Store attributes for the unstructured indicator importer in the datastore.
Create an RSA Archer record from an incident in ThreatConnect
Download and parse an RSA Archer record into a ThreatConnect incident.
Parse a STIX XML file from the File Post spaces app.
These playbooks let you define a set of keywords in a JSON array to search documents for. Upon ingestion of a document, the playbook parses the documents in the specified owners for the given keywords. If a match is found, the group name and the identified keywords are added as tags on the triggering document.
Reports a false positive, turns off all monitors, resets all ratings, waits 25 hours for CAL to pick up the change, and finally deletes the indicator and republishes all groups associated with the indicator.
This playbook receives a webhook from a feed collector and then resets the dead hand entry in the datastore. This prevents the dead hand timer from sending a fault notification. This playbook also checks for indicator and group counts and sends an appropriate notification if groups or indicators are not collected.
This playbook checks the status of a feed and sends a notification if there is a fault in the feed status.
Playbook which creates a task on a given interval. This is a good starting point for automating the creation of recurring tasks in ThreatConnect.
When a new IOC (Address, URL, Host, File, or Email Address) comes in, this playbook verifies whether it already exists in the platform in a different owner.
Given an array, this playbook sends each item in the array one at a time to another playbook. This allows you to run a playbook on each item of an array.
Generate a Bro Intelligence Framework signature from an indicator.
Periodically capture the content of a website and send an alert if the content changes.
This playbook attempts an action until it is successful. In this sense, it is a bit like a 'pause' or 'wait' command that will wait until the given action is successful before moving on.
Request a PDF from a given URL and return the text from the PDF.
Request the content of the given website and return the text of the website's content.
This playbook presents a User Action trigger that, when pressed, queries Shodan's API for a given indicator, then pulls back enrichments and stores them as an attribute on that indicator.
This playbook checks whether a newly created host or address indicator belongs to the user's organization.
This Playbook will create a mailbox to ingest emails. When an email is sent to this mailbox, it will save the attachment and associate it with the email item that was created. It will also extract indicators and save them as associations to the email.
These 2 Playbooks will query the Recorded Future API for any alerts in the time period specified by the "Timer" in the RF Alerts Query Playbook. The secondary Playbook (RF Incident Create) will then create incidents from the Recorded Future API.
This playbook redirects you to a browse screen view of all URL Indicators with the same URL path and query strings. It is triggered with a user action.
Add an attribute and/or tag to all indicators associated with a given group.
Read a Google Alerts RSS feed and create indicators from the links. This playbook pulls the content from an RSS feed of Google alerts, finds the URLs from the alerts, and creates those URLs as indicators in ThreatConnect.
These playbooks allow users to turn the DNS on or off for all indicators associated with a group.
Turn on or off the DNS for all indicators associated with a group.
This playbook lets you query Cymon for an IP Address or Host.
Create and copy the link to a Group in two clicks.
Create and copy the link to an Indicator in two clicks.
Query Robtex for an IP or ASN.
This Playbook template lets users detonate a file in Palo Alto Wildfire from ThreatConnect.