Threat Grid Documentation - Main API
Threat Grid Documentation - Main API
Contents
Intro
API Access
Authentication
JSON Response Format
Pagination
Error Handling
Experimental API Calls
Samples API
Sample Info Record
Samples API Endpoint Summary Table
Submission
POST /samples
Querying Samples
GET /samples
GET /samples/ID
GET /samples/ID/state
POST/GET /samples/state
Samples Search API
GET /samples/search
Analysis Results
GET /samples/ID/video.webm
GET /samples/ID/analysis.json
GET /samples/ID/processes.json
GET /samples/ID/network.pcap
GET /samples/ID/warnings.json
GET /samples/ID/summary
GET /samples/ID/threat
GET /samples/ID/report.html
GET /samples/id/sample.zip
Access to Specic Elements of analysis.json
GET /samples/ID/analysis/iocs
GET /samples/ID/analysis/iocs/IOC
GET /samples/ID/analysis/network_streams
GET /samples/ID/analysis/network_streams/NSID
GET /samples/ID/analysis/artifacts
GET /samples/ID/analysis/artifacts/AID
GET /samples/ID/analysis/processes
GET /samples/ID/analysis/processes/PID
GET /samples/ID/analysis/annotations
GET /samples/ID/analysis/metadata
Indicator of Compromise Feeds
IP Address Feed - GET /iocs/feeds/ips
Domain/Hostname Feed - GET /iocs/feeds/domains
URL Feed - GET /iocs/feeds/urls
Artifact Feed - GET /iocs/feeds/artifacts
Path Feed - GET /iocs/feeds/paths
Network Stream Feed - GET /iocs/feeds/network_streams
Registry Key Feed - GET /iocs/feeds/registry_keys
Sample Feeds
GET /samples/feeds/paths
GET /samples/feeds/checksums
GET /samples/feeds/domains
GET /samples/feeds/ips
Entity Search
Get /search/registry-keys
GET /search/paths
GET /search/ips
GET /search/domains
GET /search/artifacts
GET /search/samples
GET /search/urls
https://panacea.threatgrid.com/doc/main/api.html#post-samples 1/29
2/21/2017 Threat Grid Documentation
Entity Queries
GET /domains/NAME
GET /paths/ID
GET /registry_keys/ID
GET /registry_keys/ID/name/ID
GET /urls/id
GET /artifacts/ID
GET /artifacts/ID/threat
GET /artifacts/ID/download
Flags - GET /ENTITY-PATH/ags
Tags
GET /ENTITY-PATH/tag
POST /ENTITY-PATH/tag
DELETE /ENTITY-PATH/tag/TAG
Federation
GET /samples/feeds/federated
GET /samples/ID/federated.json
GET /samples/ID/Federated.dijon
Intro
API Access
ALL API Access is done over HTTPS, and the URLs start with:
https://<threatgridurl>/api/v2/
Authentication
All API responses are JSON objects; that includes errors. The form of
these objects is:
https://panacea.threatgrid.com/doc/main/api.html#post-samples 2/29
2/21/2017 Threat Grid Documentation
api_version String identifying the API version
error JSON object representing an error; if present, there will be no data object.
* message A user readable message describing the rst error.
* code A numeric code identifying the rst error.
* errors A list of error objects:
* code The numeric code for this error.
* message The user readable message describing this error.
* report (optional) A URL or email address to report the error to.
* help (optional) A URL for user documentation regarding this error.
Pagination
Most of these API requests can return very large data sets, so
pagination/segmentation of the results is implied in each API call.
When a request is made, a default per page value will be used.
Users can override it, up to a ceiling value we pick.
All calls which return multiple results will support the following
parameters to control pagination:
Parameter
Description
Name
limit The most results to be returned in the response. The server will put a cap
on this value as well.
Error Handling
https://panacea.threatgrid.com/doc/main/api.html#post-samples 3/29
2/21/2017 Threat Grid Documentation
Since we are experimenting with exposing as much of our data model as
we can, we are going to be explicit in which parts of the API we
consider stable, and which parts we consider experimental.
Samples API
The core entity of ThreatGRID is the sample, a piece of malware
subjected to analysis. A piece of malware can be submitted multiple
times, and that will produce multiple samples. This is because sample
behavior often changes over time as malware interacts with the network
at large.
