Workflow Templates

Workflow Templates are codified procedures for the steps to be taken within a Case. ThreatConnect provides a set of Workflow Templates via TC Exchange™, or users and administrators with the requisite permissions can create Workflow Templates from scratch.

Endpoint: /api/v3/workflowTemplates

Create Workflow Templates

The most basic format for creating a Workflow Template is:

POST /v3/workflowTemplates/
{
  "name": "Example Workflow Template"
}

Additional fields can be included when creating a Workflow Template. Refer to the following table for a list of available fields for the workflowTemplates object:

Field        Description                               Required  Type
description  The description of the Workflow Template  FALSE     String
name         The name of the Workflow Template         TRUE      String
version      The version of the Workflow Template      FALSE     Integer

For example, the following query will create a Workflow Template with the name Example Workflow Template and a description of the template:

POST /v3/workflowTemplates/
{
  "name": "Example Workflow Template",
  "description": "A description for this Workflow Template."
}

JSON Response:

{
  "data": {
      "id": 1,
      "name": "Example Workflow Template",
      "description": "A description for this Workflow Template.",
      "active": false,
      "version": 1
  },
  "message": "Created",
  "status": "Success"
}

Retrieve Workflow Templates

Retrieve All Workflow Templates

To retrieve all Workflow Templates, use the following query:

GET /v3/workflowTemplates/

JSON Response:

{
  "data": [{
      "id": 1,
      "name": "Example Workflow Template",
      "description": "A description for this Workflow Template.",
      "active": false,
      "version": 1
    }, {
      "id": 2,
      "name": "Phishing Analysis Template",
      "configTask": [{
        "configPlaybook": null,
        "fields": [],
        "name": "Analyze phishing email",
        "description": "Analyze phishing email",
        "required": true,
        "workflowPhase": 1,
        "workflowStep": 1,
        "assignee": null
      }, {
        "configPlaybook": null,
        "fields": [{
          "artifactType": "Email Subject",
          "dataType": "String",
          "intelType": "indicator-Email Subject",
          "name": "helloSubject",
          "required": false,
          "uiElement": "String",
          "uiLabel": "Subject Line"
        }, {
          "artifactType": "Email Body",
          "dataType": "String",
          "name": "helloBody",
          "required": true,
          "uiElement": "String",
          "uiLabel": "Email Body"
        }],
        "name": "Gather the subject line and email body",
        "description": "Description ",
        "required": true,
        "workflowPhase": 1,
        "workflowStep": 2,
        "assignee": {
          "id": null
        },
        "dependentOnTaskName": "Analyze Phishing Email"
      }, {
        "configPlaybook": "{\"playbookApp\":{\"name\":\"Example Workflow Escalation Demo\",\"type\":\"Workflow\",\"version\":\"1.1.0\",\"updated\":\"2021-03-15T14:54:36.000Z\",\"programName\":\"e974ff4b663ee7ac4a126793957305b5\",\"id\":619},\"automatic\":false,\"io\":{\"inputs\":[{\"name\":\"escalationSubject\",\"value\":\"${WORKFLOW:Gather the subject line and email body:helloSubject}\"},{\"name\":\"esclationBody\",\"value\":\"${WORKFLOW:Gather the subject line and email body:helloBody}\"}],\"outputs\":[{\"intelTypes\":[],\"name\":\"emailReceipient\",\"dataType\":\"String\",\"optional\":true,\"failOnError\":true,\"artifactName\":\"helloRecipient\",\"artifactType\":\"Email Address\"}]}}",
        "fields": [],
        "name": "Send Escalation Email",
        "description": "Notify Manager",
        "required": false,
        "workflowId": 13,
        "workflowPhase": 2,
        "workflowStep": 1,
        "assignee": {
          "id": null
        },
        "dependentOnTaskName": "Gather the subject line and email body"
      }],
      "active": true,
      "version": 1
    }],
  "count": 2,
  "status": "Success"
}
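
In the response above, tasks are chained by dependentOnTaskName, and the Playbook inputs in configPlaybook pull values from earlier tasks through ${WORKFLOW:task name:field name} references. The following is an added example, not part of the ThreatConnect documentation, that checks a retrieved template for references that do not resolve; the helper names lint_template and sample_template are hypothetical, the sample is constructed from the response above, and it assumes names match exactly (case-sensitive) and contain no colons, which the page does not state.

```python
import json
import re

# ${WORKFLOW:<task name>:<field name>} as it appears in configPlaybook input values.
WORKFLOW_REF = re.compile(r"\$\{WORKFLOW:([^:}]+):([^}]+)\}")

def lint_template(template):
    """Return findings for task and field references that do not resolve."""
    tasks = template.get("configTask") or []
    # Task name -> names of the fields that task collects.
    fields_by_task = {t["name"]: {f["name"] for f in t.get("fields") or []} for t in tasks}
    findings = []
    for task in tasks:
        dep = task.get("dependentOnTaskName")
        if dep is not None and dep not in fields_by_task:
            findings.append(f"{task['name']}: depends on unknown task {dep!r}")
        if not task.get("configPlaybook"):
            continue
        # configPlaybook is itself JSON, serialized into a string value.
        inputs = json.loads(task["configPlaybook"]).get("io", {}).get("inputs", [])
        for item in inputs:
            for ref_task, ref_field in WORKFLOW_REF.findall(item.get("value") or ""):
                if ref_field not in fields_by_task.get(ref_task, set()):
                    findings.append(
                        f"{task['name']}: input {item['name']!r} needs missing field {ref_task}:{ref_field}")
    return findings

def sample_template(body_field="helloBody"):
    """Constructed sample, trimmed from the Phishing Analysis Template response."""
    gather = "Gather the subject line and email body"
    playbook = {"automatic": False, "io": {"inputs": [
        {"name": "escalationSubject", "value": "${WORKFLOW:%s:helloSubject}" % gather},
        {"name": "esclationBody", "value": "${WORKFLOW:%s:helloBody}" % gather}]}}
    return {"id": 2, "name": "Phishing Analysis Template", "configTask": [
        {"name": "Analyze phishing email", "fields": [], "configPlaybook": None},
        {"name": gather, "configPlaybook": None,
         "fields": [{"name": "helloSubject"}, {"name": body_field}],
         "dependentOnTaskName": "Analyze Phishing Email"},
        {"name": "Send Escalation Email", "fields": [],
         "configPlaybook": json.dumps(playbook),
         "dependentOnTaskName": gather}]}

if __name__ == "__main__":
    for finding in lint_template(sample_template()):
        print(finding)
```

Run against the sample, the check flags the dependentOnTaskName value "Analyze Phishing Email", which differs in case from the task named "Analyze phishing email"; whether the platform treats that as a match is not stated on this page.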

Retrieve a Single Workflow Template

To retrieve a specific Workflow Template, use a query in the following format:

GET /v3/workflowTemplates/{workflowTemplateID}

For example, the following query will return information about the Workflow Template with ID 1:

GET /v3/workflowTemplates/1

JSON Response:

{
  "data": {
      "id": 1,
      "name": "Example Workflow Template",
      "description": "A description for this Workflow Template.",
      "active": false,
      "version": 1
  },
  "status": "Success"
}

Request Additional Fields

To request additional fields not automatically provided with each returned Workflow Template, refer to the Request Additional Fields for Returned Objects section in this documentation.

Filter Results

To filter returned Workflow Templates using ThreatConnect Query Language (TQL), refer to the Filter Results with TQL section in this documentation.

Update Workflow Templates

To update a Workflow Template, the basic format is:

PUT /v3/workflowTemplates/{workflowTemplateID}
{
    {updatedField}: {updatedValue}
}

Refer to the following table for a list of available fields that can be updated for the workflowTemplates object:

Field        Description                               Type
description  The description of the Workflow Template  String
name         The name of the Workflow Template         String
version      The version of the Workflow Template      Integer

For example, the following query will update the name and version number of the Workflow Template with ID 1:

PUT /v3/workflowTemplates/1
{
  "name": "Example Workflow Template Version 2.0",
  "version": 2
}

JSON Response:

{
  "data": {
      "id": 1,
      "name": "Example Workflow Template Version 2.0",
      "description": "A description for this Workflow Template.",
      "active": false,
      "version": 2
  },
  "message": "Updated",
  "status": "Success"
}

Delete Workflow Templates

To delete a Workflow Template, use the following query:

DELETE /v3/workflowTemplates/{workflowTemplateID}

For example, the following query will delete the Workflow Template with ID 1:

DELETE /v3/workflowTemplates/1

JSON Response:

{
  "message": "Deleted",
  "status": "Success"
}

Delete Workflow Templates in Bulk

To delete Workflow Templates in bulk, refer to the Delete Case Objects in Bulk section in this documentation.