Workflow Templates

Workflow Templates are codified procedures for the steps to be taken within a Case. ThreatConnect provides a set of Workflow Templates via TC Exchange™, or users and administrators with the requisite permissions can create Workflow Templates from scratch.

Endpoint: /api/v3/workflowTemplates

Available Fields

You can retrieve a list of available fields for the /v3/workflowTemplates endpoint, including the field’s name, description, and accepted data type, by using the following query:

OPTIONS /v3/workflowTemplates

Note

To view all fields, including read-only fields, include the ?show=readonly query parameter.

Create Workflow Templates

The basic format for creating a Workflow Template is:

POST /v3/workflowTemplates/
{
  "name": "Example Workflow Template"
}

Additional fields can be included when creating a Workflow Template. Refer to the following table for a list of available fields for the workflowTemplates object:

Field Description Required Type Example Value(s)
configAttribute The Attribute type that should be included in the Workflow Template FALSE String [{“attributeTypeId”: 3}]
description The description of the Workflow Template FALSE String “Template for phishing investigations”
name The name of the Workflow Template TRUE String “Phishing Workflow Template”
version The version of the Workflow Template FALSE Integer 1, 2, 3

Note

To view a list of available Attribute types, refer to the Attribute Types section of this documentation.

For example, the following query will create an Workflow Template with the name Example Workflow Template and a description of the template:

POST /v3/workflowTemplates/
{
  "name": "Example Workflow Template",
  "description": "A description for this Workflow Template."
}

JSON Response:

{
  "data": {
      "id": 1,
      "name": "Example Workflow Template",
      "description": "A description for this Workflow Template.",
      "active": false,
      "version": 1,
  },
  "message": "Created",
  "status": "Success"
}

Retrieve Workflow Templates

Retrieve All Workflow Templates

To retrieve all Workflow Templates, use the following query:

GET /v3/workflowTemplates/

JSON Response:

{
  "data": [{
    "id": 1,
      "name": "Example Workflow Template",
      "description": "A description for this Workflow Template.",
      "active": false,
      "version": 1,
      "configAttribute": [{
          "attributeTypeId": 23,
      }]
    }, {
      "id": 2,
      "name": "Phishing Analysis Template",
      "configTask": [{
        "configPlaybook": None,
        "fields": [],
        "name": "Analyze phishing email",
        "description": "Analyze phishing email",
        "required": true,
        "workflowPhase": 1,
        "workflowStep": 1,
        "assignee": None
    }, {
     "configPlaybook": None,
     "fields": [{
        "artifactType": "Email Subject",
        "dataType": "String",
        "intelType": "indicator-Email Subject",
        "name": "helloSubject",
        "required": false,
        "uiElement": "String",
        "uiLabel": "Subject Line"
        }, {
        "artifactType": "Email Body",
        "dataType": "String",
        "name": "helloBody",
        "required": true,
        "uiElement": "String",
        "uiLabel": "Email Body"
        }],
        "name": "Gather the subject line and email body",
        "description": "Description ",
        "required": true,
        "workflowPhase": 1,
        "workflowStep": 2,
        "assignee": {
            "id": None
        },
        "dependentOnTaskName": "Analyze Phishing Email"
    }, {
        "configPlaybook": {"playbookApp":{"name":"Example Workflow Escalation Demo","type":"Workflow","version":"1.1.0","updated":"2021-03-15T14:54:36.000Z","programName":"e974ff4b663ee7ac4a126793957305b5","id":619},"automatic":false,"io":{"inputs":[{"name":"escalationSubject","value":"${WORKFLOW:Gather the subject line and email body:helloSubject}"},{"name":"esclationBody","value":"${WORKFLOW:Gather the subject line and email body:helloBody}"}],"outputs":[{"intelTypes":[],"name":"emailReceipient","dataType":"String","optional":true,"failOnError":true,"artifactName":"helloRecipient","artifactType":"Email Address"}]}},
        "fields": [],
        "name": "Send Escalation Email",
        "description": "Notify Manager",
        "required": false,
        "workflowId": 13,
        "workflowPhase": 2,
        "workflowStep": 1,
        "assignee": {
            "id": None
        },
        "dependentOnTaskName": "Gather the subject line and email body"
    }],
    "active": true,
    "version": 1
    }],
  "status": "Success"
}

Retrieve a Single Workflow Template

To retrieve a specific Workflow Template, use a query in the following format:

GET /v3/workflowTemplates/{workflowTemplateId}

For example, the following query will return information about the Workflow template with ID 1:

GET /v3/workflowTemplates/1

JSON Response:

{
  "data": {
      "id": 1,
      "name": "Example Workflow Template",
      "description": "A description for this Workflow Template.",
      "active": false,
      "version": 1,
  },
  "status": "Success"
}

Request Additional Fields

To request additional fields not automatically provided with each returned object, refer to Include Additional Fields for Returned Objects.

Filter Results

To filter returned objects using ThreatConnect Query Language (TQL), refer to Filter Results with TQL.

Update Workflow Templates

The basic format for updating a Workflow Template is:

PUT /v3/workflowTemplates/{workflowTemplateId}
{
    {updatedField}: {updatedValue}
}

Refer to the following table for a list of available fields that can be updated for the workflowTemplates object:

Field Description Type Example Value(s)
configAttribute The Attribute type that should be included in the Workflow Template String “[{“attributeTypeId”: 3}]”
description The description of the Workflow Template String “Template for phishing investigations”
name The name of the Workflow Template String “Phishing Workflow Template”
version The version of the Workflow Template Integer 1, 2, 3

Note

To view a list of available Attribute types, refer to the Attribute Types section of this documentation.

For example, the following query will update the name and version number of the Workflow Template with ID 1:

PUT /v3/workflowTemplates/1
{
  "name": "Example Workflow Template Version 2.0",
  "version": 2
}

JSON Response:

{
  "data": {
      "id": 1,
      "name": "Example Workflow Template Version 2.0",
      "description": "A description for this Workflow Template.",
      "active": false,
      "version": 2,
  },
  "message": "Updated",
  "status": "Success"
}

Delete Workflow Templates

The basic format to delete a Workflow Template is:

DELETE /v3/workflowTemplates/{workflowTemplateId}

For example, the following query will delete the Workflow Template with ID 1:

DELETE /v3/workflowTemplates/1

JSON Response:

{
  "message": "Deleted",
  "status": "Success"
}

Delete Workflow Templates in Bulk

To delete Workflow Templates in bulk, refer to Delete Case Objects in Bulk.