
Cyware Threat Intelligence eXchange

Integrate CTIX with Slack

Notice

This feature is available in CTIX from the release version v3.3.2 and later.

Slack is a messaging platform used by teams to share and communicate information. If you are using Slack to collaborate within your organization, you can also use it to send threat intel like indicators of compromise (IOCs) to CTIX.

Analysts can send threat intel to CTIX using simple Slack messages. Once that threat intel is in CTIX, analysts can enrich, share, or publish it using CTIX features such as Threat Data, threat investigations, and confidence score calculation.

The following illustration demonstrates the process of integrating CTIX with Slack:

[Illustration: integrating CTIX with Slack]

Feature availability matrix

CTIX Enterprise    CTIX Lite    CTIX Spoke
Yes                Yes          Yes

Steps

Generate CTIX OpenAPI Credentials

Generate CTIX OpenAPI credentials; the CTIX app in Slack uses them to authenticate to your CTIX instance.

Before you Start

  • You must have Create CTIX Integrators, View CTIX Integrators, and Update CTIX Integrators permissions to generate OpenAPI Credentials.

  • You must have View Quick Add Intel permission.

Steps

  1. Sign in to CTIX.

  2. Follow the steps mentioned in Configure Open API to obtain the necessary credentials.

  3. Download the OpenAPI credentials that include Access ID, Secret Key, and Endpoint URL, and keep them handy.

Install CTIX App in Slack Workspace

Install the CTIX app in your Slack workspace so that members of any Slack channel can add it and use it.

Before you Start

  • You must be a Slack workspace administrator to install an app or to approve an installation request raised by a Slack member. For more information, see Slack Documentation.

  • You must add the Cyware domain and the CTIX-Slack integration URL to your organization's allowed list.

  • Use the latest versions of Google Chrome or Mozilla Firefox browser for best results.

Steps

  1. Open a browser, and go to CTIX-Slack Integration.

  2. Click Add to Slack to integrate the CTIX app in Slack.

  3. On Request to install, add a short description of your use case for the CTIX app in your Slack workspace.

    You can review the permissions required by the CTIX app to access your Slack workspace in Review permissions.

  4. Click Submit to provide consent to the CTIX app to access your Slack workspace.

If you are a Slack workspace administrator, the CTIX app is installed in your workspace and ready to use. If you are a regular Slack member, ask the workspace administrator to approve your request to install the app. For more information, see Slack Documentation.

Configure CTIX App in a Slack Channel

Configure the CTIX app in a Slack channel and enable the channel members to submit IOCs.

Before you Start

You must be the creator (channel manager) of the Slack channel to configure the CTIX app in it.

Steps

  1. Sign in to Slack.

  2. Perform either one of the following:

    • Open a Slack channel where you are a channel manager.

    • Create a new Slack channel, using Add channels from the left-hand panel. Consider creating a private channel with a small, known membership: every member of a configured channel can submit IOCs to CTIX, so limiting membership limits who can feed your threat intel and reduces duplicate IOC submissions.

  3. Type @CTIX to add the CTIX app to the channel and click Invite Them to add the app to the channel.

  4. Type ctix_config <Base_URL> <Access_ID> <Secret_key> to bind this channel to a specific CTIX instance.

    Use the OpenAPI credentials that you previously generated in CTIX: the Endpoint URL is the Base_URL, and the Access ID and Secret Key fill the remaining two parameters.

    After the CTIX app is configured in a channel, all members of that channel can submit IOCs.

    Tip

    Cyware recommends deleting the configuration message from the channel as soon as the configuration succeeds, so that the credentials are not left in the channel history. Deleting the message does not revoke the credentials, and anyone who read the channel before the deletion still has them; treat the OpenAPI credentials as shared with everyone who was in the channel at that time. If you suspect they were exposed, generate new OpenAPI credentials in CTIX and run ctix_config again.

If the channel creator leaves the channel, the configured OpenAPI credentials continue to work until their expiration date, and all channel members can still submit IOCs to CTIX.

If you are unable to configure CTIX in Slack:

  • Make sure that your CTIX OpenAPI credentials are valid and have not expired. Check with your CTIX administrator if your user credentials need to be activated.

  • Make sure that your command syntax is correct: ctix_config followed by exactly three values, Base_URL, Access_ID, and Secret_key, separated by spaces.

  • If you encounter an HTTP 500 error, wait for some time and try again.

Submit IOCs from Slack

After the CTIX app is configured in a Slack channel, all members in the channel can submit IOCs through messages.

You can type the IOCs in a Slack message or attach a .CSV or .txt file that has a list of IOCs.

Steps

  1. Open the Slack channel to submit IOCs.

  2. Type the ctix_submit command in one of the following forms:

    • ctix_submit <IOC_value> tlp <TLP_value>: Submit an IOC with a TLP. For example, ctix_submit 92.242.40.21 TLP green.

    • ctix_submit <IOC_value>: Submit an IOC without a TLP. TLP AMBER is assigned to the IOC. For example, ctix_submit 62.243.60.71.

    • ctix_submit <IOC_value> tlp <TLP_value>, <IOC_value>,...: Submit multiple comma-separated IOCs, each with or without its own TLP value. For example, ctix_submit 92.242.40.21 TLP RED, 62.342.50.11, 98.345.12.87 tlp white.

    • ctix_submit and attach a .csv or .txt file: Submit a file containing IOCs. The IOCs in the file must be in <IOC_value> tlp <TLP_value> or <IOC_value> formats. Each row must contain a single IOC. You can attach one file of size up to 10 MB in one Slack message. For example, ctix_submit and click + to browse and attach a file.

      A report object named slack-messageid is created in CTIX with relationships to all the IOCs ingested from that message. Any invalid IOCs in the submission are silently ignored and are not ingested in CTIX, so check the report in CTIX if the number of related IOCs is lower than you expected.

Note

You can submit a maximum of 1000 IOCs in one Slack message. If a message contains more than 1000 IOCs, only the first 1000 are analyzed (and the valid ones among them ingested); the remainder are dropped without any error. If you have more than 1000 IOCs, submit them in batches of 1000 using separate Slack messages.
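The following Python helper is an added example, not part of this page or of Cyware's code. It applies the submission rules described above before anything is posted to Slack: it parses the ctix_submit entry syntax, assigns the default TLP AMBER to entries without a TLP, drops entries that would be ignored, enforces the 1000-IOC cutoff per message, and splits a large IOC list into .txt file bodies of at most 1000 rows each. The IOC syntax check (IP address, domain, URL, or MD5/SHA-1/SHA-256 hash) is an assumption; CTIX's own validator is not described on this page, so it may accept or reject differently at the edges. All sample inputs are constructed.

```python
# Added example (not Cyware's code): pre-check ctix_submit payloads before posting
# them to Slack. The is_valid_ioc() rules are an assumption, not CTIX's validator.
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

VALID_TLP = {"red", "amber", "green", "white"}
DEFAULT_TLP = "amber"          # an IOC submitted without a TLP is assigned TLP AMBER
MAX_IOCS_PER_MESSAGE = 1000    # only the first 1000 IOCs in one message are analyzed

_DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
_URL_RE = re.compile(r"^https?://[^\s,]+$", re.I)


def is_valid_ioc(value: str) -> bool:
    """Assumed IOC syntax check: IPv4/IPv6, domain, URL, or MD5/SHA-1/SHA-256 hash."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return bool(_DOMAIN_RE.match(value) or _HASH_RE.match(value) or _URL_RE.match(value))


def parse_entry(entry: str) -> Optional[Tuple[str, str]]:
    """Parse one '<IOC_value> tlp <TLP_value>' or '<IOC_value>' entry.

    Returns (ioc, tlp) with the TLP lower-cased, or None when the entry is malformed,
    the TLP is not a known colour, or the IOC fails the syntax check.
    """
    parts = entry.split()
    if len(parts) == 1:
        ioc, tlp = parts[0], DEFAULT_TLP
    elif len(parts) == 3 and parts[1].lower() == "tlp":
        ioc, tlp = parts[0], parts[2].lower()
    else:
        return None
    if tlp not in VALID_TLP or not is_valid_ioc(ioc):
        return None
    return ioc, tlp


def validate_entries(entries: List[str]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Split raw entries into accepted (ioc, tlp) pairs and rejected raw strings."""
    accepted, rejected = [], []
    for raw in (e.strip() for e in entries):
        if not raw:
            continue
        parsed = parse_entry(raw)
        if parsed is None:
            rejected.append(raw)
        else:
            accepted.append(parsed)
    return accepted, rejected


class SubmitPlan(NamedTuple):
    accepted: List[Tuple[str, str]]  # what CTIX would ingest, in order
    rejected: List[str]              # entries CTIX would silently ignore
    overflow: List[str]              # entries past the 1000-IOC cutoff, never analyzed


def plan_message(message: str) -> SubmitPlan:
    """Plan a 'ctix_submit a, b tlp red, c' message: entries are comma-separated."""
    body = message.strip()
    if not body.lower().startswith("ctix_submit"):
        raise ValueError("not a ctix_submit message")
    entries = [e.strip() for e in body[len("ctix_submit"):].split(",") if e.strip()]
    head, overflow = entries[:MAX_IOCS_PER_MESSAGE], entries[MAX_IOCS_PER_MESSAGE:]
    accepted, rejected = validate_entries(head)
    return SubmitPlan(accepted, rejected, overflow)


def batch_file_rows(text: str, size: int = MAX_IOCS_PER_MESSAGE) -> Tuple[List[str], List[str]]:
    """Validate a large one-IOC-per-row list and render .txt bodies of at most `size`
    rows each, one body per Slack message. Returns (file_bodies, rejected_rows)."""
    accepted, rejected = validate_entries(text.splitlines())
    bodies = ["".join(f"{ioc} tlp {tlp}\n" for ioc, tlp in accepted[i:i + size])
              for i in range(0, len(accepted), size)]
    return bodies, rejected


if __name__ == "__main__":
    # Constructed sample: one unknown TLP colour, one impossible IPv4 address, one MD5 hash.
    sample = ("ctix_submit 92.242.40.21 TLP RED, 62.243.60.71, evil.example tlp purple, "
              "300.1.2.3, d41d8cd98f00b204e9800998ecf8427e tlp white")
    plan = plan_message(sample)
    print("accepted:", plan.accepted)
    print("rejected:", plan.rejected)
    # Constructed 2500-row list: needs three attachments of 1000, 1000 and 500 rows.
    big = "\n".join(f"10.0.{i // 256}.{i % 256}" for i in range(2500))
    bodies, bad = batch_file_rows(big)
    print("files needed:", len(bodies), "rejected rows:", bad)
```

Run the planner on a message before posting it and look at the rejected and overflow lists: CTIX gives no feedback for either, so this is the only point at which a silently dropped IOC is visible.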

View IOCs Received from Slack in CTIX

After submitting IOCs from Slack, you can view the created report object in CTIX Threat Data.

Before you Start

Ensure that you have View Threat Data permission.

Steps

  1. Sign in to CTIX.

  2. Navigate to Main Menu and select Threat Data under Analysis.

  3. On the top right corner, switch to CQL.

  4. In the Search Query, type 'Object Type' = "Report" AND 'Source' = "Slack" AND 'Source Collections' = "<Name of Slack Channel>" and press Enter to retrieve the list of reports received from Slack.

    You can also apply the same filters from the left-hand menu to obtain these results. From the report you can pivot to the related IOCs and further enrich, analyze, and investigate them to decide on any action.

CTIX Commands in Slack

Use the following commands in Slack while configuring or making IOC submissions to CTIX:

  • ctix_help: Returns the list of commands supported for CTIX - Slack integration. For example, ctix_config and ctix_submit.

  • ctix_config: Configures the CTIX app in Slack. For more information, see Configure CTIX App in a Slack Channel.

  • ctix_submit: Submits the list of IOCs to CTIX. For more information, see Submit IOCs from Slack.