Release Notes 3.7.4 (Early Access)
April 8, 2025
We are excited to introduce you to the latest version of Intel Exchange v3.7.4.0 (EA). This is a limited-availability release that includes new features, enhancements, and integrations.
Risk Score Engine Beta
The Confidence Score Engine feature in Intel Exchange has been revamped and rebranded as the Risk Score Engine, introducing an improved design and enhanced customization options for indicator risk scoring.
Users can now:
Customize the Risk Score by adjusting the weightage of source credibility, enrichment tools, and attributes to align with your internal risk assessment standards, enabling precise threat prioritization.
Leverage external risk scores from trusted third-party sources as the final Risk Score to ensure a consistent and reliable threat evaluation with prioritized assessments.
For more information, see Risk Score Engine.
Dark Mode New
Intel Exchange now supports Dark Mode for improved readability and focus. However, some sections remain in Light Mode, including exported dashboards (PDFs/PNGs), the Analyst Description editor in Threat Data, and the Threat Bulletin editor.
Threat Data UI Enhanced
Threat Data UI has been enhanced to provide a more seamless and user-friendly experience.
The Basic Details section in the Overview tab is now Key Details, which aggregates essential information from multiple sources that reported the object.
The Sources section in the Overview tab now sorts sources by their source modified date instead of the source creation date, improving threat data analysis.
The Basic Details tab is now Analysis, which consolidates analyst-related details such as descriptions, custom scores, and source information.
Threat Data Enhanced
Threat data object details have been enhanced for a more intuitive user experience.
The Relationship Details section now includes All, Forward, and Reverse tabs, clearly displaying forward and reverse object relationships. The table view no longer has a 10,000-relation limit, providing unrestricted visibility into all related threat data objects.
Quick Actions now include:
Add Relation: Add and edit relationships between threat data objects to enhance analysis and clarify interconnections.
Add Custom Attribute: Assign custom attributes to threat data objects to track specialized information, such as internal risk ratings or operational context, improving analysis.
You can now add object-specific tags when manually running rules under the Actions section on Threat Data Objects, ensuring that rules apply only to the selected objects. If no tags are added, manual rules will run on all objects by default.
For more information, see Action on Threat Data Objects.
Quick Add Intel Enhanced
Quick Add Intel now offers the following enhancements:
Apply Metadata to All Objects: When creating intel, this option ensures that specified metadata is applied to all associated objects. If not selected, the report object's title is used as the description for related objects.
File Support: You can now parse threat data objects from .docx and .tsv files and manually add them, broadening the range of supported formats for data extraction.
For more information, see Quick Add Intel.
Detailed Submission Enhanced
Detailed Submission now offers the following enhancements:
Submit and curate a broader range of threat data objects with support for additional STIX components, including Course of Action, Grouping, Incident, Intrusion Set, Malware Analysis, Observed Data, Opinion, Note, and Custom Object.
Specify the Relation Type when linking primary and secondary objects, simplifying the definition and understanding of connections between STIX components for more precise threat intelligence submissions.
Assign Custom Scores to all STIX components in Common Fields to prioritize threat intelligence analysis and dissemination more effectively.
For more information, see Detailed Submission.
Threat Investigation Canvas Enhanced
The Threat Investigation Canvas offers the following enhancements:
Create intel with up to 50,000 nodes on a canvas while maintaining optimal performance and stability.
Set the layout to Custom mode to retain node positions and preserve modifications on the canvas.
Select all objects, specific objects, or clear them before analyzing relationships in Analyze Relations, giving you greater control over the analysis process.
For more information, see Threat Investigations.
Tag Management Enhanced
Tag Management now offers the following enhancements:
You can now edit the names of user, system, and privileged access tags, giving you greater flexibility in tag management.
You can now view the source of creation for source tags in the new Source column, improving visibility and context.
Manage privileged access tags more intuitively with updated fields and UI enhancements, offering better visibility and control.
For more information, see Tag Management.
Export Campaign Threat Data Enhanced
You can now export campaign threat data in XLSX format, including relations, custom attributes, and fields such as duration and risk score. This enhancement provides a structured view of campaign data, enabling better analysis of complex threat intelligence and threat object relationships.
For more information, see Export Threat Data Object Details.
Other Enhancements
When CFTR incidents are created from report objects or published threat bulletins, their associated threat data objects are automatically linked as Connect the Dots components, ensuring seamless integration and contextual threat analysis. For more information, see Create an Incident in CFTR with CTIX.
IPv6 short form is now supported in both ingestion and publishing, allowing for seamless processing of compressed IPv6 addresses without format restrictions.
Intel Exchange now supports IPv4 and IPv6 CIDR ranges across Threat Data CQL search, Rules, and Allowed Indicators for better IP subnet queries and threat management.
Custom Entities Management now supports multi-select custom attributes for more flexible threat data categorization. For more information, see Custom Attributes.
To optimize performance, the Threat Bulletin module now supports processing bulletins up to 10 MB, including content and attachments. This enhancement ensures efficient data handling and system stability. For more information, see Threat Bulletin.
The Source Confidence Value filter is now available across multiple modules, including Threat Investigation Canvas, CQL, and Search Filters. This enhancement enables you to set a confidence range (0–100) to refine threat data object filtering, enhancing threat assessment and analysis.
The Indicators Allowed module now automatically adds all variations of an IPv6 address to the allowed list when it is imported in its fully compressed (such as ::8a2e:370:7334) or fully expanded (0000:0000:0000:0000:0000:8a2e:0370:7334) format. However, if an IPv6 address is imported in an intermediate format (such as ::0:8a2e:370:7334), only that exact address is added to the allowed list, and its variations are not automatically included. For more information, see Allowed Indicator List.
Configure rules to create CFTR incidents for specific campaigns, enabling real-time tracking of high-priority threats.
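The IPv6 allowed-list behaviour described above means an entry imported in an intermediate form covers only that exact string. The following pre-import check is an added example, not Intel Exchange code: it flags intermediate-form entries and rewrites them to the fully compressed form. It assumes the product's "fully compressed" form matches the RFC 5952 output of Python's ipaddress module and that case is not significant; the function names and sample entries are constructed for illustration.

```python
import ipaddress


def classify_ipv6_form(text):
    """Return (form, address); form is 'fully_compressed',
    'fully_expanded' or 'intermediate'. Raises AddressValueError
    when the text is not an IPv6 address."""
    cleaned = text.strip()
    addr = ipaddress.IPv6Address(cleaned)
    lowered = cleaned.lower()  # assumption: case is not significant
    if lowered == addr.compressed:
        return "fully_compressed", addr
    if lowered == addr.exploded:
        return "fully_expanded", addr
    return "intermediate", addr


def prepare_allowlist(entries):
    """Normalise entries before import.

    Returns (canonical, rewritten, rejected):
      canonical - de-duplicated addresses in fully compressed form
      rewritten - (original, compressed) pairs that were intermediate
      rejected  - entries that are not valid IPv6 addresses
    """
    canonical, rewritten, rejected = [], [], []
    seen = set()
    for raw in entries:
        try:
            form, addr = classify_ipv6_form(raw)
        except ipaddress.AddressValueError:
            rejected.append(raw)
            continue
        if form == "intermediate":
            rewritten.append((raw, addr.compressed))
        if addr not in seen:  # same address in another notation
            seen.add(addr)
            canonical.append(addr.compressed)
    return canonical, rewritten, rejected


# Constructed sample input: three notations of one address,
# a mixed-case partially expanded address, and one invalid entry.
SAMPLE_ENTRIES = [
    "::8a2e:370:7334",
    "0000:0000:0000:0000:0000:8a2e:0370:7334",
    "::0:8a2e:370:7334",
    "2001:DB8:0:0:0:0:0:1",
    "not-an-address",
]
```

Entries listed in `rewritten` are the ones that would otherwise have been allowed only as an exact match.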
Integrations
This release includes new integrations and enhancements to existing integrations, improving functionality and expanding capabilities.
New
GreyNoise (API Feed Source): Retrieves actionable intelligence on IPv4 indicators, vulnerabilities, identities, and observables (ASNs, domains) with enriched geolocation data. For more information, see GreyNoise.
NCSC Netherlands (API Feed Source): Retrieves threat data objects related to vulnerabilities, tools, and reports. This integration enhances cyber threat intelligence with authoritative data from NCSC. For more information, see NCSC Netherlands.
TeamT5 (API Feed Source): Provides intelligence on various threat objects, including threat actors, malware, vulnerabilities, attack patterns, intelligence reports, indicators (IPv4, domains, hashes – MD5, SHA1, SHA256), tools, identities, and observables. This integration enhances threat analysis capabilities with in-depth intelligence. For more information, see TeamT5 ThreatVision.
HYAS (API Feed Source): Retrieves threat intelligence feeds related to malware, infrastructure, observed data (Autonomous System and File Objects), location, and indicators. This integration enhances threat hunting with valuable insights into adversary infrastructure. For more information, see Hyas.
ThreatFox (Enrichment Tool): Enhances threat data by providing critical insights into malware, hashes (MD5, SHA256), IPs, domains, and URLs. This enrichment helps analysts gain deeper context on malicious activity, empowering more informed decision-making and faster threat response. For more information, see Threatfox.
SpyCloud (Enrichment Tool): Ingests breach and malware intelligence for accelerated threat investigation. For more information, see SpyCloud.
Pangea (Enrichment Tool): Retrieves comprehensive threat intelligence about indicators of compromise. For more information, see Pangea.
Hunt.io (Enrichment Tool): Enriches IP intelligence with network scanning and cyberattack insights using a global sensor network. For more information, see Hunt.io.
Enhanced
NVD (API Feed Source): Enhanced this integration to poll data from the last 15 days instead of all data, improving efficiency and ensuring more relevant data retrieval. For more information, see NVD.
Group-IB (API Feed Source): Optimized for reduced latency and improved stability. For more information, see Group-IB.
MITRE (API Feed Source): Updated collection names ensure consistent data classification. For more information, see MITRE.
Microsoft Defender for Endpoint (MDE) (Internal Applications): API rate limits (100 calls/min, 1,500 calls/hour) have been implemented, along with new data fields for deeper security insights. For more information, see Microsoft Defender for Endpoint.