REST API

Getting Started

• Quick Start
  • Creating an API Key
  • Using the API
  • API Versioning
  • Authentication
  • Testing API Connectivity
  • Next Steps

---

v3 API

Overview

• Available Endpoints
• Postman Configuration

Features

• Create Activity Logs
• Delete Case Objects in Bulk
• Enable Pagination
• Filter Results with TQL
• HTTP Status Codes
• Include Additional Fields in API Responses
• Retrieve a List of Available Fields for an Endpoint
• Retrieve OpenAPI Documentation
• Return a Count of Items
• Sort Results
• Specify an Owner
• Update an Object’s Metadata

Case Management Objects

Case Management and the Workflow feature in ThreatConnect enables analysts and their teams to define and operationalize consistent, standardized processes for managing threat intelligence and performing security operations.

Note

To add, edit, and delete Case Management data, the API user’s Organization role must be set to Organization Administrator.

• Artifact Types
  • Available Fields
  • Retrieve Artifact Types
• Artifacts
  • Endpoint Options
  • Create Artifacts
  • Retrieve Artifacts
  • Update Artifacts
  • Delete Artifacts
• Case Attributes
  • Available Fields
  • Create Case Attributes
  • Retrieve Case Attributes
  • Update Case Attributes
  • Delete Case Attributes
• Cases
  • Endpoint Options
  • Create Cases
  • Retrieve Cases
  • Update Cases
  • Delete Cases
• Notes
  • Available Fields
  • Create Notes
  • Retrieve Notes
  • Update Notes
  • Delete Notes
• Tasks
  • Endpoint Options
  • Create Workflow Tasks
  • Retrieve Workflow Tasks
  • Update Workflow Tasks
  • Delete Workflow Tasks
• Workflow Events
  • Endpoint Options
  • Create Workflow Events
  • Retrieve Workflow Events
  • Update Workflow Events
  • Delete Workflow Events
• Workflow Templates
  • Available Fields
  • Create Workflow Templates
  • Retrieve Workflow Templates
  • Update Workflow Templates
  • Delete Workflow Templates

Threat Intelligence Objects

• Group Attributes
  • Available Fields
  • Create Group Attributes
  • Retrieve Group Attributes
  • Update Group Attributes
  • Delete Group Attributes
• Groups
  • Endpoint Options
  • Create Groups
  • Retrieve Groups
  • Update Groups
  • Delete Groups
  • Retrieve, Upload, and Update Files for Document and Report Groups
  • Retrieve a PDF Report for a Group
• Indicator Attributes
  • Available Fields
  • Create Indicator Attributes
  • Retrieve Indicator Attributes
  • Update Indicator Attributes
  • Delete Indicator Attributes
• Indicators
  • Endpoint Options
  • Create Indicators
  • Retrieve Indicators
  • Update Indicators
  • Delete Indicators
  • Indicator-to-Indicator Associations
  • File Actions
  • File Occurrences
  • Merge File Hashes
• Security Labels
  • Available Fields
  • Retrieve Security Labels
• Tags
  • Available Fields
  • Create Tags
  • Retrieve Tags
  • Update Tags
  • Delete Tags
• Victim Assets
  • Available Fields
  • Create Victim Assets
  • Retrieve Victim Assets
  • Update Victim Assets
  • Delete Victim Assets
• Victim Attributes
  • Available Fields
  • Create Victim Attributes
  • Retrieve Victim Attributes
  • Update Victim Attributes
  • Delete Victim Attributes
• Victims
  • Endpoint Options
  • Create Victims
  • Retrieve Victims
  • Update Victims
  • Delete Victims

Miscellaneous Objects

• Attribute Types
  • Available Fields
  • Retrieve Attribute Types
• Owner Roles
  • Available Fields
  • Retrieve Owner Roles
• Owners
  • Available Fields
  • Retrieve Owners
• System Roles
  • Available Fields
  • Retrieve System Roles
• User Groups
  • Available Fields
  • Retrieve User Groups
• Users
  • Available Fields
  • Create Users
  • Retrieve Users
  • Update Users
  • Delete Users

---

v2 API

• API Overview
  • Pagination
  • Available Endpoints
  • HTTP Status Codes
  • Specifying an Owner
  • Retrieving an Item’s Tags and Attributes
• Associations
  • Group Associations
  • Indicator Associations
  • Tag Associations
  • Task Associations
  • Victim Associations
  • Retrieving Available Associations
• Attributes
  • Retrieving Attributes
  • Adding Attributes
  • Retrieving Available Attributes
  • Updating Attributes
  • Deleting Attributes
• Custom Metrics
  • Retrieving Custom Metrics
  • Creating a Custom Metric
  • Creating Content in a Custom Metric
  • Deleting a Custom Metric
• Groups
  • Retrieve Groups
  • Retrieve Group Metadata
  • Retrieve Group Associations
  • Create Groups
  • Create Group Metadata
  • Create Group Associations
  • Update Groups
  • Update Group Metadata
  • Delete Groups
  • Delete Group Metadata
  • Delete/Disassociate Group Associations
  • Publish Groups
  • Create PDF Report for Groups
• Indicators
  • Retrieve Indicators
  • Retrieve Indicator Metadata
  • Retrieve Indicator Associations
  • Create Indicators
  • Create Indicator Metadata
  • Create Indicator Associations
  • Update Indicators
  • Update Indicator Metadata
  • Delete Indicators
  • Viewing Recently Deleted Indicators
  • Delete Indicator Metadata
  • Delete/Disassociate Indicator Associations
  • Indicator to Indicator Associations
  • Private Indicators
  • Bulk Indicator Reports
  • Batch Upload: Indicators
• Notifications
  • Creating a Notification
• Owners
  • Retrieve Owners
  • Retrieve Owner Metrics
• Playbooks
  • Retrieving Playbooks
• Security Labels
  • Retrieve Security Labels
  • Retrieve Items Labeled with Security Labels
  • Add Security Labels to Data Imported Via Batch API
  • Delete Security Labels
  • Additional Links
• Tags
  • Retrieve Tags
  • Retrieve Tag Associations
  • Create Tags
  • Delete Tags
• Tasks
  • Retrieve Tasks
  • Retrieve Task Metadata
  • Retrieve Task Associations
  • Create Tasks
  • Create Task Metadata
  • Create Task Associations
  • Update Tasks
  • Update Task Metadata
  • Delete Tasks
  • Delete Task Metadata
  • Delete/Disassociate Task Associations
• Victims
  • Retrieve Victims
  • Retrieve Victim Metadata
  • Retrieve Victim Associations
  • Create Victims
  • Create Victim Assets
  • Create Victim Metadata
  • Create Victim Associations
  • Update Victims
  • Update Victim Assets
  • Update Victim Metadata
  • Delete Victims
  • Delete Victim Assets
  • Delete Victim Metadata
  • Delete/Disassociate Victim Associations

---

TAXII Services

• TAXII 2.1
  • Authentication
  • Required Headers
  • Supported Endpoints
  • Available Parameters
  • Example Requests and Responses
• TAXII 1.x
  • Authentication
  • Discovery Service
  • Collection Management Service
  • Poll Service