ThreatConnect 101
Intro: Platform Overview, Terminology & Logging In
This video provides an overview of the ThreatConnect platform, outlining key features for navigating and leveraging threat intelligence data, platform navigation, and dashboards.
Guide: Platform Overview, Terminology & Logging In
Before you start working in ThreatConnect, it helps to understand what a Threat Intelligence Platform (TIP) is, how to log in, and the core building blocks you'll see everywhere in the platform. This guide covers logging in, the dashboard, global search, the core object types, and a quick look at Playbooks, Workflows, TC Exchange, and account settings.
Key Steps:
- Go to your ThreatConnect login page. Enter your username and password, plus your MFA code if your organization has MFA configured. If your organization uses SSO, you'll be redirected to your SSO provider instead.
- After logging in, you'll land on a default dashboard (for example, a ransomware or threat actor tracking dashboard). Dashboards give you a quick view of the latest threats you need to review. You can change your default landing page at any time in Account Settings (see step 11).
- Locate the Search bar at the top of the screen. This is the fastest way to look something up — it searches across indicators, groups, and reports, and even the text inside uploaded PDFs and documents.
- Try a search; for example, type an actor name like “APT28.” The preview panel shows a short list of top matches, including intrusion set objects (threat actor profiles) and related intelligence reports.
- Click “View All Results” to see the full list. From here you can filter by object name, object type, or intelligence source (called an “owner” in ThreatConnect).
- Note the object type categories on the left sidebar — Cases, Indicators, Groups, and Tags. These are the core building blocks of everything in ThreatConnect (see “Good to know” below for what each one means).
- Click through a few Group objects to see the range of subtypes available — reports, campaigns, incidents, vulnerabilities, actor profiles, and more.
- At the top of the screen, navigate to Automations & Feeds → Playbooks for a quick look at ThreatConnect's custom integration and automation builder. This is covered in depth in a separate advanced session.
- Navigate to Tools → Workflow to see the case management interface, which lets teams combine manual and automated steps to standardize CTI, SOC, and IR processes.
- Located in the top right corner, navigate to Settings → TC Exchange → Catalog. Try searching for a common tool (for example, “Google”) to see the breadth of pre-built integrations available. It's worth checking here before building anything custom.
- Open My Account under settings to review your personal settings: display name, time zone, logout timeout, TQL timeout, MFA, and dark mode.
Good to know:
- If your instance looks empty when you first log in, it may be a new instance without feeds configured yet. Please reach out to support so we can help get you set up.
- “Owners” is the field that scopes your search results by intelligence source. If results ever look incomplete, check whether the right owners/sources are selected — this is one of the most common points of confusion.
- Indicators vs. Groups: an IP address is an indicator; the report that says an actor used that IP is a group. Indicators are atomic data points (IPs, hashes, domains, URLs) and have limited value on their own. Groups (reports, campaigns, incidents, vulnerabilities, actor profiles, ATT&CK techniques) provide the context that turns them into intelligence.
- Tags vs. Attributes: tags are simple metadata labels you can apply to any indicator, group, or case for fast filtering and automation triggers. Attributes are structured metadata fields (source, description, confidence). Both matter, but they serve different purposes.