
Threat Intelligence GraphQL API🔗

Query🔗

Fields🔗

Field Type Description Arguments
node Node id: ID
threatPublication ThreatPublication Retrieves a publication by ID. ID: String
threatPublications ThreatPublication Searches publications for text. text: String
threatPublicationsSearch ThreatPublication Gets publications for multiple indicators. text: String
threatLatestPublications ThreatPublication Gets the latest publications from an offset with a size. from: Int, size: Int
threatIdentitiesByConfidence ThreatResult Gets identities by confidence score. confidence: Int
threatWatchlist ThreatRelationship Gets a watchlist by type. All results are considered high confidence. Only IP and DOMAIN types are supported. FILE type has been removed from this endpoint; for FILE types, use the paged endpoint threatTimsMalwareFiles instead. type: ThreatParentType
threatTimsMalwareFiles PagedMalwareFiles Gets all TIMS 2.0 Malware file hashes. All results are considered high confidence. This is a paged service that requires repeated queries; the total number of results can exceed 750k. For the initial query, provide no search parameters or set 'last_created' to null. Each subsequent query should pass the previous response's 'PagedMalwareFiles.last_created' value as the 'last_created' input parameter. Returns pages of 10,000 at a time, sorted by the indicator's 'created' field in descending order. The returned field 'has_more' is false when the last page has been returned. Note: 'created' is an internal field associated with the indicator, not the time the indicator was first found; it is used only for sorting. last_created: String
threatIndicatorPublications ThreatReport Gets publications related to indicators. ID: String
threatPublicationsIndicators ThreatIndicator Gets the list of indicators related to a list of publications. ID: String
threatIndicatorIntelligence ThreatIndicatorIntelligence Retrieves all intelligence associated with an indicator. ID: String
threatRelationship ThreatRelationship Gets relationship by id. ID: String
threatIdentity ThreatIdentity Gets identity by id. ID: String
threatMalware ThreatMalware Gets malware by id. ID: String
threatIdentities ThreatIdentity Gets identities by confidence score. confidence: Int
threatVidIntelligence ThreatVidIntelligence Retrieves all intelligence associated with a VID. vid: String
threatIndicatorsIntelligence ThreatIndicatorIntelligence Retrieves all intelligence associated with a list of indicators. ID: String
threatRuleVidIntelligence ThreatVidIntelligence Retrieves all intelligence associated with a Rule ID. ruleID: String
threatMalwareIntelligence ThreatMalwareIntelligence Retrieves all intelligence associated with a malware. ID: String
threatIntelligence ThreatIntelligence Retrieves all intelligence based on the input threat object type and filters. page: ThreatPageInput, threatObjectType: ThreatFacetObject, filter: ThreatFilter
threatFacetInfo FacetInfo Retrieves facet counts based on object type and filters. objectType: ThreatFacetObject, facets: String, filters: ThreatFilter
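Walking the threatTimsMalwareFiles pages as described above, as an added example in Python that is not part of this API documentation. It assumes an `execute(query, variables)` callable that posts the GraphQL document to the endpoint and returns the parsed `data` object; `fake_execute` and `FAKE_PAGES` are constructed stand-ins so it runs offline, and the de-duplication by file_hash is a defensive choice, not something the page specifies.

```python
from typing import Callable, Dict, List, Optional

# Query built from the schema on this page: the argument and the three
# PagedMalwareFiles fields, plus the TimsMalwareFile fields worth keeping.
TIMS_FILES_QUERY = """
query TimsFiles($last_created: String) {
  threatTimsMalwareFiles(last_created: $last_created) {
    last_created
    has_more
    files { file_hash information_source threat_description confidence source_internal }
  }
}
"""


def fetch_all_malware_files(execute: Callable[[str, Dict], Dict],
                            max_pages: int = 100) -> List[Dict]:
    """Walk every page of threatTimsMalwareFiles and return the files.

    `execute(query, variables)` (assumed, not from the page) posts the
    document and returns the parsed `data` object. The first call sends
    last_created = null; later calls echo the previous page's
    PagedMalwareFiles.last_created; paging stops when has_more is false.
    Because 'created' is only an internal sort key, a hash may straddle a
    page boundary, so results are de-duplicated by file_hash.
    """
    files: Dict[str, Dict] = {}
    last_created: Optional[str] = None
    for _ in range(max_pages):
        data = execute(TIMS_FILES_QUERY, {"last_created": last_created})
        page = data["threatTimsMalwareFiles"]
        for f in page["files"]:
            files.setdefault(f["file_hash"], f)
        if not page["has_more"]:
            return list(files.values())
        # A cursor that does not advance would page forever; fail instead.
        if page["last_created"] == last_created:
            raise RuntimeError("last_created did not advance; aborting paging")
        last_created = page["last_created"]
    raise RuntimeError(f"exceeded {max_pages} pages without has_more=false")


# Constructed offline stand-in for the endpoint: three pages of sample hashes,
# newest 'created' first, with one hash repeated across a page boundary.
FAKE_PAGES = [
    ("2024-01-03T00:00:00Z", True, ["aaaa", "bbbb", "cccc"]),
    ("2024-01-02T00:00:00Z", True, ["cccc", "dddd"]),
    ("2024-01-01T00:00:00Z", False, ["eeee"]),
]


def fake_execute(query: str, variables: Dict) -> Dict:
    """Serve FAKE_PAGES by locating the incoming last_created cursor."""
    cursor = variables.get("last_created")
    idx = 0 if cursor is None else 1 + [p[0] for p in FAKE_PAGES].index(cursor)
    last_created, has_more, hashes = FAKE_PAGES[idx]
    return {"threatTimsMalwareFiles": {
        "last_created": last_created, "has_more": has_more,
        "files": [{"file_hash": h, "information_source": "constructed",
                   "threat_description": "sample", "confidence": 100,
                   "source_internal": False} for h in hashes]}}
```

Running `fetch_all_malware_files(fake_execute)` yields five distinct hashes from the three constructed pages; pass a real transport in place of `fake_execute` to page the live endpoint.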

ID🔗

Description: The ID scalar type represents a unique identifier, often used to refetch an object or as key for a cache. The ID type appears in a JSON response as a String; however, it is not intended to be human-readable. When expected as an input type, any string (such as "4") or integer (such as 4) input value will be accepted as an ID.

String🔗

Description: The String scalar type represents textual data, represented as UTF-8 character sequences. The String type is most often used by GraphQL to represent free-form human-readable text.

Int🔗

Description: The Int scalar type represents non-fractional signed whole numeric values. Int can represent values between -(2^31) and 2^31 - 1.

Mutation🔗

Fields🔗

Field Type Description Arguments
indicator ThreatIndicator id: String
threatDeleteDocument Boolean Deletes the document with the given id from the configured index. id: String

Boolean🔗

Description: The Boolean scalar type represents true or false.

ThreatFilter🔗

Fields🔗

Field Type Description Arguments
where ThreatWhereInput The where clause to filter by.

ThreatPageInput🔗

Fields🔗

Field Type Description Arguments
offset Int Index of first element to return.
limit Int Number of elements to return.

ThreatWhereInput🔗

Fields🔗

Field Type Description Arguments
and ThreatWhereInput
or ThreatWhereInput
not ThreatWhereInput
threatGroup String
threatGroup_contains String
malware String
malware_contains String
tips String
tips_contains String
ta String
ta_contains String
ca String
ca_contains String
country String
country_contains String
cve String
cve_contains String
vid String
vid_contains String

ThreatIntelligence🔗

Fields🔗

Field Type Description Arguments
intel ThreatObjectIntelligence
facets Facet
total_results Int
threatObjectType ThreatFacetObject

ThreatObjectIntelligence🔗

Fields🔗

Field Type Description Arguments
malwares ThreatMalware
groups ThreatGroup
reports ThreatReport

Facet🔗

Description: Describes a facet which can be used to filter Threat Intel.

Fields🔗

Field Type Description Arguments
label String The name of the facet.
facet String The value of the facet.
searchOnly Boolean true if the facet is a search only facet.

ThreatFacetObject🔗

Description: Represents the different threat object types supported by the API.

FacetInfo🔗

Description: Describes the facet info.

Fields🔗

Field Type Description Arguments
facet String The name of the facet.
fields FacetFieldInfo The fields for the facet.

FacetFieldInfo🔗

Description: Describes the details for a given facet.

Fields🔗

Field Type Description Arguments
field String The field of the facet.
count Int The count of the field.

ThreatParentType🔗

Description: Describes the indicator type as a generic.

ThreatIndicatorClass🔗

Description: Describes the specific class of the indicator.

ThreatPatternType🔗

Description: ThreatPatternType is a non-exhaustive, open vocabulary that covers common pattern languages and is intended to characterize the pattern language that the indicator pattern is expressed in.

ThreatIdentityClass🔗

Description: ThreatIdentityClass describes the type of entity that the Identity represents: whether it describes an organization, group, individual, or class.

ThreatIndustrySectors🔗

Description: Describes industrial and commercial sectors.

ThreatIndicatorType🔗

Description: ThreatIndicatorType is an open vocabulary used to categorize Indicators. It is intended to be high-level to promote consistent practices. Indicator types should not be used to capture information that can be better captured from related Malware or Attack Pattern objects.

Note

It is better to link an Indicator to a Malware object.

ThreatRelationshipType🔗

Description: Declares the relationship types that are possible.

ThreatMalwareType🔗

Description: Defines the types of malware.

ThreatCapabilities🔗

Description: Defines the capabilities of a threat.

Important

For future use. Not currently implemented.

ThreatArchitectureExecutionEnvs🔗

Description: ThreatArchitectureExecutionEnvs

Important

For future use. Not currently implemented.

ThreatImplementationLanguages🔗

Description: ThreatImplementationLanguages

Important

For future use. Not currently implemented.

ThreatObjectType🔗

Description: Defines the type of object.

PageInfo🔗

Fields🔗

Field Type Description Arguments
endCursor String
hasNextPage Boolean
startCursor String
hasPreviousPage Boolean

ThreatKillChainPhase🔗

Description: ThreatKillChainPhase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.

Fields🔗

Field Type Description Arguments
kill_chain_name String
phase_name String

ThreatHashes🔗

Description: Represents a set of hashes for threat objects.

Fields🔗

Field Type Description Arguments
MD5 String
SHA256 String

ThreatDNSInfo🔗

Description: Contains relevant DNS information when it is available.

Fields🔗

Field Type Description Arguments
Domain String
Hostname String
Subdomain String
Tld String

ThreatURLInfo🔗

Description: Contains the parsed components of a URL when it is available.

Fields🔗

Field Type Description Arguments
Query String
Scheme String
Port String
Path String
RequestURI String

ThreatVid🔗

Fields🔗

Field Type Description Arguments
ID String
Name String
Swids ThreatSwid
ThreatAnalyses ThreatAnalysis
ThreatGroups ThreatGroup

ThreatTip🔗

Description: Represents a CTU TIPS report.

Fields🔗

Field Type Description Arguments
ID String
Name String
Active Boolean
Content String
CreatedAt Time
UpdatedAt Time
Reference String

ThreatSwid🔗

Description: ThreatSwid represents an internal SWID structure.

Important

For future use. Not currently implemented.

Fields🔗

Field Type Description Arguments
Id String
type ThreatObjectType
Author String
CreatedAt Time
EngineGroupName String
FileName String
Priority Int
PriorityValue String
Revision Int
Swid Int
SwidName String
Text String

ThreatSwidInput🔗

Fields🔗

Field Type Description Arguments
Id String
Author String
CreatedAt Time
EngineGroupName String
FileName String
Priority Int
PriorityValue String
Revision Int
Swid Int
SwidName String
Text String

ThreatGroupInput🔗

Fields🔗

Field Type Description Arguments
name String
Objectives String
Aliases String
Tools String
Motivation String
IntendedEffect String
TargetSectors String
Description String
ActiveSince Time
LastKnownActivity Time
tags String

ThreatGroup🔗

Description: Represents a threat group.

Fields🔗

Field Type Description Arguments
type ThreatObjectType
spec_version String
id String
sharing_id String
name String
Objectives String
Aliases String
Tools String
Motivation String
IntendedEffect String
TargetSectors String
Description String
ActiveSince Time
LastKnownActivity Time
tags String
groupTag String
malwareTag String
vidTag String
reportTag String
countryTag String
cveTag String

Country🔗

Fields🔗

Field Type Description Arguments
id String
type ThreatObjectType
country_name String
country_code String
geopoint Float
region String
country_name_official String
country_name_alternatives String
country_code_alpha3 String
country_code_numeric3 String
capitals String
subregion String

Float🔗

Description: The Float scalar type represents signed double-precision fractional values as specified by IEEE 754.

CVE🔗

Fields🔗

Field Type Description Arguments
id String
type ThreatObjectType
cve_number String

XdrEventFilter🔗

Fields🔗

Field Type Description Arguments
id String
type ThreatObjectType
label String
name String
description String
id_string String
event_type String
visibility String
result_visibility String
severity_float Float
confidence_float Float
enabled Boolean
create_alert Boolean
tags String
related_attack String
endpoint_platforms String
references_list ReferenceList
event_filters EventFilter

EventFilter🔗

Fields🔗

Field Type Description Arguments
key_string String
pattern String
is_case_sensitive Boolean
is_inverted Boolean
test_should String
test_should_not String

ReferenceList🔗

Fields🔗

Field Type Description Arguments
description String
url String

AttackTactic🔗

Fields🔗

Field Type Description Arguments
id String
attack_tactic_id String
type ThreatObjectType
label String
name String
description String
author String
creation_date Time
modified_date Time
references String
related_attack String

AttackTechnique🔗

Fields🔗

Field Type Description Arguments
id String
attack_technique_id String
type ThreatObjectType
label String
name String
description String
author String
creation_date Time
modified_date Time
references String
related_attack String
related_capec String

RedCloakWatchList🔗

Fields🔗

Field Type Description Arguments
id String
type ThreatObjectType
label String
name String
description String
classification String
confidence_value String
created_by String
last_modified_by String
creation_time Time
criteria String
doc_type String
enabled Boolean
endpoint_platform String
countermeasure_visibility Int
resources String
tag String
domains String
allowed_domains String
day String

RedCloakInspectorRule🔗

Fields🔗

Field Type Description Arguments
id String
label String
type ThreatObjectType
name String
description String
rule_type String
rule String
threat_groups String
active Boolean
classification String
resources String
tags String

RedCloakYaraRule🔗

Fields🔗

Field Type Description Arguments
id String
label String
type ThreatObjectType
yara_id String
event_description String
author String
metadata String
metadata_ver String
strings String
condition String
threat_group String
rule_severity String
tlp String
mss String

TaegisYaraRule🔗

Fields🔗

Field Type Description Arguments
id String
label String
type ThreatObjectType
event_description String
author String
name String
classification String
yara_id String
attack_categories String
severity_float Float
confidence_float Float
active Boolean
creation_date Time
modified_date Time
taegis_alert_visibility String
taegis_create_alert Boolean
metadata_ver String

ThreatAnalysis🔗

Description: Represents a threat analysis report.

Fields🔗

Field Type Description Arguments
id String
Name String
Content String
CreatedAt Time
PublicationDate Time
TLP String
Reference String
ReportID String

ThreatIdentity🔗

Description: Commonly represents a source of threat data.

Fields🔗

Field Type Description Arguments
type ThreatObjectType
spec_version String
id String
sharing_id String
name String
description String
created Time
modified Time
roles String
identity_class ThreatIdentityClass
sectors ThreatIndustrySectors
contact_information String
natural_key String
download_URL String
internal Boolean
confidence Int
reason String
label String
tags String

ThreatIndicator🔗

Description: Represents an indicator of compromise.

Fields🔗

Field Type Description Arguments
type ThreatObjectType
spec_version String
id String
sharing_id String
name String
description String
created Time
modified Time
indicator_types ThreatIndicatorType
pattern String
pattern_type ThreatPatternType
pattern_version String
mitre_attack_categories String
valid_from Time
valid_until Time
kill_chain_phases ThreatKillChainPhase
score Int
original_indicator String
indicator_class ThreatIndicatorClass
ipv4 String
label String
dns ThreatDNSInfo
whois ThreatWhois
url_info ThreatURLInfo
tags String
location ThreatLocation
noResults Boolean

ThreatLocation🔗

Description: ThreatLocation provides geolocation longitude and latitude coordinates as an indicator. Provided when available.

Fields🔗

Field Type Description Arguments
Longitude Float
Latitude Float

ThreatRelationshipInput🔗

Fields🔗

Field Type Description Arguments
type ThreatObjectType
source_sharing_id String
target_sharing_id String
description String
src_desc String
tgt_desc String
mitre_attack_categories String
relationship_type ThreatRelationshipType
source_ref String
target_ref String
confidence Int
indicator_class ThreatIndicatorClass
tags String
source_internal Boolean
reference String
start_time Time
stop_time Time

PagedMalwareFiles🔗

Fields🔗

Field Type Description Arguments
files TimsMalwareFile
last_created String The 'created' time of the last TimsMalwareFile on this page. Include this in the next query.
has_more Boolean There are remaining TimsMalwareFiles that will be returned in subsequent queries.

TimsMalwareFile🔗

Description: File hash retrieved from TIMS Malware.

Fields🔗

Field Type Description Arguments
file_hash String
information_source String
threat_description String
confidence Int
source_internal Boolean

ThreatRelationship🔗

Description: Represents the relationship between objects in the system.

Fields🔗

Field Type Description Arguments
type ThreatObjectType
spec_version String
id String
sharing_id String
source_sharing_id String
target_sharing_id String
created Time
modified Time
description String
src_desc String
tgt_desc String
mitre_attack_categories String
relationship_type ThreatRelationshipType
source_ref String
target_ref String
confidence Int
indicator_class ThreatIndicatorClass
label String
tags String
start_time Time
stop_time Time
source_internal Boolean
reference String

ThreatMalware🔗

Description: Provides available information about malware.

Fields🔗

Field Type Description Arguments
type ThreatObjectType
spec_version String
id String
sharing_id String
name String
description String
created Time
modified Time
malware_types ThreatMalwareType
family String
aliases String
kill_chain_phases ThreatKillChainPhase
first_seen Time
last_seen Time
operating_system_refs String
architecture_execution_envs ThreatArchitectureExecutionEnvs
implementation_languages ThreatImplementationLanguages
capabilities ThreatCapabilities
sample_refs String
label String
tags String
public_summary String
solution String
technical_details String
groupTag String
malwareTag String
vidTag String
reportTag String
countryTag String
cveTag String

ThreatTags🔗

Fields🔗

Field Type Description Arguments
groupTag String
malwareTag String
vidTag String
reportTag String
countryTag String
cveTag String

ThreatWhois🔗

Description: Provides any available whois information about an indicator.

Fields🔗

Field Type Description Arguments
DomainName String
RegistrarName String
ContactEmail String
WhoisServer String
NameServers String
CreatedDate String
UpdatedDate String
ExpiresDate String
StandardRegCreatedDate String
StandardRegUpdatedDate String
StandardRegExpiresDate String
Status String
AuditAuditUpdatedDate String
RegistrantEmail String
RegistrantName String
RegistrantOrganization String
RegistrantStreet1 String
RegistrantCity String
RegistrantState String
RegistrantPostalCode String
RegistrantCountry String
RegistrantFax String
RegistrantTelephone String
AdministrativeContactEmail String
AdministrativeContactName String
AdministrativeContactOrganization String
AdministrativeContactStreet1 String
AdministrativeContactCity String
AdministrativeContactState String
AdministrativeContactPostalCode String
AdministrativeContactCountry String
AdministrativeContactFax String
AdministrativeContactTelephone String

ThreatHashesInput🔗

Fields🔗

Field Type Description Arguments
MD5 String
SHA256 String

ThreatIdentityInput🔗

Fields🔗

Field Type Description Arguments
name String
description String
roles String
identity_class ThreatIdentityClass
sectors ThreatIndustrySectors
contact_information String
natural_key String
download_URL String
internal Boolean
confidence Int
reason String

ThreatIndicatorInput🔗

Fields🔗

Field Type Description Arguments
name String
description String
indicator_types ThreatIndicatorType
pattern String
pattern_type ThreatPatternType
pattern_version String
valid_from Time
valid_until Time
kill_chain_phases ThreatKillChainPhaseInput
score Int

ThreatKillChainPhaseInput🔗

Fields🔗

Field Type Description Arguments
kill_chain_name String
phase_name String

ThreatResult🔗

Time🔗

Node🔗

Fields🔗

Field Type Description Arguments
id ID

ThreatAdvisory🔗

Description: Represents a CTU threat advisory report.

Fields🔗

Field Type Description Arguments
id ID
Name String
Content String
CreatedAt Time
PublicationDate Time
TLP String
Reference String
ReportID String

ThreatPublication🔗

Description: Represents a publication about a threat.

Fields🔗

Field Type Description Arguments
id ID
Type String
Name String
Description String
Published Time
Content String
TLP String
VID String
ReportID String
Reference String
Category String
Language String

ThreatReportInput🔗

Fields🔗

Field Type Description Arguments
id ID
name String
description String
created Time
modified Time
published Time
object_refs String
content String
tags String

ThreatReport🔗

Fields🔗

Field Type Description Arguments
type ThreatObjectType
spec_version String
id ID
name String
description String
created Time
modified Time
published Time
object_refs String
content String
sharing_id String
tags String
groupTag String
malwareTag String
vidTag String
reportTag String
countryTag String
cveTag String

ThreatIndicatorIntelligence🔗

Fields🔗

Field Type Description Arguments
indicator ThreatIndicator
identities ThreatIdentityRelationship
reports ThreatReportRelationship
malware ThreatMalwareRelationship
groups ThreatGroupRelationship

ThreatVidIntelligence🔗

Fields🔗

Field Type Description Arguments
vid String
reports ThreatReportRelationship
malware ThreatMalwareRelationship
groups ThreatGroupRelationship

ThreatMalwareIntelligence🔗

Fields🔗

Field Type Description Arguments
malware ThreatMalware
groups ThreatGroup
reports ThreatReport

ThreatIdentityRelationship🔗

Fields🔗

Field Type Description Arguments
identity ThreatIdentity
relationship ThreatRelationship

ThreatReportRelationship🔗

Fields🔗

Field Type Description Arguments
report ThreatReport
relationship ThreatRelationship

ThreatMalwareRelationship🔗

Fields🔗

Field Type Description Arguments
malware ThreatMalware
relationship ThreatRelationship

ThreatGroupRelationship🔗

Fields🔗

Field Type Description Arguments
group ThreatGroup
relationship ThreatRelationship