Victim Assets¶
Victim Assets are endpoints used to leverage a Victim and infiltrate a network.
Endpoint: /api/v3/victimAssets
Available Fields¶
You can retrieve a list of available fields for the /v3/victimAssets endpoint, including the field’s name, description, and accepted data type, by using the following query:
OPTIONS /v3/victimAssets
Note
To view all fields, including read-only fields, include the ?show=readonly query parameter.
Alternatively, refer to the following tables for a list of available fields that can be included in the body of a POST or PUT request for the victimAssets object.
| Field | Description | Type | Required for Creation? | Updatable? | Example value(s) |
|---|---|---|---|---|---|
| accountName | The account name associated with a Network Account or Social Network Victim Asset | String | TRUE* | TRUE | “@johnsmith” |
| address | The email address associated with a Email Address Victim Asset | String | TRUE* | TRUE | “jsmith@companyabc.com” |
| addressType | The type of Email Address Victim Asset | String | FALSE | TRUE | “Corporate email” |
| associatedGroups | A list of Groups associated to the Victim Asset | String | FALSE | TRUE | {“data”: [{“id”: 12345}]}, {“data”: [{“name”: “Bad Adversary”, “type”: “Adversary”}]} |
| networkType | The type of Network Account Victim Asset | String | FALSE | TRUE | “Company network” |
| phone | The phone number associated with a Phone Victim Asset | String | TRUE* | TRUE | “0123456789” |
| socialNetwork | The type of Social Account Victim Asset | String | FALSE | TRUE | “Twitter” |
| type | The type of Victim Asset being created | String | TRUE | FALSE | “Demo Community” |
| securityLabels | A list of Security Labels applied to the Victim | String | FALSE | TRUE | “EmailAddress”, “NetworkAccount”, “Phone”, “SocialNetwork”, or “WebSite” |
| victimId | The ID of the Victim to which the Victim Asset should be added | Integer | TRUE | FALSE | 1, 2, 3 |
| website | The website address associated with a Website Victim Asset | String | TRUE* | TRUE | “http://examplesite.com” |
Note
*This field is required if creating a Victim Asset that matches the type listed in the Description column.
Available values for the type field include:
EmailAddressNetworkAccountPhoneSocialNetworkWebSite
Create Victim Assets¶
The basic format for creating a Victim Asset is:
POST /v3/victimAssets/
{
"type": "Victim Asset type goes here",
"victimId": 12345
//additional fields for the selected Victim Asset type
}
Refer to the Available Fields section for a list of available fields that can included in the body of a POST request for the victimAssets object.
For example, the following query will create a Phone Victim Asset and add it to the Victim with ID 2:
POST /v3/victimAssets/
{
"phone": "0123456789",
"type": "Phone",
"victimId": 2
}
JSON Response
{
"data": {
"id": 4,
"type": "Phone",
"victimId": 2,
"phone": "0123456789"
},
"message": "Created",
"status": "Success"
}
Retrieve Victim Assets¶
Retrieve All Victim Assets¶
To retrieve all Victim Assets, use the following query:
GET /v3/victimAssets/
JSON Response
{
"data": [{
"id": 4,
"type": "Phone",
"victimId": 2,
"phone": "0123456789"
}, {
"id": 3,
"type": "WebSite",
"victimId": 2,
"website": "somewebsite.com"
}, {
"id": 2,
"type": "EmailAddress",
"victimId": 2,
"address": "[email protected]",
"addressType": "Corporate email",
}, {
"id": 1,
"type": "EmailAddress"
"victimId": 1,
"address": "[email protected]"
}],
"status": "Success"
}
Retrieve a Single Victim Asset¶
To retrieve a specific Victim, use a query in the following format:
GET /v3/victimAssets/{victimAssetId}
For example, the following query will return information about the Victim Asset with ID 3:
GET /v3/victimAssets/3
JSON Response
{
"data": {
"id": 3,
"type": "WebSite",
"victimId": 2,
"website": "somewebsite.com"
},
"status": "Success"
}
Request Additional Fields¶
To request additional fields not automatically provided with each returned object, refer to Include Additional Fields for Returned Objects.
Filter Results¶
To filter returned objects using ThreatConnect Query Language (TQL), refer to Filter Results with TQL.
Update Victim Assets¶
The basic format for updating a Victim Asset is:
PUT /v3/victimAssets/{victimAssetId}
{
{updatedField}: {updatedValue}
}
Refer to the Available Fields section for a list of available fields that can included in the body of a PUT request for the victimAssets object.
Note
When updating a Victim, you can use the mode field to add or remove the following metadata:
associatedGroups
See Update an Object’s Metadata for instructions on using the mode field.
For example, the following query will complete the following actions for a Victim Asset with ID 3:
- Associate the
Bad IncidentGroup to the Victim Asset - Update the Victim Asset’s name.
PUT /v3/victimAssets/3
{
"associatedGroups": {"data": [{"name": "Bad Incident", "type": "Incident"}]},
"name": "hackerwebsite.com"
}
JSON Response
{
"data": {
"id": 3,
"type": "WebSite",
"victimId": 2
"website": "hackerwebsite.com"
},
"message": "Updated",
"status": "Success"
}
Delete Victim Assets¶
The basic format for deleting a Victim Asset is:
DELETE /v3/victimAssets/{victimAssetId}
For example, the following query will delete the Victim Asset with ID 1:
DELETE /v3/victimAssets/1
JSON Response
{
"message": "Deleted",
"status": "Success"
}