Intel 471 Intelligence Engine Integration User Guide

24 Sep 2025
12 Minutes to read

Print
Dark

Light
PDF

Intel 471 Intelligence Engine Integration User Guide

Updated on 24 Sep 2025
12 Minutes to read

Print
Dark

Light
PDF

Article summary

Did you find this summary helpful?

Thank you for your feedback!

Software Version

This guide applies to the Intel 471 Intelligence Engine App version 1.0.7.

Overview

The ThreatConnect^® integration with Intel 471 Intelligence ingests Reports, Adversaries, Breaches, Malware, Vulnerabilities, and Indicators from Intel 471 into ThreatConnect. These Groups and Indicators are stored and associated in ThreatConnect with select relevant context.

Important

The first time you set up the Feed API Service for the Intel 471 Intelligence Engine App, the data will backfill to 30 days. During the process of backfilling data for the prior 30 days, you may reach your Intel 471 API daily limit. To increase the API limit for your account, contact Intel 471. Note that this daily limit resets at midnight GMT.

If you continue to reach the Intel 471 API daily limit after the App backfills data for the last 30 days, it is recommended to select a greater value for the App’s Advanced Settings parameter to increase the interval at which Intel 471 data are ingested. See the first FAQ in the "Frequently Asked Questions (FAQ)" section for more information.

Dependencies

ThreatConnect Dependencies

Active ThreatConnect Application Programming Interface (API) key

Note

All ThreatConnect dependencies will be provided by default to subscribing ThreatConnect Cloud customers. Customers on Dedicated Cloud and On-Premises instances can enable these settings on the Account Settings screen within their ThreatConnect instance.

Intel 471 Dependencies

Active Intel 471 API key
Active Intel 471 report subscriptions
- Adversary Intelligence
- Breach Intelligence
- Malware Intelligence
- Vulnerability Intelligence

Note

The Intel 471 Intelligence Engine App may seem like it is running for a subscription that you may not have. In this scenario, contact Intel 471 for assistance with subscribing to a new report.

Application Setup and Configuration

Follow these steps to install and configure the Intel 471 Intelligence Engine App via TC Exchange™:

Log into ThreatConnect with a System Administrator account.
From the Settingsmenu on the navigation bar, select TC Exchange Settings. Then select the Catalog tab on the TC Exchange Settings screen.
Locate the Intel 471 Intelligence Engine App on the Catalog tab. Then click Install in the Options column to install the App.
After you install the Intel 471 Intelligence Engine App, the Feed Deployer will open automatically. Use the Feed Deployer to set up and configure the Intel 471 Intelligence Engine App. See the “Configuration Parameters” section for more information on the parameters available during the configuration and deployment process.

Configuration Parameters

Parameter Definitions

The parameters defined in Table 1 apply to the configuration parameters available when using the Feed Deployer to configure the App.

