Cyware Orchestrate

ThreatConnect

App Vendor: ThreatConnect

App Category: Data Enrichment & Threat Intelligence, Analytics & SIEM

Connector version: V1.0.1

Platform Version: v5

API Version: v2.0.0

About App

The ThreatConnect Threat Intelligence Platform (TIP) centralizes the aggregation and management of all of your threat data. The ThreatConnect platform normalizes data from a variety of sources, adds additional context, and automates manual threat intelligence-related security processes. ThreatConnect TIP provides you with a workbench to organize and prioritize your threat data and use it to drive actions across your security team.

The ThreatConnect app is configured with the Orchestrate application to perform the following actions:

| Action Name | Description |
| --- | --- |
| Get the list of indicators | This action retrieves the list of indicators using query parameters from the ThreatConnect application. |
| Get details of an indicator | This action retrieves details of an indicator using indicator type and value from the ThreatConnect application. |
| Create an indicator | This action creates an indicator using indicator type, value, and/or additional details in the ThreatConnect application. |
| Update an indicator | This action updates the details of an indicator using indicator type, value, and additional details in the ThreatConnect application. |

Configuration Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Base URL | Enter the base URL for your ThreatConnect application. Example: "http\|https://api.threatconnect.com[:port]" | Text | Required | |
| API ID | Enter the API ID generated from your ThreatConnect application. Example: "12345678901234567890" | Text | Required | |
| API secret key | Enter the API Secret Key generated from your ThreatConnect application. Example: "PthSlXIA7rNMow1h8wShfvOnTOhxHd+7njUe4MT4ZS" | Password | Required | |

Action: Get the list of indicators

This action retrieves the list of indicators using query parameters from the ThreatConnect application.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Query parameters | Enter the filter parameters in the form of key-value pairs. | Key Value | Optional | Allowed keys: active (boolean), summary (string), dateAdded (date), rating (bigdecimal), confidence (integer), threatAssessScore (integer), threatAssessRating (double), threatAssessConfidence (double), falsePositive (integer), city (string), countryCode (string), countryName (string), organization (string), state (string), timezone (string), asn (integer), whoisActive (boolean), dnsActive (boolean) |

Example Request

[
    {
        "params": {
            "active": "True",
            "rating": 4.5
        }
    }
]

Action: Get details of an indicator

This action retrieves details of an indicator using indicator type and value from the ThreatConnect application.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Indicator type | Enter the indicator type. Example: "asns" | Text | Required | Allowed values: asns, cidrBlocks, emailAddresses, files, hosts, mutexes, registryKeys, urls, userAgents |
| Indicator value | Enter the indicator value. Example: "exampleuser@abc.com" | Text | Required | |

Example Request

[
    {
        "indicator_type": "emailAddresses",
        "indicator_value": "exampleuser@abc.com"
    }
]

Action: Create an indicator

This action creates an indicator using indicator type, value, and/or additional details in the ThreatConnect application.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Indicator type | Enter the indicator type. Example: "emailAddresses" | Text | Required | Allowed values: addresses, emailAddresses, files, hosts, urls |
| Indicator value | Enter the indicator value. Example: "exampleuser@abc.com" | Text | Optional | |
| Additional details | Enter the additional details in the form of key-value pairs. | Key Value | Optional | Allowed values: rating, confidence, active, activeLocked, md5, sha1, dnsActive, whoisActive |

Example Request

[
    {
        "indicator_type": "emailAddresses",
        "indicator_value": "exampleuser@abc.com",
        "extra_fields": {
            "confidence": "80"
        }
    }
]

Action: Update an indicator

This action updates the details of an indicator using indicator type, value and additional details in the ThreatConnect application.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Indicator type | Enter the indicator type. Example: "emailAddresses" | Text | Required | Allowed values: addresses, emailAddresses, files, urls |
| Indicator value | Enter the indicator value. Example: "exampleuser@abc.com" | Text | Required | |
| Additional details | Enter the additional details in the form of key-value pairs. | Key Value | Required | Allowed values: rating, confidence, active, activeLocked, md5, sha1, dnsActive, whoisActive |

Example Request

[
    {
        "indicator_type": "emailAddresses",
        "indicator_value": "exampleuser@abc.com",
        "extra_fields": {
            "confidence": "80"
        }
    }
]
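
The following Python code is an added example, not part of the connector or of any Cyware or ThreatConnect code: it checks action inputs against the allowed indicator types, additional-detail keys, and query-parameter types listed for the four actions above, so that a playbook can reject malformed input before it reaches the threat intelligence platform. The function and constant names are hypothetical, and because this page gives no format for dateAdded, date values are only checked for being non-empty.

```python
from decimal import Decimal, InvalidOperation

# Added example with hypothetical names; allowed values copied from this page.
INDICATOR_TYPES = {
    "get": {"asns", "cidrBlocks", "emailAddresses", "files", "hosts",
            "mutexes", "registryKeys", "urls", "userAgents"},
    "create": {"addresses", "emailAddresses", "files", "hosts", "urls"},
    "update": {"addresses", "emailAddresses", "files", "urls"},
}
EXTRA_FIELDS = {"rating", "confidence", "active", "activeLocked",
                "md5", "sha1", "dnsActive", "whoisActive"}
QUERY_KEYS = {  # key -> documented type for "Get the list of indicators"
    "active": "boolean", "whoisActive": "boolean", "dnsActive": "boolean",
    "confidence": "integer", "threatAssessScore": "integer", "asn": "integer",
    "falsePositive": "integer", "rating": "bigdecimal", "dateAdded": "date",
    "threatAssessRating": "double", "threatAssessConfidence": "double",
    "summary": "string", "city": "string", "countryCode": "string",
    "countryName": "string", "organization": "string", "state": "string",
    "timezone": "string",
}

def _type_ok(kind, value):
    text = str(value).strip()
    if kind == "boolean":
        return text.lower() in ("true", "false")
    try:
        if kind == "integer":
            int(text)
        elif kind in ("bigdecimal", "double"):
            return Decimal(text).is_finite()
    except (ValueError, InvalidOperation):
        return False
    return bool(text)  # string/date: non-empty only (assumption, see lead-in)

def check_query(params):  # problems in the list action's query parameters
    errors = [f"unknown query key: {k}" for k in params if k not in QUERY_KEYS]
    errors += [f"{k}: expected {QUERY_KEYS[k]}" for k, v in params.items()
               if k in QUERY_KEYS and not _type_ok(QUERY_KEYS[k], v)]
    return errors

def check_indicator(action, indicator_type, indicator_value=None, extra_fields=None):
    errors, extra = [], extra_fields or {}  # action: "get", "create" or "update"
    if indicator_type not in INDICATOR_TYPES[action]:
        errors.append(f"{indicator_type!r} is not allowed for {action}")
    if action != "create" and not indicator_value:
        errors.append("indicator_value is required")
    if action == "update" and not extra:
        errors.append("extra_fields is required")
    errors += [f"unknown extra field: {k}" for k in extra if k not in EXTRA_FIELDS]
    return errors
```

Both functions return an empty list when the input matches the tables; note that "hosts" passes for the create action but is rejected for update, which mirrors the difference between the two allowed-value lists.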