Playbooks Glossary

Last Updated: May 03, 2018 05:31PM EDT

A

Add to QRadar - This app adds Indicators to an IBM QRadar Reference Set.
Analyze File with ReversingLabs - The ReversingLabs API lets you submit a supported file type for analysis. Use this app to automate the submission of new malware files to ReversingLabs.
Analyze URL with LastLine - This app sends a URL to LastLine for analysis.

 

B

Binary to String - This app detects and extracts metadata and text from over a thousand different file types (such as PPT, XLS, and PDF). All of these file types can be parsed to text, making it useful for regex parsing, content analysis, translation, and much more.
Block with Cisco Umbrella - This app blocks Indicators with Cisco Umbrella.

 

C

Compress File - This app produces a compressed file with the given filename, contents, algorithm (zip, tar, or targz), and, optionally, a password.
Convert JSON<>XML - This app converts between JSON and XML strings.
Copy ThreatConnect Group - This app copies a Group to one or more other Organizations, with options to include Tags and Attributes.
Create Association - This app creates Indicator-to-Group or Group-to-disparate-Group Associations.
Create Custom Indicator Association - This app creates custom Indicator Associations.
Create IBM Resilient Artifact - This app creates an Artifact in IBM Resilient.
Create IBM Resilient Attachment - This app creates an Attachment in IBM Resilient.
Create IBM Resilient Incident - This app creates an Incident in IBM Resilient. It allows for a custom key–value mapping that enables the Playbook designer to use any fields (including custom) in Resilient.
Create IBM Resilient Note - This app creates a Note in IBM Resilient.
Create JIRA Issue - This app creates a JIRA Issue with optional fields pre-populated. All user-supplied values must already exist in JIRA.
Create ServiceNow Record - This app creates a ServiceNow Record with optional fields pre-populated.
Create ThreatConnect Address - This app creates an Address Indicator in ThreatConnect.
Create ThreatConnect Adversary - This app creates an Adversary Group in ThreatConnect.
Create ThreatConnect ASN - This app creates an ASN Indicator in ThreatConnect.
Create ThreatConnect Attribute - This app creates a ThreatConnect Attribute on an Indicator or Group with pre-defined fields.
Create ThreatConnect Campaign - This app creates a Campaign Group in ThreatConnect.
Create ThreatConnect CIDR - This app creates a CIDR Indicator in ThreatConnect.
Create ThreatConnect Document - This app creates a Document Group in ThreatConnect.
Create ThreatConnect Email - This app creates an E-mail Group in ThreatConnect.
Create ThreatConnect EmailAddress - This app creates an E-mail Address Indicator in ThreatConnect.
Create ThreatConnect File - This app creates a File Indicator in ThreatConnect.
Create ThreatConnect Group - This app creates a ThreatConnect Group with optional pre-defined fields.
Create ThreatConnect Host - This app creates a Host Indicator in ThreatConnect.
Create ThreatConnect Incident - This app creates an Incident Group in ThreatConnect.
Create ThreatConnect Indicator - This app creates a ThreatConnect Indicator with optional pre-defined fields.
Create ThreatConnect Mutex - This app creates a Mutex Indicator in ThreatConnect.
Create ThreatConnect Registry Key - This app creates a Registry Key Indicator in ThreatConnect.
Create ThreatConnect Signature - This app creates a Signature Group in ThreatConnect.
Create ThreatConnect Threat - This app creates a Threat Group in ThreatConnect.
Create ThreatConnect Tag - This app creates a ThreatConnect Tag with optional pre-defined fields.
Create ThreatConnect Task - This app creates a ThreatConnect Task with optional pre-defined fields.
Create ThreatConnect Url - This app creates a URL Indicator in ThreatConnect.
Create ThreatConnect User Agent - This app creates a User Agent Indicator in ThreatConnect.
Create ThreatConnect Victim - This app creates a Victim in ThreatConnect.
Create ThreatConnect Victim Asset Email - This app creates a Victim Asset Email in ThreatConnect.
Create ThreatConnect Victim Asset Network Account - This app creates a Victim Asset Network Account in ThreatConnect.
Create ThreatConnect Victim Asset Phone - This app creates a Victim Asset Phone in ThreatConnect.
Create ThreatConnect Victim Asset Social Network - This app creates a Victim Asset Social Network in ThreatConnect.
Create ThreatConnect Victim Asset Website - This app creates a Victim Asset Website in ThreatConnect.
CrowdStrike Falcon Host Delete - This app deletes the associated Indicator from CrowdStrike Falcon Host.
CSV Parser - This app parses each column of CSV input into string arrays. It can ignore header rows and use column names to select columns.

