Cyware Threat Intelligence eXchange

Fill Malware Analysis Details

Malware Analysis encompasses the metadata and results from specific static or dynamic analyses conducted on a malware instance or family. This process involves examining the behavior and characteristics of malware to understand its functionality, impact, and potential threat to systems. The analysis may yield valuable insights that inform response strategies and improve detection capabilities, contributing to overall cybersecurity efforts.

The malware analysis component contains the following:

  • Basic Details

  • Common Fields

  • Object Reference

  • Custom Attributes

  • External References

Basic Details

| Field Name | Required | Description |
|---|---|---|
| Product | Mandatory | The name of the analysis engine or tool used, formatted in all lowercase with words separated by a dash ('-'). If the product name cannot be specified, the value 'anonymized' must be used. |
| Product Version | Optional | The version of the analysis tool used to conduct the analysis. |
| Configuration Version | Optional | The named configuration of additional parameters for the analysis run. For example, if a product is set up to perform a full-depth analysis of Windows™ PE files, that configuration may have a specific name that can be recorded here so that subsequent runs can be configured the same way. |
| Module(s) | Optional | The specific analysis modules that were used and configured in the product during this analysis run. For example, it may include modules configured to support the analysis of Dridex. |
| Analysis Engine Version | Optional | The version of the analysis engine or product (including antivirus engines) used to conduct the analysis. |
| Analysis Definition Version | Optional | The version of the analysis definitions used by the analysis tool (including antivirus tools). |
| Start Date | Optional | The date on which the malware analysis was first initiated. |
| End Date | Optional | The date on which the malware analysis was completed. |
| Submission Date | Optional | The date and time when the malware was first submitted for scanning or analysis, for example the date on which it was submitted to an antivirus analysis tool. This value remains constant, while the scan date may vary. |
| Result Name | Optional | The classification result assigned to the malware instance by the antivirus scanner tool. If the AV scanner does not provide a specific classification value, the result name should be derived from the malware-av-result-ov open vocabulary. |
| Result | Optional | The classification result assigned to the malware instance by the antivirus scanner. If no specific classification value is provided, refer to the malware-av-result-ov open vocabulary for an appropriate result. |

Object Reference(s)

| Field Name | Description |
|---|---|
| Host Virtual Machine | A description of the virtual machine environment used to host the guest operating system (if applicable) for the dynamic analysis of the malware instance or family. If this value is not provided alongside the operating_system_ref property, it indicates that the dynamic analysis may have been conducted on bare metal (without virtualization) or that the information was redacted. The value of this property must be the identifier for a SCO software object. |
| Operating System | The operating system used for the dynamic analysis of the malware instance or family, applicable to both virtualized environments and bare metal systems. The value of this property must be the identifier for a SCO software object. |
| Installed Software(s) | Any non-standard software installed on the operating system (as specified in the Operating System field) used for the dynamic analysis of the malware instance or family. The value of this property must be the identifier for a SCO software object. |
| Analysis SCO Ref | References to the STIX Cyber Observable Objects that were captured during the analysis process. |
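The rules in the Basic Details and Object Reference(s) tables (lowercase dash-separated product name with the 'anonymized' fallback, a result drawn from malware-av-result-ov, and software-SCO identifiers for the environment references) are easy to encode as a pre-submission check. The following is an added example, not CTIX's own code; it assumes the form fields map onto the STIX 2.1 malware-analysis properties of the same name, and the SCO identifiers in the sample are constructed placeholders.

```python
import re
import uuid
from datetime import datetime, timezone

# STIX 2.1 malware-av-result-ov values (from the STIX spec, not listed on this page).
AV_RESULT_OV = {"malicious", "suspicious", "benign", "unknown"}
# Product rule from the Basic Details table: lowercase words joined by '-'.
PRODUCT_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")

def normalize_product(name):
    """Lowercase and dash-separate a tool name; 'anonymized' when it cannot be given."""
    slug = re.sub(r"[^a-z0-9]+", "-", (name or "").strip().lower()).strip("-")
    return slug or "anonymized"

def _ts(value):
    """Parse a STIX-style UTC timestamp ('...Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_malware_analysis(obj):
    """Return a list of rule violations; an empty list means the object passes."""
    errors = []
    if not PRODUCT_RE.match(obj.get("product", "")):
        errors.append("product must be lowercase, dash-separated, or 'anonymized'")
    if "result" in obj and obj["result"] not in AV_RESULT_OV:
        errors.append(f"result {obj['result']!r} is not in malware-av-result-ov")
    # Host VM, OS and installed software must all point at software SCOs.
    refs = [obj.get(k) for k in ("host_vm_ref", "operating_system_ref")]
    refs += obj.get("installed_software_refs", [])
    for ref in refs:
        if ref is not None and not ref.startswith("software--"):
            errors.append(f"{ref!r} must be the id of a software SCO")
    started, ended = obj.get("analysis_started"), obj.get("analysis_ended")
    if started and ended and _ts(started) > _ts(ended):
        errors.append("analysis_started is later than analysis_ended")
    return errors

def build_malware_analysis(product, **props):
    """Assemble a STIX 2.1 malware-analysis SDO with the common envelope fields."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    obj = {"type": "malware-analysis", "spec_version": "2.1",
           "id": f"malware-analysis--{uuid.uuid4()}", "created": now,
           "modified": now, "product": normalize_product(product)}
    obj.update(props)
    return obj

# Constructed sample: the software-- ids are placeholders, not real objects.
SAMPLE = build_malware_analysis(
    "Cuckoo Sandbox", result="malicious",
    host_vm_ref="software--11111111-1111-4111-8111-111111111111",
    operating_system_ref="software--22222222-2222-4222-8222-222222222222",
    analysis_started="2024-01-10T09:00:00Z", analysis_ended="2024-01-10T09:30:00Z")
```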

Custom Attributes

| Field Name | Description |
|---|---|
| Add Custom Attribute | Specify additional information that helps improve the threat intelligence details. CTIX displays custom attributes created in Administration > Custom Entities Management. You can create multiple custom attributes for the report. |

External References

| Field Name | Description |
|---|---|
| Source Name | Enter a source name. |
| Description | Enter a description. |
| External ID | Enter an external ID. |
| URL | Enter the URL of the external reference. |
| Hash Type | Select the hash type. |
| Hash Value | Enter the hash value. |