Create an Incident in CFTR with CTIX
Respond is a threat response automation platform that combines cyber fusion, advanced orchestration, and automation to stay ahead of increasingly sophisticated cyber threats affecting enterprises in real-time.
When you integrate Intel Exchange and Respond, Intel Exchange can create incidents in Respond, which are then assigned to a security analyst for detailed investigation.
Before you Start
You must have the following permissions in Intel Exchange and Respond applications to integrate both applications:
Intel Exchange: View CTIX Integrators, Create CTIX Integrators, View & Update Integrators, View Threat Data, Threat Investigations, Create Rule, View Rule, and View & Update Rule
Respond: Create and Update permissions in Configurations
Steps
Generate Intel Exchange Open API Credentials in Intel Exchange
Intel Exchange integrates with Respond by generating appropriate Open API credentials. These Open API credentials create a secure connection between the applications for information exchange.
To generate Open API credentials in Intel Exchange, follow these steps:
Sign in to Intel Exchange.
Go to Administration > Integration Management > THIRD-PARTY DEVELOPERS > CTIX Integrators.
Click Add New.
Enter a unique name for the API integration.
Enter a description with key details about the integration.
Specify the expiry date of the credentials.
Intel Exchange picks a default associated user for the integration. You cannot modify this name.
Click Generate.
Intel Exchange displays the access ID, secret key, and endpoint URL to use in the Respond application for configuring the integration. Retain these values as they will not be accessible after you close the screen.
Configure Intel Exchange in Respond
After you generate the Open API credentials in Intel Exchange, configure Intel Exchange in Respond to receive threat intel from Intel Exchange.
To configure Intel Exchange in Respond, follow these steps:
Sign in to Respond.
Go to Admin > Configurations > Integration, and click CTIX.
Click Edit, and enable the toggle switch.
Enter the endpoint URL generated in Intel Exchange in the Base URL field.
Enter the access ID and secret key values generated in Intel Exchange.
Click Save.
Map Data Fields in Respond
After you configure Intel Exchange in Respond, you must map the threat data objects received from Intel Exchange to the indicator types of Respond. Data field mapping connects Intel Exchange threat data objects to incidents under the appropriate indicator types in Respond. If the data fields are not mapped properly, the Intel Exchange objects will not appear under the correct indicator type.
To map data fields in Respond, follow these steps:
Sign in to Respond.
Go to Admin > Configurations > Integration, and click CTIX.
Click Edit and click Add Threat Intel.
Choose a data field from the Respond drop-down and the corresponding Intel Exchange object in the CTIX drop-down. You can add multiple indicators.
Click Save.
Generate Open API Credentials in Respond
Respond integrates with Intel Exchange by generating appropriate Open API credentials. These Open API credentials create a secure connection between the applications for information exchange.
To generate new Open API credentials, follow these steps:
Sign in to Respond.
Go to Admin and select Open APIs.
Click Add New API.
Enter the following details:
Enter a unique title for the Open API.
Enter a description for the Open API.
Enter an expiry date for Open API keys.
Set the label status as Active or Inactive using the toggle button. If the bot user needs to use the Open API keys, then the Open API must be in active status.
Select the user that can use the Open API.
After entering the required details, click Save.
Click Download as CSV to download the API URL, Secret Key, and Access ID in the CSV file format. You can also click Copy to copy the API URL, Secret Key, or Access ID.
Note
These credential details appear only at this time and cannot be recovered later. To access the API, a signature must be created from the Access ID, Secret Key, and URL.
Configure Respond in Intel Exchange
After you generate the Open API credentials in Respond, configure Respond in Intel Exchange to create an incident.
To configure Respond in Intel Exchange, follow these steps:
Sign in to Intel Exchange.
Go to Administration > Integration Management > TOOL INTEGRATIONS > Cyware Products.
Select CFTR and click Add Account.
Enter a unique name for the CFTR account.
Enter the API URL value generated in the CFTR application in the Base URL field.
Enter the access ID and secret key values generated in Respond.
To secure the connection between Respond and Intel Exchange, enable SSL Verify, which validates the TLS certificate presented by the Respond endpoint. By default, this option is enabled.
Click Save.
Create CFTR Incident from Threat Data in Intel Exchange
After you configure Intel Exchange and Respond, you can create a CFTR incident from Intel Exchange for the threat data objects in Threat Data Details to perform a detailed investigation.
Important
Respond provides you with the ability to customize the incident UI element. Hence, the label of the UI element Create CFTR Incident may vary based on the name you provide on the CFTR platform. For more information about CFTR, see the documentation for Respond.
To create a CFTR incident from Threat Data, follow these steps:
Sign in to Intel Exchange.
Go to Main Menu > Collection > Threat Data.
Create a CFTR incident in one of the following ways:
Click the ellipsis of a threat data object, select Create CFTR Incident, enter a title, and click Save. By default, the title will be the same as the object name.
Bulk select the threat data objects, click Bulk Actions, select Create CFTR Incident, enter a title, and click Save.
Open a threat data object, select Create CFTR Incident in Quick Actions, enter a title, and click Save. By default, the title will be the same as the object name.
Note
When you create an incident from a report object, only IOCs that are mapped in Respond will be connected to the incident. For more information, see CFTR documentation.
After you create a CFTR incident, a unique ID is assigned to the incident and you can view it under CFTR Incidents in the Quick Actions section. Click the CFTR incident to open it on the Respond platform. You must have active accounts with the same email addresses on Respond and Intel Exchange to perform this function.
Create CFTR Incident using Threat Investigations in Intel Exchange
After you configure Intel Exchange and Respond, you can create a CFTR incident from Intel Exchange for the threat data objects in Threat Investigations if you want to perform a detailed investigation.
Note
Respond provides you with the ability to customize the incident UI element. Hence, the UI element Create CFTR Incident may vary based on the name you provide on the Respond platform. For more information, see the documentation of Respond.
To create an incident from the Threat Investigations, follow these steps:
Sign in to Intel Exchange.
Go to Main Menu > Analysis > Threat Investigations.
Create a new threat investigation canvas or select an existing canvas.
Right-click a node and select Create CFTR Incident.
Enter a title for the CFTR incident and click Save. By default, the title will be the same as the threat investigation name.
Note
When you create an incident from a report object, only IOCs that are mapped in Respond will be connected to the incident. For more information, see CFTR documentation.
After you save a CFTR incident, a unique ID is assigned to the incident and you can view it in Basic Details. Click the CFTR incident to open it on the CFTR platform. To perform this functionality, you must have active accounts with the same email addresses on Respond and Intel Exchange.
Create CFTR Incident using Threat Bulletin in Intel Exchange
After you configure Intel Exchange and Respond, you can create a CFTR incident from Intel Exchange for the threat data objects in Threat Bulletin if you want to perform a detailed investigation.
Note
Respond provides you with the ability to customize the incident UI element. Hence, the UI element Create CFTR Incident may vary based on the name you provide on the Respond platform. For more information, see the documentation of Respond.
To create a CFTR incident from Threat Bulletin, follow these steps:
Sign in to Intel Exchange.
Go to Main Menu > Collection > Threat Bulletin and select a published threat bulletin.
Click the ellipsis, select Create CFTR Incident and enter the title for the incident. By default, the title will be the same as the threat bulletin name.
Note
When you create an incident from a report object, only IOCs that are mapped in Respond will be connected to the incident. For more information, see CFTR documentation.
Click Save.
After you save the incident, a unique incident ID is assigned. Click the incident ID to open the incident on the CFTR platform. To perform this functionality, you must have active accounts with the same email addresses on Intel Exchange and Respond.