Name	Description	Required?
Source Tab
Sources to Create	Enter the name of the source for the feed	Required
Owner	Select the organization in which the Source is created.	Required
Activate Deprecation	Select this checkbox to allow confidence deprecation rules to be created and applied to Indicators in the Source.	Optional
Create Attributes	Select this checkbox to allow custom Attribute Types to be created in the Source.	Optional
Parameters Tab
Launch Server	Select tc-job as the launch server for the Service corresponding to the Feed API Service App.	Required
Intel Reports to Ingest	Select one or more Intel 471 report subscriptions from which data will be ingested. Available choices include the following: Adversary Breach Malware Vulnerability	Required
Advanced Settings	Use this field to specify the interval, in days, at which the App will ingest Intel 471 data. The default interval is 1 day. Important While you may use this field to modify your data ingest interval, doing so is not recommended, as it may result in application timeout. See the first FAQ in the “Frequently Asked Questions (FAQ)” section for details about a situation for which an adjustment to this parameter is appropriate.	Optional
Variables Tab
Intel 471 Intelligence API Key	The Intel 471 Intelligence API key.	Required
Intel 471 Intelligence API Username	The Intel 471 Intelligence API username.	Required
Confirm Tab
Run Feeds after deployment	Select this checkbox to run the Intel 471 Intelligence Engine App immediately after the deployment configuration is complete (i.e., after you click DEPLOY on the Feed Deployer window).	Optional
Confirm Deployment Over Existing Source	This checkbox will be displayed if the Source entered in the Sources to Create field has previously been deployed to the Organization selected in the Owner dropdown on the Source tab. Select this checkbox to confirm that you want the Intel 471 Intelligence Engine App to write data to the same Source. This process will create a new Service for the Intel 471 Intelligence Engine App. As such, it is recommended that you delete the old Service associated with the Intel 471 Intelligence Engine App after the new one is created. Important If you do not select this checkbox, the DEPLOY button will be grayed out, and you will not be able to deploy the Service. Return to the Source tab and enter a different Source or select a different Organization and then proceed through the tabs of the Feed Deployer window again.	Optional

Intel 471 Intelligence Engine App UI

After successfully configuring and activating the Feed API Service, you can access the Intel 471 Intelligence Engine App user interface (UI). This UI allows you to interact with and manage ThreatConnect’s Intel 471 Intelligence integration.

Follow these steps to access the Intel 471 Intelligence Engine App UI:

Log into ThreatConnect with a System Administrator account.
From the Automation & Feeds dropdown on the top navigation bar, select Services.
Locate and turn on the Intel 471 Intelligence Engine Feed API Service.
Click the link in the Service’s API Path field. The Intel 471 Intelligence Engine App will open in a new browser tab.

The following screens are available in the Intel 471 Intelligence Engine App UI:

Dashboard
Jobs
Tasks
Download
Batch Errors
Attachment Status

Dashboard

The Dashboard screen (Figure 1) provides an overview of the total number of Adversary Reports, Breach Reports, Indicators, Malware Reports, Signatures, and Vulnerabilities retrieved from Intel 471.

Note

The numbers displayed on the Dashboard screen represent the count of threat intelligence objects that were processed by the App, including objects that were updated or processed again, and may not match the count of objects in ThreatConnect.

Figure 1_Intel 471 Intelligence Engine Integration User Guide_Software Version 1.0.7

Jobs

The Jobs screen (Figure 2) breaks down the ingestion of Intel 471 Intelligence Engine data into manageable Job-like tasks, displaying all processes that are pending, in progress, complete, and failed. The ⋯ menu in a Job’s row provides the following options:

Details: View details for the Job, such as download, convert, and upload start and complete times and counts of downloaded and batched Groups and Indicators.
Download Files: Download metadata files for all Jobs and data (convert, download, and upload) files for completed Jobs.
Batch Errors: View errors that have occurred for the Job on the Batch Errors screen.

Figure 2_Intel 471 Intelligence Engine Integration User Guide_Software Version 1.0.7

You can filter Intel 471 Intelligence Engine App Jobs by the following elements:

Job ID: Enter text into this box to search for a Job by its Job ID.
Job Type: Select Job types to display on the Jobs screen.
Status: Select Job statuses to display on the Jobs screen.

Add a Job

You can add ad-hoc Jobs on the Jobs screen. Follow these steps to create a request for an ad-hoc Job for the Intel 471 Intelligence Engine App:

Click Add Job (Figure 2).
Fill out the fields on the Add Job drawer (Figure 3) as follows:

Figure 3_Intel 471 Intelligence Engine Integration User Guide_1.0.7

Start Time: (Optional) Enter the time at which the Job should start.
End Time: (Optional) Enter the time by which the Job should end.
Types: (Optional) Select the object types to include in the Job.
Click Submit to submit the request for the ad-hoc Job.

