Enricher - Intel 471 Adversary Intelligence Enricher#
Note
This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.
| Specifications | |
|---|---|
| Enricher name | Intel 471 Adversary Intelligence Enricher |
| Supported observable types | |
| Output | Enriching an observable looks up information associated with the |
| API endpoint | |
| Description | This enricher looks up information associated with threat actors on the Intel 471 Adversary Intelligence database. |
Requirements#
Email address registered with Intel 471.
Intel 471 API key.
Automatic enrichment#
Avoid setting up enrichment rules for the Intel 471 enricher.
Setting up enrichment rules for this enricher allows it to automatically run and rapidly consume your API request quota.
Instead, Intel 471 recommends you run the enricher manually.
Set up the enricher#
Before using the enricher, configure it to add your Intel 471 credentials:
Select the enricher from the displayed list.
Edit the enricher by selecting More > Edit from the top right.
In the Edit enricher task view, fill out these fields:
Note
Required fields are marked with an asterisk (*).
| Field | Description |
|---|---|
| API key* | Set this to your Intel 471 API key. |
| Email* | Set this to the email address associated with your Intel 471 account. |
Click Save to store your changes.
Default configuration#
These are the default configuration parameters for the Intel 471 enricher:
Note
Required fields are marked with an asterisk (*).
| Field | Description |
|---|---|
| Name | Leave this as “Intel 471 Adversary Intelligence Enricher”. Set by default. |
| Override TLP | Forces all entities and observables produced by this extension to inherit this TLP value. |
| Description* | Enter a description for this enricher. |
| Cache validity (sec)* | Set to |
| Rate limit (per sec)* | Set to |
| Monthly execution cap (runs)* | Set to |
| Source reliability* | Assign a reliability level to entities and observables produced by this extension. The values here are based on the Admiralty System. |
| Observable types* | Observable types to enrich. By default, this is set to the observables supported by the Intel 471 enricher: |
| Enabled | Select to enable this enricher. |
| API URL* | Set to |
| API key* | Set this to your Intel 471 API key. |
| Email* | Set this to the email address associated with your Intel 471 account. |
| SSL verification | Selected by default. Select to enable SSL verification. |
| Path to SSL certificate file | Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source. |
Enrichment result#
When the Intel 471 enricher is applied to an observable, it attaches new observables extracted from the results returned from the Intel 471 Adversary Intelligence database, such as:
domain
email
forum-name
actor-id
handle
If the results include contact information for the threat actor, the following observables are created:
| Type | Ingested result |
|---|---|
| ICQ handles | `handle` observables named `icq\|<handle_name>` |
| Jabber handles | `handle` observables named `jabber\|<handle_name>` |
| MSN handles | Treated as `email` observables. |
| YahooIM handles | `handle` observables named `yahoo\|<handle_name>` |
| AIM handles | `handle` observables named `aim\|<handle_name>` |
| Skype handles | `handle` observables named `skype\|<handle_name>` |
| BitcoinWalletID handles | Treated as `bank-account` observables. |
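As an added example (not EclecticIQ's or Intel 471's own code), the mapping rules in the table above applied to a constructed contact record; the input layout (a `contact_info` list of type/value pairs) is an assumption, since the real Intel 471 response format is not shown here:

```python
# Added example (not EclecticIQ's or Intel 471's code): map Intel 471 contact
# records to the observable types and names in the table above. The input shape
# ("contact_info" list of {"type","value"} dicts) is a constructed assumption.
from typing import Dict, List, Tuple

# Contact types that become "handle" observables named "<prefix>|<handle_name>".
HANDLE_PREFIXES: Dict[str, str] = {
    "ICQ": "icq", "Jabber": "jabber", "YahooIM": "yahoo",
    "AIM": "aim", "Skype": "skype",
}
DIRECT_TYPES: Dict[str, str] = {   # mapped to another type, value kept as-is
    "MSN": "email",                # MSN handles are treated as email
    "BitcoinWalletID": "bank-account",
}

def map_contact(contact_type: str, value: str) -> Tuple[str, str]:
    """Return (observable_type, observable_value); ValueError if unmapped/empty."""
    value = value.strip()
    if not value:
        raise ValueError("empty contact value")
    if contact_type in HANDLE_PREFIXES:
        return "handle", f"{HANDLE_PREFIXES[contact_type]}|{value}"
    if contact_type in DIRECT_TYPES:
        return DIRECT_TYPES[contact_type], value
    raise ValueError(f"unsupported contact type: {contact_type}")

def observables_from_actor(actor: dict) -> List[Tuple[str, str]]:
    """Collect observables for one actor record; duplicates collapsed, order kept."""
    seen, result = set(), []
    for contact in actor.get("contact_info", []):
        try:
            obs = map_contact(contact["type"], contact["value"])
        except ValueError:
            continue  # unknown or empty contacts are skipped, never guessed
        if obs not in seen:
            seen.add(obs)
            result.append(obs)
    return result

# Constructed sample record, not a real Intel 471 result.
SAMPLE_ACTOR = {
    "contact_info": [
        {"type": "ICQ", "value": "123456789"},
        {"type": "MSN", "value": "actor@msn.example"},
        {"type": "BitcoinWalletID", "value": "WALLET_ID_PLACEHOLDER"},
        {"type": "ICQ", "value": "123456789"},    # duplicate, collapsed
        {"type": "Telegram", "value": "ignored"},  # not in the table, skipped
    ],
}
```

Running `observables_from_actor(SAMPLE_ACTOR)` yields one `handle`, one `email` and one `bank-account` observable; the duplicate ICQ entry and the unmapped Telegram entry produce nothing.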