--- title: "Dataminr Pulse Alerts Engine Integration User Guide" slug: "dataminr-pulse-alerts-engine-integration-user-guide-1" description: "This article is a user guide for the Dataminr Pulse Alerts Engine App in ThreatConnect." tags: ["Dataminr"] updated: 2026-05-07T21:42:44Z published: 2026-05-07T21:42:44Z canonical: "knowledge.threatconnect.com/dataminr-pulse-alerts-engine-integration-user-guide-1" --- > ## Documentation Index > Fetch the complete documentation index at: https://knowledge.threatconnect.com/llms.txt > Use this file to discover all available pages before exploring further. # Dataminr Pulse Alerts Engine Integration User Guide NoteThis guide applies to the **Dataminr Pulse Alerts Engine** app version 2.0.5. ## Overview The **Dataminr Pulse Alerts Engine** [feed API service](https://knowledge.threatconnect.com/docs/feed-api-services) app unlocks the power of real-time alerting in ThreatConnect® by ingesting [Dataminr Pulse](https://www.dataminr.com/products/pulse/cyber-risk/) Cyber Alerts and converting them into actionable intelligence in ThreatConnect. The app ingests Cyber Alerts from Dataminr Pulse Alert Lists every 10 minutes and creates corresponding objects in ThreatConnect with select Dataminr Pulse metadata and AI-powered context: - Alerts are created as Event Groups in ThreatConnect. Intel Agent and Live Brief AI content from Dataminr Pulse are included as AI insights for the Event Group in ThreatConnect, with **Intel Agent** and **Live Brief** Tags added to Event Groups that have those respective AI content types. - Discovered Entities for Alert Intel Agents are created as Indicators (Address, Host, or URL) or Groups (Intrusion Set, Malware, or Vulnerability) associated to the Event Group corresponding to the ingested Alert. - Key Points for Alerts are created as Indicators (Address, ASN, File, Host, or URL) or Groups (Intrusion Set, Malware, or Vulnerability) associated to the Event Group corresponding to the ingested Alert. HintThreatConnect instances on version 7.12.1 or later include an out-of-the-box System-level dashboard, **Dataminr Dashboard – System**, that tracks and analyzes the Alert data delivered to ThreatConnect. When viewing this dashboard, make sure to select the Source ingesting data for the **Dataminr Pulse Alerts Engine** app in the **Owners** dropdown. Data from other owners are not displayed in this dashboard. ## Dependencies ### ThreatConnect Dependencies - Active ThreatConnect API key - ThreatConnect instance with version 7.11.2-M1218R or newer installedNoteCertain context-enriching elements captured in attributes will be limited or unavailable on ThreatConnect instances running on versions earlier than 7.12.3. NoteAll ThreatConnect dependencies will be provided by default to subscribing ThreatConnect Cloud customers. Customers on Dedicated Cloud and On-Premises instances can enable these settings on the **Account Settings** screen within their ThreatConnect instance. ### Dataminr Dependencies - Dataminr Pulse API public key - Dataminr Pulse API secret - (Optional) [Dataminr List IDs](https://knowledge.threatconnect.com/docs/dataminr-pulse-alerts-engine-integration-user-guide#dataminr-list-ids) - (Optional) [Dataminr Alert IDs](https://knowledge.threatconnect.com/docs/dataminr-pulse-alerts-engine-integration-user-guide#dataminr-alert-ids) - (Optional) Dataminr hydration endpoint configured to receive Vulnerability hydration dataNoteThe hydration endpoint provides Common Platform Enumeration (CPE) data for Vulnerabilities ingested from Dataminr. It requires a subscription. Please contact your Dataminr Customer Success representative for more information. #### Dataminr List IDs When configuring a deployment of the **Dataminr Pulse Alerts Engine** app to an Organization, you can specify Dataminr Pulse List IDs from which to ingest Alerts. Follow these steps to obtain a List ID in Dataminr Pulse: 1. Log into Dataminr Pulse. 2. Select an Alert from the List whose List ID you want to identify. 3. From the **Actions** dropdown, select **Email**. 4. In the **EMAIL CONTENT** section of the **Email alert** window, locate the **Link to Alert in Dataminr Pulse:** section. In the link, the List ID is the number between `#alertDetailWL/` and `/alertDetail`.ExampleIn `https://app.dataminr.com/#alertDetailWL/9999999/alertDetail/6/123456789012345678901234567890-1234567890-1`, the List ID is `9999999`. #### Dataminr Alert IDs When [downloading data for a single Alert from Dataminr Pulse to upload into ThreatConnect](https://knowledge.threatconnect.com/docs/dataminr-pulse-alerts-engine-integration-user-guide#download), you need to specify the ID of the Alert to download. Follow these steps to obtain an Alert ID in Dataminr Pulse: 1. Log into Dataminr Pulse. 