Tasks

The Tasks screen (Figure 4) displays all Tasks that may be part of a Job, including each step of the download, convert, and upload processes, as well as Tasks for the ThreatConnect Intel 471 Intelligence Engine App, such as Monitor, Schedule Downloads, and Cleaner. The current status (Idle, Paused, or Running), name, description, and heartbeat timeout length, in minutes, are displayed for each Task. The ⋯ menu in a Task’s row provides the following options, depending on the Task’s status:

Run (idle and paused Tasks only)
Pause (idle and running Tasks only)
Resume (paused Tasks only)
Kill (running Tasks only)

Under the table is a dashboard where you can view runtime analytics.

Figure 4_Intel 471 Intelligence Engine Integration User Guide_Software Version 1.0.7

Download

The Download screen (Figure 5) lets you download JavaScript® Object Notation (JSON) data for Intel 471 objects and then upload the data into ThreatConnect.

Figure 5_Intel 471 Intelligence Engine Integration User Guide_Software Version 1.0.7

Follow these steps to download JSON data for an Intel 471 Intelligence object on the Download screen and then upload the data into ThreatConnect:

Type: Select an Intel 471 Intelligence object type to download.
External ID: Enter one or more Intel 471 External IDs for the objects to download, separating each ID with a comma.
Click Download. The JSON data will be displayed in two columns: Results (raw JSON data) and Converted (JSON data in ThreatConnect batch format) (Figure 6).
Click Upload to submit the converted Threat intelligence data via the ThreatConnect Batch API.

Batch Errors

The Batch Errors screen (Figure 7) displays an overview of the batch error types that have occurred for Job requests. You can enter keywords to filter by Job ID.

Figure 7_Intel 471 Intelligence Engine Integration User Guide_Software Version 1.0.7

Select an error type to open a drawer containing a table with details on all batch errors of that type (Figure 8). You can enter keywords to filter by reason for error.

Figure 8 _Intel 471 Intelligence Engine Integration User Guide_1.0.7

Attachment Status

The AttachmentStatus screen (Figure 9) displays a table with details on ThreatConnect's attempts to download Report attachments from Intel 471 Intelligence. You can enter Intel 471 External IDs for Groups to filter the table by Group ID, which can be useful if you do not see an Intel 471 Intelligence attachment in ThreatConnect as expected, or by status.

Figure 9_Intel 471 Intelligence Engine Integration User Guide_Software Version 1.0.7

Data Mappings

The data mappings in Table 2 through Table 11 illustrate how data are mapped from Intel 471 Intelligence API endpoints into the ThreatConnect data model.

Actor

ThreatConnect object type: Adversary Group

Intel 471 API Field	ThreatConnect Field
uid	Attribute: "External ID"
handles	Attribute: "Aliases" (one Attribute per handle)
links/forumTotalCount	Attribute: "Total Count of Forums"
links/forumPrivateMessageTotalCount	Attribute: "Total Count of Private Messages"
links/forumPostTotalCount	Attribute: "Total Count of Posts"
links/reportTotalCount	Attribute: "Total Count of Reports"
links/instantMessageServerTotalCount	Attribute: "Total Count of IM Servers"
links/instantMessageChannelTotalCount	Attribute: "Total Count of IM Topics"
links/instantMessageTotalCount	Attribute: "Total Count of IMs"
links/instantMessageServers/{index}/uid	Attribute: "IM Server" (one concatenated Attribute per grouping) uid: %uid% serviceType: %serviceType% name: %name%
links/instantMessageServers/{index}/serviceType
links/instantMessageServers/{index}/name
links/forums/{index}/forum	Attribute: "Forum" (one concatenated Attribute per grouping) Forum ID: %uid% Forum Name: %name% Actor Handle: %actorHandle% Contact Type: %type% Contact Value: %value% TimeZone: %timeZone%
links/forums/{index}/uid
links/forums/{index}/name
links/forums/{index}/actorHandle
links/forums/{index}/timeZone
links/forums/{index}/contactInfo
links/forums/{index}/contactInfo/{index}/item/value
links/forums/{index}/contactInfo/{index}/item	N/A
links/forums/{index}/contactInfo/{index}/item/type	N/A
links/reports	Adversary-to-Report Association
links/reports/{index}/report	Adversary-to-Report Association
links/reports/{index}/actorHandle	Attribute: "Aliases" (one Attribute per handle)
activeFrom	Attribute: "First Seen"
activeUntil	Attribute: "Last Seen"
lastUpdated	Attribute: "External Date Last Modified"

