Victims

Victims are used to describe a specific organization or group that has been targeted or whose assets have been exploited.

Retrieve Victims

Filtering Victims

When retrieving Victims from ThreatConnect, it is possible to filter the results on the following data points:

Filter Data Type Operator
name string =

Hint

The “^” character means “starts with”. For example, this character would be used to find all URL Indicators that start with http://xn-- or all Groups whose name starts with APT.

Note

The =, <, >, and ^ operators in any filters must URL encoded as follows:

Character URL Encoded Form
= %3D
< %3C
> %3E
^ %5E

The following query will return all Victims that start with “Example” (name^Example):

GET /v2/victims/?filters=name%5EExample

The following query will return all Victims whose name is “Example Organization” (name=Example Organization):

GET /v2/victims/?filters=name%3DExample%20Organization

Retrieve Multiple Victims

To retrieve multiple Victims, use the following query:

GET /v2/victims/

JSON Response:

{
  "status": "Success",
  "data": {
    "resultCount": 2,
    "victim": [
      {
        "id": "54321",
        "name": "Burton Guster",
        "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=54321"
      },
      {
        "id": "54322",
        "name": "West Coast HR Department",
        "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=54322"
      }
    ]
  }
}

Retrieve a Single Victim

To retrieve a single Victim, use a query in the following format:

GET /v2/victims/{victimId}

For example, if you wanted to retrieve the Victim with ID 12345, you would use the following query:

GET /v2/victims/12345

JSON Response:

{
  "status": "Success",
  "data": {
    "victim": {
      "id": "12345",
      "name": "Burton Guster",
      "description": "He also goes by 'Magic Head', 'Lavender Gooms', 'Ghee Buttersnaps', and 'Control Alt Delete' (among others).",
      "org": "Psych",
      "suborg": "Super Sniffer Department",
      "workLocation": "Santa Barbara, California",
      "nationality": "American",
      "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=12345"
    }
  }
}

Retrieve Victim Metadata

Retrieve Victim Attributes

To retrieve a Victim’s Attributes, use the following format:

GET /v2/victims/{victimId}/attributes

For example, if you wanted to retrieve the attributes on the Victim with ID 12345, you would use the following query:

GET /v2/victims/12345/attributes

JSON Response:

{
  "status": "Success",
  "data": {
    "resultCount": 2,
    "attribute": [
      {
        "id": "54321",
        "type": "Description",
        "dateAdded": "2016-07-13T17:50:17",
        "lastModified": "2017-05-02T18:40:22Z",
        "displayed": true,
        "value": "Description Example"
      },
      {
        "id": "54322",
        "type": "Source",
        "dateAdded": "2016-07-13T17:51:17",
        "lastModified": "2017-05-02T18:40:22Z",
        "displayed": true,
        "value": "Source Example"
      }
    ]
  }
}

To retrieve the Security Labels that are on an attribute, use the following format:

GET /v2/victims/{victimId}/attributes/{attributeId}/securityLabels

Here is an example query:

GET /v2/victims/12345/attributes/54321/securityLabels

JSON Response:

{
  "status": "Success",
  "data": {
    "resultCount": 1,
    "securityLabel": [
      {
        "name": "TLP Amber",
        "description": "TLP Amber information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.",
        "dateAdded": "2017-07-13T17:50:17"
      }
    ]
  }
}

Retrieve Victim Security Labels

To retrieve the Security Labels for a Victim, use a query in the following format:

GET /v2/victims/{victimId}/securityLabels

For example, the query below will retrieve all Security Labels for the Victim with ID 12345:

GET /v2/victims/12345/securityLabels

JSON Response:

{
  "status": "Success",
  "data": {
    "resultCount": 1,
    "securityLabel": [
      {
        "name": "TLP Amber",
        "description": "TLP Amber information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.",
        "dateAdded": "2017-07-13T17:50:17"
      }
    ]
  }
}

Retrieve Victim Tags

To retrieve the Tags for a Victim, use a query in the following format:

GET /v2/victims/{victimId}/tags

For example, the query below will retrieve all Tags for the Victim with ID 12345:

GET /v2/victims/12345/tags

JSON Response:

