Workflow Templates

Workflow Templates are codified procedures for the steps to be taken within a Case. ThreatConnect provides a set of Workflow Templates via TC Exchange™, or users and administrators with the requisite permissions can create Workflow Templates from scratch.

Endpoint: /api/v3/workflowTemplates

Endpoint Options

Available Fields

Send the following request to retrieve a list of available fields, including each field's name, description, and accepted data type, that can be included in the body of a POST or PUT request to the /v3/workflowTemplates endpoint:

OPTIONS /v3/workflowTemplates

Hint

To include read-only fields in the response, append ?show=readonly to the end of the request URL.

Alternatively, refer to the following table for a list of available fields that can be included in the body of a POST or PUT request to the /v3/workflowTemplates endpoint.

| Field | Description | Type | Required for Creation? | Updatable? | Example Value(s) |
| --- | --- | --- | --- | --- | --- |
| configAttribute | A list of Attribute Types to include in the Workflow Template [1] | Config Attribute Object | FALSE | TRUE | [{"attributeTypeId": 271}] |
| description | The description of the Workflow Template | String | FALSE | TRUE | "Workflow for phishing investigations." |
| name | The name of the Workflow Template | String | TRUE | TRUE | "Phishing Investigation Workflow" |
| version | The version of the Workflow Template | Integer | FALSE | TRUE | 1, 2, 3 |

Include Additional Fields in Responses

When creating, retrieving, or updating data, you can use the fields query parameter to include additional fields in the API response that are not included by default.

Send the following request to retrieve a list of fields you can include in responses returned from the /v3/workflowTemplates endpoint:

OPTIONS /v3/workflowTemplates/fields

Filter Results

When retrieving data, you can use the tql query parameter to filter results with ThreatConnect Query Language (TQL).

Send the following request to retrieve a list of valid TQL parameters you can use when including the tql query parameter in a request to the /v3/workflowTemplates endpoint:

OPTIONS /v3/workflowTemplates/tql

Create Workflow Templates

The following example illustrates the basic format for creating a Workflow Template:

POST /v3/workflowTemplates
Content-Type: application/json

{
    "name": "Example Workflow Template"
}

For example, the following request will create a Workflow Template named Phishing Investigation Workflow and add a description to it:

POST /v3/workflowTemplates
Content-Type: application/json

{
    "name": "Phishing Investigation Workflow",
    "description": "Workflow for phishing investigations."
}

JSON Response:

{
    "data": {
        "id": 3,
        "name": "Phishing Investigation Workflow",
        "description": "Workflow for phishing investigations.",
        "active": false,
        "version": 1
    },
    "message": "Created",
    "status": "Success"
}

Refer to the Available Fields section for a list of available fields that can be included in the body of a POST request to the /v3/workflowTemplates endpoint.
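The following added example (not part of the ThreatConnect documentation) checks a POST or PUT body against the Available Fields table before it is sent, so that automation fails closed on unlisted fields and wrong types. The function name validate_body and the strict allowlist policy are assumptions of this example.

```python
# Field rules transcribed from the Available Fields table on this page.
# field name -> (expected Python type, required on creation)
FIELDS = {
    "configAttribute": (list, False),
    "description": (str, False),
    "name": (str, True),
    "version": (int, False),
}


def validate_body(body, creating):
    """Return a list of problems; an empty list means the body may be sent.

    validate_body is a hypothetical helper, not a ThreatConnect API.
    """
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    errors = []
    for key, value in body.items():
        if key not in FIELDS:
            # Policy of this example: reject anything the table does not list
            # (for instance "id" or "active", which appear only in responses).
            errors.append("field not allowed: %s" % key)
            continue
        expected = FIELDS[key][0]
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, expected):
            errors.append("%s must be %s" % (key, expected.__name__))
        elif key == "configAttribute":
            for i, item in enumerate(value):
                type_id = item.get("attributeTypeId") if isinstance(item, dict) else None
                if isinstance(type_id, bool) or not isinstance(type_id, int):
                    errors.append("configAttribute[%d] needs an integer attributeTypeId" % i)
        elif key == "name" and not value.strip():
            errors.append("name must not be empty")
    if creating:
        # Only a POST has required fields; a PUT may carry any updatable subset.
        for key, (_, required) in FIELDS.items():
            if required and key not in body:
                errors.append("missing required field: %s" % key)
    return errors
```
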

Retrieve Workflow Templates

Retrieve All Workflow Templates

Send the following request to retrieve data for all Workflow Templates:

GET /v3/workflowTemplates

JSON Response:

{
    "data": [
        {
            "id": 1,
            "name": "Example Workflow",
            "description": "This is an example Workflow.",
            "active": false,
            "version": 1,
            "configAttribute": [
                {
                    "attributeTypeId": 271
                }
            ]
        },
        {
            "id": 2,
            "name": "Email Analysis",
            "description": "Workflow for analyzing suspicious emails.",
            "configTask": [
                {
                    "configPlaybook": null,
                    "fields": [],
                    "name": "Create a Meeting Notes folder",
                    "required": true,
                    "workflowId": 2,
                    "workflowPhase": 1,
                    "workflowStep": 1,
                    "assignee": {
                        "displayName": "Pat Jones",
                        "id": 2,
                        "name": "[email protected]",
                        "type": "User",
                        "ownerId": 7,
                        "superUser": false,
                        "firstName": "Pat",
                        "lastName": "Jones"
                    },
                    "durationType": "Hours",
                    "duration": 2
                },
                {
                    "configPlaybook": null,
                    "fields": [
                        {
                            "artifactType": "Email Address",
                            "dataType": "String",
                            "intelType": "indicator-EmailAddress",
                            "name": "emailAddress",
                            "required": true,
                            "uiElement": "String",
                            "uiLabel": "Email Address"
                        },
                        {
                            "artifactType": "Email Subject",
                            "dataType": "String",
                            "intelType": "indicator-Email Subject",
                            "name": "emailSubject",
                            "required": true,
                            "uiElement": "String",
                            "uiLabel": "Email Subject"
                        }
                    ],
                    "name": "Analyze Email",
                    "description": "Perform analysis of suspicious email.",
                    "required": true,
                    "workflowId": 2,
                    "workflowPhase": 2,
                    "workflowStep": 2,
                    "assignee": {
                        "displayName": "SOC Team",
                        "id": 1,
                        "name": "SOC Team",
                        "type": "Group",
                        "ownerId": 7,
                        "superUser": false
                    },
                    "dependentOnTaskName": "Confirm Receipt of Email",
                    "durationType": "Days",
                    "duration": 3
                },
                {
                    "configPlaybook": null,
                    "fields": [],
                    "name": "Confirm Receipt of Email",
                    "required": false,
                    "workflowId": 2,
                    "workflowPhase": 2,
                    "workflowStep": 1,
                    "assignee": null
                }
            ],
            "active": true,
            "version": 1
        },
        {...}
    ],
    "status": "Success"
}
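The following added example (not part of the ThreatConnect documentation) audits the configTask entries of a retrieved template list for required tasks with no assignee and for broken or misordered task dependencies. The sample data is constructed to resemble the response above, and the function name audit_templates and the rule that a dependency must sit at a strictly earlier (workflowPhase, workflowStep) are assumptions of this example.

```python
import json

# Constructed sample shaped like the GET /v3/workflowTemplates response;
# task names and values are illustrative only.
SAMPLE = json.loads("""
{"data": [
  {"id": 2, "name": "Email Analysis", "active": true, "version": 1,
   "configTask": [
     {"name": "Analyze Email", "required": true,
      "workflowPhase": 2, "workflowStep": 1,
      "assignee": {"name": "SOC Team", "type": "Group"},
      "dependentOnTaskName": "Confirm Receipt of Email"},
     {"name": "Confirm Receipt of Email", "required": false,
      "workflowPhase": 2, "workflowStep": 1, "assignee": null},
     {"name": "Notify Reporter", "required": true,
      "workflowPhase": 3, "workflowStep": 1, "assignee": null,
      "dependentOnTaskName": "Triage Ticket"}
   ]},
  {"id": 3, "name": "Phishing Investigation Workflow", "active": false, "version": 1}
], "status": "Success"}
""")


def audit_templates(response):
    """Return (template_id, task_name, issue) tuples (hypothetical helper)."""
    findings = []
    for tpl in response.get("data", []):
        tasks = tpl.get("configTask") or []  # templates without tasks omit the key
        by_name = {t["name"]: t for t in tasks}
        for task in tasks:
            where = (tpl["id"], task["name"])
            if task.get("required") and not task.get("assignee"):
                findings.append(where + ("required task has no assignee",))
            dep_name = task.get("dependentOnTaskName")
            if dep_name is None:
                continue
            dep = by_name.get(dep_name)
            if dep is None:
                findings.append(where + ("depends on unknown task %r" % dep_name,))
                continue
            # Assumption: a lower (phase, step) pair runs earlier.
            pos = (task["workflowPhase"], task["workflowStep"])
            dep_pos = (dep["workflowPhase"], dep["workflowStep"])
            if dep_pos >= pos:
                findings.append(where + ("dependency is not ordered before task",))
    return findings


if __name__ == "__main__":
    for finding in audit_templates(SAMPLE):
        print(finding)
```
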

Retrieve a Specific Workflow Template

Send a request in the following format to retrieve data for a specific Workflow Template:

GET /v3/workflowTemplates/{workflowTemplateId}

For example, the following request will retrieve data for the Workflow Template whose ID is 3:

GET /v3/workflowTemplates/3

JSON Response:

{
    "data": {
        "id": 3,
        "name": "Phishing Investigation Workflow",
        "description": "Workflow for phishing investigations.",
        "active": false,
        "version": 1
    },
    "status": "Success"
}

Update Workflow Templates

The following example illustrates the basic format for updating a Workflow Template:

PUT /v3/workflowTemplates/{workflowTemplateId}
Content-Type: application/json

{
    {updatedField}: {updatedValue}
}

For example, the following request will update the version number of the Workflow Template whose ID is 3 and add two Attribute Types to it:

PUT /v3/workflowTemplates/3
Content-Type: application/json

{
    "version": 2,
    "configAttribute": [
        {
            "attributeTypeId": 269
        },
        {
            "attributeTypeId": 271
        }
    ]
}

JSON Response:

{
    "data": {
        "name": "Phishing Investigation Workflow",
        "description": "Workflow for phishing investigations.",
        "active": false,
        "version": 2,
        "configAttribute": [
            {
                "attributeTypeId": 269
            },
            {
                "attributeTypeId": 271
            }
        ]
    },
    "message": "Updated",
    "status": "Success"
}

Refer to the Available Fields section for a list of available fields that can be included in the body of a PUT request to the /v3/workflowTemplates endpoint.

Delete Workflow Templates

Send a request in the following format to delete a Workflow Template:

DELETE /v3/workflowTemplates/{workflowTemplateId}

For example, the following request will delete the Workflow Template whose ID is 1:

DELETE /v3/workflowTemplates/1

JSON Response:

{
    "message": "Deleted",
    "status": "Success"
}

Delete Workflow Templates in Bulk

For instructions on deleting Workflow Templates in bulk, refer to Delete Case Objects in Bulk.


TC Exchange™ is a trademark of ThreatConnect, Inc.