Sample Info
Description
Field
id The sample ID, globally unique, and the canonical identier of this
sample analysis
filename The lename for the sample, as provided or derived from the
submission
state The state of the sample, one of a stable set of strings pending,
running, succ, proc, fail, prep, wait, run
private If the sample is marked private, will have the boolean value, true.
submitted\_at The time at which the sample was submitted (ISO 8601)
started\_at The time the sample analysis was started (ISO 8601)
completed\_at The time the sample analysis was completed (ISO 8601)
The following elds are guaranteed to be present: id, submission_id, submitted_at, lename, state, sha256
https://panacea.threatgrid.com/doc/main/api.html#post-samples 4/29
2/21/2017 Threat Grid Documentation
Example
{
"timestamp":"2012-04-19T04:11:01-0500",
"state":"succ",
"started_at":"2012-04-19T04:00:55-0500",
"os":"",
"osver":"",
"submission_id":45212,
"filename":"a18e507b000ca0aa3d6ef2ffb67a6fa5",
"submitted_at":"2012-04-19T03:58:37-0500",
"id":"6042aae978338b8b52fbed9bf781490c",
"completed_at":"2012-04-19T04:11:05-0500",
"sha256":"b53cb9792e0ad3327425e2d744a2fb4821f1c3fd815fa0a63781c4d5602ef4f8"
}
https://panacea.threatgrid.com/doc/main/api.html#post-samples 5/29
2/21/2017 Threat Grid Documentation
Submission
POST /samples
https://panacea.threatgrid.com/doc/main/api.html#post-samples 6/29
2/21/2017 Threat Grid Documentation
Submits a sample to ThreatGRID for analysis. The request parameters
should be encoded as multipart/form-data .
Parameters
Name Description
private if present, and set to any value but false the sample will be marked private
Returns
{
"state":"wait",
"os":"Unknown",
"osver":"Unknown",
"private":true,
"submission_id":1017050,
"filename":"trojan.exe",
"submitted_at":"2012-09-21T16:02:29-0500",
"id":"a3be3d3ed51a7ba60cd2e02c241cd4ac",
"sha256":"41e86455faa9a3dac193bdc95f74959d5ac9c05c64211e7e6e2d9d6b99a5ee3f"
}
Querying Samples
GET /samples
Params
https://panacea.threatgrid.com/doc/main/api.html#post-samples 7/29
2/21/2017 Threat Grid Documentation
Name Description
sha256 A sha256 of the submitted sample, only matches samples, not their
artifacts
id a sample ID
Returns
A JSON response with a list of sample info objects as the data. The
list is ordered by submission data, descending (most recent rst).
GET /samples/ID
Parameters
Name Description
id The sample ID
https://panacea.threatgrid.com/doc/main/api.html#post-samples 8/29
2/21/2017 Threat Grid Documentation
Returns
GET /samples/ID/state
Parameters
Name Description
ID The sample ID
Returns
POST/GET /samples/state
Parameters
Name Description
Returns
A JSON response with a list of {sample: ID state: STATE status: STATUS} objects as the data.
The Sample Search API is provided to let users search for samples
which have a relationship to another entity, such as an IP address, a
checksum for an artifact, or a hostname.
https://panacea.threatgrid.com/doc/main/api.html#post-samples 9/29
2/21/2017 Threat Grid Documentation
GET /samples/search
Restricted Scopes
org_only If true, will only match against samples submitted by your organization
Checksum
Path
path Match any path modied by the sample, including its own lename.
https://panacea.threatgrid.com/doc/main/api.html#post-samples 10/29
2/21/2017 Threat Grid Documentation
URL
Registry Key
registry_key Match any registry key name created, modied, or deleted by the
sample.
Domain/Hostname
IP
ip_dst Match any IP that was the the destination of a network stream
https://panacea.threatgrid.com/doc/main/api.html#post-samples 11/29
2/21/2017 Threat Grid Documentation
IOC
An IOC/BI (Indicator of Compromise/Behavioral Indicator) query term must match an IOC name.
Query
Description
Term
ioc The IOC name or title. To search for a partial match, use the % character as a
wildcard.
Tags
Query
Description
Term
tag The tag name or title. To search for a partial match, use the % character as a
wildcard.
Returns
match_term The query term type which matched the sample, eg ip. The value will be
the matched value.
relation The relation to the sample, specic to the match type, see query terms
above.
data A JSON data structure, specic to the match type, see query terms above.
