Overview
The Intel471 Verity Intelligence Engine feed API service app ingests structured threat intelligence—including indicators, malware families, vulnerabilities, finished intelligence reports, and breach alerts—as well as customer-specific watcher alerts from the Intel 471 Verity471 platform and creates corresponding objects in ThreatConnect® with select Verity471 metadata:
- Alerts (including watcher alerts) are created as Event Groups in ThreatConnect.
- Reports are created as Report Groups in ThreatConnect.
- Vulnerabilities are created as Vulnerability Groups in ThreatConnect.
- Indicators are created as Address, File, Host, and URL Indicators in ThreatConnect.
- Malware families are created as Malware Groups in ThreatConnect.
- YARA signatures are created as Signature Groups in ThreatConnect.
Dependencies
ThreatConnect Dependencies
- Active ThreatConnect Application Programming Interface (API) key
- ThreatConnect instance with version 7.12.2 or newer installed
Intel 471 Verity471 Dependencies
- Intel 471 Verity471 API credentials:
- API username (Key ID)
- API key (Key Secret)
- An active Intel 471 Verity471 subscription
- One or more Intel 471 watcher group IDs (required only if watcher alert ingestion is enabled)
Application Setup and Configuration
The Intel471 Verity Intelligence Engine app leverages the Feed Deployer to create a Source for data ingestion from Intel 471 Verity471 in an Organization and to configure the corresponding service’s ingestion and authentication parameters. After you install the Intel471 Verity Intelligence Engine app on your ThreatConnect instance, you can deploy it to any Organization. It must be deployed separately for each Organization in which you want to create a Source for data ingestion and a corresponding service.
Install the Intel471 Verity Intelligence Engine App
Follow these steps to install the Intel471 Verity Intelligence Engine app on your ThreatConnect instance:
- Log into ThreatConnect with a System Administrator account.
- From the Settings
menu on the top navigation bar, select TC Exchange Settings. - Select the Catalog tab on the TC Exchange™ Settings screen.
- Locate the Intel471 Verity Intelligence Engine app on the Catalog tab.
- Click Install
in the Options column for the app. - Click INSTALL in the app’s Release Notes window.
- After you install the Intel471 Verity Intelligence Engine app, the Feed Deployer opens automatically. Follow the procedure in the “Deploy the Intel471 Verity Intelligence Engine App to an Organization” section to deploy the Intel471 Verity Intelligence Engine app to a Source in an Organization and configure the corresponding service.
Deploy the Intel471 Verity Intelligence Engine App to an Organization
Follow these steps to deploy the Intel471 Verity Intelligence Engine app to an Organization:
- Log into ThreatConnect with a System Administrator account.
- From the Settings
menu on the top navigation bar, select TC Exchange Settings. - Locate the Intel471 Verity Intelligence Engine app on the Installed tab. Then select Deploy from the Options ⋮ dropdown.
- Follow the instructions in Table 1 to fill out the fields in the Feed Deployer window for a deployment of the Intel471 Verity Intelligence Engine app.
Name Description Required? Source Tab Sources to Create Enter the name of the Source for the feed. NoteUnless you are redeploying the feed to an existing Source in an Organization, the name of the Source must be unique on your ThreatConnect instance. It is recommended to add the Organization’s name to the end of the default Source name (e.g., Intel471 Verity Intelligence Engine - Demo Organization) for easy identification of the Source’s owner.Required Owner Select the Organization in which the Source will be created. Required Activate Deprecation Select this checkbox to allow confidence deprecation rules to be created and applied to Indicators in the Source. Optional Create Attributes Select this checkbox to allow custom attribute types for the Intel471 Verity Intelligence Engine app to be created on the System level of your ThreatConnect instance. ImportantIt is recommended that you keep this checkbox selected. If you deselect it, data from the Intel471 Verity Intelligence Engine app mapped to those attribute types will not be ingested.Optional Parameters Tab Launch Server Select tc-job as the launch server for the feed API service. Required Intel Reports to Ingest Select the Verity471 report types to ingest. Available options include the following: - Breach (default)
- Credential
- FinTel (default)
- Geopol (default)
- Info (default)
- Malware (default)
- Spot (default)
- Vulnerability (default)
Required Ingest Alerts Select this checkbox to ingest Verity471 watcher alerts into ThreatConnect. Optional Watcher Group IDs Enter the IDs, separated by commas, for one or more Verity471 watcher groups from which to ingest alerts. ImportantIf the Ingest Alerts checkbox is selected, you must enter at least one watcher group ID; otherwise, the app may fail to start or may return an error.Optional Notification Digest Interval Select the interval at which the Intel471 Verity Intelligence Engine app should send notifications about job failure outcomes to the Notifications Center for users who are members of the Source for the Intel471 Verity Intelligence Engine service. The dissemination of the notifications is determined by each user’s Notifications Center settings. Required Notification Types Select the notification types to include in the notification digest. Note- The App Startup notification is sent only once, when the app is started for the first time. Selection of this option determines whether the initial digest sent to the Notifications Center will include a notification about successful app startup.
- All notifications about app functionality (startup, startup failure, and shutdown) and job failure outcomes (failure, retry, and recovery) are provided on the Notifications screen in the service UI.
Optional Advanced Settings There are no advanced settings to configure. WarningLeave this field blank, as entering values may result in unintended consequences.Optional Variables Tab Intel 471 Verity API Username Enter the Intel 471 Verity471 Key ID. Required Intel 471 Verity API Key Enter the Intel 471 Verity471 Key Secret. Required Confirm Tab Run Feeds after deployment Select this checkbox to run the Intel471 Verity Intelligence Engine service immediately after you click DEPLOY on the Feed Deployer window. Optional Confirm Deployment Over Existing Source This checkbox and a warning message are displayed on the Confirm tab if the Source name entered on the Source tab is already used by a Source owned by the selected Organization. To confirm redeploying the app to the existing Source, select the checkbox. This will activate the DEPLOY button. Otherwise, you must return to the Source tab and either change the Source name or select a different Organization. WarningWhen you redeploy a feed API service to a Source, existing data in the Source may be overwritten. Redeployment will also create a new service for the feed API service app. It is recommended that you delete the previous service for the feed API service app after the new one is created.Optional - Click DEPLOY on the Confirm tab of the Feed Deployer window to deploy the Intel471 Verity Intelligence Engine app in the Organization, which will create a Source for the feed in the Organization and a corresponding feed API service.
