ThreatConnect
ThreatConnect is a Threat Intelligence Platform (TIP) that aggregates and operationalizes threat intelligence. You can bring group and indicator data from ThreatConnect into Brinqa to enrich your attack surface with threat-intelligence context, thus strengthening your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with ThreatConnect and how to obtain that information from ThreatConnect. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select ThreatConnect from the Connector dropdown. If you cannot find the connector in the dropdown, make sure that you have installed it first. You must provide the following information to authenticate ThreatConnect with Brinqa:
- Server URL: The ThreatConnect server URL.
- Access ID: The API Access ID associated with the ThreatConnect account, which must have permissions to access the API and return data.
- Secret Key: The API Secret Key associated with the Access ID.
The connector authenticates using HMAC-SHA256 request signing. It signs every API request with your Access ID and Secret Key, so no token exchange or session is required.
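The signing scheme described above, as an added example (this is not Brinqa's connector code). It follows ThreatConnect's publicly documented HMAC format, where the string `<path?query>:<METHOD>:<timestamp>` is signed and sent as `Authorization: TC <Access ID>:<signature>` with a `Timestamp` header. The credentials, the `resultLimit` query, the `verify_request` helper and the 300-second skew window are constructed or assumed for illustration.

```python
import base64
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumed replay window; confirm against your server


def sign_request(secret_key, method, path_and_query, timestamp):
    """base64(HMAC-SHA256(secret, "<path?query>:<METHOD>:<timestamp>"))."""
    message = f"{path_and_query}:{method.upper()}:{timestamp}".encode()
    digest = hmac.new(secret_key.encode(), message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def auth_headers(access_id, secret_key, method, path_and_query, timestamp=None):
    """Headers a client attaches to each request; nothing secret is sent."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    sig = sign_request(secret_key, method, path_and_query, ts)
    return {"Timestamp": str(ts), "Authorization": f"TC {access_id}:{sig}"}


def verify_request(headers, method, path_and_query, secrets, now=None):
    """Hypothetical server-side check: recompute the signature and compare."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["Timestamp"])
        scheme, credential = headers["Authorization"].split(" ", 1)
        access_id, sig = credential.split(":", 1)
    except (KeyError, ValueError):
        return False  # missing or malformed headers
    if scheme != "TC" or access_id not in secrets:
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale timestamp: a captured request cannot be replayed later
    expected = sign_request(secrets[access_id], method, path_and_query, ts)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), sig.encode())


if __name__ == "__main__":
    # Constructed sample credentials and query, not real values.
    path = "/api/v3/indicators?resultLimit=100"
    hdrs = auth_headers("1234567890", "constructed-secret", "GET", path)
    print(hdrs)
    print(verify_request(hdrs, "GET", path, {"1234567890": "constructed-secret"}))
```

Because the path, query string, method and timestamp are all covered by the signature, changing any of them in transit invalidates the request, and the Secret Key itself never leaves the client.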
Additional settings
The ThreatConnect connector contains additional options for specific configuration:
- Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.
- Parallel requests: The maximum number of parallel API requests. The default setting is the lesser of 4 or the number of available CPU cores.
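- Skip certificate verification: Select this option to accept untrusted TLS certificates. Only enable this for development or testing environments, because with verification skipped the connector no longer checks that it is talking to the genuine ThreatConnect server.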
Types of data to retrieve
The ThreatConnect connector can retrieve the following types of data from the ThreatConnect REST API:
Table 1: Data retrieved from ThreatConnect
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Group | No | Not mapped |
| Indicator | No | Not mapped |
The ThreatConnect connector does not currently support operation options for the types of data it retrieves.
For the connector objects that are not mapped, you must define the mappings yourself. See Data Consolidation for additional information.
For detailed steps on how to view the data retrieved from ThreatConnect in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
Group
Table 2: Group attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| GroupResource.assignments[].user.userName | ASSIGNED_TO |
| GroupResource.body | BODY |
| GroupResource.createdBy.userName | CREATED_BY |
| GroupResource.documentDateAdded | DOCUMENT_DATE_ADDED |
| GroupResource.documentType | DOCUMENT_TYPE |
| GroupResource.dueDate | DUE_DATE |
| GroupResource.escalated | ESCALATED |
| GroupResource.escalationDate | ESCALATION_DATE |
| GroupResource.eventDate | EVENT_DATE |
| GroupResource.fileName | FILE_NAME |
| GroupResource.fileSize | FILE_SIZE |
| GroupResource.fileText | FILE_TEXT |
| GroupResource.fileType | FILE_TYPE |
| GroupResource.firstSeen | FIRST_SEEN |
| GroupResource.from | FROM |
| GroupResource.status | GROUP_STATUS |
| GroupResource.type | GROUP_TYPE |
| GroupResource.header | HEADER |
| Generated (sync capture timestamp) | LAST_CAPTURED |
| GroupResource.name | NAME |
| GroupResource.overdue | OVERDUE |
| GroupResource.ownerName | OWNER |
| GroupResource.password | PASSWORD |
| GroupResource.publishDate | PUBLISHED_DATE |
| GroupResource.reminded | REMINDED |
| GroupResource.reminderDate | REMINDER_DATE |
| GroupResource.signatureDateAdded | SIGNATURE_DATE_ADDED |
| GroupResource.dateAdded | SOURCE_CREATED_DATE |
| GroupResource.lastModified | SOURCE_LAST_MODIFIED |
| GroupResource.subject | SUBJECT |
| GroupResource.id | UID |
| GroupResource.webLink | URL |
| GroupResource.xid | XID |
Indicator
Table 3: Indicator attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| IndicatorResource.active | ACTIVE |
| IndicatorResource.activeLocked | ACTIVE_LOCKED |
| IndicatorResource.address | ADDRESS |
| IndicatorResource.asNumber | AS_NUMBER |
| IndicatorResource.block | BLOCK |
| IndicatorResource.confidence | CONFIDENCE |
| IndicatorResource.description | DESCRIPTION |
| IndicatorResource.dnsActive | DNS_ACTIVE |
| IndicatorResource.associatedGroups[].id | GROUP_IDS |
| IndicatorResource.hashtag | HASHTAG |
| IndicatorResource.hostName | HOST_NAME |
| IndicatorResource.ip | IP |
| IndicatorResource.keyName | KEY_NAME |
| Generated (sync capture timestamp) | LAST_CAPTURED |
| IndicatorResource.md5 | MD5 |
| IndicatorResource.mutex | MUTEX |
| IndicatorResource.ownerName | OWNER |
| IndicatorResource.privateFlag | PRIVATE_FLAG |
| IndicatorResource.rating | RATING |
| IndicatorResource.sha1 | SHA1 |
| IndicatorResource.sha256 | SHA256 |
| IndicatorResource.size | SIZE |
| IndicatorResource.source | SOURCE |
| IndicatorResource.dateAdded | SOURCE_CREATED_DATE |
| IndicatorResource.lastModified | SOURCE_LAST_MODIFIED |
| IndicatorResource.subject | SUBJECT |
| IndicatorResource.summary | SUMMARY |
| IndicatorResource.text | TEXT |
| IndicatorResource.threatAssessConfidence | THREAT_ASSESS_CONFIDENCE |
| IndicatorResource.threatAssessRating | THREAT_ASSESS_RATING |
| IndicatorResource.threatAssessScore | THREAT_ASSESS_SCORE |
| IndicatorResource.type | TYPE |
| IndicatorResource.id | UID |
| IndicatorResource.userAgentString | USER_AGENT |
| IndicatorResource.valueName | VALUE_NAME |
| IndicatorResource.valueType | VALUE_TYPE |
| IndicatorResource.webLink | URL |
| IndicatorResource.whoisActive | WHO_IS_ACTIVE |
APIs
The ThreatConnect connector uses the ThreatConnect REST API v3. Specifically, it uses the following endpoints:
Table 4: ThreatConnect REST API Endpoints
| Connector Object | API Endpoint |
|---|---|
| Group | GET /api/v3/groups |
| Indicator | GET /api/v3/indicators |
Changelog
The ThreatConnect connector has undergone the following changes:
Table 5: ThreatConnect connector changelog
| Version | Description | Date Published |
|---|---|---|
| 3.0.0 | Improvements - Upgraded to the latest Brinqa connector framework, modernizing how ThreatConnect groups and indicators are modeled and synchronized. - Indicator records now include their 'associated group IDs' and 'ThreatAssess rating, confidence, and score', which were not previously retrieved from ThreatConnect. - Date fields (date added, last modified, first seen, event date, due/escalation/reminder dates, publish date, etc.) are now stored as proper timestamps rather than raw numbers, improving filtering and reporting. Bug Fixes - Group and indicator synchronization no longer fails when ThreatConnect returns a user record without an identifier (for example, on a group's 'created by' or an indicator's associated groups). Migration Required - 'Group' and 'Indicator': the attribute model has changed (date fields are now timestamps, the attribute set has been updated, and additional indicator data is captured). Re-sync both object types after upgrading so existing records pick up the new structure. | June 3rd, 2026 |