Analysis Results
GET /samples/ID/video.webm
https://panacea.threatgrid.com/doc/main/api.html#post-samples 12/29
2/21/2017 Threat Grid Documentation
Requests the samples display output, transcoded to WEBM format. May
only be used with samples with a state of succ. Future revisions may
provide support for fail samples. This returns the WEBM stream, as
video/webm content-type.
GET /samples/ID/analysis.json
GET /samples/ID/processes.json
GET /samples/ID/network.pcap
GET /samples/ID/warnings.json
GET /samples/ID/summary
GET /samples/ID/threat
GET /samples/ID/report.html
GET /samples/ID/sample.zip
https://panacea.threatgrid.com/doc/main/api.html#post-samples 13/29
2/21/2017 Threat Grid Documentation
GET /samples/ID/analysis/iocs
GET /samples/ID/analysis/iocs/IOC
GET /samples/ID/analysis/network_streams
GET /samples/ID/analysis/network_streams/NSID
GET /samples/ID/analysis/artifacts
GET /samples/ID/analysis/artifacts/AID
Returns a JSON object, which is a summary of the static analysis of this artifact.
GET /samples/ID/analysis/processes
Returns a JSON object whose attributes are PIDs, and whose values are
process summaries.
https://panacea.threatgrid.com/doc/main/api.html#post-samples 14/29
2/21/2017 Threat Grid Documentation
GET /samples/ID/analysis/processes/PID
Returns a JSON object, which is the process summary of the specied PID.
GET /samples/ID/analysis/annotations
GET /samples/ID/analysis/metadata
IP Address Feed
GET /iocs/feeds/ips
Params
Record
ip The IP address
port OPTIONAL The destination port on the IP address associated with the IOC
reverse_lookup OPTIONAL The hostname returned by a reverse lookup of this IP at sample runtime
city OPTIONAL The city associated with this IP in a GeoIP database
country OPTIONAL The country associated with this IP in a GeoIP database
timestamp The timestamp (ISO 8601) when this IOC occured
ioc The IOC name
condence The IOC condence (see IOC documentation for details)
severity The IOC severity (see IOC documentation for details)
sample_id The ID of the sample that generated this IOC
https://panacea.threatgrid.com/doc/main/api.html#post-samples 15/29
2/21/2017 Threat Grid Documentation
sample_sha256 The sha256 hash of the sample that generated this IOC.
Domain/Hostname Feed
GET /iocs/feeds/domains
Params
Record
URL Feed
GET /iocs/feeds/urls
Params
https://panacea.threatgrid.com/doc/main/api.html#post-samples 16/29
2/21/2017 Threat Grid Documentation
user_only If true, will only match against samples you submitted
sample A comma-separated list of sample IDs. Restrict results to these samples.
Record
Artifact Feed
GET /iocs/feeds/artifacts
Params
Record
Path Feed
https://panacea.threatgrid.com/doc/main/api.html#post-samples 17/29
2/21/2017 Threat Grid Documentation
GET /iocs/feeds/paths
Params
Record
path The path the artifact was found at, may be partial or empty
timestamp The timestamp (ISO 8601) when this IOC occured
ioc The IOC name
condence The IOC condence (see IOC documentation for details)
severity The IOC severity (see IOC documentation for details)
sample_id The ID of the sample that generated this IOC
sample_sha256 The sha256 of the sample that generated this IOC
GET /iocs/feeds/network_streams
Params
Record
https://panacea.threatgrid.com/doc/main/api.html#post-samples 18/29
2/21/2017 Threat Grid Documentation
condence The IOC condence (see IOC documentation for details)
severity The IOC severity (see IOC documentation for details)
sample_id The ID of the sample that generated this IOC
sample_sha256 The sha256 of the sample that generated this IOC
GET /iocs/feeds/registry_keys
Params
Record
Sample Feeds
A sample feed is a straight dump of sample information, with no tie to
indicators of compromise, or other analysis of its maliciousness.
