Documentation Index

Fetch the complete documentation index at: https://knowledge.threatconnect.com/llms.txt

Use this file to discover all available pages before exploring further.

🎉 ThreatConnect® 8.0 is now available!

Intel471 Verity Intelligence Engine Integration User Guide

Prev Next
Note
This guide applies to the Intel471 Verity Intelligence Engine app version 1.0.0.

Overview

The Intel471 Verity Intelligence Engine feed API service app ingests structured threat intelligence—including indicators, malware families, vulnerabilities, finished intelligence reports, and breach alerts—as well as customer-specific watcher alerts from the Intel 471 Verity471 platform and creates corresponding objects in ThreatConnect® with select Verity471 metadata:

  • Alerts (including watcher alerts) are created as Event Groups in ThreatConnect.
  • Reports are created as Report Groups in ThreatConnect.
  • Vulnerabilities are created as Vulnerability Groups in ThreatConnect.
  • Indicators are created as Address, File, Host, and URL Indicators in ThreatConnect.
  • Malware families are created as Malware Groups in ThreatConnect.
  • YARA signatures are created as Signature Groups in ThreatConnect.

Dependencies

ThreatConnect Dependencies

  • Active ThreatConnect Application Programming Interface (API) key
  • ThreatConnect instance with version 7.12.2 or newer installed
Note
All ThreatConnect dependencies will be provided by default to subscribing ThreatConnect Cloud customers. Customers on Dedicated Cloud and On-Premises instances can enable these settings on the Account Settings screen within their ThreatConnect instance.

Intel 471 Verity471 Dependencies

  • Intel 471 Verity471 API credentials:
    • API username (Key ID)
    • API key (Key Secret)
  • An active Intel 471 Verity471 subscription
  • One or more Intel 471 watcher group IDs (required only if watcher alert ingestion is enabled)

Application Setup and Configuration

The Intel471 Verity Intelligence Engine app leverages the Feed Deployer to create a Source for data ingestion from Intel 471 Verity471 in an Organization and to configure the corresponding service’s ingestion and authentication parameters. After you install the Intel471 Verity Intelligence Engine app on your ThreatConnect instance, you can deploy it to any Organization. It must be deployed separately for each Organization in which you want to create a Source for data ingestion and a corresponding service.

Install the Intel471 Verity Intelligence Engine App

Follow these steps to install the Intel471 Verity Intelligence Engine app on your ThreatConnect instance:

  1. Log into ThreatConnect with a System Administrator account.
  2. From the SettingsGear iconmenu on the top navigation bar, select TC Exchange Settings.
  3. Select the Catalog tab on the TC Exchange™ Settings screen.
  4. Locate the Intel471 Verity Intelligence Engine app on the Catalog tab.
  5. Click InstallPlus iconin the Options column for the app.
  6. Click INSTALL in the app’s Release Notes window.
  7. After you install the Intel471 Verity Intelligence Engine app, the Feed Deployer opens automatically. Follow the procedure in the “Deploy the Intel471 Verity Intelligence Engine App to an Organization” section to deploy the Intel471 Verity Intelligence Engine app to a Source in an Organization and configure the corresponding service.

Deploy the Intel471 Verity Intelligence Engine App to an Organization

Follow these steps to deploy the Intel471 Verity Intelligence Engine app to an Organization:

Note
Skip to the fourth step in the procedure if you just installed the Intel471 Verity Intelligence Engine app and are already viewing the Feed Deployer window.
  1. Log into ThreatConnect with a System Administrator account.
  2. From the SettingsGear icon menu on the top navigation bar, select TC Exchange Settings.
  3. Locate the Intel471 Verity Intelligence Engine app on the Installed tab. Then select Deploy from the Options dropdown.
  4. Follow the instructions in Table 1 to fill out the fields in the Feed Deployer window for a deployment of the Intel471 Verity Intelligence Engine app.

     

    NameDescriptionRequired?
    Source Tab
    Sources to CreateEnter the name of the Source for the feed.
    Note
    Unless you are redeploying the feed to an existing Source in an Organization, the name of the Source must be unique on your ThreatConnect instance. It is recommended to add the Organization’s name to the end of the default Source name (e.g., Intel471 Verity Intelligence Engine - Demo Organization) for easy identification of the Source’s owner.
    Required
    OwnerSelect the Organization in which the Source will be created.Required
    Activate DeprecationSelect this checkbox to allow confidence deprecation rules to be created and applied to Indicators in the Source.Optional
    Create AttributesSelect this checkbox to allow custom attribute types for the Intel471 Verity Intelligence Engine app to be created on the System level of your ThreatConnect instance.
    Important
    It is recommended that you keep this checkbox selected. If you deselect it, data from the Intel471 Verity Intelligence Engine app mapped to those attribute types will not be ingested.
    Optional
    Parameters Tab
    Launch ServerSelect tc-job as the launch server for the feed API service.Required
    Intel Reports to IngestSelect the Verity471 report types to ingest. Available options include the following:
    • Breach (default)
    • Credential
    • FinTel (default)
    • Geopol (default)
    • Info (default)
    • Malware (default)
    • Spot (default)
    • Vulnerability (default)
    Required
    Ingest AlertsSelect this checkbox to ingest Verity471 watcher alerts into ThreatConnect.Optional
    Watcher Group IDsEnter the IDs, separated by commas, for one or more Verity471 watcher groups from which to ingest alerts.
    Important
    If the Ingest Alerts checkbox is selected, you must enter at least one watcher group ID; otherwise, the app may fail to start or may return an error.
    Optional
    Notification Digest IntervalSelect the interval at which the Intel471 Verity Intelligence Engine app should send notifications about job failure outcomes to the Notifications Center for users who are members of the Source for the Intel471 Verity Intelligence Engine service. The dissemination of the notifications is determined by each user’s Notifications Center settings.Required
    Notification TypesSelect the notification types to include in the notification digest.
    Note
    • The App Startup notification is sent only once, when the app is started for the first time. Selection of this option determines whether the initial digest sent to the Notifications Center will include a notification about successful app startup.
    • All notifications about app functionality (startup, startup failure, and shutdown) and job failure outcomes (failure, retry, and recovery) are provided on the Notifications screen in the service UI.
    Optional
    Advanced SettingsThere are no advanced settings to configure.
    Warning
    Leave this field blank, as entering values may result in unintended consequences.
    Optional
    Variables Tab
    Intel 471 Verity API UsernameEnter the Intel 471 Verity471 Key ID.Required
    Intel 471 Verity API KeyEnter the Intel 471 Verity471 Key Secret.Required
    Confirm Tab
    Run Feeds after deploymentSelect this checkbox to run the Intel471 Verity Intelligence Engine service immediately after you click DEPLOY on the Feed Deployer window.Optional
    Confirm Deployment Over Existing SourceThis checkbox and a warning message are displayed on the Confirm tab if the Source name entered on the Source tab is already used by a Source owned by the selected Organization. To confirm redeploying the app to the existing Source, select the checkbox. This will activate the DEPLOY button. Otherwise, you must return to the Source tab and either change the Source name or select a different Organization.
    Warning
    When you redeploy a feed API service to a Source, existing data in the Source may be overwritten. Redeployment will also create a new service for the feed API service app. It is recommended that you delete the previous service for the feed API service app after the new one is created.
    Optional
  5. Click DEPLOY on the Confirm tab of the Feed Deployer window to deploy the Intel471 Verity Intelligence Engine app in the Organization, which will create a Source for the feed in the Organization and a corresponding feed API service.

