openapi: 3.0.1 info: title: IBM X-Force Threat Intelligence API Documentation description: "

Introduction

 The IBM X-Force Threat Intelligence API allows users to automate the consumption of threat intelligence from IBM X-Force Exchange, the cloud-based threat intelligence sharing platform from IBM. The offering provides access to IP and URL by category feeds, IP and URL reports, and vulnerability feeds, as well as all TAXII feeds. To access the endpoints and content below, you will need to have an active subscription to one of the following tiers:

IBM X-Force Threat Intelligence Essentials provides a foundation capability for threat detection and investigation which include enrichment for IP, URL, malware, malicious domains and early warning insights.

IBM X-Force Threat Intelligence Standard enables customers to operationalize threat intelligence for real time threat detection, prevention, and investigation. These include access to our curated, high-fidelity protection and indicator feeds which are delivered via STIX and TAXII for use within security operations for compatible applications and appliances.

IBM X-Force Threat Intelligence Premium enables proactive threat management with detailed insights into threat group, campaigns, industry, and malware insights. This is delivered via our API enabling automation workflows in security operations facilitating decisive action through detection, triage and response to security threats.

IBM X-Force Threat Intelligence offerings are charged on Active Users consuming the service and chosen subscription tier. An Active User is any user who accesses the Cloud Services in any manner directly or indirectly (for example, through a multiplexing program, device, or application server) through any means.

You can try out the API calls within this page by clicking the `Try it out!` button in each API endpoint section below, you will need to input an API Key and password in the fields at the top of this page.


Jump to API Endpoint Section here



Getting Started

 Usage requires the purchase of premium subscription by contacting your IBM sales representative. Alternatively, you can contact us through the X-Force Threat Intelligence [page.](https://www.ibm.com/products/xforce-exchange/editions)

1. Navigate to the X-Force Threat Intelligence SaaS offerings [page on the IBM website](https://www.ibm.com/products/xforce-exchange/editions)

2. After purchasing the premium subscription, login to [X-Force Exchange](https://exchange.xforce.ibmcloud.com/) and follow the steps below to generate a new API Key and Password:

     1. View your _Profile_ summary by clicking the User icon in the top right hand corner of the X-Force Exchange Home Page.

     ![User Profile](images/user-profile.png)

    2. Click the _Settings_ link in the lower left corner to view the Settings Page, then click the _API Access_ link in the settings page to view the [API details page](https://exchange.xforce.ibmcloud.com/settings/api).

     ![User Settings](images/user-settings.png)

     3. Click the _Generate_ button to create a new API Key and Password.

     ![API Generation](images/user-settings-api-gen.png)

     4. Once you generate your password, makes sure to save it, as it is only shown when the key/password is generated. When you revisit your profile again, only the key is shown.

     5. API keys and passwords do not expire. If you forget your password, you can generate a new API key/password pair.

     6. Please do not share your API key, it is specific to your ID.

     7. Our API only allow HTTPS connections that support TLS protocol version 1.2 or newer. All other connections will be rejected.


Error Handling

 The X-Force Threat Intelligence API uses conventional HTTP response codes to indicate success or failure of an API request. In general, codes in the 2xx range indicate success, codes in the 4xx range indicate an error that resulted from the provided information, and codes in the 5xx range indicate an error with our servers.

A 402 response is returned for users who have exceeded their monthly quota of records returned.


Terms of Use

 Your use of the IBM X-Force Threat Intelligence is governed by the IBM Cloud Services Agreement and the accompanying Service Description. You can find a copy of the Cloud Services Agreement by visiting [https://www.ibm.com/terms/](https://www.ibm.com/terms/), and selecting your region, then your country, then the IBM Cloud Services Agreement link. You can find a copy of the Services Description by clicking on Service Description. By using these services you agree to the terms of the IBM Cloud Services Agreement and Service Description. If you do not agree with these terms, do not use the IBM X-Force Threat Intelligence API.


Abuse

 IBM reserves the right to disable any account deemed abusing our system. Abuse-related activity includes, but is not limited to sharing accounts, bulk registrations, abuse of API calls, suspicious/malicious query parameters and accessing restricted resources. Additionally, users are expected to follow our limiting practices as outlined in the HTTP responses.

To avoid limiting errors, no more than 3,000 requests should be made in a one minute period to the IBM X-Force Threat Intelligence API.


RSS Feed

X-Force Premium Threat Intelligence is purposefully built from industry experts from a wide range of backgrounds, including former government intelligence analysts, SOC analysts and private industry consultants. The team's founding principles include strict analytics rigor, correct analysis, and reproducible assessments.

You can consume the X-Force RSS (Really Simple Syndication) feeds below to get the latest news from our researchers delivered directly to your desktop via an RSS reader or news aggregator.

[RSS Threat Intelligence Reports](https://exchange.xforce.ibmcloud.com/rss/all) - A feed of recently published threat intelligence reports.

[RSS Threat Analysis Report](https://exchange.xforce.ibmcloud.com/rss/tar) - A feed of recently published threat analysis reports.

[RSS Malware Report](https://exchange.xforce.ibmcloud.com/rss/mal) - A feed of recently published malware analysis reports.

[RSS Osint Advisory Report](https://exchange.xforce.ibmcloud.com/rss/osint) - A feed of recently published osint advisory reports.

You can opt-in to receive updates via our email subscription service by managing your email notification preferences - [Manage Settings](https://exchange.xforce.ibmcloud.com/settings/notifications), or follow the X-Force [Twitter account](https://twitter.com/xforce) to learn more on latest threats.


Ideas Portal

 Submit your ideas for new API capabilities by clicking on the [Feedback](https://ideas.ibm.com/) link in the navigation menu, selecting “X-Force Threat Intelligence” as the product topic. The link takes you to the IBM RFE (Request for Enhancement) tool. You can also vote on already submitted ideas there to improve our API.


Contact Details

 Created by X-Force API Support " contact: email: xfe@us.ibm.com servers: - url: /api tags: - name: X-Force Threat Intelligence - Collections description: |- Provides a way to share and collaborate on existing and emerging security threats. more info - name: X-Force Threat Intelligence - DNS description: |- Retrieves DNS information for domain names, URLs and IP addresses. more info - name: X-Force Threat Intelligence - Early Warning description: |- Provides deep dive on a domain, Whois info, creation date, and spam / phishing / malware ties. - name: X-Force Threat Intelligence - Internet Application Profile description: |- Returns information on IAPs for services such as Facebook, NFL.com and Instagram, among the reputable. more info - name: X-Force Threat Intelligence - IP Reputation description: |- Retrieves IP address, geolocation, risk ratings and content categorization for IP addresses and subnets. more info - name: X-Force Threat Intelligence - Malware description: |- Retrieves details on malware identified by name, family or file hash. more info - name: X-Force Threat Intelligence - Signatures description: |- Performs full-text search of the signature definitions, retrieve signature details, and more. - name: X-Force Threat Intelligence - STIX export description: Exports some objects in the STIX format. - name: X-Force Threat Intelligence - Tags description: Provides a way to connect collections and reports with buzzwords. - name: X-Force Threat Intelligence - TAXII description: |- TAXII supports STIX-formatted content, and can also transport information securely in a wide variety of formats. more info - name: X-Force Threat Intelligence - TAXII2 description: |- Exchanges cyber threat intelligence (CTI) over HTTPS, with additional flexibility in TAXII 2.0 more info - name: X-Force Threat Intelligence - URL description: |- Retrieves URL risk ratings, content categories and malware information, complementing the IP address and domain queries. more info - name: X-Force Threat Intelligence - Vulnerabilities description: |- Provides details on a vulnerability and links to relevant online documents and CVSS scoring with component breakdown. more info - name: X-Force Threat Intelligence - WHOIS description: |- Returns the WHOIS information for an IP, URL or domain. - name: X-Force Threat Intelligence - App Exchange description: |- Returns information on all the extensions or apps in IBM App Exchange. - name: X-Force Threat Intelligence - Authentication description: |- Copy and paste API key and password in the header fields above to try out all the endpoints interactively here. more info - name: X-Force Threat Intelligence - Usage description: |- Requests the number of records returned using these subscriptions. more info - name: X-Force Threat Intelligence - User description: |- Returns information about the user’s profile - name: X-Force Threat Intelligence - Version Information description: |- Returns information on the current running API version - name: X-Force Threat Intelligence - Protection Feed (Standard Tier) description: |- Provides access to the latest threat specific and actionable indicators, including Early Warning data. more info - name: X-Force Threat Intelligence - Protection Feed TAXII (Standard Tier) description: |- Offers secure transportation and interchange of threat intelligence information. more info - name: X-Force Threat Intelligence - Protection Feed TAXII2 (Standard Tier) description: |- Provides access to the latest threat specific and actionable indicators via TAXII 2.0 more info - name: X-Force Threat Intelligence - Premier Threat Intelligence Reports (Premium Tier) description: |- Retrieves Threat Intelligence Reports based on selected report type more info - name: X-Force Premier Threat Intelligence - Industries (Premium Tier) description: |- Retrieves an industry-based view of the threat landscape. more info - name: X-Force Premier Threat Intelligence - Malware Analysis (Premium Tier) description: |- Provides an in-depth description of how the malware functions, indicators of compromise, payloads, mutexes, and processes. more info - name: X-Force Premier Threat Intelligence - Threat Analysis (Premium Tier) description: |- Retrieves details of new and existing Threat Analysis reports. more info - name: X-Force Premier Threat Intelligence - OSINT Advisory (Premium Tier) description: |- Retrieves details of new and existing OSINT Advisory reports. more info - name: X-Force Premier Threat Intelligence - Threat Groups (Premium Tier) description: |- Profiles latest information about cyber threat groups tracked within IBM as an IBM X-Force Tracked Group (ITG). more info paths: /xfti: post: tags: - X-Force Threat Intelligence - Protection Feed TAXII (Standard Tier) summary: | Read TAXII Data description: |- Trusted Automated eXchange of Indicator Information version 1.1 This is the endpoint for TAXII services for X-Force Threat Intelligence - Protection Feed. TAXII message must be transmitted via this endpoint over HTTPS. Note: Depending on size, the response body for this API may have be trimmed for demo purposes. To see all records for this API please make a CURL request. #### Example: Send a HTTP POST request with a payload of the TAXII body to `https://api.xforce.ibmcloud.com/xfti` Available TAXII services are listed as follows:
TAXII Message Type Data Collection Description

Discovery Request

This message can be used to query all available TAXII services which XFE supports.

Collection Information Request

This message can be used to query all available TAXII data collections you have access.

Poll Request

xfti.c2server.ipv4

This TAXII data collection can be polled for IPv4s related to Botnet Command and Control Server.

xfti.c2server.ipv6

This TAXII data collection can be polled for IPv6s related to Botnet Command and Control Server.

xfti.c2server.url

This TAXII data collection can be polled for URLs related to Botnet Command and Control Server.

xfti.bots.ipv4

This TAXII data collection can be polled for IPv4s related to Bots.

xfti.bots.ipv6

This TAXII data collection can be polled for IPv6s related to Bots.

xfti.phishing.url

This TAXII data collection can be polled for URLs related to Phishing URLs.

xfti.anonsvcs.ipv4

This TAXII data collection can be polled for IPv4s related to Anonymization Services.

xfti.anonsvcs.ipv6

This TAXII data collection can be polled for IPv6s related to Anonymization Services.

xfti.anonsvcs.url

This TAXII data collection can be polled for URLs related to Anonymization Services.

xfti.cryptomining.ipv4

This TAXII data collection can be polled for IPv4s related to Cryptocurrency Mining.

xfti.cryptomining.ipv6

This TAXII data collection can be polled for IPv6s related to Cryptocurrency Mining.

xfti.cryptomining.url

This TAXII data collection can be polled for URLs related to Cryptocurrency Mining.

xfti.scanning.ipv4

This TAXII data collection can be polled for IPv4s related to Scanning IPs.

xfti.scanning.ipv6

This TAXII data collection can be polled for IPv6s related to Scanning IPs.

xfti.ew.url

This TAXII data collection can be polled for URLs related to Early Warning.

xfti.mw.ipv4

This TAXII data collection can be polled for IPv4s related to Malware.

xfti.mw.ipv6

This TAXII data collection can be polled for IPv6s related to Malware.

xfti.mw.url

This TAXII data collection can be polled for URLs related to Malware.

xfti.topact.url.10k

This TAXII data collection can be polled for the top hundred thousand URLs rated by activity as known by X-Force Exchange.

xfti.benign.ipv4

This TAXII data collection can be polled for IPv4s related to Benign Category.

xfti.benign.ipv6

This TAXII data collection can be polled for IPv6s related to Benign Category.

