---
title: "Intel 471 Intelligence Engine Integration User Guide | ThreatConnect"
slug: "intel-471-intelligence-engine-integration-user-guide"
description: "This article is a user guide for the Intel 471 Intelligence Engine integration with ThreatConnect."
updated: 2025-09-24T15:45:28Z
published: 2025-09-24T15:45:28Z
---
> ## Documentation Index
> Fetch the complete documentation index at: https://knowledge.threatconnect.com/llms.txt
> Use this file to discover all available pages before exploring further.
# Intel 471 Intelligence Engine Integration User Guide
Software VersionThis guide applies to the **Intel 471 Intelligence Engine******App version 1.0.7.
## Overview
The ThreatConnect® integration with Intel 471 Intelligence ingests Reports, Adversaries, Breaches, Malware, Vulnerabilities, and Indicators from Intel 471 into ThreatConnect. These Groups and Indicators are stored and associated in ThreatConnect with select relevant context.
Important
The first time you set up the Feed API Service for the Intel 471 Intelligence Engine App, the data will backfill to 30 days. During the process of backfilling data for the prior 30 days, you may reach your Intel 471 API daily limit. To increase the API limit for your account, contact Intel 471. Note that this daily limit resets at midnight GMT.
If you continue to reach the Intel 471 API daily limit after the App backfills data for the last 30 days, it is recommended to select a greater value for the App’s **Advanced Settings**parameter to increase the interval at which Intel 471 data are ingested. See the first FAQ in the "[Frequently Asked Questions (FAQ)](/v1/docs/intel-471-intelligence-engine-integration-user-guide#frequently-asked-questions-faq)"****section for more information.
## Dependencies
### ThreatConnect Dependencies
- Active ThreatConnect Application Programming Interface (API) key
NoteAll ThreatConnect dependencies will be provided by default to subscribing ThreatConnect Cloud customers. Customers on Dedicated Cloud and On-Premises instances can enable these settings on the **Account Settings** screen within their ThreatConnect instance.
### Intel 471 Dependencies
- Active Intel 471 API key
- Active Intel 471 report subscriptions
- Adversary Intelligence
- Breach Intelligence
- Malware Intelligence
- Vulnerability Intelligence
NoteThe **Intel 471 Intelligence Engine App******may seem like it is running for a subscription that you may not have. In this scenario, contact Intel 471 for assistance with subscribing to a new report.
## Application Setup and Configuration
Follow these steps to install and configure the Intel 471 Intelligence Engine App via TC Exchange™:
1. Log into ThreatConnect with a System Administrator account.
2. From the **Settings**menu on the navigation bar, select **TC Exchange Settings**. Then select the **Catalog** tab on the **TC Exchange Settings** screen.
3. Locate the **Intel 471 Intelligence Engine**App on the **Catalog** tab. Then click **Install **in the **Options** column to install the App.
4. After you install the **Intel 471 Intelligence Engine**App, the [Feed Deployer](https://knowledge.threatconnect.com/docs/the-feed-deployer) will open automatically. Use the Feed Deployer to [set up and configure](https://knowledge.threatconnect.com/docs/feed-api-services) the **Intel 471 Intelligence Engine** App. See the [](/docs/intel-471-intelligence-engine-integration-user-guide#_Configuration_Parameters)[“Configuration Parameters”](/v1/docs/intel-471-intelligence-engine-integration-user-guide#configuration-parameters)section for more information on the parameters available during the configuration and deployment process.
## Configuration Parameters
### Parameter Definitions
The parameters defined in Table 1 apply to the configuration parameters available when using the Feed Deployer to configure the App.
