Release Notes


  • APP-1829 - [Session] Added logic to use http instead of https for proxy.


  • Update package_data to include STIX parser lark file.
  • APP-1829 - [Session] Added logic to attempt to handle “[SSL: WRONG_VERSION_NUMBER] wrong version number” error new to urllib3.


  • APP-1807, APP-1801 - [STIX] Remove dependency on Dendrol and replace with lark parser.


  • APP-891 - [STIX] Added additional support for consuming and producing STIX documents.
  • APP-1212 - [Testing] fixed output deletion issue for skipped test when –merge_outputs is used.
  • APP-1244 - [Testing] Added the is_json operator to assist in testing validation.
  • APP-1406 - [Testing] Fixed testing issue centered around the validation_criteria field present during bulk tests.
  • APP-1407 - [Testing] Fixed issue encountered when validation_criteria is set in a test profile (apps that use batch).
  • APP-1413 - [Testing] Converts option inputs that have a value of null to use #App:1234:null!String.
  • APP-1641 - [Batch] Fixed issue that batch delete that prevented single submission or last submission from working.
  • APP-1642 - [Service] Increased tc_svc_broker_conn_timeout arg to 60 to address disconnect issue in API service.
  • APP-1643 - [App Init] Added “no-commit-to-branch” feature to the pre-commit configuration.
  • APP-1760 - [KeyValueStore] Updated module to support new endpoint for PLAT-1237 in support of service Apps running on MEO.


  • APP-1394 - [Batch] Updated batch data processing to handle max sizes appropriately.


  • APP-1296 - [Session] Updated external session retry to accept a URL for retry mount.
  • APP-1366 - [Batch] Fixed issue in batch where self._file_threads was not getting updated appropriately.


  • APP-1126 - [Logger] Compress backup log files and increase backup count to 25.
  • APP-1127 - [Batch] Fixed issue with recursion when having a large number of associations.
  • APP-1128 - [Batch] Updated DEBUG feature to assist in testing batch module..
  • APP-1129 - [Batch] Added support for batch_max_size to truncate the batch job at ~75Mb.
  • APP-1130 - [Batch] Removed file_contents getter and setter method.
  • APP-1131 - [Session] Updated request_to_curl method in Utils module to truncate body and not write body to disk.
  • APP-1262 - [App Feature] Update advanced_request module to take output_prefix as an arg.
  • APP-1263 - [Session] Update session module to only log curl command when request receives an invalid response or enabled globally.
  • APP-1264 - [Logger] - Update logger modules to set default encoding to “UTF-8” when no value set at the OS level.
  • APP-1266 - [Utils] Update utils datetime module to include a chunk_date_range method to be used in job Apps that need to break request into smaller timeframes.
  • APP-1267 - [Batch] Add batch callback method to batch module to allow downloading/processing of data while batch job polls for status.
  • APP-1268 - Update the default temp directory to use an OS appropriate value.
  • APP-1272 - [App Feature] - Remove feature to update install.json and layout.json for advanced_request.
  • APP-1280 - [Session] Add ability to mask the body when logging curl command.


  • APP-1107 - Added MITRE ATTACK Utils methods to return the properly formatted tag value.
  • APP-1119 - Update to batch module to handle recursion issue with integrations that have a large number of group associations.


  • APP-890 - Added discoverTypes to Ready command for API Services.
  • APP-939 - Restructure of Service module to better support API Services.
  • APP-943, APP-1027, App-1036 - Updated ReadArg and IterateArgs decorators for better transform and validator support.
  • APP-944 - Added rate limit and 429 (too-many-requests) in external session module.
  • APP-964 - Updated inputs module to allow duplicate args (advanced request requirement).
  • SUP-8557 - Updated how the Threat Intelligence module was adding observations to ThreatConnect objects.
  • Multiple misc. enhancements (APP-865, APP-1021, APP-1030, APP-1086)

Testing framework

  • APP-921 - Updated default operator rule for test cases.
  • APP-926 - Updated profile generation to not add String type to all inputs.
  • APP-935 - Updated tcinit to include when missing.
  • APP-936 - Updated test handling when incorrect stage data is provided.


  • APP-849 - Updated request_to_curl method to handle proxy values properly.
  • APP-852 - Moved jmespath package from dev dependencies to standard dependencies.


  • APP-796 - Updated Advanced Request Method to always write output variable.
  • APP-813 - Updated datastore and cache modules; renamed ttl_minute to ttl_seconds, added handling of 0 or null ttl_second value.
  • APP-815 - Updated session_external to not raise RetryError.
  • APP-816 - Updated tcinit to not fail when no tcex.json file is present.


  • APP-780 - Added truncate method to Utils module.
  • APP-786 - Updated logger to addres TypeError exception.
  • APP-789 - Updated pre-commit configuration for App templates.
  • APP-790 - Added new Advance Request feature for App that utilize a remote API.
  • APP-791 - Updated session and session_external to not require an instance of tcex.
  • APP-792 - Updated services module to support sending failed message on ack.
  • APP-793 - Updated session to not create curl logs when sending API logs.

