Quick Actions
Intel Exchange provides a set of actions that you can perform on a threat data object based on your analysis, such as marking the threat data object as a false positive, adding tags, and more.
Tags
Tags are labels or keywords used to categorize and organize threat intel. You can assign tags such as user tags, source tags, and system tags to the threat data object. You can also assign privileged access tags if your user group has access to restricted tags.
Click Add Tags and select or search for a tag from the dropdown. To create a new tag, enter a tag name and click Add Tags. A new user tag is created and assigned to the threat data object.
For more information about tags and categories of tags, see Tag Management.
False Positive
When an indicator is marked as malicious but your analysis finds it non-malicious, you can mark the indicator as a false positive. This lowers the confidence score calculated for the indicator on each subsequent occurrence in the platform.
Select False Positive and click Mark False Positive. The CTIX confidence score becomes zero because the indicator is considered non-malicious.
If your analysis later finds the indicator to be malicious, you can unmark it. Select False Positive and click Unmark False Positive. After you unmark the indicator, the CTIX confidence score is recalculated.
Indicator Allowed
When indicators are ingested into Intel Exchange, they undergo a series of steps, including processing, enrichment, analysis, and dissemination. To safeguard your trusted indicators from the standard processing in Intel Exchange, you can mark them as allowed indicators. Allowed indicators are exempted from the processing applied to the stream of incoming indicators.
Select Indicator Allowed, click Add to Indicator Allowed, and provide a reason based on your analysis. After you add the indicator to the allowed list, the CTIX confidence score will be zero.
If you find the indicator to be malicious and no longer consider it safe, you can remove the indicator from the allowed list. Select Indicator Allowed and click Add to Indicator Allowed. After you remove the indicator from the allowed list, the confidence score is recalculated.
You can also view the allowed indicators in My Org > Indicators Allowed > My Allowed Indicators. For more information, see Allowed Indicators.
Add to Watchlist
A watchlist lets you closely monitor an object value within the intel received in Intel Exchange. Adding an object value to the watchlist enables you to track the number of times the value is observed in the platform across sources. To add an object to the watchlist, select Add to Watchlist.
You can also view the object value added to the watchlist in My Org > Watchlist.
You can also remove the object from the watchlist. Select Add to Watchlist and click Remove from Watchlist.
Deprecate
Deprecation is the process of marking an indicator as not relevant. When an indicator passes its valid until date, or when no source has reported or modified the indicator in 180 days, the indicator no longer serves its purpose and is no longer considered relevant. Intel Exchange automatically deprecates such indicators. For more information, see Threat Data FAQs.
You can manually deprecate indicators that you no longer find relevant or useful. To manually deprecate, select Deprecate. After you deprecate the indicator, the CTIX confidence score becomes zero and the indicator is considered non-malicious.
You can also undeprecate the indicator if your analysis finds it relevant and useful. Select Deprecate, and click Undeprecate. After you undeprecate the indicator, the confidence score is recalculated.
You can automatically deprecate indicators using rules. For more information, see Deprecate IOCs using Rule.
Run Rule
Rules are configurable sets of instructions that perform tasks when defined conditions are met. You can manually run rules that were created with the Run Rule Manually Only option on the threat data object.
Select Run Rule and select a rule.
You can choose the rule to run on the selected objects of type indicator, malware, threat actor, vulnerability, attack pattern, campaign, course of action, identity, infrastructure, intrusion set, location, tool, report, observable, incident, and note.
New Task
You can create a new task and assign it to an analyst. Click New Task, enter the details of the task to be performed, assign the task to the analyst, and click Save. You can also set a priority and a due date for the task.
You can also view the created task in the Tasks tab.
New Note
You can create a new note on the threat data object based on your analysis. Click New Note, enter details within 2000 characters, and click Save.
You can also view the created note in the Notes tab.
View in Sandbox
Opens the analysis report of the threat data object in Sandbox. This is only available for the report object type. For more information, see Malware Analysis using Sandbox.
Manual Review
When you want an object to be reviewed manually and monitored, you can mark it for manual review. Click Manual Review to add the object to manual review.
After the review is done, you can mark the object as reviewed. To mark the object as reviewed, select Under Manual Review and click Mark as Reviewed.
Delete
When a threat data object is no longer relevant, is deprecated, or is no longer valid, you can delete it. When you delete a threat data object, its associated notes, tasks, and relationships with other objects are also deleted, and the object is removed from the threat investigation canvas.
When you delete a published object, the object is revoked from all published collections, and a flag revoked = true is sent to the collections.
Revoke Intel
Notice
This feature is available in CTIX from the release version v3.4.0 and later.
Revokes a published indicator in the platform if it was unintentionally published to the collections or is now marked as a false positive. After you revoke an indicator, the platform re-publishes it to all the published collections with a flag conveying that the indicator is revoked. Intel Exchange re-publishes this information in STIX 1.x and STIX 2.x formats.
If the platform receives the revoked indicator from any source, the platform resets the status of the indicator automatically.
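The following is an added example, not Intel Exchange code, showing how a consumer of a published STIX 2.x collection would honor the lifecycle described in the Deprecate and Revoke Intel sections: an indicator re-published with revoked = true is dropped, an indicator whose valid_until has passed or that no source has modified in 180 days is treated as deprecated, and only the remaining indicators are pushed to detection controls. The bundle, object ids and timestamps are constructed for the example; the 180-day window is the automatic deprecation rule stated above, and the "newest modified version wins" handling is an assumption about how a consumer should reconcile re-published objects.

```python
"""Added example (not Cyware/Intel Exchange code): a minimal STIX 2.1 consumer
that classifies indicators in a published bundle as active, revoked or deprecated."""
import json
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=180)  # automatic deprecation window from the docs

# Fixed "now" so the classification below is reproducible (constructed value).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample bundle; ids, patterns and timestamps are made up.
# Indicator a2 appears twice: a newer re-published version carrying
# revoked = true, listed before the older version, to show that ordering
# within the bundle must not matter.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-0000000000a1",
         "created": "2024-05-01T00:00:00.000Z", "modified": "2024-05-20T00:00:00.000Z",
         "pattern": "[domain-name:value = 'example.test']", "pattern_type": "stix",
         "valid_from": "2024-05-01T00:00:00Z", "valid_until": "2025-05-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-0000000000a2",
         "created": "2024-01-01T00:00:00.000Z", "modified": "2024-05-25T00:00:00.000Z",
         "pattern": "[ipv4-addr:value = '203.0.113.7']", "pattern_type": "stix",
         "valid_from": "2024-01-01T00:00:00Z", "revoked": True},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-0000000000a2",
         "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-15T00:00:00.000Z",
         "pattern": "[ipv4-addr:value = '203.0.113.7']", "pattern_type": "stix",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-0000000000a3",
         "created": "2023-01-01T00:00:00.000Z", "modified": "2024-05-20T00:00:00.000Z",
         "pattern": "[url:value = 'http://expired.example.test/x']", "pattern_type": "stix",
         "valid_from": "2023-01-01T00:00:00Z", "valid_until": "2024-03-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-0000000000a4",
         "created": "2023-09-01T00:00:00.000Z", "modified": "2023-10-01T00:00:00.000Z",
         "pattern": "[domain-name:value = 'stale.example.test']", "pattern_type": "stix",
         "valid_from": "2023-09-01T00:00:00Z"},
    ],
})


def _ts(value):
    """Parse a STIX timestamp (RFC 3339 with 'Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def latest_versions(bundle):
    """Keep only the newest version (highest 'modified') of each indicator id."""
    newest = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator":
            continue
        current = newest.get(obj["id"])
        if current is None or _ts(obj["modified"]) > _ts(current["modified"]):
            newest[obj["id"]] = obj
    return newest


def indicator_status(obj, now):
    """Apply the lifecycle rules: revoked flag first, then expiry, then staleness."""
    if obj.get("revoked"):
        return "revoked"
    valid_until = obj.get("valid_until")
    if valid_until and _ts(valid_until) <= now:
        return "deprecated"          # passed its valid until date
    if now - _ts(obj["modified"]) > STALE_AFTER:
        return "deprecated"          # not modified by any source in 180 days
    return "active"


def classify_bundle(bundle_json, now=None):
    """Return {indicator id: status} for the newest version of each indicator."""
    now = now or datetime.now(timezone.utc)
    bundle = json.loads(bundle_json)
    return {oid: indicator_status(obj, now)
            for oid, obj in latest_versions(bundle).items()}


def active_patterns(bundle_json, now=None):
    """Patterns that are still safe to push to a detection control."""
    now = now or datetime.now(timezone.utc)
    bundle = json.loads(bundle_json)
    return [obj["pattern"] for obj in latest_versions(bundle).values()
            if indicator_status(obj, now) == "active"]


if __name__ == "__main__":
    for oid, status in classify_bundle(SAMPLE_BUNDLE, SAMPLE_NOW).items():
        print(f"{status:10s} {oid}")
    print("push to controls:", active_patterns(SAMPLE_BUNDLE, SAMPLE_NOW))
```

Resolving the newest version of each id before applying the rules is what makes a re-published revocation effective: a consumer that processed objects in arrival order and then saw the older, unrevoked copy would silently reinstate the indicator.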
View Mode
You can visualize the relationships in the threat investigation canvas to better understand how the object relates to other objects.
Click View in Threat Investigations in View Mode. You can view the threat data objects in Threat Investigation Canvas and save the canvas for further actions.
For more information, see Threat Investigations.
Create CFTR Incident
You can create a CFTR incident from Intel Exchange, which is then assigned to a security analyst for detailed investigation. You can create incidents for the indicator and report object types.
Select Create CFTR Incident and enter the title of the incident. By default, the title is the object value. Click Save. You can view the incident ID in CFTR incidents.