Flashpoint Ignite Threat Intelligence Engine Integration User Guide

11 Sep 2024
16 Minutes to read

Print
Dark

Light

Flashpoint Ignite Threat Intelligence Engine Integration User Guide

Updated on 11 Sep 2024
16 Minutes to read

Print
Dark

Light

Article summary

Did you find this summary helpful?

Thank you for your feedback

Software Version

This guide applies to the Flashpoint Ignite Threat Intelligence Engine App version 1.0.1.

Overview

The ThreatConnect^® integration with Flashpoint^® Ignite ingests Attributes, Events, Reports, and Vulnerabilities from Flashpoint Ignite and creates corresponding objects in ThreatConnect with select Flashpoint metadata.

Dependencies

ThreatConnect Dependencies

Active ThreatConnect Application Programming Interface (API) key
ThreatConnect instance with version 7.2.0 or newer installed

Note

All ThreatConnect dependencies will be provided by default to subscribing ThreatConnect Cloud customers. Customers on Dedicated Cloud and On-Premises instances can enable these settings on the Account Settings screen within their ThreatConnect instance.

Flashpoint Ignite Dependencies

Active Flashpoint Ignite Token
Important
This is a new token that needs to be populated from the Flashpoint Ignite platform. The old FP.Tools token will not work with the Flashpoint Ignite Threat Intelligence Engine App.
Subscription to the Cyber Threat Intelligence (CTI) product within the Flashpoint Ignite platform
- To ingest premium Vulnerabilities, you must have the Vulnerability Intelligence Premium plan. See https://docs.flashpoint.io/flashpoint/docs/vulnerability-intelligence for more information (must have a valid Flashpoint account to view this documentation).

Application Setup and Configuration

Installing the App

Follow these steps to install the Flashpoint Ignite Threat Intelligence Engine App via TC Exchange™:

Log into ThreatConnect with a System Administrator account.
Hover over Settingson the top navigation bar and select TC Exchange Settings. Then select the Catalog tab on the TC Exchange Settings screen.
Locate the Flashpoint Ignite Threat Intelligence Engine App on the Catalog tab. Then click Installin the Options column to install the App.
After you install the Flashpoint Ignite Threat Intelligence Engine App, the Feed Deployer will open automatically. Use the Feed Deployer to set up and configure the App. See the “Configuration Parameters” section for more information on the parameters available during the configuration and deployment process.

Updating the App [New]

If you previously installed the Flashpoint Ignite Threat Intelligence Engine App, follow these steps to update the App via TC Exchange:

Warning

The Feed Deployer is NOT used when updating the Flashpoint Ignite Threat Intelligence Engine App from version 1.0.0 to version 1.0.1.

Download the attributes.json file provided for the Flashpoint Ignite Threat Intelligence Engine App on ThreatConnect's Developer Hub.
Log into ThreatConnect with a System Administrator account.
Hover over Settingson the top navigation bar and select Account Settings. Then select the Communities/Sources tab.
Locate and click the name of the Source to which the current version of the Flashpoint Ignite Threat Intelligence Engine App is deployed to display the Source's Source Info screen.
Click the SOURCE CONFIG button on the left side of the screen to display the Source's Source Config screen.
Select the Attribute Types tab.
Click the UPLOAD button to display the Upload Attributes window.
Click + SELECT FILE, and then locate and select the attributes.json file you downloaded in Step 1.
Click SAVE.
Hover over Settingson the top navigation bar and select TC Exchange Settings. Then select the Updates tab on the TC Exchange Settings screen.
Locate the Flashpoint Ignite Threat Intelligence Engine App on the Updates tab. Then click Update Nowin the Options column to update the App.
On the top navigation bar, hover over Playbooks and select Services.
Restart the Flashpoint Ignite Threat Intelligence Engine App by toggling its slider off and then on again.

Configuration Parameters

Parameter Definitions [Updated]

The parameters defined in Table 1 apply to the configuration parameters available when using the Feed Deployer to configure the Flashpoint Ignite Threat Intelligence Engine App.

Name	Description	Required?
Source Tab
Sources to Create	Enter the name of the Source to be created.	Required
Owner	Enter the Organization in which the Source will be created.	Required
Activate Deprecation	Select this checkbox to allow the creation of depreciation rules for Indicators in the Source.	Optional
Create Attributes	Select this checkbox to allow the creation of custom Attribute Types in the Source.	Optional
Parameters Tab
Launch Server	Select tc-job as the launch server for the Service corresponding to the Feed API Service App.	Required
Flashpoint Ignite Bearer Token	Enter the Flashpoint Ignite bearer token. Important This is a new token that needs to be populated from the Flashpoint Ignite platform. The old FP.Tools token will not work. Note You must enter the actual Flashpoint bearer token value instead of populating this parameter with a ThreatConnect variable.	Required
Flashpoint Types	Select the types of Flashpoint objects to ingest. Available options include the following: Event FP Attribute Report Vulnerability	Required
Advanced Settings	Use this setting to set default values for the following item(s) for the ThreatConnect objects to which Flashpoint data will be mapped: Confidence Rating (default_confidence) Threat Rating (default_rating) Security Label(default_label) If specifying multiple items, separate each one with a pipe character (\|). Examples: default_label=TLP:AMBER default_rating=5\|default_label=TLP:WHITE\|default_confidence=95 Note The values entered in the Advanced Settings field will also be used when ad-hoc Job requests are made.	Optional

