Flashpoint Intelligence Engine Integration User Guide

21 Nov 2023
7 Minutes to read

Print
Dark

Light

Flashpoint Intelligence Engine Integration User Guide

Updated on 21 Nov 2023
7 Minutes to read

Print
Dark

Light

Flashpoint is ending support for its FP Tools endpoints on September 1, 2024. Because this integration uses FP Tools endpoints, it is recommended to use the Flashpoint Ignite Threat Intelligence Engine App instead.

Article summary

Did you find this summary helpful?

Thank you for your feedback

Software Version

This guide applies to the Flashpoint Intelligence Engine App version 1.0.x.

Overview

The ThreatConnect^® integration with Flashpoint^® ingests Reports, Events, Indicators, Vulnerability, and Malware data from Flashpoint into ThreatConnect. These Groups and Indicators are stored and associated in ThreatConnect with select relevant context.

Dependencies

ThreatConnect Dependencies

Active ThreatConnect Application Programming Interface (API) key
ThreatConnect instance with version 7.0 or newer installed

Note

All ThreatConnect dependencies will be provided by default to subscribing ThreatConnect Cloud customers. Customers on Dedicated Cloud and On-Premises instances can enable these settings on the Account Settings screen within their ThreatConnect instance.

Flashpoint Dependencies

Active Flashpoint Intelligence token

Application Setup and Configuration

Installing the App

Log into ThreatConnect with a System Administrator account.
Install the Flashpoint Intelligence Engine App via TC Exchange™.
Use the ThreatConnect Feed Deployer to set up and configure the Flashpoint Intelligence Engine App.

Configuring ATT&CK Tag Conversion Rules

After installing and configuring the Flashpoint Intelligence Engine App, add the ThreatConnect Source that will contain the ingested Flashpoint data to the Approximate Match ATT&CK^® Tag conversion rule on the Tags tab of the System Settings screen in ThreatConnect (Figure 1). For instructions on performing this process, see the "Adding an Owner to a Conversion Rule" section of ATT&CK Tags.

Figure 1_Flashpoint Intelligence Engine Integration User Guide_Software Version 1.0

Completing this process will convert standard Tags applied to the ingested Flashpoint data that start with the letter “T” followed by a set of digits that map to a technique or sub-technique ID (e.g., T1055, T1055.001) to the corresponding ATT&CK Tag in ThreatConnect. Once the conversion is complete, you can leverage ThreatConnect's ATT&CK Visualizer to view tactics, techniques, and sub-techniques used by Groups ingested from Flashpoint.

Note

After Flashpoint data are ingested into ThreatConnect, there may be a slight delay before you see ATT&CK Tags applied to those data, due to the time it takes the ATT&CK Tag conversion process to run.

Configuration Parameters

Parameter Definitions

The parameters defined in Table 1 apply to the configuration parameters available when using the Feed Deployer to configure the App.

Name	Description	Required?
Sources to Create	The name of the Source to be created.	Yes
Owner	The Organization in which the Source will be created.	Yes
Launch Server	Select tc-job as the launch server for the Service corresponding to the Feed API Service App.	Yes
Data Types to Collect	Select one or more Flashpoint data types to be collected. Available choices include the following: Reports Events and Indicators Vulnerabilities	Yes
Report Tags to Filter	Enter a comma-separated list of Report tags by which to filter Flashpoint data. When multiple Report tags are provided, the App will use "OR" logic to filter Flashpoint data.	No
Indicator Types to Collect	Select one or more Flashpoint Indicator types to be collected. Available choices include the following: ASN Domain Email File IP Address Mutex Registry Key URL User Agent	Yes
Flashpoint Intelligence Token	The Flashpoint Intelligence token.	Yes

Flashpoint Intelligence Engine

After successfully configuring and activating the Feed API Service, you can access the Flashpoint Intelligence Engine user interface (UI). This UI allows you to interact with and manage the Flashpoint integration.

