Release Notes


  • APP-1829 - [Session] Added logic to use http instead of https for proxy.


  • Update package_data to include STIX parser lark file.

  • APP-1829 - [Session] Added logic to attempt to handle “[SSL: WRONG_VERSION_NUMBER] wrong version number” error new to urllib3.


  • APP-1807, APP-1801 - [STIX] Remove dependency on Dendrol and replace with lark parser.


  • APP-891 - [STIX] Added additional support for consuming and producing STIX documents.

  • APP-1212 - [Testing] fixed output deletion issue for skipped test when –merge_outputs is used.

  • APP-1244 - [Testing] Added the is_json operator to assist in testing validation.

  • APP-1406 - [Testing] Fixed testing issue centered around the validation_criteria field present during bulk tests.

  • APP-1407 - [Testing] Fixed issue encountered when validation_criteria is set in a test profile (apps that use batch).

  • APP-1413 - [Testing] Converts option inputs that have a value of null to use #App:1234:null!String.

  • APP-1641 - [Batch] Fixed issue that batch delete that prevented single submission or last submission from working.

  • APP-1642 - [Service] Increased tc_svc_broker_conn_timeout arg to 60 to address disconnect issue in API service.

  • APP-1643 - [App Init] Added “no-commit-to-branch” feature to the pre-commit configuration.

  • APP-1760 - [KeyValueStore] Updated module to support new endpoint for PLAT-1237 in support of service Apps running on MEO.


  • APP-1394 - [Batch] Updated batch data processing to handle max sizes appropriately.


  • APP-1296 - [Session] Updated external session retry to accept a URL for retry mount.

  • APP-1366 - [Batch] Fixed issue in batch where self._file_threads was not getting updated appropriately.


  • APP-1126 - [Logger] Compress backup log files and increase backup count to 25.

  • APP-1127 - [Batch] Fixed issue with recursion when having a large number of associations.

  • APP-1128 - [Batch] Updated DEBUG feature to assist in testing batch module..

  • APP-1129 - [Batch] Added support for batch_max_size to truncate the batch job at ~75Mb.

  • APP-1130 - [Batch] Removed file_contents getter and setter method.

  • APP-1131 - [Session] Updated request_to_curl method in Utils module to truncate body and not write body to disk.

  • APP-1262 - [App Feature] Update advanced_request module to take output_prefix as an arg.

  • APP-1263 - [Session] Update session module to only log curl command when request receives an invalid response or enabled globally.

  • APP-1264 - [Logger] - Update logger modules to set default encoding to “UTF-8” when no value set at the OS level.

  • APP-1266 - [Utils] Update utils datetime module to include a chunk_date_range method to be used in job Apps that need to break request into smaller timeframes.

  • APP-1267 - [Batch] Add batch callback method to batch module to allow downloading/processing of data while batch job polls for status.

  • APP-1268 - Update the default temp directory to use an OS appropriate value.

  • APP-1272 - [App Feature] - Remove feature to update install.json and layout.json for advanced_request.

  • APP-1280 - [Session] Add ability to mask the body when logging curl command.


  • APP-1107 - Added MITRE ATTACK Utils methods to return the properly formatted tag value.

  • APP-1119 - Update to batch module to handle recursion issue with integrations that have a large number of group associations.


  • APP-890 - Added discoverTypes to Ready command for API Services.

  • APP-939 - Restructure of Service module to better support API Services.

  • APP-943, APP-1027, App-1036 - Updated ReadArg and IterateArgs decorators for better transform and validator support.

  • APP-944 - Added rate limit and 429 (too-many-requests) in external session module.

  • APP-964 - Updated inputs module to allow duplicate args (advanced request requirement).

  • SUP-8557 - Updated how the Threat Intelligence module was adding observations to ThreatConnect objects.

  • Multiple misc. enhancements (APP-865, APP-1021, APP-1030, APP-1086)

Testing framework

  • APP-921 - Updated default operator rule for test cases.

  • APP-926 - Updated profile generation to not add String type to all inputs.

  • APP-935 - Updated tcinit to include when missing.

  • APP-936 - Updated test handling when incorrect stage data is provided.


  • APP-849 - Updated request_to_curl method to handle proxy values properly.

  • APP-852 - Moved jmespath package from dev dependencies to standard dependencies.


  • APP-796 - Updated Advanced Request Method to always write output variable.

  • APP-813 - Updated datastore and cache modules; renamed ttl_minute to ttl_seconds, added handling of 0 or null ttl_second value.

  • APP-815 - Updated session_external to not raise RetryError.

  • APP-816 - Updated tcinit to not fail when no tcex.json file is present.


  • APP-780 - Added truncate method to Utils module.

  • APP-786 - Updated logger to addres TypeError exception.

  • APP-789 - Updated pre-commit configuration for App templates.

  • APP-790 - Added new Advance Request feature for App that utilize a remote API.

  • APP-791 - Updated session and session_external to not require an instance of tcex.

  • APP-792 - Updated services module to support sending failed message on ack.

  • APP-793 - Updated session to not create curl logs when sending API logs.

Testing framework

  • APP-77 - Added mechanism to tell if Webhook service Apps fired in testing framework.

