ThreatConnect_v2.yml

/Packs/ThreatConnect/Integrations/ThreatConnect_v2/ThreatConnect_v2.yml

https://github.com/demisto/content · YAML · 2100 lines · 2100 code · 0 blank · 0 comment · 0 complexity · b7b492765fdf58d7576c95f360e1470a MD5 · raw file
Large files are truncated click here to view the full file

commonfields:
  id: ThreatConnect v2
  version: -1
name: ThreatConnect v2
display: ThreatConnect v2
category: Data Enrichment & Threat Intelligence
description: ThreatConnect's intelligence-driven security operations solution with intelligence, automation, analytics, and workflows.
configuration:
- display: baseUrl
  name: baseUrl
  defaultvalue: https://api.threatconnect.com
  type: 0
  required: true
- display: Access ID
  name: accessId
  defaultvalue: ""
  type: 0
  required: true
- display: Secret Key
  name: secretKey
  defaultvalue: ""
  type: 4
  required: true
- display: Default Organization
  name: defaultOrg
  defaultvalue: ""
  type: 0
  required: false
- display: Rating threshold for Malicious Indicators
  name: rating
  defaultvalue: "3"
  type: 0
  required: false
- display: Confidence threshold for Malicious Indicators
  name: confidence
  defaultvalue: "50"
  type: 0
  required: false
- display: Indicator Reputation Freshness (in days)
  name: freshness
  defaultvalue: "7"
  type: 0
  required: false
- display: Use system proxy settings
  name: proxy
  required: false
  type: 8
script:
  script: '-'
  type: python
  commands:
  - name: ip
    arguments:
    - name: ip
      required: true
      default: true
      description: The IPv4 or IPv6 address.
    - name: owners
      description: A comma-separated list of a client's organizations, sources, or communities
        to which a user has permissions. For example, users with admin permissions
        can search for indicators belonging to all owners.
    - name: ratingThreshold
      description: A list of results filtered by indicators whose threat rating is
        greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious",
        "2" - "Low", "3" - Moderate, "4" - High, or "5" - "Critical".
    - name: confidenceThreshold
      description: A list of results filtered by indicators whose confidence rating
        is greater than the specified value. Can be "0%" - "Unknown," "1% " - "Discredited",
        "2-29%" - "Improbable," "30-49%" - "Doubtful," "50-69%" - "Possible", "70-89%"
        - "Probable," or "90-100%" - "Confirmed".
    outputs:
    - contextPath: TC.Indicator.Name
      description: The name of the indicator.
      type: string
    - contextPath: TC.Indicator.Type
      description: The type of the indicator.
      type: string
    - contextPath: TC.Indicator.ID
      description: The ID of the indicator.
      type: string
    - contextPath: TC.Indicator.Description
      description: The description of the indicator.
      type: string
    - contextPath: TC.Indicator.Owner
      description: The owner of the indicator.
      type: string
    - contextPath: TC.Indicator.CreateDate
      description: The date on which the indicator was created.
      type: date
    - contextPath: TC.Indicator.LastModified
      description: The date on which the indicator was modified.
      type: date
    - contextPath: TC.Indicator.Rating
      description: The threat rating of the indicator.
      type: number
    - contextPath: TC.Indicator.Confidence
      description: The confidence rating of the indicator.
      type: number
    - contextPath: DBotScore.Indicator
      description: The value assigned by DBot for the indicator.
      type: string
    - contextPath: DBotScore.Type
      description: The type assigned by DBot for the indicator.
      type: string
    - contextPath: DBotScore.Score
      description: The score assigned by DBot for the indicator.
      type: number
    - contextPath: DBotScore.Vendor
      description: The vendor used to calculate the score.
      type: string
    - contextPath: IP.Address
      description: The IP address of the indicator.
      type: string
    - contextPath: IP.Malicious.Vendor
      description: For malicious IP addresses, the vendor that made the decision.
      type: string
    - contextPath: IP.Malicious.Description
      description: For malicious IP addresses, the full description.
      type: string
    description: Searches for an indicator of type IP address.
  - name: url
    arguments:
    - name: url
      required: true
      default: true
      description: The URL for which to search. For example, "www.demisto.com".
    - name: owners
      description: A comma-separated list of a client's organizations, sources, or communities
        to which a client’s API user has been granted permission. For example, "owner1",
        "owner2", or "owner3".
    - name: ratingThreshold
      description: A list of results filtered by indicators whose threat rating is
        greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious",
        "2" - "Low", "3" - Moderate, "4" - High, or "5" - "Critical".
    - name: confidenceThreshold
      description: A list of results filtered by indicators whose confidence rating
        is greater than the specified value. Can be "0%" - "Unknown," "1% " - "Discredited",
        "2-29%" - "Improbable," "30-49%" - "Doubtful," "50-69%" - "Possible", "70-89%"
        - "Probable," or "90-100%" - "Confirmed".
    outputs:
    - contextPath: TC.Indicator.Name
      description: The name of the indicator.
      type: string
    - contextPath: TC.Indicator.Type
      description: The type of the indicator.
      type: string
    - contextPath: TC.Indicator.ID
      description: The ID of the indicator.
      type: string
    - contextPath: TC.Indicator.Description
      description: The description of the indicator.
      type: string
    - contextPath: TC.Indicator.Owner
      description: The owner of the indicator.
      type: string
    - contextPath: TC.Indicator.CreateDate
      description: The date on which the indicator was created.
