The ThreatConnect® Platform was built to be open and extensible. We strive to integrate with the tools and technologies in our customers’ existing ecosystem, and work with vendors across every category to make security easy and effective.

Product Product Category Company
Plyara for Playbooks Enrichment & Analysis

Plyara is an open source library for parsing YARA rules. This Playbook app helps threat hunters categorize and manage YARA rules more easily within the ThreatConnect Platform.

This is a Playbooks-only enabled integration and is currently available in the ThreatConnect App Catalogue.

Spur Context API Playbook Enrichment & Analysis

The Spur Context API integration allows a ThreatConnect user to fetch IP address enrichments from the remote Spur Context API using an existing Spur Context API access token.

For more information, or to download this Playbook, please visit the ThreatConnect GitHub.

This is a Playbooks-only enabled integration.

RSA Netwitness Platform - Respond SIEM & Analytics

The ThreatConnect integration with RSA Netwitness Platform – Respond is a series of Playbooks apps that allow users to build processes around incidents and alerts from the RSA Netwitness Platform.

This is a series of Playbooks-only enabled integrations which are currently available in the ThreatConnect App Catalogue.

Jira Service Desk Incident Response & Ticketing

This Playbook app provides a set of actions to Get, Create and Update Jira Issues and Service Desk Requests of any type as well as Add Attachments and Comments. These actions provide the key building blocks for automating cross-team processes within the Security organization wherever Jira is utilized.

This is a Playbooks-only enabled integration and is currently available in the ThreatConnect App Catalogue.

Jira Core Incident Response & Ticketing

This Playbook app provides a set of actions to Get, Create and Update Jira Issues and Service Desk Requests of any type as well as Add Attachments and Comments. These actions provide the key building blocks for automating cross-team processes within the Security organization wherever Jira is utilized.

This is a Playbooks-only enabled integration and is currently available in the ThreatConnect App Catalogue.

Polarity Enrichment & Analysis

With the Polarity-ThreatConnect integration, an analyst is made aware of threat information relevant to what they are currently working on, regardless of the application. In addition to reviewing threat intelligence information from the Overlay Window, analysts can also take actions on indicators, such as marking one as a false positive, changing its severity or confidence level, or editing its associated tags.

For more information or to download this integration, please visit the Polarity GitHub.

Recorded Future Intelligence Card Extension Threat Intelligence
Recorded Future

The Recorded Future Intelligence Card Extension for ThreatConnect allows users to expedite workflows by reviewing malicious indicators, identifying new intelligence, and providing insights into compromised credentials.

Please contact Recorded Future for more information about this integration.

Cybereason Endpoint Protection Platform Endpoint Detection & Response

This Component allows a user to retrieve reputation information from Cybereason for a specified Address, File, or Host IOC. The raw JSON API response is exposed as an output variable.

This is a Playbooks-only enabled integration.

Zscaler ZIA Network Security

ThreatConnect® and Zscaler® have partnered to provide users with multi-sourced, normalized and correlated threat intelligence from ThreatConnect for use within Zscaler Internet Access (ZIA). This integration enables security teams to proactively protect their network from today’s sophisticated attacks.

PolySwarm Malware Intelligence & Enrichment Enrichment & Analysis

PolySwarm’s integration with ThreatConnect’s SOAR Platform analyzes suspicious artifacts, at scale, millions of times per day. Get real-time threat intelligence from a crowdsourced network of security experts and antivirus companies.

Sixgill DarkFeed Threat Intelligence Threat Intelligence

Sixgill’s cyber threat intelligence solution focuses on customers’ intelligence needs, helping them mitigate risk to their organizations more effectively and more efficiently. Using an agile and automatic collection methodology, Sixgill provides broad coverage of exclusive-access deep and dark web sources, as well as relevant surface web sources. Sixgill utilizes artificial intelligence and machine learning to automate the production cycle of cyber intelligence from monitoring through extraction to production.

SlashNext Phishing Incident Response Playbook Incident Response & Ticketing

SlashNext threat detection uses browsers in a purpose-built cloud to dynamically inspect page contents and site behavior in real time. The SlashNext Phishing Incident Response Playbook app enables ThreatConnect SOAR users to fully automate analysis of suspicious URLs.

This is a Playbooks-only enabled integration.

Silobreaker Enrichment & Analysis

The Silobreaker Spaces App allows customers to quickly investigate indicators, threat actors, malware and numerous other entity types or topics from across more than a million different sources.

Bitdefender Advanced Threat Intelligence Threat Intelligence

The Bitdefender Advanced Threat Intelligence integration with the ThreatConnect® Platform allows users to import threat feeds and services into the Platform for triaging, managing, enriching and scoring data from a centralized location.