Intel471 Verity Intelligence Engine UI
After installing the Intel471 Verity Intelligence Engine app and deploying it to an Organization, you can access the Intel471 Verity Intelligence Engine UI, where you can manage data ingestion from Verity471 into the Source created in the Organization.
Follow these steps to access the Intel471 Verity Intelligence Engine UI:
- Log into ThreatConnect with a System Administrator account or a user account in the Organization with an Organization role of Organization Administrator.
- From the Automation & Feeds dropdown on the top navigation bar, select Services.
- Locate the row for the Intel471 Verity Intelligence Engine feed API service.HintSelect Feed Service from the Service Type dropdown at the upper right to filter the screen to show only feed API services. If there are multiple services for the Intel471 Verity Intelligence Engine app, you can identify the one configured for your Organization by clicking the row for a service to view its Details drawer, which includes an Organization field showing the Organization that owns the Source for that service.
- Turn on the toggle in the Enable column if the service is not already enabled.
- Click the link in the service’s API Path field to open the Intel471 Verity Intelligence Engine UI.
The following screens are available in the Intel471 Verity Intelligence Engine service UI:
Dashboard
The Dashboard screen provides an overview of the total number of intelligence types and alerts ingested from Verity471.
Jobs
The Jobs screen breaks down the ingestion of Verity471 data into manageable job-like tasks, displaying all processes that are pending, in progress, complete, and failed. The ⋯ menu in a job’s row provides the following options:
- Details: View details for the job, such as download, convert, and upload start and complete times and counts of downloaded and batched Groups and Indicators.
- Download Files: Download metadata files for all jobs and data (convert, download, and upload) files for completed jobs.
- Batch Errors: View errors that have occurred for the job on the Batch Errors screen.
You can filter Intel 471 Verity Intelligence Engine service jobs by the following elements:
- Job ID: Enter text into this box to search for a job by its job ID.
- Job Type: Select job types to display on the Jobs screen.
- Status: Select job statuses to display on the Jobs screen.
Add a Job
You can add ad hoc jobs on the Jobs screen. Follow these steps to create a request for an ad hoc job for the Intel471 Verity Intelligence Engine service:
- Click Add Job.
- Fill out the fields on the Add Job drawer as follows:
- Start Time: (Optional) Enter the time at which the job should start.
- End Time: (Optional) Enter the time by which the job should end.
- Reports to Ingest: (Optional) Select the Verity471 report types to include in the job.
- Ingest Alerts? (Required) Select the appropriate option to determine whether to ingest alerts in the job.
- Click Submit.
Tasks
The Tasks screen displays all tasks that may be part of a job, including each step of the download, convert, and upload processes, as well as tasks for the Intel471 Verity Intelligence Engine service, such as monitor, scheduler, and cleaner. The current status (Idle, Paused, or Running), name, description, and heartbeat timeout length, in minutes, are displayed for each task. The ⋯ menu in a task’s row provides the following options, depending on the task’s status:
- Run (idle and paused tasks only)
- Pause (idle and running tasks only)
- Resume (paused tasks only)
- Kill (running tasks only)
Under the table is a dashboard where you can view runtime analytics.
Download
The Download screen lets you download JavaScript® Object Notation (JSON) data for Verity471 objects and then upload the data into ThreatConnect. Follow these steps to download JSON data for a Verity471 object on the Download screen and then upload the data into ThreatConnect:
- Report Type: Select a Verity471 report type to download.
- External ID: Enter one or more Verity471 IDs for the objects to download, separating each ID with a comma.
- Click Download. The JSON data will be displayed in two columns: Results (raw JSON data) and Converted (JSON data in ThreatConnect batch format).
- Click Upload to submit the converted threat intelligence data via the ThreatConnect Batch API.
Batch Errors
The Batch Errors screen displays an overview of the batch error types that have occurred for job requests. You can enter keywords to filter by job ID. Select an error type to open a drawer containing a table with details on all batch errors of that type.
Notifications
The Notifications screen displays a table with details on notifications regarding app functionality and job failure outcomes for the Intel471 Verity Intelligence Engine service.
Attachment Status
The Attachment Status screen displays a table with details on ThreatConnect's attempts to download Report Group attachments from Verity471 You can enter Verity471 IDs for Groups to filter the table by Group ID, which can be useful if you do not see a Verity471 attachment in ThreatConnect as expected, or by status.
Data Mappings
The data mappings in Table 2 through Table 29 illustrate how data are mapped from Verity471 API endpoints to the ThreatConnect data model.
