Skip to main content

ThreatConnect v3

This Integration is part of the ThreatConnect Pack.#

ThreatConnect's integration is a intelligence-driven security operations solution with intelligence, automation, analytics, and workflows. This integration was integrated and tested with version 3 of ThreatConnect v3 REST API

ThreatConnect v3 HMAC credentials#

  1. On the top navigation bar, hover the cursor over the Settings icon and select Org Settings from the dropdown menu.
  2. Click the Create API User button on the Membership tab of the Organization Settings screen, and the API User Administration window will be displayed.
  3. Enter the following information:
    • First Name: Enter the API user’s first name.
    • Last Name: Enter the API user’s last name.
    • Organization Role: Use the dropdown menu to select an Organization role for the user.
    • Include in Observations and False Positives: Check this box to allow data provided by the API user to be included in observation and false-positive counts.
    • Disabled: Click the checkbox to disable an API user’s account in the event that the Administrator wants to retain log integrity when the API user no longer requires ThreatConnect access.
  4. Record the Secret Key, as it will not be accessible after the window is closed.
  5. Click SAVE to create the API user account.

For more information - click here (Section - Creating an API User).

Configure ThreatConnect v3 on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for ThreatConnect v3.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    Base UrlThe base URL for the APITrue
    Access IDThe API credentialsTrue
    Secret keyThe API secret keyTrue
    Default OrganizationThe default owner for the integrationFalse
    Tags filter for the fetchFree text box to add comma-separated tags to filter the fetched incidents by.False
    Group Type filter for the fetchThe group type to filter the fetched incidents by.False
    Status filter for the fetchThe status to filter the fetched incidents by (if not field will fetch all statuses).False
    First fetch timestamp (<number> <time unit>, for example, 12 hours, 7 days, 3 months, 1 year)True
    Incident MetadataThe metadata to collect.False
    Source ReliabilityReliability of the source providing the intelligence data.True
    Rating Threshold for Malicious Indicators (needed for reputation calculation)Rating Threshold for Malicious Indicators. This is necessary to calculate reputation.False
    Confidence Threshold for Malicious Indicators (needed for reputation calculation)Confidence Threshold for Malicious Indicators. This is necessary to calculate reputation.False
    Indicator Reputation Freshness in days (needed for reputation calculation)Indicator Reputation Freshness.This is necessary to calculate reputation.False
    Trust any certificate (not secure)Whether or not to trust any certificateFalse
    Use system proxy settingsWhether or not to use proxyFalse
    Maximum number of incidents to fetchThe maximum amount of incident to fetch per run200
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip#


Searches for an indicator of type IP address.

Base Command#

ip

Input#

Argument NameDescriptionRequired
ipA comma-separated list of IPv4 or IPv6 addresses.Required
ownersA comma-separated list of a client's organizations, sources, or communities to which a user has permissions. For example, users with admin permissions can search for indicators belonging to all owners.Optional
ratingThresholdA comma-separated list of results filtered by indicators whose threat rating is greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - Moderate, "4" - High, or "5" - "Critical".Optional
confidenceThresholdA comma-separated list of results filtered by indicators whose confidence rating is greater than the specified value. Can be "0%" - "Unknown," "1% " - "Discredited", "2-29%" - "Improbable," "30-49%" - "Doubtful," "50-69%" - "Possible", "70-89%" - "Probable," or "90-100%" - "Confirmed".Optional

Context Output#

PathTypeDescription
TC.Indicator.NamestringThe name of the indicator.
TC.Indicator.TypestringThe type of the indicator.
TC.Indicator.IDstringThe ID of the indicator.
TC.Indicator.DescriptionstringThe description of the indicator.
TC.Indicator.OwnerstringThe owner of the indicator.
TC.Indicator.CreateDatedateThe date the indicator was created.
TC.Indicator.LastModifieddateThe date the indicator was last modified.
TC.Indicator.RatingnumberThe threat rating of the indicator.
TC.Indicator.ConfidencenumberThe confidence rating of the indicator.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
IP.AddressstringThe IP address of the indicator.
IP.Malicious.VendorstringFor malicious IP addresses, the vendor that made the decision.
IP.Malicious.DescriptionstringFor malicious IP addresses, the full description.
TC.Indicator.WebLinkstringThe web link of the indicator.

url#


Searches for an indicator of type URL.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command#

url

Input#

Argument NameDescriptionRequired
urlA comma-separated list of URLs for which to search. For example, "www.demisto.com".Required
ownersA comma-separated list of a client's organizations, sources, or communities to which a client’s API user has been granted permission. For example, "owner1", "owner2", or "owner3".Optional
ratingThresholdA comma-separated list of results filtered by indicators whose threat rating is greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - Moderate, "4" - High, or "5" - "Critical".Optional
confidenceThresholdA comma-separated list of results filtered by indicators whose confidence rating is greater than the specified value. Can be "0%" - "Unknown," "1% " - "Discredited", "2-29%" - "Improbable," "30-49%" - "Doubtful," "50-69%" - "Possible", "70-89%" - "Probable," or "90-100%" - "Confirmed".Optional

Context Output#

PathTypeDescription
TC.Indicator.NamestringThe name of the indicator.
TC.Indicator.TypestringThe type of the indicator.
TC.Indicator.IDstringThe ID of the indicator.
TC.Indicator.DescriptionstringThe description of the indicator.
TC.Indicator.OwnerstringThe owner of the indicator.
TC.Indicator.CreateDatedateThe date the indicator was created.
TC.Indicator.LastModifieddateThe date the indicator was last modified.
TC.Indicator.RatingnumberThe threat rating of the indicator.
TC.Indicator.ConfidencenumberThe confidence rating of the indicator.
DBotScore.IndicatorstringThe indicator that was tested.
DBotScore.TypestringThe indicator type.
DBotScore.VendorstringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilitystringReliability of the source providing the intelligence data.
URL.DatastringThe data of the URL indicator.
URL.Malicious.VendorstringFor malicious URLs, the vendor that made the decision.
URL.Malicious.DescriptionstringFor malicious URLs, the full description.
TC.Indicator.WebLinkstringThe web link of the indicator.

file#


Searches for an indicator of type file.

Base Command#

file

Input#

Argument NameDescriptionRequired
fileA comma-separated list of the hashes of the files. Can be "MD5", "SHA-1", or "SHA-256".Required
ownersA comma-separated list of a client's organizations, sources, or communities to which a user has permissions. For example, users with admin permissions can search for indicators belonging to all owners.Optional
ratingThresholdA comma-separated list of results filtered by indicators whose threat rating is greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - Moderate, "4" - High, or "5" - "Critical".Optional
confidenceThresholdA comma-separated list of results filtered by indicators whose confidence rating is greater than the specified value. Can be "0%" - "Unknown," "1% " - "Discredited", "2-29%" - "Improbable," "30-49%" - "Doubtful," "50-69%" - "Possible", "70-89%" - "Probable," or "90-100%" - "Confirmed".Optional

Context Output#

PathTypeDescription
TC.Indicator.NamestringThe name of the indicator.
TC.Indicator.TypestringThe type of the indicator.
TC.Indicator.IDstringThe ID of the indicator.
TC.Indicator.DescriptionstringThe description of the indicator.
TC.Indicator.OwnerstringThe owner of the indicator.
TC.Indicator.CreateDatedateThe date the indicator was created.
TC.Indicator.LastModifieddateThe date the indicator was last modified.
TC.Indicator.RatingnumberThe threat rating of the indicator.
TC.Indicator.ConfidencenumberThe confidence rating of the indicator.
TC.Indicator.File.MD5stringThe MD5 hash of the indicator.
TC.Indicator.File.SHA1stringThe SHA1 hash of the indicator.
TC.Indicator.File.SHA256stringThe SHA256 hash of the indicator.
DBotScore.IndicatorstringThe indicator that was tested.
DBotScore.TypestringThe indicator type.
DBotScore.VendorstringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilitystringReliability of the source providing the intelligence data.
File.MD5stringThe MD5 hash of the indicator.
File.SHA1stringThe SHA1 hash of the indicator.
File.SHA256stringThe SHA256 hash of the indicator.
File.Malicious.VendorstringFor malicious files, the vendor that made the decision.
File.Malicious.DescriptionstringFor malicious files, the full description.
TC.Indicator.WebLinkstringThe web link of the indicator.

tc-owners#


Retrieves all owners for the current account.

Base Command#

tc-owners

Input#

Argument NameDescriptionRequired

Context Output#

PathTypeDescription
TC.Owner.NamestringThe name of the owner.
TC.Owner.IDstringThe ID of the owner.
TC.Owner.TypestringThe type of the owner.

tc-indicators#


Retrieves a list of all indicators.

