Flashpoint Ignite Threat Intelligence Engine Integration User Guide

12 May 2025
15 Minutes to read

Print
Dark

Light

Flashpoint Ignite Threat Intelligence Engine Integration User Guide

Updated on 12 May 2025
15 Minutes to read

Print
Dark

Light

Article summary

Did you find this summary helpful?

Thank you for your feedback!

Software Version

This guide applies to the Flashpoint Ignite Threat Intelligence Engine App version 1.0.2.

Overview

The ThreatConnect^® integration with Flashpoint^® Ignite ingests Attributes, Events, Reports, and Vulnerabilities from Flashpoint Ignite and creates corresponding objects in ThreatConnect with select Flashpoint metadata.

Dependencies

ThreatConnect Dependencies

Active ThreatConnect Application Programming Interface (API) key
ThreatConnect instance with version 7.2.0 or newer installed

Note

All ThreatConnect dependencies will be provided by default to subscribing ThreatConnect Cloud customers. Customers on Dedicated Cloud and On-Premises instances can enable these settings on the Account Settings screen within their ThreatConnect instance.

Flashpoint Ignite Dependencies

Active Flashpoint Ignite Token
Important
This is a new token that needs to be populated from the Flashpoint Ignite platform. The old FP.Tools token will not work with the Flashpoint Ignite Threat Intelligence Engine App.
Subscription to the Cyber Threat Intelligence (CTI) product within the Flashpoint Ignite platform
- To ingest premium Vulnerabilities, you must have the Vulnerability Intelligence Premium plan. See https://docs.flashpoint.io/flashpoint/docs/vulnerability-intelligence for more information (must have a valid Flashpoint account to view this documentation).

Application Setup and Configuration

Installing the App

Follow these steps to install the Flashpoint Ignite Threat Intelligence Engine App via TC Exchange™:

Log into ThreatConnect with a System Administrator account.
Hover over Settingson the top navigation bar and select TC Exchange Settings. Then select the Catalog tab on the TC Exchange Settings screen.
Locate the Flashpoint Ignite Threat Intelligence Engine App on the Catalog tab. Then click Installin the Options column to install the App.
After you install the Flashpoint Ignite Threat Intelligence Engine App, the Feed Deployer will open automatically. Use the Feed Deployer to set up and configure the App. See the “Configuration Parameters” section for more information on the parameters available during the configuration and deployment process.

Updating the App

If you previously installed the Flashpoint Ignite Threat Intelligence Engine App, follow these steps to update the App via TC Exchange:

Warning

The Feed Deployer is NOT used when updating the Flashpoint Ignite Threat Intelligence Engine App.

Download the attributes.json file provided for the Flashpoint Ignite Threat Intelligence Engine App on ThreatConnect's Developer Hub.
Log into ThreatConnect with a System Administrator account.
Hover over Settingson the top navigation bar and select Account Settings. Then select the Communities/Sources tab.
Locate and click the name of the Source to which the current version of the Flashpoint Ignite Threat Intelligence Engine App is deployed.
Click the SOURCE CONFIG button on the left side of the Source Info screen.
Select the Attribute Types tab on the Source Config screen.
Click the UPLOAD button.
Click + SELECT FILE on the Upload Attributes window, and then locate and select the attributes.json file you downloaded in Step 1.
Click SAVE.
Hover over Settingson the top navigation bar and select TC Exchange Settings. Then select the Updates tab on the TC Exchange Settings screen.
Locate the Flashpoint Ignite Threat Intelligence Engine App on the Updates tab. Then click Update Nowin the Options column to update the App.
Hover over Playbooks on the top navigation bar and select Services.
Restart the Flashpoint Ignite Threat Intelligence Engine App by toggling its slider off and then on again.

Configuration Parameters

Parameter Definitions

The parameters defined in Table 1 apply to the configuration parameters available when using the Feed Deployer to configure the Flashpoint Ignite Threat Intelligence Engine App.

