Victims

Victims are used to describe a specific organization or group that has been targeted or whose assets have been exploited.

Filtering Victims

This section provides the available filters which can be used when retrieving Victims from ThreatConnect.

Supported API Filters

API filters use the API filtering feature to limit the result set returned from the API.

Filter Value Type Description
add_id() int Filter Victims by ID.
add_adversary_id() int Filter Victims on associated Adversary ID.
add_campaign_id() int Filter Victims on associated Campaign ID.
add_document_id() int Filter Victims on associated Document ID.
add_email_id() int Filter Victims on associated Email ID.
add_incident_id() int Filter Victims on associated Incident ID.
add_indicator() str Filter Victims on associated Indicator.
add_owner() list or str Filter Victims on Owner.
add_security_label() str Filter Victims on applied Security Label.
add_signature_id() int Filter Victims on associated Signature ID.
add_tag() str Filter Victims on applied Tag.
add_task_id() int Filter Victims on associated Task ID.
add_threat_id() int Filter Victims on associated Threat ID.

Supported Post Filters

Post filters are applied on the results returned by the API request.

Filter Value Type Description
add_pf_name() str Filter Victims on name.
add_pf_date_added() str Filter Victims on date added.

Retrieve Victims

Retrieving a Single Victim

The example below demonstrates how to retrieve a specific Victim Resource from the ThreatConnect platform:

# replace the line below with the standard, TC script heading described here:
# https://docs.threatconnect.com/en/latest/python/quick_start.html#standard-script-heading
...

tc = ThreatConnect(api_access_id, api_secret_key, api_default_org, api_base_url)

# instantiate Victims object
victims = tc.victims()

owner = 'Example Community'
victim_id = 123456

# set a filter to retrieve the Victim with the id: 123456
filter1 = victims.add_filter()
filter1.add_owner(owner)
filter1.add_id(victim_id)

try:
    # retrieve the Victim
    victims.retrieve()
except RuntimeError as e:
    print('Error: {0}'.format(e))
    sys.exit(1)

try:
    # prove there is only one Victim retrieved
    assert len(victims) == 1
except AssertionError as e:
    # if the Victim doesn't exist in the given owner, raise an error
    print('AssertionError: The victim with ID {0} was not found in the "{1}" owner. '.format(victim_id, owner) +
          'Try changing the `owner` variable to the name of an owner in your instance of ThreatConnect ' +
          'and/or set the `victim_id` variable to the ID of a Victim that exists in the given owner.')
    sys.exit(1)

# if the Victim was found, print some information about it
for victim in victims:
    print(victim.id)
    print(victim.name)
    print(victim.nationality)
    print(victim.org)
    print(victim.suborg)
    print(victim.work_location)
    print(victim.weblink)
    print('')

Note

If you get an AssertionError when running this code, you likely need to change the name of the owner variable so that it is the name of an owner in your instance of ThreatConnect and/or you need to change the victim_id variable so that it is the ID of a Victim that exists in the given owner.

For details on how to retrieve victim assets, refer to the Victim Asset retrieval section.

Retrieving Multiple Victims

The example below demonstrates how to retrieve multiple Victim Resources from the ThreatConnect platform:

# replace the line below with the standard, TC script heading described here:
# https://docs.threatconnect.com/en/latest/python/quick_start.html#standard-script-heading
...

tc = ThreatConnect(api_access_id, api_secret_key, api_default_org, api_base_url)

# instantiate Victims object
victims = tc.victims()

owner = 'Example Community'

# set a filter to retrieve all Victims from the given owner that have the tag: 'Example'
filter1 = victims.add_filter()
filter1.add_owner(owner)
filter1.add_tag('Example')

try:
    # retrieve the Victims
    victims.retrieve()
except RuntimeError as e:
    print('Error: {0}'.format(e))
    sys.exit(1)

# iterate through the retrieved Victims and print their properties
for victim in victims:
    print(victim.id)
    print(victim.name)
    print(victim.nationality)
    print(victim.org)
    print(victim.suborg)
    print(victim.work_location)
    print(victim.weblink)
    print('')

Create Victims

The example below demonstrates how to create a Victim Resource in the ThreatConnect platform:

# replace the line below with the standard, TC script heading described here:
# https://docs.threatconnect.com/en/latest/python/quick_start.html#standard-script-heading
...

tc = ThreatConnect(api_access_id, api_secret_key, api_default_org, api_base_url)

# instantiate Victims object
victims = tc.victims()

owner = 'Example Community'

# create a new victim named 'Robin Scherbatsky' in the given owner
victim = victims.add('Robin Scherbatsky', owner)

try:
    # create the Victim
    victim.commit()
except RuntimeError as e:
    print('Error: {0}'.format(e))
    sys.exit(1)

Note

In the prior example, no API calls are made until the commit() method is invoked.