xfti.benign.url

This TAXII data collection can be polled for URLs related to Benign Category.
For more information about TAXII, refer to https://taxii.mitre.org/. requestBody: required: true content: application/xml: schema: type: object $ref: '#/components/schemas/xfti_requests' examples: Discovery_Request: value: Collection_Information_Request: value: xfti_c2server_ipv4: value: xfti_c2server_ipv6: value: xfti_c2server_url: value: xfti_bots_ipv4: value: xfti_bots_ipv6: value: xfti_phishing_url: value: xfti_anonsvcs_ipv4: value: xfti_anonsvcs_ipv6: value: xfti_anonsvcs_url: value: xfti_cryptomining_ipv4: value: xfti_cryptomining_ipv6: value: xfti_cryptomining_url: value: xfti_scanning_ipv4: value: xfti_scanning_ipv6: value: xfti_ew_url: value: xfti_mw_ipv4: value: xfti_mw_ipv6: value: xfti_mw_url: value: xfti_topact_url_10k: value: xfti_benign_ipv4: value: xfti_benign_ipv6: value: xfti_benign_url: value: responses: 200: description: TAXII Response operationId: xfti.post /xfti/taxii2: get: tags: - X-Force Threat Intelligence - Protection Feed TAXII2 (Standard Tier) summary: Get API Root Information description: | This is the TAXII 2 root information endpoint. You can specify your response type with the "Accept" header: - TAXII 2.0: `Accept: application/vnd.oasis.taxii+json; version=2.0` or `Accept: application/vnd.oasis.taxii+json` - TAXII 2.1: `Accept: application/vnd.oasis.taxii+json; version=2.1`
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/api/xfti/taxii2` ```json { "title": "IBM X-Force Exchange - X-Force Threat Intelligence - Protection Feed TAXII 2 API Root", "description": "TAXII 2 service for X-Force Exchange X-Force Threat Intelligence - Protection Feed users", "versions": [ "taxii-2.0", "taxii-2.1" ], "max_content_length": 10000000 } ```
parameters: - name: User-Agent in: header description: 'User-Agent is recommended to pass in request header for TAXII 2.1, its not mandatory. The User-Agent header is used by HTTP to identify the TAXII Client software name and version.' required: false schema: type: string responses: 200: description: Successful response content: application/vnd.oasis.taxii+json; version=2.0: schema: $ref: '#/components/schemas/Taxii_api_success' application/vnd.oasis.taxii+json; version=2.1: schema: $ref: '#/components/schemas/Taxii_api_success' 401: description: Unauthorized content: application/vnd.oasis.taxii+json; version=2.0: schema: $ref: '#/components/schemas/Taxii_api_error' /xfti/taxii2/collections: get: tags: - X-Force Threat Intelligence - Protection Feed TAXII2 (Standard Tier) summary: Get Collections description: | This is the TAXII 2 getCollections endpoint. You can specify your response type with the "Accept" header: - TAXII 2.0: `Accept: application/vnd.oasis.taxii+json; version=2.0` or `Accept: application/vnd.oasis.taxii+json` - TAXII 2.1: `Accept: application/vnd.oasis.taxii+json; version=2.1`
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/api/xfti/taxii2/collections` ```json { "collections": [ { "id": "c2server_ipv4", "title": "Botnet CnC Servers - IPv4", "description": "Returns a list of IPv4 addresses that are categorized as botnet command and control servers.", "can_read": true, "can_write": false, "media_types": [ "application/vnd.oasis.stix+json; version=2.0", "application/vnd.oasis.stix+json; version=2.1" ] }, { "id": "c2server_ipv6", "title": "Botnet CnC Servers - IPv6", "description": "Returns a list of IPv6 addresses that are categorized as botnet command and control servers.", "can_read": true, "can_write": false, "media_types": [ "application/vnd.oasis.stix+json; version=2.0", "application/vnd.oasis.stix+json; version=2.1" ] } ] } ```
parameters: - name: User-Agent in: header description: 'User-Agent is recommended to pass in request header for TAXII 2.1, its not mandatory. The User-Agent header is used by HTTP to identify the TAXII Client software name and version.' required: false schema: type: string responses: 200: description: Successful response content: application/vnd.oasis.taxii+json; version=2.0: schema: $ref: '#/components/schemas/Taxii_collections_success' application/vnd.oasis.taxii+json; version=2.1: schema: $ref: '#/components/schemas/Taxii_collections_success' /xfti/taxii2/collections/{collectionID}: get: tags: - X-Force Threat Intelligence - Protection Feed TAXII2 (Standard Tier) summary: Collection metadata description: | This is the TAXII 2 endpoint to get collection metadata. You can specify your response type with the "Accept" header: - TAXII 2.0: `Accept: application/vnd.oasis.taxii+json; version=2.0` or `Accept: application/vnd.oasis.taxii+json` - TAXII 2.1: `Accept: application/vnd.oasis.taxii+json; version=2.1`
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/api/xfti/taxii2/collections/c2server_ipv4` ```json { "id": "c2server_ipv4", "title": "Botnet CnC Servers - IPv4", "description": "Returns a list of IPv4 addresses that are categorized as botnet command and control servers.", "can_read": true, "can_write": false, "media_types": [ "application/vnd.oasis.stix+json; version=2.0", "application/vnd.oasis.stix+json; version=2.1" ] } ```
parameters: - name: collectionID in: path description: |- ID Of the Collection to get required: true schema: type: string - name: User-Agent in: header description: 'User-Agent is recommended to pass in request header for TAXII 2.1, its not mandatory. The User-Agent header is used by HTTP to identify the TAXII Client software name and version.' required: false schema: type: string responses: 200: description: Successful response content: application/vnd.oasis.taxii+json; version=2.0: schema: $ref: '#/components/schemas/Taxii_collections_success' application/vnd.oasis.taxii+json; version=2.1: schema: $ref: '#/components/schemas/Taxii_collections_success' /xfti/taxii2/collections/{collectionID}/objects: get: tags: - X-Force Threat Intelligence - Protection Feed TAXII2 (Standard Tier) summary: Collection objects description: | This is the TAXII 2 endpoint to get collection content objects in STIX 2.x format. You can specify your response type with the "Accept" header: - STIX 2.0: `Accept: application/vnd.oasis.stix+json; version=2.0` or `Accept: application/vnd.oasis.stix+json` - STIX 2.1: `Accept: application/vnd.oasis.stix+json; version=2.1`
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/api/xfti/taxii2/collections/c2server_ipv6/objects` ```json { "spec_version": "2.0", "id": "bundle--0000000010", "type": "bundle", "x_ibm_copyright": "© Copyright IBM Corp. 2019, All Rights Reserved", "x_ibm_part_no": "D01VKZX", "x_ibm_feedcategory": "Botnet Command and Control Server", "x_ibm_feedtype": "IPv6", "x_ibm_version": "0000000010", "x_ibm_creationdate": "2019-08-27T13:10:29.51Z", "x_ibm_indicatorcount": "2", "objects": [ { "id": "indicator-ccbdc20c-5c87-44f5-6378-5457ce14e1db", "type": "indicator", "labels": [ "malicious-activity" ], "pattern": "[ipv6-addr:value = '2001:db8:1234::8']", "valid_from": "2019-08-27T13:10:29.51Z" }, { "id": "indicator-2ea2d559-ef70-14b4-84c7-cde592e07be3", "type": "indicator", "labels": [ "malicious-activity" ], "pattern": "[ipv6-addr:value = '2400:cb00:2048:1::681c:1510']", "valid_from": "2019-08-27T13:10:29.51Z" } ] } ```
parameters: - name: collectionID in: path description: |- ID Of the Collection to get required: true schema: type: string - name: User-Agent in: header description: 'User-Agent is recommended to pass in request header for TAXII 2.1, its not mandatory. The User-Agent header is used by HTTP to identify the TAXII Client software name and version.' required: false schema: type: string responses: 200: description: Successful response content: application/vnd.oasis.stix+json; version=2.0: schema: $ref: '#/components/schemas/Taxii_collections_2.0' application/vnd.oasis.stix+json; version=2.1: schema: $ref: '#/components/schemas/Taxii_collections_2.1' /xfti/anonsvcs/ipv4: get: tags: - X-Force Threat Intelligence - Protection Feed (Standard Tier) summary: | Anonymization Services - IPv4 description: |- Returns a list of IPv4 addresses that are categorized as anonymization services. You can specify your response type with the "Accept" header: - plain text: `Accept: text/plain` - comma-separated values: `Accept: text/csv` - JSON (default): `Accept: application/json`
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/xfti/anonsvcs/ipv4` ```json { "FeedCategory": "Anonymization Services", "FeedType": "IPv4", "Version": "0000000010", "CreationDate": "2019-08-20T07:26:00.000Z", "IndicatorCount: "2", "data": ["127.0.0.1", "..."] } ```
responses: 200: description: successful operation content: application/json: schema: type: array items: $ref: '#/components/schemas/Xfti' /xfti/anonsvcs/ipv6: get: tags: - X-Force Threat Intelligence - Protection Feed (Standard Tier) summary: | Anonymization Services - IPv6 description: |- Returns a list of IPv6 addresses that are categorized as anonymization services. You can specify your response type with the "Accept" header: - plain text: `Accept: text/plain` - comma-separated values: `Accept: text/csv` - JSON (default): `Accept: application/json`
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/xfti/anonsvcs/ipv6` ```json { "FeedCategory": "Anonymization Services", "FeedType": "IPv6", "Version": "0000000010", "CreationDate": "2019-08-20T07:26:00.000Z", "IndicatorCount: "2", "data": ["2a03:2880:f11c:8183:abcd:b00c:0000:26de", "..."] } ```
responses: 200: description: successful operation content: application/json: schema: type: array items: $ref: '#/components/schemas/Xfti' /xfti/anonsvcs/url: get: tags: - X-Force Threat Intelligence - Protection Feed (Standard Tier) summary: Anonymization Services - URL description: |- Returns a list of URL addresses that are categorized as anonymization service. You can specify your response type with the "Accept" header: - plain text: `Accept: text/plain` - comma-separated values: `Accept: text/csv` - JSON (default): `Accept: application/json`
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/xfti/anonsvcs/url` ```json { "FeedCategory": "Anonymization Services", "FeedType": "URL", "Version": "0000000010", "CreationDate": "2019-08-20T07:26:00.000Z", "IndicatorCount: "2", "data": ["example.com", "..."] } ```
responses: 200: description: successful operation content: application/json: schema: type: array items: $ref: '#/components/schemas/Xfti' /xfti/c2server/ipv4: get: tags: - X-Force Threat Intelligence - Protection Feed (Standard Tier) summary: Botnet CnC Servers - IPv4 description: |- Returns a list of IPv4 addresses that are categorized as botnet command and control servers. You can specify your response type with the "Accept" header: - plain text: `Accept: text/plain` - comma-separated values: `Accept: text/csv` - JSON (default): `Accept: application/json`
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/xfti/c2server/ipv4` ```json { "FeedCategory": "Botnet Command and Control Server", "FeedType": "IPv4", "Version": "0000000010", "CreationDate": "2019-08-20T07:26:00.000Z", "IndicatorCount: "2", "data": ["127.0.0.1", "..."] } ```
responses: 200: description: successful operation content: application/json: schema: type: array items: $ref: '#/components/schemas/Xfti' /xfti/c2server/ipv6: get: tags: - X-Force Threat Intelligence - Protection Feed (Standard Tier) summary: Botnet CnC Servers - IPv6 description: |- Returns a list of IPv6 addresses that are categorized as botnet command and control servers. You can specify your response type with the "Accept" header: - plain text: `Accept: text/plain` - comma-separated values: `Accept: text/csv` - JSON (default): `Accept: application/json`
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/xfti/c2server/ipv6` ```json { "FeedCategory": "Botnet Command and Control Server", "FeedType": "IPv6", "Version": "0000000010", "CreationDate": "2019-08-20T07:26:00.000Z", "IndicatorCount: "2", "data": ["2a03:2880:f11c:8183:abcd:b00c:0000:26de", "..."] } ```
responses: 200: description: successful operation content: application/json: schema: type: array items: $ref: '#/components/schemas/Xfti' /xfti/c2server/url: get: tags: - X-Force Threat Intelligence - Protection Feed (Standard Tier) summary: Botnet CnC Servers - URL description: |- Returns a list of URLs that are categorized as botnet command and control server urls. You can specify your response type with the "Accept" header: - plain text: `Accept: text/plain` - comma-separated values: `Accept: text/csv` - JSON (default): `Accept: application/json`
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/xfti/c2server/url` ```json { "FeedCategory": "Botnet Command and Control Server", "FeedType": "URL", "Version": "0000000010", "CreationDate": "2019-08-20T07:26:00.000Z", "IndicatorCount: "2", "data": ["2a03:2880:f11c:8183:abcd:b00c:0000:26de", "..."] } ```
responses: 200: description: successful operation content: application/json: schema: type: array items: $ref: '#/components/schemas/Xfti' /xfti/bots/ipv4: get: tags: - X-Force Threat Intelligence - Protection Feed (Standard Tier) summary: Bots - IPv4 description: |- Returns a list of IPv4 addresses that are categorized as bots. You can specify your response type with the "Accept" header: - plain text: `Accept: text/plain` - comma-separated values: `Accept: text/csv` - JSON (default): `Accept: application/json`
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/xfti/bots/ipv4` ```json { "FeedCategory": "Bots", "FeedType": "IPv4", "Version": "0000000010", "CreationDate": "2019-08-20T07:26:00.000Z", "IndicatorCount: "2", "data": ["127.0.0.1", "..."] } ```
responses: 200: description: successful operation content: application/json: schema: type: array items: $ref: '#/components/schemas/Xfti' /xfti/bots/ipv6: get: tags: - X-Force Threat Intelligence - Protection Feed (Standard Tier) summary: Bots - IPv6 description: |- Returns a list of IPv4 addresses that are categorized as bots. You can specify your response type with the "Accept" header: - plain text: `Accept: text/plain` - comma-separated values: `Accept: text/csv` - JSON (default): `Accept: application/json`
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/xfti/bots/ipv6` ```json { "FeedCategory": "Bots", "FeedType": "IPv6", "Version": "0000000010", "CreationDate": "2019-08-20T07:26:00.000Z", "IndicatorCount: "3", "data": ["2a03:2880:f11c:8183:abcd:b00c:0000:26de", "2a03:2880:f11c:8183:abcd:b00c:0000:27de", "..."] } ```
responses: 200: description: successful operation content: application/json: schema: type: array items: $ref: '#/components/schemas/Xfti' /xfti/cryptomining/ipv4: get: tags: - X-Force Threat Intelligence - Protection Feed (Standard Tier) summary: Cryptocurrency mining - IPv4 description: |- Returns a list of IPv4 addresses that are categorized as Cryptocurrency mining. You can specify your response type with the "Accept" header: - plain text: `Accept: text/plain` - comma-separated values: `Accept: text/csv` - JSON (default): `Accept: application/json`
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/xfti/cryptomining/ipv4` ```json { "FeedCategory": "Crypto-Currency Mining", "FeedType": "IPv4", "Version": "0000000010", "CreationDate": "2019-08-20T07:26:00.000Z", "IndicatorCount: "2", "data": ["127.0.0.1", "..."] } ```
responses: 200: description: successful operation content: application/json: schema: type: array items: $ref: '#/components/schemas/Xfti' /xfti/cryptomining/ipv6: get: tags: - X-Force Threat Intelligence - Protection Feed (Standard Tier) summary: Cryptocurrency mining - IPv6 description: |- Returns a list of IPv6 addresses that are categorized as Cryptocurrency mining hosts. You can specify your response type with the "Accept" header: - plain text: `Accept: text/plain` - comma-separated values: `Accept: text/csv` - JSON (default): `Accept: application/json`
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/xfti/cryptomining/ipv6` ```json { "FeedCategory": "Crypto-Currency Mining", "FeedType": "IPv6", "Version": "0000000010", "CreationDate": "2019-08-20T07:26:00.000Z", "IndicatorCount: "3", "data": ["2a03:2880:f11c:8183:abcd:b00c:0000:26de", "2a03:2880:f11c:8183:abcd:b00c:0000:27de", "..."] } ```
responses: 200: description: successful operation content: application/json: schema: type: array items: $ref: '#/components/schemas/Xfti' /xfti/cryptomining/url: get: tags: - X-Force Threat Intelligence - Protection Feed (Standard Tier) summary: Cryptocurrency mining - URL description: |- Returns a list of URLs that are categorized as Cryptocurrency mining. You can specify your response type with the "Accept" header: - plain text: `Accept: text/plain` - comma-separated values: `Accept: text/csv` - JSON (default): `Accept: application/json`
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/xfti/cryptomining/url` ```json { "FeedCategory": "Crypto-Currency Mining", "FeedType": "URL", "Version": "0000000010", "CreationDate": "2019-08-20T07:26:00.000Z", "IndicatorCount: "2", "data": ["example.com", "..."] } ```
responses: 200: description: successful operation content: application/json: schema: type: array items: $ref: '#/components/schemas/Xfti' /xfti/ew/url: get: tags: - X-Force Threat Intelligence - Protection Feed (Standard Tier) summary: Early Warning - URL description: |- Returns a list of URLs that are categorized as early warning. You can specify your response type with the "Accept" header: - plain text: `Accept: text/plain` - comma-separated values: `Accept: text/csv` - JSON (default): `Accept: application/json`
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/xfti/ew/url` ```json { "FeedCategory": "Early Warning", "FeedType": "URL", "Version": "0000000010", "CreationDate": "2019-08-20T07:26:00.000Z", "IndicatorCount: "2", "data": ["example.com", "..."] } ```
responses: 200: description: successful operation content: application/json: schema: type: array items: $ref: '#/components/schemas/Xfti' /xfti/mw/ipv4: get: tags: - X-Force Threat Intelligence - Protection Feed (Standard Tier) summary: Malware - IPv4 description: |- Returns a list of IPv4 addresses that are categorized as malware. You can specify your response type with the "Accept" header: - plain text: `Accept: text/plain` - comma-separated values: `Accept: text/csv` - JSON (default): `Accept: application/json`
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/xfti/mw/ipv4` ```json { "FeedCategory": "Malware", "FeedType": "IPv4", "Version": "0000000010", "CreationDate": "2019-08-20T07:26:00.000Z", "IndicatorCount: "2", "data": ["127.0.0.1", "..."] } ```
responses: 200: description: successful operation content: application/json: schema: type: array items: $ref: '#/components/schemas/Xfti' /xfti/mw/ipv6: get: tags: - X-Force Threat Intelligence - Protection Feed (Standard Tier) summary: Malware - IPv6 description: |- Returns a list of IPv6 addresses that are categorized as malware. You can specify your response type with the "Accept" header: - plain text: `Accept: text/plain` - comma-separated values: `Accept: text/csv` - JSON (default): `Accept: application/json`
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/xfti/mw/ipv6` ```json { "FeedCategory": "Malware", "FeedType": "IPv6", "Version": "0000000010", "CreationDate": "2019-08-20T07:26:00.000Z", "IndicatorCount: "3", "data": ["2a03:2880:f11c:8183:abcd:b00c:0000:26de", "2a03:2880:f11c:8183:abcd:b00c:0000:27de", "..."] } ```
responses: 200: description: successful operation content: application/json: schema: type: array items: $ref: '#/components/schemas/Xfti' /xfti/mw/url: get: tags: - X-Force Threat Intelligence - Protection Feed (Standard Tier) summary: Malware - URL description: |- Returns a list of URLs that are categorized as malware. You can specify your response type with the "Accept" header: - plain text: `Accept: text/plain` - comma-separated values: `Accept: text/csv` - JSON (default): `Accept: application/json`
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/xfti/mw/url` ```json { "FeedCategory": "Malware", "FeedType": "URL", "Version": "0000000010", "CreationDate": "2019-08-20T07:26:00.000Z", "IndicatorCount: "2", "data": ["example.com", "..."] } ```
responses: 200: description: successful operation content: application/json: schema: type: array items: $ref: '#/components/schemas/Xfti' /xfti/phishing/url: get: tags: - X-Force Threat Intelligence - Protection Feed (Standard Tier) summary: Phishing - URL description: |- Returns a list of URLs that are categorized as phishing. You can specify your response type with the "Accept" header: - plain text: `Accept: text/plain` - comma-separated values: `Accept: text/csv` - JSON (default): `Accept: application/json`
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/xfti/phishing/url` ```json { "FeedCategory": "Phishing URLs", "FeedType": "URL", "Version": "0000000010", "CreationDate": "2019-08-20T07:26:00.000Z", "IndicatorCount: "3", "data": ["pavpal.com", "azmazon.support.com", "..."] } ```
responses: 200: description: successful operation content: application/json: schema: type: array items: $ref: '#/components/schemas/Xfti' /xfti/scanning/ipv4: get: tags: - X-Force Threat Intelligence - Protection Feed (Standard Tier) summary: Scanning IPs - IPv4 description: |- Returns a list of IPv4 addresses that are categorized as scanning IPs. You can specify your response type with the "Accept" header: - plain text: `Accept: text/plain` - comma-separated values: `Accept: text/csv` - JSON (default): `Accept: application/json`
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/xfti/scanning/ipv4` ```json { "FeedCategory": "Scanning IPs", "FeedType": "IPv4", "Version": "0000000010", "CreationDate": "2019-08-20T07:26:00.000Z", "IndicatorCount: "2", "data": ["127.0.0.1", "..."] } ```
responses: 200: description: successful operation content: application/json: schema: type: array items: $ref: '#/components/schemas/Xfti' /xfti/scanning/ipv6: get: tags: - X-Force Threat Intelligence - Protection Feed (Standard Tier) summary: Scanning IPs - IPv6 description: |- Returns a list of IPv6 addresses that are categorized as scanning IPs. You can specify your response type with the "Accept" header: - plain text: `Accept: text/plain` - comma-separated values: `Accept: text/csv` - JSON (default): `Accept: application/json`
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/xfti/scanning/ipv6` ```json { "FeedCategory": "Scanning IPs", "FeedType": "IPv6", "Version": "0000000010", "CreationDate": "2019-08-20T07:26:00.000Z", "IndicatorCount: "3", "data": ["2a03:2880:f11c:8183:abcd:b00c:0000:26de", "2a03:2880:f11c:8183:abcd:b00c:0000:27de", "..."] } ```
responses: 200: description: successful operation content: application/json: schema: type: array items: $ref: '#/components/schemas/Xfti' /xfti/topact/url/10k: get: tags: - X-Force Threat Intelligence - Protection Feed (Standard Tier) summary: Top Activity - URL / 10K description: |- Returns the top ten thousand URLs rated by activity as known by X-Force Exchange. You can specify your response type with the "Accept" header: - plain text: `Accept: text/plain` - comma-separated values: `Accept: text/csv` - JSON (default): `Accept: application/json`
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/xfti/topact/url/10k` ```json { "FeedCategory": "Top-Volume Domains", "FeedType": "URL", "Version": "0000000010", "CreationDate": "2019-12-12T09:25:14.537Z", "IndicatorCount: "3", "data": ["pavpal.com; Communication Services,Early Warning,Botnet Command", "azmazon.support.com; Software / Hardware,Botnet Command and Control Server", "..."] } ```
responses: 200: description: successful operation content: application/json: schema: type: array items: $ref: '#/components/schemas/Xfti' /xfti/benign/ipv4: get: tags: - X-Force Threat Intelligence - Protection Feed (Standard Tier) summary: Benign - IPv4 description: |- Returns a list of IPv4 addresses that are categorized as benign. You can specify your response type with the "Accept" header: - plain text: `Accept: text/plain` - comma-separated values: `Accept: text/csv` - JSON (default): `Accept: application/json`
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/xfti/benign/ipv4` ```json { "FeedCategory": "Benign", "FeedType": "IPv4", "Version": "0000000010", "CreationDate": "2022-10-03T07:26:00.000Z", "IndicatorCount: "2", "data": ["127.0.0.1", "..."] } ```
responses: 200: description: successful operation content: application/json: schema: type: array items: $ref: '#/components/schemas/Xfti' /xfti/benign/ipv6: get: tags: - X-Force Threat Intelligence - Protection Feed (Standard Tier) summary: Benign - IPv6 description: |- Returns a list of IPv6 addresses that are categorized as benign. You can specify your response type with the "Accept" header: - plain text: `Accept: text/plain` - comma-separated values: `Accept: text/csv` - JSON (default): `Accept: application/json`
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/xfti/benign/ipv6` ```json { "FeedCategory": "Benign", "FeedType": "IPv6", "Version": "0000000010", "CreationDate": "2022-10-03T07:26:00.000Z", "IndicatorCount: "3", "data": ["2a03:2880:f11c:8183:abcd:b00c:0000:26de", "2a03:2880:f11c:8183:abcd:b00c:0000:27de", "..."] } ```
responses: 200: description: successful operation content: application/json: schema: type: array items: $ref: '#/components/schemas/Xfti' /xfti/benign/url: get: tags: - X-Force Threat Intelligence - Protection Feed (Standard Tier) summary: Benign - URL description: |- Returns a list of URLs that are categorized as benign. You can specify your response type with the "Accept" header: - plain text: `Accept: text/plain` - comma-separated values: `Accept: text/csv` - JSON (default): `Accept: application/json`
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/xfti/benign/url` ```json { "FeedCategory": "Benign", "FeedType": "URL", "Version": "0000000010", "CreationDate": "2022-10-03T07:26:00.000Z", "IndicatorCount: "2", "data": ["example.com", "..."] } ```
responses: 200: description: successful operation content: application/json: schema: type: array items: $ref: '#/components/schemas/Xfti' /industries: get: tags: - X-Force Premier Threat Intelligence - Industries (Premium Tier) summary: | Get Industries description: |- Return a list of Industry Analysis Reports Access to this information is restricted to paid users. Please visit this link [https://www.ibm.com/products/xforce-exchange/editions](https://www.ibm.com/products/xforce-exchange/editions) for more information
Usage ```json { "rows": [ { "id": "guid:77dcb364e2527148fd086f30d455c766", "reportId": "report--31c7e4ae-246f-4c56-9849-baecae2be7d9", "created": "2021-02-19T21:48:51Z", "name": "Transportation Industry Profile", "modified": "2021-02-22T21:40:29Z", "shortDescription": "Cyber threats to the transportation industry come with added risk compared to other sectors, given the residual effect an attack has on other transportation elements and other industries. In addition, the increasing digitization of this industry is compounding the problem, as heightened use of WiFi connectivity, heavy reliance on Internet-enabled GPS navigation, and implementation of Internet of Things devices open additional avenues of attack for threat actors. \n\nAccording to IBM’s 2020 X-Force Threat Intelligence Index, the transportation industry was the third-most targeted of all industries in 2019, experiencing 10% of attacks and incidents on the top ten industries. In addition, a breach in the transportation sector costs companies around $3.58 billion per incident, based on estimates in the IBM-sponsored Ponemon Cost of a Data Breach study. The transportation industry was ranked as the tenth most costly sector for experiencing a data breach, and eleventh out of seventeen industries in terms of the amount of time needed to identify and contain a data breach, at 275 days.", "locked": false, "statement": "premium" }, { "id": "guid:0169d5f57b58c6f349e80227d411b1f1", "reportId": "report--78c2909b-4759-456d-b39c-117d7e4332b3", "created": "2021-02-19T21:48:43Z", "name": "Telecommunications Industry Profile", "modified": "2021-02-22T21:40:25Z", "shortDescription": "As a sub-industry of media, the telecommunications industry includes providers of voice, video, data and text transmissions through wired, wireless and satellite infrastructures. Cyber threats to the telecommunications industry come with added risk compared to other sectors, given that some attackers seek access to companies in this industry primarily to collect data on or attack telecom clients. Thus, telecommunications can be a popular conduit for third-party attacks.\n\nAccording to IBM’s 2020 X-Force Threat Intelligence Index, media is the fourth-most attacked industry, moving up from sixth place the year prior. In addition, a breach in the telecommunications sector costs companies around $3.01 million per incident, based on estimates in the 2020 IBM-sponsored Ponemon Cost of a Data Breach study, falling below the overall average of $3.86 million. The communications industry was ranked as the twelfth most costly sector for experiencing a data breach per record, and fifteenth longest in terms of the average time to identify and contain a data breach, at 251 days total.", "locked": false, "statement": "premium" } ], "previousPage": "/industry?limit=2&skip=0", "nextPage": "/industry?limit=2&skip=4" } ```
parameters: - name: limit in: query description: the number of returned Industry Analysis Reports, default value is 200. The limit must not be larger than `200`. schema: type: integer - name: skip in: query description: the startingpoint to retrieve entries, default value is 0 schema: type: integer responses: 200: description: Successful response. 403: description: Access denied. 404: description: Not found. /industries/{id}: get: tags: - X-Force Premier Threat Intelligence - Industries (Premium Tier) summary: | Get Industry by ID description: |- Return a Industry Analysis Report Full access to this information is restricted to paid users. Freeium users will have access to a selected set of sample reports. Please visit this link [https://www.ibm.com/products/xforce-exchange/editions](https://www.ibm.com/products/xforce-exchange/editions) for more information.