| Name | Description | Required? |
| --- | --- | --- |
| **Source**Tab |
| Sources to Create | Enter the name of the source for the feed | Required |
| Owner | Select the organization in which the Source is created. | Required |
| Activate Deprecation | Select this checkbox to allow [confidence deprecation](https://knowledge.threatconnect.com/docs/indicator-confidence-deprecation) rules to be created and applied to Indicators in the Source. | Optional |
| Create Attributes | Select this checkbox to allow [custom Attribute Types](https://knowledge.threatconnect.com/docs/creating-custom-attribute-types) to be created in the Source. | Optional |
| **Parameters**Tab |
| Launch Server | Select tc-job as the launch server for the Service corresponding to the Feed API Service App. | Required |
| Intel Reports to Ingest | Select one or more Intel 471 report subscriptions from which data will be ingested. Available choices include the following: - Adversary - Breach - Malware - Vulnerability | Required |
| Advanced Settings | Use this field to specify the interval, in days, at which the App will ingest Intel 471 data. The default interval is 1 day. ImportantWhile you may use this field to modify your data ingest interval, doing so is not recommended, as it may result in application timeout. See the first FAQ in the [“Frequently Asked Questions (FAQ)”](/docs/intel-471-intelligence-engine-integration-user-guide#_Frequently_Asked_Questions) section for details about a situation for which an adjustment to this parameter is appropriate. | Optional |
| **Variables**Tab |
| Intel 471 Intelligence API Key | The Intel 471 Intelligence API key. | Required |
| Intel 471 Intelligence API Username | The Intel 471 Intelligence API username. | Required |
| **Confirm**Tab |
| Run Feeds after deployment | Select this checkbox to run the **Intel 471 Intelligence Engine******App immediately after the deployment configuration is complete (i.e., after you click **DEPLOY** on the **Feed Deployer** window). | Optional |
| Confirm Deployment Over Existing Source | This checkbox will be displayed if the Source entered in the **Sources to Create** field has previously been deployed to the Organization selected in the **Owner** dropdown on the **Source** tab. Select this checkbox to confirm that you want the **Intel 471 Intelligence Engine**App to write data to the same Source. This process will create a new Service for the **Intel 471 Intelligence Engine**App. As such, it is recommended that you delete the old Service associated with the **Intel 471 Intelligence Engine**App after the new one is created.ImportantIf you do not select this checkbox, the **DEPLOY** button will be grayed out, and you will not be able to deploy the Service. Return to the **Source** tab and enter a different Source or select a different Organization and then proceed through the tabs of the **Feed Deployer** window again. | Optional |
## Intel 471 Intelligence Engine App UI
After successfully configuring and activating the [Feed API Service](https://knowledge.threatconnect.com/docs/feed-api-services), you can access the **Intel 471 Intelligence Engine** App user interface (UI). This UI allows you to interact with and manage ThreatConnect’s Intel 471 Intelligence integration.
Follow these steps to access the **Intel 471 Intelligence Engine** App UI:
The following screens are available in the **Intel 471 Intelligence Engine**App UI:
- **Dashboard**
- **Jobs**
- **Tasks**
- **Download**
- **Batch Errors**
- **Attachment Status**
### Dashboard
The **Dashboard******screen (Figure 1) provides an overview of the total number of Adversary Reports, Breach Reports, Indicators, Malware Reports, Signatures, and Vulnerabilities retrieved from Intel 471.
NoteThe numbers displayed on the **Dashboard** screen represent the count of threat intelligence objects that were processed by the App, including objects that were updated or processed again, and may not match the count of objects in ThreatConnect.
### Jobs
The **Jobs**screen (Figure 2) breaks down the ingestion of Intel 471 Intelligence Engine data into manageable Job-like tasks, displaying all processes that are pending, in progress, complete, and failed. The **⋯** menu in a Job’s row provides the following options:
- **Details**: View details for the Job, such as download, convert, and upload start and complete times and counts of downloaded and batched Groups and Indicators.
- **Download Files**: Download metadata files for all Jobs and data (convert, download, and upload) files for completed Jobs.
- **Batch Errors**: View errors that have occurred for the Job on the [**Batch Errors**](/v1/docs/intel-471-intelligence-engine-integration-user-guide#batch-errors) screen.
You can filter **Intel 471 Intelligence Engine**App Jobs by the following elements:
- **Job ID**: Enter text into this box to search for a Job by its Job ID.
- **Job Type**: Select Job types to display on the **Jobs** screen.
- **Status**: Select Job statuses to display on the **Jobs** screen.
#### Add a Job
You can add ad-hoc Jobs on the **Jobs** screen. Follow these steps to create a request for an ad-hoc Job for the **Intel 471 Intelligence Engine**App:
1. Click **Add Job** (Figure 2).
2. Fill out the fields on the **Add Job** drawer (Figure 3) as follows:
- **Start Time**: (Optional) Enter the time at which the Job should start.
