ThreatConnect

Author: r | 2025-04-24


The ThreatConnect integration with ZeroFOX allows ThreatConnect customers to import threat intelligence domain feeds from ZeroFOX into ThreatConnect. This integration is available for download on the ThreatConnect Marketplace. tcex - ThreatConnect Exchange App Framework. The ThreatConnect TcEx App Framework provides functionality for writing ThreatConnect Exchange Apps.


Getting Started With the ThreatConnect

Splunk

Splunk Inc. (NASDAQ: SPLK) provides the leading software platform for real-time Operational Intelligence. Splunk® software and cloud services enable organizations to search, monitor, analyze and visualize machine-generated big data coming from websites, applications, servers, networks, sensors and mobile devices. More than 8,400 enterprises, government agencies, universities and service providers in more than 100 countries use Splunk software to deepen business and customer understanding, mitigate cybersecurity risk, prevent fraud, improve service performance and reduce cost. Splunk products include Splunk® Enterprise, Splunk Cloud™, Hunk®, Splunk MINT Express™ and premium Splunk Apps.

How Splunk Enterprise Integrates With ThreatConnect's Threat Intelligence Platform

SIEM and Analytics

ThreatConnect provides the ability to aggregate threat intelligence from multiple sources (i.e., open source, commercial, communities, and internally created), analyze and track identified adversary infrastructure and capabilities, and put that refined knowledge to work in Splunk, identifying threats targeting organizations.

The ThreatConnect App for Splunk provides Splunk users the ability to leverage customizable threat intelligence integrated into Splunk from their ThreatConnect accounts and trigger Playbooks directly from the Splunk interface. The App takes users' aggregated logs from Splunk and combines them with their threat intelligence in ThreatConnect. ThreatConnect provides context with indicators and enables their teams to easily spot abnormal trends and patterns to be able to act on them efficiently. Users can tie their data to Playbooks, ThreatConnect’s orchestration capability, to automate nearly any cybersecurity task and respond to threats faster directly from Splunk -- as well as send to other systems like Carbon Black, ServiceNow, Palo Alto, or Tenable.

How Splunk and ThreatConnect Work Together

Using Splunk for threat intelligence management, you can:

- Automate the detection of Advanced Threats in your environment: Use ThreatConnect Query Language (TQL) to tailor the data you import into Splunk. Then, you can operationalize multi-source threat intelligence.
- Reduce False Positives to save time: Use timely, tailored, and accurate threat intelligence enriched and refined from several sources, such as our Collective Analytics Layer (CAL), to reduce false positives. Use intel from ThreatConnect communities against network data and logs in Splunk Enterprise.
- Prioritize events and respond to threats as they happen: Be proactive about threats and sort each by rating and confidence scores, relationship to known threats, past incidents, adversary groups, and tags. Get an overview of all ThreatConnect matches by intelligence source and data model search from your dashboard.

How ThreatConnect Enhances Splunk

There are many reasons to incorporate Splunk into your threat intelligence feeds. Some of the ways ThreatConnect enhances Splunk include:

- Gives you the ability to apply tailored, relevant threat intelligence to your existing infrastructure
- Allows you to centralize threat intelligence
- Helps you develop process consistency
- Allows you to scale your operations
- Provides context to threat intelligence so your security team can detect abnormal patterns and trends and take immediate action.
- Allows you to easily mark false positives
- Provides the option to enrich and take action on your intel automatically
- Enables you to orchestrate security actions across your enterprise with Playbooks
- Delivers alerts to block cyber threats and respond to incidents
- Helps you correlate strategic and tactical threat intelligence with actionable machine-readable

Ensure a shared understanding of the cybersecurity risk landscape. Organizations should examine their current security measures, consider the quantifiable impact of potential security investments, and align their cybersecurity strategy with broader business objectives.

Check out ThreatConnect Buyer’s Guide for Cyber Risk Quantification Solutions to explore the different types of CRQ solutions. From semi-quantitative measurements to AI-powered solutions, CRQ techniques continue to evolve. Discover how these approaches streamline risk assessment processes and drive effective risk mitigation strategies.

Explore ThreatConnect Risk Quantifier – designed to operationalize cyber risk quantification effortlessly. ThreatConnect RQ addresses common cyber risk management challenges and paves the way for superior decision-making and strategic planning. You can take the interactive tour here or reach out to our experts for a demo!