Follow these steps to access the UI:

Log into ThreatConnect with a System Administrator account.
On the top navigation bar, hover over Playbooks and select Services. The Services tab of the Playbooks screen will be displayed.
Locate the Flashpoint Intelligence Engine - Flashpoint Intelligence Feed API Service and then click the link in the Service’s API Path field. The DASHBOARD screen of the Flashpoint Intelligence Engine UI will open in a new browser tab.

The following screens are available in the Flashpoint Intelligence Engine UI:

DASHBOARD
JOBS
TASKS
DOWNLOAD
REPORT

DASHBOARD

The DASHBOARD screen (Figure 2) provides an overview of the total number of Events, Malware, Reports, Vulnerabilities, and Indicators retrieved from Flashpoint.

Figure 2_Flashpoint Intelligence Engine Integration User Guide_Software Version 1.0

Note

The numbers displayed on the DASHBOARD screen represent the count of threat intelligence objects that were processed by the App, including objects that were updated or processed again, and may not match the count of objects ingested into ThreatConnect.

JOBS

The JOBS screen (Figure 3) breaks down the ingestion of Flashpoint data into manageable Job-like tasks.

Job Type: If desired, select a Job type by which to filter Jobs. Available types include ad-hoc and scheduled.
Status:If desired, select a Job status by which to filter Jobs. Available statuses include the following:
1. Download In Progress
2. Download Complete
3. Convert In Progress
4. Convert Complete
5. Upload In Progress
6. Upload Complete
Request ID: If desired, enter text into this box to search for a specific Job by its request ID.
+ Add Request: Click this button to display the ADD REQUEST window (Figure 4). On this window, you can specify the date range, data types, Indicator types, and Report tags for an ad-hoc Job request. After a Job request is added, it will be displayed in the table on the JOBS screen (Figure 3), and its Job type will be listed as ad-hoc.

TASKS

The TASKS screen (Figure 5) is where you can view and manage the Tasks for each Job.

DOWNLOADS

The DOWNLOADS screen (Figure 6) is where you can view data for Reports, Events, Indicators, and Vulnerabilities exactly as they appear in Flashpoint.

Type: Select the type of object to download. Available options include Event and Indicator, Report, and Vulnerability.
ID(s): Enter the Flashpoint ID(s) for the object(s) to download. Data will be retrieved in JavaScript^® Object Notation (JSON) format.
Convert: Select this checkbox to convert the threat intelligence data to ThreatConnect batch format.
Enrich: Select this checkbox to submit the threat intelligence data to the ThreatConnect Batch API.

REPORTS

The REPORTS screen provides two views: BATCH ERRORS and REPORT UPLOAD TRACKER. The BATCH ERRORS screen (Figure 7) displays batch errors for each request in a tabular format. Details provided for each error include the error’s code, message, and reason.

The REPORT UPLOAD TRACKER screen (Figure 8) is where you can view attempts ThreatConnect made to download Reports from Flashpoint. The table on this screen displays the most recent date on which ThreatConnect attempted to download a Report, the number of times an attempt to download the Report was made, and whether the Report was downloaded successfully. You can also search for Reports by ID on this screen, which can be useful if you do not see a Flashpoint Report in ThreatConnect as expected.

Data Mappings

The data mappings in Table 2 through Table 6 illustrate how data are mapped from Flashpoint Intelligence API endpoints into the ThreatConnect data model.