- **End Time**: (Optional) Enter the time by which the Job should end.
- **Types:**(Optional) Select the object types to include in the Job.
- Click **Submit** to submit the request for the ad-hoc Job.
### Tasks
The **Tasks** screen (Figure 4) displays all Tasks that may be part of a Job, including each step of the download, convert, and upload processes, as well as Tasks for the **ThreatConnect Intel 471 Intelligence Engine**App, such as Monitor, Schedule Downloads, and Cleaner. The current status (**Idle**, **Paused**, or **Running**), name, description, and heartbeat timeout length, in minutes, are displayed for each Task. The **⋯** menu in a Task’s row provides the following options, depending on the Task’s status:
- **Run** (idle and paused Tasks only)
- **Pause** (idle and running Tasks only)
- **Resume** (paused Tasks only)
- **Kill** (running Tasks only)
Under the table is a dashboard where you can view runtime analytics.
### Download
The **Download**screen (Figure 5) lets you download JavaScript® Object Notation (JSON) data for Intel 471 objects and then upload the data into ThreatConnect.
Follow these steps to download JSON data for an Intel 471 Intelligence object on the **Download**screen and then upload the data into ThreatConnect:
1. **Type**: Select an Intel 471 Intelligence object type to download.
2. **External ID**: Enter one or more Intel 471 External IDs for the objects to download, separating each ID with a comma.
3. Click **Download**. The JSON data will be displayed in two columns: **Results** (raw JSON data) and **Converted** (JSON data in ThreatConnect batch format) (Figure 6).
4. Click **Upload** to submit the converted Threat intelligence data via the [ThreatConnect Batch API](https://docs.threatconnect.com/en/latest/rest_api/v2/batch_api/batch_api.html).
### Batch Errors
The **Batch Errors**screen (Figure 7) displays an overview of the batch error types that have occurred for Job requests. You can enter keywords to filter by Job ID.
Select an error type to open a drawer containing a table with details on all batch errors of that type (Figure 8). You can enter keywords to filter by reason for error.
### Attachment Status
The **Attachment****Status** screen (Figure 9) displays a table with details on ThreatConnect's attempts to download Report attachments from Intel 471 Intelligence. You can enter Intel 471 External IDs for Groups to filter the table by Group ID, which can be useful if you do not see an Intel 471 Intelligence attachment in ThreatConnect as expected, or by status.
## Data Mappings
The data mappings in Table 2 through Table 11 illustrate how data are mapped from Intel 471 Intelligence API endpoints into the [ThreatConnect data model](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model).
### Actor
ThreatConnect object type: Adversary Group
| Intel 471 API Field | ThreatConnect Field |
| --- | --- |
| uid | Attribute: "External ID" |
| handles | Attribute: "Aliases" (one Attribute per handle) |
| links/forumTotalCount | Attribute: "Total Count of Forums" |
| links/forumPrivateMessageTotalCount | Attribute: "Total Count of Private Messages" |
| links/forumPostTotalCount | Attribute: "Total Count of Posts" |
| links/reportTotalCount | Attribute: "Total Count of Reports" |
| links/instantMessageServerTotalCount | Attribute: "Total Count of IM Servers" |
| links/instantMessageChannelTotalCount | Attribute: "Total Count of IM Topics" |
| links/instantMessageTotalCount | Attribute: "Total Count of IMs" |
| links/instantMessageServers/{index}/uid | Attribute: "IM Server" (one concatenated Attribute per grouping) - uid: %uid% - serviceType: %serviceType% - name: %name% |
| links/instantMessageServers/{index}/serviceType |
| links/instantMessageServers/{index}/name |