Testing framework

  • APP-77 - Added mechanism to tell if Webhook service Apps fired in testing framework.
  • APP-88 - Added “magic” variable expansion for tctest interactive mode.
  • APP-715 - Update validation for tags to be case insensitive in testing framework.
  • APP-746 - Update to address issue with email validation in testing framework.
  • APP-769 - Added rargs property to profile for custom methods in testing framework.


  • APP-79 - Added curl command to the log file at debug level to assist in troubleshooting.
  • APP-80 - Added support for __comment__ in testing profile.
  • APP-87 - Added check for invalid values in profile for Boolean inputs.
  • APP-102 - Addded pytest fixture for testing sessions.
  • APP-557 - Added update logic for profiles to convert static String inputs to Staged KVStore variables.
  • APP-561 - Updated precommit template file to support large files on commit.
  • APP-676 - Updated –interactive mode to support all input types.
  • APP-677 - Added –negative flag to tctest command to auto-generate negative test profiles.
  • Multiple enhancements for testing framework (APP-78, APP-82, APP-83, APP-84, APP-85, APP-86, APP-87, APP-106, APP-219)


  • Updated testing framework to decouple App version of TcEx and testing version.
  • Updated deepdiff validation method to better handle OrderedDicts.
  • Added simple caching to env_store.
  • Added session recording & playback for testing framework.
  • Added automatic staging of inputs to kvstore for testing framework.
  • Added additional support for batch in testing framework.


  • Updated decorator method logging.
  • Updated testing framework validation template to support dynamic output variable.
  • Updated testing framework validation template to validate output variable consistency.
  • Updated profile module to support variable from env store server.
  • Updated OnException decorator to log traceback.
  • Multiple enhancement and fixes to testing framework.


  • Added is_variable() method to Playbook module.
  • Updated ReadArgs decorator to return None when arg doesn’t exist.
  • Updated ReadArgs to not log input value.
  • Added new Permutations class to app_config_object module.
  • Added new Profile and ProfileInteractive Classes to app_config_object module.
  • Added new TcexJson Class to app_config_object module.
  • Moved all testing template generation/download logic to consolidated file.
  • Added schema management to InstallJson class.
  • Added schema management to LayoutJson class.
  • Multiple updates for App testing framework. + Updated testing framework to support permutations for Service Apps + Added –replace_exit_message CLI flag for pytest to replace outputs for test cases + Added –replace_outputs CLI flag for pytest to replace outputs for test cases + Added –merge_outputs CLI flag for pytest to merge new outputs with existing outputs for test cases + Profile schema is now managed and old profiles will be automatically updated + Changed default run method for Serice Apps to be subprocess instead of thread.
  • Updated tcinit CLI command. + Removed –action CLI arg + Added –update CLI arg to enable updates of non-customized template files + Added –migrate CLI arg to enable migration of non-compliant PB Apps + Added –layouts CLI arg to allow for dynamic creation of example layout.json based on install.json * The tcinit command now store the template in the tcex.json file to allow easier updates
  • Updated tcpackage CLI command. * Moved logic that updates the install.json to the InstallJson class * Updated to use InstallJson and LayoutJson objects
  • Updated tctest CLI command. + Added –interactive flag to allow for dynamic creation of testing profile. + Updated to use new Profile Class and Template Classes
  • Updated tcvalidate CLI command. * Updated to use InstallJson and LayoutJson objects * Updated validation logic for layout.json
  • Multiple updates to App templates to remove subprocess. + Added run() method to template for job and playbook Apps + Added dependencies for all App types + Updated to call run method of
  • Added logging of TcEx path.
  • Updated Utils Class to no longer require tcex instance.


  • Updated requirement for stdlib-list to >= 0.6.0 to support Python 3.8.
  • Updated test cases to call setup/teardown instead of start/done.
  • Added pydocstyle as a development dependency.
  • Removed isort from App template pre-commit file.
  • Multiple updates for templates and testing logic for Service Apps.
  • Issue-103 - added support for ThreatConnect ThreatIntelligence File Actions.
  • Issue-107 - added check for missing config file for external Apps.
  • Issue-110 - added example for associations using Threat Intelligence Module.
  • Issue-111 - updated trace logger method for Python 3.8.x changes.


  • Updated bin module to delete reference to removed profile and run files.
  • Updated for long_description.
  • Updated to include all dependencies.


  • Added support for ThreatConnect Case Management.
  • Added support for ThreatConnect Service Apps.
  • Updated templates to support changes in tcex 2.0.
  • Updated code to support Python 3.6+, removing support for all older versions of Python.
  • Removed old tcrun and tcprofile commands.
  • Breaking Change: Multiple updates to playbook module logic.
  • Breaking Change: Moved datetime methods in to
  • Breaking Change: Reworked App decorators to improve usability.
  • Breaking Change: Renamed start() and done() methods in templates to setup() and teardown().
  • Breaking Change: Removed tcex.s() method.
  • Breaking Change: Removed tcex.data_filter property and module.
  • Breaking Change: Removed tcex.request property and module.
  • Breaking Change: Removed tcex.resources property and module.
  • Breaking Change: Removed tcex.safetag() method.
  • Breaking Change: Removed tcex.safeurl() method.
  • Breaking Change: Updated tcex.safe_indicator() method input params.
  • Breaking Change: Updated tcex.safe_url() method input params.
  • Breaking Change: Updated tcex.safe_tag() method input params.