  • APP-88 - Added “magic” variable expansion for tctest interactive mode.

  • APP-715 - Update validation for tags to be case insensitive in testing framework.

  • APP-746 - Update to address issue with email validation in testing framework.

  • APP-769 - Added rargs property to profile for custom methods in testing framework.


  • APP-79 - Added curl command to the log file at debug level to assist in troubleshooting.

  • APP-80 - Added support for __comment__ in testing profile.

  • APP-87 - Added check for invalid values in profile for Boolean inputs.

  • APP-102 - Addded pytest fixture for testing sessions.

  • APP-557 - Added update logic for profiles to convert static String inputs to Staged KVStore variables.

  • APP-561 - Updated precommit template file to support large files on commit.

  • APP-676 - Updated –interactive mode to support all input types.

  • APP-677 - Added –negative flag to tctest command to auto-generate negative test profiles.

  • Multiple enhancements for testing framework (APP-78, APP-82, APP-83, APP-84, APP-85, APP-86, APP-87, APP-106, APP-219)


  • Updated testing framework to decouple App version of TcEx and testing version.

  • Updated deepdiff validation method to better handle OrderedDicts.

  • Added simple caching to env_store.

  • Added session recording & playback for testing framework.

  • Added automatic staging of inputs to kvstore for testing framework.

  • Added additional support for batch in testing framework.


  • Updated decorator method logging.

  • Updated testing framework validation template to support dynamic output variable.

  • Updated testing framework validation template to validate output variable consistency.

  • Updated profile module to support variable from env store server.

  • Updated OnException decorator to log traceback.

  • Multiple enhancement and fixes to testing framework.


  • Added is_variable() method to Playbook module.

  • Updated ReadArgs decorator to return None when arg doesn’t exist.

  • Updated ReadArgs to not log input value.

  • Added new Permutations class to app_config_object module.

  • Added new Profile and ProfileInteractive Classes to app_config_object module.

  • Added new TcexJson Class to app_config_object module.

  • Moved all testing template generation/download logic to consolidated file.

  • Added schema management to InstallJson class.

  • Added schema management to LayoutJson class.

  • Multiple updates for App testing framework. + Updated testing framework to support permutations for Service Apps + Added –replace_exit_message CLI flag for pytest to replace outputs for test cases + Added –replace_outputs CLI flag for pytest to replace outputs for test cases + Added –merge_outputs CLI flag for pytest to merge new outputs with existing outputs for test cases + Profile schema is now managed and old profiles will be automatically updated + Changed default run method for Serice Apps to be subprocess instead of thread.

  • Updated tcinit CLI command. + Removed –action CLI arg + Added –update CLI arg to enable updates of non-customized template files + Added –migrate CLI arg to enable migration of non-compliant PB Apps + Added –layouts CLI arg to allow for dynamic creation of example layout.json based on install.json * The tcinit command now store the template in the tcex.json file to allow easier updates

  • Updated tcpackage CLI command. * Moved logic that updates the install.json to the InstallJson class * Updated to use InstallJson and LayoutJson objects

  • Updated tctest CLI command. + Added –interactive flag to allow for dynamic creation of testing profile. + Updated to use new Profile Class and Template Classes

  • Updated tcvalidate CLI command. * Updated to use InstallJson and LayoutJson objects * Updated validation logic for layout.json

  • Multiple updates to App templates to remove subprocess. + Added run() method to template for job and playbook Apps + Added dependencies for all App types + Updated to call run method of

  • Added logging of TcEx path.

  • Updated Utils Class to no longer require tcex instance.


  • Updated requirement for stdlib-list to >= 0.6.0 to support Python 3.8.

  • Updated test cases to call setup/teardown instead of start/done.

  • Added pydocstyle as a development dependency.

  • Removed isort from App template pre-commit file.

  • Multiple updates for templates and testing logic for Service Apps.

  • Issue-103 - added support for ThreatConnect ThreatIntelligence File Actions.

  • Issue-107 - added check for missing config file for external Apps.

  • Issue-110 - added example for associations using Threat Intelligence Module.

  • Issue-111 - updated trace logger method for Python 3.8.x changes.


  • Updated bin module to delete reference to removed profile and run files.

  • Updated for long_description.

  • Updated to include all dependencies.


  • Added support for ThreatConnect Case Management.

  • Added support for ThreatConnect Service Apps.

  • Updated templates to support changes in tcex 2.0.

  • Updated code to support Python 3.6+, removing support for all older versions of Python.

  • Removed old tcrun and tcprofile commands.

  • Breaking Change: Multiple updates to playbook module logic.

  • Breaking Change: Moved datetime methods in to

  • Breaking Change: Reworked App decorators to improve usability.

  • Breaking Change: Renamed start() and done() methods in templates to setup() and teardown().

  • Breaking Change: Removed tcex.s() method.

  • Breaking Change: Removed tcex.data_filter property and module.

  • Breaking Change: Removed tcex.request property and module.

  • Breaking Change: Removed tcex.resources property and module.

  • Breaking Change: Removed tcex.safetag() method.

  • Breaking Change: Removed tcex.safeurl() method.