The solution delivers up-to-date, contextual intelligence on URLs, IPs, domains, certificates, files, Command and Control servers and Advanced Persistent Threats to Security Operation Centers (SOCs), Managed Security Service Providers (MSSPs), Managed Detection & Response (MDR) companies, IT security and investigation consultancy companies as well as large enterprises that need to block ingenious threats.

Infoblox Network Security
• Block Address With Infoblox: This Component will allow a user to add an IP address IOC to a specified Infoblox Response Policy Zone (RPZ) with the policy set to “Block IP Address”. The response HTTP status code and raw JSON API response are exposed as output variables.
• Block Host With Infoblox: This Component will allow a user to add a host IOC to a specified Infoblox Response Policy Zone (RPZ) with the policy set to “Block Domain Name”. The response HTTP status code and raw JSON API response are exposed as output variables.
These are Playbooks-only enabled integrations.
ServiceNow Security Operations Enrichment & Analysis

The ThreatConnect app for ServiceNow Security Operations provides Threat Lookup and Observable Enrichment capabilities against ThreatConnect intelligence and analytics collections. These features give analysts working inside ServiceNow the information they need to get relevant and actionable insights from intelligence sources within the ThreatConnect Platform.

ServiceNow Orchestration Orchestration

The ThreatConnect Activity Pack for ServiceNow Orchestration provides a set of activities that can be leveraged from ServiceNow Orchestration workflows to interact with ThreatConnect’s API and Playbooks. These activities provide a broad set of functionality that can be used for automating Threat Intel and SOC/IR processes.

Proofpoint ET Intelligence Reputation List Threat Intelligence

This runtime integration with Proofpoint ET Intelligence Reputation List allows users to ingest Address and Host based reputation lists as IOCs along with all available context from Proofpoint into the ThreatConnect Platform.

SlashNext Real-Time Phishing Threat Intelligence Threat Intelligence

This integration enables quick operationalization of SlashNext phishing threat intel feed to protect employees from zero-hour phishing threats. SlashNext phishing and C2 feeds inform threat hunting, enabling ThreatConnect users to identify more threats in network logs. 

SpyCloud Enrichment & Analysis

This SpyCloud Component allows a user to retrieve breach data for a given host, IP address, or email address from SpyCloud. All available data is parsed out and exposed as output variables. Additionally, the raw JSON API response is exposed as an output variable.

Fortinet FortiSIEM SIEM & Analytics

In FortiSIEM 5.2.4, users can download IOCs from ThreatConnect and receive alerts on matches in logs. Since ThreatConnect aggregates threat feeds from multiple sources, large numbers of automatically downloaded IOCs can cause false positives, increase processing needs, and fill storage.

This release also enables the user to mark a ThreatConnect IOC as a false positive. This action can be taken when an incident is triggered by a match on a ThreatConnect IOC and the user determines that it is a false positive.

This is a Partner Built & Supported integration.

OPSWAT MetaDefender Cloud Enrichment & Analysis

These Components allow users to retrieve enrichment information for OPSWAT MetaDefender Cloud. All available information returned from MetaDefender is parsed out and exposed as output variables in addition to the raw JSON API response.

Actions available in these Components are:

  • Get OPSWAT MetaDefender Cloud File Enrichment
  • Get OPSWAT MetaDefender Cloud File Scan History
  • Scan File with OPSWAT MetaDefender Cloud

These apps are Playbooks-only supported Components.

Joe Sandbox Malware Analysis
Joe Security

This app contains multiple actions for analyzing files and URLs as well as retrieving the results in various formats. In addition, this app returns the MITRE ATT&CK data from Joe Sandbox in the ThreatConnect tag format as an output variable, adding instant value when the results are saved in ThreatConnect and associated across the ATT&CK framework.

Actions available in this app include:

• Analyze File – Submit a binary file for analysis
• Analyze URL – Submit a URL for analysis
• Get Info – Get the raw and parsed Report details from a previous analysis
• Get Download – Download the analysis Report in HTML, JSON, or PDF format. Also, download the sample binary.

Bandura Cyber Threat Intelligence Gateway (TIG) Network Security
Bandura Cyber

The Bandura Cyber Threat Intelligence Gateway (TIG) is purpose-built to filter network traffic using massive volumes of third-party threat intelligence indicators. The Bandura Cyber ThreatConnect plug-in enables the Bandura Cyber TIG to automatically ingest, detect, and block malicious IP and domain indicators from the ThreatConnect Platform. The Bandura Cyber TIG enables ThreatConnect customers to detect and block threats on the network in an easier, more scalable, and automated way than can be done using existing network security controls like Next Generation Firewalls.

