Victim Assets

Victim Assets are endpoints used to leverage a Victim and infiltrate a network.

Endpoint: /api/v3/victimAssets

Endpoint Options

Available Fields

Send the following request to retrieve a list of available fields, including the field’s name, description, and accepted data type that can be included in the body of a POST or PUT request to the /v3/victimAssets endpoint:

OPTIONS /v3/victimAssets

Hint

To include read-only fields in the response, append ?show=readonly to the end of the request URL.

Alternatively, refer to the following tables for a list of available fields that can be included in the body of a POST or PUT request to the /v3/victimAssets endpoint.

Field	Description	Type	Required for Creation?	Updatable?	Example Value(s)
accountName	The account name associated with a Network Account or Social Network Victim Asset	String	TRUE [1]	TRUE	“@johnsmith”
address	The email address associated with an Email Address Victim Asset	String	TRUE [1]	TRUE	“jsmith@companyabc.com”
addressType	The type of Email Address Victim Asset	String	FALSE	TRUE	“Corporate email”
associatedGroups	A list of Groups associated to the Victim Asset	Group Object	FALSE	TRUE	{“data”: [{“id”: 12345}]} {“data”: [{“name”: “Bad Adversary”, “type”: “Adversary”}]}
networkType	The type of Network Account Victim Asset	String	FALSE	TRUE	“Company network”
phone	The phone number associated with a Phone Victim Asset	String	TRUE [1]	TRUE	“0123456789”
socialNetwork	The type of Social Account Victim Asset	String	FALSE	TRUE	“Twitter”
type [2]	The type of Victim Asset being created	String	TRUE	FALSE	“Demo Community”
securityLabels	A list of Security Labels applied to the Victim	String	FALSE	TRUE	“EmailAddress”, “NetworkAccount”, “Phone”, “SocialNetwork”, or “WebSite”
victimId	The ID of the Victim to which the Victim Asset should be added	Integer	TRUE	FALSE	1, 2, 3
website	The website address associated with a Website Victim Asset	String	TRUE [1]	TRUE	“http://examplesite.com”

[1] (1,2,3,4)

This field is required only if creating a Victim Asset that matches the type listed in the Description column.

[2]

The following are accepted values for the type field:

• EmailAddress

• NetworkAccount

• Phone

• SocialNetwork

• WebSite

Include Additional Fields in Responses

When creating, retrieving, or updating data, you can use the fields query parameter to include additional fields in the API response that are not included by default.

Send the following request to retrieve a list of fields you can include in responses returned from the /v3/victimAssets endpoint:

OPTIONS /v3/victimAssets/fields

Filter Results

When retrieving data, you can use the tql query parameter to filter results with ThreatConnect Query Language (TQL).

Send the following request to retrieve a list of valid TQL parameters you can use when including the tql query parameter in a request to the /v3/victimAssets endpoint:

OPTIONS /v3/victimAssets/tql

Create Victim Assets

The following example illustrates the basic format for creating a Victim Asset:

POST /v3/victimAssets
{
    "type": "Victim Asset type goes here",
    "victimId": 12345
    //additional fields for the selected Victim Asset type
}

For example, the following request will create a Phone Victim Asset and add it to the Victim with ID 2:

POST /v3/victimAssets
{
    "phone": "0123456789",
    "type": "Phone",
    "victimId": 2
}

JSON Response

{
    "data": {
        "id": 4,
        "type": "Phone",
        "victimId": 2,
        "phone": "0123456789",
        "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=2"
    },
    "message": "Created",
    "status": "Success"
}

Refer to the Available Fields section for a list of available fields that can be included in the body of a POST request to the /v3/victimAssets endpoint.

Retrieve Victim Assets

Retrieve All Victim Assets

Send the following request to retrieve data for all Victim Assets:

GET /v3/victimAssets

JSON Response

{
    "data": [
        {
            "id": 4,
            "type": "Phone",
            "victimId": 2,
            "phone": "0123456789",
            "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=2"
        },
        {
            "id": 3,
            "type": "WebSite",
            "victimId": 2,
            "website": "somewebsite.com",
            "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=2"
        },
        {...}
    ],
    "status": "Success"
}

Retrieve a Specific Victim Asset

Send a request in the following format to retrieve data for a specific Victim Asset:

GET /v3/victimAssets/{victimAssetId}

For example, the following request will retrieve data for the Victim Asset whose ID is 3:

GET /v3/victimAssets/3

JSON Response

{
    "data": {
        "id": 3,
        "type": "WebSite",
        "victimId": 2,
        "website": "somewebsite.com",
        "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=2"
    },
    "status": "Success"
}

Update Victim Assets

The following example illustrates the basic format for updating a Victim Asset:

PUT /v3/victimAssets/{victimAssetId}
{
    {updatedField}: {updatedValue}
}

For example, the following request will perform the following actions for the Victim Asset whose ID is 3:

• Create an Incident Group named Bad Incident and associate it to the Victim Asset

• Update the website associated with the Victim Asset

Hint

To include the associatedGroups field in the API response, append ?fields=groups to the end of the request URL.

PUT /v3/victimAssets/3
{
    "associatedGroups": {
        "data": [
            {
                "name": "Bad Incident",
                "type": "Incident"
            }
        ]
    },
    "website": "hackerwebsite.com"
}

JSON Response

{
    "data": {
        "id": 3,
        "type": "WebSite",
        "victimId": 2,
        "website": "hackerwebsite.com",
        "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=2"
    },
    "message": "Updated",
    "status": "Success"
}

Refer to the Available Fields section for a list of available fields that can be included in the body of a PUT request to the /v3/victimAssets endpoint.

Hint

When updating a Victim Asset, you can use the mode field within the associatedGroups field to associate Groups to and dissociate them from the Victim Asset. See Update an Object’s Metadata for instructions on using the mode field.

Delete Victim Assets

Send a request in the following format to delete a Victim Asset:

DELETE /v3/victimAssets/{victimAssetId}

For example, the following request will delete the Victim Asset whose ID is 1:

DELETE /v3/victimAssets/1

JSON Response

{
    "message": "Deleted",
    "status": "Success"
}

Associations

For instructions on creating and managing associations for Victim Assets, see Create and Manage Associations.