V 4 Apidocs

openapi: 3.0.
0
info:
title: Intel API v4
version: '4.0'
x-logo:
url: https://api.intelligence.fireeye.com/docs/images/logo-af294508.png
backgroundColor: #FFFFFF
altText: FireEye logo
contact:
url: 'https://www.fireeye.com/support/contacts.html'
email: support@fireeye.com
termsOfService: 'https://www/fireeye.com/company/legal.html'
description: The FireEye Threat Intelligence API (Intel API) provides machine-to-
machine integration with the most contextually rich threat intelligence data
available on the market today. The API provides automated access to much more than
indicators of compromise (IOCs) — IP addresses, domain names, URLs the bad
guys are using — it also provides infomation on the adversary, which further
enriches integrations. Security\nSecurity is a critical part of any API and the
FireEye Threat Intelligence API is no expection. The API provides support for a
comprehensive approach to [authentication](./docs/authentication.md) that is built
upon both HTTP Basic and OAuth2.
security:
- OAuth: []
servers:
- url: 'https://api.intelligence.fireeye.com'
description: Defines the root
tags:
- name: Authentication Endpoints
- name: Actor Endpoints
- name: Malware Endpoints
- name: Indicator Endpoints
- name: Vulnerability Endpoints
paths:
'/token':
post:
summary: Authenticate the client
security:
- BasicAuth: []
requestBody:
description: "Authentication is accomplished by making a HTTP POST request
to the `/token` endpoint, using HTTP Basic Authentication, as described in [Section
4.4 of RFC 6749](https://tools.ietf.org/html/rfc6749#section-4.4). The body of the
request must contain a string the specifies the `grant_type` of
''client_credentials''."
required: true
content:
application/x-www-form-urlencoded:
schema:
type: object
properties:
grant_type:
type: string
default: "client_credentials"
scope:
type: string
default: ""
operationId: authenticate
description: |-
FireEye Intelligence API user the [OAuth2 2.0 Authorization Framework]
(https://tools.ietf.org/html/rfc6749), specifically, the [Client Credentials Grant]
(https://tools.ietf.org/html/rfc6749#section-4.4), to grant access to the API
endpoints.
Before using an API endpoint, your client application must exchange a set
of credentials for a time-limited JSON Web Token (JWT) access token. This token is
used for all further requests to the API's endpoints to grant access.
tags:
- Authentication Endpoints
parameters:
- $ref: '#/components/parameters/parameter-accept-header'
responses:
'200':
description: OK - The request has succeeded.
content:
application/json:
schema:
type: object
properties:
access_token:
type: string
description: 'The àccess_token` will be used in the
Authorization header as a bearer token. See [Bearer Token
Usage](https://tools.ietf.org/html/rfc6750) for more details.'
token_type:
type: string
description: 'The type of the token issued as described in
[Section 7.1 of the OAuth 2 spec](https://tools.ietf.org/html/rfc6749#section-7.1).
The value is case insensitive. It will always be `bearer`.'
expires_in:
type: integer
format: int32
description: 'The èxpires_in` value indicates the lifetime of
the ''access token'' expressed in seconds. For example, the value 3600 denotes that
the access token will expire in one hour from the time the response was generated.
Unless the token has been revoked, this token may be used until it expires, which
is generally **twelve hours**. After this point, the client must reauthenticate to
receive a new token.'
required:
- access_token
- token_type
- expires_in
examples:
example: {}
headers:
Content-Type:
schema:
type: string
enum:
- application/json
description: Identifies the format of the response
required: true
'400':
description: Bad Request - The server did not understand the request
content:
application/taxii+json;version=2.1:
schema:
$ref: '#/components/schemas/error'
headers:
Content-Type:
schema:
type: string
enum:
- application/taxii+json;version=2.1
required: true
'415':
description: Unsupported Media Type- The client attempted to POST a
payload with a content type the server does not support
content:
application/taxii+json;version=2.1:
schema:
$ref: '#/components/schemas/error'
headers:
Content-Type:
schema:
type: string
required: true
'/v4/actor':
get:
summary: Returns a list of all Actors based on license level.
description: 'Provide a List of all actors. The list of actors returned will
depend upon the license level of the user. If the user has a Fremium License, only
Fremium Actors will be returned, else all actors will be returned.'
tags:
- Actor Endpoints
parameters:
- $ref: '#/components/parameters/parameter-authorization-header'
- $ref: '#/components/parameters/parameter-X-App-Name-header'
- $ref: '#/components/parameters/parameter-limit-query'
- $ref: '#/components/parameters/parameter-offset-query'
responses:
'200':
description: A JSON array containing Actor Summary Record.
content:
application/json:
schema:
type: array
description: ''
minItems: 1
uniqueItems: true
items:
type: object
required:
- id
- name
- description
- aliases
- last_updated
- target_industries
properties:
id:
type: string
minLength: 1
name:
type: string
minLength: 1
description:
type: string
minLength: 1
aliases:
type: array
uniqueItems: true
minItems: 1
items:
required:
- name
- attribution_scope
properties:
name:
type: string
minLength: 1
attribution_scope:
type: string
minLength: 1
examples:
Freemium Response:
description: Data returned will have all values for Aliases.
value:
- id: threat-actor--0ac5c1db-8ad6-54b8-b4b9-c32fc738c54a
last_updated: "2021-08-03T06:01:08.000Z"
name: APT1
description: APT1 refers to a distinct grouping of global
cyber espionage activity with a nexus to China. Based on available data, we assess
that this is a nation-state-sponsored group located in China. Specifically, we
believe that APT1 is the 2nd Bureau of the People's Liberation Army (PLA) General
Staff Department's 3rd Department, or Unit 61398. The activity is distinguished by
the use of common infrastructure and tools and a clear intent to collect
intelligence on a number of issues that may be of interest to the People's Republic
of China (PRC).
aliases: redacted
target_industries: redacted
- id: threat-actor--547739f1-8168-5768-9227-91c1b19eb325
last_updated: "2021-08-03T06:01:08.000Z"
name: APT2
description: 'APT2 is a China-nexus cyber espionage group
that has been recorded as far back as 2010. Their activity targets several
industries, including military and aerospace. APT2 engages in cyber operations
where the goal is intellectual property theft, usually focusing on the data and
projects that make an organization competitive within its field.'
aliases: redacted
target_industries: redacted
'204':
$ref: '#/components/responses/response-204'
'400':
'401':
'403':
'/v4/actor/{id}':
get:
summary: Detailed information for the actor id specified in {id}.
tags:
- Actor Endpoints
responses:
'200':
description: Ok - The request has succeeded
headers:
Accept:
schema:
type: string
description: Identifies the format of the response, e.g.
application/json
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/endpoints-actor-id-response'
'204':
'400':
'401':
'403':
operationId: get-actor-details
description: Details information about actor.
parameters:
- name: id
in: path
description: Actor Id
required: true
example: threat-actor--0ac5c1db-8ad6-54b8-b4b9-c32fc738c54a
schema:
type: string
'/v4/actor/{id}/reports':
get:
tags:
- Actor Endpoints
summary: Fetch all reports associated with the given actor
description: 'This API Endpoint will return, depending upon Users JWT Token,
all the information about a Specific Actor'
parameters:
- name: id
in: path
required: true
schema:
type: string
- in: query
name: offset
schema:
type: integer
description: 'OPTIONAL. The number of items to skip before starting to
collect the result set. If not specified, defaults to ZERO (0).'
example: 2
- in: query
name: limit
schema:
type: integer
description: 'OPTIONAL. The numbers of items to return. If not specified,
defaults to TEN (10).'
example: 20
responses:
'200':
description: Return all relevant reports associated with an actor or an
Empty array in case there are none.
content:
application/json:
schema:
description: ''
type: object
properties:
reports:
type: array
uniqueItems: true
minItems: 1
items:
required:
- id
- report_id
- report_type
- title
- published_date
- version
- attribution_scope
- intelligence_type
- audience
properties:
id:
type: string
minLength: 1
title:
type: string
minLength: 1
published_date:
type: string
minLength: 1
version:
type: string
minLength: 1
audience:
type: array
uniqueItems: true
items:
type: object
properties:
license:
type: string
minLength: 1
name:
type: string
minLength: 1
required:
- id
- name
last_updated:
type: string
minLength: 1
name:
type: string
minLength: 1
description:
type: string
minLength: 1
id:
type: string
minLength: 1
required:
- reports
- last_updated
- name
- description
- id
examples:
Freemium:
value:
reports:
- id: report--941427df-61a3-51c0-9d51-c4ca569bb677
report_id: 16-00018668
report_type: Industry Reporting
title: 'Industry Brief: Defense Industrial Base'
published_date: 'November 22, 2016 09:14:00 AM'
version: '1'
attribution_scope: confirmed
intelligence_type: "threat"
audience:
- name: "Strategic"
license: INTEL_RBI_EXEC
- id: report--c1129853-6ded-592a-acc3-661bb1feb7ec
report_id: 20-00025093
report_type: "Trends and Forecasting"
title: 'Not Too Obvious to Mention: APT and FIN Groups
Continue Extensive Use of Publicly Available Malware'
published_date: 'January 08, 2021 01:50:00 PM'
version: '1'
attribution_scope: confirmed
audience:
- name: "Strategic"
license: INTEL_RBI_EXEC
last_updated: '2021-08-03T06:01:08.000Z'
name: APT1
description: "APT1 refers to a distinct grouping of global
cyber espionage activity with a nexus to China. Based on available data, we assess
that this is a nation-state-sponsored group located in China. Specifically, we
believe that APT1 is the 2nd Bureau of the People's Liberation Army (PLA) General
Staff Department's 3rd Department, or Unit 61398. The activity is distinguished by
the use of common infrastructure and tools and a clear intent to collect
intelligence on a number of issues that may be of interest to the People's Republic
of China (PRC)."
id: threat-actor--0ac5c1db-8ad6-54b8-b4b9-c32fc738c54a
'/v4/actor/{id}/attack-pattern':
summary: Fetch all Mitre Mappings associated with the actor
get:
tags:
- Actor Endpoints
summary: Fetch all Mitre Mappings associated with the given actor
all the mitre info about a Specific Actor'
parameters:
- name: id
in: path
required: true
schema:
type: string
responses:
'200':
description: Return all relevant Mitre info associated with an actor or
an Empty array in case there are none.
content:
application/json:
schema:
$ref: '#/components/schemas/attack-pattern'
examples:
Freemium:
value:
x_mitre_is_subtechnique: false
created: "2017-05-31T21:31:25.454Z"
name: Email Collection
attack_pattern_identifier: T1114
modified: "2020-03-24T18:31:06.417Z"
description: Adversaries may target user email to collect
sensitive information. Emails may contain sensitive data, including trade secrets
or personal information, that can prove valuable to adversaries. Adversaries can
collect or forward email from mail servers or clients.
id: attack-pattern--1608f3e1-598a-42f4-a01a-2e252e81728f
operationId: attack_pattern_by_actor_id
'/v4/actor/attack-pattern':
post:
summary: Search for attack patterns by associated IDs
description: Search for attack patterns by associated IDs.
tags:
- Actor Endpoints
parameters:
- $ref: '#/components/parameters/parameter-content-type-header'
responses:
'200':
description: Return all relevant Mitre info associated with a threat
actor.
content:
application/json:
schema:
$ref: '#/components/schemas/ActorAttackPatterns'
'401':
description: No authentication was provided.
'403':
description: Invalid token or token doesn't have the correct scope.
operationId: post_attack_pattern_actor_by_list
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/IDList'
examples:
actor-list:
summary: An example list of IDs to query.
