ThreatConnect (Deprecated)

Deprecated

Use the ThreatConnect integration to identify, manage, and block threats.

This integration was integrated and tested with ThreatConnect Python SDK v2.

Configure ThreatConnect on Demisto

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for ThreatConnect1.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Access ID
    • Secret Key
    • baseUrl
    • Default Organization
    • ProxyIP (or http://${ip} )
    • ProxyPort
    • Rating threshold for Malicious Indicators
    • Confidence threshold for Malicious Indicators
    • Indicator Reputation Freshness (in days)
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Search for an IP indicator: ip
  2. Search for a URL indicator: url
  3. Search for a file indicator: file
  4. Retrieve possible owners from an account: tc-owners
  5. Retrieve all indicators: tc-indicators
  6. Get all tags: tc-get-tags
  7. Tag an existing indicator: tc-tag-indicator
  8. Get an indicator: tc-get-indicator
  9. Get all indicators with a specific tag: tc-get-indicators-by-tag
  10. Add a new indicator: tc-add-indicator
  11. Create a new incident: tc-create-incident
  12. Fetch incidents: tc-fetch-incidents
  13. Associate an indicator to an incident: tc-incident-associate-indicator
  14. Check domain reputation: domain
  15. Get incidents related to an indicator: tc-get-incident-associate-indicators
  16. Update an indicator: tc-update-indicator
  17. Remove a tag from an indicator: tc-delete-indicator-tag
  18. Delete an indicator: tc-delete-indicator
  19. Create a group from a campaign: tc-create-campaign
  20. Create a group from an event: tc-create-event
  21. Create a group from threats: tc-create-threat
  22. Delete a group: tc-delete-group
  23. Add an attribute to an event: tc-add-group-attribute
  24. Get a list of events: tc-get-events
  25. Get all groups: tc-get-groups
  26. Add a security label to a group: tc-add-group-security-label
  27. Add tags to a group: tc-add-group-tag
  28. Get all indicator types: tc-get-indicator-types
  29. Associate an indicator to a group: tc-group-associate-indicator
  30. Create a document group: tc-create-document-group
  31. Retrieve a single group: tc-get-group
  32. Retrieves the attribute of a group: tc-get-group-attributes
  33. Retrieves the security labels of a group: tc-get-group-security-labels
  34. Retrieves the tags of a group: tc-get-group-tags
  35. Downloads the contents of a document: tc-download-document
  36. Returns indicators associated with a group: tc-get-group-indicators
  37. Returns indicators associated with a specified group: tc-get-associated-groups
  38. Associates one group with another group: tc-associate-group-to-group

1. Search for an IP address indicator


Searches for an indicator of type IP address.

Base Command

ip

Input
Argument Name Description Required
ip The IPv4 or IPv6 address. Required
owners A CSV list of a client's organizations, sources, or communities to which a user has permissions. For example, users with admin permissions can search for indicators belonging to all owners. Optional
ratingThreshold A list of results filtered by indicators whose threat rating is greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - Moderate, "4" - High, or "5" - "Critical". Optional
confidenceThreshold A list of results filtered by indicators whose confidence rating is greater than the specified value. Can be "0%" - "Unknown," "1% " - "Discredited", "2-29%" - "Improbable," "30-49%" - "Doubtful," "50-69%" - "Possible", "70-89%" - "Probable," or "90-100%" - "Confirmed". Optional

Context Output
Path Type Description
TC.Indicator.Name string The name of the indicator.
TC.Indicator.Type string The type of the indicator.
TC.Indicator.ID string The ID of the indicator.
TC.Indicator.Description string The description of the indicator.
TC.Indicator.Owner string The owner of the indicator.
TC.Indicator.CreateDate date The date on which the indicator was created.
TC.Indicator.LastModified date The date on which the indicator was modified.
TC.Indicator.Rating number The threat rating of the indicator.
TC.Indicator.Confidence number The confidence rating of the indicator.
DBotScore.Indicator string The value assigned by DBot for the indicator.
DBotScore.Type string The type assigned by DBot for the indicator.
DBotScore.Score number The score assigned by DBot for the indicator.
DBotScore.Vendor string The vendor used to calculate the score.
IP.Address string The IP address of the indicator.
IP.Malicious.Vendor string For malicious IP addresses, the vendor that made the decision.
IP.Malicious.Description string For malicious IP addresses, the full description.

Command Example
!ip ip=7.77.7.7
Context Example

50242697-cfc09b80-03d3-11e9-9615-35fc485fa84c_1_Search_for_an_IP_indicator.png

Human Readable Output

50281763-2e7c2880-0459-11e9-88ea-ed6532e56bad_1_Human_Readable_Output.png

2. Search for an indicator of type URL


Searches for an indicator of type URL.

Base Command

url

Input
Argument Name Description Required
url The URL for which to search. For example, "www.demisto.com". Required
owners A CSV list of a client's organizations, sources, or communities to which a client’s API user has been granted permission. For example, "owner1", "owner2", or "owner3". Optional
ratingThreshold A list of results filtered by indicators whose threat rating is greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - Moderate, "4" - High, or "5" - "Critical". Optional
confidenceThreshold A list of results filtered by indicators whose confidence rating is greater than the specified value. Can be "0%" - "Unknown," "1% " - "Discredited", "2-29%" - "Improbable," "30-49%" - "Doubtful," "50-69%" - "Possible", "70-89%" - "Probable," or "90-100%" - "Confirmed". Optional

Context Output
Path Type Description
TC.Indicator.Name string The name of the indicator.
TC.Indicator.Type string The type of the indicator.
TC.Indicator.ID string The ID of the indicator.
TC.Indicator.Description string The description of the indicator.
TC.Indicator.Owner string The owner of the indicator.
TC.Indicator.CreateDate date The date on which the indicator was created.
TC.Indicator.LastModified date The date on which the indicator was last modified.
TC.Indicator.Rating number The threat rating of the indicator.
TC.Indicator.Confidence number The confidence rating of the indicator.
DBotScore.Indicator string The value assigned by DBot for the indicator.
DBotScore.Type string The type assigned by DBot for the indicator.
DBotScore.Score number The score assigned by DBot for the indicator.
DBotScore.Vendor string The vendor used to calculate the score.
URL.Data string The data of the URL indicator.
URL.Malicious.Vendor string For malicious URLs, the vendor that made the decision.
URL.Malicious.Description string For malicious URLs, the full description.

