Loginsoft builds expertise in integrating Threat Intelligence sources into ThreatConnect (SOAR) platform

Introduction

Loginsoft’s experience in operationalizing multiple Threat Intelligence sources within the ThreatConnect (SOAR) platform. It explains how effective integration of threat intelligence is critical for automating security workflows, improving incident response, and enabling informed decision-making. The article focuses on how Loginsoft helps organizations streamline threat intelligence ingestion, correlation, and orchestration within ThreatConnect to enhance overall security operations.

Key Takeaways

• Loginsoft developed reusable Python-based On-Demand Enrichment Apps using ThreatConnect's Exchange Framework.
• Apps enable Playbooks for automating enrichment of entities like IP, Domain, URL, Hash, and Email.
• Integrations query threat intelligence sources and process JSON responses with full QA and documentation.
• Apps undergo ThreatConnect vetting and are published on GitHub for standardized SOAR enrichment.

With both Security Orchestration Automation and Response (SOAR) and Threat Intelligence Platform (TIP) capabilities, ThreatConnect unites intelligence, automation, orchestration and response to enable organizations to be more predictive, proactive and efficient. ThreatConnect creates a holistic view with all the essential elements needed for a security operations team in one central platform, in order to gather information on threats and assist with the decision-making process.

Loginsoft developed On-demand enrichment App used for creating Playbooks which automates handling of virtually any action an analyst would want to take. Every playbook starts when an event is triggered.

Loginsoft used ThreatConnect's Exchange Framework to create this App. This Framework provides Built-in Python development to create an app, rather than having to spin up a development environment, dramatically reducing overhead. It is designed to run inside ThreatConnect, making it easier to create apps.

Loginsoft, a leading provider of cyber engineering services for Threat Intel Platform Companies has built the expertise in creating these Playbooks for ThreatConnect Users.

Integration Highlights:

1. Solution Discovery:

• Loginsoft's expertise in analyzing different Source Feed API endpoint responses to create a Solution Design Document with Indicators such as Domain, IP as per ThreatConnect's design guidelines for On-Demand enrichment

2. Integration Development:

• Develop Re-usable Python based Playbook Application that can be used for On-Demand Enrichment
• This Python application will query the threat intelligence source endpoint based on the entity type (e.g. Domain, IP Address, Hash, URL and Email) selected by the user
• JSON response returned by the threat intelligence source is passed to other playbook components for further processing
• Complete Quality Assurance (QA) process
• Create User Documentation
• Package deliverables appropriately

3. Integration Vetting:

• Integration is submitted to the ThreatConnect Solutions team for vetting. This includes review of the integration architecture, implementation, quality assurance plan and limited functional testing of any deliverables by ThreatConnect Solutions team

4. Integration Release:

• Publish integration on ThreatConnect's GitHub repository

Here is a look inside ThreatConnect Platform to configure the Playbook using Python Application that calls the SOURCE API Enrichment endpoints like Whois, Dynamic DNS and Passive DNS.

1. Create a new Playbook

2. Select Enrichment Type (e.g. Domain, IP Address, Hash, URL and Email)

3. Provide API Key for the Intelligence Source

4. Provide value for the selected Enrichment Type

Example: Playbook workflow diagram

Conclusion

The blog demonstrates that integrating multiple Threat Intelligence sources into the ThreatConnect (SOAR) platform is essential for building mature, intelligence-driven security operations. Loginsoft’s expertise helps organizations transform raw threat data into automated, orchestrated actions that strengthen detection and response capabilities. By enabling efficient ingestion, correlation, and automation within ThreatConnect, Loginsoft supports faster decision-making and more resilient incident response processes.

FAQ

Q1. What are Threat Intelligence sources?

Threat intelligence draws from a wide array of sources to fuel proactive defense:

Internal: Firewall/network logs and SIEM data for organization-specific insights. Open-source (OSINT): social media, forums, blogs, plus platforms like CISA alerts, Abuse.ch, AlienVault OTX, PhishTank, and

MISP communities. In Commercial Premium feeds from providers like Recorded Future and ThreatConnect. For Specialized: Dark web monitoring and government agency reports.

Q2. What is the ThreatConnect (SOAR) platform?

ThreatConnect is a SOAR platform that enables organizations to centralize threat intelligence, automate workflows, and orchestrate incident response, which integrates tools, enriches threat context, automates responses, and streamlines workflows empowering teams to turn data into actionable decisions and stronger defenses.

Q3. Why is integrating threat intelligence into SOAR important?

Threat Intelligence (TI) provides the essential external context and actionable insights that enable SOAR to automate and accelerate the detection, investigation, and response to cyber threats effectively

Q4. How does Loginsoft support ThreatConnect integrations?

Loginsoft helps integrate multiple threat intelligence sources into ThreatConnect, ensuring proper normalization, correlation, and workflow automation.