Name	Description	Required?
Source Tab
Sources to Create	Enter the name of the Source for the feed.	Required
Owner	Select the Organization in which the Source will be created.	Required
Activate Deprecation	Select this checkbox to allow confidence deprecation rules to be created and applied to Indicators in the Source.	Optional
Create Attributes	Select this checkbox to allow custom Attribute Types to be created in the Source.	Optional
Parameters Tab
Launch Server	Select tc-job as the launch server for the Service corresponding to the Feed API Service App.	Required
Flashpoint Types	Select the types of Flashpoint objects to ingest. Available options include the following: Event FP Attribute Report Vulnerability Note Vulnerability objects are available only for Flashpoint users who have the Vulnerability Intelligence Premium plan.	Required
Advanced Settings	Use this setting to set default values for the following item(s) for the ThreatConnect objects to which Flashpoint data will be mapped: Confidence Rating (default_confidence) Threat Rating (default_rating) Security Label(default_label) If specifying multiple items, separate each one with a pipe character (\|). Examples: default_label=TLP:AMBER default_rating=5\|default_label=TLP:WHITE\|default_confidence=95 Note The values entered in the Advanced Settings field will also be used when ad-hoc Job requests are made.	Optional
Variables Tab
Flashpoint Ignite Bearer Token*	Enter the Flashpoint Ignite bearer token. Important This is a new token that needs to be populated from the Flashpoint Ignite platform. The old FP.Tools token will not work. Note You must enter the actual Flashpoint bearer token value instead of populating this parameter with a ThreatConnect variable.	Required
Confirm Tab
Run Feeds after deployment	Select this checkbox to run the Flashpoint Ignite Threat Intelligence Engine App immediately after the deployment configuration is complete (i.e., after you click DEPLOY on the Feed Deployer window).	Optional
Confirm Deployment Over Existing Source	This checkbox will be displayed if the Source entered in the Sources to Create field has previously been deployed to the Organization selected in the Owner dropdown on the Source tab. Select this checkbox to confirm that you want the Flashpoint Ignite Threat Intelligence Engine App to write data to the same Source. This process will create a new Service for the Flashpoint Ignite Threat Intelligence Engine App. As such, it is recommended that you delete the old Service associated with the Flashpoint Ignite Threat Intelligence EngineApp after the new one is created. Important If you do not select this checkbox, the DEPLOY button will be grayed out, and you will not be able to deploy the Service. Return to the Source tab and enter a different Source or select a different Organization and then proceed through the tabs of the Feed Deployer window again.	Optional

Flashpoint Ignite Threat Intelligence Engine

After successfully configuring and activating the Feed API Service for the Flashpoint Ignite Threat Intelligence Engine App, you can access the Flashpoint Ignite Threat Intelligence Engine user interface (UI). This UI allows you to interact with and manage the Flashpoint Ignite integration.

Follow these steps to access the Flashpoint Ignite Threat Intelligence Engine UI:

Log into ThreatConnect with a System Administrator account.
Hover over Playbooks on the top navigation bar and select Services.
Locate and turn on the Flashpoint Ignite Threat Intelligence Engine Feed API Service.
Click the link in the Service’s API Path field. The Flashpoint Ignite Threat Intelligence Engine UI will open in a new browser tab.

The following screens are available in the Flashpoint Ignite Threat Intelligence Engine UI:

Dashboard

The Dashboard screen (Figure 1) provides an overview of the total number of Attributes (Address, File, Host, Url), Events (Event, Malware, Intrusion Set), Reports (Report), and Vulnerabilities (Threat) retrieved from Flashpoint.

Figure 1_Flashpoint Ignite Threat Intelligence Engine Integration User Guide_Software Version 1.0.1

Jobs

The Jobs screen (Figure 2) breaks down the ingestion of Flashpoint data into manageable Job-like tasks, displaying all processes that are pending, in progress, complete, and failed. The ⋯ menu in a Job’s row provides the following options:

Details: View details for the Job, such as download, convert, and upload start and complete times and counts of downloaded and batched Groups and Indicators.
Download Files: Download metadata files for all Jobs and data (convert, download, and upload) files for completed Jobs.
Batch Errors: View errors that have occurred for the Job on the Batch Errors screen.

