--- title: "Flashpoint Ignite Threat Intel Engine Integration | ThreatConnect" slug: "flashpoint-ignite-threat-intelligence-engine-integration-user-guide" description: "This article is a user guide for the Flashpoint Ignite Threat Intelligence Engine App in ThreatConnect." updated: 2026-03-29T16:25:50Z published: 2026-03-29T16:25:50Z --- > ## Documentation Index > Fetch the complete documentation index at: https://knowledge.threatconnect.com/llms.txt > Use this file to discover all available pages before exploring further. # Flashpoint Ignite Threat Intelligence Engine Integration User Guide Software VersionThis guide applies to the **Flashpoint Ignite Threat Intelligence Engine**App version 1.0.5. ## Overview The **Flashpoint Ignite Threat Intelligence Engine** App in ThreatConnect® ingests Alerts, Attributes, Events, Reports, and Vulnerabilities from Flashpoint® Ignite and creates corresponding objects in ThreatConnect with select Flashpoint Ignite metadata: - Alerts are created as Event Groups in ThreatConnect. Some Alerts have associated images that are created as Document Groups. Attributes associated to Events are created as Address, File, Host, or URL Indicators in ThreatConnect. - Events are created as Event Groups in ThreatConnect. In addition, **Malware** tags on ingested Events from Flashpoint Ignite are created as Malware Groups in ThreatConnect, and **Actor** or **Actor Profile** tags on ingested Events from Flashpoint Ignite are created as Intrusion Set Groups in ThreatConnect. Events with these tags typically describe an activity by malware or a threat actor that leverages indicators. - Reports are created as Report Groups in ThreatConnect. In addition, **Actor Profile** tags on ingested Reports from Flashpoint Ignite are created as Intrusion Set Groups in ThreatConnect. Vulnerabilities are created as Threat Groups in ThreatConnect. Each CVE® belonging to a Vulnerability is created as a Vulnerability Group in ThreatConnect if its CVE-ID has a Common Vulnerability Scoring System (CVSS) score provided by the [National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD)](https://nvd.nist.gov/). ## Dependencies ### ThreatConnect Dependencies - ThreatConnect instance with version 7.2.0 or newer installed ### Flashpoint Ignite Dependencies - Active Flashpoint Ignite token - Subscription to the Cyber Threat Intelligence (CTI) product within the Flashpoint Ignite platform - To ingest premium Vulnerabilities, you must have the Vulnerability Intelligence Premium plan. See [https://docs.flashpoint.io/flashpoint/docs/vulnerability-intelligence](https://docs.flashpoint.io/flashpoint/docs/vulnerability-intelligence) for more information (must have a valid Flashpoint account to view this documentation). - For each Alert Rule you want to ingest into ThreatConnect, you must ensure that the Flashpoint Ignite API user associated with the Flashpoint Ignite token is subscribed to the Alert Rule prior to ingestion.HintYou can fine-tune the volume of data ingested into ThreatConnect from an Alert Rule by editing the Alert Rule in Flashpoint Ignite. ## Application Setup and Configuration ImportantFollow the instructions in the [“Update the Flashpoint Ignite Threat Intelligence Engine App”](/v1/docs/flashpoint-ignite-threat-intelligence-engine-integration-user-guide#update-the-flashpoint-ignite-threat-intelligence-engine-app) section if you are updating a previously installed version of the **Flashpoint Ignite Threat Intelligence Engine** App. The **Flashpoint Ignite Threat Intelligence Engine**App leverages the [Feed Deployer](https://knowledge.threatconnect.com/docs/the-feed-deployer) to create a [Source](https://knowledge.threatconnect.com/docs/ownership-in-threatconnect) for data ingestion from Flashpoint Ignite in an Organization and to configure the corresponding [Service](https://knowledge.threatconnect.com/docs/playbook-services)’s ingestion and authentication parameters. After you install the**Flashpoint Ignite Threat Intelligence Engine**App on your ThreatConnect instance, you can deploy it to any Organization. It must be deployed separately for each Organization in which you want to create a Source for data ingestion and a corresponding Service. ### Install the Flashpoint Ignite Threat Intelligence Engine App Follow these steps to install the **Flashpoint Ignite Threat Intelligence Engine**App on your ThreatConnect instance: 1. Log into ThreatConnect with a System Administrator account. 2. From the **Settings![Settings icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Settings%20icon.png)**menu on the top navigation bar, select**TC Exchange Settings**. 3. Select the **Catalog**tab on the **TC Exchange™ Settings**screen. 4. Locate the **Flashpoint Ignite Threat Intelligence Engine**App on the **Catalog**tab. 5. Click **Install![Plus icon_Dark blue](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Plus%20icon_Dark%20blue.png)**in the**Options**column to install the App. 6. Click **INSTALL** in the App’s **Release Notes** window. 7. After you install the **Flashpoint Ignite Threat Intelligence Engine**App, the [Feed Deployer](https://knowledge.threatconnect.com/docs/the-feed-deployer) will open automatically. Follow the procedure in the [“Deploy the Flashpoint Ignite Threat Intelligence App to an Organization”](/v1/docs/flashpoint-ignite-threat-intelligence-engine-integration-user-guide#deploy-the-flashpoint-ignite-threat-intelligence-app-to-an-organization) section to deploy the **Flashpoint Ignite Threat Intelligence Engine**App to a Source in an Organization and configure the corresponding Service. ### Deploy the Flashpoint Ignite Threat Intelligence App to an Organization Follow these steps to deploy the **Flashpoint Ignite Threat Intelligence Engine** App to an Organization: NoteSkip to the fourth step in the procedure if you just [installed the **Flashpoint Ignite Threat Intelligence Engine** App](/v1/docs/flashpoint-ignite-threat-intelligence-engine-integration-user-guide#install-the-flashpoint-ignite-threat-intelligence-engine-app) and are already viewing the **Feed Deployer** window. 