A label which groups Malware, ThreatDescriptor, and/or MalwareFamily objects. Once objects are tagged, you can use tags to narrow your search queries in TE.
| Parameter | Description | Type |
|---|---|---|
| id | Unique identifier of the threat tag | |
| text | The text for this tag | |
The text of tags is case insensitive, restricted to letters, numbers, underscores, and colons, and must be UTF-8 friendly. So "שלום" is a valid text, but "#example-tag" is not.
Example query for a specific ThreatTag: 908180082612873
Data returned:
```json
{ "id": "908180082612873", "text": "evilevil" }
```
Example of searching for a tag by text 'evilevil'. Note that partial tag search is supported.
```
https://graph.facebook.com/v2.7/threat_tags/?access_token=555|aSdF123GhK&text=evilevil
```
Data returned:
```json
{ "data": [ { "id": "908180082612873", "text": "evilevil" } ... ] }
```
| Name | Description | Type |
|---|---|---|
| tagged_objects | The objects tagged with this text. | |
The following query parameters are available:
- tagged_since: Fetches all objects that have been tagged since this time (inclusive).
- tagged_until: Fetches all objects that have been tagged until this time (inclusive).

Tagged objects are returned in ascending order of when the tag was applied. This timestamp is currently not exposed by the API, but it is the same one used by tagged_since and tagged_until. While this API can be used to create a copy of data in ThreatExchange, the threat_updates API may be better suited for your use case.
Example of tagged objects for a specific ThreatTag: 908180082612873
```
https://graph.facebook.com/v2.7/908180082612873/tagged_objects/?access_token=555|aSdF123GhK
```
Data returned:
```json
{ "data": [ { "id": "1039423046092869", "type": "THREAT_DESCRIPTOR", "name": "test1464195852.evilevillabs.com" }, ... ] }
```
Example of tagged objects for a ThreatTag with the text 'ducks'
```
https://graph.facebook.com/v2.7/threat_tags/?access_token=555|aSdF123GhK&text=ducks&fields=id,text,tagged_objects
```
Data returned:
```json
{ "data": [ { "id": "501159930008561", "text": "ducks", "tagged_objects": { "data": [ { "id": "1162586023812794", "type": "THREAT_DESCRIPTOR", "name": "test1469481750.evilevillabs.com" }, ... ] } } ] }
```
You can create a ThreatTag on-the-fly while creating a ThreatDescriptor. If the ThreatTag does not exist, a new one will be created and applied to the new ThreatDescriptor.
```
https://graph.facebook.com/v2.7/threat_descriptors?access_token=555|aSdF123GhK
POST DATA:
tags=cows,bar
&type=DOMAIN
&indicator=test1466722733.evilevillabs.com
&description=this is an example with tags
&privacy_type=VISIBLE
&share_level=GREEN
&status=UNKNOWN
```
Data returned:
```json
{ "success": true, "id": "1162586023812794" }
```
To create a ThreatTag without labeling any objects, you can post to the /threat_tags endpoint explicitly:
```
https://graph.facebook.com/v2.7/threat_tags?access_token=555|aSdF123GhK
POST DATA:
text=superlongtagfortestingcreation
&objects=973966502652751,898684593584287
```
Data returned:
```json
{ "success": true, "id": "1373232162693002" }
```
Example of updating a ThreatDescriptor with more tags. If the tag does not exist, a new one will be created and applied to this ThreatDescriptor.
```
https://graph.facebook.com/v2.7/1162586023812794?access_token=555|aSdF123GhK
POST DATA:
tags=ducks,chicken
```
Data returned:
```json
{ "success": true }
```
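The following is an added Python example, not code from ThreatExchange or its documentation, that ties the pieces above together: it checks tag text against the rules stated earlier (letters, digits, underscores and colons in any script), builds the tagged_objects URL with the optional tagged_since/tagged_until window, prepares the form body for creating a ThreatDescriptor with tags, and flattens the two response shapes shown above into (id, type, name) triples. Lower-casing tags locally and the function names are my own choices; the endpoints, parameters and sample values come from the page.

```python
import re
import urllib.parse

GRAPH_BASE = "https://graph.facebook.com/v2.7"

# Tag text: letters and digits in any script, plus underscore and colon, so "שלום"
# is valid but "#example-tag" is not. Python 3's \w is Unicode-aware by default.
_TAG_TEXT = re.compile(r"[\w:]+")

def is_valid_tag_text(text):
    return _TAG_TEXT.fullmatch(text) is not None

def normalize_tags(tags):
    """Lower-case (the API is case insensitive; this local folding is an assumption),
    de-duplicate, and reject text the API would not accept."""
    out = []
    for tag in tags:
        if not is_valid_tag_text(tag):
            raise ValueError("invalid tag text: %r" % tag)
        if tag.lower() not in out:
            out.append(tag.lower())
    return out

def tagged_objects_url(token, tag_id, tagged_since=None, tagged_until=None):
    """GET /{tag-id}/tagged_objects with the optional inclusive time window."""
    params = {"access_token": token, "tagged_since": tagged_since,
              "tagged_until": tagged_until}
    query = urllib.parse.urlencode({k: v for k, v in params.items() if v is not None})
    return "%s/%s/tagged_objects/?%s" % (GRAPH_BASE, tag_id, query)

def create_descriptor_form(indicator, ind_type, tags, description):
    """Form body for POST /threat_descriptors; tags are comma-joined as on the page."""
    return {"type": ind_type, "indicator": indicator, "description": description,
            "tags": ",".join(normalize_tags(tags)), "privacy_type": "VISIBLE",
            "share_level": "GREEN", "status": "UNKNOWN"}

def tagged_objects_from(page):
    """Flatten (id, type, name) from either response shape on the page: a
    /tagged_objects page, or a /threat_tags search with fields=tagged_objects."""
    out = []
    for item in page.get("data", []):
        if "tagged_objects" in item:   # search response: objects nested under each tag
            out.extend(tagged_objects_from(item["tagged_objects"]))
        elif "type" in item:           # /tagged_objects response: objects at top level
            out.append((item["id"], item["type"], item.get("name")))
    return out
```

Because the access token travels in the query string, treat the URLs these helpers return as secrets (keep them out of logs and shared links).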
Here is a list of the most popular tags categorizing data related to attacks:
| Name | Description |
|---|---|
| | Theft of an OAuth style or similar access token |
| | A bogus IP address |
| | A bot |
| | Repeated attempts to access an authenticated resource |
| | Any UI redressing or similar type of attack redirecting a person's clicks |
| | The associated party has been compromised |
| | A party which stalks another online |
| | Associated with drugs |
| | Sending of unsolicited email |
| | Pornographic or otherwise explicit content |
| | A set of tools used to take advantage of vulnerabilities |
| | An account associated with no real entity, often used for abuse |
| | Associated with financials, perhaps fraud |
| | Infringement on the rights of an intellectual property holder |
| | A malicious web app |
| | A malicious name server |
| | A malicious web server |
| | The use of online advertising to spread malware |
| | A malware-based attack |
| | Interserver DNS messages are being captured, recorded, and potentially exfiltrated |
| | An attempt to obtain credentials via a deceptive lure |
| | Illegal replication of protected property |
| | A proxy host |
| | A generic type of scam |
| | Port scanning to map a network |
| | Systematic traversal of a network and recording of data |
| | Attack where a person is social engineered into pasting malicious code into their browser's address bar or developer console |
| | A person is convinced to share spammy content in exchange for a fictitious product or content |
| | An attack conducted by a sophisticated actor and directed at a specific target |
| | Associated with terrorist attacks or groups |
| | Related to the illegal trade of arms |
| | A malicious web app |
Here is a list of the most popular tags categorizing data by type:
| Name | Description |
|---|---|
| | Details on a presumed bad actor (e.g. botherder, spammer) |
| | The credential compromised by an attack (must be already publicly accessible) |
| | For high-value victim targeting |
| | A malicious advertisement |
| | An API key which is being abused |
| | A malicious post, image, or document |
| | A malicious Internet domain |
| | A malicious piece of code that is injected into another file, process, or DOM |
| | A malicious IP address |
| | A malicious IP address range |
| | A malicious SSL certificate |
| | A specific piece of Malware |
| | A victim of Malware |
| | An IP address known to be a proxy or VPN |
| | Represents some means or pattern for detecting a threat |
| | A full web request, optionally with GET query parameters |
| | An Internet domain that should be treated as non-malicious |
| | An IP address that should be treated as non-malicious |
| | A URI that should be treated as non-malicious |