Skip to main content

ThreatConnect Feed

This Integration is part of the ThreatConnect Feed Pack.#

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

This integration fetches indicators from ThreatConnect. This integration was integrated and tested with version 3 of ThreatConnect Feed.

ThreatConnect Feed HMAC credentials#

  1. On the top navigation bar, hover the cursor over the Settings icon and select Org Settings from the dropdown menu.
  2. Click the Create API User button on the Membership tab of the Organization Settings screen, and the API User Administration window will be displayed.
  3. Fill up the following parts of the form:
    • First Name: Enter the API user’s first name.
    • Last Name: Enter the API user’s last name.
    • Organization Role: Use the dropdown menu to select an Organization role for the user.
    • Include in Observations and False Positives: Check this box to allow data provided by the API user to be included in observation and false-positive counts.
    • Disabled: Click the checkbox to disable an API user’s account in the event that the Administrator wishes to retain log integrity when the API user no longer requires ThreatConnect access.
  4. Record the Secret Key, as it will not be accessible after the window is closed.
  5. Click the SAVE button to create the API user account.

For more information - click here (Section - Creating an API User).

Configure ThreatConnect Feed on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for ThreatConnect Feed.

  3. Click Add instance to create and configure a new integration instance.

    Base URLThe API URL.True
    Access IDThe API ID keyTrue
    Secret keyThe secret key for the API.True
    Access IDAPI - Access IDTrue
    Secret keyAPI - Secret keyTrue
    Tags to filter results byA comma-separated list of tags to filter by.False
    OwnersA comma-separated list of owners to fetch indicators from.False
    Fetch indicatorsFalse
    Indicator ReputationIndicators from this integration instance will be marked with this reputation.False
    Source ReliabilityReliability of the source providing the intelligence data.True
    Traffic Light Protocol ColorThe Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed.False
    Feed Fetch IntervalThe time interval we send request to fetch indicators.False
    Trust any certificate (not secure)Whether to trust any certificate.False
    Bypass exclusion listWhen selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system.False
    TagsSupports CSV values.False
    Indicator typesFetch specific ThreatConnect indicator types. Default value is "All".False
    Group typeFetch specific ThreatConnect group types. Default value is "All".False
    Active Indicators OnlyFetch active only indicators when true. Default is "True".False
    Create RelationshipsFetch related indicators. Default is "False".False
    Indicator QueryFilter results using ThreatConnect Query Language (TQL). For more information, see the ThreatConnect documentation
    Confidence ThresholdMinimal confidence value to fetch indicators by (an integer between 0 to 100). Note: this parameter is not relevant for groups.False
    Threat Assess Score ThresholdMinimal threat assess score value to fetch indicators by (an integer between 0 to 1000). Note: this parameter is not relevant for groups.False
  4. Click Test to validate the URLs, token, and connection.


You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.


Gets indicators from ThreatConnect.

Base Command#



Argument NameDescriptionRequired
ownersComma-separated list of owners to fetch indicators from. (If not specified will retrieve only indicators owned by the account. If you supply this argument, it overwrites the "Owners" parameter.).Optional
limitThe maximum number of indicators to retrieve. Default is 50.Optional
offsetThe index of the first indicator to fetch. Possible values are: . Default is 0.Optional
tql_queryFilter results using ThreatConnect Query Language (TQL), will override all other arguments. For more information, see the ThreatConnect documentation
indicator_typeComma-separated list that will allow filtering of the retrieved indicators. Possible values are: All, EmailAddress, File, Host, URL, ASN, CIDR, Mutex, Registry Key, Address.Optional
active_indicatorsIf true, fetches only active indicators. Possible values are: true, false. Default is true.Optional
confidenceThis will fetch indicators with confidence of “greater than” the (integer) input.Optional
threat_assess_scoreAn integer that will determine the threshold (an integer between 0 to 1000).Optional

Context Output#

There is no context output for this command.

Command example#

!tc-get-indicators limit=1 offset=0 indicator_type=URL active_indicators=true

Human Readable Output#

ThreatConnect Feed - Indicators#

firstseenbysource: 2022-09-27T17:20:19Z
updateddate: 2022-09-27T17:20:19Z
description: This indicator appears in a post from VirIT.
name: name
address: address
reportedby: Technical Blogs and Reports
id: 98590287
ownerName: Technical Blogs and Reports
dateAdded: 2022-09-27T17:20:19Z
webLink: link
type: URL
lastModified: 2022-09-27T17:20:19Z
rating: 3.0
confidence: 70
source: source
description: This indicator appears in a post from VirIT.
summary: address/
privateFlag: false
active: true
activeLocked: false
text: address

Command Example#

!tc-get-indicators limit=2 offset=0

Human Readable Output#

id: Indicator012IP8.8.8.8
id: Indicator023IP8.8.4.4


Gets available indicators owners.

Base Command#



There are no input arguments for this command.

Context Output#

There is no context output for this command.

Human Readable Output#

ThreatConnect Feed - Owners#