Flashpoint Ignite Threat Intelligence Engine

After successfully configuring and activating the Feed API Service for the Flashpoint Ignite Threat Intelligence Engine App, you can access the Flashpoint Ignite Threat Intelligence Engine user interface (UI). This UI allows you to interact with and manage the Flashpoint Ignite integration.

Follow these steps to access the Flashpoint Ignite Threat Intelligence Engine UI:

Log into ThreatConnect with a System Administrator account.
On the top navigation bar, hover over Playbooks and select Services.
Locate the Flashpoint Ignite Threat Intelligence Engine Feed API Service on the Services screen, and then click the link in the Service’s API Path field to open the Dashboard screen of the Flashpoint Ignite Threat Intelligence Engine UI.

The following screens are available in the Flashpoint Ignite Threat Intelligence Engine UI:

Dashboard
Jobs
Tasks
Download
Batch Errors
Attachment Status

Dashboard

The Dashboard screen (Figure 1) provides an overview of the total number of Flashpoint Attributes (Address, File, Host, Url); Events (Event, Malware, Intrusion Set); Reports (Report); and Vulnerabilities (Threat).

Figure 1_Flashpoint Ignite Threat Intelligence Engine Integration User Guide_Software Version 1.0.1

Jobs

The Jobs screen (Figure 2) breaks down the ingestion of Flashpoint data into manageable Job-like tasks.

Figure 2_Flashpoint Ignite Threat Intelligence Engine Integration User Guide_Software Version 1.0.1

Job ID: Enter text into this box to search for a specific Job by its ID.
Job Type: Select a Job type by which to filter Jobs. Available types include ad-hoc and scheduled.
Job Status: Select a Job status by which to filter Jobs. Available statuses include the following:
- Convert Complete
- Convert In Progress
- Download Complete
- Download In Progress
- Failed
- Upload Complete
- Upload In Progress
Add Job: Click this button to create an ad-hoc Job.

Add a Job

Follow these steps to create an ad-hoc Job on the Jobs screen of the Flashpoint Ignite Threat Intelligence Engine UI:

Navigate to the Jobs screen of the Flashpoint Ignite Threat Intelligence Engine UI (Figure 2). Then click Add Job at the top right of the screen.
Fill out the fields on the Add Job drawer (Figure 3) as follows:
- Updated After: Select the date and time that Flashpoint data must be updated after in order to be ingested.
- Updated Before: Select the date and time that Flashpoint data must be updated before in order to be ingested.
- Flashpoint Types: Select the type(s) of Flashpoint objects to ingest. Available options include Event, FP Attribute, Report, and Vulnerability.
Click Submit on the Add Job drawer.

After the Job is created, it will be displayed in the table on the Jobs screen (Figure 2), and its Job type will be ad-hoc.

Tasks

The Tasks screen (Figure 4) is where you can view and manage the Tasks for each Job.

Figure 4_Flashpoint Ignite Threat Intelligence Engine Integration User Guide_Software Version 1.0

Download

The Download screen (Figure 5) is where you can download specific data from Flashpoint Ignite.

Figure 5_Flashpoint Ignite Threat Intelligence Engine Integration User Guide_Software Version 1.0

External ID: Enter the Flashpoint ID (FPID) of the object to download.
Type: Select the type of object to download. Available options include Event, Report, and Vulnerability.

After providing a FPID and selecting a Flashpoint object type, click Download to retrieve JSON responses and view the converted threat intelligence data in ThreatConnect batch format (Figure 6). To upload the threat intelligence data to the ThreatConnect Batch API, click Upload.

Figure 6_Flashpoint Ignite Threat Intelligence Engine Integration User Guide_Software Version 1.0

Batch Errors

The Batch Errors screen (Figure 7) displays batch errors for each request in a tabular format. Details provided for each error include the Job ID; date added; error code and message; and error reason.

Figure 7_Flashpoint Ignite Threat Intelligence Engine Integration User Guide_Software Version 1.0

Attachment Status

The Attachment Status screen (Figure 8) is where you can view attempts ThreatConnect made to download file attachments for Reports from Flashpoint Ignite. The table on this screen displays the most recent date and time when ThreatConnect attempted to download a file attachment, the number of times ThreatConnect attempted to download the file attachment, and whether ThreatConnect downloaded the file attachment successfully. You can also filter results by ID and download status on this screen, which can be useful if you do not see a file attachment for a Flashpoint Ignite Report in ThreatConnect as expected.

