Add Indicators to the Alert
Analysts can add threat indicators such as URLs, IPs, domains, hashes, and emails to provide context to the alert. This helps members respond to existing or potential cyber threats. The Indicators section is mapped to the category selected for the alert. Administrators can map the Threat Indicators text box to categories from Settings. See Create Custom Alert Categories.
Note
Use the following section to manually add indicators to the alert. If you have a file containing indicators, attach the file in the Attachments section instead. To know more about this, see Add Attachments to the Alert. After the indicators are extracted from the file, they are visible in the Indicators section.
Before you Start
Add required information such as alert title, summary, TLP, and category.
Steps
To add indicators while creating alerts, follow these steps:
In the alert creation form, click Indicators.
Add indicators to the alert. Use the following information while adding indicators:
Threat Indicators: Add IOCs in the threat indicators field. Enter IP addresses, URLs, hashes, and other IOCs. Click Visible to Members to show indicators to members.
Click Defang to add characters to an IOC so that it is no longer a live link and cannot cause harm if members unintentionally click it in the shared alert. If you are pasting URLs, clear their formatting first to ensure proper defanging. For example, the IP address 192.158.1.38 becomes 192[.]158[.]1[.]38 after it is defanged. Similarly, https://example.com becomes hXXps[:]//example[.]com after it is defanged.
If you do not want to defang the IOC, click Fang. By default, IOCs are fanged.
Parse Indicators: Click Parse Indicators to parse the indicators and check whether they are on the allowed list or the blocked list of the Analyst and Member Portal. By default, any indicator that has not already been added is placed on the blocked list. After parsing, you can view the total count of successfully parsed indicators in the Parsed Indicators section.
In Collaborate, the indicator types supported for parsing from the Threat Indicators section are IPv6, IPv4, IPv4 CIDR, email ID, domain, URL, CVE, MD5, SHA1, SHA256, SHA224, SHA384, SHA512, ssdeep, file path, Windows registry key, autonomous system, directory, and MAC address.
Note
While creating alerts from member intel submissions, you can parse IOCs extracted from attachments in the Indicators section. For more information, see Add Attachments to the Alert.
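The defanging rules shown above (dots to `[.]`, `https://` to `hXXps[:]//`) and the type detection that Parse Indicators performs, as an added illustration that is not Collaborate's own code: the functions below classify a few of the listed indicator types, defang and re-fang them, and process a pasted Threat Indicators box. Type names, the `SAMPLE` paste and the regular expressions are this example's own assumptions, and only IP, CIDR, hash, CVE, email, URL and domain types are handled.

```python
import ipaddress
import re
# Hash type by hex-digest length, covering the digest types the parser accepts
HASH_LENGTHS = {32: "md5", 40: "sha1", 56: "sha224", 64: "sha256", 96: "sha384", 128: "sha512"}

def classify(ioc):
    """Return the indicator type of one fanged IOC (a subset of the types the page lists)."""
    try:
        net = ipaddress.ip_network(ioc, strict=False)
        if net.version == 4:
            return "ipv4_cidr" if "/" in ioc else "ipv4"
        return "ipv6"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]+", ioc) and len(ioc) in HASH_LENGTHS:
        return HASH_LENGTHS[len(ioc)]
    if re.fullmatch(r"CVE-\d{4}-\d{4,}", ioc, re.IGNORECASE):
        return "cve"
    if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", ioc):
        return "email"
    if re.fullmatch(r"[a-z][a-z0-9+.-]*://\S+", ioc, re.IGNORECASE):
        return "url"
    if re.fullmatch(r"([a-z0-9-]+\.)+[a-z]{2,}", ioc, re.IGNORECASE):
        return "domain"
    return "unknown"

def defang(ioc):
    """Make an IOC unclickable: http(s):// -> hXXp(s)[:]//, every dot -> [.],
    matching the page's examples 192[.]158[.]1[.]38 and hXXps[:]//example[.]com."""
    ioc = re.sub(r"^(h)ttp(s?)://", r"\1XXp\2[:]//", ioc, flags=re.IGNORECASE)
    return ioc.replace(".", "[.]")

def fang(ioc):
    """Reverse defang() so an already-defanged paste is still parsed correctly."""
    ioc = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hXXp(s?)", r"http\1", ioc, flags=re.IGNORECASE)

def parse_indicators(text):
    """Turn a pasted Threat Indicators box into (type, fanged, defanged) rows,
    skipping blank lines and duplicates (fanged and defanged forms count once)."""
    seen, rows = set(), []
    for line in text.splitlines():
        raw = fang(line.strip())
        if not raw or raw in seen:
            continue
        seen.add(raw)
        rows.append((classify(raw), raw, defang(raw)))
    return rows

# Constructed sample paste (not from the page), mixing fanged and defanged input
SAMPLE = "192.158.1.38\n192[.]158[.]1[.]38\nhXXps[:]//example[.]com\n\nCVE-2021-44228\n"
```

Calling `parse_indicators(SAMPLE)` yields three rows, because the defanged copy of the IP address is recognised as a duplicate of the fanged one.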
Attach Blocked IOCs: Attach blocked IOCs as CSV, XML, and JSON attachments to the alert. Members can download the blocked indicators as files to their computers from the alert.
Additional Indicators: Add email descriptions and email subjects as IOCs in this field. From the dropdown, select your preference, enter the content, and click Add. After adding, you can view the total count of successfully added indicators in the Additionally Parsed Indicators section. By default, the email subjects and descriptions you add will be considered blocked indicators.
Note
If you post the alert to Intel Exchange, some indicator types such as SHA-224, SHA-384, ssdeep, file path, Windows registry key, autonomous system, directory, and MAC addresses may not ingest correctly. Upgrading to Intel Exchange v3.6.2.1 will ensure proper handling of these indicators.
Related Alerts for IOCs: View alerts related to the parsed IOCs. After parsing an IOC, click View Related Alerts to view all published alerts with the same parsed IOC.
After adding indicators, the next step is to add recipients to the alert. To know more about this, see Add Recipients to the Alert.