
Higher Fidelity Investigations with Actionable Search, TQL Generator, and More in TI Ops 7.8

When a critical alert lands on your desk, every second counts. Whether you’re triaging flagged IPs, investigating APT activity, or gathering intelligence for a report, the pressure to act quickly and accurately can feel relentless. The reality is clear: manual investigations are too slow, and incomplete data leaves room for error. You need tools that cut through the noise, streamline processes, and give you actionable insights—fast.

ThreatConnect TI Ops 7.8 introduces tools that help streamline investigations and eliminate bottlenecks. Bulk indicator searches, plain-language query generation with the TQL Generator, and integrated AbuseIP enrichment provide the insights we need faster. Features like Intel 360 enable better collaboration, ensuring our intelligence is actionable and validated. With these updates, we can focus on prioritizing and responding to threats more efficiently, improving outcomes while reducing manual effort.

Unleashing the Power of Actionable Search

As a security analyst, you may receive escalated alerts from your SIEM and other tools, including hundreds of flagged IP addresses and domains tied to potential malicious activity. Investigating data manually can be overwhelming (and boring!), and delays could give attackers more time to cause harm (and burn out analysts in the process!).

With Actionable Search, you can bulk import indicators that you get from other tools or colleagues and immediately see enriched data for each one. Advanced filters allow you to refine results based on dates, threat scores, and other critical criteria, helping you focus on the most pressing threats. Duplicate indicators are automatically removed, giving you a clean and actionable dataset.

Key Features:

  • Bulk IOC Searches: Quickly analyze hundreds of indicators at once.
  • Advanced Filtering: Pinpoint the most relevant threats with precision.
  • Comprehensive Enrichment: Access detailed insights about each indicator for faster decisions.

By automating time-consuming tasks, Actionable Search gives you the context to act swiftly, helping you protect your organization with confidence and efficiency. Upcoming features will enable bulk actions like tagging, updating owners, adding notes, and exporting results in one step. Also, look for unstructured imports from PDFs and DOC files and a unified view of IoCs across multiple owners to enhance collaboration and visibility.
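The bulk import, de-duplication and date/score filtering described above, shown as an added Python example (this is not ThreatConnect's own code and does not use its API): it normalises a pasted list of mixed indicators, collapses defanged and differently-cased duplicates, and keeps only those whose enrichment record meets a score and recency threshold. The pasted indicators, the enrichment table and the thresholds are all constructed sample data standing in for what a platform would return.

```python
"""Bulk IOC triage: normalise, de-duplicate and filter a pasted indicator list.

Added example, not ThreatConnect code. The enrichment table below is constructed
sample data standing in for what a platform would return per indicator.
"""
import ipaddress
import re
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed input: the kind of blob an analyst pastes from a SIEM alert or an e-mail.
RAW_IOCS = """
198.51.100.23
198.51.100[.]23
hxxp://evil-example[.]test/login
EVIL-EXAMPLE.test
203.0.113.9, 203.0.113.9
44d88612fea8a8f36de82e1278abb02f
44D88612FEA8A8F36DE82E1278ABB02F
not an indicator
"""

# Constructed enrichment: a 0-100 threat score and last-seen date per normalised indicator.
ENRICHMENT: Dict[str, dict] = {
    "198.51.100.23": {"score": 85, "last_seen": date(2024, 12, 1)},
    "evil-example.test": {"score": 60, "last_seen": date(2024, 6, 15)},
    "203.0.113.9": {"score": 10, "last_seen": date(2024, 11, 20)},
    "44d88612fea8a8f36de82e1278abb02f": {"score": 95, "last_seen": date(2024, 11, 28)},
}

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def refang(token: str) -> str:
    """Undo common defanging so the same IOC written two ways collapses to one value."""
    token = token.strip().strip(";\"'")
    token = token.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    # Reduce a URL to its host: the host is the unit that gets enriched.
    token = re.sub(r"^https?://", "", token, flags=re.IGNORECASE)
    token = token.split("/")[0]
    return token.lower()


def classify(token: str) -> Optional[str]:
    """Return 'ip', 'domain', 'hash' or None for text that is not an indicator."""
    try:
        ipaddress.ip_address(token)
        return "ip"
    except ValueError:
        pass
    if HASH_RE.match(token):
        return "hash"
    if DOMAIN_RE.match(token):
        return "domain"
    return None


def parse_bulk(raw: str) -> List[Tuple[str, str]]:
    """Split a pasted blob on whitespace/commas, normalise, classify and de-duplicate.

    Order of first appearance is preserved so the result is easy to compare to the input.
    """
    seen = set()
    out: List[Tuple[str, str]] = []
    for piece in re.split(r"[\s,]+", raw):
        if not piece:
            continue
        value = refang(piece)
        kind = classify(value)
        if kind is None or value in seen:
            continue
        seen.add(value)
        out.append((kind, value))
    return out


def triage(raw: str, enrichment: Dict[str, dict], min_score: int, since: date) -> List[dict]:
    """Attach enrichment and keep indicators scoring at least min_score and seen on/after since."""
    rows = []
    for kind, value in parse_bulk(raw):
        info = enrichment.get(value)
        if info is None:
            continue  # unknown to the platform; a real workflow would surface these separately
        if info["score"] >= min_score and info["last_seen"] >= since:
            rows.append({"type": kind, "indicator": value, **info})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def triage_sample() -> List[dict]:
    """Run the constructed sample with a fixed cut-off so the result is reproducible."""
    return triage(RAW_IOCS, ENRICHMENT, min_score=50, since=date(2024, 11, 1))


if __name__ == "__main__":
    print("unique indicators:", parse_bulk(RAW_IOCS))
    for row in triage_sample():
        print(f'{row["score"]:3d}  {row["type"]:6s}  {row["indicator"]}  (last seen {row["last_seen"]})')
```

The eight pasted lines collapse to four unique indicators, and the score/recency filter leaves two: the hash and the first IP. The domain is dropped for age and the second IP for its low score, which is the kind of cut the advanced filters in the section above apply.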

Simplifying Queries with the TQL Generator

Analysts need to search for a lot of things: APT insights, the latest vulnerabilities, which indicators georesolve to China in the past three months with a malware tag, and so on. Crafting queries in formats like SQL, SPL, and others can feel daunting, especially if you are not yet familiar with the syntax.

Until now, that included our own ThreatConnect Query Language (TQL). With the new TQL Generator, you can type your query in plain language, such as “Find all Malware related to APT28 that has activity causing it to be updated in the last week.” The feature automatically translates your input into the correct TQL syntax, runs the query, and delivers the data you need in seconds.

Why You’ll Love It:

  • Ease of Use: Eliminate the hassle of learning complex syntax.
  • Time Savings: Execute accurate queries instantly.
  • Improved Access: Quickly uncover the intelligence needed to make informed decisions.

The TQL Generator removes barriers to querying, allowing you to focus on what matters—analyzing data and acting on threats. We expect future iterations of the feature to include adversary alias information and more.

Built-In Enrichment with AbuseIP

ThreatConnect 7.8 includes a new, built-in AbuseIP integration that ensures you have easy access to critical IP intelligence. Without creating manual playbooks or searching multiple websites, you can assess IP addresses with confidence using data such as confidence scores, ISP details, and geographical locations.

This streamlined access allows you to make faster decisions, improving your team’s ability to identify and respond to potential threats.

Enhanced Collaboration with Intel 360

Feedback and validation are critical components of the Evolved Threat Intelligence Lifecycle, ensuring that intelligence is actionable, relevant, and continually improved. ThreatConnect 7.8 introduces Intel 360, an ongoing initiative designed to facilitate this crucial step by enabling interactive feedback on intelligence reports.

With Intel 360, users can provide ratings and comments on reports, offering valuable insights that foster collaboration and enhance the quality of intelligence over time. This interactive mechanism helps analysts validate findings, refine intelligence products, and build trust across teams.

By incorporating Intel 360 into your workflow, ThreatConnect ensures that feedback isn’t just an afterthought—it’s a core part of the intelligence process, empowering your team to work with the most accurate and impactful insights. This release includes the ability for stakeholders to review Reports available to them in ThreatConnect, which makes it easier to collect feedback from the people consuming finished intelligence. In a future ThreatConnect release, we intend to add more functionality to the Intel 360 feature set, including the ability to collect metrics on the feedback submitted, adjust the priority of Intelligence Requirements based on stakeholder feedback, and support additional object types beyond Reports. One of the goals of this effort is ultimately to help ThreatConnect users measure the effectiveness of the threat intelligence they produce, so they can spend their time and resources on the things that will be most impactful to their organizations.

ATT&CK v16 Update

ThreatConnect has enhanced its platform with the MITRE ATT&CK 16.0 update, which includes 19 new techniques like “Adversary-in-the-Middle: Evil Twin” and “Event Triggered Execution: Udev Rules,” 33 new software entries, and more. Customers can leverage these updates through features like the ATT&CK Visualizer, Document Import, the new Doc Analysis Playbook, and other features to help visualize relationships and streamline intelligence processes.

Other Key Enhancements

  • Hourly Updates for ThreatConnect’s Automated Threat Library (ATL): Multiple blogs are now updated hourly for quicker access to critical insights.
  • Details Page Updates: Easily copy and share data without reverting to legacy views, improving workflow efficiency.
  • Hyperlinks in Reports: Add and manage hyperlinks in various report sections, enhancing usability and clarity.

Why ThreatConnect 7.8 is Built for You

With its focus on usability, efficiency, and actionable insights, ThreatConnect 7.8 addresses your daily challenges. Tools like Actionable Search and the TQL Generator eliminate tedious processes, giving you more time to focus on strategic tasks. Features like AbuseIP integration and Intel 360 help you collaborate and act confidently.

Stay one step ahead of threats and empower your team to work smarter. Explore ThreatConnect TI Ops Platform 7.8 today!

About the Author

Dan McCorriston

Dan McCorriston is a Senior Product Marketing Manager for ThreatConnect. He is passionate about technology, collaborating with developers, identity, and cybersecurity. Out of the office, he likes to hike, cook and spend time with his family.