      type: date
    - contextPath: TC.Indicator.LastModified
      description: The date on which the indicator was last modified.
      type: date
    - contextPath: TC.Indicator.Rating
      description: The threat rating of the indicator.
      type: number
    - contextPath: TC.Indicator.Confidence
      description: The confidence rating of the indicator.
      type: number
    - contextPath: DBotScore.Indicator
      description: The value assigned by DBot for the indicator.
      type: string
    - contextPath: DBotScore.Type
      description: The type assigned by DBot for the indicator.
      type: string
    - contextPath: DBotScore.Score
      description: The score assigned by DBot for the indicator.
      type: number
    - contextPath: DBotScore.Vendor
      description: The vendor used to calculate the score.
      type: string
    - contextPath: URL.Data
      description: The data of the URL indicator.
      type: string
    - contextPath: URL.Malicious.Vendor
      description: For malicious URLs, the vendor that made the decision.
      type: string
    - contextPath: URL.Malicious.Description
      description: For malicious URLs, the full description.
      type: string
    description: Searches for an indicator of type URL.
  - name: file
    arguments:
    - name: file
      required: true
      default: true
      description: The hash of the file. Can be "MD5", "SHA-1", or "SHA-256".
    - name: owners
      description: A comma-separated list of a client's organizations, sources, or communities
        to which a user has permissions. For example, users with admin permissions
        can search for indicators belonging to all owners.
    - name: ratingThreshold
      description: A list of results filtered by indicators whose threat rating is
        greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious",
        "2" - "Low", "3" - Moderate, "4" - High, or "5" - "Critical".
    - name: confidenceThreshold
      description: A list of results filtered by indicators whose confidence rating
        is greater than the specified value. Can be "0%" - "Unknown," "1% " - "Discredited",
        "2-29%" - "Improbable," "30-49%" - "Doubtful," "50-69%" - "Possible", "70-89%"
        - "Probable," or "90-100%" - "Confirmed".
    outputs:
    - contextPath: TC.Indicator.Name
      description: The name of the indicator.
      type: string
    - contextPath: TC.Indicator.Type
      description: The type of the indicator.
      type: string
    - contextPath: TC.Indicator.ID
      description: The ID of the indicator.
      type: string
    - contextPath: TC.Indicator.Description
      description: The description of the indicator.
      type: string
    - contextPath: TC.Indicator.Owner
      description: The owner of the indicator.
      type: string
    - contextPath: TC.Indicator.CreateDate
      description: The date on which the indicator was created.
      type: date
    - contextPath: TC.Indicator.LastModified
      description: The last date on which the indicator was modified.
      type: date
    - contextPath: TC.Indicator.Rating
      description: The threat rating of the indicator.
      type: number
    - contextPath: TC.Indicator.Confidence
      description: The confidence rating of the indicator.
      type: number
    - contextPath: TC.Indicator.File.MD5
      description: The MD5 hash of the indicator.
      type: string
    - contextPath: TC.Indicator.File.SHA1
      description: The SHA1 hash of the indicator.
      type: string
    - contextPath: TC.Indicator.File.SHA256
      description: The SHA256 hash of the indicator.
      type: string
    - contextPath: DBotScore.Indicator
      description: The value assigned by DBot for the indicator.
      type: string
    - contextPath: DBotScore.Type
      description: The type assigned by DBot for the indicator.
      type: string
    - contextPath: DBotScore.Score
      description: The score assigned by DBot for the indicator.
      type: number
    - contextPath: DBotScore.Vendor
      description: The vendor used to calculate the score.
      type: string
    - contextPath: File.MD5
      description: The MD5 hash of the indicator.
      type: string
    - contextPath: File.SHA1
      description: The SHA1 hash of the indicator.
      type: string
    - contextPath: File.SHA256
      description: The SHA256 hash of the indicator.
      type: string
    - contextPath: File.Malicious.Vendor
      description: For malicious files, the vendor that made the decision.
      type: string
    - contextPath: File.Malicious.Description
      description: For malicious files, the full description.
      type: string
    description: Searches for an indicator of type file.
  - name: tc-owners
    arguments: []
    outputs:
    - contextPath: TC.Owner.Name
      description: The name of the owner.
      type: string
    - contextPath: TC.Owner.ID
      description: The ID of the owner.
      type: string
    - contextPath: TC.Owner.Type
      description: The type of the owner.
      type: string
    description: Retrieves all owners for the current account.
  - name: tc-indicators
    arguments:
    - name: owner
      description: A list of results filtered by the owner of the indicator.
    - name: limit
      description: The maximum number of results that can be returned. The default
        is 500.
    outputs:
    - contextPath: TC.Indicator.Name
      description: The name of the indicator.
      type: string
    - contextPath: TC.Indicator.Type
      description: The type of the indicator.
      type: string
    - contextPath: TC.Indicator.ID
      description: The ID of the indicator.
      type: string
    - contextPath: TC.Indicator.Description
      description: The description of the indicator.
      type: string
    - contextPath: TC.Indicator.Owner
      description: The owner of the indicator.
      type: string
    - contextPath: TC.Indicator.CreateDate
      description: The date on which the indicator was created.
      type: date
    - contextPath: TC.Indicator.LastModified
      description: The last date on which the indicator was modified.
      type: date
    - contextPath: TC.Indicator.Rating
      description: The threat rating of the indicator.
