Release Notes 3.6.2
June 14, 2024
We are excited to introduce you to the latest version of Intel Exchange v3.6.2. This release includes new features, new integrations, and a few enhancements.
Tag Management (New)
Notice: The Tags feature has been removed from Main Menu > My Org. Use the new Tag Management feature under Administration to manage tags.
The Tag Management feature has been introduced to streamline tag organization and administration. You can now manage tags from a centralized location, leveraging the following tag categories for improved clarity and ease of management:
User Tags: Tags that are manually created by the users to associate with threat data objects.
Source Tags: Tags that are associated with threat objects ingested from various threat intel feed sources, such as API feed sources, STIX sources, and other sources configured in Intel Exchange.
System Tags: Tags that are manually created by the users for use within Intel Exchange. System tags are not published to STIX collections or shared with the subscribers.
Privileged Access Tags: These tags enable you to restrict user access to the associated threat data objects. For example, if the threat data object 1.1.1.1 is associated with the privileged access tag Restricted_IP, then only users who are allowed to access the tag can access the object 1.1.1.1 from Threat Data.
By default, the Admin user group includes tag management permission for all categories.
With Tag Management, you can strengthen the platform's role-based access control (RBAC) over sensitive data by granting specific user groups access to privileged access tags. You also control which user groups can add or modify tags in each tag category.
For more information, see Tag Management.
Custom Scores for Threat Objects (New)
Intel Exchange introduces the ability to configure custom scores for threat data objects, so you can tailor threat scoring to organizational needs. You can now define custom scoring types aligned with specific requirements, using parameters such as risk level, severity, relevance, and more. Based on their analysis of threat data objects, analysts can assign custom threat scores to the objects, which helps them conditionally prioritize threats, allocate resources efficiently, and make informed decisions about threats and response strategies.
You can define a default custom score for each intel source, update the scores for threat data objects based on the analysis, use custom scores as conditions to configure rules, and disseminate the scores to subscribers.
For more information, see Configure Custom Scores.
Subscribers Polling Summary (New)
Intel Exchange introduces the Subscriber Polling Summary, which provides a graphical representation of subscriber polling activity. This summary offers the following insights into subscriber polling activities:
Gain visibility into the subscribers that are actively polling data from Intel Exchange
Identify subscribers that encountered errors during polling
Track subscribers who have not yet initiated polling
This comprehensive summary equips administrators to ensure that all subscribers receive timely and relevant data while facilitating the quick identification and resolution of any polling-related issues.
For more information, see View Subscriber Reports.
Support for New ISAC Feed Sources (Enhanced)
In addition to the existing ISAC feed sources, Intel Exchange now collaborates with the following ISACs to receive threat intel feeds directly from your communities of interest:
National Rural Electric Cooperative Association Research Threat Analysis Center (NRECA-TAC)
National Defense Information Sharing and Analysis Center (ND-ISAC)
Multi-State Information Sharing and Analysis Center (MS-ISAC)
Canadian Cyber Threat Exchange (CCTX)
Chemical Sector Information Sharing and Analysis Center (CI-ISAC)
Texas State ISAO
For more information, see Information Sharing Feed Sources.
Other Enhancements
Intel Exchange extends its support to encompass all relationship types compliant with STIX 2.1 standards, such as targets, originates-from, compromises, and more. This enhancement enables you to associate threat objects with relevant relationship types, facilitating a comprehensive threat investigation and analysis.
Custom widgets for dashboards and reports now support the following options for the Primary Group by parameter:
Related Object Name: Groups data by the related object names and retrieves the names of the top related objects.
Custom Attribute Name: Groups data by the custom attribute names and retrieves the names of the top related custom attributes.
Enriching nodes from the Threat Investigation canvas has been significantly improved. You can seamlessly enrich objects, view retrieved enrichment details, and swiftly navigate to the enrichment details page from the canvas.
You can now view the tags associated with the related objects in the relationship details within the threat data objects.
In Threat Data, you can view the total number of objects available on the platform, dynamically adjusted based on applied filters and CQL queries.
In addition to indicators, malware, reports, and vulnerabilities, Intel Exchange now supports manually running rules on other threat data object types (threat actor, campaign, attack pattern, and more) in Threat Data and Threat Investigations. For more information, see Quick Actions.
Intel Exchange now supports the enrichment of email threat objects. You can leverage enrichment tools compatible with email enrichment to access additional details related to email objects for a comprehensive investigation.
Open API
The Quick Add Intel API ({{server_url}}conversion/quick-intel/create-stix/) is now enhanced to return the background task ID to track the progress of intel creation. For more information, see Quick Add Intel.
The Get Quick Add Intel Status API ({{server_url}}conversion/quick-intel/receive-report/?task_id=<task id>) has been introduced to track the progress of intel creation using the background task ID. For more information, see Retrieve Quick Add Intel Status.
Integrations
The following integrations are now supported in Intel Exchange:
Microsoft Defender for Endpoint (Internal Application): This integration enables you to submit indicators from Intel Exchange to the Microsoft Defender for Endpoint platform to perform specific actions such as alert, block, allow, remediate, and more within the Microsoft Defender for Endpoint platform. For more information, see Microsoft Defender for Endpoint.
Infoblox (API Feed Source): This integration retrieves threat intelligence feeds related to domains, URLs, IP addresses, hashes, and email addresses from Infoblox Threat Intelligence Data Exchange (TIDE). For more information, see Infoblox.
ZeroFox (API Feed Source): This integration retrieves threat intel feeds related to malware, botnet, ransomware, exploits, campaigns, command and control domains, disruptions, and phishing attacks from ZeroFox. For more information, see ZeroFox.
urlscan.io (Enrichment Tool): This enrichment tool retrieves the details of URLs and domains to provide you insights into their safety, reputation, and potential security risks. For more information, see urlscan.io.
Have I Been Pwned (Enrichment Tool): This enrichment tool enables you to check email addresses and domains across various data breaches for potential compromises. For more information, see Have I Been Pwned.