2. Select an Alert from the List whose List ID you want to identify. 3. From the **Actions** dropdown, select **Email**. 4. In the **EMAIL CONTENT** section of the **Email alert** window, locate the **Link to Alert in Dataminr Pulse:** section. In the link, the Alert ID is the number after the last `/`character.ExampleIn `https://app.dataminr.com/#alertDetailWL/9999999/alertDetail/6/123456789012345678901234567890-1234567890-1`, the Alert ID is `123456789012345678901234567890-1234567890-1`. ## Application Setup and Configuration The **Dataminr Pulse Alerts Engine** app leverages the [Feed Deployer](https://knowledge.threatconnect.com/docs/the-feed-deployer) to create a [Source](https://knowledge.threatconnect.com/docs/ownership-in-threatconnect) for data ingestion from Dataminr Pulse in an Organization and to configure the corresponding [service](https://knowledge.threatconnect.com/docs/playbook-services)’s ingestion and authentication parameters. After you install the **Dataminr Pulse Alerts Engine** app on your ThreatConnect instance, you can deploy it to any Organization. It must be deployed separately for each Organization in which you want to create a Source for data ingestion and a corresponding service. ### Install the Dataminr Pulse Alerts Engine App Follow these steps to install the **Dataminr Pulse Alerts Engine** app on your ThreatConnect instance: 1. Log into ThreatConnect with a System Administrator account. 2. From the **Settings**![Settings icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Settings%20icon.png)menu on the top navigation bar, select **TC Exchange Settings**. 3. Select the **Catalog** tab on the **TC Exchange™ Settings** screen. 4. Locate the **Dataminr Pulse Alerts Engine** app on the **Catalog** tab. 5. Click **Install**![Install icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Plus%20icon_Dark%20blue.png)in the **Options** column for the app. 6. Click **INSTALL** in the app’s **Release Notes** window. 7. After you install the **Dataminr Pulse Alerts Engine** app, the [Feed Deployer](https://knowledge.threatconnect.com/docs/the-feed-deployer) opens automatically. Follow the procedure in the [“Deploy the Dataminr Pulse Alerts Engine App to an Organization”](https://knowledge.threatconnect.com/docs/dataminr-pulse-alerts-engine-integration-user-guide#deploy-the-dataminr-pulse-alerts-engine-app-to-an-organization) section to deploy the **Dataminr Pulse Alerts Engine** app to a Source in an Organization and configure the corresponding service. ### Deploy the Dataminr Pulse Alerts Engine App to an Organization Follow these steps to deploy the **Dataminr Pulse Alerts Engine** app to an Organization: NoteSkip to the fourth step in the procedure if you just [installed the **Dataminr Pulse Alerts Engine** app](https://knowledge.threatconnect.com/docs/dataminr-pulse-alerts-engine-integration-user-guide#install-the-dataminr-pulse-alerts-engine-app) and are already viewing the **Feed Deployer** window. 1. Log into ThreatConnect with a System Administrator account. 2. From the **Settings**![Settings icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Settings%20icon.png)menu on the top navigation bar, select **TC Exchange Settings**. 3. Locate the **Dataminr Pulse Alerts Engine** app on the **Installed** tab. Then select **Deploy** from the **Options** **⋮** dropdown. 4. Follow the instructions in Table 1 to fill out the fields in the **Feed Deployer** window for a deployment of the **Dataminr Pulse Alerts Engine**app. | Name | Description | Required? | | --- | --- | --- | | **Source**Tab | | Sources to Create | Enter the name of the Source for the feed.NoteUnless you are redeploying the feed to an existing Source in an Organization, the name of the Source must be unique on your ThreatConnect instance. It is recommended to add the Organization’s name to the end of the default Source name (e.g., **Dataminr Pulse Alerts Engine – Demo Organization**) for easy identification of the Source’s owner. | Required | | Owner | Select the Organization in which the Source will be created. | Required | | Activate Deprecation | Select this checkbox to allow [confidence deprecation](https://knowledge.threatconnect.com/docs/indicator-confidence-deprecation) rules to be created and applied to Indicators in the Source. | Optional | | Create Attributes | Select this checkbox to allow [custom attribute types](https://knowledge.threatconnect.com/docs/creating-custom-attribute-types) for the **Dataminr Pulse Alerts Engine**app to be created on the System level of your ThreatConnect instance.ImportantIt is recommended that you keep this checkbox selected. If you deselect it, data from the **Dataminr Pulse Alerts Engine** app