Enricher - Intel 471 Adversary Intelligence Enricher

This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.


Specifications

Enricher name

Intel 471 Adversary Intelligence Enricher

Supported observable types

  • actor-id

  • handle

  • name

Output

Enriching an observable looks up the information associated with the actor-id, handle, or name being enriched and attaches that information to the enriched observable as new observables.

API endpoint

  • https://api.intel471.com/v1/actors?actor=<enriched_observable>

Description

This enricher looks up information associated with threat actors on the Intel 471 Adversary Intelligence database.

Requirements

  • Email address registered with Intel 471.

  • Intel 471 API key.

Automatic enrichment

Avoid setting up enrichment rules for the Intel 471 enricher. Enrichment rules let the enricher run automatically, which can rapidly consume your API request quota. Instead, Intel 471 recommends that you run the enricher manually.

Set up the enricher

Before using the enricher, configure it to add your Intel 471 credentials:

  1. Open an enricher from the Enrichers view.

  2. In the Edit enricher task view, fill out these fields (required fields are marked with an asterisk (*)):

     API key*
         Set this to your Intel 471 API key.

     Email*
         Set this to the email address associated with your Intel 471 account.

  3. Click Save to store your changes.

Default configuration

These are the default configuration parameters for the Intel 471 enricher. Required fields are marked with an asterisk (*).

Name
    Leave this as “Intel 471 Adversary Intelligence Enricher”. Set by default.

Override TLP
    Forces all entities and observables produced by this extension to inherit this TLP value.

Description*
    Enter a description for this enricher.

Cache validity (sec)*
    Set to 2592000 seconds (30 days) by default. Results for an observable are reused from the cache for this long before the API is queried again.

Rate limit (per sec)*
    Set to 1000 requests per second by default.

Monthly execution cap (runs)*
    Set to 1000000 runs by default.

Source reliability*
    Assign a reliability level to entities and observables produced by this extension. The values here are based on the Admiralty System.

Observable types*
    Observable types to enrich. By default, this is set to the observables supported by the Intel 471 enricher: actor-id, name.

Enabled
    Select to enable this enricher.

API URL*
    Set to https://api.intel471.com/v1/ by default.

API key*
    Set this to your Intel 471 API key.

Email*
    Set this to the email address associated with your Intel 471 account.

SSL verification
    Selected by default. When selected, the enricher verifies the TLS certificate presented by the API endpoint.

Path to SSL certificate file
    Used when connecting to an endpoint that uses a custom CA. Set this to the path of the certificate file to use when verifying that endpoint.

Enrichment result

When the Intel 471 enricher is applied to an observable, it attaches new observables extracted from the results returned from the Intel 471 Adversary Intelligence database, such as:

  • domain

  • email

  • forum-name

  • actor-id

  • handle

If the results include contact information for the threat actor, the following observables are created:

ICQ handles
    handle observables named icq|<handle_name>

Jabber handles
    handle observables named jabber|<handle_name>

MSN handles
    Treated as email observables.

YahooIM handles
    handle observables named yahoo|<handle_name>

AIM handles
    handle observables named aim|<handle_name>

Skype handles
    handle observables named skype|<handle_name>

BitcoinWalletID handles
    Treated as bank-account observables.
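The following is an added example, not code from the platform or from Intel 471. It ties together the API endpoint listed above, the cache validity setting, and the contact-information mapping in the table above: it builds the actor lookup URL for an enriched observable, keeps a cache with the page's 30-day default so repeated enrichment of the same value does not spend API quota, and converts a result into (observable type, value) pairs following the prefix and re-typing rules the table states. The JSON shape of the result (`actors`, `handles`, `forums`, `contactInfo`) is an assumption made for illustration; the fetch callable is injected so the example runs offline, and a real one would send the configured email and API key with the request.

```python
"""Added example (not EclecticIQ or Intel 471 code).

Assumptions, labelled here and in comments: the result JSON shape is invented
for illustration, and network access is replaced by an injected fetch callable.
"""
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlencode

API_URL = "https://api.intel471.com/v1/"   # default API URL from the page
CACHE_VALIDITY_SEC = 2592000               # page default: 30 days

# Mapping from the page's contact-information table. Five services become
# handle observables with a "<service>|" prefix; MSN and BitcoinWalletID are
# re-typed (email, bank-account) instead of prefixed.
CONTACT_MAP: Dict[str, Tuple[str, Optional[str]]] = {
    "ICQ": ("handle", "icq"),
    "Jabber": ("handle", "jabber"),
    "YahooIM": ("handle", "yahoo"),
    "AIM": ("handle", "aim"),
    "Skype": ("handle", "skype"),
    "MSN": ("email", None),
    "BitcoinWalletID": ("bank-account", None),
}


def build_actor_url(enriched_value: str) -> str:
    """Build the /v1/actors?actor=<enriched_observable> URL from the page,
    URL-encoding the observable value so spaces or reserved characters in a
    handle or name cannot alter the query."""
    return API_URL + "actors?" + urlencode({"actor": enriched_value})


def contact_to_observable(contact_type: str, value: str) -> Optional[Tuple[str, str]]:
    """Apply the page's table: prefix handles, re-type MSN and wallet IDs,
    and skip contact types the table does not list."""
    mapping = CONTACT_MAP.get(contact_type)
    if mapping is None:
        return None
    obs_type, prefix = mapping
    return (obs_type, f"{prefix}|{value}" if prefix else value)


def extract_observables(result: dict) -> List[Tuple[str, str]]:
    """Walk an actor result (assumed JSON shape) and collect the observables
    the enricher would attach: handles, forum names, and mapped contacts."""
    observables: List[Tuple[str, str]] = []
    for actor in result.get("actors", []):
        for handle in actor.get("handles", []):
            observables.append(("handle", handle))
        for forum in actor.get("forums", []):
            observables.append(("forum-name", forum))
        for contact in actor.get("contactInfo", []):
            obs = contact_to_observable(contact.get("type", ""), contact.get("value", ""))
            if obs is not None:
                observables.append(obs)
    return observables


class EnrichmentCache:
    """Cache keyed by enriched value with the page's cache-validity semantics:
    a fresh entry is returned without calling the API; an expired one is
    re-fetched. This is what limits quota use when the same actor is enriched
    repeatedly."""

    def __init__(self, validity_sec: int = CACHE_VALIDITY_SEC) -> None:
        self.validity_sec = validity_sec
        self._entries: Dict[str, Tuple[float, dict]] = {}

    def lookup(self, value: str, fetch: Callable[[str], dict], now: float) -> dict:
        hit = self._entries.get(value)
        if hit is not None and now - hit[0] < self.validity_sec:
            return hit[1]
        result = fetch(build_actor_url(value))   # only on a miss or after expiry
        self._entries[value] = (now, result)
        return result


# Constructed sample result; not real Intel 471 data, and the shape is assumed.
SAMPLE_RESULT = {
    "actors": [{
        "handles": ["exampleactor"],
        "forums": ["example-forum"],
        "contactInfo": [
            {"type": "ICQ", "value": "123456"},
            {"type": "Jabber", "value": "exampleactor@xmpp.example"},
            {"type": "MSN", "value": "exampleactor@example.invalid"},
            {"type": "BitcoinWalletID", "value": "bc1q-constructed-placeholder"},
            {"type": "Telegram", "value": "@example"},   # not in the page's table: skipped
        ],
    }]
}


if __name__ == "__main__":
    for obs_type, obs_value in extract_observables(SAMPLE_RESULT):
        print(f"{obs_type}: {obs_value}")
```

Running the block prints the six observables derived from the constructed sample; the Telegram entry is dropped because the page's table does not define an observable for it, which is the safe default for an enricher that should not invent types.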