HTTP Client: Playbook Use Cases

Instructions for the "Multi-part Form/File Data" Field in the HTTP Client Playbook App:

Use the key/value list to post data to a multi-part form action. Both form data and files can be included. Form data can be a String, a StringArray (for multi-select form data), or Binary/BinaryArray (for files). If Binary/BinaryArray data are provided, the key is used as the filename (e.g., report001.pdf), and the MIME type is determined automatically from the filename. If the MIME type cannot be determined from the filename, it defaults to application/octet-stream. Alternatively, a filename and MIME type can be provided by using keys in the format <filename>[filename] and <filename>[mime-type] (e.g., file1[filename] = 'report001.pdf' and file1[mime-type] = 'image/jpeg'). For BinaryArray data, the filename and MIME type values should each be a StringArray whose length equals that of the BinaryArray. If a single MIME type is provided, it is used for all files in the BinaryArray. Duplicate key names should be avoided when possible.

Use Case

A user wishes to upload a YARA signature named WhiskeyAlpha.yara to a third-party Endpoint Security solution via its Application Programming Interface (API) (Figure 1).

Figure 1

By developing a Playbook with the UserAction Trigger, Get ThreatConnect Signature by ID, and HTTP Client Apps, it is possible to push the signature from the ThreatConnect Details screen to the destination API (Figure 2).

Figure 2

Figure 3 demonstrates using output variables #tc.signature.file_data (binary) and #tc.signature.file_name (string) from the Get ThreatConnect Signature by ID App.

Figure 3

These variables are used in conjunction with the HTTP Client’s Multi-part Form/File Data fields (Figure 4).

Figure 4

Due to requirements specified by the Endpoint Security API, the name parameter of the Content-Disposition form-data header must be set to Filedata for all three keys. (This parameter’s value may vary from one API to the next.) The binary data, filename, and MIME type values are all associated back to the form's name parameter.[1] Since the file extension .yara does not map to a standard MIME type, the MIME type is statically set to text/plain for good measure.[2]
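The following added example (not ThreatConnect's code and not part of the original page) sketches how the three keys could map onto one multipart part, following the filename and MIME type rules described in the field instructions. The function names, the dictionary model of the key/value list, the boundary, and the sample rule text are assumptions made for illustration.

```python
import mimetypes

_KNOWN = mimetypes.MimeTypes()  # Python's built-in extension table only

def _clean(value):
    """Refuse CR/LF so a filename or MIME type cannot inject extra headers."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in multipart header values")
    return value

def _param(value):
    """Quote a Content-Disposition parameter value."""
    return '"' + _clean(value).replace("\\", "\\\\").replace('"', '\\"') + '"'

def resolve_mime(filename, override=None):
    """Explicit MIME type wins, then a guess from the filename, then the default."""
    if override:
        return _clean(override)
    guessed, _ = _KNOWN.guess_type(filename)
    return guessed or "application/octet-stream"

def encode_multipart(fields, boundary):
    """Encode a dict (hypothetical model of the key/value list) as a form body."""
    sep = b"--" + boundary.encode("ascii")
    out = []
    for key, value in fields.items():
        if key.endswith(("[filename]", "[mime-type]")):
            continue  # metadata keys, consumed by the binary entry they describe
        head = "Content-Disposition: form-data; name=" + _param(key)
        if isinstance(value, bytes):
            # Without a [filename] key, the key itself is used as the filename.
            filename = fields.get(key + "[filename]", key)
            mime = resolve_mime(filename, fields.get(key + "[mime-type]"))
            head += "; filename=" + _param(filename) + "\r\nContent-Type: " + mime
        else:
            value = value.encode("utf-8")
        out.append(sep + b"\r\n" + head.encode("utf-8") + b"\r\n\r\n" + value + b"\r\n")
    return b"".join(out) + sep + b"--\r\n"

# Constructed sample input mirroring the three keys in the use case.
SAMPLE = {
    "Filedata": b"rule WhiskeyAlpha { condition: false }\n",
    "Filedata[filename]": "WhiskeyAlpha.yara",
    "Filedata[mime-type]": "text/plain",
}

if __name__ == "__main__":
    print(encode_multipart(SAMPLE, "example-boundary").decode("utf-8"))
```

Without the Filedata[mime-type] entry, the .yara extension is not recognized and the part falls back to application/octet-stream, which is why the use case sets text/plain explicitly.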

[1] IANA. (2016, June 22). Content Disposition Values and Parameters. Retrieved from: https://www.iana.org/assignments/cont-disp/cont-disp.xhtml

[2] IANA. (2019, July 11). Media Types. Retrieved from: https://www.iana.org/assignments/media-types/media-types.xhtml

