Intel 471 Alerts Watchlist

Updated 1 month ago by Elvis Hovor

Introduction

TruSTAR is a cyber intelligence platform designed to accelerate the incident analysis process and the exchange of intelligence among internal and external teams. This document describes how paying customers of Intel 471 can ingest reports and indicators from their Intel 471 Alerts Watchlist into an enclave in TruSTAR and correlate them with the other data sources stored in their TruSTAR enclaves.

Prerequisites

This integration requires TruSTAR users to be paying customers of Intel 471 with access to Intel 471 API keys. Users can generate their API keys in the Intel 471 Titan portal or request them from the Intel 471 support team.

Configure Integration

After you have retrieved your Intel 471 API key, follow these steps:

  1. Log into TruSTAR Station and go to Explore -> Marketplace (https://station.trustar.co/browse/marketplace).
  2. Click on Closed Sources.
  3. Click the Intel 471 Alert Watchlist logo and fill in your API key.
  4. Click Submit.

TruSTAR will validate and enable your Intel 471 Alert Watchlist Intelligence integration within 48 hours. You will receive an email from us informing you as soon as it is enabled.

After the integration is enabled you should see reports from Intel 471 Alert Watchlist being submitted into an enclave you control.

FAQ

What data do you currently pull from Intel 471 Watchlist?

Our integration currently pulls reports from Intel 471 Alert Watchlist and extracts and correlates the following indicator types:

  • IP
  • Domain
  • URL (domains are extracted from URLs)
  • SHA256
  • SHA1
  • MD5
  • REGISTRY_KEY
  • Malware
  • Bitcoin Addresses

Please contact us if you would like to discuss additional indicators that should be extracted and correlated.

How often is the data pulled?

Our integration retrieves data from Intel 471 Watchlist every 15 minutes.

Technical Details

Intel 471 Alert Watchlist
Workflow:
  • Fetch alerts from Intel 471 that are newer than the checkpointed timestamp (the foundTime field is used to filter alerts).
  • Iterate over each alert record. If the alert is of type report, fetch the detailed report information using the report uid and merge it into the alert's report data.
  • Submit the alert to TruSTAR as a report.
  • The TruSTAR report content is the JSON-formatted alert.

Report Title - uid field of the response, followed by the subject field when available (e.g. 59413a3c441d6663bf8795bc Important message from the forum administration!)

External ID - encoded value of the uid field of the response (e.g. 59413a3c441d6663bf8795bc)

Report Body - the individual alert item from the JSON response

Time Begun - foundTime field of the response (e.g. 1497446972076)

Tags - Tags field of the response when the alert is of type report (e.g. ["Denial of Service", "Tools"])

Deeplink - portalReportUrl field of the response when the alert is of type report (e.g. https://titan.intel471.com/report/6b186800c30789)

Request Example: https://api.intel471.com/v1/alerts?from=1539085956900&until=1539099756977
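The workflow and field mapping above, worked through end to end as an added example. This is not TruSTAR's or Intel 471's code: the alert records and report details are constructed sample data, the nesting of report fields under a "report" object and the "alertType" discriminator are assumptions (the page only names the fields uid, subject, foundTime, Tags and portalReportUrl), and because the page does not say which encoding the External ID uses, the example simply prefixes the uid with the source name. The report-detail API call is replaced by a lookup into the constructed fixture.

```python
"""Added example: checkpoint filtering, report enrichment and the alert-to-TruSTAR
report mapping described on this page, run over constructed Intel 471 alerts."""
import json
from typing import Callable, Dict, List, Tuple

ALERTS_ENDPOINT = "https://api.intel471.com/v1/alerts"

# Constructed sample alerts (not real data). The "report" nesting and the
# "alertType" field are assumptions about the response shape.
SAMPLE_ALERTS = [
    {
        "uid": "59413a3c441d6663bf8795bc",
        "foundTime": 1497446972076,
        "alertType": "report",
        "report": {"uid": "6b186800c30789"},
    },
    {
        "uid": "0123456789abcdef01234567",
        "foundTime": 1497446000000,  # older than the checkpoint used below
        "alertType": "indicator",
        "indicator": {"type": "ipv4", "value": "203.0.113.10"},  # RFC 5737 test range
    },
    {
        "uid": "fedcba9876543210fedcba98",
        "foundTime": 1497447000000,
        "alertType": "indicator",
        "indicator": {"type": "domain", "value": "example.invalid"},
    },
]

# Constructed stand-in for the report-detail call made for report-type alerts.
SAMPLE_REPORT_DETAILS = {
    "6b186800c30789": {
        "subject": "Important message from the forum administration!",
        "tags": ["Denial of Service", "Tools"],
        "portalReportUrl": "https://titan.intel471.com/report/6b186800c30789",
    },
}


def alerts_request_url(from_ms: int, until_ms: int) -> str:
    """Build the alerts query in the form of the page's request example."""
    return f"{ALERTS_ENDPOINT}?from={from_ms}&until={until_ms}"


def select_new_alerts(alerts: List[dict], checkpoint_ms: int) -> List[dict]:
    """Keep alerts found after the checkpoint, oldest first, so that a failure
    mid-batch re-delivers only the tail of the batch on the next run."""
    fresh = [a for a in alerts if a["foundTime"] > checkpoint_ms]
    return sorted(fresh, key=lambda a: a["foundTime"])


def enrich_report_alert(alert: dict, fetch_details: Callable[[str], dict]) -> dict:
    """For report-type alerts, merge the detailed report into the alert's report data."""
    if alert.get("alertType") != "report":
        return alert
    report = dict(alert.get("report", {}))
    report.update(fetch_details(report["uid"]))
    return {**alert, "report": report}


def encode_external_id(uid: str) -> str:
    # Assumption: the page does not name the encoding, so the uid is prefixed
    # with the source so it cannot collide with external IDs from other feeds.
    return f"intel471-alert-{uid}"


def build_trustar_report(alert: dict) -> dict:
    """Apply the field mapping: title, external ID, JSON body, time, tags, deeplink."""
    is_report = alert.get("alertType") == "report"
    report = alert.get("report", {}) if is_report else {}
    subject = report.get("subject")
    title = alert["uid"] + (f" {subject}" if subject else "")
    return {
        "title": title,
        "externalId": encode_external_id(alert["uid"]),
        "reportBody": json.dumps(alert, sort_keys=True),  # body is the JSON alert item
        "timeBegan": alert["foundTime"],
        "tags": list(report.get("tags", [])) if is_report else [],
        "deeplink": report.get("portalReportUrl") if is_report else None,
    }


def run_workflow(alerts: List[dict], checkpoint_ms: int,
                 fetch_details: Callable[[str], dict]) -> Tuple[List[dict], int]:
    """Return the TruSTAR reports to submit and the checkpoint to store next."""
    reports: List[dict] = []
    new_checkpoint = checkpoint_ms
    for alert in select_new_alerts(alerts, checkpoint_ms):
        reports.append(build_trustar_report(enrich_report_alert(alert, fetch_details)))
        new_checkpoint = max(new_checkpoint, alert["foundTime"])
    return reports, new_checkpoint


if __name__ == "__main__":
    out, cp = run_workflow(SAMPLE_ALERTS, 1497446500000, SAMPLE_REPORT_DETAILS.__getitem__)
    for r in out:
        print(r["title"], "|", r["deeplink"], "|", r["tags"])
    print("next checkpoint:", cp)
```

Storing the checkpoint only after the batch has been submitted, as run_workflow's return value suggests, is what makes the 15-minute poll safe to retry: a duplicate submission is caught by the External ID, whereas a checkpoint advanced too early silently drops alerts.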