Update Victims

The example below demonstrates how to update a Victim Resource in the ThreatConnect platform:

# replace the line below with the standard, TC script heading described here:
# https://docs.threatconnect.com/en/latest/python/quick_start.html#standard-script-heading
...

tc = ThreatConnect(api_access_id, api_secret_key, api_default_org, api_base_url)

# instantiate Victims object
victims = tc.victims()

owner = 'Example Community'

# create a Victim object with the name: 'Updated Victim'
victim = victims.add('Updated Victim', owner)

# set the id of the new Victim object to that of an existing Victim
victim.set_id(123456)

# you can update the Victim metadata as described here: https://docs.threatconnect.com/en/latest/python/python_sdk.html#group-metadata

try:
    # this will change the name of the Victim with id 123456 to: 'Updated Victim'
    victim.commit()
except RuntimeError as e:
    print('Error: {0}'.format(e))
    sys.exit(1)

Note

In the prior example, no API calls are made until the commit() method is invoked.

Delete Victims

The example below demonstrates how to delete a Victim Resource from the ThreatConnect platform:

# replace the line below with the standard, TC script heading described here:
# https://docs.threatconnect.com/en/latest/python/quick_start.html#standard-script-heading
...

tc = ThreatConnect(api_access_id, api_secret_key, api_default_org, api_base_url)

# instantiate Victims object
victims = tc.victims()

owner = 'Example Community'

# create an empty Victim object
victim = victims.add('', owner)

# set the id of the empty Victim object to the id of an existing Victim to delete
victim.set_id(123456)

try:
    # delete the Victim
    victim.delete()
except RuntimeError as e:
    print(e)
    sys.exit(1)

Note

In the prior example, no API calls are made until the delete() method is invoked.

Victim Metadata

Victim Associations

Retrieve Victim Associations

The code snippet below demonstrates how to view Groups and Indicators which are associated with a given Victim in ThreatConnect. This example assumes there is a Victim with an ID of 123456 in the target owner. To test this code snippet, change the victim_id variable.

Note

It is not possible to associate an Indicator directly with a Victim in ThreatConnect. The code below returns Indicators that share a Group association with the given Victim. In the image below, the Victim and Indicator are not directly associated, but are both associated with the same Group. Therefore, the Indicator would be returned when iterating through victim.indicator_associations.

Victim to Indicator Associations
# replace the line below with the standard, TC script heading described here:
# https://docs.threatconnect.com/en/latest/python/quick_start.html#standard-script-heading
...

tc = ThreatConnect(api_access_id, api_secret_key, api_default_org, api_base_url)

# define the ID of the victim we would like to retrieve
victim_id = 123456

# create a victims object
victims = tc.victims()

# set a filter to retrieve the victim with the id: 123456
filter1 = victims.add_filter()
filter1.add_id(victim_id)

try:
    # retrieve the Victims
    victims.retrieve()
except RuntimeError as e:
    print('Error: {0}'.format(e))
    sys.exit(1)

# iterate through the Victims
for victim in victims:
    print(victim.name)

    # iterate through all associated groups
    for associated_group in victim.group_associations:
        # print details about the associated group
        print(associated_group.id)
        print(associated_group.name)
        print(associated_group.resource_type)
        print(associated_group.owner_name)
        print(associated_group.date_added)
        print(associated_group.weblink)
        print('')

    # iterate through all associated indicators
    for associated_indicator in victim.indicator_associations:
        # print details about the associated indicator
        print(associated_indicator.id)
        print(associated_indicator.indicator)
        print(associated_indicator.type)
        print(associated_indicator.description)
        print(associated_indicator.owner_name)
        print(associated_indicator.rating)
        print(associated_indicator.confidence)
        print(associated_indicator.date_added)
        print(associated_indicator.last_modified)
        print(associated_indicator.weblink)
        print('')

Note

When the group_associations and indicator_associations properties are referenced, an API request is immediately invoked.

