- 20 Jun 2023
- 4 Minutes to read
-
Print
-
DarkLight
Content Packs FAQ and Known Issues
- Updated on 20 Jun 2023
- 4 Minutes to read
-
Print
-
DarkLight
Content Packs aim to make implementing popular ThreatConnect® use cases quicker and easier for customers. This article provides a list of frequently asked questions and known issues related to Content Packs.
Frequently Asked Questions (FAQ)
What happens when you install a Content Pack that includes a Playbook using variables?
The Content Pack will be installed as normal, and the Playbook will be installed as a System-level Playbook Template. When you import the Playbook Template as a Playbook into your Organization, you will be prompted to provide values for the variables used in the Playbook.
How are dependencies handled when installing Content Packs?
- If a Content Pack contains an App, the latest version of the App, up to the latest minor version (e.g., 1.0.1, 1.1.0, etc.), will be installed if the App is available on TC Exchange™; otherwise, the version of the App specified in the Content Pack will be installed. For example, if a Content Pack contains an App whose version is 1.0.6, but the latest version of the App on TC Exchange is 1.0.7, then the 1.0.7 version of the App will be installed.
- If a Content Pack contains an App whose major version (e.g., 1.0.0, 2.0.0, etc.) is older than the version of the App available on TC Exchange, the version of the App specified in the Content Pack will be installed. This is because the previous major version of the App remains on TC Exchange, even though it is deprecated. To use the current major version of the App, you must update the App’s version number in the Content Pack, re-create the Content Pack, and reinstall it using the new .tcxp file. For example, if a Content Pack contains an App whose version is 1.0.0, but the latest version of the App on TC Exchange is 2.0.0, then the 1.0.0 version of the App will be installed. To use version 2.0.0 of the App, you would need to generate a new API request and update the value of the version parameter within the apps parameter for that App to 2.0.0, submit the request to the /api/internal/contentpack/generate endpoint to re-create the Content Pack, and reinstall the Content Pack using the new .tcxp file.
- If a Content Pack contains an App whose minor version is newer than the version of the App installed on your ThreatConnect instance, the App will be updated during the Content Pack installation process. In this scenario, a message stating that there is an App that needs to be updated will be displayed in the Install a new file drawer when you try to install the Content Pack.
Where can I view Content Packs in TC Exchange?
You can view Content Packs on the Installed and Catalog tabs of the TC Exchange Settings screen. To display only Content Packs on these tabs, select Content Packs from the dropdown to the left of the search bar on the TC Exchange Settings screen.
Are Content Packs installed at the System or Organization level?
Content Packs and the items they contain are installed at the System level. Specifically, Playbooks are installed as System-level Playbook Templates that users can import into their Organization; Workflows are installed as System-level Workflow Templates that users can copy into their Organization; Attribute Types and Artifact types are created at the System level; and Apps are installed at the System level via TC Exchange.
Known Issues
Known Issues With Attribute Content Packs
If a Content Pack contains an Attribute Type that is not mapped to an Indicator or Group type, an error message stating “At least 1 entry must exist in either the indicators or groups array” will be displayed on the Install a new file drawer when you try to install the Content Pack (Figure 1). In this scenario, a green checkmark will not be displayed in the Installed column for the affected Attribute Type.
To resolve this issue, contact the Content Pack creator and ask them to map the affected Attribute Type to an Indicator or Group type, re-create the Content Pack, and provide you with the new .tcxp file. You can then use that file to install the updated Content Pack.
Known Issues With Artifact Content Packs
- If a Content Pack contains an Artifact type that does not contain a description, the Artifact type may not be installed properly during the Content Pack installation process. In this scenario, an error message stating “com.cyber2.tc.util.ValidationException: No description was provided” will be displayed on the Install a new file drawer, and a red exclamation symbol will be displayed in the Installed column for the affected Artifact type (Figure 2). To resolve this issue, contact the Content Pack creator and ask them to add a description to the Artifact type, re-create the Content Pack, and provide you with the new .tcxp file. You can then use that file to install the updated Content Pack.
- If an Artifact type is created at the System level, but cannot be found when trying to create the Content Pack, delete and re-create the Artifact type and then retry creating the Content Pack.
- Currently, Artifact types that are created manually will be assigned a version number of 0. Versioning for Artifact types will be addressed in a future release.
ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.
20152-05 v.01.A