Create Intel from X (Twitter) Feeds
You can create intel directly from the IOCs received in an X (Twitter) feed.
To create intel from the X (Twitter) feeds, follow these steps:
From the Main Menu, open X (Twitter) Feeds under Collection.
From the Home Timeline, select a feed, and click Parse.
You can view the list of extracted threat data objects that are categorized into various STIX object types. You can edit an object to modify the object value. You can also add new objects if no object is extracted, or add more objects to the intel. You can add new object types and add objects to an extracted object type.
To add a new object type, follow these steps:
In STIX Data, click Add Object.
Select an object type. For example, Ipv4 addr.
Enter a valid value for the selected object type. For example, 1.1.1.1.
Click Save.
To add an object to an object type, follow these steps:
In STIX Data, select an object type and click Add. For example, Domain.
Enter a valid value for the selected object type. For example, sampledomain.com.
Click Save.
To add additional information about the feed, click + Add Metadata and enter the following details:
Enter the title and description for the feed.
Select a TLP and confidence score.
Set the default custom score values.
Set the Deprecates after duration in days to define when the threat data (indicator) should be deprecated, unless the source provides an expiry duration (Range: 1–180 days). If the same indicator is received from multiple sources, the longest valid duration is applied.
To identify and categorize feeds, add tags.
By default, Intel Exchange collects all this information from the feed and allows you to modify or add more information if required.
Click Create Intel.
If you are creating intel from this feed for the first time, Intel Exchange automatically creates a new report object. If you are creating intel again from the same feed, Intel Exchange prompts you to choose a report object to store the intel:
Add to Existing Report: Select to create the intel in an existing report.
Create New Report: Select to create the intel in a new report object.
You can also create intel from partially processed IOCs. This enables you to utilize the available IOCs and track.
Click Save.
You can view the intel created in Threat Data by the given report name.
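The Deprecates after rule described in the metadata step can be worked through in code. The following is an added example, not Intel Exchange code: the Sighting record, the function names, and the choice to count the duration from a caller-supplied received date are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional

MIN_DAYS, MAX_DAYS = 1, 180  # range the page gives for "Deprecates after"


@dataclass(frozen=True)
class Sighting:
    """One receipt of an indicator from one source (hypothetical record)."""
    source: str
    deprecates_after_days: int                # value set in the feed metadata
    source_expiry_days: Optional[int] = None  # expiry supplied by the source


def valid_days(s: Sighting) -> int:
    """Duration for one sighting: a source-provided expiry wins over the setting."""
    if s.source_expiry_days is not None:
        if s.source_expiry_days < 1:  # assumption: an expiry must be positive
            raise ValueError(f"{s.source}: source expiry must be at least 1 day")
        return s.source_expiry_days
    if not MIN_DAYS <= s.deprecates_after_days <= MAX_DAYS:
        raise ValueError(
            f"{s.source}: Deprecates after must be {MIN_DAYS}-{MAX_DAYS} days")
    return s.deprecates_after_days


def applied_duration(sightings: Iterable[Sighting]) -> int:
    """Same indicator from several sources: the longest valid duration applies."""
    durations = [valid_days(s) for s in sightings]
    if not durations:
        raise ValueError("no sightings for this indicator")
    return max(durations)


def deprecation_date(received: date, sightings: Iterable[Sighting]) -> date:
    """Assumption: the duration is counted from the date passed as `received`."""
    return received + timedelta(days=applied_duration(sightings))


# Constructed sample: one indicator seen in an X feed and two other sources.
SAMPLE = [
    Sighting("x-feed", deprecates_after_days=30),
    Sighting("source-a", deprecates_after_days=30, source_expiry_days=90),
    Sighting("source-b", deprecates_after_days=60),
]

if __name__ == "__main__":
    print(applied_duration(SAMPLE), deprecation_date(date(2024, 1, 1), SAMPLE))
```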