Intel471 Verity Intelligence Engine UI

After installing the Intel471 Verity Intelligence Engine app and deploying it to an Organization, you can access the Intel471 Verity Intelligence Engine UI, where you can manage data ingestion from Verity471 into the Source created in the Organization.

Follow these steps to access the Intel471 Verity Intelligence Engine UI:

  1. Log into ThreatConnect with a System Administrator account or a user account in the Organization with an Organization role of Organization Administrator.
  2. From the Automation & Feeds dropdown on the top navigation bar, select Services.
  3. Locate the row for the Intel471 Verity Intelligence Engine feed API service.
    Hint
    Select Feed Service from the Service Type dropdown at the upper right to filter the screen to show only feed API services. If there are multiple services for the Intel471 Verity Intelligence Engine app, you can identify the one configured for your Organization by clicking the row for a service to view its Details drawer, which includes an Organization field showing the Organization that owns the Source for that service.
  4. Turn on the toggle in the Enable column if the service is not already enabled.
  5. Click the link in the service’s API Path field to open the Intel471 Verity Intelligence Engine UI.

The following screens are available in the Intel471 Verity Intelligence Engine service UI:

Dashboard

The Dashboard screen provides an overview of the total number of intelligence types and alerts ingested from Verity471.

Jobs

The Jobs screen breaks down the ingestion of Verity471 data into manageable job-like tasks, displaying all processes that are pending, in progress, complete, and failed. The menu in a job’s row provides the following options:

  • Details: View details for the job, such as download, convert, and upload start and complete times and counts of downloaded and batched Groups and Indicators.
  • Download Files: Download metadata files for all jobs and data (convert, download, and upload) files for completed jobs.
  • Batch Errors: View errors that have occurred for the job on the Batch Errors screen.

You can filter Intel 471 Verity Intelligence Engine service jobs by the following elements:

  • Job ID: Enter text into this box to search for a job by its job ID.
  • Job Type: Select job types to display on the Jobs screen.
  • Status: Select job statuses to display on the Jobs screen.

Add a Job

You can add ad hoc jobs on the Jobs screen. Follow these steps to create a request for an ad hoc job for the Intel471 Verity Intelligence Engine service:

  1. Click Add Job.
  2. Fill out the fields on the Add Job drawer as follows:
    • Start Time: (Optional) Enter the time at which the job should start.
    • End Time: (Optional) Enter the time by which the job should end.
    • Reports to Ingest: (Optional) Select the Verity471 report types to include in the job.
    • Ingest Alerts? (Required) Select the appropriate option to determine whether to ingest alerts in the job.
  3. Click Submit.

Tasks

The Tasks screen displays all tasks that may be part of a job, including each step of the download, convert, and upload processes, as well as tasks for the Intel471 Verity Intelligence Engine service, such as monitor, scheduler, and cleaner. The current status (Idle, Paused, or Running), name, description, and heartbeat timeout length, in minutes, are displayed for each task. The menu in a task’s row provides the following options, depending on the task’s status:

  • Run (idle and paused tasks only)
  • Pause (idle and running tasks only)
  • Resume (paused tasks only)
  • Kill (running tasks only)

Under the table is a dashboard where you can view runtime analytics.

Download

The Download screen lets you download JavaScript® Object Notation (JSON) data for Verity471 objects and then upload the data into ThreatConnect. Follow these steps to download JSON data for a Verity471 object on the Download screen and then upload the data into ThreatConnect:

  1. Report Type: Select a Verity471 report type to download.
  2. External ID: Enter one or more Verity471 IDs for the objects to download, separating each ID with a comma.
  3. Click Download. The JSON data will be displayed in two columns: Results (raw JSON data) and Converted (JSON data in ThreatConnect batch format).
  4. Click Upload to submit the converted threat intelligence data via the ThreatConnect Batch API.

Batch Errors

The Batch Errors screen displays an overview of the batch error types that have occurred for job requests. You can enter keywords to filter by job ID. Select an error type to open a drawer containing a table with details on all batch errors of that type.

Notifications

The Notifications screen displays a table with details on notifications regarding app functionality and job failure outcomes for the Intel471 Verity Intelligence Engine service.

Attachment Status

The Attachment Status screen displays a table with details on ThreatConnect's attempts to download Report Group attachments from Verity471 You can enter Verity471 IDs for Groups to filter the table by Group ID, which can be useful if you do not see a Verity471 attachment in ThreatConnect as expected, or by status.

Data Mappings

The data mappings in Table 2 through Table 29 illustrate how data are mapped from Verity471 API endpoints to the ThreatConnect data model.

