator_id/sources/:indicator_source_id
Attack Pattern Sources: /attack_pattern/:attack_pattern_id/sources/:attack_pattern_source_id
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
| object_type_source_id required | integer Example: 7 The ID of the Source record for the specified Object Type |
Responses
Generate a Summary PDF for an Object Type
This path can be used for any object type installed on the system.
Examples:
Indicator Summary PDF: /indicators/:indicator_id/summary
Attack Pattern Summary PDF: /attack_pattern/:attack_pattern_id/summary
Authorizations:
path Parameters
| object_type required | string Example: indicators The collection identifier for the Object Type whose context you would like to retrieve. Options include:
adversaries, attachments, attack_pattern, campaign, course_of_action, event, exploit_target, identity, incident,
indicators, intrustion_set, malware, report, signature, tool, ttp, and vulnerability. If you have any additional custom
objects installed on your system, use the value for the |
| object_type_id required | integer Example: 6 The ID for the record of the specified Object Type whose context you would like to retrieve |
query Parameters
| limit | integer Example: limit=10
|
Responses
List Relationships for an Object Type
This path can be used for any combination of objects installed on the system.
Examples:
Indicators related to an Adversary: /adversaries/:adversary_id/indicators
Indicators related to an Indicator: /indicators/:indicator_id/indicators
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
query Parameters
| with | Array of strings Example: with=sources,pivot.attributes
|
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "sources": [
- {
- "name": "ThreatQ"
}
], - "pivot": {
- "attributes": [
- {
- "id": 11,
- "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "id": 11,
- "name": "Integration",
- "type": "connectors",
- "pivot": {
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}
], - "comments": [
- {
- "source": {
- "id": 21,
- "name": "Analyst",
- "type": "users",
- "reference_id": 2
}, - "id": 4,
- "value": "There's something odd happening...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "id": "2542",
- "src_type": "indicator",
- "src_object_id": 1,
- "dest_type": "adversary",
- "dest_object_id": 1,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}, - "id": 54,
- "name": "Sad Panda",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17",
- "deleted_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Create a Relationship for an Object Type
This path can be used for any combination of objects installed on the system.
Examples:
Relate Indicators to an Adversary: /adversaries/:adversary_id/indicators
Relate Indicators to an Indicator: /indicators/:indicator_id/indicators
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
Request Body schema: application/json
| id | integer Destination Object ID - the ID for the object you would like to create a relationship with. |
Responses
Request samples
- Payload
[- {
- "id": 3
}
]Response samples
- 200
{- "data": [
- {
- "pivot": {
- "id": 10,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}, - "id": 54,
- "name": "Sad Panda",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
], - "total": 1
}Get a Single Relationship for an Object Type
This path can be used for any combination of objects installed on the system.
Examples:
Indicator related to an Adversary: /adversaries/:adversary_id/indicators/:object_link_id
Indicator related to an Indicator: /indicators/:indicator_id/indicators/:object_link_id
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
| object_link_id required | integer Example: 3 Object Link ID - the ID of the relationship record |
query Parameters
| with | Array of strings Example: with=sources,pivot.attributes
|
Responses
Response samples
- 200
{- "data": {
- "pivot": {
- "attributes": [
- {
- "id": 11,
- "name": "Confidence",
- "value": "High"
}
], - "sources": [
- {
- "id": 11,
- "name": "Integration",
- "type": "connectors",
- "pivot": {
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}
], - "comments": [
- {
- "source": {
- "id": 21,
- "name": "Analyst",
- "type": "users",
- "reference_id": 2
}, - "id": 4,
- "value": "There's something odd happening...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "id": "2542",
- "src_type": "indicator",
- "src_object_id": 1,
- "dest_type": "adversary",
- "dest_object_id": 1,
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}, - "sources": [
- {
- "name": "ThreatQ"
}
], - "id": 54,
- "name": "Sad Panda",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16",
- "touched_at": "2021-11-13 15:28:17"
}
}Remove a Relationship for an Object Type
This path can be used for any combination of objects installed on the system.
Examples:
Indicator related to an Adversary: /adversaries/:adversary_id/indicators/:object_link_id
Indicator related to an Indicator: /indicators/:indicator_id/indicators/:object_link_id
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
| object_link_id required | integer Example: 3 Object Link ID - the ID of the relationship record |
Responses
List Relationship Attributes for an Object Type
This path can be used for any combination of objects installed on the system.
