Intel 471 Adversary Intelligence

Updated 1 month ago by TruSTAR

This document describes how to set up the Intel 471 Adversary Intelligence premium intelligence source in the TruSTAR platform.

Adversary Intelligence provides proactive and groundbreaking insights into the methodology of top-tier cybercriminals: target selection, assets and tools used, associates and other enablers that support them. Intel 471’s field-driven collection and headquarters-based analysis directly support intelligence needs across an organization, spanning security, executive, vulnerability, risk, investigation and fraud teams.

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Update Frequency: 15 minutes
  • Time to Install: 10 minutes

Observables Supported


  • A subscription to Intel 471 Adversary Intelligence
  • Intel 471 Adversary Intelligence API ID (Intel 471 portal login email)
  • Intel 471 Adversary Intelligence API Key
  • TruSTAR Admin rights are required to activate this Premium Intelligence feed.

Getting Started

  1. Log into the TruSTAR Web App.
  2. Click the Marketplace icon on the left side icon list.
  3. Choose Premium Intel.
  4. Click Subscribe on the Intel 471 Adversary Intelligence box.
  5. Enter the information requested and click Save Credentials & Request Subscription.

TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.

Report Mapping

The information retrieved from this intelligence source is stored in the Intel 471 Adversary Intelligence Enclave using this format.




Report Title

UID: Subject field of response

For subsequent reports, the Report Title increments the title using the format UID-{incremental No}: subject field of response. Example: xxxx-2: Actor plans to privatize, partner with regular client

xxxx: Actor partners with regular c

External ID

Encoded value of the UID field of response.

For subsequent reports, External ID increments the external ID.



Report Body

Individual item of the JSON response. Fields added to the report body: uid, subject, created, Tags, portalReportUrl and reportIOCs (the list of report indicators). reportIOCs is the list of unique values from the {entities + derivedEntities} fields of the JSON response.

Time Begun

Created field of response.



Tags field of response.

["Malware - Usage", "Vulnerabilities & Exploits"]


portalReportUrl field of response.

Client Type


Client Meta Tag
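
The mapping above, sketched as an added example (not TruSTAR's or Intel 471's code) so that reports in the Enclave can be checked against the source items. The key names follow this page; the shape of the `entities` and `derivedEntities` entries (objects with a `value` key) and all sample values are assumptions, the `-2` suffix for the first repeat is read from the page's `xxxx-2` example, and External ID is left out because the page does not say how it is encoded.

```python
from collections import defaultdict

# Constructed sample items (not real Intel 471 data); entity shape is assumed.
SAMPLE_ITEMS = [
    {"uid": "uid-0001", "subject": "Actor partners with regular client",
     "created": 1700000000000,
     "Tags": ["Malware - Usage", "Vulnerabilities & Exploits"],
     "portalReportUrl": "https://portal.example.com/report/uid-0001",
     "entities": [{"type": "domain", "value": "malicious.example.com"}],
     "derivedEntities": [{"type": "domain", "value": "malicious.example.com"},
                         {"type": "ipv4", "value": "192.0.2.10"}]},
    {"uid": "uid-0001",
     "subject": "Actor plans to privatize, partner with regular client",
     "created": 1700000900000, "Tags": ["Malware - Usage"],
     "portalReportUrl": "https://portal.example.com/report/uid-0001",
     "entities": [{"type": "ipv4", "value": "192.0.2.10"}],
     "derivedEntities": []},
]

# Response fields copied into the report body, as listed on this page.
BODY_FIELDS = ("uid", "subject", "created", "Tags", "portalReportUrl")


def unique_iocs(item):
    """Unique values from entities + derivedEntities, in first-seen order."""
    seen = {}
    for ent in item.get("entities", []) + item.get("derivedEntities", []):
        seen.setdefault(ent["value"], None)
    return list(seen)


def map_reports(items):
    """Build one report per response item using the page's field mapping."""
    seen_uids = defaultdict(int)
    reports = []
    for item in items:
        seen_uids[item["uid"]] += 1
        n = seen_uids[item["uid"]]
        # First report: "UID: subject"; later ones: "UID-{n}: subject".
        prefix = item["uid"] if n == 1 else f"{item['uid']}-{n}"
        body = {key: item.get(key) for key in BODY_FIELDS}
        body["reportIOCs"] = unique_iocs(item)
        reports.append({
            "Report Title": f"{prefix}: {item['subject']}",
            "Time Begun": item["created"],
            "Tags": item.get("Tags", []),
            "Report Body": body,
        })
    return reports
```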


Known Issues

No reported issues.

Please contact if you have issues with this integration.