Microsoft Windows Remote Management Enrichment & Analysis
This integration allows users to run commands, PowerShell commands, and remote PowerShell scripts and leverage the power of the WinRM protocol from ThreatConnect Playbooks.
Some examples include:
• Execute an IR PowerShell script for collecting logs and artifacts from an endpoint under investigation
• Terminate a running process on a host
• List running processes or open network connections on a host
• Shutdown or restart a host
• Get a file from a host for further analysis
This is a Playbooks-only enabled integration.
Flashpoint Technical Indicators Threat Intelligence

ThreatConnect’s Flashpoint integration now includes Flashpoint’s Technical Indicators along with support for MITRE ATT&CK tags. With this latest release, joint customers will see Incidents and actionable Indicators associated with Reports in ThreatConnect, along with helpful context such as MITRE ATT&CK tags and scoring.

AlienVault ThreatCrowd Enrichment & Analysis
This Playbooks Component allows the user to retrieve enrichment information from ThreatCrowd for a given IP Address, Domain, Email Address, or File Hash. The API response is parsed and all values are exposed as output variables. Additionally, the raw JSON API response is exposed as an output variable.
This is a Playbooks-only enabled app.
AlienVault OTX Enrichment & Analysis

This Playbooks Component allows a user to retrieve enrichment information from AlienVault OTX for a given indicator. The raw JSON response is returned as well as the number of related Pulses along with their names and IDs.

This is a Playbooks-only enabled app.

Censys Enrichment & Analysis

This integration with Censys is a series of Playbooks Components that allow users to Create Censys Search and Get Censys Enrichment.

This is a Playbooks-only enabled app.

GreyNoise Enterprise Enrichment & Analysis

This integration with GreyNoise Enterprise is a series of Playbooks Enrichment Components that allow users to Create GreyNoise GNQL Query and Get GreyNoise Enterprise Enrichment.

This is a Playbooks-only enabled app.

Microsoft Azure Directory IT Infrastructure
This integration with Microsoft Azure Directory is a series of Playbooks Components that allow users to disable and enable Azure Active Directory Users via Microsoft’s Graph API. An additional Playbooks Component allows users to retrieve the details for a given Azure Active Directory User via Microsoft’s Graph API.
This is a Playbooks-only enabled app.
Microsoft Windows Defender ATP Enrichment & Analysis

This ThreatConnect Playbooks app allows Playbook users to list, add, update and remove indicators on WD ATP for alerting and blocking purposes.

This is a Playbooks-only enabled app.

Microsoft Graph Security API IT Infrastructure

This Microsoft Graph Security app enables ThreatConnect Playbook users to perform Get, Create, Update and Delete actions against the Graph Security TI API. This API is currently consumed by Microsoft Sentinel for alerting and monitoring.

This app requires v5.8 of ThreatConnect and is a Playbooks-only enabled app.

RiskIQ Enrichment & Analysis

This integration is a series of Components that allow users to submit a URL to RiskIQ’s Landing Page API endpoint as well as allow a user to create an event in RiskIQ’s Platform.

Exabeam Data Lake Enrichment & Analysis

This app is designed to allow you to query Address or Host IOCs in Exabeam’s Data Lake for matched events. This is useful when you would like to see whether a particular IOC has been active in your environment.

This integration was built and is supported by Exabeam.

Secureworks Attacker Database Threat Intelligence

Secureworks (NASDAQ: SCWX) is a leading global cybersecurity company that keeps organizations safe in a digitally connected world. We combine visibility from thousands of clients, artificial intelligence and automation from our industry-leading Secureworks Counter Threat Platform, and actionable insights from our team of elite researchers and analysts to create a powerful network effect that provides increasingly strong protection for our clients. By aggregating and analyzing data from any source, anywhere, we prevent security breaches, detect malicious activity in real time, respond rapidly, and predict emerging threats. We offer our clients a cyber-defense that is Collectively Smarter. Exponentially Safer.

Slack Incident Response & Ticketing

With this integration, users have the ability to send customizable messages and attachments to Slack via ThreatConnect.

This is a Playbooks-enabled integration.

Accenture iDefense IntelGraph Threat Intelligence

The Accenture iDefense® IntelGraph integration with ThreatConnect® allows customers to ingest the IntelGraph feed into ThreatConnect for analysis and response actions. The integration downloads the 21 Fundamentals, as well as Intel Alerts and Intel Reports, into ThreatConnect.

Booz Allen Hamilton Cyber4Sight Threat Intelligence
Booz Allen Hamilton

Cyber4Sight® delivers customers the comfort of knowing that our comprehensive and context-rich threat intelligence enables them with everything they need to prioritize strategic security decisions and to detect, understand, and mitigate risks.

