ThreatConnect Intelligence
The ThreatConnect Intelligence connector facilitates interaction with ThreatConnect's suite of threat intelligence tools, enabling users to automate actions related to indicators, attributes, and tags.

ThreatConnect Intelligence is a robust threat intelligence platform that provides comprehensive data on indicators of compromise (IOCs) and adversaries. This connector enables Swimlane Turbine users to integrate real-time threat intelligence into their security workflows, allowing for the automation of indicator management, enrichment, and analysis. By leveraging ThreatConnect's detailed threat ratings, attributes, and tags, security teams can enhance incident response, streamline threat hunting, and improve overall security posture with actionable insights.

## Prerequisites

To effectively utilize the ThreatConnect Intelligence connector with Swimlane Turbine, ensure you have the following:

HMAC authentication with the necessary parameters:

- URL: endpoint for ThreatConnect API access
- Access Key: unique identifier for API access
- Secret Key: confidential key paired with the Access Key for secure authentication

## Capabilities

The ThreatConnect connector provides the following capabilities:

- Add Indicator False Positive
- Create Indicator Attributes
- Create Indicator Threat and Confidence Ratings
- Fetch All Indicators
- Get Indicators
- Get Indicators by Incident ID
- Get Tags by Incident ID
- Update Indicator Attributes

## Tasks Setup

### Fetch All Indicators

If no indicator type is passed, this action fetches all indicators. To check all possible values of indicator types, see https://docs.threatconnect.com/en/latest/rest_api/v2/indicators/indicators.html#retrieve-multiple-indicators.

## Notes

- If using an API user account on ThreatConnect's public cloud instance, the ThreatConnect API is accessible at https://app.threatconnect.com/api.
- If using an API user account on a dedicated cloud or on-premises ThreatConnect instance, the ThreatConnect API is accessible at the base URL of your instance followed by /api (e.g., https://companyabc.threatconnect.com/api).
- https://docs.threatconnect.com/en/latest/python/quick_start.html
- https://training.threatconnect.com/learn/article/creating-user-accounts-kb-article

## Configurations

### ThreatConnect HMAC

Authenticates using HMAC.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| access_key | Access Key | string | required |
| secret_key | Secret Key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Add Indicator False Positive

Marks an indicator as a false positive in ThreatConnect Intelligence, specifying the indicator type and value.

**Endpoint URL:** /api/v2/indicators/{{indicatorType}}/{{indicator}}/falsePositive

**Method:** POST

**Input argument**

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.indicatorType | string | required | Type of the indicator |
| path_parameters.indicator | string | required | Specific indicator value |

**Input example**

```json
{"path_parameters": {"indicatorType": "hosts", "indicator": "example.com"}}
```

**Output parameter**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| data | object | Response data |
| data.falsePositive | object | Response data |
| data.falsePositive.count | number | Response data |
| data.falsePositive.lastReported | string | Response data |

**Output example**

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"status": "Success", "data": {"falsePositive": {}}}}
```

### Create Indicator Attributes

Adds custom attributes to a specified indicator in ThreatConnect Intelligence, using type and value for precise targeting.

**Endpoint URL:** /api/v2/indicators/{{indicatorType}}/{{indicator}}/attributes

**Method:** POST

**Input argument**

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.indicatorType | string | required | Type of the indicator |
| path_parameters.indicator | string | required | Specific indicator value |
| type | string | optional | Type of the attribute |
| value | string | optional | Value of the attribute |
| displayed | boolean | optional | Whether the attribute is displayed |

**Input example**

```json
{"json_body": {"type": "Description", "value": "This is a test description.", "displayed": true}, "path_parameters": {"indicatorType": "emailAddresses", "indicator": "bad@example.com"}}
```

**Output parameter**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| data | object | Response data |
| data.attribute | object | Response data |
| data.attribute.id | string | Response data |
| data.attribute.type | string | Response data |
| data.attribute.dateAdded | string | Response data |
| data.attribute.lastModified | string | Response data |
| data.attribute.displayed | boolean | Response data |
| data.attribute.value | string | Response data |

**Output example**

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"status": "Success", "data": {"attribute": {}}}}
```

### Create Indicator Threat and Confidence Ratings

Creates threat and confidence ratings for a specified indicator type in ThreatConnect Intelligence; a 'type' is required in the JSON body.

**Endpoint URL:** /api/v3/indicators?fields=associatedGroups&fields=attributes&fields=securityLabels&fields=tags

**Method:** POST

**Input argument**

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| active | boolean | optional | Indicates whether the indicator is active |
| activeLocked | boolean | optional | Indicates whether the active indicator status is locked |
| associatedArtifacts | object | optional | A list of artifacts associated to the indicator |
| associatedArtifacts.data | array | optional | Response data |
| associatedArtifacts.data.id | number | optional | Artifact ID |
| associatedArtifacts.data.caseId | number | optional | The ID of the case to which the artifact belongs |
| associatedArtifacts.data.summary | string | optional | The summary (i.e., name) of the artifact |
| associatedArtifacts.data.type | string | optional | The artifact's type |
| associatedCases | object | optional | A list of cases associated to the indicator |
| associatedCases.data | array | optional | Response data |
| associatedCases.data.id | number | optional | Case ID |
| associatedCases.data.name | string | optional | The name of the case |
| associatedCases.data.status | string | optional | The status of the case |
| associatedCases.data.severity | string | optional | The severity of the case |
| associatedGroups | object | optional | A list of groups associated to the indicator |
| associatedGroups.data | array | optional | Response data |
| associatedGroups.data.id | number | optional | Group ID |
| associatedGroups.data.name | string | optional | The group's name |
| associatedGroups.data.type | string | optional | The type of group |
| associatedGroups.data.ownerName | string | optional | The name of the owner to which the group belongs |
| associatedIndicators | object | optional | A list of indicators associated to the indicator |
| associatedIndicators.data | array | optional | Response data |
| associatedIndicators.data.id | number | optional | Indicator ID |
| associatedIndicators.data.hostName | string | optional | The host name associated with the Host indicator |
| associatedIndicators.data.type | string | optional | The type of indicator |

**Input example**

```json
{"json_body": {"type": "Host", "hostName": "ultrabadguy.com", "dnsActive": true, "whoisActive": true, "active": true, "associatedGroups": {"data": [{"id": 12}, {"name": "Bad Guy", "type": "Adversary", "ownerName": "Demo Source"}]}, "attributes": {"data": [{"type": "Description", "value": "This host is very dangerous", "default": true}]}, "confidence": 85, "rating": 5, "securityLabels": {"data": [{"name": "TLP: AMBER"}]}, "tags": {"data": [{"name": "Targeted Attack"}, {"techniqueId": "T1566"}]}}}
```

**Output parameter**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.id | number | Response data |
| data.ownerId | number | Response data |
| data.ownerName | string | Response data |
| data.dateAdded | string | Response data |
| data.webLink | string | Response data |
| data.type | string | Response data |
| data.lastModified | string | Response data |
| data.rating | number | Response data |
| data.confidence | number | Response data |
| data.description | string | Response data |
| data.summary | string | Response data |
| data.privateFlag | boolean | Response data |
| data.active | boolean | Response data |
| data.activeLocked | boolean | Response data |
| data.hostName | string | Response data |
| data.dnsActive | boolean | Response data |
| data.whoisActive | boolean | Response data |
| data.legacyLink | string | Response data |
| message | string | Response message |
| status | string | Status value |

**Output example** (truncated in the source after the `status` key)

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"data": {"id": 4, "ownerId": 1, "ownerName": "Demo Organization", "dateAdded": "2021-11-05T16:43:17Z", "webLink": "https://app.threatconnect.com/#/details/indicators/4/overview", "type": "Host", "lastModified": "2021-11-05T16:43:17Z", "rating": 5, "confidence": 85, "description": "This host is very dangerous", "summary": "ultrabadguy.com", "privateFlag": false, "active": true, "activeLocked": false, "hostName": "ultrabadguy.com"}, "message": "Created", "status"
```

### Get All Indicators

Retrieves all indicators of a specified type from ThreatConnect Intelligence using the 'type' path parameter.

**Endpoint URL:** /api/v2/indicators/{{type}}

**Method:** GET

**Input argument**

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.type | string | required | Parameters for the Get All Indicators action |

**Input example**

```json
{"path_parameters": {"type": "hosts"}}
```

**Output parameter**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| data | object | Response data |
| data.resultCount | number | Response data |
| data.indicator | array | Response data |
| data.indicator.id | number | Response data |
| data.indicator.ownerName | string | Response data |
| data.indicator.type | string | Response data |
| data.indicator.dateAdded | string | Response data |
| data.indicator.lastModified | string | Response data |
| data.indicator.threatAssessRating | number | Response data |
| data.indicator.threatAssessConfidence | number | Response data |
| data.indicator.threatAssessScore | number | Response data |
| data.indicator.calScore | number | Response data |
| data.indicator.calIndicatorStatus | number | Response data |
| data.indicator.webLink | string | Response data |
| data.indicator.summary | string | Response data |
| data.indicator.communityOrSource | boolean | Response data |
| data.indicator.additionalOwners | array | Response data |

**Output example**

```json
{"status": "active", "data": {"resultCount": 123, "indicator": [{}]}}
```

### Get Indicator

Retrieves detailed information for a specified indicator type and value from ThreatConnect Intelligence.

**Endpoint URL:** /api/v2/indicators/{{type}}/{{value}}

**Method:** GET

**Input argument**

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.type | string | required | Parameters for the Get Indicator action |
| path_parameters.value | string | required | Parameters for the Get Indicator action |

**Input example**

```json
{"path_parameters": {"type": "emailAddresses", "value": "bad@example.com"}}
```

**Output parameter**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| data | object | Response data |
| data.address | object | Response data |
| data.address.id | number | Response data |
| data.address.owner | object | Response data |
| data.address.owner.id | number | Response data |
| data.address.owner.name | string | Response data |
| data.address.owner.type | string | Response data |
| data.address.dateAdded | string | Response data |
| data.address.lastModified | string | Response data |
| data.address.threatAssessRating | number | Response data |
| data.address.threatAssessConfidence | number | Response data |
| data.address.threatAssessScore | number | Response data |
| data.address.calScore | number | Response data |
| data.address.calIndicatorStatus | number | Response data |
| data.address.webLink | string | Response data |
| data.address.communityOrSource | boolean | Response data |
| data.address.additionalOwners | array | Response data |
| data.address.additionalOwners.file_name | string | Response data |
| data.address.additionalOwners.file | string | Response data |
| data.address.ip | string | Response data |

**Output example**

```json
{"status": "active", "data": {"address": {"id": 123, "owner": {}, "dateAdded": "string", "lastModified": "string", "threatAssessRating": 123, "threatAssessConfidence": 123, "threatAssessScore": 123, "calScore": 123, "calIndicatorStatus": 123, "webLink": "string", "communityOrSource": true, "additionalOwners": [], "ip": "string"}}}
```

### Get Indicators by Incident ID

Retrieves indicators associated with a specific incident ID from ThreatConnect Intelligence using the required path parameter.

**Endpoint URL:** /api/v2/groups/incidents/{{incident_id}}/indicators

**Method:** GET

**Input argument**

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.incident_id | number | required | Parameters for the Get Indicators by Incident ID action |

**Input example**

```json
{"path_parameters": {"incident_id": 67360}}
```

**Output parameter**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| data | object | Response data |
| data.resultCount | number | Response data |
| data.indicator | array | Response data |
| data.indicator.id | number | Response data |
| data.indicator.ownerName | string | Response data |
| data.indicator.type | string | Response data |
| data.indicator.dateAdded | string | Response data |
| data.indicator.lastModified | string | Response data |
| data.indicator.rating | number | Response data |
| data.indicator.confidence | number | Response data |
| data.indicator.threatAssessRating | number | Response data |
| data.indicator.threatAssessConfidence | number | Response data |
| data.indicator.threatAssessScore | number | Response data |
| data.indicator.calScore | number | Response data |
| data.indicator.calIndicatorStatus | number | Response data |
| data.indicator.webLink | string | Response data |
| data.indicator.description | string | Response data |
| data.indicator.summary | string | Response data |
| data.indicator.communityOrSource | boolean | Response data |
| data.indicator.additionalOwners | array | Response data |

**Output example**

```json
{"status": "active", "data": {"resultCount": 123, "indicator": [{}]}}
```

### Get Tags

Retrieves tags associated with a given incident ID in ThreatConnect Intelligence for enhanced categorization and analysis.

**Endpoint URL:** /api/v2/groups/incidents/{{incident_id}}/tags

**Method:** GET

**Input argument**

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.incident_id | number | required | Parameters for the Get Tags action |

**Input example**

```json
{"path_parameters": {"incident_id": 67360}}
```

**Output parameter**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| data | object | Response data |
| data.resultCount | number | Response data |
| data.tag | array | Response data |
| data.tag.name | string | Response data |
| data.tag.webLink | string | Response data |

**Output example**

```json
{"status": "active", "data": {"resultCount": 123, "tag": [{}]}}
```

### Update Indicator Attributes

Updates an indicator's attributes in ThreatConnect Intelligence, specifying type, identifier, attribute ID, and new value.

**Endpoint URL:** /api/v2/indicators/{{indicatorType}}/{{indicator}}/attributes/{{attributeId}}

**Method:** PUT

**Input argument**

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.indicatorType | string | required | Type of the indicator |
| path_parameters.indicator | string | required | Specific indicator value |
| path_parameters.attributeId | string | required | ID of the attribute |
| value | string | optional | New value for the attribute |
| displayed | boolean | optional | Whether the attribute is displayed |
| source | string | optional | Source of the attribute |

**Input example**

```json
{"json_body": {"value": "Updated description.", "displayed": true, "source": "Updated source"}, "path_parameters": {"indicatorType": "emailAddresses", "indicator": "bad@example.com", "attributeId": "54321"}}
```

**Output parameter**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| data | object | Response data |
| data.attribute | object | Response data |
| data.attribute.id | string | Response data |
| data.attribute.type | string | Response data |
| data.attribute.dateAdded | string | Response data |
| data.attribute.lastModified | string | Response data |
| data.attribute.displayed | boolean | Response data |
| data.attribute.value | string | Response data |

**Output example**

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"status": "Success", "data": {"attribute": {}}}}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Access-Control-Allow-Methods | HTTP response header Access-Control-Allow-Methods | |
| Access-Control-Allow-Origin | HTTP response header Access-Control-Allow-Origin | |
| Cache-Control | Directives for caching mechanisms | |
| Connection | HTTP response header Connection | |
| Content-Encoding | HTTP response header Content-Encoding | |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
| Pragma | HTTP response header Pragma | |
| Server | Information about the software used by the origin server | |
| Set-Cookie | HTTP response header Set-Cookie | |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | |
| Transfer-Encoding | HTTP response header Transfer-Encoding | |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | |
| X-Frame-Options | HTTP response header X-Frame-Options | |
| X-XSS-Protection | HTTP response header X-XSS-Protection | |
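The HMAC authentication the configuration section refers to, as an added example that is not part of this page or of the Swimlane connector's own code: it builds the `Authorization` and `Timestamp` headers ThreatConnect's API documents (Base64 HMAC-SHA256 over `<api path>:<METHOD>:<timestamp>`, with the query string included in the signed path) and shows the verifying side with a timestamp freshness window and a constant-time comparison. The credentials, the `secret_for` lookup and the timestamps are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import urlsplit

# Constructed placeholder credentials; not real ThreatConnect keys.
ACCESS_KEY = "12345678901234567890"
SECRET_KEY = "constructed-secret-key-not-a-real-one"


def tc_signature(secret_key, api_path, method, timestamp):
    """Base64 HMAC-SHA256 over "<api_path>:<METHOD>:<timestamp>", the message
    format ThreatConnect's v2/v3 API documents for HMAC authentication."""
    message = f"{api_path}:{method.upper()}:{timestamp}".encode()
    digest = hmac.new(secret_key.encode(), message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def sign_request(url, method, access_key, secret_key, timestamp=None):
    """Return the headers for one request. The signed path is the URL path plus
    its query string, so a v3 call such as /api/v3/indicators?fields=tags must
    sign the query too, otherwise the server computes a different digest."""
    parts = urlsplit(url)
    api_path = parts.path + (f"?{parts.query}" if parts.query else "")
    ts = int(time.time()) if timestamp is None else int(timestamp)
    sig = tc_signature(secret_key, api_path, method, ts)
    return {"Authorization": f"TC {access_key}:{sig}", "Timestamp": str(ts)}


def verify_request(headers, api_path, method, secret_for, now, max_skew=300):
    """Verifying side (as a gateway or a test double would do it): parse
    'TC <access_key>:<signature>', reject timestamps outside the skew window
    so a captured request cannot be replayed later, look up the secret for the
    presented access key, and compare digests in constant time."""
    try:
        scheme, credential = headers["Authorization"].split(" ", 1)
        access_key, presented = credential.split(":", 1)
        ts = int(headers["Timestamp"])
    except (KeyError, ValueError):
        return False
    if scheme != "TC" or abs(now - ts) > max_skew:
        return False
    secret_key = secret_for(access_key)  # hypothetical lookup; None if unknown
    if secret_key is None:
        return False
    expected = tc_signature(secret_key, api_path, method, ts)
    return hmac.compare_digest(expected, presented)
```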