Creating Content Packs

20 Jun 2023
6 Minutes to read

Print
Dark

Light

Creating Content Packs

Updated on 20 Jun 2023
6 Minutes to read

Print
Dark

Light

Article summary

Did you find this summary helpful?

Thank you for your feedback

To create a Content Pack and obtain a .tcxp file that can be used to install the Content Pack in TC Exchange™, send a POST request to the following internal API endpoint, where {{baseUrl}} represents the URL of your ThreatConnect^® instance:

{{baseUrl}}/api/internal/contentpack/generate

In order to use this API endpoint and authenticate requests made to it, you must first generate a bearer token and then configure your preferred API tool to use bearer authentication.

Note

For a complete list of parameters that can be included in the body of a POST request to the /api/internal/contentpack/generate endpoint, see the “Available Parameters for API Requests” section.

API Configuration

Generating a Bearer Token

Log into ThreatConnect with an Organization Administrator account.
On the top navigation bar, hover over Settingsand select Org Settings. The Membership tab of the Organization Settings screen will be displayed.
Select the Apps tab. The Jobs view of the Apps screen will be displayed.
Click the vertical ellipsis at the top right of the Apps screen and select API Token from the menu that is displayed. The Get Developer Token window will be displayed, showing an auto-generated bearer token (Figure 1).

Important
The auto-generated token will expire after 4 hours.

Configuring Your API Tool to Use Bearer Authentication

After generating a bearer token, configure your preferred API tool to use bearer authentication and enter the token provided in the Get Developer Token window (Figure 1). For example, Figure 2 illustrates how to configure these settings on the Authorization tab of Postman™ for a request to the /api/internal/contentpack/generate endpoint:

Figure 2_Creating Content Packs_7.1.2

Type: Select Bearer Token as the authorization type.
Token: Enter the token displayed in the Get Developer Token window in ThreatConnect.
Click the Save button at the upper right of the screen.

Creating an Application Content Pack

Send an API request in the following format to create an Application Content Pack:

POST {{baseUrl}}/api/internal/contentpack/generate

{
    "name": "ContentPackApplication",
    "version": "1.0",
    "apps": [
        {
            "name": "SSH Client",
            "version": "1.0.10"
        }
    ]
}

name: <String> REQUIRED The Content Pack’s name.
version: <String> REQUIRED The Content Pack’s version number.
apps: <Array of Apps> A list of Apps installed on your ThreatConnect instance to add to the Content Pack.
- name: <String> REQUIRED The App’s name. A System Administrator can retrieve a list of installed Apps and each App’s name on the Installed tab of the TC Exchange Settings screen.
- version: <String> REQUIRED The App’s version number. A System Administrator can retrieve a list of installed Apps and each App’s version number on the Installed tab of the TC Exchange Settings screen.

If the API request is successful, you will receive a 200 response with the contents of a .tcxp file that can be downloaded onto your computer.

Creating an Artifact Content Pack

Important

You should add only Artifact types with a description to a Content Pack; otherwise, users may encounter an error when they try to install the Content Pack.

Send an API request in the following format to create an Artifact Content Pack:

POST {{baseUrl}}/api/internal/contentpack/generate

{
    "name": "ContentPackArtifacts",
    "version": "1.0",
    "artifacts": [
        {
            "name": "Bitcoin Wallet Address"
        },
        {
            "name": "Malware Threat"
        }
    ]
}

name: <String> REQUIRED The Content Pack’s name.
version: <String> REQUIRED The Content Pack’s version number.
artifacts: <Array of Artifact types> A list of System-level Artifact types to add to the Content Pack.
- name: <String> REQUIRED The Artifact type’s name. A System Administrator can retrieve a list of Artifact type names on the Artifacts tab of the System Settings screen.

If the API request is successful, you will receive a 200 response with the contents of a .tcxp file that can be downloaded onto your computer.

Creating an Attribute Content Pack

Important

You can add only System-level Attribute Types to a Content Pack. In addition, you should add only Attribute Types mapped to an Indicator or Group type to a Content Pack; otherwise, users may encounter an error when they try to install the Content Pack.

Send an API request in the following format to create an Attribute Content Pack:

POST {{baseUrl}}/api/internal/contentpack/generate

{
    "name": "ContentPackAttributes",
    "version": "1.0",
    "attributes": [
        {
            "name": "Additional Analysis and Context"
        },
        {
            "name": "Special Content Attribute"
        }
    ]
}

name: <String> REQUIRED The Content Pack’s name.
version: <String> REQUIRED The Content Pack’s version number.
attributes: <Array of Attribute Types> A list of System-level Attribute Types to add to the Content Pack.
- name: <String> REQUIRED The Attribute Type’s name. A System Administrator can retrieve a list of Attribute Type names on the Attribute Types tab of the System Settings screen.

If the API request is successful, you will receive a 200 response with the contents of a .tcxp file that you can download onto your computer.

