Load ThreatConnect data in Python using dltHub

Build a ThreatConnect-to-database or -dataframe pipeline in Python using dlt with automatic Cursor support.

In this guide, we'll set up a complete ThreatConnect data pipeline from API credentials to your first data load in just 10 minutes. You'll end up with a fully declarative Python pipeline based on dlt's REST API connector, like in the partial example code below:

Example code

import dlt
from dlt.sources.rest_api import RESTAPIConfig, rest_api_resources


@dlt.source
def threatconnect_source(access_token=dlt.secrets.value):
    # Declarative REST API source: one resource per endpoint under base_url
    config: RESTAPIConfig = {
        "client": {
            "base_url": "https://api.threatconnect.com/v2/indicators",
            "auth": {
                "type": "bearer",
                "token": access_token,
            },
        },
        "resources": [
            "hosts",
            "addresses",
        ],
    }
    # [...]
    yield from rest_api_resources(config)


def get_data() -> None:
    # Connect to destination
    pipeline = dlt.pipeline(
        pipeline_name='threatconnect_pipeline',
        destination='duckdb',
        dataset_name='threatconnect_data',
    )
    # Load the data
    load_info = pipeline.run(threatconnect_source())
    print(load_info)


if __name__ == "__main__":
    get_data()

Why use dltHub Workspace with LLM Context to generate Python pipelines?

  • Accelerate pipeline development with AI-native context
  • Debug pipelines, validate schemas and data with the integrated Pipeline Dashboard
  • Build Python notebooks for end users of your data
  • Low maintenance thanks to Schema evolution with type inference, resilience and self documenting REST API connectors. A shallow learning curve makes the pipeline easy to extend by any team member
  • dlt is the tool of choice for Pythonic Iceberg Lakehouses, bringing mature data loading to pythonic Iceberg with or without catalogs

What you’ll do

We’ll show you how to generate a readable and easily maintainable Python script that fetches data from ThreatConnect’s API and loads it into Iceberg, DataFrames, files, or a database of your choice. Here are some of the endpoints you can load:

  • Metrics Endpoint: /v2/owners/metrics?resultLimit=500 - Retrieves metrics related to owners with a specified result limit.
  • Adversaries Group: /v2/groups/adversaries/?createActivityLog=false&resultLimit=500&resultStart=0&owner=Example+Community - Fetches groups of adversaries for a specific owner with options to limit results.
  • Security Labels: /v2/securityLabels?resultLimit=500&owner=Example+Community - Retrieves security labels associated with a specific owner.
  • Adversary Detail: /auth/adversary/adversary.xhtml?adversary=<id> - Provides detailed information about a specific adversary identified by its ID.
  • Indicators by Address: /v2/indicators/addresses?owner=Example+Community - Fetches indicators related to addresses for a specified owner.
  • Victims Data: /api/v2/victims?resultLimit=500&owner=Example+Community - Retrieves data on victims for a specified owner with a result limit.
  • Tasks: /v2/tasks?resultLimit=500&owner=Example+Community - Lists tasks associated with a specific owner.
  • Tags: /v2/tags - Retrieves available tags for categorization.
  • TAXII Discovery: /taxii/discovery - Endpoint for discovering TAXII services.
  • TAXII Polling: /taxii/poll - Used for polling TAXII collections for data.
  • TAXII Collection Management: /taxii/collection-management - Manages TAXII collections.

You will then debug the ThreatConnect pipeline using our Pipeline Dashboard tool to ensure it is copying the data correctly, before building a Notebook to explore your data and build reports.

Setup & steps to follow


Before getting started, let's make sure Cursor is set up correctly:

Now you're ready to get started!

  1. ⚙️ Set up dlt Workspace

    Install dlt with duckdb support:

    pip install "dlt[workspace]"

    Initialize a dlt pipeline with ThreatConnect support.

    dlt init dlthub:threatconnect duckdb

    The init command will set up the necessary files and folders for the next step.

  2. 🤠 Start LLM-assisted coding

    Here’s a prompt to get you started:

    Prompt
    Please generate a REST API Source for ThreatConnect API, as specified in @threatconnect-docs.yaml. Start with endpoints hosts and addresses and skip incremental loading for now. Place the code in threatconnect_pipeline.py and name the pipeline threatconnect_pipeline. If the file exists, use it as a starting point. Do not add or modify any other files. Use @dlt rest api as a tutorial. After adding the endpoints, allow the user to run the pipeline with python threatconnect_pipeline.py and await further instructions.

  3. 🔒 Set up credentials

    The snippets mention that an API key is required for the enrichment service, which should be provided by the System Administrator.

    To get the appropriate API keys, please visit the original source at https://docs.threatconnect.com/en/latest/rest_api/v3/indicator_enrichment/indicator_enrichment.html. If you want to protect your environment secrets in a production environment, look into setting up credentials with dlt.

  4. 🏃‍♀️ Run the pipeline in the Python terminal in Cursor

    python threatconnect_pipeline.py

    If your pipeline runs correctly, you’ll see something like the following:

    Pipeline threatconnect load step completed in 0.26 seconds
    1 load package(s) were loaded to destination duckdb and into dataset threatconnect_data
    The duckdb destination used duckdb:/threatconnect.duckdb location to store data
    Load package 1749667187.541553 is LOADED and contains no failed jobs

  5. 📈 Debug your pipeline and data with the Pipeline Dashboard

    Now that you have a running pipeline, you need to make sure it’s correct, so you do not introduce silent failures like misconfigured pagination or incremental loading errors. By launching the dlt Workspace Pipeline Dashboard, you can see various information about the pipeline to enable you to test it. Here you can see:

    • Pipeline overview: State, load metrics
    • Data’s schema: tables, columns, types, hints
    • You can query the data itself

    Launch the dashboard with:

    dlt pipeline threatconnect_pipeline show

  6. 🐍 Build a Notebook with data explorations and reports

    With the pipeline and data partially validated, you can continue with custom data explorations and reports. To get started, paste the snippet below into a new marimo Notebook and ask your LLM to go from there. Jupyter Notebooks and regular Python scripts are supported as well.

    import dlt

    data = dlt.pipeline("threatconnect_pipeline").dataset()
    # get "hosts" table as Pandas frame
    data["hosts"].df().head()
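The following is an added example, not part of the original guide or of dltHub's or ThreatConnect's code. It shows how the resultStart/resultLimit paging used by the v2 endpoints listed above maps onto dlt's offset paginator, and why step 5's warning about misconfigured pagination matters: a wrong parameter name silently drops rows instead of failing. The response layout (data.resultCount, data.host), the 100-row default page size and the sample hosts are assumptions and constructed data, not taken from the page.

```python
# Added example: ThreatConnect-style offset paging and a gap check (constructed data).
from typing import Any

PAGE_LIMIT = 500  # matches resultLimit=500 in the endpoint list above


def offset_paginator_config(limit: int = PAGE_LIMIT) -> dict[str, Any]:
    """Keys of dlt's rest_api 'offset' paginator, pointed at ThreatConnect's parameter names."""
    return {
        "type": "offset",
        "limit": limit,
        "offset_param": "resultStart",   # dlt's default would be "offset"
        "limit_param": "resultLimit",    # dlt's default would be "limit"
        "total_path": "data.resultCount",  # assumption about the v2 response layout
        "stop_after_empty_page": True,
    }


class FakeHostsEndpoint:
    """Constructed stand-in for GET /v2/indicators/hosts; ignores unknown params like a real server."""
    DEFAULT_LIMIT = 100  # assumption: page size used when resultLimit is absent

    def __init__(self, hosts: list[dict[str, Any]]) -> None:
        self._hosts = hosts

    def get(self, params: dict[str, Any]) -> dict[str, Any]:
        start = int(params.get("resultStart", 0))
        limit = int(params.get("resultLimit", self.DEFAULT_LIMIT))
        page = self._hosts[start:start + limit]
        return {"status": "Success", "data": {"resultCount": len(self._hosts), "host": page}}


def walk_offset_pages(endpoint: FakeHostsEndpoint, limit: int, offset_param: str = "resultStart",
                      limit_param: str = "resultLimit") -> list[dict[str, Any]]:
    """The loop an offset paginator runs: advance by `limit` until a page is empty or offset >= total."""
    offset, rows = 0, []
    while True:
        body = endpoint.get({offset_param: offset, limit_param: limit})
        page = body["data"]["host"]
        rows.extend(page)
        offset += limit
        if not page or offset >= body["data"]["resultCount"]:
            return rows


def missing_ids(rows: list[dict[str, Any]], expected_total: int) -> list[int]:
    """Check to run against the loaded table: every indicator id 1..N must have arrived."""
    return sorted(set(range(1, expected_total + 1)) - {r["id"] for r in rows})


SAMPLE_HOSTS = [{"id": i, "hostName": f"h{i}.example.test"} for i in range(1, 1201)]  # constructed
```

With the correct parameter names all 1200 sample hosts arrive; with limit_param="limit" the server falls back to its default page size while the client still advances by 500, so only 300 rows load and no error is raised.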
