30–60 Minutes

ThreatLens Core Quickstart

From zero to your first AI-augmented investigation.

The Goal

By the end of this guide, you will have:

  • connected one SIEM and one EDR,
  • ingested live alerts, and
  • generated your first Analyst-Grade Summary.

Prerequisites

You need Admin access to ThreatLens Core and API credentials for at least one SIEM (Splunk or Microsoft Sentinel) and one EDR (CrowdStrike or Microsoft Defender). Where the source product supports it, issue a dedicated service credential scoped to reading alerts and telemetry rather than reusing a personal or administrative key, so that a compromised integration secret cannot modify the source.

The Step-by-Step Walkthrough

Step 1: Create Workspace

Set up your ThreatLens Core environment.

Action:

  • Create Tenant (e.g., Acme-Prod)
  • Set Timezone
  • Enable Audit Logs

Step 2: Connect SIEM

Connect your primary data source for alerts.

Action:

Navigate to Integrations > SIEM. Enter your API credentials.

Success Signal: Incidents start arriving in the dashboard.

Step 3: Connect EDR

Add endpoint detection for context enrichment.

Action:

Navigate to Integrations > EDR, enter the EDR's API credentials, and click Test Connection.

Success Signal: Endpoint context links to SIEM alerts.

Step 4: Enable Intel

Activate threat intelligence for enrichment.

Action:

Enable Google TI or Microsoft TI.

Success Signal: Enrichment returns reputation scores.

Step 5: Run First Investigation

THE "AHA" MOMENT

Experience the power of AI-augmented analysis.

Action:

Open an alert → Click Analyze.

Result:

ThreatLens extracts entities, correlates signals, and maps to MITRE ATT&CK.
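To make the three stages named above concrete, here is an added, self-contained illustration of entity extraction, SIEM-to-EDR correlation, and ATT&CK mapping. It is not ThreatLens code and does not call the ThreatLens API; the alert, the EDR events, and the rule table are constructed for this example, and the ATT&CK rules are deliberately simplified stand-ins for whatever logic the product actually applies.

```python
import json
import re

# Constructed sample SIEM alert (not real data, not ThreatLens output).
SIEM_ALERT = {
    "id": "siem-0001",
    "host": "WS-FIN-07",
    "user": "ACME\\jdoe",
    "message": (
        "Proxy blocked outbound connection from 10.20.30.7 to 203.0.113.42 "
        "(host update.cdn-metrics.example); initiating process sha256 "
        "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b"
    ),
}

# Constructed EDR telemetry. Only the first event belongs to the alert's host.
EDR_EVENTS = [
    {
        "host": "WS-FIN-07",
        "parent": "WINWORD.EXE",
        "process": "powershell.exe",
        "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
        "sha256": "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b",
    },
    {   # unrelated host: must not be pulled into the investigation
        "host": "WS-HR-02",
        "parent": "explorer.exe",
        "process": "chrome.exe",
        "cmdline": "chrome.exe --profile-directory=Default",
        "sha256": "0" * 64,
    },
]

# Entity patterns. Order matters: IPs are extracted first so the domain
# pattern can be told to ignore dotted-quad values it would otherwise catch.
ENTITY_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}

# Illustrative rule table: (technique id, name, predicate over one EDR event).
# Written for this example only; these are not ThreatLens' mapping rules.
ATTACK_RULES = [
    ("T1059.001", "Command and Scripting Interpreter: PowerShell",
     lambda e: e["process"].lower() == "powershell.exe"),
    ("T1027.010", "Obfuscated Files or Information: Command Obfuscation",
     lambda e: "-enc" in e["cmdline"].lower().split()),
    ("T1204.002", "User Execution: Malicious File",
     lambda e: e["parent"].lower() in {"winword.exe", "excel.exe", "powerpnt.exe"}),
]


def extract_entities(text):
    """Pull IOC-style entities out of free text. Returns {kind: sorted list}."""
    found = {}
    for kind, pattern in ENTITY_PATTERNS.items():
        values = {m.group(0).lower() for m in pattern.finditer(text)}
        if kind == "domain":
            values -= set(found.get("ipv4", []))
        found[kind] = sorted(values)
    return found


def correlate(alert, edr_events):
    """Join EDR events to the alert on host name or on a shared file hash."""
    hashes = set(extract_entities(alert["message"])["sha256"])
    return [
        e for e in edr_events
        if e["host"].lower() == alert["host"].lower() or e["sha256"].lower() in hashes
    ]


def map_attack(events):
    """Return the sorted, de-duplicated ATT&CK techniques matched by any event."""
    techniques = {}
    for event in events:
        for tid, name, predicate in ATTACK_RULES:
            if predicate(event):
                techniques[tid] = name
    return sorted(techniques.items())


def analyze(alert, edr_events):
    """Assemble the summary an analyst reads: entities, linked telemetry, techniques."""
    related = correlate(alert, edr_events)
    return {
        "alert": alert["id"],
        "entities": extract_entities(alert["message"]),
        "related_hosts": sorted({e["host"] for e in related}),
        "related_processes": sorted({e["process"] for e in related}),
        "techniques": map_attack(related),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SIEM_ALERT, EDR_EVENTS), indent=2))
```

Two design points carry over to any real pipeline: correlation is keyed on the alert's own entities (host and hash) so unrelated telemetry is never shown next to the alert, and the technique table is data rather than code, so a reviewer can audit exactly which observation produced which ATT&CK claim in the summary.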

Validation Checklist

Confirm each milestone to complete your setup:

  • Workspace created with audit logs enabled.
  • SIEM connected: incidents are arriving in the dashboard.
  • EDR connected: endpoint context is linked to SIEM alerts.
  • Threat intelligence enabled: enrichment returns reputation scores.
  • First investigation run: Analyze produced extracted entities, correlated signals, and a MITRE ATT&CK mapping.

Next Steps