Workflow Templates¶
Workflow Templates are codified procedures for the steps to be taken within a Case. ThreatConnect provides a set of Workflow Templates via TC Exchange™, or users and administrators with the requisite permissions can create Workflow Templates from scratch.
Endpoint: /api/v3/workflowTemplates
Available Fields¶
You can retrieve a list of available fields for the /v3/workflowTemplates endpoint, including each field’s name, description, and accepted data type, by using the following query:
OPTIONS /v3/workflowTemplates
Hint
To view all fields, including read-only fields, include the ?show=readonly query parameter.
Alternatively, refer to the following table for a list of available fields that can be included in the body of a POST or PUT request for the workflowTemplates object.
| Field | Description | Type | Required for Creation? | Updatable? | Example Value(s) |
|---|---|---|---|---|---|
| configAttribute | The Attribute Type to include in the Workflow Template | Config Attribute Object | FALSE | TRUE | [{“attributeTypeId”: 3}] |
| description | The description of the Workflow Template | String | FALSE | TRUE | “Template for phishing investigations.” |
| name | The name of the Workflow Template | String | True | TRUE | “Phishing Workflow Template” |
| version | The version of the Workflow Template | Integer | FALSE | TRUE | 1, 2, 3 |
Note
Alist of available Attribute Types and their corresponding ID can be retrieved with the following query:
GET /v3/attributeTypes
Create Workflow Templates¶
The basic format for creating a Workflow Template is:
POST /v3/workflowTemplates
{
"name": "Example Workflow Template"
}
For example, the following query will create a Workflow Template with the name Phishing Investigation Template and a description of the Template:
POST /v3/workflowTemplates
{
"name": "Phishing Investigation Template",
"description": "Template for phishing investigations."
}
JSON Response:
{
"data": {
"id": 3,
"name": "Phishing Investigation Template",
"description": "Template for phishing investigations.",
"active": false,
"version": 1
},
"message": "Created",
"status": "Success"
}
Refer to the Available Fields and section for a list of available fields that can be included in the body of a POST request for the workflowTemplates object.
Retrieve Workflow Templates¶
Retrieve All Workflow Templates¶
To retrieve all Workflow Templates, use the following query:
GET /v3/workflowTemplates
JSON Response:
{
"data": [
{
"id": 1,
"name": "Example Template",
"description": "A description for this Workflow Template.",
"active": false,
"version": 1,
"configAttribute": [{
"attributeTypeId": 86
}]
},
{
"id": 2,
"name": "Demo Template with Tasks",
"configTask": [
{
"configPlaybook": null,
"fields": [],
"name": "Create a Meeting Notes folder",
"workflowId": 2,
"workflowPhase": 1,
"workflowStep": 1,
"assignee": {
"displayName": "Pat Jones",
"id": 2,
"name": "[email protected]",
"type": "User",
"ownerId": 7,
"superUser": false,
"firstName": "Pat",
"lastName": "Jones"
},
"duration": 2
},
{
"configPlaybook": null,
"fields": [
{
"artifactType": "Email Address",
"dataType": "String",
"intelType": "indicator-EmailAddress",
"name": "emailAddress",
"required": true,
"uiElement": "String",
"uiLabel": "Email Address"
},
{
"artifactType": "Email Subject",
"dataType": "String",
"intelType": "indicator-Email Subject",
"name": "emailSubject",
"required": true,
"uiElement": "String",
"uiLabel": "Email Subject"
}
],
"name": "Analyze Email",
"workflowId": 2,
"workflowPhase": 2,
"workflowStep": 2,
"assignee": null,
"dependentOnTaskName": "Confirm Receipt of Email",
"duration": 3
},
{
"configPlaybook": null,
"fields": [],
"name": "Confirm Receipt of Email",
"workflowId": 2,
"workflowPhase": 2,
"workflowStep": 1,
"assignee": null
}
],
"active": true,
"version": 1
},
{...}
],
"status": "Success"
}
Retrieve a Single Workflow Template¶
To retrieve a specific Workflow Template, use a query in the following format:
GET /v3/workflowTemplates/{workflowTemplateId}
For example, the following query will return information about the Workflow template with ID 1:
GET /v3/workflowTemplates/1
JSON Response:
{
"data": {
"id": 1,
"name": "Example Template",
"description": "A description for this Workflow Template.",
"active": false,
"version": 1,
"configAttribute": [{
"attributeTypeId": 86
}]
},
"status": "Success"
}
Request Additional Fields¶
To request additional fields not automatically included with each returned object, refer to Include Additional Fields for Returned Objects.
Filter Results¶
To filter returned objects using ThreatConnect Query Language (TQL), refer to Filter Results with TQL.
Update Workflow Templates¶
The basic format for updating a Workflow Template is:
PUT /v3/workflowTemplates/{workflowTemplateId}
{
{updatedField}: {updatedValue}
}
For example, the following query will update the name and version number of the Workflow Template with ID 3 and add an Attribute Type to the Workflow Template:
PUT /v3/workflowTemplates/3
{
"name": "Example Workflow Template Version 2.0",
"version": 2,
"configAttribute": [{"attributeTypeId": 3}]
}
JSON Response:
{
"data": {
"name": "Example Workflow Template Version 2.0",
"description": "Template for phishing investigations.",
"active": false,
"version": 2,
"configAttribute": [{
"attributeTypeId": 3
}]
},
"message": "Updated",
"status": "Success"
}
Refer to the Available Fields and section for a list of available fields that can be included in the body of a PUT request for the workflowTemplates object.
Delete Workflow Templates¶
The basic format to delete a Workflow Template is:
DELETE /v3/workflowTemplates/{workflowTemplateId}
For example, the following query will delete the Workflow Template with ID 1:
DELETE /v3/workflowTemplates/1
JSON Response:
{
"message": "Deleted",
"status": "Success"
}
Delete Workflow Templates in Bulk¶
To delete Workflow Templates in bulk, refer to Delete Case Objects in Bulk.