Step: ThreatConnect

This step lets you send a query to the ThreatConnect API using your account's API ID and API Key (the secret). The step uses a Web Data Source to set up the connection and the credentials, and then allows both GET and POST requests to ThreatConnect. The response body and HTTP status code are stored in package table variables for use in other steps. (Introduced in DarkLight 5.3.1)


Can use table variable values

Allows FreeMarker Expressions

Requires ThreatConnect API Key

  • Web Source: Select a Data Source of type Web
    • The URL field should only contain the base URL for ThreatConnect (with no trailing slash) (e.g. https://api.threatconnect.com)
    • Enter your ThreatConnect API ID in the Username field
    • Enter your ThreatConnect API Key in the Password field
    • KeyStore is not used
  • URL Path/Query String: Enter the remainder of the API URL (e.g. /v2/hosts/example.com) followed by any parameters (e.g. ?owner=Common%20Community)
    • Refer to ThreatConnect's API Documentation for details on how to format a query string.
    • This field allows FreeMarker expressions so you can include values previously stored in your playbook package (e.g. ${host[0][0]}).
    • The full resulting URL will be shown below this box so you can preview what will be sent. (FreeMarker expressions will be resolved before they are sent.)
  • Method: Use GET to request information, and POST to push information.
  • Message Body: Used with a POST to create the data sent to the server. This field allows FreeMarker expressions so you can include values previously stored in your playbook package.
  • Output Variable: The name of the variable that the response body will be stored in. The value can be referenced in subsequent steps with the FreeMarker expression ${<variable name>}, e.g. ${output} if you named the variable output.
  • Response Code Variable: The name of the variable that the HTTP response code will be stored in. The value can be referenced in subsequent steps in the same way, e.g. ${response_code}. Note that FreeMarker parses an unescaped hyphen as subtraction, so a name such as response-code has to be written ${response\-code} in expressions; an underscore avoids the problem.

About that Pesky Authentication Header

Nerdy Note: The Authorization header described in the ThreatConnect API documentation is built by this ThreatConnect step automatically. There is no need to gather the API ID, timestamp, path and method into an HMAC-signed header yourself (fist pump).
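For readers who want to see what the step does behind the scenes (or who need to call ThreatConnect from somewhere other than a playbook), the following added example shows the whole path from the fields above to a signed request: joining the Web Source base URL to the path/query string, substituting a package table value into the path, and computing ThreatConnect's Authorization and Timestamp headers with HMAC-SHA256. This is illustrative code written for this page, not DarkLight's or ThreatConnect's own code. The placeholder resolver is a deliberately minimal stand-in for FreeMarker that only understands ${name} and ${name[i][j]}, and the API ID, API Key, timestamp and package values are constructed.

```python
"""Added example: what the ThreatConnect step assembles for you.

Not DarkLight's or ThreatConnect's code.  Credentials, timestamp and
package contents below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import re
import time
from urllib.parse import urlsplit

_PLACEHOLDER = re.compile(r"\$\{(\w+)((?:\[\d+\])*)\}")


def resolve_placeholders(text, package):
    """Minimal stand-in for FreeMarker: supports ${name} and ${name[i][j]}.
    Real FreeMarker does far more; this only shows how a stored table value
    ends up in the URL or message body."""
    def repl(match):
        value = package[match.group(1)]
        for idx in re.findall(r"\[(\d+)\]", match.group(2)):
            value = value[int(idx)]
        return str(value)
    return _PLACEHOLDER.sub(repl, text)


def signature_string(path_query, method, timestamp):
    """ThreatConnect signs '<path-and-query>:<METHOD>:<unix-seconds>'.
    The host is not part of the signed string, but the query string is."""
    return f"{path_query}:{method.upper()}:{timestamp}"


def auth_headers(access_id, secret_key, path_query, method, timestamp=None):
    """Build the two headers ThreatConnect expects:
    Authorization: TC <API ID>:<base64(HMAC-SHA256(API Key, signature string))>
    Timestamp:     <unix seconds>, checked by the server against its clock,
                   so it must be generated fresh for every request."""
    if timestamp is None:
        timestamp = int(time.time())
    msg = signature_string(path_query, method, timestamp).encode()
    digest = hmac.new(secret_key.encode(), msg, hashlib.sha256).digest()
    return {
        "Authorization": f"TC {access_id}:{base64.b64encode(digest).decode()}",
        "Timestamp": str(timestamp),
    }


def verify_authorization(headers, secret_key, path_query, method):
    """Server-side view: recompute the header and compare in constant time.
    Returns False for a tampered path, method, timestamp or wrong key."""
    try:
        scheme, rest = headers["Authorization"].split(" ", 1)
        access_id, _sig = rest.split(":", 1)
        timestamp = int(headers["Timestamp"])
    except (KeyError, ValueError):
        return False
    if scheme != "TC":
        return False
    expected = auth_headers(access_id, secret_key, path_query, method, timestamp)
    return hmac.compare_digest(expected["Authorization"], headers["Authorization"])


def build_request(base_url, path_query, method, body, package,
                  access_id, secret_key, timestamp=None):
    """Assemble the full URL, headers and body the step would send.
    Mirrors the field rules above: base URL without a trailing slash,
    path starting with '/', placeholders resolved before signing."""
    if base_url.endswith("/") or not path_query.startswith("/"):
        raise ValueError("base URL must not end with '/', path must start with '/'")
    path_query = resolve_placeholders(path_query, package)
    body = resolve_placeholders(body, package) if body else None
    url = base_url + path_query
    parts = urlsplit(url)
    signed_path = parts.path + ("?" + parts.query if parts.query else "")
    headers = auth_headers(access_id, secret_key, signed_path, method, timestamp)
    if body is not None:
        headers["Content-Type"] = "application/json"
    return url, headers, body


if __name__ == "__main__":
    package = {"host": [["example.com"]]}  # constructed package table variable
    url, headers, body = build_request(
        "https://api.threatconnect.com",
        "/v2/hosts/${host[0][0]}?owner=Common%20Community",
        "GET", "", package,
        access_id="12345678901234567890",  # constructed API ID
        secret_key="not-a-real-api-key",   # constructed API Key
        timestamp=1540913400)              # fixed so the output is repeatable
    print(url)
    for name, value in headers.items():
        print(f"{name}: {value}")
```

Two details are worth noticing. The signed string includes the query string, so changing `?owner=` after signing invalidates the request; that is why the step resolves FreeMarker expressions before it signs. And because the Timestamp is part of the signed string, a captured Authorization header cannot simply be replayed later against a different path, although the API Key itself must still be protected like any other secret.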
  • step/threatconnect
  • Last modified: 2018/10/30 15:30