Usage ```json { "objects": [ { "definition_type": "statement", "definition": { "statement": "premium" }, "type": "marking-definition", "id": "marking-definition--ad05bedf-f9a0-4683-81c8-357b754769ac", "created": "2019-05-13T05:32:24.171846Z" }, { "name": "Media and Entertainment Industry Profile", "labels": [ "identity" ], "description": "# Media and Entertainment Industry Profile\n\n## Summary\n\nThe media and entertainment industry is a high-value target for cyber attackers seeking to influence public opinion, control information flows, or protect the reputation of their organization or country. In particular, Advanced Persistent Threat (APT) groups—often backed by nation-states—have acted aggressively against this industry, and some nations see negative media content as a near-existential threat to their national security. Cybercriminals are also finding attacks on media and entertainment lucrative as they hold stolen pre-aired media for ransom. IBM X-Force assesses that nation-state actors and cyber criminals will continue to pose a significant threat to the media and entertainment industry, based on the motivations of each group and their resources available for malicious cyber activity.\n\n## **ASSETS AT RISK** ##\n\nIBM's 2019 X-Force Threat Intelligence Index ranked media industry as the fifth-most likely industry to be attacked, and media ranked highest out of all industries measured in X-Force's tracking of publicly disclosed data breaches for 2018.\n\nA 2018 IBM-sponsored study by the Ponemon Institute indicates that companies in the entertainment industry had the highest average number of days to identify a cyber breach, when compared to other industries (see Figure 1). In addition, one survey of the media and entertainment industry in September 2018 found that half of firms in this industry had experienced more than two cyber attacks within the past year.\n\nIBM X-Force judges that companies in the media and entertainment industry are most at risk for the loss and leakage of forthcoming production or internal company communications, based on past attacks and the interests of known threat actors. Employee credentials, customer payment card data, and the integrity of information posted to media or entertainment sites is also at high risk for attack.\n\n## **SOURCES OF ATTACK** ##\n\n### Nation-state backed APT Groups\n\nIBM X-Force assesses that nation-state actors seeking to delete, alter, steal, or search information in media and entertainment companies pose the greatest threat to the industry because of the significant resources, time and patience they can invest in an attack. North Korean-backed hackers most likely were behind significant attacks on the industry in 2012 that sought to delete information and retaliate against content that they perceived discredited their country. Similarly, cyber attacks on a media outlet in 2014 that were traced to the Chinese government sought to search for informants that may have given reporters information about Chinese leadership. More recently, a 2018 attack on the two largest media broadcasters in Germany has been traced to a Russian nation-state hacking group.\n\n### Financially-motivated Cyber Criminals\n\nOver the past two years, however, cyber criminal groups have increasingly targeted the industry, seeking to steal television and film productions before release and hold them for ransom. One cyber criminal group that calls itself "The Dark Overlord" stole and leaked unreleased television episodes in mid-2017. Serbian officials reportedly arrested one member of the group in May 2018, but initial reports indicate the group is still in operation.\n\n### Physical and Insider Threats\n\nInadequate physical security barriers and probably unwitting insiders have contributed to some cyber attacks on the media and entertainment industry. In one attack, reporters learned from the perpetrators that unlocked doors and sympathetic employees assisted the attackers in gaining physical access to the building whose networks the group targeted. In another instance, security researchers theorize that attackers targeted a senior executive, possibly from their personal device or when they connected a company device through non-secure WiFi.\n\nSimilarly, insider threats pose a considerable threat to the media and entertainment industry. Thumb drives as gifts or personal devices connected to a corporate network can give an adversary access to sensitive data—even when the intermediary is unaware of the malicious activity they are facilitating. In addition, unauthorized individuals can gain access to company computers, servers, or wireless networks if physical security best practices are not observed, or if employees even inadvertently provide opportunities for outsiders to gain access. For example, unauthorized persons can enter a facility by closely following an employee through the door, or exploit unattended company laptops and IT equipment.\n\n### Third Parties\n\nCompanies with whom media and entertainment firms do business can provide an advantageous attack vector for malicious actors, particularly when network security practices at the target firm are robust. Several media and entertainment companies have fallen victim to attacks where a third party provided malicious actors access to the target network. In one instance, attackers infiltrated an artificial intelligence customer support vendor, and then used this access to target an online entertainment ticket sales company, stealing payment card information for thousands of customers. In another case, hackers stole multiple pre-release films from a contracted post-production audio studio and then held the films for ransom.\n\n### Phishing Attacks\n\nPhishing emails and spear-phishing—emails targeted at a specific group of people—continue to be an attack vector of choice for malicious actors, due to the relative ease of this methodology and its high success rate. As employees wade through sometimes hundreds of emails per day, it can be difficult to detect an expertly worded message based on true past correspondence with a known colleague. A global media firm suspects that a spear-phishing email was the initial attack vector for APT actors that gained access to their systems, compromising the credentials for every company employee.\n\n### Unsupported or Unpatched Systems\n\nComputer networks that use unsupported operating systems or software are vulnerable to attacks, as malicious actors have ample time to discover and exploit weaknesses in these older technologies. Once an operating system or software application reaches End of Life (EOL), the security risks associated with using that system increase significantly, as vendors no longer provide updates to patch security vulnerabilities. For example, the Windows XP operating system is no longer supported, so any device that uses this system—while it may continue to function just fine—is open to an increasing number of unaddressed vulnerabilities an attacker could exploit.\n\nIn addition, even newer software applications and operating systems require consistent updates through patching to ensure they do not contain vulnerabilities an attacker could exploit. For example, the WannaCry ransomware attacks that hit multiple companies in 2017 preyed on a known Windows vulnerability for which a patch existed. By not patching the vulnerability when the fix came out in March, organizations exposed themselves to a wave of attacks that hit the following May.\n\nOne security researcher theorized that unpatched technology led to an attack on an entertainment company in 2017, resulting in the release of materials from half a dozen television shows that had not yet aired. Patch management programs can help ensure that patches are applied in a timely manner on all systems, with as little disruption to the network as possible.\n\n## **RISK MITIGATION MEASURES** ##\n\n- Incorporate robust physical security practices into your cyber security plan, including using guards and barricades, locking doors, installing hardware locks to secure sensitive IT equipment, ensuring that only authorized personnel can enter a facility one at a time to prevent unauthorized entry, and employing perimeter fencing, video surveillance, motion detectors, alarms, and proper lighting.\n- Mitigate insider threats through thorough background checks before hiring, software solutions to detect abnormal behavior on the system, and openness to concerns reported by managers and co-workers.\n- Fortify networks against phishing attacks through frequent employee education, two-factor authentication, and banners that alert employees when an email is coming from outside an organization.\n- Disable macros, email delegates, and mail forwarding.\n- Employ intrusion detection and prevention software to provide real-time network security monitoring and management.\n- Verify the cyber security practices of third party companies before contracting to do service with them. To the extent possible, insulate company networks with sensitive information such as proprietary company data, internal communications, and customer payment card information from third-party systems.\n- Avoid using third party scripts, cascading style sheets (CSS), or html hosted on third party sites for your company's website or app—especially on pages used to collect payment card data.\n- Update and upgrade legacy technology systems, using newer operating systems and software. Implement a patch management program to assist in applying software updates quickly and in a way that does not interfere with company production.\n- Create and manage an offensive security testing program to identify vulnerabilities in your applications, networks, and hardware.\n\n# Tags\n\n```\nint.entitle.premium\n\ntrend.ind.media\n\n```\n\n## **Sources** ##\n\n"2018 Cost of a Data Breach Study: Global Overview" _Ponemon Institute_, June 2018, https://www.ibm.com/security/data-breach.\n\nBort, Julie. "How The Hackers Broke Into Sony Any Why It Could Happen To Any Company." _Business Insider_, December 19, 2014, https://www.businessinsider.com/how-the-hackers-broke-into-sony-2014-12.\n\nCox, Joseph. "After Arrest in Serbia, Netflix Hackers 'The Dark Overlord' Say They're Still Going." _Motherboard_, May 17, 2018, https://motherboard.vice.com/en\\_us/article/mbkex8/dark-overlord-arrest-serbia-netflix-hackers.\n\n"Doctrine of Information Security of the Russian Federation." Russian Ministry of Foreign Affairs, 5 December 2016, http://www.mid.ru/en/foreign\\_policy/official\\_documents/-/asset\\_publisher/CptICkB6BZ29/content/id/2563163.\n\nHuddleston, Tom. "Hackers Leaked 'Orange is the New Black' Despite Receiving $50,000 Ransom." _Fortune_, June 26, 2017, http://fortune.com/2017/06/21/hackers-leaked-orange-is-the-new-black-ransom/.\n\n"IBM Security Incidents." _IBM XFISI Data,_ 2018, https://www.ibm.com/security/resources/xforce/xfisi/.\n\n "IBM X-Force Threat Intelligence Index 2019." IBM Security, February 2019, https://www.ibm.com/security/data-breach/threat-intelligence.\n\nKlijnsma, Yonathan, and Jordan Herman. "Inside and Beyond Ticketmaster: The Many Breaches of Magecart." RiskIQ, July 9, 2018, https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/.\n\nMartin, David. "German Broadcasters Targeted By Russian Hackers." _Deutche Welle_, July 27, 2018, https://www.dw.com/en/german-broadcasters-targeted-by-russian-hackers/a-44857319.\n\nMathews, Lee. "How WannaCry Went From A Windows Bug To An International Incident." _Forbes_, May 16, 2017, https://www.forbes.com/sites/leemathews/2017/05/16/wannacry-ransomware-ms17-010/#1fe38b312609.\n\nNelson, Keith. "How Did HBO Get Hacked? A Cyber Security Expert Has Two Theories." _Digital Trends_, August 4, 2017, https://www.digitaltrends.com/movies/hbo-hack-explained/.\n\n"Over Half of Media and Entertainment Firms Experience Three or More Cyber Attacks in a 12-Month Period, Reveals Survey," _Hiscox_, September 12, 2018, https://www.hiscox.com/articles/over-half-media-and-entertainment-firms-experienced-three-or-more-cyber-attacks-over-12.\n\nPeterson, Andrea Peterson. "The Sony Pictures Hack, Explained." _The Washington Post_, December 18, 2014, https://www.washingtonpost.com/news/the-switch/wp/2014/12/18/the-sony-pictures-hack-explained/?noredirect=on&utm\\_term=.4dfb0a063488.\n\nPerlroth, Nicole. "Hackers in China Attacked the Times for Last 4 Months." _The New York Times_, January 30, 2013, https://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html.\n\nVan Impe, Koen. "The Apache Struts 2 Vulnerability and the Importance of Patch Management." _Security Intelligence_, April 25, 2017, https://securityintelligence.com/the-apache-struts-2-vulnerability-and-the-importance-of-patch-management/.\n\nVictor, Daniel and Sheera Frenkel. "Iranian Hacker Charged in HBO Hacking That Included 'Game of Thrones' Script." _The New York Times_, November 21, 2017, https://www.nytimes.com/2017/11/21/business/hbo-hack-charges.html.\n\nWong, Julie Carrie and Olivia Solon. "Massive Ransomware Cyber-attack Hits Nearly 100 Countries Around the World." _The Guardian_, May 12, 2017, https://www.theguardian.com/technology/2017/may/12/global-cyber-attack-ransomware-nsa-uk-nhs.\n", "published": "2019-05-13T05:32:24.172082Z", "x_com_ibm_short_description": "The media and entertainment industry is a high-value target for cyber attackers seeking to influence public opinion, control information flows, or protect the reputation of their organization or country. In particular, Advanced Persistent Threat (APT) groups—often backed by nation-states—have acted aggressively against this industry, and some nations see negative media content as a near-existential threat to their national security. Cybercriminals are also finding attacks on media and entertainment lucrative as they hold stolen pre-aired media for ransom. IBM X-Force assesses that nation-state actors and cyber criminals will continue to pose a significant threat to the media and entertainment industry, based on the motivations of each group and their resources available for malicious cyber activity.", ... ```
parameters: - name: id in: path description: ID of the Industry Analysis Report to get required: true schema: type: string responses: 200: description: Successful response. 403: description: Access denied. content: {} 404: description: Not found. content: {} /malware_analysis: get: tags: - X-Force Premier Threat Intelligence - Malware Analysis (Premium Tier) summary: | Get Malware Analysis description: |- Return a list of Malware Analysis Reports Access to this information is restricted to paid users. Please visit this link [https://www.ibm.com/products/xforce-exchange/editions](https://www.ibm.com/products/xforce-exchange/editions) for more information
Usage ```json { "rows": [ { "id": "guid:9323d962067740902a9c589ced206e87", "reportId": "report--0e4af723-9f93-4af3-b15b-3d062a2aa144", "created": "2021-03-17T15:21:39Z", "name": "Agent Tesla, LokiBot Analysis Report (IRIS-7037)", "modified": "2021-03-17T15:21:39Z", "shortDescription": "The submitted files are grouped into two -- Agent Tesla and Loki.\n\nAgent Tesla is an infostealer type of malware that is capable of logging keystrokes, stealing credentials from different applications like browsers, mailing, messaging, ftp apps and even credentials stored in Windows Vault. All stolen data is then sent thru email using SMTP protocol.\n\nAll extracted Agent Tesla samples behaves the same as that of IRIS-7017 malware report, and only the difference in SMTP details were listed in this report.\n\nLokiBot is another malware designed to steal credentials on different applications on an infected machine such as browsers, email clients, ftp clients and file managers.", "locked": false, "statement": "premium" }, { "id": "guid:2f8a8c82beb3e83d7d3968666955bed2", "reportId": "report--0736b1db-2cac-47eb-b41b-76e3da0d9420", "created": "2021-03-02T22:02:17Z", "name": "NorthStarStager Analysis Report (IRIS-9712)", "modified": "2021-03-02T22:02:17Z", "shortDescription": "The three submitted samples were each determined to be a Trojan called **NorthStarStager**. These are .NET samples capable of privilege escalation, persistence through the registry and full Trojan functionality. An attacker using NorthStarStager can exfiltrate files, upload files and execute code arbitrarily, capture screenshots and dump registry hives for credential theft. In two of these samples, the URL for the C2 was not yet set (it was replaced with the string \"URLHERE\"), so the malware did not engage in dynamic behavior. The third sample communicated with **hxxp[://]51[.]79[.]68[.]35/** , but was redirected to **hxxps[://]www[.]clicface[.]fr/,** where it communicated over SSL.\n\n### Threat Type\n\n- Malware\n\n### Threat Group\n\n- Hive0016", "locked": false, "statement": "premium" } ], "previousPage": "/malware?limit=2&skip=0", "nextPage": "/malware?limit=2&skip=4" } ```
parameters: - name: limit in: query description: the number of returned Malware Analysis Reports, default value is 200. The limit must not be larger than `200`. schema: type: integer - name: skip in: query description: the startingpoint to retrieve entries, default value is 0 schema: type: integer responses: 200: description: Successful response. content: {} 403: description: Access denied. content: {} 404: description: Not found. content: {} /malware_analysis/{id}: get: tags: - X-Force Premier Threat Intelligence - Malware Analysis (Premium Tier) summary: | Get Malware Analysis by ID description: |- Return a Malware Analysis Report Full access to this information is restricted to paid users. Freemium users will have access to selected set of reports. Please visit this link [https://www.ibm.com/products/xforce-exchange/editions](https://www.ibm.com/products/xforce-exchange/editions) for more information.
Usage ```json { "objects": [ { "name": "Bad Rabbit Analysis Report", "labels": [ "malware" ], "description": "This malware is the ransomware publicly known as...", "published": "2019-06-28T12:06:11.648107Z", "x_com_ibm_short_description": "This malware is the ransomware publicly known as...", "object_refs: [...]", "type": "report", "id": "report--04c18138-a986-4ba5-bced-10fc651dd112", "created": "2019-05-13T05:38:35.794Z", ], ... ```
parameters: - name: id in: path description: ID of the Malware Analysis Report to get required: true schema: type: string responses: 200: description: Successful response. content: {} 403: description: Access denied. content: {} 404: description: Not found. content: {} x-navLabel: Get Malware Analysis by ID /reports/threatanalysis: get: tags: - X-Force Premier Threat Intelligence - Threat Analysis (Premium Tier) summary: | Get Threat analysis description: |- Return a list of Threat Analysis Reports Access to this information is restricted to paid users. Please visit this link [https://www.ibm.com/products/xforce-exchange/editions](https://www.ibm.com/products/xforce-exchange/editions) for more information parameters: - name: limit in: query description: the number of returned Threat Analysis Reports, default value is 200. The limit must not be larger than `200`. schema: type: integer - name: skip in: query description: the startingpoint to retrieve entries, default value is 0 schema: type: integer responses: 200: description: Successful response. content: {} 403: description: Access denied. content: {} 404: description: Not found content: {} /reports/osintadvisory: get: tags: - X-Force Premier Threat Intelligence - OSINT Advisory (Premium Tier) summary: | Get OSINT advisories description: |- Return a list of OSINT Advisory Reports Access to this information is restricted to paid users. Please visit this link [https://www.ibm.com/products/xforce-exchange/editions](https://www.ibm.com/products/xforce-exchange/editions) for more information *Note*: Please use [above](#/X-Force%20Premier%20Threat%20Intelligence%20-%20Threat%20Analysis/get_report_details__id_) api call `/report/details/{id}` in order to get a specific report details parameters: - name: limit in: query description: the number of returned OSINT Advisory Reports, default value is 200. The limit must not be larger than `200`. schema: type: integer - name: skip in: query description: the startingpoint to retrieve entries, default value is 0 schema: type: integer responses: 200: description: Successful response. content: {} 403: description: Access denied. content: {} 404: description: Not found content: {} /threat_groups: get: tags: - X-Force Premier Threat Intelligence - Threat Groups (Premium Tier) summary: | Get Threat Groups description: |- Return a list of Threat Group Profiles Access to this information is restricted to paid users. Please visit this link [https://www.ibm.com/products/xforce-exchange/editions](https://www.ibm.com/products/xforce-exchange/editions) for more information
Usage ```json { "rows": [ { "id": "guid:88b990ec38f3f4debd12f6d0c039f53e", "reportId": "report--f0010cb4-a90d-4d43-b988-c85d9ffc368a", "created": "2021-02-19T21:28:47Z", "name": "ITG14 Analysis Report", "modified": "2021-02-22T21:56:08Z", "shortDescription": "Since at least 2016, the cybercrime threat group tracked by IBM X-Force IRIS as ITG14, also known as FIN7 and Carbon Spider, has conducted illegal operations against organizations within the retail, restaurant, banking, and hospitality sectors worldwide. ITG14, which is likely based in Eastern Europe, has used a variety of techniques such as phishing, malware, and infected Microsoft Office documents to successfully compromise their targets. Three ITG14 figures were arrested in January and June 2018. In August 2018, the U.S. Department of Justice (U.S. DOJ) unsealed indictments against these ITG14 operators with 26 felony counts each ranging from conspiracy to commit wire fraud to identity theft. Despite the indictments against three ITG14 leaders, ITG14 has remained active, conducting operations throughout 2019. On a historical note, it is highly likely some members of ITG14 were previously associated with the cybercrime threat actor known as Carbanak Group, which operated from approximately 2013-2015 and also shares overlap with Hive0040 aka Cobalt Gang. While some organizations associate FIN7 and/or Cobalt Gang directly with Carbanak Group, IBM X-Force IRIS tracks these as three separate threat actors.", "locked": false, "statement": "premium" }, { "id": "guid:83e6a72ee4c9f92e2f0d9dcbc3b5c232", "reportId": "report--514ed99f-36dc-4766-930e-f6a23f68ddf8", "created": "2021-02-19T21:31:59Z", "name": "ITG01 Analysis Report", "modified": "2021-02-22T21:41:03Z", "shortDescription": "IBM’s X-Force IRIS ITG01 shares overlap with a likely Chinese state-sponsored advanced persistent threat (APT) actor APT10, which is also known as Red Apollo, POTASSIUM, MenuPass, CVNX, ChessMaster, Snake Wine, and Stone Panda. Active since at least 2006, ITG01 targets an array of commercial organizations to illegally collect sensitive and intellectual property data in support of Chinese economic goals, and Indo-Pacific regional ambitions. ITG01 specifically has interests in the technology industry with a focus on Japanese entities. To conduct campaigns ITG01 uses customized open source malware, often delivered via tailored spearphishing campaigns. In addition, to facilitate operations, ITG01 targets global Managed Service Providers (MSPs) to directly access and exfiltrate data from commercial and government entities through compromised, legitimate infrastructure. Based on ITG01’s historic support to its sponsors industrial growth, ITG01’s extensive operations, and evidence of retooling, IBM X-Force IRIS assesses with high confidence that ITG01 will continue to target high-value commercial and political entities to further Chinese strategic intentions.", "locked": false, "statement": "premium" } ], "previousPage": "/threatgroup?limit=2&skip=0", "nextPage": "/threatgroup?limit=2&skip=4" } ```
parameters: - name: limit in: query description: the number of returned Threat Group Profiles, default value is 200. The limit must not be larger than `200`. schema: type: integer - name: skip in: query description: the startingpoint to retrieve entries, default value is 0 schema: type: integer responses: 200: description: Successful response. content: {} 403: description: Access denied. content: {} 404: description: Not found. content: {} /threat_groups/{id}: get: tags: - X-Force Premier Threat Intelligence - Threat Groups (Premium Tier) summary: | Get Threat Group by ID description: | Return a Threat Group Profile Full access to this information is restricted to paid users. Freemium users will have access to selected set of reports. Please visit this link [https://www.ibm.com/products/xforce-exchange/editions](https://www.ibm.com/products/xforce-exchange/editions) for more information. parameters: - name: id in: path description: ID of the Threat Group Profile to get required: true schema: type: string responses: 200: description: Successful response. content: {} 403: description: Access denied. content: {} 404: description: Not found. content: {} /resolve/{input}: get: tags: - X-Force Threat Intelligence - DNS summary: | Get DNS records description: |- Returns live and passive DNS records.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/resolve/1.2.3.4` ```json { "Passive": { "query": "0x00000000000000000000ffff01020304", "records": [ { "value": "www.gamato.it", "type": "url", "recordType": "A", "last": "2017-07-13T21:23:00Z", "first": "2015-08-12T10:46:00Z" }, { "value": "horlickscreams.com", "type": "url", "recordType": "A", "last": "2017-07-13T16:01:00Z", "first": "2015-09-24T02:28:00Z" }, { "value": "statestcorp.com", "type": "url", "recordType": "A", "last": "2017-07-13T15:51:00Z", "first": "2015-08-20T03:56:00Z" }, ... ... ```
parameters: - name: input in: path description: ip or domain or url required: true schema: type: string responses: 200: description: Successful Response content: application/json: schema: $ref: '#/components/schemas/resolve' 403: description: Access Denied content: {} 404: description: Not found. content: {} /hub/extensions: get: tags: - X-Force Threat Intelligence - App Exchange summary: Get all Extensions description: |- Gets all published Extensions in App Exchange. Returns an object containing an array of all published extensions and the size of the array. #### Curl Example: ``` curl GET https://api.xforce.ibmcloud.com/hub/extensions ``` Note: Depending on size, the response body for this API may have be trimmed for demo purposes. To see all records for this API please make a CURL request.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/hub/extensions` ```json { "total": 0, "extensions": [ { "id": "string", "key": "string", "value": { "app_details": { "crypt_types": "string", "documents": { "partner_agreement": {}, "screenshots": [], "additional_doc": {}, "icons": {} }, "tags": { "content": {}, "search_tags": [], "categories": [], "ibm_security_products": [] }, "locale": { "en": {} }, "supported_language_set": [], "internetAccessRequired": "boolean", "authored_by": "string", "company_name": "string", "shared_users": [], "min_mb": 0, "support_label": "string" }, "app_versions": { "1.0.0": { "status": "string", "license": { "type": "string" }, "packaged_on": 0, "file_name": "string", "status_date": 0, "file_id": "string", "license_id": "string", "revision": 0, "compatibility": {}, "md5checksum": "string", "whats_new": "string" } } }, "downloads": 0 } ] } ```
responses: 200: description: Successful response content: application/json: schema: required: - extensions - total type: object properties: total: type: integer extensions: $ref: '#/components/schemas/extensions' example: |- { "total": 0, "extensions": [ { "id": "string", "key": "string", "value": { "app_details": { "crypt_types": "string", "documents": { "partner_agreement": {}, "screenshots": [], "additional_doc": {}, "icons": {} }, "tags": { "content": {}, "search_tags": [], "categories": [], "ibm_security_products": [] }, "locale": { "en": {} }, "supported_language_set": [], "internetAccessRequired": "boolean", "authored_by": "string", "company_name": "string", "shared_users": [], "min_mb": 0, "support_label": "string" }, "app_versions": { "1.0.0": { "status": "string", "license": { "type": "string" }, "packaged_on": 0, "file_name": "string", "status_date": 0, "file_id": "string", "license_id": "string", "revision": 0, "compatibility": {}, "md5checksum": "string", "whats_new": "string" } } }, "downloads": 0 } ] } x-navLabel: Get all Extensions /hub/extensions/brand/{brandnames}: get: tags: - X-Force Threat Intelligence - App Exchange summary: Get Extensions by Brand description: |- Gets all published Extensions by brand names (IBM Security Products). Returns an object containing an array of all published extensions and the size of the array. #### Curl Example: ``` curl -u {apikey:password} GET https://api.xforce.ibmcloud.com/hub/extensions/brand/QRADAR_APP ```
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/hub/extensions/brand/QRADAR_APP` ```json { "total": 0, "extensions": [ { "id": "string", "key": "string", "value": { "app_details": { "documents": { "partner_agreement": {}, "screenshots": [], "additional_doc": {}, "icons": {} }, "videos": [], "video_url": "https://youtu.be/LRcbYXcIsZA", "tags": { "content": {}, "search_tags": [], "categories": [], "ibm_security_products": [] }, "locale": { "en": {} }, "internetAccessRequired": "boolean", "supported_language_set": [], "authored_by": "string", "company_name": "string", "min_mb": 0, "early_access": "boolean", "support_label": "string" }, "app_versions": { "3.1.2": { "status": "string", "license": {}, "file_name": "string", "status_date": 0, "file_id": "string", "compatibility": { "QRadar": { "min": "string" } }, "md5checksum": "string", "revision": 0, "packaged_on": 0 } } }, "downloads": 0 } ] } ```
parameters: - name: brandnames in: path description: |- Name or comma separated list of names of brands. Any of below, ``` - APPLICATION_I2 - APPLICATION_MAAS360 - APPLICATION_RESILIENT - GUARDIUM_APP - IAM_APP - QRADAR_APP ``` required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: required: - extensions - total type: object properties: total: type: integer extensions: $ref: '#/components/schemas/extensions' example: |- { "total": 0, "extensions": [ { "id": "string", "key": "string", "value": { "app_details": { "documents": { "partner_agreement": {}, "screenshots": [], "additional_doc": {}, "icons": {} }, "videos": [], "video_url": "https://youtu.be/LRcbYXcIsZA", "tags": { "content": {}, "search_tags": [], "categories": [], "ibm_security_products": [] }, "locale": { "en": {} }, "internetAccessRequired": "boolean", "supported_language_set": [], "authored_by": "string", "company_name": "string", "min_mb": 0, "early_access": "boolean", "support_label": "string" }, "app_versions": { "3.1.2": { "status": "string", "license": {}, "file_name": "string", "status_date": 0, "file_id": "string", "compatibility": { "QRadar": { "min": "string" } }, "md5checksum": "string", "revision": 0, "packaged_on": 0 } } }, "downloads": 0 } ] } 400: description: Invalid Input content: application/json: schema: $ref: '#/components/schemas/ErrorModel' 401: description: Unauthorized content: application/json: schema: $ref: '#/components/schemas/ErrorModel' /auth/api_key: post: tags: - X-Force Threat Intelligence - Authentication summary: |- Generate API Key and Password description: |- Returns an API key and password pair, which are needed when accessing the API as an logged in user. You can generate an API key and password in your XFE user profile, or generate a new pair with this endpoint. The new credentials are in the response object. API keys and passwords do not expire. For example, the following is usage of an API key/password with curl: ``` curl -u {apikey:password} https://api.xforce.ibmcloud.com/url/cnn.com ```
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/auth/api_key` ```json { { "apiKey": "86ccd8-9451-49e0-a378-2c55e7264f", "password": "536622-a262-49b2-b982-6b5b7498b1" } } ```
requestBody: description: |- Name of API key to be generated. Note: Please replace below "string" with your API key. content: application/json: schema: $ref: '#/components/schemas/apiKeyName' required: false responses: 200: description: Object with key value as a child content: application/json: schema: $ref: '#/components/schemas/createNewKeyPair' 401: description: |- Unauthorized. Indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. content: application/json: schema: $ref: '#/components/schemas/ErrorModel' 403: description: Access denied. content: application/json: schema: $ref: '#/components/schemas/ErrorModel' /auth/api_key/{apikey}: delete: tags: - X-Force Threat Intelligence - Authentication summary: | Revoke API Key description: |- Revoke specific API Key
Usage #### Example: Send a HTTP DELETE request to `https://api.xforce.ibmcloud.com/auth/api_key/8695ccd8-9451-49e0-a378-2cd355e7264f`
parameters: - name: apikey in: path description: API key which to be revoked required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: type: object 400: description: Invalid API key format content: application/json: schema: $ref: '#/components/schemas/ErrorModel' 401: description: Unauthorized content: application/json: schema: $ref: '#/components/schemas/ErrorModel' 404: description: API key not found content: application/json: schema: $ref: '#/components/schemas/ErrorModel' /casefiles/{collectionID}: get: tags: - X-Force Threat Intelligence - Collections summary: Get Collection by ID description: |- Returns a JSON representation of a Collection Returns details for a given Collection.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/casefiles/edfdad26fe6f46448dea71f4915087ca` ```json { "created": "2017-07-07T15:55:55.586Z", "owner": { "name": "Secure Watchman", "uuid": "http://www.ibm.com/250301A25KPO" }, "title": "Known Hostile Actors", "contents": { "wiki":

