Creating Content Packs
  • 20 Jun 2023
  • 6 Minutes to read
  • Dark
    Light

Creating Content Packs

  • Dark
    Light

Article summary

To create a Content Pack and obtain a .tcxp file that can be used to install the Content Pack in TC Exchange™, send a POST request to the following internal API endpoint, where {{baseUrl}} represents the URL of your ThreatConnect® instance:

{{baseUrl}}/api/internal/contentpack/generate

In order to use this API endpoint and authenticate requests made to it, you must first generate a bearer token and then configure your preferred API tool to use bearer authentication.

Note
For a complete list of parameters that can be included in the body of a POST request to the /api/internal/contentpack/generate endpoint, see the “Available Parameters for API Requests” section.

API Configuration

Generating a Bearer Token

  1. Log into ThreatConnect with an Organization Administrator account.
  2. On the top navigation bar, hover over SettingsSettings iconand select Org Settings. The Membership tab of the Organization Settings screen will be displayed.
  3. Select the Apps tab. The Jobs view of the Apps screen will be displayed.
  4. Click the vertical ellipsis at the top right of the Apps screen and select API Token from the menu that is displayed. The Get Developer Token window will be displayed, showing an auto-generated bearer token (Figure 1). Figure 1_Creating Content Packs_7.1.2

     

    Important
    The auto-generated token will expire after 4 hours.

Configuring Your API Tool to Use Bearer Authentication

After generating a bearer token, configure your preferred API tool to use bearer authentication and enter the token provided in the Get Developer Token window (Figure 1). For example, Figure 2 illustrates how to configure these settings on the Authorization tab of Postman™ for a request to the /api/internal/contentpack/generate endpoint:

Figure 2_Creating Content Packs_7.1.2

 

  • Type: Select Bearer Token as the authorization type.
  • Token: Enter the token displayed in the Get Developer Token window in ThreatConnect.
  • Click the Save button at the upper right of the screen.

Creating an Application Content Pack

Send an API request in the following format to create an Application Content Pack:

POST {{baseUrl}}/api/internal/contentpack/generate

{
    "name": "ContentPackApplication",
    "version": "1.0",
    "apps": [
        {
            "name": "SSH Client",
            "version": "1.0.10"
        }
    ]
}
  • name: <String> REQUIRED The Content Pack’s name.
  • version: <String> REQUIRED The Content Pack’s version number.
  • apps: <Array of Apps> A list of Apps installed on your ThreatConnect instance to add to the Content Pack.
    • name: <String> REQUIRED The App’s name. A System Administrator can retrieve a list of installed Apps and each App’s name on the Installed tab of the TC Exchange Settings screen.
    • version: <String> REQUIRED The App’s version number. A System Administrator can retrieve a list of installed Apps and each App’s version number on the Installed tab of the TC Exchange Settings screen.

If the API request is successful, you will receive a 200 response with the contents of a .tcxp file that can be downloaded onto your computer.

Creating an Artifact Content Pack

Important
You should add only Artifact types with a description to a Content Pack; otherwise, users may encounter an error when they try to install the Content Pack.

Send an API request in the following format to create an Artifact Content Pack:

POST {{baseUrl}}/api/internal/contentpack/generate

{
    "name": "ContentPackArtifacts",
    "version": "1.0",
    "artifacts": [
        {
            "name": "Bitcoin Wallet Address"
        },
        {
            "name": "Malware Threat"
        }
    ]
}
  • name: <String> REQUIRED The Content Pack’s name.
  • version: <String> REQUIRED The Content Pack’s version number.
  • artifacts: <Array of Artifact types> A list of System-level Artifact types to add to the Content Pack.
    • name: <String> REQUIRED The Artifact type’s name. A System Administrator can retrieve a list of Artifact type names on the Artifacts tab of the System Settings screen.

If the API request is successful, you will receive a 200 response with the contents of a .tcxp file that can be downloaded onto your computer.

Creating an Attribute Content Pack

Important
You can add only System-level Attribute Types to a Content Pack. In addition, you should add only Attribute Types mapped to an Indicator or Group type to a Content Pack; otherwise, users may encounter an error when they try to install the Content Pack.

Send an API request in the following format to create an Attribute Content Pack:

POST {{baseUrl}}/api/internal/contentpack/generate

{
    "name": "ContentPackAttributes",
    "version": "1.0",
    "attributes": [
        {
            "name": "Additional Analysis and Context"
        },
        {
            "name": "Special Content Attribute"
        }
    ]
}
  • name: <String> REQUIRED The Content Pack’s name.
  • version: <String> REQUIRED The Content Pack’s version number.
  • attributes: <Array of Attribute Types> A list of System-level Attribute Types to add to the Content Pack.
    • name: <String> REQUIRED The Attribute Type’s name. A System Administrator can retrieve a list of Attribute Type names on the Attribute Types tab of the System Settings screen.

If the API request is successful, you will receive a 200 response with the contents of a .tcxp file that you can download onto your computer.