With Cyber4Sight, you have the tools to react more swiftly to the biggest threats, better anticipate emerging ones, improve your decision-making and resource allocation, help you decrease risk, and better protect your enterprise. To learn more, visit

BAE Systems Threat Intelligence Threat Intelligence
BAE Systems

The ThreatConnect® integration with BAE Systems Threat Intelligence® enables ThreatConnect customers to import Events and Attributes from the BAE MISP instance into ThreatConnect as Incidents and Indicators (Address, Host, Email Address, URL, CIDR, File, ASN, and User Agent), respectively.

Carbon Black Cb Response Endpoint Detection & Response
Carbon Black

Cb Response is an industry-leading incident response and threat hunting solution designed for security operations center (SOC) teams. Cb Response continuously records and stores unfiltered endpoint data, so that security professionals can hunt threats in real time and visualize the complete attack kill chain. It leverages the Cb Predictive Security Cloud’s aggregated threat intelligence, which is applied to the endpoint activity system of record for evidence and detection of these identified threats and patterns of behavior.

RH-ISAC Threat Intelligence

The Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) is the cybersecurity community for all retailers and commercial services entities, connecting all aspects of consumer products, goods, and services industries throughout the ecosystem and supply chain. Forming a trusted arena for the sharing of critical strategic and tactical information between members and industry partners across the globe for the purpose of collaborative and innovative problem solving, the RH-ISAC is the information sharing source for cybersecurity risk management.

Recorded Future Enrichment & Analysis
Recorded Future

The Recorded Future Enrichment playbook app will accept address and host indicators and will query the Recorded Future Cyber API for enrichment. Returned data is passed to downstream playbook components in the form of output variables.

Recorded Future Risk List Threat Intelligence
Recorded Future

Recorded Future arms security teams with the only complete threat intelligence solution powered by patented machine learning to lower cyber risk. Our technology automatically collects and analyzes information from an unrivaled breadth of sources and provides invaluable context in real time, packaged for human analysis or integration with security technologies.

This Recorded Future Risk List integration takes advantage of new API endpoints and ingests the IP, Domain and Hash Risk Lists from Recorded Future into ThreatConnect as a source called “Recorded Future Risk List”. For more information, visit

Qualys Vulnerability Management

The Qualys Vulnerability Management integration compares CVE tags from sources in ThreatConnect and matches against Qualys scan results. Any matching unpatched vulnerabilities found within Qualys are associated with relevant intel in ThreatConnect. Additionally, tasks can be automatically created with necessary details for further action to be taken.

To learn more about Qualys, visit

Palo Alto Networks Wildfire Malware Analysis
Palo Alto Networks

This integration with Palo Alto Wildfire is available as a series of Playbook Apps and Templates.

With the Playbooks Apps and Templates, users are automatically able to take the following actions:

For more information about Palo Alto Wildfire, please visit:

This is a Playbooks-enabled integration.

ReversingLabs A1000 Malware Analysis

The A1000 Malware Analysis Platform supports advanced hunting and investigations through the TitaniumCore high-speed automated static analysis engine. It is integrated with file reputation services to provide in-depth rich context and threat classification on over 8 billion files and across all file types. The A1000 supports visualization, APIs for integration with automated workflows, a dedicated database for malware search, global and local YARA Rules matching, as well as integration with 3rd party sandbox tools.

This is a Playbooks-enabled integration.

ReversingLabs TiCloud Malware Analysis

ReversingLabs’ TitaniumCloud Reputation Services are powerful threat intelligence solutions with up-to-date threat classification and rich context on over 8 billion goodware and malware files. ReversingLabs does not depend on crowd-sourced collection but instead curates the harvesting of files from software vendors and diverse malware sources. All files are processed using unique ReversingLabs File Decomposition Technology, combined with other dynamic and detection information to provide industry reputation consensus. TitaniumCloud supports a powerful set of REST API query and feed functions that deliver targeted file and malware intelligence for threat identification, analysis, intelligence development and hunting.

This is a Playbooks-enabled integration.

RSA Archer Incident Response & Ticketing

This integration with RSA Archer is a series of Playbooks Apps and Templates. With these Playbooks, RSA Archer users can automatically take the following actions:

For more information about RSA Archer, please visit:

This is a Playbooks-enabled integration.

Palo Alto Networks NGFW Network Security
Palo Alto Networks

Palo Alto Networks is the next-generation security company, leading a new era in cybersecurity by safely enabling applications and preventing cyber breaches for tens of thousands of organizations worldwide. Built with an innovative approach and highly differentiated cyberthreat prevention capabilities, Palo Alto Networks’ game-changing security platform delivers security far superior to legacy or point products, safely enables daily business operations, and protects an organization’s most valuable assets.

