Accenture iDefense Intelligence Engine Integration User Guide
  • 30 Nov 2023
Software Version
This guide applies to the Accenture iDefense Intelligence Engine App version 2.0.x.

Overview

The ThreatConnect® integration with Accenture™ iDefense® ingests data from the Accenture iDefense intel collection into ThreatConnect for analysis and response actions. The integration downloads intel Indicators (Domain, File, IPv4, IPv6, and URL), Campaigns, Malware, Reports, Signatures (YARA), Threat Actors, Tools, and Vulnerabilities.

Accenture iDefense delivers data in the STIX™ 2.1 format via a TAXII™ 2.1 server.

Dependencies

ThreatConnect Dependencies

  • Active ThreatConnect Application Programming Interface (API) key
  • ThreatConnect instance with version 7.0 or newer installed
Note
All ThreatConnect dependencies will be provided by default to subscribing ThreatConnect Cloud customers. Customers on Dedicated Cloud and On-Premises instances can enable these settings on the Account Settings screen within their ThreatConnect instance.

Accenture iDefense Dependencies

  • Active subscription to Accenture iDefense with username and password credentials

Application Setup and Configuration

Installing the App

  1. Log into ThreatConnect with a System Administrator account.
  2. Install the Accenture iDefense Intelligence Engine App via TC Exchange™.
  3. Use the ThreatConnect Feed Deployer to set up and configure the Accenture iDefense Intelligence Engine App.

Configuration Parameters

Parameter Definitions

Table 1 defines the configuration parameters available when using the Feed Deployer to configure the App.

Table 1. Feed Deployer configuration parameters

Name | Description | Required?
Source Tab
Sources to Create | The name of the Source to be created. | Yes
Owner | The Organization in which the Source will be created. | Yes
Parameters Tab
Launch Server | Select tc-job as the launch server for the Service corresponding to the Feed API Service App. | Yes
Indicator Types | Select one or more Accenture iDefense Indicator types to ingest. Available choices: Indicator (Domain, IPV4, IPV6, URL); File MD5; File SHA-1; File SHA-256. | Yes
Group Types | Select one or more Accenture iDefense Group types to ingest. Available choices: Campaign; Malware; Report; Signature; Threat-Actor; Tool; Vulnerability. | Yes
Schedule Interval (Hours) | The number of hours between each scheduled update interval for the App. The default value is 1. | Yes
Variables Tab
Accenture iDefense Password | The Accenture iDefense account password. | Yes
Accenture iDefense Username | The Accenture iDefense account username. | Yes

Accenture iDefense Intelligence Engine

After successfully configuring and activating the Feed API Service, you can access the Accenture iDefense Intelligence Engine user interface (UI). This UI allows you to interact with and manage the Accenture iDefense integration.

Follow these steps to access the UI:

  1. Log into ThreatConnect with a System Administrator account.
  2. On the top navigation bar, hover over Playbooks and select Services. The Services tab of the Playbooks screen will be displayed.
  3. Locate the Accenture iDefense Intelligence Engine Feed API Service and then click the link in the Service’s API Path field. The DASHBOARD screen of the Accenture iDefense Intelligence Engine UI will open in a new browser tab.

The following screens are available in the Accenture iDefense Intelligence Engine UI:

  • DASHBOARD
  • JOBS
  • TASKS
  • DOWNLOAD
  • REPORT

DASHBOARD

The DASHBOARD screen (Figure 1) provides an overview of the total number of Indicators (Domain, File, IPv4, IPv6, and URL), Campaigns, Malware, Reports, Signatures (YARA), Threat Actors, Tools, and Vulnerabilities retrieved from Accenture iDefense. Depending on the data available to you, cards representing all or a subset of these object types will be displayed on the DASHBOARD screen.


Note
The numbers displayed on the DASHBOARD screen represent the count of threat intelligence objects that were processed by the App, including objects that were updated or processed again, and may not match the count of objects ingested into ThreatConnect.

JOBS

The JOBS screen (Figure 2) breaks down the ingestion of Accenture iDefense data into manageable Job-like tasks.


  • Job Type: If desired, select a Job type by which to filter Jobs. Available types include ad-hoc and scheduled.
  • Status: If desired, select a Job status by which to filter Jobs. Available statuses include the following:
    1. Download In Progress
    2. Download Complete
    3. Convert In Progress
    4. Convert Complete
    5. Upload In Progress
    6. Upload Complete
  • Request ID: If desired, enter text into this box to search for a specific Job by its request ID.
  • + Add Request: Click this button to display the ADD REQUEST window (Figure 4). On this window, you can specify the date range and object types for an ad-hoc Job request. After a Job request is added, it will be displayed in the table on the JOBS screen (Figure 2), and its Job type will be listed as ad-hoc.


TASKS

The TASKS screen (Figure 4) is where you can view and manage the Tasks for each Job.


DOWNLOADS

The DOWNLOADS screen (Figure 5) is where you can download data exactly as they appear in Accenture iDefense.


  • ID(s): Enter the Accenture iDefense ID(s) for the object(s) to download. Data will be retrieved in JavaScript® Object Notation (JSON) format.
  • Convert: Select this checkbox to convert the threat intelligence data to ThreatConnect batch format.
  • Enrich: Select this checkbox to submit the threat intelligence data to the ThreatConnect Batch API.

REPORTS

The REPORTS screen provides a BATCH ERRORS view (Figure 6) that displays batch errors for each request in a tabular format. Details provided for each error include the error’s code, message, and reason.


Data Mappings

The data mappings in Table 2 through Table 13 illustrate how data are mapped from Accenture iDefense API endpoints into the ThreatConnect data model.

IPv4

ThreatConnect object type: Address Indicator

Table 2. IPv4 data mapping

Accenture iDefense API Field | ThreatConnect Field
confidence | Threat Rating
created | Attribute: "External Date Created"
id | Attribute: "External ID"
labels | Tags
modified | Attribute: "External Date Modified"
name | IP Address
object_marking_ref/name | Security Labels
revoked | Indicator Status (set to active if revoked is false; set to inactive if revoked is true)

IPv6

ThreatConnect object type: Address Indicator

Table 3. IPv6 data mapping

Accenture iDefense API Field | ThreatConnect Field
confidence | Threat Rating
created | Attribute: "External Date Created"
id | Attribute: "External ID"
labels | Tags
modified | Attribute: "External Date Modified"
name | IP Address
object_marking_ref/name | Security Labels
revoked | Indicator Status (set to active if revoked is false; set to inactive if revoked is true)

URL

ThreatConnect object type: URL Indicator

Table 4. URL data mapping

Accenture iDefense API Field | ThreatConnect Field
confidence | Threat Rating
created | Attribute: "External Date Created"
id | Attribute: "External ID"
labels | Tags
modified | Attribute: "External Date Modified"
name | URL
object_marking_ref/name | Security Labels
revoked | Indicator Status (set to active if revoked is false; set to inactive if revoked is true)

Domain

ThreatConnect object type: Host Indicator

Table 5. Domain data mapping

Accenture iDefense API Field | ThreatConnect Field
confidence | Threat Rating
created | Attribute: "External Date Created"
id | Attribute: "External ID"
labels | Tags
modified | Attribute: "External Date Modified"
name | Host Name
object_marking_ref/name | Security Labels
revoked | Indicator Status (set to active if revoked is false; set to inactive if revoked is true)

File

ThreatConnect object type: File Indicator

Note
In ThreatConnect, a file may be represented by three hash algorithms: MD5, SHA1, and SHA256. When Accenture iDefense data is ingested into ThreatConnect, a separate File Indicator is created for each hash algorithm of the same file.

Table 6. File data mapping

Accenture iDefense API Field | ThreatConnect Field
confidence | Threat Rating
created | Attribute: "External Date Created"
id | Attribute: "External ID"
labels | Tags
modified | Attribute: "External Date Modified"
object_marking_ref/name | Security Labels
pattern | Hash Value
revoked | Indicator Status (set to active if revoked is false; set to inactive if revoked is true)
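The Indicator mappings above (IPv4, IPv6, URL, Domain and File) applied to a small constructed STIX 2.1 bundle, as an added illustration that is not part of this guide or the App's own code. It assumes the STIX objects carry the standard `pattern`, `revoked`, `labels` and `object_marking_refs` properties, resolves marking-definition ids to their names for Security Labels, emits one File Indicator per hash algorithm found in the pattern, and uses an illustrative output dict shape rather than ThreatConnect's real batch format.

```python
import re
# Constructed sample STIX 2.1 objects (not real iDefense data): one marking
# definition, a File indicator carrying two hashes, and a revoked Domain indicator.
SAMPLE_OBJECTS = [
    {"type": "marking-definition", "name": "TLP:AMBER",
     "id": "marking-definition--00000000-0000-4000-8000-0000000000aa"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-0000000000f1",
     "created": "2023-11-01T10:00:00.000Z", "modified": "2023-11-02T10:00:00.000Z",
     "confidence": 80, "revoked": False, "labels": ["malicious-activity"],
     "object_marking_refs": ["marking-definition--00000000-0000-4000-8000-0000000000aa"],
     "pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e' OR "
                "file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-0000000000d1",
     "created": "2023-10-01T00:00:00.000Z", "modified": "2023-11-05T00:00:00.000Z",
     "confidence": 50, "revoked": True, "labels": [], "object_marking_refs": [],
     "name": "example.invalid", "pattern": "[domain-name:value = 'example.invalid']"},
]

# STIX observable type in the pattern -> ThreatConnect Indicator type (per Tables 2 to 5)
TC_TYPE = {"domain-name": "Host", "ipv4-addr": "Address", "ipv6-addr": "Address", "url": "URL"}
HASH_RE = re.compile(r"file:hashes\.'?(MD5|SHA-1|SHA-256)'?\s*=\s*'([0-9a-fA-F]+)'")
OBS_RE = re.compile(r"^\[(domain-name|ipv4-addr|ipv6-addr|url):value")

def map_indicators(objects):
    """Apply the guide's Indicator field mappings (Tables 2 to 6) to STIX 2.1 objects.
    The returned dicts are an illustrative shape, not ThreatConnect's batch format."""
    # object_marking_ref/name -> Security Labels: resolve marking ids to their names
    markings = {o["id"]: o["name"] for o in objects if o["type"] == "marking-definition"}
    out = []
    for o in objects:
        if o["type"] != "indicator":
            continue
        common = {
            # confidence -> Threat Rating; the guide does not define the scale, so it is passed through
            "threatRating": o.get("confidence"),
            "tags": list(o.get("labels", [])),                                # labels -> Tags
            "securityLabels": [markings[m] for m in o.get("object_marking_refs", []) if m in markings],
            "status": "inactive" if o.get("revoked") else "active",           # revoked -> Indicator Status
            "attributes": {"External ID": o["id"], "External Date Created": o.get("created"),
                           "External Date Modified": o.get("modified")},
        }
        hashes = HASH_RE.findall(o.get("pattern", ""))
        if hashes:  # File: a separate File Indicator per hash algorithm (pattern -> Hash Value)
            for algo, value in hashes:
                out.append({"type": "File", "hashAlgorithm": algo, "summary": value.lower(), **common})
        else:       # Domain / IPv4 / IPv6 / URL: name -> Host Name / IP Address / URL
            m = OBS_RE.match(o.get("pattern", ""))
            out.append({"type": TC_TYPE.get(m.group(1)) if m else None, "summary": o.get("name"), **common})
    return out
```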

Threat Actor

ThreatConnect object type: Adversary Group

Table 7. Threat Actor data mapping

Accenture iDefense API Field | ThreatConnect Field
aliases | Attribute: "Alias"
confidence | Attribute: "Confidence"
created | Attribute: "External Date Created"
description | Description
external_references | Attribute: "External Reference"
first_seen | Attribute: "First Seen"
goals | Attribute: "Goal"
id | Attribute: "External ID"
labels | Tags
last_seen | Attribute: "Last Seen"
modified | Attribute: "External Date Modified"
name | Name/Summary
object_marking_ref/name | Security Labels
personal_motivations | Attribute: "Personal Motivation"
primary_motivation | Attribute: "Adversary Motivation Type"
resource_level | Attribute: "Resource Level"
roles | Attribute: "Role"
secondary_motivations | Attribute: "Secondary Motivation Type"
sophistication | Attribute: "Sophistication"
threat_actor_types | Attribute: "Threat Actor Type"

Malware

ThreatConnect object type: Malware Group

Table 8. Malware data mapping

Accenture iDefense API Field | ThreatConnect Field
aliases | Attribute: "Alias"
confidence | Attribute: "Confidence"
created | Attribute: "External Date Created"
description | Description
first_seen | Attribute: "First Seen"
id | Attribute: "External ID"
kill_chain_phases | Attribute: "Phase of Intrusion"
labels | Tags
last_seen | Attribute: "Last Seen"
modified | Attribute: "External Date Modified"
name | Name/Summary
object_marking_ref/name | Security Labels

Report

ThreatConnect object type: Report Group

Table 9. Report data mapping

Accenture iDefense API Field | ThreatConnect Field
confidence | Attribute: "Confidence"
created | Attribute: "External Date Created"
description | Description
id | Attribute: "External ID"
labels | Tags
modified | Attribute: "External Date Modified"
name | Name/Summary
object_marking_ref/name | Security Labels
object_refs/name | Tags
published | Published Date
report_type | Attribute: "Report Type"

Tool

ThreatConnect object type: Tool Group

Table 10. Tool data mapping

Accenture iDefense API Field | ThreatConnect Field
aliases | Attribute: "Alias"
confidence | Attribute: "Confidence"
created | Attribute: "External Date Created"
description | Description
id | Attribute: "External ID"
kill_chain_phases | Attribute: "Phase of Intrusion"
labels | Tags
modified | Attribute: "External Date Modified"
name | Name/Summary
object_marking_ref/name | Security Labels
tool_types | Attribute: "Tool Type"
tool_version | Attribute: "Tool Version"

Campaign

ThreatConnect object type: Campaign Group

Table 11. Campaign data mapping

Accenture iDefense API Field | ThreatConnect Field
aliases | Attribute: "Alias"
confidence | Attribute: "Confidence"
created | Attribute: "External Date Created"
external_reference | Attribute: "External Reference"
first_seen | Attribute: "First Seen"
id | Attribute: "External ID"
labels | Tags
last_seen | Attribute: "Last Seen"
modified | Attribute: "External Date Modified"
name | Name/Summary
object_marking_ref/name | Security Labels
objective | Attribute: "Campaign Objective"

Vulnerability

ThreatConnect object type: Vulnerability Group

Table 12. Vulnerability data mapping

Accenture iDefense API Field | ThreatConnect Field
confidence | Attribute: "Confidence"
created | Attribute: "External Date Created"
description | Description
id | Attribute: "External ID"
labels | Tags
modified | Attribute: "External Date Modified"
name | Name/Summary
object_marking_ref/name | Security Labels

Signature (YARA)

ThreatConnect object type: Signature Group

Table 13. Signature (YARA) data mapping

Accenture iDefense API Field | ThreatConnect Field
confidence | Attribute: "Confidence"
created | Attribute: "External Date Created"
description | Description
id | Attribute: "External ID"
kill_chain_phases | Attribute: "Phase of Intrusion"
labels | Tags
modified | Attribute: "External Date Modified"
name | Name/Summary
object_marking_ref/name | Security Labels
revoked | Attribute: "Active"

Frequently Asked Questions (FAQ)

How does the Accenture iDefense Intelligence Engine App differ from the Accenture iDefense IntelGraph Intelligence Engine App?

Accenture changed its intel delivery from IntelGraph to a TAXII 2.1 server solution. This means the integration's data are now formatted according to the STIX 2.1 standard.

Between the two Apps, users can expect differences in the data ingested by each one. These data differences, which are due to limitations of the STIX 2.1 data format, mean that there are fewer intel data points in Accenture's new implementation for intel delivery.

Accenture will end support of its iDefense IntelGraph solution on October 16, 2023. After the end-of-support date, the Accenture iDefense IntelGraph Intelligence Engine App will not be able to collect data from Accenture iDefense.


ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.
Accenture™ is a trademark of Accenture Global Services Limited.
iDefense® is a registered trademark of Accenture.
JavaScript® is a registered trademark of Oracle Corporation.
STIX™ and TAXII™ are trademarks of The MITRE Corporation.

30081-02 EN Rev. A