Cyware Threat Intelligence eXchange

Integrate Orchestrate with Intel Exchange

Orchestrate is an any-to-any, vendor-agnostic orchestration platform for connecting and automating cyber, IT, and DevOps workflows across cloud, on-premise, and hybrid environments. You integrate Intel Exchange with Orchestrate using Open APIs. You can then use Orchestrate Playbooks to perform orchestration tasks on the threat indicators that Orchestrate receives from Intel Exchange.

To integrate Orchestrate with Intel Exchange:

Create Open API credentials in Orchestrate

Create Open API credentials in Orchestrate to integrate it with Intel Exchange.

  1. Sign in to Orchestrate as an administrator.

  2. Navigate to Admin Panel and select Open API.

  3. Click Add Open API.

  4. Enter the API Title as CTIX integration.

  5. Choose an Expiration Date for your API credentials.

  6. For Bot User, choose your name. Bot Users can access Orchestrate Open API endpoints based on the permissions assigned.

  7. Toggle the status to Active.

  8. Click Create.

  9. Click Download credentials to download API authentication credentials such as API URL, Access ID, and API Key. Save the credentials, because you cannot recover them after you navigate away from this page.

Configure Orchestrate Integration in Intel Exchange

Add Orchestrate credentials in Intel Exchange and enable Trigger Playbook action.

  1. Sign in to Intel Exchange as an administrator.

  2. Navigate to Administration and click Integration Management.

  3. From Tool Integrations, select Cyware Products to see the Orchestrate integration.

  4. Click CSOL.

  5. Click Add Account.

  6. Enter a name for the integration. For example, Block Hashes.

  7. Provide Orchestrate API credentials that you generated, such as API URL, Access ID, and Secret Key.

  8. Click Save.

  9. Click the ellipsis in the top-right corner and select Manage to view the successful configuration.

  10. Now click on Manage Actions to see the available endpoints.

  11. Enable the Trigger Playbook V3 action for Orchestrate and the Trigger Playbook action for CSOL. You can also enable these actions from the integration details page.

Create Label in Orchestrate

A label serves as a link between events and playbooks, initiating the playbooks when the events occur. Labels are attached to playbooks to automatically trigger the execution of the playbook. These events are received as event data in Orchestrate or from external platforms such as Respond, Intel Exchange, Splunk, and more.

To create a label, follow these steps:

  1. Sign in to the Orchestrate application as an administrator.

  2. From Main Menu, navigate to Triggers > Labels.

  3. Click Add Label.

  4. Enter a title and description for the label.

  5. Choose a color for the label and set the Status to Active.

  6. Click Create.

Configure Trigger in Orchestrate

Configure a trigger in the Orchestrate application to automatically execute a playbook on the occurrence of an event. When the configured trigger details match with the incoming event data, the playbooks execute automatically.

  1. Sign in to the Orchestrate application as an administrator.

  2. From Main Menu, navigate to Triggers > Configure Triggers.

  3. Click Add Configure Event.

  4. Enter Event Source App as ctix.

    Important

    Make sure to enter this value as ctix only. If you enter anything else, this trigger will not be visible in Intel Exchange.

  5. Enter an Event Type. For example, block_ctix_hash.

  6. Attach the label that you created in the previous topic to this trigger. You can choose one or more labels. When the Event Source App and Source Event Type details match with the incoming event data, all the Playbooks associated with the chosen label will execute automatically.

  7. Make sure the status toggle is Active.

  8. Click Create.
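
The routing described above (Event Source App and Event Type select a trigger, the trigger's labels select the playbooks) can be modelled to check a planned configuration before rollout. This is an added example, not Cyware code; the data shapes, the label and playbook names, and the rule that an inactive trigger never fires are assumptions made for illustration.

```python
# Added illustration: a simplified model of trigger -> label -> playbook routing.
# Data shapes and names are constructed; this is not Orchestrate's own code.
from dataclasses import dataclass

REQUIRED_SOURCE_APP = "ctix"  # the page requires exactly this value


@dataclass
class Trigger:
    source_app: str
    event_type: str
    labels: list
    active: bool = True


def playbooks_for_event(event, triggers, label_playbooks):
    """Return the sorted playbook names that matching triggers would start."""
    selected = set()
    for trig in triggers:
        if not trig.active:  # assumption: inactive triggers never fire
            continue
        if (trig.source_app, trig.event_type) != (event["source_app"], event["event_type"]):
            continue
        for label in trig.labels:  # every playbook on every attached label runs
            selected.update(label_playbooks.get(label, []))
    return sorted(selected)


def lint_triggers(triggers, label_playbooks):
    """Flag settings that would leave an event without any playbook run."""
    findings = []
    for trig in triggers:
        name = f"{trig.source_app}/{trig.event_type}"
        if trig.source_app != REQUIRED_SOURCE_APP:
            findings.append(f"{name}: source app is not exactly 'ctix'")
        if not trig.active:
            findings.append(f"{name}: status is not Active")
        for label in trig.labels:
            if not label_playbooks.get(label):
                findings.append(f"{name}: label '{label}' has no playbook")
    return findings


# Constructed sample configuration (hypothetical label and playbook names).
LABEL_PLAYBOOKS = {"block-hash": ["Block hash on EDR", "Notify SOC"], "enrich": []}
TRIGGERS = [
    Trigger("ctix", "block_ctix_hash", ["block-hash", "enrich"]),
    Trigger("CTIX", "block_ctix_ip", ["block-hash"]),  # wrong case: never matches
]

if __name__ == "__main__":
    event = {"source_app": "ctix", "event_type": "block_ctix_hash"}
    print(playbooks_for_event(event, TRIGGERS, LABEL_PLAYBOOKS))
    for finding in lint_triggers(TRIGGERS, LABEL_PLAYBOOKS):
        print("WARN", finding)
```
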

Create a Rule in Intel Exchange to trigger the playbook

Create a rule in Intel Exchange to trigger Orchestrate Playbooks. Rules are automation tasks in Intel Exchange that execute a configured action based on incoming data and the conditions you set up in Intel Exchange.

For example, you can create a rule in Intel Exchange to trigger Orchestrate playbooks to block a particular malicious IP address when that IP address is received in Intel Exchange.

  1. Sign in to Intel Exchange as an administrator.

  2. From the Main Menu, navigate to Actions > Rules.

  3. Click New Rule.

  4. Enter a rule name.

  5. Configure a source and collection for your rule.

  6. Specify your conditions.

  7. Select the following values in Actions.

    1. Action as Trigger Playbook V3 to trigger a Playbook in Orchestrate.

    2. Action as Trigger Playbook to trigger Playbook in Orchestrate.

    3. Application as CSOL or CO as required.

    4. Choose your configured Orchestrate account. In this example, you can select Block Hashes.

    5. Choose the Event Type you have configured in Orchestrate. In this example, you can select block_ctix_hash.

  8. Click Save.

Result
  • After configuring this workflow, Intel Exchange automatically sends the event data to the required playbook in Orchestrate.