Alert: Breach Alert
ThreatConnect object type: Event Group
| Verity471 API Field | ThreatConnect Field |
|---|---|
| title | Name/Summary |
| wrapper_status |
|
| creation_ts | Event Date |
| released_ts | Date Added |
| last_updated_ts | Last Modified |
| id | Attribute: "External ID" |
| watcher_group_name | Attribute: "Watcher Group" |
| links.verity_portal.href | Attribute: "Source" |
| body | Attribute: "Description" |
| victims[].name |
|
| actor_or_group |
|
| confidence.level | Attribute: "Confidence" |
| sources[].links.verity_portal.href | Attribute: "Additional Analysis and Context" |
| entities[?type=='Handle'].value |
|
| derived_entities[?type=='Handle'].value |
|
| entities[?type=='MalwareFamily'].value |
|
| derived_entities[?type=='MalwareFamily'].value |
|
| entities[?type=='MobileMalwareFamily'].value | Tag: "Malware: <name>" |
| entities[?type=='Telegram'].value | Tag |
| entities[?type=='MaliciousDomain'].value | Tag |
| entities[?type=='FileName'].value | Tag |
| entities[?type=='CveID'].value | Tag: "Vulnerability: <name>" |
| classification.girs[].name | Tag |
| derived_entities[?type=='CveID'].value | Tag: "Vulnerability: <name>" |
| related_reports[].id | Associated Group |
Alert: Chat Message
ThreatConnect object type: Event Group
| Verity471 API Field | ThreatConnect Field |
|---|---|
| chat_room.name |
|
| wrapper_status |
|
| message.creation_ts |
|
| message.id | Attribute: "External ID" |
| watcher_group_name | Attribute: "Watcher Group" |
| links.verity_portal.href | Attribute: "Source" |
| message.html | Attribute: "Description" |
| message.author.user_name |
|
| chat_room.links.verity_portal.href | Attribute: "Additional Analysis and Context" |
| message.author.id | Associated Group |
Alert: Credential Occurrence
ThreatConnect object type: Event Group
| Verity471 API Field | ThreatConnect Field |
|---|---|
| data.credential.credential_login |
|
| wrapper_status |
|
| activity.first_seen_ts | First Seen |
| activity.last_seen_ts | Last Seen |
| data.info_stealer.infection_ts | Event Date |
| last_updated_ts |
|
| id | Attribute: "External ID" |
| watcher_group_name | Attribute: "Watcher Group" |
| links.verity_portal.href | Attribute: "Source" |
| data.credential.affiliations[] | Tag |
| data.credential_type | Tag |
| classification.girs[].name | Tag |
| data.credential.id | Associated Group |
| data.credential_set.id | Associated Group |
Alert: Credential Set
ThreatConnect object type: Event Group
| Verity471 API Field | ThreatConnect Field |
|---|---|
| name |
|
| wrapper_status |
|
| wrapper_creation_ts | Event Date |
| id | Attribute: "External ID" |
| watcher_group_name | Attribute: "Watcher Group" |
| links.verity_portal.href | Attribute: "Source" |
Alert: Data Leak Post
ThreatConnect object type: Event Group
| Verity471 API Field | ThreatConnect Field |
|---|---|
| thread.title | Name/Summary |
| wrapper_status |
|
| post.creation_ts | Event Date |
| post.last_updated_ts | Last Modified |
| thread.id | Attribute: "External ID" |
| watcher_group_name | Attribute: "Watcher Group" |
| links.verity_portal.href | Attribute: "Source" |
| post.message | Attribute: "Description" |
| thread.links.verity_portal.href | Attribute: "Additional Analysis and Context" |
| website.title | Tag |
Alert: FinTel
ThreatConnect object type: Event Group
| Verity471 API Field | ThreatConnect Field |
|---|---|
| title | Name/Summary |
| wrapper_status |
|
| creation_ts | Event Date |
| released_ts | Date Added |
| last_updated_ts | Last Modified |
| id | Attribute: "External ID" |
| watcher_group_name | Attribute: "Watcher Group" |
| links.verity_portal.href | Attribute: "Source" |
| body | Attribute: "Description" |
| victims[].name |
|
| entities[?type=='Handle'].value |
|
| sources[].links.verity_portal.href | Attribute: "Additional Analysis and Context" |
| locations[].country |
|
| derived_entities[?type=='Handle'].value |
|
| entities[?type=='MalwareFamily'].value |
|
| derived_entities[?type=='MalwareFamily'].value |
|
| sub_type | Tag |
| entities[?type=='MobileMalwareFamily'].value | Tag: "Malware: <name>" |
| entities[?type=='Telegram'].value | Tag |
| entities[?type=='MaliciousDomain'].value | Tag |
| entities[?type=='FileName'].value | Tag |
| entities[?type=='CveID'].value | Tag: "Vulnerability: <name>" |
| classification.girs[].name | Tag |
| derived_entities[?type=='CveID'].value | Tag: "Vulnerability: <name>" |
| related_reports[].id | Associated Group |
Alert: Forum Post
ThreatConnect object type: Event Group
| Verity471 API Field | ThreatConnect Field |
|---|---|
| thread.topic_original || name || forum.id | Name/Summary |
| wrapper_status |
|
| post.creation_ts |
|
| post.id | Attribute: "External ID" |
| watcher_group_name | Attribute: "Watcher Group" |
| links.verity_portal.href | Attribute: "Source" |
| post.html | Attribute: "Description" |
| post.author.user_name |
|
| thread.links.verity_portal.href | Attribute: "Additional Analysis and Context" |
| forum.title |
|
| post.entities[?type=='Handle'].value |
|
| post.derived_entities[?type=='Handle'].value |
|
| post.entities[?type=='MalwareFamily'].value |
|
| post.derived_entities[?type=='MalwareFamily'].value |
|
| post.entities[?type=='CveID'].value | Tag: "Vulnerability: <name>" |
| post.derived_entities[?type=='CveID'].value | Tag: "Vulnerability: <name>" |
| post.author.id | Associated Group |
Alert: Geopolitical Report