Figure 2_Flashpoint Ignite Threat Intelligence Engine Integration User Guide_Software Version 1.0.1

You can filter Flashpoint Ignite Threat Intelligence Engine App Jobs by the following elements:

Job ID: Enter text into this box to search for a Job by its Job ID.
Job Type: Select Job types to display on the Jobs screen.
Status: Select Job statuses to display on the Jobs screen.

Add a Job

You can add ad-hoc Jobs on the Jobs screen. Follow these steps to create a request for an ad-hoc Job for the Flashpoint Ignite Threat Intelligence Engine App:

Click the Add Job button at the upper right of the Jobs screen (Figure 2).
Fill out the fields on the Add Job drawer (Figure 3) as follows:
- Updated After: Select the date and time that Flashpoint data must be updated after in order to be ingested.
- Updated Before: Select the date and time that Flashpoint data must be updated before in order to be ingested.
- Flashpoint Types: Select the types of Flashpoint objects to include in the ad-hoc Job.
Click Submit to submit the request for the ad-hoc Job.

Tasks

The Tasks screen (Figure 4) displays all Tasks that may be part of a Job, including each step of the download, convert, and upload processes, as well as Tasks for the Flashpoint Ignite Threat Intelligence Engine App, such as Monitor, Scheduler, and Cleaner. The current status (Idle, Paused, or Running), name, description, and heartbeat timeout length, in minutes, are displayed for each Task. The ⋯ menu in a Task’s row provides the following options, depending on the Task’s status:

Run (idle and paused Tasks only)
Pause (idle and running Tasks only)
Resume (paused Tasks only)
Kill (running Tasks only)

Under the table is a dashboard where you can view runtime analytics.

Figure 4_Flashpoint Ignite Threat Intelligence Engine Integration User Guide_Software Version 1.0

Download

The Download screen (Figure 5) lets you download JavaScript® Object Notation (JSON) data for Flashpoint Ignite objects and then upload the data into ThreatConnect.

Figure 5_Flashpoint Ignite Threat Intelligence Engine Integration User Guide_Software Version 1.0

Follow these steps to download JSON data for a Flashpoint object on the Download screen and then upload the data into ThreatConnect:

External ID: Enter the Flashpoint ID (FPID) of the object to download.
Type: Select the type of object to download.
Click Download. The JSON data will be displayed in two columns: Results (raw JSON data) and Converted(JSON data in ThreatConnect batch format) (Figure 6).
Click Upload to submit the converted threat intelligence data via the ThreatConnect Batch API.

Batch Errors

The Batch Errors screen (Figure 7) displays a table with details on batch errors that have occurred for Job requests. You can filter the table by error type or enter keywords to filter by Job ID or reason for error.

Figure 7_Flashpoint Ignite Threat Intelligence Engine Integration User Guide_Software Version 1.0

Attachment Status

The Attachment Status screen (Figure 8) displays a table with details on ThreatConnect's attempts to download Report attachments from Flashpoint. You can enter keywords to filter the table by the Flashpoint Group ID, which can be useful if you do not see a Flashpoint attachment in ThreatConnect as expected, or by status.

Figure 8_Flashpoint Ignite Threat Intelligence Engine Integration User Guide_Software Version 1.0

Data Mappings

The data mappings in Table 2 through Table 7 illustrate how data are mapped from Flashpoint Ignite API endpoints into the ThreatConnect data model.