value:
ids:
- threat-actor--0ac5c1db-8ad6-54b8-b4b9-c32fc738c54a
- threat-actor--547739f1-8168-5768-9227-91c1b19eb325
'/v4/actor/{id}/history':
parameters:
- schema:
type: string
name: id
in: path
required: true
get:
summary: Get the actor merge history and suspected groups
tags:
- Actor Endpoints
responses:
'200':
description: OK
content:
application/json:
schema:
description: ''
type: object
properties:
id:
type: string
minLength: 1
name:
type: string
minLength: 1
history:
type: array
uniqueItems: true
minItems: 1
items:
type: object
properties:
id:
type: string
minLength: 1
name:
type: string
minLength: 1
merged:
type: string
minLength: 1
history:
type: array
uniqueItems: true
minItems: 1
items:
type: object
properties:
id:
type: string
minLength: 1
name:
type: string
minLength: 1
merged:
type: string
minLength: 1
history:
type: array
items:
type: object
required:
- id
- name
- merged
required:
- id
- name
- merged
suspected_groups:
type: array
uniqueItems: true
minItems: 1
items:
type: object
properties:
id:
type: string
minLength: 1
name:
type: string
minLength: 1
attribution_scope:
type: string
minLength: 1
applied:
type: string
minLength: 1
required:
- id
- name
- attribution_scope
- applied
required:
- id
- name
examples:
Freemium Response:
value:
name: apt35
history:
id: threat-actor--e6345d14-a19a-52a1-a2d1-f1da49f034a9
name: UNC240
merged: "2015-12-29T23:21:46Z"
history: []
suspected_groups: []
'401':
description: Unauthorized
'403':
description: Forbidden
operationId: get-actor-id-history
description: Get the actor merge history and suspected groups
'/v4/actor/vocab':
parameters:
get:
summary: Vocabulary for actors
tags:
- Actor Endpoints
responses:
'200':
description: OK
content:
application/json:
schema:
description: ''
type: object
properties:
malware:
type: array
items:
type: string
target_locations:
type: array
items:
type: string
target_industries:
type: array
items:
type: string
source_locations:
type: array
items:
type: string
required:
- malware
- target_locations
- target_industries
- source_locations
examples:
Vocab Response:
value:
malware:
- BEACON
- SOGU
- PI
- GH0ST
- EMPIRE
- HOMEUNIX
- HTRAN
- METERPRETER
- CHINACHOP
- SOGU.COOKIE
- SOGU.DEFAULT
- ZXSHELL
- ASPXSPY
- COBALT
- NETWIRE
- SAFERSING
- NJRAT
- SHORTBENCH
- WMIEXEC
- QUASARRAT
- GH0ST.4768307374
- METASPLOIT.BLOCK_REVERSE_TCP
- METASTAGE
- SQUIDGATE
- COATHOOK
- JSPRAT
- PHOTO
- SOGU.UDP
- SQUIDSLEEP
- BADLANE
- BEACON.HTTPSSTAGER
- BEACON.SMB
- GETHASHES
- HIGHNOON
- QUICKBALL
- SHORTLEASH
- SOGU.DNS
- WISEPICK
- XDOOR
- BLASTPAD
- BLINDTOAD
- BLUESTEAL
- BULLZKIT
- BULLZLINK
- COOLPANTS
- HOUDINI
- INVOKEMIMIKATZ
- KAYSLICE.V1
- ROCKETSHIP
- SEASHARPEE
target_locations:
- United States of America
- United Kingdom
- Canada
- Germany
- South Korea
- India
- France
- Japan
- Philippines
- Saudi Arabia
- Italy
- Malaysia
- Switzerland
- United Arab Emirates
- Australia
- Taiwan
- Sweden
- Turkey
- Belgium
- Denmark
- Hong Kong
- Netherlands
- Thailand
- Israel
- Poland
- Qatar
- Singapore
- Pakistan
- Russia
- Austria
- Spain
- China
- South Africa
- Ireland
- Ukraine
- Vietnam
- Mongolia
- Norway
- Chile
- Egypt
- Kazakhstan
- Mexico
- Argentina
- Belarus
- Brazil
- Costa Rica
- Georgia
- Iraq
- Jordan
- Kuwait
target_industries:
- Manufacturing
- Technology
- Financial Services
- Legal & Professional Services
- Governments
- Media & Entertainment
- Construction & Engineering
- Retail
- Telecommunications
- Transportation
- Chemicals & Materials
- Hospitality
- Aerospace & Defense
- Energy & Utilities
- Healthcare
- Civil Society & Non-Profits
- Education
- Oil & Gas
- Insurance
- Pharmaceuticals
- Automotive
- Agriculture
source_locations:
- China
- Unknown
- Iran
- Russia
- East Europe
- North Korea
- Pakistan
- India
- Palestine
- South Korea
- Colombia
- Vietnam
- Asia
- East Asia
- Kazakhstan
- South East Asia
- Ukraine
operationId: get-actor-vocab
description: Get all the vocabs for actor
'/v4/malware':
get:
summary: Get the list of Malware
description: 'Provide a List of all Malware. The list of malware returned
will depend upon the License of the user. If the user has a Fremium License, only
Fremium Malware will be returned, else all malware will be returned.'
tags:
- Malware Endpoints
parameters:
- in: query
name: offset
schema:
type: integer
example: 2
- in: query
name: limit
schema:
type: integer
example: 20
responses:
'200':
description: A JSON array containing Malware Summary Record.
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/endpoints-malware-summary-response'
examples:
Freemium Response:
description: Malware Summary data
value:
malware:
- id: malware--81f821d1-4ec9-534d-8dc7-53da47e5074a
name: 008S
last_updated: "2021-08-04T02:10:12.000Z"
description: "The 008S malware family is modular. Upon
initial infection, 008S will call out to the configured C&C to determine what
plugins should be downloaded and loaded into the malicious process. The additional
plugins extend functionality of the malware."
aliases: redacted
intel_free: false
has_yara: false
roles: redated
- id: malware--bf69c98d-74a5-5a37-92c6-1fb5a4bc8cb9
name: 1487SHELL
last_updated: "2021-08-04T02:10:12.000Z"
description: "1487 Shell is a webshell. It is capable of
using authentication, file upload and download, file modification, file system
enumeration, and command line command execution."
aliases: redacted
intel_free: false
has_yara: false
roles: redacted
attack-patterns: {}
'401':
description: Not authenticated
'403':
description: Access token does not have the required scope.
'/v4/malware/{id}':
summary: Represents an Individual Malware
description: |
This resource represents an individual Malware in the system.
Each Malware is identified by a unique ìd`.
get:
tags:
- Malware Endpoints
summary: Get all Details about a Malware
all the information about a Specific Malware'
parameters:
- name: id
in: path
description: Malware Id
required: true
example: malware--81f821d1-4ec9-534d-8dc7-53da47e5074a
schema:
type: string
responses:
'200':
description: Return the details of a Malware
content:
application/json:
schema:
$ref: '#/components/schemas/endpoints-malware-id-response'
examples:
Freemium Response:
value:
id: malware--81f821d1-4ec9-534d-8dc7-53da47e5074a
name: 008S
description: 'The 008S malware family is modular. Upon initial
infection, 008S will call out to the configured C&C to determine what plugins
should be downloaded and loaded into the malicious process. The additional plugins
extend functionality of the malware.'
lastUpdated: 2021-07-15T02:10:13.000Z
last_activity_time: 2021-07-15T02:10:13.000Z
operating_systems: ["Windows"]
inherentily_malicious: 1
aliases: redacted
capabilities: redacted
industries: []
detections:
["FE_APT_Backdoor_008S_3","FE_APT_Backdoor_008S_2","FE_APT_Backdoor_008S_1","Backdo
or.APT.008S"]
yara:
- id: "signature--b5fee77d-aca1-5bd3-91a2-b6ddd000def2"
name: "FE_APT_Backdoor_008S_3"
- id: "signature--37996758-c282-5016-8a3c-c6a6a413208a"
- id: "signature--69ee8cd5-1632-5233-aebc-de2a8db688c4"
roles: redacted
malware: []
actors:
- id: "threat-actor--f5f39f1e-a22d-549d-9cff-303c1ee493ad"
- name: "UNC794"
- country_name: "China"
- iso2: "CN"
cve: redacted
counts:
reports: 5
capabilities: 41
malware: 0
actors: 1
detections: 4
cve: 4
aliases: 2
industries: 0
intel_free: false
audience:
- name: intel_fusion
license: INTEL_RBI_FUS
- name: intel_ce
license: INTEL_CYB_ESP
- name: intel_oper
license: INTEL_RBI_OPS
- name: tlp_marking
license: green
operationId: malware_by_id
'/v4/malware/attack-pattern':
post:
summary: Get Attack Patterns by Malware ID(s)
description: |-
Gets attack patterns associated with specific pieces of malware.
Fetch attack patterns for the list of malware ids
tags:
- Malware Endpoints
parameters:
responses:
'200':
description: Return all relevant Mitre info associated with a piece of
malware.
content:
application/json:
schema:
$ref: '#/components/schemas/MalwareAttackPatterns'
examples:
Freemium Response:
description: Malware attack pattern summary
value:
- id: "malware--81f821d1-4ec9-534d-8dc7-53da47e5074a"
name: "008S"
attack-patterns: redacted
- id: "malware--bf69c98d-74a5-5a37-92c6-1fb5a4bc8cb9"
name: "1487SHELL"
'401':
'403':
operationId: post_attack_pattern_malware_by_list
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/IDList'
examples:
malware-list:
summary: An example list of IDs to query.
value:
ids:
- malware--81f821d1-4ec9-534d-8dc7-53da47e5074a
- malware--bf69c98d-74a5-5a37-92c6-1fb5a4bc8cb9
'/v4/malware/{id}/attack-pattern':
summary: Fetch all Mitre Mappings associated with the Malware
get:
tags:
- Malware Endpoints
summary: Fetch all Mitre Mappings associated with the given Malware
all the mitre info about a Specific Malware'
parameters:
- name: id
in: path
description: Malware Id
required: true
example: malware--81f821d1-4ec9-534d-8dc7-53da47e5074a/attack-pattern
schema:
type: string
responses:
'200':
description: Return all relevant Mitre info associated with an actor or
an Empty array in case there are none.
content:
application/json:
schema:
$ref: '#/components/schemas/endpoints-attack-pattern-id-response'
examples:
Freemium Response:
value:
name: 008s
operationId: attack_pattern_by_malware_id
'/v4/malware/{id}/reports':
get:
tags:
- Malware Endpoints
summary: Fetch all reports associated with the given Malware
all the information about a Specific Malware'
parameters:
- name: id
in: path
description: Malwre Id
required: true
schema:
type: string
- in: query
name: offset
schema:
type: integer
example: 2
- in: query
name: limit
schema:
type: integer
example: 20
responses:
'200':
description: Return all relevant reports associated with a Malware or an
Empty array in case there are none.
content:
application/json:
schema:
$ref: '#/components/schemas/endpoints-report-response'
examples:
Freemium Response:
value:
name: 008S
last_updated: "2021-08-04T02:10:12.000Z"
description: "The 008S malware family is modular. Upon initial
infection, 008S will call out to the configured C&C to determine what plugins
should be downloaded and loaded into the malicious process. The additional plugins
extend functionality of the malware."
reports:
- id: "20-00019837"
title: 008s Malware Overview
published_date: "September 30, 2020 10:39:00 AM"
version: '1'
- id: "15-00005590"
title: Latest Bolo Team Cyber Espionage Operations Leverage
008S Trojan, Malware Linked to Baihong Soft
published_date: "June 22, 2015 01:11:00 PM"
version: '1'
- id: "17-00006383"
title: Cyber Espionage Operation Targeting Vietnam with
ASEAN and APEC Economic-Themed Lures
published_date: "June 16, 2017 09:20:00 AM"
version: '1'
- id: "17-00010603"
title: "Cyber Espionage Indicator Roundup – Sept. 26, 2017:
New Activity from TEMP.Lapis, TEMP.Reaper, TEMP.Katar, and Chinese Actors"
published_date: "September 27, 2017 08:27:00 AM"
version: '1'
- id: "18-00003390"
title: "Cyber Espionage Indicator Roundup, Feb.27, 2018 –
New Activity from APT10, Hangover Team, TEMP.Katar, Fallout Team, APT36 (Lapis),
and Bolo Team"
published_date: "February 27, 2018 02:15:00 PM"
version: '2'
'/v4/malware/vocab':
get:
summary: Get Malware Vocabulary
description: Gets the vocabulary associated with malware.\nGets the
vocabulary associated with malware.
tags:
- Malware Endpoints
parameters:
responses:
200:
description: Vocabulary for malware
content:
application/json:
schema:
$ref: '#/components/schemas/MalwareVocab'
examples:
Vocab Response:
value:
malware_role:
- "Backdoor"
- "Downloader"
- "Dropper"
- "Credential Stealer"
- "Utility"
- "Ransomware"
- "Launcher"
- "Lightweight Backdoor"
- "Dropper - Memory Only"
- "Reconnaissance Tool"
- "Data Miner"
- "Backdoor - Webshell"
- "Keylogger"
- "Point-of-Sale Malware"
- "Tunneler"
- "Disruption Tool"
- "Privilege Escalation Tool"
- "Lateral Movement Tool"
- "Uploader"
- "Backdoor - Botnet"
- "Controller"
- "Installer"
- "Remote Exploitation Tool"
- "ATM Malware"
- "Rootkit"
- "Spambot"
- "Builder"
- "Driver"
- "Macro"
- "Sniffer"
- "Module"
- "Shellcode"
- "Cryptocurrency Miner"
- "Framework"
- "Screen Capture Tool"
- "Exploit Builder"
- "Archiver"
- "Configuration File"
- "Exploit"
- "File Infector"
malware_capabilities:
- "Create files"
- "Terminates processes"
- "Read files"
- "Encrypts data with XOR"
- "Gets common file path"
- "Creates processes"
- "Delete files"
- "Create thread"
- "Encoding capabilities"
- "Find files"
- "Open Windows registry key"
- "Capture operating system information"
- "Allocates memory"
- "Query Windows registry key values"
- "Send data"
- "Encodes using Base64"
- "Gets environmental variable value"
- "Capture disk information"
- "Anti-VM capabilities"
- "Loads data from a PE resource"
- "Capture hostname"
- "Create Windows registry key value"
- "Encrypts data with RC4"
- "Receive data"
- "Create directories"
- "Sets environmental variable"
- "Communicates using UDP"
- "Create Windows registry key"
- "Copy files"
- "Move files"
- "Communicates using HTTP"
- "Constructs mutex"
- "Reads memory"
- "Writes memory"
- "Lists processes"
- "Sets file attribute"
- "Create a named pipe"
- "Communicates using raw sockets"
- "Modify process privileges"
- "Download files"
- "Enumerate current user"
- "Deletes Windows registry keys or values"
- "Kill thread"
- "Anti-debug capabilities"
- "Calculates MD5 hashes"
- "Capture network configuration"
- "Persistence via Windows registry Run key"
- "Execute files"
- "Upload files"
- "Encrypts data with AES"
malware_os:
- "Windows"
- "Linux"
- "Mac"
- "Android"
- "Unix"
401:
403:
operationId: get_malware_vocab
'/v4/actor/{actor_id}/indicators':
get:
summary: List of Indicators for a given Actor
description: |-
Returns the list of indicators for a given Threat Actor. By default, if no
attribution is provided, indicators
associated with the Actors as well as its associated UNC groups are also
returned.