Creating a Playbook Content Pack

Send an API request in the following format to create a Playbook Content Pack:

POST {{baseUrl}}/api/internal/contentpack/generate

{
    "name": "ContentPackPlaybooks",
    "version": "1.0",
    "playbooks": [
        {
            "groupXid": "qqpnZxBl"
        }
    ]
}
  • name: <String> REQUIRED The Content Pack’s name.
  • version: <String> REQUIRED The Content Pack’s version number.
  • playbooks: <Array of Playbooks> A list of Playbooks to add to the Content Pack.
    • groupXid: <String> REQUIRED The Playbook’s XID. You can obtain a Playbook’s XID by opening the Playbook in the Playbook Designer and copying the set of characters after designer/ in the URL. For example, if the URL is https://companyabc.threatconnect.com/#/playbooks/designer/qqpnZxBl, then qqpnZxBl is the Playbook’s XID.

If the API request is successful, you will receive a 200 response with the contents of a .tcxp file that you can download onto your computer.

Note
All dependencies for the Playbook will be resolved in the .tcxp file.

Creating a Workflow Content Pack

Send an API request in the following format to create a Workflow Content Pack:

POST {{baseUrl}}/api/internal/contentpack/generate

{
    "name": "ContentPackWorkflows",
    "version": "1.0",
    "workflowTemplates": [
        {
            "name": "Content Pack Workflow"
        }
    ]
}
  • name: <String> REQUIRED The Content Pack’s name.
  • version: <String> REQUIRED The Content Pack’s version number.
  • workflowTemplates: <Array of Workflows> A list of Workflows to add to the Content Pack.
    • name: <String> REQUIRED The Workflow’s name. You can retrieve a Workflow’s name on the Workflows screen.

If the API request is successful, you will receive a 200 response with the contents of a .tcxp file that you can download onto your computer.

Creating a Mixed Content Pack

In addition to creating individual Content Packs containing only Apps, Artifact types, Attribute Types, Playbooks, or Workflows, you can create Content Packs that utilize any combination of these elements.

Note
On your ThreatConnect instance, the Apps you want to use must be installed via TC Exchange, the Artifact types and Attribute Types you want to use must be created at the System level, and the Playbooks and Workflows you want to use must be created in your Organization.

For example, the following API request demonstrates how to create a mixed Content Pack containing one App, two Artifact types, two Attribute Types, one Playbook, and one Workflow.

POST {{baseUrl}}/api/internal/contentpack/generate

{
    "name": "ContentPackMixed",
    "version": "1.0",
    "apps": [
        {
            "name": "SSH Client",
            "version": "1.0.10"
        }
    ],
    "artifacts": [
        {
            "name": "Bitcoin Wallet Address"
        },
        {
            "name": "Malware Threat"
        }
    ],
    "attributes": [
        {
            "name": "Additional Analysis and Context"
        },
        {
            "name": "Special Content Attribute"
        }
    ],
    "playbooks": [
        {
            "groupXid": "qqpnZxBl"
        }
    ],
    "workflowTemplates": [
        {
            "name": "Content Pack Workflow"
        }
    ]
}

If the API request is successful, you will receive a 200 response with the contents of a .tcxp file that can be downloaded onto your computer.

Available Parameters for API Requests

Table 1 provides a complete list of parameters that you may include in the body of a POST request to the /api/internal/contentpack/generate endpoint.

 

NameDescriptionTypeRequired?
appsA list of Apps to add to the Content Pack.ArrayOptional
apps.nameThe name of the App to add to the Content Pack.StringRequired if apps is used
apps.versionThe version number of the App to add to the Content Pack.StringRequired if apps is used
artifactsA list of Artifact types to add to the Content Pack.ArrayOptional
artifacts.nameThe name of the Artifact type to add to the Content Pack.StringRequired if artifacts is used
attributesA list of System-level Attribute Types to add to the Content Pack.ArrayOptional
attributes.nameThe name of the Attribute Type to add to the Content Pack.StringRequired if attributes is used
autoIncludeDependencies1Specifies whether the Content Pack will gather dependencies automatically as it builds. The default value is true.BooleanOptional
descriptionThe Content Pack’s description. The description is displayed when a user views the Content Pack on TC Exchange and when they install the Content Pack using the .tcxp file.StringOptional
minServerVersionThe minimum ThreatConnect server version on which the Content Pack must be installed; otherwise, the Content Pack installation will fail.StringOptional
nameThe Content Pack’s name.StringRequired
playbooksA list of Playbooks to add to the Content Pack.ArrayOptional
playbooks.groupXidThe XID of the Playbook to add to the Content Pack.StringRequired if playbooks is used
versionThe Content Pack’s version number.StringRequired
workflowTemplatesA list of Workflows to add to the Content Pack.ArrayOptional
workflowTemplates.nameThe name of the Workflow to add to the Content Pack.StringRequired if workflowTemplates is used

1. You should not include the autoIncludeDependencies field in the request body unless there is an outstanding reason for doing so (e.g., a new version of an App contains significant changes that should not be included in the Content Pack).


ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.
Postman™ is a trademark of Postman, Inc.

20152-02 v.01.A


Was this article helpful?