 

D

Data Store - This app can read, create, update, and delete data in the Data Store in the specified Store at the specified path. See the "Data Store" item in the ThreatConnect Glossary for more information.
Date Formatter - This app accepts a date string and outputs it in the given format with the given GMT offset.
Decode Base64 - This app decodes a base64-encoded HTTP basic auth string and outputs the entire decoded string, the username, and the password.
Decode URL - This app accepts a URL and decodes any escaped characters in it.
Delay - The Delay Operator lets the user specify an amount of time to wait before executing additional operations in the Playbook. It is useful when using a third-party service that the user knows may take several seconds or minutes to return a response.
Delete from IBM QRadar - This app deletes Indicators from an IBM QRadar Reference Set.
Delete from Tanium IOC Detect - This app deletes an Indicator from a specified Tanium IOC Detect Group.
Delete ThreatConnect Attribute - This app deletes an Attribute from a Group, Indicator, or Victim by using the ID or the Type and Value of the Attribute in ThreatConnect.
Delete ThreatConnect Group by Association - This app deletes all Groups of a given type that are associated with a given object.
Delete ThreatConnect Group by ID - This app deletes all Groups of a given type with the given ID of the Group in ThreatConnect.
Delete ThreatConnect Group by Name - This app deletes all Groups of a given type with the given name.
Delete ThreatConnect Group by Tag - This app deletes all Groups of a given type with the given Tag.
Delete ThreatConnect Victim by Association - This app deletes all Victims that are associated with a given object.
Delete ThreatConnect Victim by ID - This app deletes all Victims with the given ID in ThreatConnect.
Delete ThreatConnect Victim by Name - This app deletes all Victims with the given name.
Delete ThreatConnect Victim by Tag - This app deletes all Victims with the given Tag.
Deploy to CrowdStrike Falcon Host - This app deploys the associated Indicator to CrowdStrike Falcon Host.
Deploy to FireEye TAP - This app deploys Indicator(s) to FireEye TAP.
Deploy to HPE ArcSight ESM - This app deploys Indicators to HPE ArcSight ESM.
Deploy to IBM QRadar - This app adds Indicators to an IBM QRadar Reference Set.
Deploy to McAfee SIEM - This app deploys Indicators to McAfee ESM SIEM.
Deploy to PaloAlto Networks - This app deploys Indicators on Palo Alto Networks' NGFW or Panorama.
Deploy to Tanium IOC Detect - This app deploys Indicators to a group in Tanium's IOC Detect module in the form of OpenIOC objects.
Detonate file with LastLine - This app sends a file to LastLine for analysis.
Detonate File with Wildfire - This app submits a supported file type for Wildfire analysis. Use this app to automate the submission of new malware files. The app attempts to detect if a file is in ZIP format and automatically unzips it before sending it to the Wildfire API.
Detonate Link with Wildfire - This app submits a link for Wildfire analysis.
Detonate Url with Wildfire - This app submits a supported file type for Wildfire analysis. Use this app to automate the submission of URLs that point to a hosted file.
Detonate with Cisco Threat Grid - This app sends a file to Cisco AMP Threat Grid for analysis.
Detonate with VirusTotal - This app sends a file to VirusTotal for analysis.
Download ReversingLabs Sample - This app downloads a sample residing on A1000. If a sample is in the cloud, you will first need to upload it to the A1000 instance that you are using.