  • Breaking Change: Updated tcex.safe_indicator() method input params.

  • Breaking Change: Updated tcex.safe_url() method input params.

  • Breaking Change: Updated tcex.safe_tag() method input params.



  • Improved support for TI module to support creating files given a unique_id.

  • Updates to playbook modules to remove logging affecting environment servers.


  • Updates to testing framework for custom validation.

  • Updates to the docs for multiple modules.

  • Multiple updates to testing framework.


  • Updated deleted() method of TI module to yield results instead of returning raw response.

  • Updates to testing framework for custom methods when testing profiles.

  • Updated inputs to ensure args provided via sys.argv take precedent over all other args.

  • Added new service_id arg for service Apps.

  • Added POC of session_external. Python requests session with auto-proxy configuration.

  • Updated excludes for tcpackage command for pytest report folders.


  • Updated validation module to handle local imports and shared modules.


  • Added additional support for v2 API endpoints.

  • Added support for new appId field in the install.json.

  • Updated validation command to better handle packages with nested modules.

  • Updated PB module to handle execution with no requested output variables.

  • Updated PB module to handle null values in BinaryArray.

  • Updated TI modules to better handle conversion to and from TCEntity.

  • Updated external App template to allow passing configuration in on TcEx() initialization.

  • Multiple updates for testing framework.


  • Added cache handler to logging module.

  • Updated args module to use dict input over sys.argv when possible.

  • Updated args module replaced required args with a default value when possible.

  • Updated testing module for args changes and more.

  • Updated logging add handler calls in multiple modules.

  • Renamed args module to inputs.

  • Removed reference to args in logging module.


  • Updates to token and args modules to better support testing framework and external Apps.

  • Added kwargs on tcex init for external Apps.

  • Updates to testing templates.


  • Moved registration of default token to default_args method to address issue with secure params.

  • Updated template files.

  • Updated build process for wheel files.

  • Updated permutations generation to include hidden inputs.


  • Restructured tcex modules into individual directories.

  • Added services module for service Apps.

  • Added token module to manage tokens for all types of Apps.

  • Moved token renewal from session to new token module.

  • Updated multiple module to simplify testing.



  • Updated logging formatter for issue in py2.

  • Updated test_case to automatically create profile output.


  • Reworked logging for the TcEx framework to provide better flexibility.

  • Updated logging of batch sizes to not log when there is not content.

  • Moved the logging of App info to the args call.

  • Added trace logging level (unsupported in platform currently).

  • Added new testing module using pytest.


  • Updated arg parsing to better handle delimited input strings for secureParams/AOT input.

  • Updated TI module to better handle filters and retrieving generic indicator/group types.

  • Updated logging initialization to ensure user provided log path is available before adding file handler.


  • Updated datastore module to prevent creating of empty record on index creation.

  • Updated batch module to support additional debugging features.


  • Updated playbook read for \s replacement issue in Python 3.7.

  • Updated utils unix_time_to_datetime() method to handle unix timestamps with milliseconds that are not floats.

  • Updated TI module with changes for indicators data.

  • Updated tcinit for temporary proxy fields names.


  • Updated read_embedded to escape newline characters in embedded string values


  • Updated install.json schema validation to ensure that displayName contains a minimum of three characters

  • Updated read_embedded to cast data value to a string

  • Made minor updates to the TI module


  • Added new Threat Intel (TI) module to interact with ThreatConnect REST API

  • Added support of “s” characters to be replaced automatically with a space (” “) character on user string input in Playbook Apps

  • Added templates for external Apps

  • Updated read_embedded method to deserialize nested variables before replacement

  • Updated Utils module to better handle datetime timezone conversions



  • Updated ReadArg decorator to support fail_on parameter

  • Updated IterateOnArg decorator to support fail_on parameter and removed fail_on_empty

  • Updated Datastore module to support no ID for POST and GET methods


  • Added new FailOnInput decorator

  • Changed FailOn decorator to FailOnError with arg input changes to enable

  • Added additional logging to IterateOnArg decorator


  • Reverted change to Playbook module read() method for null value returned when Array is True


  • Updated App templates to call parse_args() from init method

  • Updated IterateOnArg decorator to take an addition default value

  • Updated IterateOnArg to exit or log when no data is retrieved from Redis

  • Updated TcExRun module to detect v3 profile args section by either optional or required field

  • Updated TcExProfile module to use new layout.json output logic and always display output variables unless display value exists and return negative validation


  • Added new Cache module

  • Added new DataStore module

  • Updated App templates to ignore or exclude definitions

  • Updated tcprofile permutation_id to handle 0 index

  • Updated tcpackage command to not add commitHash if value is None

  • Updated tcvalidate command to handle permission errors when using pkg_resources

  • Updated install.json schema to include commitHash


  • Fixed issue with sqlite being imported while not required for Apps

  • Updated tcprofile to better support App bundle projects


  • Updated tcex_args module to parse injected params using a = separator instead of a space+ Updated tcprofile command to support permutations logic for Apps with layout.json conditional input parameters

  • Updated tcprofile command to update the profile schema to v3. Note that app.arg is now app.arg.optional and app.arg.required.

