Find Relevant Intelligence and Stay “In the Know”
TC Open™ is the free edition of ThreatConnect. It gives you access to intelligence from many open sources (OSINT), all aggregated in one place under a unified framework.
One of the most valuable sources is our “Technical Blogs and Reports” source, which scans hundreds of popular threat intelligence and security blogs and makes them easily searchable and actionable in TC Open.
A sampling of some of the sources available in TC Open
See 10 things security analysts can do in TC Open:
- Search OSINT for intel on indicators, CVEs, and adversaries
- Check out the latest intel from your favorite security blogs
- Find Indicators related to a specific malware family or CVE
- Subscribe to your favorite intel topics
- Scan a text file to uncover relevant intel
- Download a PDF report and share it
- Export indicators for use in another tool or for further analysis
- Grab some Snort and YARA rules you can use immediately
- Create some daily or weekly habits using dashboards
- Explore and contribute to our Common Community
Search OSINT for intel on indicators, CVEs, and adversaries
Click the magnifying glass in the upper right of any page in ThreatConnect. Enter an indicator* of compromise, the name of an adversary, a malware family, a CVE, and more. Get results!
From here, click “Technical Blogs and Reports” to get some context on this indicator.
It’s a scam!
Even if our free sources don’t return results, we’ll provide you links to dozens of popular enrichment sources so that your search doesn’t have to end.
Click an Investigation Link to uncover more about an Indicator, or select “Open All” to view them all at once.
*Supported Indicators include IP Address, Host/Domain, URL, File Hash (MD5, SHA1, SHA256), Email Address, CIDR, ASN, User Agent, Mutex, and Registry Key.
Check out the latest intel from your favorite security blogs
Our Technical Blogs and Reports source (a/k/a “Tech Blogs”) collects data from hundreds of popular security blogs and turns it into MRTI in ThreatConnect. To see what’s new, select “Browse” from the main navigation menu, select “Technical Blogs and Reports” from the My ThreatConnect dropdown, then sort by date added.
Browse is a tabular view of all the intelligence you can access in ThreatConnect. Using the options on this page, you can filter on Indicators, Adversaries, Incidents, and more. The OSINT Dashboard (available from the “Dashboard” dropdown in the main menu) also shows the latest intel reports from Tech Blogs.
A sampling of some of the blogs we collect. You can request new ones by emailing firstname.lastname@example.org
Find Indicators related to a specific malware family or CVE
Tags in ThreatConnect let us effectively categorize intel. Popular tags include specific CVEs, malware families, industry, and much more. You can filter the Browse screen by Tag by clicking the “Filters” button, entering a Tag (or Tags!) and clicking “Apply.”
All Incidents tagged “coinhive.”
You can also select the “Tags” option on the Browse screen to view a list of all Tags available to you, drill down on the Tag, and see all related intelligence.
Coinhive is a busy malware.
Subscribe to your favorite intel topics
If there’s a Tag you’re interested in, we’d recommend Following it so you can get notified whenever something new comes in. It’s like subscribing to a topic across dozens of blogs instead of just following one blog. Just click the “Follow” option in the upper right when viewing the details of a particular Tag or other piece of intelligence.
Try it! Check out the [coinhive] Tag and click “Follow Item”.
You can click on the Notification bell in the main navigation to adjust your notification preferences, e.g. instant email vs digest email.
Scan a text file to uncover relevant intel
Search lets you look for more than just one indicator or adversary or incident at a time: you can upload an entire file and have ThreatConnect scan it for indicators. For example, if you have a log file that’s full of IP addresses (among other things), just save it as a text file; ThreatConnect will recognize the IPs and correlate them to known intelligence.
Correlations between a log file and intelligence in ThreatConnect
Download a PDF report and share it
Indicators of Compromise are the atomic units of threat intelligence, and in ThreatConnect the “molecules” – the higher level objects like Adversary, Incident, Campaign, etc. – are called “Groups.” You can find Groups be selecting the Groups option on the Browse screen. Once you’ve opened up a Group, you can download it as a PDF report. This can be shared with colleagues or retained for future use.
Export indicators for use in another tool or for further analysis
Any data you find on the Browse screen can be exported to a CSV. For example, you can take all of the Indicators related to a particular CVE and export them for blocking and analysis. Or you can take all Indicators (up to 5,000 at a time) tied to an Adversary and graph them in a dataviz tool like Tableau to show activity over time.
An adversary activity report we created in Tableau from data exported for free from ThreatConnect.
Grab some Snort and YARA rules you can use immediately
Most of the intelligence is the Tech Blogs source will have Snort or YARA rules/signatures associated to it. Grab one of these signatures to easily deploy intel to your EDR, network monitoring, or threat hunting tools.
This Incident can be acted on pretty quickly.
Create some daily or weekly habits using dashboards
TC Open users get access to four free dashboards, accessible from the Dashboard dropdown on the main nav. Each dashboard presents some interesting opportunities for creating some daily habits that can make you a better security professional. See this blog for more on the importance of habits in security. Here are just a few suggested habits you can get into using these dashboards:
- My Dashboard – Once a week, take a look at some of the items in “My Recent History.” How have they changed? Has any new intel been uncovered?
- Operations Dashboard – Once a week, review the “Popular Tags” section. What’s changed? Why are different things trending week to week?
- OSINT Dashboard – Once a day, see what’s new in Tech Blogs!
Explore and contribute to our Common Community
TC Open is not limited to just consuming intelligence – you can create your own! We believe that, like life, threat intelligence is best when shared. We’ve written a lot on sharing in our Common Community, but in a nutshell: you can add Indicators and Groups, tell a story around an Incident or an Adversary, and most importantly get additional context from other TC Open users. And of course, you can Browse what others are doing and collaborate with them!