
ThreatConnect v2 (Deprecated)

This Integration is part of the ThreatConnect Pack.#

Deprecated

Use the ThreatConnect v3 integration instead.


Configure ThreatConnect v2 in Cortex#

| Parameter | Description | Required |
| --- | --- | --- |
| baseUrl | Base Url | True |
| accessId | Access ID | True |
| secretKey | Secret Key | True |
| defaultOrg | Default Organization | False |
| Source Reliability | Reliability of the source providing the intelligence data. The default value is: B - Usually reliable. | True |
| rating | Rating threshold for Malicious Indicators | False |
| confidence | Confidence threshold for Malicious Indicators | False |
| freshness | Indicator Reputation Freshness (in days) | False |
| proxy | Use system proxy settings | False |

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip#


Searches for an indicator of type IP address.

Base Command#

ip

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | The IPv4 or IPv6 address. | Required |
| owners | A comma-separated list of a client's organizations, sources, or communities to which a user has permissions. For example, users with admin permissions can search for indicators belonging to all owners. | Optional |
| ratingThreshold | A list of results filtered by indicators whose threat rating is greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - "Moderate", "4" - "High", or "5" - "Critical". | Optional |
| confidenceThreshold | A list of results filtered by indicators whose confidence rating is greater than the specified value. Can be "0%" - "Unknown", "1%" - "Discredited", "2-29%" - "Improbable", "30-49%" - "Doubtful", "50-69%" - "Possible", "70-89%" - "Probable", or "90-100%" - "Confirmed". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the indicator. |
| TC.Indicator.ID | string | The ID of the indicator. |
| TC.Indicator.Description | string | The description of the indicator. |
| TC.Indicator.Owner | string | The owner of the indicator. |
| TC.Indicator.CreateDate | date | The date on which the indicator was created. |
| TC.Indicator.LastModified | date | The date on which the indicator was last modified. |
| TC.Indicator.Rating | number | The threat rating of the indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the indicator. |
| DBotScore.Indicator | string | The value assigned by DBot for the indicator. |
| DBotScore.Type | string | The type assigned by DBot for the indicator. |
| DBotScore.Score | number | The score assigned by DBot for the indicator. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Reliability | string | Reliability of the source providing the intelligence data. |
| IP.Address | string | The IP address of the indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |
| TC.Indicator.WebLink | string | The web link of the indicator. |

Command Example#

!ip ip=88.88.88.88

Context Example#

```json
{
    "TC.Indicator": [
        {
            "Rating": 0,
            "Confidence": 0,
            "Name": "88.88.88.88",
            "LastModified": "2020-04-27T04:57:20Z",
            "CreateDate": "2020-04-27T04:57:20Z",
            "Owner": "Demisto Inc.",
            "Type": "Address",
            "ID": 112677927
        }
    ],
    "DBotScore": [
        {
            "Vendor": "ThreatConnect",
            "Indicator": "88.88.88.88",
            "Score": 1,
            "Type": "ip"
        }
    ]
}
```

Human Readable Output#

ThreatConnect IP Reputation for: 88.88.88.88#

| Confidence | Create Date | ID | Last Modified | Name | Owner | Rating | Type |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 0 | 2020-04-27T04:57:20Z | 112677927 | 2020-04-27T04:57:20Z | 88.88.88.88 | Demisto Inc. | 0 | Address |

url#


Searches for an indicator of type URL.

Base Command#

url

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| url | The URL for which to search. For example, www.demisto.com. | Required |
| owners | A comma-separated list of a client's organizations, sources, or communities to which a client's API user has been granted permission. For example, "owner1", "owner2", or "owner3". | Optional |
| ratingThreshold | A list of results filtered by indicators whose threat rating is greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - "Moderate", "4" - "High", or "5" - "Critical". | Optional |
| confidenceThreshold | A list of results filtered by indicators whose confidence rating is greater than the specified value. Can be "0%" - "Unknown", "1%" - "Discredited", "2-29%" - "Improbable", "30-49%" - "Doubtful", "50-69%" - "Possible", "70-89%" - "Probable", or "90-100%" - "Confirmed". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the indicator. |
| TC.Indicator.ID | string | The ID of the indicator. |
| TC.Indicator.Description | string | The description of the indicator. |
| TC.Indicator.Owner | string | The owner of the indicator. |
| TC.Indicator.CreateDate | date | The date on which the indicator was created. |
| TC.Indicator.LastModified | date | The date on which the indicator was last modified. |
| TC.Indicator.Rating | number | The threat rating of the indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the indicator. |
| DBotScore.Indicator | string | The value assigned by DBot for the indicator. |
| DBotScore.Type | string | The type assigned by DBot for the indicator. |
| DBotScore.Score | number | The score assigned by DBot for the indicator. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Reliability | string | Reliability of the source providing the intelligence data. |
| URL.Data | string | The data of the URL indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |
| TC.Indicator.WebLink | string | The web link of the indicator. |

Command Example#

!url url=https://www.domain.com

Context Example#

```json
{
    "DBotScore": [
        {
            "Indicator": "https://www.domain.com",
            "Score": 2,
            "Type": "url",
            "Vendor": "ThreatConnect"
        }
    ],
    "TC": {
        "Indicator": {
            "Confidence": 50,
            "CreateDate": "2020-04-23T14:41:16Z",
            "ID": 112618313,
            "LastModified": "2020-04-27T10:03:38Z",
            "Name": "https://www.domain.com",
            "Owner": "Demisto Inc.",
            "Rating": 3,
            "Type": "URL"
        }
    }
}
```

Human Readable Output#

ThreatConnect URL Reputation for: https://www.domain.com#

| Confidence | Create Date | ID | Last Modified | Name | Owner | Rating | Type |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 50 | 2020-04-23T14:41:16Z | 112618313 | 2020-04-27T10:03:38Z | https://www.domain.com | Demisto Inc. | 3 | URL |


file#


Searches for an indicator of type file.

Base Command#

file

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| file | The hash of the file. Can be "MD5", "SHA-1", or "SHA-256". | Required |
| owners | A comma-separated list of a client's organizations, sources, or communities to which a user has permissions. For example, users with admin permissions can search for indicators belonging to all owners. | Optional |
| ratingThreshold | A list of results filtered by indicators whose threat rating is greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - "Moderate", "4" - "High", or "5" - "Critical". | Optional |
| confidenceThreshold | A list of results filtered by indicators whose confidence rating is greater than the specified value. Can be "0%" - "Unknown", "1%" - "Discredited", "2-29%" - "Improbable", "30-49%" - "Doubtful", "50-69%" - "Possible", "70-89%" - "Probable", or "90-100%" - "Confirmed". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the indicator. |
| TC.Indicator.ID | string | The ID of the indicator. |
| TC.Indicator.Description | string | The description of the indicator. |
| TC.Indicator.Owner | string | The owner of the indicator. |
| TC.Indicator.CreateDate | date | The date on which the indicator was created. |
| TC.Indicator.LastModified | date | The last date on which the indicator was modified. |
| TC.Indicator.Rating | number | The threat rating of the indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the indicator. |
| TC.Indicator.File.MD5 | string | The MD5 hash of the indicator. |
| TC.Indicator.File.SHA1 | string | The SHA1 hash of the indicator. |
| TC.Indicator.File.SHA256 | string | The SHA256 hash of the indicator. |
| DBotScore.Indicator | string | The value assigned by DBot for the indicator. |
| DBotScore.Type | string | The type assigned by DBot for the indicator. |
| DBotScore.Score | number | The score assigned by DBot for the indicator. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Reliability | string | Reliability of the source providing the intelligence data. |
| File.MD5 | string | The MD5 hash of the indicator. |
| File.SHA1 | string | The SHA1 hash of the indicator. |
| File.SHA256 | string | The SHA256 hash of the indicator. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the full description. |
| TC.Indicator.WebLink | string | The web link of the indicator. |

Command Example#

!file file=4a4a4e885f7189bbaa2fcc2f2403b128f79e951826c57c0e1ab50e085ae390e7

Context Example#

```json
{
    "TC.Indicator": [
        {
            "Rating": 0,
            "Confidence": 0,
            "LastModified": "2020-04-23T14:40:26Z",
            "CreateDate": "2020-04-23T14:40:26Z",
            "File": {
                "SHA256": "4A4A4E885F7189BBAA2FCC2F2403B128F79E951826C57C0E1AB50E085AE390E7"
            },
            "Owner": "Demisto Inc.",
            "Type": "File",
            "ID": 112618312
        }
    ],
    "DBotScore": [
        {
            "Vendor": "ThreatConnect",
            "Score": 1,
            "Type": "file"
        }
    ]
}
```

Human Readable Output#

ThreatConnect File Report for: 4a4a4e885f7189bbaa2fcc2f2403b128f79e951826c57c0e1ab50e085ae390e7#

| Confidence | Create Date | File | ID | Last Modified | Owner | Rating | Type |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 0 | 2020-04-23T14:40:26Z | SHA256: 4A4A4E885F7189BBAA2FCC2F2403B128F79E951826C57C0E1AB50E085AE390E7 | 112618312 | 2020-04-23T14:40:26Z | Demisto Inc. | 0 | File |

tc-owners#


Retrieves all owners for the current account.

Base Command#

tc-owners

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Owner.Name | string | The name of the owner. |
| TC.Owner.ID | string | The ID of the owner. |
| TC.Owner.Type | string | The type of the owner. |

Command Example#

!tc-owners

Context Example#

```json
{
    "TC": {
        "Owner": [
            {
                "ID": 737,
                "Name": "Demisto Inc.",
                "Type": "Organization"
            },
            {
                "ID": 646,
                "Name": "Blocklist.de Strong IPs",
                "Type": "Source"
            },
            {
                "ID": 716,
                "Name": "BotScout Bot List",
                "Type": "Source"
            }
        ]
    }
}
```

Human Readable Output#

ThreatConnect Owners:#

| ID | Name | Type |
| --- | --- | --- |
| 737 | Demisto Inc. | Organization |
| 646 | Blocklist.de Strong IPs | Source |
| 716 | BotScout Bot List | Source |

tc-indicators#


Retrieves a list of all indicators.

Base Command#

tc-indicators

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| owner | A list of results filtered by the owner of the indicator. | Optional |
| limit | The maximum number of results that can be returned. The default is 500. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the indicator. |
| TC.Indicator.ID | string | The ID of the indicator. |
| TC.Indicator.Description | string | The description of the indicator. |
| TC.Indicator.Owner | string | The owner of the indicator. |
| TC.Indicator.CreateDate | date | The date on which the indicator was created. |
| TC.Indicator.LastModified | date | The last date on which the indicator was modified. |
| TC.Indicator.Rating | number | The threat rating of the indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the indicator. |
| TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
| TC.Indicator.File.MD5 | string | The MD5 hash of the indicator of the file. |
| TC.Indicator.File.SHA1 | string | The SHA1 hash of the indicator of the file. |
| TC.Indicator.File.SHA256 | string | The SHA256 hash of the indicator of the file. |
| DBotScore.Indicator | string | The value assigned by DBot for the indicator. |
| DBotScore.Type | string | The type assigned by DBot for the indicator. |
| DBotScore.Score | number | The score assigned by DBot for the indicator. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Reliability | string | Reliability of the source providing the intelligence data. |
| IP.Address | string | The IP address of the indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |
| URL.Data | string | The data of the URL of the indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |
| Domain.Name | string | The name of the domain. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the full description. |
| TC.Indicator.WebLink | string | The web link of the indicator. |

Command Example#

!tc-indicators limit=3 owner="Demisto Inc."

Context Example#

```json
{
    "DBotScore": [
        {
            "Indicator": "88.88.88.88",
            "Score": 1,
            "Type": "ip",
            "Vendor": "ThreatConnect"
        },
        {
            "Indicator": "domain.info",
            "Score": 1,
            "Type": "domain",
            "Vendor": "ThreatConnect"
        },
        {
            "Indicator": "https://www.domain.com",
            "Score": 2,
            "Type": "url",
            "Vendor": "ThreatConnect"
        }
    ],
    "TC": {
        "Indicator": [
            {
                "Confidence": 0,
                "CreateDate": "2020-05-10T09:45:19Z",
                "ID": 112951652,
                "LastModified": "2020-05-10T09:45:19Z",
                "Name": "88.88.88.88",
                "Owner": "Demisto Inc.",
                "Rating": 0,
                "Type": "Address"
            },
            {
                "Confidence": 0,
                "CreateDate": "2020-04-23T14:42:21Z",
                "ID": 112618314,
                "LastModified": "2020-04-23T14:42:21Z",
                "Name": "domain.info",
                "Owner": "Demisto Inc.",
                "Rating": 0,
                "Type": "Host"
            },
            {
                "Confidence": 50,
                "CreateDate": "2020-04-23T14:41:16Z",
                "ID": 112618313,
                "LastModified": "2020-04-27T10:03:38Z",
                "Name": "https://www.domain.com",
                "Owner": "Demisto Inc.",
                "Rating": 3,
                "Type": "URL"
            }
        ]
    }
}
```

Human Readable Output#

ThreatConnect Indicators:#

| Confidence | Create Date | ID | Last Modified | Name | Owner | Rating | Type |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 0 | 2020-05-10T09:45:19Z | 112951652 | 2020-05-10T09:45:19Z | 88.88.88.88 | Demisto Inc. | 0 | Address |
| 0 | 2020-04-23T14:42:21Z | 112618314 | 2020-04-23T14:42:21Z | domain.info | Demisto Inc. | 0 | Host |
| 50 | 2020-04-23T14:41:16Z | 112618313 | 2020-04-27T10:03:38Z | https://www.domain.com | Demisto Inc. | 3 | URL |
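The instance parameters `rating` and `confidence` are thresholds for what counts as a malicious indicator, and the command outputs above pair each `TC.Indicator` entry with a `DBotScore`. The following is an added example (not the integration's own code) that applies such thresholds to the three indicators from the `tc-indicators` context example; the threshold values and the exact comparison rule are assumptions, chosen so that the result matches the scores shown on this page.

```python
from dataclasses import dataclass
from typing import Dict, List

# DBotScore values used by Cortex XSOAR: 0 unknown, 1 good, 2 suspicious, 3 bad.
DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 1, 2, 3

# TC.Indicator.Type values seen on this page, mapped to the DBotScore.Type
# values shown next to them in the same context examples.
TC_TYPE_TO_DBOT = {"Address": "ip", "Host": "domain", "URL": "url", "File": "file"}


@dataclass
class Thresholds:
    # Stand-ins for the instance parameters "rating" and "confidence".
    # The defaults here are assumptions for this example, not values from the page.
    rating: int = 3
    confidence: int = 70


def score_indicator(ind: Dict, th: Thresholds) -> Dict:
    """Derive one DBotScore entry from a TC.Indicator context entry.

    Assumed rule (an approximation, not the integration's own logic): an
    indicator is bad when BOTH its rating and its confidence reach the
    configured thresholds, suspicious when it carries any non-zero rating,
    and good otherwise.
    """
    rating = int(ind.get("Rating", 0))
    confidence = int(ind.get("Confidence", 0))
    if rating >= th.rating and confidence >= th.confidence:
        score = DBOT_BAD
    elif rating > 0:
        score = DBOT_SUSPICIOUS
    else:
        score = DBOT_GOOD
    return {
        "Indicator": ind["Name"],
        "Type": TC_TYPE_TO_DBOT.get(ind.get("Type", ""), "unknown"),
        "Score": score,
        "Vendor": "ThreatConnect",
    }


def score_all(indicators: List[Dict], th: Thresholds) -> List[Dict]:
    """Score a whole TC.Indicator list, preserving its order."""
    return [score_indicator(i, th) for i in indicators]


# Constructed sample input: the three TC.Indicator entries from the
# tc-indicators context example on this page, copied so this runs offline.
SAMPLE_INDICATORS = [
    {"Confidence": 0, "ID": 112951652, "Name": "88.88.88.88",
     "Owner": "Demisto Inc.", "Rating": 0, "Type": "Address"},
    {"Confidence": 0, "ID": 112618314, "Name": "domain.info",
     "Owner": "Demisto Inc.", "Rating": 0, "Type": "Host"},
    {"Confidence": 50, "ID": 112618313, "Name": "https://www.domain.com",
     "Owner": "Demisto Inc.", "Rating": 3, "Type": "URL"},
]

if __name__ == "__main__":
    # With rating>=3 and confidence>=70 the URL stays "suspicious" (2), as on the page.
    for entry in score_all(SAMPLE_INDICATORS, Thresholds()):
        print(entry)
    # Lowering the confidence threshold to 50 would flip the same URL to "bad" (3).
    print(score_indicator(SAMPLE_INDICATORS[2], Thresholds(rating=3, confidence=50)))
```

Running it shows why the two thresholds should be tuned together: the URL with rating 3 and confidence 50 is only suspicious under the assumed 3/70 settings, but becomes malicious as soon as the confidence threshold drops to 50.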

tc-get-tags#


Returns a list of all ThreatConnect tags.

Base Command#

tc-get-tags

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Tags | Unknown | A list of tags. |

Command Example#

!tc-get-tags

Context Example#

```json
{
    "TC": {
        "Tags": [
            "malicious file",
            "malicious ip",
            "malicious url"
        ]
    }
}
```

Human Readable Output#

ThreatConnect Tags:#

| Name |
| --- |
| malicious file |
| malicious ip |
| malicious url |

tc-tag-indicator#


Adds a tag to an existing indicator.

Base Command#

tc-tag-indicator

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| tag | The name of the tag. | Required |
| indicator | The indicator to tag. For example, for an IP indicator, "8.8.8.8". | Required |
| owner | A list of indicators filtered by the owner. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!tc-tag-indicator indicator=99.99.99.99 tag="malicious ip"

Context Example#

{}

Human Readable Output#

Indicator 99.99.99.99 with ID 112951655, was tagged with: malicious ip

tc-get-indicator#


Retrieves information about an indicator.

Base Command#

tc-get-indicator

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator | The name of the indicator by which to search. The command retrieves information from all owners. Can be an IP address, a URL, or a file hash. | Required |
| indicator_type | Only for custom indicator types. Leave empty for standard ones. | Optional |
| owners | Indicator owner(s). | Optional |
| ratingThreshold | A list of results filtered by indicators whose threat rating is greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - "Moderate", "4" - "High", or "5" - "Critical". | Optional |
| confidenceThreshold | A list of results filtered by indicators whose confidence rating is greater than the specified value. Can be "0%" - "Unknown", "1%" - "Discredited", "2-29%" - "Improbable", "30-49%" - "Doubtful", "50-69%" - "Possible", "70-89%" - "Probable", or "90-100%" - "Confirmed". | Optional |
| group_associations | Retrieve indicator group associations. | Required |
| indicator_associations | Retrieve indicator associations. | Optional |
| indicator_observations | Retrieve indicator observations. | Optional |
| indicator_tags | Retrieve indicator tags. | Optional |
| indicator_attributes | Retrieve indicator attributes. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the indicator. |
| TC.Indicator.ID | string | The ID of the indicator. |
| TC.Indicator.Description | string | The description of the indicator. |
| TC.Indicator.Owner | string | The owner of the indicator. |
| TC.Indicator.CreateDate | date | The date on which the indicator was created. |
| TC.Indicator.LastModified | date | The last date on which the indicator was modified. |
| TC.Indicator.Rating | number | The threat rating of the indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the indicator. |
| TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
| TC.Indicator.File.MD5 | string | The MD5 hash of the indicator of the file. |
| TC.Indicator.File.SHA1 | string | The SHA1 hash of the indicator of the file. |
| TC.Indicator.File.SHA256 | string | The SHA256 hash of the indicator of the file. |
| TC.Indicator.IndicatorAttributes.dateAdded | date | The date on which the indicator attribute was originally added. |
| TC.Indicator.IndicatorAttributes.displayed | boolean | A boolean flag to show on ThreatConnect. |
| TC.Indicator.IndicatorAttributes.id | number | The ID of the attribute. |
| TC.Indicator.IndicatorAttributes.lastModified | date | The date on which the indicator attribute was last modified. |
| TC.Indicator.IndicatorAttributes.type | string | The name of the attribute. |
| TC.Indicator.IndicatorAttributes.value | string | The contents of the attribute. |
| DBotScore.Indicator | string | The value assigned by DBot for the indicator. |
| DBotScore.Type | string | The type assigned by DBot for the indicator. |
| DBotScore.Score | number | The score assigned by DBot for the indicator. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Reliability | string | Reliability of the source providing the intelligence data. |
| IP.Address | string | The IP address of the indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |
| URL.Data | string | The data of the indicator of the URL. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |
| Domain.Name | string | The domain name of the indicator. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the full description. |
| TC.Indicator.WebLink | string | The web link of the indicator. |

Command Example#

!tc-get-indicator indicator=99.99.99.99 group_associations=false

Context Example#

```json
{
    "DBotScore": [
        {
            "Indicator": "99.99.99.99",
            "Score": 2,
            "Type": "ip",
            "Vendor": "ThreatConnect"
        }
    ],
    "TC": {
        "Indicator": {
            "Confidence": 70,
            "CreateDate": "2020-05-10T09:57:18Z",
            "ID": 112951655,
            "LastModified": "2020-05-10T09:57:27Z",
            "Name": "99.99.99.99",
            "Owner": "Demisto Inc.",
            "Rating": 1,
            "Type": "Address"
        }
    }
}
```

Human Readable Output#

ThreatConnect indicator for: 99.99.99.99#

| Confidence | Create Date | ID | Last Modified | Name | Owner | Rating | Type |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 70 | 2020-05-10T09:57:18Z | 112951655 | 2020-05-10T09:57:27Z | 99.99.99.99 | Demisto Inc. | 1 | Address |

tc-get-indicators-by-tag#


Fetches all indicators that have a tag.

Base Command#

tc-get-indicators-by-tag

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| tag | The name of the tag by which to filter. | Required |
| owner | A list of indicators filtered by the owner. | Optional |
| limit | The maximum number of indicators returned in the raw response. The default is 100. Note: the context shows at most 100 indicators. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Indicator.Name | string | The name of the tagged indicator. |
| TC.Indicator.Type | string | The type of the tagged indicator. |
| TC.Indicator.ID | string | The ID of the tagged indicator. |
| TC.Indicator.Description | string | The description of the tagged indicator. |
| TC.Indicator.Owner | string | The owner of the tagged indicator. |
| TC.Indicator.CreateDate | date | The date on which the tagged indicator was created. |
| TC.Indicator.LastModified | date | The last date on which the tagged indicator was modified. |
| TC.Indicator.Rating | number | The threat rating of the tagged indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the tagged indicator. |
| TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
| TC.Indicator.File.MD5 | string | The MD5 hash of the indicator of the file. |
| TC.Indicator.File.SHA1 | string | The SHA1 hash of the indicator of the file. |
| TC.Indicator.File.SHA256 | string | The SHA256 hash of the indicator of the file. |
| DBotScore.Indicator | string | The value assigned by DBot for the tagged indicator. |
| DBotScore.Type | string | The type assigned by DBot for the tagged indicator. |
| DBotScore.Score | number | The score assigned by DBot for the tagged indicator. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Reliability | string | Reliability of the source providing the intelligence data. |
| IP.Address | string | The IP address of the tagged indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |
| URL.Data | string | The data of the URL of the tagged indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |
| Domain.Name | string | The domain name of the tagged indicator. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the full description. |
| TC.Indicator.WebLink | string | The web link of the indicator. |

Command Example#

!tc-get-indicators-by-tag tag="malicious ip"

Context Example#

```json
{
    "DBotScore": [
        {
            "Indicator": "99.99.99.99",
            "Score": 2,
            "Type": "ip",
            "Vendor": "ThreatConnect"
        },
        {
            "Indicator": "82.28.82.28",
            "Score": 1,
            "Type": "ip",
            "Vendor": "ThreatConnect"
        },
        {
            "Indicator": "111.222.111.222",
            "Score": 2,
            "Type": "ip",
            "Vendor": "ThreatConnect"
        }
    ],
    "TC": {
        "Indicator": [
            {
                "Confidence": 70,
                "CreateDate": "2020-05-10T09:57:18Z",
                "ID": 112951655,
                "LastModified": "2020-05-10T09:57:18Z",
                "Name": "99.99.99.99",
                "Owner": "Demisto Inc.",
                "Rating": 2,
                "Type": "Address"
            },
            {
                "Confidence": 0,
                "CreateDate": "2018-10-18T11:12:20Z",
                "ID": 59227820,
                "LastModified": "2018-10-18T11:12:36Z",
                "Name": "82.28.82.28",
                "Owner": "Demisto Inc.",
                "Rating": 0,
                "Type": "Address"
            },
            {
                "Confidence": 20,
                "CreateDate": "2018-10-22T19:03:29Z",
                "Description": "Added critical rating",
                "ID": 59253542,
                "LastModified": "2018-12-19T15:55:57Z",
                "Name": "111.222.111.222",
                "Owner": "Demisto Inc.",
                "Rating": 1,
                "Type": "Address"
            }
        ]
    }
}
```

Human Readable Output#

ThreatConnect Indicators with tag: malicious ip#

| Confidence | Create Date | ID | Last Modified | Name | Owner | Rating | Type |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 70 | 2020-05-10T09:57:18Z | 112951655 | 2020-05-10T09:57:18Z | 99.99.99.99 | Demisto Inc. | 2 | Address |
| 0 | 2018-10-18T11:12:20Z | 59227820 | 2018-10-18T11:12:36Z | 82.28.82.28 | Demisto Inc. | 0 | Address |
| 20 | 2018-10-22T19:03:29Z | 59253542 | 2018-12-19T15:55:57Z | 111.222.111.222 | Demisto Inc. | 1 | Address |

tc-add-indicator#


Adds a new indicator to ThreatConnect.

Base Command#

tc-add-indicator

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator | The indicator to add. | Required |
| rating | The threat rating of the indicator. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - "Moderate", "4" - "High", or "5" - "Critical". | Optional |
| confidence | The confidence rating of the indicator. Can be "0%" - "Unknown", "1%" - "Discredited", "2-29%" - "Improbable", "30-49%" - "Doubtful", "50-69%" - "Possible", "70-89%" - "Probable", or "90-100%" - "Confirmed". | Optional |
| owner | The owner of the new indicator. The default is the "defaultOrg" parameter. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the indicator. |
| TC.Indicator.ID | string | The ID of the indicator. |
| TC.Indicator.Description | string | The description of the indicator. |
| TC.Indicator.Owner | string | The owner of the indicator. |
| TC.Indicator.CreateDate | date | The date on which the added indicator was created. |
| TC.Indicator.LastModified | date | The last date on which the added indicator was modified. |
| TC.Indicator.Rating | number | The threat rating of the indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the indicator. |
| TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
| TC.Indicator.File.MD5 | string | The MD5 hash of the indicator of the file. |
| TC.Indicator.File.SHA1 | string | The SHA1 hash of the indicator of the file. |
| TC.Indicator.File.SHA256 | string | The SHA256 hash of the indicator of the file. |
| IP.Address | string | The IP address of the indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |
| URL.Data | string | The data of the URL of the indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |
| Domain.Name | string | The name of the added domain indicator. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the full description. |
| TC.Indicator.WebLink | string | The web link of the indicator. |

Command Example#

!tc-add-indicator indicator=99.99.99.99 confidence=70 rating=2

Context Example#

```json
{
    "TC": {
        "Indicator": {
            "Confidence": 70,
            "CreateDate": "2020-05-10T09:57:18Z",
            "ID": 112951655,
            "LastModified": "2020-05-10T09:57:18Z",
            "Name": "99.99.99.99",
            "Owner": "Demisto Inc.",
            "Rating": 2,
            "Type": "Address"
        }
    }
}
```

Human Readable Output#

Created new indicator successfully:#

| Confidence | Create Date | ID | Last Modified | Name | Owner | Rating | Type |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 70 | 2020-05-10T09:57:18Z | 112951655 | 2020-05-10T09:57:18Z | 99.99.99.99 | Demisto Inc. | 2 | Address |

tc-create-incident#


Creates a new incident group.

Base Command#

tc-create-incident

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| owner | The owner of the new incident. The default is the "defaultOrg" parameter. | Optional |
| incidentName | The name of the incident group. | Required |
| eventDate | The creation time of an incident in the "2017-03-21T00:00:00Z" format. | Optional |
| tag | The tag applied to the incident. | Optional |
| securityLabel | The security label applied to the incident. Can be "TLP:RED", "TLP:GREEN", "TLP:AMBER", or "TLP:WHITE". | Optional |
| description | The description of the incident. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Incident.Name | string | The name of the new incident group. |
| TC.Incident.Owner | string | The owner of the new incident. |
| TC.Incident.EventDate | date | The date on which the event that indicates an incident occurred. |
| TC.Incident.Tag | string | The name of the tag of the new incident. |
| TC.Incident.SecurityLabel | string | The security label of the new incident. |
| TC.Incident.ID | Unknown | The ID of the new incident. |

Command Example#

!tc-create-incident incidentName=test_incident

Context Example#

```json
{
    "TC": {
        "Incident": {
            "EventDate": "2020-05-10T09:56:52Z",
            "ID": 5156603,
            "Name": "test_incident",
            "Owner": "Demisto Inc."
        }
    }
}
```

Human Readable Output#

Incident test_incident Created Successfully

tc-fetch-incidents#


Fetches incidents from ThreatConnect.

Base Command#

tc-fetch-incidents

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incidentId | The fetched incidents filtered by ID. | Optional |
| owner | The fetched incidents filtered by owner. | Optional |
| incidentName | The fetched incidents filtered by incident name. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Incident | string | The name of the group of fetched incidents. |
| TC.Incident.ID | string | The ID of the fetched incidents. |
| TC.Incident.Owner | string | The owner of the fetched incidents. |

Command Example#

!tc-fetch-incidents incidentId=5101576

Context Example#

```json
{
    "TC": {
        "Incident": {
            "dateAdded": "2020-04-21T06:54:46Z",
            "eventDate": "2020-04-21T00:00:00Z",
            "id": 5101576,
            "name": "try",
            "ownerName": "Demisto Inc.",
            "weblink": "https://sandbox.threatconnect.com/auth/incident/incident.xhtml?incident=5101576"
        }
    },
    "ThreatConnect": {
        "incidents": [
            {
                "dateAdded": "2020-04-21T06:54:46Z",
                "eventDate": "2020-04-21T00:00:00Z",
                "id": 5101576,
                "name": "try",
                "ownerName": "Demisto Inc.",
                "type": null,
                "weblink": "https://sandbox.threatconnect.com/auth/incident/incident.xhtml?incident=5101576"
            }
        ]
    }
}
```

Human Readable Output#

Incidents:#

| Date Added | Event Date | Id | Name | Owner Name | Type | Weblink |
| --- | --- | --- | --- | --- | --- | --- |
| 2020-04-21T06:54:46Z | 2020-04-21T00:00:00Z | 5101576 | try | Demisto Inc. | | https://sandbox.threatconnect.com/auth/incident/incident.xhtml?incident=5101576 |

tc-incident-associate-indicator#


Associates an indicator with an existing incident. The indicator must exist before running this command. To add an indicator, run the tc-add-indicator command.

Base Command#

tc-incident-associate-indicator

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicatorType | The type of the indicator. Can be "ADDRESSES", "EMAIL_ADDRESSES", "URLS", "HOSTS", "FILES", or "CUSTOM_INDICATORS". | Required |
| incidentId | The ID of the incident to which the indicator is associated. | Required |
| indicator | The name of the indicator. | Required |
| owner | A list of indicators filtered by the owner. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the indicator. |
| TC.Indicator.ID | string | The ID of the indicator. |
| TC.Indicator.Description | string | The description of the indicator. |
| TC.Indicator.Owner | string | The owner of the indicator. |
| TC.Indicator.CreateDate | date | The date on which the associated indicator was created. |
| TC.Indicator.LastModified | date | The last date on which the associated indicator was modified. |
| TC.Indicator.Rating | number | The threat rating of the indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the indicator. |
| TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
| TC.Indicator.File.MD5 | string | The MD5 hash of the indicator of the file. |
| TC.Indicator.File.SHA1 | string | The SHA1 hash of the indicator of the file. |
| TC.Indicator.File.SHA256 | string | The SHA256 hash of the indicator of the file. |
| IP.Address | string | The IP address of the associated indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |
| URL.Data | string | The URL data of the associated indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |
| Domain.Name | string | The name of the domain indicator. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the full description. |
| TC.Indicator.WebLink | string | The web link of the indicator. |

Command Example#

!tc-incident-associate-indicator indicator=99.99.99.99 indicatorType=ADDRESSES incidentId=5101577

Context Example#

{
"TC": {
"Incident": {
"dateAdded": "2020-04-21T07:03:56Z",
"eventDate": "2020-04-21T00:00:00Z",
"id": 5101577,
"name": "for_try",
"ownerName": "Demisto Inc.",
"weblink": "https://sandbox.threatconnect.com/auth/incident/incident.xhtml?incident=5101577"
}
}
}

Human Readable Output#

Incident for_try with ID 5101577, was tagged with: 99.99.99.99

domain#


Searches for an indicator of type domain.

Base Command#

domain

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | The name of the domain. | Required |
| owners | A comma-separated list of a client's organizations, sources, or communities to which a user has permissions. For example, users with admin permissions can search for indicators belonging to all owners. | Optional |
| ratingThreshold | A list of results filtered by indicators whose threat rating is greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - "Moderate", "4" - "High", or "5" - "Critical". | Optional |
| confidenceThreshold | A list of results filtered by indicators whose confidence rating is greater than the specified value. Can be "0%" - "Unknown", "1%" - "Discredited", "2-29%" - "Improbable", "30-49%" - "Doubtful", "50-69%" - "Possible", "70-89%" - "Probable", or "90-100%" - "Confirmed". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the domain. |
| TC.Indicator.ID | string | The ID of the domain. |
| TC.Indicator.Description | string | The description of the domain. |
| TC.Indicator.Owner | string | The owner of the domain. |
| TC.Indicator.CreateDate | date | The date on which the domain indicator was created. |
| TC.Indicator.LastModified | date | The last date on which the domain indicator was modified. |
| TC.Indicator.Rating | number | The threat rating of the domain. |
| TC.Indicator.Confidence | number | The confidence rating of the domain. |
| TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
| DBotScore.Indicator | string | The value assigned by DBot for the indicator. |
| DBotScore.Type | string | The type assigned by DBot for the indicator. |
| DBotScore.Score | number | The score assigned by DBot for the indicator. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Reliability | string | Reliability of the source providing the intelligence data. |
| Domain.Name | string | The name of the domain. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |
| TC.Indicator.WebLink | string | The web link of the indicator. |

Command Example#

!domain domain=domain.info

Context Example#

{
    "TC.Indicator": [
        {
            "Rating": 0,
            "Confidence": 0,
            "Name": "domain.info",
            "LastModified": "2020-04-23T14:42:21Z",
            "CreateDate": "2020-04-23T14:42:21Z",
            "Owner": "Demisto Inc.",
            "Active": "false",
            "Type": "Host",
            "ID": 112618314
        }
    ],
    "DBotScore": [
        {
            "Vendor": "ThreatConnect",
            "Indicator": "domain.info",
            "Score": 1,
            "Type": "domain"
        }
    ]
}

Human Readable Output#

ThreatConnect Domain Reputation for: domain.info#

| Active | Confidence | Create Date | ID | Last Modified | Name | Owner | Rating | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| false | 0 | 2020-04-23T14:42:21Z | 112618314 | 2020-04-23T14:42:21Z | domain.info | Demisto Inc. | 0 | Host |
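The integration's parameters (rating, confidence and freshness thresholds) and the `TC.Indicator` / `DBotScore` context shapes shown above determine how an indicator ends up with a DBot score. The script below is an added example, not code from the ThreatConnect v2 integration or from Cortex XSOAR: it takes constructed `TC.Indicator` records in the shape of the Context Examples on this page, applies an assumed scoring rule (stale indicators are unknown; rating and confidence at or above their thresholds make an indicator bad; only one of the two makes it suspicious; neither makes it good) and emits `DBotScore` entries. The rule, the `>=` comparison and the file/URL type mappings are assumptions; the `Host` to `domain` and `Address` to `ip` mappings follow the page's own examples. It also normalises the case where `TC.Indicator` is a single object (as in the `tc-update-indicator` Context Example) rather than a list.

```python
"""Added example (not the ThreatConnect v2 integration's own code): apply
rating/confidence/freshness thresholds to TC.Indicator records and build
DBotScore entries in the shape shown on this page."""
from datetime import datetime, timedelta, timezone

# DBotScore values used by Cortex XSOAR: 0 unknown, 1 good, 2 suspicious, 3 bad.
SCORE_UNKNOWN, SCORE_GOOD, SCORE_SUSPICIOUS, SCORE_BAD = 0, 1, 2, 3

# ThreatConnect indicator type -> DBotScore type. "Host"->"domain" and
# "Address"->"ip" appear in the page's Context Examples; the other two are assumptions.
DBOT_TYPE = {"Host": "domain", "Address": "ip", "File": "file", "URL": "url"}

# Constructed sample data in the TC.Indicator shape shown in the Context Examples.
SAMPLE_CONTEXT = {
    "TC.Indicator": [
        {"Rating": 0, "Confidence": 0, "Name": "domain.info", "Type": "Host",
         "LastModified": "2020-04-23T14:42:21Z", "Owner": "Demisto Inc.", "ID": 112618314},
        {"Rating": 4, "Confidence": 85, "Name": "99.99.99.99", "Type": "Address",
         "LastModified": "2020-05-10T09:57:25Z", "Owner": "Demisto Inc.", "ID": 112951655},
        # Constructed record: rating meets the threshold, confidence does not.
        {"Rating": 3, "Confidence": 40, "Name": "suspicious.example", "Type": "Host",
         "LastModified": "2020-05-15T00:00:00Z", "Owner": "Demisto Inc.", "ID": 1},
    ]
}


def as_list(value):
    """TC.Indicator is a list for search commands and a single object for
    tc-update-indicator (see the Context Examples); normalise both to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def parse_tc_date(text):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used throughout this page as UTC."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def score_indicator(ind, rating_threshold, confidence_threshold, freshness_days, now):
    """Assumed rule (not the integration's documented algorithm):
    - LastModified older than the freshness window -> unknown (stale intel);
    - rating and confidence both at/above threshold -> bad;
    - exactly one at/above threshold -> suspicious;
    - neither -> good (consistent with the page's rating 0 / confidence 0 -> Score 1)."""
    if now - parse_tc_date(ind["LastModified"]) > timedelta(days=freshness_days):
        return SCORE_UNKNOWN
    hits = int(ind.get("Rating", 0) >= rating_threshold) + \
        int(ind.get("Confidence", 0) >= confidence_threshold)
    return {2: SCORE_BAD, 1: SCORE_SUSPICIOUS, 0: SCORE_GOOD}[hits]


def build_dbot_scores(context, rating_threshold=3, confidence_threshold=70,
                      freshness_days=30, now=None):
    """Return DBotScore entries (Vendor/Indicator/Score/Type) for every TC.Indicator record."""
    now = now or datetime.now(timezone.utc)
    return [
        {
            "Vendor": "ThreatConnect",
            "Indicator": ind["Name"],
            "Score": score_indicator(ind, rating_threshold, confidence_threshold,
                                     freshness_days, now),
            "Type": DBOT_TYPE.get(ind.get("Type"), "unknown"),
        }
        for ind in as_list(context.get("TC.Indicator"))
    ]


def sample_scores(now_iso="2020-05-20T00:00:00Z"):
    """Score the constructed sample at a fixed reference time so results are reproducible."""
    return build_dbot_scores(SAMPLE_CONTEXT, now=parse_tc_date(now_iso))


if __name__ == "__main__":
    for entry in sample_scores():
        print(entry)
```

Moving the reference time forward (for example to `2020-06-01T00:00:00Z`) drops the `domain.info` record to a score of 0 because it falls outside the 30-day freshness window, which is the behaviour the `freshness` parameter is meant to produce: old reputation data should stop driving verdicts rather than quietly remaining "good" or "bad".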

tc-get-incident-associate-indicators#


Returns indicators that are related to a specific incident.

Base Command#

tc-get-incident-associate-indicators

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incidentId | The ID of the incident. | Required |
| owner | A list of indicators filtered by the owner. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Indicator.Name | string | The name of the returned indicator. |
| TC.Indicator.Type | string | The type of the returned indicator. |
| TC.Indicator.ID | string | The ID of the returned indicator. |
| TC.Indicator.Description | string | The description of the returned indicator. |
| TC.Indicator.Owner | string | The owner of the returned indicator. |
| TC.Indicator.CreateDate | date | The date on which the returned indicator was created. |
| TC.Indicator.LastModified | date | The last date on which the returned indicator was modified. |
| TC.Indicator.Rating | number | The threat rating of the returned indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the returned indicator. |
| TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
| TC.Indicator.File.MD5 | string | The MD5 hash of the file indicator. |
| TC.Indicator.File.SHA1 | string | The SHA1 hash of the file indicator. |
| TC.Indicator.File.SHA256 | string | The SHA256 hash of the file indicator. |
| DBotScore.Indicator | string | The value assigned by DBot for the indicator. |
| DBotScore.Type | string | The type assigned by DBot for the indicator. |
| DBotScore.Score | number | The score assigned by DBot for the indicator. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Reliability | string | Reliability of the source providing the intelligence data. |
| IP.Address | string | The IP address of the returned indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |
| URL.Data | string | The URL data of the returned indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |
| Domain.Name | string | The name of the domain. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the full description. |

Command Example#

!tc-get-incident-associate-indicators incidentId=5101576 owner="Demisto Inc."

Context Example#

{"TC.Indicator": [{
"Rating": 0,
"Confidence": 0,
"Name": "88.88.88.88",
"LastModified": "2020-04-27T04:57:20Z",
"CreateDate": "2020-04-27T04:57:20Z",
"Owner": "Demisto Inc.",
"Type": "Address",
"ID": 112677927 } ],
"DBotScore": [ {
"Vendor": "ThreatConnect",
"Indicator": "88.88.88.88",
"Score": 1,
"Type": "ip" } ]
}

Human Readable Output#

Incident Associated Indicators:#

| Confidence | Create Date | ID | Last Modified | Name | Owner | Rating | Type |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 0 | 2020-04-27T04:57:20Z | 112677927 | 2020-04-27T04:57:20Z | 88.88.88.88 | Demisto Inc. | 0 | Address |

tc-update-indicator#


Updates the indicator in ThreatConnect.

Base Command#

tc-update-indicator

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator | The name of the updated indicator. | Required |
| rating | The threat rating of the updated indicator. | Optional |
| confidence | The confidence rating of the updated indicator. | Optional |
| size | The size of the file of the updated indicator. | Optional |
| dnsActive | The active DNS indicator (only for hosts). | Optional |
| whoisActive | The active indicator (only for hosts). | Optional |
| updatedValues | A comma-separated list of field:value pairs to update. For example, "rating=3", "confidence=42", and "description=helloWorld". | Optional |
| falsePositive | The updated indicator set as a false positive. Can be "True" or "False". | Optional |
| observations | The number of observations on the updated indicator. | Optional |
| securityLabel | The security label applied to the incident. Can be "TLP:RED", "TLP:GREEN", "TLP:AMBER", or "TLP:WHITE". | Optional |
| threatAssessConfidence | Assesses the confidence rating of the indicator. | Optional |
| threatAssessRating | Assesses the threat rating of the indicator. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the indicator. |
| TC.Indicator.ID | string | The ID of the indicator. |
| TC.Indicator.Description | string | The description of the indicator. |
| TC.Indicator.Owner | string | The owner of the indicator. |
| TC.Indicator.CreateDate | date | The date on which the indicator was created. |
| TC.Indicator.LastModified | date | The last date on which the indicator was modified. |
| TC.Indicator.Rating | number | The threat rating of the indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the indicator. |
| TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
| TC.Indicator.File.MD5 | string | The MD5 hash of the file indicator. |
| TC.Indicator.File.SHA1 | string | The SHA1 hash of the file indicator. |
| TC.Indicator.File.SHA256 | string | The SHA256 hash of the file indicator. |
| IP.Address | string | The IP address of the indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |
| URL.Data | string | The URL data of the indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |
| Domain.Name | string | The domain name of the indicator. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the full description. |
| TC.Indicator.WebLink | string | The web link of the indicator. |

Command Example#

!tc-update-indicator indicator=99.99.99.99 rating=1

Context Example#

{
"TC": {
"Indicator": {
"Confidence": 70,
"CreateDate": "2020-05-10T09:57:18Z",
"ID": 112951655,
"LastModified": "2020-05-10T09:57:25Z",
"Name": "99.99.99.99",
"Owner": "Demisto Inc.",
"Rating": 1,
"Type": "Address"
}
}
}

Human Readable Output#

Indicator 112951655 Updated Successfully

tc-delete-indicator-tag#


Removes a tag from a specified indicator.

Base Command#

tc-delete-indicator-tag

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator | The name of the indicator from which to remove a tag. | Required |
| tag | The name of the tag to remove from the indicator. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the indicator. |
| TC.Indicator.ID | string | The ID of the indicator. |
| TC.Indicator.Description | string | The description of the indicator. |
| TC.Indicator.Owner | string | The owner of the indicator. |
| TC.Indicator.CreateDate | date | The date on which the indicator was created. |
| TC.Indicator.LastModified | date | The last date on which the indicator was modified. |
| TC.Indicator.Rating | number | The threat rating of the indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the indicator. |
| TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
| TC.Indicator.File.MD5 | string | The MD5 hash of the file indicator. |
| TC.Indicator.File.SHA1 | string | The SHA1 hash of the file indicator. |
| TC.Indicator.File.SHA256 | string | The SHA256 hash of the file indicator. |
| IP.Address | string | The IP address of the indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |
| URL.Data | string | The URL data of the indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |
| Domain.Name | string | The domain name of the indicator. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the full description. |
| TC.Indicator.WebLink | string | The web link of the indicator. |

Command Example#

!tc-delete-indicator-tag indicator=99.99.99.99 tag="malicious ip"

Context Example#

{
"TC": {
"Indicator": {
"Confidence": 70,
"CreateDate": "2020-05-10T09:57:18Z",
"ID": 112951655,
"LastModified": "2020-05-10T09:57:18Z",
"Name": "99.99.99.99",
"Owner": "Demisto Inc.",
"Rating": 2,
"Type": "Address"
}
}
}

Human Readable Output#

Removed tag malicious ip from indicator 99.99.99.99.

tc-delete-indicator#


Deletes an indicator from ThreatConnect.

Base Command#

tc-delete-indicator

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator | The name of the indicator to delete. | Required |

Context Output#

There is no context output for this command.

Command Example#

!tc-delete-indicator indicator=99.99.99.99

Context Example#

{}

Human Readable Output#

Indicator 99.99.99.99 removed Successfully

tc-create-campaign#


Creates a group based on the "Campaign" type.

Base Command#

tc-create-campaign

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | The name of the campaign group. | Required |
| firstSeen | The earliest date on which the campaign was seen. | Optional |
| owner | The owner of the new incident. The default is the "defaultOrg" parameter. | Optional |
| description | The description of the campaign. | Optional |
| tag | The name of the tag to apply to the campaign. | Optional |
| securityLabel | The security label of the campaign. For example, "TLP:Green". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Campaign.Name | string | The name of the campaign. |
| TC.Campaign.Owner | string | The owner of the campaign. |
| TC.Campaign.FirstSeen | date | The earliest date on which the campaign was seen. |
| TC.Campaign.Tag | string | The tag of the campaign. |
| TC.Campaign.SecurityLevel | string | The security label of the campaign. |
| TC.Campaign.ID | string | The ID of the campaign. |

Command Example#

!tc-create-campaign name=test_campaign description="test campaign"

Context Example#

{
"TC": {
"Campaign": {
"FirstSeen": "2020-05-10T00:00:00Z",
"ID": 5156601,
"Name": "test_campaign",
"Owner": "Demisto Inc."
}
}
}

Human Readable Output#

Campaign test_campaign Created Successfully

tc-create-event#


Creates a group based on the "Event" type.

Base Command#

tc-create-event

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | The name of the event group. | Required |
| eventDate | The date on which the event occurred. If the date is not specified, the current date is used. | Optional |
| status | The status of the event. Can be "Needs Review", "False Positive", "No Further Action", or "Escalated". | Optional |
| owner | The owner of the event. | Optional |
| description | The description of the event. | Optional |
| tag | The tag of the event. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Event.Name | string | The name of the event. |
| TC.Event.Date | date | The date of the event. |
| TC.Event.Status | string | The status of the event. |
| TC.Event.Owner | string | The owner of the event. |
| TC.Event.Tag | string | The tag of the event. |
| TC.Event.ID | string | The ID of the event. |

Command Example#

!tc-create-event name=test_event

Context Example#

{
"TC": {
"Event": {
"Date": "2020-05-10T09:56:50Z",
"ID": 5156602,
"Name": "test_event",
"Owner": "Demisto Inc."
}
}
}

Human Readable Output#

Incident test_event Created Successfully

tc-create-threat#


Creates a group based on the "Threats" type.

Base Command#

tc-create-threat

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | The name of the threat group. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Threat.Name | string | The name of the threat. |
| TC.Threat.ID | string | The ID of the threat. |

Command Example#

!tc-create-threat name=test_threat

Context Example#

{
"TC": {
"Threat": {
"ID": 5156604,
"Name": "test_threat"
}
}
}

Human Readable Output#

Threat test_threat Created Successfully

tc-delete-group#


Deletes a group.

Base Command#

tc-delete-group

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| groupID | The ID of the group to delete. | Required |
| type | The type of the group to delete. Can be "Incidents", "Events", "Campaigns", or "Threats". | Required |

Context Output#

There is no context output for this command.

Command Example#

!tc-delete-group groupID=5101578 type=Campaigns

Human Readable Output#

campaigns 5101578 deleted Successfully

tc-add-group-attribute#


Adds an attribute to a specified group.

Base Command#

tc-add-group-attribute

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| group_id | The ID of the group to which to add attributes. To get the ID of the group, run the tc-get-groups command. | Required |
| attribute_type | The type of attribute to add to the group. The type is located in the UI in a specific group or under Org Config. | Required |
| attribute_value | The value of the attribute. | Required |
| group_type | The type of the group. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Group.DateAdded | Date | The date on which the attribute was added. |
| TC.Group.LastModified | Date | The date on which the added attribute was last modified. |
| TC.Group.Type | String | The type of the group to which the attribute was added. |
| TC.Group.Value | String | The value of the attribute added to the group. |
| TC.Group.ID | Number | The group ID to which the attribute was added. |

Command Example#

!tc-add-group-attribute group_id=5101576 group_type=incidents attribute_type=description attribute_value="test add group attribute"

Context Example#

{
"TC": {
"Group": {
"DateAdded": "2020-05-10T09:57:00Z",
"ID": 23379726,
"LastModified": "2020-05-10T09:57:00Z",
"Type": "Description",
"Value": "test add group attribute"
}
}
}

Human Readable Output#

The attribute was added successfully to group 5101576#

| Type | Value | ID | DateAdded | LastModified |
| --- | --- | --- | --- | --- |
| Description | test add group attribute | 23379726 | 2020-05-10T09:57:00Z | 2020-05-10T09:57:00Z |

tc-get-events#


Returns a list of events.

Base Command#

tc-get-events

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Event.DateAdded | Date | The date on which the event was added. |
| TC.Event.EventDate | Date | The date on which the event occurred. |
| TC.Event.ID | Number | The ID of the event. |
| TC.Event.OwnerName | String | The name of the owner of the event. |
| TC.Event.Status | String | The status of the event. |

Command Example#

!tc-get-events

Context Example#

{
"TC": {
"Event": [
{
"DateAdded": "2020-05-10T09:56:51Z",
"EventDate": "2020-05-10T09:56:50Z",
"ID": 5156602,
"Name": "test_event",
"OwnerName": "Demisto Inc.",
"Status": "Needs Review"
},
{
"DateAdded": "2020-05-10T05:07:52Z",
"EventDate": "2020-05-10T05:07:51Z",
"ID": 5156545,
"Name": "MyTest",
"OwnerName": "Demisto Inc.",
"Status": "Needs Review"
}
]
}
}

Human Readable Output#

ThreatConnect Events#

| ID | Name | OwnerName | EventDate | DateAdded | Status |
| --- | --- | --- | --- | --- | --- |
| 5156602 | test_event | Demisto Inc. | 2020-05-10T09:56:50Z | 2020-05-10T09:56:51Z | Needs Review |
| 5156545 | MyTest | Demisto Inc. | 2020-05-10T05:07:51Z | 2020-05-10T05:07:52Z | Needs Review |

tc-get-groups#


Returns all groups, filtered by the group type.

Base Command#

tc-get-groups

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| group_type | The type of the group. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Group.DateAdded | Date | The date on which the group was added. |
| TC.Group.EventDate | Date | The date on which the event occurred. |
| TC.Group.Name | String | The name of the group. |
| TC.Group.OwnerName | String | The name of the owner of the group. |
| TC.Group.Status | String | The status of the group. |
| TC.Group.ID | Number | The ID of the group. |

Command Example#

!tc-get-groups group_type=incidents

Context Example#

{
"TC": {
"Group": [
{
"DateAdded": "2020-05-10T09:56:52Z",
"EventDate": "2020-05-10T00:00:00Z",
"ID": 5156603,
"Name": "test_incident",
"OwnerName": "Demisto Inc.",
"Status": null
},
{
"DateAdded": "2020-05-10T09:54:44Z",
"EventDate": "2020-05-10T00:00:00Z",
"ID": 5156599,
"Name": "test_incident",
"OwnerName": "Demisto Inc.",
"Status": null
},
{
"DateAdded": "2020-05-10T09:47:58Z",
"EventDate": "2020-05-10T00:00:00Z",
"ID": 5156595,
"Name": "test_incident",
"OwnerName": "Demisto Inc.",
"Status": null
}
]
}
}

Human Readable Output#

ThreatConnect incidents#

| ID | Name | OwnerName | EventDate | DateAdded |
| --- | --- | --- | --- | --- |
| 5156603 | test_incident | Demisto Inc. | 2020-05-10T00:00:00Z | 2020-05-10T09:56:52Z |
| 5156599 | test_incident | Demisto Inc. | 2020-05-10T00:00:00Z | 2020-05-10T09:54:44Z |
| 5156595 | test_incident | Demisto Inc. | 2020-05-10T00:00:00Z | 2020-05-10T09:47:58Z |

tc-add-group-security-label#


Adds a security label to a group.

Base Command#

tc-add-group-security-label

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| group_id | The ID of the group to which to add the security label. To get the ID, run the tc-get-groups command. | Required |
| group_type | The type of the group to which to add the security label. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
| security_label_name | The name of the security label to add to the group. For example, "TLP:GREEN". | Required |

Context Output#

There is no context output for this command.

Command Example#

!tc-add-group-security-label group_id=5101576 group_type=incidents security_label_name=TLP:GREEN

Context Example#

{}

Human Readable Output#

The security label TLP:GREEN was added successfully to incidents 5101576

tc-add-group-tag#


Adds tags to a specified group.

Base Command#

tc-add-group-tag

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| group_id | The ID of the group to which to add the tag. To get the ID, run the tc-get-groups command. | Required |
| group_type | The type of the group to which to add the tag. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
| tag_name | The name of the tag to add to the group. | Required |

Context Output#

There is no context output for this command.

Command Example#

!tc-add-group-tag group_id=5101576 group_type=incidents tag_name="malicious ip"

Context Example#

{}

Human Readable Output#

The tag malicious ip was added successfully to group incidents 5101576

tc-get-indicator-types#


Returns all indicator types available.

Base Command#

tc-get-indicator-types

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.IndicatorType.ApiBranch | String | The branch of the API. |
| TC.IndicatorType.ApiEntity | String | The entity of the API. |
| TC.IndicatorType.CasePreference | String | The case preference of the indicator. For example, "sensitive", "upper", or "lower". |
| TC.IndicatorType.Custom | Boolean | Whether the indicator is a custom indicator. |
| TC.IndicatorType.Parsable | Boolean | Whether the indicator can be parsed. |
| TC.IndicatorType.Value1Type | String | The name of the indicator. |
| TC.IndicatorType.Value1Label | String | The value label of the indicator. |

Command Example#

!tc-get-indicator-types

Context Example#

{
"TC": {
"IndicatorType": [
{
"ApiBranch": "addresses",
"ApiEntity": "address",
"CasePreference": null,
"Custom": "false",
"Name": "Address",
"Parsable": "true",
"Value1Label": null,
"Value1Type": null
},
{
"ApiBranch": "files",
"ApiEntity": "file",
"CasePreference": null,
"Custom": "false",
"Name": "File",
"Parsable": "true",
"Value1Label": "MD5",
"Value1Type": "text"
},
{
"ApiBranch": "hosts",
"ApiEntity": "host",
"CasePreference": null,
"Custom": "false",
"Name": "Host",
"Parsable": "true",
"Value1Label": null,
"Value1Type": null
},
{
"ApiBranch": "urls",
"ApiEntity": "url",
"CasePreference": null,
"Custom": "false",
"Name": "URL",
"Parsable": "true",
"Value1Label": null,
"Value1Type": null
}
]
}
}

Human Readable Output#

ThreatConnect indicator types#

| Name | Custom | Parsable | ApiBranch | CasePreference | Value1Type |
| --- | --- | --- | --- | --- | --- |
| Address | false | true | addresses | | |
| File | false | true | files | | text |
| Host | false | true | hosts | | |
| URL | false | true | urls | | |

tc-group-associate-indicator#


Associates an indicator with a group.

Base Command#

tc-group-associate-indicator

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_type | The type of the indicator. To get the available types, run the tc-get-indicator-types command. The indicator must be spelled as displayed in the ApiBranch column of the UI. | Required |
| indicator | The name of the indicator. For example, "indicator_type=emailAddresses" where "indicator=a@a.co.il". | Required |
| group_type | The type of the group. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
| group_id | The ID of the group. To get the ID of the group, run the tc-get-groups command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Group.GroupID | Number | The ID of the group. |
| TC.Group.GroupType | String | The type of the group. |
| TC.Group.Indicator | String | The name of the indicator. |
| TC.Group.IndicatorType | String | The type of the indicator. |

Command Example#

!tc-group-associate-indicator indicator_type=addresses group_id=5101576 group_type=incidents indicator=99.99.99.99

Human Readable Output#

tc-create-document-group#


Creates a document group.

Base Command#

tc-create-document-group

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| file_name | The name of the file to display in the UI. | Required |
| name | The name of the file. | Required |
| malware | Whether the file is malware. If "true", ThreatConnect creates a password-protected ZIP file on your local machine that contains the sample and uploads the ZIP file. | Optional |
| password | The password of the ZIP file. | Optional |
| security_label | The security label of the group. | Optional |
| description | A description of the group. | Optional |
| entry_id | The entry ID of the file, as displayed in the War Room. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Group.Name | String | The name of the group. |
| TC.Group.Owner | String | The owner of the group. |
| TC.Group.EventDate | Date | The date on which the group was created. |
| TC.Group.Description | String | The description of the group. |
| TC.Group.SecurityLabel | String | The security label of the group. |
| TC.Group.ID | Number | The ID of the group to which the attribute was added. |

Command Example#

!tc-create-document-group entry_id=11@11 file_name=test.txt name=test_document

Human Readable Output#

tc-get-group#


Retrieves a single group.

Base Command#

tc-get-group

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| group_type | The type of group for which to return the ID. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
| group_id | The ID of the group to retrieve. To get the ID, run the tc-get-groups command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Group.DateAdded | Date | The date on which the group was added. |
| TC.Group.EventDate | Date | The date on which the event occurred. |
| TC.Group.Name | String | The name of the group. |
| TC.Group.Owner.ID | Number | The ID of the group owner. |
| TC.Group.Owner.Name | String | The name of the group owner. |
| TC.Group.Owner.Type | String | The type of the owner. |
| TC.Group.Status | String | The status of the group. |

Command Example#

!tc-get-group group_id=5101576 group_type=incidents

Context Example#

{
"TC": {
"Group": {
"DateAdded": "2020-04-21T06:54:46Z",
"EventDate": "2020-04-21T00:00:00Z",
"ID": 5101576,
"Name": "try",
"Owner": {
"ID": 737,
"Name": "Demisto Inc.",
"Type": "Organization"
},
"Status": null
}
}
}

Human Readable Output#

ThreatConnect Group information#

| DateAdded | EventDate | ID | Name | Owner |
| --- | --- | --- | --- | --- |
| 2020-04-21T06:54:46Z | 2020-04-21T00:00:00Z | 5101576 | try | Name: Demisto Inc., ID: 737, Type: Organization |

tc-get-group-attributes#


Retrieves the attribute of a group.

Base Command#

tc-get-group-attributes

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| group_type | The type of group for which to return the attribute. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
| group_id | The ID of the group for which to return the attribute. To get the ID, run the tc-get-groups command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Group.Attribute.DateAdded | Date | The date on which the group was added. |
| TC.Group.Attribute.Displayed | Boolean | Whether the attribute is displayed on the UI. |
| TC.Group.Attribute.AttributeID | Number | The ID of the attribute. |
| TC.Group.Attribute.LastModified | Date | The date on which the attribute was last modified. |
| TC.Group.Attribute.Type | String | The type of the attribute. |
| TC.Group.Attribute.Value | String | The value of the attribute. |

Command Example#

!tc-get-group-attributes group_id=5101576 group_type=incidents

Context Example#

{
"TC": {
"Group": {
"Attribute": [
{
"AttributeID": 23379726,
"DateAdded": "2020-05-10T09:57:00Z",
"Displayed": true,
"GroupID": 5101576,
"LastModified": "2020-05-10T09:57:00Z",
"Type": "Description",
"Value": "test add group attribute"
},
{
"AttributeID": 23379725,
"DateAdded": "2020-05-10T09:54:51Z",
"Displayed": false,
"GroupID": 5101576,
"LastModified": "2020-05-10T09:54:51Z",
"Type": "Description",
"Value": "test add group attribute"
}
]
}
}
}

Human Readable Output#

ThreatConnect Group Attributes#

| AttributeID | Type | Value | DateAdded | LastModified | Displayed |
| --- | --- | --- | --- | --- | --- |
| 23379726 | Description | test add group attribute | 2020-05-10T09:57:00Z | 2020-05-10T09:57:00Z | true |
| 23379725 | Description | test add group attribute | 2020-05-10T09:54:51Z | 2020-05-10T09:54:51Z | false |

tc-get-group-security-labels#


Retrieves the security labels of a group.

Base Command#

tc-get-group-security-labels

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| group_type | The type of group for which to return the security labels. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
| group_id | The ID of the group for which to return the security labels. To get the ID, run the tc-get-groups command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Group.SecurityLabel.Name | String | The name of the security label. |
| TC.Group.SecurityLabel.Description | String | The description of the security label. |
| TC.Group.SecurityLabel.DateAdded | Date | The date on which the security label was added. |

Command Example#

!tc-get-group-security-labels group_id=5101576 group_type=incidents

Context Example#

{
"TC": {
"Group": {
"SecurityLabel": {
"DateAdded": "2016-08-31T00:00:00Z",
"Description": "This security label is used for information that is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.",
"GroupID": 5101576,
"Name": "TLP:GREEN"
}
}
}
}

Human Readable Output#

ThreatConnect Group Security Labels#

| Name | Description | DateAdded |
| --- | --- | --- |
| TLP:GREEN | This security label is used for information that is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. | 2016-08-31T00:00:00Z |

tc-get-group-tags#


Retrieves the tags of a group.

Base Command#

tc-get-group-tags

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| group_type | The type of group for which to return the tags. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
| group_id | The ID of the group for which to return the tags. To get the ID, run the tc-get-groups command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Group.Tag.Name | String | The name of the tag. |

Command Example#

!tc-get-group-tags group_id=5101576 group_type=incidents

Context Example#

{
"TC": {
"Group": {
"Tag": {
"GroupID": 5101576,
"Name": "malicious ip"
}
}
}
}

Human Readable Output#

ThreatConnect Group Tags#

| Name |
| --- |
| malicious ip |

tc-download-document#


Downloads the contents of a document.

Base Command#

tc-download-document

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| document_id | The ID of the document. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| File.Size | Number | The size of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.Name | String | The name of the file. |
| File.SSDeep | String | The ssdeep hash of the file (same as displayed in file entries). |
| File.EntryID | String | The entry ID of the file. |
| File.Info | String | The information of the file. |
| File.Type | String | The type of the file. |
| File.MD5 | String | The MD5 hash of the file. |
| File.Extension | String | The extension of the file. |

Command Example#

!tc-download-document document_id=12345

Human Readable Output#

tc-get-group-indicators#


Returns indicators associated with a group.

Base Command#

tc-get-group-indicators

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| group_type | The type of the group for which to return the indicators. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
| group_id | The ID of the group for which to return the indicators. To get the ID, run the tc-get-groups command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Group.Indicator.Summary | String | The summary of the indicator. |
| TC.Group.Indicator.ThreatAssessConfidence | String | The confidence rating of the indicator. |
| TC.Group.Indicator.IndicatorID | Number | The ID of the indicator. |
| TC.Group.Indicator.DateAdded | Date | The date on which the indicator was added. |
| TC.Group.Indicator.Type | String | The type of the indicator. |
| TC.Group.Indicator.Rating | Number | The threat rating of the indicator. |
| TC.Group.Indicator.ThreatAssertRating | Number | The rating of the threat assert. |
| TC.Group.Indicator.OwnerName | String | The name of the owner of the indicator. |
| TC.Group.Indicator.LastModified | Date | The date that the indicator was last modified. |

Command Example#

!tc-get-group-indicators group_type="incidents" group_id="5110299"

Context Example#

{
"TC.Group.Indicator": [
{
"Rating": 0,
"Confidence": 0,
"DateAdded": "2020-04-27T04:57:20Z",
"ThreatAssessConfidence": 53,
"LastModified": "2020-04-27T04:57:20Z",
"ThreatAssertRating": 3,
"Summary": "88.88.88.88",
"OwnerName": "Demisto Inc.",
"IndicatorID": 112677927,
"Type": "Address",
"GroupID": 5110299
}
]
}
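The context above is what an automation or playbook task receives after running tc-get-group-indicators. The following is an added example, not code from the ThreatConnect v2 integration, showing how to consume it safely: it accepts both the flattened key ("TC.Group.Indicator") and the nested form ("TC" -> "Group" -> ...) that appear in this page's context examples, treats a single result (a dict) the same as several (a list), and then keeps only the indicators whose rating and confidence meet a threshold, with a missing score counted as 0 ("Unknown") so it never passes. The sample context, the second indicator entry and the helper names are constructed for the example; the field names come from the context example above.

```python
"""
Added example (not part of the ThreatConnect v2 integration): post-process the
TC.Group.Indicator context produced by tc-get-group-indicators inside an automation.
"""
from typing import Any, Dict, List

# Constructed sample, shaped like the Context Example for tc-get-group-indicators.
# The second entry is made up: it has owner-assigned scores but no ThreatAssess scores.
SAMPLE_CONTEXT: Dict[str, Any] = {
    "TC.Group.Indicator": [
        {
            "Rating": 0,
            "Confidence": 0,
            "DateAdded": "2020-04-27T04:57:20Z",
            "ThreatAssessConfidence": 53,
            "LastModified": "2020-04-27T04:57:20Z",
            "ThreatAssertRating": 3,
            "Summary": "88.88.88.88",
            "OwnerName": "Demisto Inc.",
            "IndicatorID": 112677927,
            "Type": "Address",
            "GroupID": 5110299,
        },
        {
            "Rating": 5,
            "Confidence": 90,
            "Summary": "constructed-host.example",
            "IndicatorID": 1,
            "Type": "Host",
            "GroupID": 5110299,
        },
    ]
}


def _as_list(value: Any) -> List[Dict[str, Any]]:
    """Context entries arrive as a dict for one result and a list for several."""
    if value is None:
        return []
    if isinstance(value, dict):
        return [value]
    return [v for v in value if isinstance(v, dict)]


def indicators_from_context(ctx: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the TC.Group.Indicator entries whether the key is flattened or nested."""
    if "TC.Group.Indicator" in ctx:
        return _as_list(ctx["TC.Group.Indicator"])
    return _as_list(ctx.get("TC", {}).get("Group", {}).get("Indicator"))


def _score(entry: Dict[str, Any], key: str) -> float:
    """A missing, null or non-numeric score counts as 0 ('Unknown')."""
    try:
        return float(entry.get(key, 0) or 0)
    except (TypeError, ValueError):
        return 0.0


def select_indicators(indicators: List[Dict[str, Any]],
                      min_rating: float,
                      min_confidence: float,
                      rating_key: str = "ThreatAssertRating",
                      confidence_key: str = "ThreatAssessConfidence") -> List[Dict[str, Any]]:
    """Keep entries whose rating AND confidence are at or above the thresholds.

    The default keys are the ThreatAssess fields from the context example; pass
    rating_key="Rating", confidence_key="Confidence" to use owner-assigned values.
    """
    return [
        e for e in indicators
        if _score(e, rating_key) >= min_rating and _score(e, confidence_key) >= min_confidence
    ]


def summaries(indicators: List[Dict[str, Any]]) -> List[str]:
    """The indicator values (Summary field) of the selected entries."""
    return [str(e.get("Summary", "")) for e in indicators]


if __name__ == "__main__":
    found = indicators_from_context(SAMPLE_CONTEXT)
    print(summaries(select_indicators(found, min_rating=3, min_confidence=50)))  # ['88.88.88.88']
```

Because a score that is absent is scored as 0, the constructed second entry is dropped under the default ThreatAssess keys and only selected when the owner-assigned Rating/Confidence keys are requested explicitly; that is usually the behaviour wanted when the result feeds a blocking or escalation step.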

Human Readable Output#

ThreatConnect Group Indicators#

| Confidence | DateAdded | GroupID | IndicatorID | LastModified | OwnerName | Rating | Summary | ThreatAssertRating | ThreatAssessConfidence | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 0 | 2020-04-27T04:57:20Z | 5110299 | 112677927 | 2020-04-27T04:57:20Z | Demisto Inc. | 0.0 | 88.88.88.88 | 3.0 | 53.0 | Address |

tc-get-associated-groups#


Returns the groups associated with a specified group.

Base Command#

tc-get-associated-groups

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| group_type | The type of group. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
| group_id | The ID of the group. To get the ID, run the tc-get-groups command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Group.AssociatedGroup.DateAdded | Date | The date on which the group was added. |
| TC.Group.AssociatedGroup.GroupID | Number | The ID of the group. |
| TC.Group.AssociatedGroup.Name | String | The name of the group. |
| TC.Group.AssociatedGroup.OwnerName | String | The name of the owner of the group. |
| TC.Group.AssociatedGroup.Type | String | The type of the group. |

Command Example#

!tc-get-associated-groups group_id=5101576 group_type=incidents

Context Example#

{
"TC": {
"Group": {
"AssociatedGroup": {
"DateAdded": "2020-04-27T05:03:28Z",
"GroupID": 5110299,
"Name": "test_as",
"OwnerName": "Demisto Inc.",
"Type": "Incident"
}
}
}
}

Human Readable Output#

ThreatConnect Associated Groups#

| GroupID | Name | Type | OwnerName | DateAdded |
| --- | --- | --- | --- | --- |
| 5110299 | test_as | Incident | Demisto Inc. | 2020-04-27T05:03:28Z |

tc-associate-group-to-group#


Associates one group with another group.

Base Command#

tc-associate-group-to-group

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| group_type | The type of the group. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
| group_id | The ID of the group. To get the ID of the group, run the tc-get-groups command. | Required |
| associated_group_type | The type of group to associate. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
| associated_group_id | The ID of the group to associate. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TC.Group.AssociatedGroup.AssociatedGroupID | Number | The ID of the associated group. |
| TC.Group.AssociatedGroup.AssociatedGroupType | String | The type of the associated group. |
| TC.Group.AssociatedGroup.GroupID | Number | The ID of the group to associate to. |
| TC.Group.AssociatedGroup.GroupType | String | The type of the group to associate to. |

Command Example#

!tc-associate-group-to-group group_id=5101576 group_type=incidents associated_group_id=5101578 associated_group_type=campaigns

Context Example#

{
"TC.Group.AssociatedGroup": {
"GroupType": "incidents",
"AssociatedGroupID": 5101578,
"AssociatedGroupType": "campaigns",
"GroupID": 5101576
}
}

Human Readable Output#

The group 5101578 was associated successfully.

tc-get-indicator-owners#


Returns the owners of an indicator.

Base Command#

tc-get-indicator-owners

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator | The indicator value. | Required |

Context Output#

There is no context output for this command.

Command Example#

!tc-get-indicator-owners indicator=99.99.99.99

Context Example#

{
"TC": {
"Owners": [
{
"id": 737,
"name": "Demisto Inc.",
"type": "Organization"
}
]
}
}

Human Readable Output#

ThreatConnect Owners for Indicator: 99.99.99.99#

| id | name | type |
| --- | --- | --- |
| 737 | Demisto Inc. | Organization |

tc-download-report#


Downloads the report of a group in PDF format.

Base Command#

tc-download-report

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| group_type | The type of the group. Possible values are: adversaries, campaigns, emails, incidents, signatures, threats. | Required |
| group_id | The ID of the group. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| File.Size | Number | The size of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.Name | String | The name of the file. |
| File.SSDeep | String | The ssdeep hash of the file. |
| File.EntryID | String | The entry ID of the file. |
| File.Info | String | The information of the file. |
| File.Type | String | The type of the file. |
| File.MD5 | String | The MD5 hash of the file. |
| File.Extension | String | The extension of the file. |