About the Author: Anjali Chauhan

Anjali Chauhan, Content Marketing Manager at ThreatConnect, has 4 years of experience in Marketing, Content Creation, and Digital Marketing. Her passion lies in creating meaningful and impactful content. Some of Anjali's favorite hobbies include listening to music from the 80s and 90s, dancing, and spending time with her younger sister.

ThreatConnect Intelligence Anywhere – Get this

To an Indicator that exists in one of your ThreatConnect owners. If no such node is on the graph, pivot in ThreatConnect to add one.

Click View Table in the Threat Graph header to open the Graph Objects drawer.

Select objects in the table on the Graph Objects drawer using the following methods:

- Select individual objects: Select the checkbox to the left of an object’s value in the Type column to select the object.
- Select multiple objects at once: Select the checkbox to the left of the Type column header to select all objects on the current table page.

Hint: Selections on one page persist when you navigate to another page, allowing you to select items across multiple pages.

Click Selection Actions at the top left of the Graph Objects drawer and select Run Playbook….

On the Select Playbook window (Figure 1), select a Playbook by clicking in the Description column for its entry, and then click Run Playbook to run the Playbook. If you select Indicators of multiple types on the Graph Objects drawer, the Select Playbook window will show all active Playbooks containing a UserAction Trigger configured for all selected Indicator types. For example, if you select a Host Indicator and an Address Indicator in the Graph Objects drawer, the Select Playbook window will show all active Playbooks containing a UserAction Trigger configured for both Indicator types; it will not show Playbooks containing a UserAction Trigger configured for only one of the Indicator types.

Note: If you select an Indicator that does not exist in ThreatConnect in the table on the Graph Objects drawer, the Select Playbook window will show no Playbooks. However, you can run Playbooks for these Indicators by first importing them into ThreatConnect with Threat Graph’s import feature.

Note: When you select one or more objects in the table on the Graph Objects drawer, the Selected button at the top left of the table will show the current number of selected objects. To view only the objects currently selected in the table, click Selected.

Options Menu

Follow these steps to use an Indicator’s ⋯ menu in the Graph Objects drawer to run a UserAction Trigger–based Playbook for the Indicator in Threat Graph:

1. Open Threat Graph.
2. Ensure there is at least one node on the graph that corresponds to an Indicator that exists in one of your ThreatConnect owners. If no such node is on the graph, pivot in ThreatConnect to add one.
3. Click View Table in the Threat Graph header to open.

ThreatConnect Log in to your account

Data from trusted communities

- Provides built-in dashboards and reports to expedite time to value

The ThreatConnect App for Splunk allows you to integrate threat intelligence into Splunk directly from your ThreatConnect account. You can also trigger Playbooks directly from the Splunk interface. To find the app, search for either Splunk (Playbook) or Splunk (Custom Trigger) in the ThreatConnect App Catalog. You can also find the app in Splunkbase as ThreatConnect App for Splunk.

Contact Us Today to Learn More About Splunk Threat Intelligence

Using the ThreatConnect App for Splunk, you can apply relevant threat intelligence to your infrastructure, mark false positives, and take immediate and automatic action on your intel. Request a demo today to learn more.

Built by ThreatConnect

Splunk Attack Analyzer (Malware Analysis)

The Polarity Integration searches the Splunk Attack Analyzer API for Attack Chain data for Domains, URLs, IPs, SHA256 Hashes and MD5 Hashes for phishing related activity and a Score Assessment.

Built by Polarity

Splunk with Polarity (Incident Response and Ticketing, SIEM and Analytics, Threat Intelligence)

Polarity's Splunk integration allows a user to connect and search a Splunk Enterprise or Splunk Cloud instance with a customized search string. Additionally, the integration supports running an "Index discovery" meta search, as well as Splunk KVStore data. This enables analysts to quickly run their Splunk searches without having to pivot from what they are working on.

The Polarity - Splunk integration can be installed multiple times to support running multiple different searches across different indexes.

Examples

Splunk Searches

- Summary Tags: The summary tags for Splunk are completely customizable by you or your Polarity Admin. Any returned information from a search can be added as a summary tag in the summary fields option.
- Earliest Search Time: Get a complete understanding of the search by understanding the time frame the search uses.
- Data from Search: In this section you can view the data that comes back from the search that was specified in the integration. This data will change depending on the index searched. You can view the data multiple ways: in field form, JSON form, table form or source form.

