Skip to main content

Cyware Threat Intelligence eXchange

Configure General Settings

You can configure the general settings of the application, such as the logo, tenant settings, general user account settings, and Google reCAPTCHA.

Steps

To configure general settings, follow these steps:

  1. Go to Administration > Configuration > General Settings.

  2. Upload a logo that appears on the left top bar of the application. You can choose to upload your organization logo for a personalized experience. Ensure that you upload an image with 160 pixels of width and 38 pixels of height and a blank background. The supported image types are .jpeg, .png, and .svg.

  3. Click Edit and set the following configurations:

    • Data Marking Preference: Set the data marking preference to define the access control mechanism for threat data objects. For more information, see Configure Data Marking Preference.

    • Inactivity Timeout: Set a period you can be inactive without interacting with the system. After this set period, the application will log you out and you will have to sign in again.

    • Lock Users upon Failed Login: Set the number of times a user can try to log in to the application before getting locked out. You can define to permanently or temporarily lock out the user.

    • Automatic Account Deactivation: Set the time interval after which a user account will automatically get deactivated due to inactivity in the application. For example, if a user account has not logged in to the application for over 30 days, Intel Exchange will deactivate that account.

    • Concurrent Session: Enables you to use the application on two systems or browsers simultaneously by the same user account.

    • Login Session Timeout: Specify a time limit for your session login in Intel Exchange application. You are automatically logged out of the Intel Exchange application after the specified time limit. This time limit is only applicable to users who are added after this configuration is set up.

    • Google Recaptcha: Google reCAPTCHA helps detect abusive traffic and stops bots from accessing the CTIX application without user interaction. You can use this option to enable Google reCAPTCHA for users at the login page of the application.

    • Max Polling Time: Set the time interval when the CTIX tenant automatically retrieves Threat Intel from the configured Sources.

    • Max Poll Result Size: Set the maximum number of packages that can be received from a source for an API call.

    • Email Connection Retry Count: Specify the number of times the application attempts to connect to the configured Threat Mailbox.

    • Email Connection Retry Interval: Set the time interval at which the application will attempt to retry connecting to the configured Threat Mailbox. 

    • Max Feed Channels Polled: Set the number of API feeds that can concurrently poll data at the same time. You can set the value to a maximum of eight feeds to concurrently poll data. 

    • Parse Domain: Turn on the URL or Email toggle to automatically parse the domain values from URLs and emails from the configured Threat Mailbox and RSS feeds.

    • Parse Email from URL: Turn on the URL to automatically parse the emails from URLs from the configured Threat Mailbox and RSS feeds.

    • Import Intel Preference: To set your preference to import intel in Intel Exchange, select one of the following:

      • Ingest partial correct file: Allows you to import all valid objects of a STIX bundle.

      • Do not ingest incorrect file: Does not allow you to import objects from an STIX bundle if the bundle includes invalid objects. By default, this option is selected.

    • IOC Enrichment Validity: Specify a period either on an hourly basis or a daily basis after which the application can re-enrich a threat data object. Setting this configuration allows you to conserve quota and prevent duplicate enrichment. This helps in the calculation of the confidence score. You can day basis or hour basis as well. 

    • AI Assist: Enable users to get AI assistance in threat investigation operations, such as advanced parsing and extraction of threat data, reporting, and more.

  4. Click Save.

For information about the email server and proxy, see Configure Email Server and Configure Proxy Server.

Configure Data Marking Preference

Notice

Traffic Light Protocol (TLP) Version 2.0 is available in Intel Exchange from the release version v3.7.1.0 (Early Access).

Data marking of the threat data objects helps you to define the sensitivity of threat data objects and control access of objects with in the platform and sharing of threat intel to the subscribers. Intel Exchange supports the marking of data as per Traffic Light Protocol (TLP) color codes and supports both TLP version 1.0 and 2.0 designations. The color codes as per TLP 1.0 and 2.0 designations are:

  • TLP 1.0: RED, AMBER, GREEN, WHITE

  • TLP 2.0: RED, AMBER+STRICT, AMBER, GREEN, CLEAR

To configure data marking preference for threat data objects, follow these steps:

  1. Go to Administration > Configuration > General Settings.

  2. Go to Data Marking Preference and click Edit.

  3. Traffic Light Protocol (TLP) is the default data marking type and cannot be disabled.

  4. Specify your preference for ingesting threat data marked as TLP RED. This setting provides enhanced control over the sharing of sensitive data.

  5. In Threat Data Export, select the TLP version to apply to the threat data objects. 

  6. In TLP Mapping, choose a corresponding TLP 1.0 color to automatically convert the TLP 2.0 Amber+Strict designation.

  7. Click Save.

Priority Polling for Feed Sources

Notice

This feature is available in Intel Exchange from the release version v3.4.0 and later.

Select up to five feed channels to prioritize data ingestion. The platform prioritizes the selected critical feed channels as per your selection to poll threat intel in a shorter period.

Priority polling only supports limited feed channels that provide restricted but meaningful feeds to avoid any system overload.

Note

Ensure that you enable the feed source and respective feed channel under Administration > Integration Management > Feed Sources > API to poll the required threat intel successfully.

Third-Party Allowed Indicators

Notice

This feature is available from the release version v3.4.3 and later that are deployed on Cyware Cloud.

Configure third-party repositories, such as Majestic Million to search and retrieve well-known indicators. The third-party repositories provide a list of potentially safe indicators. With access to millions of indicators, Intel Exchange can verify qualified incoming data to automatically mark them as allowed indicators.

The platform fetches the latest potentially trusted indicators automatically at 00:00 hrs UTC every day. After you enable this option, the platform may take several seconds to connect with the repository to get access to the array of indicators. 

You can access the latest indicators in Main Menu > My Org > Indicators Allowed > Third-Party Indicators.

Note

Currently, indicators ingested from the API feed sources are not verified with the third-party allowed indicator list. 

For more information, see Third-Party Allowed Indicators.