ThreatConnect v2 (Deprecated)
ThreatConnect Pack.#
This Integration is part of theDeprecated
Use the ThreatConnect v3 integration instead.
Deprecated. Use the ThreatConnect v2 integration instead.
#
Configure ThreatConnect v2 in CortexParameter | Description | Required |
---|---|---|
baseUrl | Base Url | True |
accessId | Access ID | True |
secretKey | Secret Key | True |
defaultOrg | Default Organization | False |
Source Reliability | Reliability of the source providing the intelligence data. The default value is: B - Usually reliable. | True |
rating | Rating threshold for Malicious Indicators | False |
confidence | Confidence threshold for Malicious Indicators | False |
freshness | Indicator Reputation Freshness (in days) | False |
proxy | Use system proxy settings | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
ipSearches for an indicator of type IP address.
#
Base Commandip
#
InputArgument Name | Description | Required |
---|---|---|
ip | The IPv4 or IPv6 address. | Required |
owners | A comma-separated list of a client's organizations, sources, or communities to which a user has permissions. For example, users with admin permissions can search for indicators belonging to all owners. | Optional |
ratingThreshold | A list of results filtered by indicators whose threat rating is greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - Moderate, "4" - High, or "5" - "Critical". | Optional |
confidenceThreshold | A list of results filtered by indicators whose confidence rating is greater than the specified value. Can be "0%" - "Unknown," "1% " - "Discredited", "2-29%" - "Improbable," "30-49%" - "Doubtful," "50-69%" - "Possible", "70-89%" - "Probable," or "90-100%" - "Confirmed". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Indicator.Name | string | The name of the indicator. |
TC.Indicator.Type | string | The type of the indicator. |
TC.Indicator.ID | string | The ID of the indicator. |
TC.Indicator.Description | string | The description of the indicator. |
TC.Indicator.Owner | string | The owner of the indicator. |
TC.Indicator.CreateDate | date | The date on which the indicator was created. |
TC.Indicator.LastModified | date | The date on which the indicator was modified. |
TC.Indicator.Rating | number | The threat rating of the indicator. |
TC.Indicator.Confidence | number | The confidence rating of the indicator. |
DBotScore.Indicator | string | The value assigned by DBot for the indicator. |
DBotScore.Type | string | The type assigned by DBot for the indicator. |
DBotScore.Score | number | The score assigned by DBot for the indicator. |
DBotScore.Vendor | string | The vendor used to calculate the score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
IP.Address | string | The IP address of the indicator. |
IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
IP.Malicious.Description | string | For malicious IP addresses, the full description. |
TC.Indicator.WebLink | string | The web link of the indicator. |
#
Command Example!ip ip=88.88.88.88
#
Context Example#
Human Readable Output#
ThreatConnect IP Reputation for: 88.88.88.88
Confidence Create Date ID Last Modified Name Owner Rating Type 0 2020-04-27T04:57:20Z 112677927 2020-04-27T04:57:20Z 88.88.88.88 Demisto Inc. 0 Address
#
urlSearches for an indicator of type URL.
#
Base Commandurl
#
InputArgument Name | Description | Required |
---|---|---|
url | The URL for which to search. For example, www.demisto.com . | Required |
owners | A comma-separated list of a client's organizations, sources, or communities to which a client’s API user has been granted permission. For example, "owner1", "owner2", or "owner3". | Optional |
ratingThreshold | A list of results filtered by indicators whose threat rating is greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - Moderate, "4" - High, or "5" - "Critical". | Optional |
confidenceThreshold | A list of results filtered by indicators whose confidence rating is greater than the specified value. Can be "0%" - "Unknown," "1% " - "Discredited", "2-29%" - "Improbable," "30-49%" - "Doubtful," "50-69%" - "Possible", "70-89%" - "Probable," or "90-100%" - "Confirmed". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Indicator.Name | string | The name of the indicator. |
TC.Indicator.Type | string | The type of the indicator. |
TC.Indicator.ID | string | The ID of the indicator. |
TC.Indicator.Description | string | The description of the indicator. |
TC.Indicator.Owner | string | The owner of the indicator. |
TC.Indicator.CreateDate | date | The date on which the indicator was created. |
TC.Indicator.LastModified | date | The date on which the indicator was last modified. |
TC.Indicator.Rating | number | The threat rating of the indicator. |
TC.Indicator.Confidence | number | The confidence rating of the indicator. |
DBotScore.Indicator | string | The value assigned by DBot for the indicator. |
DBotScore.Type | string | The type assigned by DBot for the indicator. |
DBotScore.Score | number | The score assigned by DBot for the indicator. |
DBotScore.Vendor | string | The vendor used to calculate the score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
URL.Data | string | The data of the URL indicator. |
URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
URL.Malicious.Description | string | For malicious URLs, the full description. |
TC.Indicator.WebLink | string | The web link of the indicator. |
#
Command Example!url url=https://www.domain.com
#
Context Example#
Human Readable Outputhttps://www.domain.com#
ThreatConnect URL Reputation for:
Confidence Create Date ID Last Modified Name Owner Rating Type 50 2020-04-23T14:41:16Z 112618313 2020-04-27T10:03:38Z https://www.domain.com Demisto Inc. 3 URL https://www.domain.com#
ThreatConnect URL Reputation for:
Confidence Create Date ID Last Modified Name Owner Rating Type 50 2020-04-23T14:41:16Z 112618313 2020-04-27T10:03:38Z https://www.domain.com Demisto Inc. 3 URL
#
fileSearches for an indicator of type file.
