Cyware Intel Exchange Integration for Elastic

Stack 9.0.0 Serverless Observability Serverless Security

Cyware Intel Exchange is an intelligent client-server exchange that leverages advanced technologies like Artificial Intelligence and Machine Learning to automatically ingest, analyze, correlate and act upon the threat data ingested from multiple external sources and internally deployed security tools.

The Cyware Intel Exchange integration for Elastic allows you to collect logs using CTIX API v3, then visualise the data in Kibana.

The Cyware Intel Exchange integration is compatible with CTIX API version v3.

This integration periodically queries the CTIX API to retrieve Indicators of Compromise (IOCs).

This integration collects threat intelligence indicators into the following datasets:

• Indicator: This fetches all the saved result set data for conditional IOCs present in the application via Indicator endpoint.

Integrating Cyware Intel Exchange Indicator data streams with Elastic SIEM provides centralized visibility into threat intelligence indicators such as malicious IPs, domains, URLs, and file hashes. By correlating indicator metadata (including source, type, TLP markings, revocation/deprecation status, and provider context) within Elastic analytics, security teams can strengthen threat detection, accelerate incident triage, and enrich investigations. Dashboards in Kibana present breakdowns by indicator type, source, TLP, score, and trends over time — enabling faster detection of emerging threats, improved prioritization of high-risk indicators, and enhanced accountability across the threat intelligence lifecycle.

This integration installs Elastic latest transforms. For more details, check the Transform setup and requirements.

To collect data from the CTIX APIs, ensure that you have Create and Update permissions for CTIX Integrators.

1. Go to Administration > Integration Management.
2. In Third Party Developers, click CTIX Integrators.
3. Click Add New. Enter the following details:
   • Name: Enter a unique name for the API credentials up to 50 characters long.
   • Description: Enter a description for the credentials up to 1000 characters long.
   • Expiry Date: Select an expiry date for open API keys. To apply an expiration date for the credentials, you can select Expires On and select the date. To ensure the credentials never expire, you can select Never Expire.
4. Click Add New.
5. Click Download to download the API credentials in CSV format. You can also click Copy to copy the endpoint URL, secret key, and access ID.

For more details, refer to the Authentication documentation and the guide on how to Generate Open API Credentials.

This integration supports both Elastic Agentless-based and Agent-based installations.

Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to Agentless integrations and the Agentless integrations FAQ.

Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.

Elastic Agent must be installed. For more details, check the Elastic Agent installation instructions. You can install only one Elastic Agent per host.

1. In the top search bar in Kibana, search for Integrations.

2. In the search bar, type Cyware Intel Exchange.

3. Select the Cyware Intel Exchange integration from the search results.

4. Select Add Cyware Intel Exchange to add the integration.

5. Enable and configure only the collection methods which you will use.

   • To Collect Cyware Intel Exchange logs via API, you'll need to:

     • Configure URL, Access ID, and Secret Key.
     • Enable the Indicator dataset.
     • Adjust the integration configuration parameters if required, including the Initial Interval, Interval, Batch Size etc. to enable data collection.

6. Select Save and continue to save the integration.

1. In Kibana, navigate to Dashboards.
2. In the search bar, type Cyware Intel Exchange.
3. Select a dashboard for the dataset you are collecting, and verify the dashboard information is populated.

1. In Kibana, navigate to Management > Stack Management.
2. Under Data, select Transforms.
3. In the search bar, type Cyware Intel Exchange.
4. All transforms from the search results should indicate Healthy under the Health column.

For more information on architectures that can be used for scaling this integration, check the Ingest Architectures documentation.