  • Updated tcrun arg parsing logic to use a = separator instead of a space

  • Updated Batch module to support new 5.8+ merge of file hash feature


  • Added a fix for tcvalidate output display statement validation

  • Updated install.json schema file

  • Updated tclib to error when environment variables are not available

  • Updated Batch module to handle xid as str for py2 Apps


  • Enabled package_data in for JSON schema files


  • Switched from package_data to for JSON schema files


  • Added new tcvalidate command for App Builder

  • Added validation of layout.json schema, inputs, and outputs

  • Migrated JSON validation files from App to TcEx


  • Added new FailOn App decorator

  • Updated in Playbook templates to handle TypeError on incorrect action

  • Updated tcpackage command to suggest proper fix for missing modules

  • Updated tcrun to handle null value in args


  • Fixed issue in tcpackage with handling errors

  • Updated tcpackage command to validate import module for .py file in project-root directory

  • Updated tcpackage moving install.json validation to top level

  • Updated tcpackage to support --ignore_validation arg. Using this flag will cause the command to not exit on validation errors.

  • Updated install.json schema file to support new feedDeployer Boolean field

  • Updated template file to ensure proper paths are set for an App


  • Updated all optional args in Batch module for Group/Indicator objects to kwargs. This will allow easier updates for new values in the future.

  • Updated the decode arg on the read Binary/BinaryArray methods to be False by default. When set to True, the read() method cannot be used in some use cases.

  • Updated the Group and Indicator object in the Batch module to only produce random and unique xids when an xid is not provided. These objects will no longer produce a unique and reproducible xid.

  • Added new App templates and updated templates with new files and content

  • Added tcex_args module to include all args related methods from the tcex module

  • Updated request() method to include proxy settings

  • Updated tcprofile to include an epilog with command instructions on environment setup (> tcprofile -h)

  • Updated tcprofile to split the args section to support “default” args and “app” args

  • Updated tcinit to support templates instead of types

  • Updated tcinit to include an epilog with template definitions (> tcinit -h)

  • Updated tcinit to download additional files required for building Apps

  • Updated tcrun to support update args schema in profiles

  • Removed module

  • Removed tcex.request_external() method

  • Removed tcex.authorization() method

  • Removed tcex.authorization_hmac() method

  • Removed tcex._authorization_token_renew() method

  • Updated all code to standard formatting and structure

  • Updated and restructured Documents



  • Added decorator to provide common methods for Playbook Apps.

  • Added logic to tcpackage to do basic syntax validation of .py and .json files

  • Added add_output() and write_output() methods to provide an alternative way to write Playbook output data

  • Added access to resolved args

  • Updated tclib logic for lib_latest symbolic link


  • Updated tcinit to include migration as an action to help convert non-App Builder compliant Apps

  • Updated Utils module for additional method to determine local timezone

  • Updated Utils module to output correct total_weeks value


  • Updated tcinit command CLI option --upgrade to download additional files

  • Updated tcrun command to use dockerImage parameter from install.json or profile

  • Updated tcrun command to support new autoclear value in profile

  • Updated tclib to create a symbolic link to the latest Python lib directory

  • Updated tcpackage command to add commitHash value to install.json

  • Updated tcex module to log commitHash value

  • Updated the .gitignore file for App templates


  • Fixed GH issue #(60)

  • Updated App templates. Added tc_action logic to handle launching action methods in the App class

  • Added --docker flag to tcrun command to launch App in docker container


  • Updated Batch module to handle Attribute values of False

  • Added read_array method to Playbook module

  • Updated App templates to include start and done methods

  • Update tcprofile to create the tcex.d directory automatically


  • Removed __slots__ on Batch module due to issues with Python 2

  • Updated tcinit and corresponding App templates


  • Added PDF method to Resource module for supported Group types

  • Added task_id method for Task class

  • Added date_added property to Indicator and Groups objects

  • Added last_modified property to Indicator objects

  • Updated tcrun for handling Binary/BinaryArray validation


  • Fixed deletion in Batch module for TC instances < 5.7


  • Removed app.lock logic

  • Updated file_content logic for Documents and Reports

  • Added add_file() method for batch Group objects

  • Added playbook_triggers_enabled parameter to Batch module (requires ThreatConnect 5.7)


  • Made minor change to batch poll

  • Updated Batch module close() method to check for xids-saved file existence before deletion


  • Added app.lock file to temp directory to ensure single execution


  • Removed debugging flag from Batch module and replaced with logic to control debug externally

  • Updated batch-poll method logic to poll more frequently

  • Update Resource module to allow the addition of a body when reading from the datastore


  • Added signal handler to tcex to gracefully handle interrupts

  • Added new tcinit command to download files required for a new App or update files in an existing App

  • Updated batch-poll method to automatically calculate poll interval. REMOVED interval-method parameter