ABOUT THIS COLLECTION:

  • This collection is gained via signature sets from major IPS/IDS vendors (including custom sigs)
  • Packet captures are analyzed in most cases and a determination is based off of the findings. Other times it is based off of the targeted IP/hosts findings.

NOTE:

I cannot publish pcaps, scripts, and other details for security reasons.

Thank you,

SW

Note from XFE-Support: Hello SW and thank you for your high contribution level. We appreciate your effort and hence we understand, that you cannot publish sensitive data. On the contrary we are not able to blind accept a request or a contribution if we do not have enough evidence which leads us to some request being rejected. If there is a possibility for your to blacken the sensitive parts of your information it could probably help in terms of our investigation. Thank you for your time and keep it up. Your XFE-Team

", "reports": [] }, "caseFileID": "edfdw54ad26fse6f46448dea71f4910ca", "links": [], "tlpColor": { "tlpColorName": "TLP_WHITE", "tlpColorCode": "white", "tlpIsUserDefined": true }, "writeable": true, "deletable": false, "nPeople": 0, "nGroups": 0, "shared": "public", "mine": false, "tags": [ "vulnerability", "scanning" ] } ```
parameters: - name: collectionID in: path description: ID Of the Collection to get required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: $ref: '#/components/schemas/collection' 401: description: Unauthorized content: application/json: schema: $ref: '#/components/schemas/ErrorModel' /casefiles/{collectionID}/stix: get: tags: - X-Force Threat Intelligence - Collections summary: Get Collection as STIX Markup description: |- Returns a STIX representation of a Collection with Attachments
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/casefiles/edfdad26fe6f46448dea71f4915087ca/stix` ```json id="ibm:Feed-e2fe6f46g457g4448dea71f4915087ca" timestamp="2017-07-13T15:29:44.546Z" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2" xmlns:ttp="http://stix.mitre.org/TTP-1" xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:AddressObject="http://cybox.mitre.org/objects#AddressObject-2" xmlns:URIObject="http://cybox.mitre.org/objects#URIObject-2" xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2" xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1" xmlns:stixCommon="http://stix.mitre.org/common-1" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:et="http://stix.mitre.org/ExploitTarget-1" xmlns:COA="http://stix.mitre.org/CourseOfAction-1" xmlns:ibm="http://xforce.ibmcloud.com/" xmlns:tlp="http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1" xmlns:marking="http://data-marking.mitre.org/Marking-1" version="1.1.1" xsi:schemaLocation="http://cybox.mitre.org/objects#URIObject-2 Known Hostile Actors ​ABOUT THIS COLLECTION: This is a description about the collection. ```
parameters: - name: collectionID in: path description: ID Of the Collection to get required: true schema: type: string responses: 200: description: Successful response content: application/stix: example: |- 401: description: Unauthorized content: application/stix: schema: $ref: '#/components/schemas/ErrorModel' /casefiles/public: get: tags: - X-Force Threat Intelligence - Collections summary: Get public Collections description: |- Gets all public Collections that you are able to see. Returns a list of all publicly accessible Collections. #### Curl Example: ``` curl -u {apikey:password} GET https://api.xforce.ibmcloud.com/casefiles/public ```
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/casefiles/public` ```json { "casefiles": [ { "caseFileID": "a8d8de4aec901b57515f2b3", "created": "2017-07-13T03:40:01.549Z", "owner": { "name": "threatwonk", "userid": "http://www.ibm.com/1206UIN" }, "title": "Non-English Malicious SPAM", "shared": "public", "writable": false, "links": [], "tlpColor": { "tlpColorName": "TLP_WHITE", "tlpColorCode": "white", "tlpIsUserDefined": true }, "tags": [] }, { "caseFileID": "94b47190b858703eafcabaf3a3d", "created": "2017-07-12T17:15:50.850Z", "owner": { "name": "John Doe", "userid": "http://www.ibm.com/50RAWK6" }, "title": "Mexican Phishing Sites", "shared": "public", "writable": false, "links": [], "tlpColor": { "tlpColorName": "TLP_WHITE", "tlpColorCode": "white", "tlpIsUserDefined": true }, "tags": [] }, ... ... ```
responses: 200: description: Successful response content: application/json: schema: required: - casefiles type: object properties: casefiles: type: array items: $ref: '#/components/schemas/collection' 401: description: Unauthorized content: application/json: schema: $ref: '#/components/schemas/ErrorModel' /casefiles/shared: get: tags: - X-Force Threat Intelligence - Collections summary: Get shared Collections description: |- Gets all shared Collections that you are able to see. Returns a list of all Collections that have been shared with you.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/casefiles/shared` ```json { "casefiles": [ { "caseFileID": "682172d603dc11c9b0b54ae8f8", "created": "2015-06-17T12:28:19.589Z", "owner": { "name": "John Doe" }, ... ... ```
responses: 200: description: Successful response content: application/json: schema: required: - casefiles type: object properties: casefiles: type: array items: $ref: '#/components/schemas/collection' 401: description: Unauthorized content: application/json: schema: $ref: '#/components/schemas/ErrorModel' /casefiles: get: tags: - X-Force Threat Intelligence - Collections summary: Get private Collections description: |- Gets all of your Collections This endpoint returns all the Collections that you have created, whether they are shared or not.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/casefiles/` ```json { "casefiles": [ { "caseFileID": "24af9acdf2c1290450238a60c", "created": "2017-06-02T14:22:18.283Z", "owner": { "name": "John Doe", "userid": "http://www.ibm.com/50663F" }, "title": "vgnvbn", "shared": "off", "links": [], "tlpColor": { "tlpColorName": "TLP_NOT_SPECIFIED", "tlpColorCode": "NO_COLOR", "tlpIsUserDefined": true }, "tags": [] }, { "caseFileID": "f4d22ca9656bb5623433bb8687aaa", "created": "2017-05-10T08:10:48.721Z", "owner": { "name": "John Doe", "userid": "http://www.ibm.com/5036Y3F" }, "title": "test collection", "shared": "shared", "nPeople": 0, "nGroups": 0, "links": [], "tlpColor": { "tlpColorName": "TLP_GREEN", "tlpColorCode": "green", "tlpIsUserDefined": true }, "tags": [ "mal", "xftas", "threat-actor", "email" ] } ] } ```
responses: 200: description: Successful response content: application/json: schema: required: - casefiles type: object properties: casefiles: type: array items: $ref: '#/components/schemas/collection' 401: description: Unauthorized content: application/json: schema: $ref: '#/components/schemas/ErrorModel' /casefiles/group/{groupID}: get: tags: - X-Force Threat Intelligence - Collections summary: Get Collections by Group ID description: | Returns a list of Collections for a given Group ID. This endpoint returns a list of Collections for a given Group ID.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/casefiles/group/7077d688-8b32-4f-b68d-d657e7999` ```json { "casefiles": [ { "caseFileID": "f4d22ca965568656bb5623efd4b7bb8687aaa", "created": "2017-05-10T08:10:48.721Z", "title": "test collection", "writable": true, "owner": "http://www.ibm.com/50886B63F" }, { "caseFileID": "0fe60fa684c4dbdf2865u066a4df1e1fe86b", "created": "2017-07-13T15:41:15.271Z", "title": "dfgvbdfg", "writable": false, "owner": "http://www.ibm.com/503663F" }, ... ... ```
parameters: - name: groupID in: path description: ID of the Group to get Collections for required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: $ref: '#/components/schemas/casefilesOfGroup' 401: description: Unauthorized content: application/json: schema: $ref: '#/components/schemas/ErrorModel' /casefiles/public/fulltext: get: tags: - X-Force Threat Intelligence - Collections summary: Search public Collections description: |- Returns a list of public Collections that were found This endpoint searches the title and wiki content of public Collections and returns the result.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/casefiles/public/fulltext?q=Advisory` ``` { "casefiles": [ { "caseFileID": "fa7aed21fbf4780b90397cd68483", "created": "2017-04-05T12:12:30.678Z", "owner": { "name": "John Doe", "userid": "http://www.ibm.com/31088T2" }, "title": "Cloud_Hopper Advisory", "shared": true, "writable": true, "links": [], "tags": [] }, { "caseFileID": "f055e638c2f8b57ee7aaacab7e", "created": "2016-06-30T22:27:55.481Z", "owner": { "name": "IBM X-Force", "userid": "http://www.ibm.com/299XM", "verified": "ibmexpert" }, "title": "Multiple Symantec A/V Vulnerabiities", "shared": true, "writable": false, "links": [], "totalVotes": 1, "tags": [ "x-force", "advisory", "vulnerability" ] }, ... ... ```
parameters: - name: q in: query description: Search term, For example, Advisory required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: required: - casefiles type: object properties: casefiles: type: array items: $ref: '#/components/schemas/shortCollection' 401: description: Unauthorized content: application/json: schema: $ref: '#/components/schemas/ErrorModel' /casefiles/private/fulltext: get: tags: - X-Force Threat Intelligence - Collections summary: Search private Collections description: |- Returns a list of private Collections that were found This endpoint searches the title and wiki content of private collections that were created by owner, shared with me, or shared with a group of which I am a member and returns the result
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/casefiles/private/fulltext?q=Advisory` ```json { "casefiles": [ { "caseFileID": "fa7aed21fbf4780b90397cd68483", "created": "2017-04-05T12:12:30.678Z", "owner": { "name": "John Doe", "userid": "http://www.ibm.com/31088T2" }, "title": "Cloud_Hopper Advisory", "shared": true, "writable": true, "links": [], "tags": [] }, { "caseFileID": "f055e638c2f8b57ee7aaacab7e", "created": "2016-06-30T22:27:55.481Z", "owner": { "name": "IBM X-Force", "userid": "http://www.ibm.com/299XM", "verified": "ibmexpert" }, "title": "Multiple Symantec A/V Vulnerabiities", "shared": true, "writable": false, "links": [], "totalVotes": 1, "tags": [ "x-force", "advisory", "vulnerability" ] }, { "caseFileID": "fc6538111480c82cd078401b24", "created": "2016-08-24T13:06:53.740Z", "owner": { "name": "IBM X-Force", "userid": "http://www.ibm.com/27UXM", "verified": "ibmexpert" }, "title": "Java Object Serialization vulnerability", "shared": true, "writable": false, "links": [], "tags": [ "advisory", "vulnerability" ] }, { "caseFileID": "cbe8eeec4c66f4545475231f6b", "created": "2015-09-09T17:19:09.766Z", "owner": { "name": "John Doe", "userid": "http://www.ibm.com/31CAMS" }, "title": "FS-ISAC-831-0906", "shared": true, "writable": false, "links": [], "tags": [] }, ... ... ```
parameters: - name: q in: query description: Search term, For example, Advisory required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: required: - casefiles type: object properties: casefiles: type: array items: $ref: '#/components/schemas/shortCollection' example: |- { "casefiles": [{ "caseFileID": "string", "created": "string", "owner": { "name": "string", "userid": "string", "verified": "string" }, "title": "string", "shared": "boolean", "writable": "boolean" }, { "caseFileID": "string", "created": "string", "owner": { "name": "string", "userid": "string", "verified": "string" }, "title": "string", "shared": "boolean", "writable": "boolean" }] } 401: description: Unauthorized content: application/json: schema: $ref: '#/components/schemas/ErrorModel' /casefiles/{casefileid}/upload: post: tags: - X-Force Threat Intelligence - Collections summary: | Upload Collection File Attachment description: |- Endpoint to initiate the upload of a file.
Usage #### Example: Send a HTTP POST request to `https://api.xforce.ibmcloud.com/casefiles/004372d1eaf640f1ee4f413cbe77/upload` ```json { "status": "success." } ```
parameters: - name: casefileid in: path description: ID of the Collection to which the file will attached required: true requestBody: content: multipart/form-data: schema: type: object properties: stix: type: string description: File you want to upload format: binary required: true responses: 200: description: Successful response content: application/json: schema: type: object properties: status: type: string 401: description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/ErrorModel' /casefiles/{casefileid}/linkedcasefiles/{linkedcasefileid}: delete: tags: - X-Force Threat Intelligence - Collections summary: | Delete Linked Collection description: |- Removes the linked Collection from the specified Collection.
Usage #### Example: Send a HTTP DELETE request to `https://api.xforce.ibmcloud.com/casefiles/00439bfb72d1eaf640f1ee4f413cbe77/linkedcasefiles/8df85114778fae0cb458` ```json { "ok": true, "id": "8df85178fae0cb458", "found": false, "collection": "00439bfbeaf640f1ee4f413cbe77", "links": [] } ```
parameters: - name: casefileid in: path description: |- ID of the Collection from which the linked Collection will be removed required: true schema: type: string - name: linkedcasefileid in: path description: ID of the linked Collection to be removed required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: type: object properties: ok: type: string id: type: string example: |- { "ok": "boolean", "id": "string" } 401: description: Unauthorized content: application/json: schema: $ref: '#/components/schemas/ErrorModel' /casefiles/{casefileid}/linkedcasefiles: get: tags: - X-Force Threat Intelligence - Collections summary: | Get linked Collections description: |- Gets all linked Collections that you are able to see for the specified Collection.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/casefiles/00439bfb72d1eaf640f1ee4f413cbe77/linkedcasefiles` ```json { "linkedcasefiles": [ { "created": "2017-07-13T15:41:04.753Z", "owner": { "name": "John Doe", "userid": "http://www.ibm.com/5033F" }, "title": "tete", "contents": { "wiki": null, "reports": [] }, "caseFileID": "ff62c23d4aa070a4bec27765a8b", "links": [], "tlpColor": { "tlpColorName": "TLP_NOT_SPECIFIED", "tlpColorCode": "NO_COLOR", "tlpIsUserDefined": true }, "writeable": true, "deletable": true, "shared": "off", "mine": true, "linkCreatedAt": "2017-07-14T08:36:38.760Z", "linkCreatedBy": "John Doe", "linkCreatedByUUID": "http://www.ibm.com/50363F" }, ... ... ```
parameters: - name: casefileid in: path description: ID of the Collection for which to get linked Collections required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: required: - linkedcasefiles type: object properties: linkedcasefiles: type: array items: $ref: '#/components/schemas/shortCollection' example: |- { "linkedcasefiles": [ { "caseFileID": "string", "created": "string", "owner": { "name": "string" }, "title": "string", "shared": "string", "writable": "boolean", "mine": "boolean", "links": "array" }, { "caseFileID": "string", "created": "string", "owner": { "name": "string" }, "title": "string", "shared": "string", "writable": "boolean", "mine": "boolean", "links": "array" } ] } 401: description: Unauthorized content: application/json: schema: $ref: '#/components/schemas/ErrorModel' put: tags: - X-Force Threat Intelligence - Collections summary: | Add Collection link description: |- Adds a Collection link to a Collection.
Usage #### Example: Send a HTTP PUT request with below as a JSON payload to `https://api.xforce.ibmcloud.com/casefiles/00439bfb72d1eaf640f1ee4f413cbe77/linkedcasefiles` ```json { "linkTo": "d82a63679af47015986f6bbf4bbceede" } Result: { "ok": true, "id": "8df85114778fae0cb458", "found": false, "collection": "00439bfb72d1eaf640f1ee4f413cbe77", "links": [] } ```
parameters: - name: casefileid in: path description: ID of the Collection to which the link will be added required: true schema: type: string requestBody: description: ID of the Collection that will be linked. Replcae "string" with collection id (for example:"d82a63679af47015986f6bbf4bbceede") content: application/json: schema: $ref: '#/components/schemas/linkTo' required: true responses: 200: description: Successful response 401: description: Unauthorized content: application/json: schema: $ref: '#/components/schemas/ErrorModel' /casefiles/{casefileid}/attachments: get: tags: - X-Force Threat Intelligence - Collections summary: | Get Attachments description: |- Get all attachments for a specified Collection.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/casefiles/00439bfb72d1eaf640f1ee4f413cbe77/attachments` ```json { "attachments": [ { "id": "7d5266d56958149f39244821375bb635", "attachedTo": "00439bfb72d1eaf640f1ee4f413cbe77", "attachedBy": { "name": "John Doe": "http://www.ibm.com/50363F", "userid": "http://www.ibm.com/50363F" }, "attachedAt": "2017-07-14T08:50:41.567Z", "imported": false, "safeFile": false, "md5checksum": "d814161e45e6c254283699ff88d8eb", "sha256": "d974cf147e871ad0b7c5d95454d0449502a8b4ee79366cfef22afcc2ad4d6c", "aliasFileName": "Security-Essentials.pptx", "file": { "filename": "a5a7d5d4e71941050a", "length": 2841892, "content_type": "application/vnd.openxmlformats-officedocument.presentationml.presentation" } }, ... ... ```
parameters: - name: casefileid in: path description: ID of the Collection for which to get attachments required: true schema: type: string - name: limit in: query description: The number of returned attachments Reports, if user will not pass any value then it will return all attachments. schema: type: integer - name: skip in: query description: The starting point to retrieve entries, default value is 0. schema: type: integer responses: 200: description: Successful response content: application/json: schema: required: - attachments type: object properties: attachments: type: array items: $ref: '#/components/schemas/attachment' 401: description: Unauthorized content: application/json: schema: $ref: '#/components/schemas/ErrorModel' /casefiles/{casefileid}/createreports: post: tags: - X-Force Threat Intelligence - Collections summary: | Import Reports description: |- Endpoint to add reports to a casefile.
Usage #### Example: Send a HTTP POST request with a file as a payload to `https://api.xforce.ibmcloud.com/casefiles/004372d1eaf640f1ee4f413cbe77/createreports` ```json { "reportkeys": [ { "type": "IP", "value": "192.0.2.33", "wanted": true }, { "type": "URL", "value": "example.com", "wanted": true }, { "type": "MAL", "value": "MD5:e80786df667a290a818104d55a2e2a21", "wanted": true }, { "type": "VUL", "value": "CVE-2016-1009", "wanted": true } ] } ```
parameters: - name: casefileid in: path description: ID of the Collection to which reports will be attached required: true schema: type: string requestBody: description: |- Array of reports to be added to the collection. Each entry must have ``` - type:a valid report identifier (IP, URL, MAL or VUL). - value:the name of the report. Note: For MAL the hash must be prepended by the valid hashtype "MD5:", "SHA1:" or "SHA256:", for example: MD5:e80786df667a290a818104d55a2e2a21 - wanted:true ``` content: application/json: schema: $ref: '#/components/schemas/reportkeys' required: true responses: 200: description: Successful response content: application/json: schema: type: object properties: status: type: string 401: description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/ErrorModel' /casefiles/{casefileid}/attachments/{attachmentid}: get: tags: - X-Force Threat Intelligence - Collections summary: | Get Attachment by ID description: |- Get an attachment for a specified Collection by ID.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/casefiles/00439bfb72d1eaf640f1ee4f413cbe77/attachments/199644818c78874d84d0608b41c17174` ```json { "attachedTo": "00439bfb72d1eaf640f1ee4f413cbe77", "attachedBy": { "name": "John Doe", "userUniqueID": "http://www.ibm.com/50363F", "userid": "http://www.ibm.com/5033F" }, "attachedAt": "2017-07-14T08:50:30.284Z", "imported": false, "safeFile": false, "type": "attachment", "md5checksum": "ba813f46cde992c6d61aa3897e91eb7f", "sha256": "a62f9c4c0d235b226b03f37a03cbb19bcc753b050bfb2c59ed8cdba3d057195b", "aliasFileName": "20170621_190054.jpg", "id": "199644818c78874d84d0608b41c17174", "file": { "filename": "7b6d31b285b102ed76b9", "length": 785557, "content_type": "image/jpeg" } } ```
parameters: - name: casefileid in: path description: ID of the Collection for which to get attachments required: true schema: type: string - name: attachmentid in: path description: ID of the attachment to get required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: $ref: '#/components/schemas/attachment' example: |- { "attachedTo": "string", "attachedBy": { "name": "string", "userUniqueID": "string" }, "attachedAt": "string", "imported": "boolean", "md5checksum": "string", "aliasFileName": "string", "id": "string", "file": { "filename": "string", "length": "integer", "content_type": "string" } } 401: description: Unauthorized content: application/json: schema: $ref: '#/components/schemas/ErrorModel' /casefiles/{casefileid}/attachments/{attachmentid}/{filename}: get: tags: - X-Force Threat Intelligence - Collections summary: | Get file attachment description: |- Get a file attachment for a specified Collection by ID.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/casefiles/00439bfb72d1eaf640f1ee4f413cbe77/attachments/aef6389e21fb31f82b1d53f1ba93b32d/dff940272cc63d7d5379` ```json Filetype: PNG ... ... ```
parameters: - name: casefileid in: path description: ID of the Collection for which to get attachments required: true schema: type: string - name: attachmentid in: path description: ID of the attachment to get required: true schema: type: string - name: filename in: path description: Filename to get required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: type: array items: type: number example: |- [ "ASCII characters" ] 401: description: Unauthorized content: application/json: schema: $ref: '#/components/schemas/ErrorModel' /url/host/early_warning: get: tags: - X-Force Threat Intelligence - Early Warning summary: | Get early warning feed. description: |- Returns the list of domains in early warning feed. Access to this information is restricted to paid users.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/url/host/early_warning` ```json { "rows": [ { "host": "modt13d4dah975n-ryb7dsrzik.stream", "type": "SUSPICIOUS", "update": "2018-09-05T12:27:00.193Z" }, { "host": "emxfructugey.com", "type": "SUSPICIOUS", "update": "2018-07-16T17:52:00.280Z" } ] } ```
parameters: - name: startDate in: query description: the start of the date range, for example, `2019-01-01T00:00:00Z`. The default value is the beginning of the feed. schema: type: string - name: endDate in: query description: the end of the date range, for example, `2019-01-01T00:00:00Z`. The default value is now. schema: type: string - name: limit in: query description: the number of returned URLs, default value is 200 when not specified. The limit must not be larger than `200`. schema: type: integer - name: skip in: query description: the number of URLs to be skipped, default value is 0. schema: type: integer responses: 200: description: Successful response content: application/json: schema: $ref: '#/components/schemas/earlyWarning' 403: description: Access denied. content: {} 404: description: Not found. content: {} /app/: get: tags: - X-Force Threat Intelligence - Internet Application Profile summary: | Get all App Profiles description: |- Returns list of all Internet Application Profiles (IAP).
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/app/` ```json { "canonicalNames": [ "\"virgin america", "@ wiki", "@creatorz", "@nifty", "@paint", "&frankly", "1-2-sports", "1&1 smartdrive", "1&1 webmail", "10000ft", "101domain", "115", ... ... ] } ```
responses: 200: description: Successful response content: application/json: schema: type: object properties: canonicalNames: type: array items: type: string 403: description: Access denied. content: {} 404: description: Not found. content: {} 429: description: ratelimit content: {} /apps/fulltext: get: tags: - X-Force Threat Intelligence - Internet Application Profile summary: | Search App Profiles description: |- Returns list of all Internet Application Profiles (IAP) associated with the search term.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/apps/fulltext?q=social` ```json { "applications": [ { "canonicalName": "social blade", "name": "Social Blade", "description": "A compiler of data from YouTube, Twitch, and Instagram to make statistical graphs and charts", "id": 3517, "score": 0.4 }, { "canonicalName": "unified social", "name": "Unified Social", "description": "A platform that delivers software and services to connect marketing data sets and optimize investments", "id": 4411, "score": 0.3 }, { "canonicalName": "social studio", "name": "Social Studio", "description": "a social media solution that helps companies track and analyze conversations across social networks", "id": 8668, "score": 0.3 }, ... ... ```
parameters: - name: q in: query description: Search term, For example, TestApp for Social Networking required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: $ref: '#/components/schemas/applicationList' 403: description: Access denied. content: {} 404: description: Not found. content: {} /app/{appname}: get: tags: - X-Force Threat Intelligence - Internet Application Profile summary: | Get App Profile by Name description: |- Returns the Internet Application Profiles (IAP) that needs to be fetched.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/apps/TestApp for Social Networking` ```json { "application": { "canonicalName": "testapp for social networking", "name": "TestApp for Social Networking", "description": "Entry is for testing purposes only", "actionDescriptions": { "Write/Post/Chat": "An action that requires the input of plain text (via keyboard or from clipboard). Not included: An upload of a file", "Stream/Download": "Listen to an audio stream, watch a video stream, view or save an email attachment or download a file. Not included: View a profile or a post in a social network, view a picture on an image hoster, read the text of an email, view a document in an online collaboration tool", "Share": "Share a document, share an audio or video stream, upload a file, attach a file to an email", "Start App": "Start an App within a Web Application that supports third party Apps" }, "categories": { "Social Networking": true }, "categoryDescriptions": { "Social Networking": "This category contains Web portals that provide a virtual community to find and connect to people interested in a particular shared subject. The sites enable their members to publish profiles including personal data / media and provide interpersonal communication channels. Business Networking sites are not listed here but in their own category." }, "id": 207, "actions": { "Write/Post/Chat": true, "Stream/Download": true, "Share": true, "Start App": true }, "rlfs": { "insecure communication": { "value": 7, "description": "Limited parts of this application are provided over an unencrypted connection" }, "upload possible": { "value": 100, "description": "The application supports file uploading, which bears a risk of data leakage" }, "malware": { "value": 100, "description": "A significant number of URLs host malware" } }, "score": 1.5, "baseurl": "http://www.xforce-security.com/policy-check/url/testpage77.htm", "urls": [] }, "tags": [] } ```
parameters: - name: appname in: path description: Search term, For example, TestApp for Social Networking required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: $ref: '#/components/schemas/longApp' 403: description: Access denied. content: {} 404: description: Not found. content: {} /ipr: get: tags: - X-Force Threat Intelligence - IP Reputation summary: | Get IPs by Category description: |- Return a list of IPs according to the category and date range. Access to this information is restricted to paid users. Please visit this link [https://www.ibm.com/products/xforce-exchange/editions](https://www.ibm.com/products/xforce-exchange/editions) for more information
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/ipr?category=Spam` ```json { "category": "Spam", "rows": [ { "ip": "223.180.27.129", "created": "2017-07-14T09:37:00Z", "score": 2.9 }, { "ip": "217.172.114.243", "created": "2017-07-14T09:37:00Z", "score": 2.9 }, { "ip": "212.227.24.9", "created": "2017-07-14T09:37:00Z", "score": 4.3 }, { "ip": "212.83.178.230", "created": "2017-07-14T09:37:00Z", "score": 5.7 }, { "ip": "202.154.228.172", "created": "2017-07-14T09:37:00Z", "score": 2.9 }, ... ... ```
parameters: - name: category in: query description: |- categories for IPs, For example, ``` - Spam - Anonymisation Services - Scanning IPs - Dynamic IPs - Malware - Bots - Botnet Command and Control Server - Cryptocurrency Mining ``` required: true schema: type: string - name: startDate in: query description: the start of the date range for searching, For example, `2016-01-01T00:00:00Z`. schema: type: string - name: endDate in: query description: the end of the date range for searching, For example, `2016-01-01T00:00:00Z`. If not specified, the query will return the newest IPs. schema: type: string - name: descending in: query description: the order of returned IPs according to the created date and ips, default value is true schema: type: string - name: limit in: query description: the number of returned IPs, default value is 200 when not specified. The limit must not be larger than `10000`. schema: type: integer - name: skip in: query description: the number of IPs to be skipped while searching. schema: type: integer responses: 200: description: |- Successful response. The attribute `rows` contains the IPs that are in the specified category and date range. The attribute `nextPage` contains the query to retrieve the subsequent IPs later in time. Analogously, the attribute `previousPage` contains the query to retrieve the ones earlier in time. content: application/json: schema: $ref: '#/components/schemas/iprCategory' example: category: Spam rows: - ip: string created: string score: integer nextPage: string previousPage: string 403: description: Access denied. content: {} 404: description: Not found. content: {} /ipr/{ip}: get: tags: - X-Force Threat Intelligence - IP Reputation summary: | Get IP Report description: |- Returns the IP report for the entered IP. parameters: - name: ip in: path description: |- ip addresses in all valid formats For example, ``` 1.2.3.4 216.137.61.0x08 0270.0254.0153.0362 0xB8.0xAC.0x6B.0xF2 0xB8AC6BF2 184.0xAC.0153.0xf2 0x11112222333344445555666677778888 ::127.0.0.1 ::fFff:127.0.0.1 1:2:3:4:5:6:7:8 1:2:3:4::6:7:8 0x00010002000300040005000600070008 2001:DB8:1234:ABCD::75 ``` required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: $ref: '#/components/schemas/ipr' 403: description: Access denied. content: {} 404: description: Not found. content: {} /ipr/history/{ip}: get: tags: - X-Force Threat Intelligence - IP Reputation summary: | Get IP Reputation description: |- Returns the IP reputation report for the entered IP. parameters: - name: ip in: path description: |- ip addresses in all valid formats For example, ``` 1.2.3.4 216.137.61.0x08 0270.0254.0153.0362 0xB8.0xAC.0x6B.0xF2 0xB8AC6BF2 184.0xAC.0153.0xf2 0x11112222333344445555666677778888 ::127.0.0.1 ::fFff:127.0.0.1 1:2:3:4:5:6:7:8 1:2:3:4::6:7:8 0x00010002000300040005000600070008 2001:DB8:1234:ABCD::75 ``` required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: required: - ip type: object properties: ip: $ref: '#/components/schemas/ipv4oripv6' history: type: array items: $ref: '#/components/schemas/ip' 403: description: Access denied. content: {} 404: description: Not found. content: {} /ipr/malware/{ip}: get: tags: - X-Force Threat Intelligence - IP Reputation summary: | Get Malware for IP description: |- Returns the malware associated with the entered IP.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/ipr/malware/186.167.248.148` ```json { "malware": [ { "type": "SPM", "md5": "A1E89815F872CA691F942CFAABD872C4", "domain": "cleverdoughcakes.com", "firstseen": "2016-12-16T17:45:00Z", "lastseen": "2016-12-16T17:45:00Z", "ip": "0x00000000000000000000ffffbaa7f894", "count": 1, "filepath": "user8796750.zip", "uri": "file://user8796750.zip", "first": "2016-12-16T17:45:00Z", "last": "2016-12-16T17:45:00Z", "origin": "SPM", "family": [ "Spam Zero-Day" ] }, { "type": "SPM", "md5": "5219CC74CABDBA8AB8D68A9B6FE74C25", "domain": "empoweringtransitions.com", "firstseen": "2016-12-16T11:30:00Z", "lastseen": "2016-12-16T11:30:00Z", "ip": "0x00000000000000000000ffffbaa7f894", "count": 1, "filepath": "user7697761.zip", "uri": "file://user7697761.zip", "first": "2016-12-16T11:30:00Z", "last": "2016-12-16T11:30:00Z", "origin": "SPM", "family": [ "Spam Zero-Day" ] }, ... ... ```
parameters: - name: ip in: path description: |- ip addresses in all valid formats For example, ``` 1.2.3.4 216.137.61.0x08 0270.0254.0153.0362 0xB8.0xAC.0x6B.0xF2 0xB8AC6BF2 184.0xAC.0153.0xf2 0x11112222333344445555666677778888 ::127.0.0.1 ::fFff:127.0.0.1 1:2:3:4:5:6:7:8 1:2:3:4::6:7:8 0x00010002000300040005000600070008 2001:DB8:1234:ABCD::75 ``` required: true schema: type: string responses: 200: description: 'Successful response, JSON object of malware with structure { malware: [ ] }' content: application/json: schema: $ref: '#/components/schemas/iprMalware' 403: description: Access denied. content: {} 404: description: Not found. content: {} /ipr/asn/{asn}: get: tags: - X-Force Threat Intelligence - IP Reputation summary: | Get networks for ASN description: |- Returns all networks that are assigned to an Autonomous System Number
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/ipr/asn/1` ```json {"networks": [ "45.6.172.0/22", "91.202.166.0/24", "94.31.44.0/24", "176.52.166.0/23", "198.22.130.0/24", "202.63.238.0/24", "210.57.82.0/24" ] } ```
parameters: - name: asn in: path description: |- A valid ASN number ``` ASN1 ASN5387 ``` required: true schema: type: string responses: 200: description: 'Successful response, JSON object of networks with structure { networks: [ ] }' content: application/json: schema: $ref: '#/components/schemas/iprAsn' 403: description: Access denied. content: {} 404: description: Not found. content: {} x-navLabel: Get networks for ASN /ipr/deltas: get: tags: - X-Force Threat Intelligence - IP Reputation summary: | Get IP Reputation updates (Deltas) description: |- The Delta API provides the data as a bulk download ("base content") for each category supported, followed by periodic downloads of content updates ("deltas") for the category. New base content for each category is created daily (every twenty-four hours), and a new delta pull for each category every 15 minutes. Note: If you already have a pull_id it can be used to fetch delta information only. If not, leave it empty, Delta API will return base content along with pull_id which can be used on next request to fetch delta information only. For more details, refer to the XFE [FAQ](https://exchange.xforce.ibmcloud.com/faq) page
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/ipr/deltas?category=Malware` ```json { "data": [ { "created": "2023-04-11T19:47:00Z", "ip": "1.1.1.1", "score": "4.2" }, { "created": "2022-03-28T05:35:00Z", "ip": "1.117.117.202", "score": "4.3" }, { "created": "2022-03-03T09:48:00Z", "ip": "1.234.2.232", "score": "4.3" }, { "created": "2022-04-07T14:33:00Z", "ip": "1.247.0.147", "score": "1.4" }, ... ... ], "pullID": 1681729345300, "createdAt": "2023-04-17T11:13:05.5Z" } ```
parameters: - name: category in: query description: |- categories for IPs, For example, ``` - Spam - Anonymisation Services - Scanning IPs - Dynamic IPs - Malware - Bots - Botnet Command and Control Server - Cryptocurrency Mining ``` required: true schema: type: string - name: pull_id in: query description: |- schema: type: integer responses: 200: description: OK - Success with an appropriate response payload. content: application/json: schema: type: object properties: data: type: array items: $ref: '#/components/schemas/urlDeltasItem' pullID: type: integer createdAt: type: string 401: description: Unauthorized - Your requests do not properly include credentials. Retries will not help unless the request format you send changes. 402: description: Payment Required - Your credentials are valid, but the request you made requires a higher level of license. Retries will not help; the account associated with the credentials must be updated, or a different set of (properly authorized) credentials used. 403: description: Forbidden - Your credentials are not valid. Retries will not help. Get a set of valid credentials. 404: description: Not found. 410: description: Gone - The pull ID has expired and become useless. Score data from that base content cannot be updated any further. Discard all retained score data and pull IDs for the category. Start a new "shadow" database and pull chain for the category by downloading new base content and deltas. 500: description: Server Error - These errors are usually temporary, but indicate problems in XFE itself. /ipr/categories: get: tags: - X-Force Threat Intelligence - IP Reputation summary: | Get IPR category list description: |- Return a list of IP categories provided by XFE.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/ipr/categories` ```json [ { "name": "Spam", "description": "This category lists IP addresses that were seen sending out spam." }, { "name": "Anonymisation Services", "description": "This category contains IP addresses of Web proxies (websites that allow the user to anonymously view websites). Furthermore, IP addresses are listed that can be used directly to surf anonymously (e.g. by adding them to the browser configuration)." }, { "name": "Scanning IPs", "description": "These IPs have been identified as illegally scanning networks for vulnerabilities." }, { "name": "Dynamic IPs", "description": "This category contains IP addresses of dialup hosts and DSL lines." }, .... .... ] ```
responses: 200: description: |- Successful response. content: application/json: schema: $ref: '#/components/schemas/iprurlCategories' 404: description: Not found. content: {} /malware/{filehash}: get: tags: - X-Force Threat Intelligence - Malware summary: | Get Malware for File Hash description: |- Returns a malware report for the given file hash, For example, md5, sha1 and sha256.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/malware/474B9CCF5AB9D72CA8A333889BBB34F0` ```json { "malware": { "origins": { "emails": {}, "CnCServers": { "rows": [ { "type": "CnC", "md5": "474B9CCF5AB9D72CA8A333889BBB34F0", "domain": "pc-guard.net", "firstseen": "2014-10-20T23:19:00Z", "lastseen": "2014-10-20T23:19:00Z", "ip": "61.255.239.86", "count": 483, "schema": "http", "filepath": "v.html", "origin": "CnC", "uri": "http://pc-guard.net/v.html" } ], "count": 1 }, "downloadServers": {}, "subjects": {}, "external": { "detectionCoverage": 44, "family": [ "heuristic", "trojan" ] } }, "type": "md5", "md5": "0x474B9CCF5AB9D72CA8A333889BBB34F0", "hash": "0x474B9CCF5AB9D72CA8A333889BBB34F0", "created": "2014-10-20T23:19:00Z", "family": [ "tsunami" ], "familyMembers": { "tsunami": { "count": 61 } }, "risk": "high" }, "tags": [] } ```
parameters: - name: filehash in: path description: The file hash of the malware, For example, 474B9CCF5AB9D72CA8A333889BBB34F0 required: true schema: pattern: '[0-9A-Fa-f]{32}' type: string responses: 200: description: Successful response content: application/json: schema: $ref: '#/components/schemas/malwareLong' 403: description: Access denied. content: {} 404: description: Not found. content: {} /malware/family/{family}: get: tags: - X-Force Threat Intelligence - Malware summary: | Get Malware for Family description: |- Returns the malware associated with the entered family.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/malware/family/tsunami` ```json { "firstseen": "2012-01-27T00:19:00Z", "malware": [ { "type": "md5", "created": "2014-10-20T23:19:00Z", "family": [ "tsunami" ], "md5": "474B9CCF5AB9D72CA8A333889BBB34F0" }, { "type": "md5", "created": "2014-09-25T23:20:00Z", "family": [ "tsunami" ], "md5": "81414A962240B525A5764B587E71F322" }, { "type": "md5", "created": "2014-05-22T11:17:00Z", "family": [ "tsunami" ], "md5": "834E90F01DFD01D39824F86D43FDF620" }, { "type": "md5", "created": "2014-03-11T21:49:00Z", "family": [ "tsunami" ], "md5": "7980B6E54EB9088791DE2785B289122F" }, ... ... ```
parameters: - name: family in: path description: The malware family, For example, tsunami required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: $ref: '#/components/schemas/extentedMalwareFamily' 403: description: Access denied. content: {} 404: description: Not found. content: {} /malware/familyext/{family}: get: tags: - X-Force Threat Intelligence - Malware summary: | Wildcard search Malware family description: | Returns the malware associated with the entered family using wildcard search.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/malware/familyext/Adware` ```json { "firstseen": "2004-12-05T05:15:00Z", "malware": [ { "type": "md5", "created": "2006-04-21T12:31:00Z", "family": [ "ADWARE/ZangoMediaGateway.A" ], "mimetype": "exe", "md5": "285E20874D7225FA91A5F62E97EC1108" }, { "type": "md5", "created": "2005-04-26T07:54:00Z", "family": [ "ADWARE/Whenu.R" ], "mimetype": "exe", "md5": "5B5562A938D7ECA47D2B7A6D19430BAD" }, { "type": "md5", "created": "2005-10-24T16:03:00Z", "family": [ "ADWARE/WhenU.F.29" ], "mimetype": "exe", "md5": "4AE965B011532D54FD08C69B39E3392B" }, ... ... ```
parameters: - name: family in: path description: 'A search term, for example: Adw*' required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: $ref: '#/components/schemas/malwareFamily' 403: description: Access denied. content: {} 404: description: Not found. content: {} x-navLabel: Wildcard search Malware family /reports/{reportType}: get: tags: - X-Force Threat Intelligence - Premier Threat Intelligence Reports (Premium Tier) summary: | Get premier threat intelligence reports by selected report type description: |- Return premium threat intelligence reports Full access to this information is restricted to paid users. Freemium users will have access to selected set of reports. Please visit this link [https://www.ibm.com/products/xforce-exchange/editions](https://www.ibm.com/products/xforce-exchange/editions) for more information.
Usage ```json [ { "id": "guid:6dfb4b1d41f35991bf8e86bee0e7b59b", "reportId": "report--1d54f766-cd59-4d7e-aef9-9e34f7ea9da8", "created": "2020-08-22T03:00:44Z", "name": "Retail Industry Profile", "type": "industry", "o_type": "industry", "modified": "2023-08-31T17:29:54Z", "published": "2020-08-22T03:00:44Z", "shortDescription": "According to the 2023 IBM X-Force Threat Intelligence Index, the retail industry–along with wholesale–is the fifth most-attacked of all industries and made up 8.7% of total attacks and incidents for the top ten industries in 2022—up from 7.3% the year prior. X-Force assesses that threat actors will continue to target the retail industry for Business Email Compromise (BEC) campaigns, ransomware, and stealing data through trojans and backdoors.According to the 2023 IBM-sponsored Ponemon Cost of a Data Breach study, the retail industry is fourteenth most costly for a data breach, at $2.96 million per breach, on average—coming in below the overall average of $4.45 million. The cost of a data breach in the retail industry often can extend for several years, given new regulations in place and the fact that customer data is often involved. One US retail outlet that was breached back in 2014 paid an additional $1.5 million settlement in 2019 to cover an attack from five years prior.", "locked": false, "statement": "premium" }, ... ] ```
parameters: - name: reportType in: path description: |- Type of report to get. Examples of available report types ``` - threatanalysis - osintadvisory - malware - industry - threatgroup ``` required: true schema: type: string - name: added_after in: query description: to get reports created after specified date, For example, `2022-10-12`. If not specified, the query will return the newest IPs. schema: type: string - name: added_before in: query description: to get reports created before specified date, For example, `2023-01-10`. schema: type: string - name: limit in: query description: the number of returned Malware Analysis Reports, default value is 200. The limit must not be larger than `200`. schema: type: integer - name: skip in: query description: the startingpoint to retrieve entries, default value is 0 schema: type: integer responses: 200: description: Successful response. content: application/json: schema: $ref: '#/components/schemas/threat_intelligence' 403: description: Access denied. content: {} 404: description: Not found. content: {} /report/details/{id}: get: tags: - X-Force Threat Intelligence - Premier Threat Intelligence Reports (Premium Tier) summary: | Get Premier Threat Intelligence Reports by ID description: |- Return a detailed Threat Intelligence Report for a provided ID Full access to this information is restricted to paid users. Freemium users will have access to selected set of reports. Please visit this link [https://www.ibm.com/products/xforce-exchange/editions](https://www.ibm.com/products/xforce-exchange/editions) for more information.
Usage ```json { "objects": [ { "name": "Bad Rabbit Analysis Report", "labels": [ "malware" ], "description": "This malware is the ransomware publicly known as...", "published": "2019-06-28T12:06:11.648107Z", "x_com_ibm_short_description": "This malware is the ransomware publicly known as...", "object_refs: [...]", "type": "report", "id": "report--04c18138-a986-4ba5-bced-10fc651dd112", "created": "2019-05-13T05:38:35.794Z", "modified": "2019-05-13T05:38:35.794Z", }, { "name": "140b88bfebe9d8ecc037f061543958a2", "labels": [ "" ], ... ```
parameters: - name: id in: path description: ID of the Threat Intelligence Report to get required: true schema: type: string responses: 200: description: Successful response. content: application/json: schema: $ref: '#/components/schemas/threat_intelligence_by_id' 403: description: Access denied. content: {} 404: description: Not found. content: {} /signatures/{input}: get: tags: - X-Force Threat Intelligence - Signatures summary: | Get PAM Signature description: |- Returns the signature details associated with the entered pamID or pamName.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/signatures/HTTP_ManageEngine_StatusUpdate_DotDot` ```json { "type": "PAM", "pamid": 2116305, "releaseDate": "2015-03-10T00:00:00Z", "shortDesc": "ManageEngine Desktop Central MSP code execution", "pamName": "HTTP_ManageEngine_StatusUpdate_DotDot", "description": "