ThreatConnect object type: Event Group
| Verity471 API Field | ThreatConnect Field |
|---|---|
| title | Name/Summary |
| wrapper_status |
|
| creation_ts | Event Date |
| released_ts | Date Added |
| last_updated_ts | Last Modified |
| id | Attribute: "External ID" |
| watcher_group_name | Attribute: "Watcher Group" |
| links.verity_portal.href | Attribute: "Source" |
| body | Attribute: "Description" |
| sources[].links.verity_portal.href | Attribute: "Additional Analysis and Context" |
| country_profiles[].country_iso_code | Attribute: "Country Code" |
| country_profiles[].country |
|
| entities[?type=='Handle'].value |
|
| derived_entities[?type=='Handle'].value |
|
| entities[?type=='MalwareFamily'].value |
|
| derived_entities[?type=='MalwareFamily'].value |
|
| sub_type | Tag |
| classification.girs[].name | Tag |
| entities[?type=='CveID'].value | Tag: "Vulnerability: <name>" |
| derived_entities[?type=='CveID'].value | Tag: "Vulnerability: <name>" |
| related_reports[].id | Associated Group |
Alert: Information Report
ThreatConnect object type: Event Group
| Verity471 API Field | ThreatConnect Field |
|---|---|
| title | Name/Summary |
| wrapper_status |
|
| creation_ts | Event Date |
| released_ts | Date Added |
| last_updated_ts | Last Modified |
| id | Attribute: "External ID" |
| watcher_group_name | Attribute: "Watcher Group" |
| links.verity_portal.href | Attribute: "Source" |
| body | Attribute: "Description" |
| victims[].name |
|
| actor_subject_of_report[].handle |
|
| assessment.admiralty_code | Attribute: "Admiralty Code" |
| source_characterization | Attribute: "Source Characterization" |
| motivation[] | Attribute: "Adversary Motivation Type" |
| researcher_comments | Attribute: "Additional Analysis and Context" |
| entities[?type=='Handle'].value |
|
| derived_entities[?type=='Handle'].value |
|
| entities[?type=='MalwareFamily'].value |
|
| derived_entities[?type=='MalwareFamily'].value |
|
| entities[?type=='MobileMalwareFamily'].value | Tag: "Malware: <name>" |
| entities[?type=='Telegram'].value | Tag |
| entities[?type=='MaliciousDomain'].value | Tag |
| entities[?type=='FileName'].value | Tag |
| entities[?type=='CveID'].value | Tag: "Vulnerability: <name>" |
| classification.girs[].name | Tag |
| derived_entities[?type=='CveID'].value | Tag: "Vulnerability: <name>" |
| related_reports[].id | Associated Group |
Alert: Malware Report
ThreatConnect object type: Event Group
| Verity471 API Field | ThreatConnect Field |
|---|---|
| title | Name/Summary |
| wrapper_status |
|
| creation_ts | Event Date |
| released_ts | Date Added |
| last_updated_ts | Last Modified |
| id | Attribute: "External ID" |
| watcher_group_name | Attribute: "Watcher Group" |
| links.verity_portal.href |
|
| body | Attribute: "Description" |
| entities[?type=='Handle'].value |
|
| derived_entities[?type=='Handle'].value |
|
| entities[?type=='MalwareFamily'].value |
|
| derived_entities[?type=='MalwareFamily'].value |
|
| classification.girs[].name | Tag |
| threat.family | Tag: "Malware: <name>" |
| entities[?type=='Telegram'].value | Tag |
| entities[?type=='MobileMalwareFamily'].value | Tag: "Malware: <name>" |
| entities[?type=='MaliciousDomain'].value | Tag |
| entities[?type=='FileName'].value | Tag |
| entities[?type=='CveID'].value | Tag: "Vulnerability: <name>" |
| entities[?type=='EmailAddress'].value | Tag |
| derived_entities[?type=='CveID'].value | Tag: "Vulnerability: <name>" |
| related_reports[].id | Associated Group |
Alert: Observable
ThreatConnect object type: Event Group
| Verity471 API Field | ThreatConnect Field |
|---|---|
| value |
|
| wrapper_status |
|
| activity.first_seen_ts |
|
| activity.last_seen_ts | Last Seen |
| id | Attribute: "External ID" |
| watcher_group_name | Attribute: "Watcher Group" |
| links.verity_portal.href | Attribute: "Source" |
| report.links.verity_portal.href | Attribute: "Additional Analysis and Context" |
| type | Tag |
| report.type | Tag |
Alert: Private Message
ThreatConnect object type: Event Group
| Verity471 API Field | ThreatConnect Field |
|---|---|
| private_message.subject | Name/Summary |
| wrapper_status |
|
| private_message.creation_ts |
|
| private_message.id | Attribute: "External ID" |
| watcher_group_name | Attribute: "Watcher Group" |
| links.verity_portal.href | Attribute: "Source" |
| private_message.message | Attribute: "Description" |
| forum.links.verity_portal.href | Attribute: "Additional Analysis and Context" |
| forum.title |
|
| author.user_name | Tag |
| recipient.user_name | Tag |
Alert: Spot Report
ThreatConnect object type: Event Group
| Verity471 API Field | ThreatConnect Field |
|---|---|
| title | Name/Summary |
| wrapper_status |
|
| creation_ts | Event Date |
| released_ts | Date Added |
| last_updated_ts | Last Modified |
| id | Attribute: "External ID" |
| watcher_group_name | Attribute: "Watcher Group" |
| links.verity_portal.href | Attribute: "Source" |
| sources[].links.verity_portal.href | Attribute: "Additional Analysis and Context" |
| entities[?type=='MalwareFamily'].value | Tag: "Malware: <name>" |
| entities[?type=='MobileMalwareFamily'].value | Tag: "Malware: <name>" |
| entities[?type=='Handle'].value |
|
| entities[?type=='Telegram'].value | Tag |
| entities[?type=='MaliciousDomain'].value | Tag |
| entities[?type=='FileName'].value | Tag |
| entities[?type=='CveID'].value | Tag: "Vulnerability: <name>" |
