Loginsoft builds expertise in integrating Threat Intelligence sources into ThreatConnect (SOAR) platform

Loginsoft builds expertise in integrating Threat Intelligence sources into ThreatConnect (SOAR) platform

July 8, 2020
Profile Icon

Jason Franscisco

With both Security Orchestration Automation and Response (SOAR) and Threat Intelligence Platform (TIP) capabilities, ThreatConnect unites intelligence, automation, orchestration and response to enable organizations to be more predictive, proactive and efficient. ThreatConnect creates a holistic view with all the essential elements needed for a security operations team in one central platform, in order to gather information on threats and assist with the decision-making process.

Loginsoft developed On-demand enrichment App used for creating Playbooks which automates handling of virtually any action an analyst would want to take. Every playbook starts when an event is triggered.

Loginsoft used ThreatConnect's Exchange Framework to create this App. This Framework provides Built-in Python development to create an app, rather than having to spin up a development environment, dramatically reducing overhead. It is designed to run inside ThreatConnect, making it easier to create apps.

Loginsoft, a leading provider of cyber engineering services for Threat Intel Platform Companies has built the expertise in creating these Playbooks for ThreatConnect Users.

Integration Highlights:

1. Solution Discovery:

  • Loginsoft's expertise in analyzing different Source Feed API endpoint responses to create a Solution Design Document with Indicators such as Domain, IP as per ThreatConnect's design guidelines for On-Demand enrichment

2. Integration Development:

  • Develop Re-usable Python based Playbook Application that can be used for On-Demand Enrichment
  • This Python application will query the threat intelligence source endpoint based on the entity type (e.g. Domain, IP Address, Hash, URL and Email) selected by the user
  • JSON response returned by the threat intelligence source is passed to other playbook components for further processing
  • Complete Quality Assurance (QA) process
  • Create User Documentation
  • Package deliverables appropriately

3. Integration Vetting:

  • Integration is submitted to the ThreatConnect Solutions team for vetting. This includes review of the integration architecture, implementation, quality assurance plan and limited functional testing of any deliverables by ThreatConnect Solutions team

4. Integration Release:

  • Publish integration on ThreatConnect's GitHub repository

Here is a look inside ThreatConnect Platform to configure the Playbook using Python Application that calls the SOURCE API Enrichment endpoints like Whois, Dynamic DNS and Passive DNS.

1. Create a new Playbook

Create a new Playbook on ThreatConnect

2. Select Enrichment Type (e.g. Domain, IP Address, Hash, URL and Email)

Select Enrichment Type on ThreatConnect

3. Provide API Key for the Intelligence Source

Provide API Key for the Intelligence Source on ThreatConnect

4. Provide value for the selected Enrichment Type

Provide value for the selected Enrichment Type on ThreatConnect

Example: Playbook workflow diagram

ThreatConnect - Playbook Workflow Diagram

Explore Cybersecurity Platforms

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros.

Learn more
white arrow pointing top right

About Loginsoft

For over 16 years, leading companies in Telecom, Cybersecurity, Healthcare, Banking, New Media and more have come to rely on Loginsoft as a trusted resource for technology talent. Whether Onsite, Offsite, or Offshore, we deliver.

Loginsoft is a leading Cybersecurity services company providing Security Advisory Research to generate metadata for vulnerabilities in Open source components, Discovering ZeroDay Vulnerabilities, Developing Vulnerability Detection signatures using MITRE OVAL Language.

Expertise in Integrations with Threat Intelligence and Security Products, integrated more than 200+ integrations with leading TIP, SIEM, SOAR and Ticketing Platforms such as Cortex XSOAR, Anomali, ThreatQ, Splunk, IBM QRadar, IBM Resilient, Microsoft Azure Sentinel, ServiceNow, Swimlane, Siemplify, MISP, Maltego, Cryptocurrency APIs with Digital Exchange Platforms, CISCO, Datadog, Symantec, Carbonblack, F5, Fortinet and so on.

Interested to learn more? Let’s start a conversation.

Book a meeting


Latest Articles

Get practical solutions to real-world challenges, straight from experts who conquered them.

View all our articles

Sign up to our Newsletter