mapped to those attribute types will not be ingested. | Optional | | **Parameters**Tab | | Launch Server | Select **tc-job** as the launch server for the feed API service. | Required | | Dataminr List IDs | Enter the [IDs for the Dataminr Pulse Cyber Alert Lists to ingest into ThreatConnect](https://knowledge.threatconnect.com/docs/dataminr-pulse-alerts-engine-integration-user-guide#dataminr-list-ids). If you leave this field blank, the app will ingest all Dataminr Pulse Cyber Alerts to which your Dataminr Pulse API account has access.NoteIf a List whose ID is entered in this field is deleted from Dataminr, the **Dataminr Pulse Alerts Engine** app may stop working. Please cross-check the available Alert Lists in Dataminr Pulse against the List IDs entered in this field to ensure uninterrupted ingestion from the app. | Optional | | Notification Digest Interval | Select the interval at which the **Dataminr Pulse Alerts Engine** app should send notifications about job failure outcomes to the [Notifications Center](https://knowledge.threatconnect.com/docs/notifications-and-following) for users who are members of the Source for the **Dataminr Pulse Alerts Engine** service. The dissemination of the notifications is determined by each user’s Notifications Center settings. | Required | | Notification Types | Select the notification types to include in the notification digest.NoteThe **App Startup** notification is sent only once, when the app is started for the first time. Selection of this option determines whether the initial digest sent to the Notifications Center will include a notification about successful app startup.NoteAll notifications about app functionality (startup, startup failure, and shutdown) and job failure outcomes (failure, retry, and recovery) are provided on the [**Notifications** screen](https://knowledge.threatconnect.com/docs/dataminr-pulse-alerts-engine-integration-user-guide#notifications) in the [service UI](https://knowledge.threatconnect.com/docs/dataminr-pulse-alerts-engine-integration-user-guide#dataminr-pulse-alerts-engine-ui). | Optional | | **Variables**Tab | | Dataminr API Public | Enter the Dataminr Pulse API public key. | Required | | Dataminr API Secret | Enter the Dataminr Pulse API secret. | Required | | **Confirm**Tab | | Run Feeds after deployment | Select this checkbox to run the **Dataminr Pulse Alerts Engine** service immediately after you click **DEPLOY** on the **Feed Deployer** window. | Optional | | Confirm Deployment Over Existing Source | This checkbox and a warning message are displayed on the **Confirm** tab if the Source name entered on the **Source** tab is already used by a Source owned by the selected Organization. To confirm redeploying the app to the existing Source, select the checkbox. This will activate the **DEPLOY** button. Otherwise, you must return to the **Source**tab and either change the Source name or select a different Organization.WarningWhen you redeploy a feed API service to a Source, existing data in the Source may be overwritten. Redeployment will also create a new service for the feed API service app. It is recommended that you delete the previous service for the feed API service app after the new one is created. | Optional | 5. Click **DEPLOY** on the **Confirm** tab of the **Feed Deployer** window to deploy the **Dataminr Pulse Alerts Engine** app in the Organization, which will create a Source for the feed in the Organization and a corresponding feed API service. ## Dataminr Pulse Alerts Engine UI After [installing](https://knowledge.threatconnect.com/docs/dataminr-pulse-alerts-engine-integration-user-guide#install-the-dataminr-pulse-alerts-engine-app) the **Dataminr Pulse Alerts Engine** app and [deploying it to an Organization](https://knowledge.threatconnect.com/docs/dataminr-pulse-alerts-engine-integration-user-guide#deploy-the-dataminr-pulse-alerts-engine-app-to-an-organization), you can access the **Dataminr Pulse Alerts Engine** UI, where you can manage data ingestion from Dataminr Pulse into the Source created in the Organization. Follow these steps to access the **Dataminr Pulse Alerts Engine** UI: 1. Log into ThreatConnect with a System Administrator account or a user account in the Organization with an [Organization role](https://knowledge.threatconnect.com/docs/organization-roles) of Organization Administrator. 2. From the **Automation & Feeds** dropdown on the top navigation bar, select **Services.** 3. Locate the row for the **Dataminr Pulse Alerts Engine**feed API service.HintSelect **Feed Service** from the **Service Type** dropdown at the upper right to filter the screen to show only feed API services. If there are multiple services for the **Dataminr Pulse Alerts Engine** app, you can identify the one configured for your Organization by clicking the row for a service to view its **Details** drawer, which includes an **Organization** field showing the Organization that owns the Source for that service. 