 

E

Encode Base64 - This app accepts a username and password and produces a base64-encoded value that can be used with HTTP basic authorization.
Encode Hash - This app produces MD5, SHA1, and SHA256 hashes of its input.
Encode HMAC256 - This app accepts a message and key and produces an HMAC256-encoded message.
Encode URL - This app encodes a URL to escape special characters.
Extract Metadata - This app extracts metadata from a file.
Extract OLE Streams - This app extracts OLE streams from a file.

 

F

Fail on Error - This app configuration parameter is a checkbox that determines whether an app will fail or continue upon error. If it is selected, the app will fail when an error is encountered. If it is not selected, the app will continue when an error is encountered.
Fill Array - This app fills an array of the specified length with the specified value.
Filter JSON Path - This app uses JsonPath expressions to query a JSON structure in the same way as an XPath expression is used to query an XML document.
Filter Regex - This app applies a regular expression to a String. The grouped results will be available as an output.
Find and Replace - This app runs a find-and-replace operation on the given input string. It can take regular expressions, and its search can be case sensitive.

 

G

Get Array Length - This app outputs the length of an array input.
Get Binary Hashes - This app calculates the hashes of one or more binary inputs.
Get Binary Size - This app outputs the size of binary inputs.
Get Cisco Threat Grid Report - This app gets a File Report from Cisco AMP Threat Grid.
Get Cisco Umbrella Investigate Enrichment - This app requests Cisco Umbrella Investigate to enrich the associated Indicator.
Get Custom Indicator Association - This app gets Custom Indicator Associations.
Get Domain Tools Enrichment - This app requests Domain Tools Enrichment for the associated Indicator.
Get IBM Resilient Artifact - This app gets an Artifact from IBM Resilient. The main use for this app is to retrieve binary files or other extra fields for certain Artifact types that may not be retrieved using Search IBM Resilient.
Get LastLine Report - This app gets a File Report from LastLine.
Get OpenDNS Investigate Enrichment - This app requests OpenDNS Investigate Enrichment for the associated Indicator.
Get Recorded Future Enrichment - This app gets enrichment data from Recorded Future Cyber API.
Get ReversingLabs Extracted Files - This app uses the TitaniumCore engine to get a list of all extracted files from a sample.
Get ReversingLabs Goodware - This app retrieves the Goodware data for a given hash.
Get ReversingLabs Summary Report - This app uses hash_value(s) to get a summary classification report and details for a sample or list of samples.
Get ReversingLabs TitaniumCloud File Reputation - This app gets TitaniumCloud File Reputation results for files stored on the A1000 instance. Please note that the file has to be on the A1000 instance. If it is not, you must first upload it and send it to the cloud.
Get ReversingLabs TitaniumCore Results - This app gets TitaniumCore analysis for a given sample hash value. The file has to be uploaded to the A1000 instance beforehand.
Get Strings - This app extracts string-type data from executable files for analysis.
Get ThreatConnect Address By Association - This app returns all ThreatConnect Address Indicators associated with the given object.
Get ThreatConnect Address By Tag - This app returns all ThreatConnect Address Indicators that have the given Tag.
Get ThreatConnect Address By Value - This app returns all ThreatConnect Address Indicators that have the given value.
Get ThreatConnect Adversary by Association - This app returns all Adversaries associated with the given object.
Get ThreatConnect Adversary by ID - This app returns all Adversaries that have the given ID.
