REST API

Getting Started

• Quick Start
  • Creating an API Key
  • Using the API
  • API Versioning
  • Authentication
  • Testing API Connectivity
  • Next Steps

---

v3 API

Overview

• Available Endpoints
• Postman Configuration

Features

• Create Activity Logs
• Delete Case Objects in Bulk
• Enable Pagination
• Filter Results With TQL
• HTTP Status Codes
• Include Additional Fields in API Responses
• Retrieve a List of Available Fields for an Endpoint
• Retrieve OpenAPI Documentation
• Return a Count of Items
• Sort Results
• Specify an Owner
• Update an Object’s Metadata

Case Management Endpoints

Case Management and the Workflow feature in ThreatConnect enables analysts and their teams to define and operationalize consistent, standardized processes for managing threat intelligence and performing security operations.

Attention

To add, edit, and delete Case Management data, the API user must have an Organization role of Organization Administrator.

• Artifact Types
  • Endpoint Options
  • Retrieve Artifact Types
• Artifacts
  • Endpoint Options
  • Create Artifacts
  • Retrieve Artifacts
  • Update Artifacts
  • Delete Artifacts
• Case Attributes
  • Endpoint Options
  • Create Case Attributes
  • Retrieve Case Attributes
  • Update Case Attributes
  • Delete Case Attributes
• Cases
  • Endpoint Options
  • Create Cases
  • Retrieve Cases
  • Update Cases
  • Delete Cases
• Notes
  • Endpoint Options
  • Create Notes
  • Retrieve Notes
  • Update Notes
  • Delete Notes
• Tasks
  • Endpoint Options
  • Create Workflow Tasks
  • Retrieve Workflow Tasks
  • Update Workflow Tasks
  • Delete Workflow Tasks
• Workflow Events
  • Endpoint Options
  • Create Workflow Events
  • Retrieve Workflow Events
  • Update Workflow Events
  • Delete Workflow Events
• Workflow Templates
  • Endpoint Options
  • Create Workflow Templates
  • Retrieve Workflow Templates
  • Update Workflow Templates
  • Delete Workflow Templates

Threat Intelligence Endpoints

• Group Attributes
  • Endpoint Options
  • Create Group Attributes
  • Retrieve Group Attributes
  • Update Group Attributes
  • Delete Group Attributes
• Groups
  • Endpoint Options
  • Create Groups
  • Retrieve Groups
  • Update Groups
  • Delete Groups
  • Retrieve, Upload, and Update Files for Document and Report Groups
  • Retrieve a PDF Report for a Group
• Indicator Attributes
  • Endpoint Options
  • Create Indicator Attributes
  • Retrieve Indicator Attributes
  • Update Indicator Attributes
  • Delete Indicator Attributes
• Indicator Enrichment
  • Enrich Indicators With Data From an Enrichment Service
  • Include Enrichment Data in API Responses
• Indicators
  • Endpoint Options
  • Create Indicators
  • Retrieve Indicators
  • Update Indicators
  • Delete Indicators
  • Indicator-to-Indicator Associations
  • File Actions
  • File Occurrences
  • Merge File Hashes
• Security Labels
  • Endpoint Options
  • Retrieve Security Labels
• Tags
  • Endpoint Options
  • Create Tags
  • Retrieve Tags
  • Update Tags
  • Delete Tags
• Victim Assets
  • Endpoint Options
  • Create Victim Assets
  • Retrieve Victim Assets
  • Update Victim Assets
  • Delete Victim Assets
• Victim Attributes
  • Endpoint Options
  • Create Victim Attributes
  • Retrieve Victim Attributes
  • Update Victim Attributes
  • Delete Victim Attributes
• Victims
  • Endpoint Options
  • Create Victims
  • Retrieve Victims
  • Update Victims
  • Delete Victims

Miscellaneous Endpoints

• Attribute Types
  • Endpoint Options
  • Retrieve Attribute Types
• Owner Roles
  • Endpoint Options
  • Retrieve Owner Roles
• Owners
  • Endpoint Options
  • Retrieve Owners
• System Roles
  • Endpoint Options
  • Retrieve System Roles
• User Groups
  • Endpoint Options
  • Retrieve User Groups
• Users
  • Endpoint Options
  • Create Users
  • Retrieve Users
  • Update Users
  • Delete Users

TC Exchange Administration Endpoints

• TC Exchange Administration
  • Upload and Install Apps on TC Exchange
  • Generate API Tokens
  • Generate Service Tokens

---

v2 API

• API Overview
  • Pagination
  • Available Endpoints
  • HTTP Status Codes
  • Specifying an Owner
  • Retrieving an Item’s Tags and Attributes
• Associations
  • Group Associations
  • Indicator Associations
  • Tag Associations
  • Task Associations
  • Victim Associations
  • Retrieving Available Associations
• Attributes
  • Retrieving Attributes
  • Adding Attributes
  • Retrieving Available Attributes
  • Updating Attributes
  • Deleting Attributes
• Custom Metrics
  • Retrieving Custom Metrics
  • Creating a Custom Metric
  • Creating Content in a Custom Metric
  • Deleting a Custom Metric
• Groups
  • Retrieve Groups
  • Retrieve Group Metadata
  • Retrieve Group Associations
  • Create Groups
  • Create Group Metadata
  • Create Group Associations
  • Update Groups
  • Update Group Metadata
  • Delete Groups
  • Delete Group Metadata
  • Delete/Disassociate Group Associations
  • Publish Groups
  • Create PDF Report for Groups
• Indicators
  • Retrieve Indicators
  • Retrieve Indicator Metadata
  • Retrieve Indicator Associations
  • Create Indicators
  • Create Indicator Metadata
  • Create Indicator Associations
  • Update Indicators
  • Update Indicator Metadata
  • Delete Indicators
  • Viewing Recently Deleted Indicators
  • Delete Indicator Metadata
  • Delete/Disassociate Indicator Associations
  • Indicator to Indicator Associations
  • Private Indicators
  • Bulk Indicator Reports
  • Batch Upload: Indicators
• Notifications
  • Creating a Notification
• Owners
  • Retrieve Owners
  • Retrieve Owner Metrics
• Playbooks
  • Retrieve Playbooks
• Security Labels
  • Retrieve Security Labels
  • Retrieve Items Labeled with Security Labels
  • Add Security Labels to Data Imported Via Batch API
  • Delete Security Labels
  • Additional Links
• Tags
  • Retrieve Tags
  • Retrieve Tag Associations
  • Create Tags
  • Delete Tags
• Tasks
  • Retrieve Tasks
  • Retrieve Task Metadata
  • Retrieve Task Associations
  • Create Tasks
  • Create Task Metadata
  • Create Task Associations
  • Update Tasks
  • Update Task Metadata
  • Delete Tasks
  • Delete Task Metadata
  • Delete/Disassociate Task Associations
• Victims
  • Retrieve Victims
  • Retrieve Victim Metadata
  • Retrieve Victim Associations
  • Create Victims
  • Create Victim Assets
  • Create Victim Metadata
  • Create Victim Associations
  • Update Victims
  • Update Victim Assets
  • Update Victim Metadata
  • Delete Victims
  • Delete Victim Assets
  • Delete Victim Metadata
  • Delete/Disassociate Victim Associations

---

TAXII Services

• TAXII 2.1
  • Authentication
  • Required Headers
  • Supported Endpoints
  • Available Parameters
  • Example Requests and Responses
• TAXII 1.x
  • Authentication
  • Discovery Service
  • Collection Management Service
  • Poll Service