Events

ThreatConnect object type: Event Group

Flashpoint API Field	ThreatConnect Field
event/tag/name	Associated Malware Group (See the "Malware" section for more details)
event/date	Attribute: "External Date Created"
event/info	Name/Summary
event/published_timestamp	Event Date
event/uuid	Attribute: "External ID"
event/attack_ids	Tag: "%mitre_attack_ttp_id%"
fpid	Attribute: "FP ID"
event/header_/indexed_at	Attribute: "External Date Last Modified"
href	Attribute: "Source"
malware_description	Associated Malware Group (See the "Malware" section for more details)

Indicators

ThreatConnect object type: Indicators (Address, ASN, Email Address, File, Host, Mutex, Registry Key, URL, User Agent)

Flashpoint API Field	ThreatConnect Field
event/attribute/category	Type
event/attribute/type	Type
event/attribute/value/*	Name/Summary
event/attribute/fpid	Attribute: "FP ID"
event/attribute/href	Attribute: "Source"
event/attribute/timestamp	Attribute: "External Date Created"
event/attribute/uuid	Attribute: "External ID"
event/attribute/uuid	Associated Event Group (See the "Events" section for more details)

Reports

ThreatConnect object type: Report Group

Flashpoint API Field	ThreatConnect Field
id	Attribute: "External ID"
	Associated Indicator (See the "Indicators" section for more details)
	Associated Event Group (See the "Events" section for more details)
google_document_id	Attribute: "Google Doc ID"
title	Name/Summary
summary	Attribute: "Description"
tags	Tag
body	Report File (Saved as HTML)
title_asset	Attribute: "Assets" (one Attribute per grouping) Asset Title: %title_asset% Title Asset ID: %title_asset_id% Assets: %assets% Assets IDs: %assets_ids%
title_asset_id
assets
assets_ids
posted_at	Published Date
platform_url	Attribute: "External References"
updated_at	Attribute: "External Date Last Modified"
published_status	Tag

Vulnerabilities

ThreatConnect object type: Vulnerability Group

Flashpoint API Field	ThreatConnect Field
id	Attribute: "External ID"
cpe/vulnerability	Attribute: "CPE Vulnerability"(one Attribute per grouping) CPE Vulnerability: %vulnerability% CPE Version: %cpe_version% Vulnerable Part: %part% Vulnerable Product: %product% Vulnerable Vendor: %vendor%
cpe/cpe_version
cpe/part
cpe/product
cpe/vendor
cve/vulnerability	Tag: "%cve id%"
first_observed_at/timestamp	Attribute: "First Seen"
last_observed_at/timestamp	Attribute: "Last Seen"
mitre/body/raw	Attribute: "Description"
mitre/site/title	Attribute: "Source MITRE" (one Attribute per grouping) Name: %site.title% MITRE FPID: %mitre.fpid% Source FPID: %mitre.site.fpid% Site Type: %site.site_type% URI: %source_uri% Created Date: %mitre.site.created_at["date-time"]% Updated Date: %mitre.site.updated_at["date-time"]% Status: %mitre.status%
mitre/fpid
mitre/site/fpid
mitre/site/site_type
mitre/site/source_uri
mitre/site/created_at["date-time"]
mitre/site/updated_at["date-time"]
mitre/status
mitre/site/tags/name	Tag
mitre/site/tags/parent_tag/name	Tag
nist/body/enrichments/links/href	Attribute: "NIST Description"
nist/configurations/cpe23_uri	Attribute: "CPE 23 URI"
nist/cvssv2/access_complexity	Attribute: "CVSS v2 Score" (one Attribute per grouping) Access Complexity v2: %access_complexity% Access Vector v2: %access_vector% Authentication v2: %authentication% Availity Impact v2: %availability_impact% CVSS Score v2: %cvssv2.base_score% Confidentiality Impact v2: %confidentiality_impact% Exploitability Score v2: %exploitability_score% Impact Score v2: %impact_score% Integrity Impact v2: %integrity_impact% Severity v2: %severity% Vector String v2: %vector_string%
nist/cvssv2/access_vector
nist/cvssv2/authentication
nist/cvssv2/availability_impact
nist/cvssv2.base_score
nist/cvssv2/confidentiality_impact
nist/cvssv2/exploitability_score
nist/cvssv2/impact_score
nist/cvssv2/integrity_impact
nist/cvssv2/severity
nist/cvssv2/vector_string
nist/cvssv3/attack_complexity	Attribute: "CVSS v3 Score" (one Attribute per grouping) Attack Complexity v3: %attack_complexity% Attack Vector v3: %attack_vector% Availability Impact v3: %availability_impact% CVSS Score v3: %base_score% Confidentiality Impact v3: %confidentiality_impact% Exploitability Score v3: %exploitability_score% Impact Score v3: %impact_score% Integrity Impact v3: %integrity_impact% Privileges Required: %privileges_required% Scope: %scope% Severity v3: %severity% User Interaction: %user_interaction% Vector String v3: %vector_string%
nist/cvssv3/attack_vector
nist/cvssv3/availability_impact
nist/cvssv3/base_score
nist/cvssv3/confidentiality_impact
nist/cvssv3/exploitability_score
nist/cvssv3/impact_score
nist/cvssv3/integrity_impact
nist/cvssv3/privileges_required
nist/cvssv3/scope
nist/cvssv3/severity
nist/cvssv3/user_interaction
nist/cvssv3/vector_string
nist/products/product_name	Attribute: "NIST Product" (one Attribute per grouping) Vulnerable Products: %product_name% Vulnerable Product Type: %type% Vulnerable Vendor Name: %vendor_name%
nist/products/type
nist/products/vendor_name
nist/references/url	Attribute: "External References"
nist/site/title	Attribute: "NIST Source" (one Attribute per grouping) Title: %nist.site.title% FPID: %nist.site.fpid% Site Type: %site_type% Tags: %tags.name% (comma separated) URI: %source_uri% Updated Date: %nist.updated_at["date-time"]%
nist/site/titlenist/site/fpid
nist/site/site_type
nist/site/tags/name
nist/site/source_uri
nist/site/updated_at/"date-time"
nist/vulnerability_types	Tag: "%cwe%"
title	Name/Summary