tags:
- Actor Endpoints
- Indicator Endpoints
parameters:
- required: true
schema:
type: string
in: path
description: The ID of the Threat Actor or UNC Group.
name: actor_id
- $ref: '#/components/parameters/parameter-limit-query'
- $ref: '#/components/parameters/parameter-offset-query'
responses:
'200':
description: A set of indicators associated with a given actor matching
the requested pattern.
content:
application/json:
schema:
$ref: '#/components/schemas/actor-indicator'
examples:
Freemium Response:
value:
indicator_count:
total: 83
hash: 0
url: 0
fqdn: 14
ipv4: 69
email: 0
name: APT1
indicators:
- first_seen: "2020-05-30T11:05:00.000Z"
last_seen: "2020-05-30T11:05:00.000Z"
mscore: 81
attributed_associations:
- name: APT1
type: threat-actor
id: "ipv4--b06d7e71-55b6-566a-8065-61ed770e31e7"
type: "ipv4"
value: "123.53.237.122"
'204':
'400':
'401':
'403':
post:
summary: Search Actor Indicators
description: This Endpoint accepts a set of POST parameters to filter on
Actor Indicators.
tags:
- Actor Endpoints
parameters:
- required: true
schema:
type: string
in: path
description: The ID of the Threat Actor or UNC Group.
name: actor_id
responses:
'200':
description: A set of indicators associated with a given malware
content:
application/json:
schema:
$ref: '#/components/schemas/actor-indicator'
examples:
freemium_1:
value:
id: "threat-actor--0ac5c1db-8ad6-54b8-b4b9-c32fc738c54a"
indicator_count:
total: 0
hash: 0
url: 0
fqdn: 0
ipv4: 0
email: 0
name: APT1
indicators: []
'401':
'403':
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/indicator-search-filter'
examples:
everything:
summary: An example showing all parameters.
value:
limit: 10
offset: 0
sort_by:
- first_seen
- last_seen
- value
- type
- mscore
sort_order: asc
filters:
- md5
- ipv4
- sha1
- sha256
- email
- url
- fqdn
search: 'threat-actor--0ac5c1db-8ad6-54b8-b4b9-c32fc738c54a'
attribution:
- APT1
wildcard_md5_by_actor:
summary: An example showing how to search for an actor indicator by
a wildcard with a partial MD5 hash.
value:
limit: 10
sort_by:
- first_seen
filters:
- md5
search: 'threat-actor--0ac5c1db-8ad6-54b8-b4b9-c32fc738c54a'
attribution:
- APT33
'/v4/malware/{malware_id}/indicators':
get:
summary: List of Indicators for a given Malware
description: Returns the list of Indicators for a given Malware.
tags:
- Malware Endpoints
parameters:
- required: true
schema:
type: string
in: path
description: The ID of the malware.
name: malware_id
- example: 10
schema:
type: integer
in: query
description: >-
The numbers of items to return. If not specified, defaults to TEN
(10).
name: limit
- example: 0
schema:
type: integer
in: query
description: >-
The number of items to skip before starting to collect the result set.
If not specified, defaults to ZERO (0).
name: offset
responses:
'200':
description: >-
A set of indicators associated with a given malware matching the
requested pattern.
content:
application/json:
schema:
$ref: '#/components/schemas/MalwareIndicator'
examples:
Freemium Response:
value:
indicator_count:
total: 4
hash: 0
url: 0
fqdn: 4
ipv4: 0
email: 0
name: 008S
indicators:
- first_seen: "2020-03-26T23:47:00.000Z"
last_seen: "2020-03-26T23:47:00.000Z"
mscore: 97
- name: 008S
id: "malware--81f821d1-4ec9-534d-8dc7-53da47e5074a"
type: malware
id: "fqdn--c71acb9e-f76f-522a-9778-284f0f86828c"
type: "fqdn"
value: "www.microsoft.https443.org"
'401':
'403':
operationId: get_malware_indicators
post:
summary: Malware Indicator Search
description: Searches for a particular indicator for a specific piece of
malware.
tags:
- Malware Endpoints
parameters:
- required: true
schema:
type: string
in: path
description: The ID of the malware.
name: malware_id
responses:
'200':
description: A set of indicators associated with a given malware
content:
application/json:
schema:
$ref: '#/components/schemas/MalwareIndicator'
'401':
'403':
operationId: post_malware_indicators
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/IndicatorSearchFilter'
examples:
Freemium Response:
value:
indicator_count:
total: 0
hash: 0
url: 0
fqdn: 0
ipv4: 0
email: 0
name: 008S
indicators: []
'/v4/indicator':
get:
summary: Get Indicator Context
description: Gets context about an indicator.
tags:
parameters:
- example: threat
schema:
type: string
in: query
description: >-
This parameter accepts a search term that will look for the data.
Wildcards are not supported
name: value
- example: 1619103171
schema:
type: integer
in: query
description: >-
This is the time to define the start the time range to load of the
data.
name: start_epoch
- example: 1626111718
schema:
type: integer
in: query
description: This is the time to define the end the time range to load of
the data.
name: end_epoch
- example: "gte_mscore=70"
schema:
type: string
in: query
description: >-
"greater_than_equal_mscore: define the mininum mscore to return in the
indicator response."
name: gte_mscore
- example: "exclude_osint=true"
schema:
type: string
in: query
description: >-
"Exclude OSINT indicators, by default this is false."
name: exclude_osint
- example: >-
DnF1ZXJ5VGhlbkZldGNoFQAAAAAEsN3MFjV0M1kyNEp0UVIyUk41YnBSVFB6WFEAAAAABLDd1RY1dDNZMjR
KdFFSMlJONWJ==
schema:
type: string
in: query
description: >-
This is the pointer to the next set of values to be returned and is
contained in the payload.
name: next
- example: '1000'
schema:
type: integer
in: query
description: >-
The numbers of items to return. This number cannot be greater than
1000If not specified, defaults to ONE THOUSAND (1000).
name: limit
responses:
'200':
description: Detail about indicators
content:
application/json:
schema:
$ref: '#/components/schemas/IndicatorContext'
'401':
'403':
operationId: get_indicator_context
post:
summary: Get Multiple Indicator Contexts
description: >-
Gets indicator information for multiple contexts based on the passed in
query.
tags:
parameters:
responses:
'200':
description: Detail about indicators
content:
application/json:
schema:
$ref: '#/components/schemas/IndicatorContext'
'401':
'403':
operationId: post_indicator_context
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/IndicatorSearch'
examples:
search:
summary: A search for indicators.
value:
limit: 10
offset: 0
requests:
- values:
- 192.168.0.1
'/v4/indicator/{indicator_id}':
get:
summary: Get Indicator Information
description: Detail about a specific Indicator
tags:
parameters:
- required: true
example: fqdn--be5cbd2e-d09b-566d-bd2e-491c9fd1ba2e
schema:
type: string
in: path
description: The ID of the Indicator.
name: indicator_id
responses:
'200':
description: Detail about a specific Indicator.
content:
application/json:
schema:
$ref: '#/components/schemas/indicator'
examples:
fusion_1:
value:
first_seen: '2020-01-01T00:00:00.000Z'
last_seen: '2020-01-01T00:00:00.000Z'
sources:
- first_seen: '2020-01-01T00:00:00.000+0000'
last_seen: '2020-01-01T00:00:00.000+0000'
osint: false
category: [ ]
source_name: bp_ip_pdns
mscore: 72
misp:
covid: false
eicar.com: false
majestic_million: false
alexa: false
sinkholes: false
cisco_top1000: false
microsoft: false
microsoft-office365: false
googlebot: false
microsoft-attack-simulator: false
microsoft-azure: false
rfc5735: false
tranco10k: false
dax30: false
public-dns-v4: false
public-dns-v6: false
crl-ip-hostname: false
covid-19-cyber-threat-coalition-whitelist: false
common-ioc-False-positive: false
google-gmail-sending-ips: false
google: false
cloudflare: false
moz-top500: false
tlds: false
tranco: false
university_domains: false
cisco_top20k: false
empty-hashes: false
amazon-aws: false
url-shortener: false
microsoft-office365-ip: false
microsoft-win10-connection-endpoints: false
mozilla-CA: false
microsoft-office365-cn: false
whats-my-ip: false
vpn-ipv6: false
rfc3849: false
rfc6761: false
security-provider-blogpost: false
cisco_top5k: false
public-dns-hostname: false
mozilla-IntermediateCA: false
rfc1918: false
ti-Falsepositives: false
akamai: false
bank-website: false
automated-malware-analysis: false
rfc6598: false
google-gcp: false
multicast: false
ovh-cluster: false
phone_numbers: false
fastly: false
cisco_top10k: false
second-level-tlds: false
wikimedia: false
disposable-email: false
common-contact-emails: false
vpn-ipv4: false
ipv6-linklocal: false
covid-19-krassi-whitelist: false
id: fqdn--be5cbd2e-d09b-566d-bd2e-491c9fd1ba2e
type: fqdn
value:
hostmaster.hostmaster.hostmaster.hostmaster.hostmaster.hostmaster.hostmaster.hostma
ster.hostmaster.hostmaster.hostmaster.553hefug4bj46fygyr.mail.unicredit.su
'204':
'400':
'401':
'403':
'/v4/vulnerability':
get:
summary: Get All Vulnerabilities
description: |-
Gets a list of all vulnerabilities.
tags:
- Vulnerability Endpoints
parameters:
- example: 1619103171
schema:
type: integer
in: query
description: >-
This is the time to define the start the time range to load of the
data.
name: start_epoch
- example: 1626111718
schema:
type: integer
in: query
description: This is the time to define the end the time range to load of
the data.
name: end_epoch
- example: >-
DnF1ZXJ5VGhlbkZldGNoFQAAAAAEsN3MFjV0M1kyNEp0UVIyUk41YnBSVFB6WFEAAAAABLDd1RY1dDNZMjR
KdFFSMlJONWJ==
schema:
type: string
in: query
description: >-
This is the pointer to the next set of values to be returned and is
contained in the payload.
name: next
- example: 50
schema:
type: integer
in: query
description: >-
The numbers of items to return. This number cannot be greater than
1000. If not specified, defaults to FIFTY (50).
name: limit
responses:
'200':
description: All vulnerabilities.
content:
application/json:
schema:
$ref: '#/components/schemas/vulnerability-get-all'
examples:
Response:
value:
vulnerability:
- risk_rating: "MEDIUM"
description: "A vulnerability exists within the ANGLE
component in Chrome."
cve_id: "CVE-2021-30604"
exploitation_state: "No Known"
observed_in_the_wild: false
vulnerable_cpes:
- vendor_name: "google"
technology_name: "chrome 92.0.4515.131"
cpe:
"cpe:2.3:a:google:chrome:92.0.4515.131:*:*:*:*:*:*:*"
cpe_title: "google chrome 92.0.4515.131"
- vendor_name: "freebsd"
technology_name: "freebsd 12.0"
cpe: "cpe:2.3:o:freebsd:freebsd:12.0:*:*:*:*:*:*:*"
cpe_title: "freebsd freebsd 12.0"
was_zero_day: false
publish_date: "2021-09-04T13:58:00.000Z"
sources:
- source_name: "FreeBSD Project"
source_description: "128deba6-ff56-11eb-8514-
3065ec8fd3ec"
date: "2021-08-17T17:00:00.000Z"
url: "https://vuxml.freebsd.org/freebsd/128deba6-ff56-
11eb-8514-3065ec8fd3ec.html"
unique_id: "128deba6-ff56-11eb-8514-3065ec8fd3ec"
- source_name: "openSUSE Project"
source_description: "openSUSE-SU-2021:1172-1"
date: "2021-08-21T12:00:00.000Z"
url:
"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/
thread/A6WKS2BLZ2TY63ZSCC2NAODDOSDSPKTN/"
unique_id: "openSUSE-SU-2021:1172-1"
id: "vulnerability--3d1ac31c-5405-5510-9be0-31e6519f4129"
common_vulnerability_scores:
v2.0:
access_vector: "NETWORK"
access_complexity: "MEDIUM"
authentication: "NONE"
confidentiality_impact: "COMPLETE"
integrity_impact: "COMPLETE"
availability_impact: "COMPLETE"
exploitability: "UNPROVEN"
remediation_level: "OFFICIAL_FIX"
report_confidence: "CONFIRMED"
base_score: 9.3
temporal_score: 6.9
vector_string:
"AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C"
v3.1:
attack_complexity: "LOW"
base_score: 8.8
vector_string:
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
integrity_impact: "HIGH"
attack_vector: "NETWORK"
privileges_required: "NONE"
availability_impact: "HIGH"
temporal_score: 7.7
exploit_code_maturity: "UNPROVEN"
user_interaction: "REQUIRED"
scope: "UNCHANGED"
confidentiality_impact: "HIGH"
- risk_rating: "MEDIUM"
description: "A vulnerability exists within the printing
component in Chrome."