Alert: Breach Alert

ThreatConnect object type: Event Group

 

Verity471 API FieldThreatConnect Field
titleName/Summary
wrapper_status
creation_tsEvent Date
released_tsDate Added
last_updated_tsLast Modified
idAttribute: "External ID"
watcher_group_nameAttribute: "Watcher Group"
links.verity_portal.hrefAttribute: "Source"
bodyAttribute: "Description"
victims[].name
  • Attribute: "Breach Alert Victim"
  • Tag
actor_or_group
  • Attribute: "Actor or Group"
  • Tag: "Adversary: <name>"
  • Tag: "Intrusion Set: <name>"
confidence.levelAttribute: "Confidence"
sources[].links.verity_portal.hrefAttribute: "Additional Analysis and Context"
entities[?type=='Handle'].value
  • Attribute: "Aliases"
  • Tag: "Adversary: <name>"
  • Tag: "Intrusion Set: <name>"
derived_entities[?type=='Handle'].value
  • Attribute: "Aliases"
  • Tag: "Adversary: <name>"
entities[?type=='MalwareFamily'].value
  • Attribute: "Malware Family"
  • Tag: "Malware: <name>"
derived_entities[?type=='MalwareFamily'].value
  • Attribute: "Malware Family"
  • Tag: "Malware: <name>"
entities[?type=='MobileMalwareFamily'].valueTag: "Malware: <name>"
entities[?type=='Telegram'].valueTag
entities[?type=='MaliciousDomain'].valueTag
entities[?type=='FileName'].valueTag
entities[?type=='CveID'].valueTag: "Vulnerability: <name>"
classification.girs[].nameTag
derived_entities[?type=='CveID'].valueTag: "Vulnerability: <name>"
related_reports[].idAssociated Group

Alert: Chat Message

ThreatConnect object type: Event Group

 

Verity471 API FieldThreatConnect Field
chat_room.name
  • Name/Summary
  • Tag
wrapper_status
message.creation_ts
  • Event Date
  • Date Added
message.idAttribute: "External ID"
watcher_group_nameAttribute: "Watcher Group"
links.verity_portal.hrefAttribute: "Source"
message.htmlAttribute: "Description"
message.author.user_name
  • Attribute: "Actor or Group"
  • Tag: "Adversary: <name>"
chat_room.links.verity_portal.hrefAttribute: "Additional Analysis and Context"
message.author.idAssociated Group

Alert: Credential Occurrence

ThreatConnect object type: Event Group

 

Verity471 API FieldThreatConnect Field
data.credential.credential_login
  • Name/Summary
  • Attribute: "Username"
wrapper_status
activity.first_seen_tsFirst Seen
activity.last_seen_tsLast Seen
data.info_stealer.infection_tsEvent Date
last_updated_ts
  • Publish Date
  • Last Modified
idAttribute: "External ID"
watcher_group_nameAttribute: "Watcher Group"
links.verity_portal.hrefAttribute: "Source"
data.credential.affiliations[]Tag
data.credential_typeTag
classification.girs[].nameTag
data.credential.idAssociated Group
data.credential_set.idAssociated Group

Alert: Credential Set

ThreatConnect object type: Event Group

 

Verity471 API FieldThreatConnect Field
name
  • Name/Summary
  • Attribute: "Description"
wrapper_status
wrapper_creation_tsEvent Date
idAttribute: "External ID"
watcher_group_nameAttribute: "Watcher Group"
links.verity_portal.hrefAttribute: "Source"

Alert: Data Leak Post

ThreatConnect object type: Event Group

 

Verity471 API FieldThreatConnect Field
thread.titleName/Summary
wrapper_status
post.creation_tsEvent Date
post.last_updated_tsLast Modified
thread.idAttribute: "External ID"
watcher_group_nameAttribute: "Watcher Group"
links.verity_portal.hrefAttribute: "Source"
post.messageAttribute: "Description"
thread.links.verity_portal.hrefAttribute: "Additional Analysis and Context"
website.titleTag

Alert: FinTel

ThreatConnect object type: Event Group

 

Verity471 API FieldThreatConnect Field
titleName/Summary
wrapper_status
creation_tsEvent Date
released_tsDate Added
last_updated_tsLast Modified
idAttribute: "External ID"
watcher_group_nameAttribute: "Watcher Group"
links.verity_portal.hrefAttribute: "Source"
bodyAttribute: "Description"
victims[].name
  • Attribute: "Breach Alert Victim"
  • Tag
entities[?type=='Handle'].value
  • Attribute: "Actor or Group"
  • Attribute: "Aliases"
  • Tag: "Adversary: <name>"
  • Tag: "Intrusion Set: <name>"
sources[].links.verity_portal.hrefAttribute: "Additional Analysis and Context"
locations[].country
  • Attribute: "Country"
  • Tag
derived_entities[?type=='Handle'].value
  • Attribute: "Aliases"
  • Tag: "Adversary: <name>"
entities[?type=='MalwareFamily'].value
  • Attribute: "Malware Family"
  • Tag: "Malware: <name>"
derived_entities[?type=='MalwareFamily'].value
  • Attribute: "Malware Family"
  • Tag: "Malware: <name>"
sub_typeTag
entities[?type=='MobileMalwareFamily'].valueTag: "Malware: <name>"
entities[?type=='Telegram'].valueTag
entities[?type=='MaliciousDomain'].valueTag
entities[?type=='FileName'].valueTag
entities[?type=='CveID'].valueTag: "Vulnerability: <name>"
classification.girs[].nameTag
derived_entities[?type=='CveID'].valueTag: "Vulnerability: <name>"
related_reports[].idAssociated Group

Alert: Forum Post

ThreatConnect object type: Event Group

 

Verity471 API FieldThreatConnect Field
thread.topic_original || name || forum.idName/Summary
wrapper_status
post.creation_ts
  • Date Added
  • Event Date
post.idAttribute: "External ID"
watcher_group_nameAttribute: "Watcher Group"
links.verity_portal.hrefAttribute: "Source"
post.htmlAttribute: "Description"
post.author.user_name
  • Attribute: "Actor or Group"
  • Tag: "Adversary: <name>"
thread.links.verity_portal.hrefAttribute: "Additional Analysis and Context"
forum.title
  • Attribute: "Forum Name"
  • Tag: "Source: <name>"
post.entities[?type=='Handle'].value
  • Attribute: "Aliases"
  • Tag: "Adversary: <name>"
post.derived_entities[?type=='Handle'].value
  • Attribute: "Aliases"
  • Tag: "Adversary: <name>"
post.entities[?type=='MalwareFamily'].value
  • Attribute: "Malware Family"
  • Tag: "Malware: <name>"
post.derived_entities[?type=='MalwareFamily'].value
  • Attribute: "Malware Family"
  • Tag: "Malware: <name>"
post.entities[?type=='CveID'].valueTag: "Vulnerability: <name>"
post.derived_entities[?type=='CveID'].valueTag: "Vulnerability: <name>"
post.author.idAssociated Group

Alert: Geopolitical Report

ThreatConnect object type: Event Group

 

