The threat endpoint lets you retrieve threat information, view and summarize linked indicators, and understand how individual observables connect to broader malicious activity.

What Threats Represent

Threats represent higher-level entities such as malware families, adversary groups, or campaigns. They provide context that ties indicators together and describes the activity they support. Threats may include:
  • Names, aliases, and descriptive details
  • Risk and classification information
  • Relationships to indicators and feeds
Threats help you understand how individual indicators fit into broader malicious activity.

Retrieving a Threat

Retrieve threats by their ID or by their name, including common aliases. Both methods return the same threat information, making it easy to pivot from known threat names or from programmatic lookups. Retrieving a threat focuses on its descriptive and contextual data. Indicators associated with the threat can be retrieved separately.

Getting Linked Indicators

Retrieve the full list of indicators associated with a threat to analyze the underlying observables. Linked indicators help you:
  • Explore infrastructure and campaigns
  • Connect tactical indicators to strategic context
  • Investigate relationships between different data sources
Use linked indicator retrieval to investigate threat-related indicators without re-downloading the threat’s descriptive information.
The Pulsedive API automatically breaks large result sets into pages when you request linked indicators from threats or feeds. Free API users can access only the first page of results per request.

Getting Indicator Summaries

Threats often link to many indicators. Summary views make it possible to quickly understand the scope of a threat by providing aggregated counts or distributions of linked indicators. These summaries can help you:
  • Gauge the breadth of activity related to a threat
  • Prioritize investigation
  • Identify spikes or concentrations in indicator activity
Use summaries to get a high-level view of threat scope and prioritize which indicators to investigate in detail.