Skip to main content

Cyware Threat Intelligence eXchange

Submit Detailed Intel

Analysts can create detailed threat intel and publish intel to their subscribers in CTIX by submitting detailed information for the supported STIX objects. You can perform the following actions:

  • Create detailed intel for indicators, malware, attack pattern, vulnerability, and threat actor objects.

  • Include basic details, custom details, STIX related information in the intel

  • Add relations to threat data objects

  • Add sightings to threat data objects

  • Publish intel to subscribers

  • Analyze Intel Submission Failures

Before you Start

Ensure that you have Create Import Intel and View Import Intel permissions to create detailed intel in CTIX.

Steps

Use the following procedure to submit detailed intel in CTIX.

  1. From the Main Menu, navigate to Dissemination and select Detailed Submission.

  2. Click Add New Submission.

  3. Enter a title and click Add.

  4. Select from the listed STIX components to create intel and enter information. You must fill out a detailed form for every component.

  5. To add relations to two threat data objects that you created, select Relations.

    1. Select the Primary Object and the title of the object.

    2. Select the Secondary Object and the title of the object.

    3. Select the STIX relationship between the two objects. Intel Exchange supports all the relationship types in compliance with the STIX 2.1 standards.

    4. Click the green checkmark to save the created relationship details.

    5. To add more relationships click Add New Relation.

  6. To add sightings to the threat data objects, select Sightings.

    1. Enter a name and description to identify the sighting.

    2. Select a Sighting of Reference and select the threat data object.

    3. Select the date range during which the threat data object has been sighted.

    4. In count, enter the number of times this object has been sighted.

    5. Select Summary to indicate that aggregation of previous sightings should be considered for this object.

    6. Enter tags and TLP values for the sighting.

    7. Select Revoked to mark the sighting as revoked.

    8. Add custom attributes to this sighting and click Save.

    If you leave this screen after clicking Save, CTIX will display it as a draft intel that you can revisit to make any changes if required.

    You can also create draft intel from rules, using the Publish to Collection action type. For more information, see Publish to Collection Using Rules.

  7. To publish the intel, select Publish.

    1. Choose To a Collection and choose a collection, toggle the status to active, and click Publish.

    2. Choose To Inbox and choose a collection, toggle the status to active, and click Publish.

The platform processes the detailed intel submission and then publishes it.