Custom Entities Management
Custom Entities Management includes components like Custom Objects, Custom Attributes, and Custom Kill Chain Phases. These entities are intended to define objects, attributes, or kill chain phases that are not covered by the standard STIX scheme or traditional kill chain models.
You can configure each of these entities based on your organization's unique requirements and use them across threat intelligence workflows in Intel Exchange.
Custom Attributes: Enhance threat intelligence by allowing you to add detailed, business-specific information. These attributes are flexible and not restricted to predefined STIX fields. You can define attributes such as Credit Card number, CVV, or expiry date. Custom attributes must be linked to a custom object and can then be used while creating Quick Intel or importing intel into Intel Exchange. For more information, see Custom Attributes.
Custom Objects: Custom STIX objects that provide additional context to threat intelligence. These objects represent threat data elements not covered by standard STIX types. You can create custom objects, map them with custom attributes, and include them in custom intel packages. Examples include Payment Card numbers, IMEI numbers, SIM Card details, and other organization or sector-specific elements. For more information, see Custom Objects.
Custom Kill Chain Phases: The Cyber Kill Chain outlines the typical stages of a cyberattack and helps identify opportunities for detection and mitigation. Similarly, MITRE ATT&CK offers a framework of tactics and techniques to structure threat behaviour. Intel Exchange allows you to define custom kill chain phases to reflect your internal or industry-specific models, enabling more tailored analysis and threat response. For more information, see Custom Kill Chain.
Entity Metadata and Source Behavior
Intel Exchange tracks additional metadata to ensure visibility into how custom entities are created and maintained:
Source Information
Each custom entity (attribute, object, or kill chain) includes a Source field:
If created manually in Intel Exchange, the source displays your tenant name.
If ingested, it displays the source name.
If received from multiple sources, all source names are listed, with the most recent one on top.
You can filter the attributes and objects tables by source to narrow down entries.
Created By
The Created By field helps distinguish between manually created and ingested entities:
System: Shown for ingested entities (from internal or external sources).
Username: Shown for entities created manually by users.
Deduplication Behavior
Intel Exchange automatically deduplicates custom entities during ingestion to prevent redundancy:
Custom Attributes are deduplicated based on the name:type combination.
Custom Objects are deduplicated based on the type:primary attribute combination.
This ensures that identical entries from multiple sources are recognized and merged into a single entity record.
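The following sketch is an added illustration of the deduplication and source-ordering rules described above; it is not Intel Exchange code or its API. The record fields (kind, name, type, primary_attribute, source, seen), the sample data, and the exact, case-sensitive key comparison are assumptions made for the example.

```python
# Constructed sample records; field names are assumptions for illustration,
# not the Intel Exchange data model. "seen" is a constructed ingestion order.
INGESTED = [
    {"kind": "attribute", "name": "cvv", "type": "string", "source": "Feed A", "seen": 1},
    {"kind": "attribute", "name": "cvv", "type": "string", "source": "Feed B", "seen": 2},
    {"kind": "attribute", "name": "cvv", "type": "integer", "source": "Feed A", "seen": 3},
    {"kind": "object", "type": "payment-card", "primary_attribute": "card_number",
     "source": "Feed B", "seen": 4},
    {"kind": "object", "type": "payment-card", "primary_attribute": "card_number",
     "source": "Feed A", "seen": 5},
    {"kind": "attribute", "name": "cvv", "type": "string", "source": "Feed A", "seen": 6},
]


def dedup_key(record):
    """Build the key: name:type for attributes, type:primary attribute for objects."""
    if record["kind"] == "attribute":
        return ("attribute", record["name"], record["type"])
    if record["kind"] == "object":
        return ("object", record["type"], record["primary_attribute"])
    raise ValueError(f"unsupported entity kind: {record['kind']!r}")


def merge(records):
    """Collapse records sharing a key into one entity, sources most recent first."""
    entities = {}
    for rec in sorted(records, key=lambda r: r["seen"]):
        # Ingested entities show "System" in the Created By field.
        entity = entities.setdefault(dedup_key(rec), {"sources": [], "created_by": "System"})
        # Move the source to the front so the latest contributor is listed on top.
        if rec["source"] in entity["sources"]:
            entity["sources"].remove(rec["source"])
        entity["sources"].insert(0, rec["source"])
    return entities


if __name__ == "__main__":
    for key, entity in merge(INGESTED).items():
        print(":".join(key), "->", entity["sources"])
```

Note that the two cvv attributes with different types stay separate entities, because the type is part of the key.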