# ThreatConnect Intelligence
The ThreatConnect Intelligence connector facilitates interaction with ThreatConnect's suite of threat intelligence tools, enabling users to automate actions related to indicators, attributes, and tags.

ThreatConnect Intelligence is a robust threat intelligence platform that provides comprehensive data on indicators of compromise (IOCs) and adversaries. This connector enables Swimlane Turbine users to integrate real-time threat intelligence into their security workflows, allowing for the automation of indicator management, enrichment, and analysis. By leveraging ThreatConnect's detailed threat ratings, attributes, and tags, security teams can enhance incident response, streamline threat hunting, and improve overall security posture with actionable insights.

## Prerequisites

To effectively utilize the ThreatConnect Intelligence connector with Swimlane Turbine, ensure you have the following:

- HMAC authentication with the necessary parameters:
  - URL: endpoint for ThreatConnect API access
  - Access Key: unique identifier for API access
  - Secret Key: confidential key paired with the Access Key for secure authentication

## Capabilities

The ThreatConnect connector provides the following capabilities:

- Add Indicator False Positive
- Create Indicator Attributes
- Create Indicator Threat and Confidence Ratings
- Fetch All Indicators
- Get Indicators
- Get Indicators by Incident ID
- Get Tags by Incident ID
- Update Indicator Attributes

## Task Setup

### Fetch All Indicators

If no indicator type is passed, this action fetches all indicators. To check all the possible values of indicator types, see:
https://docs.threatconnect.com/en/latest/rest_api/v2/indicators/indicators.html#retrieve-multiple-indicators

## Configurations

### ThreatConnect HMAC

Authenticates using HMAC.

Configuration parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Access Key | Access Key | string | required |
| Secret Key | Secret Key | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Add Indicator False Positive

Marks an indicator as a false positive in ThreatConnect Intelligence, specifying the indicator type and value.

Endpoint URL: `/api/v2/indicators/{{indicatorType}}/{{indicator}}/falsePositive`

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| indicatorType | string | required | Type of the indicator |
| indicator | string | required | Specific indicator value |

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| data | object | Response data |
| falsePositive | object | Output field falsePositive |
| count | number | Count value |
| lastReported | string | Output field lastReported |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "status": "Success",
      "data": {}
    }
  }
]
```

### Create Indicator Attributes

Adds custom attributes to a specified indicator in ThreatConnect Intelligence, using type and value for precise targeting.

Endpoint URL: `/api/v2/indicators/{{indicatorType}}/{{indicator}}/attributes`

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| indicatorType | string | required | Type of the indicator |
| indicator | string | required | Specific indicator value |
| type | string | optional | Type of the attribute |
| value | string | optional | Value of the attribute |
| displayed | boolean | optional | Whether the attribute is displayed |

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| data | object | Response data |
| attribute | object | Output field attribute |
| id | string | Unique identifier |
| type | string | Type of the resource |
| dateAdded | string | Output field dateAdded |
| lastModified | string | Output field lastModified |
| displayed | boolean | Output field displayed |
| value | string | Value for the parameter |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "status": "Success",
      "data": {}
    }
  }
]
```

### Create Indicator Threat and Confidence Ratings

Creates threat and confidence ratings for a specified indicator type in ThreatConnect Intelligence, requiring a 'type' in the JSON body.

Endpoint URL: `/api/v3/indicators?fields=associatedGroups&fields=attributes&fields=securityLabels&fields=tags`

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| active | boolean | optional | Indicates whether the indicator is active |
| activeLocked | boolean | optional | Indicates whether the active indicator status is locked |
| associatedArtifacts | object | optional | A list of artifacts associated to the indicator |
| data | array | optional | Response data |
| id | number | optional | Artifact ID |
| caseId | number | optional | The ID of the case to which the artifact belongs |
| summary | string | optional | The summary (i.e., name) of the artifact |
| type | string | optional | The artifact's type |
| associatedCases | object | optional | A list of cases associated to the indicator |
| data | array | optional | Response data |
| id | number | optional | Case ID |
| name | string | optional | The name of the case |
| status | string | optional | The status of the case |
| severity | string | optional | The severity of the case |
| associatedGroups | object | optional | A list of groups associated to the indicator |
| data | array | optional | Response data |
| id | number | optional | Group ID |
| name | string | optional | The group's name |
| type | string | optional | The type of group |
| ownerName | string | optional | The name of the owner to which the group belongs |
| associatedIndicators | object | optional | A list of indicators associated to the indicator |
| data | array | optional | Response data |
| id | number | optional | Indicator ID |
| hostName | string | optional | The host name associated with the host indicator |
| type | string | optional | The type of indicator |

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| id | number | Unique identifier |
| ownerId | number | Unique identifier |
| ownerName | string | Name of the resource |
| dateAdded | string | Output field dateAdded |
| webLink | string | Output field webLink |
| type | string | Type of the resource |
| lastModified | string | Output field lastModified |
| rating | number | Output field rating |
| confidence | number | Unique identifier |
| description | string | Output field description |
| summary | string | Output field summary |
| privateFlag | boolean | Output field privateFlag |
| active | boolean | Output field active |
| activeLocked | boolean | Output field activeLocked |
| hostName | string | Name of the resource |
| dnsActive | boolean | Output field dnsActive |
| whoisActive | boolean | Output field whoisActive |
| legacyLink | string | Output field legacyLink |
| message | string | Response message |
| status | string | Status value |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "data": {},
      "message": "Created",
      "status": "Success"
    }
  }
]
```

### Get All Indicators

Retrieves all indicators of a specified type from ThreatConnect Intelligence using the 'type' path parameter.

Endpoint URL: `/api/v2/indicators/{{type}}`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| type | string | required | Type of the resource |

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| data | object | Response data |
| resultCount | number | Result of the operation |
| indicator | array | Output field indicator |
| id | number | Unique identifier |
| ownerName | string | Name of the resource |
| type | string | Type of the resource |
| dateAdded | string | Output field dateAdded |
| lastModified | string | Output field lastModified |
| threatAssessRating | number | Output field threatAssessRating |
| threatAssessConfidence | number | Unique identifier |
| threatAssessScore | number | Score value |
| calScore | number | Score value |
| calIndicatorStatus | number | Status value |
| webLink | string | Output field webLink |
| summary | string | Output field summary |
| communityOrSource | boolean | Output field communityOrSource |
| additionalOwners | array | Output field additionalOwners |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "status": "active",
      "data": {}
    }
  }
]
```

### Get Indicator

Retrieves detailed information for a specified indicator type and value from ThreatConnect Intelligence.

Endpoint URL: `/api/v2/indicators/{{type}}/{{value}}`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| type | string | required | Type of the resource |
| value | string | required | Value for the parameter |

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| data | object | Response data |
| address | object | Output field address |
| id | number | Unique identifier |
| owner | object | Output field owner |
| id | number | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |
| dateAdded | string | Output field dateAdded |
| lastModified | string | Output field lastModified |
| threatAssessRating | number | Output field threatAssessRating |
| threatAssessConfidence | number | Unique identifier |
| threatAssessScore | number | Score value |
| calScore | number | Score value |
| calIndicatorStatus | number | Status value |
| webLink | string | Output field webLink |
| communityOrSource | boolean | Output field communityOrSource |
| additionalOwners | array | Output field additionalOwners |
| file name | string | Name of the resource |
| file | string | Output field file |
| ip | string | Output field ip |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "status": "active",
      "data": {}
    }
  }
]
```

### Get Indicators by Incident ID

Retrieves indicators associated with a specific incident ID from ThreatConnect Intelligence using the required path parameter.

Endpoint URL: `/api/v2/groups/incidents/{{incident_id}}/indicators`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| incident_id | number | required | Unique identifier |

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| data | object | Response data |
| resultCount | number | Result of the operation |
| indicator | array | Output field indicator |
| id | number | Unique identifier |
| ownerName | string | Name of the resource |
| type | string | Type of the resource |
| dateAdded | string | Output field dateAdded |
| lastModified | string | Output field lastModified |
| rating | number | Output field rating |
| confidence | number | Unique identifier |
| threatAssessRating | number | Output field threatAssessRating |
| threatAssessConfidence | number | Unique identifier |
| threatAssessScore | number | Score value |
| calScore | number | Score value |
| calIndicatorStatus | number | Status value |
| webLink | string | Output field webLink |
| description | string | Output field description |
| summary | string | Output field summary |
| communityOrSource | boolean | Output field communityOrSource |
| additionalOwners | array | Output field additionalOwners |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "status": "active",
      "data": {}
    }
  }
]
```

### Get Tags

Retrieves tags associated with a given incident ID in ThreatConnect Intelligence for enhanced categorization and analysis.

Endpoint URL: `/api/v2/groups/incidents/{{incident_id}}/tags`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| incident_id | number | required | Unique identifier |

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| data | object | Response data |
| resultCount | number | Result of the operation |
| tag | array | Output field tag |
| name | string | Name of the resource |
| webLink | string | Output field webLink |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "status": "active",
      "data": {}
    }
  }
]
```

### Update Indicator Attributes

Updates an indicator's attributes in ThreatConnect Intelligence, specifying type, identifier, attribute ID, and new value.

Endpoint URL: `/api/v2/indicators/{{indicatorType}}/{{indicator}}/attributes/{{attributeId}}`

Method: PUT

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| indicatorType | string | required | Type of the indicator |
| indicator | string | required | Specific indicator value |
| attributeId | string | required | ID of the attribute |
| value | string | required | New value for the attribute |
| displayed | boolean | optional | Whether the attribute is displayed |
| source | string | optional | Source of the attribute |

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| data | object | Response data |
| attribute | object | Output field attribute |
| id | string | Unique identifier |
| type | string | Type of the resource |
| dateAdded | string | Output field dateAdded |
| lastModified | string | Output field lastModified |
| displayed | boolean | Output field displayed |
| value | string | Value for the parameter |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "status": "Success",
      "data": {}
    }
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Access-Control-Allow-Methods | HTTP response header Access-Control-Allow-Methods | |
| Access-Control-Allow-Origin | HTTP response header Access-Control-Allow-Origin | |
| Cache-Control | Directives for caching mechanisms | |
| Connection | HTTP response header Connection | |
| Content-Encoding | HTTP response header Content-Encoding | |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
| Pragma | HTTP response header Pragma | |
| Server | Information about the software used by the origin server | |
| Set-Cookie | HTTP response header Set-Cookie | |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | |
| Transfer-Encoding | HTTP response header Transfer-Encoding | |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | |
| X-Frame-Options | HTTP response header X-Frame-Options | |
| X-XSS-Protection | HTTP response header X-XSS-Protection | |

## Notes

- If using an API user account on ThreatConnect's public cloud instance, the ThreatConnect API is accessible at https://app.threatconnect.com/api.
- If using an API user account on a dedicated cloud or on-premises ThreatConnect instance, the ThreatConnect API is accessible at the base URL of your instance followed by `/api` (e.g., https://companyabc.threatconnect.com/api).
- ThreatConnect API documentation: https://docs.threatconnect.com/en/latest/python/quick_start.html
- Create an API user: https://training.threatconnect.com/learn/article/creating-user-accounts-kb-article
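The following is an added example, not code from the connector, Swimlane, or ThreatConnect, showing how the HMAC configuration above signs a request and how the Add Indicator False Positive action's path and response are handled in Python. The signing string (`<path incl. query>:<METHOD>:<unix timestamp>`) and the `Authorization: TC <access key>:<signature>` and `Timestamp` headers follow ThreatConnect's published HMAC scheme; the credentials, host and indicator values are constructed placeholders, and `addresses` and `urls` are two of the v2 indicator type path values linked under Task Setup.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import quote
from urllib.request import Request, urlopen

# Constructed placeholders: substitute the values from your HMAC configuration.
ACCESS_KEY = "ACCESS_KEY_PLACEHOLDER"
SECRET_KEY = "SECRET_KEY_PLACEHOLDER"
BASE_URL = "https://companyabc.threatconnect.com"  # the API lives under /api on the instance host


def tc_signed_headers(access_key, secret_key, method, path_and_query, timestamp=None):
    """Build the Authorization and Timestamp headers for one request.

    The signing string is "<path incl. query>:<METHOD>:<unix timestamp>", keyed with the
    secret key via HMAC-SHA256 and base64 encoded. The timestamp travels with the request
    so the server can reject stale or replayed signatures; never reuse one across calls.
    """
    ts = int(time.time()) if timestamp is None else int(timestamp)
    signing_string = f"{path_and_query}:{method.upper()}:{ts}"
    digest = hmac.new(secret_key.encode(), signing_string.encode(), hashlib.sha256).digest()
    signature = base64.b64encode(digest).decode()
    return {"Authorization": f"TC {access_key}:{signature}", "Timestamp": str(ts)}


def indicator_path(indicator_type, indicator, suffix=""):
    """Build /api/v2/indicators/{type}/{value}[/suffix]. The value is percent-encoded with
    no safe characters, so URL or file-path indicators containing '/' or '?' cannot change
    which route is called (and the signed path then matches what is sent)."""
    path = f"/api/v2/indicators/{quote(indicator_type, safe='')}/{quote(indicator, safe='')}"
    return f"{path}/{suffix}" if suffix else path


def parse_action_response(status_code, body):
    """Normalise a ThreatConnect reply into the connector-style output shape. A non-200 code
    or a status other than "Success" raises, so a workflow cannot treat a failed call as done."""
    parsed = json.loads(body) if isinstance(body, (str, bytes)) else body
    if status_code != 200 or parsed.get("status") != "Success":
        raise RuntimeError(f"ThreatConnect call failed: {status_code} {parsed.get('message')}")
    return {"status_code": status_code, "reason": "OK", "json_body": parsed}


def mark_false_positive(indicator_type, indicator, access_key=ACCESS_KEY,
                        secret_key=SECRET_KEY, base_url=BASE_URL, opener=urlopen):
    """Add Indicator False Positive: POST .../{type}/{value}/falsePositive with signed headers."""
    path = indicator_path(indicator_type, indicator, "falsePositive")
    headers = tc_signed_headers(access_key, secret_key, "POST", path)
    req = Request(base_url + path, method="POST", headers=headers)
    with opener(req) as resp:  # urlopen raises HTTPError on 4xx/5xx before parsing
        return parse_action_response(resp.status, resp.read())
```

Call `mark_false_positive("addresses", "198.51.100.7")` against a real instance with live keys; the `opener` argument exists so the request layer can be swapped for a recorded response in tests.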