Skip to main content

Incident ResponderIncident Responder Documentation

Configure the ThreatConnect API Service

Configure ThreatConnect as a service to get entity and artifact reputations and run other ThreatConnect actions.

  • Create a ThreatConnect API key.

  • Note the access ID of the API user you use to make requests.

  • Note your ThreatConnect base API URL; for example, https://app.threatconnect.com/api or https://sandbox.threatconnect.com/api/

  • Note your organization's name as it appears in ThreatConnect.

  • If you use a proxy, ensure that you whitelist your ThreatConnect base API URL.

  1. In the navigation bar, click the menu The menu icon in the navigation bar; three white lines on a green background., select Settings, then select Core.

  2. Under SERVICE INTEGRATIONS, select Services.

  3. Select a service:

    • To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.

    • To manually provide the relevant information for a service, click Configure a new serviceA blue circle with a white plus sign..

    • To view all actions for a service, hover over a service, then click the information icon An icon of a grey i inside a grey circle..

  4. Enter information about the service:

    • Service Name – Enter a unique name for the service. By default, the service name is Splunk.

    • (Optional) Description – Describe the service.

    • (Optional) Owner – Enter the email address of the person or group responsible for the service. 

    • API ID – Enter the ID of the API user you use to make requests.

    • API Key – Enter the ThreatConnect API key you created.

    • API URL – Enter your ThreatConnect base API URL.

    • API ORG – Enter your organization's name, as it appears in ThreatConnect.

  5. To validate the source, select TEST CONNECTIVITY.

  6. Select CREATE SERVICE.