Intel 471 Malware Intelligence

Updated 1 week ago by Elvis Hovor

Introduction

TruSTAR is a cyber intelligence platform designed to accelerate the incident analysis process and the exchange of intelligence among internal and external teams. This document describes how paying customers of Intel 471 Malware Intelligence can ingest indicator reports from Intel 471 into an enclave in TruSTAR and correlate them with the other data sources stored in their TruSTAR enclaves.

Prerequisites

This integration requires TruSTAR users to be paying customers of Intel 471 and to have an Intel 471 Malware Intelligence API key. Users can generate their API key from the Intel 471 Titan portal or reach out to the Intel 471 support team.

Configure Integration

After you have retrieved your Intel 471 Malware Intelligence API key, follow these steps:

  1. Log into TruSTAR Station and go to Explore -> Marketplace (https://station.trustar.co/browse/marketplace).
  2. Click on Closed Sources.
  3. Click on Intel 471 Malware Intelligence logo and fill in your API key.
  4. Click Submit.

TruSTAR will validate and enable your Intel 471 Malware Intelligence integration within 48 hours. You will receive an email from us informing you as soon as it is enabled.

After the integration is enabled you should see reports from Intel 471 Malware Intelligence being submitted into an enclave you control.

FAQ

Do I have to be a company admin in TruSTAR to configure the integration?

Yes, a user needs company admin privileges in TruSTAR to set up the Intel 471 Malware Intelligence integration.

What data do you currently pull from Intel 471 Malware Intelligence? 

Our integration currently pulls reports from Intel 471 Malware Intelligence and extracts and correlates the IOC types listed below:

  • IP
  • Domain
  • URL (Domains are extracted from URL)
  • SHA256
  • SHA1
  • MD5
  • REGISTRY_KEY
  • Malware
  • Bitcoin Addresses

Please contact us if you would like to discuss additional indicators that should be extracted and correlated.

How often is the data pulled?

Our integration retrieves data from Intel 471 Malware Intelligence every 15 minutes.

Technical Details 

Malware Intelligence

Intel 471 Malware Intelligence

Workflow - Fetch records from the API below, using the checkpointed timestamp of the last successful pull as the start of the query window.

Submit each individual item (indicator record) in the response as its own TruSTAR report.

At most 500 indicators are pulled per run.

Indicators API - https://api.intel471.com/v1/indicators?lastUpdatedFrom=1539011369295&lastUpdatedUntil=1539011379287&indicator=*

lastUpdatedFrom and lastUpdatedUntil are epoch timestamps in milliseconds; lastUpdatedFrom is the checkpoint saved by the previous pull and must not be later than lastUpdatedUntil. The window in the sample query covers exactly the last_updated values of the two records in the sample response below.

Sample Response -

{
  "indicatorTotalCount": 2,
  "indicators": [
    {
      "data": {
        "threat": {
          "type": "malware",
          "data": {
            "family": "emotet",
            "malware_family_profile_uid": "5333f9a7036ae7d10e81cb5fc558a20d"
          },
          "uid": "5333f9a7036ae7d10e81cb5fc558a20d"
        },
        "expiration": 1541603377000,
        "confidence": "high",
        "context": {
          "description": "emotet controller URL"
        },
        "mitre_tactics": "command_and_control",
        "intel_requirements": ["1.1.6"],
        "indicator_data": {
          "url": "http://200.6.168.98:8080"
        },
        "indicator_type": "url"
      },
      "meta": {
        "version": "0.1"
      },
      "last_updated": 1539011379287,
      "uid": "dda8fa741b08915824bfdaf246de6fea",
      "activity": {
        "last": 1539011377000,
        "first": 1537887748000
      }
    },
    {
      "data": {
        "threat": {
          "type": "malware",
          "data": {
            "family": "emotet",
            "malware_family_profile_uid": "5333f9a7036ae7d10e81cb5fc558a20d"
          },
          "uid": "5333f9a7036ae7d10e81cb5fc558a20d"
        },
        "expiration": 1541603366000,
        "confidence": "medium",
        "context": {
          "description": "emotet download location URL"
        },
        "mitre_tactics": "command_and_control",
        "intel_requirements": ["1.1.6"],
        "indicator_data": {
          "url": "http://200.6.168.98:8080"
        },
        "indicator_type": "url"
      },
      "meta": {
        "version": "0.1"
      },
      "last_updated": 1539011369295,
      "uid": "f155a2ffcd9d8cf610360752671fd3a5",
      "activity": {
        "last": 1539011366000,
        "first": 1537967841000
      }
    }
  ]
}

TruSTAR Report - the report content is submitted as JSON, with the fields mapped as follows:

Report Title - the uid field of the record (e.g. f155a2ffcd9d8cf610360752671fd3a5)

External ID - the uid field of the record (e.g. f155a2ffcd9d8cf610360752671fd3a5)

Report Body - the individual indicator object from the JSON response

Time Begun - None

Tags - the confidence field of the record (e.g. ["Confidence: high"])

Deeplink - None
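The following is an added example of the pull-and-submit workflow and the report mapping described above, run offline against the sample response from this page; it is not TruSTAR's or Intel 471's code. It assumes a pluggable fetch callable (the real one would perform the HTTP GET with your Titan API key; the authentication mechanism is not covered on this page), it enforces the 500-indicator cap client-side, and it also carries out the IOC extraction the FAQ describes, pulling the host out of each URL and classifying it as an IP or a domain. The sample_fetch function and the record used to exercise the domain path are constructed for this example.

```python
# Added example: one polling cycle of the workflow on this page, run offline
# against the page's sample response. Not TruSTAR or Intel 471 code.
import ipaddress
import json
from typing import Any, Callable, Dict, List, Set, Tuple
from urllib.parse import urlsplit

API_URL = "https://api.intel471.com/v1/indicators"  # endpoint named on the page
MAX_INDICATORS = 500                                  # per-pull cap stated on the page

# Sample response from the page, abridged to the fields used here so the
# example runs without network access.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "indicatorTotalCount": 2,
    "indicators": [
        {"data": {"threat": {"type": "malware", "data": {"family": "emotet"}},
                  "confidence": "high",
                  "context": {"description": "emotet controller URL"},
                  "indicator_data": {"url": "http://200.6.168.98:8080"},
                  "indicator_type": "url"},
         "last_updated": 1539011379287, "uid": "dda8fa741b08915824bfdaf246de6fea"},
        {"data": {"threat": {"type": "malware", "data": {"family": "emotet"}},
                  "confidence": "medium",
                  "context": {"description": "emotet download location URL"},
                  "indicator_data": {"url": "http://200.6.168.98:8080"},
                  "indicator_type": "url"},
         "last_updated": 1539011369295, "uid": "f155a2ffcd9d8cf610360752671fd3a5"},
    ],
}


def build_query(checkpoint_ms: int, until_ms: int) -> Dict[str, Any]:
    """Query parameters for the window since the checkpoint (epoch milliseconds)."""
    if checkpoint_ms > until_ms:
        raise ValueError("lastUpdatedFrom must not be later than lastUpdatedUntil")
    return {"lastUpdatedFrom": checkpoint_ms, "lastUpdatedUntil": until_ms, "indicator": "*"}


def sample_fetch(url: str, params: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed offline stand-in for the API: serves the sample response
    filtered to the requested last_updated window (inclusive on both ends)."""
    lo, hi = params["lastUpdatedFrom"], params["lastUpdatedUntil"]
    hits = [r for r in SAMPLE_RESPONSE["indicators"] if lo <= r["last_updated"] <= hi]
    return {"indicatorTotalCount": len(hits), "indicators": hits}


def extract_observables(record: Dict[str, Any]) -> Dict[str, str]:
    """IOCs to correlate on, per the FAQ: the URL, its host (an IP or a
    domain, since domains are extracted from URLs) and the malware family."""
    data = record["data"]
    found: Dict[str, str] = {}
    threat = data.get("threat", {})
    if threat.get("type") == "malware":
        found["MALWARE"] = threat["data"]["family"]
    ind_data = data.get("indicator_data", {})
    if data.get("indicator_type") == "url":
        url = ind_data["url"]
        found["URL"] = url
        host = urlsplit(url).hostname
        if host:
            try:
                ipaddress.ip_address(host)
                found["IP"] = host
            except ValueError:
                found["DOMAIN"] = host
    else:
        # Only the url type appears on the page; pass other types through untouched.
        for key, value in ind_data.items():
            found[key.upper()] = str(value)
    return found


def to_trustar_report(record: Dict[str, Any]) -> Dict[str, Any]:
    """Field mapping listed under Technical Details."""
    uid = record["uid"]
    return {
        "title": uid,
        "external_id": uid,
        "body": json.dumps(record, sort_keys=True),
        "time_began": None,
        "tags": [f"Confidence: {record['data']['confidence']}"],
        "deeplink": None,
        "observables": extract_observables(record),
    }


def run_cycle(fetch: Callable[[str, Dict[str, Any]], Dict[str, Any]], checkpoint_ms: int,
              until_ms: int, seen_uids: Set[str]) -> Tuple[List[Dict[str, Any]], int]:
    """One scheduled pull. The window is inclusive, so the record that set the
    previous checkpoint comes back again; seen_uids stops it being resubmitted.
    The new checkpoint is the newest last_updated actually ingested rather than
    wall-clock time, so a slow or partial pull never skips records."""
    records = fetch(API_URL, build_query(checkpoint_ms, until_ms)).get("indicators", [])
    records = records[:MAX_INDICATORS]
    reports = []
    for rec in records:
        if rec["uid"] in seen_uids:
            continue
        seen_uids.add(rec["uid"])
        reports.append(to_trustar_report(rec))
    new_checkpoint = max((r["last_updated"] for r in records), default=checkpoint_ms)
    return reports, new_checkpoint


if __name__ == "__main__":
    seen: Set[str] = set()
    reports, checkpoint = run_cycle(sample_fetch, 1539011369295, 1539011379287, seen)
    for rep in reports:
        print(rep["title"], rep["tags"], rep["observables"])
    print("next checkpoint:", checkpoint)
```

Persist both the returned checkpoint and the seen set between runs; together they make the every-15-minutes schedule safe to restart without either losing records or submitting the same uid twice.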