Figure 8_Flashpoint Ignite Threat Intelligence Engine Integration User Guide_Software Version 1.0

Data Mappings

The data mappings in Table 2 through Table 7 illustrate how data are mapped from Flashpoint Ignite API endpoints into the ThreatConnect data model.

Attribute (From Events Endpoint)

ThreatConnect object type: Indicator (Address, File, Host, or URL)

Flashpoint Ignite API Field	ThreatConnect Field
Event.Attribute.category	Attribute: "Category"
Event.Attribute.fpid	Attribute: "External ID"
Event.Attribute.href	Attribute: "Source"
Event.Attribute.type	Indicator Type
Event.Attribute.value.X	Indicator Value [See the Table 3 in the “Value (From Events Endpoint)” section for details on how different Flashpoint data types are mapped in ThreatConnect]

Value (From Events Endpoint)

ThreatConnect object type: Varies

Flashpoint Data Type	ThreatConnect Object
AS	ASN Indicator
bte	Event Group Attribute: "Bitcoin Address"
domain	Host Indicator
email-dst	Email Address Indicator Tag: "Destination"
email-src	Email Address Indicator Tag: "Source"
email-subject	Email Subject Indicator
filename	Event Group Attribute: "File Name"
github-username	Event Group Attribute: "GitHub"
hostname	Host Group
ip-dst	Address Indicator Tag: "Destination"
ip-dst\|port	Address Indicator Tag: "Destination" Attribute: "Port"
ip-src	Address Indicator Tag: "Source"
link	Event Group Attribute: "External References"
md5	File Indicator
mutex	Mutex Indicator
other	Event Group Attribute: "Additional Analysis and Context"
regkey	Registry Key Indicator
regkey\|value	Registry Key Indicator
sha1	File Indicator
sha256	File Indicator
threat-actor	Intrusion Set Group
twitter-id	Event Group Attribute: "Social Media: Twitter"
url	URL Indicator
user-agent	User Agent Indicator
whois-registrant-email	Email Address Indicator Tag: "WHOIS"

Event

ThreatConnect object type: Event Group

Flashpoint Ignite API Field	ThreatConnect Field
Event.Tag.name	Tag If the Tag type is Actor or Actor Profile, the Tag is also mapped to an Intrusion Set Group that is associated to the Event Group If the Tag type is Malware, the Tag is also mapped to a Malware Group that is associated to the Event Group
Event.date	Event Date
Event.info	Name/Summary
Event.report	Associated Report Group
Event.publish_timestamp	Attribute: "Publish Date"
Event.timestamp	Attribute: "External Date Created"
Event.attack_ids	ATT&CK^® Tag
Event.fpid	Attribute: "External ID"
href	Attribute: "Source"
Event.Attribute.reports.html	Associated Report Group Attribute: "Source"
reports.html	Associated Report Group
malware_description	Associated Malware Group Attribute: "Description" (default)
actor_description	Associated Intrusion Set Group Attribute: "Description" (default)

Intelligence Report

ThreatConnect object type: Report Group

Flashpoint Ignite API Field	ThreatConnect Field
data.id	Attribute: "External ID"
data.actors	Tag: "Intrusion Set: <Intrusion Set Name>"
data.title	Name/Summary
data.summary	Attribute: "Description" (default)
data.tags	Tag If the Tag type is Actor Profile, the Tag is also mapped to an Intrusion Set Group that is associated to the Report Group
data.body	HTML File Attachment
data.ingested_at	Attribute: "Ingestion Date"
data.posted_at	Attribute: "Publish Date"
data.platform_url	Attribute: "Source"
data.notified_at	Attribute: "First Seen"
data.updated_at	Attribute: "External Date Last Modified"
data.published_status	Attribute: "Publish Status"

Vulnerability Intelligence (Essential) [Updated]

