Skip to main content

ThreatConnect Feed

This Integration is part of the ThreatConnect Feed Pack.#

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

This integration fetches indicators from ThreatConnect. This integration was integrated and tested with version 3 of ThreatConnect Feed.

ThreatConnect Feed HMAC credentials#

  1. On the top navigation bar, hover the cursor over the Settings icon and select Org Settings from the dropdown menu.
  2. Click the Create API User button on the Membership tab of the Organization Settings screen, and the API User Administration window will be displayed.
  3. Fill up the following parts of the form:
    • First Name: Enter the API user’s first name.
    • Last Name: Enter the API user’s last name.
    • Organization Role: Use the dropdown menu to select an Organization role for the user.
    • Include in Observations and False Positives: Check this box to allow data provided by the API user to be included in observation and false-positive counts.
    • Disabled: Click the checkbox to disable an API user’s account in the event that the Administrator wishes to retain log integrity when the API user no longer requires ThreatConnect access.
  4. Record the Secret Key, as it will not be accessible after the window is closed.
  5. Click the SAVE button to create the API user account.

For more information - click here (Section - Creating an API User).

Configure ThreatConnect Feed on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for ThreatConnect Feed.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    Base URLThe API URL.True
    Access IDThe API ID key.True
    Secret keyThe secret key for the API.True
    Tags to filter results byA comma-separated list of tags to filter by.False
    OwnersComma-separated list of owners to fetch indicators from.False
    Fetch indicatorsFalse
    Indicator ReputationIndicators from this integration instance will be marked with this reputation.False
    Source ReliabilityReliability of the source providing the intelligence data.True
    Traffic Light Protocol ColorThe Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed.False
    Feed Fetch IntervalThe time interval we send request to fetch indicators.False
    Trust any certificate (not secure)Whether to trust any certificate.False
    Bypass exclusion listWhen selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system.False
    TagsSupports CSV values.False
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

tc-get-indicators#


Gets indicators from ThreatConnect.

Base Command#

tc-get-indicators

Input#

Argument NameDescriptionRequired
ownersComma-separated list of owners to fetch indicators from. (If not specified, will retrieve only indicators owned by the account. If you supply this argument, it overwrites the "Owners" parameter.)Optional
limitThe maximum number of indicators to retrieve. Default is 50.Optional
offsetThe index of the first indicator to fetch. Default is 0.Optional

Context Output#

There is no context output for this command.

Command Example#

!tc-get-indicators limit=2 offset=0

Human Readable Output#

rawJSONscoretypevalue
id: Indicator012IP8.8.8.8
id: Indicator023IP8.8.4.4

tc-get-owners#


Gets available indicators owners.

Base Command#

tc-get-owners

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Human Readable Output#

ThreatConnect Feed - Owners#

idnametype
10303NAME-01Organization
10666NAME-02Source