Take a Deep Dive into ThreatConnect’s Workflow Capabilities

Interested in learning more about ThreatConnect’s Workflow capability for case management? With Workflow, you can continuously improve security processes with a single Platform for process documentation, team collaboration, and artifact enrichment.

Sure, tell me more…
In our most recent product release, we added the Workflow capability to our Platform, which enables analysts and their teams to define and operationalize consistent, standardized processes for managing threat intelligence and performing security operations. This function is essential in any security orchestration, automation and response (SOAR) platform. Analysts and administrators can use Workflow to investigate, track, and collaborate on information related to threats and incidents, all from within one central location in ThreatConnect. A primary use case for Workflow is case management, in which data tied to specific events and incidents are collected, distributed, and analyzed for effective and efficient completion of critical tasks.

If you didn’t see the blog article that started it all, please read: How to Build a Basic Workflow in ThreatConnect. From a simple notification email to threat-bending phishing triage, this is your first step.

Ok, what now?
We have five (5) Knowledge Base articles that provide step-by-step instructions and descriptions of how best to use ThreatConnect’s Workflow.

  • Workflow Overview – provides a high-level overview of Workflow, covering terminology and process flow.
  • Workflow Templates – demonstrates how to view and build Workflow Templates, covering topics such as how to add and configure Tasks and Phases and how to define Artifacts to be collected. Workflow Templates are codified procedures for the steps to be taken within a Case. ThreatConnect provides a set of out-of-the-box Workflow Templates via TC Exchange™, or users and administrators with the requisite permissions can create Workflow Templates from scratch.
  • Workflow Tasks – provides instruction on the features of the Tasks tab, covering viewing, assigning, removing, sorting, and filtering Tasks. The Tasks tab of the Workflow screen serves as a dashboard where users can monitor and track Tasks across all Workflow Cases in their Organization.
  • Workflow Playbooks – discusses how to create a Workflow Playbook. Workflow Playbooks are configured in a manner similar to that for Playbook Components, and they operate similarly to Playbooks in general.
  • Workflow Cases – discusses how to view, build, configure, and administer Workflow Cases. A Workflow Case is a single instance of an investigation, inquiry, or other procedure. Within a Case, manual and automated Tasks are assigned and run, Artifacts are collected, freeform notes are taken, and a timeline of all events is maintained.

If you are a current ThreatConnect customer and have questions or need help, please reach out to your customer success representative. If not, these articles are really good resources for anyone evaluating the ThreatConnect Platform.

About the Author

ThreatConnect

By operationalizing threat and cyber risk intelligence, the ThreatConnect Platform changes the security operations battlefield, giving your team the advantage over the attackers. It enables you to maximize the efficacy and value of your threat intelligence and human knowledge, leveraging the native machine intelligence in the ThreatConnect Platform. Your team will maximize their impact, efficiency, and collaboration to become a proactive force in protecting the enterprise. Learn more at www.threatconnect.com.