Base Command#

tc-indicators

Input#

Argument NameDescriptionRequired
ownerA comma-separated list of results filtered by the owner of the indicator.Optional
pageThe page to take the results from.Optional
limitThe maximum number of results that can be returned. The default is 500.Optional
fields_to_returnComma separated list of additional fields to return as part of the result indicator metadata. Possible values are: associatedGroups, associatedIndicators, observations, tags, and attributes.Optional

Context Output#

PathTypeDescription
TC.Indicator.NamestringThe name of the indicator.
TC.Indicator.TypestringThe type of the indicator.
TC.Indicator.IDstringThe ID of the indicator.
TC.Indicator.DescriptionstringThe description of the indicator.
TC.Indicator.OwnerstringThe owner of the indicator.
TC.Indicator.CreateDatedateThe date the indicator was created.
TC.Indicator.LastModifieddateThe date the indicator was last modified.
TC.Indicator.RatingnumberThe threat rating of the indicator.
TC.Indicator.ConfidencenumberThe confidence rating of the indicator.
TC.Indicator.WhoisActivestringThe active indicator (for domains only).
TC.Indicator.File.MD5stringThe MD5 hash of the indicator of the file.
TC.Indicator.File.SHA1stringThe SHA1 hash of the indicator of the file.
TC.Indicator.File.SHA256stringThe SHA256 hash of the indicator of the file.
DBotScore.IndicatorstringThe indicator that was tested.
DBotScore.TypestringThe indicator type.
DBotScore.VendorstringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilitystringReliability of the source providing the intelligence data.
IP.AddressstringThe IP address of the indicator.
IP.Malicious.VendorstringFor malicious IP addresses, the vendor that made the decision.
IP.Malicious.DescriptionstringFor malicious IP addresses, the full description.
URL.DatastringThe data of the URL of the indicator.
URL.Malicious.VendorstringFor malicious URLs, the vendor that made the decision.
URL.Malicious.DescriptionstringFor malicious URLs, the full description.
Domain.NamestringThe name of the domain.
Domain.Malicious.VendorstringFor malicious domains, the vendor that made the decision.
Domain.Malicious.DescriptionstringFor malicious domains, the full description.
File.MD5stringThe MD5 hash of the file.
File.SHA1stringThe SHA1 hash of the file.
File.SHA256stringThe SHA256 hash of the file.
File.Malicious.VendorstringFor malicious files, the vendor that made the decision.
File.Malicious.DescriptionstringFor malicious files, the full description.
TC.Indicator.WebLinkstringThe web link of the indicator.

tc-get-tags#


Returns a list of all ThreatConnect tags.

Base Command#

tc-get-tags

Input#

Argument NameDescriptionRequired
pageThe page to take the results from.Optional
limitThe maximum number of results that can be returned. The default is 500.Optional
nameThe name of the tag to get.Optional

Context Output#

PathTypeDescription
TC.TagsUnknownA list of tags.

tc-tag-indicator#


Adds a tag to an existing indicator.

Base Command#

tc-tag-indicator

Input#

Argument NameDescriptionRequired
tagThe name of the tag.Required
indicatorThe indicator to tag. For example, for an IP indicator, "8.8.8.8".Required

Context Output#

There is no context output for this command.

tc-get-indicator#


Retrieves information about an indicator.

Base Command#

tc-get-indicator

Input#

Argument NameDescriptionRequired
idThe ID of the indicator by which to search.Required

Context Output#

PathTypeDescription
TC.Indicator.NamestringThe name of the indicator.
TC.Indicator.TypestringThe type of the indicator.
TC.Indicator.IDstringThe ID of the indicator.
TC.Indicator.DescriptionstringThe description of the indicator.
TC.Indicator.OwnerstringThe owner of the indicator.
TC.Indicator.CreateDatedateThe date the indicator was created.
TC.Indicator.LastModifieddateThe date the indicator was last modified.
TC.Indicator.RatingnumberThe threat rating of the indicator.
TC.Indicator.ConfidencenumberThe confidence rating of the indicator.
TC.Indicator.WhoisActivestringThe active indicator (for domains only).
TC.Indicator.File.MD5stringThe MD5 hash of the indicator of the file.
TC.Indicator.File.SHA1stringThe SHA1 hash of the indicator of the file.
TC.Indicator.File.SHA256stringThe SHA256 hash of the indicator of the file.
TC.Indicator.IndicatorAttributes.dateAddeddateThe date the indicator attribute was added.
TC.Indicator.IndicatorAttributes.displayedbooleanWhether to display the indicator attributes on ThreatConnect.
TC.Indicator.IndicatorAttributes.idnumberThe ID of the attribute.
TC.Indicator.IndicatorAttributes.lastModifieddateThe date the indicator attribute was last modified.
TC.Indicator.IndicatorAttributes.typestringThe name of the attribute.
TC.Indicator.IndicatorAttributes.valuestringThe contents of the attribute.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
IP.AddressstringThe IP address of the indicator.
IP.Malicious.VendorstringFor malicious IP addresses, the vendor that made the decision.
IP.Malicious.DescriptionstringFor malicious IP addresses, the full description.
URL.DatastringThe data of the indicator of the URL.
URL.Malicious.VendorstringFor malicious URLs, the vendor that made the decision.
URL.Malicious.DescriptionstringFor malicious URLs, the full description.
Domain.NamestringThe domain name of the indicator.
Domain.Malicious.VendorstringFor malicious domains, the vendor that made the decision.
Domain.Malicious.DescriptionstringFor malicious domains, the full description.
File.MD5stringThe MD5 hash of the file.
File.SHA1stringThe SHA1 hash of the file.
File.SHA256stringThe SHA256 hash of the file.
File.Malicious.VendorstringFor malicious files, the vendor that made the decision.
File.Malicious.DescriptionstringFor malicious files, the full description.
TC.Indicator.WebLinkstringThe web link of the indicator.

tc-get-indicators-by-tag#


Fetches all indicators that have a tag.

Base Command#

tc-get-indicators-by-tag

Input#

Argument NameDescriptionRequired
tagThe name of the tag by which to filter the results.Required
ownerA comma-separated list of indicators filtered by the owner.Optional
pageThe page to take the results from.Optional
limitThe maximum number of results that can be returned. The default is 500.Optional

Context Output#

PathTypeDescription
TC.Indicator.NamestringThe name of the tagged indicator.
TC.Indicator.TypestringThe type of the tagged indicator.
TC.Indicator.IDstringThe ID of the tagged indicator.
TC.Indicator.DescriptionstringThe description of the tagged indicator.
TC.Indicator.OwnerstringThe owner of the tagged indicator.
TC.Indicator.CreateDatedateThe date the tagged indicator was created.
TC.Indicator.LastModifieddateThe date the tagged indicator was last modified.
TC.Indicator.RatingnumberThe threat rating of the tagged indicator.
TC.Indicator.ConfidencenumberThe confidence rating of the tagged indicator.
TC.Indicator.WhoisActivestringThe active indicator (for domains only).
TC.Indicator.File.MD5stringThe MD5 hash of the indicator of the file.
TC.Indicator.File.SHA1stringThe SHA1 hash of the indicator of the file.
TC.Indicator.File.SHA256stringThe SHA256 hash of the indicator of the file.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
IP.AddressstringThe IP address of the tagged indicator.
IP.Malicious.VendorstringFor malicious IP addresses, the vendor that made the decision.
IP.Malicious.DescriptionstringFor malicious IP addresses, the full description.
URL.DatastringThe data of the URL of the tagged indicator.
URL.Malicious.VendorstringFor malicious URLs, the vendor that made the decision.
URL.Malicious.DescriptionstringFor malicious URLs, the full description.
Domain.NamestringThe domain name of the tagged indicator.
Domain.Malicious.VendorstringFor malicious domains, the vendor that made the decision.
Domain.Malicious.DescriptionstringFor malicious domains, the full description.
File.MD5stringThe MD5 hash of the file.
File.SHA1stringThe SHA1 hash of the file.
File.SHA256stringThe SHA256 hash of the file.
File.Malicious.VendorstringFor malicious files, the vendor that made the decision.
File.Malicious.DescriptionstringFor malicious files, the full description.
TC.Indicator.WebLinkstringThe web link of the indicator.

tc-add-indicator#


Adds a new indicator to ThreatConnect.