#
Base Commandfile
#
InputArgument Name | Description | Required |
---|---|---|
file | The hash of the file. Can be "MD5", "SHA-1", or "SHA-256". | Required |
owners | A comma-separated list of a client's organizations, sources, or communities to which a user has permissions. For example, users with admin permissions can search for indicators belonging to all owners. | Optional |
ratingThreshold | A list of results filtered by indicators whose threat rating is greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - Moderate, "4" - High, or "5" - "Critical". | Optional |
confidenceThreshold | A list of results filtered by indicators whose confidence rating is greater than the specified value. Can be "0%" - "Unknown," "1% " - "Discredited", "2-29%" - "Improbable," "30-49%" - "Doubtful," "50-69%" - "Possible", "70-89%" - "Probable," or "90-100%" - "Confirmed". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Indicator.Name | string | The name of the indicator. |
TC.Indicator.Type | string | The type of the indicator. |
TC.Indicator.ID | string | The ID of the indicator. |
TC.Indicator.Description | string | The description of the indicator. |
TC.Indicator.Owner | string | The owner of the indicator. |
TC.Indicator.CreateDate | date | The date on which the indicator was created. |
TC.Indicator.LastModified | date | The last date on which the indicator was modified. |
TC.Indicator.Rating | number | The threat rating of the indicator. |
TC.Indicator.Confidence | number | The confidence rating of the indicator. |
TC.Indicator.File.MD5 | string | The MD5 hash of the indicator. |
TC.Indicator.File.SHA1 | string | The SHA1 hash of the indicator. |
TC.Indicator.File.SHA256 | string | The SHA256 hash of the indicator. |
DBotScore.Indicator | string | The value assigned by DBot for the indicator. |
DBotScore.Type | string | The type assigned by DBot for the indicator. |
DBotScore.Score | number | The score assigned by DBot for the indicator. |
DBotScore.Vendor | string | The vendor used to calculate the score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
File.MD5 | string | The MD5 hash of the indicator. |
File.SHA1 | string | The SHA1 hash of the indicator. |
File.SHA256 | string | The SHA256 hash of the indicator. |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
File.Malicious.Description | string | For malicious files, the full description. |
TC.Indicator.WebLink | string | The web link of the indicator. |
#
Command Example!file file=4a4a4e885f7189bbaa2fcc2f2403b128f79e951826c57c0e1ab50e085ae390e7
#
Context Example#
Human Readable Output#
ThreatConnect File Report for: 4a4a4e885f7189bbaa2fcc2f2403b128f79e951826c57c0e1ab50e085ae390e7
Confidence Create Date File ID Last Modified Owner Rating Type 0 2020-04-23T14:40:26Z SHA256: 4A4A4E885F7189BBAA2FCC2F2403B128F79E951826C57C0E1AB50E085AE390E7 112618312 2020-04-23T14:40:26Z Demisto Inc. 0 File
#
tc-ownersRetrieves all owners for the current account.
#
Base Commandtc-owners
#
InputThere are no input arguments for this command.
#
Context OutputPath | Type | Description |
---|---|---|
TC.Owner.Name | string | The name of the owner. |
TC.Owner.ID | string | The ID of the owner. |
TC.Owner.Type | string | The type of the owner. |
#
Command Example!tc-owners
#
Context Example#
Human Readable Output#
ThreatConnect Owners:
ID Name Type 737 Demisto Inc. Organization 646 Blocklist.de Strong IPs Source 716 BotScout Bot List Source
#
tc-indicatorsRetrieves a list of all indicators.
#
Base Commandtc-indicators
#
InputArgument Name | Description | Required |
---|---|---|
owner | A list of results filtered by the owner of the indicator. | Optional |
limit | The maximum number of results that can be returned. The default is 500. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Indicator.Name | string | The name of the indicator. |
TC.Indicator.Type | string | The type of the indicator. |
TC.Indicator.ID | string | The ID of the indicator. |
TC.Indicator.Description | string | The description of the indicator. |
TC.Indicator.Owner | string | The owner of the indicator. |
TC.Indicator.CreateDate | date | The date on which the indicator was created. |
TC.Indicator.LastModified | date | The last date on which the indicator was modified. |
TC.Indicator.Rating | number | The threat rating of the indicator. |
TC.Indicator.Confidence | number | The confidence rating of the indicator. |
TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
TC.Indicator.File.MD5 | string | The MD5 hash of the indicator of the file. |
TC.Indicator.File.SHA1 | string | The SHA1 hash of the indicator of the file. |
TC.Indicator.File.SHA256 | string | The SHA256 hash of the indicator of the file. |
DBotScore.Indicator | string | The value assigned by DBot for the indicator. |
DBotScore.Type | string | The type assigned by DBot for the indicator. |
DBotScore.Score | number | The score assigned by DBot for the indicator. |
DBotScore.Vendor | string | The vendor used to calculate the score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
IP.Address | string | The IP address of the indicator. |
IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
IP.Malicious.Description | string | For malicious IP addresses, the full description. |
URL.Data | string | The data of the URL of the indicator. |
URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
URL.Malicious.Description | string | For malicious URLs, the full description. |
Domain.Name | string | The name of the domain. |
Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
Domain.Malicious.Description | string | For malicious domains, the full description. |
File.MD5 | string | The MD5 hash of the file. |
File.SHA1 | string | The SHA1 hash of the file. |
File.SHA256 | string | The SHA256 hash of the file. |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
File.Malicious.Description | string | For malicious files, the full description. |
TC.Indicator.WebLink | string | The web link of the indicator. |
#
Command Example!tc-indicators limit=3 owner="Demisto Inc."
#
Context Example#
Human Readable Output#
ThreatConnect Indicators:
Confidence Create Date ID Last Modified Name Owner Rating Type 0 2020-05-10T09:45:19Z 112951652 2020-05-10T09:45:19Z 88.88.88.88 Demisto Inc. 0 Address 0 2020-04-23T14:42:21Z 112618314 2020-04-23T14:42:21Z domain.info Demisto Inc. 0 Host 50 2020-04-23T14:41:16Z 112618313 2020-04-27T10:03:38Z https://www.domain.com Demisto Inc. 3 URL
#
tc-get-tagsReturns a list of all ThreatConnect tags.
#
Base Commandtc-get-tags
#
InputThere are no input arguments for this command.
#
Context OutputPath | Type | Description |
---|---|---|
TC.Tags | Unknown | A list of tags. |
#
Command Example!tc-get-tags
#
Context Example#
Human Readable Output#
ThreatConnect Tags:
Name malicious file malicious ip malicious url
#
tc-tag-indicatorAdds a tag to an existing indicator.
#
Base Commandtc-tag-indicator
#
InputArgument Name | Description | Required |
---|---|---|
tag | The name of the tag. | Required |
indicator | The indicator to tag. For example, for an IP indicator, "8.8.8.8". | Required |
owner | A list of indicators filtered by the owner. | Optional |
#
Context OutputThere is no context output for this command.
#
Command Example!tc-tag-indicator indicator=99.99.99.99 tag="malicious ip"
#
Context Example#
Human Readable OutputIndicator 99.99.99.99 with ID 112951655, was tagged with: malicious ip
#
tc-get-indicatorRetrieves information about an indicator.
