Workflow Templates

Workflow Templates are codified procedures for the steps to be taken within a Case. ThreatConnect provides a set of Workflow Templates via TC Exchange™, or users and administrators with the requisite permissions can create Workflow Templates from scratch.

Endpoint: /api/v3/workflowTemplates

Available Fields

You can retrieve a list of available fields for the /v3/workflowTemplates endpoint, including each field’s name, description, and accepted data type, by using the following query:

OPTIONS /v3/workflowTemplates

Hint

To view all fields, including read-only fields, include the ?show=readonly query parameter.

Alternatively, refer to the following table for a list of available fields that can be included in the body of a POST or PUT request for the workflowTemplates object.

| Field | Description | Type | Required for Creation? | Updatable? | Example Value(s) |
| --- | --- | --- | --- | --- | --- |
| configAttribute | The Attribute Type to include in the Workflow Template | Config Attribute Object | FALSE | TRUE | [{"attributeTypeId": 3}] |
| description | The description of the Workflow Template | String | FALSE | TRUE | "Template for phishing investigations." |
| name | The name of the Workflow Template | String | TRUE | TRUE | "Phishing Workflow Template" |
| version | The version of the Workflow Template | Integer | FALSE | TRUE | 1, 2, 3 |

Note

A list of available Attribute Types and their corresponding ID can be retrieved with the following query:

GET /v3/attributeTypes

Create Workflow Templates

The basic format for creating a Workflow Template is:

POST /v3/workflowTemplates
{
    "name": "Example Workflow Template"
}

For example, the following query will create a Workflow Template with the name Phishing Investigation Template and a description of the Template:

POST /v3/workflowTemplates
{
    "name": "Phishing Investigation Template",
    "description": "Template for phishing investigations."
}

JSON Response:

{
    "data": {
        "id": 3,
        "name": "Phishing Investigation Template",
        "description": "Template for phishing investigations.",
        "active": false,
        "version": 1
    },
    "message": "Created",
    "status": "Success"
}

Refer to the Available Fields section for a list of available fields that can be included in the body of a POST request for the workflowTemplates object.

Retrieve Workflow Templates

Retrieve All Workflow Templates

To retrieve all Workflow Templates, use the following query:

GET /v3/workflowTemplates

JSON Response:

{
    "data": [
        {
            "id": 1,
            "name": "Example Template",
            "description": "A description for this Workflow Template.",
            "active": false,
            "version": 1,
            "configAttribute": [{
                "attributeTypeId": 86
            }]
        },
        {
            "id": 2,
            "name": "Demo Template with Tasks",
            "configTask": [
                {
                    "configPlaybook": null,
                    "fields": [],
                    "name": "Create a Meeting Notes folder",
                    "workflowId": 2,
                    "workflowPhase": 1,
                    "workflowStep": 1,
                    "assignee": {
                        "displayName": "Pat Jones",
                        "id": 2,
                        "name": "[email protected]",
                        "type": "User",
                        "ownerId": 7,
                        "superUser": false,
                        "firstName": "Pat",
                        "lastName": "Jones"
                    },
                    "duration": 2
                },
                {
                    "configPlaybook": null,
                    "fields": [
                        {
                            "artifactType": "Email Address",
                            "dataType": "String",
                            "intelType": "indicator-EmailAddress",
                            "name": "emailAddress",
                            "required": true,
                            "uiElement": "String",
                            "uiLabel": "Email Address"
                        },
                        {
                            "artifactType": "Email Subject",
                            "dataType": "String",
                            "intelType": "indicator-Email Subject",
                            "name": "emailSubject",
                            "required": true,
                            "uiElement": "String",
                            "uiLabel": "Email Subject"
                        }
                    ],
                    "name": "Analyze Email",
                    "workflowId": 2,
                    "workflowPhase": 2,
                    "workflowStep": 2,
                    "assignee": null,
                    "dependentOnTaskName": "Confirm Receipt of Email",
                    "duration": 3
                },
                {
                    "configPlaybook": null,
                    "fields": [],
                    "name": "Confirm Receipt of Email",
                    "workflowId": 2,
                    "workflowPhase": 2,
                    "workflowStep": 1,
                    "assignee": null
                }
            ],
            "active": true,
            "version": 1
        },
        {...}
    ],
    "status": "Success"
}
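
The list response above carries each template's tasks under configTask, with workflowPhase, workflowStep and dependentOnTaskName. The following Python is an added example, not part of the ThreatConnect documentation: it audits such a response offline, ordering each template's tasks by phase and step and flagging dependentOnTaskName values that match no task in the same template. The sample input is constructed from the response above; the "Close Case" task and the rule that a prerequisite should sit earlier in phase/step order are assumptions.

```python
import json

# Constructed sample: trimmed from the "Retrieve All Workflow Templates" response
# above, plus one constructed task ("Close Case") whose dependency does not exist.
SAMPLE = json.loads("""
{"data": [
  {"id": 1, "name": "Example Template", "active": false, "version": 1},
  {"id": 2, "name": "Demo Template with Tasks", "active": true, "version": 1,
   "configTask": [
    {"name": "Create a Meeting Notes folder", "workflowPhase": 1, "workflowStep": 1},
    {"name": "Analyze Email", "workflowPhase": 2, "workflowStep": 2,
     "dependentOnTaskName": "Confirm Receipt of Email"},
    {"name": "Confirm Receipt of Email", "workflowPhase": 2, "workflowStep": 1},
    {"name": "Close Case", "workflowPhase": 1, "workflowStep": 2,
     "dependentOnTaskName": "Write Report"}
   ]}
 ], "status": "Success"}
""")


def position(task):
    return (task["workflowPhase"], task["workflowStep"])


def audit_template(template):
    """Return (ordered task names, findings) for one template object."""
    tasks = template.get("configTask") or []  # absent on templates without tasks
    by_name = {t["name"]: t for t in tasks}
    findings = []
    for task in tasks:
        dep_name = task.get("dependentOnTaskName")
        dep = by_name.get(dep_name)
        if dep_name is not None and dep is None:
            findings.append(f"{task['name']}: depends on unknown task {dep_name!r}")
        elif dep is not None and position(dep) >= position(task):
            # Assumption: a prerequisite should sit earlier in phase/step order.
            findings.append(f"{task['name']}: prerequisite {dep_name!r} is not earlier")
    ordered = [t["name"] for t in sorted(tasks, key=position)]
    return ordered, findings


def audit_response(response):
    """Map template id -> (ordered task names, findings) for a list response."""
    return {t["id"]: audit_template(t) for t in response["data"]}


if __name__ == "__main__":
    for template_id, (ordered, findings) in audit_response(SAMPLE).items():
        print(template_id, ordered, findings or "no findings")
```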

Retrieve a Single Workflow Template

To retrieve a specific Workflow Template, use a query in the following format:

GET /v3/workflowTemplates/{workflowTemplateId}

For example, the following query will return information about the Workflow Template with ID 1:

GET /v3/workflowTemplates/1

JSON Response:

{
    "data": {
        "id": 1,
        "name": "Example Template",
        "description": "A description for this Workflow Template.",
        "active": false,
        "version": 1,
        "configAttribute": [{
            "attributeTypeId": 86
        }]
    },
    "status": "Success"
}

Request Additional Fields

To request additional fields not automatically included with each returned object, refer to Include Additional Fields for Returned Objects.

Filter Results

To filter returned objects using ThreatConnect Query Language (TQL), refer to Filter Results with TQL.

Update Workflow Templates

The basic format for updating a Workflow Template is:

PUT /v3/workflowTemplates/{workflowTemplateId}
{
    {updatedField}: {updatedValue}
}

For example, the following query will update the name and version number of the Workflow Template with ID 3 and add an Attribute Type to the Workflow Template:

PUT /v3/workflowTemplates/3
{
    "name": "Example Workflow Template Version 2.0",
    "version": 2,
    "configAttribute": [{"attributeTypeId": 3}]
}

JSON Response:

{
    "data": {
        "name": "Example Workflow Template Version 2.0",
        "description": "Template for phishing investigations.",
        "active": false,
        "version": 2,
        "configAttribute": [{
                "attributeTypeId": 3
        }]
    },
    "message": "Updated",
    "status": "Success"
}

Refer to the Available Fields section for a list of available fields that can be included in the body of a PUT request for the workflowTemplates object.

Delete Workflow Templates

The basic format to delete a Workflow Template is:

DELETE /v3/workflowTemplates/{workflowTemplateId}

For example, the following query will delete the Workflow Template with ID 1:

DELETE /v3/workflowTemplates/1

JSON Response:

{
    "message": "Deleted",
    "status": "Success"
}

Delete Workflow Templates in Bulk

To delete Workflow Templates in bulk, refer to Delete Case Objects in Bulk.