Victim Assets Overview

Victim Assets are endpoints used to leverage a Victim and infiltrate a network.

Endpoint: /api/v3/victimAssets

Endpoint Options

Available Fields

Send the following request to retrieve a list of available fields, including the field's name, description, and accepted data type that can be included in the body of a POST or PUT request to the /v3/victimAssets endpoint:

OPTIONS /v3/victimAssets

Hint: To include read-only fields in the response, append ?show=readonly to the end of the request URL.

Alternatively, refer to the following table for a list of available fields that can be included in the body of a POST or PUT request to the /v3/victimAssets endpoint.

| Field | Description | Type | Required for Creation? | Updatable? | Example Value(s) |
|---|---|---|---|---|---|
| accountName | The account name associated with a Network Account or Social Network Victim Asset | String | TRUE¹ | TRUE | "@johnsmith" |
| address | The email address associated with an Email Address Victim Asset | String | TRUE¹ | TRUE | "[email protected]" |
| addressType | The type of Email Address Victim Asset | String | FALSE | TRUE | "Corporate email" |
| associatedGroups | A list of Groups associated to the Victim Asset | Group Object | FALSE | TRUE | {"data": [{"id": 12345}]}; {"data": [{"name": "Bad Adversary", "type": "Adversary"}]} |
| networkType | The type of Network Account Victim Asset | String | FALSE | TRUE | "Company network" |
| phone | The phone number associated with a Phone Victim Asset | String | TRUE¹ | TRUE | "0123456789" |
| socialNetwork | The type of Social Account Victim Asset | String | FALSE | TRUE | "Twitter" |
| type² | The type of Victim Asset being created | String | TRUE | FALSE | "EmailAddress", "NetworkAccount", "Phone", "SocialNetwork", or "WebSite" |
| victimId | The ID of the Victim to which the Victim Asset should be added | Integer | TRUE | FALSE | 1, 2, 3 |
| website | The website address associated with a Website Victim Asset | String | TRUE¹ | TRUE | "http://examplesite.com" |

1: This field is required only if creating a Victim Asset that matches the type listed in the Description column.

2: The following are accepted values for the type field:

  • EmailAddress
  • NetworkAccount
  • Phone
  • SocialNetwork
  • WebSite

Include Additional Fields in Responses

When creating, retrieving, or updating data, you can use the fields query parameter to include additional fields in the API response that are not included by default.

Send the following request to retrieve a list of fields you can include in responses returned from the /v3/victimAssets endpoint:

OPTIONS /v3/victimAssets/fields

Filter Results

When retrieving data, you can use the tql query parameter to filter results with ThreatConnect Query Language (TQL).

Send the following request to retrieve a list of valid TQL parameters you can use when including the tql query parameter in a request to the /v3/victimAssets endpoint:

OPTIONS /v3/victimAssets/tql

Create Victim Assets

The following example illustrates the basic format for creating a Victim Asset:

POST /v3/victimAssets
Content-Type: application/json

{
    "type": "Victim Asset type goes here",
    "victimId": 12345,
    // additional fields for the selected Victim Asset type
}

For example, the following request will create a Phone Victim Asset and add it to the Victim with ID 2:

POST /v3/victimAssets
Content-Type: application/json

{
    "phone": "0123456789",
    "type": "Phone",
    "victimId": 2
}

Response:

{
    "data": {
        "id": 4,
        "type": "Phone",
        "victimId": 2,
        "phone": "0123456789",
        "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=2"
    },
    "message": "Created",
    "status": "Success"
}

Refer to the Available Fields section for a list of available fields that can be included in the body of a POST request to the /v3/victimAssets endpoint.

Retrieve Victim Assets

Retrieve All Victim Assets

Send the following request to retrieve data for all Victim Assets:

GET /v3/victimAssets

Response:

{
    "data": [
        {
            "id": 4,
            "type": "Phone",
            "victimId": 2,
            "phone": "0123456789",
            "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=2"
        },
        {
            "id": 3,
            "type": "WebSite",
            "victimId": 2,
            "website": "somewebsite.com",
            "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=2"
        },
        {...}
    ],
    "status": "Success"
}

Retrieve a Specific Victim Asset

Send a request in the following format to retrieve data for a specific Victim Asset:

GET /v3/victimAssets/{victimAssetId}

For example, the following request will retrieve data for the Victim Asset whose ID is 3:

GET /v3/victimAssets/3

Response:

{
    "data": {
        "id": 3,
        "type": "WebSite",
        "victimId": 2,
        "website": "somewebsite.com",
        "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=2"
    },
    "status": "Success"
}

Update Victim Assets

The following example illustrates the basic format for updating a Victim Asset:

PUT /v3/victimAssets/{victimAssetId}
Content-Type: application/json

{
    {updatedField}: {updatedValue}
}

For example, the following request will perform the following actions for the Victim Asset whose ID is 3:

  • Create an Incident Group named Bad Incident and associate it to the Victim Asset
  • Update the website associated with the Victim Asset

Hint: To include the associatedGroups field in the API response, append ?fields=groups to the end of the request URL.

PUT /v3/victimAssets/3
Content-Type: application/json

{
    "associatedGroups": {
        "data": [
            {
                "name": "Bad Incident",
                "type": "Incident"
            }
        ]
    },
    "website": "hackerwebsite.com"
}

Response:

{
    "data": {
        "id": 3,
        "type": "WebSite",
        "victimId": 2,
        "website": "hackerwebsite.com",
        "webLink": "https://app.threatconnect.com/auth/victim/victim.xhtml?victim=2"
    },
    "message": "Updated",
    "status": "Success"
}

Refer to the Available Fields section for a list of available fields that can be included in the body of a PUT request to the /v3/victimAssets endpoint.

Hint: When updating a Victim Asset, you can use the mode field within the associatedGroups field to associate Groups to and dissociate them from the Victim Asset. See Update an Object's Metadata for instructions on using the mode field.
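
The rules in the Available Fields table (one required field per type on creation, type and victimId not updatable) can be checked before a POST or PUT body is sent. The following Python is an added example, not ThreatConnect code; the function names are hypothetical, and rejecting fields that belong to a different type is an assumed client-side policy, since this page does not document how the server treats them.

```python
import json

# Transcribed from the Available Fields table: the field each type requires on
# creation (footnote 1) and its optional descriptor. Pairing a descriptor with
# a type is inferred from the field descriptions.
TYPE_FIELDS = {
    "EmailAddress": ("address", "addressType"),
    "NetworkAccount": ("accountName", "networkType"),
    "Phone": ("phone", None),
    "SocialNetwork": ("accountName", "socialNetwork"),
    "WebSite": ("website", None),
}
NOT_UPDATABLE = {"type", "victimId"}  # "Updatable?" is FALSE in the table


def _check_fields(asset_type, fields):
    """Reject unknown types and fields that belong to another type.
    Assumption: strict client-side policy; server behaviour is not documented here."""
    if asset_type not in TYPE_FIELDS:
        raise ValueError(f"unknown Victim Asset type: {asset_type!r}")
    required, descriptor = TYPE_FIELDS[asset_type]
    allowed = {required, descriptor, "associatedGroups"} - {None}
    extra = set(fields) - allowed
    if extra:
        raise ValueError(f"not valid for {asset_type}: {sorted(extra)}")
    return required


def build_create_body(asset_type, victim_id, **fields):
    """JSON body for POST /v3/victimAssets."""
    required = _check_fields(asset_type, fields)
    if isinstance(victim_id, bool) or not isinstance(victim_id, int):
        raise ValueError("victimId must be an integer")
    if not fields.get(required):
        raise ValueError(f"{asset_type} requires a non-empty {required!r}")
    return json.dumps({"type": asset_type, "victimId": victim_id, **fields}, sort_keys=True)


def build_update_body(asset_type, **fields):
    """JSON body for PUT /v3/victimAssets/{victimAssetId}."""
    blocked = NOT_UPDATABLE & set(fields)
    if blocked:
        raise ValueError(f"not updatable: {sorted(blocked)}")
    _check_fields(asset_type, fields)
    if not fields:
        raise ValueError("nothing to update")
    return json.dumps(fields, sort_keys=True)
```
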

Delete Victim Assets

Send a request in the following format to delete a Victim Asset:

DELETE /v3/victimAssets/{victimAssetId}

For example, the following request will delete the Victim Asset whose ID is 1:

DELETE /v3/victimAssets/1

Response:

{
    "message": "Deleted",
    "status": "Success"
}

Associations

For instructions on creating and managing associations for Victim Assets, see Create and Manage Associations.