#
Base Commandtc-get-indicator
#
InputArgument Name | Description | Required |
---|---|---|
indicator | The name of the indicator by which to search. The command retrieves information from all owners. Can be an IP address, a URL, or a file hash. | Required |
indicator_type | Only for custom. Leave empty for standard ones | Optional |
owners | Indicator Owner(s) | Optional |
ratingThreshold | A list of results filtered by indicators whose threat rating is greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - Moderate, "4" - High, or "5" - "Critical". | Optional |
confidenceThreshold | A list of results filtered by indicators whose confidence rating is greater than the specified value. Can be "0%" - "Unknown," "1% " - "Discredited", "2-29%" - "Improbable," "30-49%" - "Doubtful," "50-69%" - "Possible", "70-89%" - "Probable," or "90-100%" - "Confirmed". | Optional |
group_associations | Retrieve Indicator Group Associations | Required |
indicator_associations | Retrieve Indicator Associations | Optional |
indicator_observations | Retrieve Indicator Observations | Optional |
indicator_tags | Retrieve Indicator Tags | Optional |
indicator_attributes | Retrieve Indicator Attributes | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Indicator.Name | string | The name of the indicator. |
TC.Indicator.Type | string | The type of the indicator. |
TC.Indicator.ID | string | The ID of the indicator. |
TC.Indicator.Description | string | The description of the indicator. |
TC.Indicator.Owner | string | The owner of the indicator. |
TC.Indicator.CreateDate | date | The date on which the indicator was created. |
TC.Indicator.LastModified | date | The last date on which the indicator was modified. |
TC.Indicator.Rating | number | The threat rating of the indicator. |
TC.Indicator.Confidence | number | The confidence rating of the indicator. |
TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
TC.Indicator.File.MD5 | string | The MD5 hash of the indicator of the file. |
TC.Indicator.File.SHA1 | string | The SHA1 hash of the indicator of the file. |
TC.Indicator.File.SHA256 | string | The SHA256 hash of the indicator of the file. |
TC.Indicator.IndicatorAttributes.dateAdded | date | The date on which the indicator attribute was originally added. |
TC.Indicator.IndicatorAttributes.displayed | boolean | A boolean flag to show on ThreatConnect. |
TC.Indicator.IndicatorAttributes.id | number | The ID of the attribute. |
TC.Indicator.IndicatorAttributes.lastModified | date | The date on which the indicator attribute was last modified. |
TC.Indicator.IndicatorAttributes.type | string | The name of the attribute. |
TC.Indicator.IndicatorAttributes.value | string | The contents of the attribute. |
DBotScore.Indicator | string | The value assigned by DBot for the indicator. |
DBotScore.Type | string | The type assigned by DBot for the indicator. |
DBotScore.Score | number | The score assigned by DBot for the indicator. |
DBotScore.Vendor | string | The vendor used to calculate the score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
IP.Address | string | The IP address of the indicator. |
IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
IP.Malicious.Description | string | For malicious IP addresses, the full description. |
URL.Data | string | The data of the indicator of the URL. |
URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
URL.Malicious.Description | string | For malicious URLs, the full description. |
Domain.Name | string | The domain name of the indicator. |
Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
Domain.Malicious.Description | string | For malicious domains, the full description. |
File.MD5 | string | The MD5 hash of the file. |
File.SHA1 | string | The SHA1 hash of the file. |
File.SHA256 | string | The SHA256 hash of the file. |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
File.Malicious.Description | string | For malicious files, the full description. |
TC.Indicator.WebLink | string | The web link of the indicator. |
#
Command Example!tc-get-indicator indicator=99.99.99.99 group_associations=false
#
Context Example#
Human Readable Output#
ThreatConnect indicator for: 99.99.99.99
Confidence Create Date ID Last Modified Name Owner Rating Type 70 2020-05-10T09:57:18Z 112951655 2020-05-10T09:57:27Z 99.99.99.99 Demisto Inc. 1 Address
#
tc-get-indicators-by-tagFetches all indicators that have a tag.
#
Base Commandtc-get-indicators-by-tag
#
InputArgument Name | Description | Required |
---|---|---|
tag | The name of the tag by which to filter. | Required |
owner | A list of indicators filtered by the owner. | Optional |
limit | The limit of the indicators that will be available in the raw response. Default value is 100. NOTICE: In the context you will be able to see up to 100 indicators. Default is 100. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Indicator.Name | string | The name of the tagged indicator. |
TC.Indicator.Type | string | The type of the tagged indicator. |
TC.Indicator.ID | string | The ID of the tagged indicator. |
TC.Indicator.Description | string | The description of the tagged indicator. |
TC.Indicator.Owner | string | The owner of the tagged indicator. |
TC.Indicator.CreateDate | date | The date on which the tagged indicator was created. |
TC.Indicator.LastModified | date | The last date on which the tagged indicator was modified. |
TC.Indicator.Rating | number | The threat rating of the tagged indicator. |
TC.Indicator.Confidence | number | The confidence rating of the tagged indicator. |
TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
TC.Indicator.File.MD5 | string | The MD5 hash of the indicator of the file. |
TC.Indicator.File.SHA1 | string | The SHA1 hash of the indicator of the file. |
TC.Indicator.File.SHA256 | string | The SHA256 hash of the indicator of the file. |
DBotScore.Indicator | string | The value assigned by DBot for the tagged indicator. |
DBotScore.Type | string | The type assigned by DBot for the tagged indicator. |
DBotScore.Score | number | The score assigned by DBot for the tagged indicator. |
DBotScore.Vendor | string | The vendor used to calculate the score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
IP.Address | string | The IP address of the tagged indicator. |
IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
IP.Malicious.Description | string | For malicious IP addresses, the full description. |
URL.Data | string | The data of the URL of the tagged indicator. |
URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
URL.Malicious.Description | string | For malicious URLs, the full description. |
Domain.Name | string | The domain name of the tagged indicator. |
Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
Domain.Malicious.Description | string | For malicious domains, the full description. |
File.MD5 | string | The MD5 hash of the file. |
File.SHA1 | string | The SHA1 hash of the file. |
File.SHA256 | string | The SHA256 hash of the file. |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
File.Malicious.Description | string | For malicious files, the full description. |
TC.Indicator.WebLink | string | The web link of the indicator. |
#
Command Example!tc-get-indicators-by-tag tag="malicious ip"
#
Context Example#
Human Readable Output#
ThreatConnect Indicators with tag: malicious ip
Confidence Create Date ID Last Modified Name Owner Rating Type 70 2020-05-10T09:57:18Z 112951655 2020-05-10T09:57:18Z 99.99.99.99 Demisto Inc. 2 Address 0 2018-10-18T11:12:20Z 59227820 2018-10-18T11:12:36Z 82.28.82.28 Demisto Inc. 0 Address 20 2018-10-22T19:03:29Z 59253542 2018-12-19T15:55:57Z 111.222.111.222 Demisto Inc. 1 Address
#
tc-add-indicatorAdds a new indicator to ThreatConnect.
