
Configure the Intel Exchange App

To enable threat intelligence retrieval and operationalization, you must configure both Cyware Intel Exchange and Cortex XSOAR. This includes generating API credentials in Cyware Intel Exchange and configuring the integration in Cortex XSOAR to retrieve threat intelligence data. Ensure that you have access to both Cyware Intel Exchange and Cortex XSOAR to complete the configuration.

Before you Start 

Ensure that you meet the following prerequisites before configuring the integration:

  • Ensure that you have access to the Cyware Intel Exchange application and the Cortex XSOAR platform.

  • Ensure that you have the Create Rule, View Rule, and View & Update Rule permissions in Cyware Intel Exchange to create and manage automation rules.

  • Ensure that you have generated API credentials in Cyware Intel Exchange to authenticate the integration with Cortex XSOAR.

To configure the Intel Exchange integration in Cortex XSOAR, follow these steps:

In Intel Exchange, rules are automated tasks that execute actions based on a trigger. Create a rule using the Saved Result Set action to save threat intelligence into a result set for the Cortex XSOAR integration.

Steps 

To create a rule, follow these steps:

  1. Sign in to Intel Exchange.

  2. Go to Main Menu and select Rules under Actions.

  3. Click New Rule.

  4. Enter a Title and, as the rule description, key details about the rule. Add tags to easily identify and categorize components in Intel Exchange.

  5. Click Submit.

  6. Define the Source and Collections for the rule to poll data for Cortex XSOAR.

  7. Define the Condition based on which the rule is triggered. For more information about defining sources, collections, and conditions, see Automation Rules.

  8. Enter the following to define the actions:

    1. Select Saved Result Set v3 as the action. This action stores data from Intel Exchange and creates a result set from which Cortex XSOAR can poll data.

    2. Select CTIX as the application.

    3. Select an Account to specify the application instance that runs the rule.

    4. Select Tags, if required, to filter the data stored in the result set.

    5. Select threat data objects to store their details in the database from which the Open API can retrieve data.

  9. Click Save.

To integrate Intel Exchange in Cortex XSOAR, you require API credentials generated in Intel Exchange.

Steps 

To generate API credentials in Intel Exchange, follow these steps:

  1. Sign in to Intel Exchange.

  2. Go to Administration > Integration Management in Intel Exchange.

  3. Under Third Party Developers, click CTIX Integrators.

  4. Click Add New. Enter the following details:

    • Name: Enter a unique name for the API credentials.

    • Description: Enter a description for the credentials.

    • Expiry Date: Select an expiry date for open API keys. To apply an expiration date for the credentials, you can select Expires On and select the date. To ensure the credentials never expire, you can select Never Expire.

  5. Click Add New.

  6. Click Download to download the API credentials in CSV format. You can also click Copy to copy the endpoint URL, secret key, and access ID.

It is recommended to download the API credentials since you cannot recover them later.

Install the Intel Exchange application in Cortex XSOAR to configure the application to integrate the flow of data from Intel Exchange to Cortex XSOAR.

Steps 

To install the Intel Exchange application, follow these steps:

  1. Sign in to Cortex XSOAR.

  2. Go to Marketplace from the left navigation pane.

  3. Perform one of the following:

    • If you are installing the application for the first time, select Browse, search for Cyware Intel Exchange, and click Install.

    • If the application is already installed, go to INSTALLED CONTENT PACKS, search for Cyware Intel Exchange, and click Update to 2.4.0 to update to the latest supported version.

Add an Intel Exchange instance to configure the Intel Exchange application in Cortex XSOAR.

Steps 

To add an instance, follow these steps:

  1. Sign in to Cortex XSOAR.

  2. Go to Settings from the left navigation pane.

  3. Search for Cyware Intel Exchange and click Add Instance on the Cyware Intel Exchange data enrichment and threat intelligence searches.

  4. Enter a Name for the instance. For example, CTIX v3_instance_1.

  5. Enter the following connection details generated in Intel Exchange:

    • Endpoint URL: The endpoint URL of the Intel Exchange instance.

    • Access Key: The API access key generated in Intel Exchange.

    • Secret Key: The API secret key associated with the access key.

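  6. To troubleshoot connection issues or connect to a server without a valid certificate, select Trust any certificate (not secure). This option turns off validation of the server's certificate, so leave it cleared for routine use.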

  7. Enter a Timeout value (in seconds) to define the maximum time Cortex XSOAR waits for a response from the Intel Exchange server. The default value is 180 seconds.

  8. To add an extra layer of protection while connecting to the internet to fetch data from Intel Exchange, select Use system proxy settings.

  9. Configure the Collect parameters to define how Cortex XSOAR retrieves data from Intel Exchange.

    • Source Reliability: Select the reliability level assigned to retrieved indicators.

    • First Fetch Time: Define the time range for the initial data retrieval. By default, this value is set to 3 days.

      Note

      To ensure smooth data ingestion and avoid excess API calls, set the first fetch time to within the last 1–15 days.

    • Indicator Fetch Interval: Specify the polling interval for retrieving indicators from Intel Exchange.

    • Incident Fetch Interval: Specify the polling interval for retrieving incidents from Intel Exchange.

    • Incidents Fetch CQL Query: Enter a CQL query to filter the data retrieved from Intel Exchange.

    • Saved Result Set Version: Select the version configured in the Saved Result Set action within Rules.

    • Saved Result Set Label: Enter a tag name to filter data. All data associated with the specified tag is returned.

    • Maximum Number of Incidents per Fetch: Specify the maximum number of incidents to fetch during each interval. Allowed range is 1–200. The default value is 10.

    • Retrieve Enriched Data: Select this option to retrieve additional indicator context such as tags, scores, and related metadata.

  10. To override the global Cortex XSOAR exclusion list, select Bypass exclusion list.

  11. Select one of the following Log Level options to retrieve error logging while testing the connection between Intel Exchange and Cortex XSOAR:

    • Off: No error logs are generated.

    • Debug: Generates summarized or confined error logs.

    • Verbose: Generates detailed error logs.

  12. Select one of the following Run on options to define the load on the XSOAR machine:

    • Single engine: Uses a single engine to process retrieved data from Intel Exchange.

    • Load-balancing group: Uses multiple engines to process data retrieved from Intel Exchange and helps handle larger volumes of incoming data.

  13. Click Test to validate the endpoint URL, credentials, and connection between Intel Exchange and Cortex XSOAR.

  14. Click Save & Exit.

Cortex XSOAR now polls threat intelligence data from Intel Exchange based on configured playbooks and CLI actions.
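A pre-save review of the instance settings described above, as an added example that is not part of the Cyware or Cortex XSOAR documentation: it flags Trust any certificate and Bypass exclusion list when they are enabled and checks the first fetch time, incidents per fetch, and timeout against the values stated on this page. The dictionary keys and the `<number> <unit>` first-fetch format are assumptions made for the example.

```python
import re

UNIT_DAYS = {"hour": 1 / 24, "day": 1, "week": 7}

def first_fetch_days(text):
    """Parse '<number> <unit>' (for example '3 days') into days, or None."""
    m = re.fullmatch(r"\s*(\d+)\s*(hour|day|week)s?\s*", str(text).lower())
    return int(m.group(1)) * UNIT_DAYS[m.group(2)] if m else None

def audit_instance(params):
    """Return (severity, field) findings for one instance configuration."""
    findings = []
    for field in ("endpoint_url", "access_key", "secret_key"):
        if not str(params.get(field) or "").strip():
            findings.append(("ERROR", field))      # connection detail missing
    if params.get("trust_any_certificate"):
        # Labelled "not secure" in the UI: meant for connection testing only.
        findings.append(("WARN", "trust_any_certificate"))
    if params.get("bypass_exclusion_list"):
        # Overrides the global Cortex XSOAR exclusion list.
        findings.append(("WARN", "bypass_exclusion_list"))
    days = first_fetch_days(params.get("first_fetch", "3 days"))
    if days is None or not 1 <= days <= 15:
        findings.append(("WARN", "first_fetch"))   # note: keep within 1-15 days
    max_fetch = params.get("max_fetch", 10)
    if not isinstance(max_fetch, int) or not 1 <= max_fetch <= 200:
        findings.append(("ERROR", "max_fetch"))    # allowed range is 1-200
    timeout = params.get("timeout", 180)
    if not isinstance(timeout, (int, float)) or timeout <= 0:
        findings.append(("ERROR", "timeout"))      # seconds, default 180
    return findings

# Constructed sample settings; keys are hypothetical, values are placeholders.
TROUBLESHOOTING = {
    "endpoint_url": "https://ctix.example.invalid/",
    "access_key": "ACCESS-ID-PLACEHOLDER",
    "secret_key": "SECRET-KEY-PLACEHOLDER",
    "trust_any_certificate": True,
    "bypass_exclusion_list": True,
    "first_fetch": "30 days",
    "max_fetch": 500,
}
PRODUCTION = dict(TROUBLESHOOTING, trust_any_certificate=False,
                  bypass_exclusion_list=False, first_fetch="3 days", max_fetch=10)

if __name__ == "__main__":
    for name, cfg in (("troubleshooting", TROUBLESHOOTING), ("production", PRODUCTION)):
        print(name, audit_instance(cfg) or "no findings")
```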