  • Improved support for TI module to support creating files given a unique_id.
  • Updates to playbook modules to remove logging affecting environment servers.


  • Updates to testing framework for custom validation.
  • Updates to the docs for multiple modules.
  • Multiple updates to testing framework.


  • Updated deleted() method of TI module to yield results instead of returning raw response.
  • Updates to testing framework for custom methods when testing profiles.
  • Updated inputs to ensure args provided via sys.argv take precedent over all other args.
  • Added new service_id arg for service Apps.
  • Added POC of session_external. Python requests session with auto-proxy configuration.
  • Updated excludes for tcpackage command for pytest report folders.


  • Updated validation module to handle local imports and shared modules.


  • Added additional support for v2 API endpoints.
  • Added support for new appId field in the install.json.
  • Updated validation command to better handle packages with nested modules.
  • Updated PB module to handle execution with no requested output variables.
  • Updated PB module to handle null values in BinaryArray.
  • Updated TI modules to better handle conversion to and from TCEntity.
  • Updated external App template to allow passing configuration in on TcEx() initialization.
  • Multiple updates for testing framework.


  • Added cache handler to logging module.
  • Updated args module to use dict input over sys.argv when possible.
  • Updated args module replaced required args with a default value when possible.
  • Updated testing module for args changes and more.
  • Updated logging add handler calls in multiple modules.
  • Renamed args module to inputs.
  • Removed reference to args in logging module.


  • Updates to token and args modules to better support testing framework and external Apps.
  • Added kwargs on tcex init for external Apps.
  • Updates to testing templates.


  • Moved registration of default token to default_args method to address issue with secure params.
  • Updated template files.
  • Updated build process for wheel files.
  • Updated permutations generation to include hidden inputs.


  • Restructured tcex modules into individual directories.
  • Added services module for service Apps.
  • Added token module to manage tokens for all types of Apps.
  • Moved token renewal from session to new token module.
  • Updated multiple module to simplify testing.



  • Updated logging formatter for issue in py2.
  • Updated test_case to automatically create profile output.


  • Reworked logging for the TcEx framework to provide better flexibility.
  • Updated logging of batch sizes to not log when there is not content.
  • Moved the logging of App info to the args call.
  • Added trace logging level (unsupported in platform currently).
  • Added new testing module using pytest.


  • Updated arg parsing to better handle delimited input strings for secureParams/AOT input.
  • Updated TI module to better handle filters and retrieving generic indicator/group types.
  • Updated logging initialization to ensure user provided log path is available before adding file handler.


  • Updated datastore module to prevent creating of empty record on index creation.
  • Updated batch module to support additional debugging features.


  • Updated playbook read for \s replacement issue in Python 3.7.
  • Updated utils unix_time_to_datetime() method to handle unix timestamps with milliseconds that are not floats.
  • Updated TI module with changes for indicators data.
  • Updated tcinit for temporary proxy fields names.


  • Updated read_embedded to escape newline characters in embedded string values


  • Updated install.json schema validation to ensure that displayName contains a minimum of three characters
  • Updated read_embedded to cast data value to a string
  • Made minor updates to the TI module


  • Added new Threat Intel (TI) module to interact with ThreatConnect REST API
  • Added support of “s” characters to be replaced automatically with a space (” “) character on user string input in Playbook Apps
  • Added templates for external Apps
  • Updated read_embedded method to deserialize nested variables before replacement
  • Updated Utils module to better handle datetime timezone conversions



  • Updated ReadArg decorator to support fail_on parameter
  • Updated IterateOnArg decorator to support fail_on parameter and removed fail_on_empty
  • Updated Datastore module to support no ID for POST and GET methods


  • Added new FailOnInput decorator
  • Changed FailOn decorator to FailOnError with arg input changes to enable
  • Added additional logging to IterateOnArg decorator


  • Reverted change to Playbook module read() method for null value returned when Array is True


  • Updated App templates to call parse_args() from init method
  • Updated IterateOnArg decorator to take an addition default value
  • Updated IterateOnArg to exit or log when no data is retrieved from Redis
  • Updated TcExRun module to detect v3 profile args section by either optional or required field
  • Updated TcExProfile module to use new layout.json output logic and always display output variables unless display value exists and return negative validation


  • Added new Cache module
  • Added new DataStore module
  • Updated App templates to ignore or exclude definitions
  • Updated tcprofile permutation_id to handle 0 index
  • Updated tcpackage command to not add commitHash if value is None
  • Updated tcvalidate command to handle permission errors when using pkg_resources
  • Updated install.json schema to include commitHash


  • Fixed issue with sqlite being imported while not required for Apps
  • Updated tcprofile to better support App bundle projects


  • Updated tcex_args module to parse injected params using a = separator instead of a space+ Updated tcprofile command to support permutations logic for Apps with layout.json conditional input parameters
  • Updated tcprofile command to update the profile schema to v3. Note that app.arg is now app.arg.optional and app.arg.required.
  • Updated tcrun arg parsing logic to use a = separator instead of a space
  • Updated Batch module to support new 5.8+ merge of file hash feature