Get ThreatConnect Adversary by Name - This app returns all Adversaries that have the given name.
Get ThreatConnect Adversary by Tag - This app returns all Adversaries that have the given Tag.
Get ThreatConnect ASN by Association - This app returns all ASNs associated with the given object.
Get ThreatConnect ASN by Tag - This app returns all ASNs that have the given Tag.
Get ThreatConnect ASN by Value - This app returns all ASNs that have the given value.
Get ThreatConnect Campaign by Association - This app returns all Campaigns associated with the given object.
Get ThreatConnect Campaign by ID - This app returns all Campaigns that have the given ID.
Get ThreatConnect Campaign by Name - This app returns all Campaigns that have the given name.
Get ThreatConnect Campaign by Tag - This app returns all Campaigns that have the given Tag.
Get ThreatConnect CIDR by Association - This app returns all CIDRs associated with the given object.
Get ThreatConnect CIDR by Tag - This app returns all CIDRs that have the given Tag.
Get ThreatConnect CIDR by Value - This app returns all CIDRs that have the given value.
Get ThreatConnect Document - This app downloads the file attached to a Document.
Get ThreatConnect Document by Association - This app returns all Documents associated with the given object.
Get ThreatConnect Document by ID - This app returns all Documents that have the given ID.
Get ThreatConnect Document by Name - This app returns all Documents that have the given name.
Get ThreatConnect Document by Tag - This app returns all Documents that have the given Tag.
Get ThreatConnect Email by Association - This app returns all Emails associated with the given object.
Get ThreatConnect Email by ID - This app returns all Emails that have the given ID.
Get ThreatConnect Email by Name - This app returns all Emails that have the given name.
Get ThreatConnect Email by Tag - This app returns all Emails that have the given Tag.
Get ThreatConnect Email Address by Association - This app returns all Email Addresses associated with the given object.
Get ThreatConnect Email Address by Tag - This app returns all Email Addresses that have the given Tag.
Get ThreatConnect Email Address by Value - This app returns all Email Addresses that have the given value.
Get ThreatConnect File by Association - This app returns all Files associated with the given object.
Get ThreatConnect File by Tag - This app returns all Files that have the given Tag.
Get ThreatConnect File by Value - This app returns all Files that have the given value.
Get ThreatConnect Group - This app retrieves a ThreatConnect Group based on a Name or Tag.
Get ThreatConnect Group by Group Association - This app retrieves a ThreatConnect Group based on an associated Group.
Get ThreatConnect Group by Indicator Association - This app retrieves a ThreatConnect Group based on an associated Indicator.
Get ThreatConnect Host by Association - This app returns all Hosts associated with the given object.
Get ThreatConnect Host by Tag - This app returns all Hosts that have the given Tag.
Get ThreatConnect Host by Value - This app returns all Hosts that have the given value.
Get ThreatConnect Incident by Association - This app returns all Incidents associated with the given object.
Get ThreatConnect Incident by ID - This app returns all Incidents that have the given ID.
Get ThreatConnect Incident by Name - This app returns all Incidents that have the given name.
Get ThreatConnect Incident by Tag - This app returns all Incidents that have the given Tag.
Get ThreatConnect Indicator - This app retrieves a ThreatConnect Indicator based on a Name or Tag.
Get ThreatConnect Indicator by Association - This app returns all Indicators associated with the given object.
Get ThreatConnect Indicator by Tag - This app returns all Indicators that have the given Tag.
