/threat_indicators

This API call searches for indicators of compromise stored in ThreatExchange. You can search by free text, by type, or for all indicators in a specific time window. Combinations of these query types are also allowed.

Parameters

The following query parameters are available (bold parameters are required):

  • access_token - The key for authenticating to the API. It is a concatenation of <your-app-id>|<your-app-secret>. For example, if our app ID was 555 and our app secret aSdF123GhK, our access_token would be "555|aSdF123GhK".
  • limit - Defines the maximum size of a page of results. The maximum is 1,000.
  • text - Freeform text field with a value to search for. This can be a file hash or a string found in other fields of the objects.
  • sort_order - A given SortOrderType
  • sort_by - Sort results by RELEVANCE or by CREATE_TIME. When sorting by RELEVANCE, your query will return results sorted by similarity against your text query.
  • strict_text - When set to 'true', the API will not do approximate matching on the value in text
  • threat_type - The broad threat type the indicator is associated with (see ThreatTypes)
  • type - The type of indicators to search for (see IndicatorTypes)
  • since - Returns indicators collected after a timestamp
  • until - Returns indicators collected before a timestamp
  • fields - A list of fields to return in the response

Example query for all malicious IP addresses that are proxies:

https://graph.facebook.com/v2.7/threat_indicators?access_token=555|aSdF123GhK&type=IP_ADDRESS&text=proxy

The data returned by this API call changed in Platform version 2.4. Data returned in Platform v2.3:

{
  "data": [
    {
      "added_on": "2015-02-25T14:46:37+0000", 
      "confidence": 50, 
      "description": "Localhost IP", 
      "indicator": "127.0.0.1", 
      "severity": "INFO", 
      "share_level": "GREEN", 
      "status": "NON_MALICIOUS", 
      "type": "IP_ADDRESS", 
      "threat_types": [
        "MALICIOUS_IP"
      ], 
      "id": "804745332940593"
    }
  ], 
  "paging": {
    "cursors": {
      "before": "MA==", 
      "after": "MA=="
    }
  }
}

Data returned in Platform v2.4 and above:

{
  "data": [
    {
      "indicator": "77.2.132.202",
      "type": "IP_ADDRESS",
      "id": "675010235935327"
    },
    ...
  ],
  "paging": {
    "cursors": {
      "before": "MAZDZD",
      "after": "MjQZD"
    },
    "next": "https://graph.facebook.com/v2.7/threat_indicators?access_token=555|1234&pretty=0&text=proxy&type=IP_ADDRESS&limit=25&after=MjQZD"
  }
}

The same query using cURL:

curl -i -X GET \
 "https://graph.facebook.com/v2.7/threat_indicators?type=IP_ADDRESS&text=proxy&access_token=555%7C1234"

The same query in Python:

import json
import requests

app_id = '555' # Replace this with your app ID
app_secret = '1234' # Replace this with your app secret
type_ = 'IP_ADDRESS'
text = 'proxy'

# requests URL-encodes the parameters, including the '|' in the access token
query_params = {
    'access_token': app_id + '|' + app_secret,
    'type': type_,
    'text': text,
}

r = requests.get('https://graph.facebook.com/v2.7/threat_indicators',
                 params=query_params, timeout=30)
r.raise_for_status()

# The response body is JSON, so parse it as JSON rather than as a Python literal
print(json.dumps(r.json(), sort_keys=True, indent=4, separators=(',', ': ')))

The same query in Java:

import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLEncoder;
import java.util.Scanner;

public class ThreatIndicators {

    public static void main(String[] args) throws Exception {
        String url = "https://graph.facebook.com/v2.7/threat_indicators?";
        String appID = "5555"; // Replace this with your app ID
        String appSecret = "12345"; // Replace this with your app secret
        String type = "IP_ADDRESS";
        String text = "proxy";

        // URL-encode each value; the '|' in the access token must not be sent raw
        String query = String.format("access_token=%s&type=%s&text=%s",
                URLEncoder.encode(appID + "|" + appSecret, "UTF-8"),
                URLEncoder.encode(type, "UTF-8"),
                URLEncoder.encode(text, "UTF-8")
                );
        URLConnection connection = new URL(url + query).openConnection();
        // try-with-resources closes the stream even if reading fails
        try (InputStream response = connection.getInputStream()) {
            System.out.print(convertStreamToString(response));
        }
    }

    static String convertStreamToString(InputStream inputStream) {
        // "\\A" matches the start of input, so next() returns the whole stream
        Scanner scanner = new Scanner(inputStream, "UTF-8").useDelimiter("\\A");
        return scanner.hasNext() ? scanner.next() : "";
    }

}

The same query in PHP:

<?php
  $appID = "555"; // Replace this with your AppID
  $appSecret = "1234"; // Replace this with your App Secret
  $type = 'IP_ADDRESS';
  $text = 'proxy';
  $access_token = $appID . "|" . $appSecret;

  // http_build_query URL-encodes each value, including the '|' in the token
  $query = http_build_query(array(
    'access_token' => $access_token,
    'type' => $type,
    'text' => $text,
  ));

  $ch = curl_init();
  curl_setopt($ch, CURLOPT_URL,
    "https://graph.facebook.com/v2.7/threat_indicators?" . $query);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  $response = curl_exec($ch);
  $json = json_encode(json_decode($response), JSON_PRETTY_PRINT);
  print($json . PHP_EOL);
  curl_close($ch);
?>
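
Consuming the paged v2.4+ response shown earlier, as an added example that is not part of the original documentation: it follows the "after" cursor until the page no longer carries "next", and masks the access_token that the "next" URL embeds before that URL is logged. The sample pages, fake_fetch, redact_token, iter_indicators and collect are constructed for illustration, and the code assumes the last page omits paging.next.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample pages in the v2.4+ response shape shown above.
# Keys are the "after" cursor sent with the request (None = first page).
SAMPLE_PAGES = {
    None: {
        "data": [
            {"indicator": "192.0.2.10", "type": "IP_ADDRESS", "id": "1001"},
            {"indicator": "192.0.2.11", "type": "IP_ADDRESS", "id": "1002"},
        ],
        "paging": {
            "cursors": {"before": "AAA", "after": "BBB"},
            "next": "https://graph.facebook.com/v2.7/threat_indicators"
                    "?access_token=555|1234&text=proxy&type=IP_ADDRESS&limit=2&after=BBB",
        },
    },
    "BBB": {
        "data": [{"indicator": "192.0.2.12", "type": "IP_ADDRESS", "id": "1003"}],
        "paging": {"cursors": {"before": "BBB", "after": "CCC"}},
    },
}

def fake_fetch(params):
    """Stand-in for the HTTP GET; returns the constructed page for the cursor."""
    return SAMPLE_PAGES[params.get("after")]

def redact_token(url):
    """Mask access_token in a URL (such as paging.next) before it is logged."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "access_token" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def iter_indicators(fetch, params, max_pages=100):
    """Yield every indicator, following the 'after' cursor while 'next' exists."""
    params = dict(params)               # do not mutate the caller's dict
    for _ in range(max_pages):          # bound the loop against a repeating cursor
        page = fetch(params)
        yield from page.get("data", [])
        paging = page.get("paging", {})
        if "next" not in paging:        # assumption: last page has no 'next'
            return
        params["after"] = paging["cursors"]["after"]

def collect(params):
    """Return the indicator values from all pages of the constructed data."""
    return [row["indicator"] for row in iter_indicators(fake_fetch, params)]
```

To run this against the live API, replace fake_fetch with a function that issues the GET with the given parameters and returns the parsed JSON body.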