      type: number
    - contextPath: TC.Indicator.Confidence
      description: The confidence rating of the indicator.
      type: number
    - contextPath: TC.Indicator.WhoisActive
      description: The active indicator (for domains only).
      type: string
    - contextPath: TC.Indicator.File.MD5
      description: The MD5 hash of the indicator of the file.
      type: string
    - contextPath: TC.Indicator.File.SHA1
      description: The SHA1 hash of the indicator of the file.
      type: string
    - contextPath: TC.Indicator.File.SHA256
      description: The SHA256 hash of the indicator of the file.
      type: string
    - contextPath: DBotScore.Indicator
      description: The value assigned by DBot for the indicator.
      type: string
    - contextPath: DBotScore.Type
      description: The type assigned by DBot for the indicator.
      type: string
    - contextPath: DBotScore.Score
      description: The score assigned by DBot for the indicator.
      type: number
    - contextPath: DBotScore.Vendor
      description: The vendor used to calculate the score.
      type: string
    - contextPath: IP.Address
      description: The IP address of the indicator.
      type: string
    - contextPath: IP.Malicious.Vendor
      description: For malicious IP addresses, the vendor that made the decision.
      type: string
    - contextPath: IP.Malicious.Description
      description: For malicious IP addresses, the full description.
      type: string
    - contextPath: URL.Data
      description: The data of the URL of the indicator.
      type: string
    - contextPath: URL.Malicious.Vendor
      description: For malicious URLs, the vendor that made the decision.
      type: string
    - contextPath: URL.Malicious.Description
      description: For malicious URLs, the full description.
      type: string
    - contextPath: Domain.Name
      description: The name of the domain.
      type: string
    - contextPath: Domain.Malicious.Vendor
      description: For malicious domains, the vendor that made the decision.
      type: string
    - contextPath: Domain.Malicious.Description
      description: For malicious domains, the full description.
      type: string
    - contextPath: File.MD5
      description: The MD5 hash of the file.
      type: string
    - contextPath: File.SHA1
      description: The SHA1 hash of the file.
      type: string
    - contextPath: File.SHA256
      description: The SHA256 hash of the file.
      type: string
    - contextPath: File.Malicious.Vendor
      description: For malicious files, the vendor that made the decision.
      type: string
    - contextPath: File.Malicious.Description
      description: For malicious files, the full description.
      type: string
    description: Retrieves a list of all indicators.
  - name: tc-get-tags
    arguments: []
    outputs:
    - contextPath: TC.Tags
      description: A list of tags.
      type: Unknown
    description: Returns a list of all ThreatConnect tags.
  - name: tc-tag-indicator
    arguments:
    - name: tag
      required: true
      description: The name of the tag.
    - name: indicator
      required: true
      description: The indicator to tag. For example, for an IP indicator, "8.8.8.8".
    - name: owner
      description: A list of indicators filtered by the owner.
    description: Adds a tag to an existing indicator.
  - name: tc-get-indicator
    arguments:
    - name: indicator
      required: true
      default: true
      description: The name of the indicator by which to search. The command retrieves
        information from all owners. Can be an IP address, a URL, or a file hash.
    - name: indicator_type
      description: Only for custom. Leave empty for standard ones
    - name: owners
      description: Indicator Owner(s)
    - name: ratingThreshold
      description: A list of results filtered by indicators whose threat rating is
        greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious",
        "2" - "Low", "3" - Moderate, "4" - High, or "5" - "Critical".
    - name: confidenceThreshold
      description: A list of results filtered by indicators whose confidence rating
        is greater than the specified value. Can be "0%" - "Unknown," "1% " - "Discredited",
        "2-29%" - "Improbable," "30-49%" - "Doubtful," "50-69%" - "Possible", "70-89%"
        - "Probable," or "90-100%" - "Confirmed".
    - name: group_associations
      required: true
      auto: PREDEFINED
      predefined:
      - "true"
      - "false"
      description: Retrieve Indicator Group Associations
      defaultValue: "false"
    - name: indicator_associations
      auto: PREDEFINED
      predefined:
      - "true"
      - "false"
      description: Retrieve Indicator Associations
      defaultValue: "false"
    - name: indicator_observations
      auto: PREDEFINED
      predefined:
      - "true"
      - "false"
      description: Retrieve Indicator Observations
      defaultValue: "false"
    - name: indicator_tags
      auto: PREDEFINED
      predefined:
      - "true"
      - "false"
      description: Retrieve Indicator Tags
      defaultValue: "false"
    outputs:
    - contextPath: TC.Indicator.Name
      description: The name of the indicator.
      type: string
    - contextPath: TC.Indicator.Type
      description: The type of the indicator.
      type: string
    - contextPath: TC.Indicator.ID
      description: The ID of the indicator.
      type: string
    - contextPath: TC.Indicator.Description
      description: The description of the indicator.
      type: string
    - contextPath: TC.Indicator.Owner
      description: The owner of the indicator.
      type: string
    - contextPath: TC.Indicator.CreateDate
      description: The date on which the indicator was created.
      type: date
    - contextPath: TC.Indicator.LastModified
      description: The last date on which the indicator was modified.
      type: date
    - contextPath: TC.Indicator.Rating
      description: The threat rating of the indicator.
      type: number
    - contextPath: TC.Indicator.Confidence
      description: The confidence rating of the indicator.
      type: number
    - contextPath: TC.Indicator.WhoisActive
      description: The active indicator (for domains only).