Adversary Intelligence Report

ThreatConnect object type: Report Group

Intel 471 API Field	ThreatConnect Field
uid	Attribute: "External ID"
documentFamily	N/A
documentType	Attribute: "Report Type"
admiraltyCode	Attribute: "Admiralty Code"
motivation	Attribute: "Adversary Motivation Type"
subject	Name/Summary
researcherComments	Attribute: "Additional Analysis and Context"
rawText	Uploaded File
rawTextTranslated	N/A
executiveSummary	Attribute: "Description"
created	Attribute: "External Date Created"
dateOfInformation	Attribute: "Date of Information"
sourceCharacterization	Attribute: "Source Characterization"
relatedReports/{index}/uid	Report-to-Report Association
relatedReports/{index}/documentFamily	Report-to-Report Association
entities/{index}/type	See Table 11
locations/{index}/link	Attribute: "Region & Country" Region: %: % (region) Country: % (country) Link: % (link)
locations/{index}/region
locations/{index}/country
tags/{index}	Tag
portalReportUrl	Attribute: "Report URL"
lastUpdated	Last Modified
sources/{index}/url	Attribute: "Sources" (one concatenated Attribute per grouping) URL: %: % (url) Title: % (title) Type: % (type)
sources/{index}/title
sources/{index}/type
sources/{index}/index	N/A
actorSubjectOfReport/{index}/handle	N/A
actorSubjectOfReport/{index}/aliases	Attribute: "Aliases"
classification/intelRequirements	Tag: "GIR: %"
reportAttachments/{index}/fileName	Attribute: "Report Attachment" File Name: filename URL: url File Size: fileSize Mime Type: mimeType Description: description Malicious: malicious
reportAttachments/{index}/url
reportAttachments/{index}/fileSize
reportAttachments/{index}/mimeType
reportAttachments/{index}/description
reportAttachments/{index}/malicious

Malware Intelligence Report

ThreatConnect object type: Report Group

Intel 471 API Field	ThreatConnect Field
malwareReportTotalCount	N/A
malwareReportsPartialResult	N/A
malwareReports	N/A
malwareReports/{index}/uid	Attribute: "External ID"
malwareReports/{index}/activity/first	Attribute: "First Seen"
malwareReports/{index}/activity/last	Attribute: "Last Seen"
malwareReports/{index}/meta/version	N/A
malwareReports/{index}/data/threat/uid	N/A
malwareReports/{index}/data/threat/type	N/A
malwareReports/{index}/data/threat/data/family	N/A
malwareReports/{index}/data/threat/data/ malware_family_profile_uid	N/A
malwareReports/{index}/data/threat/data/version	N/A
malwareReports/{index}/malware_report_data/title	Name/Summary
malwareReports/{index}/malware_report_data/text	N/A
malwareReports/{index}/malware_report_data/ attachments	Attribute: "Report Attachment" File Name: fileName URL: url File Size: fileSize Mime Type: mimeType Description: description Malicious: malicious
malwareReports/{index}/malware_report_data/ related_reports	N/A
malwareReports/{index}/malware_report_data/ released_at	Publish Date
malwareReports/{index}/last_updated	Attribute: "External Date Last Modified"

Related Indicators

ThreatConnect object type: Indicator (all types)