| links/forums/{index}/forum | Attribute: "Forum" (one concatenated Attribute per grouping) - Forum ID: %uid% - Forum Name: %name% - Actor Handle: %actorHandle% - Contact Type: %type% - Contact Value: %value% - TimeZone: %timeZone% |
| links/forums/{index}/uid |
| links/forums/{index}/name |
| links/forums/{index}/actorHandle |
| links/forums/{index}/timeZone |
| links/forums/{index}/contactInfo |
| links/forums/{index}/contactInfo/{index}/item/value |
| links/forums/{index}/contactInfo/{index}/item | N/A |
| links/forums/{index}/contactInfo/{index}/item/type | N/A |
| links/reports | Adversary-to-Report Association |
| links/reports/{index}/report |
| links/reports/{index}/actorHandle | Attribute: "Aliases" (one Attribute per handle) |
| activeFrom | Attribute: "First Seen" |
| activeUntil | Attribute: "Last Seen" |
| lastUpdated | Attribute: "External Date Last Modified" |
### Adversary Intelligence Report
ThreatConnect object type: Report Group
| Intel 471 API Field | ThreatConnect Field |
| --- | --- |
| uid | Attribute: "External ID" |
| documentFamily | N/A |
| documentType | Attribute: "Report Type" |
| admiraltyCode | Attribute: "Admiralty Code" |
| motivation | Attribute: "Adversary Motivation Type" |
| subject | Name/Summary |
| researcherComments | Attribute: "Additional Analysis and Context" |
| rawText | Uploaded File |
| rawTextTranslated | N/A |
| executiveSummary | Attribute: "Description" |
| created | Attribute: "External Date Created" |
| dateOfInformation | Attribute: "Date of Information" |
| sourceCharacterization | Attribute: "Source Characterization" |
| relatedReports/{index}/uid | Report-to-Report Association |
| relatedReports/{index}/documentFamily |
| entities/{index}/type | See [Table 11](/docs/intel-471-intelligence-engine-integration-user-guide#entity) |
| locations/{index}/link | Attribute: "Region & Country" - Region: %: % (region) - Country: % (country) - Link: % (link) |
| locations/{index}/region |
| locations/{index}/country |
| tags/{index} | Tag |
| portalReportUrl | Attribute: "Report URL" |
| lastUpdated | Last Modified |
| sources/{index}/url | Attribute: "Sources" (one concatenated Attribute per grouping) - URL: %: % (url) - Title: % (title) - Type: % (type) |
| sources/{index}/title |
| sources/{index}/type |
| sources/{index}/index | N/A |
| actorSubjectOfReport/{index}/handle | N/A |
| actorSubjectOfReport/{index}/aliases | Attribute: "Aliases" |
| classification/intelRequirements | Tag: "GIR: %" |
| reportAttachments/{index}/fileName | Attribute: "Report Attachment" - File Name: filename - URL: url - File Size: fileSize - Mime Type: mimeType - Description: description - Malicious: malicious |
| reportAttachments/{index}/url |
| reportAttachments/{index}/fileSize |
| reportAttachments/{index}/mimeType |
| reportAttachments/{index}/description |
| reportAttachments/{index}/malicious |
### Malware Intelligence Report
ThreatConnect object type: Report Group
| Intel 471 API Field | ThreatConnect Field |
| --- | --- |
| malwareReportTotalCount | N/A |
| malwareReportsPartialResult | N/A |
| malwareReports | N/A |
| malwareReports/{index}/uid | Attribute: "External ID" |
| malwareReports/{index}/activity/first | Attribute: "First Seen" |
| malwareReports/{index}/activity/last | Attribute: "Last Seen" |
| malwareReports/{index}/meta/version | N/A |
| malwareReports/{index}/data/threat/uid | N/A |
| malwareReports/{index}/data/threat/type | N/A |
| malwareReports/{index}/data/threat/data/family | N/A |
| malwareReports/{index}/data/threat/data/ malware_family_profile_uid | N/A |
| malwareReports/{index}/data/threat/data/version | N/A |
| malwareReports/{index}/malware_report_data/title | Name/Summary |
| malwareReports/{index}/malware_report_data/text | N/A |
| malwareReports/{index}/malware_report_data/ attachments | Attribute: "Report Attachment" - File Name: fileName - URL: url - File Size: fileSize - Mime Type: mimeType - Description: description - Malicious: malicious |
