Victim Assets

Victim Assets are endpoints used to leverage a Victim and infiltrate a network.

Endpoint: /api/v3/victimAssets

Endpoint Options

Available Fields

Send the following request to retrieve a list of available fields, including the field’s name, description, and accepted data type that can be included in the body of a POST or PUT request to the /v3/victimAssets endpoint:

OPTIONS /v3/victimAssets

Hint

To include read-only fields in the response, append ?show=readonly to the end of the request URL.

Alternatively, refer to the following tables for a list of available fields that can be included in the body of a POST or PUT request to the /v3/victimAssets endpoint.

Field Description Type Required for Creation? Updatable? Example Value(s)
accountName The account name associated with a Network Account or Social Network Victim Asset String TRUE [1] TRUE “@johnsmith”
address The email address associated with an Email Address Victim Asset String TRUE [1] TRUE jsmith@companyabc.com
addressType The type of Email Address Victim Asset String FALSE TRUE “Corporate email”
associatedGroups A list of Groups associated to the Victim Asset Group Object FALSE TRUE
{“data”: [{“id”: 12345}]}

{“data”: [{“name”: “Bad Adversary”, “type”: “Adversary”}]}
networkType The type of Network Account Victim Asset String FALSE TRUE “Company network”
phone The phone number associated with a Phone Victim Asset String TRUE [1] TRUE “0123456789”
socialNetwork The type of Social Account Victim Asset String FALSE TRUE “Twitter”
type [2] The type of Victim Asset being created String TRUE FALSE “Demo Community”
securityLabels A list of Security Labels applied to the Victim String FALSE TRUE “EmailAddress”, “NetworkAccount”, “Phone”, “SocialNetwork”, or “WebSite”
victimId The ID of the Victim to which the Victim Asset should be added Integer TRUE FALSE 1, 2, 3
website The website address associated with a Website Victim Asset String TRUE [1] TRUE http://examplesite.com
[1](1, 2, 3, 4) This field is required only if creating a Victim Asset that matches the type listed in the Description column.
[2]

The following are accepted values for the type field:

  • EmailAddress
  • NetworkAccount
  • Phone
  • SocialNetwork
  • WebSite

Include Additional Fields in Responses

When creating, retrieving, or updating data, you can use the fields query parameter to include additional fields in the API response that are not included by default.

Send the following request to retrieve a list of fields you can include in responses returned from the /v3/victimAssets endpoint:

OPTIONS /v3/victimAssets/fields

Filter Results

When retrieving data, you can use the tql query parameter to filter results with ThreatConnect Query Language (TQL).

Send the following request to retrieve a list of valid TQL parameters you can use when including the tql query parameter in a request to the /v3/victimAssets endpoint:

OPTIONS /v3/victimAssets/tql

Create Victim Assets

The following example illustrates the basic format for creating a Victim Asset:

POST /v3/victimAssets
{
    "type": "Victim Asset type goes here",
    "victimId": 12345
    //additional fields for the selected Victim Asset type
}

For example, the following request will create a Phone Victim Asset and add it to the Victim with ID 2:

POST /v3/victimAssets
{
    "phone": "0123456789",
    "type": "Phone",
    "victimId": 2
}

JSON Response

{
    "data": {
        "id": 4,
        "type": "Phone",
        "victimId": 2,
        "phone": "0123456789",
        "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=2"
    },
    "message": "Created",
    "status": "Success"
}

Refer to the Available Fields section for a list of available fields that can be included in the body of a POST request to the /v3/victimAssets endpoint.

Retrieve Victim Assets

Retrieve All Victim Assets

Send the following request to retrieve data for all Victim Assets:

GET /v3/victimAssets

JSON Response

{
    "data": [
        {
            "id": 4,
            "type": "Phone",
            "victimId": 2,
            "phone": "0123456789",
            "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=2"
        },
        {
            "id": 3,
            "type": "WebSite",
            "victimId": 2,
            "website": "somewebsite.com",
            "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=2"
        },
        {...}
    ],
    "status": "Success"
}

Retrieve a Specific Victim Asset

Send a request in the following format to retrieve data for a specific Victim Asset:

GET /v3/victimAssets/{victimAssetId}

For example, the following request will retrieve data for the Victim Asset whose ID is 3:

GET /v3/victimAssets/3

JSON Response

{
    "data": {
        "id": 3,
        "type": "WebSite",
        "victimId": 2,
        "website": "somewebsite.com",
        "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=2"
    },
    "status": "Success"
}

Update Victim Assets

The following example illustrates the basic format for updating a Victim Asset:

PUT /v3/victimAssets/{victimAssetId}
{
    {updatedField}: {updatedValue}
}

For example, the following request will perform the following actions for the Victim Asset whose ID is 3:

  • Create an Incident Group named Bad Incident and associate it to the Victim Asset
  • Update the website associated with the Victim Asset

Hint

To include the associatedGroups field in the API response, append ?fields=groups to the end of the request URL.

PUT /v3/victimAssets/3
{
    "associatedGroups": {
        "data": [
            {
                "name": "Bad Incident",
                "type": "Incident"
            }
        ]
    },
    "website": "hackerwebsite.com"
}

JSON Response

{
    "data": {
        "id": 3,
        "type": "WebSite",
        "victimId": 2,
        "website": "hackerwebsite.com",
        "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=2"
    },
    "message": "Updated",
    "status": "Success"
}

Refer to the Available Fields section for a list of available fields that can be included in the body of a PUT request to the /v3/victimAssets endpoint.

Hint

When updating a Victim Asset, you can use the mode field within the associatedGroups field to associate Groups to and dissociate them from the Victim Asset. See Update an Object’s Metadata for instructions on using the mode field.

Delete Victim Assets

Send a request in the following format to delete a Victim Asset:

DELETE /v3/victimAssets/{victimAssetId}

For example, the following request will delete the Victim Asset whose ID is 1:

DELETE /v3/victimAssets/1

JSON Response

{
    "message": "Deleted",
    "status": "Success"
}