Intel 471 API Field	ThreatConnect Field
indicatorTotalCount	N/A
indicators	N/A
indicators/{index}/data/uid	N/A
indicators/{index}/data/source_id	N/A
indicators/{index}/data/threat/type	N/A
indicators/{index}/data/threat/uid	Indicator-to-Malware Association
indicators/{index}/data/threat/data/ malware_family_profile_uid	Indicator-to-Malware Association
indicators/{index}/data/threat/data/family	Indicator-to-Malware Association
indicators/{index}/data/threat/data/version	N/A
indicators/{index}/data/expiration	Attribute: "External Date Expires"
indicators/{index}/data/confidence	Attribute: "Confidence"
indicators/{index}/data/context/description	Attribute: "Description"
indicators/{index}/data/mitre_tactics	Tag: "MITRE Tactic: %"
indicators/{index}/data/indicator_type	Indicator Type
indicators/{index}/data/indicator_data/address	Address Indicator
indicators/{index}/data/indicator_data/url	URL Indicator
indicators/{index}/data/indicator_data/domain	Host Indicator
indicators/{index}/data/indicator_data/mutex	Mutex Indicator
indicators/{index}/data/indicator_data/ windows_registry_key	Registry Key Indicator
indicators/{index}/data/indicator_data/file	File Indicator
indicators/{index}/data/indicator_data/file/sha1	File Indicator
indicators/{index}/data/indicator_data/file/sha256	File Indicator
indicators/{index}/data/indicator_data/file/md5	File Indicator
indicators/{index}/data/indicator_data/file/type	Attribute: "File Type"
indicators/{index}/data/indicator_data/file/size	File Indicator: File Size
indicators/{index}/data/indicator_data/file/ download_url	Attribute: "Sample Download Link"
indicators/{index}/data/intel_requirements	Tag: "GIR: %"
indicators/{index}/meta/version	N/A
indicators/{index}/last_updated	Last Modified
indicators/{index}/uid	Attribute: "External ID"
indicators/{index}/activity/first	Attribute: "First Seen"
indicators/{index}/activity/last	Attribute: "Last Seen"

GIR Tags

ThreatConnect object type: Tags

Intel 471 API Field	ThreatConnect Field
girs/{index}/data/gir/path	Tag: "GIR: % %" (path, name)
girs/{index}/data/gir/name	Tag: "GIR: % %" (path, name)

Malware

ThreatConnect object type: Malware Group

Intel 471 API Field	ThreatConnect Field
malwareReportTotalCount	N/A
malwareReports/data/threat/uid	Attribute: "External ID"
malwareReports/data/threat/type	Attribute: "Malware Threat Type"
malwareReports/data/threat/data/family	Name/Summary
malwareReports/data/threat/data/ malware_family_profile_uid	Attribute: "External ID"
malwareReports/data/malware_report_data/text	Attribute: "Malware Report Text"
malwareReports/data/malware_report_data/ released_at	Attribute: "Report Published Date"
malwareReports/meta/version	N/A
malwareReports/last_updated	Last Modified
malwareReports/uid	N/A
malwareReports/classification/intelRequirements[]	Tag: "GIR: %"
activity/first	Attribute: "First Seen"
activity/last	Attribute: "Last Seen"

Malware Family YARA Signatures

ThreatConnect object type: Signature Group

Intel 471 API Field	ThreatConnect Field
yaraTotalCount	N/A
yaras/{index}/uid	Attribute: "External ID"
yaras/{index}/data/threat/type	Signature-to-Malware Association
yaras/{index}/data/threat/uid
yaras/{index}/data/threat/data/ malware_family_profile_uid
yaras/{index}/data/threat/data/family
yaras/{index}/data/yara_data/title	Name/Summary
yaras/{index}/data/yara_data/signature	Signature File Contents
yaras/{index}/data/confidence	Attribute: "Confidence"
yaras/{index}/data/intel_requirements	Tag: "GIR: %"
yaras/{index}/meta/version	N/A
yaras/{index}/last_updated	Last Modified
yaras/{index}/activity/first	Attribute: "First Seen"
yaras/{index}/activity/last	Attribute: "Last Seen"

