What is a Workflow in ThreatConnect?

Workflows Increase Efficiency and Accuracy During Analysis, Investigation, and Response

Workflow allows security teams to investigate, track, and collaborate on information related to threats and incidents with automated and manual tasks and standardized, consistent processes — all from a central location.

ThreatConnect’s combination of security orchestration, automation, and response (SOAR) and threat intelligence provides the ability to enhance human and machine-driven security processes with internal and external intelligence on threat actors, attack techniques using MITRE ATT&CK™, and traditional indicators of compromise.

Security team members using the ThreatConnect Platform now have a mechanism that correlates artifacts from an investigation to existing intelligence, as well as historical case data from past incidents and investigations. The Platform allows users not only to enrich cases with both internal and external threat intelligence, but also to generate intelligence from those cases, which can be used to enhance detection and prevention and to build out a library of relevant threats facing the organization. This leads to a more complete picture and better understanding of an organization’s own internal threats.

Our Workflow functionality reduces the risk of missing critical steps and relevant artifacts, and decreases the time it takes to uncover relevant intelligence.

Workflow lets analysts, security architects, and managers combine manual and automated operations to define consistent and standardized processes for your security teams:

  • Case management
  • Malware analysis
  • Phishing triage
  • Alert triage
  • Intel requirement development
  • Escalation procedures
  • Breach SOP
  • And much more!

Processes and procedures previously kept in binders (i.e., runbooks), case management tools, ticket systems (and just in your brain) can now all be codified in ThreatConnect. The artifacts from investigations can be promoted to threat intel. In fact, we’ve designed Workflow explicitly to reduce the time it takes to uncover relevant threat intel when working a case or investigation.

The combination of automation, orchestration, threat intelligence, and case management empowers your security team to:

  • Improve response times with consistent and documented processes
  • Reduce the risk of missing critical steps and relevant artifacts
  • Decrease the time it takes to uncover relevant threat intelligence
  • Maximize the amount of threat intelligence obtained from day-to-day operations
  • Assign Tasks to Specific Analysts or Playbooks

    Separate Workflows into manual or automatic tasks, including assigning the users responsible for completing them and determining requirements and dependencies.

  • Automate Task Completion and Artifact Creation

    Automatically complete Tasks with Playbooks and save any relevant information back to the Case as artifacts for further usage and analysis.

  • Completely Customizable Processes

    Design Workflow templates or leverage ThreatConnect-built templates, then import those templates into your organization’s instance for further customization and usage.

  • Correlate Cases to Historic Data and Patterns

    Categorize Cases with a Platform-wide tagging system to group similar Cases and related threat intelligence in ThreatConnect.