Victim Assets

Victim Assets are endpoints used to leverage a Victim and infiltrate a network.

Endpoint: /api/v3/victimAssets

Endpoint Options

Available Fields

Send the following request to retrieve a list of available fields, including the field’s name, description, and accepted data type that can be included in the body of a POST or PUT request to the /v3/victimAssets endpoint:

OPTIONS /v3/victimAssets

Hint

To include read-only fields in the response, append ?show=readonly to the end of the request URL.

Alternatively, refer to the following tables for a list of available fields that can be included in the body of a POST or PUT request to the /v3/victimAssets endpoint.

Field

Description

Type

Required for Creation?

Updatable?

Example Value(s)

accountName

The account name associated with a Network Account or Social Network Victim Asset

String

TRUE [1]

TRUE

“@johnsmith”

address

The email address associated with an Email Address Victim Asset

String

TRUE [1]

TRUE

jsmith@companyabc.com

addressType

The type of Email Address Victim Asset

String

FALSE

TRUE

“Corporate email”

associatedGroups

A list of Groups associated to the Victim Asset

Group Object

FALSE

TRUE

{“data”: [{“id”: 12345}]}

{“data”: [{“name”: “Bad Adversary”, “type”: “Adversary”}]}

networkType

The type of Network Account Victim Asset

String

FALSE

TRUE

“Company network”

phone

The phone number associated with a Phone Victim Asset

String

TRUE [1]

TRUE

“0123456789”

socialNetwork

The type of Social Account Victim Asset

String

FALSE

TRUE

“Twitter”

type [2]

The type of Victim Asset being created

String

TRUE

FALSE

“Demo Community”

securityLabels

A list of Security Labels applied to the Victim

String

FALSE

TRUE

“EmailAddress”, “NetworkAccount”, “Phone”, “SocialNetwork”, or “WebSite”

victimId

The ID of the Victim to which the Victim Asset should be added

Integer

TRUE

FALSE

1, 2, 3

website

The website address associated with a Website Victim Asset

String

TRUE [1]

TRUE

http://examplesite.com

Include Additional Fields in Responses

When creating, retrieving, or updating data, you can use the fields query parameter to include additional fields in the API response that are not included by default.

Send the following request to retrieve a list of fields you can include in responses returned from the /v3/victimAssets endpoint:

OPTIONS /v3/victimAssets/fields

Filter Results

When retrieving data, you can use the tql query parameter to filter results with ThreatConnect Query Language (TQL).

Send the following request to retrieve a list of valid TQL parameters you can use when including the tql query parameter in a request to the /v3/victimAssets endpoint:

OPTIONS /v3/victimAssets/tql

Create Victim Assets

The following example illustrates the basic format for creating a Victim Asset:

POST /v3/victimAssets
Content-Type: application/json

{
    "type": "Victim Asset type goes here",
    "victimId": 12345
    //additional fields for the selected Victim Asset type
}

For example, the following request will create a Phone Victim Asset and add it to the Victim with ID 2:

POST /v3/victimAssets
Content-Type: application/json

{
    "phone": "0123456789",
    "type": "Phone",
    "victimId": 2
}

JSON Response

{
    "data": {
        "id": 4,
        "type": "Phone",
        "victimId": 2,
        "phone": "0123456789",
        "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=2"
    },
    "message": "Created",
    "status": "Success"
}

Refer to the Available Fields section for a list of available fields that can be included in the body of a POST request to the /v3/victimAssets endpoint.

Retrieve Victim Assets

Retrieve All Victim Assets

Send the following request to retrieve data for all Victim Assets:

GET /v3/victimAssets

JSON Response

{
    "data": [
        {
            "id": 4,
            "type": "Phone",
            "victimId": 2,
            "phone": "0123456789",
            "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=2"
        },
        {
            "id": 3,
            "type": "WebSite",
            "victimId": 2,
            "website": "somewebsite.com",
            "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=2"
        },
        {...}
    ],
    "status": "Success"
}

Retrieve a Specific Victim Asset

Send a request in the following format to retrieve data for a specific Victim Asset:

GET /v3/victimAssets/{victimAssetId}

For example, the following request will retrieve data for the Victim Asset whose ID is 3:

GET /v3/victimAssets/3

JSON Response

{
    "data": {
        "id": 3,
        "type": "WebSite",
        "victimId": 2,
        "website": "somewebsite.com",
        "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=2"
    },
    "status": "Success"
}

Update Victim Assets

The following example illustrates the basic format for updating a Victim Asset:

PUT /v3/victimAssets/{victimAssetId}
Content-Type: application/json

{
    {updatedField}: {updatedValue}
}

For example, the following request will perform the following actions for the Victim Asset whose ID is 3:

  • Create an Incident Group named Bad Incident and associate it to the Victim Asset

  • Update the website associated with the Victim Asset

Hint

To include the associatedGroups field in the API response, append ?fields=groups to the end of the request URL.

PUT /v3/victimAssets/3
Content-Type: application/json

{
    "associatedGroups": {
        "data": [
            {
                "name": "Bad Incident",
                "type": "Incident"
            }
        ]
    },
    "website": "hackerwebsite.com"
}

JSON Response

{
    "data": {
        "id": 3,
        "type": "WebSite",
        "victimId": 2,
        "website": "hackerwebsite.com",
        "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=2"
    },
    "message": "Updated",
    "status": "Success"
}

Refer to the Available Fields section for a list of available fields that can be included in the body of a PUT request to the /v3/victimAssets endpoint.

Hint

When updating a Victim Asset, you can use the mode field within the associatedGroups field to associate Groups to and dissociate them from the Victim Asset. See Update an Object’s Metadata for instructions on using the mode field.

Delete Victim Assets

Send a request in the following format to delete a Victim Asset:

DELETE /v3/victimAssets/{victimAssetId}

For example, the following request will delete the Victim Asset whose ID is 1:

DELETE /v3/victimAssets/1

JSON Response

{
    "message": "Deleted",
    "status": "Success"
}

Associations

For instructions on creating and managing associations for Victim Assets, see Create and Manage Associations.