  • Added a fix for tcvalidate output display statement validation
  • Updated install.json schema file
  • Updated tclib to error when environment variables are not available
  • Updated Batch module to handle xid as str for py2 Apps


  • Enabled package_data in for JSON schema files


  • Switched from package_data to for JSON schema files


  • Added new tcvalidate command for App Builder
  • Added validation of layout.json schema, inputs, and outputs
  • Migrated JSON validation files from App to TcEx


  • Added new FailOn App decorator
  • Updated in Playbook templates to handle TypeError on incorrect action
  • Updated tcpackage command to suggest proper fix for missing modules
  • Updated tcrun to handle null value in args


  • Fixed issue in tcpackage with handling errors
  • Updated tcpackage command to validate import module for .py file in project-root directory
  • Updated tcpackage moving install.json validation to top level
  • Updated tcpackage to support --ignore_validation arg. Using this flag will cause the command to not exit on validation errors.
  • Updated install.json schema file to support new feedDeployer Boolean field
  • Updated template file to ensure proper paths are set for an App


  • Updated all optional args in Batch module for Group/Indicator objects to kwargs. This will allow easier updates for new values in the future.
  • Updated the decode arg on the read Binary/BinaryArray methods to be False by default. When set to True, the read() method cannot be used in some use cases.
  • Updated the Group and Indicator object in the Batch module to only produce random and unique xids when an xid is not provided. These objects will no longer produce a unique and reproducible xid.
  • Added new App templates and updated templates with new files and content
  • Added tcex_args module to include all args related methods from the tcex module
  • Updated request() method to include proxy settings
  • Updated tcprofile to include an epilog with command instructions on environment setup (> tcprofile -h)
  • Updated tcprofile to split the args section to support “default” args and “app” args
  • Updated tcinit to support templates instead of types
  • Updated tcinit to include an epilog with template definitions (> tcinit -h)
  • Updated tcinit to download additional files required for building Apps
  • Updated tcrun to support update args schema in profiles
  • Removed module
  • Removed tcex.request_external() method
  • Removed tcex.authorization() method
  • Removed tcex.authorization_hmac() method
  • Removed tcex._authorization_token_renew() method
  • Updated all code to standard formatting and structure
  • Updated and restructured Documents



  • Added decorator to provide common methods for Playbook Apps.
  • Added logic to tcpackage to do basic syntax validation of .py and .json files
  • Added add_output() and write_output() methods to provide an alternative way to write Playbook output data
  • Added access to resolved args
  • Updated tclib logic for lib_latest symbolic link


  • Updated tcinit to include migration as an action to help convert non-App Builder compliant Apps
  • Updated Utils module for additional method to determine local timezone
  • Updated Utils module to output correct total_weeks value


  • Updated tcinit command CLI option --upgrade to download additional files
  • Updated tcrun command to use dockerImage parameter from install.json or profile
  • Updated tcrun command to support new autoclear value in profile
  • Updated tclib to create a symbolic link to the latest Python lib directory
  • Updated tcpackage command to add commitHash value to install.json
  • Updated tcex module to log commitHash value
  • Updated the .gitignore file for App templates


  • Fixed GH issue #(60)
  • Updated App templates. Added tc_action logic to handle launching action methods in the App class
  • Added --docker flag to tcrun command to launch App in docker container


  • Updated Batch module to handle Attribute values of False
  • Added read_array method to Playbook module
  • Updated App templates to include start and done methods
  • Update tcprofile to create the tcex.d directory automatically


  • Removed __slots__ on Batch module due to issues with Python 2
  • Updated tcinit and corresponding App templates


  • Added PDF method to Resource module for supported Group types
  • Added task_id method for Task class
  • Added date_added property to Indicator and Groups objects
  • Added last_modified property to Indicator objects
  • Updated tcrun for handling Binary/BinaryArray validation


  • Fixed deletion in Batch module for TC instances < 5.7


  • Removed app.lock logic
  • Updated file_content logic for Documents and Reports
  • Added add_file() method for batch Group objects
  • Added playbook_triggers_enabled parameter to Batch module (requires ThreatConnect 5.7)


  • Made minor change to batch poll
  • Updated Batch module close() method to check for xids-saved file existence before deletion


  • Added app.lock file to temp directory to ensure single execution


  • Removed debugging flag from Batch module and replaced with logic to control debug externally
  • Updated batch-poll method logic to poll more frequently
  • Update Resource module to allow the addition of a body when reading from the datastore


  • Added signal handler to tcex to gracefully handle interrupts
  • Added new tcinit command to download files required for a new App or update files in an existing App
  • Updated batch-poll method to automatically calculate poll interval. REMOVED interval-method parameter
  • Updated Batch module to raise error on batch-status poll timeout
  • Updated to version 1.0.2
  • Moved and added supporting file to app_init directory


