Create an Incident in Respond with Intel Exchange
Respond is a threat response automation platform that combines cyber fusion, advanced orchestration, and automation to help enterprises stay ahead of increasingly sophisticated cyber threats in real time.
You can integrate Intel Exchange with Respond to automatically create incidents on the Respond platform for malicious threat objects that require further investigation and response.
Before you Start
Ensure that you have the following permissions in Intel Exchange and Respond applications to integrate both applications:
- Intel Exchange: View CTIX Integrators, Create CTIX Integrators, View & Update Integrators, View Threat Data, View and Manage Threat Investigations, Create Rule, View Rule, and View & Update Rule. 
- Respond: Create and Update permissions in the Configurations section. 
Steps
Generate Open API Credentials in Intel Exchange
Intel Exchange integrates with Respond by generating Open API credentials that establish a secure connection for seamless information exchange between the two applications.
To generate Open API credentials in Intel Exchange, follow these steps:
- Sign in to Intel Exchange. 
- Navigate to Administration > Integration Management > THIRD-PARTY DEVELOPERS > CTIX Integrators. 
- Click Add New. 
- Enter a unique name for the API integration. 
- Provide a description with key details about the integration. 
- Set the expiration date for the credentials. 
- Intel Exchange automatically assigns a default associated user for the integration. This cannot be modified. 
- Click Generate. 
Once generated, Intel Exchange displays the Access ID, Secret Key, and Endpoint URL. These values are required for configuring the integration in Respond.
Note
These credentials are visible only once at the time of generation and cannot be retrieved later. To access the API, you must create a signature using the Access ID, Secret Key, and API URL.
Configure Intel Exchange in Respond
After generating the Open API credentials in Intel Exchange, you must configure Intel Exchange within the Respond platform to begin receiving threat intelligence data.
To configure Intel Exchange in Respond, follow these steps:
- Sign in to Respond. 
- Navigate to Admin > Configurations > Integrations, then click CTIX. 
- Click Edit, and enable the toggle switch to activate the integration. 
- In the Base URL field, enter the Endpoint URL generated in Intel Exchange. 
- Enter the Access ID and Secret Key values obtained from Intel Exchange. 
- Click Save. 
Map Data Fields in Respond
After you configure Intel Exchange in Respond, map the threat data objects received from Intel Exchange to the corresponding indicator types in Respond.
Mapping data fields ensures that Respond correctly categorizes threat data under the appropriate indicator types when it creates incidents. If you do not map the fields properly, Respond will not display Intel Exchange objects under the correct indicator types.
To map data fields in Respond, follow these steps:
- Sign in to Respond. 
- Go to Admin > Configurations > Integration, and click CTIX. 
- Click Edit, then click Add Threat Intel. 
- Select a data field from the Respond drop-down and the corresponding Intel Exchange object (CTIX) from the drop-down menus. Add multiple indicators if needed. 
- Click Save. 
Generate Open API Credentials in Respond
Respond integrates with Intel Exchange by generating Open API credentials that establish a secure connection for information exchange between the two applications.
To generate new Open API credentials in Respond:
- Sign in to Respond. 
- Go to Admin, then select Open APIs. 
- Click Add New API. 
- Enter the following details:
  - Title: Enter a unique title for the Open API.
  - Description: Provide a brief description of the Open API.
  - Expiry Date: Set an expiry date for Open API keys.
  - Status: Use the toggle to set the label status to Active or Inactive.
    Note: If a bot user needs to access the Open API keys, the status must be set to Active.
  - User: Select the user who will use the Open API.
- Click Save.
- Click Download as CSV to export the API URL, Access ID, and Secret Key in CSV format. Alternatively, click Copy to individually copy the API URL, Access ID, or Secret Key.
  Note: These credentials are visible only once at the time of generation and cannot be retrieved later. To access the API, you must create a signature using the Access ID, Secret Key, and API URL.
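The signature that the credential notes in both the Intel Exchange and Respond sections refer to, as an added example that is not part of the original documentation. The page does not state the algorithm: the HMAC-SHA1 scheme, the AccessID/Expires/Signature query parameters, the environment variable names, and the endpoint path are assumptions to confirm against the product's API documentation.

```python
import base64
import hashlib
import hmac
import os
import time
from urllib.parse import urlencode


def sign(access_id: str, secret_key: str, expires: int) -> str:
    # Assumed scheme: Base64(HMAC-SHA1(secret_key, "<access_id>\n<expires>")).
    message = f"{access_id}\n{expires}".encode()
    digest = hmac.new(secret_key.encode(), message, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def signed_url(base_url, path, access_id, secret_key, ttl=20, now=None):
    # Refuse plaintext transport: a captured signature stays valid until it expires.
    if not base_url.lower().startswith("https://"):
        raise ValueError("API URL must use https")
    issued = int(time.time() if now is None else now)
    expires = issued + ttl  # short lifetime limits replay of a captured URL
    query = urlencode({
        "AccessID": access_id,
        "Expires": expires,
        "Signature": sign(access_id, secret_key, expires),
    })
    return f"{base_url.rstrip('/')}/{path.lstrip('/')}?{query}"


def load_credentials(env=os.environ):
    # Hypothetical variable names. Read from the environment or a secret store,
    # never from source code: the values cannot be retrieved again once lost.
    names = ("OPENAPI_URL", "OPENAPI_ACCESS_ID", "OPENAPI_SECRET_KEY")
    missing = [n for n in names if not env.get(n)]
    if missing:
        raise KeyError(f"missing credentials: {', '.join(missing)}")
    return tuple(env[n] for n in names)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = {"OPENAPI_URL": "https://respond.example.com/api/",
              "OPENAPI_ACCESS_ID": "constructed-access-id",
              "OPENAPI_SECRET_KEY": "constructed-secret"}
    url, access_id, secret = load_credentials(sample)
    print(signed_url(url, "hypothetical/endpoint/", access_id, secret))
```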
Configure Respond in Intel Exchange
After you generate the Open API credentials in Respond, configure Respond in Intel Exchange to enable incident creation.
To configure Respond in Intel Exchange:
- Sign in to Intel Exchange. 
- Go to Administration > Integration Management > TOOL INTEGRATIONS > Cyware Products. 
- Select CFTR, then click Add Account. 
- Enter a unique name for the Respond account. 
- In the Base URL field, enter the API URL generated in the Respond application. 
- Enter the Access ID and Secret Key values generated in Respond. 
- Enable SSL Verify to secure the connection between Respond and Intel Exchange. This option is enabled by default. 
- Click Save. 
Create Respond Incident from Threat Data in Intel Exchange
After you configure Intel Exchange and Respond, you can create a Respond incident in Intel Exchange for the threat data objects listed in the Threat Data Details view. This allows you to perform a detailed investigation on the Respond platform.
Important
Respond lets you customize the incident UI label. As a result, the Create Respond Incident option may appear with a different name based on your configuration in the Respond platform. For more information, see the Respond documentation.
To create a Respond incident from Threat Data, follow these steps:
- Sign in to Intel Exchange. 
- Go to Main Menu > Collection > Threat Data. 
- Use one of the following methods to create a Respond incident:
  - Click the ellipsis next to a threat data object, select Create CFTR Incident, enter a title, and click Save. By default, the title matches the object name.
  - Select multiple threat data objects, click Bulk Actions, select Create CFTR Incident, enter a title, and click Save.
  - Open a specific threat data object, select Create CFTR Incident under Quick Actions, enter a title, and click Save. By default, the title matches the object name.
  Note: When you create an incident from a report object, only IOCs mapped in Respond will be linked to the incident. For more information, see Respond documentation.
Once you create a Respond incident, Intel Exchange assigns it a unique ID. You can view the incident under CFTR Incidents in the Quick Actions section. Click the Respond incident to open it in the Respond platform.
Note
You must have active accounts with the same email address in both Respond and Intel Exchange to use this feature.
Create Respond Incident using Threat Investigations in Intel Exchange
After you configure Intel Exchange and Respond, you can create a Respond incident from Intel Exchange for the threat data objects in Threat Investigations if you want to perform a detailed investigation.
Note
Respond provides you with the ability to customize the incident UI element. Hence, the UI element Create CFTR Incident may vary based on the name you provide on the Respond platform. For more information, see the documentation of Respond.
To create an incident from the Threat Investigations, follow these steps:
- Sign in to Intel Exchange. 
- Go to Main Menu > Analysis > Threat Investigations. 
- Create a new threat investigation canvas or select an existing canvas. 
- Right-click a node and select Create CFTR Incident. 
- Enter a title for the Respond incident and click Save. By default, the title will be the same as the threat investigation name.
  Note: When you create an incident from a report object, only IOCs that are mapped in Respond will be connected to the incident. For more information, see Respond documentation.
After you save a Respond incident, a unique ID is assigned to the incident and you can view it in Basic Details. Click the Respond incident to open it on the Respond platform. To perform this functionality, you must have active accounts with the same email addresses on Respond and Intel Exchange.
Create Respond Incident using Threat Bulletin in Intel Exchange
After you configure Intel Exchange and Respond, you can create a Respond incident from Intel Exchange for the threat data objects in Threat Bulletin if you want to perform a detailed investigation.
Note
Respond provides you with the ability to customize the incident UI element. Hence, the UI element Create CFTR Incident may vary based on the name you provide on the Respond platform. For more information, see the documentation of Respond.
To create a Respond incident from Threat Bulletin, follow these steps:
- Sign in to Intel Exchange. 
- Go to Main Menu > Collection > Threat Bulletin and select a published threat bulletin. 
- Click the ellipsis, select Create CFTR Incident, and enter the title for the incident. By default, the title will be the same as the threat bulletin name.
  Note: When you create an incident from a report object, only IOCs that are mapped in Respond will be connected to the incident.
- Click Save. 
After you save the incident, a unique incident ID is assigned. You can click the incident ID, which redirects and opens the incident in Respond. To perform this functionality, you must have active accounts with the same email addresses on Intel Exchange and Respond.