Command Example
!url url=https://a.co.il
Context Example

50274409-df78c800-0445-11e9-9a30-6f3335a6a60a_2_Search_for_a_URL_indicator_Context_Example.png

Human Readable Output

3. Search for an indicator of type file


Searches for an indicator of type file.

Base Command

file

Input
Argument Name Description Required
file The hash of the file. Can be "MD5", "SHA-1", or "SHA-256". Required
owners A CSV list of a client's organizations, sources, or communities to which a user has permissions. For example, users with admin permissions can search for indicators belonging to all owners. Optional
ratingThreshold A list of results filtered by indicators whose threat rating is greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - Moderate, "4" - High, or "5" - "Critical". Optional
confidenceThreshold A list of results filtered by indicators whose confidence rating is greater than the specified value. Can be "0%" - "Unknown," "1% " - "Discredited", "2-29%" - "Improbable," "30-49%" - "Doubtful," "50-69%" - "Possible", "70-89%" - "Probable," or "90-100%" - "Confirmed". Optional

Context Output
Path Type Description
TC.Indicator.Name string The name of the indicator.
TC.Indicator.Type string The type of the indicator.
TC.Indicator.ID string The ID of the indicator.
TC.Indicator.Description string The description of the indicator.
TC.Indicator.Owner string The owner of the indicator.
TC.Indicator.CreateDate date The date on which the indicator was created.
TC.Indicator.LastModified date The last date on which the indicator was modified.
TC.Indicator.Rating number The threat rating of the indicator.
TC.Indicator.Confidence number The confidence rating of the indicator.
TC.Indicator.File.MD5 string The MD5 hash of the indicator.
TC.Indicator.File.SHA1 string The SHA1 hash of the indicator.
TC.Indicator.File.SHA256 string The SHA256 hash of the indicator.
DBotScore.Indicator string The value assigned by DBot for the indicator.
DBotScore.Type string The type assigned by DBot for the indicator.
DBotScore.Score number The score assigned by DBot for the indicator.
DBotScore.Vendor string The vendor used to calculate the score.
File.MD5 string The MD5 hash of the indicator.
File.SHA1 string The SHA1 hash of the indicator.
File.SHA256 string The SHA256 hash of the indicator.
File.Malicious.Vendor string For malicious files, the vendor that made the decision.
File.Malicious.Description string For malicious files, the full description.

Command Example

50275319-bd804500-0447-11e9-927f-3e272f74bb60.png

Human Readable Output

50281206-64201200-0457-11e9-8b72-4db2d9aadb0a.png

4. Retrieves all owners for the current account


Retrieves all owners for the current account.

Base Command

tc-owners

Context Output
Path Type Description
TC.Owner.Name string The name of the owner.
TC.Owner.ID string The ID of the owner.
TC.Owner.Type string The type of the owner.

5. Retrieve a list of all indicators


Retrieves a list of all indicators.

Base Command

tc-indicators

Input
Argument Name Description Required
owner A list of results filtered by the owner of the indicator. Optional
limit The maximum number of results that can be returned. The default is 500. Optional

Context Output
Path Type Description
TC.Indicator.Name string The name of the indicator.
TC.Indicator.Type string The type of the indicator.
TC.Indicator.ID string The ID of the indicator.
TC.Indicator.Description string The description of the indicator.
TC.Indicator.Owner string The owner of the indicator.
TC.Indicator.CreateDate date The date on which the indicator was created.
TC.Indicator.LastModified date The last date on which the indicator was modified.
TC.Indicator.Rating number The threat rating of the indicator.
TC.Indicator.Confidence number The confidence rating of the indicator.
TC.Indicator.WhoisActive string The active indicator (for domains only).
TC.Indicator.File.MD5 string The MD5 hash of the indicator of the file.
TC.Indicator.File.SHA1 string The SHA1 hash of the indicator of the file.
TC.Indicator.File.SHA256 string The SHA256 hash of the indicator of the file.
DBotScore.Indicator string The value assigned by DBot for the indicator.
DBotScore.Type string The type assigned by DBot for the indicator.
DBotScore.Score number The score assigned by DBot for the indicator.
DBotScore.Vendor string The vendor used to calculate the score.
IP.Address string The IP address of the indicator.
IP.Malicious.Vendor string For malicious IP addresses, the vendor that made the decision.
IP.Malicious.Description string For malicious IP addresses, the full description.
URL.Data string The data of the URL of the indicator.
URL.Malicious.Vendor string For malicious URLs, the vendor that made the decision.
URL.Malicious.Description string For malicious URLs, the full description.
Domain.Name string The name of the domain.
Domain.Malicious.Vendor string For malicious domains, the vendor that made the decision.
Domain.Malicious.Description string For malicious domains, the full description.
File.MD5 string The MD5 hash of the file.
File.SHA1 string The SHA1 hash of the file.
File.SHA256 string The SHA256 hash of the file.
File.Malicious.Vendor string For malicious files, the vendor that made the decision.
File.Malicious.Description string For malicious files, the full description.

Command Example
!tc-indicators limit=5
Context Example

50281877-96327380-0459-11e9-8c94-a1136e0949a7.png

Human Readable Output

50281832-6edba680-0459-11e9-8ac2-e0f00b97db98.png

6. Return a list of all ThreatConnect tags


Returns a list of all ThreatConnect tags.

Base Command

tc-get-tags

Input
Argument Name Description Required
tag The name of the tag Required
indicator
The indicator to tag. For example, for an IP indicator, "8.8.8.8".
Required
owner
A list of indicators filtered by the owner.
Required

Context Output
Path Type Description
TC.Tags Unknown A list of tags.

Command Example
!tc-get-tags
Human Readable Output

50281926-c37f2180-0459-11e9-83bb-8d6abeb79d48.png

7. Add a tag to an existing indicator


Adds a tag to an existing indicator.

Base Command

tc-tag-indicator

Input
Argument Name Description Required
tag The name of the tag. Required
indicator The indicator to tag. For example, for an IP indicator, "8.8.8.8". Required
owner A list of indicators filtered by the owner. Optional

Command Example
!tc-tag-indicator indicator=7.77.7.7 tag=NewTagName
Human Readable Output

50282035-18bb3300-045a-11e9-9a51-1bc93a3b7df0_7_Tag_an_existing_indicator_Human_Readable_Output.png

8. Retrieves information about an indicator


Retrieves information about an indicator.