| classification.girs[].name | Tag |
| sub_type | Tag |
| derived_entities[?type=='Handle'].value | Tag: "Adversary: <name>" |
| derived_entities[?type=='CveID'].value | Tag: "Vulnerability: <name>" |
| derived_entities[?type=='MalwareFamily'].value | Tag: "Malware: <name>" |
Alert: Vulnerability
ThreatConnect object type: Event Group
| Verity471 API Field | ThreatConnect Field |
|---|---|
| name |
|
| wrapper_status |
|
| creation_ts |
|
| last_updated_ts | Last Modified |
| id | Attribute: "External ID" |
| watcher_group_name | Attribute: "Watcher Group" |
| links.verity_portal.href | Attribute: "Source" |
| body | Attribute: "Description" |
| underground_activity_summary_html | Attribute: "Additional Analysis and Context" |
| risk_level | Attribute: "CVE Threat Level" |
| patch_status |
|
| poc_links[].links.external.href | Attribute: "Exploit PoC Link" |
| activity_location[] | Attribute: "Activity Location" |
| cve_type | Attribute: "CVE Type" |
| cvss[?version=='2.0' && score >= `0`].score | [0] | Attribute: "CVSS Score v2" |
| cvss[?version=='3.0' && score >= `0`].score | [0] | Attribute: "CVSS Score v3" |
| cvss[?version=='3.1' && score >= `0`].score | [0] | Attribute: "CVSS Score v3.1" |
| cvss[?version=='4.0' && score >= `0`].score | [0] | Attribute: "CVSS Score v4" |
| exploit_status[] |
|
| sources[].links.verity_portal.href | Attribute: "Source" |
| status |
|
| product_name | Attribute: "Vulnerable Product" |
| interest_level[] | Attribute: "Interest Level" |
| vendor_name | Attribute: "Vulnerable Vendor" |
| classification.girs[].name | Tag |
Breach Alert
ThreatConnect object type: Report Group
| Verity471 API Field | ThreatConnect Field |
|---|---|
| title | Name/Summary |
| body |
|
| released_ts | Publish Date |
| creation_ts | Date Added |
| last_updated_ts | Last Modified |
| id | Attribute: "External ID" |
| links.verity_portal.href | Attribute: "Source" |
| confidence.level | Attribute: "Confidence" |
| actor_or_group |
|
| entities[?type=='Handle'].value |
|
| derived_entities[?type=='Handle'].value |
|
| entities[?type=='MalwareFamily'].value |
|
| derived_entities[?type=='MalwareFamily'].value |
|
| victims[].name | Attribute: "Breach Alert Victim" |
| classification.girs[].name | Tag |
| entities[?type=='CveID'].value | Tag: "Vulnerability: <name>" |
| derived_entities[?type=='CveID'].value | Tag: "Vulnerability: <name>" |
| related_reports[].id | Associated Group |
FinTel Report
ThreatConnect object type: Report Group
| Verity471 API Field | ThreatConnect Field |
|---|---|
| title | Name/Summary |
| body |
|
| released_ts | Publish Date |
| creation_ts | Date Added |
| last_updated_ts | Last Modified |
| id | Attribute: "External ID" |
| links.verity_portal.href | Attribute: "Source" |
| information_ts | Attribute: "Date of Information" |
| entities[?type=='Telegram'] || derived_entities[?type=='Telegram'] | [].value | Attribute: "Social Media: Telegram" |
| entities[?type=='Discord'] || derived_entities[?type=='Discord'] | [].value | Attribute: "Social Media: Discord" |
| entities[?type=='Instagram'] || derived_entities[?type=='Instagram'] | [].value | Attribute: "Social Media: Instagram" |
| entities[?type=='LinkedIn'] || derived_entities[?type=='LinkedIn'] | [].value | Attribute: "Social Media: LinkedIn" |
| entities[?type=='GitHub'] || derived_entities[?type=='GitHub'] | [].value | Attribute: "Github" |
| entities[?type=='Wickr'] || derived_entities[?type=='Wickr'] | [].value | Attribute: "Social Media: Wickr" |
| entities[?type=='Facebook'] || derived_entities[?type=='Facebook'] | [].value | Attribute: "Social Media: Facebook" |
| entities[?type=='ICQ'] || derived_entities[?type=='ICQ'] | [].value | Attribute: "Social Media: ICQ" |
| entities[?type=='Jabber'] || derived_entities[?type=='Jabber'] | [].value | Attribute: "Social Media: Jabber" |
| entities[?type=='Skype'] || derived_entities[?type=='Skype'] | [].value | Attribute: "Social Media: Skype" |
| entities[?type=='VK'] || derived_entities[?type=='VK'] | [].value | Attribute: "Social Media: VK" |
| entities[?type=='X'] || derived_entities[?type=='X'] | [].value | Attribute: "Social Media: Twitter" |
| entities[?type=='Phone'] || derived_entities[?type=='Phone'] | [].value | Attribute: "Phone" |
| entities[?type=='Tox'] || derived_entities[?type=='Tox'] | [].value | Attribute: "Social Media: Tox" |
| entities[?type=='BitcoinAddress'] || derived_entities[?type=='BitcoinAddress'] | [].value | Attribute: "Bitcoin Address" |
| entities[?type=='BitcoinTransactionID'] || derived_entities[?type=='BitcoinTransactionID'] | [].value | Attribute: "Bitcoin Transaction ID" |
| entities[?type=='OtherCryptoCurrencies'] || derived_entities[?type=='OtherCryptoCurrencies'] | [].value | Attribute: "Other CryptoCurrencies" |
| entities[?type=='WebMoneyID'] || derived_entities[?type=='WebMoneyID'] | [].value | Attribute: "WebMoney ID" |
| entities[?type=='WebMoneyPurse'] || derived_entities[?type=='WebMoneyPurse'] | [].value | Attribute: "WebMoney Purse" |
| entities[?type=='QiwiWallet'] || derived_entities[?type=='QiwiWallet'] | [].value | Attribute: "Qiwi Wallet" |
| entities[?type=='YandexMoney'] || derived_entities[?type=='YandexMoney'] | [].value | Attribute: "Yandex.Money" |
| entities[?type=='EmailAddress'] || derived_entities[?type=='EmailAddress'] | [].value | Attribute: "Email Address" |