cve_id: "CVE-2021-30600"
vulnerable_cpes:
- vendor_name: "google"
technology_name: "chrome 92.0.4515.131"
cpe:
"cpe:2.3:a:google:chrome:92.0.4515.131:*:*:*:*:*:*:*"
cpe_title: "google chrome 92.0.4515.131"
- vendor_name: "opensuse"
technology_name: "backports *"
cpe:
"cpe:2.3:a:opensuse:backports:*:*:*:*:*:suse_linux_enterprise_15_sp3:*:*"
cpe_title: "opensuse backports *"
was_zero_day: false
publish_date: "2021-09-04T13:58:00.000Z"
sources:
- source_name: "FreeBSD Project"
source_description: "128deba6-ff56-11eb-8514-
3065ec8fd3ec"
date: "2021-08-17T17:00:00.000Z"
url: "https://vuxml.freebsd.org/freebsd/128deba6-ff56-
11eb-8514-3065ec8fd3ec.html"
unique_id: "128deba6-ff56-11eb-8514-3065ec8fd3ec"
- source_name: "openSUSE Project"
source_description: "openSUSE-SU-2021:1172-1"
date: "2021-08-21T12:00:00.000Z"
url:
"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/
thread/A6WKS2BLZ2TY63ZSCC2NAODDOSDSPKTN/"
unique_id: "openSUSE-SU-2021:1172-1"
id: "vulnerability--c5ec5623-b628-51d7-8909-7c329fa04c68"
v2.0:
access_vector: "NETWORK"
access_complexity: "MEDIUM"
authentication: "NONE"
confidentiality_impact: "COMPLETE"
integrity_impact: "COMPLETE"
availability_impact: "COMPLETE"
exploitability: "UNPROVEN"
base_score: 9.3
temporal_score: 6.9
vector_string:
"AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C"
v3.1:
attack_complexity: "LOW"
base_score: 8.8
vector_string:
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
integrity_impact: "HIGH"
attack_vector: "NETWORK"
privileges_required: "NONE"
availability_impact: "HIGH"
temporal_score: 7.7
exploit_code_maturity: "UNPROVEN"
user_interaction: "REQUIRED"
scope: "UNCHANGED"
confidentiality_impact: "HIGH"
'204':
'400':
'401':
'403':
'/v4/vulnerability/{vulnerability_id}':
get:
summary: Get Vulnerability by ID
description: |-
Gets information about a specific vulnerability by ID or CVE
tags:
parameters:
- example: vulnerability--011fccb4-f75c-5eba-9bc1-73edf9c56cb5
schema:
type: string
in: path
description: The ID of the vulnerability or the CVE to retrieve.
name: vulnerability_id
required: true
responses:
'200':
description: Requested vulnerability.
content:
application/json:
schema:
$ref: '#/components/schemas/vulnerability-info'
examples:
Freemium Response:
value:
risk_rating: MEDIUM
analysis: "An attacker could exploit this vulnerability to
impersonate other users. An attacker would need to authenticate with a vulnerable
device and send it a specially crafted HTTP request. Mandiant Threat
Intelligence considers this a Medium-risk vulnerability because of the potential to
enable impersonation of an administrator, offset by the authentication required for
exploitation."
executive_summary: "An improper input validation
vulnerability exists within the web-based management interface in Cisco Small
Business WAP125 firmware 1.0.3.1 and earlier that, when exploited, allows an
authenticated attacker to remotely impersonate other users. Exploit code is not
publicly available. Mitigation options include a vendor fix."
description: "A vulnerability exists within the web-based
management interface in Small Business WAP125 firmware because it does not
properly validate data within incoming HTTP requests."
exploitation_vectors:
- "General Network Connectivity"
title: "Cisco Small Business WAP125 1.0.3.1 Web-Based
Management Interface Improper Input Validation Vulnerability"
exploitation_consequence: "Security Bypass"
cwe: "Input Validation"
cve_id: "CVE-2021-1400"
vulnerable_products: "The following vendors/products have been
reported as vulnerable:\n<ul>\n<li>Cisco Systems Inc.: WAP125 Wireless-AC
Dual Band Desktop Access Point with PoE firmware 1.0.3.1 and earlier; WAP131
Wireless-N Dual Radio Access Point with PoE 1 firmware 1.0.2.17 and earlier; WAP150
Wireless-AC/N Dual Radio Access Point with PoE firmware 1.1.2.4 and earlier; WAP351
Wireless-N Dual Radio Access Point with 5-Port Switch1 firmware 1.0.2.17 and
earlier; WAP361 Wireless-AC/N Dual Radio Wall Plate Access Point with PoE firmware
1.1.2.4 and earlier; WAP581 Wireless-AC Dual Radio Wave 2 Access Point with 2.5GbE
LAN firmware 1.0.3.1 and earlier"
vendor_fix_references:
- url:
"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-
wap-multi-ZAfKGXhF"
name: "Cisco Small Business WAP (cisco-sa-sb-wap-multi-
ZAfKGXhF) Security Update Information"
date_of_disclosure: "2021-05-05T06:00:00.000Z"
vulnerable_cpes:
- vendor_name: cisco
technology_name: "wap125 1.0.3.1"
cpe: "cpe:2.3:o:cisco:wap125:1.0.3.1:*:*:*:*:*:*:*"
cpe_title: "cisco wap125 1.0.3.1"
was_zero_day: false
workarounds: null
publish_date: "2021-06-14T11:43:00.000Z"
available_mitigation:
- Patch
sources:
- source_name: "Cisco Systems Inc."
source_description: Oracle Critical Patch Update Advisory -
October 2012
date: "2021-05-05T16:00:00.000Z"
url:
"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-
wap-multi-ZAfKGXhF"
exploits: []
id: "vulnerability--011fccb4-f75c-5eba-9bc1-73edf9c56cb5"
v2.0:
access_vector: NETWORK
access_complexity: LOW
authentication: SINGLE
confidentiality_impact: COMPLETE
integrity_impact: COMPLETE
availability_impact: COMPLETE
exploitability: UNPROVEN
remediation_level: OFFICIAL_FIX
report_confidence: CONFIRMED
base_score: 9.0
temporal_score: 6.7
vector_string: "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C"
associated_actors: []
associated_malware: []
'204':
'400':
'401':
'403':
'/v4/vulnerability/{vulnerability_id}/{assoc_field}':
get:
summary: Get Associated Vulnerability Information by ID
description: |-
Gets an associated field by a specific vulnerability.
tags:
parameters:
- example: vulnerability--011fccb4-f75c-5eba-9bc1-73edf9c56cb5
schema:
type: string
in: path
description: The ID of the vulnerability or the CVE to retrieve.
name: vulnerability_id
required: true
- required: true
example: actors
schema:
type: string
enum:
- actors
- malware
in: path
description: The associated field to retrieve.
name: assoc_field
responses:
'200':
description: Associated field requested.
content:
application/json:
schema:
$ref: '#/components/schemas/vulnerability-assoc-fields'
examples:
Freemium Response:
value:
description: "A vulnerability exists within the web-based
management interface in Small Business WAP125 firmware because it does not
properly validate data within incoming HTTP requests."
id: "vulnerability--011fccb4-f75c-5eba-9bc1-73edf9c56cb5"
associated_actors: []
'204':
'400':
'401':
'403':
'/v4/vulnerability/vocab':
get:
summary: Get Vulnerability Vocab
description: |-
Gets the vocabulary associated with vulnerabilities.
tags:
parameters:
responses:
'200':
description: Vocabulary associated with vulnerabilities.
content:
application/json:
schema:
$ref: '#/components/schemas/vulnerability-vocab'
examples:
freemium_1:
value:
exploitation_state:
- No Known
- Available
- Confirmed
- Anticipated
- Wide
risk_rating:
- LOW
- MEDIUM
- HIGH
- CRITICAL
- NOT EVALUATED
exploitation_consequence:
- Code Execution
- Denial-of-Service (DoS)
- Information Disclosure
- Security Bypass
- Command Execution
- Data Manipulation
- Data Loss
- Sandbox Escape
- Escalation of Privileges
- Patch
- Unavailable
- Workaround
- Firewall
- Intrusion Prevention Signatures
- Anti-virus Signatures
- Web
- General Network Connectivity
- Local Access
- Email
- File Share
- Open Port
- Local Network Access
- Physical Access
'204':
'400':
'401':
'403':
components:
schemas:
TokenBody:
title: TokenBody
type: object
properties:
grant_type:
type: string
scope:
type: string
example:
grant_type: 'client_credentials'
scope: '1234'
AttackPattern:
title: AttackPattern
type: object
properties:
id:
type: string
attribution_scope:
$ref: '#/components/schemas/AttributionScope'
sub_techniques:
$ref: '#/components/schemas/AttackPattern'
error:
type: object
title: Error Message
description: 'The error message is provided by TAXII Servers in the response
body when returning an HTTP error status and contains more information describing
the error, including a human-readable title and description , an error_code and
error_id , and a details structure to capture further structured information about
the error. All of the properties are application-specific, and clients shouldn''t
assume consistent meaning across TAXII Servers even if the codes, IDs, or titles
are the same.'
ActorAttackPatterns:
title: ActorAttackPatterns
type: object
properties:
threat-actors:
type: array
items:
$ref: '#/components/schemas/AttackPatternSummary'
attack-patterns:
type: object
additionalProperties:
$ref: '#/components/schemas/AttackPatternDescription'
AttackPatternSummary:
title: AttackPatternSummary
type: object
properties:
id:
type: string
name:
type: string
attack-patterns:
type: object
type: array
items:
$ref: '#/components/schemas/AttackPattern'
AttackPatternDescription:
title: AttackPatternDescription
type: object
properties:
id:
type: string
name:
type: string
description:
type: string
attack_pattern_identifier:
type: string
created:
type: string
format: date-time
modified:
type: string
format: date-time
x_mitre_is_subtechnique:
type: boolean
AttributionScope:
title: AttributionScope
type: string
description: The confidence level attributed to this mapping.
enum:
- confirmed
- suspected
- possible
Indicator:
title: Indicator
type: object
required:
- id
- type
properties:
id:
type: string
example: fqdn--c71acb9e-f76f-522a-9778-284f0f86828c
name:
type: string
type:
$ref: '#/components/schemas/IndicatorType'
value:
type: string
first_seen:
type: string
format: date-time
last_seen:
type: string
format: date-time
mscore:
type: integer
description: ml model confidence score
minimum: 0
maximum: 100
type: array
items:
$ref: '#/components/schemas/Indicator'
sources:
type: array
items:
$ref: '#/components/schemas/IndicatorSource'
misp:
type: object
type: boolean
IndicatorContext:
title: IndicatorContext
type: object
properties:
indicators:
type: array
items:
IDList:
title: IDList
type: object
required:
- ids
properties:
ids:
type: array
items:
type: string
MalwareAttackPatterns:
title: MalwareAttackPatterns
type: object
properties:
malware:
type: array
items:
$ref: '#/components/schemas/AttackPatternSummary'
attack-patterns:
type: object
$ref: '#/components/schemas/AttackPatternDescription'
MalwareVocab:
title: MalwareVocab
type: object
properties:
malware_role:
type: array
items:
type: string
malware_capabilities:
type: array
items:
type: string
malware_os:
type: array
items:
type: string
IndicatorSearchFilter:
title: IndicatorSearchFilter
type: object
properties:
limit:
type: integer
offset:
type: integer
sort_order:
type: string
enum:
- asc
- desc
sort_by:
oneOf:
- type: string
enum:
- first_seen
- last_seen
- type
- value
- mscore
- type: array
items:
type: string
enum:
- first_seen
- last_seen
- type
- value
- mscore
filters:
oneOf:
- type: array
items:
type: string
enum:
- fqdn
- url
- email
- ipv4
- md5
- sha1
- sha256
attribution:
oneOf:
- type: string
- type: array
items:
type: string
search:
type: string
IndicatorSource:
title: IndicatorSource
type: object
properties:
source_name:
type: string
category:
type: array
items:
type: string
first_seen:
type: string
format: date-time
last_seen:
type: string
format: date-time
osint:
type: boolean
IndicatorType:
title: IndicatorType
type: string
enum:
- ipv4
- ipv6
- fqdn
- hash
- url
- md5
- sha1
- sha256
- email
- mscore
endpoints-report-response:
title: Represents list of reports present in the system.
type: object
properties:
reports:
type: array
items:
type: object
allOf:
- $ref: '#/components/schemas/object-common-properties'
- type: object
properties:
name:
type: string
description:
type: string
report_type:
type: array
items:
type: string
next:
type: string
endpoints-actor-id-response:
title: All the details for the object along with related information.
type: object
allOf:
- $ref: '#/components/schemas/actor'
- $ref: '#/components/schemas/related-all-objects'
endpoints-malware-id-response:
type: object
allOf:
- $ref: '#/components/schemas/malware-legacy'
endpoints-attack-pattern-id-response:
type: object
allOf:
- $ref: '#/components/schemas/attack-pattern'
endpoints-malware-summary-response:
title: Malware summary response.
type: object
allOf:
- $ref: '#/components/schemas/malware-legacy'
related-all-objects:
title: related objects response formatting.