#
Base Commandtc-add-indicator
#
InputArgument Name | Description | Required |
---|---|---|
indicator | The indicator to add. | Required |
rating | The threat rating of the indicator. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - Moderate, "4" - High, or "5" - "Critical". | Optional |
confidence | The confidence rating of the indicator. Can be "0%" - "Unknown," "1% " - "Discredited", "2-29%" - "Improbable," "30-49%" - "Doubtful," "50-69%" - "Possible", "70-89%" - "Probable," or "90-100%" - "Confirmed". | Optional |
owner | The owner of the new indicator. The default is the "defaultOrg" parameter. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Indicator.Name | string | The name the indicator. |
TC.Indicator.Type | string | The type of indicator. |
TC.Indicator.ID | string | The ID of the indicator. |
TC.Indicator.Description | string | The description of the indicator. |
TC.Indicator.Owner | string | The owner of the indicator. |
TC.Indicator.CreateDate | date | The date on which the added indicator was created. |
TC.Indicator.LastModified | date | The last date on which the added indicator was modified. |
TC.Indicator.Rating | number | The threat rating of the indicator. |
TC.Indicator.Confidence | number | The confidence rating of the indicator. |
TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
TC.Indicator.File.MD5 | string | The MD5 hash of the indicator of the file. |
TC.Indicator.File.SHA1 | string | The SHA1 hash of the indicator of the file. |
TC.Indicator.File.SHA256 | string | The SHA256 hash of the indicator of the file. |
IP.Address | string | The IP address of the indicator. |
IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
IP.Malicious.Description | string | For malicious IP addresses, the full description. |
URL.Data | string | The data of the URL of the indicator. |
URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
URL.Malicious.Description | string | For malicious URLs, the full description. |
Domain.Name | string | The name of the added indicator of the domain. |
Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
Domain.Malicious.Description | string | For malicious domains, the full description. |
File.MD5 | string | The MD5 hash of the file. |
File.SHA1 | string | The SHA1 hash of the file. |
File.SHA256 | string | The SHA256 hash of the file. |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
File.Malicious.Description | string | For malicious files, the full description. |
TC.Indicator.WebLink | string | The web link of the indicator. |
#
Command Example!tc-add-indicator indicator=99.99.99.99 confidence=70 rating=2
#
Context Example#
Human Readable Output#
Created new indicator successfully:
Confidence Create Date ID Last Modified Name Owner Rating Type 70 2020-05-10T09:57:18Z 112951655 2020-05-10T09:57:18Z 99.99.99.99 Demisto Inc. 2 Address
#
tc-create-incidentCreates a new incident group.
#
Base Commandtc-create-incident
#
InputArgument Name | Description | Required |
---|---|---|
owner | The owner of the new incident. The default is the "defaultOrg" parameter. | Optional |
incidentName | The name of the incident group. | Required |
eventDate | The creation time of an incident in the "2017-03-21T00:00:00Z" format. | Optional |
tag | The tag applied to the incident. | Optional |
securityLabel | The security label applied to the incident. Can be "TLP:RED", "TLP:GREEN", "TLP:AMBER", or "TLP:WHITE". | Optional |
description | The description of the incident. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Incident.Name | string | The name of the new incident group. |
TC.Incident.Owner | string | The owner of the new incident. |
TC.Incident.EventDate | date | The date on which the event that indicates an incident occurred. |
TC.Incident.Tag | string | The name of the tag of the new incident. |
TC.Incident.SecurityLabel | string | The security label of the new incident. |
TC.Incident.ID | Unknown | The ID of the new incident. |
#
Command Example!tc-create-incident incidentName=test_incident
#
Context Example#
Human Readable OutputIncident test_incident Created Successfully
#
tc-fetch-incidentsFetches incidents from ThreatConnect.
#
Base Commandtc-fetch-incidents
#
InputArgument Name | Description | Required |
---|---|---|
incidentId | The fetched incidents filtered by ID. | Optional |
owner | The fetched incidents filtered by owner. | Optional |
incidentName | The fetched incidents filtered by incident name. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Incident | string | The name of the group of fetched incidents. |
TC.Incident.ID | string | The ID of the fetched incidents. |
TC.Incident.Owner | string | The owner of the fetched incidents. |
#
Command Example!tc-fetch-incidents incidentId=5101576
#
Context Example#
Human Readable Output#
Incidents:
Date Added Event Date Id Name Owner Name Type Weblink 2020-04-21T06:54:46Z 2020-04-21T00:00:00Z 5101576 try Demisto Inc. https://sandbox.threatconnect.com/auth/incident/incident.xhtml?incident=5101576
#
tc-incident-associate-indicatorAssociates an indicator with an existing incident. The indicator must exist before running this command. To add an indicator, run the tc-add-indicator command.
#
Base Commandtc-incident-associate-indicator
#
InputArgument Name | Description | Required |
---|---|---|
indicatorType | The type of the indicator. Can be "ADDRESSES", "EMAIL_ADDRESSES", "URLS", "HOSTS", "FILES", or "CUSTOM_INDICATORS". | Required |
incidentId | The ID of the incident to which the indicator is associated. | Required |
indicator | The name of the indicator. | Required |
owner | A list of indicators filtered by the owner. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Indicator.Name | string | The name of the indicator. |
TC.Indicator.Type | string | The type of the indicator. |
TC.Indicator.ID | string | The ID of the indicator. |
TC.Indicator.Description | string | The description of the indicator. |
TC.Indicator.Owner | string | The owner of the indicator. |
TC.Indicator.CreateDate | date | The date on which the indicator associated was created. |
TC.Indicator.LastModified | date | The last date on which the indicator associated was modified. |
TC.Indicator.Rating | number | The threat rating of the indicator. |
TC.Indicator.Confidence | number | The confidence rating of the indicator. |
TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
TC.Indicator.File.MD5 | string | The MD5 hash of the indicator of the file. |
TC.Indicator.File.SHA1 | string | The SHA1 hash of the indicator of the file. |
TC.Indicator.File.SHA256 | string | The SHA256 hash of the indicator of the file. |
IP.Address | string | IP address of the associated indicator of the file. |
IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
IP.Malicious.Description | string | For malicious IP addresses, the full description. |
URL.Data | string | The data of the URL of the associated indicator of the file. |
URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
URL.Malicious.Description | string | For malicious URLs, the full description. |
Domain.Name | string | The name of the indicator of the domain. |
Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
Domain.Malicious.Description | string | For malicious domains, the full description. |
File.MD5 | string | The MD5 hash of the file. |
File.SHA1 | string | The SHA1 hash of the file. |
File.SHA256 | string | The SHA256 hash of the file. |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
File.Malicious.Description | string | For malicious files, the full description. |
TC.Indicator.WebLink | string | The web link of the indicator. |
#
Command Example!tc-incident-associate-indicator indicator=99.99.99.99 indicatorType=ADDRESSES incidentId=5101577
#
Context Example#
Human Readable OutputIncident for_try with ID 5101577, was tagged with: 99.99.99.99
#
domainSearches for an indicator of type domain.