Get ThreatConnect Indicator by Value - This app returns all Indicators that have the given value.
Get ThreatConnect Indicator by Group Association - This app retrieves a ThreatConnect Indicator based on an associated Group.
Get ThreatConnect Indicator by Indicator Association - This app retrieves a ThreatConnect Indicator based on an associated Indicator.
Get ThreatConnect Indicator CSV - This app retrieves a customized ThreatConnect CSV.
Get ThreatConnect Mutex by Association - This app returns all Mutexes associated with the given object.
Get ThreatConnect Mutex by Tag - This app returns all Mutexes that have the given Tag.
Get ThreatConnect Mutex by Value - This app returns all Mutexes that have the given value.
Get ThreatConnect Registry Key by Association - This app returns all Registry Keys associated with the given object.
Get ThreatConnect Registry Key by Tag - This app returns all Registry Keys that have the given Tag.
Get ThreatConnect Registry Key by Value - This app returns all Registry Keys that have the given value.
Get ThreatConnect Signature by Association - This app returns all Signatures associated with the given object.
Get ThreatConnect Signature by ID - This app returns all Signatures that have the given ID.
Get ThreatConnect Signature by Name - This app returns all Signatures that have the given name.
Get ThreatConnect Signature by Tag - This app returns all Signatures that have the given Tag.
Get ThreatConnect Task - This app retrieves a ThreatConnect Task based on a Name or Tag.
Get ThreatConnect Threat by Association - This app returns all Threats associated with the given object.
Get ThreatConnect Threat by ID - This app returns all Threats that have the given ID.
Get ThreatConnect Threat by Name - This app returns all Threats that have the given name.
Get ThreatConnect Threat by Tag - This app returns all Threats that have the given Tag.
Get ThreatConnect URL by Association - This app returns all URLs associated with the given object.
Get ThreatConnect URL by Tag - This app returns all URLs that have the given Tag.
Get ThreatConnect URL by Value - This app returns all URLs that have the given value.
Get ThreatConnect User Agent by Association - This app returns all User Agents associated with the given object.
Get ThreatConnect User Agent by Tag - This app returns all User Agents that have the given Tag.
Get ThreatConnect User Agent by Value - This app returns all User Agents that have the given value.
Get ThreatConnect Victim - This app retrieves a ThreatConnect Victim based on a Name or Tag.
Get ThreatConnect Victim by Association - This app returns all Victims associated with the given object.
Get ThreatConnect Victim by ID - This app returns all Victims that have the given ID.
Get ThreatConnect Victim by Name - This app returns all Victims that have the given name.
Get ThreatConnect Victim by Tag - This app returns all Victims that have the given Tag.
Get VirusTotal Behavior Report - This app gets File Behavior Report results from VirusTotal.
Get VirusTotal File Report - This app gets File Report results from VirusTotal.
Get Wildfire Pcap - This app requests a packet capture (PCAP) recorded during analysis of a particular sample. Use either the MD5 or SHA-256 hash of the sample file as a search query. You can optionally specify the platform of the desired PCAP to indicate which PCAP should be returned. PCAPs are available 90 days from the date of analysis for samples that have a malware Wildfire verdict.
Get Wildfire Report - This app gets a WildFire Analysis report for a specified sample hash value.
Get Wildfire Sample - This app downloads sample files based on the MD5 or SHA-256 hash value. Malware and grayware files are available indefinitely to download, while benign files are not available to download.
Get Wildfire Verdict - This app gets a verdict for a sample based on the MD5 or SHA-256 hash.