ThreatConnect object type: Threat Group

Flashpoint Ignite API Field	ThreatConnect Field
id	Attribute: "External ID"
title	Name/Summary
description	Attribute: "Description" (default)
solution	Attribute: "Mitigations"
timelines.disclosed_at	First Seen Attribute: "Timeline" (Disclosure Date row)
timelines.published_at	Attribute: "Timeline" (Published Date row)
timelines.last_modified_at	External Date Last Modified Attribute: "Timeline" (Last Update row)
scores.epss_score	Attribute: "EPSS Score"
scores.severity	Attribute: "Threat Level"
vuln_status	Attribute: "Status"
cwes.cwe_id	Tag
ext_references.value	Attribute: "External Details" (Value column)
ext_references.type	Attribute: "External Details" (Type column)
ext_references.created_at	Attribute: "External Details" (External Date Created column)
classifications.longname	Attribute: "Classification" (Name column)
classifications.description	Attribute: "Classification" (Description column)
cvss_v2s.access_vector	Attribute: "CVSS Score Flashpoint" (Access Vector row)
cvss_v2s.access_complexity	Attribute: "CVSS Score Flashpoint" (Access Complexity row)
cvss_v2s.authentication	Attribute: "CVSS Score Flashpoint" (Authentication row)
cvss_v2s.confidentiality_impact	Attribute: "CVSS Score Flashpoint" (Confidentiality Impact row)
cvss_v2s.integrity_impact	Attribute: "CVSS Score Flashpoint" (Integrity Impact row)
cvss_v2s.availability_impact	Attribute: "CVSS Score Flashpoint" (Availability Impact row)
cvss_v2s.source	Attribute: "CVSS Score Flashpoint" (Source row)
cvss_v2s.generated_at	Attribute: "CVSS Score Flashpoint" (Generated At row)
cvss_v2s.score	Attribute: "CVSS Score Flashpoint" (Score row)
cvss_v2s.calculated_cvss_base_score	Attribute: "CVSS Score Flashpoint" (Calculated CVSS Base Score row)
cvss_v3s.attack_vector	Attribute: "CVSS Score Flashpoint" (Attack Vector row)
cvss_v3s.attack_complexity	Attribute: "CVSS Score Flashpoint" (Attack Complexity row)
cvss_v3s.privileges_required	Attribute: "CVSS Score Flashpoint" (Privileges Required row)
cvss_v3s.user_interaction	Attribute: "CVSS Score Flashpoint" (User Interaction row)
cvss_v3s.scope	Attribute: "CVSS Score Flashpoint" (Scope row)
cvss_v3s.confidentiality_impact	Attribute: "CVSS Score Flashpoint" (Confidentiality Impact row)
cvss_v3s.integrity_impact	Attribute: "CVSS Score Flashpoint" (Integrity Impact row)
cvss_v3s.availability_impact	Attribute: "CVSS Score Flashpoint" (Availability Impact row)
cvss_v3s.source	Attribute: "CVSS Score Flashpoint" (Source row)
cvss_v3s.generated_at	Attribute: "CVSS Score Flashpoint" (Generated At row)
cvss_v3s.score	Attribute: "CVSS Score Flashpoint" (Score row)
cvss_v3s.calculated_cvss_base_score	Attribute: "CVSS Score Flashpoint" (Base Score row)
cvss_v3s.vector_string	Attribute: "CVSS Score Flashpoint" (Vector String row)
cvss_v3s.version	Attribute: "CVSS Score Flashpoint" (Version row)
cvss_v4s.score	Attribute: "CVSS Score Flashpoint" (Score row)
cvss_v4s.threat_score	Attribute: "CVSS Score Flashpoint" (Threat Score row)
cvss_v4s.source	Attribute: "CVSS Score Flashpoint" (Source row)
cvss_v4s.generated_at	Attribute: "CVSS Score Flashpoint" (Generated At row)
cvss_v4s.updated_at	Attribute: "CVSS Score Flashpoint" (Updated At row)
cvss_v4s.vector_string	Attribute: "CVSS Score Flashpoint" (Vector String row)
cvss_v4s.version	Attribute: "CVSS Score Flashpoint" (Version row)
cvss_v4s.attack_vector	Attribute: "CVSS Score Flashpoint" (Attack Vector row)
cvss_v4s.attack_complexity	Attribute: "CVSS Score Flashpoint" (Attack Complexity row)
cvss_v4s.attack_requirements	Attribute: "CVSS Score Flashpoint" (Attack Requirements row)
cvss_v4s.privileges_required	Attribute: "CVSS Score Flashpoint" (Privileges Required row)
cvss_v4s.user_interaction	Attribute: "CVSS Score Flashpoint" (User Interaction row)
cvss_v4s.exploit_maturity	Attribute: "CVSS Score Flashpoint" (Exploit Maturity row)
cvss_v4s.vulnerable_system_confidentiality_impact	Attribute: "CVSS Score Flashpoint" (VS Confidentiality Impact row)
cvss_v4s.vulnerable_system_integrity_impact	Attribute: "CVSS Score Flashpoint" (VS Integrity Impact row)
cvss_v4s.vulnerable_system_availability_impact	Attribute: "CVSS Score Flashpoint" (VS Availability Impact row)
cvss_v4s.subsequent_system_confidentiality_impact	Attribute: "CVSS Score Flashpoint" (SS Confidentiality Impact row)
cvss_v4s.subsequent_system_integrity_impact	Attribute: "CVSS Score Flashpoint" (SS Integrity Impact row)
cvss_v4s.subsequent_system_availability_impact	Attribute: "CVSS Score Flashpoint" (SS Availability Impact row)
products.name	Attribute: "Vulnerable Product" (Product row) Tag
vendors.name	Attribute: "Vulnerable Product" (Vendor row) Tag
tags	Tag

