Actor API Introductory Guide and Response Fields
The Actor API allows you to retrieve actor dossiers for selected threat actors, which may include profile information, targets, tools, and/or darknet fingerprint. Actor Summary allows you to retrieve a list of available actor names within DarkOwl’s curated actor database.
Actor Base Search Field (name parameter)
The `name` parameter is the Base Search field for the Actor API. It is the name of the actor for which you are retrieving supplemental information. The value for this field can be any value returned in the name field of the Actor Summary response.
Actor Response Fields
Note: Individual actors may have varying amounts of information returned, depending on what is known about that actor. Not all fields may be returned for all actors; additionally, the list of returned fields is subject to change, as DarkOwl may add new returned fields when additional information becomes available.
| Field name | Description |
| --- | --- |
| name | Name of the threat actor. |
| dateUpdated | Date at which this entry was most recently updated. |
| dateFirstSeen | Date at which this threat actor was first seen. |
| dateLastSeen | Date at which this threat actor was last seen. |
| aliases | List of known aliases for this threat actor. |
| actorSize | Size of the threat actor. Options include: group, individual, unknown. |
| countries | Country or countries from which the actor is known to operate. |
| actorTypes | Descriptors for the type of threat actor group. Options include: activist, competitor, crime-syndicate, criminal, hacker, insider-disgruntled, nation-state, sensationalist, spy, terrorist. |
| leakNames | List of leak names with which the threat actor is known to be associated. |
| marketNames | List of market names on which the threat actor is known to be associated with/active. |
| forumNames | List of forum names on which the threat actor is known to be associated with/active. |
| forumMarket | List of usernames the actor is known to use on forums and/or markets. |
| keyPoints | Description/main points about the threat actor. |
| lawEnforcement | Description of any law enforcement activity related to the threat actor (if known). |
| contactInfo | Any known contact information for the threat actor. Individual objects within this field will include the type of contact and an array of strings for relevant addresses of that type. |
| paymentInfo | Any known payment information for the threat actor. Some types include: Bitcoin, Monero, PayPal. Individual objects within this field will include the type of payment and an array of strings for relevant addresses of that type. |
| websites | List of website domains that the threat actor is known to be associated with/active on. |
| socialMediaInfo | Any known social media handles for the threat actor. Individual objects within this field will include the type of payment and an array of strings for relevant addresses of that type. |
| cves | List of CVEs that the threat actor is known to be associated with/has exploited. |
| tools | List of tools that the threat actor is known to be associated with/has used. |
| actorSophistication | Description of the actor's relative sophistication level, using STIX classification. Options in increasing order of sophistication: unknown, minimal, intermediate, advanced, expert, innovator, strategic. |
| actorSpecializations | Area(s) in which the threat actor is known to specialize. For example: ransomware, espionage, exploit developer, etc. |
| targets | Any known targets of the threat actor. Individual objects within this field will include the category of the target and the name of the target. |
| isActive | Is the actor known to be currently active. |
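Because fields may be absent and new ones may appear, a consumer should normalize each dossier before using it in triage rules. The following is an added example, not DarkOwl code: it assumes the response is a JSON object keyed by the field names above with list fields as arrays of strings, and `normalize_actor`, `meets_threshold` and the sample dossier are hypothetical.

```python
import json

# Enumerations copied from the response-field table on this page.
ACTOR_SIZES = ("group", "individual", "unknown")
ACTOR_TYPES = ("activist", "competitor", "crime-syndicate", "criminal", "hacker",
               "insider-disgruntled", "nation-state", "sensationalist", "spy", "terrorist")
SOPHISTICATION = ["unknown", "minimal", "intermediate", "advanced",
                  "expert", "innovator", "strategic"]  # increasing order
KNOWN_FIELDS = set("""name dateUpdated dateFirstSeen dateLastSeen aliases actorSize
    countries actorTypes leakNames marketNames forumNames forumMarket keyPoints
    lawEnforcement contactInfo paymentInfo websites socialMediaInfo cves tools
    actorSophistication actorSpecializations targets isActive""".split())
LIST_FIELDS = ("aliases", "countries", "actorTypes", "cves", "tools")  # assumed arrays

def normalize_actor(dossier):
    """Return (record, warnings) without failing on absent or unexpected data."""
    warnings = []
    record = {"name": dossier.get("name"), "isActive": dossier.get("isActive")}
    for field in LIST_FIELDS:
        value = dossier.get(field) or []          # absent field -> empty list
        record[field] = [value] if isinstance(value, str) else list(value)
    record["actorSize"] = dossier.get("actorSize", "unknown")
    if record["actorSize"] not in ACTOR_SIZES:
        warnings.append(f"unexpected actorSize: {record['actorSize']}")
    for actor_type in record["actorTypes"]:
        if actor_type not in ACTOR_TYPES:
            warnings.append(f"unexpected actorTypes value: {actor_type}")
    level = dossier.get("actorSophistication", "unknown")
    if level not in SOPHISTICATION:
        warnings.append(f"unexpected actorSophistication: {level}")
        level = "unknown"
    record["sophisticationRank"] = SOPHISTICATION.index(level)
    extra = sorted(set(dossier) - KNOWN_FIELDS)   # fields added after this table
    if extra:
        warnings.append(f"fields not in table: {extra}")
    return record, warnings

def meets_threshold(record, minimum):
    """True when the actor's documented sophistication is at least `minimum`."""
    return record["sophisticationRank"] >= SOPHISTICATION.index(minimum)

# Constructed sample dossier (not real API output).
SAMPLE = json.loads("""{"name": "example-actor", "aliases": ["ex-actor"],
  "actorSize": "group", "actorTypes": ["criminal", "hacktivist"],
  "actorSophistication": "advanced", "riskScore": 7}""")

if __name__ == "__main__":
    rec, warns = normalize_actor(SAMPLE)
    print(rec, warns, meets_threshold(rec, "intermediate"), sep="\n")
```

Logging the warnings rather than rejecting the dossier keeps ingestion working when the returned field list changes.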