1. Log into ThreatConnect with a System Administrator account. 2. From the **Settings![Settings icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Settings%20icon.png)**menu on the top navigation bar, select**TC Exchange Settings**. 3. Locate the **Flashpoint Ignite Threat Intelligence Engine** App on the **Installed** tab. Then select **Deploy** from the **Options****⋮** dropdown. 4. Follow the instructions in Table 1 to fill out the fields in the **Feed Deployer** window for a deployment of the **Flashpoint Ignite Threat Intelligence Engine**App. | Name | Description | Required? | | --- | --- | --- | | **Source**Tab | | Sources to Create | Enter the name of the Source for the feed.NoteUnless you are redeploying the feed to an existing Source in an Organization, the name of the Source must be unique on your ThreatConnect instance. It is recommended to add the Organization’s name to the end of the default Source name (e.g., **Flashpoint Ignite Threat Intelligence Engine – Demo Organization**) for easy identification of the Source’s owner. | Required | | Owner | Select the Organization in which the Source will be created. | Required | | Activate Deprecation | Select this checkbox to allow [confidence deprecation](https://knowledge.threatconnect.com/docs/indicator-confidence-deprecation) rules to be created and applied to Indicators in the Source. | Optional | | Create Attributes | Select this checkbox to allow [custom Attribute Types](https://knowledge.threatconnect.com/docs/creating-custom-attribute-types) for the **Flashpoint Ignite Threat Intelligence Engine**App to be created on the System level of your ThreatConnect instance.ImportantIt is recommended that you keep this checkbox selected. If you deselect it, data from the **Flashpoint Ignite Threat Intelligence Engine** App mapped to those Attribute Types will not be ingested. | Optional | | **Parameters**Tab | | Launch Server | Select **tc-job**as the launch server for the Feed API Service. | Required | | Flashpoint Types | Select the types of Flashpoint objects to ingest. Available options include the following: - Event - FP Attribute - Report - Vulnerability NoteVulnerability objects are available only for Flashpoint users who have the Vulnerability Intelligence Premium plan. | Required | | Alert Sources | Select the sources of Flashpoint Alerts to ingest. Available options include the following: - Media - News - Marketplaces - Communities - GitHub - GitLab - Bitbucket | Optional | | Advanced Settings | Use this setting to set default values for the following items for the ThreatConnect objects to which Flashpoint data will be mapped: - Confidence Rating (**default_confidence**) - Threat Rating (**default_rating**) - Security Label(**default_label**) If specifying multiple items, separate each one with a pipe character (\|). Example - default_label=TLP:AMBER - default_rating=5\|default_label=TLP:WHITE\|default_confidence=95 NoteThe values entered in the **Advanced Settings** field are also used in ad-hoc Job requests. | Optional | | **Variables**Tab | | Flashpoint Ignite Bearer Token* | Enter the Flashpoint Ignite bearer token.NoteYou must enter the actual Flashpoint bearer token value instead of populating this parameter with a ThreatConnect variable. | Required | | **Confirm**Tab | | Run Feeds after deployment | Select this checkbox to run the **Flashpoint Ignite Threat Intelligence Engine**Service immediately after you click **DEPLOY** on the **Feed Deployer** window. | Optional | | Confirm Deployment Over Existing Source | This checkbox and a warning message are displayed on the **Confirm** tab if the Source name entered on the **Source** tab is already used by a Source owned by the selected Organization. To confirm redeploying the App to the existing Source, select the checkbox. This will activate the **DEPLOY** button. Otherwise, you must return to the **Source**tab and either change the Source name or select a different Organization.WarningWhen you redeploy a Feed API Service to a Source, existing data in the Source may be overwritten. Redeployment will also create a new Service for the Feed API Service App**.** It is recommended that you delete the previous Service for the Feed API Service App after the new one is created. | Optional | 5. Click **DEPLOY** on the **Confirm** tab of the **Feed Deployer** window to deploy the **Flashpoint Ignite Threat Intelligence Engine** App in the Organization, which will create a Source for the feed in the Organization and a corresponding Feed API Service. ### Update the Flashpoint Ignite Threat Intelligence Engine App If you have previously deployed the **Flashpoint Ignite Threat Intelligence Engine** App to an Organization on your ThreatConnect instance, follow these steps to update the **Flashpoint Ignite Threat Intelligence Engine**App and the Attribute Types used for data ingestion into ThreatConnect: NoteWhen ThreatConnect 7.12 is released, Steps 1–8 will not be necessary. Instead, custom Attribute Types will be automatically updated when an App is updated on the **TC Exchange Settings** screen. 1. Download the [**attributes.json** file provided for the **Flashpoint Ignite Threat Intelligence Engine** App on the ThreatConnect Developer Hub](https://threatconnect.readme.io/docs/flashpoint-ignite-threat-intelligence-engine-service-attributes-json). 2. Log into ThreatConnect with a System Administrator account. 