Verity471 API FieldThreatConnect Field
titleName/Summary
wrapper_status
creation_tsEvent Date
released_tsDate Added
last_updated_tsLast Modified
idAttribute: "External ID"
watcher_group_nameAttribute: "Watcher Group"
links.verity_portal.hrefAttribute: "Source"
bodyAttribute: "Description"
sources[].links.verity_portal.hrefAttribute: "Additional Analysis and Context"
country_profiles[].country_iso_codeAttribute: "Country Code"
country_profiles[].country
  • Attribute: "Country"
  • Tag
entities[?type=='Handle'].value
  • Attribute: "Aliases"
  • Tag: "Adversary: <name>"
  • Tag: "Intrusion Set: <name>"
derived_entities[?type=='Handle'].value
  • Attribute: "Aliases"
  • Tag: "Adversary: <name>"
entities[?type=='MalwareFamily'].value
  • Attribute: "Malware Family"
  • Tag: "Malware: <name>"
derived_entities[?type=='MalwareFamily'].value
  • Attribute: "Malware Family"
  • Tag: "Malware: <name>"
sub_typeTag
classification.girs[].nameTag
entities[?type=='CveID'].valueTag: "Vulnerability: <name>"
derived_entities[?type=='CveID'].valueTag: "Vulnerability: <name>"
related_reports[].idAssociated Group

Alert: Information Report

ThreatConnect object type: Event Group

 

Verity471 API FieldThreatConnect Field
titleName/Summary
wrapper_status
creation_tsEvent Date
released_tsDate Added
last_updated_tsLast Modified
idAttribute: "External ID"
watcher_group_nameAttribute: "Watcher Group"
links.verity_portal.hrefAttribute: "Source"
bodyAttribute: "Description"
victims[].name
  • Attribute: "Breach Alert Victim"
  • Tag
actor_subject_of_report[].handle
  • Attribute: "Actor or Group"
  • Tag: "Adversary: <name>"
  • Tag: "Intrusion Set: <name>"
assessment.admiralty_codeAttribute: "Admiralty Code"
source_characterizationAttribute: "Source Characterization"
motivation[]Attribute: "Adversary Motivation Type"
researcher_commentsAttribute: "Additional Analysis and Context"
entities[?type=='Handle'].value
  • Attribute: "Aliases"
  • Tag: "Adversary: <name>"
  • Tag: "Intrusion Set: <name>"
derived_entities[?type=='Handle'].value
  • Attribute: "Aliases"
  • Tag: "Adversary: <name>"
entities[?type=='MalwareFamily'].value
  • Attribute: "Malware Family"
  • Tag: "Malware: <name>"
derived_entities[?type=='MalwareFamily'].value
  • Attribute: "Malware Family"
  • Tag: "Malware: <name>"
entities[?type=='MobileMalwareFamily'].valueTag: "Malware: <name>"
entities[?type=='Telegram'].valueTag
entities[?type=='MaliciousDomain'].valueTag
entities[?type=='FileName'].valueTag
entities[?type=='CveID'].valueTag: "Vulnerability: <name>"
classification.girs[].nameTag
derived_entities[?type=='CveID'].valueTag: "Vulnerability: <name>"
related_reports[].idAssociated Group

Alert: Malware Report

ThreatConnect object type: Event Group

 

Verity471 API FieldThreatConnect Field
titleName/Summary
wrapper_status
creation_tsEvent Date
released_tsDate Added
last_updated_tsLast Modified
idAttribute: "External ID"
watcher_group_nameAttribute: "Watcher Group"
links.verity_portal.href
  • Attribute: "Source"
  • Attribute: "Additional Analysis and Context"
bodyAttribute: "Description"
entities[?type=='Handle'].value
  • Attribute: "Aliases"
  • Tag: "Adversary: <name>"
  • Tag: "Intrusion Set: <name>"
derived_entities[?type=='Handle'].value
  • Attribute: "Aliases"
  • Tag: "Adversary: <name>"
entities[?type=='MalwareFamily'].value
  • Attribute: "Malware Family"
  • Tag: "Malware: <name>"
derived_entities[?type=='MalwareFamily'].value
  • Attribute: "Malware Family"
  • Tag: "Malware: <name>"
classification.girs[].nameTag
threat.familyTag: "Malware: <name>"
entities[?type=='Telegram'].valueTag
entities[?type=='MobileMalwareFamily'].valueTag: "Malware: <name>"
entities[?type=='MaliciousDomain'].valueTag
entities[?type=='FileName'].valueTag
entities[?type=='CveID'].valueTag: "Vulnerability: <name>"
entities[?type=='EmailAddress'].valueTag
derived_entities[?type=='CveID'].valueTag: "Vulnerability: <name>"
related_reports[].idAssociated Group

Alert: Observable

ThreatConnect object type: Event Group

 

Verity471 API FieldThreatConnect Field
value
  • Name/Summary
  • Attribute: "Description"
wrapper_status
activity.first_seen_ts
  • Event Date
  • First Seen
activity.last_seen_tsLast Seen
idAttribute: "External ID"
watcher_group_nameAttribute: "Watcher Group"
links.verity_portal.hrefAttribute: "Source"
report.links.verity_portal.hrefAttribute: "Additional Analysis and Context"
typeTag
report.typeTag

Alert: Private Message

ThreatConnect object type: Event Group

 

Verity471 API FieldThreatConnect Field
private_message.subjectName/Summary
wrapper_status
private_message.creation_ts
  • Date Added
  • Event Date
  • Last Modified
private_message.idAttribute: "External ID"
watcher_group_nameAttribute: "Watcher Group"
links.verity_portal.hrefAttribute: "Source"
private_message.messageAttribute: "Description"
forum.links.verity_portal.hrefAttribute: "Additional Analysis and Context"
forum.title
  • Attribute: "Source Characterization"
  • Tag: "Source: <name>"
author.user_nameTag
recipient.user_nameTag

Alert: Spot Report

ThreatConnect object type: Event Group

 