#
Base Commanddomain
#
InputArgument Name | Description | Required |
---|---|---|
domain | The name of the domain. | Required |
owners | A comma-separated list of a client's organizations, sources, or communities to which a user has permissions. For example, users with admin permissions can search for indicators belonging to all owners. | Optional |
ratingThreshold | A list of results filtered by indicators whose threat rating is greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - Moderate, "4" - High, or "5" - "Critical". | Optional |
confidenceThreshold | A list of results filtered by indicators whose confidence rating is greater than the specified value. Can be "0%" - "Unknown," "1% " - "Discredited", "2-29%" - "Improbable," "30-49%" - "Doubtful," "50-69%" - "Possible", "70-89%" - "Probable," or "90-100%" - "Confirmed". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Indicator.Name | string | The name of the of the indicator. |
TC.Indicator.Type | string | The type of the domain. |
TC.Indicator.ID | string | The ID of the domain. |
TC.Indicator.Description | string | The description of the domain. |
TC.Indicator.Owner | string | The owner of the domain. |
TC.Indicator.CreateDate | date | The date on which the indicator of the domain was created. |
TC.Indicator.LastModified | date | The last date on which the indicator of the domain was modified. |
TC.Indicator.Rating | number | The threat rating of the domain. |
TC.Indicator.Confidence | number | The confidence rating of the domain. |
TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
DBotScore.Indicator | string | The value assigned by DBot for the indicator. |
DBotScore.Type | string | The type assigned by DBot for the indicator. |
DBotScore.Score | number | The score assigned by DBot for the indicator. |
DBotScore.Vendor | string | The vendor used to calculate the score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
Domain.Name | string | The name of the domain. |
Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
Domain.Malicious.Description | string | For malicious domains, the full description. |
TC.Indicator.WebLink | string | The web link of the indicator. |
#
Command Example!domain domain=domain.info
#
Context Example#
Human Readable Output#
ThreatConnect Domain Reputation for: domain.info
Active Confidence Create Date ID Last Modified Name Owner Rating Type false 0 2020-04-23T14:42:21Z 112618314 2020-04-23T14:42:21Z domain.info Demisto Inc. 0 Host
#
tc-get-incident-associate-indicatorsReturns indicators that are related to a specific incident.
#
Base Commandtc-get-incident-associate-indicators
#
InputArgument Name | Description | Required |
---|---|---|
incidentId | The ID of the incident. | Required |
owner | A list of indicators filtered by the owner. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Indicator.Name | string | The name of the returned indicator. |
TC.Indicator.Type | string | The type of the returned indicator. |
TC.Indicator.ID | string | The ID of the returned indicator. |
TC.Indicator.Description | string | The description of the returned indicator. |
TC.Indicator.Owner | string | The owner of the returned indicator. |
TC.Indicator.CreateDate | date | The date on which the returned indicator was created. |
TC.Indicator.LastModified | date | The last date on which the returned indicator was modified. |
TC.Indicator.Rating | number | The threat rating of the returned indicator. |
TC.Indicator.Confidence | number | The confidence rating of the returned indicator. |
TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
TC.Indicator.File.MD5 | string | The MD5 hash of the indicator of the file. |
TC.Indicator.File.SHA1 | string | The SHA1 hash of the indicator of the file. |
TC.Indicator.File.SHA256 | string | The SHA256 hash of the indicator of the file. |
DBotScore.Indicator | string | The value assigned by DBot for the indicator. |
DBotScore.Type | string | The type assigned by DBot for the indicator. |
DBotScore.Score | number | The score assigned by DBot for the indicator. |
DBotScore.Vendor | string | The vendor used to calculate the score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
IP.Address | string | The IP address of the returned indicator. |
IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
IP.Malicious.Description | string | For malicious IP addresses, the full description. |
URL.Data | string | The data of the URL of the returned indicator. |
URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
URL.Malicious.Description | string | For malicious URLs, the full description. |
Domain.Name | string | The name of the domain. |
Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
Domain.Malicious.Description | string | For malicious domains, the full description. |
File.MD5 | string | The MD5 hash of the file. |
File.SHA1 | string | The SHA1 hash of the file. |
File.SHA256 | string | The SHA256 hash of the file. |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
File.Malicious.Description | string | For malicious files, the full description. |
#
Command Example!tc-get-incident-associate-indicators incidentId=5101576 owner="Demisto Inc."
#
Context Example#
Human Readable Output#
Incident Associated Indicators:
Confidence Create Date ID Last Modified Name Owner Rating Type 0 2020-04-27T04:57:20Z 112677927 2020-04-27T04:57:20Z 88.88.88.88 Demisto Inc. 0 Address
#
tc-update-indicatorUpdates the indicator in ThreatConnect.
#
Base Commandtc-update-indicator
#
InputArgument Name | Description | Required |
---|---|---|
indicator | The name of the updated indicator. | Required |
rating | The threat rating of the updated indicator. | Optional |
confidence | The confidence rating of the updated indicator. | Optional |
size | The size of the file of the updated indicator. | Optional |
dnsActive | The active DNS indicator (only for hosts). | Optional |
whoisActive | The active indicator (only for hosts). | Optional |
updatedValues | A comma-separated list of field:value pairs to update. For example, "rating=3", "confidence=42", and "description=helloWorld". | Optional |
falsePositive | The updated indicator set as a false positive. Can be "True" or "False". | Optional |
observations | The number observations on the updated indicator. | Optional |
securityLabel | The security label applied to the incident. Can be "TLP:RED", "TLP:GREEN", "TLP:AMBER", or "TLP:WHITE". | Optional |
threatAssessConfidence | Assesses the confidence rating of the indicator. | Optional |
threatAssessRating | Assesses the threat rating of the indicator. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Indicator.Name | string | The name of the indicator. |
TC.Indicator.Type | string | The type of the indicator. |
TC.Indicator.ID | string | The ID of the indicator. |
TC.Indicator.Description | string | The description of the indicator. |
TC.Indicator.Owner | string | The owner of the indicator. |
TC.Indicator.CreateDate | date | The date on which the indicator was created. |
TC.Indicator.LastModified | date | The last date on which the indicator was modified. |
TC.Indicator.Rating | number | The threat rating of the indicator. |
TC.Indicator.Confidence | number | The confidence rating of the indicator. |
TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
TC.Indicator.File.MD5 | string | The MD5 hash of the indicator of the file. |
TC.Indicator.File.SHA1 | string | The SHA1 hash of the indicator of the file. |
TC.Indicator.File.SHA256 | string | The SHA256 hash of the indicator of the file. |
IP.Address | string | The IP address of the indicator. |
IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
IP.Malicious.Description | string | For malicious IP addresses, the full description. |
URL.Data | string | The data of the URL of the indicator. |
URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
URL.Malicious.Description | string | For malicious URLs, the full description. |
Domain.Name | string | The domain name of the indicator. |
Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
Domain.Malicious.Description | string | For malicious domains, the full description. |
File.MD5 | string | The MD5 hash of the file. |
File.SHA1 | string | The SHA1 hash of the file. |
File.SHA256 | string | The SHA256 hash of the file. |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
File.Malicious.Description | string | For malicious files, the full description. |
TC.Indicator.WebLink | string | The web link of the indicator. |
#
Command Example!tc-update-indicator indicator=99.99.99.99 rating=1
#
Context Example#
Human Readable OutputIndicator 112951655 Updated Successfully
#
tc-delete-indicator-tagRemoves a tag from a specified indicator.