Create Victim Associations

The code snippet below demonstrates how to create an association between a Victim and another Group in ThreatConnect. This example assumes there is a Victim with an ID of 123456 and an Incident with an ID of 654321 in the target owner. To test this code snippet, change the victim_id and incident_id variables.

from threatconnect.Config.ResourceType import ResourceType

# replace the line below with the standard, TC script heading described here:
# https://docs.threatconnect.com/en/latest/python/quick_start.html#standard-script-heading
...

tc = ThreatConnect(api_access_id, api_secret_key, api_default_org, api_base_url)

# define the ID of the victim we would like to retrieve
victim_id = 123456
# define the ID of the incident we would like to associate with the victim
incident_id = 654321

# create a victims object
victims = tc.victims()

# set a filter to retrieve the victim with the id: 123456
filter1 = victims.add_filter()
filter1.add_id(victim_id)

try:
    # retrieve the Victims
    victims.retrieve()
except RuntimeError as e:
    print('Error: {0}'.format(e))
    sys.exit(1)

# iterate through the Victims
for victim in victims:
    print(victim.name)

    # create an association between this victim and the incident
    victim.associate_group(ResourceType.INCIDENTS, incident_id)

    # commit the changes to ThreatConnect
    victim.commit()

Note

In the prior example, no API calls are made until the commit() method is invoked.

Delete Victim Associations

The code snippet below demonstrates how to remove an association between a Victim and another Group. This example assumes there is a Victim with an ID of 123456 and an Incident with an ID of 654321 in the target owner. To test this code snippet, change the victim_id and incident_id variables.

from threatconnect.Config.ResourceType import ResourceType

# replace the line below with the standard, TC script heading described here:
# https://docs.threatconnect.com/en/latest/python/quick_start.html#standard-script-heading
...

tc = ThreatConnect(api_access_id, api_secret_key, api_default_org, api_base_url)

# define the ID of the victim we would like to retrieve
victim_id = 123456
# define the ID of the incident we would like to disassociate from the victim
incident_id = 654321

# create a victims object
victims = tc.victims()

# set a filter to retrieve the victim with the id: 123456
filter1 = victims.add_filter()
filter1.add_id(victim_id)

try:
    # retrieve the Victims
    victims.retrieve()
except RuntimeError as e:
    print('Error: {0}'.format(e))
    sys.exit(1)

# iterate through the Victims
for victim in victims:
    print(victim.name)

    # remove the association between this victim and the incident
    victim.disassociate_group(ResourceType.INCIDENTS, incident_id)

    # commit the changes to ThreatConnect
    victim.commit()

Note

In the prior example, no API calls are made until the commit() method is invoked.

Victim Attributes

Retrieve Victim Attributes

The code snippet below demonstrates how to retrieve the attributes from a Victim. This example assumes there is a Victim with an ID of 123456 in the target owner. To test this code snippet, change the victim_id variable to the ID of a victim in your owner.

# replace the line below with the standard, TC script heading described here:
# https://docs.threatconnect.com/en/latest/python/quick_start.html#standard-script-heading
...

tc = ThreatConnect(api_access_id, api_secret_key, api_default_org, api_base_url)

# define the ID of the victim we would like to retrieve
victim_id = 123456

# create a victims object
victims = tc.victims()

# set a filter to retrieve the victim with the id: 123456
filter1 = victims.add_filter()
filter1.add_id(victim_id)

try:
    # retrieve the Victims
    victims.retrieve()
except RuntimeError as e:
    print('Error: {0}'.format(e))
    sys.exit(1)

# iterate through the Victims
for victim in victims:
    print(victim.name)

    # load the victim's attributes
    victim.load_attributes()

    for attribute in victim.attributes:
        print(attribute.id)
        print(attribute.type)
        print(attribute.value)
        print(attribute.date_added)
        print(attribute.last_modified)
        print(attribute.displayed)
        print('')

Create Victim Attributes

The code snippet below demonstrates how to create an attribute on a Victim. This example assumes there is a Victim with an ID of 123456 in the target owner. To test this code snippet, change the victim_id variable to the ID of a victim in your owner.

