Skip to main content

Cyware Threat Intelligence eXchange

Threat Data

Cannot find an object in the Threat Data list that exists in the platform.

If Threat Data does not list an existing object, then the object must be associated with a restricted tag and your user group does not have permission to access the object.

I want to add a specific tag to an object, but the search does not list the tag.

If a tag exists in the platform and the search does not list the tag, then either the tag is disabled or the tag is a privileged access tag and you do not have permission to add or remove privileged access tags.

Cannot search and add a privileged tag despite having Tag Categories Management permission to privileged tags.

If a privileged access tag exists in the platform and the search does not list the tag even if you have permission to add or remove privileged access tags in threat data objects, then either the tag is disabled or the tag is added as a restricted tag in your user group configuration and cannot be accessed by your user group.

Is there a default deprecation time for threat objects?

Yes. The default deprecation time is of six months provided the deprecated object is not reported by any other source.

What are the reasons for IOC deprecation?

Consider the following scenarios for IOC deprecation:

  • Manual Deprecation: When an IOC no longer serves the purpose and is taking up space in the database, you can deprecate it from Threat Data.

  • Automatic Deprecation: As an analyst, you can identify the IOCs that no longer serve the purpose and can write a rule to deprecate the IOCs automatically.

  • Valid Until Surpassed: If an IOC has surpassed its expiration date marked by an analyst, the application will automatically mark the IOC as deprecated.

  • 6 Months Old Unmodified Data: If an IOC is not modified or reported again over a period of 6 months, the application will automatically mark the IOC as deprecated.

When does an IOC get undeprecated?

Consider the following scenarios to undeprecate an IOC:

  • You can manually undeprecate an IOC for a set period of time.

  • If you receive the intel that a deprecated IOC is malicious, CTIX automatically undeprecates it.

What do System Created and System Modified Date mean?

System Created Date: The date and time when an object is first received from any source or imported manually in CTIX. For example, CTIX receives an indicator on May 28, 2023, at 11:30 AM for the first time, then the platform displays May 28, 2023, 11:30 AM as the System Created Date.

System Modified Date: The date and time when the details of an object are modified in CTIX. For example, CTIX automatically deprecates an object using a rule on May 31, 2023, at 4:00 AM, then the platform displays May 31, 2023, 4:00 AM as the System Modified Date.

What are the scenarios for System Modified Date?

CTIX updates the System Modified Date for an object based on the following scenarios:

  • When any manual or automated action impacts an object.

  • When we receive the same object from a different source.

  • When we receive additional data, such as TLP, tags, and more, from various sources.

Does CTIX parse the compressed version of IPv6?

No. CTIX supports parsing of expanded IPv6 only. Compressed IPv6 indicators must be converted to the expanded version to ingest into CTIX.

Supported: 2603:1040:0000:0000:0000:0000:0000:0248 (Expanded IPv6)

Unsupported: 2603:1040::248 (Compressed IPv6)