Threat Intelligence Connectors
Threat intelligence connectors enable AI agents to enrich indicators of compromise, query threat feeds, correlate observables against known threat databases, and manage intelligence sharing workflows. These connectors are foundational to investigation and triage workflows, providing the context agents need to assess severity and attribution.
The majority of operations in this category are LOW risk, consisting of read-only lookups and enrichment queries. Write operations that create or modify threat intelligence indicators carry MEDIUM to HIGH risk.
| Connector | Operations | Risk Levels | Description |
|---|---|---|---|
| VirusTotal | 20 | LOW, MEDIUM | VirusTotal operations for file hash lookups, URL scanning, domain reports, IP address analysis, and behavior report retrieval |
| Recorded Future | 18 | LOW, MEDIUM | Recorded Future operations for intelligence card lookups, risk score queries, alert management, and threat map correlation |
| Mandiant | 16 | LOW, MEDIUM | Mandiant Threat Intelligence operations for indicator lookups, threat actor profiles, malware family queries, and campaign analysis |
| Shodan | 20 | LOW, MEDIUM | Shodan operations for host lookups, internet-wide search queries, DNS resolution, vulnerability exposure checks, and network scan results |
| GreyNoise | 16 | LOW, MEDIUM | GreyNoise operations for IP context lookups, RIOT dataset queries, mass scanner identification, and internet noise classification |
| MISP | 30 | LOW, MEDIUM, HIGH | MISP threat sharing platform operations for event management, attribute queries, galaxy cluster lookups, feed synchronization, and sharing group administration |
| ThreatConnect | 23 | LOW, MEDIUM, HIGH | ThreatConnect operations for indicator management, group administration, tag queries, playbook execution, and intelligence enrichment |
| Hunter.io | 18 | LOW, MEDIUM | Hunter.io operations for email address verification, domain search, email finder, and organization email pattern discovery |
| Censys | 20 | LOW, MEDIUM | Censys operations for host and certificate search, internet asset discovery, protocol exposure queries, and attack surface enumeration |