#
Base Commandtc-delete-indicator-tag
#
InputArgument Name | Description | Required |
---|---|---|
indicator | The name of the indicator from which to remove a tag. | Required |
tag | The name of the tag to remove from the indicator. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Indicator.Name | string | The name of the indicator. |
TC.Indicator.Type | string | The type of the indicator. |
TC.Indicator.ID | string | The ID of the indicator. |
TC.Indicator.Description | string | The description of the indicator. |
TC.Indicator.Owner | string | The owner of the indicator. |
TC.Indicator.CreateDate | date | The date on which the indicator was created. |
TC.Indicator.LastModified | date | The last date on which the indicator was modified. |
TC.Indicator.Rating | number | The threat rating of the indicator. |
TC.Indicator.Confidence | number | The confidence rating of the indicator. |
TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
TC.Indicator.File.MD5 | string | The MD5 hash of the indicator of the file. |
TC.Indicator.File.SHA1 | string | The SHA1 hash of the indicator of the file. |
TC.Indicator.File.SHA256 | string | The SHA256 hash of the indicator of the file. |
IP.Address | string | The IP address of the indicator. |
IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
IP.Malicious.Description | string | For malicious IP addresses, the full description. |
URL.Data | string | The data of the URL of the indicator. |
URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
URL.Malicious.Description | string | For malicious URLs, the full description. |
Domain.Name | string | The domain name of the indicator. |
Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
Domain.Malicious.Description | string | For malicious domains, the full description. |
File.MD5 | string | The MD5 hash of the file. |
File.SHA1 | string | The SHA1 hash of the file. |
File.SHA256 | string | The SHA256 hash of the file. |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
File.Malicious.Description | string | For malicious files, the full description. |
TC.Indicator.WebLink | string | The web link of the indicator. |
#
Command Example!tc-delete-indicator-tag indicator=99.99.99.99 tag="malicious ip"
#
Context Example#
Human Readable OutputRemoved tag malicious ip from indicator 99.99.99.99.
#
tc-delete-indicatorDeletes an indicator from ThreatConnect.
#
Base Commandtc-delete-indicator
#
InputArgument Name | Description | Required |
---|---|---|
indicator | The name of the indicator to delete. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!tc-delete-indicator indicator=99.99.99.99
#
Context Example#
Human Readable OutputIndicator 99.99.99.99 removed Successfully
#
tc-create-campaignCreates a group based on the "Campaign" type.
#
Base Commandtc-create-campaign
#
InputArgument Name | Description | Required |
---|---|---|
name | The name of the campaign group. | Required |
firstSeen | The earliest date on which the campaign was seen. | Optional |
owner | The owner of the new incident. The default is the "defaultOrg" parameter. | Optional |
description | The description of the campaign. | Optional |
tag | The name of the tag to apply to the campaign. | Optional |
securityLabel | The security label of the campaign. For example, "TLP:Green". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Campaign.Name | string | The name of the campaign. |
TC.Campaign.Owner | string | The owner of the campaign. |
TC.Campaign.FirstSeen | date | The earliest date on which the campaign was seen. |
TC.Campaign.Tag | string | The tag of the campaign. |
TC.Campaign.SecurityLevel | string | The security label of the campaign. |
TC.Campaign.ID | string | The ID of the campaign. |
#
Command Example!tc-create-campaign name=test_campaign description="test campaign"
#
Context Example#
Human Readable OutputCampaign test_campaign Created Successfully
#
tc-create-eventCreates a group based on the "Event" type.
#
Base Commandtc-create-event
#
InputArgument Name | Description | Required |
---|---|---|
name | The name of the event group. | Required |
eventDate | The date on which the event occurred. If the date is not specified, the current date is used. | Optional |
status | The status of the event. Can be "Needs Review", "False Positive", "No Further Action", or "Escalated". | Optional |
owner | The owner of the event. | Optional |
description | The description of the event. | Optional |
tag | The tag of the event. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Event.Name | string | The name of the event. |
TC.Event.Date | date | The date of the event. |
TC.Event.Status | string | The status of the event. |
TC.Event.Owner | string | The owner of the event. |
TC.Event.Tag | string | The tag of the event. |
TC.Event.ID | string | The ID of the event. |
#
Command Example!tc-create-event name=test_event
#
Context Example#
Human Readable OutputIncident test_event Created Successfully
#
tc-create-threatCreates a group based on the "Threats" type.
#
Base Commandtc-create-threat
#
InputArgument Name | Description | Required |
---|---|---|
name | The name of the threat group. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Threat.Name | string | The name of the threat. |
TC.Threat.ID | string | The ID of the threat. |
#
Command Example!tc-create-threat name=test_threat
#
Context Example#
Human Readable OutputThreat test_threat Created Successfully
#
tc-delete-groupDeletes a group.
#
Base Commandtc-delete-group
#
InputArgument Name | Description | Required |
---|---|---|
groupID | The ID of the group to delete. | Required |
type | The type of the group to delete. Can be "Incidents", "Events", "Campaigns", or "Threats". | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!tc-delete-group groupID=5101578 type=Campaigns
#
Human Readable Outputcampaigns 5101578 deleted Successfully
#
tc-add-group-attributeAdds an attribute to a specified group.
#
Base Commandtc-add-group-attribute
#
InputArgument Name | Description | Required |
---|---|---|
group_id | The ID of the group to which to add attributes. To get the ID of the group, run the tc-get-groups command. | Required |
attribute_type | The type of attribute to add to the group. The type is located in the UI in a specific group or under Org Config. | Required |
attribute_value | The value of the attribute. | Required |
group_type | The type of the group. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Group.DateAdded | Date | The date on which the attribute was added. |
TC.Group.LastModified | Date | The date on which the added attribute was last modified. |
TC.Group.Type | String | The type of the group to which the attribute was added. |
TC.Group.Value | String | The value of the attribute added to the group. |
TC.Group.ID | Number | The group ID to which the attribute was added. |
#
Command Example!tc-add-group-attribute group_id=5101576 group_type=incidents attribute_type=description attribute_value="test add group attribute"
#
Context Example#
Human Readable Output#
The attribute was added successfully to group 5101576
Type Value ID DateAdded LastModified Description test add group attribute 23379726 2020-05-10T09:57:00Z 2020-05-10T09:57:00Z
#
tc-get-eventsReturns a list of events.
#
Base Commandtc-get-events
#
InputThere are no input arguments for this command.
#
Context OutputPath | Type | Description |
---|---|---|
TC.Event.DateAdded | Date | The date on which the event was added. |
TC.Event.EventDate | Date | The date on which the event occurred. |
TC.Event.ID | Number | The ID of the event. |
TC.Event.OwnerName | String | The name of the owner of the event. |
TC.Event.Status | String | The status of the event. |
#
Command Example!tc-get-events
#
Context Example#
Human Readable Output#
ThreatConnect Events
ID Name OwnerName EventDate DateAdded Status 5156602 test_event Demisto Inc. 2020-05-10T09:56:50Z 2020-05-10T09:56:51Z Needs Review 5156545 MyTest Demisto Inc. 2020-05-10T05:07:51Z 2020-05-10T05:07:52Z Needs Review
#
tc-get-groupsReturns all groups, filtered by the group type.
