Victim Assets¶
Victim Assets are endpoints used to leverage a Victim and infiltrate a network.
Endpoint: /api/v3/victimAssets
Endpoint Options¶
Available Fields¶
Send the following request to retrieve a list of available fields, including the field’s name, description, and accepted data type that can be included in the body of a POST or PUT request to the /v3/victimAssets endpoint:
OPTIONS /v3/victimAssets
Hint
To include read-only fields in the response, append ?show=readonly to the end of the request URL.
Alternatively, refer to the following tables for a list of available fields that can be included in the body of a POST or PUT request to the /v3/victimAssets endpoint.
| Field | Description | Type | Required for Creation? | Updatable? | Example Value(s) |
|---|---|---|---|---|---|
| accountName | The account name associated with a Network Account or Social Network Victim Asset | String | TRUE [1] | TRUE | “@johnsmith” |
| address | The email address associated with an Email Address Victim Asset | String | TRUE [1] | TRUE | “jsmith@companyabc.com” |
| addressType | The type of Email Address Victim Asset | String | FALSE | TRUE | “Corporate email” |
| associatedGroups | A list of Groups associated to the Victim Asset | Group Object | FALSE | TRUE | {“data”: [{“id”: 12345}]}
{“data”: [{“name”: “Bad Adversary”, “type”: “Adversary”}]}
|
| networkType | The type of Network Account Victim Asset | String | FALSE | TRUE | “Company network” |
| phone | The phone number associated with a Phone Victim Asset | String | TRUE [1] | TRUE | “0123456789” |
| socialNetwork | The type of Social Account Victim Asset | String | FALSE | TRUE | “Twitter” |
| type [2] | The type of Victim Asset being created | String | TRUE | FALSE | “Demo Community” |
| securityLabels | A list of Security Labels applied to the Victim | String | FALSE | TRUE | “EmailAddress”, “NetworkAccount”, “Phone”, “SocialNetwork”, or “WebSite” |
| victimId | The ID of the Victim to which the Victim Asset should be added | Integer | TRUE | FALSE | 1, 2, 3 |
| website | The website address associated with a Website Victim Asset | String | TRUE [1] | TRUE | “http://examplesite.com” |
| [1] | (1, 2, 3, 4) This field is required only if creating a Victim Asset that matches the type listed in the Description column. |
| [2] | The following are accepted values for the
|
Include Additional Fields in Responses¶
When creating, retrieving, or updating data, you can use the fields query parameter to include additional fields in the API response that are not included by default.
Send the following request to retrieve a list of fields you can include in responses returned from the /v3/victimAssets endpoint:
OPTIONS /v3/victimAssets/fields
Filter Results¶
When retrieving data, you can use the tql query parameter to filter results with ThreatConnect Query Language (TQL).
Send the following request to retrieve a list of valid TQL parameters you can use when including the tql query parameter in a request to the /v3/victimAssets endpoint:
OPTIONS /v3/victimAssets/tql
Create Victim Assets¶
The following example illustrates the basic format for creating a Victim Asset:
POST /v3/victimAssets
{
"type": "Victim Asset type goes here",
"victimId": 12345
//additional fields for the selected Victim Asset type
}
For example, the following request will create a Phone Victim Asset and add it to the Victim with ID 2:
POST /v3/victimAssets
{
"phone": "0123456789",
"type": "Phone",
"victimId": 2
}
JSON Response
{
"data": {
"id": 4,
"type": "Phone",
"victimId": 2,
"phone": "0123456789",
"webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=2"
},
"message": "Created",
"status": "Success"
}
Refer to the Available Fields section for a list of available fields that can be included in the body of a POST request to the /v3/victimAssets endpoint.
Retrieve Victim Assets¶
Retrieve All Victim Assets¶
Send the following request to retrieve data for all Victim Assets:
GET /v3/victimAssets
JSON Response
{
"data": [
{
"id": 4,
"type": "Phone",
"victimId": 2,
"phone": "0123456789",
"webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=2"
},
{
"id": 3,
"type": "WebSite",
"victimId": 2,
"website": "somewebsite.com",
"webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=2"
},
{...}
],
"status": "Success"
}
Retrieve a Specific Victim Asset¶
Send a request in the following format to retrieve data for a specific Victim Asset:
GET /v3/victimAssets/{victimAssetId}
For example, the following request will retrieve data for the Victim Asset whose ID is 3:
GET /v3/victimAssets/3
JSON Response
{
"data": {
"id": 3,
"type": "WebSite",
"victimId": 2,
"website": "somewebsite.com",
"webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=2"
},
"status": "Success"
}
Update Victim Assets¶
The following example illustrates the basic format for updating a Victim Asset:
PUT /v3/victimAssets/{victimAssetId}
{
{updatedField}: {updatedValue}
}
For example, the following request will perform the following actions for the Victim Asset whose ID is 3:
- Create an Incident Group named Bad Incident and associate it to the Victim Asset
- Update the website associated with the Victim Asset
Hint
To include the associatedGroups field in the API response, append ?fields=groups to the end of the request URL.
PUT /v3/victimAssets/3
{
"associatedGroups": {
"data": [
{
"name": "Bad Incident",
"type": "Incident"
}
]
},
"website": "hackerwebsite.com"
}
JSON Response
{
"data": {
"id": 3,
"type": "WebSite",
"victimId": 2,
"website": "hackerwebsite.com",
"webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=2"
},
"message": "Updated",
"status": "Success"
}
Refer to the Available Fields section for a list of available fields that can be included in the body of a PUT request to the /v3/victimAssets endpoint.
Hint
When updating a Victim Asset, you can use the mode field within the associatedGroups field to associate Groups to and dissociate them from the Victim Asset. See Update an Object’s Metadata for instructions on using the mode field.
Delete Victim Assets¶
Send a request in the following format to delete a Victim Asset:
DELETE /v3/victimAssets/{victimAssetId}
For example, the following request will delete the Victim Asset whose ID is 1:
DELETE /v3/victimAssets/1
JSON Response
{
"message": "Deleted",
"status": "Success"
}