Integrate Intel Exchange
Intel Exchange is a smart, client-server threat intelligence platform (TIP) for ingestion, enrichment, analysis, and bi-directional sharing of threat data within your trusted network. Integrate Intel Exchange with Respond to access real-time, enriched threat data for better threat response.
Before You Start
Ensure that you have Create/Update permission to Configurations.
Ensure that you have the Intel Exchange API credentials.
Steps
Generate Intel Exchange API Credentials
To generate Intel Exchange API credentials, follow these steps:
Note: To generate API credentials for Intel Exchange, you must have Update Tool Integrations permission.
Sign in to Intel Exchange.
Go to Administration > Integration Management > Third Party Developers > CTIX Integrators.
Click Add New.
Enter the following details:
Name: Enter a unique name for the API integration.
Description: Enter a description for the API integration.
Expire Date: Select an expiry date for the open API keys. You can select Notify me before the expiration date to get notified through email about the expiration.
Associated User: Select a user to associate with the API credentials.
Note: The API credentials have the same permissions as the associated bot user. Ensure that you select a user who has admin-level permissions in CTIX.
Click Add New.
Ensure that you download the API credentials, as you cannot generate the same credentials again. Click Download to download the credentials in CSV format.
Configure Intel Exchange API Credentials in Respond
To configure the Intel Exchange API credentials in Respond, follow these steps:
Go to Admin Panel > Configurations > Integration > CTIX.
Click Edit and enter the Intel Exchange API credentials.
Enable CTIX by turning on the toggle.
Click Save.
To verify the integration, click Test Connection.
Map Data Fields
After integrating Intel Exchange with Respond, you can map the Intel Exchange threat data objects to Respond threat intel types. This enables Respond to identify threat objects and connect them to appropriate threat intel types in Threat Intel for an incident in Respond.
To map threat data, follow these steps:
Go to Admin Panel > Configurations > Integration > CTIX.
In Map Data Fields, click Edit.
Click Add Threat Intel.
In CFTR Threat Intel, select a threat intel type.
Under CTIX Objects, select a corresponding object type to map with the selected threat intel.
Click Save.
Update Data Fields Mapping
After mapping Respond and Intel Exchange data fields, you can update or delete the mappings.
Note: You cannot update or delete a mapping if the Intel Exchange objects of the mapping are already linked to an incident.
To update or delete the mappings, follow these steps:
Go to Admin Panel > Configurations > Integration > CTIX.
On Map Data Fields, click Edit.
To update a mapping, select the appropriate Threat Intel and CTIX Object.
To delete a mapping, click the Delete icon corresponding to the mapping.
Click Save. In the confirmation message, click Yes, Save.
Set Default TLP
You can configure the default TLP for threat intel added to Intel Exchange from Respond. By default, the TLP is set to amber, and you can update this based on your requirements.
Note: To ingest and enrich threat intel in Intel Exchange, you must first configure Process Intel. For more information, see Configure Process Intel.
To set the default TLP, follow these steps:
Note: This feature is available in Respond v3.4.7 (Early Access) onwards.
Go to Admin Panel > Configurations > Integration > CTIX.
In TLP Settings, click Edit and select the TLP using the dropdown.
Click Save. In the confirmation pop-up, click Yes, Save.