Base Command#

tc-add-indicator

Input#

Argument NameDescriptionRequired
indicatorThe indicator to add.Required
indicatorTypeThe type of the indicator. Possible values are: Address, Agent, User, Registry Key, Mutex, Hashtag, Email Subject, Subject, Email, CIDR, Host, URL, ASN, File, EmailAddress.Required
hashTypeThe type of hash for the file indicator. Possible values are: md5, sha1, sha256.Optional
ratingThe threat rating of the indicator. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - Moderate, "4" - High, or "5" - "Critical".Optional
confidenceThe confidence rating of the indicator. Can be "0%" - "Unknown," "1% " - "Discredited", "2-29%" - "Improbable," "30-49%" - "Doubtful," "50-69%" - "Possible", "70-89%" - "Probable," or "90-100%" - "Confirmed".Optional
descriptionThe description of the indicator.Optional
tagsA comma-separated list of the tags to apply to the campaign.Optional

Context Output#

PathTypeDescription
TC.Indicator.NamestringThe name of the indicator.
TC.Indicator.TypestringThe type of indicator.
TC.Indicator.IDstringThe ID of the indicator.
TC.Indicator.DescriptionstringThe description of the indicator.
TC.Indicator.OwnerstringThe owner of the indicator.
TC.Indicator.CreateDatedateThe date the added indicator was created.
TC.Indicator.LastModifieddateThe date the added indicator was last modified.
TC.Indicator.RatingnumberThe threat rating of the indicator.
TC.Indicator.ConfidencenumberThe confidence rating of the indicator.
TC.Indicator.WhoisActivestringThe active indicator (for domains only).
TC.Indicator.File.MD5stringThe MD5 hash of the indicator of the file.
TC.Indicator.File.SHA1stringThe SHA1 hash of the indicator of the file.
TC.Indicator.File.SHA256stringThe SHA256 hash of the indicator of the file.
IP.AddressstringThe IP address of the indicator.
IP.Malicious.VendorstringFor malicious IP addresses, the vendor that made the decision.
IP.Malicious.DescriptionstringFor malicious IP addresses, the full description.
URL.DatastringThe data of the URL of the indicator.
URL.Malicious.VendorstringFor malicious URLs, the vendor that made the decision.
URL.Malicious.DescriptionstringFor malicious URLs, the full description.
Domain.NamestringThe name of the added indicator of the domain.
Domain.Malicious.VendorstringFor malicious domains, the vendor that made the decision.
Domain.Malicious.DescriptionstringFor malicious domains, the full description.
File.MD5stringThe MD5 hash of the file.
File.SHA1stringThe SHA1 hash of the file.
File.SHA256stringThe SHA256 hash of the file.
File.Malicious.VendorstringFor malicious files, the vendor that made the decision.
File.Malicious.DescriptionstringFor malicious files, the full description.
TC.Indicator.WebLinkstringThe web link of the indicator.

tc-create-incident#


Creates a new incident group.

Base Command#

tc-create-incident

Input#

Argument NameDescriptionRequired
incidentNameThe name of the incident group.Required
eventDateThe creation time of an incident in the "2017-03-21T00:00:00Z" format.Optional
tagA comma-separated list of the tags applied to the incident.Optional
securityLabelThe security label applied to the incident. Possible values are: TLP:RED, TLP:GREEN, TLP:AMBER, TLP:WHITE.Optional
descriptionThe description of the incident.Optional

Context Output#

PathTypeDescription
TC.Incident.NamestringThe name of the new incident group.
TC.Incident.OwnerstringThe owner of the new incident.
TC.Incident.EventDatedateThe date on which the event that indicates an incident occurred.
TC.Incident.TagstringThe name of the tag of the new incident.
TC.Incident.SecurityLabelstringThe security label of the new incident.
TC.Incident.IDUnknownThe ID of the new incident.

tc-incident-associate-indicator#


Associates an indicator with an existing incident. The indicator must exist before running this command. To add an indicator, run the tc-add-indicator command.

Base Command#

tc-incident-associate-indicator

Input#

Argument NameDescriptionRequired
incidentIdThe ID of the incident to which the indicator is associated.Required
indicatorThe ID of the indicator.Required

Context Output#

PathTypeDescription
TC.Indicator.NamestringThe name of the indicator.
TC.Indicator.TypestringThe type of the indicator.
TC.Indicator.IDstringThe ID of the indicator.
TC.Indicator.DescriptionstringThe description of the indicator.
TC.Indicator.OwnerstringThe owner of the indicator.
TC.Indicator.CreateDatedateThe date the associated indicator was created.
TC.Indicator.LastModifieddateThe date the associated indicator was last modified.
TC.Indicator.RatingnumberThe threat rating of the indicator.
TC.Indicator.ConfidencenumberThe confidence rating of the indicator.
TC.Indicator.WhoisActivestringThe active indicator (for domains only).
TC.Indicator.File.MD5stringThe MD5 hash of the indicator of the file.
TC.Indicator.File.SHA1stringThe SHA1 hash of the indicator of the file.
TC.Indicator.File.SHA256stringThe SHA256 hash of the indicator of the file.
IP.AddressstringIP address of the associated indicator of the file.
IP.Malicious.VendorstringFor malicious IP addresses, the vendor that made the decision.
IP.Malicious.DescriptionstringFor malicious IP addresses, the full description.
URL.DatastringThe data of the URL of the associated indicator of the file.
URL.Malicious.VendorstringFor malicious URLs, the vendor that made the decision.
URL.Malicious.DescriptionstringFor malicious URLs, the full description.
Domain.NamestringThe name of the indicator of the domain.
Domain.Malicious.VendorstringFor malicious domains, the vendor that made the decision.
Domain.Malicious.DescriptionstringFor malicious domains, the full description.
File.MD5stringThe MD5 hash of the file.
File.SHA1stringThe SHA1 hash of the file.
File.SHA256stringThe SHA256 hash of the file.
File.Malicious.VendorstringFor malicious files, the vendor that made the decision.
File.Malicious.DescriptionstringFor malicious files, the full description.
TC.Indicator.WebLinkstringThe web link of the indicator.

domain#


Searches for an indicator of type domain.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command#

domain

Input#

Argument NameDescriptionRequired
domainA comma-separated list of names of the domain.Required
ownersA comma-separated list of a client's organizations, sources, or communities to which a user has permissions. For example, users with admin permissions can search for indicators belonging to all owners.Optional
ratingThresholdA comma-separated list of results filtered by indicators whose threat rating is greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - Moderate, "4" - High, or "5" - "Critical".Optional
confidenceThresholdA comma-separated list of results filtered by indicators whose confidence rating is greater than the specified value. Can be "0%" - "Unknown," "1% " - "Discredited", "2-29%" - "Improbable," "30-49%" - "Doubtful," "50-69%" - "Possible", "70-89%" - "Probable," or "90-100%" - "Confirmed".Optional

Context Output#

PathTypeDescription
TC.Indicator.NamestringThe name of the indicator.
TC.Indicator.TypestringThe type of the domain.
TC.Indicator.IDstringThe ID of the domain.
TC.Indicator.DescriptionstringThe description of the domain.
TC.Indicator.OwnerstringThe owner of the domain.
TC.Indicator.CreateDatedateThe date the indicator of the domain was created.
TC.Indicator.LastModifieddateThe date the indicator of the domain was last modified.
TC.Indicator.RatingnumberThe threat rating of the domain.
TC.Indicator.ConfidencenumberThe confidence rating of the domain.
TC.Indicator.WhoisActivestringThe active indicator (for domains only).
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
Domain.NamestringThe name of the domain.
Domain.Malicious.VendorstringFor malicious domains, the vendor that made the decision.
Domain.Malicious.DescriptionstringFor malicious domains, the full description.
TC.Indicator.WebLinkstringThe web link of the indicator.

tc-get-incident-associate-indicators#


Returns indicators that are related to a specific incident.

Base Command#

tc-get-incident-associate-indicators

Input#

Argument NameDescriptionRequired
incidentIdThe ID of the incident.Required

Context Output#

PathTypeDescription
TC.Indicator.NamestringThe name of the returned indicator.
TC.Indicator.TypestringThe type of the returned indicator.
TC.Indicator.IDstringThe ID of the returned indicator.
TC.Indicator.DescriptionstringThe description of the returned indicator.
TC.Indicator.OwnerstringThe owner of the returned indicator.
TC.Indicator.CreateDatedateThe date the returned indicator was created.
TC.Indicator.LastModifieddateThe date the returned indicator was last modified.
TC.Indicator.RatingnumberThe threat rating of the returned indicator.
TC.Indicator.ConfidencenumberThe confidence rating of the returned indicator.
TC.Indicator.WhoisActivestringThe active indicator (for domains only).
TC.Indicator.File.MD5stringThe MD5 hash of the indicator of the file.
TC.Indicator.File.SHA1stringThe SHA1 hash of the indicator of the file.
TC.Indicator.File.SHA256stringThe SHA256 hash of the indicator of the file.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
IP.AddressstringThe IP address of the returned indicator.
IP.Malicious.VendorstringFor malicious IP addresses, the vendor that made the decision.
IP.Malicious.DescriptionstringFor malicious IP addresses, the full description.
URL.DatastringThe data of the URL of the returned indicator.
URL.Malicious.VendorstringFor malicious URLs, the vendor that made the decision.
URL.Malicious.DescriptionstringFor malicious URLs, the full description.
Domain.NamestringThe name of the domain.
Domain.Malicious.VendorstringFor malicious domains, the vendor that made the decision.
Domain.Malicious.DescriptionstringFor malicious domains, the full description.
File.MD5stringThe MD5 hash of the file.
File.SHA1stringThe SHA1 hash of the file.
File.SHA256stringThe SHA256 hash of the file.
File.Malicious.VendorstringFor malicious files, the vendor that made the decision.
File.Malicious.DescriptionstringFor malicious files, the full description.

tc-update-indicator#


Updates the indicator in ThreatConnect.