  • Updated Batch module to raise error on batch-status poll timeout

  • Updated to version 1.0.2

  • Moved and added supporting file to app_init directory


  • Added close() method to allow cleanup of temp files when batch job is done

  • Added global overrides for halt_on_error in Batch module

  • Fixed issue with token renewal not failing properly on error

  • Updated logging method to ensure all messages are logged to file

  • Updated logging method to skip API logging during token renewal

  • Changed tcrun to not use shell on Windows systems


  • Updated Batch module to use Submit Job/Submit Data for deletes

  • Replaced tcex_develop arg with branch arg for tclib command

  • Added generate_xid() method to help generate a unique and/or reproducible xid

  • Added default value for Email score in Batch module


  • Added active property to Indicator type objects

  • Updated save() method be best effort

  • Updated submit_file() to handle None value being returned

  • Updated attribute() methods to handle unique values when using a formatter

  • Fixed issue with –unmask arg not working on tcrun command


  • Merged AOT feature in prep for 5.7

  • Added install_json() method to load install.json, which is used in the injection method to determine the structure on the param values

  • Added save() method to save batch data to disk to reduce memory usage of the App

  • Updated the logic in default_args() method to handle both injecting secureParams and AOT params depending, on selected feature.

  • Updated inject_params() method to be public and generic and to allow params to be injected manually

  • Updated tcex_redis module to support additional Redis methods required for AOT

  • Updated read_binary() and read_binary_array() methods to support b64decode and decode params

  • Updated Report() module to make the Report file name optional for updates in 5.7

  • Updated examples in Documents

  • Fixed validation issues in tcrun


  • Updated submit_create_and_upload method to clear raw list after submission

  • Rewrote results_tc method to handle updates to key/value pairs

  • Updated tcrun to automatically create required directories

  • Updated tclib to support building tcex develop version with –tcex_develop CLI flag


  • Rewrote tcrun and tcprofile commands

  • Removed tcdata commands

  • Changed logging of unsupported args to only show when App retrieves args

  • Changed read_binary_array method to decode Redis data automatically


  • Updated exit() methods to treat exit code of 3 as non-failure

  • Updated v2 Batch createAndUpload


  • Updated secure params injection to handle pipe-delimited multiple-choice values


  • Fixed issue with API logging not working when secure params are enabled

  • Fixed issue with API logging timestamp precision


  • Updated tcdata for Playbook variable creation during staging testing data

  • Updated tcex logging for level and removal of stream logger once API logger is initialized


  • Updated tcdata to handle binary array

  • Updated tclib command to support environment variables in tcex.json file

  • Added initial functionality for v2 Batch create and upload


  • Updated regex for Playbook variables


  • Updated Tcdata module for local testing

  • Updated Batch v2 API


  • Updated secureParams loading order

  • Updated tcex_logger module

  • Updated tcex module to only import modules when required

  • Moved inflect() to the Utils module

  • Updated documents for Metrics, Notifications, and Batch


  • Added tcex.session to provide access to the ThreatConnect API using Requests’ native interface

  • Added tcex_batch_v2 module to replace the Jobs module starting in ThreatConnect 5.6

  • Added msg to exit() methods

  • Changed exit_code() method to a property with a setter

  • Changed request() property to a method

  • Updated multiple methods to use tcex_session instead of tcex_request

  • Renamed Logger module to be consistent with other modules

  • Removed second arg from expand_indicators() method

  • Removed owner parameter from Datastore module

  • Added deprecation warning for the following methods: bulk_enabled(), job(), request_tc(), epoch_seconds(), and to_string(). These methods will be removed in version 0.9.0.

  • Cleaned up code, comments, and documentation

  • Added error code/message for all RuntimeError exceptions



  • Fixed issue with newstr when using quote() method in safe_indicator()


  • Updated logging to log App name and other data

  • Added Notifications module for ThreatConnect 5.6+


  • Updated secure params injection to treat string value of True as Boolean/flag

  • Updated secure params to handle unicode values in py2

  • Updated Jobs module to use batch settings from args on init and to allow programmatic override of batch settings

  • Updated token renewal to handle issue with newstr


  • Updated Jobs module to not call safetag method when using Resource module

  • Updated Intrusion Set class in Resource module

  • Updated Group list to include new Group types

  • Added upload() and download() methods to Report class in resource module.

  • Added Task as a group type.

  • Added new secure params feature


  • Updated Utils module for handling naive datetime in py2

  • Added to_bool() method back to Utils module


  • Updated utils datetime methods to not require a timezone

  • Updated Tag class to urlencode tag value so slashes are supported

  • Updated safetag method to strip ^ from tag values

  • Changed modules dependency to use latest version instead of restricting to current version

  • Added Event, Intrusion Set, and Report Group types in preparation for TC > 5.6.0

  • Added metrics module to create and add metrics to ThreatConnect.

  • Added deleted endpoint for Indicators.