# replace the line below with the standard, TC script heading described here:
# https://docs.threatconnect.com/en/latest/python/quick_start.html#standard-script-heading
...

tc = ThreatConnect(api_access_id, api_secret_key, api_default_org, api_base_url)

# define the ID of the victim we would like to retrieve
victim_id = 123456

# create a victims object
victims = tc.victims()

# set a filter to retrieve the victim with the id: 123456
filter1 = victims.add_filter()
filter1.add_id(victim_id)

try:
    # retrieve the Victims
    victims.retrieve()
except RuntimeError as e:
    print('Error: {0}'.format(e))
    sys.exit(1)

# iterate through the Victims
for victim in victims:
    print(victim.name)

    # add a description attribute that is displayed at the top of the victim's page in ThreatConnect
    victim.add_attribute('Description', 'Description Example', True)

    # add a description attribute that is not displayed at the top of the victim's page in ThreatConnect
    victim.add_attribute('Description', 'Description Example')

    # commit the changes
    victim.commit()

Note

In the prior example, no API calls are made until the commit() method is invoked.

Update Victim Attributes

The code snippet below demonstrates how to update a Victim’s attribute. This example assumes there is a Victim with an ID of 123456 in the target owner. To test this code snippet, change the victim_id variable to the ID of a victim in your owner.

# replace the line below with the standard, TC script heading described here:
# https://docs.threatconnect.com/en/latest/python/quick_start.html#standard-script-heading
...

tc = ThreatConnect(api_access_id, api_secret_key, api_default_org, api_base_url)

# define the ID of the victim we would like to retrieve
victim_id = 123456

# create a victims object
victims = tc.victims()

# set a filter to retrieve the victim with the id: 123456
filter1 = victims.add_filter()
filter1.add_id(victim_id)

try:
    # retrieve the Victims
    victims.retrieve()
except RuntimeError as e:
    print('Error: {0}'.format(e))
    sys.exit(1)

# iterate through the Victims
for victim in victims:
    print(victim.name)

    # load the victim's attributes
    victim.load_attributes()

    # iterate through the victim's attributes
    for attribute in victim.attributes:
        print(attribute.id)

        # if the current attribute is a description attribute, update the value of the description
        if attribute.type == 'Description':
            victim.update_attribute(attribute.id, 'Updated Description')

    # commit the changes
    victim.commit()

Note

In the prior example, no API calls are made until the commit() method is invoked.

Delete Victim Attributes

The code snippet below demonstrates how to delete a Victim’s attribute. This example assumes there is a Victim with an ID of 123456 in the target owner. To test this code snippet, change the victim_id variable to the ID of a victim in your owner.

# replace the line below with the standard, TC script heading described here:
# https://docs.threatconnect.com/en/latest/python/quick_start.html#standard-script-heading
...

tc = ThreatConnect(api_access_id, api_secret_key, api_default_org, api_base_url)

# define the ID of the victim we would like to retrieve
victim_id = 123456

# create a victims object
victims = tc.victims()

# set a filter to retrieve the victim with the id: 123456
filter1 = victims.add_filter()
filter1.add_id(victim_id)

try:
    # retrieve the Victims
    victims.retrieve()
except RuntimeError as e:
    print('Error: {0}'.format(e))
    sys.exit(1)

# iterate through the Victims
for victim in victims:
    print(victim.name)

    # load the victim's attributes
    victim.load_attributes()

    # iterate through the victim's attributes
    for attribute in victim.attributes:
        print(attribute.id)

        # if the current attribute is a description attribute, delete it
        if attribute.type == 'Description':
            victim.delete_attribute(attribute.id)

    # commit the changes
    victim.commit()

Note

In the prior example, no API calls are made until the commit() method is invoked.

Victim Security Labels

Retrieve Victim Security Labels

The code snippet below demonstrates how to retrieve the security label from a Victim. This example assumes there is a Victim with an ID of 123456 in the target owner. To test this code snippet, change the victim_id variable to the ID of a victim in your owner.