Base Command#

tc-update-indicator

Input#

Argument NameDescriptionRequired
indicatorThe name of the updated indicator.Required
ratingThe threat rating of the updated indicator.Optional
confidenceThe confidence rating of the updated indicator.Optional
sizeThe size of the file of the updated indicator.Optional
dnsActiveWhether the DNS indicator is active (only for hosts). Possible values are: True, False.Optional
whoisActiveWhether the indicator is active (only for hosts). Possible values are: True, False.Optional
securityLabelThe security label applied to the incident. Possible values are: TLP:RED, TLP:GREEN, TLP:AMBER, TLP:WHITE.Optional
tagsA comma-separated list of tags.Optional

Context Output#

PathTypeDescription
TC.Indicator.NamestringThe name of the indicator.
TC.Indicator.TypestringThe type of the indicator.
TC.Indicator.IDstringThe ID of the indicator.
TC.Indicator.DescriptionstringThe description of the indicator.
TC.Indicator.OwnerstringThe owner of the indicator.
TC.Indicator.CreateDatedateThe date the indicator was created.
TC.Indicator.LastModifieddateThe date the indicator was last modified.
TC.Indicator.RatingnumberThe threat rating of the indicator.
TC.Indicator.ConfidencenumberThe confidence rating of the indicator.
TC.Indicator.WhoisActivestringThe active indicator (for domains only).
TC.Indicator.File.MD5stringThe MD5 hash of the indicator of the file.
TC.Indicator.File.SHA1stringThe SHA1 hash of the indicator of the file.
TC.Indicator.File.SHA256stringThe SHA256 hash of the indicator of the file.
IP.AddressstringThe IP address of the indicator.
IP.Malicious.VendorstringFor malicious IP addresses, the vendor that made the decision.
IP.Malicious.DescriptionstringFor malicious IP addresses, the full description.
URL.DatastringThe data of the URL of the indicator.
URL.Malicious.VendorstringFor malicious URLs, the vendor that made the decision.
URL.Malicious.DescriptionstringFor malicious URLs, the full description.
Domain.NamestringThe domain name of the indicator.
Domain.Malicious.VendorstringFor malicious domains, the vendor that made the decision.
Domain.Malicious.DescriptionstringFor malicious domains, the full description.
File.MD5stringThe MD5 hash of the file.
File.SHA1stringThe SHA1 hash of the file.
File.SHA256stringThe SHA256 hash of the file.
File.Malicious.VendorstringFor malicious files, the vendor that made the decision.
File.Malicious.DescriptionstringFor malicious files, the full description.
TC.Indicator.WebLinkstringThe web link of the indicator.

tc-delete-indicator-tag#


Removes a tag from a specified indicator.

Base Command#

tc-delete-indicator-tag

Input#

Argument NameDescriptionRequired
indicatorThe ID of the indicator from which to remove a tag.Required
tagThe name of the tag to remove from the indicator.Required

Context Output#

PathTypeDescription
TC.Indicator.NamestringThe name of the indicator.
TC.Indicator.TypestringThe type of the indicator.
TC.Indicator.IDstringThe ID of the indicator.
TC.Indicator.DescriptionstringThe description of the indicator.
TC.Indicator.OwnerstringThe owner of the indicator.
TC.Indicator.CreateDatedateThe date the indicator was created.
TC.Indicator.LastModifieddateThe date the indicator was last modified.
TC.Indicator.RatingnumberThe threat rating of the indicator.
TC.Indicator.ConfidencenumberThe confidence rating of the indicator.
TC.Indicator.WhoisActivestringThe active indicator (for domains only).
TC.Indicator.File.MD5stringThe MD5 hash of the indicator of the file.
TC.Indicator.File.SHA1stringThe SHA1 hash of the indicator of the file.
TC.Indicator.File.SHA256stringThe SHA256 hash of the indicator of the file.
IP.AddressstringThe IP address of the indicator.
IP.Malicious.VendorstringFor malicious IP addresses, the vendor that made the decision.
IP.Malicious.DescriptionstringFor malicious IP addresses, the full description.
URL.DatastringThe data of the URL of the indicator.
URL.Malicious.VendorstringFor malicious URLs, the vendor that made the decision.
URL.Malicious.DescriptionstringFor malicious URLs, the full description.
Domain.NamestringThe domain name of the indicator.
Domain.Malicious.VendorstringFor malicious domains, the vendor that made the decision.
Domain.Malicious.DescriptionstringFor malicious domains, the full description.
File.MD5stringThe MD5 hash of the file.
File.SHA1stringThe SHA1 hash of the file.
File.SHA256stringThe SHA256 hash of the file.
File.Malicious.VendorstringFor malicious files, the vendor that made the decision.
File.Malicious.DescriptionstringFor malicious files, the full description.
TC.Indicator.WebLinkstringThe web link of the indicator.

tc-delete-indicator#


Deletes an indicator from ThreatConnect.

Base Command#

tc-delete-indicator

Input#

Argument NameDescriptionRequired
indicatorThe ID of the indicator to delete.Required

Context Output#

There is no context output for this command.

tc-create-campaign#


Creates a group based on the Campaign type.

Base Command#

tc-create-campaign

Input#

Argument NameDescriptionRequired
nameThe name of the campaign group.Required
firstSeenThe date the campaign was first seen.Optional
descriptionThe description of the campaign.Optional
tagComma-separated list of the tags to apply to the campaign.Optional
securityLabelThe security label applied to the incident. Possible values are: TLP:RED, TLP:GREEN, TLP:AMBER, TLP:WHITE.Optional

Context Output#

PathTypeDescription
TC.Campaign.NamestringThe name of the campaign.
TC.Campaign.OwnerstringThe owner of the campaign.
TC.Campaign.FirstSeendateThe date the campaign was first seen.
TC.Campaign.TagstringThe tag of the campaign.
TC.Campaign.SecurityLevelstringThe security label of the campaign.
TC.Campaign.IDstringThe ID of the campaign.

tc-create-event#


Creates a group based on the Event type.

Base Command#

tc-create-event

Input#

Argument NameDescriptionRequired
nameThe name of the event group.Required
eventDateThe date the event occurred. If the date is not specified, the current date is used.Optional
statusThe status of the event. Possible values are: Needs Review, False Positive, No Further Action, Escalated.Optional
tagA comma-separated list of the tags of the event.Optional
owner_nameThe name of the owner to which the group belongs. By default, events will be created in the organization in which the API user account resides.Optional

Context Output#

PathTypeDescription
TC.Event.NamestringThe name of the event.
TC.Event.DatedateThe date of the event.
TC.Event.StatusstringThe status of the event.
TC.Event.OwnerstringThe owner of the event.
TC.Event.TagstringThe tag of the event.
TC.Event.IDstringThe ID of the event.
TC.Event.TypestringThe type of the event.

tc-create-threat#


Creates a group based on the "Threats" type.

Base Command#

tc-create-threat

Input#

Argument NameDescriptionRequired
nameThe name of the threat group.Required
eventDateThe creation time of a threat in the "2017-03-21T00:00:00Z" format.Optional
tagsA comma-separated list of the tags applied to the threat.Optional
securityLabelThe security label applied to the threat. Possible values are: TLP:RED, TLP:GREEN, TLP:AMBER, TLP:WHITE.Optional
descriptionThe description of the threat.Optional

Context Output#

PathTypeDescription
TC.Threat.NamestringThe name of the threat.
TC.Threat.IDstringThe ID of the threat.

tc-delete-group#


Deletes a group.

Base Command#

tc-delete-group

Input#

Argument NameDescriptionRequired
groupIDA comma-separated list of the IDs of the groups to delete.Required

Context Output#

There is no context output for this command.

tc-get-events#


Returns a list of events.

Base Command#

tc-get-events

Input#

Argument NameDescriptionRequired
fromDateThe date to retrieve groups from in the yyyy-mm-dd format, e.g., 1111-11-11.Optional
tagThe tag to retrieve groups by.Optional
pageThe page to take the results from.Optional
limitThe maximum number of results that can be returned. The default is 500.Optional
idA comma-separated list of IDs to filter the groups by.Optional
filterA free text TQL filter. Refer to https://knowledge.threatconnect.com/docs/threatconnect-query-language-tql for a basic TQL guide.Optional

Context Output#

PathTypeDescription
TC.Event.DateAddedDateThe date the event was added.
TC.Event.EventDateDateThe date the event occurred.
TC.Event.IDNumberThe ID of the event.
TC.Event.OwnerNameStringThe name of the owner of the event.
TC.Event.StatusStringThe status of the event.
TC.Event.AssociatedGroupsStringThe associated groups for the event.
TC.Event.AssociatedIndicatorsStringThe associated indicators for the event.
TC.Event.TagsStringThe tags of the event.

tc-list-groups#


Returns all groups.