type: object
allOf:
- $ref: '#/components/schemas/iocs'
- $ref: '#/components/schemas/malwares'
- $ref: '#/components/schemas/locations'
- $ref: '#/components/schemas/industries'
- $ref: '#/components/schemas/campaigns'
- $ref: '#/components/schemas/attack-patterns'
- $ref: '#/components/schemas/actors'
- $ref: '#/components/schemas/tools'
- $ref: '#/components/schemas/softwares'
- $ref: '#/components/schemas/infrastructures'
- $ref: '#/components/schemas/vulnerabilities'
- $ref: '#/components/schemas/intrusion-sets'
- $ref: '#/components/schemas/socket-addrs'
- $ref: '#/components/schemas/network-traffics'
- $ref: '#/components/schemas/windows-registry-keys'
- $ref: '#/components/schemas/course-of-actions'
- $ref: '#/components/schemas/reports'
iocs:
type: object
properties:
iocs:
type: object
allOf:
- $ref: '#/components/schemas/indicators'
- $ref: '#/components/schemas/hashes'
- $ref: '#/components/schemas/domains'
- $ref: '#/components/schemas/urls'
- $ref: '#/components/schemas/ips'
- $ref: '#/components/schemas/emails'
malwares:
type: object
properties:
malwares:
type: array
items:
$ref: '#/components/schemas/malware-legacy'
MalwareIndicator:
title: MalwareIndicator
description: Information About Malware Indicators
type: object
required:
- id
- indicator_count
properties:
id:
type: string
name:
type: string
indicator_count:
$ref: '#/components/schemas/IndicatorCounts'
indicators:
type: array
items:
locations:
type: object
properties:
locations:
type: object
properties:
source:
type: array
items:
$ref: '#/components/schemas/location'
target:
type: array
items:
unknown:
type: array
items:
industries:
type: object
properties:
industries:
type: array
items:
$ref: '#/components/schemas/identity'
campaigns:
type: object
properties:
campaigns:
type: array
items:
$ref: '#/components/schemas/campaign'
attack-patterns:
type: object
properties:
attack-patterns:
type: object
properties:
Initial Access:
type: array
items:
Execution:
type: array
items:
Persistence:
type: array
items:
Privilege Escalation:
type: array
items:
Defense Evasion:
type: array
items:
Credential Access:
type: array
items:
Discovery:
type: array
items:
Lateral Movement:
type: array
items:
Collection:
type: array
items:
Exfiltration:
type: array
items:
Command and Control:
type: array
items:
Impact:
type: array
items:
actors:
type: object
properties:
actors:
type: array
items:
$ref: '#/components/schemas/actor'
tools:
type: object
properties:
tools:
type: array
items:
$ref: '#/components/schemas/tool'
softwares:
type: object
properties:
softwares:
type: array
items:
$ref: '#/components/schemas/software'
infrastructures:
type: object
properties:
infrastructures:
type: array
items:
$ref: '#/components/schemas/infrastructure'
vulnerabilities:
type: object
properties:
cve:
type: array
items:
$ref: '#/components/schemas/vulnerability'
intrusion-sets:
type: object
properties:
intrusion-sets:
type: array
items:
$ref: '#/components/schemas/intrusion-set'
socket-addrs:
type: object
properties:
socket-addrs:
type: array
items:
$ref: '#/components/schemas/socket-addr'
network-traffics:
type: object
properties:
network-traffics:
type: array
items:
$ref: '#/components/schemas/network-traffic'
windows-registry-keys:
type: object
properties:
windows-registry-keys:
type: array
items:
$ref: '#/components/schemas/windows-registry-key'
course-of-actions:
type: object
properties:
course-of-actions:
type: array
items:
$ref: '#/components/schemas/course-of-action'
reports:
type: object
properties:
reports:
type: array
items:
$ref: '#/components/schemas/report'
indicators:
type: object
properties:
indicators:
type: array
items:
$ref: '#/components/schemas/indicator-legacy'
hashes:
type: object
properties:
hashes:
type: array
items:
$ref: '#/components/schemas/file'
domains:
type: object
properties:
domains:
type: array
items:
$ref: '#/components/schemas/domain'
urls:
type: object
properties:
urls:
type: array
items:
$ref: '#/components/schemas/url'
ips:
type: object
properties:
ips:
type: array
items:
$ref: '#/components/schemas/ipv4'
emails:
type: object
properties:
emails:
type: array
items:
$ref: '#/components/schemas/email'
indicator-legacy:
type: object
allOf:
- $ref: '#/components/schemas/indicator-specific-properties'
indicator:
type: object
required:
- id
- type
properties:
id:
type: string
example: fqdn--c71acb9e-f76f-522a-9778-284f0f86828c
name:
type: string
type:
$ref: '#/components/schemas/indicator-type'
value:
type: string
first_seen:
type: string
format: date-time
last_seen:
type: string
format: date-time
mscore:
type: integer
description: ml model confidence score
minimum: 0
maximum: 100
type: array
items:
sources:
type: array
items:
$ref: '#/components/schemas/indicator-source'
vt_last_analysis_stats:
type: object
properties:
malicious:
type: integer
undetected:
type: integer
suspicious:
type: integer
harmless:
type: integer
timeout:
type: integer
misp:
type: object
type: boolean
indicator-type:
type: string
enum:
- ipv4
- ipv6
- fqdn
- hash
- url
- md5
- sha1
- sha256
- email
- mscore
indicator-source:
type: object
properties:
source_name:
type: string
category:
type: array
items:
type: string
first_seen:
type: string
format: date-time
last_seen:
type: string
format: date-time
osint:
type: boolean
indicator-counts:
type: object
properties:
total:
type: integer
hash:
type: integer
url:
type: integer
fqdn:
type: integer
ipv4:
type: integer
email:
type: integer
IndicatorCounts:
title: IndicatorCounts
type: object
properties:
total:
type: integer
hash:
type: integer
url:
type: integer
fqdn:
type: integer
ipv4:
type: integer
email:
type: integer
IndicatorSearch:
title: IndicatorSearch
type: object
properties:
limit:
type: integer
offset:
type: integer
requests:
type: array
items:
type: object
properties:
values:
type: array
description: a wildcard search query to search indicator values
items:
type: string
actor-indicator:
description: Information About Actor Indicators
type: object
required:
- id
- indicator_count
properties:
id:
type: string
example: threat-actor--bf9da649-f617-5464-9442-93e69cb80aa9
name:
type: string
indicator_count:
$ref: '#/components/schemas/indicator-counts'
indicators:
type: array
items:
indicator-search-filter:
type: object
properties:
limit:
type: integer
offset:
type: integer
sort_order:
type: string
enum:
- asc
- desc
sort_by:
oneOf:
- type: string
enum:
- first_seen
- last_seen
- type
- value
- mscore
- type: array
items:
type: string
enum:
- first_seen
- last_seen
- type
- value
- mscore
filters:
oneOf:
- type: string
enum:
- fqdn
- url
- email
- ipv4
- md5
- sha1
- sha256
- type: array
items:
type: string
enum:
- fqdn
- url
- email
- ipv4
- md5
- sha1
- sha256
attribution:
oneOf:
- type: string
- type: array
items:
type: string
search:
type: string
vulnerability-get-all:
description: Get all vulnerabilities.
type: object
properties:
vulnerability:
type: array
items:
type: object
properties:
id:
type: string
was_zero_day:
type: boolean
description:
type: string
nullable: true
cve_id:
type: string
risk_rating:
type: string
nullable: true
observed_in_the_wild:
type: boolean
exploitation_state:
type: string
nullable: true
publish_date:
type: string
format: date-time
sources:
type: array
items:
type: object
properties:
date:
type: string
url:
type: string
source_name:
type: string
source_description:
type: string
unique_id:
type: string
vulnerable_cpes:
type: array
items:
type: object
properties:
cpe:
type: string
technology_name:
type: string
cpe_title:
type: string
vendor_name:
type: string
type: object
properties:
v2.0:
type: object
properties:
access_complexity:
type: string
temporal_score:
type: number
confidentiality_impact:
type: string
report_confidence:
type: string
base_score:
type: number
access_vector:
type: string
vector_string:
type: string
integrity_impact:
type: string
availability_impact:
type: string
remediation_level:
type: string
authentication:
type: string
exploitability:
type: string
v3.1:
type: object
properties:
attack_complexity:
type: string
base_score:
type: number
vector_string:
type: string
integrity_impact:
type: string
report_confidence:
type: string
attack_vector:
type: string
privileges_required:
type: string
type: string
temporal_score:
type: number
exploit_code_maturity:
type: string
user_interaction:
type: string
scope:
type: string
type: string
remediation_level:
type: string
total_count:
type: string
next:
type: string
vulnerability-info:
description: Information about a vulnerability.
type: object
properties:
id:
type: string
title:
type: string
type: array
items:
type: string
was_zero_day:
type: boolean
analysis:
type: string
nullable: true
description:
type: string
nullable: true
executive_summary:
type: string
cve_id:
type: string
ease_of_attack:
type: string
risk_rating:
type: string
observed_in_the_wild:
type: boolean
type: string
cwe:
type: string
exploitation_state:
type: string
nullable: true
date_of_disclosure:
type: string
format: date-time
publish_date:
type: string
format: date-time
vulnerability_type:
type: string
vulnerable_products:
type: string
mitigation_notes:
type: string
workarounds:
type: string
type: array
items:
type: string
sources:
type: array
items:
type: object
properties:
url:
type: string
sensitive:
type: boolean
source_name:
type: string
exploits:
type: array
items:
type: object
properties:
exploit_url:
type: string
replication_url:
type: string
name:
type: string
release_date:
type: string
format: date-time
description:
type: string
reliability:
type: string
file_size:
type: integer
md5:
type: string
vulnerable_cpes:
type: array
items:
type: object
properties:
cpe:
type: string
technology_name:
type: string
cpe_title:
type: string
vendor_name:
type: string
vendor_fix_references:
type: array
items:
type: object
properties:
url:
type: string
name:
type: string
type: object
properties:
v2.0:
type: object
properties:
access_complexity:
type: string
temporal_score:
type: number
type: string
report_confidence:
type: string
base_score:
type: number
access_vector:
type: string
vector_string:
type: string
integrity_impact:
type: string
type: string
remediation_level:
type: string
authentication:
type: string
exploitability:
type: string
associated_actors:
type: array
items:
$ref: '#/components/schemas/actor-dashboard'
associated_malware:
type: array
items:
$ref: '#/components/schemas/malware-dashboard'
vulnerability-assoc-fields:
type: object
properties:
id:
type: string
associated_actors:
type: array
items:
$ref: '#/components/schemas/actor-dashboard'
associated_malware:
type: array
items:
$ref: '#/components/schemas/malware-dashboard'
vulnerability-vocab:
type: object
properties:
type: array
items:
type: string
exploitation_state:
type: array
items:
type: string
type: array
items:
type: string
type: array
items:
type: string
risk_rating:
type: array
items:
type: string
primary-object:
description: A set of properties common to many objects.
type: object
required:
- id
- name
properties:
id:
type: string
name:
type: string
description:
type: string
created:
type: string
format: date-time
last_updated:
type: string
format: date-time
last_activity_time:
type: string
format: date-time
attribution-scope:
type: string
description: The confidence level attributed to this mapping.