{
  "status": "Success",
  "data": {
    "resultCount": 1,
    "tag": [
      {
        "name": "Nation State",
        "webLink": "https://app.threatconnect.com/auth/tags/tag.xhtml?tag=Nation+State&owner=Common+Community"
      }
    ]
  }
}

Retrieve Victim Associations

Group to Victim Associations

To view Groups associated with a given Victim, use a query in the following format:

GET /v2/victims/{victimId}/groups

For example, the query below will retrieve all of the Groups associated with the Victim with ID 12345:

GET /v2/victims/12345/groups

JSON Response:

{
  "status": "Success",
  "data": {
    "resultCount": 1,
    "group": [
      {
        "id": "54321",
        "name": "Associated Incident",
        "type": "Incident",
        "ownerName": "Example Organization",
        "dateAdded": "2017-07-13T17:50:17",
        "webLink": "https://app.threatconnect.com/auth/incident/incident.xhtml?incident=54321"
      }
    ]
  }
}

You can also find associated Groups of a given type using the following format:

GET /v2/victims/{victimId}/groups/{associatedGroupType}

Replace {associatedGroupType} with one of the following Group types:

  • adversaries
  • campaigns
  • documents
  • emails
  • incidents
  • signatures
  • threats

For example, we could use the following query to find all Incidents associated with the Victim with ID 12345:

GET /v2/victims/12345/groups/incidents

We can also drill down even further by adding the ID of an associated Victim to the end of the query like:

GET /v2/victims/12345/groups/incidents/54321

Where 54321 is the ID of an Incident associated with Victim 12345.

Indicator to Victim Associations

Note

It is not possible to associate an Indicator directly with a Victim in ThreatConnect. The query described in this section returns Indicators that share a Group association with the given Victim. In the image below, the Victim and Indicator are not directly associated, but are both associated with the same Group. Therefore, the Indicator would be returned when querying for Indicator associations from the Victim.

Victim to Indicator Associations

To view Indicators sharing a Group association with the given Victim, use a query in the following format:

GET /v2/victims/{victimId}/indicators

For example, the query below will retrieve all of the Indicators associated with the Victim with ID 12345:

GET /v2/victims/12345/indicators

JSON Response:

{
  "status": "Success",
  "data": {
    "resultCount": 1,
    "indicator": [
      {
        "id": "54321",
        "ownerName": "Example Organization",
        "type": "Address",
        "dateAdded": "2016-07-13T17:50:17",
        "lastModified": "2017-05-01T21:32:54Z",
        "rating": 3.0,
        "confidence": 55,
        "threatAssessRating": 3.0,
        "threatAssessConfidence": 55.0,
        "webLink": "https://app.threatconnect.com/auth/indicators/details/address.xhtml?address=0.0.0.0&owner=Example+Organization",
        "summary": "0.0.0.0"
      }
    ]
  }
}

You can also find associated Indicators of a given type using the following format:

GET /v2/victims/{victimId}/indicators/{associatedIndicatorType}

For example, we could use the following query to find all Address Indicators associated with the Victim with ID 12345:

GET /v2/victims/12345/indicators/addresses

Retrieve a Victim’s Assets

To view Victim Assets associated with a given Victim, use a query in the following format:

GET /v2/victims/{victimId}/victimAssets

For example, the query below will retrieve all of the Victim Assets associated with the Victim with ID 12345:

GET /v2/victims/12345/victimAssets

JSON Response:

{
  "status": "Success",
  "data": {
    "resultCount": 2,
    "victimAsset": [
      {
        "id": "54321",
        "name": "bad@badguys.com",
        "type": "EmailAddress",
        "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=123"
      },
      {
        "id": "54322",
        "name": "nobody@gmail.com",
        "type": "EmailAddress",
        "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=123"
      }
    ]
  }
}

You can also find associated Victim Assets of a given type using the following format:

GET /v2/victims/{victimId}/victimAssets/{victimAssetType}

The available Victim Asset types are:

  • emailAddresses
  • networkAccounts
  • phoneNumbers
  • socialNetworks
  • webSites

For example, we could use the following query to find all Victim Assets that are Email Addresses which are associated with the Victim with ID 12345:

GET /v2/victims/12345/victimAssets/emailAddresses

We can also drill down even further by adding the ID of an associated Victim Asset to the end of the query like:

GET /v2/victims/12345/victimAssets/emailAddresses/54321

Where 54321 is the ID of a Victim Asset associated with Victim 12345.