Vulnerability Report Search

ThreatConnect object type: Vulnerability Group

Intel 471 API Field	ThreatConnect Field
cveReportsTotalCount	N/A
partialResult	N/A
cveReports/{index}/uid	Attribute: "External ID"
cveReports/{index}/data/cve_report/name	Name/Summary
cveReports/{index}/data/cve_report/cve_type	Attribute: "CVE Type"
cveReports/{index}/data/cve_report/risk_level	Attribute: "CVE Threat Level"
cveReports/{index}/data/cve_report/vendor_name	Attribute: "Vulnerable Vendor"
cveReports/{index}/data/cve_report/product_name	Attribute: "Vulnerable Product"
cveReports/{index}/data/cve_report/cve_status	Attribute: "CVE Status"
cveReports/{index}/data/cve_report/interest_level/ disclosed_publicly	Attribute: "Interest Level" (one Attribute per grouping)
cveReports/{index}/data/cve_report/interest_level/ researched_publicly
cveReports/{index}/data/cve_report/interest_level/ exploit_sought
cveReports/{index}/data/cve_report/activity_location/ location_opensource	Attribute: "Activity Location" (one Attribute per grouping)
cveReports/{index}/data/cve_report/activity_location/ location_underground
cveReports/{index}/data/cve_report/activity_location/ location_private
cveReports/{index}/data/cve_report/exploit_status/ available	Attribute: "Exploits" (one Attribute per grouping)
cveReports/{index}/data/cve_report/exploit_status/ weaponized
cveReports/{index}/data/cve_report/exploit_status/ productized
cveReports/{index}/data/cve_report/exploit_status/ not_observed
cveReports/{index}/data/cve_report/cvss_score/v2	Attribute: "CVSS v2 Score"
cveReports/{index}/data/cve_report/cvss_score/v3	Attribute: "CVSS v3 Score"
cveReports/{index}/data/cve_report/patch_status	Attribute: "Patch Status"
cveReports/{index}/data/cve_report/detection	Attribute: "Detection"
cveReports/{index}/data/cve_report/ underground_activity	Attribute: "Underground Activity"
cveReports/{index}/data/cve_report/ underground_activity_summary	Attribute: "Summary"
cveReports/{index}/data/cve_report/summary	Attribute: "Description"
cveReports/{index}/data/cve_report/titan_links/ {index}/title	Attribute: "External References" Note Due to this Attribute Type's length limit, each link will be in its own Attribute.
cveReports/{index}/data/cve_report/titan_links/ {index}/url
cveReports/{index}/data/cve_report/poc	Attribute: "External References" Note Due to this Attribute Type's length limit, each link will be in its own Attribute.
cveReports/{index}/data/cve_report/poc_links/ {index}/title
cveReports/{index}/data/cve_report/poc_links/ {index}/url
cveReports/{index}/data/cve_report/ counter_measures	Attribute: "Course of Action Recommendation" (one concatenated Attribute per grouping) Counter Measures: counter_measures Counter Measure Title: title Counter Measure URL:URL
cveReports/{index}/data/cve_report/ counter_measure_links/{index}/title
cveReports/{index}/data/cve_report/ counter_measure_links/{index}/url
cveReports/{index}/data/cve_report/ patch_links/{index}/title	Attribute: "Course of Action Taken" (one concatenated Attribute per grouping) Patch Links Title: title Patch Links URL: URL
cveReports/{index}/data/cve_report/ patch_links/{index}/url
cveReports/{index}/data/cve_report/cpe/ cve_data_version	Attribute: "Vulnerable CPE" (one concatenated Attribute per grouping) CVE Data Version: cve_data_version Operator: operator CPE Match Vulnerable: vulnerable CPE Match 23 uri: cpe23Uri
cveReports/{index}/data/cve_report/cpe/ nodes/{index}/operator
cveReports/{index}/data/cve_report/cpe/ nodes/{index}/cpe_match/{index}/vulnerable
cveReports/{index}/data/cve_report/cpe/ nodes/{index}/cpe_match/{index}/cpe23Uri
cveReports/{index}/classification/ intel_requirements	Tags: "GIR: %"
cveReports/{index}/last_updated	Last Modified
cveReports/{index}/activity/first	Attribute: "First Seen"
cveReports/{index}/activity/last	Attribute: "Last Seen"