3. From the **Settings![Settings icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Settings%20icon.png)**menu on the top navigation bar, select**System Settings**. 4. Select the **Attribute Types** tab. 5. Click **UPLOAD**. 6. Click **+ SELECT FILE** on the **Upload Attributes** window. 7. Locate and select the **attributes.json** file you downloaded in Step 1. 8. Click **SAVE** to save the Attribute Types. 9. From the **Settings![Settings icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Settings%20icon.png)**menu on the top navigation bar, select**TC Exchange Settings**. 10. Select the **Updates**tab. 11. Locate the **Flashpoint Ignite Threat Intelligence Engine** App on the **Updates** tab. 12. Click **Update Now**![Update icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Update%20icon.png)in the **Options** column to update the App. 13. From the **Automation & Feeds** menu on the top navigation bar, select **Services**. 14. Toggle the slider for each **Flashpoint Ignite Threat Intelligence Engine** Service off and then on to restart the Service. ## Flashpoint Ignite Threat Intelligence Engine UI After [installing](/v1/docs/flashpoint-ignite-threat-intelligence-engine-integration-user-guide#install-the-flashpoint-ignite-threat-intelligence-engine-app) the **Flashpoint Ignite Threat Intelligence Engine** App and [deploying it to an Organization](/v1/docs/flashpoint-ignite-threat-intelligence-engine-integration-user-guide#deploy-the-flashpoint-ignite-threat-intelligence-app-to-an-organization), you can access the **Flashpoint Ignite Threat Intelligence Engine** user interface (UI), where you can manage data ingestion from Flashpoint Ignite into the Source created in the Organization. Follow these steps to access the **Flashpoint Ignite Threat Intelligence Engine** UI: 1. Log into ThreatConnect with a System Administrator account or a user account in the Organization with an [Organization role](https://knowledge.threatconnect.com/docs/organization-roles) of Organization Administrator. 2. From the **Automation & Feeds** dropdown on the top navigation bar, select **Services**. 3. Locate the row for the**Flashpoint Ignite Threat Intelligence Engine**Feed Service.HintSelect **Feed Service** from the **Service Type** dropdown at the upper right to filter the screen to show only Feed API Services. 4. Turn on the slider in the **Enable** column if the Service is not already enabled. 5. Click the link in the Service’s **API Path**field to open the **Flashpoint Ignite Threat Intelligence Engine** UI. The following screens are available in the **Flashpoint Ignite Threat Intelligence** Engine UI: - [**Dashboard**](/v1/docs/flashpoint-ignite-threat-intelligence-engine-integration-user-guide#dashboard) - [**Jobs**](/v1/docs/flashpoint-ignite-threat-intelligence-engine-integration-user-guide#jobs) - [**Tasks**](/v1/docs/flashpoint-ignite-threat-intelligence-engine-integration-user-guide#tasks) - [**Download**](/v1/docs/flashpoint-ignite-threat-intelligence-engine-integration-user-guide#download) - [**Batch Errors**](/v1/docs/flashpoint-ignite-threat-intelligence-engine-integration-user-guide#batch-errors) - [**Attachment Status**](/v1/docs/flashpoint-ignite-threat-intelligence-engine-integration-user-guide#attachment-status) ### Dashboard The **Dashboard**screen (Figure 1) provides an overview of the total number of Alerts (Event, Document) Attributes (Address, File, Host, URL), Events (Event, Malware, Intrusion Set), Reports (Report), and Vulnerabilities (Threat, Vulnerability) ingested from Flashpoint Ignite. ![Figure 1_Flashpoint Ignite Threat Intelligence Engine Integration User Guide_Software Version 1.0.5](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%201_Flashpoint%20Ignite%20Threat%20Intelligence%20Engine%20Integration%20User%20Guide_Software%20Version%201.0.5.png) ### Jobs The **Jobs**screen (Figure 2) breaks down the ingestion of Flashpoint Ignite data into manageable Job-like tasks, displaying all processes that are pending, in progress, complete, and failed. The **⋯** menu in a Job’s row provides the following options: - **Details**: View details for the Job, such as download, convert, and upload start and complete times and counts of downloaded and batched Groups and Indicators. - **Download Files**: Download metadata files for all Jobs and data (convert, download, and upload) files for completed Jobs. - **Batch Errors**: View errors that have occurred for the Job on the [**Batch Errors**](/v1/docs/flashpoint-ignite-threat-intelligence-engine-integration-user-guide#batch-errors) screen. ![Figure 2_Flashpoint Ignite Threat Intelligence Engine Integration User Guide_Software Version 1.0.5](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%202_Flashpoint%20Ignite%20Threat%20Intelligence%20Engine%20Integration%20User%20Guide_Software%20Version%201.0.5.png) You can filter **Flashpoint Ignite Threat Intelligence Engine** App Jobs by the following elements: - **Job ID:** Enter text into this box to search for a Job by its Job ID. - **Job Type:** Select Job types to display on the **Jobs** screen. - **Status:** Select Job statuses to display on the **Jobs** screen. #### Add a Job You can add ad-hoc Jobs on the **Jobs** screen. Follow these steps to create a request for an ad-hoc Job for the **Flashpoint Ignite Threat Intelligence Engine** Service: 1. Click **Add Job** (Figure 2). 