Create Threat Intel
In the Member Portal, you can create threat intel reports and submit them to analysts. Analysts can review the intel and subsequently publish it as alerts.
If the automated flow is enabled for your tenant, you can directly share intel as alerts without analyst review. For more information, contact your administrator.
Note
If you want to scan an external web page to detect and extract threat data objects to create intel in Collaborate, you can configure the Cyware Threat Intel Crawler browser extension.
Steps
To share threat intel, follow these steps:
In the Member Portal, click New > Threat Intel. Alternatively, you can click the side menu bar and click Share Threat Intel > Create.
Select the category of the intel that you are creating. The fields displayed depend on the category you select. Use the following information when filling in the threat intel form:
Title: Enter a title of up to 150 characters.
Description: Enter the description. If you are adding Indicators of Compromise (IOCs) to the description, you can choose to fang or defang them using the Fang Defang option before submitting.
TLP: Select a TLP for the intel.
Share with: If direct sharing of intel is enabled for you, you can directly share the intel as an alert to other members. The recipient groups are displayed based on the TLP you select.
Note
Each recipient group is linked to a TLP, configured by analysts in the Analyst Portal. When you select a specific TLP, you can view a list of recipient groups whose TLPs are equal to or higher than the selected TLP. For example, if you choose TLP: AMBER, you can view recipient groups with TLPs of RED, AMBER+STRICT, and AMBER. Similarly, selecting TLP: CLEAR will display recipient groups with TLPs of RED, AMBER+STRICT, AMBER, GREEN, and CLEAR.
For the direct sharing of intel as an alert, one of these options for recipients is available to you:
Recipient groups only: Select the recipient groups with whom you want to share the intel as an alert. You can choose from the list of all the recipient groups you belong to.
Recipient groups or your organization: Select if you want to share the intel with the recipient groups, or with the organization you belong to.
Recipient groups or all organizations: Select if you want to share the intel with the recipient groups you belong to, or with all organizations in the Member Portal.
(Optional) Enter Additional Info. The fields available in this section are based on the configuration in the Analyst Portal.
(Optional) Add Attachments to support the intel. Attachments are supporting pieces of information that are relevant to the intel and can help in the incident investigation.
For example, incidents involving computers and networks may have documentable evidence such as IOCs, screenshots, forensic details, and logs. This evidence can help in the investigation and eradication of an incident. The maximum file size for attachments is 20 MB. You can add up to 10 attachments simultaneously.
View Preview to view and check the details provided in the threat intel form.
Click Submit.
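The title and attachment limits and the TLP rule for recipient groups from the steps above, written as a pre-submission check. This is an added example, not Cyware code or a Collaborate API; the group names, the draft dictionary layout, and the reading of 20 MB as a decimal per-file limit are assumptions.

```python
# Added example: models the form rules on this page; not Cyware code.
# Least to most restrictive, matching the page's TLP examples.
TLP_ORDER = ("CLEAR", "GREEN", "AMBER", "AMBER+STRICT", "RED")
MAX_TITLE_CHARS = 150
MAX_ATTACHMENTS = 10
MAX_ATTACHMENT_BYTES = 20 * 1000 * 1000  # assumption: decimal MB, per file


def tlp_rank(label):
    """Rank a label such as 'TLP: AMBER', 'tlp:amber+strict' or 'RED'."""
    name = label.upper().replace(" ", "")
    if name.startswith("TLP:"):
        name = name[4:]
    if name not in TLP_ORDER:
        raise ValueError(f"unknown TLP label: {label!r}")
    return TLP_ORDER.index(name)


def eligible_groups(selected_tlp, groups):
    """Groups whose TLP is equal to or higher than the selected TLP."""
    floor = tlp_rank(selected_tlp)
    return sorted(g for g, tlp in groups.items() if tlp_rank(tlp) >= floor)


def check_draft(draft, groups):
    """Return a list of problems; an empty list means the draft passes."""
    problems = []
    if len(draft["title"]) > MAX_TITLE_CHARS:
        problems.append("title longer than 150 characters")
    sizes = draft.get("attachment_sizes", [])
    if len(sizes) > MAX_ATTACHMENTS:
        problems.append("more than 10 attachments")
    if any(size > MAX_ATTACHMENT_BYTES for size in sizes):
        problems.append("attachment larger than 20 MB")
    # Sharing with a lower-TLP group would widen distribution of the intel.
    allowed = set(eligible_groups(draft["tlp"], groups))
    for g in draft.get("share_with", []):
        if g not in allowed:
            problems.append(f"group {g!r} is not available at {draft['tlp']}")
    return problems


# Constructed sample data: group names and their TLPs are hypothetical.
GROUPS = {"ISAC-Core": "RED", "SOC-Leads": "AMBER+STRICT", "Members": "AMBER",
          "Partners": "GREEN", "Public-Feed": "CLEAR"}

if __name__ == "__main__":
    print(eligible_groups("TLP: AMBER", GROUPS))
```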
Manage Submitted Intel
After submitting threat intel, you can view whether your submission was approved, rejected, or reverted. Go to Share Threat Intel from the main menu.
Approved: View all the intel you submitted that has been approved by analysts.
Rejected: View all the submissions that were rejected by analysts. You can also view the rejection comment from the analysts to gain more insight into why the intel was rejected.
Reverted: Analysts can revert intel submissions to you when they want additional information about the threat intelligence. You can view the revert comment from the analyst. You have the option to edit reverted intel by clicking Edit Intel.
Drafted: View all intel submissions that you saved as drafts. When you click Save as Draft while submitting threat intel, the draft is available in this section.
Note
While you are editing intel that is in drafts or has been reverted, any changes in the permissions for recipient groups may result in one or more groups being added to or removed from your intel submission form.