Intel 471 Intelligence Engine Integration User Guide
  • 21 Nov 2023
  • 9 Minutes to read
  • Dark
    Light

Intel 471 Intelligence Engine Integration User Guide

  • Dark
    Light

Article summary

Software Version
This guide applies to the Intel 471 Intelligence Engine App version 1.0.x.

Overview

The ThreatConnect® integration with Intel 471 Intelligence ingests Reports, Adversaries, Breaches, Malware, Vulnerabilities, and Indicators from Intel 471 into ThreatConnect. These Groups and Indicators are stored and associated in ThreatConnect with select relevant context.

Important

The first time you set up the Feed API Service for the Intel 471 Intelligence Engine App, the data will backfill to 30 days. During the process of backfilling data for the prior 30 days, you may reach your Intel 471 API daily limit. To increase the API limit for your account, contact Intel 471. Note that this daily limit resets at midnight GMT.

If you continue to reach the Intel 471 API daily limit after the App backfills data for the last 30 days, it is recommended to select a greater value for the App’s Update Time Interval In Hours setting.

Dependencies

ThreatConnect Dependencies

  • Active ThreatConnect Application Programming Interface (API) key
Note
All ThreatConnect dependencies will be provided by default to subscribing ThreatConnect Cloud customers. Customers on Dedicated Cloud and On-Premises instances can enable these settings on the Account Settings screen within their ThreatConnect instance.

Intel 471 Dependencies

  • Active Intel 471 API key
  • Active Intel 471 report subscriptions
    • Adversary Intelligence
    • Breach Intelligence
    • Malware Intelligence
    • Vulnerability Intelligence
Note
The Intel 471 Intelligence Engine may seem like it is running for a subscription that you may not have. In this scenario, contact Intel 471 for assistance with subscribing to a new report.

Application Setup and Configuration

  1. Log into ThreatConnect with a System Administrator account.
  2. Install the Intel 471 Intelligence Engine App via TC Exchange™.
  3. Use the ThreatConnect Feed Deployer to set up and configure the Intel 471 Intelligence Engine App.

Configuration Parameters

Parameter Definitions

The parameters defined in Table 1 apply to the configuration parameters available when using the Feed Deployer to configure the App.

 

NameDescriptionRequired?
Sources to CreateThe name of the Source to be created.Yes
OwnerThe Organization in which the Source will be created.Yes
Launch ServerSelect tc-job as the launch server for the Service corresponding to the Feed API Service App.Yes
Intel Reports to IngestSelect one or more Intel 471 report subscriptions from which data will be ingested. Available choices include the following:
  • Adversary
  • Breach
  • Malware
  • Vulnerability
Yes
Intel 471 API UsernameThe Intel 471 username. Yes
Intel 471 API KeyThe Intel 471 API key.Yes
Update Time Interval in HoursSelect the interval, in hours, at which the App will ingest Intel 471 data. Available choices include the following:
  • 4
  • 8
  • 12
  • 24
Yes

Intel 471 Intelligence Engine App UI

After successfully configuring and activating the Feed API Service in ThreatConnect, you can access the Intel 471 Intelligence Engine App user interface (UI). This UI allows you to interact with and manage ThreatConnect's Intel 471 integration.

Follow these steps to access the Intel 471 Intelligence Engine App UI:

  1. Log into ThreatConnect with a System Administrator account.
  2. On the top navigation bar, hover over Playbooks and select Services. The Services tab of the Playbooks screen will be displayed. 
  3. Locate the Intel 471 Intelligence Engine Feed API Service and then click the link in the Service’s API Path field. The DASHBOARD screen of the Intel 471 Intelligence Engine UI will open in a new browser tab.

The following screens are available in the Intel 471 Intelligence Engine App UI:

  • DASHBOARD
  • JOBS
  • TASKS
  • DOWNLOAD
  • REPORT

DASHBOARD

The DASHBOARD screen (Figure 1) provides an overview of the total number of Adversaries, Adversary Reports, Breach Reports, Indicators, Malware, Malware Reports, Signatures, and Vulnerabilities retrieved from Intel 471.

Figure 1_Intel 471 Intelligence Engine Integration User Guide_Software Version 1.0

 

Note
The numbers displayed on the DASHBOARD screen represent the count of threat intelligence objects that were processed by the App, including objects that were updated or processed again, and may not match the count of objects in ThreatConnect.

JOBS

The JOBS screen (Figure 2) breaks down the ingestion of Intel 471 data into manageable Job-like tasks.