Find out more at

Accenture Deepsight Intelligence Threat Intelligence

The ThreatConnect integration with Accenture’s DeepSight Intelligence leverages the information provided by the DeepSight feed. The integration allows customers to seamlessly analyze and act on Accenture DeepSight Advanced IP and Advanced Domain/URL Datafeeds inside ThreatConnect.

Tanium Connect Endpoint Detection & Response

The Tanium™ Connect™ Reputation Blacklist integration for ThreatConnect® enables the upload of File hashes in ThreatConnect to the Reputation Blacklist in Tanium Connect.

Tanium Threat Response Endpoint Detection & Response
This app allows users to deploy and delete Indicator and Signature Intel Packages to Tanium Threat Response with some additional customization options such as Package Name, Description, Author, etc.
The following actions are available:
  1. Deploy Indicator Intel Package
  2. Deploy Signature Intel Package
  3. Delete Intel Package
MISP Threat Intelligence

This MISP Import app integration enables ThreatConnect customers to run a scheduled import of MISP Events and Attributes into ThreatConnect as Incidents and Indicators (Address, Host, Email Address, and File), respectively.

McAfee ESM SIEM & Analytics

McAfee Enterprise Security Manager is a security information and event management (SIEM) solution that delivers actionable intelligence and integrations to prioritize, investigate, and respond to threats.

McAfee ATD Malware Analysis

McAfee Advanced Threat Defense enhances protection from network edge to endpoint and enables investigation.

This is a Playbooks-enabled integration.

Maltego Enrichment & Analysis

Maltego is a visual link analysis tool that, out of the box, comes with open source intelligence (OSINT) plugins – called transforms. The tool offers real-time data mining and information gathering as well as the representation of this information on a node-based graph, making patterns and multiple-order connections between said information easily identifiable.

Lastline Analyst Malware Analysis

Lastline Analyst™ provides your threat analysts and incident response teams with the advanced malware inspection and isolation environment they need to safely execute advanced malware samples and understand their behavior.

This integration allows users to identify threats and act on their threat intelligence by integrating Lastline technology with the ThreatConnect Threat Intelligence Platform.

This is a Playbooks-enabled integration.

King & Union Avalon Enrichment & Analysis
King & Union

King & Union is outsmarting cyber adversaries by uniting security professionals and amplifying the power of the cybersecurity analyst. The company’s flagship product, Avalon, is a threat analytics platform built with collaboration at its core. Avalon provides a dynamic workspace where security operators and analysts can lean in, cut through the noise, and reduce the time to address threats from hours to minutes. The platform provides access to exclusive data sources, automates repetitive workflows, and leverages real-time collaboration to deliver unparalleled insight and full context based on facts.

Learn more:

This integration was built and is supported by King & Union.

Intel 471 Threat Intelligence
Intel 471

Intel 471 provides an actor-centric intelligence collection capability for their customers. Their intelligence collection focuses on infiltrating and maintaining access to closed sources where threat actors collaborate, communicate and plan cyber attacks. Intel 471 is active in places where entry is highly guarded, such as underground marketplaces and chat rooms. The team is comprised of skilled and experienced professionals from intelligence services, military, law enforcement and private threat intelligence companies.

The mission of Intel 471 is to protect your organization, your products, your assets and your people.

IBM X-Force Enrichment & Analysis

IBM X-Force produces many thought leadership security research assets to help customers, fellow researchers and the public at large better understand the latest security risks, and stay ahead of emerging threats.

This is a Playbooks-enabled integration.

IBM QRadar SIEM & Analytics

IBM® QRadar® Security Information and Event Management (SIEM) helps security teams accurately detect and prioritize threats across the enterprise, and it provides intelligent insights that enable teams to respond quickly to reduce the impact of incidents. By consolidating log events and network flow data from thousands of devices, endpoints and applications distributed throughout your network, QRadar correlates all this different information and aggregates related events into single alerts to accelerate incident analysis and remediation. QRadar SIEM is available on premises and in a cloud environment.

Flashpoint Risk Intelligence Observables Threat Intelligence

Flashpoint illuminates the Deep and Dark Web. A pioneer in providing intelligence from these regions of the Internet, Flashpoint’s software and data services help companies, governments, and consumers enhance their cyber and physical security. The company’s unique blend of subject matter expertise and software engineering has changed the way meaningful and actionable intelligence is gleaned from the previously unmapped regions of the Internet.

For more information please go to:

FireEye Threat Intelligence Threat Intelligence

FireEye Threat Intelligence is forward-looking threat intelligence with highly contextual analysis. FireEye Threat Intelligence is unique in the industry, with more than 150 FireEye security researchers and experts around the globe applying decades of experience to gathering forward-looking, high-fidelity, adversary-focused intelligence. With an unmatched view into adversaries, victims and networks worldwide, FireEye Threat Intelligence delivers visibility across the extended cyber-attack lifecycle to all levels of your business.

