Playbook Fridays: Query Cymon API

This Playbook queries Cymon's API, which tracks malware, phishing, botnets, spam, and more

ThreatConnect developed the Playbooks capability to help analysts automate time-consuming and repetitive tasks so they can focus on what is most important, and, in many cases, to ensure the analysis process runs consistently and in real time, without human intervention.

Happy Friday! This Friday, we are featuring a Playbook which queries Cymon’s API. Cymon, run by eSentire, is an open service which tracks “malware, phishing, botnets, spam, and more” (from

The Playbook is pretty simple:

The Playbook starts with a user-action trigger (which means you can trigger this Playbook from an indicator’s page).

The Playbook then determines whether the given data is an IP Address indicator or a host indicator, queries Cymon's API, and returns the response to the indicator's page, so you can see the results with one click and without leaving the page! This Playbook does require a Cymon API Token, which is stored as a keychain variable. You can register for a Cymon API Token here.
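As an added illustration (not the Playbook itself, nor ThreatConnect's or Cymon's code), here is the same dispatch logic in Python: classify the indicator as an IP address or a host, build the Cymon request, and read the API token from an environment variable in place of the keychain variable. The base URL, the `ip`/`domain` path layout and the `Token` authorization scheme are assumptions, not taken from the post; check Cymon's API documentation for the real values.

```python
"""Indicator-type dispatch for a Cymon lookup, mirroring the Playbook's logic."""
import ipaddress
import json
import os
import re
import urllib.request
from typing import Dict, Optional, Tuple

# Assumed endpoint layout (not from the post); adjust to Cymon's documented API.
CYMON_BASE_URL = "https://cymon.io/api/nexus/v1"

# One DNS label: 1-63 chars, letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_indicator(value: str) -> Optional[str]:
    """Return 'ip' for an IPv4/IPv6 address, 'host' for a hostname, else None."""
    value = value.strip()
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    host = value.rstrip(".")          # tolerate a trailing FQDN dot
    labels = host.split(".")
    if len(host) > 253 or len(labels) < 2:
        return None
    # An all-numeric last label is a malformed IP (e.g. 256.1.1.1), not a host.
    if all(_LABEL.match(label) for label in labels) and not labels[-1].isdigit():
        return "host"
    return None


def build_cymon_request(value: str, token: str) -> Tuple[str, Dict[str, str]]:
    """Build URL and headers; the token travels in a header, never in the URL."""
    kind = classify_indicator(value)
    if kind is None:
        raise ValueError(f"not an IP or host indicator: {value!r}")
    path = "ip" if kind == "ip" else "domain"
    url = f"{CYMON_BASE_URL}/{path}/{value.strip().rstrip('.')}"
    headers = {"Authorization": f"Token {token}", "Accept": "application/json"}
    return url, headers


def query_cymon(value: str) -> dict:
    """Look up one indicator; CYMON_API_TOKEN stands in for the keychain variable."""
    token = os.environ.get("CYMON_API_TOKEN")
    if not token:
        raise RuntimeError("CYMON_API_TOKEN is not set")
    url, headers = build_cymon_request(value, token)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)
```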

You can download the playbook from our Playbooks repository: If you have any questions, feedback, or run into any problems, feel free to raise an issue.

Happy hunting!

About the Author

With ThreatConnect, security analysts can simultaneously coordinate with incident response, security operations and risk management teams while aggregating data from trusted communities. Your team will be better equipped to protect the organization from modern cyber threats, mitigate risk and address strategic business needs, all through a single, robust platform.