2. Fill out the fields on the **Add Job**drawer (Figure 3) as follows: ![Figure 3_Flashpoint Ignite Threat Intelligence Engine Integration User Guide_Software Version 1.0.5](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%203_Flashpoint%20Ignite%20Threat%20Intelligence%20Engine%20Integration%20User%20Guide_Software%20Version%201.0.5.png) - **Updated After**: Select the date and time that Flashpoint Ignite data must be updated after in order to be ingested. - **Updated Before**: Select the date and time that Flashpoint Ignite data must be updated before in order to be ingested. - **Flashpoint Types**: Select the types of Flashpoint Ignite object types to include in the ad-hoc Job. - **Alert Sources**: Select the Flashpoint Ignite Alert sources to include in the ad-hoc Job. 3. Click **Submit**to submit the request for the ad-hoc Job. ### Tasks The **Tasks** screen (Figure 4) displays all Tasks that may be part of a Job, including each step of the download, convert, and upload processes, as well as Tasks for the **Flashpoint Ignite Threat Intelligence Engine** Service, such as Monitor, Scheduler, and Cleaner. The current status (**Idle**, **Paused**, or **Running**), name, description, and heartbeat timeout length, in minutes, are displayed for each Task. The **⋯** menu in a Task’s row provides the following options, depending on the Task’s status: - **Run** (idle and paused Tasks only) - **Pause** (idle and running Tasks only) - **Resume** (paused Tasks only) - **Kill** (running Tasks only) Under the table is a dashboard where you can view runtime analytics. ![Figure 4_Flashpoint Ignite Threat Intelligence Engine Integration User Guide_Software Version 1.0.5](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%204_Flashpoint%20Ignite%20Threat%20Intelligence%20Engine%20Integration%20User%20Guide_Software%20Version%201.0.5.png) ### Download The **Download**screen (Figure 5) lets you download JavaScript® Object Notation (JSON) data for Flashpoint Ignite objects and then upload the data into ThreatConnect. ![Figure 5_Flashpoint Ignite Threat Intelligence Engine Integration User Guide_Software Version 1.0.5](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%205_Flashpoint%20Ignite%20Threat%20Intelligence%20Engine%20Integration%20User%20Guide_Software%20Version%201.0.5.png) Follow these steps to download JSON data for a Flashpoint Ignite object on the **Download** screen and then upload the data into ThreatConnect: 1. **External ID**: Enter the Flashpoint ID (FPID) of the object to download. 2. **Type**: Select the Flashpoint Ignite object type to download: - **Vulnerability**: Download a Flashpoint Ignite Vulnerability. If you upload the JSON data, a Threat Group will be created in ThreatConnect. If the Vulnerability includes CVEs with a CVSS scores, those CVEs will be created as Vulnerability Groups in ThreatConnect. - **Report**: Download a Flashpoint Ignite Report. If you upload the JSON data, a Report Group will be created in ThreatConnect. - **Event**: Download a Flashpoint Ignite Event. If you upload the JSON data, an Event Group will be created in ThreatConnect. If the Flashpoint Ignite Event has Attributes, then Address, File, Host, and/or URL Indicators will be created in ThreatConnect as well. In addition, if the Event has a **Malware** tag in Flashpoint Ignite, a Malware Group will be created in ThreatConnect. If the Event has an **Actor** or **Actor Profile** tag in Flashpoint Ignite, an Intrusion Set Group will be created in ThreatConnect. - **Notification**: Download a Flashpoint Ignite Alert. If you upload the JSON data, a Document Group or Event Group will be created in ThreatConnect. 3. Click **Download**. The JSON data will be displayed in two columns: **Results** (raw JSON data) and **Converted**(JSON data in ThreatConnect batch format) (Figure 6). ![Figure 6_Flashpoint Ignite Threat Intelligence Engine Integration User Guide_Software Version 1.0.5](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%206_Flashpoint%20Ignite%20Threat%20Intelligence%20Engine%20Integration%20User%20Guide_Software%20Version%201.0.5.png) 4. Click **Upload** to submit the converted threat intelligence data via the [ThreatConnect Batch API](https://docs.threatconnect.com/en/latest/rest_api/v2/batch_api/batch_api.html). ### Batch Errors The **Batch Errors**screen (Figure 7) displays an overview of the batch error types that have occurred for Job requests. You can enter keywords to filter by Job ID. ![Figure 7_Flashpoint Ignite Threat Intelligence Engine Integration User Guide_Software Version 1.0.5](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%207_Flashpoint%20Ignite%20Threat%20Intelligence%20Engine%20Integration%20User%20Guide_Software%20Version%201.0.5.png) Select an error type to open a drawer containing a table with details on all batch errors of that type (Figure 8). You can enter keywords to filter by reason for error. ![Figure 8_Flashpoint Ignite Threat Intelligence Engine Integration User Guide_Software Version 1.0.5](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%208_Flashpoint%20Ignite%20Threat%20Intelligence%20Engine%20Integration%20User%20Guide_Software%20Version%201.0.5.png) ### Attachment Status The **Attachment Status**screen (Figure 9) displays a table with details on ThreatConnect's attempts to download Report attachments from Flashpoint Ignite. You can filter the table by Flashpoint Ignite Group ID, which can be useful if you do not see a Flashpoint Ignite attachment in ThreatConnect as expected, or by status. ![Figure 9_Flashpoint Ignite Threat Intelligence Engine Integration User Guide_Software Version 1.0.5](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%209_Flashpoint%20Ignite%20Threat%20Intelligence%20Engine%20Integration%20User%20Guide_Software%20Version%201.0.5.png) ## Data Mappings The data mappings in Table 2 through Table 13 illustrate how data are mapped from Flashpoint Ignite API endpoints into the [ThreatConnect data model](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model). ### Attribute (From Events Endpoint) ThreatConnect object type: Indicator (Address, File, Host, or URL) | Flashpoint Ignite API Field | ThreatConnect Field | | --- | --- | | Event.Attribute.category | Attribute: "Category" | | Event.Attribute.fpid | Attribute: "External ID" | | Event.Attribute.href | Attribute: "Source" | | Event.Attribute.type | Indicator Type | | Event.Attribute.value.