Intel 471 Malware Intelligence
Introduction
TruSTAR is a cyber intelligence platform designed to accelerate incident analysis process and exchange of intelligence among various internal and external teams. This document provides a description of how paying customers of Intel 471 Malware Intelligence can ingest indicator reports from Intel 471 into the enclave in TruSTAR and correlate with other data sources stored in their TruSTAR enclaves.
Prerequisites
This integration requires TruSTAR users to be paying customers of Intel471 and have access to Intel 471 Malware Intelligence API keys. Users can generate their API keys from the Intel 471 Titan portal or reach out to the Intel 471 support team.
Configure Integration
After you have retrieved your Intel 471 Malware Intelligence API key follow these steps:
- Log into TruSTAR Station and go the Explore->Marketplace (https://station.trustar.co/browse/marketplace).
- Click on Closed Sources.
- Click on Intel 471 Malware Intelligence logo and fill in your API key.
- Click Submit.
TruSTAR will validate and enable your Intel 471 Malware Intelligence integration within 48 hours. You will receive an email from us informing you as soon as it is enabled.
After the integration in enabled you should see reports from Intel 471 Malware Intel being submitted into an enclave you control.
FAQ
Do i have to be a company admin in TruSTAR to configure integration?
Yes, a user needs to have company admin privilege in TruSTAR to be able to setup Intel 471 Malware Intelligence Integration
What data do you currently pull from Intel 471 Malware Intelligence?
Our integration currently pulls reports from Intel 471 Malware Intelligence and can extract and correlate the cyber IOC’s listed below
These include:
- IP
- Domain
- URL (Domains are extracted from URL)
- SHA256
- SHA1
- MD5
- REGISTRY_KEY
- Malware
- Bitcoin Addresses
Please contact us if you would like to discuss additional indicators that should be extracted and correlated.
How often is the data pulled?
Our integration retrieves data from Intel 471 Malware Intelligence every 15mins.
Technical Details
Malware Intelligence
Intel 471 Malware Intelligence
WorkFlow - Fetch records from below API as per checkpointed timestamp.
Submit individual item/record response as TruSTAR report
Indicators API - https://api.intel471.com/v1/indicators?lastUpdatedFrom=1539011369295&lastUpdatedUntill=1539010379287&indicator=*
Sample Response -
{
"indicatorTotalCount": 2,
"indicators": [{
"data": {
"threat": {
"type": "malware",
"data": {
"family": "emotet",
"malware_family_profile_uid": "5333f9a7036ae7d10e81cb5fc558a20d"
},
"uid": "5333f9a7036ae7d10e81cb5fc558a20d"
},
"expiration": 1541603377000,
"confidence": "high",
"context": {
"description": "emotet controller URL"
},
"mitre_tactics": "command_and_control",
"intel_requirements": ["1.1.6"],
"indicator_data": {
"url": "http://200.6.168.98:8080"
},
"indicator_type": "url"
},
"meta": {
"version": "0.1"
},
"last_updated": 1539011379287,
"uid": "dda8fa741b08915824bfdaf246de6fea",
"activity": {
"last": 1539011377000,
"first": 1537887748000
}
}, {
"data": {
"threat": {
"type": "malware",
"data": {
"family": "emotet",
"malware_family_profile_uid": "5333f9a7036ae7d10e81cb5fc558a20d"
},
"uid": "5333f9a7036ae7d10e81cb5fc558a20d"
},
"expiration": 1541603366000,
"confidence": "medium",
"context": {
"description": "emotet download location URL"
},
"mitre_tactics": "command_and_control",
"intel_requirements": ["1.1.6"],
"indicator_data": {
"url": "http://200.6.168.98:8080"
},
"indicator_type": "url"
},
"meta": {
"version": "0.1"
},
"last_updated": 1539011369295,
"uid": "f155a2ffcd9d8cf610360752671fd3a5",
"activity": {
"last": 1539011366000,
"first": 1537967841000
}
}
]
}
TruStar Report - content should be reported as json formatted.
Report Title - UID (eg f155a2ffcd9d8cf610360752671fd3a5)
External ID - uid field of response(e.g f155a2ffcd9d8cf610360752671fd3a5)
Report Body - individual item of json response
Time Begun - None
Tags - confidence field of response(e.g. [“Confidence: high”])
Deeplink - None