 

  • Job Type: If desired, select a Job type by which to filter Jobs. Available types include ad-hoc and scheduled
  • Status:If desired, select a Job status by which to filter Jobs. Available statuses include the following:
    1. Download In Progress
    2. Download Complete
    3. Convert In Progress
    4. Convert Complete
    5. Upload In Progress
    6. Upload Complete
  • Request ID: If desired, enter text into this box to search for a specific Job by its request ID.
  • + Add Request: Click this button to display the ADD REQUEST window (Figure 3). On this window, you can specify the date range and object types for an ad-hoc Job request. After a Job request is added, it will be displayed in the table on the JOBS screen (Figure 2), and its Job type will be listed as ad-hoc.

     

TASKS

The TASKS screen (Figure 4) is where you can view and manage the Tasks for each Job.

 

DOWNLOADS

The DOWNLOADS screen (Figure 5) is where you can view data for Adversaries, Breaches, Malware Families, and Vulnerabilities exactly as they appear in Intel 471.

 

  • Type: Select the type of object to download. Available options include Adversary, Breach, Malware Families, and Vulnerability.
  • ID(s): Enter the Intel 471 ID(s) for the object(s) to download. Data will be retrieved in JavaScript® Object Notation (JSON) format.
  • Convert: Select this checkbox to convert the threat intelligence data to ThreatConnect batch format.
  • Enrich: Select this checkbox to submit the threat intelligence data to the ThreatConnect Batch API.

REPORTS

The REPORTS screen provides two views: BATCH ERRORS and REPORT UPLOAD TRACKER. The BATCH ERRORS screen (Figure 6) displays batch errors for each request in a tabular format. Details provided for each error include the error’s code, message, and reason.

 

The REPORT UPLOAD TRACKER screen (Figure 7) is where you can view attempts ThreatConnect made to download reports from Intel 471. The table on this screen displays the most recent date on which ThreatConnect attempted to download a report, the number of times an attempt to download the report was made, and whether the report was downloaded successfully. You can also search for reports by ID on this screen, which can be useful if you do not see an Intel 471 report in ThreatConnect as expected.

 

Data Mappings

The data mappings in Table 2 through Table 11 illustrate how data are mapped from Intel 471 Intelligence API endpoints into the ThreatConnect data model.

Actor

ThreatConnect object type: Adversary Group

 

Intel 471 API FieldThreatConnect Field
uidAttribute: "External ID"
handlesAttribute: "Aliases" (one Attribute per handle)
links/forumTotalCountAttribute: "Total Count of Forums"
links/forumPrivateMessageTotalCountAttribute: "Total Count of Private Messages"
links/forumPostTotalCountAttribute: "Total Count of Posts"
links/reportTotalCountAttribute: "Total Count of Reports"
links/instantMessageServerTotalCountAttribute: "Total Count of IM Servers"
links/instantMessageChannelTotalCountAttribute: "Total Count of IM Topics"
links/instantMessageTotalCountAttribute: "Total Count of IMs"
links/instantMessageServers/{index}/uidAttribute: "IM Server" (one concatenated Attribute per grouping)
  • uid: %uid%
  • serviceType: %serviceType%
  • name: %name%
links/instantMessageServers/{index}/serviceType
links/instantMessageServers/{index}/name
links/forums/{index}/forumAttribute: "Forum" (one concatenated Attribute per grouping)
  • Forum ID: %uid%
  • Forum Name: %name%
  • Actor Handle: %actorHandle%
  • Contact Type: %type%
  • Contact Value: %value%
  • TimeZone: %timeZone%
links/forums/{index}/uid
links/forums/{index}/name
links/forums/{index}/actorHandle
links/forums/{index}/timeZone
links/forums/{index}/contactInfo
links/forums/{index}/contactInfo/{index}/item/value
links/forums/{index}/contactInfo/{index}/itemN/A
links/forums/{index}/contactInfo/{index}/item/typeN/A
links/reportsAdversary-to-Report Association
links/reports/{index}/report
links/reports/{index}/actorHandleAttribute: "Aliases" (one Attribute per handle)
activeFromAttribute: "First Seen"
activeUntilAttribute: "Last Seen"
lastUpdatedAttribute: "External Date Last Modified"

Adversary Intelligence Report

ThreatConnect object type: Report Group

 