  • Updated Jobs module to delete by name when using replace for Groups

  • Updated token renewal to log more information on failure

  • Updated Playbooks read-binary array to better handle null values


  • Updated file Indicator class for proper handling of Attributes, Tags, and Labels

  • Updated expand_indicators() method to use a new regex to handle more formats for file hashes and custom Indicators


  • Fixed issue with embedded variable matching during exact variable check


  • Updated Resource for py2 unicode issue in ipAddress module


  • Updated Resource module to automatically handle files hashes in format “md5 : sha1 : sha256”

  • Updated Resource module to reformat ipv6 addresses to same format as TC


  • Updated template with better logic to detect Python lib directory version

  • Updated regex patterns for variable matching in Playbook module

  • Updated Playbook module function in handling variables


  • Updated read_embedded() method to better support embedded variables

  • Added –report arg to tcrun to output a JSON Report of profiles and run data

  • Added new JSON string comparison operator (jc/json compare) to tcdata to compare two JSON strings (requires DeepDiff to be installed locally)


  • Added KeyValueArray operator to tcdata, which allows searching for a single key/value entry in array

  • Updated functionality to replace non-quoted embedded variable to handle duplicate variables in KeyValueArray


  • Added new string comparison operator (sc) to tcdata that strips all white space before eq comparison

  • Added new functionality to TcExPlaybook to replace non-quoted embedded variables in Read KeyValueArrays

  • Updated Create KeyValue/KeyValueArray methods to not JSON load when passed a string

  • Added any_to_datetime() method to return datetime.datetime object

  • Added timedelta() method to return delta object from two provided datetime expressions


  • Fixed issue with _newstr_ and dynamic-class generation


  • Updated all TcEx framework command-line interface (CLI) commands to use utf-8 encoding by default

  • Replaced usage of unicode with built-in str (Python 2/3 compatible

  • Replaced usage of long with built-in int (Python 2/3 compatible)

  • Update usage of urllib.quote to be Python 2/3 compatible


  • Updated association_custom() to handle boolean values that are passed as strings

  • Updated _resource() method to handle boolean returned as strings from the API

  • Updated tcdata to properly delete Indicators when using --clear arg

  • Update the Log module to use tcex instead of tcapp


  • Added TcExUtils module with date functions to handle common date-use cases

  • Added DeepDiff functionality to tcdata for validating unsorted dictionaries and list

  • Updated tcdata to pull item from lists by index for easier comparison

  • Updated read() method to allow disabling of automatically resolving embedded variables

  • Updated association_custom() method to support file actions

  • Updated file_action() method as alias to association_custom()


  • Updated tcdata command for issue on sorting list in Python 3

  • Added update for tcex.json file to allow the App version to be specified instead of using programVersion from install.json


  • Added stub support for associatedGroup in Batch Indicator JSON

  • Updated the TcEx Job module to better handle Document uploads in Python 3

  • Updated TcEx Resource module to support query parameter list in the add_payload() method

  • Updated TcEx Request module to support query parameter list in the add_payload() method

  • Updated tclib to remove the old lib directory before creating the lib directory


  • Updated the TcEx framework to only build custom Indicator classes when working with custom Indicators

  • Updated TcEx Jobs module Group add logic to fix issue with skipping existing Groups

  • Updated TcEx Jobs module to handle associatedGroup passed as string or int when using /v2


Breaking change to any App that uses the Direct Access method with a Custom Indicator type.



  • Fixed issue in tcdata when validating that data is not string type

  • Updated tcprofile to set type check to binary on binary data


  • Updated Playbook create_binary and create_binary array for to better support py3.

  • Updated tcdata to support Security Labels in staged data

  • Updated tcdata to support adding associations

  • Updated tcdata to support variable reference #App:4768:tc.address!TCEntity::value during validation


  • Updated tcdata to validate string as string_types for “is type” check using six modules

  • Added fix for code font not matching line numbers in the documents


  • Added CustomMetric module to Resource module

  • Renamed _args variable in to default_args

  • Renamed _parser variable in to parser

  • Cleaned up code (removed any Python 2.5-specific code)



  • Replaced use of str() in TcEx Playbook module

  • Updated tcrun to pass data_owner for each action on tcdata

  • Updated tcdata to stage TC data via /v2 instead of batch

  • Updated tcdata write entity out as variable


  • Updated tcprofile to support new parameters

  • Updated tcdata to properly handle older tcex.json files

  • Updated read_embedded() method to handle unicode error

  • Added additional logging to TcEx Job for logging API response


  • Added job() association feature to handle Group-> Indicator and Group-> Group associations

  • Added safe_group_name() method to ensure Group meets the required length

  • Added tcdata initial feature to stage Groups and Indicators in ThreatConnect

  • Updated tcrun to use new parameter for logging

  • Updated job() to support upload of file to Document Group


  • Updated token renewal URL

  • Updated tcprofile to include api_default_org, tc_proxy_external, tc_proxy_host, tc_proxy_port, tcp_proxy_password, tc_proxy_tc, tc_proxy_username

  • Updated tcprofile changing tc_playbook_db_path and tc_playbook_db_port parameters to environment variables by default

  • Updated tcprofile changing logging to tc_log_level

  • Updated tclib to check for requirements.txt


  • Updated tcex.playbook, tcrun, and tcdata to support deleting data from Redis from previous runs


  • Updated tcrun to handle issue where install_json is not defined in the tcex.json file so that script name was improperly being set


  • Updated create_output() method to fix issue when using output variables of the same name and different type


  • Updated tcrun to not check for the program main file for Java Apps


  • Updated tcrun to support running Java Apps

  • Added support for install_json profile parameter to tcex.json. This should be included in all tcex.json files going forward.