ThreatConnect object type: Vulnerability Group

Flashpoint Ignite API Field	ThreatConnect Field
nvd_additional_information.cve_id	Attribute: "External ID" (default) Name/Summary Source: "https://nvd.nist.gov/vuln/detail/<CVE ID number>"
nvd_additional_information.summary	Attribute: "Description" (default)
nvd_additional_information.cwes.cwe_id	Tag: "Vulnerability: <CWE ID number>"
nvd_additional_information.references.name	Attribute: "Additional Analysis and Context" (Reference Name column)
nvd_additional_information.references.url	Attribute: "Additional Analysis and Context" (Reference URL column)
nvd_additional_information.cvss_v2s.access_vector	Attribute: "CVSS v2 Access Vector" Attribute: "Description" (Access Vector row)
nvd_additional_information.cvss_v2s.access_complexity	Attribute: "CVSS v2 Access Complexity" Attribute: "Description" (Access Complexity row)
nvd_additional_information.cvss_v2s.authentication	Attribute: "CVSS v2 Authentication" Attribute: "Description" (Authentication row)
nvd_additional_information.cvss_v2s.confidentiality_impact	Attribute: "CVSS v2 Confidentiality Impact" Attribute: "Description" (Confidentiality Impact row)
nvd_additional_information.cvss_v2s.integrity_impact	Attribute: "CVSS v2 Integrity Impact" Attribute: "Description" (Integrity Impact row)
nvd_additional_information.cvss_v2s.availability_impact	Attribute: "CVSS v2 Availability Impact" Attribute: "Description" (Availability Impact row)
nvd_additional_information.cvss_v2s.score	Attribute: "CVSS Score v2" Attribute: "Description" (Score row)
nvd_additional_information.cvss_v3s.attack_vector	Attribute: "CVSS v3 Attack Vector" Attribute: "Description" (Attack Vector row)
nvd_additional_information.cvss_v3s.attack_complexity	Attribute: "CVSS v3 Attack Complexity" Attribute: "Description" (Attack Complexity row)
nvd_additional_information.cvss_v3s.privileges_required	Attribute: "CVSS v3 Privileges Required" Attribute: "Description" (Privileges Required row)
nvd_additional_information.cvss_v3s.user_interaction	Attribute: "CVSS v3 User Interaction" Attribute: "Description" (User Interaction row)
nvd_additional_information.cvss_v3s.scope	Attribute: "CVSS v3 Scope" Attribute: "Description" (Scope row)
nvd_additional_information.cvss_v3s.confidentiality_impact	Attribute: "CVSS v3 Confidentiality Impact" Attribute: "Description" (Confidentiality Impact row)
nvd_additional_information.cvss_v3s.integrity_impact	Attribute: "CVSS v3 Integrity Impact" Attribute: "Description" (Integrity Impact row)
nvd_additional_information.cvss_v3s.availability_impact	Attribute: "CVSS v3 Availability Impact" Attribute: "Description" (Availability Impact row)
nvd_additional_information.cvss_v3s.score	Attribute: "CVSS Score v3" Attribute: "Description" (Score row)
nvd_additional_information.cvss_v3s.vector_string	Attribute: "CVSS v3 Vector String" Attribute: "Description" (Vector String row)
nvd_additional_information.cvss_v3s.version	Attribute: "CVSS Version"
scores.epss_score	Attribute: "EPSS Score"
scores.severity	Attribute: "Threat Level"

Vulnerability Intelligence (Premium) [Updated]

