ThreatConnect 101
Intel Handling & Document Analysis
This video explores the document analysis feature in the platform that allows users to upload unstructured content and transforms it into structured intelligence - such as PDFs, text files, Word documents, PowerPoints, Excel files, or TXT files.
Guide: Intel Handling & Document Analysis
Intelligence doesn't always arrive as a clean feed, sometimes it's a PDF from an ISAC, a Word document from a partner agency, or a plain-text summary from a blog. This guide covers Document Analysis (Doc Analysis) which extracts structured intelligence (IOCs, threat actors, malware, CVEs, and MITRE ATT&CK techniques) from unstructured content and maps it into ThreatConnect's data model automatically.
Key Steps:
- Click the Upload button at the top right of the platform, then choose Document Parsing to open the upload wizard.
- Choose which owner from the pick list to store the uploaded intel in.
- Check mark to parse for groups, IOCs or both.
- Upload a file (TXT, PDF, Word, PowerPoint, and Excel are all supported) or paste text directly. You can optionally run find-and-replace to clean up any strings before processing, though common defanging formats (like brackets around IP address dots) are already handled automatically.
- Wait for processing, then review the extraction preview showing the full text pulled from your document.
- Use the checkboxes to select which identified objects to include (IOCs, CVEs, malware families, ATT&CK patterns, threat actors, and more). For IOCs, decide whether to mark any as Private - this prevents them from being shared back into CAL, which matters for sensitive internal indicators or tracked adversary infrastructure. This decision is difficult to undo after upload, so make the call before moving on. If ThreatConnect flags that a similar report already exists, check whether it already has the right associations before creating a duplicate.
- Configure upload defaults by applying a default description and source URL.
- Set a default Threat Rating (0–5) and Confidence Rating (0–100), a threat rating around 3 and confidence around 65 is a reasonable starting point if you're unsure.
- For domain/host indicators, optionally enable WHOIS and DNS monitoring so ThreatConnect continuously tracks infrastructure changes going forward (this requires an integration to be configured - check with your admin if it doesn't activate).
- For group objects, enable CAL descriptions to auto-populate rich descriptions and save time.
- Apply a TLP security label (for example, TLP:GREEN for public sources, TLP:AMBER/RED for more sensitive intelligence) and add tags that will apply to everything in this upload (for example, “weekly-roundup” or an incident name) so the whole batch is easy to find later.
- Leave auto-association enabled so uploaded groups and IOCs link to each other and to any existing related intelligence. This is difficult to rebuild manually if skipped.
- If you uploaded a file, enable Create Document to store the original file in ThreatConnect as a permanent source-of-truth reference. Add any additional manual associations if needed, then save.
- Navigate to Groups to review what was created. Select the source you uploaded to, and open the new Document object. From there you can view the original file, see the full Associations tab (attack patterns, vulnerabilities, intrusion sets, and more), and click into any uploaded IOC to see its Threat Assess Score and enrichment.
- Optionally, open the Threat Graph from the document object to visualize the full web of relationships created by the upload.
Good to know:
- NLP-based TTP inference is powerful. Doc Analysis can identify ATT&CK techniques even from plain-language descriptions that don't use explicit technique IDs but it isn't perfect. Review extracted TTPs before finalizing, especially for reports using loose or metaphorical language.
- Tagging uploads at ingestion time (for example, by campaign or reporting period) makes entire intelligence batches easy to retrieve later.