Intel 471 API FieldThreatConnect Field
uidAttribute: "External ID"
documentFamilyN/A
documentTypeAttribute: "Report Type"
admiraltyCodeAttribute: "Admiralty Code"
motivationAttribute: "Adversary Motivation Type"
subjectName/Summary
researcherCommentsAttribute: "Additional Analysis and Context"
rawTextUploaded File
rawTextTranslatedN/A
executiveSummaryAttribute: "Description"
createdAttribute: "External Date Created"
dateOfInformationAttribute: "Date of Information"
sourceCharacterizationAttribute: "Source Characterization"
relatedReports/{index}/uidReport-to-Report Association
relatedReports/{index}/documentFamily
entities/{index}/type See Table 11
locations/{index}/linkAttribute: "Region & Country"
  • Region: %: % (region)
  • Country: % (country)
  • Link: % (link)
locations/{index}/region
locations/{index}/country
tags/{index}Tag
portalReportUrlAttribute: "Report URL"
lastUpdatedLast Modified
sources/{index}/urlAttribute: "Sources" (one concatenated Attribute per grouping)
  • URL: %: % (url)
  • Title: % (title)
  • Type: % (type)
sources/{index}/title
sources/{index}/type
sources/{index}/indexN/A
actorSubjectOfReport/{index}/handleN/A
actorSubjectOfReport/{index}/aliasesAttribute: "Aliases"
classification/intelRequirementsTag: "GIR: %"
reportAttachments/{index}/fileNameAttribute: "Report Attachment"
  • File Name: filename
  • URL: url
  • File Size: fileSize
  • Mime Type: mimeType
  • Description: description
  • Malicious: malicious
reportAttachments/{index}/url
reportAttachments/{index}/fileSize
reportAttachments/{index}/mimeType
reportAttachments/{index}/description
reportAttachments/{index}/malicious

Malware Intelligence Report

ThreatConnect object type: Report Group

 

Intel 471 API FieldThreatConnect Field
malwareReportTotalCountN/A
malwareReportsPartialResultN/A
malwareReportsN/A
malwareReports/{index}/uidAttribute: "External ID"
malwareReports/{index}/activity/firstAttribute: "First Seen"
malwareReports/{index}/activity/lastAttribute: "Last Seen"
malwareReports/{index}/meta/versionN/A
malwareReports/{index}/data/threat/uidN/A
malwareReports/{index}/data/threat/typeN/A
malwareReports/{index}/data/threat/data/familyN/A
malwareReports/{index}/data/threat/data/
malware_family_profile_uid
N/A
malwareReports/{index}/data/threat/data/versionN/A
malwareReports/{index}/malware_report_data/titleName/Summary
malwareReports/{index}/malware_report_data/textN/A
malwareReports/{index}/malware_report_data/
attachments
Attribute: "Report Attachment"
  • File Name: fileName
  • URL: url
  • File Size: fileSize
  • Mime Type: mimeType
  • Description: description
  • Malicious: malicious
malwareReports/{index}/malware_report_data/
related_reports
N/A
malwareReports/{index}/malware_report_data/
released_at
Publish Date
malwareReports/{index}/last_updatedAttribute: "External Date Last Modified"

Related Indicators

ThreatConnect object type: Indicator (all types)

 

Intel 471 API FieldThreatConnect Field
indicatorTotalCountN/A
indicatorsN/A
indicators/{index}/data/uidN/A
indicators/{index}/data/source_idN/A
indicators/{index}/data/threat/typeN/A
indicators/{index}/data/threat/uidIndicator-to-Malware Association
indicators/{index}/data/threat/data/
malware_family_profile_uid
Indicator-to-Malware Association
indicators/{index}/data/threat/data/familyIndicator-to-Malware Association
indicators/{index}/data/threat/data/versionN/A
indicators/{index}/data/expirationAttribute: "External Date Expires"
indicators/{index}/data/confidenceAttribute: "Confidence"
indicators/{index}/data/context/descriptionAttribute: "Description"
indicators/{index}/data/mitre_tacticsTag: "MITRE Tactic: %"
indicators/{index}/data/indicator_typeIndicator Type
indicators/{index}/data/indicator_data/addressAddress Indicator
indicators/{index}/data/indicator_data/urlURL Indicator
indicators/{index}/data/indicator_data/domainHost Indicator
indicators/{index}/data/indicator_data/mutexMutex Indicator
indicators/{index}/data/indicator_data/
windows_registry_key
Registry Key Indicator
indicators/{index}/data/indicator_data/fileFile Indicator
indicators/{index}/data/indicator_data/file/sha1File Indicator
indicators/{index}/data/indicator_data/file/sha256File Indicator
indicators/{index}/data/indicator_data/file/md5File Indicator
indicators/{index}/data/indicator_data/file/typeAttribute: "File Type"
indicators/{index}/data/indicator_data/file/sizeFile Indicator: File Size
indicators/{index}/data/indicator_data/file/
download_url
Attribute: "Sample Download Link"
indicators/{index}/data/intel_requirementsTag: "GIR: %"
indicators/{index}/meta/versionN/A
indicators/{index}/last_updatedLast Modified
indicators/{index}/uidAttribute: "External ID"
indicators/{index}/activity/firstAttribute: "First Seen"
indicators/{index}/activity/lastAttribute: "Last Seen"