Base Command

tc-get-indicator

Input
Argument Name Description Required
indicator The name of the indicator by which to search. The command retrieves information from all owners. Can be an IP address, a URL, or a file hash. Required
ratingThreshold A list of results filtered by indicators whose threat rating is greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - Moderate, "4" - High, or "5" - "Critical". Optional
confidenceThreshold A list of results filtered by indicators whose confidence rating is greater than the specified value. Can be "0%" - "Unknown," "1% " - "Discredited", "2-29%" - "Improbable," "30-49%" - "Doubtful," "50-69%" - "Possible", "70-89%" - "Probable," or "90-100%" - "Confirmed". Optional

Context Output
Path Type Description
TC.Indicator.Name string The name of the indicator.
TC.Indicator.Type string The type of the indicator.
TC.Indicator.ID string The ID of the indicator.
TC.Indicator.Description string The description of the indicator.
TC.Indicator.Owner string The owner of the indicator.
TC.Indicator.CreateDate date The date on which the indicator was created.
TC.Indicator.LastModified date The last date on which the indicator was modified.
TC.Indicator.Rating number The threat rating of the indicator.
TC.Indicator.Confidence number The confidence rating of the indicator.
TC.Indicator.WhoisActive string The active indicator (for domains only).
TC.Indicator.File.MD5 string The MD5 hash of the indicator of the file.
TC.Indicator.File.SHA1 string The SHA1 hash of the indicator of the file.
TC.Indicator.File.SHA256 string The SHA256 hash of the indicator of the file.
DBotScore.Indicator string The value assigned by DBot for the indicator.
DBotScore.Type string The type assigned by DBot for the indicator.
DBotScore.Score number The score assigned by DBot for the indicator.
DBotScore.Vendor string The vendor used to calculate the score.
IP.Address string The IP address of the indicator.
IP.Malicious.Vendor string For malicious IP addresses, the vendor that made the decision.
IP.Malicious.Description string For malicious IP addresses, the full description.
URL.Data string The data of the indicator of the URL.
URL.Malicious.Vendor string For malicious URLs, the vendor that made the decision.
URL.Malicious.Description string For malicious URLs, the full description.
Domain.Name string The domain name of the indicator.
Domain.Malicious.Vendor string For malicious domains, the vendor that made the decision.
Domain.Malicious.Description string For malicious domains, the full description.
File.MD5 string The MD5 hash of the file.
File.SHA1 string The SHA1 hash of the file.
File.SHA256 string The SHA256 hash of the file.
File.Malicious.Vendor string For malicious files, the vendor that made the decision.
File.Malicious.Description string For malicious files, the full description.

Command Example
!tc-get-indicator indicator=7.77.7.7
Human Readable Output

50282140-78b1d980-045a-11e9-995b-a9fc2595b663_8_Get_an_indicator_Human_Readable_Output.png

9. Fetch all indicators that have a tag


Fetches all indicators that have a tag.

Base Command

tc-get-indicators-by-tag

Input
Argument Name Description Required
tag The name of the tag by which to filter. Required
owner A list of indicators filtered by the owner. Optional

Context Output
Path Type Description
TC.Indicator.Name string The name of the tagged indicator.
TC.Indicator.Type string The type of the tagged indicator.
TC.Indicator.ID string The ID of the tagged indicator.
TC.Indicator.Description string The description of the tagged indicator.
TC.Indicator.Owner string The owner of the tagged indicator.
TC.Indicator.CreateDate date The date on which the tagged indicator was created.
TC.Indicator.LastModified date The last date on which the tagged indicator was modified.
TC.Indicator.Rating number The threat rating of the tagged indicator.
TC.Indicator.Confidence number The confidence rating of the tagged indicator.
TC.Indicator.WhoisActive string The active indicator (for domains only).
TC.Indicator.File.MD5 string The MD5 hash of the indicator of the file.
TC.Indicator.File.SHA1 string The SHA1 hash of the indicator of the file.
TC.Indicator.File.SHA256 string The SHA256 hash of the indicator of the file.
DBotScore.Indicator string The value assigned by DBot for the tagged indicator.
DBotScore.Type string The type assigned by DBot for the tagged indicator.
DBotScore.Score number The score assigned by DBot for the tagged indicator.
DBotScore.Vendor string The vendor used to calculate the score.
IP.Address string The IP address of the tagged indicator.
IP.Malicious.Vendor string For malicious IP addresses, the vendor that made the decision.
IP.Malicious.Description string For malicious IP addresses, the full description.
URL.Data string The data of the URL of the tagged indicator.
URL.Malicious.Vendor string For malicious URLs, the vendor that made the decision.
URL.Malicious.Description string For malicious URLs, the full description.
Domain.Name string The domain name of the tagged indicator.
Domain.Malicious.Vendor string For malicious domains, the vendor that made the decision.
Domain.Malicious.Description string For malicious domains, the full description.
File.MD5 string The MD5 hash of the file.
File.SHA1 string The SHA1 hash of the file.
File.SHA256 string The SHA256 hash of the file.
File.Malicious.Vendor string For malicious files, the vendor that made the decision.
File.Malicious.Description string For malicious files, the full description.

Command Example
!tc-get-indicators-by-tag tag=NewTagName
Human Readable Output

50281832-6edba680-0459-11e9-8ac2-e0f00b97db98_9_Get_all_indicators_with_a_specific_tag_Human_Readable.png

10. Add a new indicator to ThreatConnect


Adds a new indicator to ThreatConnect.

Base Command

tc-add-indicator

Input
Argument Name Description Required
indicator The indicator to add. Required
rating The threat rating of the indicator. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - Moderate, "4" - High, or "5" - "Critical". Optional
confidence The confidence rating of the indicator. Can be "0%" - "Unknown," "1% " - "Discredited", "2-29%" - "Improbable," "30-49%" - "Doubtful," "50-69%" - "Possible", "70-89%" - "Probable," or "90-100%" - "Confirmed". Optional
owner The owner of the new indicator. The default is the "defaultOrg" parameter. Optional

Context Output
Path Type Description
TC.Indicator.Name string The name the indicator.
TC.Indicator.Type string The type of indicator.
TC.Indicator.ID string The ID of the indicator.
TC.Indicator.Description string The description of the indicator.
TC.Indicator.Owner string The owner of the indicator.
TC.Indicator.CreateDate date The date on which the added indicator was created.
TC.Indicator.LastModified date The last date on which the added indicator was modified.
TC.Indicator.Rating number The threat rating of the indicator.
TC.Indicator.Confidence number The confidence rating of the indicator.
TC.Indicator.WhoisActive string The active indicator (for domains only).
TC.Indicator.File.MD5 string The MD5 hash of the indicator of the file.
TC.Indicator.File.SHA1 string The SHA1 hash of the indicator of the file.
TC.Indicator.File.SHA256 string The SHA256 hash of the indicator of the file.
IP.Address string The IP address of the indicator.
IP.Malicious.Vendor string For malicious IP addresses, the vendor that made the decision.
IP.Malicious.Description string For malicious IP addresses, the full description.
URL.Data string The data of the URL of the indicator.
URL.Malicious.Vendor string For malicious URLs, the vendor that made the decision.
URL.Malicious.Description string For malicious URLs, the full description.
Domain.Name string The name of the added indicator of the domain.
Domain.Malicious.Vendor string For malicious domains, the vendor that made the decision.
Domain.Malicious.Description string For malicious domains, the full description.
File.MD5 string The MD5 hash of the file.
File.SHA1 string The SHA1 hash of the file.
File.SHA256 string The SHA256 hash of the file.
File.Malicious.Vendor string For malicious files, the vendor that made the decision.
File.Malicious.Description string For malicious files, the full description.