ThreatConnect object type: Threat Group

Flashpoint Ignite API Field	ThreatConnect Field
id	Attribute: "External ID"
title	Name/Summary
description	Attribute: "Description" (default)
solution	Attribute: "Mitigations"
technical_description	Attribute: "Analyst Notes"
timelines.disclosed_at	First Seen Attribute: "Timeline" (Disclosure Date row)
timelines.published_at	Attribute: "Timeline" (Published Date row)
timelines.last_modified_at	External Date Last Modified Attribute: "Timeline" (Last Update row)
timelines.exploit_published_at	Attribute: "Timeline" (Exploit Publish Date row)
timelines.discovered_at	External Date Added Attribute: "Timeline" (Date of Discovery row)
timelines.vendor_informed_at	Attribute: "Timeline" (Vendor Inform Date row)
timelines.vendor_acknowledged_at	Attribute: "Timeline" (Vendor Acknowledge Date row)
timelines.third_party_solution_provided_at	Attribute: "Timeline" (Third Party Solution Date row)
timelines.solution_provided_at	Attribute: "Timeline" (Solution Date row)
scores.severity	Attribute: "Threat Level"
scores.ransomware_score	Attribute: "Ransomware Score"
vuln_status	Attribute: "Status"
exploits.value	Attribute: "Exploits" (Value column)
exploits.type	Attribute: "Exploits" (Type column)
cwes.cwe_id	Tag
ext_references.value	Attribute: "External Details" (Value column)
ext_references.type	Attribute: "External Details" (Type column)
ext_references.created_at	Attribute: "External Details" (External Date Created column)
classifications.longname	Attribute: "Classification" (Name column)
classifications.description	Attribute: "Classification" (Description column)
cvss_v2s.access_vector	Attribute: "CVSS Score Flashpoint" (Access Vector column)
cvss_v2s.access_complexity	Attribute: "CVSS Score Flashpoint" (Access Complexity column)
cvss_v2s.authentication	Attribute: "CVSS Score Flashpoint" (Authentication column)
cvss_v2s.confidentiality_impact	Attribute: "CVSS Score Flashpoint" (Confidentiality Impact column)
cvss_v2s.integrity_impact	Attribute: "CVSS Score Flashpoint" (Integrity Impact column)
cvss_v2s.availability_impact	Attribute: "CVSS Score Flashpoint" (Availability Impact column)
cvss_v2s.source	Attribute: "CVSS Score Flashpoint" (Source column)
cvss_v2s.generated_at	Attribute: "CVSS Score Flashpoint" (Generated At column)
cvss_v2s.score	Attribute: "CVSS Score Flashpoint" (Score column)
cvss_v2s.calculated_cvss_base_score	Attribute: "CVSS Score Flashpoint" (Calculated CVSS Base Score column)
cvss_v3s.attack_vector	Attribute: "CVSS Score Flashpoint" (Attack Vector row)
cvss_v3s.attack_complexity	Attribute: "CVSS Score Flashpoint" (Attack Complexity row)
cvss_v3s.privileges_required	Attribute: "CVSS Score Flashpoint" (Privileges Required row)
cvss_v3s.user_interaction	Attribute: "CVSS Score Flashpoint" (User Interaction row)
cvss_v3s.scope	Attribute: "CVSS Score Flashpoint" (Scope row)
cvss_v3s.confidentiality_impact	Attribute: "CVSS Score Flashpoint" (Confidentiality Impact row)
cvss_v3s.integrity_impact	Attribute: "CVSS Score Flashpoint" (Integrity Impact row)
cvss_v3s.availability_impact	Attribute: "CVSS Score Flashpoint" (Availability Impact row)
cvss_v3s.source	Attribute: "CVSS Score Flashpoint" (Source row)
cvss_v3s.generated_at	Attribute: "CVSS Score Flashpoint" (Generated At row)
cvss_v3s.score	Attribute: "CVSS Score Flashpoint" (Score row)
cvss_v3s.calculated_cvss_base_score	Attribute: "CVSS Score Flashpoint" (Calculated CVSSBase Score row)
cvss_v3s.vector_string	Attribute: "CVSS Score Flashpoint" (Vector String row)
cvss_v3s.version	Attribute: "CVSS Score Flashpoint" (Version row)
cvss_v3s.remediation_level	Attribute: "CVSS Score Flashpoint" (Remediation Level row)
cvss_v3s.report_confidence	Attribute: "CVSS Score Flashpoint" (Report Confidence row)
cvss_v3s.exploit_code_maturity	Attribute: "CVSS Score Flashpoint" (Exploit Code Maturity row)
cvss_v3s.temporal_score	Attribute: "CVSS Score Flashpoint" (Temporal Score row)
cvss_v3s.updated_at	Attribute: "CVSS Score Flashpoint" (Updated At row)
cvss_v4s.score	Attribute: "CVSS Score Flashpoint" (Score row)
cvss_v4s.threat_score	Attribute: "CVSS Score Flashpoint" (Threat Score row)
cvss_v4s.source	Attribute: "CVSS Score Flashpoint" (Source row)
cvss_v4s.generated_at	Attribute: "CVSS Score Flashpoint" (Generated At row)
cvss_v4s.updated_at	Attribute: "CVSS Score Flashpoint" (Updated At row)
cvss_v4s.vector_string	Attribute: "CVSS Score Flashpoint" (Vector String row)
cvss_v4s.version	Attribute: "CVSS Score Flashpoint" (Version row)
cvss_v4s.attack_vector	Attribute: "CVSS Score Flashpoint" (Attack Vector row)
cvss_v4s.attack_complexity	Attribute: "CVSS Score Flashpoint" (Attack Complexity row)
cvss_v4s.attack_requirements	Attribute: "CVSS Score Flashpoint" (Attack Requirements row)
cvss_v4s.privileges_required	Attribute: "CVSS Score Flashpoint" (Privileges Required row)
cvss_v4s.user_interaction	Attribute: "CVSS Score Flashpoint" (User Interaction row)
cvss_v4s.exploit_maturity	Attribute: "CVSS Score Flashpoint" (Exploit Maturity row)
cvss_v4s.vulnerable_system_confidentiality_impact	Attribute: "CVSS Score Flashpoint" (VS Confidentiality Impact row)
cvss_v4s.vulnerable_system_integrity_impact	Attribute: "CVSS Score Flashpoint" (VS Integrity Impact row)
cvss_v4s.vulnerable_system_availability_impact	Attribute: "CVSS Score Flashpoint" (VS Availability Impact row)
cvss_v4s.subsequent_system_confidentiality_impact	Attribute: "CVSS Score Flashpoint" (SS Confidentiality Impact row)
cvss_v4s.subsequent_system_integrity_impact	Attribute: "CVSS Score Flashpoint" (SS Integrity Impact row)
cvss_v4s.subsequent_system_availability_impact	Attribute: "CVSS Score Flashpoint" (SS Availability Impact row)
tags	Tag
products.name	Attribute: "Vulnerable Product" (Product column) Tag
products.versions.affected	Attribute: "Vulnerable CPE" (Affected column)
products.versions.cpes.name	Attribute: "Vulnerable CPE" (CPE column)
products.versions.cpes.source	Attribute: "Vulnerable CPE" (Source column)
vendors.name	Attribute: "Vulnerable Product" (Vendor column) Tag