| malwareReports/{index}/malware_report_data/ related_reports | N/A |
| malwareReports/{index}/malware_report_data/ released_at | Publish Date |
| malwareReports/{index}/last_updated | Attribute: "External Date Last Modified" |
### Related Indicators
ThreatConnect object type: Indicator (all types)
| Intel 471 API Field | ThreatConnect Field |
| --- | --- |
| indicatorTotalCount | N/A |
| indicators | N/A |
| indicators/{index}/data/uid | N/A |
| indicators/{index}/data/source_id | N/A |
| indicators/{index}/data/threat/type | N/A |
| indicators/{index}/data/threat/uid | Indicator-to-Malware Association |
| indicators/{index}/data/threat/data/ malware_family_profile_uid | Indicator-to-Malware Association |
| indicators/{index}/data/threat/data/family | Indicator-to-Malware Association |
| indicators/{index}/data/threat/data/version | N/A |
| indicators/{index}/data/expiration | Attribute: "External Date Expires" |
| indicators/{index}/data/confidence | Attribute: "Confidence" |
| indicators/{index}/data/context/description | Attribute: "Description" |
| indicators/{index}/data/mitre_tactics | Tag: "MITRE Tactic: %" |
| indicators/{index}/data/indicator_type | Indicator Type |
| indicators/{index}/data/indicator_data/address | Address Indicator |
| indicators/{index}/data/indicator_data/url | URL Indicator |
| indicators/{index}/data/indicator_data/domain | Host Indicator |
| indicators/{index}/data/indicator_data/mutex | Mutex Indicator |
| indicators/{index}/data/indicator_data/ windows_registry_key | Registry Key Indicator |
| indicators/{index}/data/indicator_data/file | File Indicator |
| indicators/{index}/data/indicator_data/file/sha1 | File Indicator |
| indicators/{index}/data/indicator_data/file/sha256 | File Indicator |
| indicators/{index}/data/indicator_data/file/md5 | File Indicator |
| indicators/{index}/data/indicator_data/file/type | Attribute: "File Type" |
| indicators/{index}/data/indicator_data/file/size | File Indicator: File Size |
| indicators/{index}/data/indicator_data/file/ download_url | Attribute: "Sample Download Link" |
| indicators/{index}/data/intel_requirements | Tag: "GIR: %" |
| indicators/{index}/meta/version | N/A |
| indicators/{index}/last_updated | Last Modified |
| indicators/{index}/uid | Attribute: "External ID" |
| indicators/{index}/activity/first | Attribute: "First Seen" |
| indicators/{index}/activity/last | Attribute: "Last Seen" |
### GIR Tags
ThreatConnect object type: Tags
| Intel 471 API Field | ThreatConnect Field |
| --- | --- |
| girs/{index}/data/gir/path | Tag: "GIR: % %" (path, name) |
| girs/{index}/data/gir/name |
### Malware
ThreatConnect object type: Malware Group
| Intel 471 API Field | ThreatConnect Field |
| --- | --- |
| malwareReportTotalCount | N/A |
| malwareReports/data/threat/uid | Attribute: "External ID" |
| malwareReports/data/threat/type | Attribute: "Malware Threat Type" |
| malwareReports/data/threat/data/family | Name/Summary |
| malwareReports/data/threat/data/ malware_family_profile_uid | Attribute: "External ID" |
| malwareReports/data/malware_report_data/text | Attribute: "Malware Report Text" |
| malwareReports/data/malware_report_data/ released_at | Attribute: "Report Published Date" |
| malwareReports/meta/version | N/A |
| malwareReports/last_updated | Last Modified |
| malwareReports/uid | N/A |
| malwareReports/classification/intelRequirements[] | Tag: "GIR: %" |
| activity/first | Attribute: "First Seen" |
| activity/last | Attribute: "Last Seen" |
### Malware Family YARA Signatures
ThreatConnect object type: Signature Group
| Intel 471 API Field | ThreatConnect Field |
| --- | --- |
| yaraTotalCount | N/A |
| yaras/{index}/uid | Attribute: "External ID" |