Creating a Playbook Content Pack

Send an API request in the following format to create a Playbook Content Pack:

POST {{baseUrl}}/api/internal/contentpack/generate

{
    "name": "ContentPackPlaybooks",
    "version": "1.0",
    "playbooks": [
        {
            "groupXid": "qqpnZxBl"
        }
    ]
}

name: <String> REQUIRED The Content Pack’s name.
version: <String> REQUIRED The Content Pack’s version number.
playbooks: <Array of Playbooks> A list of Playbooks to add to the Content Pack.
- groupXid: <String> REQUIRED The Playbook’s XID. You can obtain a Playbook’s XID by opening the Playbook in the Playbook Designer and copying the set of characters after designer/ in the URL. For example, if the URL is https://companyabc.threatconnect.com/#/playbooks/designer/qqpnZxBl, then qqpnZxBl is the Playbook’s XID.

If the API request is successful, you will receive a 200 response with the contents of a .tcxp file that you can download onto your computer.

Note

All dependencies for the Playbook will be resolved in the .tcxp file.

Creating a Workflow Content Pack

Send an API request in the following format to create a Workflow Content Pack:

POST {{baseUrl}}/api/internal/contentpack/generate

{
    "name": "ContentPackWorkflows",
    "version": "1.0",
    "workflowTemplates": [
        {
            "name": "Content Pack Workflow"
        }
    ]
}

name: <String> REQUIRED The Content Pack’s name.
version: <String> REQUIRED The Content Pack’s version number.
workflowTemplates: <Array of Workflows> A list of Workflows to add to the Content Pack.
- name: <String> REQUIRED The Workflow’s name. You can retrieve a Workflow’s name on the Workflows screen.

If the API request is successful, you will receive a 200 response with the contents of a .tcxp file that you can download onto your computer.

Creating a Mixed Content Pack

In addition to creating individual Content Packs containing only Apps, Artifact types, Attribute Types, Playbooks, or Workflows, you can create Content Packs that utilize any combination of these elements.

Note

On your ThreatConnect instance, the Apps you want to use must be installed via TC Exchange, the Artifact types and Attribute Types you want to use must be created at the System level, and the Playbooks and Workflows you want to use must be created in your Organization.

For example, the following API request demonstrates how to create a mixed Content Pack containing one App, two Artifact types, two Attribute Types, one Playbook, and one Workflow.

POST {{baseUrl}}/api/internal/contentpack/generate

{
    "name": "ContentPackMixed",
    "version": "1.0",
    "apps": [
        {
            "name": "SSH Client",
            "version": "1.0.10"
        }
    ],
    "artifacts": [
        {
            "name": "Bitcoin Wallet Address"
        },
        {
            "name": "Malware Threat"
        }
    ],
    "attributes": [
        {
            "name": "Additional Analysis and Context"
        },
        {
            "name": "Special Content Attribute"
        }
    ],
    "playbooks": [
        {
            "groupXid": "qqpnZxBl"
        }
    ],
    "workflowTemplates": [
        {
            "name": "Content Pack Workflow"
        }
    ]
}

If the API request is successful, you will receive a 200 response with the contents of a .tcxp file that can be downloaded onto your computer.

Available Parameters for API Requests

Table 1 provides a complete list of parameters that you may include in the body of a POST request to the /api/internal/contentpack/generate endpoint.

Name	Description	Type	Required?
apps	A list of Apps to add to the Content Pack.	Array	Optional
apps.name	The name of the App to add to the Content Pack.	String	Required if apps is used
apps.version	The version number of the App to add to the Content Pack.	String	Required if apps is used
artifacts	A list of Artifact types to add to the Content Pack.	Array	Optional
artifacts.name	The name of the Artifact type to add to the Content Pack.	String	Required if artifacts is used
attributes	A list of System-level Attribute Types to add to the Content Pack.	Array	Optional
attributes.name	The name of the Attribute Type to add to the Content Pack.	String	Required if attributes is used
autoIncludeDependencies¹	Specifies whether the Content Pack will gather dependencies automatically as it builds. The default value is true.	Boolean	Optional
description	The Content Pack’s description. The description is displayed when a user views the Content Pack on TC Exchange and when they install the Content Pack using the .tcxp file.	String	Optional
minServerVersion	The minimum ThreatConnect server version on which the Content Pack must be installed; otherwise, the Content Pack installation will fail.	String	Optional
name	The Content Pack’s name.	String	Required
playbooks	A list of Playbooks to add to the Content Pack.	Array	Optional
playbooks.groupXid	The XID of the Playbook to add to the Content Pack.	String	Required if playbooks is used
version	The Content Pack’s version number.	String	Required
workflowTemplates	A list of Workflows to add to the Content Pack.	Array	Optional
workflowTemplates.name	The name of the Workflow to add to the Content Pack.	String	Required if workflowTemplates is used

1. You should not include the autoIncludeDependencies field in the request body unless there is an outstanding reason for doing so (e.g., a new version of an App contains significant changes that should not be included in the Content Pack).

ThreatConnect^® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.
Postman™ is a trademark of Postman, Inc.

20152-02 v.01.A

Was this article helpful?

What's Next

Installing and Configuring Content Packs

Table of contents

API Configuration
Creating an Application Content Pack
Creating an Artifact Content Pack
Creating an Attribute Content Pack
Creating a Playbook Content Pack
Creating a Workflow Content Pack
Creating a Mixed Content Pack
Available Parameters for API Requests