Skip to main content

Cyware Threat Intelligence eXchange

Intel471

Connector Category: API Feed Source

Overview

What is this integration about?

Intel Exchange integrates with Intel471 to retrieve up-to-date malware, vulnerability, and adversary intelligence. This integration provides access to intelligence reports and technical data to empower analysts with the context they need to make better decisions on risks and cyber threats.

Use Cases

  • Utilize technical and contextual data from Adversary Intelligence and Malware Intelligence to make informed decisions and put them into action.

  • Set up the necessary defensive measures using the YARA rules obtained from Intel 471.

  • Gather additional details on significant vulnerabilities to assess their priority for patching.

Benefits

  • Get real-time and up-to-date intel feeds about emerging cyber threats, threat actors, and malicious activities.

  • Understand the MITRE tactics and techniques used by various threat actors.

Configure Intel471

Integrate Intel471 as a feed source and start receiving threat intel in Intel Exchange. You can use the following sections for more information:

Configure Intel471 as Feed Source

Configure Intel471 as an API feed source in Intel Exchange to receive adversary intelligence, malware intelligence, indicator, vulnerability intelligence, and finished intel report feeds from Intel471.

Before your Start

  • You must have the View API Feed, View Feed Source, Create Feed Source, and Update Feed Source permissions in Intel Exchange.

  • You must have the username and password of your Intel471 account.

Steps

To configure Intel471 as an API feed source in Intel Exchange, do the following:

  1. Go to Administration > Integration Management > FEED SOURCES > APIs.

  2. Click Add API source.

  3. Search and select the Intel471 app.

  4. Click Add Instance.

  5. Enter a unique name to identify the instance name. For example, Intel471-Prod.

  6. Enter the base URL of your Intel471 instance. The default base URL is https://api.intel471.com/v1/.

  7. Enter the username and password of your Intel471 account to authenticate communication between the Intel Exchange and Intel471 servers.

  8. Select Verify SSL to verify the SSL certificate and secure the connection between the Intel Exchange and Intel471 servers. By default, Verify SSL is selected.

    Note

    Cyware recommends you select Verify SSL. If you disable this option, Intel Exchange may configure an instance for an expired SSL certificate. This may not establish the connection properly and Intel Exchange will not be able to notify you in case of a broken or improper connection.

  9. Click Save.

The Intel471 instance is configured and you can view the Intel471 feed channels. You can configure multiple instances by clicking Manage > Add More.

Test Feed Channel Connectivity

Test the connectivity of the Intel471 feed channels to ensure that the connection with the correct API endpoint is established and that you have permission to poll feeds.

Before you Start

  • Ensure that the Intel471 integration is enabled.

  • Ensure that the feed channel for which you want to test connectivity is enabled.

Steps

To test the connectivity of a feed channel, follow these steps:

  1. Go to Administration > Integration Management. In Feed Sources, click APIs.

  2. Search and select the Intel471 app.

  3. On a feed channel, click the vertical ellipses and select View Details.

  4. In the Working Status section, click Test Connectivity.

If the connection is established, then the working status shows Running. If the connectivity is broken, then the working status shows a Connection Error. Hover over the tooltip next to Connection Error to view the error code.

Note

When a feed channel loses connectivity, it is automatically disabled, and the system attempts to restore connectivity three times per hour. If the connectivity is successfully restored, the feed channel is automatically re-enabled.

Configure Intel471 Feed Channels

Configure the respective feed channels to retrieve the adversary intelligence, malware intelligence, indicator, vulnerability intelligence, and finished intel report feeds from Intel471 and store the feeds in a collection.

Steps

To configure an Intel471 channel, do the following:

  1. Go to Administration > Integration Management > FEED SOURCES > APIs.

  2. Search and select the Intel471 app.

  3. Click the ellipsis on the top right corner and select Manage.

  4. Click Manage Feed Channels.

  5. Select a feed channel and enable the toggle.

  6. Enter the date and time to start polling feeds. Select a date within 15 days from the current date.

  7. Enter the name of the collection to group the feed data. For example, Intel471 Feeds. Intel Exchange creates the collection and stores all the feeds from the feed channel.

  8. Select from one of the following Polling Cron Schedule types to define when to poll the data: 

    • Manual: Allows you to manually poll from the source collection. 

    • Auto: Allows you to automatically poll for threat intel from sources at specific time intervals. The default polling cron schedule is Auto. 

      • Enter a frequency in minutes between 60 and 10080 minutes in Polling Time. The default polling time is 240 minutes.

  9. Set a default TLP and confidence score to assign to the feeds that do not have a TLP and confidence score already assigned. By default, the default TLP and confidence score are set to Amber and 100 respectively.

  10. Select any tags to identify and categorize the feeds.

  11. (Optional) Enable the Broken Connection Retry Policy to allow the CTIX application to re-attempt any failed connection attempts to your Recorded Future account. The system will attempt to connect 10 times. 

    • You can enter the retry interval in days, minutes, or weeks and also specify the retry interval and the retry count. 

    • Enable Exponential Backoff Entry to progressively extend the wait time between retries for consecutive error responses. For example, for a 10-minute exponential retry interval, the system will re-attempt to connect in 10, 100, 1000, 10000, and so on minutes till the retry count value is met. Use this option to give your system resources some breathing time and resolve any service overload issues.

  12. Click Save.

The feed channel is configured, and you can poll feeds from the channel. You can enable the other feed channels, poll feeds, and view the feeds. For more information, see API Integrations.

Intel471 Feed Channels

provides multiple channels to poll feeds from Intel471. The following table lists all the feed channels and the Intel471 API endpoints used for each feed channel.

Feed Channel

API URL

Adversary Intelligence

{{base_url}}/yara

Malware Intelligence

{{base_url}}/yara?threatType=malware

Fetch Indicator Feeds

{{base_url}}/indicators/stream

Fetch Finished Intel Reports

{{base_url}}/reports

Vulnerability Intelligence

{{base_url}}cve/reports?cveReport=vulnerability