
Cyware Threat Intelligence eXchange

Configure CTIX as a Server

Configure CTIX as a server in MISP to pull threat data from the collections associated with the MISP subscriber.

Before you Start

Ensure that you have the MISP URL and MISP Auth Key credentials as generated in CTIX handy to configure CTIX as a server.

Steps

  1. Sign in to MISP.

  2. Navigate to Sync Actions and select List Servers.

  3. From the panel on the left side of the screen, select New Servers.

  4. In Base URL, enter the MISP URL credentials that you generated in CTIX. This URL directly connects the CTIX and MISP application servers for the seamless sharing of threat data. For example, https://<domain>/ctixapi/misp/.

  5. Enter a unique name to identify the application instance. For example, Cyware-CTIX-Prod.

  6. Select an organization type to classify the feeds coming from CTIX. For example, select External Organization to classify feeds coming from CTIX under external organization.

  7. Based on the selected organization type, further select the organization name to identify the feeds coming from CTIX. For example, if you select an external organization as the organization type, MISP will prompt you to select a specific organization from the available list.

    You can create an organization in MISP from Administration > Add Organisation.

  8. In Authkey, enter the MISP Auth Key credentials you generated in CTIX to authenticate the application and establish a successful connection.

  9. Select Pull under Enabled synchronization methods to receive data from STIX collections selected in CTIX while adding MISP as a subscriber.

  10. Click Modify under Pull rules: to define additional sync parameters for the threat intel coming from CTIX into the MISP platform. In Additional sync parameters (based on the event index filter), you can define the following parameters:

    • Timestamp: Fetches threat intel published after the set timestamp. For example, {"timestamp": "30d"} fetches the last 30 days of threat intel published to the server collection in CTIX. You can define the timestamp using the following valid units: days (d), hours (h), minutes (m), and seconds (s).

    • From and To: Fetches threat intel published during the set timestamp range. For example, {"from": "24h", "to": "4h"} fetches the threat intel published during the set time range to the server collection in CTIX.

    • Event_id: Fetches threat intel published for the mentioned event IDs. For example, {"event_id": "29641", "34142"} fetches the threat intel pulled in the mentioned event IDs. You can add multiple event IDs separated by commas.

    • Sharing Group: Fetches threat intel from the mentioned server collections. For example, {"sharinggroup": "BreachAlerts-TLPAMBER"} fetches threat intel from the mentioned server collection.

  11. Click Submit.
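The Additional sync parameters from step 10 must be well-formed JSON, and a stray quote or a misspelled key is easy to miss in the MISP form. The following check is an added example, not Cyware or MISP code. It assumes that only the keys documented on this page are in use, that time values use the relative form (a number plus d, h, m, or s), and that "from" is the older edge of the window; `check_pull_filter` and `age_seconds` are hypothetical names.

```python
import json
import re

# Keys documented on this page for "Additional sync parameters" (assumed complete).
KNOWN_KEYS = {"timestamp", "from", "to", "event_id", "sharinggroup"}
# Relative time: a number followed by d, h, m or s (the units the page lists).
REL_TIME = re.compile(r"(\d+)([dhms])")
SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def age_seconds(value):
    """Return how far back a relative time reaches, or None if malformed."""
    match = REL_TIME.fullmatch(value) if isinstance(value, str) else None
    return int(match.group(1)) * SECONDS[match.group(2)] if match else None


def check_pull_filter(text):
    """Return a list of problems found in a pull-rule filter; empty means OK."""
    try:
        rule = json.loads(text)
    except json.JSONDecodeError as err:
        return [f"not valid JSON: {err.msg} at column {err.colno}"]
    if not isinstance(rule, dict):
        return ["filter must be a JSON object"]
    problems = [f"unknown key: {k}" for k in sorted(set(rule) - KNOWN_KEYS)]
    ages = {}
    for key in ("timestamp", "from", "to"):
        if key in rule:
            ages[key] = age_seconds(rule[key])
            if ages[key] is None:
                problems.append(f"{key}: expected a number plus d, h, m or s")
    # Assumption: "from" marks the older edge of the window, as in the page's
    # {"from": "24h", "to": "4h"} example.
    older, newer = ages.get("from"), ages.get("to")
    if older is not None and newer is not None and older <= newer:
        problems.append("from must reach further back than to")
    return problems


if __name__ == "__main__":
    # Constructed samples modelled on the examples in step 10.
    for sample in ('{"timestamp": "30d"}', '{"timestamp": \'30d"}',
                   '{"from": "4h", "to": "24h"}', '{"timestamp": "30 days"}'):
        print(sample, "->", check_pull_filter(sample) or "OK")
```

Run it against the filter text before pasting it into the Pull rules dialog; an empty result means the filter passed every check.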

After you integrate CTIX with MISP, you can test if the connection between the two servers is established. Navigate to Sync Actions > List Servers, and select the server created for CTIX. For the selected server, click Run to test the connection.

In case the connection between both servers is not established successfully, you can check for the following points:

  • Ensure that the IP address of your MISP server is added to the allowed list of your firewall.

  • Ensure that your MISP URL and MISP Auth Key credentials are valid and are not expired.

  • In case you encounter error 504, contact your CTIX administrator.