# replace the line below with the standard, TC script heading described here:
# https://docs.threatconnect.com/en/latest/python/quick_start.html#standard-script-heading
...

tc = ThreatConnect(api_access_id, api_secret_key, api_default_org, api_base_url)

# define the ID of the victim we would like to retrieve
victim_id = 123456

# create a victims object
victims = tc.victims()

# set a filter to retrieve the victim with the id: 123456
filter1 = victims.add_filter()
filter1.add_id(victim_id)

try:
    # retrieve the Victims
    victims.retrieve()
except RuntimeError as e:
    print('Error: {0}'.format(e))
    sys.exit(1)

# iterate through the Victims
for victim in victims:
    print(victim.name)

    # load the victim's security label
    victim.load_security_label()

    # if this victim has a security label, print some information about the sec. label
    if victim.security_label is not None:
        print(victim.security_label.name)
        print(victim.security_label.description)
        print(victim.security_label.date_added)
        print('')

Warning

Currently, the ThreatConnect Python SDK does not support multiple security labels. If a Victim has multiple security labels, the Python SDK will only return one of them.

Create Victim Security Labels

The code snippet below demonstrates how to add a security label to a Victim. This example assumes there is a Victim with an ID of 123456 in the target owner. To test this code snippet, change the victim_id variable to the ID of a victim in your owner.

# replace the line below with the standard, TC script heading described here:
# https://docs.threatconnect.com/en/latest/python/quick_start.html#standard-script-heading
...

tc = ThreatConnect(api_access_id, api_secret_key, api_default_org, api_base_url)

# define the ID of the victim we would like to retrieve
victim_id = 123456

# create a victims object
victims = tc.victims()

# set a filter to retrieve the victim with the id: 123456
filter1 = victims.add_filter()
filter1.add_id(victim_id)

try:
    # retrieve the Victims
    victims.retrieve()
except RuntimeError as e:
    print('Error: {0}'.format(e))
    sys.exit(1)

# iterate through the Victims
for victim in victims:
    print(victim.name)

    # add the 'TLP Green' label to the victim
    victim.add_security_label('TLP Green')

    # commit the victim with the new security label to ThreatConnect
    victim.commit()

Note

In the prior example, no API calls are made until the commit() method is invoked.

Delete Victim Security Labels

The code snippet below demonstrates how to delete a security label from a Victim. This example assumes there is a Victim with an ID of 123456 in the target owner. To test this code snippet, change the victim_id variable to the ID of a victim in your owner.

# replace the line below with the standard, TC script heading described here:
# https://docs.threatconnect.com/en/latest/python/quick_start.html#standard-script-heading
...

tc = ThreatConnect(api_access_id, api_secret_key, api_default_org, api_base_url)

# define the ID of the victim we would like to retrieve
victim_id = 123456

# create a victims object
victims = tc.victims()

# set a filter to retrieve the victim with the id: 123456
filter1 = victims.add_filter()
filter1.add_id(victim_id)

try:
    # retrieve the Victims
    victims.retrieve()
except RuntimeError as e:
    print('Error: {0}'.format(e))
    sys.exit(1)

# iterate through the Victims
for victim in victims:
    print(victim.name)

    # remove the 'TLP Green' label from the victim
    victim.delete_security_label('TLP Green')

    # commit the victim with the removed security label to ThreatConnect
    victim.commit()

Note

In the prior example, no API calls are made until the commit() method is invoked.

Victim Tags

Retrieve Victim Tags

The code snippet below demonstrates how to retrieve the tags from an Incident. This example assumes there is a Victim with an ID of 123456 in the target owner. To test this code snippet, change the victim_id variable to the ID of a victim in your owner.

# replace the line below with the standard, TC script heading described here:
# https://docs.threatconnect.com/en/latest/python/quick_start.html#standard-script-heading
...

tc = ThreatConnect(api_access_id, api_secret_key, api_default_org, api_base_url)

# define the ID of the victim we would like to retrieve
victim_id = 123456

# create a victims object
victims = tc.victims()

# set a filter to retrieve the victim with the id: 123456
filter1 = victims.add_filter()
filter1.add_id(victim_id)

try:
    # retrieve the Victims
    victims.retrieve()
except RuntimeError as e:
    print('Error: {0}'.format(e))
    sys.exit(1)

# iterate through the Victims
for victim in victims:
    print(victim.name)

    # load the victim's tags
    victim.load_tags()

    # print details about each tag on the victim
    for tag in victim.tags:
        print(tag.name)
        print(tag.weblink)
        print('')

Create Victim Tags

The code snippet below demonstrates how to add a tag to a Victim. This example assumes there is a Victim with an ID of 123456 in the target owner. To test this code snippet, change the victim_id variable to the ID of a victim in your owner.

