
10 Things Security Analysts Can Do for Free in TC Open

Find Relevant Intelligence and Stay "In the Know"

TC Open™ is the free edition of ThreatConnect. It gives you access to intelligence from many open sources (OSINT), all aggregated in one place under a unified framework.

One of the most valuable sources is our "Technical Blogs and Reports" source, which scans hundreds of popular threat intelligence and security blogs and makes them easily searchable and actionable in TC Open.

A sampling of some of the sources available in TC Open

See 10 things security analysts can do in TC Open:

  1. Search OSINT for intel on indicators, CVEs, and adversaries
  2. Check out the latest intel from your favorite security blogs
  3. Find Indicators related to a specific malware family or CVE
  4. Subscribe to your favorite intel topics
  5. Scan a text file to uncover relevant intel
  6. Download a PDF report and share it
  7. Export indicators for use in another tool or for further analysis
  8. Grab some Snort and YARA rules you can use immediately
  9. Create some daily or weekly habits using dashboards
  10. Explore and contribute to our Common Community

Search OSINT for intel on indicators, CVEs, and adversaries

Click the magnifying glass in the upper right of any page in ThreatConnect. Enter an indicator* of compromise, the name of an adversary, a malware family, a CVE, and more. Get results!

From here, click "Technical Blogs and Reports" to get some context on this indicator.

It's a scam!

Even if our free sources don't return results, we'll provide you links to dozens of popular enrichment sources so that your search doesn't have to end.

Click an Investigation Link to uncover more about an Indicator, or select "Open All" to view them all at once.

*Supported Indicators include IP Address, Host/Domain, URL, File Hash (MD5, SHA1, SHA256), Email Address, CIDR, ASN, User Agent, Mutex, and Registry Key.

Check out the latest intel from your favorite security blogs

Our Technical Blogs and Reports source (a/k/a "Tech Blogs") collects data from hundreds of popular security blogs and turns it into machine-readable threat intelligence (MRTI) in ThreatConnect. To see what's new, select "Browse" from the main navigation menu, select "Technical Blogs and Reports" from the My ThreatConnect dropdown, then sort by date added.

Browse is a tabular view of all the intelligence you can access in ThreatConnect. Using the options on this page, you can filter on Indicators, Adversaries, Incidents, and more. The OSINT Dashboard (available from the "Dashboard" dropdown in the main menu) also shows the latest intel reports from Tech Blogs.

A sampling of some of the blogs we collect. You can request new ones by emailing research@threatconnect.com

Find Indicators related to a specific malware family or CVE

Tags in ThreatConnect let us effectively categorize intel. Popular tags include specific CVEs, malware families, industry, and much more. You can filter the Browse screen by Tag by clicking the "Filters" button, entering a Tag (or Tags!) and clicking "Apply."

All Incidents tagged "coinhive."

You can also select the "Tags" option on the Browse screen to view a list of all Tags available to you, drill down on the Tag, and see all related intelligence.

Coinhive is a busy malware.

Subscribe to your favorite intel topics

If there's a Tag you're interested in, we'd recommend Following it so you can get notified whenever something new comes in. It's like subscribing to a topic across dozens of blogs instead of just following one blog. Just click the "Follow" option in the upper right when viewing the details of a particular Tag or other piece of intelligence.

Try it! Check out the [coinhive] Tag and click "Follow Item".

You can click on the Notification bell in the main navigation to adjust your notification preferences, e.g. instant email vs digest email.

Scan a text file to uncover relevant intel

Search lets you look for more than just one indicator or adversary or incident at a time: you can upload an entire file and have ThreatConnect scan it for indicators. For example, if you have a log file that's full of IP addresses (among other things), just save it as a text file; ThreatConnect will recognize the IPs and correlate them to known intelligence.

Correlations between a log file and intelligence in ThreatConnect
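The log-file scan described above (and the CSV export covered under "Export indicators" further down) comes down to pulling indicators out of free text and matching them against an intel set. This added Python example is not ThreatConnect's code: it extracts a handful of the supported indicator types from constructed log lines and correlates them against a constructed intel mapping; the regexes, the `KNOWN_INTEL` mapping and the sample log are all assumptions made for illustration.

```python
import csv
import io
import re

# Patterns for a subset of the indicator types TC Open supports; they run in this
# order and each match is blanked out, so an e-mail's domain is not re-reported as a host.
PATTERNS = [
    ("sha256", re.compile(r"\b[0-9a-f]{64}\b", re.I)),
    ("sha1", re.compile(r"\b[0-9a-f]{40}\b", re.I)),
    ("md5", re.compile(r"\b[0-9a-f]{32}\b", re.I)),
    ("email", re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
    ("ipv4", re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("host", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]

def extract_indicators(text):
    """Return (type, value) pairs for every indicator found in text."""
    found = []
    for itype, pattern in PATTERNS:
        found.extend((itype, m.group(0).lower()) for m in pattern.finditer(text))
        text = pattern.sub(lambda m: " " * len(m.group(0)), text)
    return found

# Constructed stand-in for the aggregated OSINT feeds: indicator -> Tag.
KNOWN_INTEL = {
    "198.51.100.23": "coinhive",
    "coin-hive.example": "coinhive",
    "d41d8cd98f00b204e9800998ecf8427e": "test-sample",
}

def correlate(log_text, intel=KNOWN_INTEL):
    """Match extracted indicators against the intel set, one row per distinct hit."""
    hits, seen = [], set()
    for itype, value in extract_indicators(log_text):
        if value in intel and value not in seen:
            seen.add(value)
            hits.append({"type": itype, "indicator": value, "tag": intel[value]})
    return hits

def to_csv(hits):
    """Render hits as CSV, the shape you would hand to a blocking tool."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["type", "indicator", "tag"])
    writer.writeheader()
    writer.writerows(hits)
    return buf.getvalue()

SAMPLE_LOG = """\
2019-03-04T10:01:02Z proxy allow 10.0.0.5 -> 198.51.100.23 GET /miner
2019-03-04T10:01:07Z dns query coin-hive.example from 10.0.0.5
2019-03-04T10:02:11Z mail from ops@corp.example md5=d41d8cd98f00b204e9800998ecf8427e
"""  # constructed sample log lines, not real traffic
```

Running `print(to_csv(correlate(SAMPLE_LOG)))` yields three rows: the MD5, the proxy destination IP and the DNS query host, each with the Tag it was reported under.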

Download a PDF report and share it

Indicators of Compromise are the atomic units of threat intelligence; in ThreatConnect the "molecules" (the higher-level objects like Adversary, Incident, Campaign, etc.) are called "Groups." You can find Groups by selecting the Groups option on the Browse screen. Once you've opened up a Group, you can download it as a PDF report. This can be shared with colleagues or retained for future use.


Export indicators for use in another tool or for further analysis

Any data you find on the Browse screen can be exported to a CSV. For example, you can take all of the Indicators related to a particular CVE and export them for blocking and analysis. Or you can take all Indicators (up to 5,000 at a time) tied to an Adversary and graph them in a dataviz tool like Tableau to show activity over time.

An adversary activity report we created in Tableau from data exported for free from ThreatConnect.

Grab some Snort and YARA rules you can use immediately

Most of the intelligence in the Tech Blogs source will have Snort or YARA rules/signatures associated with it. Grab one of these signatures to easily deploy intel to your EDR, network monitoring, or threat hunting tools.

This Incident can be acted on pretty quickly.

Create some daily or weekly habits using dashboards

TC Open users get access to four free dashboards, accessible from the Dashboard dropdown on the main nav. Each dashboard presents opportunities for building daily habits that can make you a better security professional. See this blog for more on the importance of habits in security. Here are just a few suggested habits you can get into using these dashboards:

  • My Dashboard - Once a week, take a look at some of the items in "My Recent History." How have they changed? Has any new intel been uncovered?
  • Operations Dashboard - Once a week, review the "Popular Tags" section. What's changed? Why are different things trending week to week?
  • OSINT Dashboard - Once a day, see what's new in Tech Blogs!

Explore and contribute to our Common Community

TC Open is not limited to just consuming intelligence: you can create your own! We believe that, like life, threat intelligence is best when shared. We've written a lot on sharing in our Common Community, but in a nutshell: you can add Indicators and Groups, tell a story around an Incident or an Adversary, and most importantly get additional context from other TC Open users. And of course, you can Browse what others are doing and collaborate with them!

ABOUT THE AUTHOR

Dan Cole, Director of Product Management at ThreatConnect, has spent the last decade as a product manager working to create awesome software that gets to the core of solving the unique problems faced by a myriad of industry verticals. From large financial and insurance providers, to global telecom carriers, to federal agencies, Dan believes that the right software can free companies and users to focus on and enable their key missions.