Getting Started - FAQ

Overview

This page answers frequently asked questions about the Developer Partner Program.

Questions

General

  • Is the ThreatConnect Platform a TIP or a SOAR?

    • The ThreatConnect Platform is both a TIP and a SOAR. Depending on the type of integration you’re creating, you may interface with features that fall into one or both of these areas. Your ThreatConnect Solutions Engineer can guide you on this further based on your specific situation.

Threat Intelligence Feed Integrations

  • Is it possible to use a Playbook to ingest indicators from a Threat Intelligence source?

    • While this is possible, it is not recommended. We encourage keeping Playbook Apps short and simple so that the overall execution of a Playbook does not run long (5 minutes or less as a goal). Operations that require more execution time are best implemented as scheduled Jobs using a Runtime App.

  • I’m looking to provide Threat Intelligence data to the ThreatConnect Platform. How will users of your Platform identify that the data was provided by my organization?

    • Data within the ThreatConnect Platform is organized by Owners. For each Threat Intelligence Feed, a unique Owner (Source type) is typically created and all data provided by that feed is represented in the Platform by that Owner name.

  • I’m looking to provide Threat Intelligence data to the ThreatConnect Platform and want to make sure that my data will remain unique within the Platform. How do you ensure this?

    • Because data is separated into unique Owners, you control all of the data within the Owner associated with your Threat Intelligence Feed. Modifications to your data will typically take place by copying the Indicators you provide into another Owner and making the changes there.

  • I can contribute false-positive or whitelist data along with my feed. How should I add this to the ThreatConnect Platform?

    • At this time, we do not accept false-positive or whitelist data in a feed (where malicious data is provided) from Developer Partners. There are other options for handling this data, and your ThreatConnect Solutions Engineer can guide you on this further.