GIR Tags

ThreatConnect object type: Tags

 

Intel 471 API FieldThreatConnect Field
girs/{index}/data/gir/pathTag: "GIR: % %" (path, name)
girs/{index}/data/gir/name

Malware 

ThreatConnect object type: Malware Group

 

Intel 471 API FieldThreatConnect Field
malwareReportTotalCountN/A
malwareReports/data/threat/uidAttribute: "External ID"
malwareReports/data/threat/typeAttribute: "Malware Threat Type"
malwareReports/data/threat/data/familyName/Summary
malwareReports/data/threat/data/
malware_family_profile_uid
Attribute: "External ID"
malwareReports/data/malware_report_data/textAttribute: "Malware Report Text"
malwareReports/data/malware_report_data/
released_at
Attribute: "Report Published Date"
malwareReports/meta/versionN/A
malwareReports/last_updatedLast Modified
malwareReports/uidN/A
malwareReports/classification/intelRequirements[]Tag: "GIR: %"
activity/firstAttribute: "First Seen"
activity/lastAttribute: "Last Seen"

Malware Family YARA Signatures

ThreatConnect object type: Signature Group

 

Intel 471 API FieldThreatConnect Field
yaraTotalCountN/A
yaras/{index}/uidAttribute: "External ID"
yaras/{index}/data/threat/typeSignature-to-Malware Association
yaras/{index}/data/threat/uid
yaras/{index}/data/threat/data/
malware_family_profile_uid
yaras/{index}/data/threat/data/family
yaras/{index}/data/yara_data/titleName/Summary
yaras/{index}/data/yara_data/signatureSignature File Contents
yaras/{index}/data/confidenceAttribute: "Confidence"
yaras/{index}/data/intel_requirementsTag: "GIR: %"
yaras/{index}/meta/versionN/A
yaras/{index}/last_updatedLast Modified
yaras/{index}/activity/firstAttribute: "First Seen"
yaras/{index}/activity/lastAttribute: "Last Seen"

Vulnerability Report Search

ThreatConnect object type: Vulnerability Group

 

Intel 471 API FieldThreatConnect Field
cveReportsTotalCountN/A
partialResultN/A
cveReports/{index}/uidAttribute: "External ID"
cveReports/{index}/data/cve_report/nameName/Summary
cveReports/{index}/data/cve_report/cve_typeAttribute: "CVE Type"
cveReports/{index}/data/cve_report/risk_levelAttribute: "CVE Threat Level"
cveReports/{index}/data/cve_report/vendor_nameAttribute: "Vulnerable Vendor"
cveReports/{index}/data/cve_report/product_nameAttribute: "Vulnerable Product"
cveReports/{index}/data/cve_report/cve_statusAttribute: "CVE Status"
cveReports/{index}/data/cve_report/interest_level/
disclosed_publicly
Attribute: "Interest Level" (one Attribute per grouping)
cveReports/{index}/data/cve_report/interest_level/
researched_publicly
cveReports/{index}/data/cve_report/interest_level/
exploit_sought
cveReports/{index}/data/cve_report/activity_location/
location_opensource
Attribute: "Activity Location" (one Attribute per grouping)
cveReports/{index}/data/cve_report/activity_location/
location_underground
cveReports/{index}/data/cve_report/activity_location/
location_private
cveReports/{index}/data/cve_report/exploit_status/
available
Attribute: "Exploits" (one Attribute per grouping)
cveReports/{index}/data/cve_report/exploit_status/
weaponized
cveReports/{index}/data/cve_report/exploit_status/
productized
cveReports/{index}/data/cve_report/exploit_status/
not_observed
cveReports/{index}/data/cve_report/cvss_score/v2Attribute: "CVSS v2 Score"
cveReports/{index}/data/cve_report/cvss_score/v3Attribute: "CVSS v3 Score"
cveReports/{index}/data/cve_report/patch_statusAttribute: "Patch Status"
cveReports/{index}/data/cve_report/detectionAttribute: "Detection"
cveReports/{index}/data/cve_report/
underground_activity
Attribute: "Underground Activity"
cveReports/{index}/data/cve_report/
underground_activity_summary
Attribute: "Summary"
cveReports/{index}/data/cve_report/summaryAttribute: "Description"
cveReports/{index}/data/cve_report/titan_links/
{index}/title