GET /samples/feeds/paths
https://panacea.threatgrid.com/doc/main/api.html#post-samples 19/29
2/21/2017 Threat Grid Documentation
Params
Returns
{
"api_version": 2,
"id": 5111262
"data": {
"current_item_count": 2,
"index": 0,
"items": [
{
"data": {
"artifacts": [
{
"aid": 13,
"sha256": "2eea7f88077bd134c2412d2e18bf63417bc6595ca1bcc92700bda037367182fe"
}
]
},
"path": "\\Documents and Settings\\Joe Maldive\\NTUSER.DAT",
"relation": "artifact",
"sample": "37df001fae491c6195e10e131b38ee8e",
"ts": "2391-11-23T09:36:30-0600"
},
{
"data": {
"artifacts": [
{
"aid": 27,
"sha256": "fa1e9645152d5f9510fe9a00cdfd63fe160be70ff094d5205c7a3161c981f921"
}
]
},
"path": "\\WINDOWS\\system32\\config\\software.LOG",
"relation": "artifact",
"sample": "37df001fae491c6195e10e131b38ee8e",
"ts": "2391-11-23T09:36:30-0600"
}
],
"items_per_page": 2
},
}
GET /samples/feeds/checksums
https://panacea.threatgrid.com/doc/main/api.html#post-samples 20/29
2/21/2017 Threat Grid Documentation
recovered from the lesystem. In this case the data eld will be
Artifact ID. A sample relation means it was the submitted sample
data eld will be empty.
Params
Returns
{
"api_version": 2,
"id": 7312922
"data": {
"current_item_count": 2,
"index": 0,
"items": [
{
"data": {
"artifact-ids": [
22
]
},
"checksum": "5b3d171306707acab2d5681d171ca3784a53a1c1"
"relation": "artifact",
"sample": "ea7395f5ced420ea95394b8c204d83d8",
"ts": "2392-07-20T22:13:30-0500",
"type": "sha1"
},
{
"data": {
"artifact-ids": [
20
]
},
"relation": "artifact",
"checksum": "f3f824a57a7cb5b9e7f12bfe146dbf9179797df59e55624df62d3cbb3a20bb48"
"sample": "ea7395f5ced420ea95394b8c204d83d8",
"ts": "2392-07-20T22:13:30-0500",
"type": "sha256"
}
],
"items_per_page": 2
},
}
GET /samples/feeds/domains
https://panacea.threatgrid.com/doc/main/api.html#post-samples 21/29
2/21/2017 Threat Grid Documentation
This is a feed of all the domains seen during the analysis of samples.
The relation eld indicates the source of the path. A dns-lookup
relation means this domain was part of a DNS query, and the data eld
will contain the answers associated with the query. An
http-requests relation indicates the domain was seen as part of a
URL in one or more HTTP requests. The data will be the network stream
ID and http transaction IDs it was seen in, as well as the URL.
Params
Returns
{
"api_version": 2,
"id": 132171
"data": {
"current_item_count": 2,
"index": 0,
"items": [
{
"data": {
"answers": [
"83.133.119.197"
]
},
"domain": "proxim.ircgalaxy.pl",
"relation": "dns-lookup",
"sample": "37df001fae491c6195e10e131b38ee8e",
"ts": "2391-11-23T09:36:30-0600"
},
{
"data": [
{
"nsid": 7,
"tid": 0,
"url": "http://www.sedfr56.com:80/plkoi75.txt"
},
{
"nsid": 8,
"tid": 0,
"url": "http://www.sedfr56.com:80/temp/fast.exe"
}
],
"domain": "www.sedfr56.com",
"relation": "http-requests",
"sample": "37df001fae491c6195e10e131b38ee8e",
"ts": "2391-11-23T09:36:30-0600"
}
],
"items_per_page": 2
},
}
https://panacea.threatgrid.com/doc/main/api.html#post-samples 22/29
2/21/2017 Threat Grid Documentation
GET /samples/feeds/ips
This is a feed of all the domains seen during the analysis of samples.
The relation eld indicates the source of the path. A dns-lookup
relation means this IP was part of an answer to a DNS query, and the
data eld will contain the queries associated with the answer. A
network-stream-[source|destination] relation indicates the IP was
seen as the source or destination of a packet, and the data eld will
contain information about the network stream.