      type: string
    - contextPath: TC.Indicator.File.MD5
      description: The MD5 hash of the indicator of the file.
      type: string
    - contextPath: TC.Indicator.File.SHA1
      description: The SHA1 hash of the indicator of the file.
      type: string
    - contextPath: TC.Indicator.File.SHA256
      description: The SHA256 hash of the indicator of the file.
      type: string
    - contextPath: DBotScore.Indicator
      description: The value assigned by DBot for the indicator.
      type: string
    - contextPath: DBotScore.Type
      description: The type assigned by DBot for the indicator.
      type: string
    - contextPath: DBotScore.Score
      description: The score assigned by DBot for the indicator.
      type: number
    - contextPath: DBotScore.Vendor
      description: The vendor used to calculate the score.
      type: string
    - contextPath: IP.Address
      description: The IP address of the indicator.
      type: string
    - contextPath: IP.Malicious.Vendor
      description: For malicious IP addresses, the vendor that made the decision.
      type: string
    - contextPath: IP.Malicious.Description
      description: For malicious IP addresses, the full description.
      type: string
    - contextPath: URL.Data
      description: The data of the indicator of the URL.
      type: string
    - contextPath: URL.Malicious.Vendor
      description: For malicious URLs, the vendor that made the decision.
      type: string
    - contextPath: URL.Malicious.Description
      description: For malicious URLs, the full description.
      type: string
    - contextPath: Domain.Name
      description: The domain name of the indicator.
      type: string
    - contextPath: Domain.Malicious.Vendor
      description: For malicious domains, the vendor that made the decision.
      type: string
    - contextPath: Domain.Malicious.Description
      description: For malicious domains, the full description.
      type: string
    - contextPath: File.MD5
      description: The MD5 hash of the file.
      type: string
    - contextPath: File.SHA1
      description: The SHA1 hash of the file.
      type: string
    - contextPath: File.SHA256
      description: The SHA256 hash of the file.
      type: string
    - contextPath: File.Malicious.Vendor
      description: For malicious files, the vendor that made the decision.
      type: string
    - contextPath: File.Malicious.Description
      description: For malicious files, the full description.
      type: string
    description: Retrieves information about an indicator.
  - name: tc-get-indicators-by-tag
    arguments:
    - name: tag
      required: true
      default: true
      description: The name of the tag by which to filter.
    - name: owner
      description: A list of indicators filtered by the owner.
    outputs:
    - contextPath: TC.Indicator.Name
      description: The name of the tagged indicator.
      type: string
    - contextPath: TC.Indicator.Type
      description: The type of the tagged indicator.
      type: string
    - contextPath: TC.Indicator.ID
      description: The ID of the tagged indicator.
      type: string
    - contextPath: TC.Indicator.Description
      description: The description of the tagged indicator.
      type: string
    - contextPath: TC.Indicator.Owner
      description: The owner of the tagged indicator.
      type: string
    - contextPath: TC.Indicator.CreateDate
      description: The date on which the tagged indicator was created.
      type: date
    - contextPath: TC.Indicator.LastModified
      description: The last date on which the tagged indicator was modified.
      type: date
    - contextPath: TC.Indicator.Rating
      description: The threat rating of the tagged indicator.
      type: number
    - contextPath: TC.Indicator.Confidence
      description: The confidence rating of the tagged indicator.
      type: number
    - contextPath: TC.Indicator.WhoisActive
      description: The active indicator (for domains only).
      type: string
    - contextPath: TC.Indicator.File.MD5
      description: The MD5 hash of the indicator of the file.
      type: string
    - contextPath: TC.Indicator.File.SHA1
      description: The SHA1 hash of the indicator of the file.
      type: string
    - contextPath: TC.Indicator.File.SHA256
      description: The SHA256 hash of the indicator of the file.
      type: string
    - contextPath: DBotScore.Indicator
      description: The value assigned by DBot for the tagged indicator.
      type: string
    - contextPath: DBotScore.Type
      description: The type assigned by DBot for the tagged indicator.
      type: string
    - contextPath: DBotScore.Score
      description: The score assigned by DBot for the tagged indicator.
      type: number
    - contextPath: DBotScore.Vendor
      description: The vendor used to calculate the score.
      type: string
    - contextPath: IP.Address
      description: The IP address of the tagged indicator.
      type: string
    - contextPath: IP.Malicious.Vendor
      description: For malicious IP addresses, the vendor that made the decision.
      type: string
    - contextPath: IP.Malicious.Description
      description: For malicious IP addresses, the full description.
      type: string
    - contextPath: URL.Data
      description: The data of the URL of the tagged indicator.
      type: string
    - contextPath: URL.Malicious.Vendor
      description: For malicious URLs, the vendor that made the decision.
      type: string
    - contextPath: URL.Malicious.Description
      description: For malicious URLs, the full description.
      type: string
    - contextPath: Domain.Name
      description: The domain name of the tagged indicator.
      type: string
    - contextPath: Domain.Malicious.Vendor
      description: For malicious domains, the vendor that made the decision.
      type: string
    - contextPath: Domain.Malicious.Description
      description: For malicious domains, the full description.
      type: string
    - contextPath: File.MD5
      description: The MD5 hash of the file.
      type: string
    - contextPath: File.SHA1
      description: The SHA1 hash of the file.
      type: string
    - contextPath: File.SHA256
      description: The SHA256 hash of the file.
      type: string
    - contextPath: File.Malicious.Vendor
      description: For malicious files, the vendor that made the decision.
      type: string
    - contextPath: File.Malicious.Description
      description: For malicious files, the full description.
      type: string
    description: Fetches all indicators that have a tag.