Verity471 API FieldThreatConnect Field
titleName/Summary
wrapper_status
creation_tsEvent Date
released_tsDate Added
last_updated_tsLast Modified
idAttribute: "External ID"
watcher_group_nameAttribute: "Watcher Group"
links.verity_portal.hrefAttribute: "Source"
sources[].links.verity_portal.hrefAttribute: "Additional Analysis and Context"
entities[?type=='MalwareFamily'].valueTag: "Malware: <name>"
entities[?type=='MobileMalwareFamily'].valueTag: "Malware: <name>"
entities[?type=='Handle'].value
  • Tag: "Adversary: <name>"
  • Tag: "Intrusion Set: <name>"
entities[?type=='Telegram'].valueTag
entities[?type=='MaliciousDomain'].valueTag
entities[?type=='FileName'].valueTag
entities[?type=='CveID'].valueTag: "Vulnerability: <name>"
classification.girs[].nameTag
sub_typeTag
derived_entities[?type=='Handle'].valueTag: "Adversary: <name>"
derived_entities[?type=='CveID'].valueTag: "Vulnerability: <name>"
derived_entities[?type=='MalwareFamily'].valueTag: "Malware: <name>"

Alert: Vulnerability

ThreatConnect object type: Event Group

 

Verity471 API FieldThreatConnect Field
name
  • Name/Summary
  • Tag: "Vulnerability: <name>"
wrapper_status
creation_ts
  • Date Added
  • Event Date
last_updated_tsLast Modified
idAttribute: "External ID"
watcher_group_nameAttribute: "Watcher Group"
links.verity_portal.hrefAttribute: "Source"
bodyAttribute: "Description"
underground_activity_summary_htmlAttribute: "Additional Analysis and Context"
risk_levelAttribute: "CVE Threat Level"
patch_status
  • Attribute: "Patch Status"
  • Tag
poc_links[].links.external.hrefAttribute: "Exploit PoC Link"
activity_location[]Attribute: "Activity Location"
cve_typeAttribute: "CVE Type"
cvss[?version=='2.0' && score >= `0`].score | [0]Attribute: "CVSS Score v2"
cvss[?version=='3.0' && score >= `0`].score | [0]Attribute: "CVSS Score v3"
cvss[?version=='3.1' && score >= `0`].score | [0]Attribute: "CVSS Score v3.1"
cvss[?version=='4.0' && score >= `0`].score | [0]Attribute: "CVSS Score v4"
exploit_status[]
  • Attribute: "Exploitation State"
  • Tag
sources[].links.verity_portal.hrefAttribute: "Source"
status
  • Attribute: "CVE Status"
  • Tag
product_nameAttribute: "Vulnerable Product"
interest_level[]Attribute: "Interest Level"
vendor_nameAttribute: "Vulnerable Vendor"
classification.girs[].nameTag

Breach Alert

ThreatConnect object type: Report Group

 

Verity471 API FieldThreatConnect Field
titleName/Summary
body
  • Attribute: "Description"
  • Report File
released_tsPublish Date
creation_tsDate Added
last_updated_tsLast Modified
idAttribute: "External ID"
links.verity_portal.hrefAttribute: "Source"
confidence.levelAttribute: "Confidence"
actor_or_group
  • Attribute: "Actor or Group"
  • Tag: "Adversary: <name>"
entities[?type=='Handle'].value
  • Attribute: "Aliases"
  • Tag: "Adversary: <name>"
derived_entities[?type=='Handle'].value
  • Attribute: "Aliases"
  • Tag: "Adversary: <name>"
entities[?type=='MalwareFamily'].value
  • Attribute: "Malware Family"
  • Tag: "Malware: <name>"
derived_entities[?type=='MalwareFamily'].value
  • Attribute: "Malware Family"
  • Tag: "Malware: <name>"
victims[].nameAttribute: "Breach Alert Victim"
classification.girs[].nameTag
entities[?type=='CveID'].valueTag: "Vulnerability: <name>"
derived_entities[?type=='CveID'].valueTag: "Vulnerability: <name>"
related_reports[].idAssociated Group

FinTel Report

ThreatConnect object type: Report Group

 

Verity471 API FieldThreatConnect Field
titleName/Summary
body
  • Attribute: "Description"
  • Report File
released_tsPublish Date
creation_tsDate Added
last_updated_tsLast Modified
idAttribute: "External ID"
links.verity_portal.hrefAttribute: "Source"
information_tsAttribute: "Date of Information"
entities[?type=='Telegram'] || derived_entities[?type=='Telegram'] | [].valueAttribute: "Social Media: Telegram"
entities[?type=='Discord'] || derived_entities[?type=='Discord'] | [].valueAttribute: "Social Media: Discord"
entities[?type=='Instagram'] || derived_entities[?type=='Instagram'] | [].valueAttribute: "Social Media: Instagram"
entities[?type=='LinkedIn'] || derived_entities[?type=='LinkedIn'] | [].valueAttribute: "Social Media: LinkedIn"
entities[?type=='GitHub'] || derived_entities[?type=='GitHub'] | [].valueAttribute: "Github"
entities[?type=='Wickr'] || derived_entities[?type=='Wickr'] | [].valueAttribute: "Social Media: Wickr"
entities[?type=='Facebook'] || derived_entities[?type=='Facebook'] | [].valueAttribute: "Social Media: Facebook"
entities[?type=='ICQ'] || derived_entities[?type=='ICQ'] | [].valueAttribute: "Social Media: ICQ"
entities[?type=='Jabber'] || derived_entities[?type=='Jabber'] | [].valueAttribute: "Social Media: Jabber"
entities[?type=='Skype'] || derived_entities[?type=='Skype'] | [].valueAttribute: "Social Media: Skype"
entities[?type=='VK'] || derived_entities[?type=='VK'] | [].valueAttribute: "Social Media: VK"
entities[?type=='X'] || derived_entities[?type=='X'] | [].valueAttribute: "Social Media: Twitter"
entities[?type=='Phone'] || derived_entities[?type=='Phone'] | [].valueAttribute: "Phone"
entities[?type=='Tox'] || derived_entities[?type=='Tox'] | [].valueAttribute: "Social Media: Tox"
entities[?type=='BitcoinAddress'] || derived_entities[?type=='BitcoinAddress'] | [].valueAttribute: "Bitcoin Address"
entities[?type=='BitcoinTransactionID'] || derived_entities[?type=='BitcoinTransactionID'] | [].valueAttribute: "Bitcoin Transaction ID"
entities[?type=='OtherCryptoCurrencies'] || derived_entities[?type=='OtherCryptoCurrencies'] | [].valueAttribute: "Other CryptoCurrencies"
entities[?type=='WebMoneyID'] || derived_entities[?type=='WebMoneyID'] | [].valueAttribute: "WebMoney ID"
entities[?type=='WebMoneyPurse'] || derived_entities[?type=='WebMoneyPurse'] | [].valueAttribute: "WebMoney Purse"
entities[?type=='QiwiWallet'] || derived_entities[?type=='QiwiWallet'] | [].valueAttribute: "Qiwi Wallet"
entities[?type=='YandexMoney'] || derived_entities[?type=='YandexMoney'] | [].valueAttribute: "Yandex.Money"
entities[?type=='EmailAddress'] || derived_entities[?type=='EmailAddress'] | [].valueAttribute: "Email Address"
entities[?type=='ActorOtherWebsite'] || derived_entities[?type=='ActorOtherWebsite'] | [].valueAttribute: "Actor Other Website"
entities[?type=='FileName'] || derived_entities[?type=='FileName'] | [].valueAttribute: "File Name"
entities[?type=='FileType'] || derived_entities[?type=='FileType'] | [].valueAttribute: "File Type"
entities[?type=='PGPKey'] || derived_entities[?type=='PGPKey'] | [].valueAttribute: "PGP Key"
entities[?type=='MalwareFamily'] || derived_entities[?type=='MalwareFamily'] | [].valueAttribute: "Malware Family"
entities[?type=='Handle'].value
  • Attribute: "Aliases"
  • Tag: "Adversary: <name>"
derived_entities[?type=='Handle'].value
  • Attribute: "Aliases"
  • Tag: "Adversary: <name>"
entities[?type=='MalwareFamily'].value
  • Attribute: "Malware Family"
  • Tag: "Malware: <name>"
derived_entities[?type=='MalwareFamily'].value
  • Attribute: "Malware Family"
  • Tag: "Malware: <name>"
sub_typeTag
classification.girs[].nameTag
victims[].nameTag
derived_entities[?type=='Handle'].valueTag: "Adversary: <name>"
entities[?type=='CveID'].valueTag: "Vulnerability: <name>"
derived_entities[?type=='CveID'].valueTag: "Vulnerability: <name>"
related_reports[].idAssociated Group

