--- title: "Accenture iDefense Intelligence Engine Integration User Guide" slug: "accenture-idefense-intelligence-engine-integration-user-guide" description: "This article is a user guide for the Accenture iDefense Intelligence Engine integration with ThreatConnect." updated: 2023-11-30T18:10:00Z published: 2023-11-30T18:10:00Z canonical: "knowledge.threatconnect.com/accenture-idefense-intelligence-engine-integration-user-guide" --- > ## Documentation Index > Fetch the complete documentation index at: https://knowledge.threatconnect.com/llms.txt > Use this file to discover all available pages before exploring further. # Accenture iDefense Intelligence Engine Integration User Guide Software VersionThis guide applies to the **Accenture iDefense Intelligence Engine******App version 2.0.*x*. ## Overview The ThreatConnect® integration with Accenture™ iDefense® ingests data from the Accenture iDefense intel collection into ThreatConnect for analysis and response actions. The integration downloads intel Indicators (Domain, File, IPv4, IPv6, and URL), Campaigns, Malware, Reports, Signatures (YARA), Threat Actors, Tools, and Vulnerabilities. Accenture iDefense delivers data in the STIX™ 2.1 format via a TAXII™ 2.1 server. ## Dependencies ### ThreatConnect Dependencies - Active ThreatConnect Application Programming Interface (API) key - ThreatConnect instance with version 7.0 or newer installed NoteAll ThreatConnect dependencies will be provided by default to subscribing ThreatConnect Cloud customers. Customers on Dedicated Cloud and On-Premises instances can enable these settings on the **Account Settings** screen within their ThreatConnect instance. ### Accenture iDefense Dependencies - Active subscription to Accenture iDefense with username and password credentials ### Application Setup and Configuration ### Installing the App 1. Log into ThreatConnect with a System Administrator account. 2. Install the **Accenture iDefense Intelligence Engine**App via TC Exchange™. 3. Use the ThreatConnect Feed Deployer to [set up and configure](https://knowledge.threatconnect.com/docs/feed-api-services) the **Accenture iDefense Intelligence Engine**App. ## Configuration Parameters ### Parameter Definitions The parameters defined in Table 1 apply to the configuration parameters available when using the Feed Deployer to configure the App. | Name | Description | Required? | | --- | --- | --- | | **Source**Tab | | Sources to Create | The name of the Source to be created. | Yes | | Owner | The Organization in which the Source will be created. | Yes | | **Parameters**Tab | | Launch Server | Select **tc-job**as the launch server for the Service corresponding to the Feed API Service App. | Yes | | Indicator Types | Select one or more Accenture iDefense Indicator types to ingest. Available choices include the following: - Indicator (Domain, IPV4, IPV6, URL) - File MD5 - File SHA-1 - File SHA-256 | Yes | | Group Types | Select one or more Accenture iDefense Group types to ingest. Available choices include the following: - Campaign - Malware - Report - Signature - Threat-Actor - Tool - Vulnerability | Yes | | Schedule Interval (Hours) | The number of hours between each scheduled update interval for the App. The default value is **1**. | Yes | | **Variables**Tab | | Accenture iDefense Password | The Accenture iDefense account password. | Yes | | Accenture iDefense Username | The Accenture iDefense account username. | Yes | ## Accenture iDefense Intelligence Engine After successfully configuring and activating the [Feed API Service](https://knowledge.threatconnect.com/docs/feed-api-services), you can access the Accenture iDefense Intelligence Engine user interface (UI). This UI allows you to interact with and manage the Accenture iDefense integration. Follow these steps to access the UI: 1. Log into ThreatConnect with a System Administrator account. 2. On the top navigation bar, hover over **Playbooks**and select **Services.**The [**Services** tab of the **Playbooks** screen](https://knowledge.threatconnect.com/docs/playbook-services) will be displayed. 3. Locate the**Accenture iDefense Intelligence Engine**Feed API Service and then click the link in the Service’s **API Path**field. The **DASHBOARD**screen of the Accenture iDefense Intelligence Engine UI will open in a new browser tab. The following screens are available in the Accenture iDefense Intelligence Engine UI: - **DASHBOARD** - **JOBS** - **TASKS** - **DOWNLOAD** - **REPORT** ### DASHBOARD The **DASHBOARD**screen (Figure 1) provides an overview of the total number of Indicators (Domain, File, IPv4, IPv6, and URL), Campaigns, Malware, Reports, Signatures (YARA), Threat Actors, Tools, and Vulnerabilities retrieved from Accenture iDefense. Depending on the data available to you, cards representing all or a subset of these object types will be displayed on the **DASHBOARD**screen. ![Figure 2_Flashpoint Intelligence Engine Integration User Guide_Software Version 1.