ThreatExchange
Graph API Version

ThreatIndicator

ThreatExchange's data model is "things" and "opinions about things". ThreatIndicator is a "thing" in this model, such as a file hash, a text keyword, or an email address. ThreatExchange creates ThreatIndicator objects automatically to group multiple opinions from different Members about the same thing. As a user of ThreatExchange, you only need to manage your opinions (primarily ThreatDescriptor).

The name indicator is short for "indicator of compromise", which is a reflection of ThreatExchange's original use for cybersecurity purposes. Over time ThreatExchnage tended more towards safety and content harm sharing, where this name has made less sense.

Fields

Parameter Description Type

id

Unique identifier of the threat indicator. Automatically assigned at create time, and non-editable.

number

indicator

The value of the indicator. Non-editable after initial creation of the indicator.

string

type

The type of indicator. Non-editable after initial creation of the indicator.

List of IndicatorType

Sample Usage

Example query for a specific indicator: 788497497903212:

https://graph.facebook.com/v24.0/788497497903212/?access_token=555|aSdF123GhK

Data returned:

{
   "indicator": "facebook.com",
   "type": "DOMAIN",
   "id": "788497497903212"
}

Connections

Name Description Type

descriptors

Opinions from members about this indicator.

ThreatDescriptor

Sample Usage

Example query for descriptors related to a specific indicator: 852121234856016

https://graph.facebook.com/v24.0/852121234856016/descriptors/?access_token=555|aSdF123GhK

Data returned:

 {
   "data": [
  {
    "id": "811927545529339",
    "indicator": {
      "indicator": "test1434227164.evilevillabs.com",
      "type": "DOMAIN",
      "id": "852121234856016"
    },
    "owner": {
      "id": "588498724619612",
      "name": "Facebook CERT ThreatExchange"
    },
    "type": "DOMAIN",
    "raw_indicator": "test1434227164.evilevillabs.com",
    "description": "This is our test domain. It's harmless",
    "status": "NON_MALICIOUS"
  },
  {
    "id": "799906626794304",
    "indicator": {
      "indicator": "test1434227164.evilevillabs.com",
      "type": "DOMAIN",
      "id": "852121234856016"
    },
    "owner": {
      "id": "682796275165036",
      "name": "Facebook Site Integrity ThreatExchange"
    },
    "type": "DOMAIN",
    "raw_indicator": "test1434227164.evilevillabs.com",
    "description": "Malware command and control",
    "status": "MALICIOUS"
  }
],
"paging": {
  "cursors": {
    "before": "ODExOTI3NTQ1NTI5MzM5",
    "after": "Nzk5OTA2NjI2Nzk0MzA0"
  }
}