Parse indicators of compromise using the ioc-finder package.
Perform operations and get data from a CIDR range.
Perform operations and get data from an IP address.
Perform operations and get data from a URL.
Spaces app to create and manage profiles for ThreatConnect DoubleCheck.
Store attributes for the unstructured indicator importer in the datastore.
Library for validating the contents and structure of data in ThreatConnect. Think unit-tests for ThreatConnect data.
Submit a host or URL to urlscan.io for enrichment.
Unstructured import for humans. Quickly and easily import and edit/update indicators in an unstructured format.
Reports a false positive, turns off all monitors, resets all ratings, waits 25 hours for CAL to pick up the change, and finally deletes the indicator and republishes all groups associated with the indicator.
This playbook checks, when a new IOC (Address, URL, Host, File, or Email Address) comes in, whether it already exists in the platform under a different owner.
Generate a Bro Intelligence Framework signature from an indicator.
Structured import for humans. Quickly and easily import and edit/update indicators in a structured format (currently JSON, but more formats coming).
This playbook presents a User Action trigger that, when pressed, queries Shodan's API for a given indicator, then pulls back enrichments and stores them as an attribute on that indicator.
This playbook creates a mailbox to ingest emails. When an email is sent to this mailbox, it saves the attachment and associates it with the email item that was created. It also extracts indicators and saves them as associations to the email.
Add an attribute and/or tag to all indicators associated with a given group.
Read a Google Alerts RSS feed and create indicators from the links. This playbook pulls the content from an RSS feed of Google alerts, finds the URLs from the alerts, and creates those URLs as indicators in ThreatConnect.
These playbooks allow users to turn the DNS on or off for all indicators associated with a group.
This playbook lets you query Cymon for an IP Address or Host.
Create and copy the link to an Indicator in two clicks.
Fang indicators of compromise in text.
Defang indicators of compromise so they don't become links in documents, emails, tasks, Slack messages, etc.
Parse indicators from text using the system regexes available via the API.