Action on Threat Data Objects
The Quick Actions feature in Intel Exchange enables you to perform a variety of operations on threat data objects, enhancing your analysis and management capabilities. This functionality allows you to efficiently categorize, manage, and take action on threat data, streamlining your threat intelligence workflow.
Tags
Tags are labels or keywords used to categorize and organize threat intel. You can assign tags such as user tags, source tags, and system tags to the threat data object. Based on the access provided to your user group, you can also assign privileged access tags to the threat data object.
Click Add and select or search for a tag from the dropdown. To create a new tag, enter a tag name and click Add Tag. A new user tag is created and assigned to the threat data object. After adding the tags, ensure you click Save to save your changes.
For more information about tags and categories of tags, see Tag Management.
Add Relation
The Add Relation feature enables you to establish relationships between threat data objects, enhancing your analysis by clarifying the connections among various threat data objects such as indicators, threat actors, and vulnerabilities.
To add a relationship to a threat data object, select Add Relation.
You can specify whether the relationship is forward or reverse and choose the object that you wish to relate to the current threat data object. You can subsequently enter the necessary details about the relationship, such as relation type, relationship confidence, start and end date, and more.
The relations you create will be available in the Relations tab for further reference and analysis.
Add Custom Attribute
Custom attributes allow you to include additional details about threat data objects. This enables you to track specialized information, such as internal risk ratings or operational context, enhancing your analysis.
To add custom attributes to the threat data object, select Add Custom Attribute. You can subsequently select a custom attribute you previously added and enter the corresponding value. You must additionally provide a reason for adding the attribute, which makes it easier for other users to understand why the attribute was added.
These attributes added by you are available in the Overview tab of the threat data object.
For more information about custom attributes, see Custom Attributes.
False Positive
When an indicator is marked as malicious but your analysis finds it non-malicious, you can mark the indicator as a false positive. Marking an indicator as a false positive stops each new occurrence in the platform from affecting its confidence score.
Select False Positive and click Mark False Positive. The CTIX confidence score is then set to zero because the indicator is considered non-malicious.
Based on your analysis, if you find the indicator to be malicious, you can unmark the indicator. Select False Positive and click Unmark False Positive. After you unmark, the CTIX confidence score is recalculated.
Add to Watchlist
A watchlist lets you place an object value under close surveillance within the intel received in Intel Exchange. Adding an object value to the watchlist lets you track the number of times the value is observed in the platform across various sources. To add an object to the watchlist, select Add to Watchlist.
You can also view the object value added to the watchlist in My Org > Watchlist.
You can also remove the object from the watchlist. Select Add to Watchlist and click Remove from Watchlist.
Indicator Allowed
When indicators are ingested into Intel Exchange, they undergo a series of steps, including processing, enrichment, analysis, and dissemination. To safeguard your trusted indicators from the standard processing in Intel Exchange, you can mark them as allowed indicators. This ensures that allowed indicators are kept apart from the large volume of incoming indicators.
Select Indicator Allowed, click Add to Indicator Allowed, and provide a reason based on your analysis. After you add the indicator to the allowed list, the CTIX confidence score will be zero.
When you find the indicator to be malicious and you no longer consider the indicator safe, you can also remove the indicator from the allowed list. Select Indicator Allowed and click Remove from Indicator Allowed. After you remove the indicator from the allowed list, the confidence score is recalculated.
You can also view the allowed indicators in My Org > Indicators Allowed > My Allowed Indicators. For more information, see Allowed Indicators.
Deprecate
Deprecation is the process of marking an indicator as not relevant. When an indicator surpasses its valid until date, or when no source has reported or modified the indicator in 180 days, it no longer serves its purpose and is considered not relevant anymore. Intel Exchange automatically deprecates such indicators. For more information, see Threat Data FAQs.
You can manually deprecate indicators that you no longer find relevant or useful. To manually deprecate, select Deprecate. After you deprecate the indicator, the CTIX confidence score is set to zero and the indicator is considered non-malicious.
You can also undeprecate the indicator if the indicator is found relevant and useful based on your analysis. Select Deprecate, and click Undeprecate. After you undeprecate, the confidence score is recalculated.
You can automatically deprecate indicators using rules. For more information, see Deprecate IOCs using Rule.
Manual Review
When you want the object to be reviewed manually and monitored, you can mark the object for manual review. Click Manual Review to add the object to manual review.
After the review is done, you can mark the object as reviewed. To mark the object as reviewed, select Under Manual Review and click Mark as Reviewed.
New Note
You can create a new note on the threat data object based on your analysis. Click New Note, enter details within 2000 characters, and click Save.
You can also view the created note in the Notes tab.
New Task
You can create a new task and assign it to analysts to perform. Click New Task, enter the details about the task to be performed, assign the task to the analyst, and click Save. You can also add a priority and a due date to complete the task.
You can also view the created task in the Tasks tab.
Run Rule
Rules are configurable sets of instructions that perform tasks for defined conditions. You can manually run rules that are created using Run Rule Manually Only on the threat data object.
Select Run Rule and select a rule.
You can choose the rule to run on the selected objects of type indicator, malware, threat actor, vulnerability, attack pattern, campaign, course of action, identity, infrastructure, intrusion set, location, tool, report, observable, incident, and note.
Note
If a manually run rule has specific tags associated with it, the rule will apply only to objects with the specified tags. If no tags are associated, the rule will apply to all objects.
Create CFTR Incident
You can create a CFTR incident from Intel Exchange, which is then assigned to a security analyst for detailed investigation. You can create incidents for indicator, report, and campaign object types.
Select Create CFTR Incident and enter the title of the incident. By default, the title is the object value. Click Save. You can view the incident ID in CFTR incidents.
Revoke Intel
Notice
This feature is available in Intel Exchange from the release version v3.4.0 for indicators and v3.7.1 for other objects.
Revoke Intel revokes an object in the platform if it was unintentionally published to the collections or is now marked as a false positive. After revoking an object, the platform re-publishes the object to all published collections with a flag (is_revoked = true) conveying that the object is revoked. Intel Exchange re-publishes this information in STIX 1.x and STIX 2.x formats.
Note
The Revoke action is available for all object types except Observables, custom objects, Incidents, Groupings, and Notes.
If a revoked object is received from any source, the revoked status of the object is reset in the platform automatically. However, the object flag is_revoked = false is not automatically published in the collections.
Delete
When a threat data object is no longer relevant, is deprecated, or is no longer valid, you can delete it. When you delete a threat data object, its associated notes, tasks, and relationships with other objects are also deleted, and the object is removed from the threat investigation canvas.
When you delete a published object, the object is revoked from all published collections, and a flag revoked = true is sent to the collections.
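As an added example (not Intel Exchange's own code), the following Python consumer applies the lifecycle signals described under Deprecate, Revoke Intel and Delete to a local indicator store: it retires objects re-published with a revoked flag, applies the page's auto-deprecation rule (valid until passed, or not modified in 180 days), and ignores an older version that arrives after a newer one. It assumes STIX 2.1-shaped indicator objects and a constructed sample bundle; the flag spellings revoked/is_revoked and all ids and values are assumptions or placeholders.

```python
from datetime import datetime, timedelta, timezone
DEPRECATE_AFTER = timedelta(days=180)  # page rule: no source modified it in 180 days

def parse_ts(value):
    """Parse a STIX 2.1 timestamp (e.g. 2024-06-01T00:00:00Z) into an aware datetime."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def is_revoked(obj):
    # STIX 2.1's common property is 'revoked'; the page names is_revoked, so accept both (assumption).
    return bool(obj.get("revoked") or obj.get("is_revoked"))

def should_deprecate(obj, now):
    """Page rule: valid_until has passed, or no modification in 180 days."""
    valid_until = obj.get("valid_until")
    if valid_until and parse_ts(valid_until) <= now:
        return True
    return now - parse_ts(obj["modified"]) > DEPRECATE_AFTER

def apply_bundle(store, bundle, now):
    """Merge indicators into store {id: {"status", "modified"}}; newer versions win."""
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        current = store.get(obj["id"])
        if current and parse_ts(current["modified"]) > parse_ts(obj["modified"]):
            continue  # older version republished after a newer one: keep ours
        if is_revoked(obj):
            status = "revoked"
        elif should_deprecate(obj, now):
            status = "deprecated"
        else:
            status = "active"
        store[obj["id"]] = {"status": status, "modified": obj["modified"]}
    return store

# Constructed sample bundle; ids and values are placeholders, not real intel.
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--sample", "objects": [
    {"type": "indicator", "id": "indicator--aaaa", "modified": "2024-06-01T00:00:00Z",
     "valid_until": "2024-07-01T00:00:00Z", "pattern": "[ipv4-addr:value = '203.0.113.5']"},
    {"type": "indicator", "id": "indicator--bbbb", "modified": "2023-11-01T00:00:00Z",
     "pattern": "[domain-name:value = 'stale.example.test']"},
    {"type": "indicator", "id": "indicator--cccc", "modified": "2024-06-10T00:00:00Z",
     "revoked": True, "pattern": "[url:value = 'http://revoked.example.test/']"},
]}

def demo(now="2024-06-15T00:00:00Z"):
    store = apply_bundle({}, SAMPLE_BUNDLE, parse_ts(now))
    return {oid: rec["status"] for oid, rec in store.items()}
```

Because the platform does not republish is_revoked = false when a revoked object is received again, a consumer only learns of the reset through a newer version of the object; the version check above keeps the latest one it has seen.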
View Mode
You can visualize the relationships in the threat investigation canvas to better understand the object's relations.
In the View Mode section, click View in Threat Investigations to view the relations in Threat Investigation Canvas and save the canvas for further actions.
If intel is created from a threat investigation canvas, click View in Threat Investigations and select one of the following options:
Relations View: To get a visual representation of the relations.
Source Canvas View: To open the threat investigation canvas from which intel was created.
For more information, see Threat Investigations.
View in Sandbox
Opens the analysis report of the threat data object in Sandbox. This is only available for the report object type. For more information, see Malware Analysis using Sandbox.