Attribute (From Events Endpoint)

ThreatConnect object type: Indicator (Address, File, Host, or URL)

Flashpoint Ignite API Field	ThreatConnect Field
Event.Attribute.category	Attribute: "Category"
Event.Attribute.fpid	Attribute: "External ID"
Event.Attribute.href	Attribute: "Source"
Event.Attribute.type	Indicator Type
Event.Attribute.value.X	Indicator Value [See the Table 3 in the “Value (From Events Endpoint)” section for details on how different Flashpoint data types are mapped in ThreatConnect]

Value (From Events Endpoint)

ThreatConnect object type: Varies

Flashpoint Data Type	ThreatConnect Object
AS	ASN Indicator
bte	Event Group Attribute: "Bitcoin Address"
domain	Host Indicator
email-dst	Email Address Indicator Tag: "Destination"
email-src	Email Address Indicator Tag: "Source"
email-subject	Email Subject Indicator
filename	Event Group Attribute: "File Name"
github-username	Event Group Attribute: "GitHub"
hostname	Host Group
ip-dst	Address Indicator Tag: "Destination"
ip-dst\|port	Address Indicator Tag: "Destination" Attribute: "Port"
ip-src	Address Indicator Tag: "Source"
link	Event Group Attribute: "External References"
md5	File Indicator
mutex	Mutex Indicator
other	Event Group Attribute: "Additional Analysis and Context"
regkey	Registry Key Indicator
regkey\|value	Registry Key Indicator
sha1	File Indicator
sha256	File Indicator
threat-actor	Intrusion Set Group
twitter-id	Event Group Attribute: "Social Media: Twitter"
url	URL Indicator
user-agent	User Agent Indicator
whois-registrant-email	Email Address Indicator Tag: "WHOIS"

Event

ThreatConnect object type: Event Group

Flashpoint Ignite API Field	ThreatConnect Field
Event.Tag.name	Tag If the Tag type is Actor or Actor Profile, the Tag is also mapped to an Intrusion Set Group that is associated to the Event Group If the Tag type is Malware, the Tag is also mapped to a Malware Group that is associated to the Event Group
Event.date	Event Date
Event.info	Name/Summary
Event.report	Associated Report Group
Event.publish_timestamp	Attribute: "Publish Date"
Event.timestamp	Attribute: "External Date Created"
Event.attack_ids	ATT&CK^® Tag
Event.fpid	Attribute: "External ID"
href	Attribute: "Source"
Event.Attribute.reports.html	Associated Report Group Attribute: "Source"
reports.html	Associated Report Group
malware_description	Associated Malware Group Attribute: "Description" (default)
actor_description	Associated Intrusion Set Group Attribute: "Description" (default)

Intelligence Report

ThreatConnect object type: Report Group

Flashpoint Ignite API Field	ThreatConnect Field
data.id	Attribute: "External ID"
data.actors	Tag: "Intrusion Set: <Intrusion Set Name>"
data.title	Name/Summary
data.summary	Attribute: "Description" (default)
data.tags	Tag If the Tag type is Actor Profile, the Tag is also mapped to an Intrusion Set Group that is associated to the Report Group
data.body	HTML File Attachment
data.ingested_at	Attribute: "Ingestion Date"
data.posted_at	Attribute: "Publish Date"
data.platform_url	Attribute: "Source"
data.notified_at	Attribute: "First Seen"
data.updated_at	Attribute: "External Date Last Modified"
data.published_status	Attribute: "Publish Status"

Vulnerability Intelligence (Premium)