enum:
- confirmed
- suspected
- possible
alias:
type: object
properties:
name:
type: string
attribution_scope:
$ref: '#/components/schemas/attribution-scope'
industry:
type: object
properties:
id:
type: string
name:
type: string
malware:
type: object
properties:
id:
type: string
name:
type: string
attribution_scope:
source:
type: object
properties:
region:
$ref: '#/components/schemas/source-location'
sub_region:
$ref: '#/components/schemas/source-location'
country:
$ref: '#/components/schemas/country'
source-location:
type: object
properties:
id:
type: string
name:
type: string
attribution_scope:
target:
type: object
properties:
id:
type: string
name:
type: string
iso2:
type: string
capability:
type: object
properties:
name:
type: string
description:
type: string
country:
type: object
properties:
id:
type: string
name:
type: string
iso2:
type: string
actor-dashboard:
allOf:
- $ref: '#/components/schemas/primary-object'
- type: object
properties:
aliases:
oneOf:
- type: array
items:
$ref: '#/components/schemas/alias'
target_industries:
oneOf:
- type: array
items:
$ref: '#/components/schemas/industry'
malware:
oneOf:
- type: array
items:
$ref: '#/components/schemas/malware'
target_locations:
type: array
items:
$ref: '#/components/schemas/source'
source_locations:
type: array
items:
$ref: '#/components/schemas/target'
malware-dashboard:
allOf:
- $ref: '#/components/schemas/primary-object'
- type: object
properties:
operating_systems:
type: array
items:
type: string
aliases:
oneOf:
- type: array
items:
$ref: '#/components/schemas/alias'
capabilities:
oneOf:
- type: array
items:
$ref: '#/components/schemas/capability'
target_industries:
oneOf:
- type: array
items:
$ref: '#/components/schemas/industry'
roles:
oneOf:
- type: array
items:
type: string
has_yara:
type: boolean
file:
type: object
allOf:
- $ref: '#/components/schemas/file-specific-properties'
domain:
type: object
allOf:
- $ref: '#/components/schemas/domain-specific-properties'
url:
type: object
allOf:
- $ref: '#/components/schemas/url-specific-properties'
ipv4:
type: object
allOf:
- $ref: '#/components/schemas/ipv4-specific-properties'
email:
type: object
allOf:
- $ref: '#/components/schemas/email-specific-properties'
malware-legacy:
type: object
allOf:
- $ref: '#/components/schemas/malware-specific-properties'
location:
type: object
allOf:
- $ref: '#/components/schemas/location-specific-properties'
identity:
type: object
allOf:
- $ref: '#/components/schemas/identity-specific-properties'
campaign:
type: object
allOf:
- $ref: '#/components/schemas/campaign-specific-properties'
attack-pattern:
type: object
allOf:
- $ref: '#/components/schemas/attack-pattern-specific-properties'
actor:
type: object
allOf:
- $ref: '#/components/schemas/actor-specific-properties'
tool:
type: object
allOf:
- $ref: '#/components/schemas/tool-specific-properties'
software:
type: object
allOf:
- $ref: '#/components/schemas/software-specific-properties'
infrastructure:
type: object
allOf:
- $ref: '#/components/schemas/infrastructure-specific-properties'
vulnerability:
type: object
allOf:
- $ref: '#/components/schemas/vulnerability-specific-properties'
intrusion-set:
type: object
allOf:
- $ref: '#/components/schemas/intrusion-set-specific-properties'
socket-addr:
type: object
allOf:
- $ref: '#/components/schemas/socket-addr-specific-properties'
network-traffic:
type: object
allOf:
- $ref: '#/components/schemas/network-traffic-specific-properties'
windows-registry-key:
type: object
allOf:
- $ref: '#/components/schemas/windows-registry-key-specific-properties'
course-of-action:
type: object
allOf:
- $ref: '#/components/schemas/course-of-action-specific-properties'
report:
type: object
allOf:
- $ref: '#/components/schemas/report-specific-properties'
object-common-properties:
type: object
properties:
id:
type: string
created:
type: string
modified:
type: string
location-specific-properties:
type: object
properties:
name:
type: string
city:
type: string
iso_country_code_2:
type: string
iso_country_code_3:
type: array
items:
type: string
indicator-specific-properties:
type: object
properties:
pattern:
type: string
labels:
type: array
items:
type: string
confidence:
type: integer
malware-specific-properties:
type: object
properties:
description:
type: string
name:
type: string
malware_types:
type: array
items:
type: string
is_family:
type: boolean
label:
type: string
labels:
type: array
items:
type: string
file-specific-properties:
type: object
properties:
name:
type: string
hashes:
type: object
properties:
SHA-256:
type: string
SHA-1:
type: string
MD5:
type: string
full_path:
type: string
size:
type: integer
url-specific-properties:
type: object
properties:
description:
type: string
value:
type: string
ipv4-specific-properties:
type: object
properties:
description:
type: string
value:
type: string
email-specific-properties:
type: object
properties:
from:
type: string
to:
type: array
items:
type: string
received_lines:
type: array
items:
type: string
label:
type: string
subject:
type: string
domain-specific-properties:
type: object
properties:
description:
type: string
value:
type: string
software-specific-properties:
type: object
properties:
name:
type: string
tool-specific-properties:
type: object
properties:
description:
type: string
label:
type: string
labels:
type: array
items:
type: string
tool_types:
type: array
items:
type: string
name:
type: string
attack-pattern-specific-properties:
type: object
properties:
description:
type: string
label:
type: string
labels:
type: array
items:
type: string
attack_pattern_identifier:
type: string
tactic_name:
type: string
name:
type: string
identity-specific-properties:
type: object
properties:
name:
type: string
industry_sectors:
type: array
items:
type: string
infrastructure-specific-properties:
type: object
properties:
name:
type: integer
observable_details:
type: array
items:
type: string
labels:
type: array
items:
type: string
intrusion-set-specific-properties:
type: object
properties:
description:
type: string
labels:
type: array
items:
type: string
name:
type: string
socket-addr-specific-properties:
type: object
properties:
hostname:
type: string
ip_address:
type: string
port:
type: integer
campaign-specific-properties:
type: object
properties:
description:
type: string
label:
type: string
name:
type: string
network-traffic-specific-properties:
type: object
properties:
dst_port:
type: integer
protocols:
type: array
items:
type: string
windows-registry-key-specific-properties:
type: object
properties:
description:
type: string
hive:
type: string
key:
type: string
course-of-action-specific-properties:
type: object
properties:
description:
type: string
name:
type: string
actor-specific-properties:
type: object
properties:
name:
type: string
aliases:
type: array
items:
type: string
description:
type: string
label:
type: string
labels:
type: array
items:
type: string
confidence:
type: integer
vulnerability-specific-properties:
type: object
properties:
name:
type: string
description:
type: string
labels:
type: array
items:
type: string
confidence:
type: integer
report-specific-properties:
type: object
properties:
name:
type: string
description:
type: string
labels:
type: array
items:
type: string
metadata:
type: object
properties:
risk_rating:
type: array
items:
type: string
motivation:
type: array
items:
type: string
report_type:
type: array
items:
type: string
affected_industries:
type: array
items:
type: string
ttp:
type: array
items:
type: string
intended_effect:
type: array
items:
type: string
targeted_information:
type: array
items:
type: string
bad-request-error:
title: Bad request, request parameters invalid
type: object
example:
title: Invalid request parameter(s)
description: This error is caused when the application tries to access data
providing invalid request parameters.
error_id: 'BAD-REQUEST'
error_code: 'BAD-REQUEST-400'
http_status: '400'
bad-request-error-explore-vocab:
title: Bad request, request payload contains more than 5 vocab_keys.
type: object
example:
title: Request payload contains more than 5 vocab_keys
description: This error occurs when more than 5 vocab_keys are passed in
request payload.
error_id: 'BAD-REQUEST'
error_code: 'BAD-REQUEST-400'
http_status: '400'
auth-error:
title: Authentication required
type: object
example:
title: Authentication required, valid authentication token or credentials
required
description: This error is caused when the application tries to access data
without providing authentication credentials
error_id: 'AUTH-REQUIRED'
error_code: 'NO-AUTH-401'
http_status: '401'
supported-auth-mechanism:
Bearer: Valid access token
basic: Valid username password
forbidden-error:
title: Server refuses to authorize the client request.
type: object
example:
title: HTTP/1.1 403 Forbidden
description: This error is caused when the application tries to access the
unauthorized data
error_id: 'FORBIDDEN'
error_code: 'FORBIDDEN-403'
http_status: '403'
request-payload-too-large:
title: Request Payload Too Large
type: object
example:
title: Request payload too large
description: This error occurs when more than 1000 keywords are passed in
request payload.
error_id: 'PAYLOAD-TOO-LARGE'
error_code: 'PAYLOAD-TOO-LARGE-413'
http_status: '413'
no-content:
title: No content.
type: object
example:
message: 'No data found'
enum-related-values:
type: string
enum: [actor, ioc, indicator, file, domain, url, ip, email, report, malware,
industry, attack-pattern, location, tool, course-of-action, socket-addr, network-
traffic, windows-registry-key, campaign, software, intrusion-set, infrastructure,
cve, news]
enum-trend-actor-related-values:
type: string
enum: [malware, cve, region_target, targeting_industries]
enum-trend-malware-related-values:
type: string
enum: [actor, cve, industry]
enum-trend-region-related-values:
type: string
enum: [malware, malware_inbound, malware_outbound, cve, cve_inbound,
cve_outbound, region, region_source, region_target, industry, targeted_industries,
targeting_industries, actor, actors_targeting, actors_located]
common_context:
properties:
name:
type: string
example: Not_Attributed
analysis_conclusion:
$ref: '#/components/schemas/analysis_conclusion'
labels:
type: array
items:
type: string
is_family:
type: boolean
description:
type: string
ip_context:
$ref: '#/components/schemas/ip-context'
hash_context:
$ref: '#/components/schemas/hash-context'
fqdn_context:
$ref: '#/components/schemas/fqdn-context'
email_context:
$ref: '#/components/schemas/email-context'
url_context:
$ref: '#/components/schemas/url-context'
signature_id_context:
$ref: '#/components/schemas/signature-id-context'
signature_context:
$ref: '#/components/schemas/signature-context'
additionalProperties: False
required:
- type
- id
- name
- analysis_conclusion
ip-context:
title: ip
properties:
meta:
type: object
properties:
copyright:
type: string
example:
version: 2.2
copyright: Copyright 2019 FireEye Corp
data:
type: object
type: object
allOf:
- $ref: '#/components/schemas/common_context'
properties:
type:
type: string
example: ipaddr-characterization
id:
type: string
example: ipaddr-characterization--1d8671aa-ac51-356f-aca4-
8e14d26e152e
summary:
type: string
description: 'Source: TSAPI'
example: BISCUIT communicates by a custom protocol, which is then
encrypted using SSL. Once installed, BISCUIT will attempt to beacon to its command
and control (C&C) servers approximately every 10 or 30 minutes. It will beacon to
its primary server first, followed by a secondary server. All communication is
encrypted with SSL (OpenSSL 0.9.8i). Some variants of BISCUIT appear to have the
ability to enumerate information about any Smart Cards that are attached to this
system. The malware can provide information to attackers that includes (but may not
be limited to) the Smart Card Service Provider Module (SCSPM) version, Smart Card
readers attached to the system, and any Smart Cards that are currently inserted
into the system.
location:
type: object
allOf:
- $ref: '#/components/schemas/context-location'
current_asn:
type: string
description: 'Source: Baleen'
example: AS17621 China Unicom Shanghai network
asn:
type: object
properties:
type:
type: string
number:
type: number
id:
type: string
assertions:
type: array
items:
$ref: '#/components/schemas/assertions'
network_subnet:
type: object
properties:
name:
type: string
example: 103.117.20.0/24
prefix:
type: string
example: 24
type:
type: string
example: network-subnet
id:
type: string
example: network-subnet--758704cb-a039-4aeb-a72f-eb00d24e48d5
base_address:
type: string
example: 103.117.20.0
threat_details:
type: object
properties:
exploit_targets:
type: object
properties:
vulnerabilities:
type: array
items:
allOf:
- $ref: '#/components/schemas/context-vulnerabilities'
attack_patterns:
type: array
items:
allOf:
- $ref: '#/components/schemas/attack_patterns'
relationships:
description: 'Source: TEL'
type: array
items:
$ref: '#/components/schemas/relationships'
findings:
type: array
items:
$ref: '#/components/schemas/findings_tel'
type: object
properties:
roles:
type: array
items:
allOf:
- $ref: '#/components/schemas/roles'
identities:
type: array
items:
allOf:
- $ref: '#/components/schemas/identities'
relationships:
type: array
items:
allOf:
- $ref: '#/components/schemas/relationships'
malware_families:
type: array
items:
allOf:
- $ref: '#/components/schemas/malware_families'
threat_actors:
type: array
items:
allOf:
- $ref: '#/components/schemas/threat_actors'
adversary_infrastructure:
type: array
items:
allOf:
- $ref: '#/components/schemas/adversary_infrastructure'
external_references:
description: 'Source: Baleen, TSAPI'
type: array
items:
allOf:
- $ref: '#/components/schemas/external_references'
hash-context:
title: hash
properties:
meta:
type: object
properties:
copyright:
type: string
example:
version: 2.2
copyright: Copyright 2019 FireEye Corp.
data:
type: object
type: object
allOf:
properties:
type:
type: string
example: malware-summary
id:
type: string
example: malware-summary--5214e952-2fda-37f5-8435-c08b33104c5d
detection_conclusion:
type: string
example: malicious
risk_level:
description: 'Source: ATI'
type: string
example: Medium
risk_summary:
type: string
example: "This threat is detected through static or behavioral
heuristic analysis. It is likely that this threat exhibits known traits of
suspicious behaviors and features, or shares code similarities with malware. This
binary has been observed in attacks against the following industries: Service
Provider and Financial Services. This binary has been observed in attacks against
the following countries: Hong Kong and Japan."