  - name: tc-add-indicator
    arguments:
    - name: indicator
      required: true
      description: The indicator to add.
    - name: rating
      description: The threat rating of the indicator. Can be "0" - "Unknown", "1"
        - "Suspicious", "2" - "Low", "3" - Moderate, "4" - High, or "5" - "Critical".
    - name: confidence
      description: The confidence rating of the indicator. Can be "0%" - "Unknown,"
        "1% " - "Discredited", "2-29%" - "Improbable," "30-49%" - "Doubtful," "50-69%"
        - "Possible", "70-89%" - "Probable," or "90-100%" - "Confirmed".
    - name: owner
      description: The owner of the new indicator. The default is the "defaultOrg"
        parameter.
    outputs:
    - contextPath: TC.Indicator.Name
      description: The name the indicator.
      type: string
    - contextPath: TC.Indicator.Type
      description: The type of indicator.
      type: string
    - contextPath: TC.Indicator.ID
      description: The ID of the indicator.
      type: string
    - contextPath: TC.Indicator.Description
      description: The description of the indicator.
      type: string
    - contextPath: TC.Indicator.Owner
      description: The owner of the indicator.
      type: string
    - contextPath: TC.Indicator.CreateDate
      description: The date on which the added indicator was created.
      type: date
    - contextPath: TC.Indicator.LastModified
      description: The last date on which the added indicator was modified.
      type: date
    - contextPath: TC.Indicator.Rating
      description: The threat rating of the indicator.
      type: number
    - contextPath: TC.Indicator.Confidence
      description: The confidence rating of the indicator.
      type: number
    - contextPath: TC.Indicator.WhoisActive
      description: The active indicator (for domains only).
      type: string
    - contextPath: TC.Indicator.File.MD5
      description: The MD5 hash of the indicator of the file.
      type: string
    - contextPath: TC.Indicator.File.SHA1
      description: The SHA1 hash of the indicator of the file.
      type: string
    - contextPath: TC.Indicator.File.SHA256
      description: The SHA256 hash of the indicator of the file.
      type: string
    - contextPath: IP.Address
      description: The IP address of the indicator.
      type: string
    - contextPath: IP.Malicious.Vendor
      description: For malicious IP addresses, the vendor that made the decision.
      type: string
    - contextPath: IP.Malicious.Description
      description: For malicious IP addresses, the full description.
      type: string
    - contextPath: URL.Data
      description: The data of the URL of the indicator.
      type: string
    - contextPath: URL.Malicious.Vendor
      description: For malicious URLs, the vendor that made the decision.
      type: string
    - contextPath: URL.Malicious.Description
      description: For malicious URLs, the full description.
      type: string
    - contextPath: Domain.Name
      description: The name of the added indicator of the domain.
      type: string
    - contextPath: Domain.Malicious.Vendor
      description: For malicious domains, the vendor that made the decision.
      type: string
    - contextPath: Domain.Malicious.Description
      description: For malicious domains, the full description.
      type: string
    - contextPath: File.MD5
      description: The MD5 hash of the file.
      type: string
    - contextPath: File.SHA1
      description: The SHA1 hash of the file.
      type: string
    - contextPath: File.SHA256
      description: The SHA256 hash of the file.
      type: string
    - contextPath: File.Malicious.Vendor
      description: For malicious files, the vendor that made the decision.
      type: string
    - contextPath: File.Malicious.Description
      description: For malicious files, the full description.
      type: string
    description: Adds a new indicator to ThreatConnect.
  - name: tc-create-incident
    arguments:
    - name: owner
      description: The owner of the new incident. The default is the "defaultOrg"
        parameter.
    - name: incidentName
      required: true
      default: true
      description: The name of the incident group.
    - name: eventDate
      description: The creation time of an incident in the "2017-03-21T00:00:00Z"
        format.
    - name: tag
      description: The tag applied to the incident.
    - name: securityLabel
      auto: PREDEFINED
      predefined:
      - TLP:RED
      - TLP:GREEN
      - TLP:AMBER
      - TLP:WHITE
      description: The security label applied to the incident. Can be "TLP:RED", "TLP:GREEN",
        "TLP:AMBER", or "TLP:WHITE".
    - name: description
      description: The description of the incident.
    outputs:
    - contextPath: TC.Incident.Name
      description: The name of the new incident group.
      type: string
    - contextPath: TC.Incident.Owner
      description: The owner of the new incident.
      type: string
    - contextPath: TC.Incident.EventDate
      description: The date on which the event that indicates an incident occurred.
      type: date
    - contextPath: TC.Incident.Tag
      description: The name of the tag of the new incident.
      type: string
    - contextPath: TC.Incident.SecurityLabel
      description: The security label of the new incident.
      type: string
    - contextPath: TC.Incident.ID
      description: The ID of the new incident.
      type: Unknown
    description: Creates a new incident group.
  - name: tc-fetch-incidents
    arguments:
    - name: incidentId
      default: true
      description: The fetched incidents filtered by ID.
    - name: owner
      description: The fetched incidents filtered by owner.