Geopolitical Report

ThreatConnect object type: Report Group

 

Verity471 API FieldThreatConnect Field
titleName/Summary
body
  • Attribute: "Description"
  • Report File
released_tsPublish Date
creation_tsDate Added
last_updated_tsLast Modified
idAttribute: "External ID"
links.verity_portal.hrefAttribute: "Source"
information_tsAttribute: "Date of Information"
entities[?type=='Handle'].value
  • Attribute: "Aliases"
  • Tag: "Adversary: <name>"
derived_entities[?type=='Handle'].value
  • Attribute: "Aliases"
  • Tag: "Adversary: <name>"
entities[?type=='MalwareFamily'].value
  • Attribute: "Malware Family"
  • Tag: "Malware: <name>"
derived_entities[?type=='MalwareFamily'].value
  • Attribute: "Malware Family"
  • Tag: "Malware: <name>"
sub_typeTag
classification.girs[].nameTag
country_profiles[].countryTag
entities[?type=='CveID'].valueTag: "Vulnerability: <name>"
derived_entities[?type=='CveID'].valueTag: "Vulnerability: <name>"
related_reports[].idAssociated Group

Indicator: Email Address

ThreatConnect object type: Email Address Indicator

 

Verity471 API FieldThreatConnect Field
data.emailName/Summary
confidenceConfidence Rating
activity.first_seen_tsFirst Seen
activity.last_seen_tsLast Seen
expiration_ts
  • External Date Expires
  • Attribute: "External Date Expires"
idAttribute: "External ID"
descriptionAttribute: "Description"
threat.data.malware_family.nameTag: "Malware: <name>"
kill_chain_phases[].phase_nameTag
classification.girs[].nameTag
threat.data.malware_family.idAssociated Group

Indicator: File

ThreatConnect object type: File Indicator

 

Verity471 API FieldThreatConnect Field
data.file.md5
  • Name/Summary (value 1)
  • MD5
data.file.sha1
  • Name/Summary (value 2)
  • SHA1
data.file.sha256
  • Name/Summary (value 3)
  • SHA256
confidenceConfidence Rating
activity.first_seen_tsFirst Seen
activity.last_seen_tsLast Seen
expiration_ts
  • External Date Expires
  • Attribute: "External Date Expires"
idAttribute: "External ID"
descriptionAttribute: "Description"
threat.data.malware_family.nameTag: "Malware: <name>"
kill_chain_phases[].phase_nameTag
classification.girs[].nameTag
threat.data.malware_family.idAssociated Group

Indicator: Host

ThreatConnect object type: Host Indicator

 

Verity471 API FieldThreatConnect Field
data.domainName/Summary
confidenceConfidence Rating
activity.first_seen_tsFirst Seen
activity.last_seen_tsLast Seen
expiration_ts
  • External Date Expires
  • Attribute: "External Date Expires"
idAttribute: "External ID"
descriptionAttribute: "Description"
threat.data.malware_family.nameTag: "Malware: <name>"
kill_chain_phases[].phase_nameTag
classification.girs[].nameTag
threat.data.malware_family.idAssociated Group

Indicator: IPv4 Address

ThreatConnect object type: Address Indicator

 

Verity471 API FieldThreatConnect Field
data.ipv4.ip_addressName/Summary
confidenceConfidence Rating
activity.first_seen_tsFirst Seen
activity.last_seen_tsLast Seen
expiration_ts
  • External Date Expires
  • Attribute: "External Date Expires"
idAttribute: "External ID"
descriptionAttribute: "Description"
data.ipv4.geo_ip.country
  • Attribute: "Country"
  • Tag
data.ipv4.geo_ip.cityAttribute: "City"
data.ipv4.geo_ip.country_codeAttribute: "Country Code"
data.ipv4.geo_ip.isp.autonomous_systemAttribute: "ASN Host"
data.ipv4.geo_ip.isp.organizationAttribute: "Organization"
threat.data.malware_family.nameTag: "Malware: <name>"
kill_chain_phases[].phase_nameTag
classification.girs[].nameTag
threat.data.malware_family.idAssociated Group

Indicator: URL

ThreatConnect object type: URL Indicator

 

Verity471 API FieldThreatConnect Field
data.urlName/Summary
confidenceConfidence Rating
activity.first_seen_tsFirst Seen
activity.last_seen_tsLast Seen
expiration_ts
  • External Date Expires
  • Attribute: "External Date Expires"
idAttribute: "External ID"
descriptionAttribute: "Description"
threat.data.malware_family.nameTag: "Malware: <name>"
kill_chain_phases[].phase_nameTag
classification.girs[].nameTag
threat.data.malware_family.idAssociated Group

