Parse STIX XML

Parse a STIX XML file from the File Post spaces app.

This playbook is intended to parse a STIX XML file from the File Post spaces app. See https://kb.threatconnect.com/customer/portal/articles/2920045 for how to configure and use the File Post app.

Once the playbook receives a file from the File Post app, it runs the file through the STIX Parser playbook app and then imports the data into ThreatConnect with the ThreatConnect Import app. Additionally, it can save the uploaded file as a Document and associate that Document with the indicators and groups that were created. Results are returned to the user in the HTTP response.

Documentation

Triggers

  • HttpLink

This playbook uses an HTTP trigger; the parts of the HTTP request below are used by the following apps:

  • body: used in the “STIX 1.1.1 Parser 1” app
  • header: used in the “Parse HTTP Header 1” app
  • body: used in the “Create ThreatConnect Document 1” app
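To make the parsing step concrete, here is an added Python sketch (not the STIX 1.1.1 Parser app's code, and not part of the original page) that pulls indicator values out of a STIX 1.1.1 package received as a request body. The function name, the pared-down sample package and the `Address`/`Host` labels are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
}
# CybOX value elements this sketch understands -> label (labels are illustrative).
VALUE_PATHS = {"AddressObj:Address_Value": "Address", "DomainNameObj:Value": "Host"}
# Constructed, pared-down package standing in for the HTTP request body.
_XMLNS = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
SAMPLE_BODY = f"""<stix:STIX_Package version="1.1.1" {_XMLNS}>
 <stix:Indicators>
  <stix:Indicator id="example:indicator-1">
   <indicator:Title>Constructed address indicator</indicator:Title>
   <indicator:Observable><cybox:Object><cybox:Properties>
    <AddressObj:Address_Value>192.0.2.10</AddressObj:Address_Value>
   </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="example:indicator-2">
   <indicator:Title>Constructed domain indicator</indicator:Title>
   <indicator:Observable><cybox:Object><cybox:Properties>
    <DomainNameObj:Value>bad.example.com</DomainNameObj:Value>
   </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
 </stix:Indicators>
</stix:STIX_Package>""".encode()

def parse_stix_body(body: bytes):
    """Return (indicator id, title, label, value) tuples from a STIX 1.1.1 package."""
    # Uploaded XML is untrusted: refuse DTDs/entities before handing it to the parser.
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        raise ValueError("DTD or entity declarations are not accepted")
    root = ET.fromstring(body)
    if root.tag != "{%s}STIX_Package" % NS["stix"]:
        raise ValueError("root element is not stix:STIX_Package")
    rows = []
    for ind in root.iterfind("stix:Indicators/stix:Indicator", NS):
        title = ind.findtext("indicator:Title", default="", namespaces=NS).strip()
        props = ind.find("indicator:Observable/cybox:Object/cybox:Properties", NS)
        if props is None:
            continue  # indicator without an inline observable
        for path, label in VALUE_PATHS.items():
            value = props.findtext(path, namespaces=NS)
            if value:
                rows.append((ind.get("id"), title, label, value.strip()))
    return rows
```

Calling `parse_stix_body(SAMPLE_BODY)` returns one tuple per indicator; a body that carries a DTD or whose root is not `stix:STIX_Package` raises `ValueError` before any data is extracted.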