Create Intel from Sandbox
You can create intel directly from the data extracted in a sandbox analysis report. Intel Exchange auto-generates threat data elements such as indicators, file metadata, and detection summaries, helping you accelerate threat enrichment workflows.
Before you start
Ensure your user group has the following permissions:
Create Intel
Create Sandbox Records
View Sandbox Records
Steps
To create intel from a successfully analyzed sandbox record:
Go to Main Menu and select Analysis > Sandbox.
In the listing, open a record with Success status.
Click Create Intel in the upper-right corner of the report view. The system retrieves all threat data elements identified in the sandbox analysis report.
Select the IOCs you want to include in the intel, click + Add Metadata, and enter the following details:
Title: Auto-filled using the sandbox record name. You can modify this if needed (maximum 100 characters).
Description: Auto-filled with extracted HTML content from the report.
Note
The description is added only to the report object, not to the individual threat data elements.
TLP: Set the Traffic Light Protocol (TLP) level for feeds that do not already have a TLP assigned. The default value is Amber.
Deprecates after: Set the number of days (1-180) after which the threat data (indicator) should be deprecated, unless an expiry is provided by the source. If the same indicator is received from multiple sources, the longest valid duration is applied.
Risk Score: Assign a risk score to help prioritize the intel.
Tags: Add tags to classify and group intel.
Apply Metadata to All Objects: Enable this option to apply the selected metadata to all threat objects included in the intel. If left disabled, metadata will only apply to the report object created from the sandbox analysis.
Click Create Intel to proceed.
Click Save.
For subsequent intel from the same artifact, the system adds the intel to the existing report object.
Post Intel Creation
Creating intel from a sandbox report results in the following:
A report object is created in Threat Data for the analyzed artifact.
For the first intel created from an artifact, Intel Exchange creates a new report object using the artifact title.
For subsequent intel created for the same artifact, you can choose to add the intel to the existing report or create a new report.
Intel Exchange creates individual threat data objects for each selected item and maps them as related objects to the Report.
All created objects show Cyware Sandbox as the source of intel.
Selecting View in Threat Data redirects to the Threat Data listing page.
The Report object includes a View in Sandbox option that redirects to the corresponding sandbox analysis.