| yaras/{index}/data/threat/type | Signature-to-Malware Association |
| yaras/{index}/data/threat/uid |
| yaras/{index}/data/threat/data/ malware_family_profile_uid |
| yaras/{index}/data/threat/data/family |
| yaras/{index}/data/yara_data/title | Name/Summary |
| yaras/{index}/data/yara_data/signature | Signature File Contents |
| yaras/{index}/data/confidence | Attribute: "Confidence" |
| yaras/{index}/data/intel_requirements | Tag: "GIR: %" |
| yaras/{index}/meta/version | N/A |
| yaras/{index}/last_updated | Last Modified |
| yaras/{index}/activity/first | Attribute: "First Seen" |
| yaras/{index}/activity/last | Attribute: "Last Seen" |
### Vulnerability Report Search
ThreatConnect object type: Vulnerability Group
| Intel 471 API Field | ThreatConnect Field |
| --- | --- |
| cveReportsTotalCount | N/A |
| partialResult | N/A |
| cveReports/{index}/uid | Attribute: "External ID" |
| cveReports/{index}/data/cve_report/name | Name/Summary |
| cveReports/{index}/data/cve_report/cve_type | Attribute: "CVE Type" |
| cveReports/{index}/data/cve_report/risk_level | Attribute: "CVE Threat Level" |
| cveReports/{index}/data/cve_report/vendor_name | Attribute: "Vulnerable Vendor" |
| cveReports/{index}/data/cve_report/product_name | Attribute: "Vulnerable Product" |
| cveReports/{index}/data/cve_report/cve_status | Attribute: "CVE Status" |
| cveReports/{index}/data/cve_report/interest_level/ disclosed_publicly | Attribute: "Interest Level" (one Attribute per grouping) |
| cveReports/{index}/data/cve_report/interest_level/ researched_publicly |
| cveReports/{index}/data/cve_report/interest_level/ exploit_sought |
| cveReports/{index}/data/cve_report/activity_location/ location_opensource | Attribute: "Activity Location" (one Attribute per grouping) |
| cveReports/{index}/data/cve_report/activity_location/ location_underground |
| cveReports/{index}/data/cve_report/activity_location/ location_private |
| cveReports/{index}/data/cve_report/exploit_status/ available | Attribute: "Exploits" (one Attribute per grouping) |
| cveReports/{index}/data/cve_report/exploit_status/ weaponized |
| cveReports/{index}/data/cve_report/exploit_status/ productized |
| cveReports/{index}/data/cve_report/exploit_status/ not_observed |
| cveReports/{index}/data/cve_report/cvss_score/v2 | Attribute: "CVSS v2 Score" |
| cveReports/{index}/data/cve_report/cvss_score/v3 | Attribute: "CVSS v3 Score" |
| cveReports/{index}/data/cve_report/patch_status | Attribute: "Patch Status" |
| cveReports/{index}/data/cve_report/detection | Attribute: "Detection" |
| cveReports/{index}/data/cve_report/ underground_activity | Attribute: "Underground Activity" |
| cveReports/{index}/data/cve_report/ underground_activity_summary | Attribute: "Summary" |
| cveReports/{index}/data/cve_report/summary | Attribute: "Description" |
| cveReports/{index}/data/cve_report/titan_links/ {index}/title | Attribute: "External References" NoteDue to this Attribute Type's length limit, each link will be in its own Attribute. |
| cveReports/{index}/data/cve_report/titan_links/ {index}/url |
| cveReports/{index}/data/cve_report/poc | Attribute: "External References" NoteDue to this Attribute Type's length limit, each link will be in its own Attribute. |
| cveReports/{index}/data/cve_report/poc_links/ {index}/title |
| cveReports/{index}/data/cve_report/poc_links/ {index}/url |
| cveReports/{index}/data/cve_report/ counter_measures | Attribute: "Course of Action Recommendation" (one concatenated Attribute per grouping) - Counter Measures: counter_measures - Counter Measure Title: title - Counter Measure URL:URL |
| cveReports/{index}/data/cve_report/ counter_measure_links/{index}/title |
| cveReports/{index}/data/cve_report/ counter_measure_links/{index}/url |
| cveReports/{index}/data/cve_report/ patch_links/{index}/title | Attribute: "Course of Action Taken" (one concatenated Attribute per grouping) - Patch Links Title: title - Patch Links URL: URL |