 

H

HTTP Client - This app connects to an external HTTP-based client using standard HTTP methods, customized headers, and URLs. It supports proxy authentication, allowing support for the System Settings for proxy user and password credentials.
HttpLink Trigger - The HttpLink Trigger creates an HTTP endpoint that can process nearly any piece of information that can be sent via HTTP. This functionality can be useful for building integrations and getting disparate systems to interact via Playbooks. For example, a SIEM can post a series of Indicators to the URL provided by the HttpLink Trigger, the Playbook can enrich the Indicators with additional context, and then the context can be sent back to the same URL.

 

I

If / Else - The If/Else Operator compares two variables in order to perform logical operations on the data. It can be used to determine whether an Indicator's threat rating is over a certain threshold, to see if a string of text exists in information returned by an integration, etc.

 

J

Join Array - This app accepts a String Array input and produces a single String joined by the given value.
Json Path - This app uses JsonPath expressions to query a JSON structure in the same way as an XPath expression is used to query an XML document.

 

L

LDAP Actions - LDAP is a commonly used directory access protocol. This app allows intelligence gathered in ThreatConnect to be acted upon with specific individuals, files, or devices on a network.
Logger - This app writes output to the Playbook log.

 

M

Mailbox - The Mailbox Trigger lets users create a mailbox to send information to a Playbook. This functionality will fire whenever an email is received in the inbox the user creates. It can be used to parse Indicators from an email, send an attachment to a malware analysis tool, or coordinate communication across teams, among other things.
Merge - The Merge Operator allows Playbooks to guarantee an outcome in cases of path failures. For instance, an HTTP Client request might fail, but the Playbook Designer may still want to continue a path regardless of success or failure. In general, the Merge Operator should be used with the Set Variable app to define a failure path. Once both failure and success have been defined, the Merge Operator can be used to continue the Playbook branch.
MultipleIndicator Trigger - The MultipleIndicator Trigger enables users to select more than one Indicator type for a single Trigger so that any of the selected Indicator types will cause the Trigger to initiate the Playbook actions. The Indicator type that actually caused the Trigger to initiate is provided as one of the output variables (#trg.tc.type).

 

P

Parse EML - This app parses email attachments in .eml format. It is used primarily with the Mailbox Trigger to convert attachments into email messages.
PDF Extractor - This app extracts embedded documents, links, and metadata from PDF files.
PE Info - This app extracts information from Portable Executable (PE) files.

 

R

Regex Extract - This app applies a regular expression to a String. The grouped results will be available as an output.
Remove from FireEye TAP - This app removes Indicator(s) from FireEye TAP.
Report False Positive - This app increments the false-positive count for each Indicator passed to the app.
Report File Occurrence - This app adds one or more new occurrence records for an existing File Indicator.
Report Observation - This app increments the observation count for each Indicator passed to the app. The given value is added to the current count. The default value is 1.
RSS Parser - This app parses an XML document from an RSS feed to extract titles, links, descriptions, published dates, and authors.

 

S

Search IBM Resilient - This app gets Incidents that match a search query or specific Incidents by ID. Associated Artifacts are also returned and can be leveraged from this app.
Send Email - This app sends a customizable message via email.
Send Slack Message - This app sends a customizable message via Slack.
Set Variable - This app assigns its input to a variable that can be used by other apps.
Split String - This app splits a String into a String Array on the given separator.
SSH Client - This app allows execution of commands on a remote server using Secure Shell (SSH). With this app, users can execute a program, list processes, reboot a system, log off a user, block an IP, and perform other shell commands. Note: Some commands may require root privileges.
STIX Parser - This app accepts a STIX XML file as input, parses the file for Groups and Indicators, and adds them into the configured ThreatConnect source.

 

T

ThreatConnect API - This app enables direct use of the ThreatConnect API by allowing users to define a path, method, and optional JSON body to post data. Users can perform any API action, with authentication automatically handled by the app. For more details on the ThreatConnect API, see https://docs.threatconnect.com/en/latest/rest_api/rest_api.html.
Timer - The Timer Trigger allows users to trigger a Playbook on a set schedule (e.g., once a day; on the 15th of the month). It is useful for replicating the existing “jobs” functionality.

 

U

Unblock with Cisco Umbrella - This app unblocks Indicators with Cisco Umbrella.
Uncompress File - This app uncompresses a zip, tar, or targz file and produces its contents in binary and string form.
Upload a file to a Document - This app uploads a file to a Document object.
User Action - The UserAction Trigger allows users to run Playbooks on demand from the Details page of Indicators, Groups, Tracks, or Victims. This Trigger is similar to the HttpLink Trigger, except that it is contextually aware and user driven, and it allows a customized response (HTTP or Plain Text).

 

V

Value Lookup - This app selects values from a key/value array and exposes them as output variables.

 

X

XPath Parser - This app extracts data from an XML or HTML document and maps it to a key–value array.

 

Y

YARA Analyze - This app runs YARA rules against a file.
