📔
Defense
  • Defense
  • Getting Started
    • Introductory Networking
      • Introduction
      • The OSI Model: An Overview
        • Answers
      • Encapsulation
        • Answers
      • The TCP/IP Model
        • Answers
      • Wireshark
        • Answers
      • Networking Tools - Ping
        • Answers
      • Networking Tools - Traceroute
        • Answers
      • Networking Tools - WHOIS
        • Answers
      • Networking Tools Dig
        • Answers
      • Further Reading
    • Network Services
      • Understanding SMB
        • Answers
      • Enumerating SMB
        • Answers
        • Untitled
      • Exploiting SMB
        • Answers
        • Untitled
      • Understanding Telnet
        • Answers
      • Enumerating Telnet
        • Answers
        • Untitled
      • Exploiting Telnet
        • Answers
        • Untitled
      • Understanding FTP
        • Answers
      • Enumerating FTP
        • Answers
        • Untitled
      • Exploiting FTP
        • Answers
        • Untitled
      • Expanding Your Knowledge
    • Network Services 2
      • Understanding NFS
        • Answers
      • Enumerating NFS
        • Answers
        • Untitled
      • Exploiting NFS
        • Answers
        • Untitled
      • Understanding SMTP
        • Answers
      • Enumerating SMTP
        • Answers
        • Untitled
      • Exploiting SMTP
        • Answers
        • Untitled
      • Understanding MYSQL
        • Answers
      • Enumerating MYSQL
        • Answers
        • Untitled
      • Exploiting MYSQL
        • Answers
        • Untitled
      • Further Learning
    • Wireshark 101
      • Introduction
      • Installation
      • Wireshark Overview
      • Collection Methods
      • Filtering Packets
      • Packet Dissection
      • ARP Traffic
        • Answers
      • ICMP Overview
        • Answers
      • TCP Traffic
      • DNS Traffic
        • Answers
      • HTTP Traffic
        • Answers
      • HTTPS Traffic
        • Answers
      • Analyzing Exploit PCAPS
      • Conclusion
    • !Intro to Windows
    • Active Directory Basics
      • Introduction
      • Physical Active Directory
        • Answers
      • The Forest
        • Answers
      • Users + Groups
        • Answers
      • Trusts + Policies
        • Answers
      • Active Directory Domain Services + Authentication
        • Answers
      • AD in the Cloud
        • Answers
      • Hands-On Lab
        • Answers
        • Untitled
      • Conclusion
    • !Windows Core Processes
    • !SysInternals
  • Threat and Vulnerability Management
    • !Nessus
      • Introduction
      • Installation
      • !Navigation and Scans
        • Answers
      • !Scanning
      • !Scanning a Web Application
    • MITRE
      • Introduction to Mitre
      • Basic Terminology
      • ATT&CK Framework
        • Answers
      • CAR Knowledge Base
        • Answers
      • Shield Active Defense
        • Answers
      • ATT&CK EmulationPlans
        • Answers
      • ATT&CK® and Threat Intelligence
        • Answers
      • Conclusion
    • Yara
      • Introduction
      • What is Yara?
        • Answers
      • Installing Yara (Ubuntu/Debian & Windows)
      • Deploy
      • Introduction to Yara Rules
      • Expanding on Yara Rules
      • Yara Modules
      • Other Tools and Yara
      • Using LOKI and its Yara rule set
        • Answers
        • Untitled
      • Creating Yara rules with yarGen
        • Answers
        • Untitled
      • Valhalla
        • Answers
      • Conclusion
    • Intro to ISAC
      • Introduction
      • Basic Terminology
      • What is Threat Intelligence?
      • What are ISACs?
      • Using Threat Connect to create a Threat Intel dashboard
      • Introduction to AlienVault OTX
      • Using OTX to gather Threat Intelligence
      • Creating IOCs
      • Investigating IOCs
        • Answers
    • Zero Logon
      • The Zero Day Angle
      • Impacket Installation
      • The Proof of Concept
        • Answers
      • Lab it up!
        • Answers
        • Untitled
    • !OpenVAS
    • !MISP
  • Security Operations and Monitoring
    • Splunk
    • Windows Event Logs
    • Sysmon
    • Suricata
    • Osquery
    • Graylog
    • OpenEDR
  • Threat Emulation
    • Attacktive Directory
    • Attacking Kerberos
    • Atomic Red Team
  • Incident Response and Forensics
    • Volatility
    • Forensics
    • Investigating Windows
    • Windows Forensics
    • Redline
    • Autopsy
  • Malware Analysis and Reverse Engineering
    • History of Malware
    • Malware Introductory
    • Researching
    • Strings
    • Basic Malware RE
    • REMnux: The Redux
    • Reversing .NET Apps
Powered by GitBook
On this page

Was this helpful?

  1. Threat and Vulnerability Management
  2. Intro to ISAC

Using Threat Connect to create a Threat Intel dashboard

PreviousWhat are ISACs?NextIntroduction to AlienVault OTX

Last updated 4 years ago

Was this helpful?

Threat Connect Overview

Threat Connect focuses more on the information and new developments within cybersecurity and the threat landscape and connecting the landscape with indicators. This intelligence can help your team make better-informed decisions on what to prioritize. Threat Connect would fall under the tactical type of threat intelligence.

There is a free and open-source version of Threat Connect available but if you were actually using this on a security team you would want to pay for access to the full platform. Threat Connect is a very large platform with many capabilities but we will only be using it to create our threat intel dashboard and gather indicators from other ISACs like AlienVault OTX. It is important to have multiple sources for the information or intelligence that you collect.

Sign up for a free ThreatConnect account here.

Creating a Threat Intel Dashboard

Straight out of the box Threat Connect comes with a pre-configured dashboard you can use, as well as 4 other more specific dashboards: Operations Dashboard, Source Analysis, OSINT Overview, and Covid-19 Related Activity.

We will only be covering the default dashboard in-depth but feel free to play with other dashboards as much as you want to get familiar with them as well as the other features ThreatConnect has.

Breaking Down the Dashboard

We can break up the various sections of the dashboard to make it more digestible and see what each section has to offer.

  • Top Sources by Observations

This section sorts observations or indicators by the owner or source of the observation. This is helpful to find reliable sources for intelligence as a majority of threat intel is community-driven.

  • Latest Intelligence

Gives the latest intelligence that has been reported to the platform. This can be helpful if you want to stay on top of the newest rising threats.

  • Top Sources by False Positives

Similar to the Top Sources by Observations this will sort the owners by who has the most false positives. This can be useful to stay away from indicator owners who generate a lot of false positives and their intel may not be as high quality.

  • Top Tags

This is a collection of the top tags used to categorize indicators. This can be useful to quickly find a topic or to identify trends within the threat landscape.

  • Indicator Breakdown

A breakdown of all of their intelligence combined and what indicators make up the platform. This is not super helpful for most applications as it only gives a brief overview of the platform as a whole.

For the most part, the other sections of the dashboard could be ignored as they are just overviews of what is on the platform rather than specific threat intelligence.

Custom Dashboards

You can use all of these various parts of the default dashboard to create your own personalized dashboard that fits your liking.

For example, this is part of the Operations Dashboard I like to use.

Note: Threat Connect can go far beyond your normal ISAC including Incident Response Playbooks, Graphs, etc. However, these features are only available in the paid version. Let's move on to using Alienvault to gather a collection of IOCs.