Create Intel from Sandbox
You can create intel directly from the data extracted in a sandbox analysis report. Intel Exchange auto-generates threat data elements such as indicators, file metadata, and detection summaries, helping you accelerate threat enrichment workflows.
Before you start
Ensure your user group has the following permissions:
Create Intel
Create Sandbox Records
View Sandbox Records
Steps
To create intel from a successfully analyzed sandbox record:
Go to Main Menu and select Analysis > Sandbox.
In the listing, open a record with Success status.
Click Create Intel in the upper-right corner of the report view. The system retrieves all threat data elements identified in the sandbox analysis report.
Select the IOCs you want to include in the intel. Then, click + Add Metadata to enrich the selected data. You can customize the following fields:
Title: Auto-filled using the sandbox record name. You can modify this if needed (maximum 100 characters).
Description: Auto-filled with extracted HTML content from the report.
Note: The description is added only to the report object, not to the individual threat data elements.
TLP: Select a Traffic Light Protocol (TLP) level for sharing sensitivity.
Deprecates after: Set the number of days (1-180) after which the threat data (indicator) should be deprecated, unless an expiry is provided by the source. If the same indicator is received from multiple sources, the longest valid duration is applied.
Risk Score: Assign a risk score to help prioritize the intel.
Tags: Add tags to classify and group intel.
Apply Metadata to All Objects: Enable this option to apply the selected metadata to all threat objects included in the intel. If left disabled, metadata will only apply to the report object created from the sandbox analysis.
Click Create Intel to proceed.
If this is the first time intel is being created from this artifact, Intel Exchange automatically creates a new report object using the title of the file or URL.
For subsequent intel created from the same artifact, the new intel is added to the existing report object.
Click Save.
Post Intel Creation
After the intel is created:
A report object is generated in Threat Data, representing the analyzed file or URL.
Individual threat data entries are created for each selected object, such as IOCs or detection signatures.
All created objects will show Cyware Sandbox as the source of intel.
You can search, view, and take further action on these intel objects from the Threat Data section.