| entities[?type=='ActorOtherWebsite'] || derived_entities[?type=='ActorOtherWebsite'] | [].value | Attribute: "Actor Other Website" |
| entities[?type=='FileName'] || derived_entities[?type=='FileName'] | [].value | Attribute: "File Name" |
| entities[?type=='FileType'] || derived_entities[?type=='FileType'] | [].value | Attribute: "File Type" |
| entities[?type=='PGPKey'] || derived_entities[?type=='PGPKey'] | [].value | Attribute: "PGP Key" |
| entities[?type=='MalwareFamily'] || derived_entities[?type=='MalwareFamily'] | [].value | Attribute: "Malware Family" |
| entities[?type=='Handle'].value |
|
| derived_entities[?type=='Handle'].value |
|
| entities[?type=='MalwareFamily'].value |
|
| derived_entities[?type=='MalwareFamily'].value |
|
| sub_type | Tag |
| classification.girs[].name | Tag |
| victims[].name | Tag |
| derived_entities[?type=='Handle'].value | Tag: "Adversary: <name>" |
| entities[?type=='CveID'].value | Tag: "Vulnerability: <name>" |
| derived_entities[?type=='CveID'].value | Tag: "Vulnerability: <name>" |
| related_reports[].id | Associated Group |
Geopolitical Report
ThreatConnect object type: Report Group
| Verity471 API Field | ThreatConnect Field |
|---|---|
| title | Name/Summary |
| body |
|
| released_ts | Publish Date |
| creation_ts | Date Added |
| last_updated_ts | Last Modified |
| id | Attribute: "External ID" |
| links.verity_portal.href | Attribute: "Source" |
| information_ts | Attribute: "Date of Information" |
| entities[?type=='Handle'].value |
|
| derived_entities[?type=='Handle'].value |
|
| entities[?type=='MalwareFamily'].value |
|
| derived_entities[?type=='MalwareFamily'].value |
|
| sub_type | Tag |
| classification.girs[].name | Tag |
| country_profiles[].country | Tag |
| entities[?type=='CveID'].value | Tag: "Vulnerability: <name>" |
| derived_entities[?type=='CveID'].value | Tag: "Vulnerability: <name>" |
| related_reports[].id | Associated Group |
Indicator: Email Address
ThreatConnect object type: Email Address Indicator
| Verity471 API Field | ThreatConnect Field |
|---|---|
| data.email | Name/Summary |
| confidence | Confidence Rating |
| activity.first_seen_ts | First Seen |
| activity.last_seen_ts | Last Seen |
| expiration_ts |
|
| id | Attribute: "External ID" |
| description | Attribute: "Description" |
| threat.data.malware_family.name | Tag: "Malware: <name>" |
| kill_chain_phases[].phase_name | Tag |
| classification.girs[].name | Tag |
| threat.data.malware_family.id | Associated Group |
Indicator: File
ThreatConnect object type: File Indicator
| Verity471 API Field | ThreatConnect Field |
|---|---|
| data.file.md5 |
|
| data.file.sha1 |
|
| data.file.sha256 |
|
| confidence | Confidence Rating |
| activity.first_seen_ts | First Seen |
| activity.last_seen_ts | Last Seen |
| expiration_ts |
|
| id | Attribute: "External ID" |
| description | Attribute: "Description" |
| threat.data.malware_family.name | Tag: "Malware: <name>" |
| kill_chain_phases[].phase_name | Tag |
| classification.girs[].name | Tag |
| threat.data.malware_family.id | Associated Group |
Indicator: Host
ThreatConnect object type: Host Indicator
| Verity471 API Field | ThreatConnect Field |
|---|---|
| data.domain | Name/Summary |
| confidence | Confidence Rating |
| activity.first_seen_ts | First Seen |
| activity.last_seen_ts | Last Seen |
| expiration_ts |
|
| id | Attribute: "External ID" |
| description | Attribute: "Description" |
| threat.data.malware_family.name | Tag: "Malware: <name>" |
| kill_chain_phases[].phase_name | Tag |
| classification.girs[].name | Tag |
| threat.data.malware_family.id | Associated Group |
Indicator: IPv4 Address
ThreatConnect object type: Address Indicator
| Verity471 API Field | ThreatConnect Field |
|---|---|
| data.ipv4.ip_address | Name/Summary |
| confidence | Confidence Rating |
| activity.first_seen_ts | First Seen |
| activity.last_seen_ts | Last Seen |
| expiration_ts |
|
| id | Attribute: "External ID" |
| description | Attribute: "Description" |
| data.ipv4.geo_ip.country |
|
| data.ipv4.geo_ip.city | Attribute: "City" |
| data.ipv4.geo_ip.country_code | Attribute: "Country Code" |
| data.ipv4.geo_ip.isp.autonomous_system | Attribute: "ASN Host" |
| data.ipv4.geo_ip.isp.organization | Attribute: "Organization" |
| threat.data.malware_family.name | Tag: "Malware: <name>" |
| kill_chain_phases[].phase_name | Tag |
| classification.girs[].name | Tag |
| threat.data.malware_family.id | Associated Group |
Indicator: URL
ThreatConnect object type: URL Indicator
| Verity471 API Field | ThreatConnect Field |
|---|---|
| data.url | Name/Summary |
| confidence | Confidence Rating |
| activity.first_seen_ts | First Seen |
| activity.last_seen_ts | Last Seen |
| expiration_ts |
|
| id | Attribute: "External ID" |
| description | Attribute: "Description" |
| threat.data.malware_family.name | Tag: "Malware: <name>" |
| kill_chain_phases[].phase_name | Tag |
| classification.girs[].name | Tag |
| threat.data.malware_family.id | Associated Group |
Information Report
ThreatConnect object type: Report Group
| Verity471 API Field | ThreatConnect Field |
|---|---|
| title | Name/Summary |
| body |
|
| released_ts | Publish Date |
| creation_ts | Date Added |
| last_updated_ts | Last Modified |
| id | Attribute: "External ID" |
| links.verity_portal.href | Attribute: "Source" |
| assessment.admiralty_code | Attribute: "Admiralty Code" |
| source_characterization | Attribute: "Source Characterization" |