Base Command#

tc-list-groups

Input#

Argument NameDescriptionRequired
group_typeThe type of the group. Possible values are: Adversary, Attack Pattern, Campaign, Course of Action, Document, E-mail, Event, Incident, Intrusion Set, Malware, Report, Signature, Tactic, Task, Threat, Tool, Vulnerability.Optional
fromDateThe date to retrieve groups from in the yyyy-mm-dd format, e.g., 1111-11-11.Optional
tagThe tag to retrieve groups by.Optional
pageThe page to take the results from.Optional
limitThe maximum number of results that can be returned. The default is 500.Optional
idA comma-separated list of IDs to filter the groups by.Optional
filterA free text TQL filter. Refer to https://knowledge.threatconnect.com/docs/threatconnect-query-language-tql for a basic TQL guide.Optional
include_tagsAdd group tags metadata to the results.Optional
include_security_labelsAdd group security labels metadata to the results.Optional
include_attributesAdd group attributes metadata to the results.Optional
include_associated_groupsAdd group associated groups metadata to the results.Optional
include_associated_indicatorsAdd group associated indicators metadata to the results.Optional
include_all_metaDataAdd all group metadata to the results.Optional

Context Output#

PathTypeDescription
TC.Group.DateAddedDateThe date the group was added.
TC.Group.EventDateDateThe date the event occurred.
TC.Group.NameStringThe name of the group.
TC.Group.OwnerNameStringThe name of the owner of the group.
TC.Group.StatusStringThe status of the group.
TC.Group.IDNumberThe ID of the group.

tc-add-group-tag#


Adds tags to a specified group.

Base Command#

tc-add-group-tag

Input#

Argument NameDescriptionRequired
group_idThe ID of the group to which to add the tag. To get the ID, run the tc-list-groups command.Required
tag_nameThe name of the tag to add to the group.Required

Context Output#

There is no context output for this command.

tc-get-indicator-types#


Returns all indicator types available.

Base Command#

tc-get-indicator-types

Input#

Argument NameDescriptionRequired

Context Output#

PathTypeDescription
TC.IndicatorType.ApiBranchStringThe branch of the API.
TC.IndicatorType.ApiEntityStringThe entity of the API.
TC.IndicatorType.CasePreferenceStringThe case preference of the indicator. For example, "sensitive", "upper", or "lower".
TC.IndicatorType.CustomBooleanWhether the indicator is a custom indicator.
TC.IndicatorType.ParsableBooleanWhether the indicator can be parsed.
TC.IndicatorType.Value1TypeStringThe value type of the indicator.
TC.IndicatorType.Value1LabelStringThe value label of the indicator.

tc-create-document-group#


Creates a document group.

Base Command#

tc-create-document-group

Input#

Argument NameDescriptionRequired
file_nameThe name of the file to display in the UI.Required
nameThe name of the group.Required
malwareWhether the file is malware. If "true", ThreatConnect creates a password-protected ZIP file on your local machine that contains the sample and uploads the ZIP file. Possible values are: true, false.Optional
passwordThe password of the ZIP file.Optional
security_labelThe security label applied to the document. Possible values are: TLP:RED, TLP:GREEN, TLP:AMBER, TLP:WHITE.Optional
descriptionA description of the group.Optional
entry_idThe ID of the entry, as displayed in the War Room.Required

Context Output#

PathTypeDescription
TC.Group.NameStringThe name of the group.
TC.Group.OwnerStringThe owner of the group.
TC.Group.EventDateDateThe date the group was created.
TC.Group.DescriptionStringThe description of the group.
TC.Group.SecurityLabelStringThe security label of the group.
TC.Group.IDNumberThe ID of the group to which the attribute was added.

tc-download-document#


Downloads the contents of a document.

Base Command#

tc-download-document

Input#

Argument NameDescriptionRequired
document_idThe ID of the document.Required

Context Output#

PathTypeDescription
File.SizeNumberThe size of the file.
File.SHA1StringThe SHA1 hash of the file.
File.SHA256StringThe SHA256 hash of the file.
File.NameStringThe name of the file.
File.SSDeepStringThe ssdeep hash of the file (same as displayed in file entries).
File.EntryIDStringThe entry ID of the file.
File.InfoStringThe information of the file.
File.TypeStringThe type of the file.
File.MD5StringThe MD5 hash of the file.
File.ExtensionStringThe extension of the file.

tc-get-associated-groups#


Returns groups associated with a specified group.

Base Command#

tc-get-associated-groups

Input#

Argument NameDescriptionRequired
group_idThe ID of the group. To get the ID, run the tc-list-groups command.Required

Context Output#

PathTypeDescription
TC.Group.AssociatedGroup.DateAddedDateThe date the group was added.
TC.Group.AssociatedGroup.GroupIDNumberThe ID of the group.
TC.Group.AssociatedGroup.NameStringThe name of the group.
TC.Group.AssociatedGroup.OwnerNameStringThe name of the owner of the group.
TC.Group.AssociatedGroup.TypeStringThe type of the group.

tc-get-indicator-owners#


Get the owner for an indicator.

Base Command#

tc-get-indicator-owners

Input#

Argument NameDescriptionRequired
indicatorIndicator ID.Required

Context Output#

There is no context output for this command.

tc-download-report#


The group report to download in PDF format.

Base Command#

tc-download-report

Input#

Argument NameDescriptionRequired
group_idThe ID of the group.Required

Context Output#

PathTypeDescription
File.SizeNumberThe size of the file.
File.SHA1StringThe SHA1 hash of the file.
File.SHA256StringThe SHA256 hash of the file.
File.NameStringThe name of the file.
File.SSDeepStringThe ssdeep hash of the file.
File.EntryIDStringThe entry ID of the file.
File.InfoStringThe information of the file.
File.TypeStringThe type of the file.
File.MD5StringThe MD5 hash of the file.
File.ExtensionStringThe extension of the file.

tc-update-group#


Updates a group.

Base Command#

tc-update-group

Input#

Argument NameDescriptionRequired
idThe ID of the group.Required
custom_fieldCustom fields for the group.Optional
tagsA comma-separated list of The tags applied to the threat.Optional
security_labelThe security label applied to the threat. Possible values are: TLP:RED, TLP:GREEN, TLP:AMBER, TLP:WHITE.Optional
associated_group_idAn ID to associate a group by.Optional
associated_indicator_idAn ID to associate an indicator by.Optional
modeThe type of update to the group metadata(associated indicators, attributes,tags etc.). Possible values are: append, delete, replace.Optional
attribute_valueThe value of the attribute to associate.Optional
attribute_typeThe type of the attribute to associate.Optional

Context Output#

PathTypeDescription
TC.Group.NamestringThe name of the group.
TC.Group.OwnerstringThe owner of the group.
TC.Group.TagstringThe tag of the group.
TC.Group.SecurityLevelstringThe security label of the group.
TC.Group.IDstringThe ID of the group.

Redundant Arguments#

The following arguments were removed in this version:

In the tc-tag-indicator command:

  • owner - this argument was redundant.

In the tc-get-indicator command:

  • indicator_type - this argument was redundant.
  • owners - this argument was redundant.
  • ratingThreshold - this argument was redundant.
  • confidenceThreshold - this argument was redundant.
  • group_associations - this argument was redundant.
  • indicator_associations - this argument was redundant.
  • indicator_observations - this argument was redundant.
  • indicator_tags - this argument was redundant.
  • indicator_attributes - this argument was redundant.

In the tc-add-indicator command:

  • owner - this argument was redundant.

In the tc-create-incident command:

  • owner - this argument was redundant.

In the tc-fetch-incidents command:

  • incidentName - this argument was redundant.

In the tc-incident-associate-indicator command:

  • indicatorType - this argument was redundant.
  • owner - this argument was redundant.

In the tc-get-incident-associate-indicators command:

  • owner - this argument was redundant.

In the tc-update-indicator command:

  • observations - this argument was redundant.
  • threatAssessConfidence - this argument was redundant.
  • threatAssessRating - this argument was redundant.
  • owner - this argument was redundant.

In the tc-create-campaign command:

  • owner - this argument was redundant.

In the tc-create-event command:

  • owner - this argument was redundant.

In the tc-delete-group command:

  • type - this argument was redundant.

In the tc-add-group-attribute command:

  • group_type - this argument was redundant.

