Intel 471 Alerts Watchlist

Updated 1 week ago by Elvis Hovor

Introduction

TruSTAR is a cyber intelligence platform designed to accelerate the incident analysis process and the exchange of intelligence among internal and external teams. This document describes how paying customers of Intel 471 can ingest reports and indicators from their Intel 471 Alerts Watchlist into an enclave in TruSTAR and correlate them with other data sources stored in their TruSTAR enclaves.

Prerequisites

This integration requires TruSTAR users to be paying customers of Intel 471 and to have access to Intel 471 API keys. Users can generate their API keys from the Intel 471 Titan portal or reach out to the Intel 471 support team.

Configure Integration

After you have retrieved your Intel 471 API key, follow these steps:

  1. Log into TruSTAR Station and go to Explore -> Marketplace (https://station.trustar.co/browse/marketplace).
  2. Click on Closed Sources.
  3. Click on the Intel 471 Alert Watchlist logo and fill in your API key.
  4. Click Submit.

TruSTAR will validate and enable your Intel 471 Alert Watchlist integration within 48 hours. You will receive an email from us as soon as it is enabled.

After the integration is enabled, you should see reports from the Intel 471 Alert Watchlist being submitted into an enclave you control.

FAQ

What data do you currently pull from the Intel 471 Watchlist?

Our integration currently pulls reports from the Intel 471 Alert Watchlist and can extract and correlate the IOC types listed below:

  • IP
  • Domain
  • URL (domains are extracted from URLs)
  • SHA256
  • SHA1
  • MD5
  • REGISTRY_KEY
  • Malware
  • Bitcoin Addresses

Please contact us if you would like to discuss additional indicators that should be extracted and correlated.

How often is the data pulled?

Our integration retrieves data from the Intel 471 Watchlist every 15 minutes.

Technical Details

Intel 471 Alert Watchlist
Workflow:
  • Get alerts from Intel 471 from the checkpointed timestamp onward (the foundTime field is used to filter alerts).
  • Iterate over each alert record. If the alert is of type report, fetch the detailed report using the report uid and update the alert's report data with the detailed report information.
  • Submit the alert to TruSTAR as a report.
  • The TruSTAR report body is the JSON-formatted alert.

Report Title - uid field of the response, followed by the subject field of the response if available (e.g. 59413a3c441d6663bf8795bc Important message from the forum administration!)

External ID - encoded value of the uid field of the response (e.g. 59413a3c441d6663bf8795bc)

Report Body - the individual alert item from the JSON response

Time Begun - foundTime field of the response (e.g. 1497446972076)

Tags - tags field of the detailed report when the alert is of type report (e.g. ["Denial of Service", "Tools"])

Deeplink - portalReportUrl field of the response when the alert is of type report (e.g. https://titan.intel471.com/report/6b186800c307897f15e5ebc7d317309e)

Request Example: https://api.intel471.com/v1/alerts?from=1539085956900&until=1539099756977

Sample Response -

{
  "alertTotalCount": 2,
  "alerts": [
    {
      "uid": "59413a3c441d6663bf8795bc",
      "status": "read",
      "watcherUid": "aa957845d56c4773f379843afc507ea9",
      "watcherGroupUid": "f5db9f26-f0c6-408d-8dac-542e8c036aa2",
      "foundTime": 1497446972076,
      "privateMessage": {
        "uid": "6613f939099a5db1b7b627478c74f6e9",
        "date": 1265707719000,
        "subject": "Important message from the forum administration!",
        "message": "Dear, Волна!\r\n\r\nA virus alert was noticed on your computer. \r\nWe highly recommend you to check your computer and perform online virus check at our site immediately: [url]http://security-tool2010.com/Волна[/url]\r\n----------------------------------------------------\r\nForum Administration [url]www.carder.info[/url].",
        "links": {
          "authorActor": {
            "uid": "5328c3099dbc67b62cf7ee620ffee4c2",
            "handle": "BestForumTeam"
          },
          "recipientActor": {
            "uid": "37fb05bc65bf6a1435e06a98e4266bc7",
            "handle": "Волна"
          },
          "forum": {
            "uid": "96a3be3cf272e017046d1b2674a52bd3",
            "name": "carder.pro",
            "description": "carder.pro is a forum focused on carding (credit card fraud)."
          }
        },
        "lastUpdated": 1497370483069
      }
    },
    {
      "uid": "59413a3c441d6663bf8795bb",
      "status": "read",
      "watcherUid": "aa957845d56c4773f379843afc507ea9",
      "watcherGroupUid": "f5db9f26-f0c6-408d-8dac-542e8c036aa2",
      "foundTime": 1497446972076,
      "post": {
        "uid": "41ca85374b5e87717a8474c6add09292",
        "date": 1265916553000,
        "message": ":) kit for anonymous Web surfing which helps to protect your [COLOR=\"Yellow\"]ASS[/COLOR]: from cyber frens\r\n\r\n1) hide your real IP address\r\n2)send anonymous love letters or Emails (just kidding)\r\n3) chat with [COLOR=\"Yellow\"](ur ass hidden)[/COLOR] with ur fren when is the next tea party held :p\r\n4)clear browser history and much more.\r\n5)and more and more etc etc\r\n6)dont be F**king lazy check it urself\r\n\r\n:D Contents :D\r\n\r\nSteganos Internet Anonym VPN 2008\r\nHide-Ip-Browser v1.5\r\nAuto Hide IP v4.6.3.2\r\nEasy-Hide-IP v2.1\r\nHide IP NG v1.53\r\nReal Hide IP v3.5.4.2\r\nIP Address Shield 9.21\r\nProxy Switcher 4.2.0.5101\r\nMax AnonySurf 1.9\r\nMask Surf Pro v2.3\r\nInvisible Browsing v7.0 2009\r\nSun River Systems Heatseek Gold v1.4.1.8\r\nHistory Sweeper v3.04\r\nHistory Killer Pro 4.1.1\r\nWinMend History Cleaner 1.3.2\r\nAuto Clear History v2.1.2.6\r\nAuto Clear Cookies v2.1.2.6\r\n\r\n\r\nDOWNLOAD:\r\n\r\n[QUOTE][url]http://rapidshare.com/files/349243995/Anonymous_Surfing_Kit_2010_by_Robinhood.rar.html[/url][/QUOTE]\r\n[QUOTE]\r\n[url]http://www.filefactory.com/file/b00eh7d/n/Anonymous_Surfing_Kit_2010_by_Robinhood.rar[/url][/QUOTE] \r\n\r\n[QUOTE][url]http://hotfile.com/dl/28162874/e2ecae0/Anonymous_Surfing_Kit_2010_by_Robinhood.rar.html[/url][/QUOTE]\r\n\r\n[QUOTE][url]http://rapidshare.de/files/49138439/Anonymous_Surfing_Kit_2010_by_Robinhood.rar.html[/url]\r\n[/QUOTE]\r\n\r\nps: check it with ur anti virus , i have checked it showed me clean \r\nagain the false alarm is for patch but still check it again \r\ngr8 stuff if u like it leave a comment",
        "links": {
          "authorActor": {
            "uid": "237c5e85787983f58c13ec1591e6d489",
            "handle": "axelevents"
          },
          "forum": {
            "uid": "96a3be3cf272e017046d1b2674a52bd3",
            "name": "carder.pro",
            "description": "carder.pro is a forum focused on carding (credit card fraud)."
          },
          "thread": {
            "uid": "41ca85374b5e87717a8474c6add09292",
            "topic": "Anonymous Surfing Kit 2010",
            "count": 233
          }
        },
        "lastUpdated": 1497370111457
      }
    },
    {
      "uid": "5bbc99e986209a4254ff2fe9",
      "status": "unread",
      "watcherUid": "3edc5451de1e5270002b57d0ac0a8e29",
      "watcherGroupUid": "a0154f8a-90d6-4093-8e44-99fc02b71917",
      "foundTime": 1539086825556,
      "report": {
        "uid": "a147475cad6cedc41637ee3b2d05a38cb793e02426db585e01aed3183dcd87b7",
        "admiraltyCode": "B3",
        "motivation": ["CC"],
        "subject": "Iranian actor saman666sh (aka samangamerone, blockmaster) shares Python-based distributed denial of service tool",
        "dateOfInformation": 1538344800000,
        "sourceCharacterization": "Information was derived from the Iranian cybercrime forum guardiran.org primarily focusing on exploits, remote access trojans and general programming.",
        "portalReportUrl": "https://titan.intel471.com/report/6b186800c307897f15e5ebc7d317309e"
      },
      "highlights": []
    }
  ]
}

We explicitly remove the fields rawTextTranslated, rawText and researcherComments from the detailed report before it is submitted.

API used to fetch the detailed report information: https://api.intel471.com/v1/reports/a147475cad6cedc41637ee3b2d05a38cb793e02426db585e01aed3183dcd87b7

Response -

{
  "uid": "a147475cad6cedc41637ee3b2d05a38cb793e02426db585e01aed3183dcd87b7",
  "admiraltyCode": "B3",
  "motivation": ["CC"],
  "subject": "Iranian actor saman666sh (aka samangamerone, blockmaster) shares Python-based distributed denial of service tool",
  "researcherComments": "<p>This serves as an Activity Report on the Iranian actor&nbsp;<strong>saman666sh</strong>, a new member of the forum&nbsp;guardiran.com&nbsp;who claims to be a coder of hacking tools.&nbsp;</p>\r\n\r\n<p><br />\r\n<strong>Assessment of credibility</strong></p>\r\n\r\n<p>The actor has been a member of the Iranian cybercrime forum guardiran.org since Sept. 18, 2018, and contributed 28 posts. Since he is a new member of the forum, the actor doesn&rsquo;t enjoy a&nbsp;high reputation and senior members of the forum have not shown interest in his posts.&nbsp;All the above leads us to assign his claim with a Credibility of &ldquo;3 &mdash;The DDoS Python code in .txt format.</p>",
  "rawText": "<p>On Oct.&nbsp;1, 2018, the Iranian actor ((<strong>saman666sh</strong>))<strong>&nbsp;</strong>posted the following in the Iranian cybercrime forum guardiran.com:<br />\r\n---</p>\r\n\r\n<p>سلام امروز براتون یک اسکریپت عالی دیداسر اوردم</p>\r\n\r\n<p>cd Desktop</p>\r\n\r\n<p>git clone https://github.com/ZonePy/Ddoser</p>\r\n\r\n<p>خب حالا ddos.py میاریم روی دسکتاپ و توی ترمینال میزنیم</p>\r\n\r\n<p>python ddos.py</p>\r\n\r\n<p>امید وارم موفق باشید<br />\r\n----</p>",
  "rawTextTranslated": "<p>On Oct.&nbsp;1, 2018, the Iranian actor <strong>saman666sh </strong>posted the following in the Iranian cybercrime forum guardiran.com:<br />\r\n---</p>\r\n\r\n<p>Hello today I bring you an excellent Ddoser script&nbsp; &nbsp; &nbsp;</p>\r\n\r\n<p>cd Desktop</p>\r\n\r\n<p>git clone https://github.com/ZonePy/Ddoser</p>\r\n\r\n<p>Ok now we put ddos.py on the desktop and we put it inside the terminal</p>\r\n\r\n<p>I wish you good luck</p>\r\n\r\n<p>---</p>",
  "created": 1539060301000,
  "dateOfInformation": 1538344800000,
  "sourceCharacterization": "Information was derived from the Iranian cybercrime forum guardiran.org primarily focusing on exploits, remote access trojans and general programming.",
  "entities": [
    {"type": "ActorDomain", "value": "bluehosting.ir"},
    {"type": "ActorDomain", "value": "gamerproo.ir"},
    {"type": "ActorDomain", "value": "mcserver021.ir"},
    {"type": "ActorDomain", "value": "tgamerproo.ir"},
    {"type": "ActorDomain", "value": "www.blmsgaming.ir"},
    {"type": "EmailAddress", "value": "blockmastertm@gmail.com"},
    {"type": "EmailAddress", "value": "gamermodserver@gmail.com"},
    {"type": "EmailAddress", "value": "kamran.it404@gmail.com"},
    {"type": "EmailAddress", "value": "samangamerone@gmail.com"},
    {"type": "Handle", "value": "BlmsGaming"},
    {"type": "Handle", "value": "blmsgaming.ir"},
    {"type": "Handle", "value": "BlockMaster"},
    {"type": "Handle", "value": "blockmaster"},
    {"type": "Handle", "value": "saman vahabi sharif"},
    {"type": "Handle", "value": "saman666sh"},
    {"type": "Handle", "value": "samanblockmasterbot"},
    {"type": "Handle", "value": "samangamerone"},
    {"type": "Handle", "value": "The404Hacking"},
    {"type": "Handle", "value": "ѕαмαɴ|ᵍaᵐeʳ]ᵒᶰᵉ]"},
    {"type": "Handle", "value": "سعیده محمدی"},
    {"type": "Handle", "value": "هک MCPE"},
    {"type": "Phone", "value": "+989198609149"},
    {"type": "Phone", "value": "+989332187846"},
    {"type": "Skype", "value": "live:parhamjamali2"},
    {"type": "Telegram", "value": "https://t.me/saman666sh"},
    {"type": "Telegram", "value": "https://telegram.me/BlockMaster"},
    {"type": "Telegram", "value": "https://telegram.me/Hackesv"},
    {"type": "Telegram", "value": "https://telegram.me/the404hacking"}
  ],
  "locations": [
    {
      "region": "Middle East",
      "country": "Iran",
      "link": "originated_from"
    }
  ],
  "tags": ["Denial of Service", "Tools"],
  "portalReportUrl": "https://titan.intel471.com/report/6b186800c307897f15e5ebc7d317309e",
  "lastUpdated": 1539085656854,
  "actorSubjectsOfReport": [
    {
      "handle": "saman666sh",
      "aliases": ["samangamerone", "blockmaster"]
    }
  ],
  "reportAttachments": [
    {
      "fileName": "attachment-153900482507527.txt",
      "url": "https://api.intel471.com/v1/reports/a147475cad6cedc41637ee3b2d05a38cb793e02426db585e01aed3183dcd87b7/download/cf437b806b7b4526d90e4c7148402904/attachment-153900482507527.txt",
      "fileSize": 1447
    }
  ]
}
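The workflow, field mapping and field removal described above, carried through as an added Python example. This is not TruSTAR's or Intel 471's integration code: the Intel 471 HTTP calls are replaced by an offline stub, the sample alerts and detailed report are constructed, trimmed copies of the responses shown on this page, and because the page does not say how the External ID is "encoded", the example passes the uid through unchanged and marks that as an assumption. It also shows two practical details the workflow implies: advancing the foundTime checkpoint to the newest alert seen, and deduplicating by uid so that alerts sitting exactly on the checkpoint boundary (two of the sample alerts share the same foundTime) are not submitted twice.

```python
import json

# Fields the page says are stripped from the detailed report before submission.
STRIPPED_REPORT_FIELDS = ("rawTextTranslated", "rawText", "researcherComments")

# An alert carries exactly one of these objects; its key is the alert type.
ALERT_TYPES = ("report", "privateMessage", "post")

# Constructed sample: trimmed copies of the page's /v1/alerts response.
SAMPLE_ALERTS = [
    {"uid": "59413a3c441d6663bf8795bc", "foundTime": 1497446972076,
     "privateMessage": {"uid": "6613f939099a5db1b7b627478c74f6e9",
                        "subject": "Important message from the forum administration!"}},
    {"uid": "59413a3c441d6663bf8795bb", "foundTime": 1497446972076,
     "post": {"uid": "41ca85374b5e87717a8474c6add09292",
              "links": {"thread": {"topic": "Anonymous Surfing Kit 2010"}}}},
    {"uid": "5bbc99e986209a4254ff2fe9", "foundTime": 1539086825556,
     "report": {"uid": "a147475cad6cedc41637ee3b2d05a38cb793e02426db585e01aed3183dcd87b7",
                "subject": "Iranian actor saman666sh (aka samangamerone, blockmaster) shares Python-based distributed denial of service tool",
                "portalReportUrl": "https://titan.intel471.com/report/6b186800c307897f15e5ebc7d317309e"}},
]

# Constructed sample: trimmed copy of the page's /v1/reports/{uid} response.
SAMPLE_REPORT_DETAIL = {
    "uid": "a147475cad6cedc41637ee3b2d05a38cb793e02426db585e01aed3183dcd87b7",
    "admiraltyCode": "B3",
    "researcherComments": "<p>(constructed placeholder)</p>",
    "rawText": "<p>(constructed placeholder)</p>",
    "rawTextTranslated": "<p>(constructed placeholder)</p>",
    "tags": ["Denial of Service", "Tools"],
    "portalReportUrl": "https://titan.intel471.com/report/6b186800c307897f15e5ebc7d317309e",
}


def alert_type(alert):
    """Return which of the known alert objects this record carries, or None."""
    return next((t for t in ALERT_TYPES if t in alert), None)


def fetch_report_detail(report_uid):
    """Hypothetical offline stand-in for GET https://api.intel471.com/v1/reports/{uid}."""
    if report_uid == SAMPLE_REPORT_DETAIL["uid"]:
        return dict(SAMPLE_REPORT_DETAIL)
    return None


def enrich_alert(alert, get_detail=fetch_report_detail):
    """Workflow step 2: for report alerts, merge the detailed report into the
    alert's report object, minus the fields the integration strips."""
    alert = json.loads(json.dumps(alert))  # deep copy; never mutate the caller's record
    if alert_type(alert) != "report":
        return alert
    detail = get_detail(alert["report"]["uid"])
    if detail:
        for field in STRIPPED_REPORT_FIELDS:
            detail.pop(field, None)
        alert["report"].update(detail)
    return alert


def to_trustar_report(alert):
    """Apply the page's field mapping to one (already enriched) alert."""
    kind = alert_type(alert)
    inner = alert.get(kind, {}) if kind else {}
    subject = inner.get("subject")
    return {
        "title": alert["uid"] + (f" {subject}" if subject else ""),
        # Assumption: the page says "encoded value of uid" but not which encoding,
        # so the uid is used as-is here.
        "externalId": alert["uid"],
        "reportBody": json.dumps(alert, ensure_ascii=False, indent=2),
        "timeBegan": alert["foundTime"],  # epoch milliseconds, as in foundTime
        "tags": list(inner.get("tags", [])) if kind == "report" else [],
        "deeplink": inner.get("portalReportUrl") if kind == "report" else None,
    }


def process_alerts(alerts, checkpoint_ms, submitted_ids):
    """Workflow steps 1-3 for one polling cycle.

    Keeps alerts with foundTime >= checkpoint, skips uids already submitted
    (alerts on the boundary reappear on the next poll), converts the rest, and
    returns the reports plus the advanced checkpoint.
    """
    reports = []
    new_checkpoint = checkpoint_ms
    for alert in alerts:
        found = alert.get("foundTime", 0)
        if found < checkpoint_ms or alert["uid"] in submitted_ids:
            continue
        reports.append(to_trustar_report(enrich_alert(alert)))
        submitted_ids.add(alert["uid"])
        new_checkpoint = max(new_checkpoint, found)
    return reports, new_checkpoint


if __name__ == "__main__":
    seen = set()
    first, checkpoint = process_alerts(SAMPLE_ALERTS, 0, seen)
    print(f"first poll: {len(first)} reports, checkpoint -> {checkpoint}")
    second, _ = process_alerts(SAMPLE_ALERTS, checkpoint, seen)
    print(f"second poll from checkpoint: {len(second)} new reports")
```

In a real deployment the checkpoint and the set of submitted uids both have to be persisted between the 15-minute runs; keeping only the timestamp is what lets boundary alerts be submitted twice.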
