When working with the datastore, I think of it like a file system with three levels:
The datastore Playbook app provides a field for each of these levels:
If you are trying to retrieve content from the datastore, you can leave the
entity field empty; if you are trying to write/update content, place the new data in the
entity field as valid json. If you are creating new content, you should use the
POST http method. If you are updating existing content, you should use the
PUT http method. For example, if you wanted to record the value of the ETag of a domain, the datastore app would look something like:
In order to access the datastore outside of playbooks, you will need a developer token. You can get a developer token in the ThreatConnect UI by hovering over the gear icon in the upper right corner > Org Settings > Apps. Then click the menu with three vertical dots on the right side of the screen and select Get Developer Token. This is necessary if you are trying to access the datastore via a REST client or a script outside of playbooks (which is helpful when testing/designing playbooks).
There are 'gotchas' to keep in mind when using the datastore here.