*X* | Indicator Value [See the Table 3 in the [“Value (From Events Endpoint)”](/docs/flashpoint-ignite-threat-intelligence-engine-integration-user-guide#value-from-events-endpoint) section for details on how different Flashpoint data types are mapped in ThreatConnect] | ### Value (From Events Endpoint) ThreatConnect object type: Varies | Flashpoint Data Type | ThreatConnect Object | | --- | --- | | AS | ASN Indicator | | bte | Event Group - Attribute: "Bitcoin Address" | | domain | Host Indicator | | email-dst | Email Address Indicator - Tag: "Destination" | | email-src | Email Address Indicator - Tag: "Source" | | email-subject | Email Subject Indicator | | filename | Event Group - Attribute: "File Name" | | github-username | Event Group - Attribute: "GitHub" | | hostname | Host Group | | ip-dst | Address Indicator - Tag: "Destination" | | ip-dst\|port | Address Indicator - Tag: "Destination" - Attribute: "Port" | | ip-src | Address Indicator - Tag: "Source" | | link | Event Group - Attribute: "External References" | | md5 | File Indicator | | mutex | Mutex Indicator | | other | Event Group - Attribute: "Additional Analysis and Context" | | regkey | Registry Key Indicator | | regkey\|value | Registry Key Indicator | | sha1 | File Indicator | | sha256 | File Indicator | | threat-actor | Intrusion Set Group | | twitter-id | Event Group - Attribute: "Social Media: Twitter" | | url | URL Indicator | | user-agent | User Agent Indicator | | whois-registrant-email | Email Address Indicator - Tag: "WHOIS" | ### Event ThreatConnect object type: Event Group | Flashpoint Ignite API Field | ThreatConnect Field | | --- | --- | | Event.Tag.name | Tag - If the Tag type is **Actor**or **Actor Profile**, the Tag is also mapped to an Intrusion Set Group that is associated to the Event Group - If the Tag type is **Malware**, the Tag is also mapped to a Malware Group that is associated to the Event Group | | Event.date | Event Date | | Event.info | Name/Summary | | Event.report | Associated Report Group | | Event.publish_timestamp | Attribute: "Publish Date" | | Event.timestamp | Attribute: "External Date Created" | | Event.attack_ids | [ATT&CK® Tag](https://knowledge.threatconnect.com/docs/attack-tags) | | Event.fpid | Attribute: "External ID" | | href | Attribute: "Source" | | Event.Attribute.reports.html | Associated Report Group - Attribute: "Source" | | reports.html | Associated Report Group | | malware_description | Associated Malware Group - Attribute: "Description" (default) | | actor_description | Associated Intrusion Set Group - Attribute: "Description" (default) | ### Intelligence Report ThreatConnect object type: Report Group | Flashpoint Ignite API Field | ThreatConnect Field | | --- | --- | | data.id | Attribute: "External ID" | | data.actors | Tag: "Intrusion Set: <*Intrusion Set Name*>" | | data.title | Name/Summary | | data.summary | Attribute: "Description" (default) | | data.tags | Tag - If the Tag type is **Actor Profile**, the Tag is also mapped to an Intrusion Set Group that is associated to the Report Group | | data.body | HTML File Attachment | | data.ingested_at | Attribute: "Ingestion Date" | | data.posted_at | Attribute: "Publish Date" | | data.platform_url | Attribute: "Source" | | data.notified_at | Attribute: "First Seen" | | data.updated_at | Attribute: "External Date Last Modified" | | data.published_status | Attribute: "Publish Status" | ### Vulnerability Intelligence (Premium) ThreatConnect object type: Threat Group | Flashpoint Ignite API Field | ThreatConnect Field | | --- | --- | | id | Attribute: "External ID" | | title | Name/Summary | | description | Attribute: "Description" (default) | | solution | Attribute: "Mitigations" | | technical_description | Attribute: "Analyst Notes" | | timelines.disclosed_at | - First Seen - Attribute: "Timeline" (**Disclosure Date**row) | | timelines.published_at | Attribute: "Timeline" (**Published Date**row) | | timelines.last_modified_at | - External Date Last Modified - Attribute: "Timeline" (**Last Update**row) | | timelines.exploit_published_at | Attribute: "Timeline" (**Exploit Publish Date**row) | | timelines.discovered_at | - External Date Added - Attribute: "Timeline" (**Date of Discovery** row) | | timelines.vendor_informed_at | Attribute: "Timeline" (**Vendor Inform Date**row) | | timelines.vendor_acknowledged_at | Attribute: "Timeline" (**Vendor Acknowledge Date**row) | | timelines.third_party_solution_provided_at | Attribute: "Timeline" (**Third Party Solution Date**row) | | timelines.solution_provided_at | Attribute: "Timeline" (**Solution Date**row) | | scores.severity | Attribute: "Threat Level" | | scores.ransomware_score | Attribute: "Ransomware Score" | | vuln_status | Attribute: "Status" | | exploits.value | Attribute: "Exploits" (**Value** column) | | exploits.type | Attribute: "Exploits" (**Type** column) | | cwes.cwe_id | Tag | | ext_references.value | Attribute: "External Details" (**Value**column) | | ext_references.type | Attribute: "External Details" (**Type**column) | | ext_references.created_at | Attribute: "External Details" (**External Date Created**column) | | classifications.longname | Attribute: "Classification" (**Name**column) | | classifications.description | Attribute: "Classification" (**Description**column) | | cvss_v2s.access_vector | Attribute: "CVSS Score Flashpoint" (**Access Vector** column) | | cvss_v2s.access_complexity | Attribute: "CVSS Score Flashpoint" (**Access Complexity** column) | | cvss_v2s.authentication | Attribute: "CVSS