This event detects HTTP requests that upload arbitrary files on vulnerable versions of ManageEngine. This may lead to remote code execution.

", "priority": 3, "category": "Suspicious Activity", "products_containing": [ { "prodname": "IBM Security Network Protection", "prodversion": "XPU 35.030", "releasedate": "2015-03-10T00:00:00Z" }, { "prodname": "IBM Security Host Protection for Servers (Unix)", "prodversion": "35.030", "releasedate": "2015-03-10T00:00:00Z" }, { "prodname": "Virtual Server Protection for Vmware", "prodversion": "XPU 35.030", "releasedate": "2015-03-10T00:00:00Z" }, { "prodname": "Proventia Server IPS for Linux technology", "prodversion": "35.030", "releasedate": "2015-03-10T00:00:00Z" }, { "prodname": "Proventia Network IPS", "prodversion": "XPU 35.030", "releasedate": "2015-03-10T00:00:00Z" }, { "prodname": "IBM Security Host Protection for Desktops", "prodversion": "3110", "releasedate": "2015-03-10T00:00:00Z" }, { "prodname": "Proventia Network MFS", "prodversion": "XPU 35.030", "releasedate": "2015-03-10T00:00:00Z" }, { "prodname": "IBM Security Host Protection for Servers (Windows)", "prodversion": "3110", "releasedate": "2015-03-10T00:00:00Z" }, { "prodname": "RealSecure Server Sensor", "prodversion": "XPU 35.030", "releasedate": "2015-03-10T00:00:00Z" } ], "protects_against": { "reported": "2014-08-31T00:00:00Z", "risk_level": 10, "title": "ManageEngine Desktop Central MSP code execution", "xfdbid": 99887 }, "covers": { "total_rows": 1, "rows": [ { "reported": "2014-08-31T00:00:00Z", "risk_level": 10, "title": "ManageEngine Desktop Central MSP code execution", "xfdbid": 99887 } ] } } ```
parameters: - name: input in: path description: can be a pamID, e.g. 2116305
or a pamName, e.g. HTTP_ManageEngine_StatusUpdate_DotDot required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: $ref: '#/components/schemas/signature' 403: description: Access denied. content: {} 404: description: Not found. content: {} /signatures/fulltext: get: tags: - X-Force Threat Intelligence - Signatures summary: | Search Signatures description: |- Returns list of all signatures associated with the search term.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/signatures/fulltext?q=HTTP` ```json { "total_rows": 1127, "bookmark": "g1AAAAJjeJzLYWBg4MhgTmFQTUlKzi9KdUhJstDLTMrVrUjLL0pONTAw1EvOyS9NScwr0ctLLckBKmdKZEiS____f1YGk5v9Y1-RA0CxJAYGZikSjUlSAGm0h5vUvaEBYhIjK6pJ5gRNcgBpjIebxPULahJTMqpJJgRNSgBprIebZMagAPWdP4km5bEASYYGIAU0bD7ENOY1MHc9QTXNlDjTFkBM2w827dGk_zDT5pJl2gGIafchpt3ewAD16QGyfPoAYtp_qGmiULcxu2QBABJuwEo", "rows": [ { "type": "PAM", "priority": "3", "pamid": "2104405", "releaseDate": "2017-05-23T00:00:00Z", "shortDesc": "HTTP EXE file transfer detected", "pamName": "HTTP_XorEncoded_Executable_Transfer" }, { "type": "PAM", "priority": "3", "pamid": "2104390", "releaseDate": "2017-04-11T00:00:00Z", "shortDesc": "Invoke-Kerberoast exploitation tool detected", "pamName": "HTTP_Kerberoast_Detected" }, { "type": "PAM", "priority": "2", "pamid": "2110282", "releaseDate": "2017-03-14T00:00:00Z", "shortDesc": "HTTP SQL \"WAITFORDELAY\" statement usage", "pamName": "HTTP_SQL_Sleep" }, { "type": "PAM", "priority": "3", "pamid": "2116450", "releaseDate": "2016-11-22T00:00:00Z", "shortDesc": "Apache Subversion mod_dav_svn buffer overflow", "pamName": "HTTP_Subversion_ContentLength_Overflow" }, ... ... ```
parameters: - name: q in: query description: Search term, For example, ManageEngine required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: type: object properties: total_rows: minimum: 0 type: integer bookmark: type: string rows: type: array items: $ref: '#/components/schemas/signatureShort' 403: description: Access denied. content: {} 404: description: Not found. content: {} /signatures/xpu/{xpu}: get: tags: - X-Force Threat Intelligence - Signatures summary: | Get by XPU description: |- Returns list of all signatures associated with the entered XPU.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/signatures/xpu/XPU%2035.062` ```json { "rows": [ { "priority": 3, "pamid": 2114633, "releaseDate": "2015-06-25T00:00:00Z", "shortDesc": "Adobe Flash Player buffer overflow", "pamName": "Flv_Audio_Heap_Overflow", "category": "Unauthorized Access Attempt", "xfdbid": 104002 }, { "priority": 3, "pamid": 2114634, "releaseDate": "2015-06-25T00:00:00Z", "shortDesc": "Adobe Flash Player code execution", "pamName": "Swf_Audio_Heap_Overflow", "category": "Unauthorized Access Attempt", "xfdbid": 102264 } ] } ```
parameters: - name: xpu in: path description: 'Search term, For example, : XPU 35.062' required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: type: object properties: rows: type: array items: $ref: '#/components/schemas/signatureShort' 403: description: Access denied. content: {} 404: description: Not found. content: {} /signatures/xpu/directory: get: tags: - X-Force Threat Intelligence - Signatures summary: | Get list of all XPU's description: |- Returns list of all XPU's
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/signatures/xpu/directory` ```json [ { "xpu": "XPU 5.3", "releaseDate": "2002-09-17T00:00:00Z", "signatureCount": 11 }, { "xpu": "XPU 3707.11150", "releaseDate": "2017-07-12T00:00:00Z", "signatureCount": 1 }, { "xpu": "XPU 3707.07115", "releaseDate": "2017-07-11T00:00:00Z", "signatureCount": 17 }, { "xpu": "XPU 3706.23004", "releaseDate": "2017-06-27T00:00:00Z", "signatureCount": 3 }, { "xpu": "XPU 3706.16183", "releaseDate": "2017-06-20T00:00:00Z", "signatureCount": 3 }, { "xpu": "XPU 3706.09145", "releaseDate": "2017-06-13T00:00:00Z", "signatureCount": 34 }, { "xpu": "XPU 37.056", "releaseDate": "2017-05-26T00:00:00Z", "signatureCount": 1 }, { "xpu": "XPU 37.055", "releaseDate": "2017-05-23T00:00:00Z", "signatureCount": 8 }, ... ... ```
responses: 200: description: Successful response content: application/json: schema: type: array items: type: object properties: xpu: type: string releaseDate: type: string signatureCount: type: integer 403: description: Access denied. content: {} /tags/search: get: tags: - X-Force Threat Intelligence - Tags summary: | Tag Search description: |- Returns a list of tagged collections and reports. The tags will be parsed out from the query parameter. A tag has the structure '#example'. Note: Depending on size, the response body for this API may have be trimmed for demo purposes. To see all records for this API please make a CURL request. parameters: - name: q in: query description: Query text. Tags will be parsed from the text. required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: $ref: '#/components/schemas/tagSearch' 401: description: Unauthorized. content: {} 404: description: Not found. content: {} /taxii: post: tags: - X-Force Threat Intelligence - TAXII summary: | Read/Write TAXII Data description: | Trusted Automated eXchange of Indicator Information version 1.1 This is the single endpoint for TAXII services. TAXII message must be transmitted via this endpoint over HTTPS.
Usage #### Example: Send a HTTP POST request with a payload of the TAXII body to `https://api.xforce.ibmcloud.com/taxii` ```json For example, Discovery - will consume 0 records of your total API record usage. Data collection - will consume 0 records of your total API record usage. IPR - will consume 1 record of your total API record usage. URL - will consume 1 record of your total API record usage. All Public Collections - will consume 1 - x records of your total API record usage for each public collection it finds. All Public Collections I follow - will consume 1 - x records of your total API record usage for each collection you follow. Public Collection - will consume 1 record of your total API record usage. Vulnerability - will consume 1 - x records of your total API record usage for each vulnerability returned in the collection. Inbox Message - will consume 0 records of your total API record usage. ```
Available TAXII services are listed as follows:

Note: Please replace the example parameter values in the request body with the one of your interest
TAXII Message Type Data Collection Description

Discovery Request

This message can be used to query all available TAXII services which XFE supports.

Collection Information Request

This message can be used to query all available TAXII data collections you have access.

Poll Request

xfe.botnets

This TAXII data collection can be polled for all botnets.

xfe.default

This TAXII data collection can be polled for XFE default feed. Included with Threat Intelligence for IBM QRadar app.

xfe.collections.public

This TAXII data collection can be polled for XFE public collections. Included with Threat Intelligence for IBM QRadar app.

The result can be restricted to specific XFE collection by ID. Included with Threat Intelligence for IBM QRadar app.

Example Collection ID:

xfe.collections.following

This TAXII data collection can be polled for XFE collections you are following. Included with Threat Intelligence for IBM QRadar app.

xfe.collections.advisory

This TAXII data collection can be polled for XFE public advisories. Included with Threat Intelligence for IBM QRadar app.

xfe.threat_analysis

This TAXII data collection can be polled for XFE threat analysis collections. Full information is restricted to paid users.

xfe.osint_advisory

This TAXII data collection can be polled for XFE osint advisory collections. Full information is restricted to paid users.

xfe.industries

This TAXII data collection can be polled for XFE industries collections. Full information is restricted to paid users.

xfe.malware_analysis

This TAXII data collection can be polled for XFE Malware Analyses collections. Full information is restricted to paid users.

xfe.threat_groups

This TAXII data collection can be polled for XFE threat groups collections. Full information is restricted to paid users.

xfe.threats

This TAXII data collection can be polled for XFE threats collections. Full information is restricted to paid users.

xfe.early_warning.hosts

This TAXII data collection can be polled for all Early Warning hosts. Restricted to paid users.

xfe.early_warning.threats

This TAXII data collection can be polled for all Early Warning threats. Restricted to paid users.

xfe.collectionById.{collectionId}

This type of TAXII data collections is used to poll one XFE collection you have access. A full list may be retrieved first using TAXII Collection Information Request.

Example Collection ID:

xfe.ipr

This TAXII data collection is used to query IP reputation report. You should set constraint to the IP address to query.

Example IP:

xfe.ipr.{category}

This kind of TAXII data collections can be polled for XFE IP reputation report in specific category. You should query for categories with access using TAXII Collection Information Request. Restricted to paid users. Included with Threat Intelligence for IBM QRadar app.

Following are available options:

xfe.url

This TAXII data collection can be polled for XFE URL report. You should set constraint to the URL to query.

Example URL:

xfe.url.{category}

This set of TAXII data collections can be polled for XFE URL report in specific category. You should query for categories with access using TAXII Collection Information Request. Restricted to paid users. Included with Threat Intelligence for IBM QRadar app.

Following are available options:

xfe.vulnerabilities

This TAXII data collection can be polled for XFE vulnerabilities information. You should set constraint to the vulnerability to query.

Example:

Inbox Message

xfe.collectionInbox.{collectionId}

Inbox message against this set of TAXII data collection is used to modify XFE collection of specific collection ID. You should query for collection inboxes with access using TAXII Collection Information Request.

Example Collection ID:

For more information about TAXII, refer to https://taxii.mitre.org/. requestBody: required: true content: application/xml: schema: type: object $ref: '#/components/schemas/taxii_requests' examples: Discovery_Request: value: Collection_Information_Request: value: xfe_botnets: value: xfe_default: value: xfe_collections_public: value: 2017-12-10T00:00:00.000Z2017-12-12T00:00:00.000Z xfe_collection_by_id: value: ** /@id case_insensitive_string 7ac6c4578facafa0de50b72e7bf8f8c4 xfe_collections_following: value: xfe_collections_advisory: value: 2017-12-10T00:00:00.000Z2017-12-12T00:00:00.000Z xfe_threat_analysis: value: 2017-12-10T00:00:00.000Z2017-12-12T00:00:00.000Z xfe_osint_advisory: value: 2017-12-10T00:00:00.000Z2017-12-12T00:00:00.000Z xfe_industries: value: 2017-12-10T00:00:00.000Z2017-12-12T00:00:00.000Z xfe_malware_analyses: value: 2017-12-10T00:00:00.000Z2017-12-12T00:00:00.000Z xfe_threat_groups: value: 2017-12-10T00:00:00.000Z2017-12-12T00:00:00.000Z xfe_threats: value: 2017-12-10T00:00:00.000Z2017-12-12T00:00:00.000Z xfe_early_warning_hosts: value: xfe_early_warning_threats: value: 2021-10-20T10:20:59.406Z2021-10-21T10:20:59.406Z xfe_collectionById_{collectionId}: value: xfe_ipr: value: 2017-05-13T00:00:00.000Z 2017-05-12T00:00:00.000Z ** /@id case_insensitive_string 1.2.3.4 xfe_ipr_{category}: value: 2017-05-10T00:00:00.000Z2017-05-12T00:00:00.000Z xfe_url: value: 2017-05-10T00:00:00.000Z 2017-05-12T00:00:00.000Z ** /@id case_insensitive_string http://www.cnn.com xfe_url_{category}: value: 2017-05-10T00:00:00.000Z2017-05-12T00:00:00.000Z xfe.vulnerabilities: value: 2017-05-10T00:00:00.000Z 2017-05-12T00:00:00.000Z ** /@id case_insensitive_string CVE-2013-3893 xfe_collectionInbox_{collectionId}: value: xfe.collectionInbox.c7341384a62c2bb30058dd974b3c4ed4 1.2.3.4 responses: 200: description: TAXII Response operationId: taxii.post /taxii2: get: tags: - X-Force Threat Intelligence - TAXII2 summary: Get API Root Information description: |- Returns api root resource contains general information about the API Root. Returns information contains title, description, TAXII versions and maximum size of the content body. #### Curl Example: ``` curl -u {apikey:password} -H "Accept: application/vnd.oasis.taxii+json; version=2.0" https://api.xforce.ibmcloud.com/taxii2 ```
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/taxii2` ```json { "title":"IBM X-Force Exchange TAXII 2 API Root", "description":"TAXII 2 service for X-Force Exchange user", "versions":[ "taxii-2.0" ], "max_content_length":10000000 } ```
parameters: - name: User-Agent in: header description: 'User-Agent is recommended to pass in request header for TAXII 2.1, its not mandatory. The User-Agent header is used by HTTP to identify the TAXII Client software name and version.' required: false schema: type: string responses: 200: description: Successful response content: application/vnd.oasis.taxii+json; version=2.0: example: |- { "title":"IBM X-Force Exchange TAXII 2 API Root", "description":"TAXII 2 service for X-Force Exchange user", "versions":[ "taxii-2.0" ], "max_content_length":10000000 } application/vnd.oasis.taxii+json; version=2.1: example: |- { "title":"IBM X-Force Exchange TAXII 2 API Root", "description":"TAXII 2 service for X-Force Exchange user", "versions":[ "application/taxii+json;version=2.1" ], "max_content_length":10000000 } 401: description: Unauthorized content: application/vnd.oasis.taxii+json; version=2.0: schema: $ref: '#/components/schemas/ErrorModelForTaxii' /taxii2/discovery: get: tags: - X-Force Threat Intelligence - TAXII2 summary: Get Server Discovery Resource description: |- Returns a discovery resource contains information about a TAXII Server. Returns a list of available api roots. #### Curl Example: ``` curl -u {apikey:password} -H "Accept: application/vnd.oasis.taxii+json; version=2.0" https://api.xforce.ibmcloud.com/api/taxii2/discovery ```
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/api/taxii2/discovery` ```json { "title":"IBM X-Force Exchange TAXII 2 Server", "description":"IBM X-Force Exchange TAXII 2 server contains 2 API Roots", "contact":"please contact your IBM sales representative", "default":"https://api.xforce.ibmcloud.com/taxii2", "api_roots":[ "https://api.xforce.ibmcloud.com/taxii2", "https://api.xforce.ibmcloud.com/xfti" ] } ```
parameters: - name: User-Agent in: header description: 'User-Agent is recommended to pass in request header for TAXII 2.1, its not mandatory. The User-Agent header is used by HTTP to identify the TAXII Client software name and version.' required: false schema: type: string responses: 200: description: Successful response content: application/vnd.oasis.taxii+json; version=2.0: example: |- { "title": "IBM X-Force Exchange TAXII 2 Server", "description": "IBM X-Force Exchange TAXII 2 server contains 2 API Roots", "contact": "please contact your IBM sales representative", "default": "https://api.xforce.ibmcloud.com/taxii2", "api_roots":[ "https://api.xforce.ibmcloud.com/taxii2", "https://api.xforce.ibmcloud.com/xfti" ] } 401: description: Unauthorized content: application/json: schema: $ref: '#/components/schemas/ErrorModelForTaxii' /taxii2/collections: get: tags: - X-Force Threat Intelligence - TAXII2 summary: Get Collections description: |- Returns general information about all accessiable collections. Returns a list of public/private/shared collection resources which users have the access. #### Curl Example: ``` curl -u {apikey:password} -H "Accept: application/vnd.oasis.taxii+json; version=2.0" https://api.xforce.ibmcloud.com/taxii2/collections ```
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/taxii2/collections` ```json { "collections": [ { "id": "public", "title": "XFE Public Collections", "can_read": true, "can_write": false, "media_types": [ "application/vnd.oasis.stix+json; version=2.0" ] }, { "id": "d4ff8286-b4ed-38f7-0520-4cbfcf8216fa", "title": "My Private Collection", "description": "This is a private collection", "can_read": true, "can_write": true, "media_types": [ "application/vnd.oasis.stix+json; version=2.0" ] } ] } ```
parameters: - name: User-Agent in: header description: 'User-Agent is recommended to pass in request header for TAXII 2.1, its not mandatory. The User-Agent header is used by HTTP to identify the TAXII Client software name and version.' required: false schema: type: string responses: 200: description: Successful response content: application/vnd.oasis.taxii+json; version=2.0: example: |- { "collections": [ { "id": "public", "title": "XFE Public Collections", "can_read": true, "can_write": false, "media_types": [ "application/vnd.oasis.stix+json; version=2.0" ] }, { "id": "d4ff8286-b4ed-38f7-0520-4cbfcf8216fa", "title": "My Private Collection", "description": "This is a private collection", "can_read": true, "can_write": true, "media_types": [ "application/vnd.oasis.stix+json; version=2.0" ] } ] } application/vnd.oasis.taxii+json; version=2.1: example: |- { "collections": [ { "id": "public", "title": "XFE Public Collections", "can_read": true, "can_write": false, "media_types": [ "application/vnd.oasis.stix+json; version=2.1" ] }, { "id": "d4ff8286-b4ed-38f7-0520-4cbfcf8216fa", "title": "My Private Collection", "description": "This is a private collection", "can_read": true, "can_write": true, "media_types": [ "application/vnd.oasis.stix+json; version=2.1" ] } ] } 401: description: Unauthorized content: application/vnd.oasis.taxii+json; version=2.0: schema: $ref: '#/components/schemas/ErrorModelForTaxii' /taxii2/collections/{collectionID}: get: tags: - X-Force Threat Intelligence - TAXII2 summary: Get Collection by ID description: |- Returns information for a specific collection. Returns general information about the collection, such as id, title, description, can_read, can_write and media_types. {collectionID} must be in UUID format or 'public'. For example: d4ff8286-b4ed-38f7-0520-4cbfcf8216fa. Collection ID 'public' is an pseudo-collection that contains objects for all public collections. #### Curl Example: ``` curl -u {apikey:password} -H "Accept: application/vnd.oasis.taxii+json; version=2.0" https://api.xforce.ibmcloud.com/taxii2/collections/d4ff8286-b4ed-38f7-0520-4cbfcf8216fa ```
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/taxii2/collections/d4ff8286-b4ed-38f7-0520-4cbfcf8216fa` ```json { "id": "d4ff8286-b4ed-38f7-0520-4cbfcf8216fa", "title": "My Private Collection", "description": "This is my private collection.", "can_read": true, "can_write": true, "media_types":[ "application/vnd.oasis.stix+json; version=2.0" ] } ```
parameters: - name: collectionID in: path description: 'ID Of the Collection to get. For example: 08731219-f663-e444-dc82-4f6aac9b5aae, early_warning_hosts, early_warning_threats' required: true schema: type: string - name: User-Agent in: header description: 'User-Agent is recommended to pass in request header for TAXII 2.1, its not mandatory. The User-Agent header is used by HTTP to identify the TAXII Client software name and version.' required: false schema: type: string responses: 200: description: Successful response content: application/vnd.oasis.taxii+json; version=2.0: example: |- { "id": "08731219-f663-e444-dc82-4f6aac9b5aae", "title": "Casefile Preview TestFileCase", "description": "xfetest2Contents", "can_read": true, "can_write": false, "media_types":[ "application/vnd.oasis.stix+json; version=2.0" ] } application/vnd.oasis.taxii+json; version=2.1: example: |- { "id": "08731219-f663-e444-dc82-4f6aac9b5aae", "title": "Casefile Preview TestFileCase", "description": "xfetest2Contents", "can_read": true, "can_write": false, "media_types":[ "application/vnd.oasis.stix+json; version=2.1" ] } 401: description: Unauthorized content: application/vnd.oasis.taxii+json; version=2.0: schema: $ref: '#/components/schemas/ErrorModelForTaxii' 403: description: The client does not have access to get the collection content: application/vnd.oasis.taxii+json; version=2.0: schema: $ref: '#/components/schemas/ErrorModelForTaxii' 404: description: The collection cannot be found content: application/vnd.oasis.taxii+json; version=2.0: schema: $ref: '#/components/schemas/ErrorModelForTaxii' /taxii2/collections/{collectionID}/objects: get: tags: - X-Force Threat Intelligence - TAXII2 summary: Get Objects by Collection ID description: |- Returns objects information from a collection. Retrive all avaiable objects in a Collection. {collectionID} must be in UUID format. For example: d4ff8286-b4ed-38f7-0520-4cbfcf8216fa. #### Curl Example: ``` curl -u {apikey:password} -H "Accept: application/vnd.oasis.stix+json; version=2.0" https://api.xforce.ibmcloud.com/taxii2/collections/d4ff8286-b4ed-38f7-0520-4cbfcf8216fa/objects ```
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/taxii2/collections/d4ff8286-b4ed-38f7-0520-4cbfcf8216fa/objects` ```json { "spec_version": "2.0", "type": "bundle", "id": "bundle--f7704a07-1b04-494c-ae9c-1fb210e71230", "objects":[ { "id": "indicator--785e77ae-c9e5-7035-bfab-c5a633302fd7", "type": "indicator", "created": "2002-05-08T14:29:00.000Z", "modified": "2002-05-08T14:29:00.000Z", "labels":["xfe-malware-risk-high", "exploit-kit", "trojan", "virus"], "name": "File hash indicator for md5 hash 785e77aec9e57035bfabc5a633302fd7", "description": "File hash indicator for md5 hash 785e77aec9e57035bfabc5a633302fd7", "pattern": "[ file:hashes.MD5 = '785e77aec9e57035bfabc5a633302fd7' ]", "valid_from": "2002-05-08T14:29:00.000Z" }, { "id": "indicator--c4aa6818-6ae3-4f4e-afd7-25cc391da5d6", "type": "indicator", "created": "2012-03-22T07:26:00.000Z", "modified": "2018-01-31T08:10:00.000Z", "labels":["anomalous-activity", "xfe-threat-score-4.3"], "name": "IP Report for IP address 1.2.3.4", "description": "At least one of the websites that is hosted on this IP address contains content of the aforementioned category.", "pattern": "[ ipv4-addr:value = '1.2.3.4' ]", "valid_from": "2018-01-31T08:10:00.000Z" } ] } ```
parameters: - name: collectionID in: path description: 'ID Of the Collection to get. For example: 08731219-f663-e444-dc82-4f6aac9b5aae, early_warning_hosts, early_warning_threats' required: true schema: type: string - name: added_after in: query description: 'Filter the result set to only include the items added after the specified time. For example: 2019-04-29T10:07:38.165Z' schema: type: string - name: added_before in: query description: 'Filter the result set to only include the items added before the specified time. For example: 2019-04-29T10:07:38.165Z' schema: type: string - name: User-Agent in: header description: 'User-Agent is recommended to pass in request header for TAXII 2.1, its not mandatory. The User-Agent header is used by HTTP to identify the TAXII Client software name and version.' required: false schema: type: string responses: 200: description: Successful response content: ["application/vnd.oasis.stix+json; version=2.0","application/vnd.oasis.taxii+json; version=2.0"]: example: |- { "spec_version": "2.0", "type": "bundle", "id": "bundle--f7704a07-1b04-494c-ae9c-1fb210e71230", "objects":[ { "id": "indicator--785e77ae-c9e5-7035-bfab-c5a633302fd7", "type": "indicator", "created": "2002-05-08T14:29:00.000Z", "modified": "2002-05-08T14:29:00.000Z", "labels":["xfe-malware-risk-high", "exploit-kit", "trojan", "virus"], "name": "File hash indicator for md5 hash 785e77aec9e57035bfabc5a633302fd7", "description": "File hash indicator for md5 hash 785e77aec9e57035bfabc5a633302fd7", "pattern": "[ file:hashes.MD5 = '785e77aec9e57035bfabc5a633302fd7' ]", "valid_from": "2002-05-08T14:29:00.000Z" }, { "id": "indicator--c4aa6818-6ae3-4f4e-afd7-25cc391da5d6", "type": "indicator", "created": "2012-03-22T07:26:00.000Z", "modified": "2018-01-31T08:10:00.000Z", "labels":["anomalous-activity", "xfe-threat-score-4.3"], "name": "IP Report for IP address 1.2.3.4", "description": "At least one of the websites that is hosted on this IP address contains content of the aforementioned category.", "pattern": "[ ipv4-addr:value = '1.2.3.4' OR url:value = 'folderfile.net' ]", "valid_from": "2018-01-31T08:10:00.000Z" } ] } ["application/vnd.oasis.stix+json; version=2.1","application/vnd.oasis.taxii+json; version=2.1"]: example: |- { "objects":[ { "id": "indicator--785e77ae-c9e5-7035-bfab-c5a633302fd7", "type": "indicator", "created": "2002-05-08T14:29:00.000Z", "modified": "2002-05-08T14:29:00.000Z", "labels":["xfe-malware-risk-high", "exploit-kit", "trojan", "virus"], "name": "File hash indicator for md5 hash 785e77aec9e57035bfabc5a633302fd7", "description": "File hash indicator for md5 hash 785e77aec9e57035bfabc5a633302fd7", "pattern": "[ file:hashes.MD5 = '785e77aec9e57035bfabc5a633302fd7' ]", "valid_from": "2002-05-08T14:29:00.000Z" }, { "id": "indicator--c4aa6818-6ae3-4f4e-afd7-25cc391da5d6", "type": "indicator", "created": "2012-03-22T07:26:00.000Z", "modified": "2018-01-31T08:10:00.000Z", "labels":["anomalous-activity", "xfe-threat-score-4.3"], "name": "IP Report for IP address 1.2.3.4", "description": "At least one of the websites that is hosted on this IP address contains content of the aforementioned category.", "pattern": "[ ipv4-addr:value = '1.2.3.4' OR url:value = 'folderfile.net' ]", "valid_from": "2018-01-31T08:10:00.000Z" } ] } 401: description: Unauthorized content: application/vnd.oasis.stix+json; version=2.0: schema: $ref: '#/components/schemas/ErrorModelForTaxii' 403: description: The client does not have access to get the collection content: application/vnd.oasis.stix+json; version=2.0: schema: $ref: '#/components/schemas/ErrorModelForTaxii' 404: description: The collection cannot be found content: application/vnd.oasis.stix+json; version=2.0: schema: $ref: '#/components/schemas/ErrorModelForTaxii' 406: description: No acceptable type specified content: application/vnd.oasis.stix+json; version=2.0: schema: $ref: '#/components/schemas/ErrorModelForTaxii' /taxii2/collections/{collectionID}/objects/{objectID}: get: tags: - X-Force Threat Intelligence - TAXII2 summary: Get Object by Object ID description: |- Returns an object from a Collection by object id. Returns general information for the specific object in one collection. #### Curl Example: ``` curl -u {apikey:password} -H "Accept: application/vnd.oasis.stix+json; version=2.0" https://api.xforce.ibmcloud.com/taxii2/collections/d4ff8286-b4ed-38f7-0520-4cbfcf8216fa/objects/indicator--4387a7a4-67d4-33d5-58fb-59bfad9c17a3 ```
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/taxii2/collections/d4ff8286-b4ed-38f7-0520-4cbfcf8216fa/objects/indicator--4387a7a4-67d4-33d5-58fb-59bfad9c17a3` ```json { "spec_version": "2.0", "type": "bundle", "id": "bundle--f7704a07-1b04-494c-ae9c-1fb210e71230" "objects": [ { "id": "indicator--785e77ae-c9e5-7035-bfab-c5a633302fd7", "type": "indicator", "created": "2002-05-08T14:29:00.000Z", "modified": "2002-05-08T14:29:00.000Z", "labels": [ "xfe-malware-risk-high", "exploit-kit", "trojan", "virus" ], "name": "File hash indicator for md5 hash 785e77aec9e57035bfabc5a633302fd7", "description": "File hash indicator for md5 hash 785e77aec9e57035bfabc5a633302fd7", "pattern": "[ file:hashes.MD5 = '785e77aec9e57035bfabc5a633302fd7' ]", "valid_from": "2002-05-08T14:29:00.000Z" } ] } ```
parameters: - name: collectionID in: path description: 'ID Of the Collection to get. ID must be in UUID format. For example: d4ff8286-b4ed-38f7-0520-4cbfcf8216fa, early_warning_hosts, early_warning_threats' required: true schema: type: string - name: objectID in: path description: 'ID Of the Object to get. ID must be STIX2 identifier format. For example: indicator--785e77ae-c9e5-7035-bfab-c5a633302fd7' required: true schema: type: string - name: User-Agent in: header description: 'User-Agent is recommended to pass in request header for TAXII 2.1, its not mandatory. The User-Agent header is used by HTTP to identify the TAXII Client software name and version.' required: false schema: type: string responses: 200: description: Successful response content: ["application/vnd.oasis.stix+json; version=2.0","application/vnd.oasis.taxii+json; version=2.0"]: example: |- { "spec_version": "2.0", "type": "bundle", "id": "bundle--f7704a07-1b04-494c-ae9c-1fb210e71230", "objects": [ { "id": "indicator--785e77ae-c9e5-7035-bfab-c5a633302fd7", "type": "indicator", "created": "2002-05-08T14:29:00.000Z", "modified": "2002-05-08T14:29:00.000Z", "labels": [ "xfe-malware-risk-high", "exploit-kit", "trojan", "virus" ], "name": "File hash indicator for md5 hash 785e77aec9e57035bfabc5a633302fd7", "description": "File hash indicator for md5 hash 785e77aec9e57035bfabc5a633302fd7", "pattern": "[ file:hashes.MD5 = '785e77aec9e57035bfabc5a633302fd7' ]", "valid_from": "2002-05-08T14:29:00.000Z" } ] } ["application/vnd.oasis.stix+json; version=2.1","application/vnd.oasis.taxii+json; version=2.1"]: example: |- { "objects": [ { "id": "indicator--785e77ae-c9e5-7035-bfab-c5a633302fd7", "type": "indicator", "created": "2002-05-08T14:29:00.000Z", "modified": "2002-05-08T14:29:00.000Z", "labels": [ "xfe-malware-risk-high", "exploit-kit", "trojan", "virus" ], "name": "File hash indicator for md5 hash 785e77aec9e57035bfabc5a633302fd7", "description": "File hash indicator for md5 hash 785e77aec9e57035bfabc5a633302fd7", "pattern": "[ file:hashes.MD5 = '785e77aec9e57035bfabc5a633302fd7' ]", "valid_from": "2002-05-08T14:29:00.000Z" } ] } 401: description: Unauthorized content: application/vnd.oasis.stix+json; version=2.0: schema: $ref: '#/components/schemas/ErrorModelForTaxii' 403: description: The client does not have access to get the collection content: application/vnd.oasis.stix+json; version=2.0: schema: $ref: '#/components/schemas/ErrorModelForTaxii' 404: description: The collection cannot be found content: application/vnd.oasis.stix+json; version=2.0: schema: $ref: '#/components/schemas/ErrorModelForTaxii' 406: description: No acceptable type specified content: application/vnd.oasis.stix+json; version=2.0: schema: $ref: '#/components/schemas/ErrorModelForTaxii' /taxii2/collections/{collectionID}/objects/{objectID}/versions: get: tags: - X-Force Threat Intelligence - TAXII2 summary: Get Object's version by Object ID description: |- Returns an object's version from a Collection by object id. Returns version information for the specific object in one collection. #### Curl Example: ``` curl -u {apikey:password} -H "Accept: application/vnd.oasis.stix+json; version=2.0" https://api.xforce.ibmcloud.com/taxii2/collections/d4ff8286-b4ed-38f7-0520-4cbfcf8216fa/objects/indicator--4387a7a4-67d4-33d5-58fb-59bfad9c17a3/versions ```
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/taxii2/collections/d4ff8286-b4ed-38f7-0520-4cbfcf8216fa/objects/indicator--4387a7a4-67d4-33d5-58fb-59bfad9c17a3/versions` ```json { "versions": ["2022-03-29T01:16:17.000Z"] } ```
parameters: - name: collectionID in: path description: 'ID Of the Collection to get. ID must be in UUID format. For example: d4ff8286-b4ed-38f7-0520-4cbfcf8216fa, early_warning_hosts, early_warning_threats' required: true schema: type: string - name: objectID in: path description: 'ID Of the Object to get. ID must be STIX2 identifier format. For example: indicator--785e77ae-c9e5-7035-bfab-c5a633302fd7' required: true schema: type: string - name: User-Agent in: header description: 'User-Agent is recommended to pass in request header for TAXII 2.1, its not mandatory. The User-Agent header is used by HTTP to identify the TAXII Client software name and version.' required: false schema: type: string responses: 200: description: Successful response content: application/vnd.oasis.stix+json; version=2.0: example: |- { "versions": ["2022-03-29T01:16:17.000Z"] } application/vnd.oasis.stix+json; version=2.1: example: |- { "versions": ["2022-03-29T01:16:17.000Z"] } 401: description: Unauthorized content: application/vnd.oasis.stix+json; version=2.0: schema: $ref: '#/components/schemas/ErrorModelForTaxii' 403: description: The client does not have access to get the collection content: application/vnd.oasis.stix+json; version=2.0: schema: $ref: '#/components/schemas/ErrorModelForTaxii' 404: description: The collection cannot be found content: application/vnd.oasis.stix+json; version=2.0: schema: $ref: '#/components/schemas/ErrorModelForTaxii' 406: description: No acceptable type specified content: application/vnd.oasis.stix+json; version=2.0: schema: $ref: '#/components/schemas/ErrorModelForTaxii' /taxii2/collections/{collectionID}/manifest: get: tags: - X-Force Threat Intelligence - TAXII2 summary: Get manifest by Collection ID description: |- Returns manifest about objects from a Collection. Returns manifest information about all available objects. The information contains id, date_added and media_types. {collectionID} must be in UUID format. For example: d4ff8286-b4ed-38f7-0520-4cbfcf8216fa. #### Curl Example: ``` curl -u {apikey:password} -H "Accept: application/vnd.oasis.taxii+json; version=2.0" https://api.xforce.ibmcloud.com/taxii2/collections/d4ff8286-b4ed-38f7-0520-4cbfcf8216fa/manifest ```
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/taxii2/collections/d4ff8286-b4ed-38f7-0520-4cbfcf8216fa/manifest` ```json { "objects": [ { "id": "indicator--785e77ae-c9e5-7035-bfab-c5a633302fd7", "date_added": "2002-05-08T14:29:00.000Z", "media_type": [ "application/vnd.oasis.stix+json; version=2.0" ] }, { "id": "indicator--c4aa6818-6ae3-4f4e-afd7-25cc391da5d6", "date_added": "2018-01-31T08:10:00.000Z", "media_type": [ "application/vnd.oasis.stix+json; version=2.0" ] }, { "id": "indicator--71cf970a-da88-42e2-b23f-c327abd024ce", "date_added": "2014-01-01T00:00:00.000Z", "media_type": [ "application/vnd.oasis.stix+json; version=2.0" ] } ] } ```
parameters: - name: collectionID in: path description: 'ID Of the Collection to get. ID must be in UUID format. For example: d4ff8286-b4ed-38f7-0520-4cbfcf8216fa, early_warning_hosts, early_warning_threats' required: true schema: type: string - name: added_after in: query description: 'Filter the result set to only include the items added after the specified time. For example: 2019-04-29T10:07:38.165Z' schema: type: string - name: added_before in: query description: 'Filter the result set to only include the items added before the specified time. For example: 2019-04-29T10:07:38.165Z' schema: type: string - name: User-Agent in: header description: 'User-Agent is recommended to pass in request header for TAXII 2.1, its not mandatory. The User-Agent header is used by HTTP to identify the TAXII Client software name and version.' required: false schema: type: string responses: 200: description: Successful response content: application/vnd.oasis.taxii+json; version=2.0: example: |- { "objects": [ { "id": "indicator--785e77ae-c9e5-7035-bfab-c5a633302fd7", "date_added": "2002-05-08T14:29:00.000Z", "media_type": [ "application/vnd.oasis.stix+json; version=2.0" ] }, { "id": "indicator--c4aa6818-6ae3-4f4e-afd7-25cc391da5d6", "date_added": "2018-01-31T08:10:00.000Z", "media_type": [ "application/vnd.oasis.stix+json; version=2.0" ] }, { "id": "indicator--71cf970a-da88-42e2-b23f-c327abd024ce", "date_added": "2014-01-01T00:00:00.000Z", "media_type": [ "application/vnd.oasis.stix+json; version=2.0" ] } ] } application/vnd.oasis.taxii+json; version=2.1: example: |- { "more": false, "objects": [ { "id": "indicator--785e77ae-c9e5-7035-bfab-c5a633302fd7", "date_added": "2002-05-08T14:29:00.000Z", "media_type": [ "application/vnd.oasis.stix+json; version=2.1" ], "versions": [ "2016-02-02T12:30:59.000Z", "2016-02-02T12:30:59.000Z" ] }, { "id": "indicator--c4aa6818-6ae3-4f4e-afd7-25cc391da5d6", "date_added": "2018-01-31T08:10:00.000Z", "media_type": [ "application/vnd.oasis.stix+json; version=2.1" ], "versions": [ "2016-02-02T12:30:59.000Z", "2016-02-02T12:30:59.000Z" ] }, { "id": "indicator--71cf970a-da88-42e2-b23f-c327abd024ce", "date_added": "2014-01-01T00:00:00.000Z", "media_type": [ "application/vnd.oasis.stix+json; version=2.1" ], "versions": [ "2016-02-02T12:30:59.000Z", "2016-02-02T12:30:59.000Z" ] } ] } 401: description: Unauthorized content: application/vnd.oasis.taxii+json; version=2.0: schema: $ref: '#/components/schemas/ErrorModelForTaxii' 403: description: The client does not have access to get the collection content: application/vnd.oasis.taxii+json; version=2.0: schema: $ref: '#/components/schemas/ErrorModelForTaxii' 404: description: The collection cannot be found content: application/vnd.oasis.taxii+json; version=2.0: schema: $ref: '#/components/schemas/ErrorModelForTaxii' /url: get: tags: - X-Force Threat Intelligence - URL summary: | Get URLs by Category description: | Return a list of URLs according to the category and date range. Access to this information is restricted to paid users. Please visit this link [https://www.ibm.com/products/xforce-exchange/editions](https://www.ibm.com/products/xforce-exchange/editions) for more information
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/url?category=Malware` ```json { "category": "Malware", "rows": [ { "url": "hottycams.com", "created": "2017-07-14T10:17:00.390Z" }, { "url": "ionios-sa.gr/counter", "created": "2017-07-14T10:12:00.477Z" }, { "url": "support4u.pl/counter", "created": "2017-07-14T10:12:00.477Z" }, { "url": "sneakystreams.com/freeyouporndownloader.html", "created": "2017-07-14T02:02:00.890Z" }, { "url": "hgssyouth.com/hgf65g/hgf65g", "created": "2017-07-13T17:47:00.817Z" }, { "url": "0x00000000000000000000FFFFB211AAD3/panel/lib/bs.dll.c", "created": "2017-07-13T16:07:01.017Z" }, { "url": "login.e.cantonfair.com.login.login.cf.locale.en.us.returnurl.xtrapolate.com/trade.htm", "created": "2017-07-13T14:07:00.137Z" }, ... ... "nextPage": "/url?category=Malware&limit=3&endDate=2017-07-14T16:07:01.017ZZ&skip=3", "previousPage": "/url?category=Malware&startDate=2017-07-14T16:07:01.017Z&descending=false&limit=3" ```
parameters: - name: category in: query description: |- categories for URLs, For example, ``` - Illegal Activities - Computer Crime / Hacking - Warez / Software Piracy - Violence / Extreme - Spam URLs - Malware - Phishing URLs - Botnet Command and Control Server ``` For a full list of supported categories see here required: true schema: type: string - name: startDate in: query description: the start of the date range for searching, For example, `2016-01-01T00:00:00Z`. schema: type: string - name: endDate in: query description: the end of the date range for searching, For example, `2016-01-01T00:00:00Z`. If not specified, the query will return the newest URLs. schema: type: string - name: descending in: query description: the order of returned URLs according to the created date and URLs, default value is true schema: type: string - name: limit in: query description: the number of returned URLs, default value is 200 when not specified. The limit must not be larger than `10000`. schema: type: integer - name: skip in: query description: the number of URLs to be skipped while searching. schema: type: integer responses: 200: description: |- Successful response. The attribute `rows` contains the URLs that are in the specified category and date range. The attribute `nextPage` contains the query to retrieve the subsequent URLs later in time. Analogously, the attribute `previousPage` contains the query to retrieve the ones earlier in time. content: application/json: example: category: string rows: - url: string created: string nextPage: string previousPage: string 403: description: Access denied. content: {} 404: description: Not found. content: {} /url/{url}: get: tags: - X-Force Threat Intelligence - URL summary: | Get URL Report description: |- Returns the URL report for the entered URL.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/url/www.ibm.com%2Fsmarterplanet` ```json { "result": { "url": "www.ibm.com", "cats": { "Software / Hardware": true, "General Business": true }, "score": 1, "application": { "canonicalName": "ibm kenexa companalyst", "name": "IBM Kenexa CompAnalyst", "description": "An compensation tool for employees.", "actionDescriptions": {}, "categories": { "Software / Hardware": true, "General Business": true }, "categoryDescriptions": { "Software / Hardware": "This category includes Web sites from the area of software, computer hardware and other electronic components.", "General Business": "This category includes Web sites of industry, business, economy and supply of services." }, "id": 8678, "actions": {}, "score": 0.2, "baseurl": "http://01.ibm.com/software/smarterworkforce/compensation_divestiture", "urls": [ "ibm.com", "www-03.ibm.com" ], "riskfactors": { "insecure communication": { "value": 16, "description": "Limited parts of this application are provided over an unencrypted connection" } } }, "categoryDescriptions": { "Software / Hardware": "This category includes Web sites from the area of software, computer hardware and other electronic components.", "General Business": "This category includes Web sites of industry, business, economy and supply of services." } }, "associated": [ { "url": "ibm.com", "cats": { "Software / Hardware": true, "General Business": true }, "score": 1, "categoryDescriptions": { "Software / Hardware": "This category includes Web sites from the area of software, computer hardware and other electronic components.", "General Business": "This category includes Web sites of industry, business, economy and supply of services." } } ], "tags": [] } ```
parameters: - name: url in: path description: url For example, ibm.com, www.ibm.com/smarterplanet required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: $ref: '#/components/schemas/urlLong' 403: description: Access denied. content: {} 404: description: Not found. content: {} /url/history/{url}: get: tags: - X-Force Threat Intelligence - URL summary: | Get URL History description: |- Returns the URL history for the entered URL.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/url/history/www.ibm.com` ```json { "url": "www.ibm.com", "created": "2014-01-01T00:00:00.000Z", "cats": { "Software / Hardware": { "confidence": 100, "reasons": [ { "id": "XFR", "name": "X-Force Research", "description": "X-Force Research" } ], "description": "This category includes Web sites from the area of software, computer hardware and other electronic components." }, "General Business": { "confidence": 100, "reasons": [ { "id": "XFR", "name": "X-Force Research", "description": "X-Force Research" } ], "description": "This category includes Web sites of industry, business, economy and supply of services." } }, "score": 1, "history": [ { "url": "www.ibm.com", "created": "2014-01-01T00:00:00.000Z", "cats": { "Software / Hardware": { "confidence": 100, "reasons": [], "description": "This category includes Web sites from the area of software, computer hardware and other electronic components." }, "General Business": { "confidence": 100, "reasons": [], "description": "This category includes Web sites of industry, business, economy and supply of services." } }, "score": 1 } ] } ```
parameters: - name: url in: path description: For example, ibm.com, www.ibm.com/smarterplanet required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: $ref: '#/components/schemas/urlHistory' 403: description: Access denied. content: {} 404: description: Not found. content: {} /url/malware/{url}: get: tags: - X-Force Threat Intelligence - URL summary: | Get Malware for URL description: |- Returns the malware associated with the entered URL.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/url/malware/media.com` ```json { "malware": [ { "type": "SPM", "md5": "655AB3F2EB92AD80121B759802EF611A", "domain": "media.com", "firstseen": "2015-06-17T15:30:00Z", "lastseen": "2015-06-17T15:30:00Z", "ip": "108.6.250.14", "count": 1, "filepath": "informed_id_40483_contact.zip", "origin": "SPM", "uri": "informed_id_40483_contact.zip", "family": [ "Spam Zero-Day" ] } ], "count": 1 } ```
parameters: - name: url in: path description: url For example, mediaget.com required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: type: object properties: count: minimum: 0 type: integer malware: type: array items: $ref: '#/components/schemas/malwareServer' 403: description: Access denied. content: {} 404: description: Not found. content: {} /url/deltas: get: tags: - X-Force Threat Intelligence - URL summary: | Get URL updates (Deltas) description: |- The Delta API provides the data as a bulk download ("base content") for each category supported, followed by periodic downloads of content updates ("deltas") for the category. New base content for each category is created daily (every twenty-four hours), and a new delta pull for each category every 15 minutes. Note: If you already have a pull_id it can be used to fetch delta information only. If not, leave it empty, Delta API will return base content along with pull_id which can be used on next request to fetch delta information only. For more details, refer to the XFE [FAQ](https://exchange.xforce.ibmcloud.com/faq) page.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/url/deltas?category=Malware` ```json { "data": [ { "url": "0x00000000000000000000FFFF2F5C8AF1", "created": "2023-03-01T11:10:00Z", "score": "10" }, { "url": "0x00000000000000000000FFFF2F5C8AF1/update.exe", "created": "2023-03-01T11:07:00Z", "score": "10" }, { "url": "0x00000000000000000000FFFF325748DB/japanesevehicles.us/ebjesn.exe", "created": "2019-10-22T09:44:00Z", "score": "10" }, { "url": "102030.co.il", "created": "2020-07-31T19:35:00Z", "score": "10" }, ... ... ], "pullID": 1681712764084, "createdAt": "2023-04-17T13:37:47.757Z" } ```
parameters: - name: category in: query description: |- categories for URLs, For example, ``` - Illegal Activities - Computer Crime / Hacking - Warez / Software Piracy - Violence / Extreme - Spam URLs - Malware - Phishing URLs - Botnet Command and Control Server ``` For a full list of supported categories see here required: true schema: type: string - name: pull_id in: query description: |- schema: type: integer responses: 200: description: OK - Success with an appropriate response payload. content: application/json: schema: type: object properties: data: type: array items: $ref: '#/components/schemas/urlDeltasItem' pullID: type: integer createdAt: type: string 401: description: Unauthorized - Your requests do not properly include credentials. Retries will not help unless the request format you send changes. 402: description: Payment Required - Your credentials are valid, but the request you made requires a higher level of license. Retries will not help; the account associated with the credentials must be updated, or a different set of (properly authorized) credentials used. 403: description: Forbidden - Your credentials are not valid. Retries will not help. Get a set of valid credentials. 404: description: Not found. 410: description: Gone - The pull ID has expired and become useless. Score data from that base content cannot be updated any further. Discard all retained score data and pull IDs for the category. Start a new "shadow" database and pull chain for the category by downloading new base content and deltas. 500: description: Server Error - These errors are usually temporary, but indicate problems in XFE itself. /url/categories: get: tags: - X-Force Threat Intelligence - URL summary: | Get URL category list description: |- Return a list of URL categories provided by XFE.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/url/categories` ```json [ { "name": "Education", "description": "Includes e-learning Web sites, dictionaries, encyclopaedias, scientific literature and educational institutions such as universities, colleges, schools, kindergartens etc." }, { "name": "Political Parties", "description": "This category contains Web sites of political parties and politicians." }, { "name": "Religion", "description": "Includes Web sites with religious content, information about the five main religions, and religious communities that have emerged out of these religions." }, { "name": "Sects", "description": "This category contains sites about sects, cults, occultism, Satanism etc." }, .... .... ] ```
responses: 200: description: |- Successful response. content: application/json: schema: $ref: '#/components/schemas/iprurlCategories' 404: description: Not found. content: {} /all-subscriptions/usage: get: tags: - X-Force Threat Intelligence - Usage summary: | Get API usage details description: |- Get API usage details per month for each subscription type.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/all-subcriptions/usage` ```json [ { "subscriptionType": "api", "usageData": { "entitlement": 10000, "type": "paid", "usage": [ { "cycle": "2019-09", "usage": "1266" } ], "subscriptionID": "15a25ea8-ba54-4002-8d1e-56b0b63ced1d", "created": "2019-08-26T08:15:57.324Z" }, "meteringType": "quota" }, { "subscriptionType": "xftiall", "usageData": { "entitlement": 1, "type": "paid", "usage": [ { "cycle": "2019-09", "usage": "351" } ], "subscriptionID": "bec07096-76bc-4a5e-9b64-e8a9c6ef3675", "created": "2019-09-25T15:55:26.163Z", "expire": "2020-09-24T15:55:22.632Z" }, "meteringType": "count" } ] ```
responses: 200: description: Successful response content: application/json: schema: type: array items: $ref: '#/components/schemas/usageDetails' 401: description: Unauthorized content: application/json: schema: $ref: '#/components/schemas/ErrorModel' /user/profile: get: tags: - X-Force Threat Intelligence - User summary: | Get User Information description: |- Returns information about the user's profile
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/user/profile` ```json { "connectionsProfile": { "family-name": "DOE", "given-name": "JOHN", "fn": "John Doe", "email": "john.doe@ibm.com", "title": "", "address1": null, "address4": "" }, "statistics": { "numberOfCollections": 7, "numberOfComments": 0, "memberSince": "2017-05-02T13:18:45.084Z", "numberOfGroups": 3 }, "integrations": { "botScout": { "name": "BotScout", "authentication": [ { "label": "API Key", "auth1": "" } ], "types": [ "ip" ], "indicators": null, "link": "http://botscout.com", "active": false }, "ciscoThreatGrid": { "name": "Cisco - Threat Grid", "authentication": [ { "label": "API Key", "auth1": "" } ], "types": [ "ip", "malware", "url" ], "indicators": null, "link": "https://panacea.threatgrid.com", "active": false }, "crowdStrike": { "name": "CrowdStrike", "authentication": [ { "label": "API ID", "auth1": "" }, { "label": "API Key", "auth2": "" } ], "types": [ "url", "ip", "malware" ], "indicators": null, "link": "https://falcon.crowdstrike.com", "active": false }, "phishTank": { "name": "PhishTank", "authentication": [ { "label": "API Key", "auth1": "" } ], "types": [ "url" ], "indicators": null, "link": "https://www.phishtank.com/", "active": false }, "recordedFuture": { "name": "Recorded Future", "authentication": [ { "label": "API Key", "auth1": "" } ], "types": [ "url", "ip", "malware" ], "indicators": null, "link": "https://app.recordedfuture.com/live/", "active": false }, "reversingLabs": { "name": "ReversingLabs", "authentication": [ { "label": "Username", "auth1": "" }, { "label": "Password", "auth2": "" } ], "types": [ "malware", "ip", "url", "malwareFamily" ], "indicators": null, "link": "https://a1000.reversinglabs.com", "active": false }, "riskIQ": { "name": "RiskIQ", "authentication": [ { "label": "API ID", "auth1": "" }, { "label": "API Key", "auth2": "" } ], "types": [ "ip", "url" ], "indicators": null, "link": "https://www.passivetotal.org/search/", "active": false }, "virusTotal": { "name": "VirusTotal", "authentication": [ { "label": "API Key", "auth1": "" } ], "types": [ "malware", "url", "ip" ], "indicators": null, "link": "https://www.virustotal.com", "active": false } } } ```
responses: 200: description: Object with profile information content: application/json: schema: $ref: '#/components/schemas/userProfile' /version: get: tags: - X-Force Threat Intelligence - Version Information summary: | Get Current Version description: |- Returns information on the current running API version.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/version` ```json { "build": "21661a", "created": "2017-07-07T10:59:21.000Z" } ```
responses: 200: description: Object with version information as child content: application/json: schema: $ref: '#/components/schemas/version' 403: description: Access denied. content: application/json: schema: $ref: '#/components/schemas/ErrorModel' /vulnerabilities: post: tags: - X-Force Threat Intelligence - Vulnerabilities summary: | Get Vulnerabilities in bulk description: |- Returns vulnerabilities in bulk.
Usage The list must not have more than 200 search entries. #### Example: Send a HTTP POST request to `https://api.xforce.ibmcloud.com/vulnerabilities/` ```json [ "CVE20209947", "cve202027918", "CVE-2020-9951", "CVE-2020-9948" ] ```
requestBody: description: |- JSON document containing a list of Search term, For example, [CVE-2014-2601, BID-69453, US-CERT VU#546340, RHSA20131456]. The list must not contain more than 200 entries. content: application/json: schema: type: array required: true responses: 200: description: key(stdcode) - value response for the stdcode searched content: application/json: schema: type: object 400: description: Invalid input. content: {} 403: description: Access denied. content: {} 413: description: Limit exceeded. content: {} /vulnerabilities/: get: tags: - X-Force Threat Intelligence - Vulnerabilities summary: | Get Recent Vulnerabilities description: |- Returns recent vulnerabilities.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/vulnerabilities/` ```json [ { "type": "vulnerability", "xfdbid": 125462, "updateid": 34215, "updated": true, "variant": "single", "title": "IBM Daeja ViewONE file download", "description": "IBM Daeja ViewONE Professional, Standard & Virtual 4.1.5.1 and 5.0 could allow an authenticated attacker to download files they should not have access to due to improper access controls. IBM X-Force ID: 125462.", "risk_level": 4.3, "cvss": { "version": "3.0", "privilegesrequired": "Low", "userinteraction": "None", "scope": "Unchanged", "access_vector": "Network", "access_complexity": "Low", "confidentiality_impact": "None", "integrity_impact": "Low", "availability_impact": "None", "remediation_level": "Official Fix" }, "temporal_score": 3.8, "remedy": "Refer to the appropriate IBM Security Bulletin for patch, upgrade or suggested workaround information. See References.", "remedy_fmt": "