Examples:
Attributes for an Indicator / Adversary relationship:
/adversaries/:adversary_id/indicators/:object_link_id/attributes
Attributes for an
Indicator / Indicator relationship: /indicators/:indicator_id/indicators/:object_link_id/attributes
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
| object_link_id required | integer Example: 3 Object Link ID - the ID of the relationship record |
query Parameters
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "attribute": {
- "id": 1,
- "name": "Confidence",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}, - "object_link_id": 120,
- "id": 11,
- "name": "Confidence",
- "value": "High",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "total": 1
}Create a Relationship Attribute for an Object Type
This path can be used for any combination of objects installed on the system.
Examples:
Attributes for an Indicator / Adversary relationship:
/adversaries/:adversary_id/indicators/:object_link_id/attributes
Attributes for an
Indicator / Indicator relationship: /indicators/:indicator_id/indicators/:object_link_id/attributes
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
| object_link_id required | integer Example: 3 Object Link ID - the ID of the relationship record |
Request Body schema: application/json
| name | string Attribute Name |
| value | string Attribute Value |
Responses
Request samples
- Payload
{- "name": "Confidence",
- "value": "High"
}Response samples
- 201
{- "object_link_id": 120,
- "id": 11,
- "name": "Confidence",
- "value": "High",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}Get a Single Relationship Attribute for an Object Type
This path can be used for any combination of objects installed on the system.
Examples:
An Attribute for an Indicator / Adversary relationship:
/adversaries/:adversary_id/indicators/:object_link_id/attributes/:object_link_attribute_id
An Attribute for an Indicator / Indicator relationship:
/indicators/:indicator_id/indicators/:object_link_id/attributes/:object_link_attribute_id
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
| object_link_id required | integer Example: 3 Object Link ID - the ID of the relationship record |
| object_link_attribute_id required | integer Example: 3 Object Link Attribute ID |
Responses
Response samples
- 200
{- "data": {
- "attribute": {
- "id": 1,
- "name": "Confidence",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}, - "object_link_id": 120,
- "id": 11,
- "name": "Confidence",
- "value": "High",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}Update a Relationship Attribute for an Object Type
This path can be used for any combination of objects installed on the system.
Examples:
An Attribute for an Indicator / Adversary relationship:
/adversaries/:adversary_id/indicators/:object_link_id/attributes/:object_link_attribute_id
An Attribute for an Indicator / Indicator relationship:
/indicators/:indicator_id/indicators/:object_link_id/attributes/:object_link_attribute_id
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
| object_link_id required | integer Example: 3 Object Link ID - the ID of the relationship record |
| object_link_attribute_id required | integer Example: 3 Object Link Attribute ID |
Request Body schema: application/json
| value | string Attribute Value |
Responses
Request samples
- Payload
{- "value": "High"
}Response samples
- 200
{- "data": {
- "object_link_id": 120,
- "id": 11,
- "name": "Confidence",
- "value": "High",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}Remove a Relationship Attribute for an Object Type
This path can be used for any combination of objects installed on the system.
Examples:
An Attribute for an Indicator / Adversary relationship:
/adversaries/:adversary_id/indicators/:object_link_id/attributes/:object_link_attribute_id
An Attribute for an Indicator / Indicator relationship:
/indicators/:indicator_id/indicators/:object_link_id/attributes/:object_link_attribute_id
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
| object_link_id required | integer Example: 3 Object Link ID - the ID of the relationship record |
| object_link_attribute_id required | integer Example: 3 Object Link Attribute ID |
Responses
List Relationship Comments for an Object Type
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
| object_link_id required | integer Example: 3 Object Link ID - the ID of the relationship record |
query Parameters
| sort | string Example: sort=id,created_at
|
| limit | integer Example: limit=10
|
| offset | integer Example: offset=50
|
Responses
Response samples
- 200
{- "data": [
- {
- "sources": [
- {
- "pivot": {
- "id": 21,
- "creator_source_id": 2
}, - "id": 1,
- "expire_days": 12,
- "expires_needs_calc": "N",
- "score": 6,
- "default_tlp_id": 3,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "object_link_id": 4,
- "creator_source_id": 2,
- "id": 4,
- "value": "There's something odd happening...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "total": 1
}Create a Relationship Comment for an Object Type
This path can be used for any combination of objects installed on the system.
