This API call enables searching for samples of indicators of compromise stored in ThreatExchange. With this call you can search for indicators by free text, by type, or for all indicators in a specific time window. Combinations of these query types are also allowed.
The following query parameters are available (bold parameters are required):
access_token - The key for authenticating to the API. It is a concatenation of <your-app-id>|<your-app-secret>. For example, if our app ID was 555 and our app secret aSdF123GhK, our access_token would be "555|aSdF123GhK".
limit - Defines the maximum size of a page of results. The maximum is 1,000.
text - Freeform text field with a value to search for. This can be a file hash or a string found in other fields of the objects.
sort_order - A given SortOrderType.
sort_by - Sort results by RELEVANCE or by CREATE_TIME. When sorting by RELEVANCE, your query will return results sorted by similarity against your text query.
strict_text - When set to 'true', the API will not do approximate matching on the value in text.
threat_type - The broad threat type the indicator is associated with (see ThreatTypes).
type - The type of indicators to search for (see IndicatorTypes).
since - Returns indicators collected after a timestamp.
until - Returns indicators collected before a timestamp.
fields - A list of fields to return in the response.

Example query for all malicious IP addresses that are proxies:
# You can swap the version used by replacing v24.0 with a different version.
curl -G \
  -d 'access_token=<ACCESS_TOKEN>' \
  -d type=IP_ADDRESS \
  -d text=proxy \
  "https://graph.facebook.com/v24.0/threat_indicators"

{
  "data": [
    {
      "indicator": "77.2.132.202",
      "type": "IP_ADDRESS",
      "id": "675010235935327"
    },
    ...
  ],
  "paging": {
    "cursors": {
      "before": "MAZDZD",
      "after": "MjQZD"
    },
    "next": "https://graph.facebook.com/v24.0/threat_indicators[...]"
  }
}
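
The query and the paged response above, as an added Python example (not code from the ThreatExchange documentation). It builds the request from the listed parameters, enforces the 1,000 page-size limit, follows paging.next only back to the same HTTPS host, and masks access_token before a URL is logged. The names build_query, redact, http_get and iter_indicators are hypothetical, and it is an assumption that a paging.next link can carry the access_token in its query string.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import urlopen

ENDPOINT = "https://graph.facebook.com/v24.0/threat_indicators"
MAX_LIMIT = 1000  # page-size ceiling from the parameter list
FILTERS = {"text", "sort_order", "sort_by", "strict_text", "threat_type",
           "type", "since", "until", "fields"}

def build_query(app_id, app_secret, limit=500, **filters):
    """First-page URL; access_token is <app-id>|<app-secret> as described."""
    unknown = set(filters) - FILTERS
    if unknown:
        raise ValueError(f"unsupported parameters: {sorted(unknown)}")
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    params = {"access_token": f"{app_id}|{app_secret}", "limit": limit, **filters}
    return f"{ENDPOINT}?{urlencode(params)}"

def redact(url):
    """Copy of url that is safe to log: the access_token value is masked."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "access_token" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def http_get(url):
    """Default fetcher: one HTTPS GET, JSON-decoded."""
    with urlopen(url, timeout=30) as resp:
        return json.load(resp)

def iter_indicators(first_url, fetch=http_get, max_pages=50):
    """Yield indicator objects from every page, following paging.next."""
    url, trusted = first_url, urlsplit(ENDPOINT)
    for _ in range(max_pages):
        page = fetch(url)
        yield from page.get("data", [])
        url = page.get("paging", {}).get("next")
        if not url:
            return
        nxt = urlsplit(url)
        # Only follow links back to the same HTTPS host, so a request that
        # may carry the token is never sent to another server.
        if (nxt.scheme, nxt.netloc) != (trusted.scheme, trusted.netloc):
            raise ValueError(f"refusing paging link: {redact(url)}")
```

Pass a different fetch callable to replay saved responses or to route requests through your own HTTP client; log redact(url), never the raw URL.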