| motivation[] | Attribute: "Adversary Motivation Type" |
| executive_summary | Attribute: "Executive Summary" |
| information_ts | Attribute: "Date of Information" |
| entities[?type=='AIM'].value | Attribute: "Social Media: AIM" |
| entities[?type=='Tox'] || derived_entities[?type=='Tox'] | [].value | Attribute: "Social Media: Tox" |
| entities[?type=='OtherCryptoCurrencies'].value | Attribute: "Other CryptoCurrencies" |
| entities[?type=='Facebook'].value | Attribute: "Social Media: Facebook" |
| entities[?type=='ICQ'].value | Attribute: "Social Media: ICQ" |
| entities[?type=='Jabber'].value | Attribute: "Social Media: Jabber" |
| entities[?type=='MSN'].value | Attribute: "MSN" |
| entities[?type=='PerfectMoneyID'].value | Attribute: "Perfect Money ID" |
| entities[?type=='Phone'] || derived_entities[?type=='Phone'] | [].value | Attribute: "Phone" |
| entities[?type=='Skype'].value | Attribute: "Social Media: Skype" |
| entities[?type=='X'].value | Attribute: "Social Media: Twitter" |
| entities[?type=='VK'].value | Attribute: "Social Media: VK" |
| entities[?type=='WebMoneyID'].value | Attribute: "WebMoney ID" |
| entities[?type=='WebMoneyPurse'].value | Attribute: "WebMoney Purse" |
| entities[?type=='YahooIM'].value | Attribute: "Social Media: YahooIM" |
| entities[?type=='YandexMoney'].value | Attribute: "Yandex.Money" |
| entities[?type=='BitcoinAddress'] || derived_entities[?type=='BitcoinAddress'] | [].value | Attribute: "Bitcoin Address" |
| entities[?type=='EmailAddress'] || derived_entities[?type=='EmailAddress'] | [].value | Attribute: "Email Address" |
| entities[?type=='ActorOtherWebsite'] || derived_entities[?type=='ActorOtherWebsite'] | [].value | Attribute: "Actor Other Website" |
| actor_subject_of_report[].aliases[] | Attribute: "Aliases" |
| entities[?type=='Handle'].value |
|
| derived_entities[?type=='Handle'].value |
|
| entities[?type=='MalwareFamily'].value |
|
| derived_entities[?type=='MalwareFamily'].value |
|
| actor_subject_of_report[].handle | Tag: "Adversary: <name>" |
| classification.girs[].name | Tag |
| victims[].name | Tag |
| entities[?type=='CveID'].value | Tag: "Vulnerability: <name>" |
| derived_entities[?type=='CveID'].value | Tag: "Vulnerability: <name>" |
| related_reports[].id | Associated Group |
Malware Family
ThreatConnect object type: Malware Group
| Verity471 API Field | ThreatConnect Field |
|---|---|
| name |
|
| description | Attribute: "Description" |
| activity.first_seen_ts |
|
| activity.last_seen_ts |
|
| id |
|
| platforms[] | Tag |
| classification.girs[].name | Tag |
Spot Report
ThreatConnect object type: Report Group
| Verity471 API Field | ThreatConnect Field |
|---|---|
| title | Name/Summary |
| body |
|
| released_ts | Publish Date |
| creation_ts | Date Added |
| last_updated_ts | Last Modified |
| id | Attribute: "External ID" |
| links.verity_portal.href | Attribute: "Source" |
| information_ts | Attribute: "Date of Information" |
| entities[?type=='Handle'].value |
|
| derived_entities[?type=='Handle'].value |
|
| entities[?type=='MalwareFamily'].value |
|
| derived_entities[?type=='MalwareFamily'].value |
|
| classification.girs[].name | Tag |
| victims[].name | Tag |
| sub_type | Tag |
| entities[?type=='CveID'].value | Tag: "Vulnerability: <name>" |
| derived_entities[?type=='CveID'].value | Tag: "Vulnerability: <name>" |
Vulnerability
ThreatConnect object type: Vulnerability Group
| Verity471 API Field | ThreatConnect Field |
|---|---|
| name |
|
| activity.first_seen_ts | First Seen |
| activity.last_seen_ts | Last Seen |
| creation_ts | Publish Date |
| last_updated_ts | Last Modified |
| id | Attribute: "External ID" |
| links.verity_portal.href | Attribute: "Source" |
| cve_type | Attribute: "CVE Type" |
| cvss[?version=='2.0' && score >= `0`].score | [0] | Attribute: "CVSS Score v2" |
| cvss[?version=='3.0' && score >= `0`].score | [0] | Attribute: "CVSS Score v3" |
| cvss[?version=='3.1' && score >= `0`].score | [0] | Attribute: "CVSS Score v3.1" |
| cvss[?version=='4.0' && score >= `0`].score | [0] | Attribute: "CVSS Score v4" |
| exploit_status[] |
|
| patch_status |
|
| risk_level | Attribute: "Vulnerability Priority" |
| vendor_name | Attribute: "Vulnerable Vendor" |
| product_name | Attribute: "Product" |
| interest_level[] | Attribute: "Interest Level" |
| activity_location[] | Attribute: "Activity Location" |
| aliases[] | Attribute: "Aliases" |
| classification.girs[].name | Tag |
| status | Tag |
YARA Signature
ThreatConnect object type: Signature Group
| Verity471 API Field | ThreatConnect Field |
|---|---|
| data.yara.title |
|
| data.yara.signature | File Content |
| activity.first_seen_ts | First Seen |
| activity.last_seen_ts | Last Seen |
| id | Attribute: "External ID" |
| threat.data.malware_family.name | Tag: "Malware: <name>" |
| classification.girs[].name | Tag |
| threat.data.malware_family.id | Associated Group |
Malware Report
ThreatConnect object type: Report Group
| Verity471 API Field | ThreatConnect Field |
|---|---|
| title | Name/Summary |
| body |
|
| released_ts | Publish Date |
| creation_ts | Date Added |
| last_updated_ts | Last Modified |
| id | Attribute: "External ID" |
| links.verity_portal.href | Attribute: "Source" |
| assessment.admiralty_code | Attribute: "Admiralty Code" |
| source_characterization | Attribute: "Source Characterization" |
| motivation[] | Attribute: "Adversary Motivation Type" |