#
Base Commandtc-get-groups
#
InputArgument Name | Description | Required |
---|---|---|
group_type | The type of the group. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Group.DateAdded | Date | The date on which the group was added. |
TC.Group.EventDate | Date | The date on which the event occurred. |
TC.Group.Name | String | The name of the group. |
TC.Group.OwnerName | String | The name of the owner of the group. |
TC.Group.Status | String | The status of the group. |
TC.Group.ID | Number | The ID of the group. |
#
Command Example!tc-get-groups group_type=incidents
#
Context Example#
Human Readable Output#
ThreatConnect incidents
ID Name OwnerName EventDate DateAdded 5156603 test_incident Demisto Inc. 2020-05-10T00:00:00Z 2020-05-10T09:56:52Z 5156599 test_incident Demisto Inc. 2020-05-10T00:00:00Z 2020-05-10T09:54:44Z 5156595 test_incident Demisto Inc. 2020-05-10T00:00:00Z 2020-05-10T09:47:58Z
#
tc-add-group-security-labelAdds a security label to a group.
#
Base Commandtc-add-group-security-label
#
InputArgument Name | Description | Required |
---|---|---|
group_id | The ID of the group to which to add the security label. To get the ID, run the tc-get-groups command. | Required |
group_type | The type of the group to which to add the security label. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
security_label_name | The name of the security label to add to the group. For example, "TLP:GREEN". | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!tc-add-group-security-label group_id=5101576 group_type=incidents security_label_name=TLP:GREEN
#
Context Example#
Human Readable OutputThe security label TLP:GREEN was added successfully to incidents 5101576
#
tc-add-group-tagAdds tags to a specified group.
#
Base Commandtc-add-group-tag
#
InputArgument Name | Description | Required |
---|---|---|
group_id | The ID of the group to which to add the tag. To get the ID, run the tc-get-groups command. | Required |
group_type | The type of the group to which to add the tag. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
tag_name | The name of the tag to add to the group. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!tc-add-group-tag group_id=5101576 group_type=incidents tag_name="malicious ip"
#
Context Example#
Human Readable OutputThe tag malicious ip was added successfully to group incidents 5101576
#
tc-get-indicator-typesReturns all indicator types available.
#
Base Commandtc-get-indicator-types
#
InputThere are no input arguments for this command.
#
Context OutputPath | Type | Description |
---|---|---|
TC.IndicatorType.ApiBranch | String | The branch of the API. |
TC.IndicatorType.ApiEntity | String | The entity of the API. |
TC.IndicatorType.CasePreference | String | The case preference of the indicator. For example, "sensitive", "upper", or "lower". |
TC.IndicatorType.Custom | Boolean | Whether the indicator is a custom indicator. |
TC.IndicatorType.Parsable | Boolean | Whether the indicator can be parsed. |
TC.IndicatorType.Value1Type | String | The name of the indicator. |
TC.IndicatorType.Value1Label | String | The value label of the indicator. |
#
Command Example!tc-get-indicator-types
#
Context Example#
Human Readable Output#
ThreatConnect indicator types
Name Custom Parsable ApiBranch CasePreference Value1Type Address false true addresses File false true files text Host false true hosts URL false true urls
#
tc-group-associate-indicatorAssociates an indicator with a group.
#
Base Commandtc-group-associate-indicator
#
InputArgument Name | Description | Required |
---|---|---|
indicator_type | The type of the indicator. To get the available types, run the tc-get-indicator-types command. The indicator must be spelled as displayed in the ApiBranch column of the UI. | Required |
indicator | The name of the indicator. For example, "indicator_type=emailAddresses" where "indicator=a@a.co.il". | Required |
group_type | The type of the group. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
group_id | The ID of the group. To get the ID of the group, run the tc-get-groups command. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Group.GroupID | Number | The ID of the group. |
TC.Group.GroupType | String | The type of the group. |
TC.Group.Indicator | String | The name of the indicator. |
TC.Group.IndicatorType | String | The type of the indicator. |
#
Command Exampletc-group-associate-indicator indicator_type=addresses group_id=5101576 group_type=incidents indicator=99.99.99.99
#
Human Readable Output#
tc-create-document-groupCreates a document group.
#
Base Commandtc-create-document-group
#
InputArgument Name | Description | Required |
---|---|---|
file_name | The name of the file to display in the UI. | Required |
name | The name of the file. | Required |
malware | Whether the file is malware. If "true", ThreatConnect creates a password-protected ZIP file on your local machine that contains the sample and uploads the ZIP file. | Optional |
password | The password of the ZIP file. | Optional |
security_label | The security label of the group. | Optional |
description | A description of the group. | Optional |
entry_id | The file of the ID of the entry, as displayed in the War Room. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Group.Name | String | The name of the group. |
TC.Group.Owner | String | The owner of the group. |
TC.Group.EventDate | Date | The date on which the group was created. |
TC.Group.Description | String | The description of the group. |
TC.Group.SecurityLabel | String | The security label of the group. |
TC.Group.ID | Number | The ID of the group to which the attribute was added. |
#
Command Example!tc-create-document-group entry_id=11@11 file_name=test.txt name=test_document
#
Human Readable Output#
tc-get-groupRetrieves a single group.
#
Base Commandtc-get-group
#
InputArgument Name | Description | Required |
---|---|---|
group_type | The type of group for which to return the ID. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
group_id | The ID of the group to retrieve. To get the ID, run the tc-get-groups command. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Group.DateAdded | Date | The date on which the group was added. |
TC.Group.EventDate | Date | The date on which the event occurred. |
TC.Group.Name | String | The name of the group. |
TC.Group.Owner.ID | Number | The ID of the group owner. |
TC.Group.Owner.Name | String | The name of the group owner. |
TC.Group.Owner.Type | String | The type of the owner. |
TC.Group.Status | String | The status of the group. |
#
Command Example!tc-get-group group_id=5101576 group_type=incidents
#
Context Example#
Human Readable Output#
ThreatConnect Group information
DateAdded EventDate ID Name Owner 2020-04-21T06:54:46Z 2020-04-21T00:00:00Z 5101576 try Name: Demisto Inc.
ID: 737
Type: Organization
#
tc-get-group-attributesRetrieves the attribute of a group.
#
Base Commandtc-get-group-attributes
#
InputArgument Name | Description | Required |
---|---|---|
group_type | The type of group for which to return the attribute. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
group_id | The ID of the group for which to return the attribute. To get the ID, run the tc-get-groups command. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Group.Attribute.DateAdded | Date | The date on which the group was added. |
TC.Group.Attribute.Displayed | Boolean | Whether the attribute is displayed on the UI. |
TC.Group.Attribute.AttributeID | Number | The ID of the attribute. |
TC.Group.Attribute.LastModified | Date | The date on which the attribute was last modified. |
TC.Group.Attribute.Type | String | The type of the attribute. |
TC.Group.Attribute.Value | String | The value of the attribute. |
#
Command Example!tc-get-group-attributes group_id=5101576 group_type=incidents
#
Context Example#
Human Readable Output#
ThreatConnect Group Attributes
AttributeID Type Value DateAdded LastModified Displayed 23379726 Description test add group attribute 2020-05-10T09:57:00Z 2020-05-10T09:57:00Z true 23379725 Description test add group attribute 2020-05-10T09:54:51Z 2020-05-10T09:54:51Z false
#
tc-get-group-security-labelsRetrieves the security labels of a group.