# replace the line below with the standard, TC script heading described here:
# https://docs.threatconnect.com/en/latest/python/quick_start.html#standard-script-heading
...

tc = ThreatConnect(api_access_id, api_secret_key, api_default_org, api_base_url)

# define the ID of the victim we would like to retrieve
victim_id = 123456

# create a victims object
victims = tc.victims()

# set a filter to retrieve the victim with the id: 123456
filter1 = victims.add_filter()
filter1.add_id(victim_id)

try:
    # retrieve the Victims
    victims.retrieve()
except RuntimeError as e:
    print('Error: {0}'.format(e))
    sys.exit(1)

# iterate through the Victims
for victim in victims:
    print(victim.name)

    # add the 'Test' tag to the victim
    victim.add_tag('Test')

    # commit the victim with the new tag to ThreatConnect
    victim.commit()

Note

In the prior example, no API calls are made until the commit() method is invoked.

Delete Victim Tags

The code snippet below demonstrates how to delete a tag from a Victim. This example assumes there is a Victim with an ID of 123456 in the target owner. To test this code snippet, change the victim_id variable to the ID of a victim in your owner.

# replace the line below with the standard, TC script heading described here:
# https://docs.threatconnect.com/en/latest/python/quick_start.html#standard-script-heading
...

tc = ThreatConnect(api_access_id, api_secret_key, api_default_org, api_base_url)

# define the ID of the victim we would like to retrieve
victim_id = 123456

# create a victims object
victims = tc.victims()

# set a filter to retrieve the victim with the id: 123456
filter1 = victims.add_filter()
filter1.add_id(victim_id)

try:
    # retrieve the Victims
    victims.retrieve()
except RuntimeError as e:
    print('Error: {0}'.format(e))
    sys.exit(1)

# iterate through the Victims
for victim in victims:
    print(victim.name)

    # remove the 'Test' tag from the victim
    victim.delete_tag('Test')

    # commit the victim with the removed tag to ThreatConnect
    victim.commit()

Note

In the prior example, no API calls are made until the commit() method is invoked.

Victim Assets

Victim Assets are accounts, infrastructure, and equipment that are used by the victim and targeted or exploited by an Adversary Threat. These include email accounts, social network accounts, network accounts, phones, or web sites. They can be associated to an incident, email, or threat as a targeted asset within ThreatConnect.

Retrieve Victim Assets

The example below demonstrates how to pull all Assets for the current Victim Resource from the ThreatConnect platform:

# replace the line below with the standard, TC script heading described here:
# https://docs.threatconnect.com/en/latest/python/quick_start.html#standard-script-heading
...

tc = ThreatConnect(api_access_id, api_secret_key, api_default_org, api_base_url)

# instantiate Victims object
victims = tc.victims()

# set a filter to retrieve the Victim with the id: 123456
filter1 = victims.add_filter()
filter1.add_id(123456)

try:
    # retrieve the Victims
    victims.retrieve()
except RuntimeError as e:
    print('Error: {0}'.format(e))
    sys.exit(1)

# iterate through the Victims
for victim in victims:
    print(victim.id)
    print(victim.name)

    # retrieve the assets from ThreatConnect
    victim.load_assets()

    # iterate through the Victim's assets
    for asset in victim.assets:
        print(asset.id)
        print(asset.name)
        print(asset.type)
        print(asset.weblink)
        print('')

Create Victim Assets

The example below demonstrates how to create Victim Assets for an existing Victim with an ID of 123456:

from threatconnect.Config.ResourceType import ResourceType

# replace the line below with the standard, TC script heading described here:
# https://docs.threatconnect.com/en/latest/python/quick_start.html#standard-script-heading
...

tc = ThreatConnect(api_access_id, api_secret_key, api_default_org, api_base_url)

# instantiate Victims object
victims = tc.victims()

# set a filter to retrieve the victim with the id: 123456
filter1 = victims.add_filter()
filter1.add_id(123456)

try:
    # retrieve the Victims
    victims.retrieve()
except RuntimeError as e:
    print('Error: {0}'.format(e))
    sys.exit(1)

