Integrate CSAP with CTIX
Cyware Situational Awareness Platform (CSAP) acts as a feed source for CTIX. When you integrate CSAP with CTIX, CTIX ingests the strategic information from CSAP, then refines and enriches it so that you can act on the received threat intel. Additionally, CTIX communicates essential information to CSAP using rules, which include reports and associated objects. CSAP analysts can then map this data into an accessible format and distribute it among their subscribers.
CTIX shares intel in reports, and CSAP comprehends information in the form of alerts. Therefore, CSAP maps the CTIX report title to the alert title and the report details to the alert description. Ensure that the CTIX report object includes a title and details so that an alert can be created in CSAP.
Note
CTIX sends either the latest analyst description or the latest source description to CSAP, whichever is available in CTIX. When both descriptions are available, the latest analyst description is sent. This description is sent as part of the report details.
Before you Start
Ensure that you have the following access and permissions to integrate CSAP with CTIX:
Access to the CSAP application.
View and Update Tool Integration permission in CTIX.
View Rule, Create Rule, and View & Update Rule permissions in CTIX.
Steps
Activate CSAP in CTIX
Before you Start
You must have Update Tool Integrations and View Tool Integrations permissions.
Steps
Sign in to CTIX.
Navigate to Administration and open Integration Management.
Select Cyware Products under Tool Integrations.
Select CSAP and click Add Account.
Enter a unique account name to identify the alert type sent to CSAP.
In Base URL, enter the endpoint value generated in the CSAP application. The base URL connects directly to the application server.
Enter the access ID and secret key generated in CSAP. These values authenticate the connection between the CTIX and CSAP applications and ensure that secure communication is established between them.
Select Verify SSL to verify and secure the connection between the CTIX and CSAP servers.
If you disable this option, CTIX may configure the instance even when the SSL certificate has expired. The connection may then not be established properly, and CTIX will not be able to notify you of a broken or improper connection. It is recommended to select this option.
Click Save.
Enable CSAP Alert
Enable the CSAP account alert to manage the CSAP account. This alert enables you to send alerts to CSAP in the form of rules and related objects.
To manage the CSAP account, do the following:
In CTIX, navigate to Administration and select Integration Management.
Select Cyware Products under Tool Integrations, and select CSAP.
Select the ellipsis on the top right side of the screen, and select Manage.
Click Manage Actions.
Click the arrow and enable the toggle switch to activate the CSAP account.
Click Save.
Send an Alert to CSAP
Before you Start
You must have Create Rules, View Rules, and Update Rules permissions.
Steps
To send an alert from CTIX to CSAP, do the following:
In CTIX, navigate to Main Menu and open Rules under Actions.
Click New Rule.
Enter a unique rule name to identify the alert in CSAP.
Click Add.
Select a source and collection. You can select multiple sources and collections.
Hover below the source and collection box or expand Conditions under Component on the left side of the screen, and select a condition.
Enter the following fields:
Select Report as an intent type.
Select the rule type to which the condition applies. You can apply a condition on TLP, description, title, and more.
Set the selector, such as equal or greater.
Set a value.
Enable Select Object for Actioning to set an object when you select Report or Note as the Intent Type.
You can apply multiple conditions by combining them with the AND and OR operators.
Hover below the conditions box or expand Actions under Component on the left side of the screen, and select Create CSAP Alert as the action.
Select CSAP as the application and select the CSAP account.
To send notifications, select mobile and email notifications.
Select the groups to notify about the alert.
Set the status of the alert to draft or published.
Set a category and click Save in the top right corner.