Mallory provides a robust source of cyber and threat intelligence. Use this MCP Server to enable your agents with real-time cyber threat intelligence and detailed information about vulnerabilities, threat actors, malware, techniques and other cyber-relevant entities and content.
Tools
get_exploitation
Get a specific exploitation.

Use this to look up exploitation data when you want to know if a vulnerability has been exploited in the wild, and who detected the exploitation. This function retrieves detailed information about a specific exploitation incident using its unique identifier.

Args:
    identifier (str): The unique UUID of the exploitation to retrieve.
        Example format: "123e4567-e89b-12d3-a456-426614174000"

Returns:
    Dict[str, Any]: Dictionary containing detailed exploitation data including:
        - uuid: Unique identifier for the exploitation
        - begins_at: When the exploitation was first observed
        - ends_at: When the exploitation activity ended
        - count: Number of exploitation occurrences detected
        - detection_signature_uuid: UUID of the detection signature
        - detection_signature_name: Name of the detection signature
        - detection_signature_source: Source of the detection (e.g., vendor, tool)
        - detection_signature_method: Method used for detection
        - created_at: When this record was created
        - updated_at: When this record was last updated
list_exploitations
Get exploitation data.

Use this to look up exploitation data when you want to know if vulnerabilities have been exploited in the wild, and who detected the exploitations. This function retrieves a list of exploitation incidents with filtering and sorting options. The data can help identify:
    - Recent exploitations in the wild
    - Which detection signatures identified the exploitations
    - Frequency of exploitation activities (count)
    - Timeframes of exploitation activities

Args:
    offset (int, optional): The number of items to skip before starting to collect the result set. Defaults to 0.
    limit (int, optional): The maximum number of items to return. Minimum value is 1. Defaults to 10 (API default is 100).
    sort (str, optional): Field to sort by - either 'count', 'created_at', or 'updated_at'. Defaults to 'created_at'.
    order (str, optional): Sort order - either 'asc' or 'desc'. Defaults to 'desc'.

Returns:
    Dict[str, Any]: Dictionary containing:
        - data: List of exploitation records with fields including:
            - uuid
            - begins_at
            - ends_at
            - count
            - detection_signature_uuid
            - detection_signature_name
            - detection_signature_source
            - detection_signature_method
            - created_at
            - updated_at
get_threat_actor
Get threat actor by identifier.

Use this tool when you need detailed intelligence about a specific threat actor or advanced persistent threat (APT) group. This information is valuable for:
    - Understanding the tactics, techniques, and procedures (TTPs) of threat actors
    - Researching who might be behind a security incident
    - Evaluating the sophistication level of potential adversaries
    - Gathering threat intelligence for security briefings
    - Understanding which sectors or regions a threat actor typically targets

Args:
    identifier (str): The identifier of the threat actor - can be either:
        - UUID (e.g., "a9b46d37-42b8-4b27-8b69-583dbcb2f5e1")
        - Name (e.g., "dark_cloud_shield")

Returns:
    Dict[str, Any]: Detailed threat actor information including:
        - uuid: Unique identifier for this threat actor
        - name: Machine-readable name (typically lowercase with underscores)
        - display_name: Human-readable name with proper formatting
        - created_at/updated_at/enriched_at: Timestamps for record management
        - gen_description: Generated description (if available)
        - mentions: List of references to this threat actor from various sources, each containing:
            - uuid: Unique identifier for this mention
            - overview: Summary of the threat actor's activities from this source
            - published_at: When the source material was published
            - collected_at: When this mention was collected
            - reference_url: URL of the source material
            - reference_source: Name of the source (e.g., "talos_intelligence_blog")
            - reference_user_generated_content: Whether this is user-generated content
            - Other metadata about the mention and reference

    These mentions provide valuable context about the threat actor's:
        - Known attack vectors and exploited vulnerabilities
        - Target sectors, regions, or organizations
        - Tools and malware used
        - Attribution confidence and alternate names
list_threat_actors
Get threat actors.

Use this tool when you need to search, browse, or list multiple threat actors. This is particularly useful for:
    - Discovering recently added threat actors in the database
    - Searching for specific threat actors by name
    - Creating reports on threat actor landscapes
    - Building comprehensive threat intelligence briefings
    - Comparing multiple threat actors

Args:
    filter (str, optional): A string used to filter threat actors. It can start with specific prefixes:
        * `name:`: Filter by Name.
        * `uuid:`: Filter by UUID.
        * If no prefix is provided, it defaults to a name filter.
        Defaults to "".
    offset (int, optional): The number of items to skip before starting to collect the result set. Defaults to 0.
    limit (int, optional): The maximum number of items to return. Minimum value is 1. Defaults to 10 (API default is 100).
    sort (str, optional): Field to sort by - either 'name', 'created_at', or 'updated_at'. Defaults to 'created_at'.
    order (str, optional): Sort order - either 'asc' or 'desc'. Defaults to 'desc'.

Returns:
    Dict[str, Any]: Dictionary containing:
        - total: Total number of threat actors matching the filter criteria
        - offset: Current pagination offset
        - limit: Number of items returned per page
        - message: Status message (usually null when successful)
        - data: List of threat actor records, each containing:
            - uuid: Unique identifier for the threat actor
            - name: Machine-readable name (typically lowercase with underscores)
            - display_name: Human-readable name with proper formatting
            - gen_description: Generated description (if available)
            - misp_uuid: Reference ID in MISP (Malware Information Sharing Platform)
            - created_at: Timestamp when this record was first added
            - updated_at: Timestamp when this record was last modified
            - enriched_at: Timestamp when this record was last enriched with additional data

Note: This function returns summary information about threat actors. To get detailed information including mentions and intelligence sources for a specific threat actor, use the get_threat_actor() function with the uuid or name.
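As an added example (not code from the Mallory server or this page), the helper below shows how an agent-side caller can drive the list tools correctly: it builds the `filter` argument with the documented `name:`/`uuid:` prefixes, rejects sort, order and limit values the tools do not accept, and walks `list_threat_actors` page by page using the returned `total`. It assumes a caller-supplied `call_tool(name, arguments)` function that forwards a tool call to the MCP server and returns its dict result; the client transport itself is not defined on this page.

```python
import uuid
from typing import Any, Callable, Dict, Iterator

# Assumed: the agent framework supplies a callable that forwards a tool
# invocation to the Mallory MCP server and returns the result dict.
ToolCaller = Callable[[str, Dict[str, Any]], Dict[str, Any]]

# Sort fields documented for each list tool, plus the shared order values.
LIST_SORTS = {
    "list_threat_actors": {"name", "created_at", "updated_at"},
    "list_exploitations": {"count", "created_at", "updated_at"},
}
ORDERS = {"asc", "desc"}


def actor_filter(value: str) -> str:
    """Build the `filter` argument for list_threat_actors.

    Explicit `name:`/`uuid:` prefixes pass through; a bare value that parses
    as a UUID gets `uuid:`, anything else gets `name:` (the server default).
    """
    value = value.strip()
    if value.startswith(("name:", "uuid:")):
        return value
    try:
        uuid.UUID(value)
        return f"uuid:{value}"
    except ValueError:
        return f"name:{value}"


def list_args(tool: str, offset: int = 0, limit: int = 10,
              sort: str = "created_at", order: str = "desc") -> Dict[str, Any]:
    """Validate pagination and sort arguments against the documented choices."""
    if sort not in LIST_SORTS[tool]:
        raise ValueError(f"{tool}: sort must be one of {sorted(LIST_SORTS[tool])}")
    if order not in ORDERS:
        raise ValueError("order must be 'asc' or 'desc'")
    if offset < 0 or limit < 1:
        raise ValueError("offset must be >= 0 and limit >= 1")
    return {"offset": offset, "limit": limit, "sort": sort, "order": order}


def iter_threat_actors(call_tool: ToolCaller, query: str = "",
                       page_size: int = 10) -> Iterator[Dict[str, Any]]:
    """Yield every matching actor, paging until `total` records have been seen."""
    offset = 0
    while True:
        args = list_args("list_threat_actors", offset=offset, limit=page_size)
        args["filter"] = actor_filter(query) if query else ""
        page = call_tool("list_threat_actors", args)
        records = page.get("data") or []
        yield from records
        offset += len(records)
        if not records or offset >= page.get("total", 0):
            return
```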