Examples:
Comments for an Indicator / Adversary relationship:
/adversaries/:adversary_id/indicators/:object_link_id/comments
Comments for an
Indicator / Indicator relationship: /indicators/:indicator_id/indicators/:object_link_id/comments
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
| object_link_id required | integer Example: 3 Object Link ID - the ID of the relationship record |
Request Body schema: application/json
| value | string Comment value |
Responses
Request samples
- Payload
{- "value": "There's something odd happening..."
}Response samples
- 201
{- "data": {
- "sources": [
- {
- "id": 1,
- "expire_days": 12,
- "expires_needs_calc": "N",
- "score": 6,
- "default_tlp_id": 3,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "object_link_id": 4,
- "creator_source_id": 2,
- "id": 4,
- "value": "There's something odd happening...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}Get a Single Relationship Comment for an Object Type
This path can be used for any combination of objects installed on the system.
Examples:
A Comment for an Indicator / Adversary relationship:
/adversaries/:adversary_id/indicators/:object_link_id/comments/:object_link_comment_id
An Comment for an Indicator / Indicator relationship:
/indicators/:indicator_id/indicators/:object_link_id/comments/:object_link_comment_id
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
| object_link_id required | integer Example: 3 Object Link ID - the ID of the relationship record |
| object_link_comment_id required | integer Example: 4 Object Link Comment ID |
Responses
Response samples
- 200
{- "data": {
- "sources": [
- {
- "id": 2,
- "name": "ThreatQ"
}
], - "object_link_id": 4,
- "creator_source_id": 2,
- "id": 4,
- "value": "There's something odd happening...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}Update a Relationship Comment for an Object Type
This path can be used for any combination of objects installed on the system.
Examples:
A Comment for an Indicator / Adversary relationship:
/adversaries/:adversary_id/indicators/:object_link_id/comments/:object_link_comment_id
An Attribute for an Indicator / Indicator relationship:
/indicators/:indicator_id/indicators/:object_link_id/comments/:object_link_comment_id
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
| object_link_id required | integer Example: 3 Object Link ID - the ID of the relationship record |
| object_link_comment_id required | integer Example: 4 Object Link Comment ID |
Request Body schema: application/json
| value | string Comment value |
Responses
Request samples
- Payload
{- "value": "There's something odd happening..."
}Response samples
- 200
{- "data": {
- "sources": [
- {
- "pivot": {
- "id": 21,
- "creator_source_id": 2
}, - "id": 1,
- "expire_days": 12,
- "expires_needs_calc": "N",
- "score": 6,
- "default_tlp_id": 3,
- "type": "other_sources",
- "reference_id": 2,
- "name": "ThreatQ",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
], - "object_link_id": 4,
- "creator_source_id": 2,
- "id": 4,
- "value": "There's something odd happening...",
- "created_at": "2021-07-29 13:58:03",
- "updated_at": "2022-04-12 08:32:16"
}
}Remove a Relationship Comment for an Object Type
This path can be used for any combination of objects installed on the system.
Examples:
A Comment for an Indicator / Adversary relationship:
/adversaries/:adversary_id/indicators/:object_link_id/comments/:object_link_comment_id
A Comment for an Indicator / Indicator relationship:
/indicators/:indicator_id/indicators/:object_link_id/comments/:object_link_comment_id
Authorizations:
path Parameters
| src_object_collection required | string Example: indicators Source Object collection - the object type collection whose relationships you would like
to retrieve. Options include: adversaries, attachments, attack_pattern, campaign, course_of_action, event,
exploit_target, identity, incident, indicators, intrustion_set, malware, report, signature, tool, ttp,
and vulnerability. If you have any additional custom objects installed on your system, use the |
| src_object_id required | integer Example: 2 Source Object ID - the ID of the object whose relationships you would like to retrieve |
| dest_object_collection required | string Example: adversaries Destination Object collection - the collection for an object type that may have relationships
associated with the Source Object collection. Options include: adversaries, attachments, attack_pattern,
campaign, course_of_action, event, exploit_target, identity, incident, indicators, intrustion_set, malware,
report, signature, tool, ttp, and vulnerability. If you have any additional custom objects installed on your
system, use the |
| object_link_id required | integer Example: 3 Object Link ID - the ID of the relationship record |
| object_link_comment_id required | integer Example: 4 Object Link Comment ID |