samples:
type: array
items:
allOf:
- $ref: '#/components/schemas/samples'
aliases:
type: array
items:
allOf:
- $ref: '#/components/schemas/aliases'
kill_chain_phases:
type: array
items:
allOf:
- $ref: '#/components/schemas/kill_chain_phases'
sample_metadata:
type: object
items:
$ref: '#/components/schemas/sample_metadata'
assertions:
type: array
items:
threat_details:
type: object
properties:
av_classifications:
type: array
items:
allOf:
- $ref: '#/components/schemas/av_classifications_first'
- $ref: '#/components/schemas/av_classifications_second'
capabilities:
type: array
items:
allOf:
- $ref: '#/components/schemas/capabilities'
attack_patterns:
type: array
items:
allOf:
signatures:
type: array
items:
allOf:
- $ref: '#/components/schemas/signatures'
exploit_targets:
type: object
properties:
vulnerabilities:
type: array
items:
allOf:
type: object
properties:
roles:
type: array
items:
allOf:
identities:
type: array
items:
allOf:
relationships:
type: array
items:
allOf:
malware_families:
type: array
items:
allOf:
threat_actors:
description: 'Source: TSAPI, Baleen'
type: array
items:
allOf:
codes:
type: array
items:
allOf:
- $ref: '#/components/schemas/codes'
type: array
items:
allOf:
sighting_summary:
type: object
items:
$ref: '#/components/schemas/sighting_summary'
third_party_context:
type: object
properties:
av_results:
type: array
items:
allOf:
- $ref: '#/components/schemas/av_results'
type: array
items:
allOf:
fqdn-context:
title: fqdn
properties:
meta:
type: object
properties:
copyright:
type: string
example:
version: 2.2
data:
type: object
type: object
allOf:
properties:
type:
type: string
example: domain-summary
id:
type: string
example: domain-summary--1d5920f4-b44b-37a8-82bd-77c4f0536f5a
summary:
type: string
resolves_to:
type: array
items:
allOf:
- $ref: '#/components/schemas/nslookup'
name_servers:
type: array
items:
type: object
properties:
type:
type: string
example: domain-name
base_domain:
type: object
properties:
type:
type: string
example: domain-name
id:
type: string
example: domain-name--01adb336-af00-4a6d-bc74-
be088364e3d8
value:
type: string
example: google.com
value:
type: string
example: ns1.google.com
id:
type: string
example: domain-name--a77a7ee2-a3e9-49f9-a20d-8581f978ffec
threat_details:
type: object
properties:
exploit_targets:
type: object
properties:
vulnerabilities:
type: array
items:
allOf:
relationships:
type: array
items:
$ref: '#/components/schemas/relationships'
findings:
type: array
items:
$ref: '#/components/schemas/findings_tel'
assertions:
type: array
items:
type: object
properties:
roles:
type: array
items:
allOf:
identities:
type: array
items:
allOf:
relationships:
type: array
items:
allOf:
malware_families:
type: array
items:
allOf:
threat_actors:
type: array
items:
allOf:
type: array
items:
allOf:
type: array
items:
allOf:
signature-context:
title: signature
properties:
meta:
type: object
properties:
copyright:
type: string
example:
version: 2.2
data:
type: object
type: object
allOf:
properties:
type:
type: string
example: signature
id:
type: string
example: signature--383c53be-44d2-3cb8-829b-7638a8f6ada9
risk_level:
type: string
risk_summary:
description: 'Source: ATI, TSAPI'
type: string
aliases:
type: array
items:
allOf:
kill_chain_phases:
type: array
items:
allOf:
sample_metadata:
type: object
items:
is_signature_bucket:
description: 'Source: iTRAX'
type: boolean
availability:
type: string
targeted_threat_probability:
type: number
created:
type: string
modified:
type: string
threat_details:
type: object
properties:
attack_patterns:
type: array
items:
allOf:
exploit_targets:
type: object
properties:
vulnerabilities:
type: array
items:
allOf:
sighting_summary:
type: object
items:
type: object
properties:
malware_families:
type: array
items:
allOf:
threat_actors:
type: array
items:
allOf:
type: array
items:
allOf:
signature-id-context:
title: signature-id
properties:
meta:
type: object
properties:
copyright:
type: string
example:
version: 2.2
data:
type: object
type: object
allOf:
properties:
type:
type: string
example: signature-id
id:
type: string
example: signature-id--6c865db6-d3c1-3d4c-b50e-317e29c97b60
risk_level:
type: string
risk_summary:
description: 'Source: ATI, TSAPI'
type: string
aliases:
type: array
items:
allOf:
kill_chain_phases:
type: array
items:
allOf:
sample_metadata:
type: object
items:
threat_details:
type: object
properties:
exploit_targets:
type: object
properties:
vulnerabilities:
type: array
items:
allOf:
type: array
items:
allOf:
sighting_summary:
type: object
items:
email-context:
title: email
properties:
meta:
type: object
properties:
copyright:
type: string
example:
version: 2.2
data:
type: object
type: object
allOf:
properties:
type:
type: string
example: email-summary
id:
type: string
example: email-summary--b5716cac-70b8-3ebb-800f-8197d3eafde2
summary:
type: string
threat_details:
type: object
properties:
exploit_targets:
type: object
properties:
vulnerabilities:
type: array
items:
allOf:
assertions:
type: array
items:
type: object
properties:
roles:
type: array
items:
allOf:
malware_families:
type: array
items:
allOf:
threat_actors:
type: array
items:
allOf:
type: array
items:
allOf:
url-context:
title: url
properties:
meta:
type: object
properties:
copyright:
type: string
example:
version: 2.2
data:
type: object
type: object
allOf:
properties:
type:
type: string
example: url-summary
id:
type: string
example: url-summary--90e0e1a0-65e2-36e7-bda3-702479ca9d41
summary:
type: string
resolves_to:
type: array
items:
allOf:
- $ref: '#/components/schemas/resolves_to'
threat_details:
type: object
properties:
av_classifications:
type: array
items:
allOf:
- $ref: '#/components/schemas/av_classifications_first'
- $ref: '#/components/schemas/av_classifications_second'
findings:
type: array
items:
allOf:
- $ref: '#/components/schemas/findings_gc'
type: object
properties:
malware_families:
type: array
items:
allOf:
threat_actors:
type: array
items:
allOf:
third_party_context:
type: object
properties:
av_results:
type: array
items:
allOf:
- $ref: '#/components/schemas/av_results'
type: array
items:
allOf:
findings_tel:
type: object
properties:
type:
type: string
example: finding
extensions:
type: object
properties:
average-ttl:
type: object
properties:
average-ttl:
type: number
example: 1.00390625
id:
type: string
example: finding--00799a7c-207d-4f04-9472-f4e132688b08
statement:
type: string
example: ASN Ranking
nslookup:
type: object
properties:
type:
type: string
id:
type: string
current_asn:
type: string
location:
type: object
items:
$ref: '#/components/schemas/context-location'
sighting_summary:
type: object
properties:
first_seen:
type: string
format: date-time
example: 2014-01-01
last_seen:
type: string
format: date-time
example: 2015-10-01
count:
type: integer
example: 2900
timeline:
type: object
properties:
2014-01-01:
type: integer
example: 233
2015-08-01:
type: integer
example: 20
2014-08-01:
type: integer
example: 47
2014-12-01:
type: integer
example: 256
segmentations:
type: array
items:
properties:
segment:
type: string
example: industry
subsegments:
type: array
items:
properties:
name:
type: string
example: Other
count:
type: number
example: 1
timeline:
type: object
properties:
2016-05-01:
type: integer
example: 1
av_results:
type: object
properties:
product:
type: string
example: External products
scanned:
type: string
format: date-time
example: 2017-01-08T18:37:58.000000Z
total_malicious:
type: number
example: 53
total_scanned:
type: number
example: 55
required:
- product
- total_malicious
- total_scanned
codes:
type: object
properties:
type:
type: string
example: code
id:
type: string
example: code--bec25b29-e700-3308-9d98-40c6d3745dec
name:
type: string
example: beyondexec
description:
type: string
example: beyondexec overview
required:
- type
- id
signatures:
type: object
properties:
signature_type:
type: string
name:
type: string
example: Trojan.Sality.FEC3
description:
type: string
attack_patterns:
type: object
properties:
type:
type: string
example: attack-pattern
id:
type: string
example: attack-pattern--bb42967a-b5c1-3ee7-a97a-320180c74a00
name:
type: string
example: netops.ssl.cert
title:
type: string
example: netops.ssl.cert
description:
type: string
example: Use of an X-509 certificate for SSL. May apply to the actual
certificate or the IP:Port pair used to serve the certificate
required:
- type
- id
av_classifications_first:
type: object
properties:
id:
type: string
example: av-results-type--dfdfb738-58ef-39c9-819b-65de3ec37c2d
av_vendor:
type: string
example: third-party-1
av_product:
type: string
example: external product
total_malicious:
type: number
example: 55
total_scanned:
type: number
example: 53
first_seen:
type: string
example: 2017-01-08T18:37:58.000000Z
required:
- id
- av_vendor
- av_product
- total_malicious
- total_scanned
av_classifications_second:
type: object
properties:
id:
type: string
example: av-results-type--eb9072b8-00c5-3132-80cb-8bf453ddf091
av_vendor:
type: string
example: VirusTotal
av_product:
type: string
example: Bkav
av_version:
type: string
example: 1.3.0.8455
engine_version:
type: string
example: 2
definition:
type: string
submitted:
type: string
scanned:
type: string
example: 2017-01-07
classification_name:
type: string
example: W32.CrypticB.Trojan
is_detected:
type: boolean
example: true
required:
- id
- av_vendor
- av_product
- is_detected
capabilities:
type: object
properties:
type:
type: string
example: capability
id:
type: string
example: capability--5eb9692b-dabf-3bdc-89c2-e9e7ad78ff53
name:
type: string
example: svc.create
description:
type: string
example: Capable of creating a service or daemon, or uses APIs associated
with service or daemon creation.
required:
- type
- id
sample_metadata:
type: object
description: 'Source: Baleen, ATI'
properties:
type:
type: string
example: PDF document, version 1.1
id:
type: string
hashes:
type: object
properties:
sha256:
type: string
example:
5b9d0d0cf3c657bcf306dba66f74eba50d0d221268776a6d184a8da04314ad36
sha1:
type: string
example: 725b561e0c91987066676353dfc61a3a4de9de4e
size:
type: number
example: 4426
name:
type: string
example: CVE-2008
mime_type:
type: string
example: application/x-dosexec
findings_gc:
type: object
description: 'Source: Global Cache'
properties:
type:
type: string
example: findings
statement:
type: string
example: Phish.LIVE.DTI.URL
extensions:
type: object
properties:
phishtank:
type: object
items:
$ref: '#/components/schemas/phishtank'
phishtank:
type: object
properties:
url:
type: string
example: http://190.107.177.91/~otecaye/chs/
online:
type: string
example: yes
target:
type: string
example: JPMorgan Chase and Co.
details:
type: array
items:
type: object
properties:
rir:
type: string
example: lacnic
country:
type: string
example: CL
cidr_block:
type: string
example: 190.107.177.0/24
ip_address:
type: string
example: 190.107.177.91
detail_time:
type: string
example: 2019-04-30T13:00:24+00:00
announcing_network:
type: string
example: 265813
phish_id:
type: string
example: 6028550
verified:
type: string
example: yes
submission_time:
type: string
example: 2019-04-30T12:58:57+00:00
phish_detail_url:
type: string
example: http://www.phishtank.com/phish_detail.php?phish_id\u003d6028550
verification_time:
type: string
example: 2019-04-30T13:26:18+00:00
resolves_to:
type: object
description: 'Source: Global Cache'
properties:
type:
type: string
example: ipaddr-characterization
ip_address:
type: string
example: 190.107.177.91
current_asn:
type: string
example: 265831
location:
type: object
properties:
region:
type: string
example: lacnic
country:
type: string
example: CL
samples:
type: object
description: 'Source: FAUDE'
properties:
type:
type: string
example: file
hashes:
type: object
properties:
sha256:
type: string
example:
649f06c85b1b9a6ed1d257c21a103e6aa09480706719d86bfb10436654a0b517
MD5:
type: string
example: f7e53e0e3cc7a1fb324fafc73497e527
name:
type: string
example: 138994_1557905923_exe
mime_type:
type: string
example: application/x-executable
kill_chain_phases:
type: object
properties:
kill_chain_name:
type: string
example: generic-attack-lifecycle
phase_name:
type: string
example: delivery
description:
type: array
items:
type: string
example: Web link
required:
- kill_chain_name
- phase_name
- description
context-location:
type: object
properties:
city:
type: string
example: Yukon
region:
type: string
example: Central
country:
type: string
example: CN
asn:
type: string
example: As1621 Quality Technology
context-vulnerabilities:
type: object
properties:
type:
type: string
example: vulnerability
id:
type: string
example: vulnerability--2ad7aa58-0fc3-3382-b3ce-aca1b4f22919
vulnerability_id:
type: string
example: CVE-2017-11882
description:
type: string
example: Detected as containing an exploit of CVE-2017-11882. Microsoft
Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office
2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary
code in the context of the current user by failing to properly handle objects in
memory, aka \"Microsoft Office Memory Corruption Vulnerability\". This CVE ID is
unique from CVE-2017-11884.
url:
type: string
example: https://nvd.nist.gov/vuln/detail/CVE-2017-11882
affectedProducts:
type: array
items:
type: string
remediation:
type: object
items:
$ref: '#/components/schemas/remediation'
required:
- type
- vulnerability_id
remediation:
type: object
properties:
url:
type: string
example: some url
description:
type: string
example:
roles:
type: object
properties:
type:
type: string
example: role
id:
type: string
example: role--dc1d71bb-b5c4-32a5-a936-db79ef10c19f
name:
type: string
example: log
description:
type: string
description: A file used to log any type of data, such as keystrokes, the
output of system commands, or program exceptions.
required:
- type
- id
identities:
type: object
properties:
type:
type: string
example: identity
id:
type: string
example: identity--5dd25cd9-b717-31a8-8d64-edeff8f6356a
identity_class:
type: string
example: Organization
name:
type: string
example: anonine
required:
- type
- id
relationships:
type: object
properties:
type:
type: string
example: relationship
id:
type: string
example: relationship--1a552c80-d7e6-3409-9cbc-15b9c2789eef
source_ref:
type: string
example: identity--5dd25cd9-b717-31a8-8d64-edeff8f6356a
target_ref:
type: string
example: role--56c2183a-4549-31d1-86ee-e2d267c86b0b
relationship_type:
type: string
example: plays-role
required:
- type
- id
- source_ref
- target_ref
- relationship_type
malware_families:
type: object
description: 'Source: TSAPI, iTRAX'
properties:
labels:
type: array
items:
type: string
example: Backdoor
name:
type: object
properties:
value:
type: string
example: NetWire
source:
type: string
example: fireeye-intel
aliases:
type: array
items:
allOf:
description:
type: string
example: NETWIRE is a commercially available remote access tool (RAT)
capable of stealing a large number of account details, keylogged data, system
information, screen captures, remote shell, downloads, reverse proxy and more. It
has previously been sold in various underground venues and is currently available
at worldwiredlabs.com. Due to its commercial availability, NetWire can be used by
anyone.
availability:
type: string
example: Publicly Available
targeted_threat_probability:
type: number
example: 30
created:
type: string
example: 2017-06-14T21:25:00.000000Z
modified:
type: string
example: 2019-02-06T10:26:19.000000Z
required:
- name
threat_actors:
type: object
description: 'Source: Baleen. TSAPI'
properties:
labels:
type: array
items:
type: string
example: unknown
name:
type: string
example: Tailgater
description:
type: string
aliases:
type: array
items:
allOf:
created:
type: string
example: 2017-02-02T23:35:00.000000Z
modified:
type: string
example: 2017-02-02T23:35:00.000000Z
required:
- name
type: object
properties:
type:
type: string
example: infrastructure
id:
type: string
example: infrastructure--04d90fa7-71ad-3b1f-86ec-ad8d25e6d2e0
name:
type: string
example: DNS root server
required:
- type
- id
- name
aliases:
type: object
description: 'Source: TSAPI, ATI'
properties:
value:
type: string
example: NetWire RAT
source:
type: string
required:
- value
- source
analysis_conclusion:
type: string
description: 'Source: Baleen, TSAPI, ATI'
enum: [benign, malicious, suspicious, indeterminate]
required:
- description
assertions:
type: object
properties:
id:
type: string
example: assertion--d6ff2feb-bbef-308b-8e58-f468d9f042d9
statement:
type: string
example: Is in alexa10k
description:
type: string
example:
type: object
properties:
title:
type: string
example: Tailgater Actor Overview
source:
type: string
description:
type: string
example: Details for external references.
external_id:
type: string
example: 17-00001218
url:
type: string
example: https://intelligence.fireeye.com/reports/17-00001218
required:
- source
- title
- url
- external_id
securitySchemes:
BasicAuth:
type: http
scheme: basic
OAuth:
type: oauth2
description: |
FireEye's Intel API uses the [OAuth 2.0 Authorization
Framework](https://tools.ietf.org/html/rfc6749), with the [client credentials]
(https://tools.ietf.org/html/rfc6749#section-4.4) grant to access API endpoints.
