
ThreatConnect v3

This Integration is part of the ThreatConnect Pack.

ThreatConnect's integration is an intelligence-driven security operations solution combining intelligence, automation, analytics, and workflows. This integration was integrated and tested with version 3 of the ThreatConnect REST API.

ThreatConnect v3 HMAC credentials

  1. On the top navigation bar, hover the cursor over the Settings icon and select Org Settings from the dropdown menu.
  2. Click the Create API User button on the Membership tab of the Organization Settings screen, and the API User Administration window will be displayed.
  3. Enter the following information:
    • First Name: Enter the API user’s first name.
    • Last Name: Enter the API user’s last name.
    • Organization Role: Use the dropdown menu to select an Organization role for the user.
    • Include in Observations and False Positives: Check this box to allow data provided by the API user to be included in observation and false-positive counts.
    • Disabled: Click the checkbox to disable an API user’s account in the event that the Administrator wants to retain log integrity when the API user no longer requires ThreatConnect access.
  4. Record the Secret Key, as it will not be accessible after the window is closed.
  5. Click SAVE to create the API user account.

For more information, see the ThreatConnect documentation (section "Creating an API User").
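The Access ID and Secret Key created above are HMAC credentials: the Secret Key stays on the client and only a per-request signature travels over the wire, which is why it cannot be recovered later. The following is an added illustration, not code from the integration or from ThreatConnect; it assumes the signing scheme as the author understands it (base64 HMAC-SHA256 over `path:METHOD:timestamp`, sent as `Authorization: TC <access_id>:<signature>` with a `Timestamp` header), and the access id, secret and path are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional

# Assumed shape of the ThreatConnect HMAC scheme (author's understanding of the
# documented API authentication, not code taken from the integration):
#   string_to_sign = "<api_path>:<HTTP_METHOD>:<unix_timestamp>"
#   signature      = base64(HMAC-SHA256(secret_key, string_to_sign))
#   headers        = "Authorization: TC <access_id>:<signature>" and "Timestamp: <unix_timestamp>"
MAX_CLOCK_SKEW_SECONDS = 300  # assumed replay window used by the verifier below


def _signature(secret_key: str, path: str, method: str, timestamp: int) -> str:
    """Base64 HMAC-SHA256 over the path, upper-cased method and timestamp."""
    string_to_sign = f"{path}:{method.upper()}:{timestamp}"
    digest = hmac.new(secret_key.encode("utf-8"),
                      string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(access_id: str, secret_key: str, path: str, method: str,
                 timestamp: Optional[int] = None) -> Dict[str, str]:
    """Client side: build the two authentication headers for one request.

    `path` is the request path including any query string (for example
    "/api/v3/indicators?limit=5"); scheme and host are not part of the
    signed string. The secret key never leaves the client.
    """
    ts = int(time.time()) if timestamp is None else int(timestamp)
    return {
        "Authorization": f"TC {access_id}:{_signature(secret_key, path, method, ts)}",
        "Timestamp": str(ts),
    }


def verify_request(headers: Dict[str, str], secret_key: str, path: str,
                   method: str, now: int,
                   max_skew: int = MAX_CLOCK_SKEW_SECONDS) -> bool:
    """Server side (illustrative): reject timestamps outside the replay window,
    then compare signatures in constant time so a forged header cannot be
    probed byte by byte."""
    try:
        ts = int(headers["Timestamp"])
        scheme_and_id, presented = headers["Authorization"].split(":", 1)
    except (KeyError, ValueError):
        return False
    if not scheme_and_id.startswith("TC "):
        return False
    if abs(now - ts) > max_skew:  # stale or future-dated request
        return False
    expected = _signature(secret_key, path, method, ts)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed placeholder credentials; never hard-code real ones.
    hdrs = sign_request("EXAMPLE_ACCESS_ID", "EXAMPLE_SECRET_KEY",
                        "/api/v3/indicators?limit=5", "GET")
    print(hdrs)
    print(verify_request(hdrs, "EXAMPLE_SECRET_KEY",
                         "/api/v3/indicators?limit=5", "GET", int(time.time())))
```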

Configure ThreatConnect v3 on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for ThreatConnect v3.

  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| Base Url | The base URL for the API. | True |
| Access ID | The API credentials. | True |
| Secret key | The API secret key. | True |
| Default Organization | The default owner for the integration. | False |
| Tags filter for the fetch | Free text box to add comma-separated tags to filter the fetched incidents by. | False |
| Group Type filter for the fetch | The group type to filter the fetched incidents by. | False |
| Status filter for the fetch | The status to filter the fetched incidents by (if left empty, all statuses are fetched). | False |
| First fetch timestamp (<number> <time unit>, for example, 12 hours, 7 days, 3 months, 1 year) | | True |
| Incident Metadata | The metadata to collect. | False |
| Source Reliability | Reliability of the source providing the intelligence data. | True |
| Rating Threshold for Malicious Indicators (needed for reputation calculation) | Rating threshold for malicious indicators; necessary to calculate reputation. | False |
| Confidence Threshold for Malicious Indicators (needed for reputation calculation) | Confidence threshold for malicious indicators; necessary to calculate reputation. | False |
| Indicator Reputation Freshness in days (needed for reputation calculation) | Indicator reputation freshness; necessary to calculate reputation. | False |
| Trust any certificate (not secure) | Whether or not to trust any certificate. | False |
| Use system proxy settings | Whether or not to use the system proxy. | False |
| Maximum number of incidents to fetch | The maximum number of incidents to fetch per run. | 200 |
  4. Click Test to validate the URLs, token, and connection.
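The three reputation parameters (rating threshold, confidence threshold, freshness in days) only matter together, so here is an added, self-contained illustration of how such a verdict can be derived and how the `ratingThreshold`/`confidenceThreshold` command filters behave. This is not the integration's own code: the scoring rule (thresholds met and fresh gives Bad, thresholds met but stale gives Suspicious, otherwise Unknown) is the author's assumption, and the indicators are constructed sample data in the date format the page uses.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

# Standard Cortex XSOAR DBotScore scale.
DBOT_UNKNOWN, DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 0, 1, 2, 3
TC_DATE_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # the timestamp format shown in this documentation


@dataclass(frozen=True)
class ReputationPolicy:
    """The three instance parameters that drive reputation calculation."""
    rating_threshold: int      # ThreatConnect rating, 0 (Unknown) .. 5 (Critical)
    confidence_threshold: int  # ThreatConnect confidence, 0 .. 100 percent
    freshness_days: int        # maximum age of an assessment that still counts as current


def parse_tc_date(value: str) -> datetime:
    """Parse a ThreatConnect timestamp such as "2017-03-21T00:00:00Z" as UTC."""
    return datetime.strptime(value, TC_DATE_FORMAT).replace(tzinfo=timezone.utc)


def calculate_dbot_score(indicator: Dict, policy: ReputationPolicy, now: datetime) -> int:
    """Assumed scoring rule (the integration's exact rule may differ):
    - both thresholds met and the assessment is within the freshness window -> Bad
    - both thresholds met but the assessment is older than that -> Suspicious,
      because aged intel should not by itself drive a Malicious verdict
    - anything else -> Unknown; ThreatConnect not rating something as
      malicious is not evidence that it is benign
    """
    rating = int(indicator.get("rating") or 0)
    confidence = int(indicator.get("confidence") or 0)
    if rating < policy.rating_threshold or confidence < policy.confidence_threshold:
        return DBOT_UNKNOWN
    last_modified = parse_tc_date(indicator["lastModified"])
    is_fresh = now - last_modified <= timedelta(days=policy.freshness_days)
    return DBOT_BAD if is_fresh else DBOT_SUSPICIOUS


def score_indicators(indicators: Iterable[Dict], policy: ReputationPolicy,
                     now_iso: str) -> Dict[str, int]:
    """Score a batch of indicators against one policy at a fixed point in time."""
    now = parse_tc_date(now_iso)
    return {i["summary"]: calculate_dbot_score(i, policy, now) for i in indicators}


def filter_by_threshold(indicators: Iterable[Dict], rating_threshold: int = 0,
                        confidence_threshold: int = 0) -> List[Dict]:
    """Mirror the ratingThreshold / confidenceThreshold command arguments: keep
    indicators whose rating and confidence are strictly greater than the values given."""
    return [i for i in indicators
            if int(i.get("rating") or 0) > rating_threshold
            and int(i.get("confidence") or 0) > confidence_threshold]


# Constructed sample indicators in the shape of ThreatConnect results (not real data).
SAMPLE_INDICATORS = [
    {"summary": "198.51.100.7", "type": "Address", "rating": 4, "confidence": 85,
     "lastModified": "2024-05-01T12:00:00Z"},
    {"summary": "203.0.113.9", "type": "Address", "rating": 5, "confidence": 90,
     "lastModified": "2023-01-15T08:30:00Z"},
    {"summary": "192.0.2.44", "type": "Address", "rating": 1, "confidence": 20,
     "lastModified": "2024-05-02T09:00:00Z"},
]

if __name__ == "__main__":
    policy = ReputationPolicy(rating_threshold=3, confidence_threshold=70, freshness_days=30)
    for summary, score in score_indicators(SAMPLE_INDICATORS, policy, "2024-05-10T00:00:00Z").items():
        print(summary, score)
```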

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip

Searches for an indicator of type IP address.

Base Command

ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | A comma-separated list of IPv4 or IPv6 addresses. | Required |
| owners | A comma-separated list of a client's organizations, sources, or communities to which a user has permissions. For example, users with admin permissions can search for indicators belonging to all owners. | Optional |
| ratingThreshold | A comma-separated list of results filtered by indicators whose threat rating is greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - "Moderate", "4" - "High", or "5" - "Critical". | Optional |
| confidenceThreshold | A comma-separated list of results filtered by indicators whose confidence rating is greater than the specified value. Can be "0%" - "Unknown", "1%" - "Discredited", "2-29%" - "Improbable", "30-49%" - "Doubtful", "50-69%" - "Possible", "70-89%" - "Probable", or "90-100%" - "Confirmed". | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the indicator. |
| TC.Indicator.ID | string | The ID of the indicator. |
| TC.Indicator.Description | string | The description of the indicator. |
| TC.Indicator.Owner | string | The owner of the indicator. |
| TC.Indicator.CreateDate | date | The date the indicator was created. |
| TC.Indicator.LastModified | date | The date the indicator was last modified. |
| TC.Indicator.Rating | number | The threat rating of the indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the indicator. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Reliability | string | Reliability of the source providing the intelligence data. |
| IP.Address | string | The IP address of the indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |
| TC.Indicator.WebLink | string | The web link of the indicator. |

url

Searches for an indicator of type URL.

Base Command

url

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| url | A comma-separated list of URLs for which to search. For example, "www.demisto.com". | Required |
| owners | A comma-separated list of a client's organizations, sources, or communities to which a client's API user has been granted permission. For example, "owner1", "owner2", or "owner3". | Optional |
| ratingThreshold | A comma-separated list of results filtered by indicators whose threat rating is greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - "Moderate", "4" - "High", or "5" - "Critical". | Optional |
| confidenceThreshold | A comma-separated list of results filtered by indicators whose confidence rating is greater than the specified value. Can be "0%" - "Unknown", "1%" - "Discredited", "2-29%" - "Improbable", "30-49%" - "Doubtful", "50-69%" - "Possible", "70-89%" - "Probable", or "90-100%" - "Confirmed". | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the indicator. |
| TC.Indicator.ID | string | The ID of the indicator. |
| TC.Indicator.Description | string | The description of the indicator. |
| TC.Indicator.Owner | string | The owner of the indicator. |
| TC.Indicator.CreateDate | date | The date the indicator was created. |
| TC.Indicator.LastModified | date | The date the indicator was last modified. |
| TC.Indicator.Rating | number | The threat rating of the indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the indicator. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Reliability | string | Reliability of the source providing the intelligence data. |
| URL.Data | string | The data of the URL indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |
| TC.Indicator.WebLink | string | The web link of the indicator. |

file

Searches for an indicator of type file.

Base Command

file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | A comma-separated list of the hashes of the files. Can be "MD5", "SHA-1", or "SHA-256". | Required |
| owners | A comma-separated list of a client's organizations, sources, or communities to which a user has permissions. For example, users with admin permissions can search for indicators belonging to all owners. | Optional |
| ratingThreshold | A comma-separated list of results filtered by indicators whose threat rating is greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - "Moderate", "4" - "High", or "5" - "Critical". | Optional |
| confidenceThreshold | A comma-separated list of results filtered by indicators whose confidence rating is greater than the specified value. Can be "0%" - "Unknown", "1%" - "Discredited", "2-29%" - "Improbable", "30-49%" - "Doubtful", "50-69%" - "Possible", "70-89%" - "Probable", or "90-100%" - "Confirmed". | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the indicator. |
| TC.Indicator.ID | string | The ID of the indicator. |
| TC.Indicator.Description | string | The description of the indicator. |
| TC.Indicator.Owner | string | The owner of the indicator. |
| TC.Indicator.CreateDate | date | The date the indicator was created. |
| TC.Indicator.LastModified | date | The date the indicator was last modified. |
| TC.Indicator.Rating | number | The threat rating of the indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the indicator. |
| TC.Indicator.File.MD5 | string | The MD5 hash of the indicator. |
| TC.Indicator.File.SHA1 | string | The SHA1 hash of the indicator. |
| TC.Indicator.File.SHA256 | string | The SHA256 hash of the indicator. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Reliability | string | Reliability of the source providing the intelligence data. |
| File.MD5 | string | The MD5 hash of the indicator. |
| File.SHA1 | string | The SHA1 hash of the indicator. |
| File.SHA256 | string | The SHA256 hash of the indicator. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the full description. |
| TC.Indicator.WebLink | string | The web link of the indicator. |

tc-owners

Retrieves all owners for the current account.

Base Command

tc-owners

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Owner.Name | string | The name of the owner. |
| TC.Owner.ID | string | The ID of the owner. |
| TC.Owner.Type | string | The type of the owner. |

tc-indicators

Retrieves a list of all indicators.

Base Command

tc-indicators

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| owner | A comma-separated list of results filtered by the owner of the indicator. | Optional |
| page | The page to take the results from. | Optional |
| limit | The maximum number of results that can be returned. The default is 500. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the indicator. |
| TC.Indicator.ID | string | The ID of the indicator. |
| TC.Indicator.Description | string | The description of the indicator. |
| TC.Indicator.Owner | string | The owner of the indicator. |
| TC.Indicator.CreateDate | date | The date the indicator was created. |
| TC.Indicator.LastModified | date | The date the indicator was last modified. |
| TC.Indicator.Rating | number | The threat rating of the indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the indicator. |
| TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
| TC.Indicator.File.MD5 | string | The MD5 hash of the file indicator. |
| TC.Indicator.File.SHA1 | string | The SHA1 hash of the file indicator. |
| TC.Indicator.File.SHA256 | string | The SHA256 hash of the file indicator. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Reliability | string | Reliability of the source providing the intelligence data. |
| IP.Address | string | The IP address of the indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |
| URL.Data | string | The data of the URL indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |
| Domain.Name | string | The name of the domain. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the full description. |
| TC.Indicator.WebLink | string | The web link of the indicator. |

tc-get-tags

Returns a list of all ThreatConnect tags.

Base Command

tc-get-tags

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| page | The page to take the results from. | Optional |
| limit | The maximum number of results that can be returned. The default is 500. | Optional |
| name | The name of the tag to get. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Tags | Unknown | A list of tags. |

tc-tag-indicator

Adds a tag to an existing indicator.

Base Command

tc-tag-indicator

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| tag | The name of the tag. | Required |
| indicator | The indicator to tag. For example, for an IP indicator, "8.8.8.8". | Required |

Context Output

There is no context output for this command.

tc-get-indicator

Retrieves information about an indicator.

Base Command

tc-get-indicator

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The ID of the indicator by which to search. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the indicator. |
| TC.Indicator.ID | string | The ID of the indicator. |
| TC.Indicator.Description | string | The description of the indicator. |
| TC.Indicator.Owner | string | The owner of the indicator. |
| TC.Indicator.CreateDate | date | The date the indicator was created. |
| TC.Indicator.LastModified | date | The date the indicator was last modified. |
| TC.Indicator.Rating | number | The threat rating of the indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the indicator. |
| TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
| TC.Indicator.File.MD5 | string | The MD5 hash of the file indicator. |
| TC.Indicator.File.SHA1 | string | The SHA1 hash of the file indicator. |
| TC.Indicator.File.SHA256 | string | The SHA256 hash of the file indicator. |
| TC.Indicator.IndicatorAttributes.dateAdded | date | The date the indicator attribute was added. |
| TC.Indicator.IndicatorAttributes.displayed | boolean | Whether to display the indicator attributes on ThreatConnect. |
| TC.Indicator.IndicatorAttributes.id | number | The ID of the attribute. |
| TC.Indicator.IndicatorAttributes.lastModified | date | The date the indicator attribute was last modified. |
| TC.Indicator.IndicatorAttributes.type | string | The name of the attribute. |
| TC.Indicator.IndicatorAttributes.value | string | The contents of the attribute. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Reliability | string | Reliability of the source providing the intelligence data. |
| IP.Address | string | The IP address of the indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |
| URL.Data | string | The data of the URL indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |
| Domain.Name | string | The domain name of the indicator. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the full description. |
| TC.Indicator.WebLink | string | The web link of the indicator. |

tc-get-indicators-by-tag

Fetches all indicators that have a tag.

Base Command

tc-get-indicators-by-tag

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| tag | The name of the tag by which to filter the results. | Required |
| owner | A comma-separated list of indicators filtered by the owner. | Optional |
| page | The page to take the results from. | Optional |
| limit | The maximum number of results that can be returned. The default is 500. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Indicator.Name | string | The name of the tagged indicator. |
| TC.Indicator.Type | string | The type of the tagged indicator. |
| TC.Indicator.ID | string | The ID of the tagged indicator. |
| TC.Indicator.Description | string | The description of the tagged indicator. |
| TC.Indicator.Owner | string | The owner of the tagged indicator. |
| TC.Indicator.CreateDate | date | The date the tagged indicator was created. |
| TC.Indicator.LastModified | date | The date the tagged indicator was last modified. |
| TC.Indicator.Rating | number | The threat rating of the tagged indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the tagged indicator. |
| TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
| TC.Indicator.File.MD5 | string | The MD5 hash of the file indicator. |
| TC.Indicator.File.SHA1 | string | The SHA1 hash of the file indicator. |
| TC.Indicator.File.SHA256 | string | The SHA256 hash of the file indicator. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Reliability | string | Reliability of the source providing the intelligence data. |
| IP.Address | string | The IP address of the tagged indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |
| URL.Data | string | The data of the URL of the tagged indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |
| Domain.Name | string | The domain name of the tagged indicator. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the full description. |
| TC.Indicator.WebLink | string | The web link of the indicator. |

tc-add-indicator

Adds a new indicator to ThreatConnect.

Base Command

tc-add-indicator

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator | The indicator to add. | Required |
| indicatorType | The type of the indicator. Possible values are: Address, Agent, User, Registry Key, Mutex, Hashtag, Email Subject, Subject, Email, CIDR, Host, URL, ASN, File, EmailAddress. | Required |
| hashType | The type of hash for the file indicator. Possible values are: md5, sha1, sha256. | Optional |
| rating | The threat rating of the indicator. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - "Moderate", "4" - "High", or "5" - "Critical". | Optional |
| confidence | The confidence rating of the indicator. Can be "0%" - "Unknown", "1%" - "Discredited", "2-29%" - "Improbable", "30-49%" - "Doubtful", "50-69%" - "Possible", "70-89%" - "Probable", or "90-100%" - "Confirmed". | Optional |
| description | The description of the indicator. | Optional |
| tags | A comma-separated list of the tags to apply to the campaign. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of indicator. |
| TC.Indicator.ID | string | The ID of the indicator. |
| TC.Indicator.Description | string | The description of the indicator. |
| TC.Indicator.Owner | string | The owner of the indicator. |
| TC.Indicator.CreateDate | date | The date the added indicator was created. |
| TC.Indicator.LastModified | date | The date the added indicator was last modified. |
| TC.Indicator.Rating | number | The threat rating of the indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the indicator. |
| TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
| TC.Indicator.File.MD5 | string | The MD5 hash of the file indicator. |
| TC.Indicator.File.SHA1 | string | The SHA1 hash of the file indicator. |
| TC.Indicator.File.SHA256 | string | The SHA256 hash of the file indicator. |
| IP.Address | string | The IP address of the indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |
| URL.Data | string | The data of the URL indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |
| Domain.Name | string | The name of the added domain indicator. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the full description. |
| TC.Indicator.WebLink | string | The web link of the indicator. |

tc-create-incident

Creates a new incident group.

Base Command

tc-create-incident

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incidentName | The name of the incident group. | Required |
| eventDate | The creation time of an incident in the "2017-03-21T00:00:00Z" format. | Optional |
| tag | A comma-separated list of the tags applied to the incident. | Optional |
| securityLabel | The security label applied to the incident. Possible values are: TLP:RED, TLP:GREEN, TLP:AMBER, TLP:WHITE. | Optional |
| description | The description of the incident. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Incident.Name | string | The name of the new incident group. |
| TC.Incident.Owner | string | The owner of the new incident. |
| TC.Incident.EventDate | date | The date on which the event that indicates an incident occurred. |
| TC.Incident.Tag | string | The name of the tag of the new incident. |
| TC.Incident.SecurityLabel | string | The security label of the new incident. |
| TC.Incident.ID | Unknown | The ID of the new incident. |

tc-incident-associate-indicator

Associates an indicator with an existing incident. The indicator must exist before running this command. To add an indicator, run the tc-add-indicator command.

Base Command

tc-incident-associate-indicator

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incidentId | The ID of the incident to which the indicator is associated. | Required |
| indicator | The ID of the indicator. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the indicator. |
| TC.Indicator.ID | string | The ID of the indicator. |
| TC.Indicator.Description | string | The description of the indicator. |
| TC.Indicator.Owner | string | The owner of the indicator. |
| TC.Indicator.CreateDate | date | The date the associated indicator was created. |
| TC.Indicator.LastModified | date | The date the associated indicator was last modified. |
| TC.Indicator.Rating | number | The threat rating of the indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the indicator. |
| TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
| TC.Indicator.File.MD5 | string | The MD5 hash of the file indicator. |
| TC.Indicator.File.SHA1 | string | The SHA1 hash of the file indicator. |
| TC.Indicator.File.SHA256 | string | The SHA256 hash of the file indicator. |
| IP.Address | string | The IP address of the associated indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |
| URL.Data | string | The data of the URL of the associated indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |
| Domain.Name | string | The name of the domain indicator. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the full description. |
| TC.Indicator.WebLink | string | The web link of the indicator. |

domain

Searches for an indicator of type domain.

Base Command

domain

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | A comma-separated list of domain names. | Required |
| owners | A comma-separated list of a client's organizations, sources, or communities to which a user has permissions. For example, users with admin permissions can search for indicators belonging to all owners. | Optional |
| ratingThreshold | A comma-separated list of results filtered by indicators whose threat rating is greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious", "2" - "Low", "3" - "Moderate", "4" - "High", or "5" - "Critical". | Optional |
| confidenceThreshold | A comma-separated list of results filtered by indicators whose confidence rating is greater than the specified value. Can be "0%" - "Unknown", "1%" - "Discredited", "2-29%" - "Improbable", "30-49%" - "Doubtful", "50-69%" - "Possible", "70-89%" - "Probable", or "90-100%" - "Confirmed". | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the domain. |
| TC.Indicator.ID | string | The ID of the domain. |
| TC.Indicator.Description | string | The description of the domain. |
| TC.Indicator.Owner | string | The owner of the domain. |
| TC.Indicator.CreateDate | date | The date the domain indicator was created. |
| TC.Indicator.LastModified | date | The date the domain indicator was last modified. |
| TC.Indicator.Rating | number | The threat rating of the domain. |
| TC.Indicator.Confidence | number | The confidence rating of the domain. |
| TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Reliability | string | Reliability of the source providing the intelligence data. |
| Domain.Name | string | The name of the domain. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |
| TC.Indicator.WebLink | string | The web link of the indicator. |

tc-get-incident-associate-indicators

Returns indicators that are related to a specific incident.

Base Command

tc-get-incident-associate-indicators

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incidentId | The ID of the incident. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Indicator.Name | string | The name of the returned indicator. |
| TC.Indicator.Type | string | The type of the returned indicator. |
| TC.Indicator.ID | string | The ID of the returned indicator. |
| TC.Indicator.Description | string | The description of the returned indicator. |
| TC.Indicator.Owner | string | The owner of the returned indicator. |
| TC.Indicator.CreateDate | date | The date the returned indicator was created. |
| TC.Indicator.LastModified | date | The date the returned indicator was last modified. |
| TC.Indicator.Rating | number | The threat rating of the returned indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the returned indicator. |
| TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
| TC.Indicator.File.MD5 | string | The MD5 hash of the file indicator. |
| TC.Indicator.File.SHA1 | string | The SHA1 hash of the file indicator. |
| TC.Indicator.File.SHA256 | string | The SHA256 hash of the file indicator. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Reliability | string | Reliability of the source providing the intelligence data. |
| IP.Address | string | The IP address of the returned indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |
| URL.Data | string | The data of the URL of the returned indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |
| Domain.Name | string | The name of the domain. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the full description. |

tc-update-indicator

Updates the indicator in ThreatConnect.

Base Command

tc-update-indicator

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator | The name of the updated indicator. | Required |
| rating | The threat rating of the updated indicator. | Optional |
| confidence | The confidence rating of the updated indicator. | Optional |
| size | The size of the file of the updated indicator. | Optional |
| dnsActive | Whether the DNS indicator is active (only for hosts). Possible values are: True, False. | Optional |
| whoisActive | Whether the indicator is active (only for hosts). Possible values are: True, False. | Optional |
| falsePositive | Whether the updated indicator is a false positive. Possible values are: True, False. | Optional |
| securityLabel | The security label applied to the incident. Possible values are: TLP:RED, TLP:GREEN, TLP:AMBER, TLP:WHITE. | Optional |
| tags | A comma-separated list of tags. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the indicator. |
| TC.Indicator.ID | string | The ID of the indicator. |
| TC.Indicator.Description | string | The description of the indicator. |
| TC.Indicator.Owner | string | The owner of the indicator. |
| TC.Indicator.CreateDate | date | The date the indicator was created. |
| TC.Indicator.LastModified | date | The date the indicator was last modified. |
| TC.Indicator.Rating | number | The threat rating of the indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the indicator. |
| TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
| TC.Indicator.File.MD5 | string | The MD5 hash of the file indicator. |
| TC.Indicator.File.SHA1 | string | The SHA1 hash of the file indicator. |
| TC.Indicator.File.SHA256 | string | The SHA256 hash of the file indicator. |
| IP.Address | string | The IP address of the indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |
| URL.Data | string | The data of the URL indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |
| Domain.Name | string | The domain name of the indicator. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the full description. |
| TC.Indicator.WebLink | string | The web link of the indicator. |

tc-delete-indicator-tag#


Removes a tag from a specified indicator.

Base Command#

tc-delete-indicator-tag

Input#

Argument Name | Description | Required
indicator | The ID of the indicator from which to remove a tag. | Required
tag | The name of the tag to remove from the indicator. | Required

Context Output#

Path | Type | Description
TC.Indicator.Name | string | The name of the indicator.
TC.Indicator.Type | string | The type of the indicator.
TC.Indicator.ID | string | The ID of the indicator.
TC.Indicator.Description | string | The description of the indicator.
TC.Indicator.Owner | string | The owner of the indicator.
TC.Indicator.CreateDate | date | The date the indicator was created.
TC.Indicator.LastModified | date | The date the indicator was last modified.
TC.Indicator.Rating | number | The threat rating of the indicator.
TC.Indicator.Confidence | number | The confidence rating of the indicator.
TC.Indicator.WhoisActive | string | The WHOIS-active flag of the indicator (domains only).
TC.Indicator.File.MD5 | string | The MD5 hash of the file indicator.
TC.Indicator.File.SHA1 | string | The SHA1 hash of the file indicator.
TC.Indicator.File.SHA256 | string | The SHA256 hash of the file indicator.
IP.Address | string | The IP address of the indicator.
IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision.
IP.Malicious.Description | string | For malicious IP addresses, the full description.
URL.Data | string | The URL data of the indicator.
URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision.
URL.Malicious.Description | string | For malicious URLs, the full description.
Domain.Name | string | The domain name of the indicator.
Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision.
Domain.Malicious.Description | string | For malicious domains, the full description.
File.MD5 | string | The MD5 hash of the file.
File.SHA1 | string | The SHA1 hash of the file.
File.SHA256 | string | The SHA256 hash of the file.
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision.
File.Malicious.Description | string | For malicious files, the full description.
TC.Indicator.WebLink | string | The web link of the indicator.

tc-delete-indicator#


Deletes an indicator from ThreatConnect.

Base Command#

tc-delete-indicator

Input#

Argument Name | Description | Required
indicator | The ID of the indicator to delete. | Required

Context Output#

There is no context output for this command.

tc-create-campaign#


Creates a group based on the Campaign type.

Base Command#

tc-create-campaign

Input#

Argument Name | Description | Required
name | The name of the campaign group. | Required
firstSeen | The date the campaign was first seen. | Optional
description | The description of the campaign. | Optional
tag | A comma-separated list of the tags to apply to the campaign. | Optional
securityLabel | The security label applied to the campaign. Possible values are: TLP:RED, TLP:GREEN, TLP:AMBER, TLP:WHITE. | Optional

Context Output#

Path | Type | Description
TC.Campaign.Name | string | The name of the campaign.
TC.Campaign.Owner | string | The owner of the campaign.
TC.Campaign.FirstSeen | date | The date the campaign was first seen.
TC.Campaign.Tag | string | The tag of the campaign.
TC.Campaign.SecurityLevel | string | The security label of the campaign.
TC.Campaign.ID | string | The ID of the campaign.

tc-create-event#


Creates a group based on the Event type.

Base Command#

tc-create-event

Input#

Argument Name | Description | Required
name | The name of the event group. | Required
eventDate | The date the event occurred. If the date is not specified, the current date is used. | Optional
status | The status of the event. Possible values are: Needs Review, False Positive, No Further Action, Escalated. | Optional
tag | A comma-separated list of the tags of the event. | Optional
owner_name | The name of the owner to which the group belongs. By default, events are created in the organization in which the API user account resides. | Optional

Context Output#

Path | Type | Description
TC.Event.Name | string | The name of the event.
TC.Event.Date | date | The date of the event.
TC.Event.Status | string | The status of the event.
TC.Event.Owner | string | The owner of the event.
TC.Event.Tag | string | The tag of the event.
TC.Event.ID | string | The ID of the event.
TC.Event.Type | string | The type of the event.

tc-create-threat#


Creates a group based on the "Threats" type.

Base Command#

tc-create-threat

Input#

Argument Name | Description | Required
name | The name of the threat group. | Required
eventDate | The creation time of the threat, in the "2017-03-21T00:00:00Z" format. | Optional
tags | A comma-separated list of the tags applied to the threat. | Optional
securityLabel | The security label applied to the threat. Possible values are: TLP:RED, TLP:GREEN, TLP:AMBER, TLP:WHITE. | Optional
description | The description of the threat. | Optional

Context Output#

Path | Type | Description
TC.Threat.Name | string | The name of the threat.
TC.Threat.ID | string | The ID of the threat.

tc-delete-group#


Deletes a group.

Base Command#

tc-delete-group

Input#

Argument Name | Description | Required
groupID | A comma-separated list of the IDs of the groups to delete. | Required

Context Output#

There is no context output for this command.

tc-get-events#


Returns a list of events.

Base Command#

tc-get-events

Input#

Argument Name | Description | Required
fromDate | The date to retrieve groups from, in the yyyy-mm-dd format, e.g., 1111-11-11. | Optional
tag | The tag to retrieve groups by. | Optional
page | The page to take the results from. | Optional
limit | The maximum number of results that can be returned. The default is 500. | Optional
id | A comma-separated list of IDs to filter the groups by. | Optional
filter | A free-text TQL filter. (Refer here for a basic TQL guide.) | Optional

Context Output#

Path | Type | Description
TC.Event.DateAdded | Date | The date the event was added.
TC.Event.EventDate | Date | The date the event occurred.
TC.Event.ID | Number | The ID of the event.
TC.Event.OwnerName | String | The name of the owner of the event.
TC.Event.Status | String | The status of the event.
TC.Event.AssociatedGroups | String | The associated groups for the event.
TC.Event.AssociatedIndicators | String | The associated indicators for the event.
TC.Event.Tags | String | The tags of the event.

tc-list-groups#


Returns all groups.

Base Command#

tc-list-groups

Input#

Argument Name | Description | Required
group_type | The type of the group. Possible values are: Adversary, Attack Pattern, Campaign, Course of Action, Document, E-mail, Event, Incident, Intrusion Set, Malware, Report, Signature, Tactic, Task, Threat, Tool, Vulnerability. | Optional
fromDate | The date to retrieve groups from, in the yyyy-mm-dd format, e.g., 1111-11-11. | Optional
tag | The tag to retrieve groups by. | Optional
page | The page to take the results from. | Optional
limit | The maximum number of results that can be returned. The default is 500. | Optional
id | A comma-separated list of IDs to filter the groups by. | Optional
filter | A free-text TQL filter. (Refer here for a basic TQL guide.) | Optional
include_tags | Add group tags metadata to the results. | Optional
include_security_labels | Add group security labels metadata to the results. | Optional
include_attributes | Add group attributes metadata to the results. | Optional
include_associated_groups | Add group associated groups metadata to the results. | Optional
include_associated_indicators | Add group associated indicators metadata to the results. | Optional
include_all_metaData | Add all group metadata to the results. | Optional

Context Output#

Path | Type | Description
TC.Group.DateAdded | Date | The date the group was added.
TC.Group.EventDate | Date | The date the event occurred.
TC.Group.Name | String | The name of the group.
TC.Group.OwnerName | String | The name of the owner of the group.
TC.Group.Status | String | The status of the group.
TC.Group.ID | Number | The ID of the group.
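
Both tc-get-events and tc-list-groups page their results through the page and limit arguments above (limit defaults to 500), so a playbook that needs the full set has to walk every page. The following is an added example, not code from the ThreatConnect v3 pack: run_command is an assumed XSOAR-style callable (command, args) that returns the list of entries, the page argument is assumed to be zero-based, and MAX_PAGES is an assumed safety cap.

```python
"""Added example (not code from the ThreatConnect v3 pack): walk every page of
tc-get-events or tc-list-groups via the page/limit arguments documented above.
run_command is an assumed XSOAR-style callable (command, args) -> list of entries;
in a real automation it would wrap demisto.executeCommand and unpack the results."""
from typing import Callable, Dict, List

FIRST_PAGE = 0   # assumption: the page argument is zero-based
MAX_PAGES = 200  # assumed safety cap so an API that never returns a short page cannot loop forever


def collect_all(run_command: Callable[[str, Dict], List[Dict]], command: str,
                base_args: Dict, limit: int = 500, id_key: str = "ID") -> List[Dict]:
    """Return every entry across all pages, de-duplicated on id_key.

    A page shorter than `limit` ends the walk. De-duplication matters because
    events/groups created between two requests shift the later pages, so the
    same entry can come back twice; entries without an ID are kept as-is.
    """
    seen, out = set(), []
    for page in range(FIRST_PAGE, FIRST_PAGE + MAX_PAGES):
        args = dict(base_args, page=str(page), limit=str(limit))
        entries = run_command(command, args)
        for entry in entries:
            key = entry.get(id_key)
            if key is not None:
                if key in seen:
                    continue
                seen.add(key)
            out.append(entry)
        if len(entries) < limit:
            return out
    raise RuntimeError(f"{command}: no short page after {MAX_PAGES} pages; refusing to loop")


# Constructed stand-ins for the integration (not real ThreatConnect data).
_FAKE_EVENTS = [{"ID": i, "Status": "Needs Review", "Tags": "ransomware"} for i in range(1, 8)]


def fake_run_command(command: str, args: Dict) -> List[Dict]:
    """Serves the 7 fake events `limit` at a time; the last page (limit=3) also
    repeats event 3 to mimic an entry that shifted between requests."""
    if command != "tc-get-events":
        raise ValueError(f"unexpected command {command}")
    page, limit = int(args["page"]), int(args["limit"])
    chunk = _FAKE_EVENTS[page * limit:(page + 1) * limit]
    return chunk + [_FAKE_EVENTS[2]] if page == 2 else chunk


def endless_run_command(command: str, args: Dict) -> List[Dict]:
    """Always returns a full page of fresh IDs, so the safety cap must fire."""
    page, limit = int(args["page"]), int(args["limit"])
    return [{"ID": page * limit + i} for i in range(limit)]


if __name__ == "__main__":
    events = collect_all(fake_run_command, "tc-get-events", {"tag": "ransomware"}, limit=3)
    print([e["ID"] for e in events])  # [1, 2, 3, 4, 5, 6, 7]
```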

tc-add-group-tag#


Adds tags to a specified group.

Base Command#

tc-add-group-tag

Input#

Argument Name | Description | Required
group_id | The ID of the group to which to add the tag. To get the ID, run the tc-list-groups command. | Required
tag_name | The name of the tag to add to the group. | Required

Context Output#

There is no context output for this command.

tc-get-indicator-types#


Returns all indicator types available.

Base Command#

tc-get-indicator-types

Input#

There are no input arguments for this command.

Context Output#

Path | Type | Description
TC.IndicatorType.ApiBranch | String | The branch of the API.
TC.IndicatorType.ApiEntity | String | The entity of the API.
TC.IndicatorType.CasePreference | String | The case preference of the indicator. For example, "sensitive", "upper", or "lower".
TC.IndicatorType.Custom | Boolean | Whether the indicator is a custom indicator.
TC.IndicatorType.Parsable | Boolean | Whether the indicator can be parsed.
TC.IndicatorType.Value1Type | String | The value type of the indicator.
TC.IndicatorType.Value1Label | String | The value label of the indicator.

tc-create-document-group#


Creates a document group.

Base Command#

tc-create-document-group

Input#

Argument Name | Description | Required
file_name | The name of the file to display in the UI. | Required
name | The name of the group. | Required
malware | Whether the file is malware. If "true", ThreatConnect creates a password-protected ZIP file on your local machine that contains the sample and uploads the ZIP file. Possible values are: true, false. | Optional
password | The password of the ZIP file. | Optional
security_label | The security label applied to the document. Possible values are: TLP:RED, TLP:GREEN, TLP:AMBER, TLP:WHITE. | Optional
description | A description of the group. | Optional
entry_id | The ID of the entry, as displayed in the War Room. | Required

Context Output#

Path | Type | Description
TC.Group.Name | String | The name of the group.
TC.Group.Owner | String | The owner of the group.
TC.Group.EventDate | Date | The date the group was created.
TC.Group.Description | String | The description of the group.
TC.Group.SecurityLabel | String | The security label of the group.
TC.Group.ID | Number | The ID of the group.

tc-download-document#


Downloads the contents of a document.

Base Command#

tc-download-document

Input#

Argument Name | Description | Required
document_id | The ID of the document. | Required

Context Output#

Path | Type | Description
File.Size | Number | The size of the file.
File.SHA1 | String | The SHA1 hash of the file.
File.SHA256 | String | The SHA256 hash of the file.
File.Name | String | The name of the file.
File.SSDeep | String | The ssdeep hash of the file (same as displayed in file entries).
File.EntryID | String | The entry ID of the file.
File.Info | String | The information of the file.
File.Type | String | The type of the file.
File.MD5 | String | The MD5 hash of the file.
File.Extension | String | The extension of the file.

tc-get-associated-groups#


Returns groups associated with a specified group.

Base Command#

tc-get-associated-groups

Input#

Argument Name | Description | Required
group_id | The ID of the group. To get the ID, run the tc-list-groups command. | Required

Context Output#

Path | Type | Description
TC.Group.AssociatedGroup.DateAdded | Date | The date the group was added.
TC.Group.AssociatedGroup.GroupID | Number | The ID of the group.
TC.Group.AssociatedGroup.Name | String | The name of the group.
TC.Group.AssociatedGroup.OwnerName | String | The name of the owner of the group.
TC.Group.AssociatedGroup.Type | String | The type of the group.

tc-get-indicator-owners#


Returns the owner of an indicator.

Base Command#

tc-get-indicator-owners

Input#

Argument Name | Description | Required
indicator | The ID of the indicator. | Required

Context Output#

There is no context output for this command.

tc-download-report#


Downloads the report of a group in PDF format.

Base Command#

tc-download-report

Input#

Argument Name | Description | Required
group_id | The ID of the group. | Required

Context Output#

Path | Type | Description
File.Size | Number | The size of the file.
File.SHA1 | String | The SHA1 hash of the file.
File.SHA256 | String | The SHA256 hash of the file.
File.Name | String | The name of the file.
File.SSDeep | String | The ssdeep hash of the file.
File.EntryID | String | The entry ID of the file.
File.Info | String | The information of the file.
File.Type | String | The type of the file.
File.MD5 | String | The MD5 hash of the file.
File.Extension | String | The extension of the file.

tc-update-group#


Updates a group.

Base Command#

tc-update-group

Input#

Argument Name | Description | Required
id | The ID of the group. | Required
custom_field | Custom fields for the group. | Optional
tags | A comma-separated list of the tags applied to the group. | Optional
security_label | The security label applied to the group. Possible values are: TLP:RED, TLP:GREEN, TLP:AMBER, TLP:WHITE. | Optional
associated_group_id | The ID of a group to associate with this group. | Optional
associated_indicator_id | The ID of an indicator to associate with this group. | Optional
security_label | The type of update to the group metadata (associated indicators, attributes, tags, etc.). Possible values are: append, delete, replace. | Optional
attribute_value | The value of the attribute to associate. | Optional
attribute_type | The type of the attribute to associate. | Optional

Context Output#

Path | Type | Description
TC.Group.Name | string | The name of the group.
TC.Group.Owner | string | The owner of the group.
TC.Group.Tag | string | The tag of the group.
TC.Group.SecurityLevel | string | The security label of the group.
TC.Group.ID | string | The ID of the group.

Redundant Arguments#

The following arguments were removed in this version:

In the tc-tag-indicator command:

  • owner - this argument was redundant.

In the tc-get-indicator command:

  • indicator_type - this argument was redundant.
  • owners - this argument was redundant.
  • ratingThreshold - this argument was redundant.
  • confidenceThreshold - this argument was redundant.
  • group_associations - this argument was redundant.
  • indicator_associations - this argument was redundant.
  • indicator_observations - this argument was redundant.
  • indicator_tags - this argument was redundant.
  • indicator_attributes - this argument was redundant.

In the tc-add-indicator command:

  • owner - this argument was redundant.

In the tc-create-incident command:

  • owner - this argument was redundant.

In the tc-fetch-incidents command:

  • incidentName - this argument was redundant.

In the tc-incident-associate-indicator command:

  • indicatorType - this argument was redundant.
  • owner - this argument was redundant.

In the tc-get-incident-associate-indicators command:

  • owner - this argument was redundant.

In the tc-update-indicator command:

  • observations - this argument was redundant.
  • threatAssessConfidence - this argument was redundant.
  • threatAssessRating - this argument was redundant.
  • owner - this argument was redundant.

In the tc-create-campaign command:

  • owner - this argument was redundant.

In the tc-create-event command:

  • owner - this argument was redundant.

In the tc-delete-group command:

  • type - this argument was redundant.

In the tc-add-group-attribute command:

  • group_type - this argument was redundant.

In the tc-add-group-security-label command:

  • group_type - this argument was redundant.

In the tc-add-group-tag command:

  • group_type - this argument was redundant.

In the tc-group-associate-indicator command:

  • indicator_type - this argument was redundant.
  • group_type - this argument was redundant.

In the tc-get-group command:

  • group_type - this argument was redundant.

In the tc-get-group-attributes command:

  • group_type - this argument was redundant.

In the tc-get-group-security-labels command:

  • group_type - this argument was redundant.

In the tc-get-group-tags command:

  • group_type - this argument was redundant.

In the tc-get-group-indicators command:

  • group_type - this argument was redundant.

In the tc-get-associated-groups command:

  • group_type - this argument was redundant.

In the tc-associate-group-to-group command:

  • group_type - this argument was redundant.
  • associated_group_type - this argument was redundant.

In the tc-download-report command:

  • group_type - this argument was redundant.

Additional Considerations for this version#

API version 3 documentation: use the new REST v3 API instead of the old Python module.