Command Example
!tc-add-indicator indicator="9.9.4.4" rating="2" confidence="87"
Human Readable Output

50282140-78b1d980-045a-11e9-995b-a9fc2595b663.png

11. Create a new incident group


Creates a new incident group.

Base Command

tc-create-incident

Input
Argument Name Description Required
owner The owner of the new incident. The default is the "defaultOrg" parameter. Optional
incidentName The name of the incident group. Required
eventDate The creation time of an incident in the "2017-03-21T00:00:00Z" format. Optional
tag The tag applied to the incident. Optional
securityLabel The security label applied to the incident. Can be "TLP:RED", "TLP:GREEN", "TLP:AMBER", or "TLP:WHITE". Optional
description The description of the incident. Optional

Context Output
Path Type Description
TC.Incident.Name string The name of the new incident group.
TC.Incident.Owner string The owner of the new incident.
TC.Incident.EventDate date The date on which the event that indicates an incident occurred.
TC.Incident.Tag string The name of the tag of the new incident.
TC.Incident.SecurityLabel string The security label of the new incident.
TC.Incident.ID Unknown The ID of the new incident.

Command Example
!tc-create-incident incidentName="NewIncident" description="NewIncident" severity="Critical" category="Intrusion" company=Demisto tag=demisto

12. Fetch incidents from ThreatConnect


Fetches incidents from ThreatConnect.

Base Command

tc-fetch-incidents

Input
Argument Name Description Required
incidentId The fetched incidents filtered by ID. Optional
owner The fetched incidents filtered by owner. Optional
incidentName The fetched incidents filtered by incident name. Optional

Context Output
Path Type Description
TC.Incident string The name of the group of fetched incidents.
TC.Incident.ID string The ID of the fetched incidents.
TC.Incident.Owner string The owner of the fetched incidents.

Command Example
!tc-fetch-incidents incidentId=64862

13. Associate an indicator with an existing incident


Associates an indicator with an existing incident. The indicator must exist before running this command. To add an indicator, run the tc-add-indicator command.

Base Command

tc-incident-associate-indicator

Input
Argument Name Description Required
indicatorType The type of the indicator. Can be "ADDRESSES", "EMAIL_ADDRESSES", "URLS", "HOSTS", "FILES", or "CUSTOM_INDICATORS". Required
incidentId The ID of the incident to which the indicator is associated. Required
indicator The name of the indicator. Required
owner A list of indicators filtered by the owner. Optional

Context Output
Path Type Description
TC.Indicator.Name string The name of the indicator.
TC.Indicator.Type string The type of the indicator.
TC.Indicator.ID string The ID of the indicator.
TC.Indicator.Description string The description of the indicator.
TC.Indicator.Owner string The owner of the indicator.
TC.Indicator.CreateDate date The date on which the indicator associated was created.
TC.Indicator.LastModified date The last date on which the indicator associated was modified.
TC.Indicator.Rating number The threat rating of the indicator.
TC.Indicator.Confidence number The confidence rating of the indicator.
TC.Indicator.WhoisActive string The active indicator (for domains only).
TC.Indicator.File.MD5 string The MD5 hash of the indicator of the file.
TC.Indicator.File.SHA1 string The SHA1 hash of the indicator of the file.
TC.Indicator.File.SHA256 string The SHA256 hash of the indicator of the file.
IP.Address string IP address of the associated indicator of the file.
IP.Malicious.Vendor string For malicious IP addresses, the vendor that made the decision.
IP.Malicious.Description string For malicious IP addresses, the full description.
URL.Data string The data of the URL of the associated indicator of the file.
URL.Malicious.Vendor string For malicious URLs, the vendor that made the decision.
URL.Malicious.Description string For malicious URLs, the full description.
Domain.Name string The name of the indicator of the domain.
Domain.Malicious.Vendor string For malicious domains, the vendor that made the decision.
Domain.Malicious.Description string For malicious domains, the full description.
File.MD5 string The MD5 hash of the file.
File.SHA1 string The SHA1 hash of the file.
File.SHA256 string The SHA256 hash of the file.
File.Malicious.Vendor string For malicious files, the vendor that made the decision.
File.Malicious.Description string For malicious files, the full description.

Command Example
!tc-incident-associate-indicator indicator=46.148.22.18 incidentId=64862 indicatorType=ADDRESSES
Human Readable Output

14. Search for an indicator of type domain


Searches for an indicator of type domain.

Base Command

domain

Input
Argument Name Description Required
domain The name of the domain. Required
owners A CSV list of a client's organizations, sources, or communities to which a user has permissions. For example, users with admin permissions can search for indicators belonging to all owners. Optional
ratingThreshold A list of results filtered by indicators whose threat rating is greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - Moderate, "4" - High, or "5" - "Critical". Optional
confidenceThreshold A list of results filtered by indicators whose confidence rating is greater than the specified value. Can be "0%" - "Unknown," "1% " - "Discredited", "2-29%" - "Improbable," "30-49%" - "Doubtful," "50-69%" - "Possible", "70-89%" - "Probable," or "90-100%" - "Confirmed". Optional

Context Output
Path Type Description
TC.Indicator.Name string The name of the of the indicator.
TC.Indicator.Type string The type of the domain.
TC.Indicator.ID string The ID of the domain.
TC.Indicator.Description string The description of the domain.
TC.Indicator.Owner string The owner of the domain.
TC.Indicator.CreateDate date The date on which the indicator of the domain was created.
TC.Indicator.LastModified date The last date on which the indicator of the domain was modified.
TC.Indicator.Rating number The threat rating of the domain.
TC.Indicator.Confidence number The confidence rating of the domain.
TC.Indicator.WhoisActive string The active indicator (for domains only).
DBotScore.Indicator string The value assigned by DBot for the indicator.
DBotScore.Type string The type assigned by DBot for the indicator.
DBotScore.Score number The score assigned by DBot for the indicator.
DBotScore.Vendor string The vendor used to calculate the score.
Domain.Name string The name of the domain.
Domain.Malicious.Vendor string For malicious domains, the vendor that made the decision.
Domain.Malicious.Description string For malicious domains, the full description.

