Cyware Threat Intelligence eXchange

Quick Add Intel

You can quickly add intel to the platform by providing some basic details using Quick Add Intel. You can add various types of objects, such as indicators, domain objects, observables, relationship objects, and custom objects configured in the platform. Additionally, you can parse text data from files, free text, and URLs to extract threat data and ingest objects in bulk. Intel Exchange leverages artificial intelligence for advanced parsing and extraction of threat data, such as threat actors, malware, vulnerabilities, and more.

Note

You can add a maximum of 5000 threat data objects to create intel.

Before you start

  • You must have the Create/Update Intel permission to add intel in Intel Exchange.

  • It is recommended to enable AI Assist from Administration > Configuration > General Settings for advanced parsing of threat data using artificial intelligence.

Steps

To create intel with basic details, follow these steps:

  1. Click +New on the top bar and select Quick Add Intel.

  2. Enter the following details:

    • Title: Enter a title for the intel.

    • File and Text: Select this tab to parse data from text, URLs, and files to extract STIX objects and add them to the intel.

      • File Upload: Upload a file of up to 10 MB in size in .pdf, .csv, .txt, .json, .rtf, .xml, or .xls format. Click Extract to extract threat data objects. Parsing is limited to 1 MB of parsed data for .pdf, 40,000 cell records for .csv, and 50,000 characters for .txt, .json, .rtf, .xml, and .xls file formats.

        Note

        After uploading a CSV file, you can modify the data in the preview, such as adding or deleting columns and rows, modifying cell data 

      • Free Text: Enter text data within 50,000 characters. Click Extract to extract threat data objects.

      • URL: Enter a URL to scan the web page and extract objects. For example, https://www.sampledomain.com. A maximum of 50,000 characters from a web page is parsed to extract objects. Click Extract to extract threat data objects.

      You can view the list of extracted threat data objects that are categorized into various STIX object types. You can edit an object to modify the object value. You can also add new objects if no object is extracted or add more objects to the intel. You can add new object types and add objects to an extracted object type.

      To add a new object type, follow these steps:

      1. In STIX Data, click Add Object.

      2. Select an object type. For example, Ipv4 addr.

      3. Enter a valid value for the selected object type. For example, 1.1.1.1.

      4. Click Save.

      To add an object to an object type, follow these steps:

      1. In STIX Data, select an object type and click Add. For example, Domain.

      2. Enter a valid value for the selected object type. For example, sampledomain.com.

      3. Click Save.

    • Indicators: Select this tab to add various types of indicators, such as IPv4, IPv6, domain, URL, hashes, and more. Select an indicator type and enter the values separated by commas or in separate lines. For example,

      12.430.25.23
      www.sampleURL.com
      1.23.765.23
      www.CTIXsampleURL.com

    • Domain Objects: Select this tab to add STIX domain objects, such as vulnerabilities, malware, campaigns, and more. Select a domain object type and enter the values separated by commas or in separate lines.

    • Observables: Select this tab to add STIX observable objects, such as artifacts, directories, email messages, and more. Select an observable object type and enter the values separated by commas or in separate lines.

      Note

      When you create intel of type X.509 certificate, serial_number, validity_not_before, and validity_not_after observable objects are created and related to the ingested object.

    • Relations: Select this tab to associate specific threat data objects that exist in the platform with the report object that is created as part of this quick add submission. Enter a keyword to search and select the objects from the search result to associate. You can associate a maximum of 10 objects in a quick add submission.

      Note

      The following objects cannot be added as relations:

      • Domain Objects: Observed Data, Opinion, Report, Note, Custom Object, and Location

      • Observables: Network Traffic and X.509 Certificate

      • Indicators: MD5, SHA1, SHA224, SHA384, SHA256, SHA512, and SSDEEP

    • Custom Objects: Select this tab to add the custom objects you have configured in Administration > Custom Entities Management. Select a custom object type and enter the value in the custom attribute. Click +Add More to add more custom attributes.

      Note

      The platform stores the objects using the value of the primary attribute as the object name. However, when a JSON attribute type is ingested as the primary attribute, the platform uses the object ID as the object name. This distinction in naming conventions ensures proper handling and identification of JSON attributes within the platform.

  3. To add additional details to the intel, click Add Metadata and enter the following details:

    • Confidence: Enter the Confidence Score for the intel. For example, 90. This score is added as the source Confidence Score. By default, the Confidence Score is 100.

    • Assign TLP: Select a Traffic Light Protocol (TLP) to assign to the intel. By default, the Amber TLP is selected.

    • Tags: Select the tags to associate with the intel. For example, Zeroday.

    • Description: Enter a description for the intel within 1000 characters. For example, Intel received from an external source.

    • Custom Scores: Enter the values for the custom scores configured by the administrator in Administration > Configuration > Custom Scores.

    • Apply Metadata to all objects: Select this option to apply the metadata, such as Confidence Score, TLP, and tags, to all objects that are part of the intel submission. Otherwise, the metadata is applied to the report object created as part of the quick add submission only. By default, the check box is unselected.

      Note

      The description is added only to the report object even if the Apply Metadata to all objects option is selected. However, the title of the report object is added as the description in all related objects.

  4. Click Create.

If you have selected more than 5000 objects, the platform prompts you to confirm if you want to create intel with the initial 5000 objects. Click Proceed to create intel.

Intel is created in the background. You can track the status in Quick Add History.
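The following Python script is an added example, not part of the platform or its documentation. It pre-checks a comma- or newline-separated indicator list before submission so that malformed values (which would otherwise surface in the Partially Successful log) and anything past the 5000-object limit are visible up front. The type labels, the validation rules, and counting only valid unique values toward the limit are assumptions of this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

MAX_OBJECTS = 5000  # per-submission object limit stated on this page
HASH_BY_LENGTH = {32: "MD5", 40: "SHA1", 56: "SHA224", 64: "SHA256", 96: "SHA384", 128: "SHA512"}
# Simplified hostname pattern (assumption): ASCII labels and an alphabetic TLD.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def classify(value):
    """Return a type label for value, or None when it is not well formed."""
    try:
        return "IPv%d" % ipaddress.ip_address(value).version
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HASH_BY_LENGTH:
        return HASH_BY_LENGTH[len(value)]
    if re.match(r"https?://", value, re.I):
        try:
            host = urlsplit(value).hostname or ""
        except ValueError:
            return None
        return "URL" if classify(host) in ("IPv4", "IPv6", "Domain") else None
    return "Domain" if DOMAIN_RE.match(value) else None


def prepare(raw, cap=MAX_OBJECTS):
    """Split, de-duplicate and sort values into (accepted by type, invalid, past the cap)."""
    accepted, invalid, overflow, seen, count = {}, [], [], set(), 0
    for value in (t.strip() for t in re.split(r"[,\r\n]+", raw)):
        kind = classify(value) if value else None
        key = value if kind == "URL" else value.lower()  # URL paths are case-sensitive
        if not value or key in seen:
            continue
        seen.add(key)
        if kind is None:
            invalid.append(value)
        elif count >= cap:
            overflow.append(value)
        else:
            accepted.setdefault(kind, []).append(value)
            count += 1
    return accepted, invalid, overflow


# Constructed input: the sample values shown on this page plus a few made-up ones.
SAMPLE = ("12.430.25.23\nwww.sampleURL.com\n1.23.765.23\nwww.CTIXsampleURL.com\n"
          "1.1.1.1, WWW.SAMPLEURL.COM, https://www.sampledomain.com, 2001:db8::1")
```

Calling `prepare(SAMPLE)` puts the two out-of-range dotted values in the invalid list and drops the case-variant duplicate domain.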

View Basic Data Intel History

You can view the list of intel submitted by various users under Quick Add History. You can also view statistics on the number of quick add submissions by status. The following list explains the statuses of quick add submissions:

  • Processing: Intel creation is in progress

  • Pending: Intel is submitted successfully and is in the queue for creation

  • Created: Intel is created successfully

  • Failed: Failed to create intel

  • Partially Successful: Intel is created with valid objects from the submitted list of objects. Download the log to view the list of invalid objects.

You can perform the following activities on Quick Add History:

  • Search submissions based on the title

  • Filter submissions based on the status, creator, and created date

  • View the details of the report object created from the intel submission. Click the ellipsis and select View to view the report details.