Breach Alerts

ThreatConnect object type: Report Group

Intel 471 API Field	ThreatConnect Field
breach_alerts/activity/first	Attribute: "First Seen"
breach_alerts/activity/last	Attribute: "Last Seen"
breach_alerts/lastupdated	Attribute: "External Date Last Modified"
breach_alerts/uid	Attribute: "External ID"
breach_alerts/data/uid	N/A
data/breach_alerts/date_of_information	Attribute: "Date of Discovery"
data/breach_alerts/confidence/level	Attribute: "Confidence"
data/breach_alerts/summary	Attribute: "Description"
data/breach_alerts/intel_requirements	Tags: "GIR: %"
data/breach_alerts/released_at	Publish Date
data/breach_alerts/title	Attribute: "Report Title"
data/breach_alerts/victim	Attribute: "Breach Alert Victim" (one concatenated Attribute per grouping) Name: name Industry: industry Sector: sector URL: urls Country: country Revenue: revenue Region: region
data/breach_alert/victim/name
data/breach_alert/victim/industries/industry
data/breach_alert/victim/industries/sector
data/breach_alert/victim/urls
data/breach_alert/victim/country
data/breach_alert/victim/revenue
data/breach_alert/victim/region
data/breach_alerts/sources/url	Attribute: "Source" (one concatenated Attribute per grouping) Date: date Source Type: source type Title: title Urls: urls Type: type
data/breach_alerts/sources/source_type
data/breach_alerts/sources/date
data/breach_alerts/sources/title
data/breach_alerts/sources/type
data/breach_alerts/actor_or_group	Attribute: "Actor or Group"
data/entities/type	Attribute: "Additional Analysis and Context" Entity Type: type Entity value: value
data/entities/value
data/breach_alerts/	N/A