Attribute: "External References"

Note
Due to this Attribute Type's length limit, each link will be in its own Attribute.
cveReports/{index}/data/cve_report/titan_links/
{index}/url
cveReports/{index}/data/cve_report/poc
Attribute: "External References"

Note
Due to this Attribute Type's length limit, each link will be in its own Attribute.
cveReports/{index}/data/cve_report/poc_links/
{index}/title
cveReports/{index}/data/cve_report/poc_links/
{index}/url
cveReports/{index}/data/cve_report/
counter_measures
Attribute: "Course of Action Recommendation" (one concatenated Attribute per grouping)
  • Counter Measures: counter_measures
  • Counter Measure Title: title
  • Counter Measure URL:URL
cveReports/{index}/data/cve_report/
counter_measure_links/{index}/title
cveReports/{index}/data/cve_report/
counter_measure_links/{index}/url
cveReports/{index}/data/cve_report/
patch_links/{index}/title
Attribute: "Course of Action Taken" (one concatenated Attribute per grouping)
  • Patch Links Title: title
  • Patch Links URL: URL
cveReports/{index}/data/cve_report/
patch_links/{index}/url
cveReports/{index}/data/cve_report/cpe/
cve_data_version
Attribute: "Vulnerable CPE" (one concatenated Attribute per grouping)
  • CVE Data Version: cve_data_version
  • Operator: operator
  • CPE Match Vulnerable: vulnerable
  • CPE Match 23 uri: cpe23Uri
cveReports/{index}/data/cve_report/cpe/
nodes/{index}/operator
cveReports/{index}/data/cve_report/cpe/
nodes/{index}/cpe_match/{index}/vulnerable
cveReports/{index}/data/cve_report/cpe/
nodes/{index}/cpe_match/{index}/cpe23Uri
cveReports/{index}/classification/
intel_requirements
Tags: "GIR: %"
cveReports/{index}/last_updatedLast Modified
cveReports/{index}/activity/firstAttribute: "First Seen"
cveReports/{index}/activity/lastAttribute: "Last Seen"

Breach Alerts

ThreatConnect object type: Report Group

 

Intel 471 API FieldThreatConnect Field
breach_alerts/activity/firstAttribute: "First Seen"
breach_alerts/activity/lastAttribute: "Last Seen"
breach_alerts/lastupdatedAttribute: "External Date Last Modified"
breach_alerts/uidAttribute: "External ID"
breach_alerts/data/uidN/A
data/breach_alerts/date_of_informationAttribute: "Date of Discovery"
data/breach_alerts/confidence/levelAttribute: "Confidence"
data/breach_alerts/summaryAttribute: "Description"
data/breach_alerts/intel_requirementsTags: "GIR: %"
data/breach_alerts/released_atPublish Date
data/breach_alerts/titleAttribute: "Report Title"
data/breach_alerts/victimAttribute: "Breach Alert Victim" (one concatenated Attribute per grouping)
  • Name: name
  • Industry: industry
  • Sector: sector
  • URL: urls
  • Country: country
  • Revenue: revenue
  • Region: region

data/breach_alert/victim/name
data/breach_alert/victim/industries/industry
data/breach_alert/victim/industries/sector
data/breach_alert/victim/urls
data/breach_alert/victim/country
data/breach_alert/victim/revenue
data/breach_alert/victim/region
data/breach_alerts/sources/urlAttribute: "Source" (one concatenated Attribute per grouping)
  • Date: date
  • Source Type: source type
  • Title: title
  • Urls: urls
  • Type: type
data/breach_alerts/sources/source_type
data/breach_alerts/sources/date
data/breach_alerts/sources/title
data/breach_alerts/sources/type
data/breach_alerts/actor_or_groupAttribute: "Actor or Group"
data/entities/typeAttribute: "Additional Analysis and Context"
  • Entity Type: type
  • Entity value: value
data/entities/value
data/breach_alerts/N/A

Entity

 