ThreatConnect object type: Threat Group

Flashpoint Ignite API Field	ThreatConnect Field
id	Attribute: "External ID"
title	Name/Summary
description	Attribute: "Description" (default)
solution	Attribute: "Mitigations"
technical_description	Attribute: "Analyst Notes"
timelines.disclosed_at	First Seen Attribute: "Timeline" (Disclosure Date row)
timelines.published_at	Attribute: "Timeline" (Published Date row)
timelines.last_modified_at	External Date Last Modified Attribute: "Timeline" (Last Update row)
timelines.exploit_published_at	Attribute: "Timeline" (Exploit Publish Date row)
timelines.discovered_at	External Date Added Attribute: "Timeline" (Date of Discovery row)
timelines.vendor_informed_at	Attribute: "Timeline" (Vendor Inform Date row)
timelines.vendor_acknowledged_at	Attribute: "Timeline" (Vendor Acknowledge Date row)
timelines.third_party_solution_provided_at	Attribute: "Timeline" (Third Party Solution Date row)
timelines.solution_provided_at	Attribute: "Timeline" (Solution Date row)
scores.severity	Attribute: "Threat Level"
scores.ransomware_score	Attribute: "Ransomware Score"
vuln_status	Attribute: "Status"
exploits.value	Attribute: "Exploits" (Value column)
exploits.type	Attribute: "Exploits" (Type column)
cwes.cwe_id	Tag
ext_references.value	Attribute: "External Details" (Value column)
ext_references.type	Attribute: "External Details" (Type column)
ext_references.created_at	Attribute: "External Details" (External Date Created column)
classifications.longname	Attribute: "Classification" (Name column)
classifications.description	Attribute: "Classification" (Description column)
cvss_v2s.access_vector	Attribute: "CVSS Score Flashpoint" (Access Vector column)
cvss_v2s.access_complexity	Attribute: "CVSS Score Flashpoint" (Access Complexity column)
cvss_v2s.authentication	Attribute: "CVSS Score Flashpoint" (Authentication column)
cvss_v2s.confidentiality_impact	Attribute: "CVSS Score Flashpoint" (Confidentiality Impact column)
cvss_v2s.integrity_impact	Attribute: "CVSS Score Flashpoint" (Integrity Impact column)
cvss_v2s.availability_impact	Attribute: "CVSS Score Flashpoint" (Availability Impact column)
cvss_v2s.source	Attribute: "CVSS Score Flashpoint" (Source column)
cvss_v2s.generated_at	Attribute: "CVSS Score Flashpoint" (Generated At column)
cvss_v2s.score	Attribute: "CVSS Score Flashpoint" (Score column)
cvss_v2s.calculated_cvss_base_score	Attribute: "CVSS Score Flashpoint" (Calculated CVSS Base Score column)
cvss_v3s.attack_vector	Attribute: "CVSS Score Flashpoint" (Attack Vector row)
cvss_v3s.attack_complexity	Attribute: "CVSS Score Flashpoint" (Attack Complexity row)
cvss_v3s.privileges_required	Attribute: "CVSS Score Flashpoint" (Privileges Required row)
cvss_v3s.user_interaction	Attribute: "CVSS Score Flashpoint" (User Interaction row)
cvss_v3s.scope	Attribute: "CVSS Score Flashpoint" (Scope row)
cvss_v3s.confidentiality_impact	Attribute: "CVSS Score Flashpoint" (Confidentiality Impact row)
cvss_v3s.integrity_impact	Attribute: "CVSS Score Flashpoint" (Integrity Impact row)