Information Report

ThreatConnect object type: Report Group

 

Verity471 API FieldThreatConnect Field
titleName/Summary
body
  • Attribute: "Description"
  • Report File
released_tsPublish Date
creation_tsDate Added
last_updated_tsLast Modified
idAttribute: "External ID"
links.verity_portal.hrefAttribute: "Source"
assessment.admiralty_codeAttribute: "Admiralty Code"
source_characterizationAttribute: "Source Characterization"
motivation[]Attribute: "Adversary Motivation Type"
executive_summaryAttribute: "Executive Summary"
information_tsAttribute: "Date of Information"
entities[?type=='AIM'].valueAttribute: "Social Media: AIM"
entities[?type=='Tox'] || derived_entities[?type=='Tox'] | [].valueAttribute: "Social Media: Tox"
entities[?type=='OtherCryptoCurrencies'].valueAttribute: "Other CryptoCurrencies"
entities[?type=='Facebook'].valueAttribute: "Social Media: Facebook"
entities[?type=='ICQ'].valueAttribute: "Social Media: ICQ"
entities[?type=='Jabber'].valueAttribute: "Social Media: Jabber"
entities[?type=='MSN'].valueAttribute: "MSN"
entities[?type=='PerfectMoneyID'].valueAttribute: "Perfect Money ID"
entities[?type=='Phone'] || derived_entities[?type=='Phone'] | [].valueAttribute: "Phone"
entities[?type=='Skype'].valueAttribute: "Social Media: Skype"
entities[?type=='X'].valueAttribute: "Social Media: Twitter"
entities[?type=='VK'].valueAttribute: "Social Media: VK"
entities[?type=='WebMoneyID'].valueAttribute: "WebMoney ID"
entities[?type=='WebMoneyPurse'].valueAttribute: "WebMoney Purse"
entities[?type=='YahooIM'].valueAttribute: "Social Media: YahooIM"
entities[?type=='YandexMoney'].valueAttribute: "Yandex.Money"
entities[?type=='BitcoinAddress'] || derived_entities[?type=='BitcoinAddress'] | [].valueAttribute: "Bitcoin Address"
entities[?type=='EmailAddress'] || derived_entities[?type=='EmailAddress'] | [].valueAttribute: "Email Address"
entities[?type=='ActorOtherWebsite'] || derived_entities[?type=='ActorOtherWebsite'] | [].valueAttribute: "Actor Other Website"
actor_subject_of_report[].aliases[]Attribute: "Aliases"
entities[?type=='Handle'].value
  • Attribute: "Aliases"
  • Tag: "Adversary: <name>"
derived_entities[?type=='Handle'].value
  • Attribute: "Aliases"
  • Tag: "Adversary: <name>"
entities[?type=='MalwareFamily'].value
  • Attribute: "Malware Family"
  • Tag: "Malware: <name>"
derived_entities[?type=='MalwareFamily'].value
  • Attribute: "Malware Family"
  • Tag: "Malware: <name>"
actor_subject_of_report[].handleTag: "Adversary: <name>"
classification.girs[].nameTag
victims[].nameTag
entities[?type=='CveID'].valueTag: "Vulnerability: <name>"
derived_entities[?type=='CveID'].valueTag: "Vulnerability: <name>"
related_reports[].idAssociated Group

Malware Family

ThreatConnect object type: Malware Group

 

Verity471 API FieldThreatConnect Field
name
  • Name/Summary
  • Tag: "Malware: <name>"
descriptionAttribute: "Description"
activity.first_seen_ts
  • First Seen
  • Attribute: "First Seen"
activity.last_seen_ts
  • Last Seen
  • Attribute: "Last Seen"
id
  • Attribute: "External ID"
  • Attribute: "Source"
platforms[]Tag
classification.girs[].nameTag

Spot Report

ThreatConnect object type: Report Group

 

Verity471 API FieldThreatConnect Field
titleName/Summary
body
  • Attribute: "Description"
  • Report File
released_tsPublish Date
creation_tsDate Added
last_updated_tsLast Modified
idAttribute: "External ID"
links.verity_portal.hrefAttribute: "Source"
information_tsAttribute: "Date of Information"
entities[?type=='Handle'].value
  • Attribute: "Aliases"
  • Tag: "Adversary: <name>"
derived_entities[?type=='Handle'].value
  • Attribute: "Aliases"
  • Tag: "Adversary: <name>"
entities[?type=='MalwareFamily'].value
  • Attribute: "Malware Family"
  • Tag: "Malware: <name>"
derived_entities[?type=='MalwareFamily'].value
  • Attribute: "Malware Family"
  • Tag: "Malware: <name>"
classification.girs[].nameTag
victims[].nameTag
sub_typeTag
entities[?type=='CveID'].valueTag: "Vulnerability: <name>"
derived_entities[?type=='CveID'].valueTag: "Vulnerability: <name>"

Vulnerability

ThreatConnect object type: Vulnerability Group

 

Verity471 API FieldThreatConnect Field
name
  • Name/Summary
  • Tag: "Vulnerability: <name>"
activity.first_seen_tsFirst Seen
activity.last_seen_tsLast Seen
creation_tsPublish Date
last_updated_tsLast Modified
idAttribute: "External ID"
links.verity_portal.hrefAttribute: "Source"
cve_typeAttribute: "CVE Type"
cvss[?version=='2.0' && score >= `0`].score | [0]Attribute: "CVSS Score v2"
cvss[?version=='3.0' && score >= `0`].score | [0]Attribute: "CVSS Score v3"
cvss[?version=='3.1' && score >= `0`].score | [0]Attribute: "CVSS Score v3.1"
cvss[?version=='4.0' && score >= `0`].score | [0]Attribute: "CVSS Score v4"
exploit_status[]
  • Attribute: "Exploitation State"
  • Tag
patch_status
  • Attribute: "Patch Status"
  • Tag
risk_levelAttribute: "Vulnerability Priority"
vendor_nameAttribute: "Vulnerable Vendor"
product_nameAttribute: "Product"
interest_level[]Attribute: "Interest Level"
activity_location[]Attribute: "Activity Location"
aliases[]Attribute: "Aliases"
classification.girs[].nameTag
statusTag

YARA Signature

ThreatConnect object type: Signature Group

 