Intel 471 API FieldThreatConnect Field
ActorDomainHost Indicator
ActorOtherWebsiteURL Indicator
AIMAttribute: "Social Media: AIM"
AutonomousSystemASN Indicator
BitcoinAddressAttribute: "Bitcoin Address"
BitcoinTransactionIDAttribute: "Bitcoin Transaction ID"
CveIDVulnerability Group
DiscordAttribute: "Social Media: Discord"
EcurrencyAttribute: "Ecurrency"
EmailAddressEmail Address Indicator
FacebookAttribute: "Social Media: Facebook"
FileNameAttribute: "File Name"
FileSizeAttribute: "File Size"
FileTypeAttribute: "File Type"
GitHubAttribute: "Github"
HandleAdversary Group
ICQAttribute: "Social Media: ICQ"
InstagramAttribute: "Social Media: Instagram"
IPAddressAddress Indicator
IPv4PrefixAttribute:" IPv4 Prefix"
IPv6PrefixAttribute: "IPv6 Prefix"
JabberAttribute: "Social Media: Jabber"
LinkedInAttribute: "Social Media: LinkedIn"
MaliciousDomainHost Indicator
MaliciousURLURL Indicator
MD5File Indicator
MoiMirAttribute: "Social Media: Moimir"
MSNAttribute: "MSN"
OdnoklassnikiAttribute: "Social Media: Odnoklassniki"
OtherCryptoCurrenciesAttribute: "Other CryptoCurrencies"
PasswordAttribute: "Password"
PasswordHashAttribute: "Password Hash"
PerfectMoneyIDAttribute: "Perfect Money ID"
PGPKeyAttribute: "PGP Key"
PGPKeyIDAttribute: "PGP Key ID"
PhoneAttribute: Phone
QiwiWalletAttribute: "QIWI Wallet"
QQAttribute: "Social Media: QQ"
SHA1File Indicator
SHA256File Indicator
SkypeAttribute: "Social Media: Skype"
SSLCertificateAttribute: "SSL Certificate"
SSLCertificateFingerprintAttribute: "SSL Certificate Fingerprint"
SSLCertificateIDAttribute: "SSL Certificate ID"
TagTag
TelegramAttribute: "Social Media: Telegram"
ToxAttribute: "Social Media: Tox"
TwitterAttribute: "Social Media: Twitter"
URLURL Indicator
VKAttribute: "Social Media: VK"
WebMoneyIDAttribute: "WebMoney ID"
WebMoneyPurseAttribute: "WebMoney Purse"
WeChatAttribute: "Social Media: WeChat"
WickrAttribute: "Social Media: Wickr"
YahooIMAttribute: "Social Media: YahooIM"
YandexMoneyAttribute: "Yandex.Money"

Frequently Asked Questions (FAQ)

Are there any limitations I should be aware of?

The first time you set up the Feed API Service, the data will backfill to 30 days. During the process of backfilling data for the prior 30 days, you may reach your Intel 471 API daily limit. To increase the API limit for your account, contact Intel 471. Note that this daily limit resets at midnight GMT.

If you continue to reach the Intel 471 API daily limit after the App backfills data for the last 30 days, it is recommended to select a greater value for the App's Update Time Interval In Hours setting.

How can I tell which Intel 471 report an Indicator is from? 

Any data ingested from Intel 471 will have one of these four Tags applied to them: 

  • "Source: Intel 471 Adversary Intelligence Feed"
  • "Source: Intel 471 Breach Intelligence Feed"
  • "Source: Intel 471 Malware Intelligence Feed"
  • "Source: Intel 471 Vulnerability Intelligence Feed" 

Why do I want to use the + Add Request button on the Jobs screen?

The + Add Request button on the Jobs screen allows you to make ad-hoc requests from a certain date range. To retrieve reports for specific object types, use the Downloads screen. 

How does the Intel 471 Intelligence Engine Feed API Service App differ from the previous Intel 471 Job App?

See Feed API Services for more information on how Feed API Service Apps function.

No new data are being ingested from Intel 471 into my ThreatConnect instance. What happened?

As you approach your Intel 471 API daily limit, Intel 471 will handle only one request per minute and then eventually return a 429 error until the daily limit resets at midnight GMT. Similarly, if there are multiple requests occurring at the same time, Intel 471 will handle one request per minute until the daily limit resets at midnight GMT. To increase the API limit for your account, contact Intel 471.


ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.
JavaScript® is a registered trademark of Oracle Corporation.

30078-02 EN Rev. A


Was this article helpful?