Introduction
This article describes the Intelligence Card Extension for ThreatConnect. ThreatConnect, Inc. provides a proactive and efficient approach to security by enabling enhanced detection, shortened response, and reduced risk. Designed by analysts but built for the entire team (security operations, threat intelligence, incident response and security leadership), ThreatConnect’s intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics, and workflows in a single platform.
This extension requires a ThreatConnect API ID, API Secret, and ThreatConnect base URL to enable. The extension is available on IP intelligence cards, domain intelligence cards, URL intelligence cards, hash intelligence cards, and email address intelligence cards.
Use Cases
These are some examples of how you can use the Intelligence Card Extension for ThreatConnect to expedite workflows.
Reviewing Malicious Indicators
Recorded Future Intelligence Cards provide the context needed to decide whether to take action. When you are investigating a malicious indicator in Recorded Future, ThreatConnect is likely where your automation for prevention and detection actions runs. The Intelligence Card Extension for ThreatConnect retrieves the relevant ThreatConnect record so you can see whether the indicator has met the criteria of your automation playbooks. For example, you may have a playbook that blocks indicators from a particular Owner when the Confidence score is high. Because the Owner and Confidence are shown by the extension, you can quickly validate that you are protected. Having this information in a single pane of glass reduces the need to pivot back and forth between platforms.
Identifying New Intelligence
ThreatConnect can be configured to pull only the highest-validity intelligence, so it does not contain all Recorded Future intelligence. Potentially malicious indicators may not flow into ThreatConnect because of that configuration, and some of them may be of particular interest to you or your organization. The Intelligence Card Extension for ThreatConnect quickly tells you whether the indicator exists in your ThreatConnect instance. If it does not, that may be an indication that you need to import it manually.
Compromised Credentials
Recorded Future provides insight into compromised account emails identified in the wild. With one click on an Email Account Intelligence Card, the Intelligence Card Extension for ThreatConnect tells you whether a particular credential is already in your Threat Intelligence Platform. If you have a defined workflow in ThreatConnect for compromised credentials and the record does not exist, that may be an indication that you need to import it manually.
Supported Fields
The extension is available on IP intelligence cards, domain intelligence cards, URL intelligence cards, hash intelligence cards, and email address intelligence cards. The following fields are supported for enrichment from ThreatConnect:
- Owner Name
- Threat Assess Score
- Owner Confidence
- Owner Rating
- False Positive Count
- Last Modified on
- Link to ThreatConnect Portal
- All Owners
- Associated Groups
- Attributes
The default organization may not always have a record of the indicator. When this occurs, the extension displays the next available owner's record instead. Check the Owner Name field in that case, so that you do not mistake another owner's Confidence and Rating for your own organization's assessment.
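The two behaviours described above, the owner fallback and the "has this indicator met my playbook's criteria" check from the Reviewing Malicious Indicators use case, as an added example. This is not code from Recorded Future or ThreatConnect: the JSON layout, the owner names, the indicator and the blocking rule are all constructed for the example, and only the field names follow the extension's supported-field list.

```python
import json

# Constructed sample: one record per ThreatConnect owner that holds the
# indicator 198.51.100.23 (a documentation address). The field names mirror
# the extension's supported fields; the JSON layout is an assumption for this
# example, not ThreatConnect's documented response schema.
SAMPLE_RESPONSE = json.dumps({
    "data": [
        {
            "ownerName": "Partner Feed",
            "threatAssessScore": 310,
            "confidence": 40,
            "rating": 2.0,
            "falsePositiveCount": 3,
            "lastModified": "2024-03-01T09:15:00Z",
            "webLink": "https://yourbaseurlhere.com/example-link/198.51.100.23?owner=Partner+Feed",
            "associatedGroups": [],
            "attributes": {"Source": "partner export"},
        },
        {
            "ownerName": "Acme SOC",
            "threatAssessScore": 720,
            "confidence": 90,
            "rating": 4.5,
            "falsePositiveCount": 0,
            "lastModified": "2024-03-04T17:42:00Z",
            "webLink": "https://yourbaseurlhere.com/example-link/198.51.100.23?owner=Acme+SOC",
            "associatedGroups": ["Campaign: Example Phish Wave"],
            "attributes": {"Description": "C2 seen in phishing wave"},
        },
    ]
})


def parse_owner_records(raw_json):
    """Return the list of per-owner records from the (constructed) response."""
    return json.loads(raw_json).get("data", [])


def select_record(records, default_owner):
    """Prefer the default organization's record; otherwise fall back to the
    next available owner. Returns None when no owner holds the indicator,
    i.e. it is not in ThreatConnect at all."""
    for rec in records:
        if rec.get("ownerName") == default_owner:
            return rec
    return records[0] if records else None


def meets_block_rule(record, required_owner, min_confidence):
    """Hypothetical playbook gate: block only when the trusted owner rates the
    indicator at or above min_confidence and nobody has flagged it as a false
    positive. A fallback record from another owner never satisfies it."""
    if record is None:
        return False
    return (
        record.get("ownerName") == required_owner
        and record.get("confidence", 0) >= min_confidence
        and record.get("falsePositiveCount", 0) == 0
    )


def summarize(records, default_owner):
    """Build the card-style view: the selected owner's fields plus All Owners."""
    rec = select_record(records, default_owner)
    if rec is None:
        return {"inThreatConnect": False, "allOwners": []}
    return {
        "inThreatConnect": True,
        "ownerName": rec["ownerName"],
        "threatAssessScore": rec.get("threatAssessScore"),
        "ownerConfidence": rec.get("confidence"),
        "ownerRating": rec.get("rating"),
        "falsePositiveCount": rec.get("falsePositiveCount"),
        "lastModified": rec.get("lastModified"),
        "link": rec.get("webLink"),
        "allOwners": [r["ownerName"] for r in records],
        "associatedGroups": rec.get("associatedGroups", []),
        "attributes": rec.get("attributes", {}),
    }


if __name__ == "__main__":
    recs = parse_owner_records(SAMPLE_RESPONSE)
    # Default owner present: Acme SOC's record is shown and the rule passes.
    print(summarize(recs, "Acme SOC"))
    print("blocked:", meets_block_rule(select_record(recs, "Acme SOC"), "Acme SOC", 80))
    # Default owner absent: the card falls back to Partner Feed, and a
    # playbook keyed on Acme SOC must not treat that as "protected".
    print(summarize(recs, "Example Org")["ownerName"])
    print("blocked:", meets_block_rule(select_record(recs, "Example Org"), "Acme SOC", 80))
```

The point of keeping `meets_block_rule` separate from `select_record` is the caveat above: a fallback record carries another owner's Confidence and Rating, so the playbook check must compare the Owner Name rather than trusting whatever score the card happens to show.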
Configuration
Please see the Getting Started With Intelligence Card Extensions page if this is your first time configuring an Intelligence Card Extension. For configuration, please enter your:
- API ID
- API Secret
- Base URL
  - Public cloud, in the format https://yourbaseurlhere.com
  - Private / Dedicated cloud, in the format https://yourbaseurl.com/api
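How the three configuration values are used together, as an added example that is not part of this page or of the extension's own code. It normalizes the two Base URL styles listed above to one API prefix and builds the request authentication headers with the HMAC-SHA256 scheme documented for the ThreatConnect API (signature over `path:METHOD:timestamp`, sent as `Authorization: TC <API ID>:<signature>` plus a `Timestamp` header). The API ID, API Secret and the `v3/indicators` resource path are placeholders; confirm the endpoint against your own instance's API documentation before relying on it.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import urlsplit


def api_base(base_url):
    """Normalize the configured Base URL so both deployment styles yield the
    same prefix: public cloud is entered without /api, private/dedicated
    cloud is entered with /api already appended."""
    base = base_url.rstrip("/")
    if not base.endswith("/api"):
        base += "/api"
    return base


def endpoint_url(base_url, resource):
    """Join the normalized prefix with a resource path such as v3/indicators."""
    return f"{api_base(base_url)}/{resource.lstrip('/')}"


def signed_path(url):
    """The path and query string that the signature covers (host excluded)."""
    parts = urlsplit(url)
    return parts.path + (f"?{parts.query}" if parts.query else "")


def canonical_string(url, method, timestamp):
    """String to sign: <path?query>:<METHOD>:<unix timestamp>."""
    return f"{signed_path(url)}:{method.upper()}:{timestamp}"


def auth_headers(api_id, api_secret, url, method, timestamp=None):
    """Build the Authorization and Timestamp headers for one request.
    Binding the signature to the timestamp limits replay to the server's
    acceptance window, so the client clock must be reasonably accurate."""
    ts = str(int(time.time()) if timestamp is None else timestamp)
    message = canonical_string(url, method, ts).encode()
    digest = hmac.new(api_secret.encode(), message, hashlib.sha256).digest()
    signature = base64.b64encode(digest).decode()
    return {"Authorization": f"TC {api_id}:{signature}", "Timestamp": ts}


if __name__ == "__main__":
    # Placeholder credentials; in practice read the secret from an environment
    # variable or secret store and never log it.
    api_id, api_secret = "YOUR_API_ID", "YOUR_API_SECRET"
    # Both configured styles end up at the same kind of prefix.
    for base in ("https://yourbaseurlhere.com", "https://yourbaseurl.com/api"):
        url = endpoint_url(base, "/v3/indicators?tql=summary%3D%22198.51.100.23%22")
        print(url)
        print(auth_headers(api_id, api_secret, url, "GET"))
    # These headers are then passed to your HTTP client, e.g.
    # requests.get(url, headers=auth_headers(...)).
```

Note that `signed_path` derives the path from the full URL rather than from the resource string, so the `/api` segment is signed whether the user typed it into the Base URL (private cloud) or the code appended it (public cloud); signing the wrong path is the most common cause of a 401 from this kind of client.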