Verity471 API FieldThreatConnect Field
data.yara.title
  • Name/Summary
  • File Name
data.yara.signatureFile Content
activity.first_seen_tsFirst Seen
activity.last_seen_tsLast Seen
idAttribute: "External ID"
threat.data.malware_family.nameTag: "Malware: <name>"
classification.girs[].nameTag
threat.data.malware_family.idAssociated Group

Malware Report

ThreatConnect object type: Report Group

 

Verity471 API FieldThreatConnect Field
titleName/Summary
body
  • Attribute: "Description"
  • Report File
released_tsPublish Date
creation_tsDate Added
last_updated_tsLast Modified
idAttribute: "External ID"
links.verity_portal.hrefAttribute: "Source"
assessment.admiralty_codeAttribute: "Admiralty Code"
source_characterizationAttribute: "Source Characterization"
motivation[]Attribute: "Adversary Motivation Type"
executive_summaryAttribute: "Executive Summary"
information_tsAttribute: "Date of Information"
entities[?type=='AIM'].valueAttribute: "Social Media: AIM"
entities[?type=='Tox'] || derived_entities[?type=='Tox'] | [].valueAttribute: "Social Media: Tox"
entities[?type=='OtherCryptoCurrencies'].valueAttribute: "Other CryptoCurrencies"
entities[?type=='Facebook'].valueAttribute: "Social Media: Facebook"
entities[?type=='ICQ'].valueAttribute: "Social Media: ICQ"
entities[?type=='Jabber'].valueAttribute: "Social Media: Jabber"
entities[?type=='MSN'].valueAttribute: "MSN"
entities[?type=='PerfectMoneyID'].valueAttribute: "Perfect Money ID"
entities[?type=='Phone'] || derived_entities[?type=='Phone'] | [].valueAttribute: "Phone"
entities[?type=='Skype'].valueAttribute: "Social Media: Skype"
entities[?type=='X'].valueAttribute: "Social Media: Twitter"
entities[?type=='VK'].valueAttribute: "Social Media: VK"
entities[?type=='WebMoneyID'].valueAttribute: "WebMoney ID"
entities[?type=='WebMoneyPurse'].valueAttribute: "WebMoney Purse"
entities[?type=='YahooIM'].valueAttribute: "Social Media: YahooIM"
entities[?type=='YandexMoney'].valueAttribute: "Yandex.Money"
entities[?type=='BitcoinAddress'] || derived_entities[?type=='BitcoinAddress'] | [].valueAttribute: "Bitcoin Address"
entities[?type=='EmailAddress'] || derived_entities[?type=='EmailAddress'] | [].valueAttribute: "Email Address"
entities[?type=='ActorOtherWebsite'] || derived_entities[?type=='ActorOtherWebsite'] | [].valueAttribute: "Actor Other Website"
actor_subject_of_report[].aliases[]Attribute: "Aliases"
entities[?type=='Handle'].value
  • Attribute: "Aliases"
  • Tag: "Adversary: <name>"
derived_entities[?type=='Handle'].value
  • Attribute: "Aliases"
  • Tag: "Adversary: <name>"
entities[?type=='MalwareFamily'].value
  • Attribute: "Malware Family"
  • Tag: "Malware: <name>"
derived_entities[?type=='MalwareFamily'].value
  • Attribute: "Malware Family"
  • Tag: "Malware: <name>"
actor_subject_of_report[].handleTag: "Adversary: <name>"
classification.girs[].nameTag
victims[].nameTag
entities[?type=='CveID'].valueTag: "Vulnerability: <name>"
derived_entities[?type=='CveID'].valueTag: "Vulnerability: <name>"
related_reports[].idAssociated Group

Event Status Mapping

Table 30 shows how Verity471 alert status is mapped to ThreatConnect Event Group status.

 

Verity471 Alert StatusThreatConnect Event StatusDescription
generatedNeeds ReviewDefault state when an alert fires; the analyst should triage.
needs_actionEscalatedThe analyst has flagged the alert for action in Verity471.
in_progressIn ProgressThe alert is being actively worked in Verity471.
completedCompletedThe alert has been resolved in Verity471.
false_positiveFalse PositiveThe alert has been dismissed as a false positive.

Watcher Alerts

The Intel471 Verity Intelligence Engine app ingests customer-specific watcher alerts from Verity471’s watcher system. All watcher alerts are created as Event Groups in ThreatConnect.

Watcher alert ingestion is enabled by selecting the Ingest Alerts checkbox and specifying one or more values in the Watcher Group IDs field during deployment. All alerts are ingested on a 30-minute polling cycle.

The human-readable watcher group name for each corresponding Event Group, stored in the Watcher Group attribute, is resolved from the alert’s watcher group ID. The Verity471 portal URL from the alert is stored in the Source attribute so that you can pivot back to Verity471 to view additional details about the object.

Frequently Asked Questions (FAQ)

Does the Intel471 Verity Intelligence Engine app replace the Intel 471 Intelligence Engine app?

No. The Intel471 Verity Intelligence Engine app targets the next-generation Verity471 API and runs in parallel with the Intel 471 Intelligence Engine app, which targets the legacy Titan API. It does not deprecate or disable the Intel 471 Intelligence Engine app.


Why don’t I see any watcher alerts in ThreatConnect?

Confirm that the Ingest Alerts checkbox is selected and that valid watcher group IDs are entered in the service’s configuration. The Intel471 Verity Intelligence Engine app ingests alerts only from the specified Watcher groups; it does not pull from all watcher groups.


Why did the Intel471 Verity Intelligence Engine fail to start?

  • The Intel471 Verity Intelligence Engine app may fail if the Ingest Alerts checkbox is selected in the configuration, but no watcher group IDs are specified. Either clear the checkbox or ensure that valid watcher group IDs are entered in the Watcher Group IDs field.
  • Verify that the Verity471 API credentials entered in the app’s configuration are correct. The app may fail if the watcher alerts API cannot be reached or returns a 401 unauthorized response.

How are Verity471 alert statuses represented in ThreatConnect?

Each alert’s status is mapped to a ThreatConnect Event Group status on ingestion. See the “Event Status Mapping” section for more information.


The Description attribute for a Report Group ingested by the Intel471 Verity Intelligence Engine app appears to be truncated. What happened?

Some report bodies (e.g., for malware reports) may be very large. Report bodies that exceed 65,535 characters may be truncated in the Description attribute.


ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.

30097-01 EN Rev. A