cvss_v3s.availability_impact	Attribute: "CVSS Score Flashpoint" (Availability Impact row)
cvss_v3s.source	Attribute: "CVSS Score Flashpoint" (Source row)
cvss_v3s.generated_at	Attribute: "CVSS Score Flashpoint" (Generated At row)
cvss_v3s.score	Attribute: "CVSS Score Flashpoint" (Score row)
cvss_v3s.calculated_cvss_base_score	Attribute: "CVSS Score Flashpoint" (Calculated CVSSBase Score row)
cvss_v3s.vector_string	Attribute: "CVSS Score Flashpoint" (Vector String row)
cvss_v3s.version	Attribute: "CVSS Score Flashpoint" (Version row)
cvss_v3s.remediation_level	Attribute: "CVSS Score Flashpoint" (Remediation Level row)
cvss_v3s.report_confidence	Attribute: "CVSS Score Flashpoint" (Report Confidence row)
cvss_v3s.exploit_code_maturity	Attribute: "CVSS Score Flashpoint" (Exploit Code Maturity row)
cvss_v3s.temporal_score	Attribute: "CVSS Score Flashpoint" (Temporal Score row)
cvss_v3s.updated_at	Attribute: "CVSS Score Flashpoint" (Updated At row)
cvss_v4s.score	Attribute: "CVSS Score Flashpoint" (Score row)
cvss_v4s.threat_score	Attribute: "CVSS Score Flashpoint" (Threat Score row)
cvss_v4s.source	Attribute: "CVSS Score Flashpoint" (Source row)
cvss_v4s.generated_at	Attribute: "CVSS Score Flashpoint" (Generated At row)
cvss_v4s.updated_at	Attribute: "CVSS Score Flashpoint" (Updated At row)
cvss_v4s.vector_string	Attribute: "CVSS Score Flashpoint" (Vector String row)
cvss_v4s.version	Attribute: "CVSS Score Flashpoint" (Version row)
cvss_v4s.attack_vector	Attribute: "CVSS Score Flashpoint" (Attack Vector row)
cvss_v4s.attack_complexity	Attribute: "CVSS Score Flashpoint" (Attack Complexity row)
cvss_v4s.attack_requirements	Attribute: "CVSS Score Flashpoint" (Attack Requirements row)
cvss_v4s.privileges_required	Attribute: "CVSS Score Flashpoint" (Privileges Required row)
cvss_v4s.user_interaction	Attribute: "CVSS Score Flashpoint" (User Interaction row)
cvss_v4s.exploit_maturity	Attribute: "CVSS Score Flashpoint" (Exploit Maturity row)
cvss_v4s.vulnerable_system_confidentiality_impact	Attribute: "CVSS Score Flashpoint" (VS Confidentiality Impact row)
cvss_v4s.vulnerable_system_integrity_impact	Attribute: "CVSS Score Flashpoint" (VS Integrity Impact row)
cvss_v4s.vulnerable_system_availability_impact	Attribute: "CVSS Score Flashpoint" (VS Availability Impact row)
cvss_v4s.subsequent_system_confidentiality_impact	Attribute: "CVSS Score Flashpoint" (SS Confidentiality Impact row)
cvss_v4s.subsequent_system_integrity_impact	Attribute: "CVSS Score Flashpoint" (SS Integrity Impact row)
cvss_v4s.subsequent_system_availability_impact	Attribute: "CVSS Score Flashpoint" (SS Availability Impact row)
tags	Tag
products.name	Attribute: "Vulnerable Product" (Product column) Tag
products.versions.affected	Attribute: "Vulnerable CPE" (Affected column)
products.versions.cpes.name	Attribute: "Vulnerable CPE" (CPE column)
products.versions.cpes.source	Attribute: "Vulnerable CPE" (Source column)
vendors.name	Attribute: "Vulnerable Product" (Vendor column) Tag

