Incoming feed - Intel 471 Malware Intelligence Reports Feed#

Note

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.

Specifications

Transport types

Intel 471 Malware Intelligence Reports Feed

Content type

Intel 471 Malware Reports JSON

Ingested data

Ingests malware reports from Intel 471.

Processed data

TTP entities of “Malware Variant” type and Indicators of “File Hash Watchlist” type are extracted from the ingested malware reports, along with associated observables.

Requirements#

  • Email address registered with Intel 471.

  • Intel 471 API key.

Execution schedule recommendation#

The Execution schedule field allows you to set the feed to run automatically at specified intervals. Running the feed too frequently can strain resources and exhaust API rate limits. Follow your feed provider’s recommendations when setting the Execution schedule.

The Execution schedule field is set to None by default.

Intel 471 recommends that you:

  • Manually run the incoming feed. Set the Execution schedule to None.

  • Or automatically run the incoming feed a maximum of once every 30 minutes:

    1. Set the Execution schedule to: Every [n] minutes

    2. Then, select 30 from the drop-down menu that appears below so that the line reads:

      “Every 30 minutes”

Configure the incoming feed#

  1. Create or edit an incoming feed.

  2. Under Transport and content, fill out these fields:

    Note

    Required fields are marked with an asterisk (*).

    Field

    Description

    Transport type*

    Select Intel 471 Malware Intelligence Reports Feed from the drop-down menu.

    Content type*

    Select Intel 471 Malware Reports JSON from the drop-down menu.

    API URL*

    Set this to the Intel 471 REST API endpoint.

    By default, this is set to https://api.intel471.com/v1/.

    API key*

    Set this to your Intel 471 API key.

    Email*

    Set this to the email address associated with your Intel 471 account.

    Indicator buffer size

    Avoid changing default value.

    Default: 1000

    Sets the number of indicators to buffer for ingestion. Optimizes overall ingestion speed for this feed. Downloaded indicators are cached in the background to be processed in batches. Time between package download and successful ingestion may appear longer because of this.

    Lower values may make the feed appear more responsive, but causes overall ingestion speed to be slower. Higher values causes the on-disk cache to take up more disk space during ingestion.

    SSL verification

    Selected by default. Select this option to enable SSL for this feed.

    Path to SSL certificate file.

    Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.

    Start ingesting from*

    Ingest data from the feed source starting from this date and time. Use the drop-down calendar to select the date and time you want to start ingesting feed data from.

  3. Under Schedule, set an Execution schedule according to instructions in the Execution schedule recommendation section.

  4. Store your changes by selecting Save.