  • Added close() method to allow cleanup of temp files when batch job is done
  • Added global overrides for halt_on_error in Batch module
  • Fixed issue with token renewal not failing properly on error
  • Updated logging method to ensure all messages are logged to file
  • Updated logging method to skip API logging during token renewal
  • Changed tcrun to not use shell on Windows systems


  • Updated Batch module to use Submit Job/Submit Data for deletes
  • Replaced tcex_develop arg with branch arg for tclib command
  • Added generate_xid() method to help generate a unique and/or reproducible xid
  • Added default value for Email score in Batch module


  • Added active property to Indicator type objects
  • Updated save() method be best effort
  • Updated submit_file() to handle None value being returned
  • Updated attribute() methods to handle unique values when using a formatter
  • Fixed issue with –unmask arg not working on tcrun command


  • Merged AOT feature in prep for 5.7
  • Added install_json() method to load install.json, which is used in the injection method to determine the structure on the param values
  • Added save() method to save batch data to disk to reduce memory usage of the App
  • Updated the logic in default_args() method to handle both injecting secureParams and AOT params depending, on selected feature.
  • Updated inject_params() method to be public and generic and to allow params to be injected manually
  • Updated tcex_redis module to support additional Redis methods required for AOT
  • Updated read_binary() and read_binary_array() methods to support b64decode and decode params
  • Updated Report() module to make the Report file name optional for updates in 5.7
  • Updated examples in Documents
  • Fixed validation issues in tcrun


  • Updated submit_create_and_upload method to clear raw list after submission
  • Rewrote results_tc method to handle updates to key/value pairs
  • Updated tcrun to automatically create required directories
  • Updated tclib to support building tcex develop version with –tcex_develop CLI flag


  • Rewrote tcrun and tcprofile commands
  • Removed tcdata commands
  • Changed logging of unsupported args to only show when App retrieves args
  • Changed read_binary_array method to decode Redis data automatically


  • Updated exit() methods to treat exit code of 3 as non-failure
  • Updated v2 Batch createAndUpload


  • Updated secure params injection to handle pipe-delimited multiple-choice values


  • Fixed issue with API logging not working when secure params are enabled
  • Fixed issue with API logging timestamp precision


  • Updated tcdata for Playbook variable creation during staging testing data
  • Updated tcex logging for level and removal of stream logger once API logger is initialized


  • Updated tcdata to handle binary array
  • Updated tclib command to support environment variables in tcex.json file
  • Added initial functionality for v2 Batch create and upload


  • Updated regex for Playbook variables


  • Updated Tcdata module for local testing
  • Updated Batch v2 API


  • Updated secureParams loading order
  • Updated tcex_logger module
  • Updated tcex module to only import modules when required
  • Moved inflect() to the Utils module
  • Updated documents for Metrics, Notifications, and Batch


  • Added tcex.session to provide access to the ThreatConnect API using Requests’ native interface
  • Added tcex_batch_v2 module to replace the Jobs module starting in ThreatConnect 5.6
  • Added msg to exit() methods
  • Changed exit_code() method to a property with a setter
  • Changed request() property to a method
  • Updated multiple methods to use tcex_session instead of tcex_request
  • Renamed Logger module to be consistent with other modules
  • Removed second arg from expand_indicators() method
  • Removed owner parameter from Datastore module
  • Added deprecation warning for the following methods: bulk_enabled(), job(), request_tc(), epoch_seconds(), and to_string(). These methods will be removed in version 0.9.0.
  • Cleaned up code, comments, and documentation
  • Added error code/message for all RuntimeError exceptions




  • Updated logging to log App name and other data
  • Added Notifications module for ThreatConnect 5.6+


  • Updated secure params injection to treat string value of True as Boolean/flag
  • Updated secure params to handle unicode values in py2
  • Updated Jobs module to use batch settings from args on init and to allow programmatic override of batch settings
  • Updated token renewal to handle issue with newstr


  • Updated Jobs module to not call safetag method when using Resource module
  • Updated Intrusion Set class in Resource module
  • Updated Group list to include new Group types
  • Added upload() and download() methods to Report class in resource module.
  • Added Task as a group type.
  • Added new secure params feature


  • Updated Utils module for handling naive datetime in py2
  • Added to_bool() method back to Utils module


  • Updated utils datetime methods to not require a timezone
  • Updated Tag class to urlencode tag value so slashes are supported
  • Updated safetag method to strip ^ from tag values
  • Changed modules dependency to use latest version instead of restricting to current version
  • Added Event, Intrusion Set, and Report Group types in preparation for TC > 5.6.0
  • Added metrics module to create and add metrics to ThreatConnect.
  • Added deleted endpoint for Indicators.