Victim to Victim Associations

Note

It is not possible to associate one Victim directly with another in ThreatConnect. The query described in this section returns Victims which are associated with (or ‘through’) the same Group(s). In the image below, the two Victims are not directly associated, but are both associated with the same Group. Therefore, Victim B would be returned when querying for Victim associations from Victim A.

Victim to Victim Associations

To view Victims sharing a Group association with the given Victim, use a query in the following format:

GET /v2/victims/{victimId}/victims

For example, the query below will retrieve all of the Victims associated with the Victim with ID 12345:

GET /v2/victims/12345/victims

JSON Response:

{
  "status": "Success",
  "data": {
    "resultCount": 1,
    "victim": [
      {
        "id": "54321",
        "name": "Bad Guy",
        "org": "Example Organization",
        "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=54321"
      }
    ]
  }
}

We can also drill down even further by adding the ID of an associated Victim to the end of the query like:

GET /v2/victims/12345/victims/54321

Where 54321 is the ID of a Victim associated with Victim 12345.

Create Victims

To create a Victim, the most basic format is:

POST /v2/victims/
Content-type: application/json; charset=utf-8

{
  // add fields here...
}

When creating a Victim, you can also add any of the fields listed below:

Valid Fields Required
name TRUE
description FALSE
org FALSE
suborg FALSE
workLocation FALSE
nationality FALSE

By way of example, the query below will create a Victim in the default owner:

POST /v2/victims/
Content-type: application/json; charset=utf-8

{
  "name": "Example Victim",
  "description": "This victim got hacked.",
  "org": "Test Org",
  "suborg": "HR Department",
  "workLocation": "Washington D.C.",
  "nationality": "American",
}

JSON Response:

{
  "status": "Success",
  "data": {
    "victim": {
      "id": "54321",
      "name": "Example Victim",
      "description": "This victim got hacked.",
      "org": "Test Org",
      "suborg": "HR Department",
      "workLocation": "Washington D.C.",
      "nationality": "American",
      "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=54321"
    }
  }
}

Create Victim Assets

To create Victim Assets, use a query in the following format:

POST /v2/victims/{victimId}/victimAssets/{victimAssetType}
Content-type: application/json; charset=utf-8

{
  // add fields here...
}

The available Victim Asset types are:

  • emailAddresses
  • networkAccounts
  • phoneNumbers
  • socialNetworks
  • webSites

When creating a Victim Asset, there are certain fields that are required as detailed below:

Asset Type Valid Fields Required for Asset Creation Required for Asset Update
emailAddresses address TRUE TRUE
  addressType FALSE FALSE
networkAccounts account TRUE TRUE
  network FALSE FALSE
phoneNumbers phoneType TRUE TRUE
socialNetworks account TRUE TRUE
  network FALSE FALSE
webSites webSite TRUE TRUE

For example, if you wanted to add a network account Victim Asset to a Victim with ID 12345, you would use the following query:

POST /v2/victims/12345/victimAssets/networkAccounts
Content-type: application/json; charset=utf-8

{
  "account": "John Doe",
  "network": "Active Directory"
}

In the case of networkAccounts or socialNetworks, the account specifies the value of the actual account and the network provides a classification for the network itself.

JSON Response:

{
  "status": "Success",
  "data": {
    "victimNetworkAccount": {
      "id": 398,
      "type": "NetworkAccount",
      "webLink": "https://sandbox.threatconnect.com/auth/victim/victim.xhtml?victim=12345",
      "account": "John Doe",
      "network": "Active Directory"
    }
  }
}

Create Victim Metadata

Create Victim Attributes

To add an Attribute to a Victim, use the following format:

POST /v2/victims/{victimId}/attributes
Content-type: application/json; charset=utf-8

{
  "type" : {attributeType},
  "value" : "Test Attribute",
  "displayed" : true
}

For example, if you wanted to add a Description attribute to the Victim with ID 12345, you would use the following query:

POST /v2/victims/12345/attributes
Content-type: application/json; charset=utf-8

{
  "type" : "Description",
  "value" : "Test Description",
  "displayed" : true
}

JSON Response:

