Cyware Threat Intelligence eXchange

Integrate Orchestrate with CTIX

Orchestrate is an any-to-any vendor-agnostic orchestration platform for connecting and automating cyber, IT, and DevOps workflows across cloud, on-premise, and hybrid environments. Integrate CTIX with the Orchestrate application using Open APIs. You can then use Orchestrate Playbooks to perform orchestration tasks on the threat indicators that Orchestrate receives from the CTIX application.

To integrate Orchestrate with CTIX:

Create Open API credentials in Orchestrate

Create Open API credentials in Orchestrate to integrate it with CTIX.

  1. Sign in to Orchestrate as an administrator.

  2. Navigate to Admin Panel and select Open API.

  3. Click Add Open API.

  4. Enter the API Title as CTIX integration.

  5. Choose an Expiration Date for your API credentials.

  6. For Bot User, choose your name. Bot Users can access Orchestrate Open API endpoints based on the permissions assigned.

  7. Toggle the status to Active.

  8. Click Create.

  9. Click Download credentials to download the API authentication credentials, such as API URL, Access ID, and API Key. Save the credentials, because you cannot recover them after you navigate away from this page.

Configure Orchestrate Integration in CTIX

Add Orchestrate credentials in CTIX and enable Trigger Playbook action.

  1. Sign in to CTIX as an administrator.

  2. Navigate to Administration and click Integration Management.

  3. From Tool Integrations, select Cyware Products to see the Orchestrate integration.

  4. Click CSOL.

  5. Click Add Account.

  6. Enter a name for the integration. For example, Block Hashes.

  7. Provide the Orchestrate API credentials that you generated, such as API URL, Access ID, and Secret Key.

  8. Click Save.

  9. Click the ellipsis in the top-right corner and select Manage to view the successful configuration.

  10. Now click on Manage Actions to see the available endpoints.

  11. Enable the Trigger Playbook V3 action for Orchestrate and the Trigger Playbook action for CSOL. You can also enable these actions from the integration details page.

Create Label in Orchestrate

A label serves as a link between events and playbooks, initiating the playbooks when the events occur. Labels are attached to playbooks to automatically trigger the execution of the playbook. These events are received as event data in Orchestrate or from external platforms such as CFTR, CTIX, Splunk, and more.

To create a label, do the following:

  1. Sign in to the Orchestrate application as an administrator.

  2. From Main Menu, navigate to Triggers > Labels.

  3. Click Add Label.

  4. Enter a title and description for the label.

  5. Choose a color for the label and set the Status to Active.

  6. Click Create.

Configure Trigger in Orchestrate

Configure a trigger in the Orchestrate application to automatically execute a playbook on the occurrence of an event. When the configured trigger details match with the incoming event data, the playbooks execute automatically.

  1. Sign in to the Orchestrate application as an administrator.

  2. From Main Menu, navigate to Triggers > Configure Triggers.

  3. Click Add Configure Event.

  4. Enter Event Source App as ctix.

    Important

    Make sure to enter this value as ctix only. If you enter anything else, this trigger will not be visible in CTIX.

  5. Enter an Event Type. For example, block_ctix_hash.

  6. Attach the label that you created in the previous topic to this trigger. You can choose one or more labels. When the Event Source App and Source Event Type details match with the incoming event data, all the Playbooks associated with the chosen label will execute automatically.

  7. Make sure the status toggle is Active.

  8. Click Create.

Create a Rule in CTIX to trigger the playbook

Create a rule in CTIX to trigger Orchestrate Playbooks. Rules are automation tasks in CTIX that execute a configured action based on incoming data and the conditions you set up in CTIX.

For example, you can create a rule in CTIX that triggers Orchestrate playbooks to block a particular malicious IP address when that IP address is received in CTIX.

  1. Sign in to CTIX as an administrator.

  2. From the Main Menu, navigate to Actions > Rules.

  3. Click New Rule.

  4. Enter a rule name.

  5. Configure a source and collection for your rule.

  6. Specify your conditions.

  7. Select the following values in Actions.

    1. Action as Trigger Playbook V3 to trigger a Playbook in Orchestrate.

    2. Action as Trigger Playbook to trigger a Playbook in CSOL.

    3. Application as CSOL or CO as required.

    4. Choose your configured Orchestrate account. In this example, you can select Block Hashes.

    5. Choose the Event Type you have configured in Orchestrate. In this example, you can select block_ctix_hash.

  8. Click Save.

Result
  • After configuring this workflow, CTIX automatically sends the event data to the required playbook in Orchestrate.