Cyware Situational Awareness Platform

Add Indicators to the Alert

Analysts can add threat indicators such as URLs, IPs, domains, hashes, and emails to provide context to the alert. This helps members to respond to existing or potential cyber threats. The Indicators section is mapped to the category selected for the alert. Administrators can map the Threat Indicators text box to categories from Settings. See Create Custom Alert Categories.

Note

Use the following section to manually add indicators to the alert. However, if you have a file containing indicators, attach the file in the Attachments section. To know more about this, see Add Attachments to the Alert. After the indicators are extracted, they are visible in the Indicators section.

Before you Start

Add required information such as alert title, summary, TLP, and category.

Steps

To add indicators while creating alerts, do the following:

  1. In the alert creation form, click Indicators.

  2. Add indicators to the alert. Use the following information while adding indicators:

    • Threat Indicators: Add IOCs in the threat indicators field. Enter IP addresses, URLs, hashes, and other IOCs. Click Visible to Members to show indicators to members. By default, they are hidden from members.

      Click Defang to add text to an IOC so that it cannot be opened as a live link when members unintentionally click it in the shared alert. To ensure proper defanging, clear formatting if you are pasting URLs. For example, IP address 192.158.1.38 becomes 192[.]158[.]1[.]38 after it is defanged. Similarly, https://example.com becomes hXXps[:]//example[.]com after it is defanged.

      If you do not want to defang the IOC, click Fang. By default, IOCs are fanged.

    • Parse Indicators: Click Parse Indicators to verify if any of the indicators are allowed or blocked on the Analyst Portal and the Member Portal. In Collaborate, the supported indicators that can be parsed are IPv6, IPv4, IPv4 CIDR, email, domain, URL, CVE, SHA, SHA256, and MD5.

      Note

      While creating alerts from member intel submissions, you can parse IOCs extracted from attachments in the Indicators section. For more information, see Add Attachments to the Alert.

    • Attach Blocked IOCs: Attach blocked IOCs as CSV, XML, and JSON attachments to the alert. Members can download the blocked indicators as files to their computers from the alert.

    • Related Alerts for IOCs: View alerts related to the parsed IOCs. After parsing an IOC, click Related Alerts to view all published alerts with the same parsed IOC.

  3. After adding indicators, the next step is to add recipients to the alert. To know more about this, see Add Recipients to the Alert.
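The defang and fang behaviour described in step 2 (192.158.1.38 to 192[.]158[.]1[.]38, https://example.com to hXXps[:]//example[.]com), shown as an added Python example that is not Cyware's own code; it assumes a hypothetical alert text and that hashes and other dot-free indicators need no defanging, and it also handles the sentence punctuation that the page tells you to clear before pasting.

```python
import re

# Added example, not Cyware's own code: defang and re-fang indicators using the
# notation this page shows, so that IOCs pasted into an alert are not live
# links when members read it. Hashes and CVE ids contain no dots or scheme and
# are left untouched, matching how the page only defangs IPs, domains and URLs.

SCHEME_RE = re.compile(r"^htt(ps?)://", re.IGNORECASE)               # http:// or https://
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")       # IPv4 or IPv4 CIDR
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?:[/?#].*)?$", re.IGNORECASE)
TRAILING_RE = re.compile(r"^(.*?)([.,;:)]*)$")  # sentence punctuation glued to an IOC

# Constructed sample alert text (hypothetical, not from the page).
SAMPLE_ALERT = ("Beacon to 192.158.1.38 and https://example.com/login.php, "
                "hash d41d8cd98f00b204e9800998ecf8427e.")


def is_fanged_ioc(token: str) -> bool:
    """True for a live URL, IPv4/CIDR or domain; hashes, CVE ids and plain words are not."""
    return bool(SCHEME_RE.match(token) or IPV4_RE.match(token) or DOMAIN_RE.match(token))


def defang_token(token: str) -> str:
    """https://example.com -> hXXps[:]//example[.]com ; 192.158.1.38 -> 192[.]158[.]1[.]38"""
    token = SCHEME_RE.sub(lambda m: f"hXX{m.group(1)}[:]//", token)  # scheme first
    return token.replace(".", "[.]")                                  # then every dot


def defang(text: str) -> str:
    """Defang each IOC-looking token; ordinary words and sentence periods are untouched."""
    out = []
    for token in text.split(" "):
        core, tail = TRAILING_RE.match(token).groups()
        out.append((defang_token(core) if is_fanged_ioc(core) else core) + tail)
    return " ".join(out)


def fang(text: str) -> str:
    """Reverse of defang, for feeding an IOC to a tool that expects the raw form."""
    text = re.sub(r"hxx(ps?)\[:\]//", r"htt\1://", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".")


if __name__ == "__main__":
    print(defang(SAMPLE_ALERT))
    print(fang(defang(SAMPLE_ALERT)) == SAMPLE_ALERT)
```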