4. Turn on the toggle in the **Enable** column if the service is not already enabled. 5. Click the link in the service’s **API Path** field to open the **Dataminr Pulse Alerts Engine** UI. The following screens are available in the **Dataminr Pulse Alerts Engine** service UI: - [**Dashboard**](https://knowledge.threatconnect.com/docs/dataminr-pulse-alerts-engine-integration-user-guide#dashboard) - [**Jobs**](https://knowledge.threatconnect.com/docs/dataminr-pulse-alerts-engine-integration-user-guide#jobs) - [**Tasks**](https://knowledge.threatconnect.com/docs/dataminr-pulse-alerts-engine-integration-user-guide#tasks) - [**Download**](https://knowledge.threatconnect.com/docs/dataminr-pulse-alerts-engine-integration-user-guide#download) - [**Batch Errors**](https://knowledge.threatconnect.com/docs/dataminr-pulse-alerts-engine-integration-user-guide#batch-errors) - [**Notifications**](https://knowledge.threatconnect.com/docs/dataminr-pulse-alerts-engine-integration-user-guide#notifications) - [**Attachment Status**](https://knowledge.threatconnect.com/docs/dataminr-pulse-alerts-engine-integration-user-guide#attachment-status) ### Dashboard The **Dashboard** screen provides an overview of the number of Cyber Alerts, categorized by Alert subtype, ingested from Dataminr Pulse. ### Jobs The **Jobs** screen breaks down the ingestion of Dataminr Pulse data into manageable job-like tasks, displaying all processes that are pending, in progress, complete, and failed. The **⋯** menu in a job’s row provides the following options: - **Details**: View details for the job, such as download, convert, and upload start and complete times and counts of downloaded and batched Groups and Indicators. - **Download Files**: Download metadata files for all jobs and data (convert, download, and upload) files for completed jobs. - **Batch Errors**: View errors that have occurred for the job on the [**Batch Errors**](https://knowledge.threatconnect.com/docs/dataminr-pulse-alerts-engine-integration-user-guide#batch-errors) screen. You can filter **Dataminr Pulse Alerts Engine** service jobs by the following elements: - **Job ID**: Enter text into this box to search for a job by its job ID. - **Job Type**: Select job types to display on the **Jobs** screen. - **Status**: Select job statuses to display on the **Jobs** screen. NoteThe **Add Job** button is grayed out because you cannot add ad-hoc jobs for the **Dataminr Pulse Alerts Engine** service in version 2.0.5. ### Tasks The **Tasks** screen displays all tasks that may be part of a job, including each step of the download, convert, and upload processes, as well as tasks for the **Dataminr Pulse Alerts Engine** service, such as monitor, scheduler, and cleaner. The current status (**Idle**, **Paused**, or **Running**), name, description, and heartbeat timeout length, in minutes, are displayed for each task. The **⋯** menu in a task’s row provides the following options, depending on the task’s status: - **Run** (idle and paused tasks only) - **Pause** (idle and running tasks only) - **Resume** (paused tasks only) - **Kill** (running tasks only) Under the table is a dashboard where you can view runtime analytics. ### Download The **Download** screen lets you download JavaScript® Object Notation (JSON) data for an Alert in Dataminr Pulse and then upload the data into ThreatConnect. Follow these steps to download JSON data for a Dataminr Pulse Alert on the **Download** screen and then upload the data into ThreatConnect: 1. **Alert ID**: Enter the [Alert ID](https://knowledge.threatconnect.com/docs/dataminr-pulse-alerts-engine-integration-user-guide#dataminr-alert-ids) for the Alert to download. 2. Click **Download**. The JSON data will be displayed in two columns: **Results** (raw JSON data) and **Converted** (JSON data in ThreatConnect batch format). 3. Click **Upload** to submit the converted threat intelligence data via the [ThreatConnect Batch API](https://docs.threatconnect.com/en/latest/rest_api/v2/batch_api/batch_api.html). ImportantYou cannot download data on the **Download** screen while a scheduled job for the **Dataminr Pulse Alerts Engine** app is running. This situation can easily occur, as the **Dataminr Pulse Alerts Engine** app runs about every 10 minutes. If you get the following error after clicking **Download**, wait a few minutes and try again: `HTTP ErrorDownload operation blocked: An automated download task is currently running. Please wait for the current download to complete before retrying.