FireEye Helix Incident Response & Ticketing

FireEye Helix is a cloud-hosted security operations platform that allows organizations to take control of any incident from alert to fix.

This is a Playbooks-enabled integration.

Fidelis Cybersecurity Network Network Security
Fidelis Cybersecurity

ThreatConnect® and Fidelis Cybersecurity have partnered to provide users with ThreatConnect intelligence for use within Fidelis Network™. This integration allows automatic synchronization of ThreatConnect indicators to Fidelis Network, enabling users to easily – and quickly – investigate current and historic network activity for the latest threats.

Farsight Security DNSDB Enrichment & Analysis
Farsight Security

Farsight offers the most comprehensive, searchable database of passive DNS record information for investigations and research. Security analysts, fraud investigators, Security Operations Center (SOC) and Incident Response (IR) teams use Farsight to investigate incidents and cybercrime, protect their assets and monitor online activity. Leveraging its superior telemetry data collection and processing capabilities, Farsight provides its clients with cloud-based, real-time network observability and reporting solutions.

Farsight also provides cyber situational awareness that helps organizations protect against attacks and know unknowns, in the form of newly observed domains, and loss of brand and reputational integrity. For further information, please visit

Dragos Worldview Threat Intelligence

Dragos WorldView™ threat intelligence feeds, alerts, reports, and briefings focus on Industrial Control Systems (ICS) threat intelligence, providing information and context that identify the malicious actors and activity targeting industrial control networks globally. The ThreatConnect® integration with Dragos WorldView allows ThreatConnect users to import Reports and Indicators, along with all of their context, from the Dragos WorldView API into ThreatConnect.

Dragos Platform Network Security

Dragos Security develops tools to enable the Industrial Control System and IT community, focusing on ICS and IoT cyber situational awareness. Dragos and ThreatConnect are partnering to combine threat intelligence with network collection, aggregation and analytics to provide customers with a real-time, relevant, and actionable feed of cyber events in ICS environments.

This integration is built and supported by Dragos. For questions about the integration, contact Dragos support. For more information about Dragos, please visit

DomainTools Enrichment & Analysis

DomainTools offers the most comprehensive searchable database of domain name registration, Whois records and hosting data for online investigations and research. Cyber security analysts, fraud investigators, domain professionals and marketers use DomainTools to investigate cybercrime, protect their assets and monitor online activity. DomainTools has 12 years of history on domain name ownership, Whois records, hosting data, screenshots and other DNS records. That’s why customers say, “Every online investigation starts with DomainTools.” DomainTools customers include many Fortune 1000 companies, leading vendors in the Security and Threat Intelligence community and most crime-fighting government agencies. Individual users can start with an online Free Trial available at

Enterprise accounts are available from

Crowdstrike Falcon Intelligence Threat Intelligence

The global CrowdStrike Falcon Intelligence™ team tracks adversaries of all types — nation-state, criminal, hacktivist — to provide the customized and actionable intelligence you need to stay ahead of disruptive threat actors targeting your organization.

Crowdstrike Falcon Host Endpoint Detection & Response

CrowdStrike is the leader in next-generation endpoint protection, threat intelligence and response services. CrowdStrike’s core technology, the CrowdStrike Falcon™ platform, stops breaches by preventing and responding to all types of attacks – both malware and malware-free. CrowdStrike has revolutionized endpoint protection by being the first and only company to unify three crucial elements: next-generation antivirus, endpoint detection and response (EDR), and a 24/7 managed hunting service — uniquely delivered via the cloud in a single lightweight sensor. Falcon uses the patent-pending CrowdStrike Threat Graph™ to analyze and correlate billions of events in real time, providing complete protection and five-second visibility across all endpoints. The company leads threat prevention with its potent combination of signature-less machine learning and behavioral-based analytics.

Cofense Intelligence Threat Intelligence

Cofense, formerly PhishMe, is the leading provider of human-driven phishing defense solutions worldwide. We deliver a collaborative approach to cybersecurity by enabling organization-wide engagement to active email threats. Our collective defense suite combines best-in-class incident response technologies with timely attack intelligence sourced from employees. Cofense solutions quickly mitigate the impacts from spear phishing, ransomware, malware, and business email compromise.

For more information about Cofense, please visit

To view or download this app, please visit our GitHub page here.

This integration was built and is supported by Cofense. 

Cisco Umbrella Investigate Enrichment & Analysis

Cisco Umbrella Investigate provides the most complete view of the relationships and evolution of Internet domains, IP addresses, and autonomous systems to pinpoint attackers’ infrastructures and predict future threats.