  • Updated Jobs module to delete by name when using replace for Groups
  • Updated token renewal to log more information on failure
  • Updated Playbooks read-binary array to better handle null values


  • Updated file Indicator class for proper handling of Attributes, Tags, and Labels
  • Updated expand_indicators() method to use a new regex to handle more formats for file hashes and custom Indicators


  • Fixed issue with embedded variable matching during exact variable check


  • Updated Resource for py2 unicode issue in ipAddress module


  • Updated Resource module to automatically handle files hashes in format “md5 : sha1 : sha256”
  • Updated Resource module to reformat ipv6 addresses to same format as TC


  • Updated template with better logic to detect Python lib directory version
  • Updated regex patterns for variable matching in Playbook module
  • Updated Playbook module function in handling variables


  • Updated read_embedded() method to better support embedded variables
  • Added –report arg to tcrun to output a JSON Report of profiles and run data
  • Added new JSON string comparison operator (jc/json compare) to tcdata to compare two JSON strings (requires DeepDiff to be installed locally)


  • Added KeyValueArray operator to tcdata, which allows searching for a single key/value entry in array
  • Updated functionality to replace non-quoted embedded variable to handle duplicate variables in KeyValueArray


  • Added new string comparison operator (sc) to tcdata that strips all white space before eq comparison
  • Added new functionality to TcExPlaybook to replace non-quoted embedded variables in Read KeyValueArrays
  • Updated Create KeyValue/KeyValueArray methods to not JSON load when passed a string
  • Added any_to_datetime() method to return datetime.datetime object
  • Added timedelta() method to return delta object from two provided datetime expressions


  • Fixed issue with _newstr_ and dynamic-class generation


  • Updated all TcEx framework command-line interface (CLI) commands to use utf-8 encoding by default
  • Replaced usage of unicode with built-in str (Python 2/3 compatible
  • Replaced usage of long with built-in int (Python 2/3 compatible)
  • Update usage of urllib.quote to be Python 2/3 compatible


  • Updated association_custom() to handle boolean values that are passed as strings
  • Updated _resource() method to handle boolean returned as strings from the API
  • Updated tcdata to properly delete Indicators when using --clear arg
  • Update the Log module to use tcex instead of tcapp


  • Added TcExUtils module with date functions to handle common date-use cases
  • Added DeepDiff functionality to tcdata for validating unsorted dictionaries and list
  • Updated tcdata to pull item from lists by index for easier comparison
  • Updated read() method to allow disabling of automatically resolving embedded variables
  • Updated association_custom() method to support file actions
  • Updated file_action() method as alias to association_custom()


  • Updated tcdata command for issue on sorting list in Python 3
  • Added update for tcex.json file to allow the App version to be specified instead of using programVersion from install.json


  • Added stub support for associatedGroup in Batch Indicator JSON
  • Updated the TcEx Job module to better handle Document uploads in Python 3
  • Updated TcEx Resource module to support query parameter list in the add_payload() method
  • Updated TcEx Request module to support query parameter list in the add_payload() method
  • Updated tclib to remove the old lib directory before creating the lib directory


  • Updated the TcEx framework to only build custom Indicator classes when working with custom Indicators
  • Updated TcEx Jobs module Group add logic to fix issue with skipping existing Groups
  • Updated TcEx Jobs module to handle associatedGroup passed as string or int when using /v2


Breaking change to any App that uses the Direct Access method with a Custom Indicator type.



  • Fixed issue in tcdata when validating that data is not string type
  • Updated tcprofile to set type check to binary on binary data


  • Updated Playbook create_binary and create_binary array for to better support py3.
  • Updated tcdata to support Security Labels in staged data
  • Updated tcdata to support adding associations
  • Updated tcdata to support variable reference #App:4768:tc.address!TCEntity::value during validation


  • Updated tcdata to validate string as string_types for “is type” check using six modules
  • Added fix for code font not matching line numbers in the documents


  • Added CustomMetric module to Resource module
  • Renamed _args variable in to default_args
  • Renamed _parser variable in to parser
  • Cleaned up code (removed any Python 2.5-specific code)



  • Replaced use of str() in TcEx Playbook module
  • Updated tcrun to pass data_owner for each action on tcdata
  • Updated tcdata to stage TC data via /v2 instead of batch
  • Updated tcdata write entity out as variable


  • Updated tcprofile to support new parameters
  • Updated tcdata to properly handle older tcex.json files
  • Updated read_embedded() method to handle unicode error
  • Added additional logging to TcEx Job for logging API response


  • Added job() association feature to handle Group-> Indicator and Group-> Group associations
  • Added safe_group_name() method to ensure Group meets the required length
  • Added tcdata initial feature to stage Groups and Indicators in ThreatConnect
  • Updated tcrun to use new parameter for logging
  • Updated job() to support upload of file to Document Group


  • Updated token renewal URL
  • Updated tcprofile to include api_default_org, tc_proxy_external, tc_proxy_host, tc_proxy_port, tcp_proxy_password, tc_proxy_tc, tc_proxy_username
  • Updated tcprofile changing tc_playbook_db_path and tc_playbook_db_port parameters to environment variables by default
  • Updated tcprofile changing logging to tc_log_level
  • Updated tclib to check for requirements.txt


  • Updated tcex.playbook, tcrun, and tcdata to support deleting data from Redis from previous runs


  • Updated tcrun to handle issue where install_json is not defined in the tcex.json file so that script name was improperly being set


  • Updated create_output() method to fix issue when using output variables of the same name and different type