{
    "@timestamp": "2025-06-30T10:28:16.273Z",
    "agent": {
        "ephemeral_id": "564d667a-00c9-4e00-9ab8-83d06a278a71",
        "id": "cbb58b66-1bb2-4d64-8aaa-7104d6d448d0",
        "name": "elastic-agent-48249",
        "type": "filebeat",
        "version": "8.18.0"
    },
    "data_stream": {
        "dataset": "ti_cyware_intel_exchange.indicator",
        "namespace": "57221",
        "type": "logs"
    },
    "ecs": {
        "version": "8.17.0"
    },
    "elastic_agent": {
        "id": "cbb58b66-1bb2-4d64-8aaa-7104d6d448d0",
        "snapshot": false,
        "version": "8.18.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "threat"
        ],
        "created": "2025-05-27T14:04:51.651Z",
        "dataset": "ti_cyware_intel_exchange.indicator",
        "id": "f36749f2-776f-4153-b840-08bad5fb18b1",
        "ingested": "2025-09-11T10:50:05Z",
        "kind": "enrichment",
        "original": "{\"analyst_score\":null,\"analyst_tlp\":null,\"country\":null,\"created\":1746812972,\"ctix_created\":1748354691.651628,\"ctix_modified\":1751279296.273555,\"ctix_score\":90,\"ctix_tlp\":null,\"custom_scores\":{\"x_ctix_customscore_2\":2},\"id\":\"f36749f2-776f-4153-b840-08bad5fb18b1\",\"indicator_type\":{\"attribute_field\":\"MD5\",\"type\":\"file\"},\"ioc_type\":\"file\",\"is_actioned\":false,\"is_deprecated\":false,\"is_false_positive\":false,\"is_reviewed\":false,\"is_revoked\":false,\"is_whitelist\":false,\"modified\":1748354676.716103,\"name\":\"e8c5c5829b630dcf61b55f271ac6c085\",\"sdo_name\":\"e8c5c5829b630dcf61b55f271ac6c085\",\"sdo_type\":\"indicator\",\"severity\":\"UNKNOWN\",\"source_tlp\":\"NONE\",\"sources\":[{\"first_seen\":1746812972,\"last_seen\":null,\"name\":\"Vault\",\"score\":100,\"tlp\":\"WHITE\"}],\"tags\":[\"brand impersonation\",\"cryptocurrency\",\"Apple\"],\"valid_from\":1746812972,\"valid_until\":null}",
        "severity": 99,
        "type": [
            "indicator"
        ]
    },
    "input": {
        "type": "cel"
    },
    "observer": {
        "product": "Threat Intelligence Management",
        "vendor": "Cyware"
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "ti_cyware_intel_exchange-indicator",
        "brand impersonation",
        "cryptocurrency",
        "Apple"
    ],
    "threat": {
        "indicator": {
            "first_seen": [
                "2025-05-09T17:49:32.000Z"
            ],
            "marking": {
                "tlp": [
                    "WHITE"
                ]
            },
            "modified_at": "2025-05-27T14:04:36.716Z",
            "name": [
                "e8c5c5829b630dcf61b55f271ac6c085"
            ],
            "provider": [
                "Vault"
            ],
            "type": "file"
        }
    },
    "ti_cyware_intel_exchange": {
        "indicator": {
            "created": "2025-05-09T17:49:32.000Z",
            "ctix_score": 90,
            "custom_scores": {
                "x_ctix_customscore_2": 2
            },
            "deleted_at": "2025-09-28T10:28:16.273Z",
            "indicator_type": {
                "attribute_field": "MD5",
                "type": "file"
            },
            "ioc_expiration_duration": "90d",
            "is_actioned": false,
            "is_deprecated": false,
            "is_false_positive": false,
            "is_reviewed": false,
            "is_revoked": false,
            "is_whitelist": false,
            "name": "e8c5c5829b630dcf61b55f271ac6c085",
            "sdo_name": "e8c5c5829b630dcf61b55f271ac6c085",
            "sdo_type": "indicator",
            "source_tlp": "NONE",
            "sources": [
                {
                    "score": 100
                }
            ],
            "tags_list": [
                "brand impersonation",
                "cryptocurrency",
                "Apple"
            ],
            "valid_from": "2025-05-09T17:49:32.000Z"
        }
    }
}
		

These inputs can be used in this integration:

• cel

This integration dataset uses the following API:

• Indicator: CTIX API.

Cyware Intel Exchange now support indicator expiration. The threat indicators are expired after the duration IOC Expiration Duration is configured in the integration setting. An Elastic Transform is created for every source index to make sure only active threat indicators are available to the end users. Each transform creates a destination index named logs-ti_cyware_intel_exchange_latest.dest_indicator-1* which only contains active and unexpired threat indicators. The indicator match rules and dashboards are updated to list only active threat indicators. Destination index is aliased to logs-ti_cyware_intel_exchange_latest.indicator.

To facilitate IoC expiration, source data stream-backed indices .ds-logs-ti_cyware_intel_exchange.indicator-* are allowed to contain duplicates from each polling interval. ILM policy logs-ti_cyware_intel_exchange.indicator-default_policy is added to these source indices, so it doesn't lead to unbounded growth. This means that in these source indices data will be deleted after 5 days from ingested date.

This integration includes one or more Kibana dashboards that visualizes the data collected by the integration. The screenshots below illustrate how the ingested data is displayed.

×