` ### Batch Errors The **Batch Errors** screen displays an overview of the batch error types that have occurred for job requests. You can enter keywords to filter by job ID. Select an error type to open a drawer containing a table with details on all batch errors of that type. You can enter keywords to filter by reason for error. ### Notifications The **Notifications** screen displays a table with details on notifications regarding app functionality and job failure outcomes for the **Dataminr Pulse Alerts Engine** service. ### Attachment Status The **Attachment Status** screen is not functional for services for version 2.0.5 of the **Dataminr Pulse Alerts Engine** app. ## Data Mappings The data mappings in Table 2 through Table 15 illustrate how data are mapped from Dataminr Pulse API endpoints to the [ThreatConnect data model](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model). ### Alert (Cyber) ThreatConnect object type: Event Group | Dataminr Pulse API Field | ThreatConnect Field | | --- | --- | | alertCompanies[].name | Attribute: "Company" | | alertId | Attribute: "External ID" | | alertReferenceTerms[].text | Attribute: "Alert Reference Term" | | alertSectors[].name | Attribute: "Industry" | | alertTimestamp | - Date Added - Last Modified - External Date Added - Event Date | | alertTopics[].id | Part of Attribute: "Description" | | alertTopics[].name | Attribute: "Alert Topic" | | alertType.name | Attribute: "Priority" | | assetsMatched.thirdPartyAssets[].name | Attribute: "3rd Party Asset" | | dataminrAlertUrl | Attribute: "Source" | | estimatedEventLocation.name | Attribute: "Location Name" | | estimatedEventLocation.coordinates[0] | Attribute: "Latitude" | | estimatedEventLocation.coordinates[1] | Attribute: "Longitude" | | estimatedEventLocation.probabilityRadius | Attribute: "Probability Radius" | | headline | Name/Summary | | intelAgents[].summary[].title | - AI insights - Attribute: "Additional Analysis and Context" | | intelAgents[].summary[].content[] | - AI insights - Attribute: "Additional Analysis and Context" | | linkedAlerts[].parentAlertId | Name/Summary of associated Event Group | | listsMatched[].id | Part of Attribute: "Description" | | listsMatched[].name | - Part of Attribute: "Description" - Attribute: "Alert List" | | listsMatched[].topicIds[] | Part of Attribute: "Description" | | listsMatched[].subType | - Part of Attribute: "Description" - Attribute: "Alert Rule" | | liveBrief[].timestamp | Attribute: "Additional Analysis and Context" | | liveBrief[].version | Attribute: "Additional Analysis and Context" | | liveBrief[].summary | - AI insights - Attribute: "Additional Analysis and Context" | | publicPost.timestamp | Part of Attribute: "Description" | | publicPost.href | Part of Attribute: "Description" | | publicPost.sourceName | - Part of Attribute: "Description" - Attribute: "Data Source Name" | | publicPost.expandedHref | - Part of Attribute: "Description" - Attribute: "Data Source URL" | | publicPost.channels[] | - Part of Attribute: "Description" - Attribute: "Source Channel" | | publicPost.media[].type | Part of Attribute: "Description" | | publicPost.media[].href | Part of Attribute: "Description" | | subHeadline.title | Part of Attribute: "Description" | | subHeadline.content[] | Part of Attribute: "Description" | | metadata.cyber.addresses[].ip | Name/Summary of associated Address Indicator | | metadata.cyber.asOrgs[].asn | Name/Summary of associated ASN Indicator | | metadata.cyber.hashValues[] | Name/Summary of associated File Indicator | | metadata.cyber.malware[].name | Associated Malware Group | | intelAgents[].discoveredEntities[].name intelAgents[].discoveredEntities[].type | Name/Summary of associated Intrusion Set, Malware, or Vulnerability Group or of associated Address, Host, or URL Indicator | | metadata.cyber.threatActors[].name | Name/Summary of associated Intrusion Set Group | | metadata.cyber.URL[].name | Name/Summary of associated Host or URL Indicator | | metadata.cyber.vulnerabilities[].id | Name/Summary of associated Vulnerability Group | ### Address From Intel Agent ThreatConnect object type: Address Indicator | Dataminr Pulse API Field | ThreatConnect Field | | --- | --- | | intelAgents[].discoveredEntities[].ip | Name/Summary | | intelAgents[].discoveredEntities[].CAL[].status | Attribute: "CAL Status" | | intelAgents[].discoveredEntities[].CAL[].score | Attribute: "CAL Score"NoteThis attribute, corresponding to the Indicator’s [CAL Global Threat Score](https://knowledge.threatconnect.com/docs/cal-global-threat-score), is populated based on rules set by Dataminr Pulse and may not be present for some Indicators. | | intelAgents[].discoveredEntities[].CAL[].classifiers[] | Attribute: "CAL Classifier" | | intelAgents[].discoveredEntities[].CAL[].impactFactors[] | Attribute: "CAL Impact Factor" | | intelAgents[].discoveredEntities[].geoIpMapping.city | Attribute: "IP Geo City" | | intelAgents[].discoveredEntities[].geoIpMapping.country | Attribute: "IP Geo Country" | | intelAgents[].discoveredEntities[].geoIpMapping.region | Attribute: "IP Geo State" | | intelAgents[].discoveredEntities[].ports[] | Tag: "Port: " | ### Address From Metadata ThreatConnect object type: Address Indicator | Dataminr Pulse API Field | ThreatConnect Field | | --- | --- | | metadata.cyber.addresses[].ip | Name/Summary | | metadata.cyber.addresses[].port | Tag: "Port: " | ### ASN From Metadata ThreatConnect object type: ASN Indicator | Dataminr Pulse API Field | ThreatConnect Field | | --- | --- | | metadata.cyber.asOrgs[].asn | Name/Summary | | metadata.cyber.asOrgs[].asOrg | Attribute: "ASN Host" | ### File From Metadata ThreatConnect object type: File Indicator | Dataminr Pulse API Field | ThreatConnect Field | | --- | --- | | metadata.cyber.hashValues[].type metadata.cyber.hashValues[].name | Name/Summary | ### Malware From Intel Agent ThreatConnect object type: Malware Group | Dataminr Pulse API Field | ThreatConnect Field | | --- | --- | | intelAgents[].discoveredEntities[].name | Name/Summary | | intelAgents[].discoveredEntities[].summary | Attribute: "Description" | | intelAgents[].discoveredEntities[].publishedDate | External Date Added | | intelAgents[].discoveredEntities[].affected OperatingSystems | Attribute: "Operating System" | | intelAgents[].discoveredEntities[].yaraRules[] | Part of Attribute: "Description" | | intelAgents[].discoveredEntities[].threatActors[].name | Name/Summary of associated Intrusion Set Group | ### Malware From Metadata ThreatConnect object type: Malware Group | Dataminr Pulse API Field | ThreatConnect Field | | --- | --- | | metadata.cyber.malware[].name | Name/Summary | ### Threat Actor From Intel Agent ThreatConnect object type: Intrusion Set Group | Dataminr Pulse API Field | ThreatConnect Field | | --- | --- | | intelAgents[].discoveredEntities[].name | Name/Summary | | intelAgents[].discoveredEntities[].summary | Attribute: "Description" | | intelAgents[].discoveredEntities[].publishedDate | External Date Added | | intelAgents[].discoveredEntities[].ttps[].techniqueId | [ATT&CK® Tag](https://knowledge.threatconnect.com/docs/attack-tags) | ### Threat Actor From Metadata ThreatConnect object type: Intrusion Set Group | Dataminr Pulse API Field | ThreatConnect Field | | --- | --- | | metadata.cyber.threatActors[].name | Name/Summary | | metadata.cyber.threatActors[].countriesOfOrigin[] | Attribute: "Source Geography" | | metadata.cyber.threatActors[].aliases[] | Attribute: "Aliases" | ### URL From Intel Agent ThreatConnect object type: Host or URL Indicator | Dataminr Pulse API Field | ThreatConnect Field | | --- | --- | | intelAgents[].discoveredEntities[].name | Name/Summary | | intelAgents[].discoveredEntities[].CAL[].status | Attribute: "CAL Status" | | intelAgents[].discoveredEntities[].CAL[].score | Attribute: "CAL Score"NoteThis attribute, corresponding to the Indicator’s [CAL Global Threat Score](https://knowledge.threatconnect.com/docs/cal-global-threat-score), is populated based on rules set by Dataminr Pulse and may not be present for some Indicators. | | intelAgents[].discoveredEntities[].CAL[].classifiers[] | Attribute: "CAL Classifier" | | intelAgents[].discoveredEntities[].CAL[].impactFactors[] | Attribute: "CAL Impact Factor" | | intelAgents[].discoveredEntities[].certificate.issuedDate | Attribute: "Certificate Issue Date" | | intelAgents[].discoveredEntities[].certificate.expirationDate | Attribute: "Certificate Expiration Date" | | intelAgents[].discoveredEntities[].certificate.issuedToCommonName | Attribute: "Certificate Issued To" | | intelAgents[].discoveredEntities[].certificate.issuedByCommonName | Attribute: "Certificate Issued By" | | intelAgents[].discoveredEntities[].certificate.issuedByOrg | Attribute: "Certificate Issued By Organization" | | intelAgents[].discoveredEntities[].domainRegistration.expirationDate | Attribute: "Registration Expiration Date" | | intelAgents[].discoveredEntities[].domainRegistration.creationDate | Attribute: "Registration Date" | | intelAgents[].discoveredEntities[].domainRegistration.registrarName | Attribute: "Registrar Name" | | intelAgents[].discoveredEntities[].domainRegistration.nameServers[] | Attribute: "Name Servers" | | intelAgents[].discoveredEntities[].domainRegistration.registrantEmail | Attribute: "Registrant Email" | ### URL From Metadata ThreatConnect object type: Host or URL Indicator | Dataminr Pulse API Field | ThreatConnect Field | | --- | --- | | metadata.cyber.URL[].name | Name/Summary | ### Vulnerability From Intel Agent ThreatConnect object type: Vulnerability Group | Dataminr Pulse API Field | ThreatConnect Field | | --- | --- | | intelAgents[].discoveredEntities[].name | Name/Summary | | intelAgents[].discoveredEntities[].summary | Attribute: "Description" | | intelAgents[].discoveredEntities[].publishedDate | External Date Added | | intelAgents[].discoveredEntities[].products[].productVendor intelAgents[].discoveredEntities[].products[].productName | Attribute: "Vulnerable Product" | | intelAgents[].discoveredEntities[].knownExploitedDate | Attribute: "Known Exploited Date" | | intelAgents[].discoveredEntities[].exploitPocLinks[] | Attribute: "Exploit POC Link" | | intelAgents[].discoveredEntities[].epssScore | Attribute: "EPSS Score" | | intelAgents[].discoveredEntities[].cvss | Attribute: "CVSS Base Score" | | intelAgents[].discoveredEntities[].exploitable | Attribute: "Has Exploit" | ### Vulnerability From Metadata ThreatConnect object type: Vulnerability Group | Dataminr Pulse API Field | ThreatConnect Field | | --- | --- | | metadata.cyber.vulnerabilities[].id | Name/Summary | | metadata.cyber.vulnerabilities[].publishedDate | External Date Added | | metadata.cyber.vulnerabilities[].products[].productVersion metadata.cyber.vulnerabilities[].products[].productVendor metadata.cyber.vulnerabilities[].products[].productName | Attribute: "Vulnerable Product" | | metadata.cyber.vulnerabilities[].knownExploitedDate | Attribute: "Known Exploited Date" | | metadata.cyber.vulnerabilities[].exploitPocLinks[] | Attribute: "Exploit POC Link" | | metadata.cyber.vulnerabilities[].epssScore | Attribute: "EPSS Score" | | metadata.cyber.vulnerabilities[].cvss | Attribute: "CVSS Base Score" | ### Vulnerability From the Hydration Endpoint ThreatConnect object type: Vulnerability Group NoteVulnerability data from the hydration endpoint are available only for users with a subscription to this endpoint. Please contact your Dataminr Customer Success representative for more information. | Dataminr Pulse API Field | ThreatConnect Field | | --- | --- | | items.cpes | Attribute: "CPE" | | items.id | Name/Summary | ## Frequently Asked Questions (FAQ) **When does ThreatConnect start ingesting data from Dataminr Pulse?** If you select the **Run Feeds After Deployment** checkbox in the Feed Deployer when [deploying the **Dataminr Pulse Alerts Engine** app to an Organization](https://knowledge.threatconnect.com/docs/dataminr-pulse-alerts-engine-integration-user-guide#deploy-the-dataminr-pulse-alerts-engine-app-to-an-organization), ThreatConnect will ingest Dataminr Pulse data once you click **DEPLOY**, with the time of deployment being the starting time from which to retrieve Alerts. This means that ThreatConnect will ingest only Alerts created at the time of deployment or later; it will not ingest Alerts created before the time of deployment. If you do not select the **Run Feeds After Deployment** checkbox, ThreatConnect will ingest Dataminr Pulse data once you turn on the corresponding service for the app on the **Services** screen. --- **Does ThreatConnect ingest Cyber Alerts from all Dataminr Pulse Alert Lists?** If you leave the **Dataminr List IDs** field blank in the Feed Deployer when [deploying the **Dataminr Pulse Alerts Engine** app to an Organization](https://knowledge.threatconnect.com/docs/dataminr-pulse-alerts-engine-integration-user-guide#deploy-the-dataminr-pulse-alerts-engine-app-to-an-organization), then ThreatConnect will ingest Cyber Alerts from all Dataminr Pulse Alert Lists you have provisioned. If you enter [List IDs](https://knowledge.threatconnect.com/docs/dataminr-pulse-alerts-engine-integration-user-guide#dataminr-list-ids), then ThreatConnect will ingest Cyber Alerts only from the Dataminr Pulse Alert Lists with those IDs. Please check your Dataminr API rate limits to inform your decision on the number of Alerts you can ingest into ThreatConnect. --- **How can I filter my ThreatConnect data to show only Alerts from select Alert Lists from Dataminr Pulse?