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%201_Accenture%20iDefense%20Intelligence%20Engine%20Integration%20User%20Guide_Software%20Version%202.0.png) NoteThe numbers displayed on the **DASHBOARD**screen represent the count of threat intelligence objects that were processed by the App, including objects that were updated or processed again, and may not match the count of objects ingested into ThreatConnect. ### JOBS The **JOBS**screen (Figure 2) breaks down the ingestion of Accenture iDefense data into manageable Job-like tasks. ![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%202_Accenture%20iDefense%20Intelligence%20Engine%20Integration%20User%20Guide_Software%20Version%201.0.png) - **Job Type:** If desired, select a Job type by which to filter Jobs. Available types include **ad-hoc**and **scheduled**. - **Status:**If desired, select a Job status by which to filter Jobs. Available statuses include the following: 1. Download In Progress 2. Download Complete 3. Convert In Progress 4. Convert Complete 5. Upload In Progress 6. Upload Complete - **Request ID:** If desired, enter text into this box to search for a specific Job by its request ID. - **+ Add Request**: Click this button to display the **ADD REQUEST**window (Figure 4). On this window, you can specify the date range and object types for an ad-hoc Job request. After a Job request is added, it will be displayed in the table on the **JOBS** screen (Figure 2), and its Job type will be listed as **ad-hoc**. ![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%203_Accenture%20iDefense%20Intelligence%20Engine%20Integration%20User%20Guide_Software%20Version%201.0.png) ### TASKS The **TASKS** screen (Figure 4) is where you can view and manage the Tasks for each Job. ![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%204_Accenture%20iDefense%20Intelligence%20Engine%20Integration%20User%20Guide_Software%20Version%201.0.png) ### DOWNLOADS The **DOWNLOADS**screen (Figure 5) is where you can download data exactly as they appear in Accenture iDefense. ![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%205_Accenture%20iDefense%20Intelligence%20Engine%20Integration%20User%20Guide_Software%20Version%201.0.png) - **ID(s)**: Enter the Accenture iDefense ID(s) for the object(s) to download. Data will be retrieved in JavaScript® Object Notation (JSON) format. - **Convert**: Select this checkbox to convert the threat intelligence data to ThreatConnect batch format. - **Enrich**: Select this checkbox to submit the threat intelligence data to the ThreatConnect Batch API. ### REPORTS The **REPORTS**screen provides a **BATCH ERRORS** view (Figure 6) that displays batch errors for each request in a tabular format. Details provided for each error include the error’s code, message, and reason. ![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%206_Accenture%20iDefense%20Intelligence%20Engine%20Integration%20User%20Guide_Software%20Version%201.0.png) ## Data Mappings The data mappings in Table 2 through Table 13 illustrate how data are mapped from Accenture iDefense API endpoints into the [ThreatConnect data model](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model). ### IPv4 ThreatConnect object type: Address Indicator | Accenture iDefense API Field | ThreatConnect Field | | --- | --- | | confidence | Threat Rating | | created | Attribute: "External Date Created" | | id | Attribute: "External ID" | | labels | Tags | | modified | Attribute: "External Date Modified" | | name | IP Address | | object_marking_ref/name | Security Labels | | revoked | Indicator Status (set to active if **revoked**is false; set to inactive if **revoked**is true) | ### IPv6 ThreatConnect object type: Address Indicator | Accenture iDefense API Field | ThreatConnect Field | | --- | --- | | confidence | Threat Rating | | created | Attribute: "External Date Created" | | id | Attribute: "External ID" | | labels | Tags | | modified | Attribute: "External Date Modified" | | name | IP Address | | object_marking_ref/name | Security Labels | | revoked | Indicator Status (set to active if **revoked** is false; set to inactive if **revoked** is true) | ### URL ThreatConnect object type: URL Indicator | Accenture iDefense API Field | ThreatConnect Field | | --- | --- | | confidence | Threat Rating | | created | Attribute: "External Date Created" | | id | Attribute: "External ID" | | labels | Tags | | modified | Attribute: "External Date Modified" | | name | URL | | object_marking_ref/name | Security Labels | | revoked | Indicator Status (set to active if **revoked** is false; set to inactive if **revoked** is true) | ### Domain ThreatConnect object type: Host Indicator | Accenture iDefense API Field | ThreatConnect Field | | --- | --- | | confidence | Threat Rating | | created | Attribute: "External Date Created" | | id | Attribute: "External ID" | | labels | Tags | | modified | Attribute: "External Date Modified" | | name | Host Name | | object_marking_ref/name | Security Labels | | revoked | Indicator Status (set to active if **revoked** is false; set to inactive if **revoked** is true) | ### File ThreatConnect object type: File Indicator NoteIn ThreatConnect, a file may be represented by three hash algorithms: MD5, SHA1, and SHA256. When Accenture iDefense data is ingested into ThreatConnect, a separate File Indicator is created for each hash algorithm of the same file. | Accenture iDefense API Field | ThreatConnect Field | | --- | --- | | confidence | Threat Rating | | created | Attribute: "External Date Created" | | id | Attribute: "External ID" | | labels | Tags | | modified | Attribute: "External Date Modified" | | object_marking_ref/name | Security Labels | | pattern | Hash Value | | revoked | Indicator Status (set to active if **revoked** is false; set to inactive if **revoked** is true) | ### Threat Actor ThreatConnect object type: Adversary Group | Accenture iDefense API Field | ThreatConnect Field | | --- | --- | | aliases | Attribute: "Alias" | | confidence | Attribute: "Confidence" | | created | Attribute: "External Date Created" | | description | Description | | external_references | Attribute: "External Reference" | | first_seen | Attribute: "First Seen" | | goals | Attribute: "Goal" | | id | Attribute: "External ID" | | labels | Tags | | last_seen | Attribute: "Last Seen" | | modified | Attribute: "External Date Modified" | | name | Name/Summary | | object_marking_ref/name | Security Labels | | personal_motivations | Attribute: "Personal Motivation" | | primary_motivation | Attribute: "Adversary Motivation Type" | | resource_level | Attribute: "Resource Level" | | roles | Attribute: "Role" | | secondary_motivations | Attribute: "Secondary Motivation Type" | | sophistication | Attribute: "Sophistication" | | threat_actor_types | Attribute: "Threat Actor Type" | ### Malware ThreatConnect object type: Malware Group | Accenture iDefense API Field | ThreatConnect Field | | --- | --- | | aliases | Attribute: "Alias" | | confidence | Attribute: "Confidence" | | created | Attribute: "External Date Created" | | description | Description | | first_seen | Attribute: "First Seen" | | id | Attribute: "External ID" | | kill_chain_phases | Attribute: "Phase of Intrusion" | | labels | Tags | | last_seen | Attribute: "Last Seen" | | modified | Attribute: "External Date Modified" | | name | Name/Summary | | object_marking_ref/name | Security Labels | ### Report ThreatConnect object type: Report Group | Accenture iDefense API Field | ThreatConnect Field | | --- | --- | | confidence | Attribute: "Confidence" | | created | Attribute: "External Date Created" | | description | Description | | id | Attribute: "External ID" | | labels | Tags | | modified | Attribute: "External Date Modified" | | name | Name/Summary | | object_marking_ref/name | Security Labels | | object_refs/name | Tags | | published | Published Date | | report_type | Attribute: "Report Type" | ### Tool ThreatConnect object type: Tool Group | Accenture iDefense API Field | ThreatConnect Field | | --- | --- | | aliases | Attribute: "Alias" | | confidence | Attribute: "Confidence" | | created | Attribute: "External Date Created" | | description | Description | | id | Attribute: "External ID" | | kill_chain_phases | Attribute: "Phase of Intrusion" | | labels | Tags | | modified | Attribute: "External Date Modified" | | name | Name/Summary | | object_marking_ref/name | Security Labels | | tool_types | Attribute: "Tool Type" | | tool_version | Attribute: "Tool Version" | ### Campaign ThreatConnect object type: Campaign Group | Accenture iDefense API Field | ThreatConnect Field | | --- | --- | | aliases | Attribute: "Alias" | | confidence | Attribute: "Confidence" | | created | Attribute: "External Date Created" | | external_reference | Attribute: "External Reference" | | first_seen | Attribute: "First Seen" | | id | Attribute: "External ID" | | labels | Tags | | last_seen | Attribute: "Last Seen" | | modified | Attribute: "External Date Modified" | | name | Name/Summary | | object_marking_ref/name | Security Labels | | objective | Attribute: "Campaign Objective" | ### Vulnerability ThreatConnect object type: Vulnerability Group | Accenture iDefense API Field | ThreatConnect Field | | --- | --- | | confidence | Attribute: "Confidence" | | created | Attribute: "External Date Created" | | description | Description | | id | Attribute: "External ID" | | labels | Tags | | modified | Attribute: "External Date Modified" | | name | Name/Summary | | object_marking_ref/name | Security Labels | ### Signature (YARA) ThreatConnect object type: Signature Group | Accenture iDefense API Field | ThreatConnect Field | | --- | --- | | confidence | Attribute: "Confidence" | | created | Attribute: "External Date Created" | | description | Description | | id | Attribute: "External ID" | | kill_chain_phases | Attribute: "Phase of Intrusion" | | labels | Tags | | modified | Attribute: "External Date Modified" | | name | Name/Summary | | object_marking_ref/name | Security Labels | | revoked | Attribute: "Active" | ## Frequently Asked Questions (FAQ) **How does the**Accenture iDefense Intelligence Engine **App differ from the**Accenture iDefense IntelGraph Intelligence Engine **App****?** Accenture changed its intel delivery from IntelGraph to a TAXII 2.1 server solution. This means the integration data are formatted with the STIX 2.1 standard format. Between the two Apps, users can expect differences in the data ingested by each one. These data differences, which are due to limitations of the STIX 2.1 data format, mean that there are fewer intel data points in Accenture's new implementation for intel delivery. Accenture will end support of its iDefense IntelGraph solution on October 16, 2023. After the end-of-support date, the **Accenture iDefense IntelGraph Intelligence Engine** App will not be able to collect data from Accenture iDefense. --- *ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc. Accenture™ is a trademark of Accenture Global Services Limited. iDefense® is a registered trademark of Accenture. JavaScript® is a registered trademark of Oracle Corporation. STIX™ and TAXII™ is a trademark of The MITRE Corporation.* 30081-02 EN Rev. A