| cveReports/{index}/data/cve_report/ patch_links/{index}/url |
| cveReports/{index}/data/cve_report/cpe/ cve_data_version | Attribute: "Vulnerable CPE" (one concatenated Attribute per grouping) - CVE Data Version: cve_data_version - Operator: operator - CPE Match Vulnerable: vulnerable - CPE Match 23 uri: cpe23Uri |
| cveReports/{index}/data/cve_report/cpe/ nodes/{index}/operator |
| cveReports/{index}/data/cve_report/cpe/ nodes/{index}/cpe_match/{index}/vulnerable |
| cveReports/{index}/data/cve_report/cpe/ nodes/{index}/cpe_match/{index}/cpe23Uri |
| cveReports/{index}/classification/ intel_requirements | Tags: "GIR: %" |
| cveReports/{index}/last_updated | Last Modified |
| cveReports/{index}/activity/first | Attribute: "First Seen" |
| cveReports/{index}/activity/last | Attribute: "Last Seen" |
### Breach Alerts
ThreatConnect object type: Report Group
| Intel 471 API Field | ThreatConnect Field |
| --- | --- |
| breach_alerts/activity/first | Attribute: "First Seen" |
| breach_alerts/activity/last | Attribute: "Last Seen" |
| breach_alerts/lastupdated | Attribute: "External Date Last Modified" |
| breach_alerts/uid | Attribute: "External ID" |
| breach_alerts/data/uid | N/A |
| data/breach_alerts/date_of_information | Attribute: "Date of Discovery" |
| data/breach_alerts/confidence/level | Attribute: "Confidence" |
| data/breach_alerts/summary | Attribute: "Description" |
| data/breach_alerts/intel_requirements | Tags: "GIR: %" |
| data/breach_alerts/released_at | Publish Date |
| data/breach_alerts/title | Attribute: "Report Title" |
| data/breach_alerts/victim | Attribute: "Breach Alert Victim" (one concatenated Attribute per grouping) - Name: name - Industry: industry - Sector: sector - URL: urls - Country: country - Revenue: revenue - Region: region |
| data/breach_alert/victim/name |
| data/breach_alert/victim/industries/industry |
| data/breach_alert/victim/industries/sector |
| data/breach_alert/victim/urls |
| data/breach_alert/victim/country |
| data/breach_alert/victim/revenue |
| data/breach_alert/victim/region |
| data/breach_alerts/sources/url | Attribute: "Source" (one concatenated Attribute per grouping) - Date: date - Source Type: source type - Title: title - Urls: urls - Type: type |
| data/breach_alerts/sources/source_type |
| data/breach_alerts/sources/date |
| data/breach_alerts/sources/title |
| data/breach_alerts/sources/type |
| data/breach_alerts/actor_or_group | Attribute: "Actor or Group" |
| data/entities/type | Attribute: "Additional Analysis and Context" - Entity Type: type - Entity value: value |
| data/entities/value |
| data/breach_alerts/ | N/A |
### Entity
| Intel 471 Entity | ThreatConnect Object |
| --- | --- |
| ActorDomain | Host Indicator |
| ActorOtherWebsite | URL Indicator |
| AIM | Attribute: "Social Media: AIM" |
| AutonomousSystem | ASN Indicator |
| BitcoinAddress | Attribute: "Bitcoin Address" |
| BitcoinTransactionID | Attribute: "Bitcoin Transaction ID" |
| CveID | Vulnerability Group |
| Discord | Attribute: "Social Media: Discord" |
| Ecurrency | Attribute: "Ecurrency" |
| EmailAddress | Email Address Indicator |
| Facebook | Attribute: "Social Media: Facebook" |
| FileName | Attribute: "File Name" |
| FileSize | Attribute: "File Size" |
| FileType | Attribute: "File Type" |
| GitHub | Attribute: "Github" |
| Handle | Adversary Group |
| ICQ | Attribute: "Social Media: ICQ" |
| Instagram | Attribute: "Social Media: Instagram" |
| IPAddress | Address Indicator |
| IPv4Prefix | Attribute:" IPv4 Prefix" |
| IPv6Prefix | Attribute: "IPv6 Prefix" |
| Jabber | Attribute: "Social Media: Jabber" |
| LinkedIn | Attribute: "Social Media: LinkedIn" |
| MaliciousDomain | Host Indicator |
| MaliciousURL | URL Indicator |
| MD5 | File Indicator |
