Skip to main content
Download the Buyer’s Guide for Cyber Risk Quantification Solutions
Download Guide
Request a Demo

ThreatConnect and Cherwell: Better Record Management

ThreatConnect has released a Playbook App for joint customers to leverage Cherwell.  Cherwell is a comprehensive IT service desk solution for enterprise IT services and support. With the new Cherwell Playbook App, you can easily automate more tedious tasks, or create and manage incident records between Cherwell and ThreatConnect.

ThreatConnect and Cherwell: Better Record Management
Cherwell Service Management


This integration consists of a single Playbook app that will allow these actions:

  • Get Record – Retrieve Record
  • Create Record – Create a new Record
  • Update Record – Update an existing Record
  • Search Records – Search for a specific Record
  • Add Record Note – Create a note on a Record
  • Add Record Attachment – Upload an attachment to a record using a Business Object ID and record ID
  • Advanced Request – Advanced actions

Through this integration, the following capabilities are now available: 

Managing Records

  • As part of a security investigation, it may be necessary to create, retrieve, or update an Incident Record for another team to track work; such as an infrastructure change request.  The Create Record action can be used to create the Record in Cherwell as well as link it back to a Case in ThreatConnect. 

Record Investigation and Enrichment

  • During an investigation, you may want to download recent records from Cherwell and continue the investigation in ThreatConnect by using Workflow. With Playbooks, you can enrich the investigation by updating the record in Cherwell with further context to help prioritize response efforts.  

Cross-Team Collaboration

  • Cross-team collaboration is a fundamental part of security operations but can be challenging across disparate software applications. Now you can automate any collaboration process by creating Playbooks to do things like: 
  • Creating a record for a firewall team to put in a block at the network
  • Creating a record to have a vulnerability team patch a host 
  • A multitude of other similar security processes that require records and teamwork to ensure everyone is working with efficiency and transparency as necessary.

Intel Collection 

  • You may find that you want to bring certain types of closed records into ThreatConnect to be stored as Intelligence. Your internal incidents are one of your best sources of intelligence, and collecting this intelligence is invaluable. Automate the collection of this intelligence by creating a Playbook to query an incident from your platform in ThreatConnect. This enables you to associate all correlated intelligence and provide it to your team at their fingertips. 


Together, ThreatConnect and Cherwell help security teams easily manage records from ThreatConnect. If you’re a ThreatConnect customer, please reach out to your dedicated Customer Success Team for more information on deploying the Cherwell Apps. If you’re not yet a customer and are interested in ThreatConnect and this integration, please contact us at

About the Author


By operationalizing threat and cyber risk intelligence, The ThreatConnect Platform changes the security operations battlefield, giving your team the advantage over the attackers. It enables you to maximize the efficacy and value of your threat intelligence and human knowledge, leveraging the native machine intelligence in the ThreatConnect Platform. Your team will maximize their impact, efficiency, and collaboration to become a proactive force in protecting the enterprise. Learn more at