    - name: incidentName
      description: The fetched incidents filtered by incident name.
    outputs:
    - contextPath: TC.Incident
      description: The name of the group of fetched incidents.
      type: string
    - contextPath: TC.Incident.ID
      description: The ID of the fetched incidents.
      type: string
    - contextPath: TC.Incident.Owner
      description: The owner of the fetched incidents.
      type: string
    description: Fetches incidents from ThreatConnect.
  - name: tc-incident-associate-indicator
    arguments:
    - name: indicatorType
      required: true
      auto: PREDEFINED
      predefined:
      - ADDRESSES
      - EMAIL_ADDRESSES
      - URLS
      - HOSTS
      - FILES
      - CUSTOM_INDICATORS
      description: The type of the indicator. Can be "ADDRESSES", "EMAIL_ADDRESSES",
        "URLS", "HOSTS", "FILES", or "CUSTOM_INDICATORS".
    - name: incidentId
      required: true
      description: The ID of the incident to which the indicator is associated.
    - name: indicator
      required: true
      default: true
      description: The name of the indicator.
    - name: owner
      description: A list of indicators filtered by the owner.
    outputs:
    - contextPath: TC.Indicator.Name
      description: The name of the indicator.
      type: string
    - contextPath: TC.Indicator.Type
      description: The type of the indicator.
      type: string
    - contextPath: TC.Indicator.ID
      description: The ID of the indicator.
      type: string
    - contextPath: TC.Indicator.Description
      description: The description of the indicator.
      type: string
    - contextPath: TC.Indicator.Owner
      description: The owner of the indicator.
      type: string
    - contextPath: TC.Indicator.CreateDate
      description: The date on which the indicator associated was created.
      type: date
    - contextPath: TC.Indicator.LastModified
      description: The last date on which the indicator associated was modified.
      type: date
    - contextPath: TC.Indicator.Rating
      description: The threat rating of the indicator.
      type: number
    - contextPath: TC.Indicator.Confidence
      description: The confidence rating of the indicator.
      type: number
    - contextPath: TC.Indicator.WhoisActive
      description: The active indicator (for domains only).
      type: string
    - contextPath: TC.Indicator.File.MD5
      description: The MD5 hash of the indicator of the file.
      type: string
    - contextPath: TC.Indicator.File.SHA1
      description: The SHA1 hash of the indicator of the file.
      type: string
    - contextPath: TC.Indicator.File.SHA256
      description: The SHA256 hash of the indicator of the file.
      type: string
    - contextPath: IP.Address
      description: IP address of the associated indicator of the file.
      type: string
    - contextPath: IP.Malicious.Vendor
      description: For malicious IP addresses, the vendor that made the decision.
      type: string
    - contextPath: IP.Malicious.Description
      description: For malicious IP addresses, the full description.
      type: string
    - contextPath: URL.Data
      description: The data of the URL of the associated indicator of the file.
      type: string
    - contextPath: URL.Malicious.Vendor
      description: For malicious URLs, the vendor that made the decision.
      type: string
    - contextPath: URL.Malicious.Description
      description: For malicious URLs, the full description.
      type: string
    - contextPath: Domain.Name
      description: The name of the indicator of the domain.
      type: string
    - contextPath: Domain.Malicious.Vendor
      description: For malicious domains, the vendor that made the decision.
      type: string
    - contextPath: Domain.Malicious.Description
      description: For malicious domains, the full description.
      type: string
    - contextPath: File.MD5
      description: The MD5 hash of the file.
      type: string
    - contextPath: File.SHA1
      description: The SHA1 hash of the file.
      type: string
    - contextPath: File.SHA256
      description: The SHA256 hash of the file.
      type: string
    - contextPath: File.Malicious.Vendor
      description: For malicious files, the vendor that made the decision.
      type: string
    - contextPath: File.Malicious.Description
      description: For malicious files, the full description.
      type: string
    description: Associates an indicator with an existing incident. The indicator
      must exist before running this command. To add an indicator, run the tc-add-indicator
      command.
  - name: domain
    arguments:
    - name: domain
      required: true
      default: true
      description: The name of the domain.
    - name: owners
      description: A comma-separated list of a client's organizations, sources, or communities
        to which a user has permissions. For example, users with admin permissions
        can search for indicators belonging to all owners.
    - name: ratingThreshold
      description: A list of results filtered by indicators whose threat rating is
        greater than the specified value. Can be "0" - "Unknown", "1" - "Suspicious",
        "2" - "Low", "3" - Moderate, "4" - High, or "5" - "Critical".
    - name: confidenceThreshold
      description: A list of results filtered by indicators whose confidence rating
        is greater than the specified value. Can be "0%" - "Unknown," "1% " - "Discredited",
        "2-29%" - "Improbable," "30-49%" - "Doubtful," "50-69%" - "Possible", "70-89%"
        - "Probable," or "90-100%" - "Confirmed".
    outputs:
    - contextPath: TC.Indicator.Name
      description: The name of the of the indicator.
      type: string
    - contextPath: TC.Indicator.Type
      description: The type of the domain.
      type: string
    - contextPath: TC.Indicator.ID
      description: The ID of the domain.
      type: string
    - contextPath: TC.Indicator.Description
      description: The description of the domain.
      type: string
    - contextPath: TC.Indicator.Owner
      description: The owner of the domain.
      type: string
    - contextPath: TC.Indicator.CreateDate
      description: The date on which the indicator of the domain was created.
      type: date
    - contextPath: TC.Indicator.LastModified
      description: The last date on which the indicator of the domain was modified.