Command Example
!domain domain=com-mapsfinder.info
Human Readable Output

45597328-339d8780-b9d3-11e8-8f72-94a09c8c75ee.png

15. Return indicators related to a specific incident


Returns indicators that are related to a specific incident.

Base Command

tc-get-incident-associate-indicators

ermission 2

Input
Argument Name Description Required
incidentId The ID of the incident. Required
owner A list of indicators filtered by the owner. Optional

Context Output
Path Type Description
TC.Indicator.Name string The name of the returned indicator.
TC.Indicator.Type string The type of the returned indicator.
TC.Indicator.ID string The ID of the returned indicator.
TC.Indicator.Description string The description of the returned indicator.
TC.Indicator.Owner string The owner of the returned indicator.
TC.Indicator.CreateDate date The date on which the returned indicator was created.
TC.Indicator.LastModified date The last date on which the returned indicator was modified.
TC.Indicator.Rating number The threat rating of the returned indicator.
TC.Indicator.Confidence number The confidence rating of the returned indicator.
TC.Indicator.WhoisActive string The active indicator (for domains only).
TC.Indicator.File.MD5 string The MD5 hash of the indicator of the file.
TC.Indicator.File.SHA1 string The SHA1 hash of the indicator of the file.
TC.Indicator.File.SHA256 string The SHA256 hash of the indicator of the file.
DBotScore.Indicator string The value assigned by DBot for the indicator.
DBotScore.Type string The type assigned by DBot for the indicator.
DBotScore.Score number The score assigned by DBot for the indicator.
DBotScore.Vendor string The vendor used to calculate the score.
IP.Address string The IP address of the returned indicator.
IP.Malicious.Vendor string For malicious IP addresses, the vendor that made the decision.
IP.Malicious.Description string For malicious IP addresses, the full description.
URL.Data string The data of the URL of the returned indicator.
URL.Malicious.Vendor string For malicious URLs, the vendor that made the decision.
URL.Malicious.Description string For malicious URLs, the full description.
Domain.Name string The name of the domain.
Domain.Malicious.Vendor string For malicious domains, the vendor that made the decision.
Domain.Malicious.Description string For malicious domains, the full description.
File.MD5 string The MD5 hash of the file.
File.SHA1 string The SHA1 hash of the file.
File.SHA256 string The SHA256 hash of the file.
File.Malicious.Vendor string For malicious files, the vendor that made the decision.
File.Malicious.Description string For malicious files, the full description.

Command Example
!tc-get-incident-associate-indicators incidentId=64862

16. Update the indicator in ThreatConnect


Updates the indicator in ThreatConnect.

Base Command

tc-update-indicator

Input
Argument Name Description Required
indicator The name of the updated indicator. Required
rating The threat rating of the updated indicator. Optional
confidence The confidence rating of the updated indicator. Optional
size The size of the file of the updated indicator. Optional
dnsActive The active DNS indicator (only for hosts). Optional
whoisActive The active indicator (only for hosts). Optional
updatedValues A CSV list of field:value pairs to update. For example, "rating=3", "confidence=42", and "description=helloWorld". Optional
falsePositive The updated indicator set as a false positive. Can be "True" or "False". Optional
observations The number observations on the updated indicator. Optional
securityLabel The security label applied to the incident. Can be "TLP:RED", "TLP:GREEN", "TLP:AMBER", or "TLP:WHITE". Optional
threatAssessConfidence Assesses the confidence rating of the indicator. Optional
threatAssessRating Assesses the threat rating of the indicator. Optional

Context Output
Path Type Description
TC.Indicator.Name string The name of the indicator.
TC.Indicator.Type string The type of the indicator.
TC.Indicator.ID string The ID of the indicator.
TC.Indicator.Description string The description of the indicator.
TC.Indicator.Owner string The owner of the indicator.
TC.Indicator.CreateDate date The date on which the indicator was created.
TC.Indicator.LastModified date The last date on which the indicator was modified.
TC.Indicator.Rating number The threat rating of the indicator.
TC.Indicator.Confidence number The confidence rating of the indicator.
TC.Indicator.WhoisActive string The active indicator (for domains only).
TC.Indicator.File.MD5 string The MD5 hash of the indicator of the file.
TC.Indicator.File.SHA1 string The SHA1 hash of the indicator of the file.
TC.Indicator.File.SHA256 string The SHA256 hash of the indicator of the file.
IP.Address string The IP address of the indicator.
IP.Malicious.Vendor string For malicious IP addresses, the vendor that made the decision.
IP.Malicious.Description string For malicious IP addresses, the full description.
URL.Data string The data of the URL of the indicator.
URL.Malicious.Vendor string For malicious URLs, the vendor that made the decision.
URL.Malicious.Description string For malicious URLs, the full description.
Domain.Name string The domain name of the indicator.
Domain.Malicious.Vendor string For malicious domains, the vendor that made the decision.
Domain.Malicious.Description string For malicious domains, the full description.
File.MD5 string The MD5 hash of the file.
File.SHA1 string The SHA1 hash of the file.
File.SHA256 string The SHA256 hash of the file.
File.Malicious.Vendor string For malicious files, the vendor that made the decision.
File.Malicious.Description string For malicious files, the full description.

17. Remove a tag from a specified indicator


Removes a tag from a specified indicator.