ThreatConnect object type: Threat Group

Flashpoint Ignite API Field	ThreatConnect Field
nvd_additional_information.cve_id	Attribute: "External ID" (default) Name/Summary Source: "https://nvd.nist.gov/vuln/detail/<CVE ID number>"
nvd_additional_information.summary	Attribute: "Description" (default)
nvd_additional_information.cwes.cwe_id	Tag: "Vulnerability: <CWE ID number>"
scores.epss_score	Attribute: "EPSS Score"
scores.epss_v1_score	Attribute: "EPSS v1 Score"
scores.severity	Attribute: "Threat Level"
scores.ransomware_score	Attribute: "Ransomware Score"
scores.social_risk_scores.cve_id	Attribute: "Metrics" (CVE ID row)
scores.social_risk_scores.numeric_score	Attribute: "Metrics" (Social Risk Numerical Score row)
scores.social_risk_scores.categorical_score	Attribute: "Metrics" (Social Risk Categorical Score row)
scores.social_risk_scores.score_date	Attribute: "Metrics" (Score Date row)
scores.social_risk_scores.todays_tweets	Attribute: "Metrics" (Number of Today's Tweets row)
scores.social_risk_scores.total_tweets	Attribute: "Metrics" (Total Number of Tweets row)
scores.social_risk_scores.unique_users	Attribute: "Metrics" (Number of Unique Users row)
nvd_additional_information.cvss_v2s.access_vector	Attribute: "CVSS v2 Access Vector" Attribute: "Description" (Access Vector row)
nvd_additional_information.cvss_v2s.access_complexity	Attribute: "CVSS v2 Access Complexity" Attribute: "Description" (Access Complexity row)
nvd_additional_information.cvss_v2s.authentication	Attribute: "CVSS v2 Authentication" Attribute: "Description" (Authentication row)
nvd_additional_information.cvss_v2s.confidentiality_impact	Attribute: "CVSS v2 Confidentiality Impact" Attribute: "Description" (Confidentiality Impact row)
nvd_additional_information.cvss_v2s.integrity_impact	Attribute: "CVSS v2 Integrity Impact" Attribute: "Description" (Integrity Impact row)
nvd_additional_information.cvss_v2s.availability_impact	Attribute: "CVSS v2 Availability Impact" Attribute: "Description" (Availability Impact row)
nvd_additional_information.cvss_v2s.score	Attribute: "CVSS Score v2" Attribute: "Description" (Score row)
nvd_additional_information.cvss_v3s.attack_vector	Attribute: "CVSS v3 Attack Vector" Attribute: "Description" (Attack Vector row)
nvd_additional_information.cvss_v3s.attack_complexity	Attribute: "CVSS v3 Attack Complexity" Attribute: "Description" (Attack Complexity row)
nvd_additional_information.cvss_v3s.privileges_required	Attribute: "CVSS v3 Privileges Required" Attribute: "Description" (Privileges Required row)
nvd_additional_information.cvss_v3s.user_interaction	Attribute: "CVSS v3 User Interaction" Attribute: "Description" (User Interaction row)
nvd_additional_information.cvss_v3s.scope	Attribute: "CVSS v3 Scope" Attribute: "Description" (Scope row)
nvd_additional_information.cvss_v3s.confidentiality_impact	Attribute: "CVSS v3 Confidentiality Impact" Attribute: "Description" (Confidentiality Impact row)
nvd_additional_information.cvss_v3s.integrity_impact	Attribute: "CVSS v3 Integrity Impact" Attribute: "Description" (Integrity Impact row)
nvd_additional_information.cvss_v3s.availability_impact	Attribute: "CVSS v3 Availability Impact" Attribute: "Description" (Availability Impact row)
nvd_additional_information.cvss_v3s.score	Attribute: "CVSS Score v3" Attribute: "Description" (Score row)
nvd_additional_information.cvss_v3s.vector_string	Attribute: "CVSS v3 Vector String" Attribute: "Description" (Vector String row)
nvd_additional_information.cvss_v3s.version	Attribute: "CVSS Version" Attribute: "Description" (Version row)

Frequently Asked Questions (FAQ)

What are the major changes to the Flashpoint Ignite Threat Intelligence Engine App in version 1.0.1?

The major changes to the Flashpoint Ignite Threat Intelligence Engine App in version 1.0.1 include the following:

You can now set default values for Threat Rating, Confidence Rating, and Security Labels.
Each Common Vulnerabilities and Exposures (CVE®) ID in Flashpoint is now mapped to a Vulnerability Group in ThreatConnect instead of being represented only as a Tag on a Threat Group.
The technical_description Flashpoint Ignite API field now maps to the ThreatConnect "Analyst Notes" Attribute.

How are Flashpoint Vulnerability objects mapped to ThreatConnect objects?