ThreatConnect object type: Threat Group

Flashpoint Ignite API Field	ThreatConnect Field
nvd_additional_information.cve_id	Attribute: "External ID" (default) Name/Summary Source: "https://nvd.nist.gov/vuln/detail/<CVE ID number>"
nvd_additional_information.summary	Attribute: "Description" (default)
nvd_additional_information.cwes.cwe_id	Tag: "Vulnerability: <CWE ID number>"
scores.epss_score	Attribute: "EPSS Score"
scores.epss_v1_score	Attribute: "EPSS v1 Score"
scores.severity	Attribute: "Threat Level"
scores.ransomware_score	Attribute: "Ransomware Score"
scores.social_risk_scores.cve_id	Attribute: "Metrics" (CVE ID row)
scores.social_risk_scores.numeric_score	Attribute: "Metrics" (Social Risk Numerical Score row)
scores.social_risk_scores.categorical_score	Attribute: "Metrics" (Social Risk Categorical Score row)
scores.social_risk_scores.score_date	Attribute: "Metrics" (Score Date row)
scores.social_risk_scores.todays_tweets	Attribute: "Metrics" (Number of Today's Tweets row)
scores.social_risk_scores.total_tweets	Attribute: "Metrics" (Total Number of Tweets row)
scores.social_risk_scores.unique_users	Attribute: "Metrics" (Number of Unique Users row)
nvd_additional_information.cvss_v2s.access_vector	Attribute: "CVSS v2 Access Vector" Attribute: "Description" (Access Vector row)
nvd_additional_information.cvss_v2s.access_complexity	Attribute: "CVSS v2 Access Complexity" Attribute: "Description" (Access Complexity row)
nvd_additional_information.cvss_v2s.authentication	Attribute: "CVSS v2 Authentication" Attribute: "Description" (Authentication row)
nvd_additional_information.cvss_v2s.confidentiality_impact	Attribute: "CVSS v2 Confidentiality Impact" Attribute: "Description" (Confidentiality Impact row)
nvd_additional_information.cvss_v2s.integrity_impact	Attribute: "CVSS v2 Integrity Impact" Attribute: "Description" (Integrity Impact row)
nvd_additional_information.cvss_v2s.availability_impact	Attribute: "CVSS v2 Availability Impact" Attribute: "Description" (Availability Impact row)
nvd_additional_information.cvss_v2s.score	Attribute: "CVSS Score v2" Attribute: "Description" (Score row)
nvd_additional_information.cvss_v3s.attack_vector	Attribute: "CVSS v3 Attack Vector" Attribute: "Description" (Attack Vector row)
nvd_additional_information.cvss_v3s.attack_complexity	Attribute: "CVSS v3 Attack Complexity" Attribute: "Description" (Attack Complexity row)
nvd_additional_information.cvss_v3s.privileges_required	Attribute: "CVSS v3 Privileges Required" Attribute: "Description" (Privileges Required row)
nvd_additional_information.cvss_v3s.user_interaction	Attribute: "CVSS v3 User Interaction" Attribute: "Description" (User Interaction row)
nvd_additional_information.cvss_v3s.scope	Attribute: "CVSS v3 Scope" Attribute: "Description" (Scope row)
nvd_additional_information.cvss_v3s.confidentiality_impact	Attribute: "CVSS v3 Confidentiality Impact" Attribute: "Description" (Confidentiality Impact row)
nvd_additional_information.cvss_v3s.integrity_impact	Attribute: "CVSS v3 Integrity Impact" Attribute: "Description" (Integrity Impact row)
nvd_additional_information.cvss_v3s.availability_impact	Attribute: "CVSS v3 Availability Impact" Attribute: "Description" (Availability Impact row)
nvd_additional_information.cvss_v3s.score	Attribute: "CVSS Score v3" Attribute: "Description" (Score row)
nvd_additional_information.cvss_v3s.vector_string	Attribute: "CVSS v3 Vector String" Attribute: "Description" (Vector String row)
nvd_additional_information.cvss_v3s.version	Attribute: "CVSS Version" Attribute: "Description" (Version row)

Frequently Asked Questions (FAQ) [Updated]

What are the major changes to the Flashpoint Ignite Threat Intelligence Engine App in version 1.0.1?

