Cybersecurity Heroes Wield the Power of ThreatConnect


Why ThreatConnect Version 4.4 Is Your Cybersecurity Excalibur

I believe that cybersecurity professionals are heroes. I mean it: SOC analysts, intel analysts, incident responders – they’re heroes in the true mythological sense. Let me explain and you’ll see why I’m not just blowing smoke.

The Hero’s Journey

In Hero with a Thousand Faces, Joseph Campbell describes an archetypal “hero’s journey” that heroes in myths undertake. This journey is common to many myths across countless cultures around the world, from Odysseus to King Arthur to Luke Skywalker. Campbell divides the journey into phases. First is the “Departure”: the hero gets a “Call to Adventure,” a message or event that acts as a call to head off into the unknown. Think Dorothy getting blown away by the tornado to Oz, or Artoo Detoo and See Threepio showing up on Luke’s doorstep…

…or a SIEM alert with an unknown indicator.

Eventually, after a series of trials, the hero comes to an “Ordeal” where they descend into a labyrinthine underworld where they come face-to-face with a great evil and learn some profound truth. Luke learns that Darth Vader is his father; Arthur uncovers the secret of the Grail; and Dorothy learns there’s no place like home…

…or discovering that the indicator is associated with a known adversary with known attack patterns or exploits.

The hero’s discovery is transformative and grants them immense power. The final phase is the “Return,” where they journey back home and use this newfound power to help their compatriots. Luke returns to Tatooine, a full-fledged Jedi, to rescue Han Solo. Odysseus recovers his homeland. The Hobbits free the Shire.

…or re-prioritizing the patch schedule and setting up blocking rules based on the uncovered exploits.


Here’s how the mythologist Joseph Campbell sums it all up:
A hero ventures forth from the world of common day into a region of supernatural wonder: fabulous forces are there encountered and a decisive victory is won: the hero comes back from this mysterious adventure with the power to bestow boons on his fellow man.

Now think about it in terms of cybersecurity…


Cybersecurity Heroes

The Call to Adventure. SOC analysts, intel analysts, incident responders: they get alerts, they get tickets, they get notifications, and then the adventure begins.

The Ordeal. It’s time to address the alert!


As Campbell puts it:

The passage of the mythological hero… is inward—into depths where obscure resistances are overcome, and long lost, forgotten powers are revivified, to be made available for the transfiguration of the world.

Inward, obscure resistance – sounds like the obstacles cybersecurity pros need to deal with! Wading through SIEM logs, working with fragmented tools, reverse-engineering malware.

Finally, the hero must Return. Blocking indicators, patching machines, writing YARA rules: all are only possible because of the wisdom and power the analyst gained as part of their journey.

Campbell continues:
Having found… enlightenment in the other world, the hero [must] return to the ordinary world to bestow the boon onto his fellow man.

The more adversaries the hero thwarts, the more adventures they go on, the more powerful they become. Every phishing email, SIEM alert, and IR ticket is an adventure that grows the knowledge of the cyberdefender.


The Hero’s Journey: Luke Skywalker and Cybersecurity

Departure / Call to Adventure
  • Luke Skywalker: “Help me, Obi-Wan Kenobi. You’re my only hope.”
  • Cybersecurity: “Looks like a high priority SIEM alert.”
  • Cybersecurity: “We just got an email in our malware inbox and a task to investigate.”

The Ordeal
  • Luke Skywalker: “I am your father.”
  • Cybersecurity: “Looks like they’re trying to exploit CVE-1138.”
  • Cybersecurity: “This is the same malware family that got in last week.”

The Return
  • Luke Skywalker: “I am a Jedi. Like my father before me.”
  • Cybersecurity: “I’m going to recommend we shift priorities in our patch schedule.”
  • Cybersecurity: “I’m going to tweak the YARA rule we set up for this.”


Supernatural Aid

There are countless other parallels, but there’s one in particular I want to focus on: heroes have help. They encounter wizened mentors like Merlin and Obi-Wan Kenobi. Often, these mentors bestow powerful supernatural artifacts and talismans upon the heroes: Excalibur, a lightsaber, ruby slippers.



