Cyware Threat Intelligence eXchange

Create Intel from Threat Mailbox

You can directly create intel from the parsed IOCs and attachments received in an email feed.

Before you Start

Ensure that you have Create Intel, Create Threat Mailbox, View Threat Mailbox, and Update Threat Mailbox permissions.

Steps 

To create intel from the Threat Mailbox, follow these steps:

  1. Go to Main Menu > Collection > Threat Mailbox.

  2. Select a feed, and click Create Intel.

  3. Select the required IOCs and attachments. You can also create objects for a Threat Mailbox feed. For more information, see Create Objects for Threat Mailbox Content.

    CTIX supports zip, pdf, docx, doc, xls, xlsx, rtf, txt, csv, and eml attachment types to create intel in the application.

  4. To add additional metadata to the intel, click + Add Metadata. You can view the metadata retrieved from the email feed. You can modify the following details to create intel:

    • Title: Enter a title for the intel within 100 characters.

    • Description: Enter a description for the intel within 2000 characters.

    • TLP: Select a TLP for the intel.

      Note

      If the email content includes a TLP, the same TLP is automatically assigned to the intel submission. If multiple TLPs are found, the TLP with the highest value is assigned. Otherwise, the default configured TLP is assigned. For more information, see Configure Data Marking Type.

    • Confidence score: Select a confidence score for the intel.

    • Tags: Add tags to categorize the intel.

    • Custom Scores: Enter the values for the custom scores configured by the administrator in Administration > Configuration > Custom Scores.

    • Apply Metadata to all Objects: Select this option to apply the metadata to all selected objects of the intel. If you do not select this option, the metadata is applied only to the report object created for the email feed.

      Note

      The description is added only to the report object and not to the objects you selected to include in the intel.

  5. Click Create Intel and select one of the following report object options:

    • To add the intel to an existing report object, select Add to Existing Report.

    • To create a new report object for the intel, select Create New Report.

  6. Click Save.

    You can view the intel created in Threat Data by the given report name.
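
The TLP assignment rule from the note in step 4, sketched as an added example (this is not Cyware's code). The marker regex, the function names, and the ranking, which is assumed to follow FIRST TLP restrictiveness, are assumptions; the sample emails are constructed.

```python
import re

# Assumed ranking, least to most restrictive, per FIRST TLP 2.0; WHITE is the
# TLP 1.0 name for CLEAR. The page itself only says "highest value".
TLP_RANK = {"CLEAR": 0, "WHITE": 0, "GREEN": 1, "AMBER": 2,
            "AMBER+STRICT": 3, "RED": 4}

# Matches markers such as "TLP:RED", "TLP: amber", "tlp-green" and
# "TLP:AMBER+STRICT"; the trailing \b rejects words like "TLP:REDACTED".
TLP_MARKER = re.compile(
    r"\bTLP\s*[:\-]\s*(AMBER\+STRICT|CLEAR|WHITE|GREEN|AMBER|RED)\b",
    re.IGNORECASE,
)


def find_tlps(text):
    """Return every TLP label found in the text, upper-cased, in order."""
    return [m.group(1).upper() for m in TLP_MARKER.finditer(text)]


def resolve_tlp(text, default_tlp):
    """One marker: use it. Several: the highest ranked. None: the default."""
    found = find_tlps(text)
    if not found:
        return default_tlp
    return max(found, key=lambda label: TLP_RANK[label])


# Constructed sample emails (not real feed content).
SAMPLES = {
    "single": "Subject: [TLP:GREEN] Phishing wave\n\nIndicators attached.",
    "multiple": "Subject: FW: [tlp-green] report\n\nSource marked this TLP: Amber.",
    "strict": "TLP:AMBER+STRICT\nEarlier thread was TLP:AMBER.",
    "none": "Subject: sample\n\nAnalyst names are TLP:REDACTED in this copy.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "->", resolve_tlp(body, default_tlp="AMBER"))
```

Running the same check over a forwarded email before submission shows which marking will win when a thread carries more than one TLP, so a less restrictive subject-line tag does not mask a stricter one in the body.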

Create Objects for Threat Mailbox Content

You can create new threat data objects while creating intel for Threat Mailbox feeds. This is useful when the platform fails to parse specific items during feed scanning. You can either add an object of a new object type or add an object under one of the existing parsed object types.

Steps

To create objects while creating intel for Threat Mailbox feeds, do the following:

  1. Go to Main Menu > Collection > Threat Mailbox.

  2. Select a feed, and click Create Intel.

    If the platform is unable to parse any objects in the selected feed, you can manually add objects if you find any.

  3. Do one of the following to create new objects:

    • Create a new object type: Click Add Object opposite to Content and enter the following details:

      1. Select an object type to assign to the new object. You can choose from ipv4 addr, ipv6 addr, Email addr, and more.

      2. Enter the value of the object to create. For example, to create an ipv4 address object, select ipv4 addr as the object type, and enter 1.1.1.1 as its value.

      3. Click Save.

      4. To reset the fields, click Remove.

    • Create an object for parsed object types: Select a parsed object type, and click Add opposite to the selected type. Perform the following steps to create an object for a parsed object type:

      1. Enter the value of the object to create. For example, to create a domain object, click Add Domain opposite to Domain and enter a domain value.

      2. Click Save.

      3. To reset the fields, click Remove.

      Similarly, you can create objects for other parsed object types.

  4. Click Create Intel.

    If you are creating intel for the first time from this feed, the platform automatically creates a new report object. If you are creating intel again from the same feed, the platform prompts you to choose a report object to store the intel:

    • Add to Existing Report: Select to create the intel in an existing report.

    • Create New Report: Select to create a new report object for the intel.

  5. Click Save.

    You can view the intel created in Threat Data by the given report name.