In the tc-add-group-security-label command:

  • group_type - this argument was redundant.

In the tc-add-group-tag command:

  • group_type - this argument was redundant.

In the tc-group-associate-indicator command:

  • indicator_type - this argument was redundant.
  • group_type - this argument was redundant.

In the tc-get-group command:

  • group_type - this argument was redundant.

In the tc-get-group-attributes command:

  • group_type - this argument was redundant.

In the tc-get-group-security-labels command:

  • group_type - this argument was redundant.

In the tc-get-group-tags command:

  • group_type - this argument was redundant.

In the tc-get-group-indicators command:

  • group_type - this argument was redundant.

In the tc-get-associated-groups command:

  • group_type - this argument was redundant.

In the tc-associate-group-to-group command:

  • group_type - this argument was redundant.
  • associated_group_type - this argument was redundant.

In the tc-download-report command:

  • group_type - this argument was redundant.

Additional Considerations for this version#

API version 3 documentation Use the new REST v3 API instead of the old python module.

tc-create-victim-attribute#


Creates a victim attribute.

Base Command#

tc-create-victim-attribute

Input#

Argument NameDescriptionRequired
victim_idThe ID of the victim.Required
security_labelsA comma-separated list of the security labels to apply to the victim attribute. Possible values are: TLP:RED, TLP:GREEN, TLP:AMBER, TLP:WHITE, TLP:AMBER+STRICT, TLP:CLEAR.Optional
attribute_typeThe attribute type. Possible values are: Additional Analysis and Context, Description, External ID, Impact Description, Impact Score, Physical Address, Response Team & Staff involved, Source, Takedown Requests, Targeted Industry Sector, Title.Required
attribute_valueThe attribute value.Required
sourceThe attribute source.Optional

Context Output#

PathTypeDescription
TC.VictimAttribute.dateAddedstringThe date that the victim attribute was added.
TC.VictimAttribute.defaultstringWhether the attribute is the default attribute of its type for the victim to which it is added.
TC.VictimAttribute.idstringThe ID of the victim attribute.
TC.VictimAttribute.lastModifiedstringThe date that the victim attribute was last modified.
TC.VictimAttribute.pinnedstringWhether the victim attribute is pinned.
TC.VictimAttribute.typestringThe type of the victim attribute.
TC.VictimAttribute.valuestringThe value of the victim attribute.
TC.VictimAttribute.createdBy.firstNamestringThe first name of the user who created the victim attribute.
TC.VictimAttribute.createdBy.idstringThe ID of the victim the attribute associated to.
TC.VictimAttribute.createdBy.lastNamestringThe last name of the user who created the victim attribute.
TC.VictimAttribute.createdBy.ownerstringThe owner of the user who created the victim attribute.
TC.VictimAttribute.createdBy.pseudonymstringThe pseudonym of the user who created the victim attribute.
TC.VictimAttribute.createdBy.userNamestringThe user name of the user who created the victim attribute.

Command example#

!tc-create-victim-attribute attribute_type="Takedown Requests" victim_id=668 attribute_value="test"

Context Example#

{
"TC": {
"VictimAttribute": {
"createdBy": {
"firstName": "Demisto API",
"id": 615,
"lastName": "Demisto API",
"owner": "Palo Alto Cortex XSOAR",
"pseudonym": "APIUsersTest",
"userName": "test"
},
"dateAdded": "2024-01-04T13:24:53Z",
"default": false,
"id": 133,
"lastModified": "2024-01-04T13:24:53Z",
"pinned": false,
"type": "Takedown Requests",
"value": "test"
}
}
}

Human Readable Output#

Victim Attribute 133 created successfully for victim id: 668

tc-create-victim#


Creates a victim.

Base Command#

tc-create-victim

Input#

Argument NameDescriptionRequired
nameThe name of the victim.Required
nationalityThe nationality of the victim.Optional
orgThe organization of the victim.Optional
sub_orgThe sub-organization of the victim.Optional
security_labelsA comma-separated list of the security labels to apply to the victim. Possible values are: TLP:RED, TLP:GREEN, TLP:AMBER, TLP:WHITE, TLP:AMBER+STRICT, TLP:CLEAR.Optional
tagsA comma-separated list of tags.Optional
work_locationThe work location of the victim.Optional
asset_typeThe asset type of the victim. Possible values are: EmailAddress, NetworkAccount, Phone, SocialNetwork, WebSite.Optional
asset_valueThe asset value of the victim.Optional
asset_address_typeThe asset address type. Relevant only when the asset_type is EmailAddress.Optional
asset_network_typeThe asset network type. Relevant only when the asset_type is NetworkAccount.Optional
asset_social_networkThe asset social network. Required only when the asset_type is SocialNetwork.Optional
associated_groups_idsA comma-separated list of group IDs to associate to the victim.Optional
attribute_typeThe attribute type to associate to the victim. Possible values are: Additional Analysis and Context, Description, External ID, Impact Description, Impact Score, Physical Address, Response Team & Staff involved, Source, Takedown Requests, Targeted Industry Sector, Title.Optional
attribute_valueThe attribute value to associate to the victim.Optional

Context Output#

PathTypeDescription
TC.Victim.NamestringThe name of the victim.
TC.Victim.ownerIdstringThe owner ID of the victim.
TC.Victim.idstringThe ID of the victim.
TC.Victim.ownerNamestringThe owner name of the victim.
TC.Victim.webLinkstringThe web link of the victim.
TC.Victim.descriptionstringThe description of the victim.
TC.Victim.orgstringThe organization of the victim.
TC.Victim.suborgstringThe sub-organization of the victim.
TC.Victim.workLocationstringThe work location of the victim.
TC.Victim.nationalitystringThe nationality of the victim.

Command example#

!tc-create-victim name="test" org="test" asset_type="EmailAddress" asset_value="test@test.com" attribute_type="Description" attribute_value="test"

Context Example#

{
"TC": {
"Victim": {
"id": 671,
"name": "test",
"org": "test",
"ownerId": 271,
"ownerName": "Palo Alto Cortex XSOAR",
"webLink": "https://threatconnect.com/auth/victim/victim.xhtml?victim=671"
}
}
}

Human Readable Output#

Victim test created successfully with id: 671

tc-create-victim-asset#


Creates a victim asset.

Base Command#

tc-create-victim-asset

Input#

Argument NameDescriptionRequired
victim_idThe ID of the victim.Required
asset_typeThe asset type. Possible values are: EmailAddress, NetworkAccount, Phone, SocialNetwork, WebSite.Required
asset_valueThe asset value.Required
asset_address_typeThe asset address type. Relevant only when the asset_type is EmailAddress.Optional
asset_network_typeThe asset network type. Relevant only when the asset_type is NetworkAccount.Optional
asset_social_networkThe asset social network. Required only when the asset_type is SocialNetwork.Optional

Context Output#

PathTypeDescription
TC.VictimAsset.idstringThe ID of the victim asset.
TC.VictimAsset.typestringThe type of the victim asset.
TC.VictimAsset.victimIdstringThe ID of the victim.
TC.VictimAsset.webLinkstringThe web link of the victim asset.
TC.VictimAsset.phonestringThe phone number of the victim asset.
TC.VictimAsset.addressstringThe address of the victim asset.
TC.VictimAsset.accountNamestringThe account name of the victim asset.
TC.VictimAsset.addressTypestringThe address type of the victim asset.
TC.VictimAsset.networkTypestringThe network type of the victim asset.
TC.VictimAsset.socialNetworkstringThe social network of the victim asset.
TC.VictimAsset.websitestringThe website of the victim asset.

Command example#

!tc-create-victim-asset victim_id=668 asset_type=SocialNetwork asset_value=test asset_social_network=test

Context Example#

{
"TC": {
"VictimAsset": {
"accountName": "test",
"id": 753,
"socialNetwork": "test",
"type": "SocialNetwork",
"victimId": 668,
"webLink": "https://threatconnect.com/auth/victim/victim.xhtml?victim=668"
}
}
}

Human Readable Output#

Victim Asset 753 created successfully for victim id: 668

tc-list-victim-assets#


Retrieves victim assets.

Base Command#

tc-list-victim-assets

Input#

Argument NameDescriptionRequired
victim_asset_idThe ID of a specific victim asset to retrieve. If not specified, all victim assets will be retrieved.Optional
filterA free text TQL filter. Refer to https://knowledge.threatconnect.com/docs/threatconnect-query-language-tql for a basic TQL guide.Optional
pageThe page to take the results from. The first is 0. Default is 0.Optional
limitThe maximum number of results that can be returned. Default is 50.Optional

Context Output#

PathTypeDescription
TC.VictimAsset.idstringThe ID of the victim asset.
TC.VictimAsset.typestringThe type of the victim asset.
TC.VictimAsset.victimIdstringThe ID of the victim.
TC.VictimAsset.webLinkstringThe web link of the victim asset.
TC.VictimAsset.phonestringThe phone number of the victim asset.
TC.VictimAsset.addressstringThe address of the victim asset.
TC.VictimAsset.accountNamestringThe account name of the victim asset.
TC.VictimAsset.addressTypestringThe address type of the victim asset.
TC.VictimAsset.networkTypestringThe network type of the victim asset.
TC.VictimAsset.socialNetworkstringThe social network of the victim asset.
TC.VictimAsset.websitestringThe website of the victim asset.