Score Flashpoint" (**Authentication**column) | | cvss_v2s.confidentiality_impact | Attribute: "CVSS Score Flashpoint" (**Confidentiality Impact**column) | | cvss_v2s.integrity_impact | Attribute: "CVSS Score Flashpoint" (**Integrity Impact**column) | | cvss_v2s.availability_impact | Attribute: "CVSS Score Flashpoint" (**Availability Impact**column) | | cvss_v2s.source | Attribute: "CVSS Score Flashpoint" (**Source**column) | | cvss_v2s.generated_at | Attribute: "CVSS Score Flashpoint" (**Generated At** column) | | cvss_v2s.score | Attribute: "CVSS Score Flashpoint" (**Score** column) | | cvss_v2s.calculated_cvss_base_score | Attribute: "CVSS Score Flashpoint" (**Calculated CVSS Base Score** column) | | cvss_v3s.attack_vector | Attribute: "CVSS Score Flashpoint" (**Attack Vector** row) | | cvss_v3s.attack_complexity | Attribute: "CVSS Score Flashpoint" (**Attack Complexity** row) | | cvss_v3s.privileges_required | Attribute: "CVSS Score Flashpoint" (**Privileges Required**row) | | cvss_v3s.user_interaction | Attribute: "CVSS Score Flashpoint" (**User Interaction**row) | | cvss_v3s.scope | Attribute: "CVSS Score Flashpoint" (**Scope** row) | | cvss_v3s.confidentiality_impact | Attribute: "CVSS Score Flashpoint" (**Confidentiality Impact** row) | | cvss_v3s.integrity_impact | Attribute: "CVSS Score Flashpoint" (**Integrity Impact** row) | | cvss_v3s.availability_impact | Attribute: "CVSS Score Flashpoint" (**Availability Impact** row) | | cvss_v3s.source | Attribute: "CVSS Score Flashpoint" (**Source** row) | | cvss_v3s.generated_at | Attribute: "CVSS Score Flashpoint" (**Generated At** row) | | cvss_v3s.score | Attribute: "CVSS Score Flashpoint" (**Score** row) | | cvss_v3s.calculated_cvss_base_score | Attribute: "CVSS Score Flashpoint" (**Calculated CVSS****Base Score**row) | | cvss_v3s.vector_string | Attribute: "CVSS Score Flashpoint" (**Vector String**row) | | cvss_v3s.version | Attribute: "CVSS Score Flashpoint" (**Version** row) | | cvss_v3s.remediation_level | Attribute: "CVSS Score Flashpoint" (**Remediation Level** row) | | cvss_v3s.report_confidence | Attribute: "CVSS Score Flashpoint" (**Report Confidence** row) | | cvss_v3s.exploit_code_maturity | Attribute: "CVSS Score Flashpoint" (**Exploit Code Maturity** row) | | cvss_v3s.temporal_score | Attribute: "CVSS Score Flashpoint" (**Temporal Score** row) | | cvss_v3s.updated_at | Attribute: "CVSS Score Flashpoint" (**Updated At** row) | | cvss_v4s.score | Attribute: "CVSS Score Flashpoint" (**Score** row) | | cvss_v4s.threat_score | Attribute: "CVSS Score Flashpoint" (**Threat Score**row) | | cvss_v4s.source | Attribute: "CVSS Score Flashpoint" (**Source** row) | | cvss_v4s.generated_at | Attribute: "CVSS Score Flashpoint" (**Generated At** row) | | cvss_v4s.updated_at | Attribute: "CVSS Score Flashpoint" (**Updated At** row) | | cvss_v4s.vector_string | Attribute: "CVSS Score Flashpoint" (**Vector String** row) | | cvss_v4s.version | Attribute: "CVSS Score Flashpoint" (**Version** row) | | cvss_v4s.attack_vector | Attribute: "CVSS Score Flashpoint" (**Attack Vector** row) | | cvss_v4s.attack_complexity | Attribute: "CVSS Score Flashpoint" (**Attack Complexity** row) | | cvss_v4s.attack_requirements | Attribute: "CVSS Score Flashpoint" (**Attack Requirements** row) | | cvss_v4s.privileges_required | Attribute: "CVSS Score Flashpoint" (**Privileges Required** row) | | cvss_v4s.user_interaction | Attribute: "CVSS Score Flashpoint" (**User Interaction** row) | | cvss_v4s.exploit_maturity | Attribute: "CVSS Score Flashpoint" (**Exploit Maturity** row) | | cvss_v4s.vulnerable_system_confidentiality_impact | Attribute: "CVSS Score Flashpoint" (**VS Confidentiality Impact** row) | | cvss_v4s.vulnerable_system_integrity_impact | Attribute: "CVSS Score Flashpoint" (**VS Integrity Impact** row) | | cvss_v4s.vulnerable_system_availability_impact | Attribute: "CVSS Score Flashpoint" (**VS Availability Impact** row) | | cvss_v4s.subsequent_system_confidentiality_impact | Attribute: "CVSS Score Flashpoint" (**SS Confidentiality Impact** row) | | cvss_v4s.subsequent_system_integrity_impact | Attribute: "CVSS Score Flashpoint" (**SS Integrity Impact** row) | | cvss_v4s.subsequent_system_availability_impact | Attribute: "CVSS Score Flashpoint" (**SS Availability Impact** row) | | tags | Tag | | products.name | - Attribute: "Vulnerable Product" (**Product**column) - Tag | | products.versions.affected | Attribute: "Vulnerable CPE" (**Affected**column) | | products.versions.cpes.name | Attribute: "Vulnerable CPE" (**CPE**column) | | products.versions.cpes.source | Attribute: "Vulnerable CPE" (**Source**column) | | vendors.name | - Attribute: "Vulnerable Product" (**Vendor**column) - Tag | ThreatConnect object type: Vulnerability Group | Flashpoint Ignite API Field | ThreatConnect Field | | --- | --- | | nvd_additional_information.cve_id | - Attribute: "External ID" (default) - Name/Summary - Source: "https://nvd.nist.gov/vuln/detail/**" | | nvd_additional_information.summary | Attribute: "Description" (default) | | nvd_additional_information.cwes.cwe_id | Tag: "Vulnerability: **" | | scores.epss_score | Attribute: "EPSS Score" | | scores.epss_v1_score | Attribute: "EPSS v1 Score" | | scores.severity | Attribute: "Threat Level" | | scores.ransomware_score | Attribute: "Ransomware Score" | | scores.social_risk_scores.cve_id | Attribute: "Metrics" (**CVE ID**row) | | scores.social_risk_scores.numeric_score | Attribute: "Metrics" (**Social Risk Numerical Score** row) | | scores.social_risk_scores.categorical_score | Attribute: "Metrics" (**Social Risk Categorical Score** row) | | scores.social_risk_scores.score_date | Attribute: "Metrics" (**Score Date**row) | | scores.social_risk_scores.todays_tweets | Attribute: "Metrics" (**Number of