ThreatConnect v2

Threat intelligence platform.

Configure ThreatConnect v2 on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for ThreatConnect v2.
  3. Click Add instance to create and configure a new integration instance.

     | Parameter | Description | Required |
     |---|---|---|
     | baseUrl | baseUrl | True |
     | accessId | Access ID | True |
     | secretKey | Secret Key | True |
     | defaultOrg | Default Organization | False |
     | rating | Rating threshold for Malicious Indicators | False |
     | confidence | Confidence threshold for Malicious Indicators | False |
     | freshness | Indicator Reputation Freshness (in days) | False |
     | proxyIp | ProxyIP (or http://<ip>) | False |
     | proxyPort | ProxyPort | False |

  4. Click Test to validate the URLs, token, and connection.
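The rating, confidence and freshness instance parameters decide how a ThreatConnect rating/confidence pair becomes the DBotScore and the IP/URL/Domain/File `.Malicious` context shown in the command reference below. The following is an added example, not the integration's own code: the rule set (malicious only when both thresholds are met, suspicious for any non-zero rating or confidence, unknown when the reputation is older than the freshness window) and the instance values in `INSTANCE_CONFIG` are assumptions chosen to agree with the context examples on this page.

```python
"""Illustrative DBotScore derivation from ThreatConnect rating and confidence.

Added example; this is not the ThreatConnect v2 integration's own code. The
mapping rules are an assumption chosen to agree with the context examples on
this page (rating 3 / confidence 50 -> score 2, rating 0 / confidence 0 ->
score 1); the integration's exact rule set is not spelled out here.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# DBotScore values used by Cortex XSOAR reputation commands.
DBOT_UNKNOWN, DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 0, 1, 2, 3
VENDOR = "ThreatConnect"

# Label scales quoted in the ratingThreshold / confidenceThreshold descriptions.
RATING_LABELS = {0: "Unknown", 1: "Suspicious", 2: "Low",
                 3: "Moderate", 4: "High", 5: "Critical"}
CONFIDENCE_BANDS = [(0, "Unknown"), (1, "Discredited"), (29, "Improbable"),
                    (49, "Doubtful"), (69, "Possible"), (89, "Probable"),
                    (100, "Confirmed")]

# Constructed instance configuration mirroring the 'rating', 'confidence' and
# 'freshness' parameters; the values are assumptions, not defaults from the page.
INSTANCE_CONFIG = {"rating": 3, "confidence": 65, "freshness": 30}


def confidence_label(confidence: int) -> str:
    """Return the textual band for a 0-100 confidence percentage."""
    for upper, label in CONFIDENCE_BANDS:
        if confidence <= upper:
            return label
    return "Confirmed"


def parse_tc_date(value: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps shown in the context examples."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def dbot_score(indicator: dict, config: dict, now: Optional[datetime] = None) -> int:
    """Assumed rule set:
      - UNKNOWN    if LastModified is older than 'freshness' days (stale reputation)
      - BAD        if rating >= rating threshold AND confidence >= confidence threshold
      - SUSPICIOUS if the indicator carries any non-zero rating or confidence
      - GOOD       otherwise
    """
    rating = int(indicator.get("Rating", 0))
    confidence = int(indicator.get("Confidence", 0))
    freshness = config.get("freshness")
    if freshness is not None and indicator.get("LastModified"):
        age = (now or datetime.now(timezone.utc)) - parse_tc_date(indicator["LastModified"])
        if age > timedelta(days=freshness):
            return DBOT_UNKNOWN
    if rating >= config["rating"] and confidence >= config["confidence"]:
        return DBOT_BAD
    if rating > 0 or confidence > 0:
        return DBOT_SUSPICIOUS
    return DBOT_GOOD


def build_context(indicator: dict, dbot_type: str, ctx_key: str, value_field: str,
                  config: dict = INSTANCE_CONFIG, now: Optional[datetime] = None) -> dict:
    """Build the DBotScore entry plus, for a BAD verdict, the <ctx_key>.Malicious
    block listed under Context Output (e.g. ctx_key='IP', value_field='Address')."""
    score = dbot_score(indicator, config, now)
    context = {"DBotScore": {"Indicator": indicator["Name"], "Type": dbot_type,
                             "Score": score, "Vendor": VENDOR}}
    if score == DBOT_BAD:
        rating = int(indicator.get("Rating", 0))
        confidence = int(indicator.get("Confidence", 0))
        context[ctx_key] = {
            value_field: indicator["Name"],
            "Malicious": {
                "Vendor": VENDOR,
                "Description": (f"Rating {rating} ({RATING_LABELS.get(rating, 'Unknown')}), "
                                f"confidence {confidence}% ({confidence_label(confidence)})"),
            },
        }
    return context


if __name__ == "__main__":
    # Indicators copied from this page's context examples; the fixed 'now' keeps
    # the freshness check deterministic.
    now = parse_tc_date("2020-05-11T00:00:00Z")
    samples = [
        ("ip", "IP", "Address", {"Name": "88.88.88.88", "Rating": 0, "Confidence": 0,
                                 "LastModified": "2020-04-27T04:57:20Z"}),
        ("url", "URL", "Data", {"Name": "https://www.domain.com", "Rating": 3, "Confidence": 50,
                                "LastModified": "2020-04-27T10:03:38Z"}),
        ("ip", "IP", "Address", {"Name": "99.99.99.99", "Rating": 1, "Confidence": 70,
                                 "LastModified": "2020-05-10T09:57:27Z"}),
    ]
    for dbot_type, key, field, ind in samples:
        ctx = build_context(ind, dbot_type, key, field, now=now)
        print(ind["Name"], "->", ctx["DBotScore"]["Score"])
```

Raising the instance thresholds only changes which indicators reach score 3; a rated-but-below-threshold indicator still surfaces as suspicious, so playbooks should branch on the score rather than on the presence of the `.Malicious` block alone.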

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip


Searches for an indicator of type IP address.

Base Command

ip

Input

| Argument Name | Description | Required |
|---|---|---|
| ip | The IPv4 or IPv6 address. | Required |
| owners | A comma-separated list of a client's organizations, sources, or communities to which the user has permissions. For example, users with admin permissions can search for indicators belonging to all owners. | Optional |
| ratingThreshold | Filters results to indicators whose threat rating is greater than the specified value. Can be "0" (Unknown), "1" (Suspicious), "2" (Low), "3" (Moderate), "4" (High), or "5" (Critical). | Optional |
| confidenceThreshold | Filters results to indicators whose confidence rating is greater than the specified value. Can be "0%" (Unknown), "1%" (Discredited), "2-29%" (Improbable), "30-49%" (Doubtful), "50-69%" (Possible), "70-89%" (Probable), or "90-100%" (Confirmed). | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the indicator. |
| TC.Indicator.ID | string | The ID of the indicator. |
| TC.Indicator.Description | string | The description of the indicator. |
| TC.Indicator.Owner | string | The owner of the indicator. |
| TC.Indicator.CreateDate | date | The date on which the indicator was created. |
| TC.Indicator.LastModified | date | The date on which the indicator was last modified. |
| TC.Indicator.Rating | number | The threat rating of the indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the indicator. |
| DBotScore.Indicator | string | The value assigned by DBot for the indicator. |
| DBotScore.Type | string | The type assigned by DBot for the indicator. |
| DBotScore.Score | number | The score assigned by DBot for the indicator. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| IP.Address | string | The IP address of the indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |

Command Example

!ip ip=88.88.88.88

Context Example

{
  "TC.Indicator": [
    {
      "Rating": 0,
      "Confidence": 0,
      "Name": "88.88.88.88",
      "LastModified": "2020-04-27T04:57:20Z",
      "CreateDate": "2020-04-27T04:57:20Z",
      "Owner": "Demisto Inc.",
      "Type": "Address",
      "ID": 112677927
    }
  ],
  "DBotScore": [
    {
      "Vendor": "ThreatConnect",
      "Indicator": "88.88.88.88",
      "Score": 1,
      "Type": "ip"
    }
  ]
}

Human Readable Output

ThreatConnect IP Reputation for: 88.88.88.88

| Confidence | Create Date | ID | Last Modified | Name | Owner | Rating | Type |
|---|---|---|---|---|---|---|---|
| 0 | 2020-04-27T04:57:20Z | 112677927 | 2020-04-27T04:57:20Z | 88.88.88.88 | Demisto Inc. | 0 | Address |

url


Searches for an indicator of type URL.

Base Command

url

Input

| Argument Name | Description | Required |
|---|---|---|
| url | The URL for which to search. For example, "www.demisto.com". | Required |
| owners | A comma-separated list of a client's organizations, sources, or communities to which the client's API user has been granted permission. For example, "owner1", "owner2", or "owner3". | Optional |
| ratingThreshold | Filters results to indicators whose threat rating is greater than the specified value. Can be "0" (Unknown), "1" (Suspicious), "2" (Low), "3" (Moderate), "4" (High), or "5" (Critical). | Optional |
| confidenceThreshold | Filters results to indicators whose confidence rating is greater than the specified value. Can be "0%" (Unknown), "1%" (Discredited), "2-29%" (Improbable), "30-49%" (Doubtful), "50-69%" (Possible), "70-89%" (Probable), or "90-100%" (Confirmed). | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the indicator. |
| TC.Indicator.ID | string | The ID of the indicator. |
| TC.Indicator.Description | string | The description of the indicator. |
| TC.Indicator.Owner | string | The owner of the indicator. |
| TC.Indicator.CreateDate | date | The date on which the indicator was created. |
| TC.Indicator.LastModified | date | The date on which the indicator was last modified. |
| TC.Indicator.Rating | number | The threat rating of the indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the indicator. |
| DBotScore.Indicator | string | The value assigned by DBot for the indicator. |
| DBotScore.Type | string | The type assigned by DBot for the indicator. |
| DBotScore.Score | number | The score assigned by DBot for the indicator. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| URL.Data | string | The data of the URL indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |

Command Example

!url url=https://www.domain.com

Context Example

{
  "DBotScore": [
    {
      "Indicator": "https://www.domain.com",
      "Score": 2,
      "Type": "url",
      "Vendor": "ThreatConnect"
    }
  ],
  "TC": {
    "Indicator": {
      "Confidence": 50,
      "CreateDate": "2020-04-23T14:41:16Z",
      "ID": 112618313,
      "LastModified": "2020-04-27T10:03:38Z",
      "Name": "https://www.domain.com",
      "Owner": "Demisto Inc.",
      "Rating": 3,
      "Type": "URL"
    }
  }
}

Human Readable Output

ThreatConnect URL Reputation for: https://www.domain.com

| Confidence | Create Date | ID | Last Modified | Name | Owner | Rating | Type |
|---|---|---|---|---|---|---|---|
| 50 | 2020-04-23T14:41:16Z | 112618313 | 2020-04-27T10:03:38Z | https://www.domain.com | Demisto Inc. | 3 | URL |

file


Searches for an indicator of type file.

Base Command

file

Input

| Argument Name | Description | Required |
|---|---|---|
| file | The hash of the file. Can be "MD5", "SHA-1", or "SHA-256". | Required |
| owners | A comma-separated list of a client's organizations, sources, or communities to which the user has permissions. For example, users with admin permissions can search for indicators belonging to all owners. | Optional |
| ratingThreshold | Filters results to indicators whose threat rating is greater than the specified value. Can be "0" (Unknown), "1" (Suspicious), "2" (Low), "3" (Moderate), "4" (High), or "5" (Critical). | Optional |
| confidenceThreshold | Filters results to indicators whose confidence rating is greater than the specified value. Can be "0%" (Unknown), "1%" (Discredited), "2-29%" (Improbable), "30-49%" (Doubtful), "50-69%" (Possible), "70-89%" (Probable), or "90-100%" (Confirmed). | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the indicator. |
| TC.Indicator.ID | string | The ID of the indicator. |
| TC.Indicator.Description | string | The description of the indicator. |
| TC.Indicator.Owner | string | The owner of the indicator. |
| TC.Indicator.CreateDate | date | The date on which the indicator was created. |
| TC.Indicator.LastModified | date | The last date on which the indicator was modified. |
| TC.Indicator.Rating | number | The threat rating of the indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the indicator. |
| TC.Indicator.File.MD5 | string | The MD5 hash of the indicator. |
| TC.Indicator.File.SHA1 | string | The SHA1 hash of the indicator. |
| TC.Indicator.File.SHA256 | string | The SHA256 hash of the indicator. |
| DBotScore.Indicator | string | The value assigned by DBot for the indicator. |
| DBotScore.Type | string | The type assigned by DBot for the indicator. |
| DBotScore.Score | number | The score assigned by DBot for the indicator. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| File.MD5 | string | The MD5 hash of the indicator. |
| File.SHA1 | string | The SHA1 hash of the indicator. |
| File.SHA256 | string | The SHA256 hash of the indicator. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the full description. |

Command Example

!file file=4a4a4e885f7189bbaa2fcc2f2403b128f79e951826c57c0e1ab50e085ae390e7

Context Example

{
  "TC.Indicator": [
    {
      "Rating": 0,
      "Confidence": 0,
      "LastModified": "2020-04-23T14:40:26Z",
      "CreateDate": "2020-04-23T14:40:26Z",
      "File": {
        "SHA256": "4A4A4E885F7189BBAA2FCC2F2403B128F79E951826C57C0E1AB50E085AE390E7"
      },
      "Owner": "Demisto Inc.",
      "Type": "File",
      "ID": 112618312
    }
  ],
  "DBotScore": [
    {
      "Vendor": "ThreatConnect",
      "Score": 1,
      "Type": "file"
    }
  ]
}

Human Readable Output

ThreatConnect File Report for: 4a4a4e885f7189bbaa2fcc2f2403b128f79e951826c57c0e1ab50e085ae390e7

| Confidence | Create Date | File | ID | Last Modified | Owner | Rating | Type |
|---|---|---|---|---|---|---|---|
| 0 | 2020-04-23T14:40:26Z | SHA256: 4A4A4E885F7189BBAA2FCC2F2403B128F79E951826C57C0E1AB50E085AE390E7 | 112618312 | 2020-04-23T14:40:26Z | Demisto Inc. | 0 | File |

tc-owners


Retrieves all owners for the current account.

Base Command

tc-owners

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
|---|---|---|
| TC.Owner.Name | string | The name of the owner. |
| TC.Owner.ID | string | The ID of the owner. |
| TC.Owner.Type | string | The type of the owner. |

Command Example

!tc-owners

Context Example

{
  "TC": {
    "Owner": [
      {
        "ID": 737,
        "Name": "Demisto Inc.",
        "Type": "Organization"
      },
      {
        "ID": 646,
        "Name": "Blocklist.de Strong IPs",
        "Type": "Source"
      },
      {
        "ID": 716,
        "Name": "BotScout Bot List",
        "Type": "Source"
      }
    ]
  }
}

Human Readable Output

ThreatConnect Owners:

| ID | Name | Type |
|---|---|---|
| 737 | Demisto Inc. | Organization |
| 646 | Blocklist.de Strong IPs | Source |
| 716 | BotScout Bot List | Source |

tc-indicators


Retrieves a list of all indicators.

Base Command

tc-indicators

Input

| Argument Name | Description | Required |
|---|---|---|
| owner | Filters results by the owner of the indicator. | Optional |
| limit | The maximum number of results that can be returned. The default is 500. | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the indicator. |
| TC.Indicator.ID | string | The ID of the indicator. |
| TC.Indicator.Description | string | The description of the indicator. |
| TC.Indicator.Owner | string | The owner of the indicator. |
| TC.Indicator.CreateDate | date | The date on which the indicator was created. |
| TC.Indicator.LastModified | date | The last date on which the indicator was modified. |
| TC.Indicator.Rating | number | The threat rating of the indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the indicator. |
| TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
| TC.Indicator.File.MD5 | string | The MD5 hash of the file indicator. |
| TC.Indicator.File.SHA1 | string | The SHA1 hash of the file indicator. |
| TC.Indicator.File.SHA256 | string | The SHA256 hash of the file indicator. |
| DBotScore.Indicator | string | The value assigned by DBot for the indicator. |
| DBotScore.Type | string | The type assigned by DBot for the indicator. |
| DBotScore.Score | number | The score assigned by DBot for the indicator. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| IP.Address | string | The IP address of the indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |
| URL.Data | string | The data of the URL indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |
| Domain.Name | string | The name of the domain. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the full description. |

Command Example

!tc-indicators limit=3 owner="Demisto Inc."

Context Example

{
  "DBotScore": [
    {
      "Indicator": "88.88.88.88",
      "Score": 1,
      "Type": "ip",
      "Vendor": "ThreatConnect"
    },
    {
      "Indicator": "domain.info",
      "Score": 1,
      "Type": "domain",
      "Vendor": "ThreatConnect"
    },
    {
      "Indicator": "https://www.domain.com",
      "Score": 2,
      "Type": "url",
      "Vendor": "ThreatConnect"
    }
  ],
  "TC": {
    "Indicator": [
      {
        "Confidence": 0,
        "CreateDate": "2020-05-10T09:45:19Z",
        "ID": 112951652,
        "LastModified": "2020-05-10T09:45:19Z",
        "Name": "88.88.88.88",
        "Owner": "Demisto Inc.",
        "Rating": 0,
        "Type": "Address"
      },
      {
        "Confidence": 0,
        "CreateDate": "2020-04-23T14:42:21Z",
        "ID": 112618314,
        "LastModified": "2020-04-23T14:42:21Z",
        "Name": "domain.info",
        "Owner": "Demisto Inc.",
        "Rating": 0,
        "Type": "Host"
      },
      {
        "Confidence": 50,
        "CreateDate": "2020-04-23T14:41:16Z",
        "ID": 112618313,
        "LastModified": "2020-04-27T10:03:38Z",
        "Name": "https://www.domain.com",
        "Owner": "Demisto Inc.",
        "Rating": 3,
        "Type": "URL"
      }
    ]
  }
}

Human Readable Output

ThreatConnect Indicators:

| Confidence | Create Date | ID | Last Modified | Name | Owner | Rating | Type |
|---|---|---|---|---|---|---|---|
| 0 | 2020-05-10T09:45:19Z | 112951652 | 2020-05-10T09:45:19Z | 88.88.88.88 | Demisto Inc. | 0 | Address |
| 0 | 2020-04-23T14:42:21Z | 112618314 | 2020-04-23T14:42:21Z | domain.info | Demisto Inc. | 0 | Host |
| 50 | 2020-04-23T14:41:16Z | 112618313 | 2020-04-27T10:03:38Z | https://www.domain.com | Demisto Inc. | 3 | URL |

tc-get-tags


Returns a list of all ThreatConnect tags.

Base Command

tc-get-tags

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
|---|---|---|
| TC.Tags | Unknown | A list of tags. |

Command Example

!tc-get-tags

Context Example

{
  "TC": {
    "Tags": [
      "malicious file",
      "malicious ip",
      "malicious url"
    ]
  }
}

Human Readable Output

ThreatConnect Tags:

| Name |
|---|
| malicious file |
| malicious ip |
| malicious url |

tc-tag-indicator


Adds a tag to an existing indicator.

Base Command

tc-tag-indicator

Input

| Argument Name | Description | Required |
|---|---|---|
| tag | The name of the tag. | Required |
| indicator | The indicator to tag. For example, for an IP indicator, "8.8.8.8". | Required |
| owner | Filters indicators by owner. | Optional |

Context Output

There is no context output for this command.

Command Example

!tc-tag-indicator indicator=99.99.99.99 tag="malicious ip"

Context Example

{}

Human Readable Output

Indicator 99.99.99.99 with ID 112951655, was tagged with: malicious ip

tc-get-indicator


Retrieves information about an indicator.

Base Command

tc-get-indicator

Input

| Argument Name | Description | Required |
|---|---|---|
| indicator | The name of the indicator by which to search. The command retrieves information from all owners. Can be an IP address, a URL, or a file hash. | Required |
| indicator_type | Only for custom indicator types. Leave empty for standard ones. | Optional |
| owners | Indicator owner(s). | Optional |
| ratingThreshold | Filters results to indicators whose threat rating is greater than the specified value. Can be "0" (Unknown), "1" (Suspicious), "2" (Low), "3" (Moderate), "4" (High), or "5" (Critical). | Optional |
| confidenceThreshold | Filters results to indicators whose confidence rating is greater than the specified value. Can be "0%" (Unknown), "1%" (Discredited), "2-29%" (Improbable), "30-49%" (Doubtful), "50-69%" (Possible), "70-89%" (Probable), or "90-100%" (Confirmed). | Optional |
| group_associations | Retrieve indicator group associations. | Required |
| indicator_associations | Retrieve indicator associations. | Optional |
| indicator_observations | Retrieve indicator observations. | Optional |
| indicator_tags | Retrieve indicator tags. | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the indicator. |
| TC.Indicator.ID | string | The ID of the indicator. |
| TC.Indicator.Description | string | The description of the indicator. |
| TC.Indicator.Owner | string | The owner of the indicator. |
| TC.Indicator.CreateDate | date | The date on which the indicator was created. |
| TC.Indicator.LastModified | date | The last date on which the indicator was modified. |
| TC.Indicator.Rating | number | The threat rating of the indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the indicator. |
| TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
| TC.Indicator.File.MD5 | string | The MD5 hash of the file indicator. |
| TC.Indicator.File.SHA1 | string | The SHA1 hash of the file indicator. |
| TC.Indicator.File.SHA256 | string | The SHA256 hash of the file indicator. |
| DBotScore.Indicator | string | The value assigned by DBot for the indicator. |
| DBotScore.Type | string | The type assigned by DBot for the indicator. |
| DBotScore.Score | number | The score assigned by DBot for the indicator. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| IP.Address | string | The IP address of the indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |
| URL.Data | string | The data of the URL indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |
| Domain.Name | string | The domain name of the indicator. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the full description. |

Command Example

!tc-get-indicator indicator=99.99.99.99 group_associations=false

Context Example

{
  "DBotScore": [
    {
      "Indicator": "99.99.99.99",
      "Score": 2,
      "Type": "ip",
      "Vendor": "ThreatConnect"
    }
  ],
  "TC": {
    "Indicator": {
      "Confidence": 70,
      "CreateDate": "2020-05-10T09:57:18Z",
      "ID": 112951655,
      "LastModified": "2020-05-10T09:57:27Z",
      "Name": "99.99.99.99",
      "Owner": "Demisto Inc.",
      "Rating": 1,
      "Type": "Address"
    }
  }
}

Human Readable Output

ThreatConnect indicator for: 99.99.99.99

| Confidence | Create Date | ID | Last Modified | Name | Owner | Rating | Type |
|---|---|---|---|---|---|---|---|
| 70 | 2020-05-10T09:57:18Z | 112951655 | 2020-05-10T09:57:27Z | 99.99.99.99 | Demisto Inc. | 1 | Address |

tc-get-indicators-by-tag


Fetches all indicators that have a tag.

Base Command

tc-get-indicators-by-tag

Input

| Argument Name | Description | Required |
|---|---|---|
| tag | The name of the tag by which to filter. | Required |
| owner | Filters indicators by owner. | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| TC.Indicator.Name | string | The name of the tagged indicator. |
| TC.Indicator.Type | string | The type of the tagged indicator. |
| TC.Indicator.ID | string | The ID of the tagged indicator. |
| TC.Indicator.Description | string | The description of the tagged indicator. |
| TC.Indicator.Owner | string | The owner of the tagged indicator. |
| TC.Indicator.CreateDate | date | The date on which the tagged indicator was created. |
| TC.Indicator.LastModified | date | The last date on which the tagged indicator was modified. |
| TC.Indicator.Rating | number | The threat rating of the tagged indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the tagged indicator. |
| TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
| TC.Indicator.File.MD5 | string | The MD5 hash of the file indicator. |
| TC.Indicator.File.SHA1 | string | The SHA1 hash of the file indicator. |
| TC.Indicator.File.SHA256 | string | The SHA256 hash of the file indicator. |
| DBotScore.Indicator | string | The value assigned by DBot for the tagged indicator. |
| DBotScore.Type | string | The type assigned by DBot for the tagged indicator. |
| DBotScore.Score | number | The score assigned by DBot for the tagged indicator. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| IP.Address | string | The IP address of the tagged indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |
| URL.Data | string | The data of the URL of the tagged indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |
| Domain.Name | string | The domain name of the tagged indicator. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the full description. |

Command Example

!tc-get-indicators-by-tag tag="malicious ip"

Context Example

{
  "DBotScore": [
    {
      "Indicator": "99.99.99.99",
      "Score": 2,
      "Type": "ip",
      "Vendor": "ThreatConnect"
    },
    {
      "Indicator": "82.28.82.28",
      "Score": 1,
      "Type": "ip",
      "Vendor": "ThreatConnect"
    },
    {
      "Indicator": "111.222.111.222",
      "Score": 2,
      "Type": "ip",
      "Vendor": "ThreatConnect"
    }
  ],
  "TC": {
    "Indicator": [
      {
        "Confidence": 70,
        "CreateDate": "2020-05-10T09:57:18Z",
        "ID": 112951655,
        "LastModified": "2020-05-10T09:57:18Z",
        "Name": "99.99.99.99",
        "Owner": "Demisto Inc.",
        "Rating": 2,
        "Type": "Address"
      },
      {
        "Confidence": 0,
        "CreateDate": "2018-10-18T11:12:20Z",
        "ID": 59227820,
        "LastModified": "2018-10-18T11:12:36Z",
        "Name": "82.28.82.28",
        "Owner": "Demisto Inc.",
        "Rating": 0,
        "Type": "Address"
      },
      {
        "Confidence": 20,
        "CreateDate": "2018-10-22T19:03:29Z",
        "Description": "Added critical rating",
        "ID": 59253542,
        "LastModified": "2018-12-19T15:55:57Z",
        "Name": "111.222.111.222",
        "Owner": "Demisto Inc.",
        "Rating": 1,
        "Type": "Address"
      }
    ]
  }
}

Human Readable Output

ThreatConnect Indicators with tag: malicious ip

| Confidence | Create Date | ID | Last Modified | Name | Owner | Rating | Type |
|---|---|---|---|---|---|---|---|
| 70 | 2020-05-10T09:57:18Z | 112951655 | 2020-05-10T09:57:18Z | 99.99.99.99 | Demisto Inc. | 2 | Address |
| 0 | 2018-10-18T11:12:20Z | 59227820 | 2018-10-18T11:12:36Z | 82.28.82.28 | Demisto Inc. | 0 | Address |
| 20 | 2018-10-22T19:03:29Z | 59253542 | 2018-12-19T15:55:57Z | 111.222.111.222 | Demisto Inc. | 1 | Address |

tc-add-indicator


Adds a new indicator to ThreatConnect.

Base Command

tc-add-indicator

Input

| Argument Name | Description | Required |
|---|---|---|
| indicator | The indicator to add. | Required |
| rating | The threat rating of the indicator. Can be "0" (Unknown), "1" (Suspicious), "2" (Low), "3" (Moderate), "4" (High), or "5" (Critical). | Optional |
| confidence | The confidence rating of the indicator. Can be "0%" (Unknown), "1%" (Discredited), "2-29%" (Improbable), "30-49%" (Doubtful), "50-69%" (Possible), "70-89%" (Probable), or "90-100%" (Confirmed). | Optional |
| owner | The owner of the new indicator. The default is the "defaultOrg" parameter. | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the indicator. |
| TC.Indicator.ID | string | The ID of the indicator. |
| TC.Indicator.Description | string | The description of the indicator. |
| TC.Indicator.Owner | string | The owner of the indicator. |
| TC.Indicator.CreateDate | date | The date on which the added indicator was created. |
| TC.Indicator.LastModified | date | The last date on which the added indicator was modified. |
| TC.Indicator.Rating | number | The threat rating of the indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the indicator. |
| TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
| TC.Indicator.File.MD5 | string | The MD5 hash of the file indicator. |
| TC.Indicator.File.SHA1 | string | The SHA1 hash of the file indicator. |
| TC.Indicator.File.SHA256 | string | The SHA256 hash of the file indicator. |
| IP.Address | string | The IP address of the indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |
| URL.Data | string | The data of the URL indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |
| Domain.Name | string | The name of the added domain indicator. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the full description. |

Command Example

!tc-add-indicator indicator=99.99.99.99 confidence=70 rating=2

Context Example

{
  "TC": {
    "Indicator": {
      "Confidence": 70,
      "CreateDate": "2020-05-10T09:57:18Z",
      "ID": 112951655,
      "LastModified": "2020-05-10T09:57:18Z",
      "Name": "99.99.99.99",
      "Owner": "Demisto Inc.",
      "Rating": 2,
      "Type": "Address"
    }
  }
}

Human Readable Output

Created new indicator successfully:

| Confidence | Create Date | ID | Last Modified | Name | Owner | Rating | Type |
|---|---|---|---|---|---|---|---|
| 70 | 2020-05-10T09:57:18Z | 112951655 | 2020-05-10T09:57:18Z | 99.99.99.99 | Demisto Inc. | 2 | Address |

tc-create-incident


Creates a new incident group.

Base Command

tc-create-incident

Input

| Argument Name | Description | Required |
|---|---|---|
| owner | The owner of the new incident. The default is the "defaultOrg" parameter. | Optional |
| incidentName | The name of the incident group. | Required |
| eventDate | The creation time of the incident, in the "2017-03-21T00:00:00Z" format. | Optional |
| tag | The tag applied to the incident. | Optional |
| securityLabel | The security label applied to the incident. Can be "TLP:RED", "TLP:GREEN", "TLP:AMBER", or "TLP:WHITE". | Optional |
| description | The description of the incident. | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| TC.Incident.Name | string | The name of the new incident group. |
| TC.Incident.Owner | string | The owner of the new incident. |
| TC.Incident.EventDate | date | The date on which the event that indicates an incident occurred. |
| TC.Incident.Tag | string | The name of the tag of the new incident. |
| TC.Incident.SecurityLabel | string | The security label of the new incident. |
| TC.Incident.ID | Unknown | The ID of the new incident. |

Command Example

!tc-create-incident incidentName=test_incident

Context Example

{
  "TC": {
    "Incident": {
      "EventDate": "2020-05-10T09:56:52Z",
      "ID": 5156603,
      "Name": "test_incident",
      "Owner": "Demisto Inc."
    }
  }
}

Human Readable Output

Incident test_incident Created Successfully

tc-fetch-incidents


Fetches incidents from ThreatConnect.

Base Command

tc-fetch-incidents

Input

| Argument Name | Description | Required |
|---|---|---|
| incidentId | Filters the fetched incidents by ID. | Optional |
| owner | Filters the fetched incidents by owner. | Optional |
| incidentName | Filters the fetched incidents by incident name. | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| TC.Incident | string | The name of the group of fetched incidents. |
| TC.Incident.ID | string | The ID of the fetched incidents. |
| TC.Incident.Owner | string | The owner of the fetched incidents. |

Command Example

!tc-fetch-incidents incidentId=5101576

Context Example

{
  "TC": {
    "Incident": {
      "dateAdded": "2020-04-21T06:54:46Z",
      "eventDate": "2020-04-21T00:00:00Z",
      "id": 5101576,
      "name": "try",
      "ownerName": "Demisto Inc.",
      "weblink": "https://sandbox.threatconnect.com/auth/incident/incident.xhtml?incident=5101576"
    }
  },
  "ThreatConnect": {
    "incidents": [
      {
        "dateAdded": "2020-04-21T06:54:46Z",
        "eventDate": "2020-04-21T00:00:00Z",
        "id": 5101576,
        "name": "try",
        "ownerName": "Demisto Inc.",
        "type": null,
        "weblink": "https://sandbox.threatconnect.com/auth/incident/incident.xhtml?incident=5101576"
      }
    ]
  }
}

Human Readable Output

Incidents:

| Date Added | Event Date | Id | Name | Owner Name | Type | Weblink |
|---|---|---|---|---|---|---|
| 2020-04-21T06:54:46Z | 2020-04-21T00:00:00Z | 5101576 | try | Demisto Inc. | | https://sandbox.threatconnect.com/auth/incident/incident.xhtml?incident=5101576 |

tc-incident-associate-indicator


Associates an indicator with an existing incident. The indicator must exist before running this command. To add an indicator, run the tc-add-indicator command.

Base Command

tc-incident-associate-indicator

Input

| Argument Name | Description | Required |
|---|---|---|
| indicatorType | The type of the indicator. Can be "ADDRESSES", "EMAIL_ADDRESSES", "URLS", "HOSTS", "FILES", or "CUSTOM_INDICATORS". | Required |
| incidentId | The ID of the incident with which the indicator is associated. | Required |
| indicator | The name of the indicator. | Required |
| owner | Filters indicators by owner. | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the indicator. |
| TC.Indicator.ID | string | The ID of the indicator. |
| TC.Indicator.Description | string | The description of the indicator. |
| TC.Indicator.Owner | string | The owner of the indicator. |
| TC.Indicator.CreateDate | date | The date on which the associated indicator was created. |
| TC.Indicator.LastModified | date | The last date on which the associated indicator was modified. |
| TC.Indicator.Rating | number | The threat rating of the indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the indicator. |
| TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
| TC.Indicator.File.MD5 | string | The MD5 hash of the file indicator. |
| TC.Indicator.File.SHA1 | string | The SHA1 hash of the file indicator. |
| TC.Indicator.File.SHA256 | string | The SHA256 hash of the file indicator. |
| IP.Address | string | The IP address of the associated indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |
| URL.Data | string | The data of the URL of the associated indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |
| Domain.Name | string | The name of the domain indicator. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the full description. |

Command Example

!tc-incident-associate-indicator indicator=99.99.99.99 indicatorType=ADDRESSES incidentId=5101577

Context Example

{
  "TC": {
    "Incident": {
      "dateAdded": "2020-04-21T07:03:56Z",
      "eventDate": "2020-04-21T00:00:00Z",
      "id": 5101577,
      "name": "for_try",
      "ownerName": "Demisto Inc.",
      "weblink": "https://sandbox.threatconnect.com/auth/incident/incident.xhtml?incident=5101577"
    }
  }
}

Human Readable Output

Incident for_try with ID 5101577, was tagged with: 99.99.99.99

domain


Searches for an indicator of type domain.

Base Command

domain

Input

| Argument Name | Description | Required |
|---|---|---|
| domain | The name of the domain. | Required |
| owners | A comma-separated list of a client's organizations, sources, or communities to which the user has permissions. For example, users with admin permissions can search for indicators belonging to all owners. | Optional |
| ratingThreshold | Filters results to indicators whose threat rating is greater than the specified value. Can be "0" (Unknown), "1" (Suspicious), "2" (Low), "3" (Moderate), "4" (High), or "5" (Critical). | Optional |
| confidenceThreshold | Filters results to indicators whose confidence rating is greater than the specified value. Can be "0%" (Unknown), "1%" (Discredited), "2-29%" (Improbable), "30-49%" (Doubtful), "50-69%" (Possible), "70-89%" (Probable), or "90-100%" (Confirmed). | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the domain. |
| TC.Indicator.ID | string | The ID of the domain. |
| TC.Indicator.Description | string | The description of the domain. |
| TC.Indicator.Owner | string | The owner of the domain. |
| TC.Indicator.CreateDate | date | The date on which the domain indicator was created. |
| TC.Indicator.LastModified | date | The last date on which the domain indicator was modified. |
| TC.Indicator.Rating | number | The threat rating of the domain. |
| TC.Indicator.Confidence | number | The confidence rating of the domain. |
| TC.Indicator.WhoisActive | string | The active indicator (for domains only). |
| DBotScore.Indicator | string | The value assigned by DBot for the indicator. |
| DBotScore.Type | string | The type assigned by DBot for the indicator. |
| DBotScore.Score | number | The score assigned by DBot for the indicator. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| Domain.Name | string | The name of the domain. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |

Command Example

!domain domain=domain.info

Context Example

{
    "TC.Indicator": [
        {
            "Rating": 0,
            "Confidence": 0,
            "Name": "domain.info",
            "LastModified": "2020-04-23T14:42:21Z",
            "CreateDate": "2020-04-23T14:42:21Z",
            "Owner": "Demisto Inc.",
            "Active": "false",
            "Type": "Host",
            "ID": 112618314
        }
    ],
    "DBotScore": [
        {
            "Vendor": "ThreatConnect",
            "Indicator": "domain.info",
            "Score": 1,
            "Type": "domain"
        }
    ]
}

Human Readable Output

ThreatConnect Domain Reputation for: domain.info

| Active | Confidence | Create Date | ID | Last Modified | Name | Owner | Rating | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| false | 0 | 2020-04-23T14:42:21Z | 112618314 | 2020-04-23T14:42:21Z | domain.info | Demisto Inc. | 0 | Host |
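The ratingThreshold and confidenceThreshold filters above, and the instance-level rating/confidence thresholds for malicious indicators, worked through on constructed records; this is an added illustration, not the integration's own code. It assumes "greater than the specified value" is a strict comparison and that the malicious verdict requires both thresholds to be exceeded.

```python
"""Added example of the rating/confidence threshold semantics for the domain
and ip commands (not the ThreatConnect v2 integration's code)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Threat rating scale as listed for ratingThreshold on this page.
RATING_LABELS = {0: "Unknown", 1: "Suspicious", 2: "Low",
                 3: "Moderate", 4: "High", 5: "Critical"}


@dataclass(frozen=True)
class Indicator:
    name: str
    type: str        # "Host", "Address", ... as in the Context Examples
    owner: str
    rating: int      # 0-5
    confidence: int  # 0-100


def confidence_label(confidence: int) -> str:
    """Map a 0-100 confidence to the bands listed for confidenceThreshold."""
    if confidence <= 0:
        return "Unknown"
    if confidence == 1:
        return "Discredited"
    if confidence <= 29:
        return "Improbable"
    if confidence <= 49:
        return "Doubtful"
    if confidence <= 69:
        return "Possible"
    if confidence <= 89:
        return "Probable"
    return "Confirmed"


def filter_indicators(indicators: Iterable[Indicator],
                      rating_threshold: Optional[int] = None,
                      confidence_threshold: Optional[int] = None,
                      owners: Optional[str] = None) -> List[Indicator]:
    """Keep an indicator only if its rating and confidence are strictly greater
    than the given thresholds (assumed reading of "greater than the specified
    value") and, when owners (comma-separated) is given, its owner is listed."""
    if rating_threshold is not None and not 0 <= rating_threshold <= 5:
        raise ValueError("ratingThreshold must be 0-5")
    if confidence_threshold is not None and not 0 <= confidence_threshold <= 100:
        raise ValueError("confidenceThreshold must be 0-100")
    allowed = None
    if owners:
        allowed = {o.strip() for o in owners.split(",") if o.strip()}
    kept = []
    for ind in indicators:
        if rating_threshold is not None and ind.rating <= rating_threshold:
            continue
        if confidence_threshold is not None and ind.confidence <= confidence_threshold:
            continue
        if allowed is not None and ind.owner not in allowed:
            continue
        kept.append(ind)
    return kept


def is_malicious(ind: Indicator, rating_threshold: int, confidence_threshold: int) -> bool:
    """Assumed instance-level rule: both the rating and the confidence must
    exceed the thresholds configured on the integration instance."""
    return ind.rating > rating_threshold and ind.confidence > confidence_threshold


# Constructed sample set; the first record mirrors the domain.info Context Example.
SAMPLE = [
    Indicator("domain.info", "Host", "Demisto Inc.", 0, 0),
    Indicator("example-a.test", "Host", "Demisto Inc.", 4, 85),  # constructed
    Indicator("example-b.test", "Host", "Other Org", 5, 95),     # constructed
]

if __name__ == "__main__":
    for ind in filter_indicators(SAMPLE, rating_threshold=2, confidence_threshold=49):
        print(ind.name, RATING_LABELS[ind.rating], confidence_label(ind.confidence),
              "malicious" if is_malicious(ind, 3, 70) else "not malicious")
```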

tc-get-incident-associate-indicators


Returns indicators that are related to a specific incident.

Base Command

tc-get-incident-associate-indicators

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incidentId | The ID of the incident. | Required |
| owner | The owner by which to filter the returned indicators. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Indicator.Name | string | The name of the returned indicator. |
| TC.Indicator.Type | string | The type of the returned indicator. |
| TC.Indicator.ID | string | The ID of the returned indicator. |
| TC.Indicator.Description | string | The description of the returned indicator. |
| TC.Indicator.Owner | string | The owner of the returned indicator. |
| TC.Indicator.CreateDate | date | The date on which the returned indicator was created. |
| TC.Indicator.LastModified | date | The last date on which the returned indicator was modified. |
| TC.Indicator.Rating | number | The threat rating of the returned indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the returned indicator. |
| TC.Indicator.WhoisActive | string | Whether the WHOIS record is active (domains only). |
| TC.Indicator.File.MD5 | string | The MD5 hash of the file indicator. |
| TC.Indicator.File.SHA1 | string | The SHA1 hash of the file indicator. |
| TC.Indicator.File.SHA256 | string | The SHA256 hash of the file indicator. |
| DBotScore.Indicator | string | The value assigned by DBot for the indicator. |
| DBotScore.Type | string | The type assigned by DBot for the indicator. |
| DBotScore.Score | number | The score assigned by DBot for the indicator. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| IP.Address | string | The IP address of the returned indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |
| URL.Data | string | The URL of the returned indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |
| Domain.Name | string | The name of the domain. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the full description. |

Command Example

!tc-get-incident-associate-indicators incidentId=5101576 owner="Demisto Inc."

Context Example

{
    "TC.Indicator": [
        {
            "Rating": 0,
            "Confidence": 0,
            "Name": "88.88.88.88",
            "LastModified": "2020-04-27T04:57:20Z",
            "CreateDate": "2020-04-27T04:57:20Z",
            "Owner": "Demisto Inc.",
            "Type": "Address",
            "ID": 112677927
        }
    ],
    "DBotScore": [
        {
            "Vendor": "ThreatConnect",
            "Indicator": "88.88.88.88",
            "Score": 1,
            "Type": "ip"
        }
    ]
}

Human Readable Output

Incident Associated Indicators:

| Confidence | Create Date | ID | Last Modified | Name | Owner | Rating | Type |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 0 | 2020-04-27T04:57:20Z | 112677927 | 2020-04-27T04:57:20Z | 88.88.88.88 | Demisto Inc. | 0 | Address |

tc-update-indicator


Updates the indicator in ThreatConnect.

Base Command

tc-update-indicator

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator | The name of the indicator to update. | Required |
| rating | The threat rating of the updated indicator. | Optional |
| confidence | The confidence rating of the updated indicator. | Optional |
| size | The file size of the updated indicator. | Optional |
| dnsActive | Whether DNS is active for the indicator (hosts only). | Optional |
| whoisActive | Whether the WHOIS record is active (hosts only). | Optional |
| updatedValues | A comma-separated list of field:value pairs to update. For example, "rating=3", "confidence=42", and "description=helloWorld". | Optional |
| falsePositive | Whether the updated indicator is set as a false positive. Can be "True" or "False". | Optional |
| observations | The number of observations of the updated indicator. | Optional |
| securityLabel | The security label applied to the indicator. Can be "TLP:RED", "TLP:GREEN", "TLP:AMBER", or "TLP:WHITE". | Optional |
| threatAssessConfidence | Assesses the confidence rating of the indicator. | Optional |
| threatAssessRating | Assesses the threat rating of the indicator. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the indicator. |
| TC.Indicator.ID | string | The ID of the indicator. |
| TC.Indicator.Description | string | The description of the indicator. |
| TC.Indicator.Owner | string | The owner of the indicator. |
| TC.Indicator.CreateDate | date | The date on which the indicator was created. |
| TC.Indicator.LastModified | date | The last date on which the indicator was modified. |
| TC.Indicator.Rating | number | The threat rating of the indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the indicator. |
| TC.Indicator.WhoisActive | string | Whether the WHOIS record is active (domains only). |
| TC.Indicator.File.MD5 | string | The MD5 hash of the file indicator. |
| TC.Indicator.File.SHA1 | string | The SHA1 hash of the file indicator. |
| TC.Indicator.File.SHA256 | string | The SHA256 hash of the file indicator. |
| IP.Address | string | The IP address of the indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |
| URL.Data | string | The URL of the indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |
| Domain.Name | string | The domain name of the indicator. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the full description. |

Command Example

!tc-update-indicator indicator=99.99.99.99 rating=1

Context Example

{
"TC": {
"Indicator": {
"Confidence": 70,
"CreateDate": "2020-05-10T09:57:18Z",
"ID": 112951655,
"LastModified": "2020-05-10T09:57:25Z",
"Name": "99.99.99.99",
"Owner": "Demisto Inc.",
"Rating": 1,
"Type": "Address"
}
}
}

Human Readable Output

Indicator 112951655 Updated Successfully
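A parser for the updatedValues argument of tc-update-indicator, as an added example rather than the integration's own code: it validates each comma-separated pair against the ranges this page states (rating 0-5, confidence 0-100, the four TLP labels) before anything is sent to ThreatConnect. Treating the field list as closed (the command's other arguments plus description) is an assumption of this example.

```python
"""Added example: validate the updatedValues pairs of tc-update-indicator
(not the ThreatConnect v2 integration's code)."""
import re
from typing import Any, Dict

# Assumed closed field list: the command's other arguments plus "description",
# which the page's own example uses.
ALLOWED_FIELDS = {
    "rating", "confidence", "description", "size", "dnsActive", "whoisActive",
    "falsePositive", "observations", "securityLabel",
}
TLP_LABELS = {"TLP:RED", "TLP:AMBER", "TLP:GREEN", "TLP:WHITE"}
BOOL_FIELDS = {"dnsActive", "whoisActive", "falsePositive"}
COUNT_FIELDS = {"size", "observations"}
# The docs call the pairs "field:value" but write them as "field=value",
# so both separators are accepted.
PAIR_RE = re.compile(r"^(\w+)\s*[=:]\s*(.*)$")


def coerce(field: str, value: str) -> Any:
    """Validate and convert one value according to the documented range."""
    if field == "rating":
        n = int(value)
        if not 0 <= n <= 5:
            raise ValueError("rating must be 0-5")
        return n
    if field == "confidence":
        n = int(value)
        if not 0 <= n <= 100:
            raise ValueError("confidence must be 0-100")
        return n
    if field in COUNT_FIELDS:
        n = int(value)
        if n < 0:
            raise ValueError(f"{field} must not be negative")
        return n
    if field in BOOL_FIELDS:
        if value.lower() not in ("true", "false"):
            raise ValueError(f"{field} must be True or False")
        return value.lower() == "true"
    if field == "securityLabel":
        label = value.upper()
        if label not in TLP_LABELS:
            raise ValueError(f"unknown security label: {value}")
        return label
    return value  # description: free text


def parse_updated_values(raw: str) -> Dict[str, Any]:
    """Parse 'field=value,field=value' into a validated dict, rejecting
    malformed, unknown and duplicate fields instead of silently dropping them.
    A comma-separated format cannot carry a description that itself contains
    a comma; such text belongs in a dedicated description update."""
    updates: Dict[str, Any] = {}
    for pair in raw.split(","):
        pair = pair.strip()
        if not pair:
            continue
        m = PAIR_RE.match(pair)
        if not m:
            raise ValueError(f"malformed pair: {pair!r}")
        field, value = m.group(1), m.group(2).strip()
        if field not in ALLOWED_FIELDS:
            raise ValueError(f"unknown field: {field}")
        if field in updates:
            raise ValueError(f"duplicate field: {field}")
        updates[field] = coerce(field, value)
    return updates


if __name__ == "__main__":
    # The page's own example pairs, constructed into one argument string.
    print(parse_updated_values("rating=3, confidence=42, description=helloWorld"))
```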

tc-delete-indicator-tag


Removes a tag from a specified indicator.

Base Command

tc-delete-indicator-tag

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator | The name of the indicator from which to remove a tag. | Required |
| tag | The name of the tag to remove from the indicator. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Indicator.Name | string | The name of the indicator. |
| TC.Indicator.Type | string | The type of the indicator. |
| TC.Indicator.ID | string | The ID of the indicator. |
| TC.Indicator.Description | string | The description of the indicator. |
| TC.Indicator.Owner | string | The owner of the indicator. |
| TC.Indicator.CreateDate | date | The date on which the indicator was created. |
| TC.Indicator.LastModified | date | The last date on which the indicator was modified. |
| TC.Indicator.Rating | number | The threat rating of the indicator. |
| TC.Indicator.Confidence | number | The confidence rating of the indicator. |
| TC.Indicator.WhoisActive | string | Whether the WHOIS record is active (domains only). |
| TC.Indicator.File.MD5 | string | The MD5 hash of the file indicator. |
| TC.Indicator.File.SHA1 | string | The SHA1 hash of the file indicator. |
| TC.Indicator.File.SHA256 | string | The SHA256 hash of the file indicator. |
| IP.Address | string | The IP address of the indicator. |
| IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision. |
| IP.Malicious.Description | string | For malicious IP addresses, the full description. |
| URL.Data | string | The URL of the indicator. |
| URL.Malicious.Vendor | string | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | string | For malicious URLs, the full description. |
| Domain.Name | string | The domain name of the indicator. |
| Domain.Malicious.Vendor | string | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | string | For malicious domains, the full description. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the full description. |

Command Example

!tc-delete-indicator-tag indicator=99.99.99.99 tag="malicious ip"

Context Example

{
"TC": {
"Indicator": {
"Confidence": 70,
"CreateDate": "2020-05-10T09:57:18Z",
"ID": 112951655,
"LastModified": "2020-05-10T09:57:18Z",
"Name": "99.99.99.99",
"Owner": "Demisto Inc.",
"Rating": 2,
"Type": "Address"
}
}
}

Human Readable Output

Removed tag malicious ip from indicator 99.99.99.99.

tc-delete-indicator


Deletes an indicator from ThreatConnect.

Base Command

tc-delete-indicator

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator | The name of the indicator to delete. | Required |

Context Output

There is no context output for this command.

Command Example

!tc-delete-indicator indicator=99.99.99.99

Context Example

{}

Human Readable Output

Indicator 99.99.99.99 removed Successfully

tc-create-campaign


Creates a group based on the "Campaign" type.

Base Command

tc-create-campaign

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| name | The name of the campaign group. | Required |
| firstSeen | The earliest date on which the campaign was seen. | Optional |
| owner | The owner of the new campaign. The default is the "defaultOrg" parameter. | Optional |
| description | The description of the campaign. | Optional |
| tag | The name of the tag to apply to the campaign. | Optional |
| securityLabel | The security label of the campaign. For example, "TLP:Green". | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Campaign.Name | string | The name of the campaign. |
| TC.Campaign.Owner | string | The owner of the campaign. |
| TC.Campaign.FirstSeen | date | The earliest date on which the campaign was seen. |
| TC.Campaign.Tag | string | The tag of the campaign. |
| TC.Campaign.SecurityLevel | string | The security label of the campaign. |
| TC.Campaign.ID | string | The ID of the campaign. |

Command Example

!tc-create-campaign name=test_campaign description="test campaign"

Context Example

{
"TC": {
"Campaign": {
"FirstSeen": "2020-05-10T00:00:00Z",
"ID": 5156601,
"Name": "test_campaign",
"Owner": "Demisto Inc."
}
}
}

Human Readable Output

Campaign test_campaign Created Successfully

tc-create-event


Creates a group based on the "Event" type.

Base Command

tc-create-event

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| name | The name of the event group. | Required |
| eventDate | The date on which the event occurred. If the date is not specified, the current date is used. | Optional |
| status | The status of the event. Can be "Needs Review", "False Positive", "No Further Action", or "Escalated". | Optional |
| owner | The owner of the event. | Optional |
| description | The description of the event. | Optional |
| tag | The tag of the event. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Event.Name | string | The name of the event. |
| TC.Event.Date | date | The date of the event. |
| TC.Event.Status | string | The status of the event. |
| TC.Event.Owner | string | The owner of the event. |
| TC.Event.Tag | string | The tag of the event. |
| TC.Event.ID | string | The ID of the event. |

Command Example

!tc-create-event name=test_event

Context Example

{
"TC": {
"Event": {
"Date": "2020-05-10T09:56:50Z",
"ID": 5156602,
"Name": "test_event",
"Owner": "Demisto Inc."
}
}
}

Human Readable Output

Incident test_event Created Successfully

tc-create-threat


Creates a group based on the "Threats" type.

Base Command

tc-create-threat

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| name | The name of the threat group. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Threat.Name | string | The name of the threat. |
| TC.Threat.ID | string | The ID of the threat. |

Command Example

!tc-create-threat name=test_threat

Context Example

{
"TC": {
"Threat": {
"ID": 5156604,
"Name": "test_threat"
}
}
}

Human Readable Output

Threat test_threat Created Successfully

tc-delete-group


Deletes a group.

Base Command

tc-delete-group

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| groupID | The ID of the group to delete. | Required |
| type | The type of the group to delete. Can be "Incidents", "Events", "Campaigns", or "Threats". | Required |

Context Output

There is no context output for this command.

Command Example

!tc-delete-group groupID=5101578 type=Campaigns

Human Readable Output

campaigns 5101578 deleted Successfully

tc-add-group-attribute


Adds an attribute to a specified group.

Base Command

tc-add-group-attribute

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| group_id | The ID of the group to which to add attributes. To get the ID of the group, run the tc-get-groups command. | Required |
| attribute_type | The type of attribute to add to the group. The type is located in the UI in a specific group or under Org Config. | Required |
| attribute_value | The value of the attribute. | Required |
| group_type | The type of the group. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Group.DateAdded | Date | The date on which the attribute was added. |
| TC.Group.LastModified | Date | The date on which the added attribute was last modified. |
| TC.Group.Type | String | The type of the group to which the attribute was added. |
| TC.Group.Value | String | The value of the attribute added to the group. |
| TC.Group.ID | Number | The ID of the group to which the attribute was added. |

Command Example

!tc-add-group-attribute group_id=5101576 group_type=incidents attribute_type=description attribute_value="test add group attribute"

Context Example

{
"TC": {
"Group": {
"DateAdded": "2020-05-10T09:57:00Z",
"ID": 23379726,
"LastModified": "2020-05-10T09:57:00Z",
"Type": "Description",
"Value": "test add group attribute"
}
}
}

Human Readable Output

The attribute was added successfully to group 5101576

| Type | Value | ID | DateAdded | LastModified |
| --- | --- | --- | --- | --- |
| Description | test add group attribute | 23379726 | 2020-05-10T09:57:00Z | 2020-05-10T09:57:00Z |

tc-get-events


Returns a list of events.

Base Command

tc-get-events

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Event.DateAdded | Date | The date on which the event was added. |
| TC.Event.EventDate | Date | The date on which the event occurred. |
| TC.Event.ID | Number | The ID of the event. |
| TC.Event.OwnerName | String | The name of the owner of the event. |
| TC.Event.Status | String | The status of the event. |

Command Example

!tc-get-events

Context Example

{
"TC": {
"Event": [
{
"DateAdded": "2020-05-10T09:56:51Z",
"EventDate": "2020-05-10T09:56:50Z",
"ID": 5156602,
"Name": "test_event",
"OwnerName": "Demisto Inc.",
"Status": "Needs Review"
},
{
"DateAdded": "2020-05-10T05:07:52Z",
"EventDate": "2020-05-10T05:07:51Z",
"ID": 5156545,
"Name": "MyTest",
"OwnerName": "Demisto Inc.",
"Status": "Needs Review"
}
]
}
}

Human Readable Output

ThreatConnect Events

| ID | Name | OwnerName | EventDate | DateAdded | Status |
| --- | --- | --- | --- | --- | --- |
| 5156602 | test_event | Demisto Inc. | 2020-05-10T09:56:50Z | 2020-05-10T09:56:51Z | Needs Review |
| 5156545 | MyTest | Demisto Inc. | 2020-05-10T05:07:51Z | 2020-05-10T05:07:52Z | Needs Review |

tc-get-groups


Returns all groups, filtered by the group type.

Base Command

tc-get-groups

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| group_type | The type of the group. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Group.DateAdded | Date | The date on which the group was added. |
| TC.Group.EventDate | Date | The date on which the event occurred. |
| TC.Group.Name | String | The name of the group. |
| TC.Group.OwnerName | String | The name of the owner of the group. |
| TC.Group.Status | String | The status of the group. |
| TC.Group.ID | Number | The ID of the group. |

Command Example

!tc-get-groups group_type=incidents

Context Example

{
"TC": {
"Group": [
{
"DateAdded": "2020-05-10T09:56:52Z",
"EventDate": "2020-05-10T00:00:00Z",
"ID": 5156603,
"Name": "test_incident",
"OwnerName": "Demisto Inc.",
"Status": null
},
{
"DateAdded": "2020-05-10T09:54:44Z",
"EventDate": "2020-05-10T00:00:00Z",
"ID": 5156599,
"Name": "test_incident",
"OwnerName": "Demisto Inc.",
"Status": null
},
{
"DateAdded": "2020-05-10T09:47:58Z",
"EventDate": "2020-05-10T00:00:00Z",
"ID": 5156595,
"Name": "test_incident",
"OwnerName": "Demisto Inc.",
"Status": null
}
]
}
}

Human Readable Output

ThreatConnect incidents

| ID | Name | OwnerName | EventDate | DateAdded |
| --- | --- | --- | --- | --- |
| 5156603 | test_incident | Demisto Inc. | 2020-05-10T00:00:00Z | 2020-05-10T09:56:52Z |
| 5156599 | test_incident | Demisto Inc. | 2020-05-10T00:00:00Z | 2020-05-10T09:54:44Z |
| 5156595 | test_incident | Demisto Inc. | 2020-05-10T00:00:00Z | 2020-05-10T09:47:58Z |

tc-add-group-security-label


Adds a security label to a group.

Base Command

tc-add-group-security-label

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| group_id | The ID of the group to which to add the security label. To get the ID, run the tc-get-groups command. | Required |
| group_type | The type of the group to which to add the security label. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
| security_label_name | The name of the security label to add to the group. For example, "TLP:GREEN". | Required |

Context Output

There is no context output for this command.

Command Example

!tc-add-group-security-label group_id=5101576 group_type=incidents security_label_name=TLP:GREEN

Context Example

{}

Human Readable Output

The security label TLP:GREEN was added successfully to incidents 5101576

tc-add-group-tag


Adds tags to a specified group.

Base Command

tc-add-group-tag

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| group_id | The ID of the group to which to add the tag. To get the ID, run the tc-get-groups command. | Required |
| group_type | The type of the group to which to add the tag. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
| tag_name | The name of the tag to add to the group. | Required |

Context Output

There is no context output for this command.

Command Example

!tc-add-group-tag group_id=5101576 group_type=incidents tag_name="malicious ip"

Context Example

{}

Human Readable Output

The tag malicious ip was added successfully to group incidents 5101576

tc-get-indicator-types


Returns all indicator types available.

Base Command

tc-get-indicator-types

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.IndicatorType.ApiBranch | String | The branch of the API. |
| TC.IndicatorType.ApiEntity | String | The entity of the API. |
| TC.IndicatorType.CasePreference | String | The case preference of the indicator. For example, "sensitive", "upper", or "lower". |
| TC.IndicatorType.Custom | Boolean | Whether the indicator is a custom indicator. |
| TC.IndicatorType.Parsable | Boolean | Whether the indicator can be parsed. |
| TC.IndicatorType.Value1Type | String | The name of the indicator. |
| TC.IndicatorType.Value1Label | String | The value label of the indicator. |

Command Example

!tc-get-indicator-types

Context Example

{
"TC": {
"IndicatorType": [
{
"ApiBranch": "addresses",
"ApiEntity": "address",
"CasePreference": null,
"Custom": "false",
"Name": "Address",
"Parsable": "true",
"Value1Label": null,
"Value1Type": null
},
{
"ApiBranch": "files",
"ApiEntity": "file",
"CasePreference": null,
"Custom": "false",
"Name": "File",
"Parsable": "true",
"Value1Label": "MD5",
"Value1Type": "text"
},
{
"ApiBranch": "hosts",
"ApiEntity": "host",
"CasePreference": null,
"Custom": "false",
"Name": "Host",
"Parsable": "true",
"Value1Label": null,
"Value1Type": null
},
{
"ApiBranch": "urls",
"ApiEntity": "url",
"CasePreference": null,
"Custom": "false",
"Name": "URL",
"Parsable": "true",
"Value1Label": null,
"Value1Type": null
}
]
}
}

Human Readable Output

ThreatConnect indicator types

| Name | Custom | Parsable | ApiBranch | CasePreference | Value1Type |
| --- | --- | --- | --- | --- | --- |
| Address | false | true | addresses | | |
| File | false | true | files | | text |
| Host | false | true | hosts | | |
| URL | false | true | urls | | |

tc-group-associate-indicator


Associates an indicator with a group.

Base Command

tc-group-associate-indicator

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_type | The type of the indicator. To get the available types, run the tc-get-indicator-types command. The type must be spelled as displayed in the ApiBranch column of the UI. | Required |
| indicator | The name of the indicator. For example, with indicator_type=emailAddresses, indicator=a@a.co.il. | Required |
| group_type | The type of the group. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
| group_id | The ID of the group. To get the ID of the group, run the tc-get-groups command. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Group.GroupID | Number | The ID of the group. |
| TC.Group.GroupType | String | The type of the group. |
| TC.Group.Indicator | String | The name of the indicator. |
| TC.Group.IndicatorType | String | The type of the indicator. |

Command Example

!tc-group-associate-indicator indicator_type=addresses group_id=5101576 group_type=incidents indicator=99.99.99.99

Human Readable Output

tc-create-document-group


Creates a document group.

Base Command

tc-create-document-group

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file_name | The name of the file to display in the UI. | Required |
| name | The name of the file. | Required |
| malware | Whether the file is malware. If "true", ThreatConnect creates a password-protected ZIP file on your local machine that contains the sample and uploads the ZIP file. | Optional |
| password | The password of the ZIP file. | Optional |
| security_label | The security label of the group. | Optional |
| description | A description of the group. | Optional |
| entry_id | The entry ID of the file, as displayed in the War Room. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Group.Name | String | The name of the group. |
| TC.Group.Owner | String | The owner of the group. |
| TC.Group.EventDate | Date | The date on which the group was created. |
| TC.Group.Description | String | The description of the group. |
| TC.Group.SecurityLabel | String | The security label of the group. |
| TC.Group.ID | Number | The ID of the group. |

Command Example

!tc-create-document-group entry_id=11@11 file_name=test.txt name=test_document

Human Readable Output

tc-get-group


Retrieves a single group.

Base Command

tc-get-group

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| group_type | The type of the group to retrieve. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
| group_id | The ID of the group to retrieve. To get the ID, run the tc-get-groups command. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Group.DateAdded | Date | The date on which the group was added. |
| TC.Group.EventDate | Date | The date on which the event occurred. |
| TC.Group.Name | String | The name of the group. |
| TC.Group.Owner.ID | Number | The ID of the group owner. |
| TC.Group.Owner.Name | String | The name of the group owner. |
| TC.Group.Owner.Type | String | The type of the owner. |
| TC.Group.Status | String | The status of the group. |

Command Example

!tc-get-group group_id=5101576 group_type=incidents

Context Example

{
"TC": {
"Group": {
"DateAdded": "2020-04-21T06:54:46Z",
"EventDate": "2020-04-21T00:00:00Z",
"ID": 5101576,
"Name": "try",
"Owner": {
"ID": 737,
"Name": "Demisto Inc.",
"Type": "Organization"
},
"Status": null
}
}
}

Human Readable Output

ThreatConnect Group information

| DateAdded | EventDate | ID | Name | Owner |
| --- | --- | --- | --- | --- |
| 2020-04-21T06:54:46Z | 2020-04-21T00:00:00Z | 5101576 | try | Name: Demisto Inc., ID: 737, Type: Organization |

tc-get-group-attributes


Retrieves the attributes of a group.

Base Command

tc-get-group-attributes

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| group_type | The type of group for which to return the attributes. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
| group_id | The ID of the group for which to return the attributes. To get the ID, run the tc-get-groups command. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Group.Attribute.DateAdded | Date | The date on which the attribute was added. |
| TC.Group.Attribute.Displayed | Boolean | Whether the attribute is displayed in the UI. |
| TC.Group.Attribute.AttributeID | Number | The ID of the attribute. |
| TC.Group.Attribute.LastModified | Date | The date on which the attribute was last modified. |
| TC.Group.Attribute.Type | String | The type of the attribute. |
| TC.Group.Attribute.Value | String | The value of the attribute. |

Command Example

!tc-get-group-attributes group_id=5101576 group_type=incidents

Context Example

{
"TC": {
"Group": {
"Attribute": [
{
"AttributeID": 23379726,
"DateAdded": "2020-05-10T09:57:00Z",
"Displayed": true,
"GroupID": 5101576,
"LastModified": "2020-05-10T09:57:00Z",
"Type": "Description",
"Value": "test add group attribute"
},
{
"AttributeID": 23379725,
"DateAdded": "2020-05-10T09:54:51Z",
"Displayed": false,
"GroupID": 5101576,
"LastModified": "2020-05-10T09:54:51Z",
"Type": "Description",
"Value": "test add group attribute"
}
]
}
}
}

Human Readable Output

ThreatConnect Group Attributes

| AttributeID | Type | Value | DateAdded | LastModified | Displayed |
| --- | --- | --- | --- | --- | --- |
| 23379726 | Description | test add group attribute | 2020-05-10T09:57:00Z | 2020-05-10T09:57:00Z | true |
| 23379725 | Description | test add group attribute | 2020-05-10T09:54:51Z | 2020-05-10T09:54:51Z | false |

tc-get-group-security-labels


Retrieves the security labels of a group.

Base Command

tc-get-group-security-labels

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| group_type | The type of group for which to return the security labels. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
| group_id | The ID of the group for which to return the security labels. To get the ID, run the tc-get-groups command. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Group.SecurityLabel.Name | String | The name of the security label. |
| TC.Group.SecurityLabel.Description | String | The description of the security label. |
| TC.Group.SecurityLabel.DateAdded | Date | The date on which the security label was added. |

Command Example

!tc-get-group-security-labels group_id=5101576 group_type=incidents

Context Example

{
"TC": {
"Group": {
"SecurityLabel": {
"DateAdded": "2016-08-31T00:00:00Z",
"Description": "This security label is used for information that is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.",
"GroupID": 5101576,
"Name": "TLP:GREEN"
}
}
}
}

Human Readable Output

ThreatConnect Group Security Labels

| Name | Description | DateAdded |
| --- | --- | --- |
| TLP:GREEN | This security label is used for information that is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. | 2016-08-31T00:00:00Z |

tc-get-group-tags


Retrieves the tags of a group.

Base Command

tc-get-group-tags

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| group_type | The type of group for which to return the tags. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
| group_id | The ID of the group for which to return the tags. To get the ID, run the tc-get-groups command. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Group.Tag.Name | String | The name of the tag. |

Command Example

!tc-get-group-tags group_id=5101576 group_type=incidents

Context Example

{
"TC": {
"Group": {
"Tag": {
"GroupID": 5101576,
"Name": "malicious ip"
}
}
}
}

Human Readable Output

ThreatConnect Group Tags

Name
malicious ip

tc-download-document


Downloads the contents of a document.

Base Command

tc-download-document

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| document_id | The ID of the document. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.Size | Number | The size of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.Name | String | The name of the file. |
| File.SSDeep | String | The ssdeep hash of the file (same as displayed in file entries). |
| File.EntryID | String | The entry ID of the file. |
| File.Info | String | The information of the file. |
| File.Type | String | The type of the file. |
| File.MD5 | String | The MD5 hash of the file. |
| File.Extension | String | The extension of the file. |

Command Example

!tc-download-document document_id=12345

Human Readable Output

tc-get-group-indicators


Returns indicators associated with a group.

Base Command

tc-get-group-indicators

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| group_type | The type of the group for which to return the indicators. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
| group_id | The ID of the group for which to return the indicators. To get the ID, run the tc-get-groups command. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Group.Indicator.Summary | String | The summary of the indicator. |
| TC.Group.Indicator.ThreatAssessConfidence | String | The threat-assess confidence rating of the indicator. |
| TC.Group.Indicator.IndicatorID | Number | The ID of the indicator. |
| TC.Group.Indicator.DateAdded | Date | The date on which the indicator was added. |
| TC.Group.Indicator.Type | String | The type of the indicator. |
| TC.Group.Indicator.Rating | Number | The threat rating of the indicator. |
| TC.Group.Indicator.ThreatAssertRating | Number | The threat-assess rating of the indicator. |
| TC.Group.Indicator.OwnerName | String | The name of the owner of the indicator. |
| TC.Group.Indicator.LastModified | Date | The date on which the indicator was last modified. |

Command Example

!tc-get-group-indicators group_type="incidents" group_id="5110299"

Context Example

{
    "TC.Group.Indicator": [
        {
            "Rating": 0,
            "Confidence": 0,
            "DateAdded": "2020-04-27T04:57:20Z",
            "ThreatAssessConfidence": 53,
            "LastModified": "2020-04-27T04:57:20Z",
            "ThreatAssertRating": 3,
            "Summary": "88.88.88.88",
            "OwnerName": "Demisto Inc.",
            "IndicatorID": 112677927,
            "Type": "Address",
            "GroupID": 5110299
        }
    ]
}

Human Readable Output

ThreatConnect Group Indicators

| Confidence | DateAdded | GroupID | IndicatorID | LastModified | OwnerName | Rating | Summary | ThreatAssertRating | ThreatAssessConfidence | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 0 | 2020-04-27T04:57:20Z | 5110299 | 112677927 | 2020-04-27T04:57:20Z | Demisto Inc. | 0.0 | 88.88.88.88 | 3.0 | 53.0 | Address |

tc-get-associated-groups


Returns the groups associated with a specified group.

Base Command

tc-get-associated-groups

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| group_type | The type of group. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
| group_id | The ID of the group. To get the ID, run the tc-get-groups command. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Group.AssociatedGroup.DateAdded | Date | The date on which the associated group was added. |
| TC.Group.AssociatedGroup.GroupID | Number | The ID of the associated group. |
| TC.Group.AssociatedGroup.Name | String | The name of the associated group. |
| TC.Group.AssociatedGroup.OwnerName | String | The name of the owner of the associated group. |
| TC.Group.AssociatedGroup.Type | String | The type of the associated group, for example "Incident". |

Command Example

!tc-get-associated-groups group_id=5101576 group_type=incidents

Context Example

{
    "TC": {
        "Group": {
            "AssociatedGroup": {
                "DateAdded": "2020-04-27T05:03:28Z",
                "GroupID": 5110299,
                "Name": "test_as",
                "OwnerName": "Demisto Inc.",
                "Type": "Incident"
            }
        }
    }
}

Human Readable Output

ThreatConnect Associated Groups

| GroupID | Name | Type | OwnerName | DateAdded |
| --- | --- | --- | --- | --- |
| 5110299 | test_as | Incident | Demisto Inc. | 2020-04-27T05:03:28Z |

tc-associate-group-to-group


Associates one group with another group.

Base Command

tc-associate-group-to-group

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| group_type | The type of the group. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
| group_id | The ID of the group. To get the ID of the group, run the tc-get-groups command. | Required |
| associated_group_type | The type of the group to associate. Can be "adversaries", "campaigns", "documents", "emails", "events", "incidents", "intrusionSets", "reports", "signatures", or "threats". | Required |
| associated_group_id | The ID of the group to associate. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Group.AssociatedGroup.AssociatedGroupID | Number | The ID of the associated group. |
| TC.Group.AssociatedGroup.AssociatedGroupType | String | The type of the associated group. |
| TC.Group.AssociatedGroup.GroupID | Number | The ID of the group to associate to. |
| TC.Group.AssociatedGroup.GroupType | String | The type of the group to associate to. |

Command Example

!tc-associate-group-to-group group_id=5101576 group_type=incidents associated_group_id=5101578 associated_group_type=campaigns

Context Example

{
    "TC.Group.AssociatedGroup": {
        "GroupType": "incidents",
        "AssociatedGroupID": 5101578,
        "AssociatedGroupType": "campaigns",
        "GroupID": 5101576
    }
}

Human Readable Output

The group 5101578 was associated successfully.
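Two practical details of tc-get-associated-groups and tc-associate-group-to-group are easy to trip over in a playbook: the command arguments take the plural, lowercase type ("incidents"), while the context output reports the singular display type ("Incident"), and a group with a single association comes back as a dict rather than a list. The snippet below is an added example, not code from the ThreatConnect v2 integration; it reads TC.Group.AssociatedGroup as returned by tc-get-associated-groups and emits only the tc-associate-group-to-group commands that are still needed, so a re-run playbook does not re-associate groups that are already linked. Only the "incidents" to "Incident" mapping is confirmed by the page's context example; the other entries of TYPE_ARG_TO_CONTEXT are assumptions by analogy, the sample context is constructed from the page's example, and the function names are illustrative.

```python
"""Plan tc-associate-group-to-group calls from tc-get-associated-groups output.

Added example, not part of the ThreatConnect v2 integration; function names
are illustrative. Associations already present in the context are skipped.
"""
from typing import Any, Dict, Iterable, List, Set, Tuple

# group_type argument (plural, lowercase) -> Type string in the context output.
# The page confirms only "incidents" -> "Incident"; the remaining pairs are
# assumed by analogy and should be checked against your own instance.
TYPE_ARG_TO_CONTEXT: Dict[str, str] = {
    "adversaries": "Adversary",
    "campaigns": "Campaign",
    "documents": "Document",
    "emails": "Email",
    "events": "Event",
    "incidents": "Incident",
    "intrusionSets": "Intrusion Set",
    "reports": "Report",
    "signatures": "Signature",
    "threats": "Threat",
}

# Constructed sample: the page's context example. It is a single dict, not a
# list, because only one associated group was returned.
SAMPLE_CONTEXT: Dict[str, Any] = {
    "TC": {
        "Group": {
            "AssociatedGroup": {
                "DateAdded": "2020-04-27T05:03:28Z",
                "GroupID": 5110299,
                "Name": "test_as",
                "OwnerName": "Demisto Inc.",
                "Type": "Incident",
            }
        }
    }
}


def as_list(value: Any) -> List[Dict[str, Any]]:
    """XSOAR stores one context result as a dict and several as a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def existing_associations(context: Dict[str, Any]) -> Set[Tuple[str, int]]:
    """(Type, GroupID) pairs already associated, as reported in the context."""
    groups = as_list(context.get("TC", {}).get("Group", {}).get("AssociatedGroup"))
    return {(g["Type"], int(g["GroupID"])) for g in groups}


def plan_associations(context: Dict[str, Any], group_type: str, group_id: int,
                      desired: Iterable[Tuple[str, int]]) -> List[str]:
    """Return one !tc-associate-group-to-group command per desired
    (associated_group_type, associated_group_id) pair not already present."""
    if group_type not in TYPE_ARG_TO_CONTEXT:
        raise ValueError(f"unknown group_type {group_type!r}")
    have = existing_associations(context)
    commands: List[str] = []
    for assoc_type, assoc_id in desired:
        if assoc_type not in TYPE_ARG_TO_CONTEXT:
            raise ValueError(f"unknown associated_group_type {assoc_type!r}")
        if (TYPE_ARG_TO_CONTEXT[assoc_type], int(assoc_id)) in have:
            continue  # already associated; skip to keep the playbook idempotent
        commands.append(
            f"!tc-associate-group-to-group group_id={group_id} group_type={group_type} "
            f"associated_group_id={assoc_id} associated_group_type={assoc_type}"
        )
    return commands


if __name__ == "__main__":
    # Incident 5110299 is already linked, so only the campaign command is emitted.
    for cmd in plan_associations(SAMPLE_CONTEXT, "incidents", 5101576,
                                 [("incidents", 5110299), ("campaigns", 5101578)]):
        print(cmd)
```

The emitted string matches the command example on this page; in an automation you would pass the same arguments to demisto.executeCommand rather than print the CLI line.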

tc-get-indicator-owners


Returns the owners (organizations, sources, or communities) of a specified indicator.

Base Command

tc-get-indicator-owners

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator | The value of the indicator, for example an IP address. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TC.Owners.id | Number | The ID of the owner. |
| TC.Owners.name | String | The name of the owner. |
| TC.Owners.type | String | The type of the owner, for example "Organization". |

Command Example

!tc-get-indicator-owners indicator=99.99.99.99

Context Example

{
    "TC": {
        "Owners": [
            {
                "id": 737,
                "name": "Demisto Inc.",
                "type": "Organization"
            }
        ]
    }
}

Human Readable Output

ThreatConnect Owners for Indicator: 99.99.99.99

| id | name | type |
| --- | --- | --- |
| 737 | Demisto Inc. | Organization |