Command example#

!tc-list-victim-assets limit=1

Context Example#

{
"TC": {
"VictimAsset": {
"id": 740,
"phone": "111111",
"type": "Phone",
"victimId": 660,
"webLink": "https://threatconnect.com/auth/victim/victim.xhtml?victim=660"
}
}
}

Human Readable Output#

Victim assets#

idtypevictimIdasset
740Phone660111111

tc-list-victim-attributes#


Retrieves victim attributes.

Base Command#

tc-list-victim-attributes

Input#

Argument NameDescriptionRequired
victim_attribute_idThe ID of a specific victim attribute to retrieve. If not specified, all victim attributes will be retrieved.Optional
victim_idThe ID of a specific victim to retrieve its attributes.Optional
filterA free text TQL filter. Refer to https://knowledge.threatconnect.com/docs/threatconnect-query-language-tql for a basic TQL guide.Optional
pageThe page to take the results from. The first is 0. Default is 0.Optional
limitThe maximum number of results that can be returned. Default is 50.Optional

Context Output#

PathTypeDescription
TC.VictimAttribute.dateAddedstringThe date that the victim attribute was added.
TC.VictimAttribute.defaultstringWhether the attribute is the default attribute of its type for the victim to which it is added.
TC.VictimAttribute.idstringThe ID of the victim attribute.
TC.VictimAttribute.lastModifiedstringThe date that the victim attribute was last modified.
TC.VictimAttribute.pinnedstringWhether the victim attribute is pinned.
TC.VictimAttribute.typestringThe type of the victim attribute.
TC.VictimAttribute.valuestringThe value of the victim attribute.
TC.VictimAttribute.createdBy.firstNamestringThe first name of the user who created the victim attribute.
TC.VictimAttribute.createdBy.idstringThe ID of the victim the attribute associated to.
TC.VictimAttribute.createdBy.lastNamestringThe last name of the user who created the victim attribute.
TC.VictimAttribute.createdBy.ownerstringThe owner of the user who created the victim attribute.
TC.VictimAttribute.createdBy.pseudonymstringThe pseudonym of the user who created the victim attribute.
TC.VictimAttribute.createdBy.userNamestringThe user name of the user who created the victim attribute.

Command example#

!tc-list-victim-attributes limit=1

Context Example#

{
"TC": {
"VictimAttribute": {
"createdBy": {
"firstName": "Demisto API",
"id": 615,
"lastName": "Demisto API",
"owner": "Palo Alto Cortex XSOAR",
"pseudonym": "APIUsersTest",
"userName": "08265138623174323158"
},
"dateAdded": "2024-01-04T13:24:57Z",
"default": false,
"id": 134,
"lastModified": "2024-01-04T13:24:57Z",
"pinned": false,
"type": "Description",
"value": "test"
}
}
}

Human Readable Output#

Victim attributes#

idtypevaluedateAdded
134Descriptiontest2024-01-04T13:24:57Z

tc-list-victims#


Retrieves victims.

Base Command#

tc-list-victims

Input#

Argument NameDescriptionRequired
victim_idThe ID of a specific victim to retrieve. If not specified, all victims will be retrieved.Optional
filterA free text TQL filter. Refer to https://knowledge.threatconnect.com/docs/threatconnect-query-language-tql for a basic TQL guide.Optional
include_assetsWhether to add victim's assets metadata to the result. Possible values are: true, false. Default is false.Optional
include_associated_groupsWhether to add victim's associated groups metadata to the result. Possible values are: true, false. Default is false.Optional
include_attributesWhether to add victim's attributes metadata to the result. Possible values are: true, false. Default is false.Optional
include_security_labelsWhether to add victim's security labels metadata to the result. Possible values are: true, false. Default is false.Optional
include_all_metaDataWhether to add all victim metadata to the results. Possible values are: true, false. Default is false.Optional
pageThe page to take the results from. The first is 0. Default is 0.Optional
limitThe maximum number of results that can be returned. Default is 50.Optional

Context Output#

PathTypeDescription
TC.Victim.idNumberThe victim's ID.
TC.Victim.securityLabels.data.idNumberThe security label ID.
TC.Victim.securityLabels.data.nameStringThe security label name.
TC.Victim.securityLabels.data.descriptionStringThe security label description.
TC.Victim.securityLabels.data.colorStringThe security label color.
TC.Victim.securityLabels.data.ownerStringThe security label owner.
TC.Victim.securityLabels.data.dateAddedDateThe security label date added.
TC.Victim.ownerIdNumberThe victim's owner ID.
TC.Victim.ownerNameStringThe victim's owner name.
TC.Victim.webLinkStringThe victim's web link.
TC.Victim.tags.data.idNumberThe victim's tag ID.
TC.Victim.tags.data.nameStringThe victim's tag name.
TC.Victim.tags.data.lastUsedDateThe victim's tag last use.
TC.Victim.nameStringThe victim's name.
TC.Victim.descriptionStringThe victim's description.
TC.Victim.orgStringThe victim's organization.
TC.Victim.workLocationStringThe victim's work location.
TC.Victim.nationalityStringThe victim's nationality.
TC.Victim.suborgStringThe victim's sub-organization.
TC.Victim.assets.data.idNumberThe victim asset ID.
TC.Victim.assets.data.typeStringThe victim asset type.
TC.Victim.assets.data.victimIdNumberThe victim asset victim ID.
TC.Victim.assets.data.phoneStringThe victim asset phone number.
TC.Victim.assets.data.webLinkStringThe victim asset web link.
TC.Victim.assets.data.websiteStringThe victim asset website.
TC.Victim.assets.data.accountNameStringThe victim asset account name.
TC.Victim.assets.data.networkTypeStringThe victim asset network type.
TC.Victim.assets.data.addressStringThe victim asset address.
TC.Victim.assets.data.addressTypeStringThe victim asset address type.
TC.Victim.assets.data.socialNetworkStringThe victim asset social network.
TC.Victim.associatedGroups.idUnknownThe victim's associated group ID.
TC.Victim.attributes.data.idNumberThe victim attribute ID.
TC.Victim.attributes.data.dateAddedDateThe victim attribute date added.
TC.Victim.attributes.data.typeStringThe victim attribute type.
TC.Victim.attributes.data.valueStringThe victim attribute value.
TC.Victim.attributes.data.sourceStringThe victim attribute source.
TC.Victim.attributes.data.createdBy.idNumberThe victim attribute creator ID.
TC.Victim.attributes.data.createdBy.userNameStringThe victim attribute creator user name.
TC.Victim.attributes.data.createdBy.firstNameStringThe victim attribute creator first name.
TC.Victim.attributes.data.createdBy.lastNameStringThe victim attribute creator last name.
TC.Victim.attributes.data.createdBy.pseudonymStringThe victim attribute creator pseudonym.
TC.Victim.attributes.data.createdBy.ownerStringThe victim attribute creator owner.
TC.Victim.attributes.data.lastModifiedDateThe victim attribute last modified time.
TC.Victim.attributes.data.pinnedStringWhether the victim attribute is pinned.
TC.Victim.attributes.data.defaultStringWhether the victim attribute is default.

Command example#

!tc-list-victims limit=1

Context Example#

{
"TC": {
"Victim": {
"id": 663,
"name": "nat",
"ownerId": 271,
"ownerName": "Palo Alto Cortex XSOAR",
"webLink": "https://threatconnect.com/auth/victim/victim.xhtml?victim=663"
}
}
}

Human Readable Output#

Victims#

idnameownerNamedescriptionorg
663natPalo Alto Cortex XSOAR

tc-update-victim#


Updates a victim.