Params
Returns
https://panacea.threatgrid.com/doc/main/api.html#post-samples 23/29
2/21/2017 Threat Grid Documentation
{
"api_version": 2,
"id": 2187681
"data": {
"current_item_count": 2,
"index": 0,
"items": [
{
"data": {
"queries": [
{
"query": "proxim.ircgalaxy.pl",
"type": "A"
}
]
},
"ip": "83.133.119.197/32",
"relation": "dns-lookup",
"sample": "37df001fae491c6195e10e131b38ee8e",
"ts": "2391-11-23T09:36:30-0600"
},
{
"data": {
"network-streams": [
2,
1
]
},
"ip": "22.31.45.6/32",
"relation": "network-stream-destination",
"sample": "37df001fae491c6195e10e131b38ee8e",
"ts": "2391-11-23T09:36:30-0600"
}
],
"items_per_page": 2
},
}
<a name=entity-search-api
GET /search/registry_keys
GET /search/paths
https://panacea.threatgrid.com/doc/main/api.html#post-samples 24/29
2/21/2017 Threat Grid Documentation
tag - paths with a given tag
GET /search/ips
GET /search/domains
GET /search/artifacts
ip - search by IP
url - search by URL
sha256 - search by sha256 hash
md5 - search by MD5 hash
sha1 - search by SHA1 hash
mime-type - search by MIME type
magic-type - search by magic type
path - search by path
source - search by source
tag - search by tag
GET /search/samples
https://panacea.threatgrid.com/doc/main/api.html#post-samples 25/29
2/21/2017 Threat Grid Documentation
path_artifact - search by artifact name
path_deleted - search by path names that were deleted
url - search by url
registry_key - search by registry key accessed
domain - search by domain name
domain_dns_lookup - search by domain name used for DNS lookups
domain_http_request - search by domain name used in HTTP request
ip - search by IP address
ip_dns_lookup - search by IP address returned in DNS lookup
ip_src - search by network stream source IP address
ip_dst - search by network stream destination IP address
tag - search by sample tag
GET /search/urls
Entity Queries
GET /domains/NAME
Returns information for a domain, by name. The data elds returned are:
domain - the domain name
sha256 - the SHA256 hash of the domain
md5 - the MD5 hash of the domain
GET /paths/ID
GET /registry_keys/ID
https://panacea.threatgrid.com/doc/main/api.html#post-samples 26/29
2/21/2017 Threat Grid Documentation
GET /registry_keys/ID/name/ID
GET /urls/ID
Returns information on URLs, by SHA256 of the URL. The data elds returned are:
url - the an object representing the URL
url - the URL
protocol - the protocol of the URL
host - the hostname of the URL
port - the port number of the URL
path - the path of the url
query - the query string of the url
query-params - the query parameters, as a map of parameter to value
sha256 - the SHA256 hash of the key
md5 - the MD5 hash of the key
GET /artifacts/ID
GET /artifacts/ID/threat
Returns information on an artifact, including threat information. The data elds returned
include the primary artifact details along with the threat details
https://panacea.threatgrid.com/doc/main/api.html#post-samples 27/29
2/21/2017 Threat Grid Documentation
samples - an array of samples that include the artifact
iocs - a list of IOCs for the artifact
GET /artifacts/ID/download
Flags
Flags allow for blacklisting and whitelisting of entities. The following paths allow agging:
/samples/ID
/ips/IP
/domains/DOMAIN
/artifacts/SHA256
/paths/PATH
/registry_keys/KEY
/registry_keys/KEY/name/VALUENAME
/urls/SHA256
GET /ENTITY-PATH/ags
Returns a data section with a flags array of ag maps containing the following attributes:
ag - An integer. -1 for a blacklist entry, 1 for a whitelist entry.
reason - The reason text
mine - A boolean indicating ownership of the ag.
Tags
Tags can be attached to the following entity paths:
/samples/ID
/ips/IP
/domains/DOMAIN
/artifacts/SHA256
/paths/PATH
/registry_keys/KEY
/registry_keys/KEY/name/VALUENAME
/urls/SHA256
GET /ENTITY-PATH/tags
Returns a data section with a tags array of tag maps containing the following attributes:
tag - The tag name.
count - An integer, the number of times this tag has been applied.
mine - A boolean indicating the querying user has applied this tag to the entity.
POST /ENTITY-PATH/tag
Tag an entity. The posted content should contain the following parameter;
tag - The tag text
https://panacea.threatgrid.com/doc/main/api.html#post-samples 28/29
2/21/2017 Threat Grid Documentation
DELETE /ENTITY-PATH/tag/TAG
Removes a users tag of an entity. If other users have tagged the entity with the same tag, the
tag may still remain.
Federation
GET /samples/feeds/federated
GET /samples/ID/federated.json
GET /samples/ID/federated.don
All information contained in this report is condential and proprietary information belonging solely to Cisco Systems, Inc. and/or its aliates.
This document is for internal customer use only. The information contained herein may not be disclosed to a third party, in whole or in part, or otherwise stored in a retrieval system or transmitted to a third
party in any form or by any means (electronic, mechanical, reprographic, recording or otherwise) without the prior written permission of Cisco.
https://panacea.threatgrid.com/doc/main/api.html#post-samples 29/29