Today's Tweets**row) | | scores.social_risk_scores.total_tweets | Attribute: "Metrics" (**Total Number of Tweets**row) | | scores.social_risk_scores.unique_users | Attribute: "Metrics" (**Number of Unique Users** row) | | nvd_additional_information.cvss_v2s.access_vector | - Attribute: "CVSS v2 Access Vector" - Attribute: "Description" (**Access Vector** row) | | nvd_additional_information.cvss_v2s.access_complexity | - Attribute: "CVSS v2 Access Complexity" - Attribute: "Description" (**Access Complexity** row) | | nvd_additional_information.cvss_v2s.authentication | - Attribute: "CVSS v2 Authentication" - Attribute: "Description" (**Authentication** row) | | nvd_additional_information.cvss_v2s.confidentiality_impact | - Attribute: "CVSS v2 Confidentiality Impact" - Attribute: "Description" (**Confidentiality Impact** row) | | nvd_additional_information.cvss_v2s.integrity_impact | - Attribute: "CVSS v2 Integrity Impact" - Attribute: "Description" (**Integrity Impact** row) | | nvd_additional_information.cvss_v2s.availability_impact | - Attribute: "CVSS v2 Availability Impact" - Attribute: "Description" (**Availability Impact** row) | | nvd_additional_information.cvss_v2s.score | - Attribute: "CVSS Score v2" - Attribute: "Description" (**Score** row) | | nvd_additional_information.cvss_v3s.attack_vector | - Attribute: "CVSS v3 Attack Vector" - Attribute: "Description" (**Attack Vector** row) | | nvd_additional_information.cvss_v3s.attack_complexity | - Attribute: "CVSS v3 Attack Complexity" - Attribute: "Description" (**Attack Complexity** row) | | nvd_additional_information.cvss_v3s.privileges_required | - Attribute: "CVSS v3 Privileges Required" - Attribute: "Description" (**Privileges Required** row) | | nvd_additional_information.cvss_v3s.user_interaction | - Attribute: "CVSS v3 User Interaction" - Attribute: "Description" (**User Interaction** row) | | nvd_additional_information.cvss_v3s.scope | - Attribute: "CVSS v3 Scope" - Attribute: "Description" (**Scope** row) | | nvd_additional_information.cvss_v3s.confidentiality_impact | - Attribute: "CVSS v3 Confidentiality Impact" - Attribute: "Description" (**Confidentiality Impact** row) | | nvd_additional_information.cvss_v3s.integrity_impact | - Attribute: "CVSS v3 Integrity Impact" - Attribute: "Description" (**Integrity Impact** row) | | nvd_additional_information.cvss_v3s.availability_impact | - Attribute: "CVSS v3 Availability Impact" - Attribute: "Description" (**Availability Impact** row) | | nvd_additional_information.cvss_v3s.score | - Attribute: "CVSS Score v3" - Attribute: "Description" (**Score** row) | | nvd_additional_information.cvss_v3s.vector_string | - Attribute: "CVSS v3 Vector String" - Attribute: "Description" (**Vector String** row) | | nvd_additional_information.cvss_v3s.version | - Attribute: "CVSS Version" - Attribute: "Description" (**Version** row) | ### Alerts - Communities ThreatConnect object type: Event Group | Flashpoint Ignite API Field | ThreatConnect Field | | --- | --- | | reason.name | Attribute: "Alert Rule" | | reason.id | Attribute: "Alert Rule ID" | | resource.id | - Attribute: "Description" (default) with additional custom mapping - Attribute: "Source" (default) with additional custom mapping - Attribute: "Additional Analysis and Context" with additional custom mapping - Name/Summary with additional custom mapping - Status with additional custom mapping | | id | Attribute: "External ID" | | created_at | - Event Date - External Date Added | | resource.basetypes[] | Tag | | tags | Tag | | reason.details.sources[] | Tag | | source | Tag | | data_type | Tag | | reason.origin | Tag | | N/A | Tag: "Source: Flashpoint Alert" | ### Alerts - Marketplace ThreatConnect object type: Event Group | Flashpoint Ignite API Field | ThreatConnect Field | | --- | --- | | reason.name | Attribute: "Alert Rule" | | reason.id | Attribute: "Alert Rule ID" | | resource.id | - Attribute: "Description" (default) with additional custom mapping - Attribute: "Source" (default) with additional custom mapping - Attribute: "Additional Analysis and Context" with additional custom mapping - Name/Summary with additional custom mapping - Status with additional custom mapping | | id | Attribute: "External ID" | | created_at | - Event Date - External Date Added | | resource.basetypes[] | Tag | | tags | Tag | | reason.details.sources[] | Tag | | source | Tag | | data_type | Tag | | reason.origin | Tag | | resource.site.title | Tag | | N/A | Tag: "Source: Flashpoint Alert" | ### Alerts - Media ThreatConnect object type: Document Group | Flashpoint Ignite API Field | ThreatConnect Field | | --- | --- | | reason.name | Attribute: "Alert Rule" | | reason.id | Attribute: "Alert Rule ID" | | resource.id | - Attribute: "Description" (default) with additional custom mapping - Attribute: "Source" (default) with additional custom mapping - Attribute: "Additional Analysis and Context" with additional custom mapping - Name/Summary with additional custom mapping - Status with additional custom mapping | | id | Attribute: "External ID" | | created_at | - Event Date - External Date Added | | resource.basetypes[] | Tag | | tags | Tag | | reason.details.sources[] | Tag | | source | Tag | | data_type | Tag | | reason.origin | Tag | | resource.site.title | Tag | | N/A | Tag: "Source: Flashpoint Alert" | ### Image Files From Alerts - Media ThreatConnect object type: Document Group | Flashpoint Ignite API Field | ThreatConnect Field | | --- | --- | | media_v2.sha1 | Attribute: "Description" (default) with additional custom mapping | | media_v2.image_enrichment.enrichments | | media_v2.phash | Attribute: "Source" (default) with additional custom mapping | | file_name | File Name with additional custom mapping | | sha1 | Name/Summary with