Malware

Note

Malware Groups are created based on Malware data returned from the Flashpoint /api/v4/indicators/event API endpoint. Also, the count on the MALWARE card on the DASHBOARD screen (Figure 1) may not match the count of Malware Groups created in ThreatConnect.

ThreatConnect object type: Malware Group

Flashpoint API Field	ThreatConnect Field
event/tag/name	Name/Summary
malware/wiki/body/raw	Attribute: "Description"
event/malware_description	Attribute: "Description"

Frequently Asked Questions (FAQ)

When would I want to use the + Add Request button on the Jobs screen?

The + Add Request button on the Jobs screen allows you to make ad-hoc requests for data within a specific date range. To retrieve reports for specific data types, use the Downloads screen.

How do I convert Tags applied to Flashpoint data in ThreatConnect to ATT&CK Tags?

Add the ThreatConnect Source that contains the ingested Flashpoint data to the Approximate Match ATT&CK Tag conversion rule on the Tags tab of the System Settings screen in ThreatConnect. For instructions on performing this process, see the "Adding an Owner to a Conversion Rule" section of ATT&CK Tags.

Completing this step will allow you to leverage ThreatConnect's ATT&CK Visualizer to view tactics, techniques, and sub-techniques used by Groups ingested from Flashpoint.

How much historical data does the Flashpoint Intelligence Engine App ingest from Flashpoint into ThreatConnect?

The Flashpoint Intelligence Engine App ingests Flashpoint data from the last 90 days.

ThreatConnect^® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.
Flashpoint^® is a registered trademark of Flashpoint.
JavaScript^® is a registered trademark of Oracle Corporation.
MITRE ATT&CK^® and ATT&CK^® are registered trademarks of The MITRE Corporation.

30080-01 EN Rev. A

Was this article helpful?

What's Next

Flashpoint Intelligence Reports Integration Installation and Configuration Guide

Table of contents

Overview
Dependencies
Configuration Parameters
Flashpoint Intelligence Engine
Data Mappings
Frequently Asked Questions (FAQ)

Company

Sales and Support