Base Command

tc-delete-indicator-tag

Input
Argument Name Description Required
indicator The name of the indicator from which to remove a tag. Required
tag The name of the tag to remove from the indicator. Required

Context Output
Path Type Description
TC.Indicator.Name string The name of the indicator.
TC.Indicator.Type string The type of the indicator.
TC.Indicator.ID string The ID of the indicator.
TC.Indicator.Description string The description of the indicator.
TC.Indicator.Owner string The owner of the indicator.
TC.Indicator.CreateDate date The date on which the indicator was created.
TC.Indicator.LastModified date The last date on which the indicator was modified.
TC.Indicator.Rating number The threat rating of the indicator.
TC.Indicator.Confidence number The confidence rating of the indicator.
TC.Indicator.WhoisActive string The active indicator (for domains only).
TC.Indicator.File.MD5 string The MD5 hash of the indicator of the file.
TC.Indicator.File.SHA1 string The SHA1 hash of the indicator of the file.
TC.Indicator.File.SHA256 string The SHA256 hash of the indicator of the file.
IP.Address string The IP address of the indicator.
IP.Malicious.Vendor string For malicious IP addresses, the vendor that made the decision.
IP.Malicious.Description string For malicious IP addresses, the full description.
URL.Data string The data of the URL of the indicator.
URL.Malicious.Vendor string For malicious URLs, the vendor that made the decision.
URL.Malicious.Description string For malicious URLs, the full description.
Domain.Name string The domain name of the indicator.
Domain.Malicious.Vendor string For malicious domains, the vendor that made the decision.
Domain.Malicious.Description string For malicious domains, the full description.
File.MD5 string The MD5 hash of the file.
File.SHA1 string The SHA1 hash of the file.
File.SHA256 string The SHA256 hash of the file.
File.Malicious.Vendor string For malicious files, the vendor that made the decision.
File.Malicious.Description string For malicious files, the full description.

18. Delete an indicator from ThreatConnect


Deletes an indicator from ThreatConnect.

Base Command

tc-delete-indicator

Input
Argument Name Description Required
indicator The name of the indicator to delete. Required

Command Example

19. Create a group based on the Campaign type


Creates a group based on the "Campaign" type.

Base Command

tc-create-campaign

Input
Argument Name Description Required
name The name of the campaign group. Required
firstSeen The earliest date on which the campaign was seen. Optional
owner The owner of the new incident. The default is the "defaultOrg" parameter. Optional
description The description of the campaign. Optional
tag The name of the tag to apply to the campaign. Optional
securityLabel The security label of the campaign. For example, "TLP:Green". Optional

Context Output
Path Type Description
TC.Campaign.Name string The name of the campaign.
TC.Campaign.Owner string The owner of the campaign.
TC.Campaign.FirstSeen date The earliest date on which the campaign was seen.
TC.Campaign.Tag string The tag of the campaign.
TC.Campaign.SecurityLevel string The security label of the campaign.
TC.Campaign.ID string The ID of the campaign.

20. Create a group based on the Event type


Creates a group based on the "Event" type.

Base Command

tc-create-event

Input
Argument Name Description Required
name The name of the event group. Required
eventDate The date on which the event occurred. If the date is not specified, the current date is used. Optional
status The status of the event. Can be "Needs Review", "False Positive", "No Further Action", or "Escalated". Optional
owner The owner of the event. Optional
description The description of the event. Optional
tag The tag of the event. Optional

Context Output
Path Type Description
TC.Event.Name string The name of the event.
TC.Event.Date date The date of the event.
TC.Event.Status string The status of the event.
TC.Event.Owner string The owner of the event.
TC.Event.Tag string The tag of the event.
TC.Event.ID string The ID of the event.

21. Create a group based on the Threats type


Creates a group based on the "Threats" type.

Base Command

tc-create-threat

Input
Argument Name Description Required
name The name of the threat group. Required

Context Output
Path Type Description
TC.Threat.Name string The name of the threat.
TC.Threat.ID string The ID of the threat.

22. Delete a group


Deletes a group.

Base Command

tc-delete-group

Input
Argument Name Description Required
groupID The ID of the group to delete. Required
type The type of the group to delete. Can be "Incidents", "Events", "Campaigns", or "Threats". Required

23. Add an attribute to a specified group


Adds an attribute to a specified group.

Base Command

tc-add-group-attribute

Input
Argument Name Description Required
group_id The ID of the group to which to add attributes. To get the ID of the group, run the tc-get-groups command. Required
attribute_type The type of attribute to add to the group. The type is located in the UI in a specific group or under Org Config. Required
attribute_value The value of the attribute. Required
group_type The type of the group. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". Required

Context Output
Path Type Description
TC.Group.DateAdded Date The date on which the attribute was added.
TC.Group.LastModified Date The date on which the added attribute was last modified.
TC.Group.Type String The type of the group to which the attribute was added.
TC.Group.Value String The value of the attribute added to the group.
TC.Group.ID Number The group ID to which the attribute was added.

Command Example
!tc-add-group-attribute attribute_type="EXTERNAL ID" attribute_value=123456789 group_id=4406377 group_type=events

24. Return a list of events


Returns a list of events.

Base Command

tc-get-events

Context Output
Path Type Description
TC.Event.DateAdded Date The date on which the event was added.
TC.Event.EventDate Date The date on which the event occurred.
TC.Event.ID Number The ID of the event.
TC.Event.OwnerName String The name of the owner of the event.
TC.Event.Status String The status of the event.

Command Example
!tc-get-events

25. Return all groups


Returns all groups, filtered by the group type.

Base Command

tc-get-groups

Input
Argument Name Description Required
group_type The type of the group. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". Required

Context Output
Path Type Description
TC.Group.DateAdded Date The date on which the group was added.
TC.Group.EventDate Date The date on which the event occurred.
TC.Group.Name String The name of the group.
TC.Group.OwnerName String The name of the owner of the group.
TC.Group.Status String The status of the group.
TC.Group.ID Number The ID of the group.

Command Example
!tc-get-groups group_type=events

26. Add a security label to a group


Adds a security label to a group.

Base Command

tc-add-group-security-label

Input
Argument Name Description Required
group_id The ID of the group to which to add the security label. To get the ID, run the tc-get-groups command. Required
group_type The type of the group to which to add the security label. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". Required
security_label_name The name of the security label to add to the group. For example, "TLP:GREEN". Required

Command Example
!tc-add-group-security-label group_id=4406377 group_type=events security_label_name=TLP:GREEN

27. Adds tags to a specified group


Adds tags to a specified group.

Base Command

tc-add-group-tag

Input
Argument Name Description Required
group_id The ID of the group to which to add the tag. To get the ID, run the tc-get-groups command. Required
group_type The type of the group to which to add the tag. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". Required
tag_name The name of the tag to add to the group. Required

Command Example
!tc-add-group-tag group_id=4378343 group_type=events tag_name=phishing

28. Returns all indicator types


Returns all indicator types available.