Under Flashpoint Ignite’s Vulnerability structure, a single CVE ID can be associated with multiple Flashpoint IDs (FPIDs), or multiple CVE IDs can be associated with a single FPID. In version 1.0.0 of the Flashpoint Ignite Threat Intelligence Engine App, Flashpoint Vulnerabilities are mapped to Threat Groups in ThreatConnect. In version 1.0.1, each CVE ID representing a Flashpoint Vulnerability is mapped to a Vulnerability Group in ThreatConnect, and Common Weakness Enumeration (CWE™) IDs are mapped to Tags that are applied to Vulnerability and Threat Groups in ThreatConnect that correspond to Flashpoint Vulnerabilities.

How much historical Flashpoint data does the Flashpoint Ignite Threat Intelligence Engine App ingest into ThreatConnect?

During the initial ingestion of Flashpoint data, the Flashpoint Ignite Threat Intelligence Engine App will ingest Flashpoint objects added or published within the last 90 days. After the initial ingestion of data is complete, the App will ingest new data and update existing data every 2 hours.

Which Flashpoint data are modeled as Intrusion Sets in ThreatConnect?

The Flashpoint Ignite Threat Intelligence Engine App ingests and models the following Flashpoint data as Intrusion Set Groups in ThreatConnect:

Actor descriptions from the Flashpoint Events API endpoint
Actor Tags
Actor Profile Tags applied to Flashpoint Reports

How can I ingest more historical data from Flashpoint?

Use the Add Job button on the Jobs screen of the Flashpoint Ignite Threat Intelligence Engine UI (Figure 2). When creating a Job, select an appropriate date range from which to ingest Flashpoint data. For Reports, FP Attributes, and Events, it is recommended to use an ingestion date range of 90 days or fewer. For Vulnerabilities, any ad-hoc Jobs with an ingestion date range greater than 2 days may interrupt the daily scheduled Job runs if the daily limit of 5000 calls per day to the Vulnerability Flashpoint API endpoints is reached.

How can I update to the latest version of the Flashpoint Ignite Threat Intelligence Engine App?

Warning

The Feed Deployer is NOT used when updating the Flashpoint Ignite Threat Intelligence Engine App.

Please refer to the instructions in the “Updating the App” section.

The Service App for the Flashpoint Ignite Threat Intelligence Engine App is not starting, and I am getting an error saying, “Required attributes are missing. Shutting down Flashpoint Ignite app.” What should I do next?

Warning

The Feed Deployer is NOT used when updating the Flashpoint Ignite Threat Intelligence Engine App.

Follow these instructions to address this issue:

Download the attributes.json file provided for the Flashpoint Ignite Threat Intelligence Engine App on ThreatConnect's Developer Hub.
Log into ThreatConnect with a System Administrator account.
Hover over Settingson the top navigation bar and select Account Settings. Then select the Communities/Sources tab.
Locate and click the name of the Source to which the current version of the Flashpoint Ignite Threat Intelligence Engine App is deployed to display the Source's Source Info screen.
Click the SOURCE CONFIG button on the left side of the screen to display the Source's Source Config screen.
Select the Attribute Types tab.
Click the UPLOAD button to display the Upload Attributes window.
Click + SELECT FILE, and then locate and select the attributes.json file you downloaded in Step 1.
Click SAVE.

Why do I not see any Vulnerability data from Flashpoint?

As of March 2025, Flashpoint does not support API access to Vulnerability data for Essential-tier membership. Vulnerability data are still available for users with the Vulnerability Intelligence Premium plan.

ThreatConnect^® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.
Flashpoint^® is a registered trademark of EJ2 Communications, Inc.
JavaScript® is a registered trademark of Oracle Corporation.
CVE^® (Common Vulnerabilities and Exposures), MITRE ATT&CK^®, and ATT&CK^® are registered trademarks, and CWE™ (Common Weakness Enumeration) is a trademark, of The MITRE Corporation.

30089-03 EN Rev. A

Was this article helpful?

What's Next

FS-ISAC Integration Installation and Configuration Guide

Table of contents

Overview
Dependencies
Application Setup and Configuration
Configuration Parameters
Flashpoint Ignite Threat Intelligence Engine
Data Mappings
Frequently Asked Questions (FAQ)

Company

Sales and Support