
Cyware Threat Intelligence eXchange

Configure CTIX in Cortex XSOAR

CTIX is available as an integration in the Cortex XSOAR marketplace. This integration enables Cortex XSOAR playbooks to enrich IOCs directly from the configured CTIX instance.

This integration with Cortex XSOAR offers the following capabilities:

  • Leverage the CTIX confidence scoring algorithm to enrich IOCs.

  • Contextualize the IOCs by correlating data coming from multiple CTIX configured sources.

  • Manage indicators coming into CTIX from various sources, by checking if an indicator has been blocked, deprecated, or added to the allowed list on one or more environments.

  • Create intel in the CTIX platform.

This integration enables end-to-end enrichment of threat intelligence indicators (IOCs), allowing you to orchestrate enrichment and detections from both Cortex XSOAR playbooks and Cortex XSOAR Command Line Interface (CLI).

Following is the list of actions supported in the CTIX integration in Cortex XSOAR:

  • Add or remove indicators from the indicators allowed list

  • Apply queries on the allowed indicators

  • Add, remove, and list tags

  • Search indicators based on the type, value, created and modified date, and source

  • Obtain threat data based on the type, created and modified date, value, and source

  • Fetch IOC details based on the type, created and modified date, value, and source

  • Search SDOs based on the type, created and modified date, value, and source

  • Fetch saved result set

  • List the sources, source collections, enrichment tools

  • Add indicators to false positive and manual reviews

  • Deprecate IOCs

  • Obtain the investigated data of the indicators

  • Obtain actioned or not actioned IOCs

Before you Start

Ensure that you have access to the CTIX and Cortex XSOAR applications.

Steps

To configure CTIX in Cortex XSOAR, do the following:

Create a Rule in CTIX to Poll Threat Intel in Cortex XSOAR

In CTIX, rules are automated tasks that can execute actions on a trigger. Create a rule in the CTIX application with the Saved Result Set action to poll threat intel in Cortex XSOAR. Save Result Set is a specification in CTIX that is designed to make CTIX data available over a web service, such as OpenAPI.

Before you Start

Ensure that you have the Create Rule, View Rule, and View & Update Rule permissions in CTIX.

Steps

To create a rule, do the following:

  1. Sign in to CTIX.

  2. Navigate to Main Menu and select Rules under Actions.

  3. Click New Rule.

  4. Enter a title and key details about the rule as the rule description.

    To easily identify and categorize components in CTIX, add tags.

  5. Click Submit.

  6. Define the source and collections for the rule to poll data for Cortex XSOAR.

  7. Define the condition based on which the rule is triggered.

    For more information about defining sources, collections, and conditions, see Automation Rules.

  8. Enter the following to define the action:

    1. Select Save Result Set as the action from the drop-down menu.

      The Save Result Set action stores data from the CTIX application and acts as a collection from where Cortex XSOAR can poll data.

    2. Select CTIX as the application from the drop-down menu.

    3. Select an account to specify the application instance to run the rule.

    4. Select tags to filter data in CTIX.

    5. Select threat data objects to store their details in the database from which Open API can retrieve data.

  9. Click Save.

Install CTIX App in Cortex XSOAR

Install the CTIX application in Cortex XSOAR to configure the application to integrate the flow of data from CTIX to Cortex XSOAR.

Before you Start

Ensure that you have generated API credentials in CTIX, which are required to integrate the CTIX application with the Cortex XSOAR platform. For more information about API credentials in CTIX, see Configure Open API.

Steps

To install the CTIX application, do the following:

  1. Sign in to Cortex XSOAR.

  2. Navigate to Marketplace in the bottom-left corner of the screen.

  3. Do one of the following to get CTIX:

    • If you are installing the application for the first time, search for CTIX in BROWSE, and click Install.

    • If the application is already installed, navigate to INSTALLED CONTENT PACKS, type CTIX in the search bar, and click Update to 2.0.0.

Add a CTIX Instance in Cortex XSOAR

Add a CTIX instance to configure the CTIX application in Cortex XSOAR.

Steps

To add an instance, do the following:

  1. Sign in to Cortex XSOAR.

  2. Navigate to Settings in the bottom-left corner of the screen.

  3. Type CTIX in the search bar under INTEGRATIONS.

  4. Click Add Instance next to the CTIX integration (listed as CTIX data enrichment and threat intelligence searches).

  5. Enter a name for the instance.

  6. Select Fetches incidents to pull events from CTIX and convert them into incidents.

    By default, Do not fetch is selected and events are not pulled from CTIX.

  7. Select a classifier to determine the type of incident created for the events ingested from CTIX.

    • If you do not select a classifier, select an Incident type to categorize the ingested events.

  8. Select a Mapper to map the events coming from CTIX to the incident fields in Cortex XSOAR.

  9. Enter the endpoint URL, access key, and secret key generated in CTIX.

  10. To troubleshoot connection issues or to connect to a server that does not have a valid certificate, select Trust any certificate (not secure). This disables TLS certificate validation for the connection to CTIX, so keep it cleared once the server presents a valid certificate.

  11. To route the connection to CTIX through your organization's proxy as an extra layer of protection, select Use system proxy settings.

  12. Under Incidents Fetch Interval, enter how often XSOAR polls data from CTIX, in hours or days.

    • Enter the additional minutes of the polling interval.

      For example, to set the interval to two hours and ten minutes, enter 2, select hours, and enter 10 minutes.

  13. To avoid exceeding the API quota, select Do not use by default.

  14. Select one of the following log levels to control the error log details collected while testing the connection between the CTIX and XSOAR servers:

    • Off: You will not receive any error logs.

    • Debug: You will receive a summarized error log file.

    • Verbose: You will receive a detailed error log file.

  15. Under Run on, select one of the following to define where the load is handled on the XSOAR side:

    • Single engine: Select to use a single engine to handle the data coming from CTIX.

    • Load-balancing group: Select to use multiple engines to handle the data coming from CTIX. This allows XSOAR to handle large volumes of incoming data.

  16. Click Test to validate the URL, token, and connection between the CTIX and Cortex XSOAR servers.

  17. Click Save & exit.
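The access key and secret key entered in step 9 are never sent to CTIX as a password; the Cortex XSOAR integration signs each request with them. The following is an added example (not code from this page, from Cyware, or from the XSOAR content pack) of the request-signing and server-side verification scheme this is assumed to follow: an HMAC-SHA1 over the access ID and an expiry timestamp, base64-encoded and passed as the AccessID, Expires and Signature query parameters of the CTIX v3 Open API. Confirm the parameter names and the signing string against your Configure Open API documentation. The credentials and endpoint path are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder credentials; real values come from CTIX > Configure Open API.
ACCESS_ID = "example-access-id"
SECRET_KEY = "example-secret-key-do-not-use"
# Hypothetical endpoint path for illustration only; use the paths from your CTIX API docs.
ENDPOINT = "https://ctix.example.com/ctixapi/openapi/threat-data/list/"


def make_signature(access_id: str, secret_key: str, expires: int) -> str:
    """Base64(HMAC-SHA1(secret, "<access_id>\\n<expires>")), the assumed CTIX v3 scheme.

    HMAC-SHA1 is still a sound MAC even though SHA-1 is broken for collisions:
    the MAC security does not depend on collision resistance.
    """
    to_sign = f"{access_id}\n{expires}".encode("utf-8")
    digest = hmac.new(secret_key.encode("utf-8"), to_sign, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("utf-8")


def build_signed_url(endpoint: str, access_id: str, secret_key: str,
                     ttl_seconds: int = 5, now: Optional[int] = None) -> str:
    """Client side: attach AccessID, a short-lived Expires and the Signature to the URL.

    The short TTL bounds how long a captured URL could be replayed.
    """
    current = now if now is not None else int(time.time())
    expires = current + ttl_seconds
    params = {
        "AccessID": access_id,
        "Expires": expires,
        "Signature": make_signature(access_id, secret_key, expires),
    }
    # urlencode percent-encodes the '+', '/' and '=' characters that base64 may contain.
    return f"{endpoint}?{urlencode(params)}"


def verify_signed_url(url: str, secret_key: str, now: Optional[int] = None,
                      expected_access_id: Optional[str] = None) -> bool:
    """Server side: recompute the MAC and reject expired, tampered or foreign requests."""
    qs = parse_qs(urlparse(url).query)
    try:
        access_id = qs["AccessID"][0]
        expires = int(qs["Expires"][0])
        signature = qs["Signature"][0]
    except (KeyError, IndexError, ValueError):
        return False  # missing or malformed authentication parameters
    current = now if now is not None else int(time.time())
    if expires < current:
        return False  # expired: limits replay of a captured URL
    if expected_access_id is not None and access_id != expected_access_id:
        return False  # signed with some other account's key
    expected = make_signature(access_id, secret_key, expires)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    signed = build_signed_url(ENDPOINT, ACCESS_ID, SECRET_KEY)
    print(signed)
    print("valid now:", verify_signed_url(signed, SECRET_KEY, expected_access_id=ACCESS_ID))
    print("valid in 1 min:", verify_signed_url(signed, SECRET_KEY, now=int(time.time()) + 60))
```

Because the signature covers the expiry, a defender reviewing CTIX access logs can treat requests that fail verification or arrive with a stale Expires as either clock drift on the XSOAR engine (the usual cause of a failed Test in step 16) or a replayed URL; the secret key itself never leaves the XSOAR instance configuration.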

View CTIX Data in Cortex XSOAR

After you configure CTIX, Cortex XSOAR automatically starts polling the threat data based on the defined polling interval.

Steps

To view the polled CTIX threat intel, do the following:

  1. Sign in to Cortex XSOAR.

  2. In the Automation browser at the bottom of the screen, enter a command prefixed with an exclamation mark to view data fetched from CTIX.

    For example, use !ctix-get-threat-data to fetch threat data received from CTIX.

  3. Press the Enter key.

  4. Click Yes, execute in the playground to fetch the data received from CTIX.

Use Show Commands to see all the commands that you can use to view data from CTIX. To see all the commands, navigate to Settings and search for CTIX. Under CTIX, click Show commands to see the commands.