  • Updated tcrun to not check for the program main file for Java Apps


  • Updated tcrun to support running Java Apps
  • Added support for install_json profile parameter to tcex.json. This should be included in all tcex.json files going forward.
  • Added support for java_path config parameter to tcex.json for custom Java path. Default behavior is to use the default version of Java from user path.
  • Added support for class_path profile parameter to tcex.json for custom Java paths. By default, ./target/ will be used as the class_pass value.
  • Updated tcpackage to grab minor version from programVersion in install.json. If no programVersion is found, the default version of an App is 1.0.0.
  • Cleaned up PEP8


  • Updated json() method to use proper entity value
  • Updated tcprofile to use default env values for API credentials
  • Added Groups parameter to tcex.json so that a profile can be part of multiple Groups


  • Added additional exclude values for IDE directories
  • Added app_name parameter to tcex.json for App built on system where App directory is not the App name
  • Updated tcpackage to use new app_name, if it exists, and to default back to App directory name
  • Updated tcprofile to only output Redis variable for Playbook Apps
  • Updated tclib to have default config value for instance where there is not tcex.json file


  • Update Building Apps section of the documentation
  • Updated required module versions (requests, python-dateutil, and Redis)
  • Fixed issue with sleep parameter being ignored in tcrun.
  • Updated tclib to automatically read tcex.json
  • Updated tcpackage to output Apps zip files with .tcx extension


  • Added support for binary data type in tcdata for staging


  • Added platform for docker support


  • Added platform check for subprocess calls
  • Added additional error logging for tcrun command


  • Added better support for build and test commands on Windows platform


  • Removed pip as a dependency


  • Updated tcdata to support multiple operators for validation
  • Added tcprofile command to automatically build testing profiles from install.json
  • Updated tcrun to create log, out, and temp directories for testing output
  • Updated tcpackage to exclude .pyc files and __pycache__ directory


  • Updated tcpackage to append version number to zip file
  • Added a bundle_name parameter to tcex.json file for systems where the directory name does not represent the App name


  • Updated tcdata for issue with bytes string in Python 3


  • Added new tcdata, tclib, tcpackage, and tcrun commands for App testing and packaging (The will be deprecated in the future.)
  • Updated for new lib directory structure created with pip (replaced easy_install)
  • Changed method so that Apps are now built with requirements.txt instead of


  • Updated association_custom() method to support DELETE/POST methods
  • Added _association_types() method to load Custom Association types from API
  • Added indicator_types_data property with full Indicator Type data
  • Added indicator_associations_types_data property with full Indicator Association Type data


  • Update playbookdb variable name
  • Updated template for proper exit code


  • Added support for output variable of the same name, but different types
  • Added support for new TCKeyValueAPI DB types in Playbook Apps. This is a seamless change to the Apps.
  • Updated authorization() method to return properly formatted header when no token_expires is provided
  • Added automatic authorization to request_tc() method
  • Updated documentation for Request module



  • Changed proxy variable to proxies in request_external() method
  • Changed proxy variable to proxies in request_tc() method
  • Added assignees() method for Tasks
  • Added escalatees() method for Tasks
  • Added 201 as valid status code for Task


  • Added victims() method to Resource module
  • Added victim_assets() method to Resource module
  • Added observations() methods to Resource module
  • Added observation_count() methods to Resource module
  • Added observed() methods to Resource module
  • Changed private _copy() method to public copy() in the Resource module
  • Updated occurrence() method Indicator parameter to be optional
  • Added resolution() methods to Resource module to retrieve DNS resolutions on Host Indicators


  • Added download() method to download Signature data
  • Added urlencoding to proxy user and password


  • Added job() method to allow multiple jobs to run in an App
  • Update s() method to fix issues in Python 3


  • Updated create_binary_array() method to properly handle binary array data
  • Updated read_binary_array() method to properly handle binary array data


  • Updated indicator_body() to support missing hashes
  • Added false_positive() endpoint for Indicators
  • Merged pull requests for better native Python 3 support
  • Added Campaign to Group types
  • Increased request timeout to 300 second.


  • Updated read_embedded() method logic for null values and better support of mixed values


  • Updated TcEx Job module for file hashes updates using v2/indicators/files


  • Updated TcExJob module for file hashes updates using v2/indicators/files


  • Updated read_embedded() method to support different formatting dependent on the parent variable type
  • Updated Resource module to address issue in which copying the instance causes errors with request instance in Python 3
  • Updated T**cExLocal** run() method to better format error output


  • Added add_payload() method to DataStore class
  • Fixed issue with TcExJob module in which batch Indicator POST with chunking would fail after first chunk
  • Added safe_indicator() method to urlencode and cleaned up Indicator before associations, etc.
  • Updated expand_indicators() method to use a regex instead of split for better support of custom Indicators
  • Updated _process_indicators_v2 to better handle custom Indicator types
  • Updated read_embedded() method to strip off double quote from JSON string on mixed types and to decode escaped strings
  • Updated Resource module so that all Indicator are URL encoded before adding to the URI
  • Updated Indicator_body() method to only include items in the JSON body if not None.
  • Updated indicators() method to handle extra white spaces on the boundary
  • Added additional standard args of api_default_org and tc_in_path