Splunk Index Searches

- Summary Tags: When using the Splunk integration for index discovery metasearch capability, the Polarity summary tags inform users on the number of indexes the indicator is located in.
- Index Information: When looking at the details view in Polarity, users can see the index information the indicator is in and then pivot out to the index for further investigation.

Built by Polarity

Splunk SOAR with Polarity (Incident Response and Ticketing, Security Operations, Threat Intelligence)

The Polarity - Splunk SOAR integration enables analysts to quickly query indicators in Splunk SOAR to determine if it has been associated with a previous event and what the event was. The integration also enables analysts to quickly execute playbooks, allowing them to block or update information on the fly.

Examples

Splunk SOAR Data Overview - Events

- Summary Tags: When an analyst runs a search with the Splunk SOAR integration they will quickly be able to tell if the indicator searched has been associated with an

Overview

The Threat Graph feature in ThreatConnect® provides a graph-based interface that you can use to discover, visualize, and contextualize associations and relationships between Indicators, Groups, Cases, and Tags. The Run Playbook… option in Threat Graph, available for Indicators that exist in ThreatConnect only, lets you run UserAction Trigger–based Playbooks for Indicators, allowing you to perform automated analysis of Indicators without needing to leave Threat Graph. You may access the Run Playbook… option in two places in Threat Graph: an Indicator node’s menu and the Graph Objects drawer.

Before You Start

User Roles

To run Playbooks in Threat Graph, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.

Prerequisites

To run Playbooks in Threat Graph, turn on Playbooks for your ThreatConnect instance (must be a System Administrator to perform this action).

Follow these steps to run a UserAction Trigger–based Playbook for an Indicator in Threat Graph from an Indicator node’s menu:

1. Open Threat Graph.
2. Select a node on the graph that corresponds to an Indicator that exists in one of your ThreatConnect owners. If no such node is on the graph, pivot in ThreatConnect to add one.
3. Select Run Playbook… in the node’s menu.
   Important: The Run Playbook… option will not be available for nodes corresponding to Indicators that do not exist in one of your owners.
4. On the Select Playbook window (Figure 1), select a Playbook by clicking in the Description column for its entry, and then click Run Playbook to run the Playbook. The Select Playbook window shows all active Playbooks with a UserAction Trigger configured for the Indicator’s type.

Note: To open a Playbook in the Playbook Designer, click the UserAction Trigger’s name in the Trigger Name column on the Select Playbook window.

Important: To view the results of the Playbook execution, open the Playbook in the Playbook Designer, and then open the Executions pane.

Running a Playbook From the Graph Objects Drawer

The Graph Objects drawer (Figure 2) provides two ways to run a UserAction Trigger–based Playbook for Indicators in Threat Graph:

- The Selection Actions menu (run Playbook on one or more Indicators)
- The Options (⋯) menu for an Indicator (run Playbook on one Indicator)

Selection Actions Menu

Follow these steps to use the Selection Actions menu in the Graph Objects drawer to run a UserAction Trigger–based Playbook for one or more Indicators in Threat Graph:

1. Open Threat Graph.
2. Ensure there is at least one node on the graph that corresponds

Working with ThreatConnect IOCs - help.fortinet.com

The ambiguity in the SEC guidelines was intentional but will most likely be updated in the future to be more specific.

These discussions provide valuable insights into the SEC’s cybersecurity regulations and their implications for companies. For example, ThreatConnect Risk Quantifier (RQ) helps manage these issues by illustrating financial exposure to attacks and quickly addressing the materiality question.

As secure investment planning emerges as a critical business factor, materiality thresholds become vital in determining which instances warrant attention. Adopting structured risk quantification constructs will aid businesses in making informed investment decisions. Companies face the continual challenge of measuring and appropriately conveying their assessment or outcomes to the board.

In conclusion, this webinar underlined the evolving landscape of cyber risk management in response to stringent SEC guidelines. While organizations may initially perceive these SEC regulations as burdensome, seeing them as beneficial guidelines will change their perspective. After all, the regulations aim to ensure transparency in managing cyber risks, promote best practices, drive investor confidence, and ultimately lead to a more secure market. Myrna and Jerry’s insights into quantifiable risk measures, internal discussion of materiality thresholds, and the value of scenario planning offer a strategic roadmap for organizations navigating these regulatory complexities. Aligning cybersecurity measures with quantifiable risk management practices not only aids in making informed security investment decisions but also fosters a stronger case in discussions with boards or during unfortunate incidents.

To get started on your cyber risk quantification journey – explore tools and frameworks that enable risk quantification and engage with leadership to

