Skip to main content

Cyware Threat Intelligence eXchange

Create STIX Collection

STIX collections are an interface to a logical repository of threat intel collected from various sources. You can segregate and group different types of threat intel into separate collections. You can then enable access to these collections for required subscribers.

CTIX provides a default collection that analysts can use to publish and poll data.

Before you Start

You must have Create STIX Collections, Update STIX Collections, and View STIX Collections permissions to access the STIX Collections.

Steps

To create a STIX collection, do the following:

  1. Go to Administration > STIXCollections.

  2. Click Add STIX Collection.

  3. Enter the following details:

    • Collection Name: Enter a unique name for the STIX collection.

    • Description: Enter a description with the key details of a STIX collection, such as collection details, type of threat intel data shared, and technologies used for an actionable feature.

    • Type: Select the following options to define the collection type:

      • Polling: To activate polling and sharing services for a STIX collection.

      • Inbox: To activate the inbox service for a STIX collection. Collections that are enabled with the Inbox feature allow a CTIX subscriber to submit threat intel back to this CTIX collection.

    • Data Marking Type: Select the default access control marking type to assign to the threat data objects stored in the collection. The default marking type is applied if a threat data object does not include data marking details. Select one of the following marking types:

      • TLP: Select this option to mark objects as per Traffic Light Protocol (TLP). TLP is the default data marking type. Also, select the default TLP marking for the objects from Red, Amber, Green, White, and None. The default TLP marking is Amber.

      • ACS: Select this option to mark objects as per Access Control Specification (ACS). Also, upload the default ACS identity for the objects in JSON format and click Validate to verify if the uploaded JSON data is valid.

        Note

        You can select the ACS marking type if the administrator has enabled ACS as the data marking preference in Administration > Configuration > General Settings > Data Marking Preference.

  4. Click Save Collection.

You can now view details, such as the name of the collection, collection type, creation information, and status of the collection. You can also assign them to the subscribers.