  • Updated Resource module. All _pivot() and associations() methods now take an instance of Resource and return a copy of the current Resource instance. Other methods such as security_label() and tags() now return a copy of the current Resource instance.
  • Added Tag Resource class
  • Added resource() method to get instance of Resource instance
  • Added Datastore Resource class to the Resource module
  • Updated TcExJob module for changes in the Resource module



  • Added logic around retrieving Batch errors to handle 404
  • Added new exit() method for Playbook Apps (exit code of 3 to 1 for partial success)


  • Added group_results and indicator_results properties to TcEx Job module
  • Added request_external() and request_tc() methods
  • Updated read_embedded() method with a better regex for matching variables
  • Updated TcExPlaybook() module with better error handling with JSON loads
  • Updated TcExLocal run() method to sleep after subprocess executes the first time


  • Updated TcEx Job module to allow Indicators to be added via /v2/indicators/<type>
  • Updated structure for Attributes/Tags on Groups to use singular version (Attribute/Tag) in Jobs modules to match format used for Indicators
  • Added custom case_preference and parsable properties to Resource module
  • Added logic to cleanup temporary JSON bulk file. When logging is debug, a compressed copy of the file will remain.


  • Fixed issue in tcex_resources module with pagination stopping before all results are retrieved


  • Added s() method to replace the to_string() method (handle bad unicode in Python 2 and still support Python 3)
  • Updated read_embedded() method to better handle embedded vars


  • Added indicators() method to allow iteration over Indicator values in Indicator response JSON


  • Updated set_basic_auth() method to use proper unicode method
  • Updated tcex_playbook create and read methods to warn when None value is passed


  • Added json() method that accepts a dictionary and automatically sets content-type and body
  • Updated safeurl() and safetag() to use to_string()
  • Update set_basic_auth() for Python 2/3 compatibility



  • Updated add_payload() method to not force the value to string
  • Updated files() method
  • Added set_basic_auth() method for instance where normal method does not work


  • Added files() property to tcex_request module


  • Fixed issue with boolean parameters having an extra space at the end


  • Updated _parameters() method to build a list for subprocess.popen instead of a string
  • Updated install.json schema to support note field


  • Removed hiredis as a dependency
  • Added hvac as a dependency for vault-credential storage
  • Added ability to use vault as a credential store for local testing
  • Fixed args wrapper for Windows (’ to “)


  • Added sleep option for test profiles that take time to complete


  • Updated tcex_local module to change tc.json profiles to list instead of dictionary to maintain order of profiles
  • Added feature to tcex_local to read environment variables for value in tc.json (e.g., $evn.my_api_key)


  • Handled None type returned by Redis module


  • Added to_string() method to replace old uni() method (handled Python 2/3 encoding for Apps)


  • Updated string/unicode/bytes issue between Python 2 and 3


  • Updated tcex_local module for Python 2/3 support
  • Updated binary methods in tcex_playbook module for Python 2/3 support


  • Reworked tcex_local run() logic to support updated tc.json schema
  • Changed –test arg to –profile in _required_arguments()
  • Added script field to tc.json that matches –script arg to support predefined script names
  • Added Group field to tc.json that matches –group arg in _required_arguments() to support running multiple profiles
  • Added inflect requirement to version 0.2.5
  • Changed python-dateutil requirement to version 2.6.10
  • Changed requests requirement to version 2.13.0



  • Added accepted status code of 201 for Custom Indicator POST on dynamic class creation


  • Added entity_body() method to tcex_resources for generating Indicator body
  • Added indicator_body() method to tcex_resources for generating Indicator body


  • Fixed issue with Job group_cache() method


  • Updated TcExJob module to use new pagination functionality in tcex_resources module
  • Updated and labeled paginate() method as deprecated


  • Updated tcex_local for additional parameter support during build process


  • Updated tcex_local for exit code when is called (maven build issue)
  • Added new log event for proxy settings


  • Reworked iterator logic in tcex_resources module



  • Updated documentation
  • Changed tcex_resources to allow iteration over the instance to retrieve paginated results
  • Updated support-persistent args when running App locally
  • Updated Playbook module for Python 3
  • Added logging of platform for debugging purposes
  • Updated Pep 8


  • Updated file_occurrence() in the TcEx Job module
  • Added tcex_data_filter module access via tcex.data_filter(data)
  • Added epoch_seconds() method to return epoch seconds with optional delta period
  • Added python-dateutil==2.4.2 as a Python dependency


  • Added paginate() method to tcex_resources module
  • Updated group_cache() module to use paginate() method


  • Updated TcExJob module for tcex_resources modules renamed methods and changes


  • Changed logging level logic to use logging over tc_logging_level, if it exists
  • Added App version logging attempt


  • Updated _resources() method to handle TC version without custom Indicators
  • Updated logging to better debug API request failures
  • Updated package command to create lib directory with Python version (e.g., lib_3.6.0)
  • Updated logging the Logging Level, Python, and TcEx versions for additional debugging


  • Updated open call for bytes issue on Python 3


  • Updated to for Python 3 support


  • Updated Campaign Resource type Class
  • Added building_apps section to documentation


  • Added Campaign() Class
  • Updated documentation


  • Updated for build


  • Initial Public Release