additional custom mapping | | N/A | Tag: "Source: Flashpoint Alert" | | N/A | Tag: "Alert Image Pending"NoteThis Tag is added while the file is uploading. After the file has uploaded, the Tag is removed. | | file_type | Tag | | xid | Attribute: "External ID" | ### Alerts - News ThreatConnect object type: Event Group | Flashpoint Ignite API Field | ThreatConnect Field | | --- | --- | | reason.name | Attribute: "Alert Rule" | | reason.id | Attribute: "Alert Rule ID" | | resource.id | - Attribute: "Description" (default) with additional custom mapping - Attribute: "Source" (default) with additional custom mapping - Attribute: "Additional Analysis and Context" with additional custom mapping - Name/Summary with additional custom mapping - Status with additional custom mapping | | id | Attribute: "External ID" | | created_at | - Event Date - External Date Added | | resource.basetypes[] | Tag | | reason.details.sources[] | Tag | | source | Tag | | tags | Tag | | N/A | Tag: "Source: Flashpoint Alert" | ### Alerts - Code Repositories ThreatConnect object type: Event Group | Flashpoint Ignite API Field | ThreatConnect Field | | --- | --- | | reason.name | Attribute: "Alert Rule" | | reason.id | Attribute: "Alert Rule ID" | | resource.id | - Attribute: "Description" (default) with additional custom mapping - Name/Summary with additional custom mapping - Status with additional custom mapping | | resource.url | Attribute: "Source" (default) with additional custom mapping | | id | Attribute: "External ID" | | created_at | - Event Date - External Date Added | | resource.basetypes[] | Tag | | reason.details.sources[] | Tag | | source | Tag | | tags | Tag | | data_type | Tag | | reason.origin | Tag | | resource.repo | Tag | | N/A | Tag: "Source: Flashpoint Alert" | ## Frequently Asked Questions (FAQ) **How are Flashpoint Ignite Vulnerability objects mapped to ThreatConnect objects?** Under Flashpoint Ignite’s Vulnerability structure, a single CVE-ID can be associated with multiple Flashpoint IDs (FPIDs), or multiple CVE-IDs can be associated with a single FPID. In version 1.0.0 of the **Flashpoint Ignite Threat Intelligence Engine** App, Flashpoint Ignite Vulnerabilities are mapped to Threat Groups in ThreatConnect. In version 1.0.1 and later versions, each CVE-ID representing a Flashpoint Ignite Vulnerability is mapped to a Vulnerability Group in ThreatConnect, and Common Weakness Enumeration (CWE™) IDs are mapped to Tags that are applied to Vulnerability and Threat Groups in ThreatConnect that correspond to Flashpoint Ignite Vulnerabilities. --- **Which Flashpoint Ignite data objects are modeled as Intrusion Sets in ThreatConnect?** The **Flashpoint Ignite Threat Intelligence Engine**App ingests and models the following Flashpoint Ignite data objects as Intrusion Set Groups in ThreatConnect: - Actor descriptions from the Flashpoint Events API endpoint - **Actor** Tags - **Actor Profile** Tags applied to Flashpoint Reports --- **How can I ingest more historical data from Flashpoint Ignite?** You can ingest more historical data from Flashpoint Ignite via the [**Add Job** button](/v1/docs/flashpoint-ignite-threat-intelligence-engine-integration-user-guide#add-a-job) on the **Jobs**screen of the **Flashpoint Ignite Threat Intelligence Engine** UI (Figure 2). When adding a Job, select an appropriate date range from which to ingest historical Flashpoint Ignite data. For Reports, FP Attributes, and Events, it is recommended to use an ingestion date range of 90 days or fewer. For Vulnerabilities, any ad-hoc Jobs with an ingestion date range greater than 2 days may interrupt the daily scheduled Job runs if the daily limit of 5000 calls per day to the Vulnerability Flashpoint API endpoints is reached. --- **The Service for the**Flashpoint Ignite Threat Intelligence Engine**App is not starting, and I am getting an error saying, “Required attributes are missing. Shutting down Flashpoint Ignite app.” What should I do next?** Follow Steps 1–8 in the [“Update the Flashpoint Ignite Threat Intelligence Engine App”](/v1/docs/flashpoint-ignite-threat-intelligence-engine-integration-user-guide#update-the-flashpoint-ignite-threat-intelligence-engine-app) section to retrieve the **attributes.json** file containing the most up-to-date Attribute Types for the **Flashpoint Ignite Threat Intelligence Engine** App and add those Attribute Types on the System level on your ThreatConnect instance. --- **Why do I not see any Vulnerability data from Flashpoint Ignite in the Source for the**Flashpoint Ignite Threat Intelligence Engine**App in ThreatConnect?** As of March 2025, Flashpoint Ignite does not support API access to Vulnerability data for Essential-tier membership. Vulnerability data are still available for users with the Vulnerability Intelligence Premium plan. --- **Why do I not see any Alert data from Flashpoint Ignite in the Source for the**Flashpoint Ignite Threat Intelligence Engine**App in ThreatConnect?** Double check that the Flashpoint Ignite API user associated with the Flashpoint Ignite token provided in the **Flashpoint Ignite Threat Intelligence Engine** App’s configuration is subscribed to each Alert Rule you want to ingest into ThreatConnect. See the [“Flashpoint Ignite Dependencies”](/v1/docs/flashpoint-ignite-threat-intelligence-engine-integration-user-guide#flashpoint-ignite-dependencies) section for more information. --- *ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc. Flashpoint® is a registered trademark of EJ2 Communications, Inc. JavaScript® is a registered trademark of Oracle Corporation. CVE® (Common Vulnerabilities and Exposures), MITRE ATT&CK®, and ATT&CK® are registered trademarks, and CWE™ (Common Weakness Enumeration) is a trademark, of The MITRE Corporation.* 30089-04 EN Rev. A