ThreatConnect Episode IV: A New Scope

What’s New in ThreatConnect 4.0?

A few months ago I was sitting with Wade, our VP of Strategy and Analytics, and Christine, our CMO, in a discussion on how we were going to talk about our latest release. Because of the company’s Star Wars fanboy/girl stance, the conversation naturally led into plays on that theme. ThreatConnect 4.0 became Episode IV. Naturally, due to the sweeping nature of the release and the new direction it signifies for the platform, it was termed “A New Scope.”

As proud of ourselves as we all are with our cleverness, the name actually is apt. We’ve taken TIP to the next level with this release. Let’s go through what we’ve done and how it can help you and your team.

Let the TI flow through you…yes, yes!


Threat Intelligence is a supporting function. That means threat intelligence doesn’t serve any purpose unless it is being applied to inform decisions; it serves the other functions of the security team. It should inform decisions for the SOC analyst and the Incident Responder, as well as the Risk team. Those decisions can be highly tactical, such as blocking a malicious website, or very strategic, such as aligning policies and staffing based on knowledge of a persistent threat’s intent and capability. So while it shouldn’t exist just for itself, it is like the Force: it has the potential to assist every aspect of your security practice. It should flow to each function within your security team (IR, SOC, and Risk) to help them operate smarter and more holistically.

Return on Investment for your Intelligence

Last month, Bhaskar gave you an introduction to the new dashboard that’s included with Episode IV. What’s most interesting about the new functionality here is that it allows you to differentiate, at a glance, the composition of the various intelligence sources you have access to within ThreatConnect.

You’ll see this mature even more with our forthcoming releases. As a matter of fact, ROI for Intel will be a recurring theme you will see with our “New Scope.”


Analysis Made Easier

We have made several improvements to make analysis easier and more powerful in the platform, including automated indicator enrichment with integrated apps, in-platform visualizations, and a cleaner, responsive UI design.

Interactive Enrichment Apps

We’ve created interactive apps to show context from our partners, such as OpenDNS. With our new OpenDNS Enrichment App, any user with an OpenDNS Investigate API key can pull relevant context on IP, Host, and URL indicators live from OpenDNS. Since our apps are context aware and interactive, you can not only see the context but also import relevant DNS resolutions or co-occurrences. This is just one example of the enrichment apps we have planned.



Visualization App

We now also have a quick way to visualize the relationships within ThreatConnect using our new visualization app. Here you can pivot from indicator to incident, email, threat, signatures, tags, and back as relevant to your investigation. You can also leverage context from our linked enrichment apps like the OpenDNS app.


New Look and Feel Responsive UI

We gave the UI a much-needed new look and feel, and with it a responsive design to make it friendlier to your mobile devices and tablets. This is just the beginning of our efforts in making ThreatConnect the easiest way to investigate, create, and make use of threat intelligence regardless of the source. You’ll see more visualizations and functions to make working in ThreatConnect a seamless experience for the threat intelligence Jedi Masters and Padawans alike.



New Spaces Application Feature

Last but certainly not least, ThreatConnect’s spaces feature is what really defines the new scope with this release. In the spirit of our true platform strategy, Episode IV gives our users the capability to use and create applications that create new UI elements inside of ThreatConnect. As a matter of fact, the interactive enrichment and visualization apps are all built using this underlying capability. Within the spaces feature you can create your own data visualizations, charts, graphics, or even your own dashboards, all leveraging our powerful API and our new JavaScript SDK.

While threat intelligence should be as powerful as the Force, it doesn’t need to be as mysterious. With Episode IV’s new capabilities we’re making threat intelligence more accessible to all security teams that recognize the need to defend their networks using intelligence on the bad guys. New visualizations, more enrichment, and better ways to measure the value of your intelligence are all focused on making threat intelligence easier to use for all. The best part is, you don’t have to wait two years to see the next episode. We’ll be back very soon to show you what we’re working on next.  

Check out more of ThreatConnect 4.0 in the “Episode IV” playlist on the ThreatConnect YouTube channel. And, while you are there, subscribe to the channel so you don’t miss all the other new things that are coming.

About the Author
Andy Pendergast

Andy is a community-respected analyst, innovator, and thought leader. He has over 15 years of experience working in the Intelligence and Computer Network Defense Communities from within the U.S. DoD and Fortune 500 companies. He brings his passion for intelligence-led defense to his role as Product Director for ThreatConnect. Andy is a co-founder of ThreatConnect, Inc. and is a co-author of “The Diamond Model for Intrusion Analysis”. Andy is a veteran of the U.S. Army, holds a Diploma in Chinese Mandarin and a Bachelor of Science from Excelsior University. He lives in Columbia, MD, where he regularly climbs rocks and enjoys getting Thai Dynamite Chicken with his wife and three children.