      type: date
    - contextPath: TC.Indicator.Rating
      description: The threat rating of the domain.
      type: number
    - contextPath: TC.Indicator.Confidence
      description: The confidence rating of the domain.
      type: number
    - contextPath: TC.Indicator.WhoisActive
      description: The active indicator (for domains only).
      type: string
    - contextPath: DBotScore.Indicator
      description: The value assigned by DBot for the indicator.
      type: string
    - contextPath: DBotScore.Type
      description: The type assigned by DBot for the indicator.
      type: string
    - contextPath: DBotScore.Score
      description: The score assigned by DBot for the indicator.
      type: number
    - contextPath: DBotScore.Vendor
      description: The vendor used to calculate the score.
      type: string
    - contextPath: Domain.Name
      description: The name of the domain.
      type: string
    - contextPath: Domain.Malicious.Vendor
      description: For malicious domains, the vendor that made the decision.
      type: string
    - contextPath: Domain.Malicious.Description
      description: For malicious domains, the full description.
      type: string
    description: Searches for an indicator of type domain.
  - name: tc-get-incident-associate-indicators
    arguments:
    - name: incidentId
      required: true
      default: true
      description: The ID of the incident.
    - name: owner
      description: A list of indicators filtered by the owner.
    outputs:
    - contextPath: TC.Indicator.Name
      description: The name of the returned indicator.
      type: string
    - contextPath: TC.Indicator.Type
      description: The type of the returned indicator.
      type: string
    - contextPath: TC.Indicator.ID
      description: The ID of the returned indicator.
      type: string
    - contextPath: TC.Indicator.Description
      description: The description of the returned indicator.
      type: string
    - contextPath: TC.Indicator.Owner
      description: The owner of the returned indicator.
      type: string
    - contextPath: TC.Indicator.CreateDate
      description: The date on which the returned indicator was created.
      type: date
    - contextPath: TC.Indicator.LastModified
      description: The last date on which the returned indicator was modified.
      type: date
    - contextPath: TC.Indicator.Rating
      description: The threat rating of the returned indicator.
      type: number
    - contextPath: TC.Indicator.Confidence
      description: The confidence rating of the returned indicator.
      type: number
    - contextPath: TC.Indicator.WhoisActive
      description: The active indicator (for domains only).
      type: string
    - contextPath: TC.Indicator.File.MD5
      description: The MD5 hash of the indicator of the file.
      type: string
    - contextPath: TC.Indicator.File.SHA1
      description: The SHA1 hash of the indicator of the file.
      type: string
    - contextPath: TC.Indicator.File.SHA256
      description: The SHA256 hash of the indicator of the file.
      type: string
    - contextPath: DBotScore.Indicator
      description: The value assigned by DBot for the indicator.
      type: string
    - contextPath: DBotScore.Type
      description: The type assigned by DBot for the indicator.
      type: string
    - contextPath: DBotScore.Score
      description: The score assigned by DBot for the indicator.
      type: number
    - contextPath: DBotScore.Vendor
      description: The vendor used to calculate the score.
      type: string
    - contextPath: IP.Address
      description: The IP address of the returned indicator.
      type: string
    - contextPath: IP.Malicious.Vendor
      description: For malicious IP addresses, the vendor that made the decision.
      type: string
    - contextPath: IP.Malicious.Description
      description: For malicious IP addresses, the full description.
      type: string
    - contextPath: URL.Data
      description: The data of the URL of the returned indicator.
      type: string
    - contextPath: URL.Malicious.Vendor
      description: For malicious URLs, the vendor that made the decision.
      type: string
    - contextPath: URL.Malicious.Description
      description: For malicious URLs, the full description.
      type: string
    - contextPath: Domain.Name
      description: The name of the domain.
      type: string
    - contextPath: Domain.Malicious.Vendor
      description: For malicious domains, the vendor that made the decision.
      type: string
    - contextPath: Domain.Malicious.Description
      description: For malicious domains, the full description.
      type: string
    - contextPath: File.MD5
      description: The MD5 hash of the file.
      type: string
    - contextPath: File.SHA1
      description: The SHA1 hash of the file.
      type: string
    - contextPath: File.SHA256
      description: The SHA256 hash of the file.
      type: string
    - contextPath: File.Malicious.Vendor
      description: For malicious files, the vendor that made the decision.
      type: string
    - contextPath: File.Malicious.Description
      description: For malicious files, the full description.
      type: string
    description: Returns indicators that are related to a specific incident.
  - name: tc-update-indicator
    arguments:
    - name: indicator
      required: true
      description: The name of the updated indicator.
    - name: rating
      description: The threat rating of the updated indicator.
    - name: confidence
      description: The confidence rating of the updated indicator.
    - name: size
      description: The size of the file of the updated indicator.
    - name: dnsActive
      description: The active DNS indicator (only for hosts).
    - name: whoisActive
      description: The active indicator (only for hosts).
    - name: updatedValues
      description: A comma-separated list of field:value pairs to update. For example, "rating=3",
        "confidence=42", and "description=helloWorld".
    - name: falsePositive
      auto: PREDEFINED
      predefined:
      - "True"
      - "False"
      description: The updated indicator set as a false positive. Can be "True" or
        "False".
    - name: observations
      description: The number observations on the updated indicator.
    - name: securityLabel
      auto: PREDEFINED
      predefined:
      - TLP:RED
      - TLP:GREEN
      - TLP:AMBER
      - TLP:WHITE
      description: The security label applied to the incident. Can be "TLP:RED", "TLP:GREEN",
        "TLP:AMBER", or "TLP:WHITE".