“An elegant weapon… for a more civilized age.”

Cybersecurity heroes have help, too: malware sandboxes, enrichment tools, and mentors. But there’s one magical artifact that trumps them all: ThreatConnect. One platform that brings all the other tools together. And it’s just been imbued with more power than ever with the release of ThreatConnect version 4.4.

Custom Indicator Types

Very often, the artifact the hero receives is a perfect match to the evil they’re going to face, even if they might not know why they need it yet: Luke gets a lightsaber to battle the Sith, Perseus gets Athena’s polished shield to fight Medusa, and Harry Potter gets the Deathly Hallows to resist Voldemort. And now, with ThreatConnect 4.4, you’re armed with the perfect counter to the threats you’re facing with Custom Indicator Types.


The gods gave Perseus exactly what he needed. So does ThreatConnect.

Out of the box, ThreatConnect has always supported Addresses, Hosts, Email Addresses, File Hashes, and URLs. Now, customers with an on-prem or dedicated cloud license of ThreatConnect can support whatever indicator types they need: Registry Keys, Mutexes, Autonomous System Numbers (ASNs), and even highly purpose-driven indicator types like credit card numbers for use by anti-fraud teams. The critical piece is that you can define things like validation rules and custom attributes, and even associate different indicators together.


Create your own Indicator types and use ThreatConnect as your system of record.

You have total control over the weapons you wield in ThreatConnect.

Revamped Browse Screen

Sometimes, the hero needs to metaphorically “die” in order to unlock their true power. In The Matrix, Neo has to die before he becomes the One. Aeneas dies by descending into the underworld to receive a vision of the future of Rome. And ThreatConnect’s old Browse Screen has died to be replaced by something far more powerful.



The old gives way to the Neo.

One of the core features of the ThreatConnect platform is the ability to browse the data that’s come in either from your analysts and intel team or from open source and premium intel feeds. In 4.4, we’ve significantly reduced the number of clicks it takes to extract meaningful data from the platform and made it easier than ever to find what you’re looking for. Here are just a few of the improvements we’ve made to the Browse Screen.


Search by nearly any field in ThreatConnect: including ones you create.


  • Search by custom fields
  • Bookmark your searches
  • View multiple data types at once
  • Perform advanced searches and complex queries
  • Browse by new fields like Observations, False Positives, and Tags
  • View associated Indicators and Intelligence without leaving the Browse Screen


Nearly everything the hero needs to fight evil – on one page.

STIX Parser

Heroes have help. Luke has Han and Chewie. The Avengers have each other. Jason had his Argonauts. Cybersecurity heroes have a global host of compatriots enabled with common standards for sharing, like STIX. In ThreatConnect 4.4, our platform is now even more open to the world of STIX with the introduction of our STIX parser.


The original Styx taxi. 

We’ve changed how STIX feeds are set up so that our STIX parsing capability can now be extended via Apps. Among other things, this allows users to install STIX parsers (i.e. for different STIX feeds). The Software Development Kit (SDK) has also been updated to support this new functionality.


ThreatConnect’s STIX parser lets you connect to just about any STIX feed. No need to pay Charon.

Continue Your Hero’s Journey

Heroes of cybersecurity: This is your hour! Draw the sword of ThreatConnect and go do glorious battle and return with even greater power. The number of new features we’ve added in version 4.4 is beyond the scope of this post: Incident Status management, Associated Intelligence, multiple API improvements, and much more. For a full copy of the release notes, please contact For product feedback, please contact me directly at



Dan Cole
About the Author

Dan Cole, Director of Product Management at ThreatConnect, has spent the last decade as a product manager working to create awesome software that gets to the core of solving the unique problems faced by a myriad of industry verticals. From large financial and insurance providers, to global telecom carriers, to federal agencies, Dan believes that the right software can free companies and users to focus on and enable their key missions.