# iterate through the Victims
for victim in victims:
    # add email address asset to Victim
    asset = VictimAssetObject(ResourceType.VICTIM_EMAIL_ADDRESSES)
    asset.set_address('victim@example.com')
    asset.set_address_type('Personal')
    victim.add_asset(asset)

    # add network account asset to Victim
    asset = VictimAssetObject(ResourceType.VICTIM_NETWORK_ACCOUNTS)
    asset.set_account('victim')
    asset.set_network('victimsareus Active Directory')
    victim.add_asset(asset)

    # add phone asset to Victim
    asset = VictimAssetObject(ResourceType.VICTIM_PHONES)
    asset.set_phone_type('555-555-5555')
    victim.add_asset(asset)

    # add social network asset to Victim
    asset = VictimAssetObject(ResourceType.VICTIM_SOCIAL_NETWORKS)
    asset.set_account('@victim')
    asset.set_network('Twitter')
    victim.add_asset(asset)

    # add website asset to Victim
    asset = VictimAssetObject(ResourceType.VICTIM_WEBSITES)
    asset.set_website('www.example.com')
    victim.add_asset(asset)

    try:
        # commit the Victim with the new Victim Assets
        victim.commit()
    except RuntimeError as e:
        print('Error: {0}'.format(e))
        sys.exit(1)

Note

In the prior example, no API calls are made until the commit() method is invoked.

Update Victim Assets

The example below demonstrates how to update the Victim Assets of an existing Victim with an ID of 123456:

from threatconnect.Config.ResourceType import ResourceType

# replace the line below with the standard, TC script heading described here:
# https://docs.threatconnect.com/en/latest/python/quick_start.html#standard-script-heading
...

tc = ThreatConnect(api_access_id, api_secret_key, api_default_org, api_base_url)

# instantiate Victims object
victims = tc.victims()

# set a filter to retrieve the Victim with the id: 123456
filter1 = victims.add_filter()
filter1.add_id(123456)

try:
    # retrieve the Victims
    victims.retrieve()
except RuntimeError as e:
    print('Error: {0}'.format(e))
    sys.exit(1)

# iterate through the Victims
for victim in victims:
    print(victim.id)
    print(victim.name)

    # retrieve the assets from ThreatConnect
    victim.load_assets()

    # iterate through the Victim's assets
    for asset in victim.assets:
        # if the asset is an email address asset, update it
        if asset.type == 'EmailAddress':
            # create a new Victim asset object
            new_asset = VictimAssetObject(ResourceType.VICTIM_EMAIL_ADDRESSES)
            new_asset.set_address('victim2@example.com')
            new_asset.set_address_type('Personal')

            # update the existing asset with the new one
            victim.update(asset.id, new_asset)

    try:
        # commit the Victim with the updated Victim Asset
        victim.commit()
    except RuntimeError as e:
        print('Error: {0}'.format(e))
        sys.exit(1)

Note

In the prior example, no API calls are made until the commit() method is invoked.

Delete Victim Assets

The example below demonstrates how to delete Victim Assets from an existing Victim with an ID of 123456:

# replace the line below with the standard, TC script heading described here:
# https://docs.threatconnect.com/en/latest/python/quick_start.html#standard-script-heading
...

tc = ThreatConnect(api_access_id, api_secret_key, api_default_org, api_base_url)

# instantiate Victims object
victims = tc.victims()

# set a filter to retrieve the Victim with the id: 123456
filter1 = victims.add_filter()
filter1.add_id(123456)

try:
    # retrieve the Victims
    victims.retrieve()
except RuntimeError as e:
    print('Error: {0}'.format(e))
    sys.exit(1)

# iterate through the Victims
for victim in victims:
    print(victim.id)
    print(victim.name)

    # retrieve the assets from ThreatConnect
    victim.load_assets()

    # iterate through the Victim's assets
    for asset in victim.assets:
        # if the asset is a phone number asset, delete it
        if asset.type == 'Phone':
            victim.delete(asset.id, asset)

    try:
        # commit the Victim with the Victim Asset(s) deleted
        victim.commit()
    except RuntimeError as e:
        print('Error: {0}'.format(e))
        sys.exit(1)

Note

In the prior example, no API calls are made until the commit() method is invoked.