Base Command

tc-get-indicator-types

Input
Argument Name Description Required
group_id
The ID of the group to which to add the tag. To get the ID, run the tc-get-groups command.
Required
group_type
The type of the group to which to add the tag.
Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents",
"intrusionSets", "reports", "signatures", or "threats".
Required
tag_name The name of the indicator. For example, "indicator_type=emailAddresses" where "indicator=a@a.co.il". Required

Context Output
Path Type Description
TC.IndicatorType.ApiBranch String The branch of the API.
TC.IndicatorType.ApiEntity String The entity of the API.
TC.IndicatorType.CasePreference String The case preference of the indicator. For example, "sensitive", "upper", or "lower".
TC.IndicatorType.Custom Boolean Whether the indicator is a custom indicator.
TC.IndicatorType.Parsable Boolean Whether the indicator can be parsed.
TC.IndicatorType.Value1Type String The name of the indicator.
TC.IndicatorType.Value1Label String The value label of the indicator.

Command Example
!tc-get-indicator-types

29. Associates an indicator with a group


Associates an indicator with a group.

Base Command

tc-group-associate-indicator

Input
Argument Name Description Required
indicator_type The type of the indicator. To get the available types, run the tc-get-indicator-types command. The indicator must be spelled as displayed in the ApiBranch column of the UI. Required
indicator The name of the indicator. For example, "indicator_type=emailAddresses" where "indicator=a@a.co.il". Required
group_type The type of the group. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". Required
group_id The ID of the group. To get the ID of the group, run the tc-get-groups command. Required

Context Output
Path Type Description
TC.Group.GroupID Number The ID of the group.
TC.Group.GroupType String The type of the group.
TC.Group.Indicator String The name of the indicator.
TC.Group.IndicatorType String The type of the indicator.

Command Example
!tc-group-associate-indicator group_id=4406377 group_type=events indicator_type=emailAddresses indicator=a@a.co.il

30. Create a document group


Creates a document group.

Base Command

tc-create-document-group

Input
Argument Name Description Required
file_name The name of the file to display in the UI. Required
name The name of the file. Required
malware Whether the file is malware. If "true", ThreatConnect creates a password-protected ZIP file on your local machine that contains the sample and uploads the ZIP file. Optional
password The password of the ZIP file. Optional
security_label The security label of the group. Optional
description A description of the group. Optional
entry_id The file of the ID of the entry, as displayed in the War Room. Required

Context Output
Path Type Description
TC.Group.Name String The name of the group.
TC.Group.Owner String The owner of the group.
TC.Group.EventDate Date The date on which the group was created.
TC.Group.Description String The description of the group.
TC.Group.SecurityLabel String The security label of the group.
TC.Group.ID Number The ID of the group to which the attribute was added.

Command Example
!tc-create-document-group file_name="sample.pdf" name="sample.pdf" EntryID="13094@b2672a50-1db8-4424-8dcc-2136f4548ce4"

31. Retrieve a single group


Retrieves a single group.

Base Command

tc-get-group

Input
Argument Name Description Required
group_type The type of group for which to return the ID. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". Required
group_id The ID of the group to retrieve. To get the ID, run the tc-get-groups command. Required

Context Output
Path Type Description
TC.Group.DateAdded Date The date on which the group was added.
TC.Group.EventDate Date The date on which the event occurred.
TC.Group.Name String The name of the group.
TC.Group.Owner.ID Number The ID of the group owner.
TC.Group.Owner.Name String The name of the group owner.
TC.Group.Owner.Type String The type of the owner.
TC.Group.Status String The status of the group.

Command Example

!tc-get-group group_id=4579650 group_type=events

Context Example
{
    "TC.Group": {
        "DateAdded": "2019-09-18T10:08:37Z",
        "EventDate": "2019-09-18T10:08:37Z",
        "ID": 4579650,
        "Name": "MyTest",
        "Owner": {
            "ID": 737,
            "Name": "Demisto Inc.",
            "Type": "Organization"
        },
        "Status": "Needs Review"
    }
}
Human Readable Output

ThreatConnect Group information

DateAdded EventDate ID Name Owner Status
2019-09-18T10:08:37Z 2019-09-18T10:08:37Z 4579650 MyTest Type: Organization
Name: Demisto Inc.
ID: 737
Needs Review

32. Retrieve the attribute of a group


Retrieves the attribute of a group.

Base Command

tc-get-group-attributes

Input
Argument Name Description Required
group_type The type of group for which to return the attribute. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". Required
group_id The ID of the group for which to return the attribute. To get the ID, run the tc-get-groups command. Required

Context Output
Path Type Description
TC.Group.Attribute.DateAdded Date The date on which the group was added.
TC.Group.Attribute.Displayed Boolean Whether the attribute is displayed on the UI.
TC.Group.Attribute.AttributeID Number The ID of the attribute.
TC.Group.Attribute.LastModified Date The date on which the attribute was last modified.
TC.Group.Attribute.Type String The type of the attribute.
TC.Group.Attribute.Value String The value of the attribute.

Command Example

!tc-get-group-attributes group_id=4579650 group_type=events

Context Example
{
    "TC.Group.Attribute": [
        {
            "AttributeID": 20279371,
            "DateAdded": "2019-09-18T10:13:06Z",
            "Displayed": false,
            "GroupID": 4579650,
            "LastModified": "2019-09-18T10:13:06Z",
            "Type": "External ID",
            "Value": "123456789"
        },
        {
            "AttributeID": 20279370,
            "DateAdded": "2019-09-18T10:11:37Z",
            "Displayed": false,
            "GroupID": 4579650,
            "LastModified": "2019-09-18T10:11:37Z",
            "Type": "External ID",
            "Value": "123456789"
        },
        {
            "AttributeID": 20279368,
            "DateAdded": "2019-09-18T10:10:07Z",
            "Displayed": false,
            "GroupID": 4579650,
            "LastModified": "2019-09-18T10:10:07Z",
            "Type": "External ID",
            "Value": "123456789"
        },
        {
            "AttributeID": 20279366,
            "DateAdded": "2019-09-18T10:08:38Z",
            "Displayed": false,
            "GroupID": 4579650,
            "LastModified": "2019-09-18T10:08:38Z",
            "Type": "External ID",
            "Value": "123456789"
        }
    ]
}
Human Readable Output

ThreatConnect Group Attributes

AttributeID Type Value DateAdded LastModified Displayed
20279371 External ID 123456789 2019-09-18T10:13:06Z 2019-09-18T10:13:06Z false
20279370 External ID 123456789 2019-09-18T10:11:37Z 2019-09-18T10:11:37Z false
20279368 External ID 123456789 2019-09-18T10:10:07Z 2019-09-18T10:10:07Z false
20279366 External ID 123456789 2019-09-18T10:08:38Z 2019-09-18T10:08:38Z false

33. Retrieve the security labels of a group


Retrieves the security labels of a group.