Use the public key and private key client credentials to authenticate and receive a
time-limited access token. This is accomplished by making a POST request to the
Intel API /token endpoint, using HTTP Basic Authentication, as described in
[Section 4.4 of RFC 6749](https://tools.ietf.org/html/rfc6749#section-4.4).
If successful, the API responds with a JSON body containing the

access_token, the token_type, and the expiration time expressed in seconds. Unless
the token has been revoked, it may be used until it expires (generally 12 hours),
at which point the client must authenticate to receive a new token.
flows:
clientCredentials:
tokenUrl: https://api.intelligence.fireeye.com/token
scopes:
read: Grant read-only access.
parameters:
parameter-accept-header:
schema:
type: string
default: application/json
in: header
name: Accept
description: Specifies the format in which the client would like the
response.
required: true
parameter-content-type-header:
schema:
type: string
in: header
name: Content-Type
description: Indicates the original media type of the resource.
required: true
parameter-authorization-header:
schema:
type: string
in: header
name: Authorization
description: Access token to all the FireEye Intelligence API endpoints.
required: false
parameter-X-App-Name-header:
schema:
type: string
in: header
name: X-App-Name
description: The FireEye Intel API uses the header variable X-App-Name for
customers and partners to set a user-agent on all of their API calls. This
mandatory field is typically a combination of the customer or partners organization
name, its application name, and its version. A typical customer X-App-Name would be
'indicators.script.xyzcompany.v1.0' or similar. The X-App-Name for customers
should, at a minimum, have the calling organization name and, for partners, it is
required to have the company product name and version of the integration for
troubleshooting purposes.
required: false
parameter-entities-accept-header:
schema:
type: string
example: application/json, application/gzip
in: header
name: Accept
response.
parameter-news-accept-header:
schema:
type: string
in: header
name: Accept
response. application/pdf and text/html is also supported when report_id is
specified in the request parameter.
parameter-news-id-accept-header:
schema:
type: string
example: application/json, application/pdf, text/html
in: header
name: Accept
response.
parameter-api-root-path:
schema:
type: string
name: api-root
in: path
description: Application root.
required: true
parameter-id-path:
schema:
type: string
name: id
in: path
description: Object id for which details are requested.
required: true
parameter-cve-id-path:
schema:
type: string
name: id
in: path
description: Id for which details are requested where id can be cve
identifier or vulnerability object id.
required: true
parameter-related-path:
schema:
$ref: '#/components/schemas/enum-related-values'
name: related
in: path
description: Related parameter to filter specific response block.
required: true
parameter-news-related-path:
schema:
type: string
name: related
in: path
description: Related parameter to give only related reports for news analysis
report.
required: true
parameter-trend-actor-related-path:
schema:
$ref: '#/components/schemas/enum-trend-actor-related-values'
name: related
in: path
required: true
parameter-trend-malware-related-path:
schema:
$ref: '#/components/schemas/enum-trend-malware-related-values'
name: related
in: path
required: true
parameter-trend-region-related-path:
schema:
$ref: '#/components/schemas/enum-trend-region-related-values'
name: related
in: path
required: true
parameter-name-query:
schema:
type: string
in: query
name: name
description: This will list all the objects matching(substring match) with
the queried name.
parameter-added-after-query:
schema:
type: string
in: query
name: added_after
description: This will list all the objects added after queried date. The
supported data format is '%Y-%m-%dT%H:%M:%S.%fZ' along with epoch time.
parameter-sort-by-query:
schema:
type: string
in: query
name: sort_by
description: This will sort objects by field specified in the sort_by. The
supported fields are name, created and modified. The default sorting is by modified
if sort_by query paramter is not specified.
parameter-order-by-query:
schema:
type: string
in: query
name: order_by
description: This will arrange all objects in order specified in the order_by
field. The supported values in order_by field are "asc" and "desc". The default
order is ascending if order_by query paramter is not specified.
parameter-limit-query:
schema:
type: string
in: query
name: limit
description: Limit parameter specifies the number of objects to be return in
response.
parameter-offset-query:
schema:
type: integer
in: query
name: offset
parameter-next-query:
schema:
type: string
in: query
name: next
description: This is the pagination parameter used to retrieve next set of
objects specified in limit parameter otherwise default 500 objects or in last
iteration remaining all objects.
parameter-type-ioc-query:
schema:
type: string
in: query
name: type
description: This will list all the iocs matching(substring match) for the
type specified. Values for type are - indicator, file, domain, url, ip and email.
parameter-type-query:
schema:
type: string
in: query
name: type
description: This will list all the reports matching(substring match) for the
type specified.
parameter-report_id-query:
schema:
type: string
in: query
name: report_id
description: This will list all the reports matching(substring match) for the
report_id specified.
parameter-value-query:
schema:
type: string
in: query
name: value
description: This will list all the objects matching(substring match) with
the queried value.
parameter-title-query:
schema:
type: string
in: query
name: title
description: This will list all the news analysis reports matching(substring
match) with the queried title.
parameter-media_comment-query:
schema:
type: string
in: query
name: media_comment
match) with the queried media_comment.
parameter-media_outlet-query:
schema:
type: string
in: query
name: media_outlet
match) with the queried media_outlet.
parameter-judgment-query:
schema:
type: string
in: query
name: judgment
match) with the queried judgment.
parameter-analyst_comment-query:
schema:
type: string
in: query
name: analyst_comment
match) with the queried analyst_comment.
parameter-related_reports.title-query:
schema:
type: string
in: query
name: related_reports.title
description: This will list all reports for news analysis where title of
related reports matches(substring match) with the queried related_reports.title.
parameter-related_reports.report_id-query:
schema:
type: string
in: query
name: related_reports.report_id
description: This will list all reports for news analysis where report_id of
related reports matches with the queried related_reports.report_id.
parameter-entities-match.type-query:
schema:
type: string
in: query
name: match.type
description: This will list all entities matching with the queried
match.type.
parameter-start_date-query:
schema:
type: string
in: query
name: start_date
description: Starting date of the requested time window of trending stat of a
collection type.
parameter-end_date-query:
schema:
type: string
in: query
name: end_date
description: End date of the requested time window of trending stat of a
collection type.
parameter-industry_sector-query:
schema:
type: string
in: query
name: industry_sector
description: Specifies filtering criteria in terms of industry sector for
trending stat of a collection type.
parameter-region-query:
schema:
type: string
in: query
name: region
description: Specifies filtering criteria in terms of geographical region
(ISO Country code 2 or any of [North America, Americas, MENA, Gulf Cooperation
Council, Africa, Europe, Middle-East]) for trending stat of a collection type.
parameter-count-query:
schema:
type: string
in: query
name: count
description: If count value is 'true' it will return count of related objects
specified by the related parameter.
parameter-trend-actor-start_date-query:
schema:
type: string
in: query
name: start_date
description: Represents earliest date of actor’s activity time period. When
only start date is given, it will give list of actors where start_date falls in the
range of actor’s activity recorded.
parameter-trend-actor-end_date-query:
schema:
type: string
in: query
name: end_date
description: Represents most recent date of actor’s activity time period.
When provided with start_date it would be exact match of start_date and end_date.
parameter-trend-actor-confidence-query:
schema:
type: string
in: query
name: confidence
description: Applies to confidence of the recent activity observed for an
actor. (activity_observation.recent).
parameter-trend-actor-metric_confidence-query:
schema:
type: string
in: query
name: metric_confidence
description: Applies to all the associated object’s metrics confidence. It is
used to filter actors by specified confidence level of the associated/related
metrics data.
parameter-trend-actor-name-query:
schema:
type: string
in: query
name: name
description: To get actor name exactly matching by the given name.
parameter-trend-actor-id-metric_confidence-query:
schema:
type: string
in: query
name: metric_confidence
description: Applies to all the associated object’s metrics confidence. It is
used to filter associated/related metrics data of an actor by specified confidence
level.
parameter-trend-actor-related-start_date-query:
schema:
type: string
in: query
name: start_date
description: Represents start date of metrics of related objects. When only
start date is given, it will give list of related objects where start_date falls in
the range of metrics start_date and end_date period.
parameter-trend-actor-related-end_date-query:
schema:
type: string
in: query
name: end_date
description: Represents end date of metrics of related objects. When provided
with start_date it would be exact match of start_date and end_date.
parameter-trend-actor-related-confidence-query:
schema:
type: string
in: query
name: confidence
description: Applies to confidence of related object’s metrics. Used to
filter related objects by specific confidence level of the metrics.
parameter-trend-region-start_date-query:
schema:
type: string
in: query
name: start_date
description: Represents earliest date of region’s activity time period. When
only start date is given, it will give list of regions where start_date falls in
the range of region’s activity recorded.
parameter-trend-region-end_date-query:
schema:
type: string
in: query
name: end_date
description: Represents most recent date of region’s activity time period.
When provided with start_date it would be exact match of start_date and end_date.
parameter-trend-region-name-query:
schema:
type: string
in: query
name: name
description: To get region name exactly matching by the given name.
parameter-yara-malware-id-query:
schema:
type: string
in: query
name: malware_id
description: Returns yara signature objects which are related with specified
malware id.
parameter-yara-actor-id-query:
schema:
type: string
in: query
name: actor_id
actor id.
parameter-yara-malware-name-query:
schema:
type: string
in: query
name: malware_name
malware name.
parameter-yara-actor-name-query:
schema:
type: string
in: query
name: actor_name
actor name.
parameter-yara-hash-query:
schema:
type: string
in: query
name: hash
hash value.
parameter-yara-count-query:
schema:
type: string
in: query
name: count
description: If count value is 'true' it will return count of yara signature
objects which are related with object specified by the other query parameter.
parameter-length-query:
schema:
type: integer
in: query
name: limit
description: Specifies the maximum number of objects to include in a page. If
not specified, the default value is 50. Maximum value is 1000.
responses:
response-204:
description: No content
content:
application/json:
schema:
$ref: '#/components/schemas/no-content'
response-400:
description: Bad request - Accept header supplied is invalid.
headers:
Content-Type:
schema:
type: string
description: Accept header is invalid.
content:
application/json:
schema:
$ref: '#/components/schemas/bad-request-error'
response-400-explore-vocab:
description: Bad request - Accept header supplied is invalid or request body
contains more than 5 vocab_keys.
headers:
Content-Type:
schema:
type: string
description: Accept header is invalid or request payload contains more
than 5 vocab_keys.
content:
application/json:
schema:
anyOf:
- $ref: '#/components/schemas/bad-request-error'
- $ref: '#/components/schemas/bad-request-error-explore-vocab'
response-401:
description: Unauthorized - The client needs to authenticate or the
credentials supplied are invalid.
headers:
Content-Type:
schema:
type: string
description: Authentication token is missing or invalid OR access
key/secret key is invalid.
content:
application/json:
schema:
$ref: '#/components/schemas/auth-error'
response-403:
description: Forbidden - The client does not have access to this endpoint
data
headers:
Content-Type:
schema:
type: string
content:
application/json:
schema:
$ref: '#/components/schemas/forbidden-error'
response-413:
description: Request Payload Too Large - More than 1000 keywords are passed
in request payload.
headers:
Content-Type:
schema:
type: string
content:
application/json:
schema:
$ref: '#/components/schemas/request-payload-too-large'

V 4 Apidocs

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

V 4 Apidocs

Uploaded by

Copyright:

Available Formats

openapi: 3.0.

If successful, the API responds with a JSON body containing the

You might also like