Integrations

The ThreatConnect® Platform was built to be open and extensible. We strive to integrate with the tools and technologies in our customers’ existing ecosystem, and work with vendors across every category to make security easy and effective.

Each entry below lists the product, its category, and the company that provides it.
Farsight Security DNSDB Playbooks
Farsight Security

Farsight Security DNSDB is the world’s largest DNS intelligence database that provides a unique, fact-based, multifaceted view of the configuration of the global Internet infrastructure. DNSDB leverages the richness of Farsight’s Security Information Exchange (SIE) data-sharing platform and is engineered and operated by leading DNS experts. Farsight collects Passive DNS data from its global sensor array. It then filters and verifies the DNS transactions before inserting them into the DNSDB, along with ICANN-sponsored zone file access download data. The end result is the highest-quality and most comprehensive DNS intelligence data service of its kind – with more than 100 billion DNS records since 2010.

Farsight DNSDB Enrichment Playbook App enables ThreatConnect Platform users to perform On-Demand Enrichment of Passive DNS using the Farsight DNSDB Enrichment source.

Recorded Future Risk List Threat Intelligence
Recorded Future

Recorded Future delivers real-time security intelligence powered by machine learning. Our patented technology automatically collects and analyzes information and provides invaluable context to lower risk. With this integration, users can ingest the IP, Domain, URL and Hash Risk Lists from Recorded Future into ThreatConnect.

Recorded Future Data Enrichment
Recorded Future
The Recorded Future Enrichment Playbook app will accept IP Address (Address), Domain (Host), and Hash (File) indicators and query the Recorded Future Connect API for on-demand enrichment of supported entities. Returned data is passed to downstream Playbook components in the form of output variables.
IntelFinder Threat Intelligence
IntelFinder

IntelFinder covers a wide variety of threats, including similar domain registration, rogue apps, leaked internal documents, leaked source code, exposed internal subdomains and much more, all provided at a fraction of the cost compared to existing services on the market. The integration includes all of the threats covered by the service, enabling ThreatConnect users to receive intelligence not normally available on threat intelligence platforms.

ThreatFabric Mobile Threat Intelligence Threat Intelligence
ThreatFabric

The ThreatFabric Mobile Threat Intelligence app allows the ingestion of the threat intelligence data provided in the ThreatFabric MTI feed into the ThreatConnect Platform.

This app was built and is supported by ThreatFabric. For more information or to install this app, please contact ThreatFabric or your ThreatConnect Customer Success Rep. 

Symantec Endpoint Detection & Response Endpoint Detection & Response
Symantec

This app allows users to perform a range of actions in Symantec EDR as part of SOC/IR processes, such as adding IOCs to Blacklists, detonating files, and isolating infected hosts during an investigation.

This is a Playbooks-only enabled integration and is now available within the ThreatConnect App Catalogue.

Symantec Endpoint Protection Endpoint Detection & Response
Symantec
The app allows users to perform multiple actions in Symantec Endpoint Protection Manager. Symantec Endpoint Protection offers a similar but slimmed-down set of capabilities compared to Symantec EDR, and the available actions reflect that.
This is a Playbooks-only enabled integration and is now available within the ThreatConnect App Catalogue.
Shodan Data Enrichment
Shodan

The Shodan app allows users to retrieve multiple types of enrichment information for IOCs and to craft custom Shodan searches that return result sets filtered on factors such as software versions, running services, and open ports. This is a useful tool for organizations to monitor their own potentially exposed and vulnerable infrastructure, among many other use cases.

This is a Playbooks-only enabled integration and is now available within the ThreatConnect App Catalogue.

Microsoft Azure Sentinel - Graph API SIEM & Analytics
Microsoft

This app allows you to automatically trigger a playbook from a Graph Change Notification for Security Alerts from Azure Sentinel, Azure Security Center, Azure Active Directory Identity Protection, Cloud App Security, Azure Advanced Threat Protection, Azure Information Protection and others. The playbook decides whether to resolve the alert automatically or open a Case for further investigation, and can write those details back to the alert for tracking.

This is a Playbooks-only enabled integration and is now available through the ThreatConnect App Catalogue.

Microsoft Office 365 - Graph API Collaboration & Messaging
Microsoft

This app enables you to automatically trigger a playbook based on a Graph Change Notification that an email has been received in a phishing mailbox in Office 365.

Additional remediation steps can be automated via the Graph Mail API.

This is a Playbooks-only enabled integration and is now available within the ThreatConnect App Catalogue.
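Both Graph-based entries above (the Azure Sentinel security-alert trigger and the Office 365 phishing-mailbox trigger) start from the same mechanism: Microsoft Graph delivers change notifications to a webhook, and the playbook is triggered from what that webhook accepts. The following is an added example, not ThreatConnect's or Microsoft's code, of the two requests such a webhook must handle before anything is trusted: the one-time subscription validation handshake and the notification POSTs, which are only accepted when their clientState matches the secret registered with the subscription. It assumes the inbound request has already been split into a query-parameter dict and a raw body; the secret EXPECTED_CLIENT_STATE and the sample traffic are constructed here.

```python
"""Added example (not ThreatConnect's or Microsoft's code): the request handling a
Microsoft Graph change-notification webhook needs before a playbook is triggered
from it.  Assumes the inbound request is already split into query parameters (dict)
and a raw body (bytes); EXPECTED_CLIENT_STATE and the sample traffic are constructed."""
import hmac
import json

# Hypothetical secret that was put in the subscription's clientState field when
# the Graph subscription was created.
EXPECTED_CLIENT_STATE = "tc-playbook-7f3a9c1e"


def handle_graph_notification(query, body, expected_client_state=EXPECTED_CLIENT_STATE):
    """Return the response the webhook should send, as a dict:
    {"status", "content_type", "body", "resources"}.  "resources" holds the
    notifications that passed the clientState check and may trigger a playbook."""
    # 1. Subscription validation.  Graph POSTs ?validationToken=<text> and expects the
    #    (URL-decoded) token echoed back as text/plain with HTTP 200 within 10 seconds;
    #    otherwise the subscription is never created.
    token = query.get("validationToken")
    if token is not None:
        return {"status": 200, "content_type": "text/plain", "body": token, "resources": []}

    # 2. Change notifications: JSON with a "value" array, one entry per change.  Only the
    #    resource path is used; the playbook fetches the alert or message itself.
    try:
        payload = json.loads(body or b"")
    except ValueError:
        return {"status": 400, "content_type": "text/plain", "body": "malformed JSON", "resources": []}
    if not isinstance(payload, dict):
        payload = {}

    accepted = []
    for item in payload.get("value", []):
        # Anyone who learns the webhook URL can POST a fake "alert".  clientState is the
        # shared secret proving the notification came from the subscription we created.
        supplied = str(item.get("clientState") or "")
        if not hmac.compare_digest(supplied.encode(), expected_client_state.encode()):
            continue
        accepted.append({
            "subscriptionId": item.get("subscriptionId"),
            "changeType": item.get("changeType"),
            "resource": item.get("resource"),
        })

    # Graph treats anything but a prompt 2xx as a delivery failure and retries, so
    # acknowledge now and let the playbook do the slow work asynchronously.
    return {"status": 202, "content_type": "text/plain", "body": "", "resources": accepted}


# Constructed sample traffic for a stand-alone run.
SAMPLE_VALIDATION_QUERY = {
    "validationToken": "Validation: Testing client application reachability for subscription Request-Id: 1234"
}
SAMPLE_NOTIFICATION_BODY = json.dumps({
    "value": [
        {   # genuine notification from our subscription
            "subscriptionId": "00000000-0000-0000-0000-000000000001",
            "clientState": EXPECTED_CLIENT_STATE,
            "changeType": "created",
            "resource": "security/alerts/abc123",
        },
        {   # forged POST to the same URL with a guessed clientState
            "subscriptionId": "00000000-0000-0000-0000-000000000001",
            "clientState": "guess",
            "changeType": "created",
            "resource": "security/alerts/evil",
        },
    ]
}).encode()

if __name__ == "__main__":
    print(handle_graph_notification(SAMPLE_VALIDATION_QUERY, None))
    print(handle_graph_notification({}, SAMPLE_NOTIFICATION_BODY))
```

The clientState comparison is the whole security story of a Graph webhook: the notification body carries no signature, so without it any unauthenticated POST to the webhook URL could start a playbook that resolves alerts or acts on mailboxes.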

Okta Identity & Access Management
Okta
This app enables several key use cases for customers using Okta for identity and access management.

This is a Playbooks-only enabled integration and is now available within the ThreatConnect App Catalogue.

Twilio Programmable SMS Collaboration & Messaging
Twilio

This app provides actions to send SMS messages and check their status from Playbooks. These actions can be part of many security processes where notifying a team member of an escalation or tasking via SMS is critical.

This is a Playbooks-only enabled integration and is now available within the ThreatConnect App Catalogue.

Apache Kafka IT Infrastructure
Apache

Apache Kafka is an open-source stream-processing platform, so the use cases for this app depend heavily on how Kafka is deployed in your environment. For example, the app lets ThreatConnect users trigger and orchestrate security processes from messages received on a Kafka Topic, or publish indicators to Kafka Topics for consumption by other security tools or for live data-stream monitoring.

This is a Playbooks-only enabled integration and is now available in the ThreatConnect App Catalogue.

Tanium Platform Endpoint Detection & Response
Tanium
The new Tanium Platform app allows users to ask questions and retrieve results in Tanium as part of an automated Threat Intelligence or Incident Response process in Playbooks.
The following actions are available in the app:
  • Create Question (with option to Save Question)
  • Get Question Results By ID
  • Get Saved Question Results By ID
  • Get Saved Question Results By Name

This app is now available in the ThreatConnect App Catalogue.

HYAS Insight Data Enrichment
HYAS

With the HYAS Insight integration for ThreatConnect, SOC, CSIRT, and threat intel teams can connect specific attack instances and campaigns to billions of historical and current indicators of compromise faster than ever before, bringing invaluable new insights and visibility to your security efforts. The ThreatConnect-HYAS combination enables further automation of proactive cyber threat operations and can inform risk assessments, profile attackers, guide online fraud investigations, and map attacker infrastructure. 

For more information or to obtain Enterprise trial access, contact https://www.hyas.com/contact

This integration was built and is supported by HYAS. 

BlackBerry Protect Endpoint Detection & Response
BlackBerry

The BlackBerry Protect Playbook App will allow you to immediately deploy new high-risk indicators from ThreatConnect to BlackBerry Protect’s Global Block List anytime that a new threat is received.

This is a playbooks-only enabled integration that is now available in the ThreatConnect App Catalogue. Please contact your ThreatConnect Customer Success Rep for more information.

BlackBerry Optics Endpoint Detection & Response
BlackBerry

The BlackBerry Optics Playbook App allows you to download recent detections from BlackBerry Optics and run them against validated Threat Intelligence from ThreatConnect.

This is a playbooks-only integration that is now available in the ThreatConnect App Catalogue. For more information, please contact your ThreatConnect Customer Success Rep. 

Plyara for Playbooks Data Enrichment
Plyara

Plyara is an open source library for parsing YARA rules. This Playbook app helps Threat Hunters categorize and manage YARA rules more easily within the ThreatConnect Platform.

This is a Playbooks-only enabled integration and is currently available in the ThreatConnect App Catalogue.
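The categorization the Plyara entry describes rests on pulling rule names, tags and meta fields out of YARA source. The following is an added example, not plyara itself or the app's code: a minimal standard-library parser that extracts exactly those fields and builds the indexes a hunter would filter on. It stands in for plyara so that it runs offline; it handles rule headers, tags and the meta section only, not string or condition semantics. The ruleset it parses is constructed here and is not a real detection.

```python
"""Added example (not plyara or the ThreatConnect app): a minimal YARA header/meta
parser used to categorise rules.  Standard library only; the sample ruleset is
constructed and is not a real detection."""
import re

# Rule header: optional private/global, name, optional ": tag1 tag2", then "{" on the
# same or the next line.
RULE_HEADER_RE = re.compile(
    r"^[ \t]*((?:(?:private|global)[ \t]+)*)rule[ \t]+([A-Za-z_]\w*)[ \t]*"
    r"(?::[ \t]*([\w \t]+?))?[ \t]*\r?\n?[ \t]*\{",
    re.M,
)
# "meta:" up to the start of the strings: or condition: section.
META_SECTION_RE = re.compile(r"meta:(.*?)(?=^[ \t]*(?:strings|condition):)", re.S | re.M)
# key = "string" | integer | true/false
META_ENTRY_RE = re.compile(r'(\w+)[ \t]*=[ \t]*(?:"((?:[^"\\]|\\.)*)"|(-?\d+)|(true|false))')


def _meta_value(str_val, int_val, bool_val):
    if str_val is not None:
        return str_val.replace('\\"', '"').replace("\\\\", "\\")
    if int_val is not None:
        return int(int_val)
    return bool_val == "true"


def parse_yara(text):
    """Return [{"name", "modifiers", "tags", "meta"}] for each rule in the source text."""
    headers = list(RULE_HEADER_RE.finditer(text))
    rules = []
    for i, h in enumerate(headers):
        body_end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[h.end():body_end]
        meta = {}
        section = META_SECTION_RE.search(body)
        if section:
            for e in META_ENTRY_RE.finditer(section.group(1)):
                meta[e.group(1)] = _meta_value(e.group(2), e.group(3), e.group(4))
        rules.append({
            "name": h.group(2),
            "modifiers": h.group(1).split(),
            "tags": (h.group(3) or "").split(),
            "meta": meta,
        })
    return rules


def index_by_tag(rules):
    """tag -> sorted rule names: the categorisation a hunter filters on."""
    idx = {}
    for r in rules:
        for t in r["tags"]:
            idx.setdefault(t, []).append(r["name"])
    return {t: sorted(names) for t, names in idx.items()}


def rules_where_meta(rules, key, predicate):
    """Names of rules whose meta[key] exists and satisfies predicate."""
    return [r["name"] for r in rules if key in r["meta"] and predicate(r["meta"][key])]


# Constructed sample ruleset (not a real detection).
SAMPLE_RULES = r'''
import "pe"

private rule IsPE {
    condition:
        uint16(0) == 0x5A4D
}

rule Sample_Loader : trojan banker {
    meta:
        author = "constructed sample"
        description = "Example rule only, not a real detection"
        severity = 80
        share = true
    strings:
        $mz = { 4D 5A 90 00 }
        $ua = "Mozilla/4.0" ascii wide
    condition:
        IsPE and all of them
}

global rule Sample_Dropper : dropper
{
    meta:
        author = "constructed sample"
        severity = 40
    strings:
        $cmd = "cmd.exe /c \"del %s\""
    condition:
        $cmd
}
'''

if __name__ == "__main__":
    parsed = parse_yara(SAMPLE_RULES)
    print(index_by_tag(parsed))
    print(rules_where_meta(parsed, "severity", lambda v: v >= 50))
```

Hex strings and quoted strings with braces inside the strings section are the usual trap for ad-hoc YARA parsing; splitting the file at rule headers and only scanning the meta section sidesteps them, which is why the body of each rule is never brace-matched here.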

Spur Context API Playbook Data Enrichment
Spur

The Spur Context API integration allows a ThreatConnect user to fetch IP address enrichments from the remote Spur Context API using an existing Spur Context API access token.

For more information, or to download this Playbook, please visit the ThreatConnect GitHub.

This is a Playbooks-only enabled integration.

RSA Netwitness Platform - Respond SIEM & Analytics
RSA

The ThreatConnect integration with RSA Netwitness Platform – Respond is a series of playbooks apps that allow users to build processes around incidents and alerts from the RSA Netwitness Platform.

This is a series of Playbooks-only enabled integrations which are currently available in the ThreatConnect App Catalogue.

Jira Service Desk Incident Response & Ticketing
Jira

This Playbook app provides a set of actions to Get, Create and Update Jira Issues and Service Desk Requests of any type as well as Add Attachments and Comments. These actions provide the key building blocks for automating cross-team processes within the Security organization wherever Jira is utilized.

This is a Playbooks-only enabled integration and is currently available in the ThreatConnect App Catalogue.

Jira Core Incident Response & Ticketing
Jira

This Playbook app provides a set of actions to Get, Create and Update Jira Issues and Service Desk Requests of any type as well as Add Attachments and Comments. These actions provide the key building blocks for automating cross-team processes within the Security organization wherever Jira is utilized.

This is a Playbooks-only enabled integration and is currently available in the ThreatConnect App Catalogue.

Polarity Data Enrichment
Polarity

With the Polarity-ThreatConnect integration, an analyst is made aware of threat information relevant to whatever they are currently working on, regardless of the application. In addition to reviewing threat intelligence in the Overlay Window, analysts can also take actions on indicators, such as marking one as a false positive, changing its severity or confidence level, or editing its associated tags.

For more information or to download this integration, please visit the Polarity GitHub.

Recorded Future Intelligence Card Extension Threat Intelligence
Recorded Future

The Recorded Future Intelligence Card Extension for ThreatConnect allows users to expedite workflows by reviewing malicious indicators, identifying new intelligence, and providing insights into compromised credentials.

Please contact Recorded Future for more information about this integration.

Cybereason Endpoint Protection Platform Endpoint Detection & Response
Cybereason

This Component allows a user to retrieve reputation information from Cybereason for a specified Address, File, or Host IOC. The raw JSON API response is exposed as an output variable.

This is a Playbooks-only enabled integration.

Zscaler ZIA Network Security
Zscaler

ThreatConnect® and Zscaler® have partnered to provide users with multi-sourced, normalized and correlated threat intelligence from ThreatConnect for use within Zscaler Internet Access (ZIA). This integration enables security teams to proactively protect their network from today’s sophisticated attacks.

PolySwarm Malware Intelligence & Enrichment Data Enrichment
PolySwarm

PolySwarm’s integration with ThreatConnect’s SOAR Platform analyzes suspicious artifacts, at scale, millions of times per day. Get real-time threat intelligence from a crowdsourced network of security experts and antivirus companies.

Sixgill DarkFeed Threat Intelligence Threat Intelligence
Sixgill

Sixgill’s cyber threat intelligence solution focuses on customers’ intelligence needs, helping them mitigate risk to their organizations more effectively and more efficiently. Using an agile and automatic collection methodology, Sixgill provides broad coverage of exclusive-access deep and dark web sources, as well as relevant surface web sources. Sixgill utilizes artificial intelligence and machine learning to automate the production cycle of cyber intelligence from monitoring through extraction to production.

SlashNext Phishing Incident Response Playbook Incident Response & Ticketing
SlashNext

SlashNext threat detection uses browsers in a purpose-built cloud to dynamically inspect page contents and site behavior in real time. The SlashNext Phishing Incident Response Playbook app enables ThreatConnect SOAR users to fully automate the analysis of suspicious URLs.

This is a Playbooks-only enabled integration.

Silobreaker Data Enrichment
Silobreaker

The Silobreaker Spaces App allows customers to quickly investigate indicators, threat actors, malware and numerous other entity types or topics from across more than a million different sources.

Bitdefender Advanced Threat Intelligence Threat Intelligence
Bitdefender

The Bitdefender Advanced Threat Intelligence integration with the ThreatConnect® Platform allows users to import threat feeds and services into the Platform for triaging, managing, enriching and scoring data from a centralized location.

The solution delivers up-to-date, contextual intelligence on URLs, IPs, domains, certificates, files, Command and Control servers and Advanced Persistent Threats to Security Operation Centers (SOCs), Managed Security Service Providers (MSSPs), Managed Detection & Response (MDR) companies, IT security and investigation consultancies, and large enterprises that need to block sophisticated threats.

Infoblox Network Security
Infoblox
• Block Address With Infoblox: This Component allows a user to add an IP address IOC to a specified Infoblox Response Policy Zone (RPZ) with the policy set to “Block IP Address”. The response HTTP status code and raw JSON API response are exposed as output variables.
• Block Host With Infoblox: This Component allows a user to add a host IOC to a specified Infoblox Response Policy Zone (RPZ) with the policy set to “Block Domain Name”. The response HTTP status code and raw JSON API response are exposed as output variables.
These are Playbooks-only enabled integrations.
ServiceNow Security Operations Data Enrichment
ServiceNow

The ThreatConnect app for ServiceNow Security Operations provides Threat Lookup and Observable Enrichment capabilities against ThreatConnect intelligence and analytics collections. These features give analysts working inside ServiceNow the information they need to get relevant and actionable insights from intelligence sources within the ThreatConnect Platform.

ServiceNow Orchestration Orchestration
ServiceNow

The ThreatConnect Activity Pack for ServiceNow Orchestration provides a set of activities that can be leveraged from ServiceNow Orchestration workflows to interact with ThreatConnect’s API and Playbooks.  These activities provide a broad set of functionality that can be used for automating Threat Intel and SOC/IR processes.

Proofpoint ET Intelligence Reputation List Threat Intelligence
Proofpoint

This runtime integration with Proofpoint ET Intelligence Reputation List allows users to ingest Address and Host based reputation lists as IOCs along with all available context from Proofpoint into the ThreatConnect Platform.

SlashNext Real-Time Phishing Threat Intelligence Threat Intelligence
SlashNext

This integration enables quick operationalization of SlashNext phishing threat intel feed to protect employees from zero-hour phishing threats. SlashNext phishing and C2 feeds inform threat hunting, enabling ThreatConnect users to identify more threats in network logs. 

SpyCloud Data Enrichment
SpyCloud
This component with SpyCloud allows a user to retrieve breach data for a given host, IP address, or email address from SpyCloud. All available data is parsed out and exposed as output variables. Additionally, the raw JSON API response is exposed as an output variable.
Fortinet FortiSIEM SIEM & Analytics
Fortinet

In FortiSIEM 5.2.4, users can download IOCs from ThreatConnect and receive alerts on matches in logs. Because ThreatConnect aggregates threat feeds from multiple sources, automatically downloading large numbers of IOCs can cause false positives, increase processing load, and fill storage.

This release also lets the user mark a ThreatConnect IOC as a false positive. This action can be taken when an incident is triggered by a match on a ThreatConnect IOC and the user determines that the match is a false positive.

This is a Partner Built & Supported integration.

OPSWAT MetaDefender Cloud Data Enrichment
OPSWAT

These Components allow users to retrieve enrichment information from OPSWAT MetaDefender Cloud. All available information returned by MetaDefender is parsed out and exposed as output variables, in addition to the raw JSON API response.

Actions available in these Components are:

  • Get OPSWAT MetaDefender Cloud File Enrichment
  • Get OPSWAT MetaDefender Cloud File Scan History
  • Scan File with OPSWAT MetaDefender Cloud

These apps are Playbooks-only supported Components.

Joe Sandbox Malware Analysis
Joe Security
This app contains multiple actions for analyzing files and URLs and for retrieving the results in various formats. It also returns the MITRE ATT&CK data from Joe Sandbox as an output variable in the ThreatConnect tag format, so that results saved in ThreatConnect are immediately associated across the ATT&CK framework.
Actions available in this app include:
Analyze File – Submit a binary file for analysis
Analyze URL – Submit a URL for analysis
Get Info – Get the raw and parsed Report details from a previous analysis
Get Download – Download the analysis Report in HTML, JSON, or PDF Format. Also, download the sample binary.
Bandura Cyber Threat Intelligence Gateway (TIG) Network Security
Bandura Cyber
The Bandura Cyber Threat Intelligence Gateway (TIG) is purpose-built to filter network traffic using massive volumes of third-party threat intelligence indicators.  The Bandura Cyber ThreatConnect plug-in enables the Bandura Cyber TIG to automatically ingest, detect, and block malicious IP and domain indicators from the ThreatConnect Platform.  The Bandura Cyber TIG enables ThreatConnect customers to detect and block threats on the network in an easier, more scalable, and automated way than can be done using existing network security controls like Next Generation Firewalls.
Microsoft Windows Remote Management Data Enrichment
Microsoft
This integration allows users to run commands, PowerShell commands, and remote PowerShell scripts over the WinRM protocol from ThreatConnect Playbooks. The credentials the app uses can execute code on every host they can reach, so they should be scoped to the minimum set of hosts and rights the playbooks need.
Some examples include:
• Execute an IR PowerShell script for collecting logs and artifacts from an endpoint under investigation
• Terminate a running process on a host
• List running processes or open network connections on a host
• Shutdown or restart a host
• Get a file from a host for further analysis
This is a Playbooks-only enabled integration.
Flashpoint Technical Indicators Threat Intelligence
Flashpoint

ThreatConnect’s Flashpoint integration now includes Flashpoint’s Technical Indicators along with support for MITRE ATT&CK tags. With this release, joint customers see Incidents and actionable Indicators associated with Reports in ThreatConnect, together with context such as MITRE ATT&CK tags and scoring.

AlienVault ThreatCrowd Data Enrichment
AlienVault
This Playbooks Component allows the user to retrieve enrichment information from ThreatCrowd for a given IP Address, Domain, Email Address, or File Hash. The API response is parsed and all values are exposed as output variables. Additionally, the raw JSON API response is exposed as an output variable.
This is a Playbooks-only enabled app.
AlienVault OTX Data Enrichment
AlienVault

This Playbooks Component allows a user to retrieve enrichment information from AlienVault OTX for a given indicator. The raw JSON response is returned as well as the number of related Pulses along with their names and IDs.

This is a Playbooks-only enabled app.

Censys.io Data Enrichment
Censys

This integration with Censys.io is a series of Playbooks Components that allow users to Create Censys Search and Get Censys Enrichment.

This is a Playbooks-only enabled app.

GreyNoise.io Enterprise Data Enrichment
GreyNoise

This integration with GreyNoise.io Enterprise is a series of Playbooks Enrichment Components that allow users to Create GreyNoise GNQL Query and Get GreyNoise Enterprise Enrichment.

This is a Playbooks-only enabled app.

Microsoft Azure Directory IT Infrastructure
Microsoft
This integration with Microsoft Azure Active Directory (since renamed Microsoft Entra ID) is a series of Playbooks Components that allow users to disable and enable Azure Active Directory users via Microsoft’s Graph API. An additional Playbooks Component retrieves the details of a given Azure Active Directory user via the Graph API.
This is a Playbooks-only enabled app.
Microsoft Defender ATP Data Enrichment
Microsoft

This ThreatConnect Playbooks app allows Playbook users to list, add, update and remove indicators on Microsoft Defender ATP (formerly Windows Defender ATP, since renamed Microsoft Defender for Endpoint) for alerting and blocking purposes.

This is a Playbooks-only enabled app.

Microsoft Graph Security API IT Infrastructure
Microsoft

This Microsoft Graph Security app enables ThreatConnect Playbook users to perform Get, Create, Update and Delete actions against the Graph Security threat-intelligence (tiIndicators) API. This API is currently consumed by Microsoft Sentinel for alerting and monitoring.

This app requires v5.8 of ThreatConnect and is a Playbooks-only enabled app.

RiskIQ Data Enrichment
RiskIQ

This integration is a series of Components that allow users to submit a URL to RiskIQ’s Landing Page API endpoint as well as allow a user to create an event in RiskIQ’s Platform.

Exabeam Data Lake Data Enrichment
Exabeam

This app is designed to let you query Address or Host IOCs in Exabeam’s Data Lake for matching events. This is useful when you want to see whether a particular IOC has been active in your environment.

This integration was built and is supported by Exabeam.

Secureworks Attacker Database Threat Intelligence
Secureworks

Secureworks (NASDAQ: SCWX) is a leading global cybersecurity company that keeps organizations safe in a digitally connected world. We combine visibility from thousands of clients, artificial intelligence and automation from our industry-leading Secureworks Counter Threat Platform, and actionable insights from our team of elite researchers and analysts to create a powerful network effect that provides increasingly strong protection for our clients. By aggregating and analyzing data from any source, anywhere, we prevent security breaches, detect malicious activity in real time, respond rapidly, and predict emerging threats. We offer our clients a cyber-defense that is Collectively Smarter. Exponentially Safer.

Slack Collaboration & Messaging
Slack

With this integration, users have the ability to send customizable messages and attachments to Slack via ThreatConnect.

This is a Playbooks-enabled integration.

Accenture iDefense IntelGraph Threat Intelligence
Accenture

The Accenture iDefense® IntelGraph integration with ThreatConnect® allows customers to ingest the IntelGraph feed into ThreatConnect for analysis and response actions. The integration downloads the 21 Fundamentals, as well as Intel Alerts and Intel Reports, into ThreatConnect.

Booz Allen Hamilton Cyber4Sight Threat Intelligence
Booz Allen Hamilton

Cyber4Sight® delivers customers the comfort of knowing that our comprehensive and context-rich threat intelligence enables them with everything they need to prioritize strategic security decisions and to detect, understand, and mitigate risks.

With Cyber4Sight, you have the tools to react more swiftly to the biggest threats, better anticipate emerging ones, improve your decision-making and resource allocation, help you decrease risk, and better protect your enterprise. To learn more, visit https://www.boozallen.com/s/product/cyber4sight.html.

BAE Systems Threat Intelligence Threat Intelligence
BAE Systems

The ThreatConnect® integration with BAE Systems Threat Intelligence® enables ThreatConnect customers to import Events and Attributes from the BAE MISP instance into ThreatConnect as Incidents and Indicators (Address, Host, Email Address, URL, CIDR, File, ASN, and User Agent), respectively.

Carbon Black Cb Response Endpoint Detection & Response
Carbon Black

Cb Response is an industry-leading incident response and threat hunting solution designed for security operations center (SOC) teams. Cb Response continuously records and stores unfiltered endpoint data, so that security professionals can hunt threats in real time and visualize the complete attack kill chain. It leverages the Cb Predictive Security Cloud’s aggregated threat intelligence, which is applied to the endpoint activity system of record for evidence and detection of these identified threats and patterns of behavior.

RH-ISAC Threat Intelligence
RH-ISAC

The Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) is the cybersecurity community for all retailers and commercial services entities, connecting all aspects of consumer products, goods, and services industries throughout the ecosystem and supply chain. Forming a trusted arena for the sharing of critical strategic and tactical information between members and industry partners across the globe for the purpose of collaborative and innovative problem solving, the RH-ISAC is the information sharing source for cybersecurity risk management.

Qualys Vulnerability Management
Qualys

The Qualys Vulnerability Management integration compares CVE tags from sources in ThreatConnect and matches against Qualys scan results. Any matching unpatched vulnerabilities found within Qualys are associated with relevant intel in ThreatConnect. Additionally, tasks can be automatically created with necessary details for further action to be taken.

To learn more about Qualys, visit https://www.qualys.com/suite/vulnerability-management/.
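The Qualys entry describes a join: CVE tags on ThreatConnect intel on one side, Qualys scan findings on the other, with a task raised for each host that is still exposed to a CVE the intel talks about. The following is an added example, not the integration's own code, of that matching step. It assumes both sides have already been pulled into the flat dicts shown; the field names, the status values used to tell an open finding from a fixed one, and the sample data are all constructed here, and the CVE identifiers are placeholders rather than real advisories.

```python
"""Added example (not the Qualys integration's own code): join CVE tags on
ThreatConnect intel against Qualys findings and raise one task per host/CVE that is
still unpatched.  Field names, status values, sample data and CVE IDs are constructed."""
import re

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def normalize_cve(tag):
    """Canonical 'CVE-YYYY-NNNN' form for a tag, or None if the tag is not a CVE.
    Intel tags are typed by hand, so 'cve-2021-0001', 'CVE 2021-0001' and
    'CVE_2021-0001' all normalise to the same key."""
    t = re.sub(r"^CVE[\s_-]*", "CVE-", tag.strip().upper())
    return t if CVE_RE.match(t) else None


def match_intel_to_scan(intel_items, findings, open_statuses=("NEW", "ACTIVE", "RE-OPENED")):
    """Return tasks for every open Qualys finding whose CVE is tagged on some intel.

    intel_items: [{"id", "name", "tags": [...]}, ...]                        (ThreatConnect)
    findings:    [{"host", "qid", "severity", "status", "cves": [...]}, ...]  (Qualys detections)
    A FIXED finding is patched and yields no task; a CVE with no intel behind it is
    out of scope for this matching and is ignored.
    """
    intel_by_cve = {}
    for item in intel_items:
        for tag in item.get("tags", []):
            cve = normalize_cve(tag)
            if cve:
                intel_by_cve.setdefault(cve, []).append(item["name"])

    tasks = {}
    for f in findings:
        if str(f.get("status", "")).upper() not in open_statuses:
            continue
        for raw in f.get("cves", []):
            cve = normalize_cve(raw)
            if cve not in intel_by_cve:
                continue
            key = (f["host"], cve)
            task = tasks.setdefault(key, {
                "host": f["host"], "cve": cve, "severity": 0, "qids": [],
                "intel": sorted(set(intel_by_cve[cve])),
            })
            task["severity"] = max(task["severity"], int(f.get("severity", 0)))
            task["qids"].append(f["qid"])
    # Highest Qualys severity first so the task queue is already prioritised.
    return sorted(tasks.values(), key=lambda t: (-t["severity"], t["host"], t["cve"]))


# Constructed sample data; CVE IDs and QIDs are placeholders.
INTEL = [
    {"id": 1, "name": "Report: exploitation of placeholder CVE", "tags": ["cve-2021-0001", "Exchange"]},
    {"id": 2, "name": "Threat: Sample Group", "tags": ["CVE-2021-0001", "CVE 2019-0002"]},
    {"id": 3, "name": "Incident: internal review", "tags": ["CVE-2020-0003"]},
]
FINDINGS = [
    {"host": "mail01.example.internal", "qid": 100001, "severity": 5, "status": "ACTIVE", "cves": ["CVE-2021-0001", "CVE-2021-0009"]},
    {"host": "mail02.example.internal", "qid": 100001, "severity": 5, "status": "FIXED", "cves": ["CVE-2021-0001"]},
    {"host": "vpn01.example.internal", "qid": 100002, "severity": 4, "status": "NEW", "cves": ["cve-2019-0002"]},
    {"host": "vpn01.example.internal", "qid": 100003, "severity": 3, "status": "ACTIVE", "cves": ["CVE-2019-0002"]},
    {"host": "dc01.example.internal", "qid": 100004, "severity": 5, "status": "ACTIVE", "cves": ["CVE-2018-0004"]},
]

if __name__ == "__main__":
    for t in match_intel_to_scan(INTEL, FINDINGS):
        print(t["severity"], t["host"], t["cve"], t["qids"], t["intel"])
```

The status filter is the part worth getting right: without it, a host whose finding Qualys has already marked FIXED would keep generating tasks on every run, and the queue would fill with work nobody needs to do.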

Palo Alto Networks Wildfire Malware Analysis
Palo Alto Networks

This integration with Palo Alto Wildfire is available as a series of Playbook Apps and Templates.

With the Playbooks Apps and Templates, users are automatically able to take the following actions:

For more information about Palo Alto Wildfire, please visit: https://www.paloaltonetworks.com/products/secure-the-network/wildfire/.

This is a Playbooks-enabled integration.

ReversingLabs A1000 Malware Analysis
ReversingLabs

The A1000 Malware Analysis Platform supports advanced hunting and investigations through the TitaniumCore high-speed automated static analysis engine. It is integrated with file reputation services to provide in-depth rich context and threat classification on over 8 billion files and across all file types. The A1000 supports visualization, APIs for integration with automated workflows, a dedicated database for malware search, global and local YARA Rules matching, as well as integration with 3rd party sandbox tools.

This is a Playbooks-enabled integration.

ReversingLabs TiCloud Malware Analysis
ReversingLabs

ReversingLabs’ TitaniumCloud Reputation Services are powerful threat intelligence solutions with up-to-date, threat classification and rich context on over 8 billion goodware and malware files. ReversingLabs does not depend on crowd-sourced collection but instead curates the harvesting of files from software vendors and diverse malware sources. All files are processed using unique ReversingLabs File Decomposition Technology, combined with other dynamic and detection information to provide industry reputation consensus. TitaniumCloud supports a powerful set of REST API query and feed functions that deliver targeted file and malware intelligence for threat identification, analysis, intelligence development and hunting.

This is a Playbooks-enabled integration.

RSA Archer Incident Response & Ticketing
RSA

This integration with RSA Archer is a series of Playbooks Apps and Templates. With these Playbooks, RSA Archer users can automatically take the following actions:

For more information about RSA Archer, please visit: https://www.rsa.com/en-us/products/integrated-risk-management/archer-platform.

This is a Playbooks-enabled integration.

Palo Alto Networks NGFW Network Security
Palo Alto Networks

Palo Alto Networks is the next-generation security company, leading a new era in cybersecurity by safely enabling applications and preventing cyber breaches for tens of thousands of organizations worldwide. Built with an innovative approach and highly differentiated cyberthreat prevention capabilities, Palo Alto Networks’ game-changing security platform delivers security far superior to legacy or point products, safely enables daily business operations, and protects an organization’s most valuable assets.

Find out more at www.paloaltonetworks.com.

Accenture Deepsight Intelligence Threat Intelligence
Accenture

The ThreatConnect integration with Accenture’s DeepSight Intelligence leverages the information provided by the DeepSight feed. The integration allows customers to seamlessly analyze and act on Accenture DeepSight Advanced IP and Advanced Domain/URL Datafeeds inside ThreatConnect.

Tanium Connect Endpoint Detection & Response
Tanium

The Tanium™ Connect™ Reputation Blacklist integration for ThreatConnect® enables the upload of File hashes in ThreatConnect to the Reputation Blacklist in Tanium Connect.

Tanium Threat Response Endpoint Detection & Response
Tanium
This app allows users to deploy and delete Indicator and Signature Intel Packages to Tanium Threat Response with some additional customization options such as Package Name, Description, Author, etc.
The following actions are available:
  1. Deploy Indicator Intel Package
  2. Deploy Signature Intel Package
  3. Delete Intel Package
MISP Threat Intelligence
MISP

This MISP Import app integration enables ThreatConnect customers to run a scheduled import of MISP Events and Attributes into ThreatConnect as Incidents and Indicators (Address, Host, Email Address, and File), respectively.
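Both MISP-based entries on this page, the BAE Systems Threat Intelligence integration above and this MISP Import app, do the same mapping: MISP Events become Incidents and MISP Attributes become Indicators of the types each entry lists. The following is an added example, not the code of either integration, of that mapping over one MISP event. It assumes MISP's standard JSON export shape (an Event carrying an Attribute list with type, value, to_ids and category); the type tables, the indicator type labels and the sample event are constructed here, and the extended table is only used to show the additional types the BAE entry names.

```python
"""Added example (not ThreatConnect's MISP Import app or the BAE Systems
integration): turn one MISP event into an Incident plus Indicators.  Assumes MISP's
standard JSON export shape; mapping tables and the sample event are constructed."""
import json

# MISP attribute type -> ThreatConnect indicator type for the MISP Import app
# (Address, Host, Email Address, File).  "ip" only occurs as the second half of
# composite types such as "domain|ip".  Unknown types are skipped, never guessed.
BASE_TYPE_MAP = {
    "ip-src": "Address", "ip-dst": "Address", "ip": "Address",
    "domain": "Host", "hostname": "Host",
    "email-src": "Email Address", "email-dst": "Email Address",
    "md5": "File", "sha1": "File", "sha256": "File",
}
# The BAE Systems MISP integration additionally imports URL, ASN and User Agent
# (plus CIDR, which MISP has no separate type for; see cidr_supported below).
EXTENDED_TYPE_MAP = {**BASE_TYPE_MAP, "url": "URL", "AS": "ASN", "user-agent": "User Agent"}


def split_composite(attr_type, value):
    """Expand composite MISP attributes ('domain|ip', 'filename|sha256') into (type, value) pairs."""
    if "|" not in attr_type:
        return [(attr_type, value)]
    types = attr_type.split("|")
    values = value.split("|", len(types) - 1)
    if len(values) != len(types):
        return []                          # malformed composite: drop it rather than mis-type it
    return list(zip(types, values))


def misp_event_to_threatconnect(event_json, type_map=BASE_TYPE_MAP, cidr_supported=False, ids_only=True):
    """Return (incident, indicators) for one MISP event.

    ids_only keeps only attributes the MISP author flagged to_ids (fit for detection);
    context-only attributes such as comments are left out of the indicator set.
    """
    event = event_json["Event"]
    incident = {"name": event["info"], "eventDate": event["date"], "source": "MISP event " + str(event["id"])}
    indicators, seen = [], set()
    for attr in event.get("Attribute", []):
        if ids_only and not attr.get("to_ids", False):
            continue
        for part_type, part_value in split_composite(attr["type"], attr["value"]):
            tc_type = type_map.get(part_type)
            if tc_type is None:
                continue
            if tc_type == "Address" and "/" in part_value:
                if not cidr_supported:
                    continue                   # no CIDR indicator type in the base app
                tc_type = "CIDR"
            if tc_type == "File":
                part_value = part_value.lower()  # hashes are case-insensitive; normalise before dedup
            key = (tc_type, part_value)
            if key in seen:
                continue                       # same value reached twice (e.g. ip-dst and domain|ip)
            seen.add(key)
            indicators.append({"type": tc_type, "value": part_value, "category": attr.get("category")})
    return incident, indicators


# Constructed sample event in MISP export shape.
SAMPLE_EVENT = json.loads("""{"Event": {"id": "42", "info": "Phishing wave (constructed sample)", "date": "2021-03-01",
 "Attribute": [
  {"type": "ip-dst", "value": "198.51.100.7", "to_ids": true, "category": "Network activity"},
  {"type": "ip-dst", "value": "203.0.113.0/24", "to_ids": true, "category": "Network activity"},
  {"type": "domain|ip", "value": "bad.example|198.51.100.7", "to_ids": true, "category": "Network activity"},
  {"type": "sha256", "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855", "to_ids": true, "category": "Payload delivery"},
  {"type": "url", "value": "http://bad.example/login", "to_ids": true, "category": "Network activity"},
  {"type": "user-agent", "value": "Mozilla/4.0 (compatible; MSIE 6.0)", "to_ids": false, "category": "Network activity"},
  {"type": "comment", "value": "analyst note", "to_ids": false, "category": "Other"}
 ]}}""")

if __name__ == "__main__":
    inc, inds = misp_event_to_threatconnect(SAMPLE_EVENT, EXTENDED_TYPE_MAP, cidr_supported=True)
    print(json.dumps(inc))
    for i in inds:
        print(i["type"], i["value"])
```

Honouring to_ids matters more than it looks: MISP events routinely carry attributes that are context rather than detection material, and importing them as indicators would push analyst notes and benign values into every downstream blocklist this page's other integrations feed.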

McAfee ESM SIEM & Analytics
McAfee

McAfee Enterprise Security Manager is a security information and event management (SIEM) solution that delivers actionable intelligence and integrations to prioritize, investigate, and respond to threats.

McAfee ATD Malware Analysis
McAfee

McAfee Advanced Threat Defense enhances protection from network edge to endpoint and enables investigation.

This is a Playbooks-enabled integration.

Maltego Data Enrichment
Paterva

Maltego is a visual link analysis tool that comes, out of the box, with open source intelligence (OSINT) plugins called transforms. The tool offers real-time data mining and information gathering and represents the results on a node-based graph, making patterns and multi-step connections between the collected information easy to identify.

Lastline Analyst Malware Analysis
Lastline

Lastline Analyst™ provides your threat analysts and incident response teams with the advanced malware inspection and isolation environment they need to safely execute advanced malware samples and understand their behavior.

This integration allows users to identify threats and act on their threat intelligence by integrating Lastline technology with the ThreatConnect Threat Intelligence Platform.

This is a Playbooks-enabled integration.

King & Union Avalon Data Enrichment
King & Union

King & Union is outsmarting cyber adversaries by uniting security professionals and amplifying the power of the cybersecurity analyst. The company’s flagship product, Avalon, is a threat analytics platform built with collaboration at its core. Avalon provides a dynamic workspace where security operators and analysts can lean in, cut through the noise, and reduce the time to address threats from hours to minutes. The platform provides access to exclusive data sources, automates repetitive workflows, and leverages real-time collaboration to deliver unparalleled insight and full context based on facts.

Learn more: www.kingandunion.com.

This integration was built and is supported by King & Union.

Intel 471 Adversary Intelligence Threat Intelligence
Intel 471

The ThreatConnect® integration with Intel 471 Adversary Intelligence ingests Reports, Adversaries, and Indicators from Intel 471 into ThreatConnect. These Groups and Indicators are stored and associated in ThreatConnect with all their relevant context. This integration is now available within the ThreatConnect App Catalogue.

IBM X-Force Data Enrichment
IBM

IBM X-Force produces many thought leadership security research assets to help customers, fellow researchers and the public at large better understand the latest security risks, and stay ahead of emerging threats.

This is a Playbooks-enabled integration.

IBM QRadar SIEM & Analytics
IBM

IBM® QRadar® Security Information and Event Management (SIEM) helps security teams accurately detect and prioritize threats across the enterprise, and it provides intelligent insights that enable teams to respond quickly to reduce the impact of incidents. By consolidating log events and network flow data from thousands of devices, endpoints and applications distributed throughout your network, QRadar correlates all this different information and aggregates related events into single alerts to accelerate incident analysis and remediation. QRadar SIEM is available on premises and in a cloud environment.

Flashpoint Risk Intelligence Observables Threat Intelligence
Flashpoint

Flashpoint illuminates the Deep and Dark Web. A pioneer in providing intelligence from these regions of the Internet, Flashpoint’s software and data services help companies, governments, and consumers enhance their cyber and physical security. The company’s unique blend of subject matter expertise and software engineering has changed the way meaningful and actionable intelligence is gleaned from the previously unmapped regions of the Internet.

For more information please go to: www.flashpoint-intel.com.

FireEye Threat Intelligence Threat Intelligence
FireEye

FireEye Threat Intelligence is forward-looking threat intelligence with highly contextual analysis. FireEye Threat Intelligence is unique in the industry, with more than 150 FireEye security researchers and experts around the globe applying decades of experience to gathering forward-looking, high-fidelity, adversary-focused intelligence. With an unmatched view into adversaries, victims and networks worldwide, FireEye Threat Intelligence delivers visibility across the extended cyber-attack lifecycle to all levels of your business.

FireEye Helix Incident Response & Ticketing
FireEye

FireEye Helix is a cloud-hosted security operations platform that allows organizations to take control of any incident from alert to fix.

This is a Playbooks-enabled integration.

Fidelis Cybersecurity Network Network Security
Fidelis Cybersecurity

ThreatConnect® and Fidelis Cybersecurity have partnered to provide users with ThreatConnect intelligence for use within Fidelis Network™. This integration allows automatic synchronization of ThreatConnect indicators to Fidelis Network, enabling users to easily – and quickly – investigate current and historic network activity for the latest threats.

Farsight Security DNSDB Data Enrichment
Farsight Security

Farsight offers the most comprehensive, searchable database of passive DNS record information for investigations and research. Security analysts, fraud investigators, Security Operations Center (SOC) and Incident Response (IR) teams use Farsight to investigate incidents and cybercrime, protect their assets and monitor online activity. Leveraging its superior telemetry data collection and processing capabilities, Farsight provides its clients with cloud-based, real-time network observability and reporting solutions.

Farsight also provides cyber situational awareness that helps organizations protect against attacks and know unknowns, in the form of newly observed domains, and loss of brand and reputational integrity. For further information, please visit www.farsightsecurity.com.

Dragos Worldview Threat Intelligence
Dragos

Dragos WorldView™ threat intelligence feeds, alerts, reports, and briefings focus on Industrial Control Systems (ICS) threat intelligence, providing information and context that identify the malicious actors and activity targeting industrial control networks globally. The ThreatConnect® integration with Dragos WorldView allows ThreatConnect users to import Reports and Indicators, along with all of their context, from the Dragos WorldView API into ThreatConnect.

Dragos Platform Network Security
Dragos

Dragos Security develops tools to enable the Industrial Control System and IT community, focusing on ICS and IoT cyber situational awareness. Dragos and ThreatConnect are partnering to combine threat intelligence with network collection, aggregation and analytics to provide customers with a real-time, relevant, and actionable feed of cyber events in ICS environments.

This integration is built and supported by Dragos. For questions about the integration, contact Dragos support. For more information about Dragos, please visit https://dragos.com/.

DomainTools Iris Data Enrichment
DomainTools

The DomainTools Iris Investigate Playbook app has multiple actions to interact with the Iris Investigate API. Automate intel processes, investigations, alert triage and response actions and more.

This is a Playbooks-only enabled integration and is now available within the ThreatConnect App Catalogue.

Crowdstrike Falcon Intelligence Threat Intelligence
Crowdstrike

The global CrowdStrike Falcon Intelligence™ team tracks adversaries of all types — nation-state, criminal, hacktivist — to provide the customized and actionable intelligence you need to stay ahead of disruptive threat actors targeting your organization.

Crowdstrike Falcon Host Endpoint Detection & Response
Crowdstrike

CrowdStrike is the leader in next-generation endpoint protection, threat intelligence and response services. CrowdStrike’s core technology, the CrowdStrike Falcon™ platform, stops breaches by preventing and responding to all types of attacks – both malware and malware-free. CrowdStrike has revolutionized endpoint protection by being the first and only company to unify three crucial elements: next-generation antivirus, endpoint detection and response (EDR), and a 24/7 managed hunting service — uniquely delivered via the cloud in a single lightweight sensor. Falcon uses the patent-pending CrowdStrike Threat Graph™ to analyze and correlate billions of events in real time, providing complete protection and five-second visibility across all endpoints. The company leads threat prevention with its potent combination of signature-less machine learning and behavioral-based analytics.

Cofense Intelligence Threat Intelligence
Cofense

Cofense, formerly PhishMe, is the leading provider of human-driven phishing defense solutions worldwide. We deliver a collaborative approach to cybersecurity by enabling organization-wide engagement to active email threats. Our collective defense suite combines best-in class incident response technologies with timely attack intelligence sourced from employees. Cofense solutions quickly mitigate the impacts from spear phishing, ransomware, malware, and business email compromise.

For more information about Cofense, please visit https://cofense.com/.

To view or download this app, please visit our Github page here.

This integration was built and is supported by Cofense.

Cisco Umbrella Investigate Data Enrichment
Cisco

Cisco Umbrella Investigate provides the most complete view of the relationships and evolution of Internet domains, IP addresses, and autonomous systems to pinpoint attackers’ infrastructures and predict future threats.

Cisco Umbrella Network Security
Cisco

The Cisco Umbrella integration allows Host and URL Indicators in ThreatConnect to be added and removed from the Cisco Umbrella Platform over the Cisco Umbrella Enforcement API.

Cisco Threat Grid Malware Analysis
Cisco

Threat Grid combines advanced sandboxing with threat intelligence into one unified solution to protect organizations from malware. With a robust, context-rich malware knowledge base, you will understand what malware is doing, or attempting to do, how large a threat it poses, and how to defend against it.

This is a Playbooks-enabled integration.

Cisco Firepower Management Center Network Security
Cisco

Cisco Firepower Management Center is your administrative nerve center for managing critical Cisco network security solutions. It provides complete and unified management over firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection. Easily go from managing a firewall to controlling applications to investigating and remediating malware outbreaks.

Centripetal Networks Network Security
Centripetal Networks

Centripetal Networks Inc. is a cyber-security solutions provider specializing in Real-Time Active Network Defense. Centripetal has achieved several breakthroughs in the scale and speed of network protection. Centripetal’s RuleGate® product is the first and only system able to action threat indicators at scale, at full line-rate speed, and with agility. Threat intelligence can now directly drive an active cyber defense without negatively impacting network performance or user experience. Centripetal’s offering includes the RuleGate®, a unique ultra-high-performance network appliance; QuickThreat™, the industry’s first real-time threat visualization and analytics platform; and the Advanced Cyber Threat (ACT) service. Please visit www.centripetalnetworks.com.

This integration was built and is supported by Centripetal Networks.

BluVector Cortex Network Security
BluVector

BluVector is empowering security teams to get answers about real threats. Our next generation IDS is transforming how security teams gain situational awareness, detect, triage and respond to security events. To learn more, visit us at https://www.bluvector.io

This integration was built and is supported by BluVector.

Attivo Networks ThreatMatrix Deception
Attivo Networks

Attivo Networks® is an award-winning leader in deception-based threat detection. The Attivo ThreatMatrix™ platform provides in-network threat detection and continuous response using dynamically deployed deceptions, attack and attack path analysis, and automations for accelerated incident handling.

This integration was built and is supported by Attivo Networks.

ArcSight ESM SIEM & Analytics
Micro Focus

Micro Focus helps organizations run and transform their business through digital transformation. Our software provides the critical tools they need to build, operate, secure, and analyze their enterprise. By design, these tools bridge the gap between existing and emerging technologies – enabling faster innovation, with less risk, in the race to digital transformation.

Zerofox Threat Intelligence
Zerofox

ZeroFOX, the social media & digital security category leader, protects modern organizations from dynamic security, brand and physical risks across social, mobile, web and collaboration platforms. Using diverse data sources and artificial intelligence-based analysis, ZeroFOX protects modern organizations from targeted phishing attacks, credential compromise, data exfiltration, brand hijacking, executive and location threats and more. Recognized as a Leader in Digital Risk Protection by Forrester, the patented ZeroFOX SaaS platform processes and protects millions of posts, messages and accounts daily across the social and digital landscape, spanning LinkedIn, Facebook, Slack, Twitter, Instagram, Pastebin, YouTube, mobile app stores, the deep & dark web, domains and more.

To find out more information about ZeroFOX or to join our team, please visit: https://www.zerofox.com.

Securonix SIEM & Analytics
Securonix

Securonix is redefining the next generation of cyber-threat detection using the power of machine learning and big data. Our purpose-built security analytics solution uses machine learning to track and create baselines of user, account, and system behavior and detects the most advanced insider threats, cyber threats, and fraud activities in real time. Securonix extends threat detection with threat-hunting and automated incident response. SOC analysts can hunt across data sources, and respond with pre-built, automated playbooks. Globally, customers use Securonix to address their insider threat, cyber threat, cloud security, fraud, and application security monitoring requirements.

For more information, please visit: https://www.securonix.com/.

This integration was built and is supported by Securonix.

Siemplify Orchestration
Siemplify

Siemplify provides a holistic Security Operations Platform that empowers security analysts to work smarter and respond faster. It uniquely combines security orchestration and automation with patented contextual investigation and case management to deliver intuitive, consistent and measurable security operations processes. By utilizing Siemplify with ThreatConnect, security teams are able to seamlessly integrate threat intelligence in security playbooks, enabling them to easily prioritize their workload, quickly understand intelligence-driven context, and provide feedback to ThreatConnect in order to fine-tune and enhance the accuracy of their intelligence. Learn more at https://www.siemplify.co/. This integration was built and is supported by Siemplify.

Kaspersky Threat Intelligence
Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.

This integration was built and is supported by Kaspersky.

IBM Resilient Incident Response & Ticketing
IBM

IBM Resilient Incident Response Platform (IRP) is the leading platform for orchestrating and automating incident response processes. IBM Resilient IRP quickly and easily integrates with your organization’s existing security and IT investments. It makes security alerts instantly actionable, provides valuable intelligence and incident context, and enables adaptive response to complex cyber threats.

The latest innovation to IBM Resilient IRP, Dynamic Playbooks, provides the agility, intelligence, and sophistication needed to contend with complex attacks.

This is a Playbooks-enabled integration.

DF Labs Incident Response & Ticketing
DF Labs

The integration will allow the DFLabs and ThreatConnect platforms to dynamically exchange data, providing customers with increased visibility to threats and the ability to effectively respond to incidents. With this integration, users will also be able to quickly integrate DFLabs’ IncMan™ with ThreatConnect and execute automated and semi-automated actions, from triage to enrichment, to remediation.

This integration is built and supported by DFLabs. For questions about the integration, please contact DFLabs support. For more information about DFLabs, visit https://www.dflabs.com/.

LogRhythm SIEM & Analytics
LogRhythm

ThreatConnect® and LogRhythm® have partnered to enable users to detect and act on ThreatConnect intelligence in LogRhythm SIEM. With this integration, users are able to aggregate their internal logs and combine them with validated threat intelligence. This allows them to easily spot trends or patterns that are out of the ordinary and act on them efficiently.

For more information about LogRhythm, please visit https://logrhythm.com/.

RSA NetWitness SIEM & Analytics
RSA

ThreatConnect is a software platform that unites your entire security team, your partners, and your industry peers together behind a cohesive, intelligence-driven defense. Working together in ThreatConnect, everyone benefits from the collective talents and knowledge of the group. By making ThreatConnect intelligence data available in RSA Security Analytics, you’re able to build processes to identify the most relevant threats, proactively protect your network, and quickly respond to incidents in a measurable way.

For more information, please visit: www.community.rsa.com.

Flashpoint Intelligence Reports Threat Intelligence
Flashpoint

Flashpoint illuminates the Deep and Dark Web. A pioneer in providing intelligence from these regions of the Internet, Flashpoint’s software and data services help companies, governments, and consumers enhance their cyber and physical security. The company’s unique blend of subject matter expertise and software engineering has changed the way meaningful and actionable intelligence is gleaned from the previously unmapped regions of the Internet.

For more information please go to: www.flashpoint-intel.com.

Digital Shadows Searchlight Threat Intelligence
Digital Shadows

Digital Shadows provides cyber situational awareness that helps organizations protect against cyber attacks, loss of intellectual property, and loss of brand and reputational integrity. Its flagship solution, Digital Shadows SearchLight™, is a scalable and easy-to-use data analysis platform that provides a holistic view of an organization’s digital footprint and the profile of its attackers. It is complemented with security analyst expertise to ensure extensive coverage, tailored intelligence and frictionless deployment. SearchLight continually monitors more than 100 million data sources in 27 languages across the visible, deep and dark web and other online sources to create an up-to-the minute view of an organization and the risks requiring mitigation. The company is jointly headquartered in London and San Francisco.

For more information, visit www.digitalshadows.com.

VMRay Analyzer Malware Analysis
VMRay

This app allows users to send malware to be sandboxed with VMRay Analyzer and retrieve results as part of SOC/IR or Threat Intelligence processes such as Phishing Email Triage, Endpoint Investigation, or Malware Hunting.

This is a Playbooks-enabled integration and is now available within the ThreatConnect App Catalogue.

Tenable.sc Vulnerability Management
Tenable

Tenable®, Inc. is the Cyber Exposure company. Over 30,000 organizations around the globe rely on Tenable to understand and reduce cyber risk. As the creator of Nessus®, Tenable extended its expertise in vulnerabilities to deliver the world’s first platform to see and secure any digital asset on any computing platform. Tenable customers include more than 50 percent of the Fortune 500, more than 30 percent of the Global 2000 and large government agencies.

Learn more at www.tenable.com.

Splunk SIEM & Analytics
Splunk

Splunk Inc. (NASDAQ: SPLK) provides the leading software platform for real-time Operational Intelligence. Splunk® software and cloud services enable organizations to search, monitor, analyze and visualize machine-generated big data coming from websites, applications, servers, networks, sensors and mobile devices. More than 8,400 enterprises, government agencies, universities and service providers in more than 100 countries use Splunk software to deepen business and customer understanding, mitigate cybersecurity risk, prevent fraud, improve service performance and reduce cost. Splunk products include Splunk® Enterprise, Splunk Cloud™, Hunk®, Splunk MINT Express™ and premium Splunk Apps. To learn more, please visit http://www.splunk.com/company.