    - name: threatAssessConfidence
      description: Assesses the confidence rating of the indicator.
    - name: threatAssessRating
      description: Assesses the threat rating of the indicator.
    outputs:
    - contextPath: TC.Indicator.Name
      description: The name of the indicator.
      type: string
    - contextPath: TC.Indicator.Type
      description: The type of the indicator.
      type: string
    - contextPath: TC.Indicator.ID
      description: The ID of the indicator.
      type: string
    - contextPath: TC.Indicator.Description
      description: The description of the indicator.
      type: string
    - contextPath: TC.Indicator.Owner
      description: The owner of the indicator.
      type: string
    - contextPath: TC.Indicator.CreateDate
      description: The date on which the indicator was created.
      type: date
    - contextPath: TC.Indicator.LastModified
      description: The last date on which the indicator was modified.
      type: date
    - contextPath: TC.Indicator.Rating
      description: The threat rating of the indicator.
      type: number
    - contextPath: TC.Indicator.Confidence
      description: The confidence rating of the indicator.
      type: number
    - contextPath: TC.Indicator.WhoisActive
      description: The active indicator (for domains only).
      type: string
    - contextPath: TC.Indicator.File.MD5
      description: The MD5 hash of the indicator of the file.
      type: string
    - contextPath: TC.Indicator.File.SHA1
      description: The SHA1 hash of the indicator of the file.
      type: string
    - contextPath: TC.Indicator.File.SHA256
      description: The SHA256 hash of the indicator of the file.
      type: string
    - contextPath: IP.Address
      description: The IP address of the indicator.
      type: string
    - contextPath: IP.Malicious.Vendor
      description: For malicious IP addresses, the vendor that made the decision.
      type: string
    - contextPath: IP.Malicious.Description
      description: For malicious IP addresses, the full description.
      type: string
    - contextPath: URL.Data
      description: The data of the URL of the indicator.
      type: string
    - contextPath: URL.Malicious.Vendor
      description: For malicious URLs, the vendor that made the decision.
      type: string
    - contextPath: URL.Malicious.Description
      description: For malicious URLs, the full description.
      type: string
    - contextPath: Domain.Name
      description: The domain name of the indicator.
      type: string
    - contextPath: Domain.Malicious.Vendor
      description: For malicious domains, the vendor that made the decision.
      type: string
    - contextPath: Domain.Malicious.Description
      description: For malicious domains, the full description.
      type: string
    - contextPath: File.MD5
      description: The MD5 hash of the file.
      type: string
    - contextPath: File.SHA1
      description: The SHA1 hash of the file.
      type: string
    - contextPath: File.SHA256
      description: The SHA256 hash of the file.
      type: string
    - contextPath: File.Malicious.Vendor
      description: For malicious files, the vendor that made the decision.
      type: string
    - contextPath: File.Malicious.Description
      description: For malicious files, the full description.
      type: string
    description: Updates the indicator in ThreatConnect.
  - name: tc-delete-indicator-tag
    arguments:
    - name: indicator
      required: true
      description: The name of the indicator from which to remove a tag.
    - name: tag
      required: true
      description: The name of the tag to remove from the indicator.
    outputs:
    - contextPath: TC.Indicator.Name
      description: The name of the indicator.
      type: string
    - contextPath: TC.Indicator.Type
      description: The type of the indicator.
      type: string
    - contextPath: TC.Indicator.ID
      description: The ID of the indicator.
      type: string
    - contextPath: TC.Indicator.Description
      description: The description of the indicator.
      type: string
    - contextPath: TC.Indicator.Owner
      description: The owner of the indicator.
      type: string
    - contextPath: TC.Indicator.CreateDate
      description: The date on which the indicator was created.
      type: date
    - contextPath: TC.Indicator.LastModified
      description: The last date on which the indicator was modified.
      type: date
    - contextPath: TC.Indicator.Rating
      description: The threat rating of the indicator.
      type: number
    - contextPath: TC.Indicator.Confidence
      description: The confidence rating of the indicator.
      type: number
    - contextPath: TC.Indicator.WhoisActive
      description: The active indicator (for domains only).
      type: string
    - contextPath: TC.Indicator.File.MD5
      description: The MD5 hash of the indicator of the file.
      type: string
    - contextPath: TC.Indicator.File.SHA1
      description: The SHA1 hash of the indicator of the file.
      type: string
    - contextPath: TC.Indicator.File.SHA256
      description: The SHA256 hash of the indicator of the file.
      type: string
    - contextPath: IP.Address
      description: The IP address of the indicator.
      type: string
    - contextPath: IP.Malicious.Vendor
      description: For malicious IP addresses, the vendor that made the decision.
      type: string
    - contextPath: IP.Malicious.Description
      description: For malicious IP addresses, the full description.
      type: string
    - contextPath: URL.Data
      description: The data of the URL of the indicator.
      type: string
    - contextPath: URL.Malicious.Vendor
      description: For malicious URLs, the vendor that made the decision.
      type: string
    - contextPath: URL.Malicious.Description
      description: For malicious URLs, the full description.
      type: string
    - contextPath: Domain.Name
      description: The domain name of the indicator.
      type: string
    - contextPath: Domain.Malicious.Vendor
      description: For malicious domains, the vendor that made the decision.
      type: string
    - contextPath: Dom…