
Threat Actors API Integration Guide

Overview

The Threat Actors API integration lets your NINA workflows query your organization's internal Threat Actors API for threat actor intelligence. It exposes a single listing operation (getAll) with filters for names/aliases, IOCs, MITRE ATT&CK tactics and techniques, tools, CVEs, malware, actor types, targeted CPEs/technologies, sectors, and geographies.

This is an internal integration service used within your organization's security infrastructure.

Status

The integration supports:

  • List and Filter Threat Actors: Paginated retrieval with comprehensive filters
  • Filtering Dimensions: Name/Alias, IOCs, MITRE Tactics/Techniques, Tools, CVEs, Malware, Actor Types, CPEs/Technologies, Sectors, Geographies
  • Pagination: Page (1-based) and limit controls

Credential Configuration

This integration requires no authentication; the only setting is the service domain. Because the API itself does not authenticate callers, access control rests entirely on network reachability of the internal endpoint: make sure the service is reachable only from trusted internal networks, and treat the domain value as configuration that should not be changed without review. The default example uses plain http://, so requests and the intelligence returned travel unencrypted; if your deployment exposes the service over https, prefer that URL.

Authentication Method

No Authentication Required

Field     Description                                Example
Domain    Domain of the Threat Actors API service    http://api.threatactors.com

How to obtain your Domain:

  1. Contact your organization's security admin for access
  2. Request the internal Threat Actors API domain
  3. Ensure network access to the service (internal)
  4. Use the default domain http://api.threatactors.com or your custom endpoint

Supported Resources and Operations

Threat Actors

Operation   Name                             Description
getAll      List and filter threat actors    Retrieve a paginated list of threat actors with comprehensive filtering

Parameter Merging

Parameters are merged from:

  1. Node parameters (highest precedence)
  2. Extracted parameters from input data
  3. Full input data
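As an added illustration of the precedence above (example code written for this guide, not the NINA integration's own merge code), the helper below combines the three sources so that node parameters win over extracted parameters, which in turn win over the full input data. It assumes every source is JSON-object shaped and that nested objects such as filters and pagination merge key by key; the guide states only the precedence order, so the deep-merge behaviour is an assumption, and the three inputs are constructed.

```python
from copy import deepcopy
from typing import Any, Dict

# Illustrative helper written for this guide; not the NINA integration's own
# merge code. Assumes each source is a JSON object and that nested objects
# ("filters", "pagination") merge key by key rather than being replaced whole.


def deep_merge(base: Dict[str, Any], override: Dict[str, Any]) -> Dict[str, Any]:
    """Return a new dict in which keys from `override` win; nested dicts are merged recursively."""
    merged = deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = deepcopy(value)
    return merged


def merge_parameters(node_params, extracted_params, full_input) -> Dict[str, Any]:
    """Apply sources from lowest to highest precedence so later ones overwrite earlier ones."""
    merged: Dict[str, Any] = {}
    for source in (full_input, extracted_params, node_params):
        merged = deep_merge(merged, source or {})
    return merged


# Constructed inputs: an upstream node's output, the parameters extracted from
# it, and the static parameters configured on the Threat Actors node itself.
FULL_INPUT = {
    "alert_id": "constructed-0001",
    "filters": {"ioc": ["203.0.113.42"], "name": "apt"},
    "pagination": {"page": 3, "limit": 100},
}
EXTRACTED_PARAMS = {"filters": {"name": "APT29"}}
NODE_PARAMS = {
    "integration_service": "threat-actors-api",
    "resource": "threat-actors",
    "operation": "getAll",
    "pagination": {"limit": 25},
}


def example_merge() -> Dict[str, Any]:
    """Merge the constructed sources; node limit and extracted name override the input's values."""
    return merge_parameters(NODE_PARAMS, EXTRACTED_PARAMS, FULL_INPUT)


if __name__ == "__main__":
    import json
    print(json.dumps(example_merge(), indent=2))
```

Because the full input sits at the lowest precedence, any key it carries (here alert_id) passes through to the request unless a higher-precedence source overrides it; keep node parameters explicit for anything that must not be driven by upstream data.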

Examples

Basic Listing (Pagination)

{
  "integration_service": "threat-actors-api",
  "resource": "threat-actors",
  "operation": "getAll",
  "pagination": { "page": 1, "limit": 10 }
}

Filter by Name or Alias

{
  "integration_service": "threat-actors-api",
  "resource": "threat-actors",
  "operation": "getAll",
  "filters": {
    "name": "APT29"
  },
  "pagination": { "page": 1, "limit": 25 }
}

(Uses a combined name/alias match.)

Filter by IOCs (IP, Domain, Hash)

{
  "integration_service": "threat-actors-api",
  "resource": "threat-actors",
  "operation": "getAll",
  "filters": {
    "ioc": [
      "203.0.113.42",
      "malicious-c2.example.com",
      "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    ]
  },
  "pagination": { "page": 1, "limit": 50 }
}

Filter by MITRE ATT&CK Tactics

{
  "integration_service": "threat-actors-api",
  "resource": "threat-actors",
  "operation": "getAll",
  "filters": {
    "tactics": [
      "initial-access",
      "execution",
      "defense-evasion"
    ]
  }
}

Filter by MITRE ATT&CK Techniques

{
  "integration_service": "threat-actors-api",
  "resource": "threat-actors",
  "operation": "getAll",
  "filters": {
    "techniques": ["T1566.001", "T1059.003", "T1055"]
  }
}

Filter by Tools and Malware

{
  "integration_service": "threat-actors-api",
  "resource": "threat-actors",
  "operation": "getAll",
  "filters": {
    "tools": ["Cobalt Strike", "PowerShell", "PsExec"],
    "malware": ["AkiraBot", "LaZagne"]
  }
}

Filter by CVEs and Targeted CPEs/Technologies

{
  "integration_service": "threat-actors-api",
  "resource": "threat-actors",
  "operation": "getAll",
  "filters": {
    "cves": ["CVE-2024-40711", "CVE-2020-3259"],
    "cpes": ["fortinet", "cisco", "vmware"]
  }
}

Filter by Actor Types, Sectors, Geographies

{
  "integration_service": "threat-actors-api",
  "resource": "threat-actors",
  "operation": "getAll",
  "filters": {
    "threatActorTypes": ["Nation-State", "criminal"],
    "sectors": ["Healthcare", "Finance"],
    "geographies": ["United States", "Europe"]
  },
  "pagination": { "page": 2, "limit": 25 }
}

Combined Filters Example

{
  "integration_service": "threat-actors-api",
  "resource": "threat-actors",
  "operation": "getAll",
  "filters": {
    "name": "APT",
    "tactics": ["initial-access", "command-and-control"],
    "techniques": ["T1059.003"],
    "tools": ["Cobalt Strike"],
    "cves": ["CVE-2021-26855"],
    "sectors": ["Technology", "Government"],
    "geographies": ["Asia"]
  },
  "pagination": { "page": 1, "limit": 50 }
}

Best Practices

  • Use specific filters to reduce result volume and improve performance.
  • Paginate large queries using pagination.page (1-based) and pagination.limit.
  • Normalize IOC formats (IPs, domains, hashes) before queries.
  • Start broad (e.g., name contains "APT") and refine with tactics/techniques.
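The IOC filter example in the Examples section and the advice above to normalize IOC formats before querying come down to the same step, so here is one added example for both (written for this guide; not code from NINA or the Threat Actors API). It refangs, validates and canonicalizes a mixed list of indicators, drops duplicates, rejects anything that is not a valid IP, domain or hash, and builds the getAll request body with checked pagination values. The canonical forms chosen (lower-case domains without a trailing dot, lower-case hex hashes of MD5/SHA-1/SHA-256 length, IPs as printed by Python's ipaddress module) and the refang rules are assumptions, since the API's own matching rules are not documented here; the sample indicator list is constructed.

```python
import ipaddress
import re
from typing import Any, Dict, List, Optional, Tuple

# Example helper written for this guide; not part of NINA or the Threat Actors
# API. Canonical forms and refang rules below are assumptions, since the API's
# own IOC matching rules are not documented in the guide.

_HEX = re.compile(r"^[0-9a-fA-F]+$")
_DIGEST_KIND = {32: "md5", 40: "sha1", 64: "sha256"}
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # one DNS label, no leading/trailing hyphen


def refang(value: str) -> str:
    """Undo common report defanging: hxxp(s):// prefixes and [.] / (.) / {.} dots."""
    v = value.strip()
    v = re.sub(r"^(hxxps?|https?)://", "", v, flags=re.IGNORECASE)
    return re.sub(r"[\[\(\{]\.[\]\)\}]", ".", v)


def classify_ioc(value: str) -> Optional[Tuple[str, str]]:
    """Return (kind, canonical_value), or None if the value is not a valid IP, hash or domain."""
    v = refang(value)
    try:  # IPv4/IPv6: ipaddress rejects out-of-range octets and prints a canonical form
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if _HEX.match(v) and len(v) in _DIGEST_KIND:  # hex digest of a recognised length
        return _DIGEST_KIND[len(v)], v.lower()
    d = v.lower().rstrip(".")  # domain: lower-case, drop trailing dot
    labels = d.split(".")
    # at least two labels, all well-formed, and a TLD is never purely numeric
    # (this also stops a malformed IP such as 10.0.0.256 from passing as a domain)
    if len(labels) >= 2 and not labels[-1].isdigit() and all(_LABEL.match(l) for l in labels):
        return "domain", d
    return None


def build_getall_request(iocs: List[str], page: int = 1, limit: int = 50) -> Tuple[Dict[str, Any], List[str]]:
    """Build the getAll request body for an IOC filter; returns (body, rejected_inputs)."""
    if page < 1 or limit < 1:  # the API's page is 1-based
        raise ValueError("pagination.page and pagination.limit must both be >= 1")
    normalized: List[str] = []
    rejected: List[str] = []
    for raw in iocs:
        parsed = classify_ioc(raw)
        if parsed is None:
            rejected.append(raw)
        elif parsed[1] not in normalized:  # drop duplicates after canonicalization
            normalized.append(parsed[1])
    body = {
        "integration_service": "threat-actors-api",
        "resource": "threat-actors",
        "operation": "getAll",
        "filters": {"ioc": normalized},
        "pagination": {"page": page, "limit": limit},
    }
    return body, rejected


# Constructed sample input covering mixed case, trailing dots, defanging,
# duplicates and two values that are not valid indicators.
SAMPLE_IOCS = [
    "203.0.113.42",
    "Malicious-C2.example.com.",
    "malicious-c2[.]example[.]com",
    "hxxp://203.0.113.42",
    "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "not an indicator",
    "deadbeef",
]


def example_request() -> Tuple[Dict[str, Any], List[str]]:
    """Normalize the constructed sample and build the request; two inputs are rejected."""
    return build_getall_request(SAMPLE_IOCS, page=1, limit=50)


if __name__ == "__main__":
    import json
    body, rejected = example_request()
    print(json.dumps(body, indent=2))
    print("rejected:", rejected)
```

Rejected inputs are returned rather than silently dropped so a workflow can log them; a query built from an empty normalized list would match on no IOC at all, so check the list before sending.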

Troubleshooting

Issue                  Resolution
Connection timeout     Verify the domain URL and internal network access
Service unavailable    Check that the internal Threat Actors API is running and reachable
Invalid domain URL     Include the protocol (http://) and confirm endpoint correctness
No results returned    Adjust filters (e.g., broaden name, remove conflicting filters)
Invalid IOC format     Ensure IOCs are valid IPs/domains/hashes before querying
Pagination errors      Use page >= 1 and reasonable limit values