Cyware Threat Intelligence eXchange

Fill Indicator Details

An indicator contains a pattern that can be used to detect suspicious or malicious cyber activity.

Basic Details

| Field Name | Required | Description |
|---|---|---|
| Name | Mandatory | Specify the name for the indicator. |
| Description | Optional | Specify the description that best describes the key details of the indicator. |
| Indicator Types | Optional | Specify the type of indicators, such as anonymization, C2, compromised PKI certificate, domain watchlist, and more. The indicator type list is built on standard STIX package observable patterns. |
| Pattern Type | Mandatory | Specify the detection pattern to provide additional context about the indicator. STIX patterns are expressions that represent Cyber Observable objects within a STIX Indicator SDO. This pattern type adds an additional tab to the indicator STIX component tabs. |
| Start Date* | Mandatory | Specify the start date from which the indicator is considered a valid indicator of its behaviors. |
| End Date* | Mandatory | Specify the end date until which the indicator is considered a valid indicator of its behaviors. |

*For more details on dates across the platform, see General FAQs.

Custom Fields

| Field Name | Description |
|---|---|
| Tags | Specify the tags for the indicator. Tags help group related information in CTIX. |
| TLP | Specify the TLP value for the indicator, such as RED, AMBER, GREEN, WHITE, and NONE. |
| Created by Reference | Specify the entity that created the CTIX object. |
| Revoked | Select this option to mark the component as revoked or invalid. |

Custom Attributes

| Field Name | Description |
|---|---|
| Add Custom Attribute | Specify the additional information that helps in improving the threat intelligence details. CTIX displays custom attributes created in Administration > Custom Entities Management. You can create multiple custom attributes for an indicator. |

Kill Chain Phases

Include the kill chain phases for which this object can be used.

| Field Name | Description |
|---|---|
| Kill Chain Name | Choose the kill chain name to associate with this object. You can choose Lockheed Martin or MITRE kill chains. You can also create and add custom kill chains in Administration > Custom Entities Management and associate them here. |
| Kill Chain Phase | Choose the kill chain phase associated with the kill chain. |

STIX

STIX patterns are expressions that represent Cyber Observable objects within a STIX Indicator object. If the Pattern Type is selected as STIX, enter the following values.

| Field Name | Description |
|---|---|
| Type | Select the type of the observable expression for the indicator. |
| Name | Enter the value of the observable expression for the indicator. |
| Comparator | Select AND or OR condition. |
| Add More | Click to add more observable expressions. |

If you selected the Pattern Type as YARA, enter the YARA rule that represents the Cyber Observable objects for this indicator in the console.
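
The following added example (not CTIX code) shows how Type, value, and Comparator rows like those in the STIX table above combine into a STIX 2.1 pattern, and how the Start Date and End Date map to `valid_from` and `valid_until`. The function names, the object paths used for Type, and the sample values are assumptions made for illustration; how CTIX itself serializes the form is not described on this page.

```python
import json
import uuid
from datetime import datetime, timezone

def quote(value):
    # STIX pattern string literals escape backslash and single quote with a backslash.
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def build_pattern(rows):
    """rows: (object path, value, comparator to the next row), one per form row."""
    if not rows:
        raise ValueError("at least one observable expression is required")
    parts = []
    for i, (path, value, comparator) in enumerate(rows):
        parts.append(f"{path} = {quote(value)}")
        if i < len(rows) - 1:  # the last row's comparator joins nothing
            if comparator not in ("AND", "OR"):
                raise ValueError(f"comparator must be AND or OR, got {comparator!r}")
            parts.append(comparator)
    return "[" + " ".join(parts) + "]"

def stix_time(dt):
    # STIX timestamps are UTC in RFC 3339 form; dt must be timezone-aware.
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def build_indicator(name, rows, start, end, revoked=False):
    if end <= start:  # STIX requires valid_until to be later than valid_from
        raise ValueError("End Date must be later than Start Date")
    now = stix_time(datetime.now(timezone.utc))
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now, "modified": now,
        "name": name,
        "pattern_type": "stix",
        "pattern": build_pattern(rows),
        "valid_from": stix_time(start),
        "valid_until": stix_time(end),
        "revoked": revoked,
    }

# Constructed sample input (documentation-range address, reserved .test domain).
ROWS = [("domain-name:value", "c2.example.test", "OR"),
        ("ipv4-addr:value", "198.51.100.7", "OR")]
START = datetime(2024, 1, 1, tzinfo=timezone.utc)
END = datetime(2024, 4, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(json.dumps(build_indicator("Constructed C2 indicator", ROWS, START, END), indent=2))
```
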

External References

Use external references to include any non-STIX information that you may want to associate with this object.

| Field Name | Description |
|---|---|
| Source Name | Enter a source name. |
| Description | Enter a description. |
| External ID | Enter an external ID. |
| URL | Enter the URL of the external reference. |
| Hash Type | Select the hash type. |
| Hash Value | Enter the hash value. |