Entity

Intel 471 Entity	ThreatConnect Object
ActorDomain	Host Indicator
ActorOtherWebsite	URL Indicator
AIM	Attribute: "Social Media: AIM"
AutonomousSystem	ASN Indicator
BitcoinAddress	Attribute: "Bitcoin Address"
BitcoinTransactionID	Attribute: "Bitcoin Transaction ID"
CveID	Vulnerability Group
Discord	Attribute: "Social Media: Discord"
Ecurrency	Attribute: "Ecurrency"
EmailAddress	Email Address Indicator
Facebook	Attribute: "Social Media: Facebook"
FileName	Attribute: "File Name"
FileSize	Attribute: "File Size"
FileType	Attribute: "File Type"
GitHub	Attribute: "Github"
Handle	Adversary Group
ICQ	Attribute: "Social Media: ICQ"
Instagram	Attribute: "Social Media: Instagram"
IPAddress	Address Indicator
IPv4Prefix	Attribute:" IPv4 Prefix"
IPv6Prefix	Attribute: "IPv6 Prefix"
Jabber	Attribute: "Social Media: Jabber"
LinkedIn	Attribute: "Social Media: LinkedIn"
MaliciousDomain	Host Indicator
MaliciousURL	URL Indicator
MD5	File Indicator
MoiMir	Attribute: "Social Media: Moimir"
MSN	Attribute: "MSN"
Odnoklassniki	Attribute: "Social Media: Odnoklassniki"
OtherCryptoCurrencies	Attribute: "Other CryptoCurrencies"
Password	Attribute: "Password"
PasswordHash	Attribute: "Password Hash"
PerfectMoneyID	Attribute: "Perfect Money ID"
PGPKey	Attribute: "PGP Key"
PGPKeyID	Attribute: "PGP Key ID"
Phone	Attribute: Phone
QiwiWallet	Attribute: "QIWI Wallet"
QQ	Attribute: "Social Media: QQ"
SHA1	File Indicator
SHA256	File Indicator
Skype	Attribute: "Social Media: Skype"
SSLCertificate	Attribute: "SSL Certificate"
SSLCertificateFingerprint	Attribute: "SSL Certificate Fingerprint"
SSLCertificateID	Attribute: "SSL Certificate ID"
Tag	Tag
Telegram	Attribute: "Social Media: Telegram"
Tox	Attribute: "Social Media: Tox"
Twitter	Attribute: "Social Media: Twitter"
URL	URL Indicator
VK	Attribute: "Social Media: VK"
WebMoneyID	Attribute: "WebMoney ID"
WebMoneyPurse	Attribute: "WebMoney Purse"
WeChat	Attribute: "Social Media: WeChat"
Wickr	Attribute: "Social Media: Wickr"
YahooIM	Attribute: "Social Media: YahooIM"
YandexMoney	Attribute: "Yandex.Money"

Frequently Asked Questions (FAQ)

Are there any limitations I should be aware of?

The first time you set up the Feed API Service for the Intel 471 Intelligence Engine App, the data will backfill to 30 days. During the process of backfilling data for the prior 30 days, you may reach your Intel 471 API daily limit. To increase the API limit for your account, contact Intel 471. Note that this daily limit resets at midnight GMT.

If you continue to reach the Intel 471 API daily limit after the App backfills data for the last 30 days, it is recommended to select a greater value for the App's Advanced Settings parameter to increase the interval at which Intel 471 data are ingested.

Follow these steps to update the Advanced Settings parameter for the Intel 471 Intelligence Engine App:

From the ⋮ menu for the Intel 471 Intelligence Engine App on the Services screen, select Edit.
On Step 3 (Parameters) of the Edit Service drawer, increase the value of the Advanced Settings parameter. The unit for this field is days. If the field for this parameter is blank, then the current value is the default of 1 day.
Click SAVE.

Why are no new data are being ingested from Intel 471 into my ThreatConnect instance?

As you approach your Intel 471 API daily limit, Intel 471 will handle only one request per minute and then eventually return a 429 error until the daily limit resets at midnight GMT. Similarly, if there are multiple requests occurring at the same time, Intel 471 will handle one request per minute until the daily limit resets at midnight GMT. To increase the API limit for your account, contact Intel 471.

How can I tell which Intel 471 report an Indicator is from?

Any data ingested from Intel 471 will have one of these four Tags applied to them:

"Source: Intel 471 Adversary Intelligence Feed"
"Source: Intel 471 Breach Intelligence Feed"
"Source: Intel 471 Malware Intelligence Feed"
"Source: Intel 471 Vulnerability Intelligence Feed"

When would I use the Add Job feature on the Jobs screen?

The Add Job feature on the Jobs screen allows you to make ad-hoc requests for one or more of the Intel 471 products in a certain date range. If you want to retrieve specific reports or other objects, use the Downloads screen.

ThreatConnect^® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.
JavaScript^® is a registered trademark of Oracle Corporation.

30078-03 EN Rev. A

Was this article helpful?

What's Next

Intel 471 Adversary Intelligence Integration Configuration Guide

Table of contents

Overview
Dependencies
Application Setup and Configuration
Configuration Parameters
Intel 471 Intelligence Engine App UI
Data Mappings
Frequently Asked Questions (FAQ)

Company

Sales and Support