{
  "status": "Success",
  "data": {
    "attribute": {
      "id": "54321",
      "type": "Description",
      "dateAdded": "2017-07-13T17:50:17",
      "lastModified": "2017-07-13T17:50:17",
      "displayed": true,
      "value": "Test Description"
    }
  }
}

To add a Security Label to an attribute, use the following format where {securityLabel} is replaced with the name of a Security Label that already exists in the owner:

POST /v2/victims/{victimId}/attributes/{attributeId}/securityLabels/{securityLabel}

For example, the query below will add a TLP Amber Security Label to the attribute on the Victim:

POST /v2/victims/12345/attributes/54321/securityLabels/TLP%20Amber

Note

In order to add a Security Label to an attribute, the Security Label must already exist. The query above will not create a new Security Label. If you specify a Security Label that does not exist, it will return an error.

Create Victim Security Labels

To add a Security Label to a Victim, use the following format where {securityLabel} is replaced with the name of a Security Label that already exists in the owner:

POST /v2/victims/{victimId}/securityLabels/{securityLabel}

For example, the query below will add a TLP Amber Security Label to the Victim with ID 12345:

POST /v2/victims/12345/securityLabels/TLP%20Amber

JSON Response:

{
  "apiCalls": 1,
  "resultCount": 0,
  "status": "Success"
}

Note

In order to add a Security Label to a Victim, the Security Label must already exist. The query above will not create a new Security Label. If you specify a Security Label that does not exist, it will return an error.

Create Victim Tags

To add a tag to a Victim, use the following format where {tagName} is replaced with the name of the tag you wish to add to the Victim:

POST /v2/victims/{victimId}/tags/{tagName}

For example, the query below will add the Nation State tag to the Victim with ID 12345:

POST /v2/victims/12345/tags/Nation%20State

JSON Response:

{
  "apiCalls": 1,
  "resultCount": 0,
  "status": "Success"
}

Note

The length of a tag is limited to 128 characters.

Create Victim Associations

Associate Group to Victim

To associate a Victim with a Group, use a query in the following format:

POST /v2/victims/{victimId}/groups/{associatedGroupType}/{associatedGroupId}

Replace {associatedGroupType} with one of the following Group types:

  • adversaries
  • campaigns
  • documents
  • emails
  • incidents
  • signatures
  • threats

For example, the query below will associate a Victim with ID 12345 with an Incident with the ID 54321:

POST /v2/victims/12345/groups/incidents/54321

JSON Response:

{
  "status": "Success"
}

Warning

In order to associate a Victim with any item, that Victim must have at least one Victim Asset.

Update Victims

To update a Victim, the basic format is:

PUT /v2/victims/{victimId}
{
  {updatedField}: {updatedValue}
}

When updating a Victim, you can change any of the fields below in addition to the required name field:

Valid Fields Required
name TRUE
description FALSE
org FALSE
suborg FALSE
workLocation FALSE
nationality FALSE

By way of example, the query below will update the name of a Victim with ID 12345:

PUT /v2/victims/12345
{
  "name": "New Victim Name",
}

JSON Response:

{
  "status": "Success",
  "data": {
    "victim": {
      "id": 54321,
      "name": "New Victim Name",
      "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=54321"
    }
  }
}

Update Victim Assets

To update a Victim’s Assets, use a query in the following format:

PUT /v2/victims/{victimId}/victimAssets/{victimAssetType}/{victimAssetId}
{
  // add fields here...
}

The available Victim Asset types are:

  • emailAddresses
  • networkAccounts
  • phoneNumbers
  • socialNetworks
  • webSites

When updating a Victim Asset, there are certain fields that are required as detailed below:

Asset Type Valid Fields Required for Asset Creation Required for Asset Update
emailAddresses address TRUE TRUE
  addressType FALSE FALSE
networkAccounts account TRUE TRUE
  network FALSE FALSE
phoneNumbers phoneType TRUE TRUE
socialNetworks account TRUE TRUE
  network FALSE FALSE
webSites webSite TRUE TRUE

For example, if you wanted to update an existing network account Victim Asset on a Victim with ID 12345, you would use the following query:

PUT /v2/victims/12345/victimAssets/networkAccounts
{
  "account": "Jane Doe"
}

JSON Response:

