
Cyware Intel Exchange Integration for Elastic

Version: 0.2.0
Subscription level: Basic
Developed by: Elastic
Ingestion method(s): API
Minimum Kibana version(s): 9.0.0, 8.18.0

Cyware Intel Exchange is an intelligent client-server exchange that leverages advanced technologies like Artificial Intelligence and Machine Learning to automatically ingest, analyze, correlate and act upon the threat data ingested from multiple external sources and internally deployed security tools.

The Cyware Intel Exchange integration for Elastic allows you to collect logs using the CTIX API v3, then visualise the data in Kibana.

The Cyware Intel Exchange integration is compatible with CTIX API version v3.

This integration periodically queries the CTIX API to retrieve Indicators of Compromise (IOCs).

This integration collects threat intelligence indicators into the following datasets:

  • Indicator: Fetches all the saved result set data for conditional IOCs present in the application via the Indicator endpoint.

Integrating Cyware Intel Exchange Indicator data streams with Elastic SIEM provides centralized visibility into threat intelligence indicators such as malicious IPs, domains, URLs, and file hashes. By correlating indicator metadata (including source, type, TLP markings, revocation/deprecation status, and provider context) within Elastic analytics, security teams can strengthen threat detection, accelerate incident triage, and enrich investigations. Dashboards in Kibana present breakdowns by indicator type, source, TLP, score, and trends over time — enabling faster detection of emerging threats, improved prioritization of high-risk indicators, and enhanced accountability across the threat intelligence lifecycle.

This integration installs Elastic latest transforms. For more details, check the Transform setup and requirements.

To collect data from the CTIX APIs, ensure that you have Create and Update permissions for CTIX Integrators.

  1. Go to Administration > Integration Management.
  2. In Third Party Developers, click CTIX Integrators.
  3. Click Add New. Enter the following details:
    • Name: Enter a unique name for the API credentials, up to 50 characters long.
    • Description: Enter a description for the credentials, up to 1000 characters long.
    • Expiry Date: Select an expiry date for the open API keys. To apply an expiration date to the credentials, select Expires On and choose the date. To ensure the credentials never expire, select Never Expire.
  4. Click Add New.
  5. Click Download to download the API credentials in CSV format. You can also click Copy to copy the endpoint URL, secret key, and access ID.

For more details, refer to the Authentication documentation and the guide on how to Generate Open API Credentials.

This integration supports both Elastic Agentless-based and Agent-based installations.

Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to Agentless integrations and the Agentless integrations FAQ.

Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.

Elastic Agent must be installed. For more details, check the Elastic Agent installation instructions. You can install only one Elastic Agent per host.

  1. In the top search bar in Kibana, search for Integrations.

  2. In the search bar, type Cyware Intel Exchange.

  3. Select the Cyware Intel Exchange integration from the search results.

  4. Select Add Cyware Intel Exchange to add the integration.

  5. Enable and configure only the collection methods which you will use.

    • To Collect Cyware Intel Exchange logs via API, you'll need to:

      • Configure URL, Access ID, and Secret Key.
      • Enable the Indicator dataset.
      • Adjust the remaining configuration parameters (Initial Interval, Interval, Batch Size, and so on) if required to enable data collection.
  6. Select Save and continue to save the integration.

  1. In Kibana, navigate to Dashboards.
  2. In the search bar, type Cyware Intel Exchange.
  3. Select a dashboard for the dataset you are collecting, and verify the dashboard information is populated.

  1. In Kibana, navigate to Management > Stack Management.
  2. Under Data, select Transforms.
  3. In the search bar, type Cyware Intel Exchange.
  4. All transforms from the search results should indicate Healthy under the Health column.

For more information on architectures that can be used for scaling this integration, check the Ingest Architectures documentation.

Exported fields
Field | Description | Type
@timestamp | Event timestamp. | date
data_stream.dataset | Data stream dataset. | constant_keyword
data_stream.namespace | Data stream namespace. | constant_keyword
data_stream.type | Data stream type. | constant_keyword
event.dataset | Event dataset. | constant_keyword
event.module | Event module. | constant_keyword
input.type | Type of Filebeat input. | keyword
labels.is_transform_source | Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering. | constant_keyword
log.offset | Log offset. | long
observer.product | | constant_keyword
observer.vendor | | constant_keyword
ti_cyware_intel_exchange.indicator.analyst_description | | keyword
ti_cyware_intel_exchange.indicator.analyst_score | | long
ti_cyware_intel_exchange.indicator.analyst_tlp | | keyword
ti_cyware_intel_exchange.indicator.country | | keyword
ti_cyware_intel_exchange.indicator.created | | date
ti_cyware_intel_exchange.indicator.ctix_created | | date
ti_cyware_intel_exchange.indicator.ctix_modified | | date
ti_cyware_intel_exchange.indicator.ctix_score | | long
ti_cyware_intel_exchange.indicator.ctix_tlp | | keyword
ti_cyware_intel_exchange.indicator.custom_attributes | | flattened
ti_cyware_intel_exchange.indicator.custom_scores | | flattened
ti_cyware_intel_exchange.indicator.deleted_at | The indicator expiration timestamp. | date
ti_cyware_intel_exchange.indicator.external_references | | flattened
ti_cyware_intel_exchange.indicator.id | | keyword
ti_cyware_intel_exchange.indicator.indicator_type.attribute_field | | keyword
ti_cyware_intel_exchange.indicator.indicator_type.type | | keyword
ti_cyware_intel_exchange.indicator.ioc_expiration_duration | The configured expiration duration. | keyword
ti_cyware_intel_exchange.indicator.ioc_type | | keyword
ti_cyware_intel_exchange.indicator.ip | | ip
ti_cyware_intel_exchange.indicator.is_actioned | | boolean
ti_cyware_intel_exchange.indicator.is_deprecated | Returns a value to indicate if the threat data object is deprecated. | boolean
ti_cyware_intel_exchange.indicator.is_false_positive | Returns a value to indicate if the object is a false positive. | boolean
ti_cyware_intel_exchange.indicator.is_reviewed | | boolean
ti_cyware_intel_exchange.indicator.is_revoked | | boolean
ti_cyware_intel_exchange.indicator.is_whitelist | Returns a value to indicate if the threat data object is whitelisted. | boolean
ti_cyware_intel_exchange.indicator.modified | | date
ti_cyware_intel_exchange.indicator.name | | keyword
ti_cyware_intel_exchange.indicator.report_types | | keyword
ti_cyware_intel_exchange.indicator.sdo_ip | | ip
ti_cyware_intel_exchange.indicator.sdo_name | | keyword
ti_cyware_intel_exchange.indicator.sdo_type | | keyword
ti_cyware_intel_exchange.indicator.severity | | keyword
ti_cyware_intel_exchange.indicator.source_description | | keyword
ti_cyware_intel_exchange.indicator.source_tlp | | keyword
ti_cyware_intel_exchange.indicator.sources.first_seen | | date
ti_cyware_intel_exchange.indicator.sources.last_seen | | date
ti_cyware_intel_exchange.indicator.sources.name | | keyword
ti_cyware_intel_exchange.indicator.sources.score | | long
ti_cyware_intel_exchange.indicator.sources.tlp | | keyword
ti_cyware_intel_exchange.indicator.tags_list | | keyword
ti_cyware_intel_exchange.indicator.tags_object | | flattened
ti_cyware_intel_exchange.indicator.tlp_value | Returns the TLP value associated with the threat data object. | keyword
ti_cyware_intel_exchange.indicator.valid_from | | date
ti_cyware_intel_exchange.indicator.valid_until | | date
Example
{
    "@timestamp": "2025-06-30T10:28:16.273Z",
    "agent": {
        "ephemeral_id": "564d667a-00c9-4e00-9ab8-83d06a278a71",
        "id": "cbb58b66-1bb2-4d64-8aaa-7104d6d448d0",
        "name": "elastic-agent-48249",
        "type": "filebeat",
        "version": "8.18.0"
    },
    "data_stream": {
        "dataset": "ti_cyware_intel_exchange.indicator",
        "namespace": "57221",
        "type": "logs"
    },
    "ecs": {
        "version": "8.17.0"
    },
    "elastic_agent": {
        "id": "cbb58b66-1bb2-4d64-8aaa-7104d6d448d0",
        "snapshot": false,
        "version": "8.18.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "threat"
        ],
        "created": "2025-05-27T14:04:51.651Z",
        "dataset": "ti_cyware_intel_exchange.indicator",
        "id": "f36749f2-776f-4153-b840-08bad5fb18b1",
        "ingested": "2025-09-11T10:50:05Z",
        "kind": "enrichment",
        "original": "{\"analyst_score\":null,\"analyst_tlp\":null,\"country\":null,\"created\":1746812972,\"ctix_created\":1748354691.651628,\"ctix_modified\":1751279296.273555,\"ctix_score\":90,\"ctix_tlp\":null,\"custom_scores\":{\"x_ctix_customscore_2\":2},\"id\":\"f36749f2-776f-4153-b840-08bad5fb18b1\",\"indicator_type\":{\"attribute_field\":\"MD5\",\"type\":\"file\"},\"ioc_type\":\"file\",\"is_actioned\":false,\"is_deprecated\":false,\"is_false_positive\":false,\"is_reviewed\":false,\"is_revoked\":false,\"is_whitelist\":false,\"modified\":1748354676.716103,\"name\":\"e8c5c5829b630dcf61b55f271ac6c085\",\"sdo_name\":\"e8c5c5829b630dcf61b55f271ac6c085\",\"sdo_type\":\"indicator\",\"severity\":\"UNKNOWN\",\"source_tlp\":\"NONE\",\"sources\":[{\"first_seen\":1746812972,\"last_seen\":null,\"name\":\"Vault\",\"score\":100,\"tlp\":\"WHITE\"}],\"tags\":[\"brand impersonation\",\"cryptocurrency\",\"Apple\"],\"valid_from\":1746812972,\"valid_until\":null}",
        "severity": 99,
        "type": [
            "indicator"
        ]
    },
    "input": {
        "type": "cel"
    },
    "observer": {
        "product": "Threat Intelligence Management",
        "vendor": "Cyware"
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "ti_cyware_intel_exchange-indicator",
        "brand impersonation",
        "cryptocurrency",
        "Apple"
    ],
    "threat": {
        "indicator": {
            "first_seen": [
                "2025-05-09T17:49:32.000Z"
            ],
            "marking": {
                "tlp": [
                    "WHITE"
                ]
            },
            "modified_at": "2025-05-27T14:04:36.716Z",
            "name": [
                "e8c5c5829b630dcf61b55f271ac6c085"
            ],
            "provider": [
                "Vault"
            ],
            "type": "file"
        }
    },
    "ti_cyware_intel_exchange": {
        "indicator": {
            "created": "2025-05-09T17:49:32.000Z",
            "ctix_score": 90,
            "custom_scores": {
                "x_ctix_customscore_2": 2
            },
            "deleted_at": "2025-09-28T10:28:16.273Z",
            "indicator_type": {
                "attribute_field": "MD5",
                "type": "file"
            },
            "ioc_expiration_duration": "90d",
            "is_actioned": false,
            "is_deprecated": false,
            "is_false_positive": false,
            "is_reviewed": false,
            "is_revoked": false,
            "is_whitelist": false,
            "name": "e8c5c5829b630dcf61b55f271ac6c085",
            "sdo_name": "e8c5c5829b630dcf61b55f271ac6c085",
            "sdo_type": "indicator",
            "source_tlp": "NONE",
            "sources": [
                {
                    "score": 100
                }
            ],
            "tags_list": [
                "brand impersonation",
                "cryptocurrency",
                "Apple"
            ],
            "valid_from": "2025-05-09T17:49:32.000Z"
        }
    }
}

These inputs can be used in this integration: cel (the input type recorded in input.type of the example event above).

This integration dataset uses the following API: CTIX API v3 (Indicator endpoint).

Cyware Intel Exchange now supports indicator expiration. Threat indicators expire after the duration configured in the IOC Expiration Duration integration setting. An Elastic Transform is created for every source index to make sure only active threat indicators are available to end users. Each transform creates a destination index named logs-ti_cyware_intel_exchange_latest.dest_indicator-1* which contains only active and unexpired threat indicators. The indicator match rules and dashboards are updated to list only active threat indicators. The destination index is aliased to logs-ti_cyware_intel_exchange_latest.indicator.

To facilitate IoC expiration, the source data stream-backed indices .ds-logs-ti_cyware_intel_exchange.indicator-* are allowed to contain duplicates from each polling interval. The ILM policy logs-ti_cyware_intel_exchange.indicator-default_policy is added to these source indices so that they do not grow without bound: data in these source indices is deleted 5 days after the ingested date.
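The following Python is an added illustration, not the integration's own ingest pipeline or transform code: it maps a constructed CTIX indicator record (modelled on the event.original string in the example event above) onto the ECS and ti_cyware_intel_exchange fields shown there, derives deleted_at from ctix_modified plus the IOC Expiration Duration, and applies an is_active filter in the spirit of the latest transform. Treating "active" as unexpired and neither revoked nor deprecated, and the "90d" duration grammar, are assumptions of this example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed CTIX indicator record, modelled on the event.original string in the
# sample event above; only the fields this example maps are included.
CTIX_RECORD = json.dumps({
    "ctix_modified": 1751279296.273555,
    "indicator_type": {"attribute_field": "MD5", "type": "file"},
    "is_deprecated": False, "is_revoked": False,
    "name": "e8c5c5829b630dcf61b55f271ac6c085",
    "sources": [{"first_seen": 1746812972, "name": "Vault", "score": 100, "tlp": "WHITE"}],
})

def parse_duration(text):
    """Parse an expiration duration such as the integration's '90d' setting (assumed grammar)."""
    return timedelta(**{{"d": "days", "h": "hours", "m": "minutes"}[text[-1]]: int(text[:-1])})

def epoch_to_dt(epoch):
    """CTIX epoch seconds (possibly fractional) -> aware UTC datetime."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc)

def fmt(dt):
    """Aware UTC datetime -> ECS-style timestamp with millisecond precision."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"

def parse_iso(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))  # inverse of fmt()

def to_ecs(raw, expiration="90d"):
    """Map one CTIX record to the ECS / ti_cyware_intel_exchange fields shown above."""
    rec = json.loads(raw)
    modified = epoch_to_dt(rec["ctix_modified"])  # becomes @timestamp
    return {
        "@timestamp": fmt(modified),
        "threat.indicator.type": rec["indicator_type"]["type"],
        "threat.indicator.name": rec["name"],
        "threat.indicator.provider": [s["name"] for s in rec["sources"]],
        "threat.indicator.marking.tlp": [s["tlp"] for s in rec["sources"]],
        "threat.indicator.first_seen": [fmt(epoch_to_dt(s["first_seen"])) for s in rec["sources"]],
        # Expiry (deleted_at) = modification time + configured IOC Expiration Duration.
        "ti_cyware_intel_exchange.indicator.deleted_at": fmt(modified + parse_duration(expiration)),
        "ti_cyware_intel_exchange.indicator.is_revoked": rec["is_revoked"],
        "ti_cyware_intel_exchange.indicator.is_deprecated": rec["is_deprecated"],
    }

def is_active(doc, now_iso):
    """Unexpired and (an assumption of this example) neither revoked nor deprecated."""
    p = "ti_cyware_intel_exchange.indicator."
    return (not doc[p + "is_revoked"] and not doc[p + "is_deprecated"]
            and parse_iso(now_iso) < parse_iso(doc[p + "deleted_at"]))
```

With the default 90d setting the computed deleted_at matches the value in the example event, and an indicator checked at the example's ingestion time is active while one checked after 28 September 2025 is not.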

This integration includes one or more Kibana dashboards that visualize the data collected by the integration. The screenshots below illustrate how the ingested data is displayed.

Indicator Dashboard
Changelog

Version 0.2.0 (minimum Kibana version 9.0.0, 8.18.0)
  • Enhancement (View pull request): Update documentation and add "IOC Expiration Duration" configuration parameter.
  • Bug fix (View pull request): Fix type of ti_cyware_intel_exchange.indicator.external_references field in transform field definitions.
  • Bug fix (View pull request): Fix handling of ti_cyware_intel_exchange.indicator.custom_scores.
  • Breaking change (View pull request): Change type of ti_cyware_intel_exchange.indicator.custom_scores from long to flattened.

Version 0.1.0 (minimum Kibana version 9.0.0, 8.18.0)
  • Enhancement (View pull request): Initial release.