The major changes to the Flashpoint Ignite Threat Intelligence Engine App in version 1.0.1 include the following:

You can now set default values for Threat Rating, Confidence Rating, and Security Labels.
Each Common Vulnerabilities and Exposures (CVE®) ID in Flashpoint is now mapped to a Vulnerability Group in ThreatConnect instead of being represented only as a Tag on a Threat Group.
The technical_description Flashpoint Ignite API field now maps to the ThreatConnect "Analyst Notes" Attribute.

How are Flashpoint Vulnerability objects mapped to ThreatConnect objects?

Under Flashpoint Ignite’s Vulnerability structure, a single CVE ID can be associated with multiple Flashpoint IDs (FPIDs), or multiple CVE IDs can be associated with a single FPID. In version 1.0.0 of the Flashpoint Ignite Threat Intelligence Engine App, Flashpoint Vulnerabilities are mapped to Threat Groups in ThreatConnect. In version 1.0.1, each CVE ID representing a Flashpoint Vulnerability is mapped to a Vulnerability Group in ThreatConnect, and Common Weakness Enumeration (CWE™) IDs are mapped to Tags that are applied to Vulnerability and Threat Groups in ThreatConnect that correspond to Flashpoint Vulnerabilities.

How much historical Flashpoint data does the Flashpoint Ignite Threat Intelligence Engine App ingest into ThreatConnect?

During the initial ingestion of Flashpoint data, the Flashpoint Ignite Threat Intelligence Engine App will ingest Flashpoint objects added or published within the last 90 days. After the initial ingestion of data is complete, the App will ingest new data and update existing data every 2 hours.

Which Flashpoint data are modeled as Intrusion Sets in ThreatConnect?

The Flashpoint Ignite Threat Intelligence Engine App ingests and models the following Flashpoint data as Intrusion Set Groups in ThreatConnect:

Actor descriptions from the Flashpoint Events API endpoint
Actor Tags
Actor Profile Tags applied to Flashpoint Reports

How can I ingest more historical data from Flashpoint?

Use the Add Job button on the Jobs screen of the Flashpoint Ignite Threat Intelligence Engine UI (Figure 2). When creating a Job, select an appropriate date range from which to ingest Flashpoint data. For Reports, FP Attributes, and Events, it is recommended to use an ingestion date range of 90 days or fewer. For Vulnerabilities, any ad-hoc Jobs with an ingestion date range greater than 2 days may interrupt the daily scheduled Job runs if the daily limit of 5000 calls per day to the Vulnerability Flashpoint API endpoints is reached.

How can I upgrade to the latest version of the Flashpoint Ignite Threat Intelligence Engine App?

Warning

The Feed Deployer is NOT used when updating the Flashpoint Ignite Threat Intelligence Engine App from version 1.0.0 to version 1.0.1.

Please refer to the instructions in the “Updating the App [New]” section.

The Service App for the Flashpoint Ignite Threat Intelligence Engine App is not starting, and I am getting an error saying, “Required attributes are missing. Shutting down Flashpoint Ignite app.” What should I do next?

Warning

The Feed Deployer is NOT used when updating the Flashpoint Ignite Threat Intelligence Engine App from version 1.0.0 to version 1.0.1.

Follow these instructions to address this issue:

Download the attributes.json file provided for the Flashpoint Ignite Threat Intelligence Engine App on ThreatConnect's Developer Hub.
Log into ThreatConnect with a System Administrator account.
Hover over Settingson the top navigation bar and select Account Settings. Then select the Communities/Sources tab.
Locate and click the name of the Source to which the current version of the Flashpoint Ignite Threat Intelligence Engine App is deployed to display the Source's Source Info screen.
Click the SOURCE CONFIG button on the left side of the screen to display the Source's Source Config screen.
Select the Attribute Types tab.
Click the UPLOAD button to display the Upload Attributes window.
Click + SELECT FILE, and then locate and select the attributes.json file you downloaded in Step 1.
Click SAVE.

ThreatConnect^® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.
Flashpoint^® is a registered trademark of EJ2 Communications, Inc.
CVE^® (Common Vulnerabilities and Exposures), MITRE ATT&CK^®, and ATT&CK^® are registered trademarks, and CWE™ (Common Weakness Enumeration) is a trademark, of The MITRE Corporation.

30089-02 EN Rev. A

Was this article helpful?

What's Next

FS-ISAC Integration Installation and Configuration Guide

Table of contents

Overview
Dependencies
Application Setup and Configuration
Configuration Parameters
Flashpoint Ignite Threat Intelligence Engine
Data Mappings
Frequently Asked Questions (FAQ)

Company

Sales and Support