Email Sources
CTIX allows you to integrate email accounts into the dashboard. The dashboard locates a client's mailbox and displays the emails they share. When an email is received, you can view it in the Threat Mailbox. You can also create STIX packages from the email reports directly in the Threat Mailbox.
Feature availability matrix
CTIX Enterprise | CTIX Lite | CTIX Spoke |
---|---|---|
Yes | No | No |
Before you Start
You must have the view, create, and update threat mailbox permissions to access the Threat Mailbox.
You must have the View API Feed, View Feed Source, Create Feed Source, and Update Feed Source permissions.
Steps
To map and integrate an email account into the email feed source, do the following:
1. Navigate to Administration, select Integration Management, and select Email under FEED SOURCES.
2. Click Add Email Source.
3. Enter a unique client name to identify the account for the emails received.
4. Select an account type from the drop-down. You can choose from IMAP, POP3, and EWS.
   The account type tells the email configuration which protocol to use when accessing the email server. The selected protocol should also be configured for the email account on the domain side.
   The port number appears automatically when you select the account type. For more information, see Configure Threat Mailbox in CTIX using OAuth authentication for EWS.
5. Select SSL Encrypted to verify and secure the connection between the CTIX and email servers.
   If you disable this option, CTIX may configure an instance against an expired SSL certificate. The connection may then not be established properly, and CTIX will not be able to notify you of a broken or improper connection. It is recommended to select this option.
   By default, this check box is selected.
6. Enter the email address to integrate it into the Threat Mailbox.
   All the emails that you receive on the entered email address appear in the Threat Mailbox. By default, it displays your CTIX email address.
7. Enter the password for the email authentication.
   You have to generate this password in the email account settings.
8. Enter a domain for the email account. This allows the Threat Mailbox to use the exact domain for the emails with the specified account type and port.
9. To parse IOCs only from the title and the description of an email, select Parse IOCs only from visible content.
   HTML tags in the email are not considered while parsing.
10. Click Save and Continue.
After you click Save and Continue, CTIX prompts you to configure the optional Advanced Settings. To configure these settings, refer to Step 3 of Configure Advanced Settings.
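The effect of the Parse IOCs only from visible content option can be seen with a short added illustration; this is not CTIX code and does not reproduce its parsing logic. The sample email, the simplified patterns, and the names `VisibleText`, `extract_iocs`, and `iocs_from_email` are assumptions made for this example.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample report (not real data); indicators use documentation ranges.
SAMPLE_EMAIL = """\
From: analyst@example.org
Subject: Phishing wave from 203.0.113.45
Content-Type: text/html; charset="utf-8"

<html><head><style>.x{background:url(http://style-cdn.example.net/a.png)}</style></head>
<body><p>Payload is hosted at <a href="http://redirect.example.com/r">malware.example.org</a>.</p>
<img src="http://198.51.100.7/pixel.gif" width="1" height="1"></body></html>
"""

# Simplified IPv4 and domain patterns, chosen for this illustration only.
IOC_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"
                    r"|\b(?:[a-z0-9-]+\.)+(?:com|net|org)\b", re.I)

class VisibleText(HTMLParser):  # keeps text nodes; skips tags, attributes, <script>/<style>
    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)

def extract_iocs(text):
    return {m.group(0).lower() for m in IOC_RE.finditer(text)}

def iocs_from_email(raw, visible_only=True):
    """Return IOCs from the subject plus either the visible text or the raw HTML body."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    if visible_only:
        parser = VisibleText()
        parser.feed(body)
        parser.close()
        body = "".join(parser.parts)
    return extract_iocs(msg["Subject"] + "\n" + body)

if __name__ == "__main__":
    print(sorted(iocs_from_email(SAMPLE_EMAIL)), sorted(iocs_from_email(SAMPLE_EMAIL, False)))
```

With visible-only parsing, the link target, the tracking-pixel address, and the stylesheet URL in the markup are not reported as indicators; only what a reader of the rendered email sees is extracted.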
Supported Actions for Email Sources
After you add an email source, you can do the following:
- Edit: Edits the configuration of the email source, for example to change the account type and related port, update the password, add or remove domains, and more.
- Delete: Deletes the email account and revokes access to the account's emails.
- Search: Filters the email accounts by the created date range and status of the account.
- Enable/Disable: Enables or disables the account using the toggle switch. If you disable an account, you will not receive any emails from the selected account.