  • Added support for java_path config parameter to tcex.json for custom Java path. Default behavior is to use the default version of Java from user path.

  • Added support for class_path profile parameter to tcex.json for custom Java paths. By default, ./target/ will be used as the class_pass value.

  • Updated tcpackage to grab minor version from programVersion in install.json. If no programVersion is found, the default version of an App is 1.0.0.

  • Cleaned up PEP8


  • Updated json() method to use proper entity value

  • Updated tcprofile to use default env values for API credentials

  • Added Groups parameter to tcex.json so that a profile can be part of multiple Groups


  • Added additional exclude values for IDE directories

  • Added app_name parameter to tcex.json for App built on system where App directory is not the App name

  • Updated tcpackage to use new app_name, if it exists, and to default back to App directory name

  • Updated tcprofile to only output Redis variable for Playbook Apps

  • Updated tclib to have default config value for instance where there is not tcex.json file


  • Update Building Apps section of the documentation

  • Updated required module versions (requests, python-dateutil, and Redis)

  • Fixed issue with sleep parameter being ignored in tcrun.

  • Updated tclib to automatically read tcex.json

  • Updated tcpackage to output Apps zip files with .tcx extension


  • Added support for binary data type in tcdata for staging


  • Added platform for docker support


  • Added platform check for subprocess calls

  • Added additional error logging for tcrun command


  • Added better support for build and test commands on Windows platform


  • Removed pip as a dependency


  • Updated tcdata to support multiple operators for validation

  • Added tcprofile command to automatically build testing profiles from install.json

  • Updated tcrun to create log, out, and temp directories for testing output

  • Updated tcpackage to exclude .pyc files and __pycache__ directory


  • Updated tcpackage to append version number to zip file

  • Added a bundle_name parameter to tcex.json file for systems where the directory name does not represent the App name


  • Updated tcdata for issue with bytes string in Python 3


  • Added new tcdata, tclib, tcpackage, and tcrun commands for App testing and packaging (The will be deprecated in the future.)

  • Updated for new lib directory structure created with pip (replaced easy_install)

  • Changed method so that Apps are now built with requirements.txt instead of


  • Updated association_custom() method to support DELETE/POST methods

  • Added _association_types() method to load Custom Association types from API

  • Added indicator_types_data property with full Indicator Type data

  • Added indicator_associations_types_data property with full Indicator Association Type data


  • Update playbookdb variable name

  • Updated template for proper exit code


  • Added support for output variable of the same name, but different types

  • Added support for new TCKeyValueAPI DB types in Playbook Apps. This is a seamless change to the Apps.

  • Updated authorization() method to return properly formatted header when no token_expires is provided

  • Added automatic authorization to request_tc() method

  • Updated documentation for Request module



  • Changed proxy variable to proxies in request_external() method

  • Changed proxy variable to proxies in request_tc() method

  • Added assignees() method for Tasks

  • Added escalatees() method for Tasks

  • Added 201 as valid status code for Task


  • Added victims() method to Resource module

  • Added victim_assets() method to Resource module

  • Added observations() methods to Resource module

  • Added observation_count() methods to Resource module

  • Added observed() methods to Resource module

  • Changed private _copy() method to public copy() in the Resource module

  • Updated occurrence() method Indicator parameter to be optional

  • Added resolution() methods to Resource module to retrieve DNS resolutions on Host Indicators


  • Added download() method to download Signature data

  • Added urlencoding to proxy user and password


  • Added job() method to allow multiple jobs to run in an App

  • Update s() method to fix issues in Python 3


  • Updated create_binary_array() method to properly handle binary array data

  • Updated read_binary_array() method to properly handle binary array data


  • Updated indicator_body() to support missing hashes

  • Added false_positive() endpoint for Indicators

  • Merged pull requests for better native Python 3 support

  • Added Campaign to Group types

  • Increased request timeout to 300 second.


  • Updated read_embedded() method logic for null values and better support of mixed values


  • Updated TcEx Job module for file hashes updates using v2/indicators/files


  • Updated TcExJob module for file hashes updates using v2/indicators/files


  • Updated read_embedded() method to support different formatting dependent on the parent variable type

  • Updated Resource module to address issue in which copying the instance causes errors with request instance in Python 3

  • Updated T**cExLocal** run() method to better format error output


  • Added add_payload() method to DataStore class

  • Fixed issue with TcExJob module in which batch Indicator POST with chunking would fail after first chunk

  • Added safe_indicator() method to urlencode and cleaned up Indicator before associations, etc.

  • Updated expand_indicators() method to use a regex instead of split for better support of custom Indicators

  • Updated _process_indicators_v2 to better handle custom Indicator types

  • Updated read_embedded() method to strip off double quote from JSON string on mixed types and to decode escaped strings

  • Updated Resource module so that all Indicator are URL encoded before adding to the URI

  • Updated Indicator_body() method to only include items in the JSON body if not None.

  • Updated indicators() method to handle extra white spaces on the boundary

  • Added additional standard args of api_default_org and tc_in_path


  • Updated Resource module. All _pivot() and associations() methods now take an instance of Resource and return a copy of the current Resource instance. Other methods such as security_label() and tags() now return a copy of the current Resource instance.