Base Command

tc-get-group-security-labels

Input
Argument Name Description Required
group_type The type of group for which to return the security labels. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". Required
group_id The ID of the group for which to return the security labels. To get the ID, run the tc-get-groups command. Required

Context Output
Path Type Description
TC.Group.SecurityLabel.Name String The name of the security label.
TC.Group.SecurityLabel.Description String The description of the security label.
TC.Group.SecurityLabel.DateAdded Date The date on which the security label was added.

Command Example

!tc-get-group-security-labels group_id=4579650 group_type=events

Context Example
{
    "TC.Group.SecurityLabel": [
        {
            "DateAdded": "2016-08-31T00:00:00Z",
            "Description": "This security label is used for information that is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.",
            "GroupID": 4579650,
            "Name": "TLP:GREEN"
        }
    ]
}
Human Readable Output

ThreatConnect Group Security Labels

Name Description DateAdded
TLP:GREEN This security label is used for information that is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. 2016-08-31T00:00:00Z

34. Retrieves the tags of a group


Retrieves the tags of a group.

Base Command

tc-get-group-tags

Input
Argument Name Description Required
group_type The type of group for which to return the tags. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". Required
group_id The ID of the group for which to return the tags. To get the ID, run the tc-get-groups command. Required

Context Output
Path Type Description
TC.Group.Tag.Name String The name of the tag.

Command Example

!tc-get-group-tags group_id=4579650 group_type=events

Context Example
{
    "TC.Group.Tag": [
        {
            "GroupID": 4579650,
            "Name": "Testing"
        }
    ]
}
Human Readable Output

ThreatConnect Group Tags

Name
Testing

35. Downloads the contents of a document


Downloads the contents of a document.

Base Command

tc-download-document

Input
Argument Name Description Required
document_id The ID of the document. Required

Context Output
Path Type Description
File.Size Number The size of the file.
File.SHA1 String The SHA1 hash of the file.
File.SHA256 String The SHA256 hash of the file.
File.Name String The name of the file.
File.SSDeep String The ssdeep hash of the file (same as displayed in file entries).
File.EntryID String The entry ID of the file.
File.Info String The information of the file.
File.Type String The type of the file.
File.MD5 String The MD5 hash of the file.
File.Extension String The extension of the file.

Command Example

!tc-download-document document_id=1234567

36. Returns indicators associated with a group


Returns indicators associated with a group.

Base Command

tc-get-group-indicators

Input
Argument Name Description Required
group_type The type of the group for which to return the indicators. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". Required
group_id The ID of the group for which to return the indicators. To get the ID, run the tc-get-groups command. Required

Context Output
Path Type Description
TC.Group.Indicator.Summary String The summary of the indicator.
TC.Group.Indicator.ThreatAssessConfidence String The confidence rating of the indicator.
TC.Group.Indicator.IndicatorID Number The ID of the indicator.
TC.Group.Indicator.DateAdded Date The date on which the indicator was added.
TC.Group.Indicator.Type String The type of the indicator.
TC.Group.Indicator.Rating Number The threat rating of the indicator.
TC.Group.Indicator.ThreatAssertRating Number The rating of the threat assert.
TC.Group.Indicator.OwnerName String The name of the owner of the indicator.
TC.Group.Indicator.LastModified Date The date that the indicator was last modified.

Command Example

!tc-get-group-indicators group_id=4579650 group_type=events

Context Example
{
    "TC.Group.Indicator": [
        {
            "Confidence": null,
            "DateAdded": "2019-01-03T16:08:07Z",
            "GroupID": 4579650,
            "IndicatorID": 63441869,
            "LastModified": "2019-01-03T16:08:15Z",
            "OwnerName": "Demisto Inc.",
            "Rating": 2,
            "Summary": "a@a.co.il",
            "ThreatAssertRating": 2,
            "ThreatAssessConfidence": 0,
            "Type": "EmailAddress"
        }
    ]
}
Human Readable Output

ThreatConnect Group Indicators

DateAdded GroupID IndicatorID LastModified OwnerName Rating Summary ThreatAssertRating ThreatAssessConfidence Type
2019-01-03T16:08:07Z 4579650 63441869 2019-01-03T16:08:15Z Demisto Inc. 2.0 a@a.co.il 2.0 0.0 EmailAddress

37. Returns indicators associated with a specific group


Returns indicators associated with a specified group.

Base Command

tc-get-associated-groups

Input
Argument Name Description Required
group_type The type of group. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". Required
group_id The ID of the group. To get the ID, run the tc-get-groups command. Required

Context Output
Path Type Description
TC.Group.AssociatedGroup.DateAdded Date The date on which group was added.
TC.Group.AssociatedGroup.GroupID Number The ID of the group.
TC.Group.AssociatedGroup.Name String The name of the group.
TC.Group.AssociatedGroup.OwnerName String The name of the owner of the group.
TC.Group.AssociatedGroup.Type String The type of the group.

Command Example

!tc-get-associated-groups group_id=4579650 group_type=events

Context Example
{
    "TC.Group.AssociatedGroup": [
        {
            "DateAdded": "2019-01-13T18:13:19Z",
            "GroupID": 3594873,
            "Name": "NewCampaign",
            "OwnerName": "Demisto Inc.",
            "Type": "Campaign"
        }
    ]
}
Human Readable Output

ThreatConnect Associated Groups

GroupID Name Type OwnerName DateAdded
3594873 NewCampaign Campaign Demisto Inc. 2019-01-13T18:13:19Z

38. Associates one group with another group


Associates one group with another group.

Base Command

tc-associate-group-to-group

Input
Argument Name Description Required
group_type The type of the group. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". Required
group_id The ID of the group. To get the ID of the group, run the tc-get-groups command. Required
associated_group_type The type of group to associate. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". Required
associated_group_id The ID of the group to associate. Required

Context Output
Path Type Description
TC.Group.AssociatedGroup.AssociatedGroupID Number The ID of the associated group.
TC.Group.AssociatedGroup.AssociatedGroupType String The type of the associated group.
TC.Group.AssociatedGroup.GroupID Number The ID of the group to associate to.
TC.Group.AssociatedGroup.GroupType String The type of the group to associate to.

Command Example

!tc-associate-group-to-group associated_group_id=3594873 associated_group_type=campaigns group_id=4410738 group_type=events

Context Example
{
    "TC.Group.AssociatedGroup": {
        "AssociatedGroupID": 3594873,
        "AssociatedGroupType": "campaigns",
        "GroupID": 4410738,
        "GroupType": "events"
    }
}
Human Readable Output

The group 3594873 was associated successfully.