Refer to the appropriate IBM Security Bulletin for patch, upgrade or suggested workaround information. See References.

", "reported": "2017-07-12T00:00:00Z", "tagname": "ibm-dejaviewone-cve20171308-file-download", "stdcode": [ "CVE-2017-1308" ], "platforms_affected": [ "IBM Daeja ViewONE 4.1.5.1", "IBM Daeja ViewONE 5.0" ], "exploitability": "Unproven", "consequences": "Gain Access", "references": [ { "link_target": "http://www.ibm.com/support/docview.wss?uid=swg22003806", "link_name": "IBM Security Bulletin 2003806 (Daeja ViewONE)", "description": "Daeja ViewONE arbitrary files can be accessed" }, { "link_target": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1308", "link_name": "CVE-2017-1308", "description": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." } ], "report_confidence": "Confirmed" }, ... ... ```
parameters: - name: startDate in: query description: the start of the date range for searching, For example, `2016-01-01T00:00:00Z`. schema: type: string - name: endDate in: query description: the end of the date range for searching, For example, `2016-01-01T00:00:00Z`. If not specified, the query will return the newest vulnerabilities. schema: type: string - name: descending in: query description: the order of returned Vulnerabilities according to the reported date, default value is true schema: type: string - name: limit in: query description: the number of returned vulnerabilities. Default value set to 200. Default value is set to 7 if start/end date (above) are not specified. The limit must not be larger than `200`. schema: type: integer - name: skip in: query description: the number of Vulnerabilities to be skipped while searching. schema: type: integer responses: 200: description: Successful response content: application/json: schema: type: array items: $ref: '#/components/schemas/vulnerability' 403: description: Access denied. content: {} 404: description: Not found. content: {} /vulnerabilities/change: get: tags: - X-Force Threat Intelligence - Vulnerabilities summary: | Get Updated Vulnerabilities description: |- Returns a list of vulnerabilities that were updated
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/vulnerabilities/changes?descending=false,limit=1` ```json { "rows": [ { "type": "vulnerability", "xfdbid": 181793, "updateid": 4903, "updated": true, "variant": "single", "title": "Adobe DNG Software Development Kit buffer overflow", "description": "Adobe DNG Software Development Kit (SDK) is vulnerable to a heap-based buffer overflow. By persuading a victim to open a specially-crafted document, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.", "description_fmt": "

Adobe DNG Software Development Kit (SDK) is vulnerable to a heap-based buffer overflow. By persuading a victim to open a specially-crafted document, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

", "risk_level": 7.8, "cvss": { "version": "3.0", "privilegesrequired": "None", "userinteraction": "Required", "scope": "Unchanged", "access_vector": "Local", "access_complexity": "Low", "confidentiality_impact": "High", "integrity_impact": "High", "availability_impact": "High", "remediation_level": "Official Fix" }, "temporal_score": 6.8, "remedy": "Refer to Adobe Security Bulletin APSB20-26 for patch, upgrade or suggested workaround information. See References.", "remedy_fmt": "

Refer to Adobe Security Bulletin APSB20-26 for patch, upgrade or suggested workaround information. See References.

", "reported": "2020-05-12T00:00:00Z", "changed": "2020-05-12T22:10:00Z", "tagname": "adobe-dng-cve20209590-bo", "stdcode": [ "CVE-2020-9590" ], "platforms_affected": [ "Adobe DNG Software Development Kit (SDK) 1.5" ], "exploitability": "Unproven", "consequences": "Gain Access", "references": [ { "link_target": "https://helpx.adobe.com/security/products/dng-sdk/apsb20-26.html", "link_name": "Adobe Security Bulletin APSB20-26", "description": "Security?update available?for?Adobe?DNG Software Development Kit (SDK)" }, { "link_target": "https://bugs.chromium.org/p/project-zero/issues/detail?id=2010&can=7&q=modified-after%3Atoday-30&sort=-modified&colspec=ID%20Type%20Status%20Priority%20Milestone%20Owner%20Summary%20Modified%20Cve&cells=tiles&redir=1", "link_name": "Google Security Research Issue 2010", "description": "Adobe DNG SDK memory corruption and other crashes caused by malformed .dng images" }, { "link_target": "https://packetstormsecurity.com/files/157677", "link_name": "Packet Storm Security [05-12-2020]", "description": "Adobe DNG SDK Memory Corruption" }, { "link_target": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9590", "link_name": "CVE-2020-9590", "description": "Adobe DNG Software Development Kit (SDK) 1.5 and earlier versions have a heap overflow vulnerability. Successful exploitation could lead to arbitrary code execution." } ], "signatures": [ { "coverage": "TIFF_DNG_BPS_Overflow", "coverage_date": "2021-02-09T00:00:00Z" } ], "report_confidence": "Confirmed" } ], "previousPage": "", "nextPage": "/vulnerabilities/change?limit=1&descending=false&skip=1" } ```
parameters: - name: startDate in: query description: The start of the date range. For example, `2016-01-01T00:00:00Z`. Must not be later than `endDate`. If not specified, the range will not be restricted. schema: type: string - name: endDate in: query description: The end of the date range. For example, `2016-01-01T00:00:00Z`. If not specified, the range will not be restricted. schema: type: string - name: descending in: query description: The order of returned Vulnerabilities according to the updated date, default value is true. schema: type: string - name: limit in: query description: The number of returned vulnerabilities, default value is 200. The limit must not be larger than `200`. schema: type: integer - name: skip in: query description: The number of Vulnerabilities to be skipped. schema: type: integer responses: 200: description: Successful response content: application/json: schema: type: array items: $ref: '#/components/schemas/vulnerability' 403: description: Access denied. content: {} /vulnerabilities/fulltext: get: tags: - X-Force Threat Intelligence - Vulnerabilities summary: | Search Vulnerabilities description: |- Returns list of all vulnerabilities associated with the search term.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/vulnerabilities/fulltext?q=ESET%20Cyber%20Security%20denial%20of%20service` ```json { "total_rows": 2, "bookmark": "g1AAAADIeJzLYWBgYMpgTmFQS0lKzi9KdUhJMjTUy0zK1a1Iyy9KTjUwMNRLzskvTUnMK9HLSy3JAalPcgCSSfH____PAvNzgYSIkYGhpa6hka6RcYiBgRUYRSUxMPg2ZKEZb0LI-DwWIMnwAEj9R7fCyFDX0EDXyBLFisRpWVkA76s3Kw", "rows": [ { "type": "vulnerability", "xfdbid": 212457, "updateid": 126155, "inserted": true, "variant": "single", "title": "ESET Cyber Security denial of service", "description": "ESET Cyber Security is vulnerable to a denial of service, caused by an unspecified flaw. By sending a specially-crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.", "risk_level": 5.5, "cvss": { "version": "3.0", "privilegesrequired": "Low", "userinteraction": "None", "scope": "Unchanged", "access_vector": "Local", "access_complexity": "Low", "confidentiality_impact": "None", "integrity_impact": "None", "availability_impact": "High", "remediation_level": "Official Fix" }, "temporal_score": 4.8, "remedy": "Upgrade to the latest version of ESET Cyber Security, ESET Cyber Security Pro, ESET Endpoint Antivirus for macOS, ESET Endpoint Security for macOS (6.11.2.0, 6.11.2.0, 6.11.1.0, 6.11.1.0 respectively, or later), available from the ESET Web site. See References.", "remedy_fmt": "

Upgrade to the latest version of ESET Cyber Security, ESET Cyber Security Pro, ESET Endpoint Antivirus for macOS, ESET Endpoint Security for macOS (6.11.2.0, 6.11.2.0, 6.11.1.0, 6.11.1.0 respectively, or later), available from the ESET Web site. See References.

", "reported": "2021-10-29T00:00:00Z", "tagname": "eset-cve202137850-dos", "stdcode": [ "CVE-2021-37850" ], "platforms_affected": [ "ESET Cyber Security 6.10.700", "ESET Cyber Security Pro 6.10.700", "ESET Endpoint Antivirus for macOS 6.10.910.0", "ESET Endpoint Security for macOS 6.10.910.0" ], "exploitability": "Unproven", "consequences": "Denial of Service", "references": [ { "link_target": "http://jvn.jp/en/jp/JVN60553023/index.html", "link_name": "JVN#60553023", "description": "ESET Cyber Security and ESET Endpoint series vulnerable to denial-of-service (DoS)" }, { "link_target": "https://www.eset.com/us/", "link_name": "ESET Web site", "description": "ESET" }, { "link_target": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37850", "link_name": "CVE-2021-37850", "description": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." } ], "report_confidence": "Confirmed" }, { "type": "vulnerability", "xfdbid": 177158, "updateid": 86107, "inserted": true, "variant": "single", "title": "ESET Cyber Security denial of service", "description": "ESET Cyber Security is vulnerable to a denial of service, caused by allowing any user to stop (kill) ESET processes. A local attacker could exploit this vulnerability to cause a denial of service.", "risk_level": 6.2, "cvss": { "version": "3.0", "privilegesrequired": "None", "userinteraction": "None", "scope": "Unchanged", "access_vector": "Local", "access_complexity": "Low", "confidentiality_impact": "None", "integrity_impact": "None", "availability_impact": "High", "remediation_level": "Official Fix" }, "temporal_score": 5.4, "remedy": "Upgrade to the latest version of Cyber Security ( 6.8.300.0 or later), available from the ESET Web site. See References.", "remedy_fmt": "

Upgrade to the latest version of Cyber Security ( 6.8.300.0 or later), available from the ESET Web site. See References.

", "reported": "2019-12-23T00:00:00Z", "tagname": "eset-cybersecurity-cve201917549-dos", "stdcode": [ "CVE-2019-17549" ], "platforms_affected": [ "ESET Cyber Security for macOS" ], "exploitability": "Unproven", "consequences": "Denial of Service", "references": [ { "link_target": "https://www.eset.com/int/home/cyber-security/", "link_name": "ESET Web site", "description": "Fast and powerful antivirus for your Mac" }, { "link_target": "https://danishcyberdefence.dk/blog/esets-cyber-security", "link_name": "Danish Cyber Defence Web site", "description": "Multiple privilege escalations in ESET's Cyber Security" }, { "link_target": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17549", "link_name": "CVE-2019-17549", "description": "ESET Cyber Security before 6.8.1.0 is vulnerable to a denial-of-service allowing any user to stop (kill) ESET processes. An attacker can abuse this bug to stop the protection from ESET and launch his attack." } ], "report_confidence": "Confirmed" } ] } ```
parameters: - name: q in: query description: Search term For example, Heartbleed. For searching based on affected platforms, place the index "platforms_affected" before search term, For example, platforms_affected:"IBM Security Network Protection" required: true schema: type: string - name: startDate in: query description: the start of the date range for searching, For example, `2016-01-01T00:00:00Z`. schema: type: string - name: endDate in: query description: the end of the date range for searching, For example, `2016-01-01T00:00:00Z`. If not specified, the query will return the newest vulnerabilities. schema: type: string - name: bookmark in: query description: Bookmark used to page through results. Page limit is fixed to 200. schema: type: string responses: 200: description: Successful response content: application/json: schema: type: object properties: total_rows: type: integer bookmark: type: string rows: type: array items: $ref: '#/components/schemas/vulnerability' 403: description: Access denied. content: {} 404: description: Not found. content: {} /vulnerabilities/{xfid}: get: tags: - X-Force Threat Intelligence - Vulnerabilities summary: | Get by XFID description: |- Returns the vulnerability associated with the entered xfdbid.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/vulnerabilities/92744` ```json { "type": "vulnerability", "xfdbid": 92744, "updateid": 0, "variant": "single", "title": "HP Integrated Lights-Out 2 Heartbleed denial of service", "description": "HP Integrated Lights-Out 2 (iLO 2) is vulnerable to a denial of service, caused by an error when scanned by vulnerability assessment tools scan for the Heartbleed vulnerability. A remote attacker could exploit this vulnerability to cause the server to crash.", "risk_level": 7.8, "cvss": { "version": "2.0", "authentication": "None", "access_vector": "Network", "access_complexity": "Low", "confidentiality_impact": "None", "integrity_impact": "None", "availability_impact": "Complete", "remediation_level": "Official Fix" }, "temporal_score": 5.8, "remedy": "Refer to HPSBHF03006 for patch, upgrade or suggested workaround information. See References.", "remedy_fmt": "

Refer to HPSBHF03006 for patch, upgrade or suggested workaround information. See References.

", "reported": "2014-04-24T00:00:00Z", "tagname": "hp-ilo-cve20142601-dos", "stdcode": [ "BID-67054", "SA58224", "CVE-2014-2601" ], "platforms_affected": [ "HP Integrated Lights-Out 2 (iLO2) 2.23" ], "exploitability": "Unproven", "consequences": "Denial of Service", "references": [ { "link_target": "https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04244787", "link_name": "HPSBHF03006", "description": "HP Integrated Lights-Out 2 (iLO 2) Denial of Service" }, { "link_target": "http://www.securityfocus.com/bid/67054", "link_name": "BID-67054", "description": "HP Integrated Lights-Out CVE-2014-2601 Remote Denial of Service Vulnerability" }, { "link_target": "http://secunia.com/advisories/58224", "link_name": "SA58224", "description": "HP Integrated Lights-Out 2 Denial of Service Vulnerability" }, { "link_target": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2601", "link_name": "CVE-2014-2601", "description": "The server in HP Integrated Lights-Out 2 (aka iLO 2) 2.23 and earlier allows remote attackers to cause a denial of service via crafted HTTPS traffic, as demonstrated by traffic from a CVE-2014-0160 vulnerability-assessment tool." } ], "report_confidence": "Confirmed", "uuid": "7d71d8e3856c692cb73c4b7daf1c21ce", "tags": [] } ```
parameters: - name: xfid in: path description: Search term For example, 92744 required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: $ref: '#/components/schemas/extendedVulnerability' 403: description: Access denied. content: {} 404: description: Not found. content: {} /vulnerabilities/search/{stdcode}: get: tags: - X-Force Threat Intelligence - Vulnerabilities summary: | Get by STDCODE description: |- Returns the vulnerability associated with the entered stdcode. Supported codes are CVE, BID, US-CERT VU# and RHSA.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/vulnerabilities/search/CVE-2014-2601` ```json [ { "type": "vulnerability", "xfdbid": 92744, "updateid": 0, "variant": "single", "title": "HP Integrated Lights-Out 2 Heartbleed denial of service", "description": "HP Integrated Lights-Out 2 (iLO 2) is vulnerable to a denial of service, caused by an error when scanned by vulnerability assessment tools scan for the Heartbleed vulnerability. A remote attacker could exploit this vulnerability to cause the server to crash.", "risk_level": 7.8, "cvss": { "version": "2.0", "authentication": "None", "access_vector": "Network", "access_complexity": "Low", "confidentiality_impact": "None", "integrity_impact": "None", "availability_impact": "Complete", "remediation_level": "Official Fix" }, "temporal_score": 5.8, "remedy": "Refer to HPSBHF03006 for patch, upgrade or suggested workaround information. See References.", "remedy_fmt": "

Refer to HPSBHF03006 for patch, upgrade or suggested workaround information. See References.

