Configure Intel Exchange in Elastic
Cyware Intel Exchange is available as an integration in Elastic Security. It brings threat intelligence from Intel Exchange directly into Elastic, where the ingested indicators can be used for detection, threat hunting, and deeper investigation. The integration strengthens security operations by correlating Intel Exchange indicators with Elastic events for faster and more effective analysis.
This integration with Elastic offers the following capabilities:
Ingest threat indicators from Intel Exchange into Elastic using an agentless or agent-based setup.
Configure multiple integration instances to collect indicators based on tags, collections, or saved result sets.
Automatically map ingested indicators into Elastic's Indicator data stream for use in detections and dashboards.
View and manage indicators directly in the Threat Intelligence view in Elastic Security.
Use built-in or custom indicator match rules in Elastic to enrich security detections with Intel Exchange intelligence.
Prevent duplication through Elastic’s deduplication and indexing logic.
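The indicator match capability listed above is where the ingested data earns its keep. The following Python example is added here and is not code from Cyware or Elastic: it builds the body of a threat_match rule for the Kibana Detections API (POST /api/detection_engine/rules) that points at the Intel Exchange data stream, and it re-implements the threat_mapping semantics locally (entries inside one group are AND-ed, groups are OR-ed) so you can dry-run a mapping against sample events before enabling the rule. It assumes the default data stream name logs-ti_cyware_intel_exchange.indicator-*, ECS-mapped threat.indicator.* fields, and a Kibana API key; the events and indicators at the bottom are constructed, not real intelligence.

```python
"""Added example: create an Elastic indicator match (threat_match) rule for the
Cyware Intel Exchange data stream and dry-run its mapping locally.
Not Cyware's or Elastic's code. Assumptions: default data stream name
logs-ti_cyware_intel_exchange.indicator-*, ECS threat.indicator.* fields,
Kibana API key auth. Sample events/indicators below are constructed."""
import json
import os
import urllib.request

THREAT_INDEX = ["logs-ti_cyware_intel_exchange.indicator-*"]

# Elastic evaluates threat_mapping as OR across groups and AND within a group's
# entries: an event matches an indicator if every entry of at least one group
# holds (event[field] == indicator[value]).
THREAT_MAPPING = [
    {"entries": [{"field": "source.ip", "type": "mapping", "value": "threat.indicator.ip"}]},
    {"entries": [{"field": "destination.ip", "type": "mapping", "value": "threat.indicator.ip"}]},
    {"entries": [{"field": "dns.question.name", "type": "mapping", "value": "threat.indicator.domain"}]},
    {"entries": [{"field": "url.full", "type": "mapping", "value": "threat.indicator.url.full"}]},
]


def rule_body(name: str, source_index: list, lookback: str = "now-65m") -> dict:
    """Request body for POST /api/detection_engine/rules. threat_query keeps
    only indicators from this dataset; narrow it further (for example to drop
    revoked indicators) once you have confirmed the field names in your docs."""
    return {
        "name": name,
        "description": "Matches events against Cyware Intel Exchange indicators",
        "type": "threat_match",
        "index": source_index,           # event indices to scan, e.g. ["logs-*"]
        "query": "*:*",
        "language": "kuery",
        "threat_index": THREAT_INDEX,
        "threat_query": "event.dataset:ti_cyware_intel_exchange.indicator",
        "threat_language": "kuery",
        "threat_mapping": THREAT_MAPPING,
        "threat_indicator_path": "threat.indicator",
        "interval": "1h",
        "from": lookback,                # overlap the interval so no gap forms
        "risk_score": 73,
        "severity": "high",
        "enabled": True,
    }


def _get(doc: dict, dotted: str):
    """Resolve a dotted ECS path such as 'threat.indicator.ip'; None if absent."""
    for part in dotted.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc


def event_matches(event: dict, indicator: dict, mapping: list) -> bool:
    """Local re-implementation of threat_mapping for dry runs. The 'is not None'
    guard stops an event and an indicator that both lack a field from matching."""
    for group in mapping:
        if all(_get(event, e["field"]) is not None
               and _get(event, e["field"]) == _get(indicator, e["value"])
               for e in group["entries"]):
            return True
    return False


def find_matches(events: list, indicators: list, mapping: list = THREAT_MAPPING) -> list:
    """Return (event id, indicator id) pairs the rule would alert on."""
    return [(ev["id"], ind["id"]) for ev in events for ind in indicators
            if event_matches(ev, ind, mapping)]


def create_rule(kibana_url: str, api_key: str, body: dict) -> dict:
    """POST the rule to Kibana (needs network; kbn-xsrf header is mandatory)."""
    req = urllib.request.Request(
        f"{kibana_url.rstrip('/')}/api/detection_engine/rules",
        data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "kbn-xsrf": "true",
                 "Authorization": f"ApiKey {api_key}"})
    with urllib.request.urlopen(req, timeout=30) as r:
        return json.load(r)


# Constructed sample data (documentation-range addresses, not real indicators).
INDICATORS = [
    {"id": "i1", "threat": {"indicator": {"type": "ipv4-addr", "ip": "198.51.100.23"}}},
    {"id": "i2", "threat": {"indicator": {"type": "domain-name", "domain": "bad.example"}}},
]
EVENTS = [
    {"id": "e1", "destination": {"ip": "198.51.100.23"}},
    {"id": "e2", "dns": {"question": {"name": "bad.example"}}},
    {"id": "e3", "destination": {"ip": "203.0.113.9"}},
    {"id": "e4", "source": {"ip": "198.51.100.23"}},
]

if __name__ == "__main__":
    print("dry run matches:", find_matches(EVENTS, INDICATORS))
    if os.environ.get("KIBANA_URL") and os.environ.get("KIBANA_API_KEY"):
        body = rule_body("Cyware Intel Exchange indicator match", ["logs-*"])
        print(create_rule(os.environ["KIBANA_URL"], os.environ["KIBANA_API_KEY"], body)["id"])
```

The dry run flags e1, e2 and e4 and leaves e3 alone. The `from: now-65m` with a one-hour `interval` is deliberate: the lookback overlaps the schedule so an event that lands late is still seen once, and Elastic's deduplication keeps the overlap from producing duplicate alerts.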
Configuration
You must configure the integration in both Intel Exchange and Elastic before you can start ingesting and enriching threat intelligence.
Before you Start
Ensure you are using Kibana 8.18.0 or higher, or 9.0 or higher, for compatibility with the integration.
Ensure you have permissions to create and manage CTIX Integrators in Intel Exchange.
Ensure you can access Management > Integrations in Kibana to enable the integration.
Ensure you are operating within Elastic Cloud or Serverless for agentless setup, or have Elastic Agent installed for agent-based integrations.
To configure the Intel Exchange integration in Elastic, follow these steps:
In Intel Exchange, rules are automated tasks that execute actions when a trigger condition is met. Create a rule in the Intel Exchange application with the Save Result Set V3 action; the saved result set is the collection from which Elastic polls threat intel.
Before you Start
Ensure that you have the Create Rule, View Rule, and View & Update Rule permissions in Intel Exchange.
Steps
To create a rule, follow these steps:
Sign in to Intel Exchange.
From the Main Menu, select Rules under Actions.
Click New Rule.
Enter a Title and, as the rule description, the key details of what the rule does.
To make the rule easier to identify and categorize in Intel Exchange, add Tags.
Click Submit.
Define the Source and Collections for the rule to poll data for Elastic.
Define the Condition based on which the rule is triggered. For more information about defining sources, collections, and conditions, see Automation Rules.
Enter the following to define the action:
Select Save Result Set V3 as the action from the drop-down menu.
The Save Result Set V3 action stores the indicators selected by the rule in a result set within Intel Exchange, which acts as the collection that Elastic polls.
Select CTIX as the application from the drop-down menu.
Select an Account to specify the application instance to run the rule.
Select Tags to filter data in Intel Exchange.
Click Save.
To integrate Intel Exchange in Elastic, you require the API credentials of Intel Exchange.
Steps
To generate API credentials in Intel Exchange, follow these steps:
Sign in to Intel Exchange.
Go to Administration > Integration Management in Intel Exchange.
Under Third Party Developers, click CTIX Integrators.
Click Add New. Enter the following details:
Name: Enter a unique name for the API credentials.
Description: Enter a description for the credentials.
Expiry Date: Select an expiration date for the API key. Select Expires On to set a specific date, or select Never Expire to keep the credentials valid indefinitely. Prefer an expiry date and rotate the key: anyone holding the secret key can read every indicator the integrator exposes.
Click Add New.
Click Download to get the credentials (Access ID and Secret Key) in CSV format. You enter both values in Elastic in a later step, so store the file securely and delete it once the integration is configured.
Configure the Intel Exchange integration in Elastic so that Elastic polls threat intel from Intel Exchange.
Steps
To enable and configure the integration, follow these steps:
Sign in to Kibana.
Go to Management > Integrations.
Search and select Cyware Intel Exchange.
Click Add Cyware Intel Exchange.
Fill in the required details:
Integration settings: Enter the basic details to identify and manage the integration.
Integration name: Enter a unique name for the integration.
Description (Optional): Provide additional details about the integration.
Namespace: Optionally change the default namespace inherited from the parent agent policy. This also changes the integration's data stream name.
Output: Optionally change the default output inherited from the parent agent policy. This determines where the integration data is sent.
Deployment options: Choose a deployment method for the integration.
Agentless: Set up the integration without installing an agent.
Agent-based: Deploy an Elastic Agent into your cloud environment.
Collect Cyware Intel Exchange logs via API: Provide the API details to collect threat intel from Intel Exchange.
URL: Enter the tenant base URL, for example https://<tenant_code>.cyware.com/ctixapi.
Access ID: Enter the Intel Exchange access ID from the downloaded credentials.
Secret Key: Enter the Intel Exchange secret key from the downloaded credentials.
Initial Interval: How far back from the current time to fetch indicators on the first run. Supported units are h, m, and s.
Interval: How often to poll Intel Exchange for new indicators. Supported units are h, m, and s.
Preserve original event: Store a raw copy of the original event in the field event.original.
Advanced options: Configure additional settings to fine-tune API behavior.
Batch Size: Define the batch size for API responses.
Label Name: Fetch only those indicators that are tagged in Intel Exchange with the specified tag.
HTTP Client Timeout: Define the wait duration before timing out an HTTP request. Supported units are ns, us, ms, s, m, and h.
Enable request tracing: Enable request and response logging for debugging. Use only for troubleshooting, as it may expose sensitive data.
Preserve duplicate custom fields: Retain the duplicate ti_cyware_intel_exchange.indicator fields that are also mapped to Elastic Common Schema (ECS).
Tags: Assign custom tags on the Elastic side. These tags are attached to ingested events in Elastic for easier searching, filtering, and dashboard grouping.
Processors (Optional): Use processors to drop fields or add metadata before the events are parsed.
Proxy URL (Optional): Provide a proxy connection in the format http[s]://<user>:<password>@<server name/ip>:<port>. Ensure the credentials are URL encoded.
SSL configuration (Optional): Configure SSL settings if required.
Assign integration to hosts: Assign the integration to a new or existing agent policy.
New hosts: Create a new agent policy for a new set of hosts.
New agent policy name: Enter a name for the new policy.
Collect system logs and metrics: Select this option to collect system data.
Existing hosts: Assign the integration to an existing agent policy.
Agent policies: Select from the available policies.
Click Save and continue to complete the configuration.
Verify that Elastic is receiving threat intel from Intel Exchange.
Steps
To check the data stream, follow these steps:
Sign in to Kibana.
Go to Discover.
From the Data view selector, choose a logs data view, for example logs-*.
In the KQL bar, filter on event.dataset for the Intel Exchange dataset, ti_cyware_intel_exchange.indicator.
Set an appropriate time range and confirm that documents are present.
Expand a document to review the key fields under threat.indicator.*.
If you enabled Preserve original event, open event.original to view the raw payload as returned by the Intel Exchange API.
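A scripted version of this check is useful once the integration is in production, because "documents are present" does not tell you whether polling is still working. The following Python example is added here and is not code from Cyware or Elastic: it queries the data stream with an aggregation for per-type counts and the newest event.ingested timestamp, and flags the feed as stale when nothing has been ingested within two polling intervals. It assumes the default dataset name ti_cyware_intel_exchange.indicator, the standard data stream naming logs-<dataset>-<namespace>, and an Elasticsearch API key; the response at the bottom is constructed to look like an _search reply, not captured from a live cluster.

```python
"""Added verification check for the Intel Exchange data stream (not Cyware's or
Elastic's code). Assumptions: dataset ti_cyware_intel_exchange.indicator,
data stream logs-<dataset>-<namespace>, Elasticsearch API key auth.
SAMPLE_RESPONSE is constructed, not a real cluster reply."""
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

DATASET = "ti_cyware_intel_exchange.indicator"
INDEX_PATTERN = f"logs-{DATASET}-*"
POLL_INTERVAL = timedelta(hours=1)   # the Interval you configured in Elastic


def freshness_query(lookback: str = "24h") -> dict:
    """_search body: docs from the last `lookback`, per-type counts, and the
    newest event.ingested (when Elastic last wrote an indicator)."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"event.dataset": DATASET}},
            {"range": {"@timestamp": {"gte": f"now-{lookback}"}}},
        ]}},
        "aggs": {
            "by_type": {"terms": {"field": "threat.indicator.type", "size": 20}},
            "latest_ingest": {"max": {"field": "event.ingested"}},
        },
    }


def summarize(resp: dict, poll_interval: timedelta, now: datetime) -> dict:
    """Reduce the search response to a go/no-go summary. Stale means no
    document was ingested within two poll intervals (one missed poll is
    tolerated; two in a row is a problem)."""
    total = resp["hits"]["total"]["value"]
    by_type = {b["key"]: b["doc_count"]
               for b in resp["aggregations"]["by_type"]["buckets"]}
    latest_str = resp["aggregations"]["latest_ingest"].get("value_as_string")
    latest, stale = None, True
    if latest_str:
        latest = datetime.fromisoformat(latest_str.replace("Z", "+00:00"))
        stale = (now - latest) > 2 * poll_interval
    return {"total": total, "by_type": by_type, "latest_ingest": latest,
            "stale": stale, "ok": total > 0 and not stale}


def run_check(es_url: str, api_key: str, lookback: str = "24h") -> dict:
    """Run the query against a live cluster (needs network access)."""
    req = urllib.request.Request(
        f"{es_url.rstrip('/')}/{INDEX_PATTERN}/_search",
        data=json.dumps(freshness_query(lookback)).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"ApiKey {api_key}"})
    with urllib.request.urlopen(req, timeout=30) as r:
        return json.load(r)


# Constructed sample response shaped like an Elasticsearch _search reply.
SAMPLE_RESPONSE = {
    "hits": {"total": {"value": 1250, "relation": "eq"}},
    "aggregations": {
        "by_type": {"buckets": [
            {"key": "ipv4-addr", "doc_count": 700},
            {"key": "domain-name", "doc_count": 400},
            {"key": "url", "doc_count": 150},
        ]},
        "latest_ingest": {"value": 1714564800000.0,
                          "value_as_string": "2024-05-01T12:00:00.000Z"},
    },
}
SAMPLE_NOW = datetime(2024, 5, 1, 12, 30, tzinfo=timezone.utc)  # 30 min after last ingest

if __name__ == "__main__":
    live = bool(os.environ.get("ES_URL") and os.environ.get("ES_API_KEY"))
    resp = run_check(os.environ["ES_URL"], os.environ["ES_API_KEY"]) if live else SAMPLE_RESPONSE
    now = datetime.now(timezone.utc) if live else SAMPLE_NOW
    print(json.dumps(summarize(resp, POLL_INTERVAL, now), default=str, indent=2))
```

Set ES_URL and ES_API_KEY to run it against your cluster; without them it evaluates the constructed response. The staleness threshold is keyed to the Interval you configured, so change POLL_INTERVAL if you poll more or less often than hourly.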
The Intel Exchange app provides prebuilt dashboards in Elastic to graphically display retrieved threat intelligence indicators.
Steps
To view the Intel Exchange Indicator dashboard, follow these steps:
Sign in to Kibana.
In the left pane, select Dashboards.
Under Custom Dashboards, open [Logs Cyware Intel Exchange] Indicator.
You can refine the dashboard view using the following filters:
SDO Type: Filter indicators by STIX Domain Object type.
Indicator Type: Filter indicators by their specific artifact type.
Source Type: Filter indicators based on their originating source category in Intel Exchange.
The Intel Exchange Indicator dashboard displays:
Total Indicators: Displays the total number of threat indicators ingested from Intel Exchange.
Total Deprecated Indicators: Displays the count of indicators marked as deprecated in Intel Exchange.
Total Revoked Indicators: Displays the count of indicators marked as revoked in Intel Exchange. A revoked indicator is one that was unintentionally published or later identified as a false positive.
Indicators by Country Name: A geographic distribution of indicators based on country-related attributes.
Indicators Over Time: A time-series chart of indicator creation.
Indicators by CTIX Score: Breakdown of IOCs based on assigned risk scores.
Indicators by TLP: Distribution of IOCs across Traffic Light Protocol values.
Indicators by Type: Classification of IOCs by artifact type (domains, IPs, and URLs).
Top 10 Sources [Logs Cyware Intel Exchange]: Lists the top 10 sources reporting threat intelligence into Intel Exchange (visible when source data is available).
Indicators Essential Details [Logs Cyware Intel Exchange]: Provides detailed logs of all indicators ingested from Intel Exchange.