  • Added Tag Resource class

  • Added resource() method to get instance of Resource instance

  • Added Datastore Resource class to the Resource module

  • Updated TcExJob module for changes in the Resource module



  • Added logic around retrieving Batch errors to handle 404

  • Added new exit() method for Playbook Apps (exit code of 3 to 1 for partial success)


  • Added group_results and indicator_results properties to TcEx Job module

  • Added request_external() and request_tc() methods

  • Updated read_embedded() method with a better regex for matching variables

  • Updated TcExPlaybook() module with better error handling with JSON loads

  • Updated TcExLocal run() method to sleep after subprocess executes the first time


  • Updated TcEx Job module to allow Indicators to be added via /v2/indicators/<type>

  • Updated structure for Attributes/Tags on Groups to use singular version (Attribute/Tag) in Jobs modules to match format used for Indicators

  • Added custom case_preference and parsable properties to Resource module

  • Added logic to cleanup temporary JSON bulk file. When logging is debug, a compressed copy of the file will remain.


  • Fixed issue in tcex_resources module with pagination stopping before all results are retrieved


  • Added s() method to replace the to_string() method (handle bad unicode in Python 2 and still support Python 3)

  • Updated read_embedded() method to better handle embedded vars


  • Added indicators() method to allow iteration over Indicator values in Indicator response JSON


  • Updated set_basic_auth() method to use proper unicode method

  • Updated tcex_playbook create and read methods to warn when None value is passed


  • Added json() method that accepts a dictionary and automatically sets content-type and body

  • Updated safeurl() and safetag() to use to_string()

  • Update set_basic_auth() for Python 2/3 compatibility



  • Updated add_payload() method to not force the value to string

  • Updated files() method

  • Added set_basic_auth() method for instance where normal method does not work


  • Added files() property to tcex_request module


  • Fixed issue with boolean parameters having an extra space at the end


  • Updated _parameters() method to build a list for subprocess.popen instead of a string

  • Updated install.json schema to support note field


  • Removed hiredis as a dependency

  • Added hvac as a dependency for vault-credential storage

  • Added ability to use vault as a credential store for local testing

  • Fixed args wrapper for Windows (’ to “)


  • Added sleep option for test profiles that take time to complete


  • Updated tcex_local module to change tc.json profiles to list instead of dictionary to maintain order of profiles

  • Added feature to tcex_local to read environment variables for value in tc.json (e.g., $evn.my_api_key)


  • Handled None type returned by Redis module


  • Added to_string() method to replace old uni() method (handled Python 2/3 encoding for Apps)


  • Updated string/unicode/bytes issue between Python 2 and 3


  • Updated tcex_local module for Python 2/3 support

  • Updated binary methods in tcex_playbook module for Python 2/3 support


  • Reworked tcex_local run() logic to support updated tc.json schema

  • Changed –test arg to –profile in _required_arguments()

  • Added script field to tc.json that matches –script arg to support predefined script names

  • Added Group field to tc.json that matches –group arg in _required_arguments() to support running multiple profiles

  • Added inflect requirement to version 0.2.5

  • Changed python-dateutil requirement to version 2.6.10

  • Changed requests requirement to version 2.13.0



  • Added accepted status code of 201 for Custom Indicator POST on dynamic class creation


  • Added entity_body() method to tcex_resources for generating Indicator body

  • Added indicator_body() method to tcex_resources for generating Indicator body


  • Fixed issue with Job group_cache() method


  • Updated TcExJob module to use new pagination functionality in tcex_resources module

  • Updated and labeled paginate() method as deprecated


  • Updated tcex_local for additional parameter support during build process


  • Updated tcex_local for exit code when is called (maven build issue)

  • Added new log event for proxy settings


  • Reworked iterator logic in tcex_resources module



  • Updated documentation

  • Changed tcex_resources to allow iteration over the instance to retrieve paginated results

  • Updated support-persistent args when running App locally

  • Updated Playbook module for Python 3

  • Added logging of platform for debugging purposes

  • Updated Pep 8


  • Updated file_occurrence() in the TcEx Job module

  • Added tcex_data_filter module access via tcex.data_filter(data)

  • Added epoch_seconds() method to return epoch seconds with optional delta period

  • Added python-dateutil==2.4.2 as a Python dependency


  • Added paginate() method to tcex_resources module

  • Updated group_cache() module to use paginate() method


  • Updated TcExJob module for tcex_resources modules renamed methods and changes


  • Changed logging level logic to use logging over tc_logging_level, if it exists

  • Added App version logging attempt


  • Updated _resources() method to handle TC version without custom Indicators

  • Updated logging to better debug API request failures

  • Updated package command to create lib directory with Python version (e.g., lib_3.6.0)

  • Updated logging the Logging Level, Python, and TcEx versions for additional debugging


  • Updated open call for bytes issue on Python 3


  • Updated to for Python 3 support


  • Updated Campaign Resource type Class

  • Added building_apps section to documentation


  • Added Campaign() Class

  • Updated documentation


  • Updated for build


  • Initial Public Release