| executive_summary | Attribute: "Executive Summary" |
| information_ts | Attribute: "Date of Information" |
| entities[?type=='AIM'].value | Attribute: "Social Media: AIM" |
| entities[?type=='Tox'] || derived_entities[?type=='Tox'] | [].value | Attribute: "Social Media: Tox" |
| entities[?type=='OtherCryptoCurrencies'].value | Attribute: "Other CryptoCurrencies" |
| entities[?type=='Facebook'].value | Attribute: "Social Media: Facebook" |
| entities[?type=='ICQ'].value | Attribute: "Social Media: ICQ" |
| entities[?type=='Jabber'].value | Attribute: "Social Media: Jabber" |
| entities[?type=='MSN'].value | Attribute: "MSN" |
| entities[?type=='PerfectMoneyID'].value | Attribute: "Perfect Money ID" |
| entities[?type=='Phone'] || derived_entities[?type=='Phone'] | [].value | Attribute: "Phone" |
| entities[?type=='Skype'].value | Attribute: "Social Media: Skype" |
| entities[?type=='X'].value | Attribute: "Social Media: Twitter" |
| entities[?type=='VK'].value | Attribute: "Social Media: VK" |
| entities[?type=='WebMoneyID'].value | Attribute: "WebMoney ID" |
| entities[?type=='WebMoneyPurse'].value | Attribute: "WebMoney Purse" |
| entities[?type=='YahooIM'].value | Attribute: "Social Media: YahooIM" |
| entities[?type=='YandexMoney'].value | Attribute: "Yandex.Money" |
| entities[?type=='BitcoinAddress'] || derived_entities[?type=='BitcoinAddress'] | [].value | Attribute: "Bitcoin Address" |
| entities[?type=='EmailAddress'] || derived_entities[?type=='EmailAddress'] | [].value | Attribute: "Email Address" |
| entities[?type=='ActorOtherWebsite'] || derived_entities[?type=='ActorOtherWebsite'] | [].value | Attribute: "Actor Other Website" |
| actor_subject_of_report[].aliases[] | Attribute: "Aliases" |
| entities[?type=='Handle'].value |
|
| derived_entities[?type=='Handle'].value |
|
| entities[?type=='MalwareFamily'].value |
|
| derived_entities[?type=='MalwareFamily'].value |
|
| actor_subject_of_report[].handle | Tag: "Adversary: <name>" |
| classification.girs[].name | Tag |
| victims[].name | Tag |
| entities[?type=='CveID'].value | Tag: "Vulnerability: <name>" |
| derived_entities[?type=='CveID'].value | Tag: "Vulnerability: <name>" |
| related_reports[].id | Associated Group |
Event Status Mapping
Table 30 shows how Verity471 alert status is mapped to ThreatConnect Event Group status.
| Verity471 Alert Status | ThreatConnect Event Status | Description |
|---|---|---|
| generated | Needs Review | Default state when an alert fires; the analyst should triage. |
| needs_action | Escalated | The analyst has flagged the alert for action in Verity471. |
| in_progress | In Progress | The alert is being actively worked in Verity471. |
| completed | Completed | The alert has been resolved in Verity471. |
| false_positive | False Positive | The alert has been dismissed as a false positive. |
Watcher Alerts
The Intel471 Verity Intelligence Engine app ingests customer-specific watcher alerts from Verity471’s watcher system. All watcher alerts are created as Event Groups in ThreatConnect.
Watcher alert ingestion is enabled by selecting the Ingest Alerts checkbox and specifying one or more values in the Watcher Group IDs field during deployment. All alerts are ingested on a 30-minute polling cycle.
The human-readable watcher group name for each corresponding Event Group, stored in the Watcher Group attribute, is resolved from the alert’s watcher group ID. The Verity471 portal URL from the alert is stored in the Source attribute so that you can pivot back to Verity471 to view additional details about the object.
Frequently Asked Questions (FAQ)
Does the Intel471 Verity Intelligence Engine app replace the Intel 471 Intelligence Engine app?
No. The Intel471 Verity Intelligence Engine app targets the next-generation Verity471 API and runs in parallel with the Intel 471 Intelligence Engine app, which targets the legacy Titan API. It does not deprecate or disable the Intel 471 Intelligence Engine app.
Why don’t I see any watcher alerts in ThreatConnect?
Confirm that the Ingest Alerts checkbox is selected and that valid watcher group IDs are entered in the service’s configuration. The Intel471 Verity Intelligence Engine app ingests alerts only from the specified Watcher groups; it does not pull from all watcher groups.
Why did the Intel471 Verity Intelligence Engine fail to start?
- The Intel471 Verity Intelligence Engine app may fail if the Ingest Alerts checkbox is selected in the configuration, but no watcher group IDs are specified. Either clear the checkbox or ensure that valid watcher group IDs are entered in the Watcher Group IDs field.
- Verify that the Verity471 API credentials entered in the app’s configuration are correct. The app may fail if the watcher alerts API cannot be reached or returns a 401 unauthorized response.
How are Verity471 alert statuses represented in ThreatConnect?
Each alert’s status is mapped to a ThreatConnect Event Group status on ingestion. See the “Event Status Mapping” section for more information.
The Description attribute for a Report Group ingested by the Intel471 Verity Intelligence Engine app appears to be truncated. What happened?
Some report bodies (e.g., for malware reports) may be very large. Report bodies that exceed 65,535 characters may be truncated in the Description attribute.
ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.
30097-01 EN Rev. A