** Use a [ThreatConnect Query Language (TQL)](https://knowledge.threatconnect.com/docs/threatconnect-query-language-tql) query to filter ingested Dataminr Pulse Alerts by Alert List. For example, the following query returns only Alerts that belong to the **Vulnerability Flash** Alert List (that is, the query returns only Event Groups that have an **Alert List** attribute with a value of **Vulnerability Flash**): ImportantThe value of the **Alert List** attribute should be the name of a Dataminr Pulse Alert List configured for the API account used by the **Dataminr Pulse Alerts Engine** service. ```custom typeName in ("Event") and attributeAlert_List in ("Vulnerability Flash") ``` NoteIf using this query as a stand-alone query on the **Search** screen, make sure to run the query on the [**Search: Groups** screen](https://knowledge.threatconnect.com/docs/searching-groups). If using this query as a stand-alone query on the **Legacy Browse** screen, make sure to [filter your view to Groups](https://knowledge.threatconnect.com/docs/the-browse-screen#groups). In addition, you can filter the results in one of the following ways to ensure that only data from Dataminr Pulse are included: Select only the Source for which the **Dataminr Pulse Alerts Engine** service is configured from the owners dropdown on the **Search: Groups** screen or in **My Intel Sources** on the **Legacy Browse** screen. Add the following to the TQL query, replacing `Dataminr Pulse Alerts Source` with the name of the Source for which the **Dataminr Pulse Alerts Engine** service is configured: `and (ownerName in ("Dataminr Pulse Alerts Source"))` --- **How can I filter my ThreatConnect data to show only Alerts with a particular priority from Dataminr Pulse?** Use a [TQL](https://knowledge.threatconnect.com/docs/threatconnect-query-language-tql) query to filter ingested Dataminr Pulse Alerts by priority. For example, the following query returns only Alerts whose priority is either **Urgent** or **Flash** (that is, the query returns only Event Groups that have a **Priority** attribute with a value of **Urgent** or **Flash**): ```custom typeName in ("Event") and attributePriority in ("Urgent", "Flash") ``` NoteIf using this query as a stand-alone query on the **Search** screen, make sure to run the query on the [**Search: Groups** screen](https://knowledge.threatconnect.com/docs/searching-groups). If using this query as a stand-alone query on the **Legacy Browse** screen, make sure to [filter your view to Groups](https://knowledge.threatconnect.com/docs/the-browse-screen#groups). In addition, you can filter the results in one of the following ways to ensure that only data from Dataminr Pulse are included: Select only the Source for which the **Dataminr Pulse Alerts Engine** service is configured from the owners dropdown on the **Search: Groups** screen or in **My Intel Sources** on the **Legacy Browse** screen. Add the following to the TQL query, replacing `Dataminr Pulse Alerts Source` with the name of the Source for which the **Dataminr Pulse Alerts Engine** service is configured: `and (ownerName in ("Dataminr Pulse Alerts Source"))` --- **How can I filter my ThreatConnect data to show only Alerts with AI content from Dataminr Pulse?** Use a [TQL](https://knowledge.threatconnect.com/docs/threatconnect-query-language-tql) query to filter ingested Dataminr Pulse Alerts for Alerts that have AI content. For example, the following query returns only Alerts that have Intel Agent or Live Brief AI content (that is, the query returns only Event Groups that have a Tag with a value of **Intel Agent** or **Live Brief**): ```custom typeName in ("Event") and tag in ("Intel Agent", "Live Brief") ``` Similarly, the following query returns only Alerts with AI content provided by Dataminr and containing the text **Microsoft Server Message Block** (that is, the query returns only Event Groups which have AI insights that are provided by Dataminr and that contain the text **Microsoft Server Message Block**): ```custom typeName in ("Event") and aiProvider="Dataminr" and insights contains "Microsoft Server Message Block" ``` NoteIf using one of these queries as a stand-alone query on the **Search** screen, make sure to run the query on the [**Search: Groups** screen](https://knowledge.threatconnect.com/docs/searching-groups). If using one of these queries as a stand-alone query on the **Legacy Browse** screen, make sure to [filter your view to Groups](https://knowledge.threatconnect.com/docs/the-browse-screen#groups). In addition, you can filter the results in one of the following ways to ensure that only data from Dataminr Pulse are included: Select only the Source for which the **Dataminr Pulse Alerts Engine** service is configured from the owners dropdown on the **Search: Groups** screen or in **My Intel Sources** on the **Legacy Browse** screen. Add the following to the TQL query, replacing `Dataminr Pulse Alerts Source` with the name of the Source for which the **Dataminr Pulse Alerts Engine** service is configured: `and (ownerName in ("Dataminr Pulse Alerts Source"))` --- *ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc. MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation. JavaScript® is a registered trademark of Oracle Corporation.* 30087-03 EN Rev. A ## Related - [Dataminr Cyber Pulse Limited Feed](/dataminr-cyber-pulse-limited-feed.md)