| MoiMir | Attribute: "Social Media: Moimir" |
| MSN | Attribute: "MSN" |
| Odnoklassniki | Attribute: "Social Media: Odnoklassniki" |
| OtherCryptoCurrencies | Attribute: "Other CryptoCurrencies" |
| Password | Attribute: "Password" |
| PasswordHash | Attribute: "Password Hash" |
| PerfectMoneyID | Attribute: "Perfect Money ID" |
| PGPKey | Attribute: "PGP Key" |
| PGPKeyID | Attribute: "PGP Key ID" |
| Phone | Attribute: Phone |
| QiwiWallet | Attribute: "QIWI Wallet" |
| QQ | Attribute: "Social Media: QQ" |
| SHA1 | File Indicator |
| SHA256 | File Indicator |
| Skype | Attribute: "Social Media: Skype" |
| SSLCertificate | Attribute: "SSL Certificate" |
| SSLCertificateFingerprint | Attribute: "SSL Certificate Fingerprint" |
| SSLCertificateID | Attribute: "SSL Certificate ID" |
| Tag | Tag |
| Telegram | Attribute: "Social Media: Telegram" |
| Tox | Attribute: "Social Media: Tox" |
| Twitter | Attribute: "Social Media: Twitter" |
| URL | URL Indicator |
| VK | Attribute: "Social Media: VK" |
| WebMoneyID | Attribute: "WebMoney ID" |
| WebMoneyPurse | Attribute: "WebMoney Purse" |
| WeChat | Attribute: "Social Media: WeChat" |
| Wickr | Attribute: "Social Media: Wickr" |
| YahooIM | Attribute: "Social Media: YahooIM" |
| YandexMoney | Attribute: "Yandex.Money" |
## Frequently Asked Questions (FAQ)
**Are there any limitations I should be aware of?**
The first time you set up the Feed API Service for the **Intel 471 Intelligence Engine** App, the data will backfill to 30 days. During the process of backfilling data for the prior 30 days, you may reach your Intel 471 API daily limit. To increase the API limit for your account, contact Intel 471. Note that this daily limit resets at midnight GMT.
If you continue to reach the Intel 471 API daily limit after the App backfills data for the last 30 days, it is recommended to select a greater value for the App's **Advanced Settings** parameter to increase the interval at which Intel 471 data are ingested.
Follow these steps to update the **Advanced Settings** parameter for the **Intel 471 Intelligence Engine** App:
1. From the **⋮** menu for the **Intel 471 Intelligence Engine** App on the [**Services** screen](https://knowledge.threatconnect.com/docs/playbook-services), select **Edit**.
2. On Step 3 (**Parameters**) of the **Edit Service** drawer, increase the value of the **Advanced Settings** parameter. The unit for this field is `days`. If the field for this parameter is blank, then the current value is the default of 1 day.
3. Click **SAVE**.****
**Why are no new data are being ingested from Intel 471 into my ThreatConnect instance?**
As you approach your Intel 471 API daily limit, Intel 471 will handle only one request per minute and then eventually return a 429 error until the daily limit resets at midnight GMT. Similarly, if there are multiple requests occurring at the same time, Intel 471 will handle one request per minute until the daily limit resets at midnight GMT. To increase the API limit for your account, contact Intel 471.
**How can I tell which Intel 471 report an Indicator is from?**
Any data ingested from Intel 471 will have one of these four Tags applied to them:
- "Source: Intel 471 Adversary Intelligence Feed"
- "Source: Intel 471 Breach Intelligence Feed"
- "Source: Intel 471 Malware Intelligence Feed"
- "Source: Intel 471 Vulnerability Intelligence Feed"
**When would I use the Add Job feature on the Jobs screen?**
The **Add Job** feature on the **Jobs**screen allows you to make ad-hoc requests for one or more of the Intel 471 products in a certain date range. If you want to retrieve specific reports or other objects, use the **Downloads** screen.
---
*ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.* *JavaScript® is a registered trademark of Oracle Corporation.*
30078-03 EN Rev. A