
Configure Intel Exchange in Cortex XSOAR

Intel Exchange is available as an integration in the Cortex XSOAR Marketplace. It enables threat intelligence enrichment and orchestration from Intel Exchange directly within Cortex XSOAR: you can enrich indicators of compromise (IOCs) with CTIX confidence scores, contextualize threat data from multiple sources, and manage indicator workflows using Cortex XSOAR playbooks.

This integration enhances your SOAR workflows in Cortex XSOAR by providing contextual and scored threat intelligence that helps you automate detection and response more effectively.

With Intel Exchange integration in Cortex XSOAR, you can:

  • Leverage the Intel Exchange confidence scoring algorithm to enrich indicators of compromise (IOCs).

  • Contextualize the IOCs by correlating data from multiple Intel Exchange configured sources.

  • Manage indicators ingested into Intel Exchange by identifying whether an indicator is blocked, deprecated, or added to the allowed list across one or more environments. 

  • Create intelligence records in the Intel Exchange platform based on indicator analysis and enrichment.

The Intel Exchange integration in Cortex XSOAR supports the following actions, which you can use in the CLI or Cortex XSOAR playbooks:

  • Add or remove indicators from the allowed list. 

  • Search allowed indicators using defined query parameters.

  • Add, remove, and list tags associated with indicators.

  • Search indicators based on indicator attributes and source information.

  • Fetch threat data from Intel Exchange based on configured criteria.

  • Retrieve detailed information for specific indicators.

  • Search STIX Domain Objects (SDOs) available in Intel Exchange.

  • Fetch saved result sets created in Intel Exchange rules.

  • List configured sources, source collections, and enrichment tools.

  • Mark indicators for false positive or manual review.

  • Deprecate indicators that are no longer valid.

Configuration

You must configure the integration in both Intel Exchange and Cortex XSOAR before you can start ingesting and enriching threat intelligence. 

Before you Start

  • Ensure you have access to the Intel Exchange application and the Cortex XSOAR platform.

  • Ensure you have the Create Rule, View Rule, and View & Update Rule permissions in Intel Exchange to create and manage automation rules.

  • Ensure you have generated API credentials on Intel Exchange to integrate Intel Exchange with Cortex XSOAR.

To configure the Intel Exchange integration in Cortex XSOAR, complete the following procedures.

In Intel Exchange, rules are automated tasks that execute actions based on a trigger. Create a rule using the Saved Result Set action to save threat intelligence into a result set for the Cortex XSOAR integration.

Steps

To create a rule, follow these steps:

  1. Sign in to Intel Exchange.

  2. Go to Main Menu and select Rules under Actions.

  3. Click New Rule.

  4. Enter a Title and, as the rule description, the key details about the rule.

  5. To easily identify and categorize components in Intel Exchange, add Tags.

  6. Click Submit.

  7. Define the Source and Collections from which the rule polls data for Cortex XSOAR.

  8. Define the Condition based on which the rule is triggered. For more information about defining sources, collections, and conditions, see Automation Rules.

  9. Enter the following to define the action:

    1. Select Save Result Set V3 as the action. This action stores data from Intel Exchange and creates a result set from which Cortex XSOAR can poll data.

    2. Select CTIX as the application.

    3. Select an Account to specify the application instance that runs the rule.

    4. Select Tags, if required, to filter the data stored in the result set.

    5. Select threat data objects to store their details in the database from which the Open API can retrieve data.

  10. Click Save.

To integrate Intel Exchange with Cortex XSOAR, you need Intel Exchange API credentials.

Steps

To generate API credentials in Intel Exchange, follow these steps:

  1. Sign in to Intel Exchange.

  2. Go to Administration > Integration Management in Intel Exchange.

  3. Under Third Party Developers, click CTIX Integrators.

  4. Click Add New. Enter the following details:

    • Name: Enter a unique name for the API credentials.

    • Description: Enter a description for the credentials.

    • Expiry Date: Select an expiration date for the API key. Select Expires On to set a specific date, or select Never Expire to keep the credentials valid indefinitely.

  5. Click Add New.

  6. Click Download to get the credentials in CSV format.

Save the Endpoint URL, Access ID, and Secret Key. You will need them while configuring the integration in Cortex XSOAR.

Configure Cortex XSOAR to poll threat intelligence from Intel Exchange.

Install the Intel Exchange Application

Install the Intel Exchange application in Cortex XSOAR so that you can configure the flow of data from Intel Exchange to Cortex XSOAR.

Steps

To install the Intel Exchange application, follow these steps:

  1. Sign in to Cortex XSOAR.

  2. Go to Marketplace from the left navigation pane.

  3. Perform one of the following:

    • If you are installing the application for the first time, select Browse, search for CTIX, and click Install.

    • If the application is already installed, go to INSTALLED CONTENT PACKS, search for CTIX, and click Update to 2.3.0 to update to the latest supported version.

Add an Intel Exchange Instance in Cortex XSOAR

Add an Intel Exchange instance to configure the Intel Exchange application in Cortex XSOAR.

Steps

To add an instance, follow these steps:

  1. Sign in to Cortex XSOAR.

  2. Go to Settings from the left navigation pane.

  3. Search for CTIX and click Add Instance on the integration listed as CTIX data enrichment and threat intelligence searches.

  4. Enter a Name for the instance.

  5. Enter the Endpoint URL, Access ID (access key), and Secret Key generated in Intel Exchange.

  6. To troubleshoot connection issues or connect to a server without a valid certificate, select Trust any certificate (not secure). This disables TLS certificate verification for the connection, so use it only while troubleshooting and not for a production instance.

  7. To add an extra layer of protection while connecting to the internet to fetch data from Intel Exchange, select Use system proxy settings.

  8. Select one of the following log levels to control the error logs generated while testing the connection between the Intel Exchange and XSOAR servers:

    • Off: No error logs are generated.

    • Debug: Generates summarized or confined error logs.

    • Verbose: Generates detailed error logs.

  9. Under Run on, select one of the following to define how the load on the XSOAR machine is handled:

    • Single engine: Select to use a single engine to handle the data coming from Intel Exchange.

    • Load-balancing group: Select to use multiple engines to handle the data coming from Intel Exchange. This allows XSOAR to handle large volumes of incoming data.

  10. Click Test to validate the endpoint URL, the credentials, and the connection between Intel Exchange and Cortex XSOAR.

  11. Click Save & Exit.

Cortex XSOAR now polls threat intelligence data from Intel Exchange based on configured playbooks and CLI actions.
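Before selecting Trust any certificate (not secure) in step 6, it is worth finding out why the default verified connection fails, because the usual cause (an internal CA that the XSOAR server or engine does not trust yet) can be fixed without turning verification off. The following script is an added example, not part of the CTIX content pack or the Intel Exchange documentation; it performs the same verified TLS handshake that XSOAR performs by default against the Endpoint URL saved from the credentials download and reports the reason for any failure. The URL in the usage call is a constructed placeholder.

```python
"""Pre-flight TLS check for an Intel Exchange Endpoint URL (added example)."""
import socket
import ssl
from urllib.parse import urlparse


def endpoint_host_port(endpoint_url: str) -> tuple[str, int]:
    """Return (host, port) from the Endpoint URL saved from the CSV download.
    Only https is accepted: the Secret Key must never travel in clear text."""
    parts = urlparse(endpoint_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"endpoint must be an https URL, got: {endpoint_url!r}")
    return parts.hostname, parts.port or 443


def check_endpoint_tls(endpoint_url: str, timeout: float = 5.0) -> dict:
    """Open a TLS connection with full chain and hostname verification, as XSOAR
    does while 'Trust any certificate' is left unchecked, and explain failures."""
    host, port = endpoint_host_port(endpoint_url)
    ctx = ssl.create_default_context()  # system CA store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()  # dict only when verification passed
        return {"ok": True,
                "subject": dict(attr[0] for attr in cert["subject"]),
                "expires": cert["notAfter"]}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "reason": "certificate verification failed",
                "detail": exc.verify_message,
                "fix": "get the issuing CA trusted on the XSOAR server or engine "
                       "instead of selecting Trust any certificate"}
    except ssl.SSLError as exc:
        return {"ok": False, "reason": "TLS handshake failed", "detail": str(exc),
                "fix": "check the server's TLS configuration and any intercepting proxy"}
    except OSError as exc:  # DNS failure, refused, timeout
        return {"ok": False, "reason": "connection failed", "detail": str(exc),
                "fix": "check DNS, firewall rules, and Use system proxy settings"}


if __name__ == "__main__":
    # Constructed placeholder; replace with the Endpoint URL from your CSV download.
    print(check_endpoint_tls("https://intel-exchange.example.com/ctixapi/"))
```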

After you configure the integration, Cortex XSOAR automatically starts polling threat intelligence from Intel Exchange based on the defined polling interval.

You can verify and view the ingested Intel Exchange data using the Command Line Interface (CLI) in Cortex XSOAR.

Steps

To view the threat intelligence fetched from Intel Exchange, follow these steps:

  1. Sign in to Cortex XSOAR.

  2. Use the Automation browser at the bottom of the screen.

  3. Enter an Intel Exchange command preceded by an exclamation mark (!) to retrieve data from Intel Exchange. For example, use !ctix-get-threat-data to fetch threat data received from Intel Exchange.

  4. Press the Enter key.

  5. Click Yes, execute in the playground to fetch the data received from Intel Exchange.

Use Show Commands to see all the commands that you can use to view data from CTIX. To do so, go to Settings, search for CTIX, and under CTIX click Show commands.