Base Command#

tc-update-victim

Input#

Argument NameDescriptionRequired
victim_idThe ID of the victim.Required
nameThe name of the victim.Optional
nationalityThe nationality of the victim.Optional
orgThe organization of the victim.Optional
sub_orgThe sub-organization of the victim.Optional
security_labelsA comma-separated list of the security labels to apply to the victim. Possible values are: TLP:RED, TLP:GREEN, TLP:AMBER, TLP:WHITE, TLP:AMBER+STRICT, TLP:CLEAR.Optional
tagsA comma-separated list of tags.Optional
work_locationThe work location of the victim.Optional
asset_typeThe asset type of the victim. Possible values are: EmailAddress, NetworkAccount, Phone, SocialNetwork, WebSite.Optional
asset_valueThe asset value of the victim.Optional
asset_address_typeThe asset address type. Relevant only when the asset_type is EmailAddress.Optional
asset_network_typeThe asset network type. Relevant only when the asset_type is NetworkAccount.Optional
asset_social_networkThe asset social network. Relevant only when the asset_type is SocialNetwork.Optional
associated_groups_idsA comma-separated list of group IDs to associate to the victim.Optional
attribute_typeThe attribute type to associate to the victim. Possible values are: Additional Analysis and Context, Description, External ID, Impact Description, Impact Score, Physical Address, Response Team & Staff involved, Source, Takedown Requests, Targeted Industry Sector, Title.Optional
attribute_valueThe attribute value to associate to the victim.Optional
modeThe mode of the update operation. Relevant for associated groups, attributes, security labels and tags. Possible values are: append, delete, replace. Default is append.Optional

Context Output#

PathTypeDescription
TC.Victim.NamestringThe name of the victim.
TC.Victim.ownerIdstringThe owner ID of the victim.
TC.Victim.idstringThe ID of the victim.
TC.Victim.ownerNamestringThe owner name of the victim.
TC.Victim.webLinkstringThe web link of the victim.
TC.Victim.descriptionstringThe description of the victim.
TC.Victim.orgstringThe organization of the victim.
TC.Victim.suborgstringThe sub-organization of the victim.
TC.Victim.workLocationstringThe work location of the victim.
TC.Victim.nationalitystringThe nationality of the victim.

Command example#

!tc-update-victim victim_id=668 mode=append attribute_type="Source" attribute_value="test"

Context Example#

{
"TC": {
"Victim": {
"id": 668,
"name": "nat",
"ownerId": 271,
"ownerName": "Palo Alto Cortex XSOAR",
"webLink": "https://threatconnect.com/auth/victim/victim.xhtml?victim=668"
}
}
}

Human Readable Output#

Victim 668 was successfully updated.

tc-update-victim-asset#


Updates a victim asset.

Base Command#

tc-update-victim-asset

Input#

Argument NameDescriptionRequired
victim_asset_idThe ID of the victim asset.Required
asset_valueThe asset value.Required
asset_address_typeThe asset address type. Relevant only when the asset_type is EmailAddress.Optional
asset_network_typeThe asset network type. Relevant only when the asset_type is NetworkAccount.Optional
asset_social_networkThe asset social network. Required only when the asset_type is SocialNetwork.Optional

Context Output#

PathTypeDescription
TC.VictimAsset.idstringThe ID of the victim asset.
TC.VictimAsset.typestringThe type of the victim asset.
TC.VictimAsset.victimIdstringThe ID of the victim.
TC.VictimAsset.webLinkstringThe web link of the victim asset.
TC.VictimAsset.phonestringThe phone number of the victim asset.
TC.VictimAsset.addressstringThe address of the victim asset.
TC.VictimAsset.accountNamestringThe account name of the victim asset.
TC.VictimAsset.addressTypestringThe address type of the victim asset.
TC.VictimAsset.networkTypestringThe network type of the victim asset.
TC.VictimAsset.socialNetworkstringThe social network of the victim asset.
TC.VictimAsset.websitestringThe website of the victim asset.

Command example#

!tc-update-victim-asset victim_asset_id=750 asset_value="11111"

Context Example#

{
"TC": {
"VictimAsset": {
"id": 750,
"phone": "11111",
"type": "Phone",
"victimId": 669,
"webLink": "https://threatconnect.com/auth/victim/victim.xhtml?victim=669"
}
}
}

Human Readable Output#

Victim Asset 750 updated successfully for victim id: 669

tc-update-victim-attribute#


Updates a victim attribute.

Base Command#

tc-update-victim-attribute

Input#

Argument NameDescriptionRequired
victim_attribute_idThe ID of the victim attribute.Required
security_labelsA comma-separated list of the security labels to apply to the victim attribute. Possible values are: TLP:RED, TLP:GREEN, TLP:AMBER, TLP:WHITE, TLP:AMBER+STRICT, TLP:CLEAR.Optional
attribute_valueThe attribute value.Required
sourceThe attribute source.Optional

Context Output#

PathTypeDescription
TC.VictimAttribute.dateAddedstringThe date that the victim attribute was added.
TC.VictimAttribute.defaultstringWhether the attribute is the default attribute of its type for the victim to which it is added.
TC.VictimAttribute.idstringThe ID of the victim attribute.
TC.VictimAttribute.lastModifiedstringThe date that the victim attribute was last modified.
TC.VictimAttribute.pinnedstringWhether the victim attribute is pinned.
TC.VictimAttribute.typestringThe type of the victim attribute.
TC.VictimAttribute.valuestringThe value of the victim attribute.
TC.VictimAttribute.createdBy.firstNamestringThe first name of the user who created the victim attribute.
TC.VictimAttribute.createdBy.idstringThe ID of the victim the attribute associated to.
TC.VictimAttribute.createdBy.lastNamestringThe last name of the user who created the victim attribute.
TC.VictimAttribute.createdBy.ownerstringThe owner of the user who created the victim attribute.
TC.VictimAttribute.createdBy.pseudonymstringThe pseudonym of the user who created the victim attribute.
TC.VictimAttribute.createdBy.userNamestringThe user name of the user who created the victim attribute.

Command example#

!tc-update-victim-attribute victim_attribute_id="132" attribute_value="test2"

Context Example#

{
"TC": {
"VictimAttribute": {
"createdBy": {
"firstName": "Demisto API",
"id": 615,
"lastName": "Demisto API",
"owner": "Palo Alto Cortex XSOAR",
"pseudonym": "APIUsersTest",
"userName": "test"
},
"dateAdded": "2024-01-04T09:14:16Z",
"default": false,
"id": 132,
"lastModified": "2024-01-04T13:25:19Z",
"pinned": false,
"type": "Source",
"value": "test2"
}
}
}

Human Readable Output#

Victim attribute 132 was successfully updated.

tc-delete-victim-asset#


Deletes a victim asset.

Base Command#

tc-delete-victim-asset

Input#

Argument NameDescriptionRequired
victim_asset_idThe ID of the victim asset.Required

Context Output#

There is no context output for this command.

Command example#

!tc-delete-victim-asset victim_asset_id=738

Human Readable Output#

Victim asset 738 was successfully deleted.

tc-delete-victim-attribute#


Deletes a victim attribute.

Base Command#

tc-delete-victim-attribute

Input#

Argument NameDescriptionRequired
victim_attribute_idThe ID of the victim attribute.Required

Context Output#

There is no context output for this command.

Command example#

!tc-delete-victim-attribute victim_attribute_id=110

Human Readable Output#

Victim attribute 110 was successfully deleted.

tc-list-attribute-type#


Retrieved all attribute types

Base Command#

tc-list-attribute-type

Input#

Argument NameDescriptionRequired
attribute_type_idA specific attribute type to retrieve. If not specified, all attribute types will be retrieved.Optional
pageThe page to take the results from. The first is 0. Default is 0.Optional
limitThe maximum number of results that can be returned. Default is 50.Optional

Context Output#

PathTypeDescription
TC.AttributeType.allowMarkdownstringWhether the attribute type markdown allowed.
TC.AttributeType.descriptionstringThe attribute type description.
TC.AttributeType.namestringThe attribute type name.
TC.AttributeType.errorMessagestringThe attribute type error message.
TC.AttributeType.idstringThe attribute type ID.
TC.AttributeType.maxSizestringThe attribute type maximum size.
TC.AttributeType.TC.AttributeType.validationRule.descriptionstringThe attribute type validation rule description.
TC.AttributeType.TC.AttributeType.validationRule.idstringThe attribute type validation rule ID.
TC.AttributeType.TC.AttributeType.validationRule.namestringThe attribute type validation rule name.
TC.AttributeType.TC.AttributeType.validationRule.textstringThe attribute type validation rule text.
TC.AttributeType.TC.AttributeType.validationRule.typestringThe attribute type validation rule type.
TC.AttributeType.TC.AttributeType.validationRule.versionstringThe attribute type validation rule version.

Command example#

!tc-list-attribute-type limit=1

Context Example#

{
"TC": {
"AttributeType": {
"allowMarkdown": true,
"description": "Describe the Course of Action Taken.",
"errorMessage": "Please enter a valid Course of Action.",
"id": 1,
"maxSize": 500,
"name": "Course of Action Taken"
}
}
}

Human Readable Output#

Attribute types#

idnamedescription
1Course of Action TakenDescribe the Course of Action Taken.

tc-delete-victim#


Deletes a victim.

Base Command#

tc-delete-victim

Input#

Argument NameDescriptionRequired
victim_idThe ID of the victim.Required

Context Output#

There is no context output for this command.

Command example#

!tc-delete-victim victim_id=660

Human Readable Output#

Victim 660 was successfully deleted.