Cyware Threat Intelligence eXchange

Perform malware analysis by uploading files or URLs and evaluate potentially malicious software for threats. They can view, analyze, and download the analysis reports.

View and analyze the verdict delivered for the malware analysis. The verdict includes Malicious, Non-Malicious, Suspicious, or Not Applicable.

Extract IOCs identified in the malware analysis report and create intel.

View, analyze, enrich, and score this intel using threat data and enrichment policies.

Bi-directional navigation between the threat data and sandbox records for better accessibility.

View both management and full reports in the respective sandboxing tool.

Evaluate and analyze zero-day threats.

Security teams to better understand sophisticated malware attacks.

Strengthen your organization's defense against new and emerging threats.

Upload and create threat defender content, such as YARA rules.

Detect potential malicious patterns encrypted in a file by evaluating it with threat defender content present in the application.

Reduce time spent by analysts researching the threats and provides ways to defend against threats.

Reuse on-the-ground proven defender content generated in different parts of the world or industry and respond to similar threats.

Improve threat-hunting capabilities and significantly reduce the time taken to detect and respond to a potential security incident.

Integrate CTIX app in Slack: The integration between CTIX and Slack allows analysts to send threat intel from Slack to CTIX. Slack channel administrators can configure the CTIX app in a slack channel for all the members of the channel to initiate sending IOCs from Slack to the CTIX platform. For more information, see Integrate CTIX with Slack

VirusTotal V3 Enrichment Tool: CTIX now integrates with the VirusTotal V3 version to analyze and add context to external threat intel data. Analysts can utilize this data to detect malicious content coming into the application and initiate necessary response actions to control a possible breach. For more information, see VirusTotal.

CrowdStrike API Feed Source: The integration between CTIX and CrowdStrike now allows analysts to configure one feed channel to fetch IP, URL, domain, and email feeds. Analysts can filter the feeds coming into this feed channel based on the selected confidence. For more information, see CrowdStrike.

Top Attack Patterns grouped by Incidents: Show details of the attack patterns that have maximum incidents associated with them.

Top Attack Patterns grouped by Indicators: Show details of the attack patterns that have maximum indicators associated with them.

Top Campaigns grouped by Indicators: Show details of the campaigns that have maximum indicators associated with them.

Top Malware Families grouped by Indicators: Show details of the malware families that have maximum indicators associated with them.

Top Threat Actors grouped by Indicators: Show details of the threat actors that have maximum indicators associated with them.

Top Log Sources with Blocked Alerts grouped by Incidents: Show details of log sources that blocked the maximum number of incidents.

Top Log Sources grouped by Incidents: Show details of the log sources that have maximum incidents associated with them, such as Windows Logs, Docker Logs, and more.

Command and Control: Top IPs grouped by Incidents: Show IPs that exhibit command and control attack patterns and have maximum incidents associated with them.

Command and Control: Top URLs grouped by Incidents: Show URLs that exhibit command and control attack patterns and have the maximum number of incidents associated with them.

Latest Vulnerabilities: Show details of the latest observed vulnerabilities in the system.

New parameters:

Use these parameters together to search for threat data objects that have specific custom attributes. For example, 'Custom Attribute' IN ("alert_disposition", "city") AND 'Custom Attribute Value' CONTAINS "Block"), to fetch threat data objects that have alert_disposition or city as the custom attributes with custom attribute value as block.

New operators:

For example, 'Object Type' = "Indicator" AND 'Value' BEGINS WITH "121" OR 'Value' ENDS WITH "34" to fetch indicators that either start with 121 or end with 34.

Analysts can now copy a valid CQL query from any text editor outside of the application and paste in Threat Data > CQL option to obtain relevant results.

Analysts can filter and query the threat data objects using the CVSS score. The CVSS score represents a scoring standard for vulnerabilities ranging between 1 - 10 and can have up to two decimal digits.

The threat data export limit is now increased from 10,000 records to 100,000 records.

CTIX can now ingest CIDR as a string in the form of IPv4 and IPv6 addresses while ingesting data using Quick Add.

The export limit for scheduling and generating reports is now increased from 10,000 records to 100,000 records.

In Threat Data, the Overall Relations widget under Relations, fetches the details every 30 minutes to obtain frequent updates. Relations show data from the last two months based on the system-created date.

In Main Menu > Rules, while defining a condition for a rule, the CUSTOM SCORE rule type is now renamed to ANALYST SCORE.

CTIX Webhook now supports data ingesting from Humio.

In Main Menu > Collections > Threat Data, analysts can view a maximum of 50 tags on the listing page. However, you can view all the attached tags to an object on its details page.

In Main Menu > Dissemination > Detailed Submission, analysts can add multiple tags at once and bulk assign a TLP value to objects defined for a selected STIX object.