", "reported": "2014-04-24T00:00:00Z", "tagname": "hp-ilo-cve20142601-dos", "stdcode": [ "BID-67054", "SA58224", "CVE-2014-2601" ], "platforms_affected": [ "HP Integrated Lights-Out 2 (iLO2) 2.23" ], "exploitability": "Unproven", "consequences": "Denial of Service", "references": [ { "link_target": "https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04244787", "link_name": "HPSBHF03006", "description": "HP Integrated Lights-Out 2 (iLO 2) Denial of Service" }, { "link_target": "http://www.securityfocus.com/bid/67054", "link_name": "BID-67054", "description": "HP Integrated Lights-Out CVE-2014-2601 Remote Denial of Service Vulnerability" }, { "link_target": "http://secunia.com/advisories/58224", "link_name": "SA58224", "description": "HP Integrated Lights-Out 2 Denial of Service Vulnerability" }, { "link_target": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2601", "link_name": "CVE-2014-2601", "description": "The server in HP Integrated Lights-Out 2 (aka iLO 2) 2.23 and earlier allows remote attackers to cause a denial of service via crafted HTTPS traffic, as demonstrated by traffic from a CVE-2014-0160 vulnerability-assessment tool." } ], "report_confidence": "Confirmed", "uuid": "7d71d8e3856c692cb73c4b7daf1c21ce" } ] ```
parameters: - name: stdcode in: path description: |- Search term, For example, CVE-2014-2601, BID-69453, US-CERT VU#546340, RHSA20131456 required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: type: array items: $ref: '#/components/schemas/vulnerability' 403: description: Access denied. content: {} 404: description: Not found. content: {} /vulnerabilities/msid/{msid}: get: tags: - X-Force Threat Intelligence - Vulnerabilities summary: | Get by Microsoft Security Bulletin ID description: |- Returns the vulnerability associated with the entered Microsoft Security Bulletin ID.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/vulnerabilities/msid/MS15-065` ```json [ { "risk_level": 9.3, "title": "Microsoft Internet Explorer code execution", "xfdbid": 103360, "stdcode": [ "CVE-2015-1737" ], "reference": "MS15065", "reported": "2015-06-09T00:00:00Z" }, { "risk_level": 5.8, "title": "Microsoft Internet Explorer privilege escalation", "xfdbid": 103366, "stdcode": [ "CVE-2015-1743", "BID-74996" ], "reference": "MS15065", "reported": "2015-06-09T00:00:00Z" }, { "risk_level": 9.3, "title": "Microsoft Internet Explorer code execution", "xfdbid": 103356, "stdcode": [ "CVE-2015-1732" ], "reference": "MS15065", "reported": "2015-06-09T00:00:00Z" }, { "risk_level": 9.3, "title": "Microsoft Internet Explorer code execution", "xfdbid": 103365, "stdcode": [ "CVE-2015-1742" ], "reference": "MS15065", "reported": "2015-06-09T00:00:00Z" }, { "risk_level": 5.8, "title": "Microsoft Internet Explorer privilege escalation", "xfdbid": 103362, "stdcode": [ "CVE-2015-1739", "BID-74995" ], "reference": "MS15065", "reported": "2015-06-09T00:00:00Z" }, { "risk_level": 9.3, "title": "Microsoft Internet Explorer code execution", "xfdbid": 103354, "stdcode": [ "CVE-2015-1730" ], "reference": "MS15065", "reported": "2015-06-09T00:00:00Z" }, { "risk_level": 5.8, "title": "Microsoft Internet Explorer privilege escalation", "xfdbid": 103371, "stdcode": [ "CVE-2015-1748", "BID-74997" ], "reference": "MS15065", "reported": "2015-06-09T00:00:00Z" }, { "risk_level": 9.3, "title": "Microsoft Internet Explorer code execution", "xfdbid": 103355, "stdcode": [ "CVE-2015-1731" ], "reference": "MS15065", "reported": "2015-06-09T00:00:00Z" }, ... ... ```
parameters: - name: msid in: path description: Search term, For example, MS15-065 required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: type: array items: $ref: '#/components/schemas/msid' 403: description: Access denied. content: {} 404: description: Not found. content: {} /whois/{host}: get: tags: - X-Force Threat Intelligence - WHOIS summary: |- Get WHOIS information description: |- Returns a JSON object containing information about the given host address.
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/whois/google.ie` ```json { "createdDate": "2002-03-21T00:00:00.000Z", "expiresDate": "2018-03-21T00:00:00.000Z", "contact": [ { "type": "registrant", "organization": "Google, Inc\nBody Corporate (Ltd,PLC,Company)\nRegistered Trade Mark Name\nGoogle, Inc\nBody Corporate (Ltd,PLC,Company)\nRegistered Trade Mark Name" } ], "extended": { "createdDate": "2002-03-21T00:00:00.000Z", "expiresDate": "2018-03-21T00:00:00.000Z", "contact": [ { "type": "registrant", "organization": "Google, Inc\nBody Corporate (Ltd,PLC,Company)\nRegistered Trade Mark Name\nGoogle, Inc\nBody Corporate (Ltd,PLC,Company)\nRegistered Trade Mark Name" } ] } } ```
parameters: - name: host in: path description: Search term, For example, ibm.com, 8.8.8.8 required: true schema: type: string responses: 200: description: Successful response content: application/json: schema: $ref: '#/components/schemas/whois' example: |- { "createdDate": "string", "updatedDate": "string", "netRange": "string", "contact": [ { "type": "string", "organization": "string", "country": "string" } ], "extended": { "createdDate": "string", "updatedDate": "string", "netRange": "string", "contactEmail": "string", "registrarName": "string", "contact": [ { "type": "string", "organization": "string", "country": "string" } ], "sub": [ { "createdDate": "string", "updatedDate": "string", "netRange": "string", "contact": [ { "type": "string", "organization": "string", "country": "string" } ] } ] } } 400: description: Invalid host. content: application/json: schema: $ref: '#/components/schemas/ErrorModel' error: example: Invalid input. 401: description: Unauthorized content: application/json: schema: $ref: '#/components/schemas/ErrorModel' /stix/v2/export/{stixversion}/{object}/{type}/{fullReport}: get: tags: - X-Force Threat Intelligence - STIX export summary: | Get an object in STIX format description: |- Return an Object in STIX format. Access to this information is restricted to paid users. Please visit this link [https://www.ibm.com/products/xforce-exchange/editions](https://www.ibm.com/products/xforce-exchange/editions) for more information
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/stix/v2/export/2.1/rarog/botnet/true` ```json { "spec_version": "2.0", "type": "bundle", "objects": [ { "id": "indicator--d3f67565-7827-4b3b-85de-66d4ba4d49ff", "type": "indicator", "created": "2017-07-21T06:21:00.000Z", "modified": "2018-08-10T07:23:00.000Z", "labels": [ "malicious-activity", "xfe-threat-score-7.1" ], "name": "IP Report for IP address 185.213.208.228", "description": "This data was imported from a third party feed.", "pattern": "[ ipv4-addr:value = '185.213.208.228' ]", "valid_from": "2018-08-10T07:23:00.000Z" }, { "id": "indicator--89c6f990-ffb3-49d5-bfd0-9eb7638e1c44", "type": "indicator", "created": "2012-03-22T07:26:00.000Z", "modified": "2018-06-06T03:13:00.000Z", "labels": [ "anomalous-activity", "xfe-threat-score-5.7" ], "name": "IP Report for IP address 37.1.206.48", "description": "At least one of the websites that is hosted on this IP address contains content of the aforementioned category.", "pattern": "[ ipv4-addr:value = '37.1.206.48' ]", "valid_from": "2018-06-06T03:13:00.000Z" }, { "id": "indicator--4a9a677a-c54c-458b-86ea-b1b7efd31a58", "type": "indicator", "created": "2012-03-22T07:26:00.000Z", "modified": "2018-10-16T00:54:00.000Z", "labels": [ "anomalous-activity", "xfe-threat-score-4.3" ], "name": "IP Report for IP address 194.58.56.152", "description": "This data was imported from a third party feed.", "pattern": "[ ipv4-addr:value = '194.58.56.152' ]", "valid_from": "2018-10-16T00:54:00.000Z" }, ... ... ```
parameters: - name: fullReport in: path description: If set to true the DNS details are added to the returned data. required: true schema: type: boolean - name: object in: path description: |- The object identifier. It can be an IP address, a URL address, a malware hash, a botnet name etc. For example: mirai. required: true schema: type: string - name: type in: path description: |- Type of object to export in the STIX format, For example, ``` - IP - URL - Botnet - Malware ``` required: true schema: type: string - name: stixversion in: path description: |- STIX version to export in the STIX format, For example, ``` - 2.0 - 2.1 ``` required: true schema: type: string enum: ["2.0", "2.1"] default: "2.0" responses: 200: description: Success. content: {} 403: description: Access denied. content: {} 404: description: Not found. content: {} /stix/v2/botnets: get: tags: - X-Force Threat Intelligence - STIX export summary: | Get botnets information in STIX format description: |- Return the full list of botnets in STIX format with their associated Command and Control server details. Access to this information is restricted to paid users. Please visit this link [https://www.ibm.com/products/xforce-exchange/editions](https://www.ibm.com/products/xforce-exchange/editions) for more information
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/stix/v2/export/2.1/botnets/false` ```json { "spec_version": "2.0", "type": "bundle", "objects": [ { "id": "report--06240664-ff3d-456e-a467-fd2b0c1c1f61", "type": "report", "labels": [ "x-ibm-xforce-botnet-report" ], "name": "Botnet Report for asdf", "description": "botnet report containing c2 details associated with asdf", "object_refs": [] }, { "id": "report--f94f569a-d313-4d78-931e-a853f5732d22", "type": "report", "created": "2018-09-25T20:08:00Z", "modified": "2018-09-25T20:08:00Z", "labels": [ "x-ibm-xforce-botnet-report" ], "name": "Botnet Report for mirai", "description": "botnet report containing c2 details associated with mirai", "object_refs": [] }, { "id": "report--346ca888-bbba-4c1a-9437-4374bd865560", "type": "report", "created": "2018-09-25T20:08:00Z", "modified": "2018-09-25T20:08:00Z", "labels": [ "x-ibm-xforce-botnet-report" ], "name": "Botnet Report for smokeloader", "description": "botnet report containing c2 details associated with smokeloader", "object_refs": [ "indicator--e9f6c8d8-63e1-4586-b366-2034de7ae66b", "indicator--1b8d67f2-26f0-4d67-81da-b8ac83d3877a", "indicator--84cf2e2c-d2e6-4546-92fa-2b6338b3bdcc", "indicator--a5a38443-3bd7-461c-81ef-e14f3df43261", "indicator--d748b43d-dfea-442d-a218-0b2b671596de", "indicator--dd7d6502-03f6-41be-83ca-cf9215466ebf", "indicator--dd7d6502-03f6-41be-83ca-cf9215466ebf", "indicator--dd7d6502-03f6-41be-83ca-cf9215466ebf", "indicator--dd7d6502-03f6-41be-83ca-cf9215466ebf" ] }, ... ... ```
parameters: - name: fullReport in: query description: If set to true the DNS details are added to the returned data. schema: type: boolean responses: 200: description: Success. content: {} 403: description: Access denied. content: {} 404: description: Not found. content: {} /stix/v2/tis-export/{stixversion}/{object}/{type}/false: get: tags: - X-Force Threat Intelligence - STIX export summary: | Get a TIS object in STIX format description: |- Return a TIS Object (Threat Group, Industry or Malware report) in STIX format. Access to this information is restricted to paid users. Please visit this link [https://www.ibm.com/products/xforce-exchange/editions](https://www.ibm.com/products/xforce-exchange/editions) for more information
Usage #### Example: Send a HTTP GET request to `https://api.xforce.ibmcloud.com/stix/v2/tis-export/2.1/4005cb35be10d65ee4b5773907f736c7/malwareAnalysis/true` ```json { "type": "bundle", "id": "bundle--7ad9a94f-0dd5-45bc-87fa-2a2b312fcd2c", "spec_version": "2.0" "objects": [ { "name": "5020c08bcc061236643293bf0d897321", "labels": [ "" ], "pattern": "[file:hashes.MD5 = '5020c08bcc061236643293bf0d897321']", "type": "indicator", "id": "indicator--17db3255-289b-4feb-b531-3a6fe76cb024", "created": "2019-07-15T04:03:42.028Z", "modified": "2019-07-15T04:03:42.028Z", "valid_from": "2019-07-15T04:03:42.028378Z" }, { "name": "aca7037286b64b0da05c9708d647c013", "labels": [ "" ], "pattern": "[file:hashes.MD5 = 'aca7037286b64b0da05c9708d647c013']", "type": "indicator", "id": "indicator--f33acc7b-f904-4361-8924-6854da7b1ca0", "created": "2019-07-15T04:03:42.046Z", "modified": "2019-07-15T04:03:42.046Z", "valid_from": "2019-07-15T04:03:42.046114Z" }, { "name": "bd9e4c82bf12c4e7a58221fc52fed705", "labels": [ "" ], "pattern": "[file:hashes.MD5 = 'bd9e4c82bf12c4e7a58221fc52fed705']", "type": "indicator", "id": "indicator--66cf81f3-fa8e-409f-bb5f-f13af1ab528a", "created": "2019-07-15T04:03:42.061Z", "modified": "2019-07-15T04:03:42.061Z", "valid_from": "2019-07-15T04:03:42.061913Z" }, ... ... ```
parameters: - name: type in: path description: |- Type of TIS object to export in the STIX format, For example, ``` - malwareAnalysis - threatGroup - industry ``` required: true schema: type: string - name: stixversion in: path description: |- STIX version to export in the STIX format, For example, ``` - 2.0 - 2.1 ``` required: true schema: type: string enum: ["2.0", "2.1"] default: "2.0" - name: object in: path description: |- The object identifier. Unique ID of the report. For example: guid:f8409554b71a79792ff099081bc5ac24. required: true schema: type: string responses: 200: description: Success. content: {} 403: description: Access denied. content: {} 404: description: Not found. content: {} components: schemas: Xfti: type: object properties: FeedCategory: type: string FeedType: type: string Version: type: string CreationDate: type: string IndicatorCount: type: string data: type: array items: type: string Industry_single: type: object properties: type: type: string example: "bundle" id: type: string example: "bundle--7646891c-7794-41c5-9197-f52a0caa449a" spec_version: type: string example: "2.0" objects: type: array items: $ref: '#/components/schemas/Industry_object' Industry_object: type: object properties: type: type: string example: "report" labels: type: array items: type: string example: "industry" name: type: string example: "US Defense Industrial Base Industry Profile" published: type: string format: date-time example: "2021-10-11T03:05:06Z" object_refs: type: array items: type: string x_com_ibm_short_description: type: string example: "According to the United States (US) Government Accountability Office (GAO), as of 2018 the U.S. Department of Defense (DoD) spends billions of dollars to procure and maintain critical systems to meet US national security objectives. To design, develop, produce and maintain critical systems, the DoD relies on a multi-tiered network of privately and publicly-owned suppliers that characterize the Defense Industrial Base (DIB). The US DoD's reliance on DIB-owned unclassified networks to generate, communicate, and store sensitive unclassified material, or Covered Defense Information (CDI), make those industries associated with the DIB high-value targets for state-sponsored cyber threat actors." id: type: string example: "report--3b691bc1-cc74-4477-9761-32c95ada5a94" created: type: string format: date-time example: "2020-09-03T08:06:12Z" modified: type: string format: date-time example: "2021-10-11T03:05:06Z" x_com_ibm_tags: type: array items: type: string resolve: type: object properties: A: type: array items: type: string AAAA: type: array items: type: string MX: type: object properties: exchange: type: string priority: type: integer TXT: type: array items: type: string RDNS: type: array items: type: string Passive: type: object properties: query: type: string records: type: array items: type: object properties: value: type: string type: type: string recordType: type: string last: type: string format: date-time first: type: string format: date-time Taxii_api_success: type: object properties: title: type: string example: "IBM X-Force Exchange - X-Force Threat Intelligence - Protection Feed TAXII 2 API Root" description: type: string example: "TAXII 2 service for X-Force Exchange X-Force Threat Intelligence - Protection Feed users" versions: type: array items: type: string example: "'taxii-2.0', 'taxii-2.1'" max_content_length: type: integer format: int64 example: 10000000 Taxii_api_error: type: object properties: title: type: string description: type: string http_status: type: integer format: int64 example: 0 Taxii_collections_success: type: object properties: collections: type: array items: $ref: '#/components/schemas/Xfti_colection' Xfti_colection: type: object properties: id: type: string example: "c2server_ipv4" title: type: string example: "Botnet CnC Servers - IPv4" description: type: string example: "Returns a list of IPv4 addresses that are categorized as botnet command and control servers." can_read: type: boolean default: true can_write: type: boolean default: false media_types: type: array items: type: string example: "'application/vnd.oasis.stix+json; version=2.0', 'application/vnd.oasis.stix+json; version=2.1'" Taxii_collections_2.0: type: object properties: spec_version: type: string example: "2.0" id: type: string example: "bundle--0000000010" type: type: string example: "bundle" x_ibm_copyright: type: string example: "© Copyright IBM Corp. 2019, All Rights Reserved" x_ibm_part_no: type: string example: "D01VKZX" x_ibm_feedcategory: type: string example: "Botnet Command and Control Server" x_ibm_feedtype: type: string example: "IPv6" x_ibm_version: type: string example: "0000000010" x_ibm_creationdate: type: string format: date-time example: "2019-08-27T13:10:29.51Z" x_ibm_indicatorcount: type: string example: "2" objects: type: array items: $ref: '#/components/schemas/Xfti_objects_2.0' Xfti_objects_2.0: type: object properties: id: type: string example: "indicator-ccbdc20c-5c87-44f5-6378-5457ce14e1db" type: type: string example: "indicator" labels: type: array items: type: string example: "malicious-activity" pattern: type: string example: "[ipv6-addr:value = '2001:db8:1234::8']" valid_from: type: string format: date-time example: "2019-08-27T13:10:29.51Z" Taxii_collections_2.1: type: object properties: spec_version: type: string example: "2.1" id: type: string example: "bundle--0000000010" type: type: string example: "bundle" x_ibm_copyright: type: string example: "© Copyright IBM Corp. 2019, All Rights Reserved" x_ibm_part_no: type: string example: "D01VKZX" x_ibm_feedcategory: type: string example: "Botnet Command and Control Server" x_ibm_feedtype: type: string example: "IPv6" x_ibm_version: type: string example: "0000000010" x_ibm_creationdate: type: string format: date-time example: "2019-08-27T13:10:29.51Z" x_ibm_indicatorcount: type: string example: "2" objects: type: array items: $ref: '#/components/schemas/Xfti_objects_2.1' Xfti_objects_2.1: type: object properties: id: type: string example: "indicator-ccbdc20c-5c87-44f5-6378-5457ce14e1db" type: type: string example: "indicator" indicator_types: type: array items: type: string example: "malicious-activity" pattern: type: string example: "[ipv6-addr:value = '2001:db8:1234::8']" patterns_type: type: string example: "stix" valid_from: type: string format: date-time example: "2019-08-27T13:10:29.51Z" extensions: type: array items: type: object properties: id: type: string key: type: string value: type: object properties: app_details: type: object properties: crypt_types: type: string documents: type: object properties: partner_agreement: type: object screenshots: type: array items: {} additional_doc: type: object icons: type: object tags: type: object properties: content: type: object search_tags: type: array items: {} categories: type: array items: {} ibm_security_products: type: array items: {} locale: type: object properties: en: type: object supported_language_set: type: array items: {} internetAccessRequired: type: string authored_by: type: string company_name: type: string shared_users: type: array items: {} min_mb: type: integer support_label: type: string app_versions: type: object properties: 1.0.0: type: object properties: status: type: string license: type: object properties: type: type: string packaged_on: type: integer file_name: type: string status_date: type: integer file_id: type: string license_id: type: string revision: type: integer compatibility: type: object md5checksum: type: string whats_new: type: string downloads: type: integer ErrorModel: properties: error: type: string required: - error type: object apiKeyName: type: object properties: name: type: string createNewKeyPair: required: - apiKey - password type: object properties: apiKey: type: string password: type: string collection: type: object properties: created: type: string owner: type: object properties: name: type: string uuid: type: string isDisabled: type: boolean default: false title: type: string caseFileID: type: string tags: type: array items: type: string links: type: array items: type: string tlpColor: type: object writeable: type: boolean deletable: type: boolean nPeople: minimum: 0 type: integer nPGroups: minimum: 0 type: integer shared: $ref: '#/components/schemas/shared' mine: type: boolean coOwner: type: boolean default: false contents: type: object properties: wiki: type: string plainText: type: string reports: type: array items: type: string editorType: type: string extensions: type: array shortCollection: required: - created - owner - shared - title - writeable type: object properties: created: type: string format: date-time owner: required: - name type: object properties: name: type: string shared: $ref: '#/components/schemas/shared' title: type: string writeable: type: boolean description: A smaller representation of a Collection without wiki information casefilesOfGroup: required: - casefiles type: object properties: casefiles: type: array items: $ref: '#/components/schemas/casefileArrayItem' description: Object that holds the information about all Collections of a Group. casefileArrayItem: required: - caseFileID - created - owner - title - writeable type: object properties: caseFileID: type: string created: type: string title: type: string writeable: type: boolean owner: type: string description: Basic information about a Collection that belong to a Group linkTo: type: object properties: linkTo: type: string attachment: type: object properties: caseFileID: type: string description: Unique identifier of a Collection attachedTo: type: string description: Collection this attachment is attached to attachedBy: $ref: '#/components/schemas/attachedby' attachedAt: type: string description: Date attachment was created imported: type: boolean description: Attachment imported true or false md5checksum: type: string description: Checksum aliasFileName: type: string description: Attachment filename file: $ref: '#/components/schemas/attachmentFile' description: An attachment on a Collection. attachedby: type: object properties: name: type: string description: User that created this attachment userUniqueID: type: string description: User ID that created this attachment attachmentFile: type: object properties: filename: type: string description: Attachment database filename length: type: string description: Length of the attachment content_type: type: string description: Attachment mime type reportkeys: type: object properties: reportkeys: type: array items: type: object properties: type: type: string value: type: string wanted: type: boolean shared: type: string description: Share level settings of a Collection default: off enum: - off - shared - public earlyWarning: type: object properties: rows: type: array items: $ref: '#/components/schemas/earlyWarningItem' earlyWarningItem: type: object properties: host: type: string type: type: string update: type: string longApp: type: object properties: application: type: object properties: actions: type: object properties: {} baseurl: type: string canonicalName: type: string categories: type: object properties: categoryName: type: boolean description: type: string id: type: integer name: type: string rlfs: $ref: '#/components/schemas/rlfs' score: $ref: '#/components/schemas/score' urls: type: array items: type: string tags: type: array items: $ref: '#/components/schemas/tags' rlfs: type: object properties: risk: $ref: '#/components/schemas/apprisk' apprisk: type: object properties: description: type: string value: type: integer score: maximum: 1E+1 minimum: 1 type: number format: double tags: type: object properties: type: type: string tag: type: string entityType: type: string entityId: type: string commentId: type: string user: type: string date: type: string displayName: type: string applicationList: type: object properties: applications: type: array items: $ref: '#/components/schemas/shortApp' shortApp: type: object properties: canonicalName: type: string description: type: string name: type: string score: $ref: '#/components/schemas/score' iprCategory: required: - category - nextPage - previousPage - rows type: object properties: category: type: string rows: type: array items: $ref: '#/components/schemas/categoriedIp' nextPage: type: string previousPage: type: string description: An object contains category, ips and proposal queries. iprurlCategories: type: object properties: name: type: string description: type: string description: An object contains category name and description. categoriedIp: required: - created - ip - score type: object properties: ip: type: string created: type: string score: type: integer description: An ip object returned via ipr category ipr: required: - subnets type: object properties: ip: type: string history: type: array items: $ref: '#/components/schemas/ip' subnets: type: array items: $ref: '#/components/schemas/ip' cats: $ref: '#/components/schemas/cats' geo: $ref: '#/components/schemas/geo' score: $ref: '#/components/schemas/score' reason: type: string reasonDescription: type: string categoryDescriptions: $ref: '#/components/schemas/categoryDescriptions' tags: type: array items: $ref: '#/components/schemas/tags' description: An IPR Object ip: required: - created - ip type: object properties: created: type: string format: date-time geo: $ref: '#/components/schemas/geo' ip: type: string reason: type: string reasonDescription: type: string malware_extended: $ref: '#/components/schemas/malwareExtended' deleted: type: boolean reason_removed: type: boolean categoryDescriptions: $ref: '#/components/schemas/categoryDescriptions' cats: $ref: '#/components/schemas/cats' score: $ref: '#/components/schemas/score' subnet: $ref: '#/components/schemas/subnet' asns: $ref: '#/components/schemas/asns' malwareExtended: type: object properties: BotNet: type: string lat: type: number long: type: number city: type: string CC: type: string country: type: number isnew: type: boolean geo: type: object properties: country: type: string countrycode: type: string format: cca2 cats: type: object properties: key: type: string value: type: string categoryDescriptions: type: object properties: key: type: string value: type: string subnet: pattern: (([01]?\d?\d|2[0-4]\d|25[0-5])\.){3}([01]?\d?\d|2[0-4]\d|25[0-5])/(\d{1}|[0-2]{1}\d{1}|3[0-2])$ type: string asn: type: object properties: Company: type: string cidr: type: integer asns: type: object properties: asn: $ref: '#/components/schemas/asn' ipv4oripv6: pattern: /(?:.*?)^((?:[0-9a-fA-Fx]{1,4}\.){3,3}[0-9a-fA-Fx]{1,4})$/ type: string iprMalware: type: object properties: malware: type: array items: $ref: '#/components/schemas/malwareShort' description: An array of malware related to an IP Address malwareShort: type: object properties: family: type: array items: type: string first: type: string format: date-time last: type: string format: date-time md5: $ref: '#/components/schemas/md5' origin: type: string uri: type: string format: url description: A short entry that describes a piece of malware md5: pattern: '[0-9A-Fa-f]{32}' type: string description: md5 iprAsn: type: object properties: networks: type: array items: $ref: '#/components/schemas/networkShort' description: An array of networks related to an ASN networkShort: type: string properties: network: type: string description: An entry that describes a network malwareLong: type: object properties: malware: type: object properties: created: type: string format: date-time type: $ref: '#/components/schemas/validHashes' family: type: array items: type: string familyMembers: type: object properties: {} md5: $ref: '#/components/schemas/md5' mimetype: type: string origins: type: object properties: CnCServers: type: object properties: rows: type: array items: $ref: '#/components/schemas/malwareServer' downloadServers: type: object properties: rows: type: array items: $ref: '#/components/schemas/malwareServer' emails: type: object properties: rows: type: array items: $ref: '#/components/schemas/malwareServer' external: type: object properties: detectionCoverage: maximum: 1E+2 minimum: 0 type: integer family: type: array items: type: string subjects: type: object properties: rows: type: array items: type: object properties: md5: $ref: '#/components/schemas/md5' subject: type: string count: minimum: 0 type: integer firstseen: type: string format: date-time ips: type: array items: type: string lastseen: type: string format: date-time origin: type: string type: type: string risk: type: string tags: type: array items: $ref: '#/components/schemas/tags' description: A entry that describes a piece of malware validHashes: type: string enum: - md5 malwareServer: type: object properties: count: minimum: 0 type: integer domain: type: string filepath: type: string firstseen: type: string format: date-time host: type: string ip: type: string lastseen: type: string format: date-time md5: $ref: '#/components/schemas/md5' origin: type: string schema: type: string type: type: string uri: type: string extentedMalwareFamily: allOf: - $ref: '#/components/schemas/malwareFamily' malwareFamily: type: object properties: count: minimum: 0 type: integer family: type: array items: type: string firstseen: type: string format: date-time lastseen: type: string format: date-time malware: type: array items: type: object properties: created: type: string format: date-time family: type: array items: type: string md5: $ref: '#/components/schemas/md5' type: $ref: '#/components/schemas/validHashes' signature: type: object properties: type: $ref: '#/components/schemas/signatureType' pamid: $ref: '#/components/schemas/pamID' updated: type: boolean releaseDate: type: string format: date-time shortDesc: type: string pamName: type: string description: type: string priority: maximum: 3 minimum: 0 type: integer category: type: string products_containing: type: array items: type: object properties: prodname: type: string prodversion: type: string releasedate: type: string format: date-time protects_against: $ref: '#/components/schemas/vulnShort' covers: type: object properties: total_rows: minimum: 0 type: integer rows: type: array items: $ref: '#/components/schemas/vulnShort' signatureShort: type: object properties: type: $ref: '#/components/schemas/signatureType' priority: maximum: 3 minimum: 0 type: integer pamid: $ref: '#/components/schemas/pamID' releaseDate: type: string format: date-time shortDesc: type: string pamName: type: string signatureType: type: string enum: - PAM pamID: pattern: (2|3|5)[0-9]{6} type: string vulnShort: type: object properties: reported: type: string format: date-time risk_level: maximum: 1E+1 minimum: 1 type: integer title: type: string xfdbid: minimum: 0 type: integer tagSearch: type: array items: type: object properties: value: type: string type: type: string data: type: object ErrorModelForTaxii: required: - title type: object properties: title: type: string description: type: string http_status: type: number urlLong: type: object properties: result: $ref: '#/components/schemas/urlShort' associated: type: array items: $ref: '#/components/schemas/urlShort' tags: type: array items: $ref: '#/components/schemas/tags' urlShort: type: object properties: url: type: string cats: type: object properties: category: type: boolean categoryDescriptions: type: object properties: category: type: string score: maximum: 9 minimum: 0 type: integer urlHistory: type: object properties: url: type: string created: type: string cats: $ref: '#/components/schemas/urlCategories' history: type: array items: $ref: '#/components/schemas/urlHistoryItem' score: maximum: 9 minimum: 0 type: integer urlHistoryItem: type: object properties: url: type: string created: type: string expired: type: string cats: $ref: '#/components/schemas/urlCategories' score: maximum: 9 minimum: 0 type: integer urlCategories: required: - categoryName type: object properties: deleted: type: boolean categoryName: required: - confidence - description - reasons type: object properties: confidence: minimum: 1 type: integer reasons: type: array items: type: object description: type: string deleted: type: boolean urlDeltasItem: type: object properties: url: type: string created: type: string score: type: string iprDeltasItem: type: object properties: ip: type: string created: type: string score: type: string usageDetails: required: - meteringType - subscriptionType - usageData type: object properties: subscriptionType: type: string usageData: required: - entitlement - type - usage type: object properties: entitlement: type: number type: type: string usage: type: array items: $ref: '#/components/schemas/usageCycle' subscriptionID: type: string created: type: string expire: type: string tags: type: array items: type: object meteringType: type: string usageCycle: required: - cycle - usage type: object properties: cycle: type: string usage: type: string userProfile: type: object properties: numberOfCollections: minimum: 0 type: integer memberSince: type: string format: date-time numberOfComments: minimum: 0 type: integer version: required: - build - created type: object properties: build: minimum: 0 type: number description: Build Number format: double created: type: string description: When the build was created format: date-time description: Build information about the X-Force Exchange vuln: type: array items: type: string vulnerability: type: object properties: type: type: string xfdbid: type: integer updateid: type: integer updated: type: boolean variant: type: string title: type: string description: type: string description_fmt: type: string risk_level: maximum: 9 minimum: 0 type: number format: double CVSS3_Version: type: string CVSS3_PrivilegesRequired: type: string CVSS3_UserInteraction: type: string CVSS3_Scope: type: string access_vector: type: string access_complexity: type: string confidentiality_impact: type: string integrity_impact: type: string availability_impact: type: string temporal_score: type: number format: double remediation_level: type: string remedy: type: string remedy_fmt: type: string reported: type: string format: date-time tagname: type: string stdcode: type: array items: type: string platforms_affected: type: array items: type: string exploitability: type: string consequences: type: string references: type: array items: type: object properties: link_target: type: string link_name: type: string description: type: string report_confidence: type: string extendedVulnerability: allOf: - $ref: '#/components/schemas/vulnerability' msid: type: object properties: risk_level: type: number format: double title: type: string xfdbid: type: integer stdcode: type: array items: type: string reference: type: string reported: type: string format: date-time whois: allOf: - $ref: '#/components/schemas/netData' whoisContact: type: object properties: type: type: string example: "registrant" name: type: string organization: type: string example: "Google, Inc\nBody Corporate (Ltd,PLC,Company)\nRegistered Trade Mark Name\nGoogle, Inc\nBody Corporate (Ltd,PLC,Company)\nRegistered Trade Mark Name" country: type: string example: "US" netData: type: object properties: createdDate: type: string format: date-time example: "1992-12-01T00:00:00.000Z" updatedDate: type: string format: date-time example: "2018-04-23T00:00:00.000Z" netRange: type: string example: "8.0.0.0 - 8.127.255.255" expiresDate: type: string contactEmail: type: string registrarName: type: string example: "ARIN" contact: type: array items: $ref: '#/components/schemas/whoisContact' xfti_requests: type: object taxii_requests: type: object threat_intelligence: type: object properties: id: type: string reportId: type: string created: type: string name: type: string type: type: string o_type: type: string modified: type: string published: type: string shortDescription: type: string locked: type: boolean statement: type: string threat_intelligence_by_id: type: object properties: name: type: string labels: type: string x_com_ibm_iris_tags: type: object created: type: string modified: type: string valid_from: type: string pattern: type: string type: type: string id: type: string