Facebook ThreatExchange

This article describes the Intelligence Card Extension for Facebook Threat Exchange.


About Facebook ThreatExchange

Facebook ThreatExchange is an API-based platform for sharing security threat information. It was launched in February 2015 as a forum for threat information sharing among security professionals and organizations. More about the founding vision can be found in the introductory blog post by Mark Hammell, Manager of the Threat Infrastructure team at Facebook.

To use this extension, you must obtain a ThreatExchange App Secret and App ID.

Please also see the Getting Started With Intelligence Card Extensions page if you're interested in enabling this extension, and the linked instructions for getting ThreatExchange-specific API access.

The extension is available on several intelligence card types:

  • domain
  • hash
  • IP address
  • malware
  • vulnerability

With the introduction of 'on the fly' intelligence cards for any entity type in Recorded Future, the extension was revised to also search for content for the following additional intelligence card types:

  • Airport
  • AS Number
  • Attack Vector
  • Company
  • Continent
  • Country
  • Filename
  • Province or State
  • Source
  • URL

Any information flagged TLP: White or TLP: Green is included in the response. TLP: Amber data specific to your organization is also presented in the results.

Extending IP Address Intelligence Cards

You can enrich any IP Intelligence Card with the following threat intelligence from Facebook ThreatExchange:

  • IOC Type
  • TLP status
  • IOC Description
  • Threat Level and Confidence
  • Review Status
  • Add Date
  • Owner info
  • Tags
  • Reactions

[note: the extension is set up to autorun when an intelligence card is opened]

[caption: when expanded, this extension may yield a list of many threat descriptors]

Extending Domain Intelligence Cards

You can enrich any Domain Intelligence Card with the following threat intelligence from Facebook ThreatExchange:

  • IOC Type
  • TLP status
  • IOC Description
  • Threat Level and Confidence
  • Review Status
  • Add Date
  • Owner info
  • Tags
  • Reactions


Extending Hash Intelligence Cards

You can enrich any Hash Intelligence Card with the following threat intelligence from Facebook ThreatExchange:

  • TLP status
  • (Hash) Status
  • Review Status
  • Add Date
  • MD5 Hash
  • SHA1 Hash
  • SHA256 Hash
  • SSDeep Hash
  • Reactions

You can pivot in Recorded Future on the different hashes in the response.


Extending Vulnerability Intelligence Cards

You can enrich any Vulnerability Intelligence Card with the following threat intelligence from Facebook ThreatExchange:

  • Links to sources with information about the vulnerability
  • IOC Type
  • TLP status
  • Threat Level and Confidence
  • Review Status
  • Add Date
  • Owner info
  • Tags
  • Reactions


Extending Malware Cards

You can enrich any Malware Intelligence Card with the following threat intelligence from Facebook ThreatExchange:

  • TLP status
  • Status
  • Review Status
  • Add Date
  • MD5 Hash
  • SHA1 Hash
  • SHA256 Hash
  • SSDeep Hash
  • Reactions

You can pivot in Recorded Future on the different hashes in the response.


Additional notes:

In cases where Facebook ThreatExchange has a large number of entries, only the most recent 25 results per category are displayed.