Cisco Umbrella Network Security

The Cisco Umbrella integration allows Host and URL Indicators in ThreatConnect to be added and removed from the Cisco Umbrella Platform over the Cisco Umbrella Enforcement API.

Cisco Threat Grid Malware Analysis

Threat Grid combines advanced sandboxing with threat intelligence into one unified solution to protect organizations from malware. With a robust, context-rich malware knowledge base, you will understand what malware is doing, or attempting to do, how large a threat it poses, and how to defend against it.

This is a Playbooks-enabled integration.

Cisco Firepower Management Center Network Security

Cisco Firepower Management Center is your administrative nerve center for managing critical Cisco network security solutions. It provides complete and unified management over firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection. Easily go from managing a firewall to controlling applications to investigating and remediating malware outbreaks.

Centripetal Networks Network Security
Centripetal Networks

Centripetal Networks Inc. is a cyber-security solutions provider specializing in Real-Time Active Network Defense. Centripetal has achieved several breakthroughs in the scale and speed of network protection. Centripetal’s RuleGate® product is the first and only system able to action threat indicators at scale, at full line-rate speed, and with agility. Threat intelligence can now directly drive an active cyber defense without negatively impacting network performance or user experience. Centripetal’s offering includes the RuleGate®, a unique ultra-high-performance network appliance; QuickThreat™, the industry’s first real-time threat visualization and analytics platform; and the Advanced Cyber Threat (ACT) service. Please visit

This integration was built and is supported by Centripetal Networks.

BluVector Cortex Network Security

BluVector is empowering security teams to get answers about real threats. Our next generation IDS is transforming how security teams gain situational awareness, detect, triage and respond to security events. To learn more, visit us at

This integration was built and is supported by BluVector.

Attivo Networks ThreatMatrix Deception
Attivo Networks

Attivo Networks® is an award-winning leader in deception-based threat detection. The Attivo ThreatMatrix™ platform provides in-network threat detection and continuous response using dynamically deployed deceptions, attack and attack path analysis, and automations for accelerated incident handling.

This integration was built and is supported by Attivo Networks.

ArcSight ESM SIEM & Analytics
Micro Focus

Micro Focus helps organizations run and transform their business through digital transformation. Our software provides the critical tools they need to build, operate, secure, and analyze their enterprise. By design, these tools bridge the gap between existing and emerging technologies – enabling faster innovation, with less risk, in the race to digital transformation.

Zerofox Threat Intelligence

ZeroFOX, the social media & digital security category leader, protects modern organizations from dynamic security, brand and physical risks across social, mobile, web and collaboration platforms. Using diverse data sources and artificial intelligence-based analysis, ZeroFOX protects modern organizations from targeted phishing attacks, credential compromise, data exfiltration, brand hijacking, executive and location threats and more. Recognized as a Leader in Digital Risk Protection by Forrester, the patented ZeroFOX SaaS platform processes and protects millions of posts, messages and accounts daily across the social and digital landscape, spanning LinkedIn, Facebook, Slack, Twitter, Instagram, Pastebin, YouTube, mobile app stores, the deep & dark web, domains and more.

To find out more information about ZeroFOX or to join our team, please visit:

Securonix SIEM & Analytics

Securonix is redefining the next generation of cyber-threat detection using the power of machine learning and big data. Our purpose-built security analytics solution uses machine learning to track and create baselines of user, account, and system behavior and detects the most advanced insider threats, cyber threats, and fraud activities in real time. Securonix extends threat detection with threat-hunting and automated incident response. SOC analysts can hunt across data sources, and respond with pre-built, automated playbooks. Globally, customers use Securonix to address their insider threat, cyber threat, cloud security, fraud, and application security monitoring requirements.

For more information, please visit:

This integration was built and is supported by Securonix.
Siemplify Orchestration

Siemplify provides a holistic Security Operations Platform that empowers security analysts to work smarter and respond faster. It uniquely combines security orchestration and automation with patented contextual investigation and case management to deliver intuitive, consistent and measurable security operations processes. By utilizing Siemplify with ThreatConnect, security teams are able to seamlessly integrate threat intelligence in security playbooks, enabling them to easily prioritize their workload, quickly understand intelligence-driven context, and provide feedback to ThreatConnect in order to fine-tune and enhance the accuracy of their intelligence. Learn more at

This integration was built and is supported by Siemplify.

Kaspersky Threat Intelligence

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at

This integration was built and is supported by Kaspersky.