{
  "status": "Success",
  "data": {
    "victimNetworkAccount": {
      "id": 398,
      "type": "NetworkAccount",
      "webLink": "https://sandbox.threatconnect.com/auth/victim/victim.xhtml?victim=12345",
      "account": "Jane Doe",
      "network": "Active Directory"
    }
  }
}

Update Victim Metadata

Update Victim Attributes

To update a Victim’s attribute, use the following format:

PUT /v2/victims/{victimId}/attributes/{attributeId}
{
  {updatedField}: {updatedValue}
}

When updating attributes, you can change the following fields:

Updatable Attribute Fields Required
value TRUE
displayed FALSE
source FALSE

For example, if you wanted to update the value of an attribute with ID 54321 on the Victim with ID 12345, you would use the following query:

PUT /v2/victims/12345/attributes/54321
{
  "value": "New attribute value."
}

JSON Response:

{
  "status": "Success",
  "data": {
    "attribute": {
      "id": "54321",
      "type": "Description",
      "dateAdded": "2017-07-13T17:50:17",
      "lastModified": "2017-07-19T15:54:12Z",
      "displayed": true,
      "value": "New attribute value."
    }
  }
}

Delete Victims

To delete a Victim, the most basic format is:

DELETE /v2/victims/{victimId}

By way of example, the query below will delete the Victim with ID 12345:

DELETE /v2/victims/12345

JSON Response:

{
    "apiCalls": 1,
    "resultCount": 0,
    "status": "Success"
}

Delete Victim Assets

To delete a Victim’s Asset, use a query in the following format:

DELETE /v2/victims/{victimId}/victimAssets/{victimAssetType}/{victimAssetId}

For example, the query below will delete the email address Victim Asset with ID 54321 from the Victim with ID 12345:

DELETE /v2/victims/12345/victimAssets/emailAddresses/54321

JSON Response:

{
  "status": "Success"
}

Delete Victim Metadata

Delete Victim Attributes

To delete an attribute from a Victim, use the following format:

DELETE /v2/victims/{victimId}/attributes/{attributeId}

For example, if you wanted to delete the attribute with ID 54321 from the Victim with ID 12345, you would use the following query:

DELETE /v2/victims/12345/attributes/54321

JSON Response:

{
  "apiCalls": 1,
  "resultCount": 0,
  "status": "Success"
}

To delete a Security Label from an attribute, use the following format where {securityLabel} is replaced with the name of a Security Label that already exists in the owner:

DELETE /v2/victims/{victimId}/attributes/{attributeId}/securityLabels/{securityLabel}

For example, the query below will remove the TLP Amber Security Label from the attribute with ID 54321 on the Victim:

DELETE /v2/victims/12345/attributes/54321/securityLabels/TLP%20Amber

Delete Victim Security Labels

To delete a Security Label from a Victim, use the following format where {securityLabel} is replaced with the name of a Security Label:

DELETE /v2/victims/{victimId}/securityLabels/{securityLabel}

For example, the query below will delete the TLP Amber Security Label to the Victim with ID 12345:

DELETE /v2/victims/12345/securityLabels/TLP%20Amber

JSON Response:

{
  "apiCalls": 1,
  "resultCount": 0,
  "status": "Success"
}

Delete Victim Tags

To delete a tag from a Victim, use the following format where {tagName} is replaced with the name of the tag you wish to remove from the Victim:

DELETE /v2/victims/{victimId}/tags/{tagName}

For example, the query below will delete the Nation State tag to the Victim with ID 12345:

DELETE /v2/victims/12345/tags/Nation%20State

JSON Response:

{
  "apiCalls": 1,
  "resultCount": 0,
  "status": "Success"
}

Delete/Disassociate Victim Associations

Disassociate Group from Victim

To disassociate a Victim from a Group, use a query in the following format:

DELETE /v2/victims/{victimId}/groups/{associatedGroupType}/{associatedGroupId}

Replace {associatedGroupType} with one of the following Group types:

  • adversaries
  • campaigns
  • documents
  • emails
  • incidents
  • signatures
  • threats

For example, the query below will disassociate a Victim with ID 12345 from an Incident with the ID 54321:

DELETE /v2/victims/12345/groups/incidents/54321

JSON Response:

{
  "apiCalls": 1,
  "resultCount": 0,
  "status": "Success"
}