#
Base Commandtc-get-group-security-labels
#
InputArgument Name | Description | Required |
---|---|---|
group_type | The type of group for which to return the security labels. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
group_id | The ID of the group for which to return the security labels. To get the ID, run the tc-get-groups command. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Group.SecurityLabel.Name | String | The name of the security label. |
TC.Group.SecurityLabel.Description | String | The description of the security label. |
TC.Group.SecurityLabel.DateAdded | Date | The date on which the security label was added. |
#
Command Example!tc-get-group-security-labels group_id=5101576 group_type=incidents
#
Context Example#
Human Readable Output#
ThreatConnect Group Security Labels
Name Description DateAdded TLP:GREEN This security label is used for information that is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. 2016-08-31T00:00:00Z
#
tc-get-group-tagsRetrieves the tags of a group.
#
Base Commandtc-get-group-tags
#
InputArgument Name | Description | Required |
---|---|---|
group_type | The type of group for which to return the tags. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
group_id | The ID of the group for which to return the tags. To get the ID, run the tc-get-groups command. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Group.Tag.Name | String | The name of the tag. |
#
Command Example!tc-get-group-tags group_id=5101576 group_type=incidents
#
Context Example#
Human Readable Output#
ThreatConnect Group Tags
Name malicious ip
#
tc-download-documentDownloads the contents of a document.
#
Base Commandtc-download-document
#
InputArgument Name | Description | Required |
---|---|---|
document_id | The ID of the document. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
File.Size | Number | The size of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA256 | String | The SHA256 hash of the file. |
File.Name | String | The name of the file. |
File.SSDeep | String | The ssdeep hash of the file (same as displayed in file entries). |
File.EntryID | String | The entry ID of the file. |
File.Info | String | The information of the file. |
File.Type | String | The type of the file. |
File.MD5 | String | The MD5 hash of the file. |
File.Extension | String | The extension of the file. |
#
Command Example!tc-download-document document_id=12345
#
Human Readable Output#
tc-get-group-indicatorsReturns indicators associated with a group.
#
Base Commandtc-get-group-indicators
#
InputArgument Name | Description | Required |
---|---|---|
group_type | The type of the group for which to return the indicators. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
group_id | The ID of the group for which to return the indicators. To get the ID, run the tc-get-groups command. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Group.Indicator.Summary | String | The summary of the indicator. |
TC.Group.Indicator.ThreatAssessConfidence | String | The confidence rating of the indicator. |
TC.Group.Indicator.IndicatorID | Number | The ID of the indicator. |
TC.Group.Indicator.DateAdded | Date | The date on which the indicator was added. |
TC.Group.Indicator.Type | String | The type of the indicator. |
TC.Group.Indicator.Rating | Number | The threat rating of the indicator. |
TC.Group.Indicator.ThreatAssertRating | Number | The rating of the threat assert. |
TC.Group.Indicator.OwnerName | String | The name of the owner of the indicator. |
TC.Group.Indicator.LastModified | Date | The date that the indicator was last modified. |
#
Command Example!tc-get-group-indicators group_type="incidents" group_id="5110299"
#
Context Example#
Human Readable Output#
ThreatConnect Group Indicators
Confidence DateAdded GroupID IndicatorID LastModified OwnerName Rating Summary ThreatAssertRating ThreatAssessConfidence Type 0 2020-04-27T04:57:20Z 5110299 112677927 2020-04-27T04:57:20Z Demisto Inc. 0.0 88.88.88.88 3.0 53.0 Address
#
tc-get-associated-groupsReturns indicators associated with a specified group.
#
Base Commandtc-get-associated-groups
#
InputArgument Name | Description | Required |
---|---|---|
group_type | The type of group. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
group_id | The ID of the group. To get the ID, run the tc-get-groups command. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Group.AssociatedGroup.DateAdded | Date | The date on which group was added. |
TC.Group.AssociatedGroup.GroupID | Number | The ID of the group. |
TC.Group.AssociatedGroup.Name | String | The name of the group. |
TC.Group.AssociatedGroup.OwnerName | String | The name of the owner of the group. |
TC.Group.AssociatedGroup.Type | String | The type of the group. |
#
Command Example!tc-get-associated-groups group_id=5101576 group_type=incidents
#
Context Example#
Human Readable Output#
ThreatConnect Associated Groups
GroupID Name Type OwnerName DateAdded 5110299 test_as Incident Demisto Inc. 2020-04-27T05:03:28Z
#
tc-associate-group-to-groupAssociates one group with another group.
#
Base Commandtc-associate-group-to-group
#
InputArgument Name | Description | Required |
---|---|---|
group_type | The type of the group. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
group_id | The ID of the group. To get the ID of the group, run the tc-get-groups command. | Required |
associated_group_type | The type of group to associate. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
associated_group_id | The ID of the group to associate. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
TC.Group.AssociatedGroup.AssociatedGroupID | Number | The ID of the associated group. |
TC.Group.AssociatedGroup.AssociatedGroupType | String | The type of the associated group. |
TC.Group.AssociatedGroup.GroupID | Number | The ID of the group to associate to. |
TC.Group.AssociatedGroup.GroupType | String | The type of the group to associate to. |
#
Command Example!tc-associate-group-to-group group_id=5101576 group_type=incidents associated_group_id=5101578 associated_group_type=campaigns
#
Context Example#
Human Readable OutputThe group 5101578 was associated successfully.
#
tc-get-indicator-ownersGet Owner for Indicator
#
Base Commandtc-get-indicator-owners
#
InputArgument Name | Description | Required |
---|---|---|
indicator | Indicator Value | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!tc-get-indicator-owners indicator=99.99.99.99
#
Context Example#
Human Readable Output#
ThreatConnect Owners for Indicator:99.99.99.99
id name type 737 Demisto Inc. Organization
#
tc-download-reportThe group report to download in PDF format.
#
Base Commandtc-download-report
#
InputArgument Name | Description | Required |
---|---|---|
group_type | The type of the group. Can be: "adversaries", "campaigns", "emails", "incidents", "signatures", or "threats". Possible values are: adversaries, campaigns, emails, incidents, signatures, threats. | Required |
group_id | The ID of the group. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
File.Size | Number | The size of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA256 | String | The SHA256 hash of the file. |
File.Name | String | The name of the file. |
File.SSDeep | String | The SSDeep hash of the file. |
File.EntryID | String | The entry ID of the file. |
File.Info | String | The information of the file. |
File.Type | String | The type of the file. |
File.MD5 | String | The MD5 hash of the file. |
File.Extension | String | The extension of the file. |