Intel 471
App Vendor: Intel 471
App Category: Data Enrichment & Threat Intelligence
Connector Version: 2.0.0
API Version: 1.0.0
About App
This app integrates with Intel 471, a service that provides a high-fidelity, timely indicator feed with rich context, TTP information, and malware intelligence reports. It is designed to be operationalized easily out of the box within a customer's environment and is accessible via an online portal, a RESTful API, and third-party integrations.
The Intel 471 app is configured with Cyware Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Detailed Vulnerability Info | This action retrieves the detailed information on a vulnerability. |
Fetch Actor | This action retrieves the actor's details. |
Fetch Entity | This action retrieves the entity. |
Fetch IOC | This action retrieves the IOCs. |
Fetch Malware Indicator | This action retrieves indicators of a particular malware. |
Fetch Malware Intel | This action retrieves malware intel. |
Fetch Malware NIDS | This action retrieves NIDS signatures. |
Fetch Malware YARA | This action retrieves YARA rules. |
Fetch Vulnerability Search | This action performs a vulnerability search. |
Get Breach Alert | This action retrieves the details of the specified breach alert. |
Get Malware Intelligence Report | This action retrieves the details of the specified malware intelligence report. |
Get Report | This action retrieves the details of the specified information report or Fintel report. |
Global Search | This action can be used to return results matching filter criteria such as IOC, vulnerabilities, etc. |
Search Breach Alerts | This action searches for breach alerts. |
Search Malware Families | This action searches for malware families. |
Search Malware Intelligence Reports | This action searches for malware reports that match the specified filter criteria. |
Search Reports | This action retrieves a list of information reports or Fintel reports matching the filter criteria. |
Generic Action | This is a generic action used to make requests to any Intel 471 endpoint. |
Configuration Parameters
The following configuration parameters are required for the Intel 471 app to communicate with the Intel 471 enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL to access Intel 471. Example: https://example.com/v1 | Text | Required | |
Username | Enter the username. | Text | Required | |
API Key | Enter the API key for authentication. | Password | Required | |
Verify | Choose whether to verify the SSL/TLS certificate while making requests. Setting this option to yes is recommended; setting it to no may establish the connection without verifying the server's certificate. | Boolean | Optional | By default, verification is enabled. |
Timeout | Enter the timeout value in seconds. This is the number of seconds requests will wait to connect to Intel 471 and read the response. | Integer | Optional | Allowed range: 15-120. Default value: 15. |
Action: Detailed Vulnerability Info
This action retrieves the detailed information for a vulnerability.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
UID | Enter the UID of the vulnerability to retrieve. Example: e7fafbb8f44a6ded005c154976627da4 | Text | Required | |
Action: Fetch Actor
This action retrieves the actor details.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Actor | Enter the actor's name to retrieve the details. Example: apt1 | Text | Required | |
From Time | Enter the 'from' time. Search results created at or after this time are returned. The format can be a long Unix time or a string time range. | Text | Optional | Allowed values: 1569314472407, 24 hours, 1 day |
Until | Enter the 'until' time. Search results up to this time are returned. The format can be a long Unix time or a string time range. | Text | Optional | Allowed values: 1569314472407, 24 hours, 1 day |
Last Updated From | Enter the 'last updated from' time. Search results last updated at or after this time are returned. The format can be a long Unix time or a string time range. | Text | Optional | Allowed values: 1569314472407, 24 hours, 1 day |
Last Updated Until | Enter the 'last updated until' time. Search results last updated up to this time are returned. The format can be a long Unix time or a string time range. | Text | Optional | Allowed values: 1569314472407, 24 hours, 1 day |
Count | Enter the number of results to retrieve. Example: 100 | Text | Optional | |
Sort | Enter the value to sort the response. | Text | Optional | Allowed values: relevance, earliest, latest |
Pretty Print | Select an option for pretty print. | Boolean | Optional | |
Extra Params | Enter the extra parameters to fetch actor details. | Key Value | Optional | Allowed keys: format, offset, forum |
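As an added example (not code from Cyware or Intel 471), the following Python helpers apply the rules from the Configuration Parameters table (Timeout range and default, verification enabled by default) and normalise the 'from'/'until' values that Fetch Actor and the later search actions accept, either a long Unix time in milliseconds or a string range such as 24 hours or 1 day. The query key names, the accepted range units, and the reading of a relative range as "that long before now" are assumptions.

```python
# Added example (not Cyware's or Intel 471's code): apply the instance
# configuration rules from the Configuration Parameters table and normalise
# the 'from'/'until' values accepted by the search actions.
import re
import time

TIMEOUT_MIN, TIMEOUT_MAX, TIMEOUT_DEFAULT = 15, 120, 15   # Timeout row
SORT_VALUES = ("relevance", "earliest", "latest")          # Sort row

# Relative-range units and their length in milliseconds (assumed set; the
# page only shows '24 hours' and '1 day').
_UNITS_MS = {"hour": 3_600_000, "day": 86_400_000}
_RANGE_RE = re.compile(r"^(\d+)\s*(hour|day)s?$", re.IGNORECASE)


def validate_config(cfg):
    """Check Base URL, Username, API Key, Verify and Timeout as the table specifies."""
    base_url = str(cfg.get("base_url", "")).strip()
    if not base_url.startswith("https://"):
        raise ValueError("Base URL must be an https URL")
    if not cfg.get("username") or not cfg.get("api_key"):
        raise ValueError("Username and API Key are required")
    timeout = int(cfg.get("timeout", TIMEOUT_DEFAULT))
    if not TIMEOUT_MIN <= timeout <= TIMEOUT_MAX:
        raise ValueError(f"Timeout must be within {TIMEOUT_MIN}-{TIMEOUT_MAX} seconds")
    verify = cfg.get("verify", True)   # verification is enabled by default
    if not isinstance(verify, bool):
        raise ValueError("Verify must be a boolean")
    return {"base_url": base_url.rstrip("/"), "username": cfg["username"],
            "api_key": cfg["api_key"], "timeout": timeout, "verify": verify}


def normalize_time(value, now_ms=None):
    """Return a 'from'/'until' value as a long Unix time in milliseconds.

    Accepts a 13-digit millisecond timestamp (e.g. 1569314472407) or a
    relative range such as '24 hours', '24hours' or '1 day'. A relative
    range is taken to mean 'that long before now' (an assumption).
    """
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    text = str(value).strip()
    if text.isdigit():
        ms = int(text)
        if ms < 10**12:   # a 10-digit value is seconds, not milliseconds
            raise ValueError("Unix time must be in milliseconds (13 digits)")
        return ms
    match = _RANGE_RE.match(text)
    if not match:
        raise ValueError(f"unsupported time value: {value!r}")
    return now_ms - int(match.group(1)) * _UNITS_MS[match.group(2).lower()]


def build_search_query(from_time, until, count=100, sort="latest", now_ms=None):
    """Assemble the time-window query for a search action; rejects inverted windows."""
    if sort not in SORT_VALUES:
        raise ValueError(f"sort must be one of {', '.join(SORT_VALUES)}")
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    start, end = normalize_time(from_time, now_ms), normalize_time(until, now_ms)
    if start > end:
        raise ValueError("'from' must not be later than 'until'")
    return {"from": start, "until": end, "count": int(count), "sort": sort}
```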
Action: Fetch Entity
This action retrieves the specified entity.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Entity | Enter the entity to retrieve. Example: syntax | Text | Required | |
From Time | Enter the 'from' time. Search results created at or after this time are returned. The format can be a long Unix time or a string time range. | Text | Optional | Allowed values: 1569314472407, 24hours, 1day |
Until | Enter the 'until' time. Search results up to this time are returned. The format can be a long Unix time or a string time range. | Text | Optional | Allowed values: 1569314472407, 24hours, 1day |
Last Updated From | Enter the 'last updated from' time. Search results last updated at or after this time are returned. The format can be a long Unix time or a string time range. | Text | Optional | Allowed values: 1569314472407, 24hours, 1day |
Last Updated Until | Enter the 'last updated until' time. Search results last updated up to this time are returned. The format can be a long Unix time or a string time range. | Text | Optional | Allowed values: 1569314472407, 24hours, 1day |
Count | Enter the count of entities to retrieve. Example: 100 | Text | Optional | |
Sort | Enter the value to sort the response. | Text | Optional | Allowed values: relevance, earliest, latest |
Pretty Print | Select an option for pretty print. | Boolean | Optional | |
Extra Params | Enter the extra parameters to fetch entity details. | Key Value | Optional | Allowed keys: entitytype, offset, format |
Action: Fetch IOC
This action can be used to fetch the IOCs.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IOC | Enter the IOC to be searched for. Example: malicious@fmail.com or domain.com | Text | Required | |
Sort | Enter the value by which to sort the response. | Text | Optional | Allowed values: relevance, earliest, latest |
From Time | Enter the 'from' time. Search results created at or after this time are returned. The format can be a long Unix time or a string time range. | Text | Optional | Allowed values: 1569314472407, 24hours, 1day |
Until | Enter the 'until' time. Search results up to this time are returned. The format can be a long Unix time or a string time range. | Text | Optional | Allowed values: 1569314472407, 24hours, 1day |
Last Updated From | Enter the 'last updated from' time. Search results last updated at or after this time are returned. The format can be a long Unix time or a string time range. | Text | Optional | Allowed values: 1569314472407, 24hours, 1day |
Last Updated Until | Enter the 'last updated until' time. Search results last updated up to this time are returned. The format can be a long Unix time or a string time range. | Text | Optional | Allowed values: 1569314472407, 24hours, 1day |
Count | Enter the count of IOCs to retrieve. Example: 100 | Text | Optional | |
Pretty Print | Select the option for pretty print. | Boolean | Optional | |
Extra Params | Enter the extra parameters to fetch IOCs. | Key Value | Optional | Allowed keys: iocType, offset, format |
Action: Fetch Malware Indicator
This action retrieves indicators of a particular malware.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Malware Family | Enter the malware family. Example: azorult | Text | Optional | |
Indicator Type | Enter the value to search for indicators by type. | Text | Optional | Allowed values: directory, domain, file, ipv4, ipv6, mutex, url, windows_registry_key |
Threat Type | Enter the threat type to search for malware indicators. | Text | Optional | Allowed values: malware, bulletproof_hosting, proxy_service |
Indicator | Enter the indicator to search for malware indicators. Example: example.com or example@domain.com | Text | Optional | |
Confidence | Enter the confidence level of the indicator. | Text | Optional | Allowed values: high, medium, low |
Extra Params | Enter the extra parameters to fetch malware indicators. | Key Value | Optional | Allowed keys: threatuid, malwareFamilyProfileuid, gir |
Action: Fetch Malware Intel
This action retrieves malware intel.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Malware Family | Enter the malware family to retrieve malware intel. Example: azorult | Text | Optional | |
Event | Enter the event. Example: syntax | Text | Optional | |
Event Type | Enter the event type. | Text | Optional | Allowed values: download_execute, download_plugin, exfiltrate_data, webinject |
Threat Type | Enter the threat type to search events by threat type. | Text | Optional | Example: malware, bulletproof_hosting, proxy_service |
From Time | Enter the 'from' time. Search results created at or after this time are returned. The format can be a long Unix time or a string time range. | Text | Optional | Allowed values: 1569314472407, 24hours, 1day |
Until | Enter the 'until' time. Search results up to this time are returned. The format can be a long Unix time or a string time range. | Text | Optional | Allowed values: 1569314472407, 24hours, 1day |
Last Updated From | Enter the 'last updated from' time. Search results last updated at or after this time are returned. The format can be a long Unix time or a string time range. | Text | Optional | Allowed values: 1569314472407, 24hours, 1day |
Last Updated Until | Enter the 'last updated until' time. Search results last updated up to this time are returned. The format can be a long Unix time or a string time range. | Text | Optional | Allowed values: 1569314472407, 24hours, 1day |
Count | Enter the count of records to retrieve. Example: 100 | Text | Optional | |
Sort | Enter the value to sort the response. | Text | Optional | Allowed values: relevance, earliest, latest |
Pretty Print | Select an option for pretty print. | Boolean | Optional | |
Extra Params | Enter the extra parameters to fetch malware intel. | Key Value | Optional | Allowed keys: threatuid, malwarefamilyprofileuid, gir |
Action: Fetch Malware NIDS
This action retrieves NIDS signatures.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Malware Family | Enter the malware family name. Example: azorult | Text | Optional | |
NIDS | Enter the NIDS signature. | Text | Optional | |
NIDS Type | Enter the NIDS type to retrieve. | Text | Optional | |
Threat Type | Enter the threat type. | Text | Optional | |
Confidence | Enter the confidence level to retrieve malware NIDs. | Text | Optional | Allowed values: high, medium, low |
Extra Params | Enter the extra parameters to fetch NIDs. | Key Value | Optional | Allowed keys: count, sort |
Action: Fetch Malware YARA
This action retrieves YARA rules.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Malware Family | Enter the malware family to retrieve YARA. Example: azorult | Text | Optional | |
YARA | Enter the YARA rule. | Text | Optional | |
Threat Type | Enter the threat type. | Text | Optional | Allowed values: malware, bulletproof_hosting, proxy_service |
Confidence | Enter the confidence. | Text | Optional | Allowed values: high, medium, low |
From Time | Enter the 'from' time. Search results created at or after this time are returned. The format can be a long Unix time or a string time range. | Text | Optional | Allowed values: 1569314472407, 24hours, 1day |
Until | Enter the 'until' time. Search results up to this time are returned. The format can be a long Unix time or a string time range. | Text | Optional | Allowed values: 1569314472407, 24hours, 1day |
Last Updated From | Enter the 'last updated from' time. Search results last updated at or after this time are returned. The format can be a long Unix time or a string time range. | Text | Optional | Allowed values: 1569314472407, 24hours, 1day |
Last Updated Until | Enter the 'last updated until' time. Search results last updated up to this time are returned. The format can be a long Unix time or a string time range. | Text | Optional | Allowed values: 1569314472407, 24hours, 1day |
Count | Enter the number of results to retrieve. Example: 100 | Text | Optional | |
Sort | Sort results by relevance or activity start time. | Text | Optional | Allowed values: relevance, earliest, latest |
Pretty Print | Select an option for pretty print. | Boolean | Optional | |
Extra Params | Enter the extra parameters to make the request. | Key Value | Optional | Allowed keys: malwarefamilyprofileuid, gir |
Action: Fetch Vulnerability Search
This action performs a vulnerability search.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
CVE Report | Enter the CVE report name. Example: cve-2017-234 | Text | Optional | |
CVE Type | Enter the CVE report type to filter the response. | Text | Optional | Allowed values: buffer overflow, privilege escalation, memory corruption |
CVE Status | Enter the status to search CVE reports. | Text | Optional | Allowed values: status_new, status_existing, status_historical |
CVE Name | Enter the CVE name. | Text | Optional | |
Extra Params | Enter the extra parameters to make the request. | Key Value | Optional | Allowed keys: product_name, vendor_name |
Action: Get Breach Alert
This action retrieves the details of the specified breach alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert UID | Enter the alert identifier to retrieve its details. Example: 8c5e0e87e683c62bb0a50baeff732152 | Text | Required | You can retrieve this using the Search Breach Alerts action. |
Action: Get Malware Intelligence Report
This action retrieves the details of the specified malware intelligence report.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Report UID | Enter the malware intelligence report UID to retrieve the details. Example: e7fafbb8f44a6ded005c154976627da4 | Text | Required | |
Action: Get Report
This action retrieves the details of the specified information report or Fintel report.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Report UID | Enter the report UID to retrieve the details. Example: 32537c9c6dce18ce6ea4d5106540f089 | Text | Required | You can retrieve this using the Search Reports action. |
Action: Global Search
This action can be used to return results matching filter criteria such as IOC, vulnerabilities, etc.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IP Address | Enter the IP address to search for. Example: 1.1.1.1 | Text | Optional | |
URL | Enter the URL to search for. Example: https://www.example.com | Text | Optional | |
IOC | Enter the IOC value to search. Example: malicious@example.com | Text | Optional | |
Confidence | Enter the confidence level to search. Example: medium | Text | Optional | Allowed values: high, low, medium |
Extra Params | Enter any extra parameters to make the request. | Key Value | Optional | Allowed keys: report, reportTag |
Action: Search Breach Alerts
This action searches for breach alerts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Breach Alert | Enter a search term to search for breach alerts. Example: communications | Text | Optional | Note: You must provide at least one of Breach Alert, Actor, or Victim. |
Actor | Enter the actor or actor group names to search for breach alerts. Example: hakkr | Text | Optional | Note: You must provide at least one of Breach Alert, Actor, or Victim. |
Victim | Enter the victim of the breach to filter the response. Example: bcn telecom | Text | Optional | Note: You must provide at least one of Breach Alert, Actor, or Victim. |
Confidence | Enter the confidence level to filter the response. Example: medium | Text | Optional | Allowed values: high, low, medium |
Extra Params | Enter the extra parameters to filter the response. | Key Value | Optional | Allowed keys: from, until, gir |
Action: Search Malware Families
This action searches for malware families.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Malware Family | Enter the malware family name to search. Example: asyncrat | Text | Optional | |
From Time | Enter the start time for the search. Allowed formats are Unix timestamp or relative time. Example: 24hours | Text | Optional | |
Until | Enter the end time for the search. Allowed formats are Unix timestamp or relative time. Example: 24hours | Text | Optional | |
Extra Params | Enter the extra parameters to search for a malware family. | Key Value | Optional | Allowed keys: sort, offset, count, prettyprint, format |
Action: Search Malware Intelligence Reports
This action searches for malware reports that match the specified filter criteria.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Malware Report | Enter the malware report to filter the search. You must provide at least one of Malware Report, Threat Type, Report Title, Malware Family, or Malware Family Profile UID. | Text | Optional | |
Threat Type | Enter the threat type to search for malware intelligence reports. You must provide at least one of Malware Report, Threat Type, Report Title, Malware Family, or Malware Family Profile UID. Example: malware | Text | Optional | |
Report Title | Enter the report title to search for malware intelligence reports. You must provide at least one of Malware Report, Threat Type, Report Title, Malware Family, or Malware Family Profile UID. | Text | Optional | |
Malware Family | Enter the malware family to search for malware intelligence reports. You must provide at least one of Malware Report, Threat Type, Report Title, Malware Family, or Malware Family Profile UID. Example: gozi_isfb | Text | Optional | |
Malware Family Profile UID | Enter the malware family profile UID to search for malware intelligence reports. You must provide at least one of Malware Report, Threat Type, Report Title, Malware Family, or Malware Family Profile UID. | Text | Optional | |
Extra Params | Enter the extra parameters to search for malware intelligence reports. | Key Value | Optional | Allowed keys: from, sort, gir |
Action: Search Reports
This action retrieves a list of information reports or Fintel reports matching the filter criteria.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Report | Enter a search term to find matching reports, subjects, and entities. Example: ransomware-as-a-service | Text | Optional | |
Report Location | Enter the country or region to search for reports. Example: USA | Text | Optional | |
Report Tag | Enter a tag to filter reports. Example: e-commerce | Text | Optional | |
Extra Params | Enter the extra parameters to search for reports. | Key Value | Optional | Allowed keys: reportadmiraltycode, reporttitle, victim |
Action: Generic Action
This is a generic action used to make requests to any Intel 471 endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method to make the request. | Text | Required | Allowed values: GET, PUT, POST, DELETE |
Endpoint | Enter the endpoint to make the request to. Example: alerts | Text | Required | |
Query Params | Enter the query parameters to make the request. Example: {'format': csv} | Key Value | Optional | |
JSON Payload | Enter the payload in JSON format for the API request. Example: $JSON[{"description": description}] | Any | Optional | |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional | Allowed keys: payload_data, custom_output, download, filename, files, retry_wait, retry_count, response_type |