Create Intel from Sandbox
Create intel from the data identified from the sandbox malware analysis report.
Before you start
Your user group must have Create Intel, Create Sandbox Records, and View Sandbox Records permissions.
Steps
Go to Main Menu > Analysis > Sandbox.
Select a successfully analyzed record and click the ellipsis, then click Create Intel. You can also open a successfully analyzed record and click Create Intel in the upper right corner.
Select the IOCs fetched from the report. You can filter the fetched IOCs on the basis of their verdict.
Additionally, you can also create objects for a Sandbox record. For more information, see Create Objects for Sandbox Content.
To add additional information to your intel, click + Add Metadata and enter the following details.
Enter the title and description. By default, the system uses the file or URL name as the title; you can edit it.
Select a TLP and set a confidence score. By default, the TLP is set to Amber and the confidence score is set to 100. For more information about the confidence score, see CTIX Confidence Score Engine.
To identify and categorize intel created from this report, add tags.
To apply the metadata values to every individual threat data object created from this report object, select Apply Metadata to all objects. If you do not select this option, the metadata is applied only to the report object itself.
Click Create Intel.
If this is the first time you create intel from this feed, CTIX automatically creates a new report object titled with the file or URL name. If you create intel again from the same feed, CTIX prompts you to choose the report object in which to store the intel:
Add to Existing Report: Create the intel in an existing report.
Create New Report: Create a new report object with the intel. Enter the name of the new report object.
Click Save.
You can view the created intel in Threat Data under the name of the report object. CTIX creates one report object from the threat intel identified in the malware analysis report, plus an individual threat data object for each threat data element you selected from it. The intel source for all of these objects is listed as Joe Security.
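The following Python model, added here as an illustration and not CTIX's own code, shows the data-handling rules described above: IOCs are filtered by verdict, the report object receives the metadata (TLP Amber and confidence 100 by default), the individual objects receive it only when "apply to all objects" is chosen, and a second run either appends to an existing report or builds a new one. The sample IOC list, the field names and the `Report` structure are constructed assumptions.

```python
# Constructed sample of IOCs as they might be fetched from a sandbox report.
# Values use documentation/example ranges and are not real indicators.
SAMPLE_IOCS = [
    {"type": "ipv4-addr", "value": "203.0.113.10", "verdict": "malicious"},
    {"type": "domain-name", "value": "example.net", "verdict": "suspicious"},
    {"type": "url", "value": "http://example.org/update", "verdict": "clean"},
]

# Defaults described on the page: TLP Amber, confidence 100, no tags.
DEFAULT_METADATA = {"tlp": "amber", "confidence": 100, "tags": []}


def select_iocs(iocs, verdicts):
    """Model of the verdict filter: keep only IOCs whose verdict was selected."""
    return [ioc for ioc in iocs if ioc["verdict"] in verdicts]


def create_intel(iocs, title, metadata=None, apply_to_all=False,
                 existing_report=None, source="Joe Security"):
    """Build a report object plus one object per selected IOC.

    - A new report (first run) is titled `title` and carries the metadata.
    - When `existing_report` is given (second run, "Add to Existing Report"),
      the objects are appended to that report instead.
    - Individual objects get the metadata only if `apply_to_all` is True;
      otherwise the metadata stays on the report object alone.
    """
    meta = {**DEFAULT_METADATA, **(metadata or {})}
    if existing_report is None:
        report = {"kind": "report", "title": title, "source": source,
                  "objects": [], **meta}
    else:
        report = existing_report
    for ioc in iocs:
        obj = {"kind": ioc["type"], "value": ioc["value"], "source": source}
        if apply_to_all:
            obj.update(meta)          # metadata propagated to each object
        report["objects"].append(obj)
    return report


if __name__ == "__main__":
    picked = select_iocs(SAMPLE_IOCS, {"malicious", "suspicious"})
    first = create_intel(picked, "sample.exe")
    again = create_intel(picked, "sample.exe", {"tlp": "red"},
                         apply_to_all=True, existing_report=first)
    print(len(again["objects"]), "objects in report", again["title"])
```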
Create Objects for Sandbox Content
You can create new threat data objects while creating intel from Sandbox records. This is useful when the platform fails to parse specific items during feed scanning. You can either define an object of a new type or add another object to one of the object types already parsed from the report.
Steps
To create objects while creating intel for Sandbox records, do the following:
Go to Main Menu > Analysis > Sandbox.
Select a successfully analyzed record and click the ellipsis, then click Create Intel. You can also open a successfully analyzed record and click Create Intel in the upper right corner.
If the platform was unable to parse some objects from the selected report, you can add them manually.
Do one of the following to create new objects:
Create an object of a new type: Click Add Object opposite Content and enter the following details:
Select the object type to assign to the new object. You can choose from ipv4 addr, ipv6 addr, Email addr, and more.
Enter the object value. For example, to create an IPv4 address object, select ipv4 addr as the object type and enter 1.1.1.1 as its value.
Click Save.
To reset the fields, click Remove.
Create an object for an already parsed object type: Select a parsed object type and click Add opposite the selected type, then do the following:
Enter the object value. For example, to create a domain object, click Add Domain opposite Domain and enter a domain value.
Click Save.
To reset the fields, click Remove.
Similarly, you can create objects for other parsed object types.
Click Create Intel.
If this is the first time you create intel from this feed, the platform automatically creates a new report object. If you create intel again from the same feed, the platform prompts you to choose the report object in which to store the intel:
Add to Existing Report: Select this to create the intel in an existing report.
Create New Report: Select this to create a new report object that holds the intel.
Click Save.
You can view the created intel in Threat Data under the given report name.