IBM Resilient Incident Response & Ticketing

IBM Resilient Incident Response Platform (IRP) is the leading platform for orchestrating and automating incident response processes. IBM Resilient IRP quickly and easily integrates with your organization’s existing security and IT investments. It makes security alerts instantly actionable, provides valuable intelligence and incident context, and enables adaptive response to complex cyber threats.

The latest innovation to IBM Resilient IRP, Dynamic Playbooks, provides the agility, intelligence, and sophistication needed to contend with complex attacks.

This is a Playbooks-enabled integration.

DF Labs Incident Response & Ticketing
DF Labs

The integration will allow the DFLabs and ThreatConnect platforms to dynamically exchange data, providing customers with increased visibility to threats and the ability to effectively respond to incidents. With this integration, users will also be able to quickly integrate DFLabs’ IncMan™ with ThreatConnect and execute automated and semi-automated actions, from triage to enrichment, to remediation.

This integration is built and supported by DFLabs. For questions about the integration, please contact DFLabs support. For more information about DFLabs, visit

LogRhythm SIEM & Analytics

ThreatConnect® and LogRhythm® have partnered to enable users to detect and act on ThreatConnect intelligence in LogRhythm SIEM. With this integration, users are able to aggregate their internal logs and combine them with validated threat intelligence. This allows them to easily spot trends or patterns that are out of the ordinary and act on them efficiently.

For more information about LogRhythm, please visit

RSA NetWitness SIEM & Analytics

ThreatConnect is a software platform that unites your entire security team, your partners, and your industry peers together behind a cohesive, intelligence-driven defense. Working together in ThreatConnect, everyone benefits from the collective talents and knowledge of the group. By making ThreatConnect intelligence data available in RSA Security Analytics, you’re able to build processes to identify the most relevant threats, proactively protect your network, and quickly respond to incidents in a measurable way.

For more information, please visit:

Flashpoint Intelligence Reports Threat Intelligence

Flashpoint illuminates the Deep and Dark Web. A pioneer in providing intelligence from these regions of the Internet, Flashpoint’s software and data services help companies, governments, and consumers enhance their cyber and physical security. The company’s unique blend of subject matter expertise and software engineering has changed the way meaningful and actionable intelligence is gleaned from the previously unmapped regions of the Internet.

For more information please go to:

Digital Shadows Searchlight Threat Intelligence
Digital Shadows

Digital Shadows provides cyber situational awareness that helps organizations protect against cyber attacks, loss of intellectual property, and loss of brand and reputational integrity. Its flagship solution, Digital Shadows SearchLight™, is a scalable and easy-to-use data analysis platform that provides a holistic view of an organization’s digital footprint and the profile of its attackers. It is complemented with security analyst expertise to ensure extensive coverage, tailored intelligence and frictionless deployment. SearchLight continually monitors more than 100 million data sources in 27 languages across the visible, deep and dark web and other online sources to create an up-to-the minute view of an organization and the risks requiring mitigation. The company is jointly headquartered in London and San Francisco.

For more information, visit

VMRay Analyzer Malware Analysis

VMRay Analyzer’s hypervisor-based malware analysis offers best-in-class threat detection and mitigation capabilities. Its revolutionary 3rd generation technology analyzes any piece of malware, including the newest and most dangerous threats like 64-bit rootkits, quickly and reliably. And, unlike traditional malware analysis systems, VMRay Analyzer cannot be evaded. This is the only way to defend against today’s rapidly evolving threat landscape. Sophisticated analyses are generated at multiple abstraction levels and can easily be utilized by forensic specialists, non-security experts as well as business executives. Full Visibility. High Performance. Evasion-Proof.

Please visit for more information.

This is a Playbooks-enabled integration.

Tenable Vulnerability Management

Tenable Network Security, the leader in real-time vulnerability management, is relied upon by more than 17,000 organizations in over 100 countries, including the entire U.S. Department of Defense and many of the world’s largest companies and governments, to stay ahead of emerging vulnerabilities, threats and compliance-related risks. Its Nessus and SecurityCenter solutions continue to set the standard for identifying vulnerabilities, preventing attacks and complying with a multitude of regulatory requirements.

For more information, please visit

Splunk SIEM & Analytics

Splunk Inc. (NASDAQ: SPLK) provides the leading software platform for real-time Operational Intelligence. Splunk® software and cloud services enable organizations to search, monitor, analyze and visualize machine-generated big data coming from websites, applications, servers, networks, sensors and mobile devices. More than 8,400 enterprises, government agencies, universities and service providers in more than 100 countries use Splunk software to deepen business and customer understanding, mitigate cybersecurity risk, prevent fraud, improve service performance and reduce cost. Splunk products include Splunk® Enterprise, Splunk Cloud™, Hunk®, Splunk MINT Express™ and premium Splunk Apps. To learn more, please visit