View Alerts
Use the following sections to learn more about the alerts displayed in the alert list and on the alert details page:
View Alerts in Channels
Alerts are displayed and grouped according to the channels they belong to. Channels group alerts based on info sources, recipients, and tags. Click All to view all alerts created in the Analyst Portal. To know more about channels, see Create a Channel in the Analyst Portal.
View Alert List
The alert list displays the following information:
Alert ID: View the unique alert ID. Click to open the alert details page.
Title: View the alert title that is added during alert creation. Both analysts and members can use keywords in the alert title to search for the alert.
Category: View the categories assigned to alerts published from the Analyst Portal. Examples include Cyber Incident, Malware Advisories, and Informational.
TLP: View the Traffic Light Protocol (TLP) level associated with the alert. An alert can be associated with only one TLP level.
Publisher: View the name of the alert publisher.
Last Updated: View the date and time the alert was last published, edited, or updated.
Status: View the status of the alert. Alerts can have the following statuses:
PUBLISHED: Indicates published alerts. Alerts that are edited within an hour of publishing also have the status PUBLISHED.
DRAFTED: Indicates alerts saved as drafts. In the alert creation form, when you click Save as Draft, the alert is saved as a draft.
EXPIRED: Indicates alerts that are expired. The alert is deactivated and can no longer be edited or published.
SUBMITTED: Indicates alerts that are submitted by creators for review.
SCHEDULED: Indicates alerts that are scheduled to be published at a specified time.
REVERTED: Indicates alerts that are reverted to creators by publishers while reviewing.
Mobile: Indicates whether mobile notifications are enabled for the alert.
Email: Indicates whether email notifications are enabled for the alert.
Search and Filter Alerts
You can find specific alerts by searching with keywords and applying filters to narrow down the alert list. Combining search and filters helps you quickly locate relevant alerts.
You can refine the alert list using the following filters:
Filter | Description |
---|---|
ATT&CK Matrix | Choose from Enterprise, Mobile, or ICS in the MITRE ATT&CK framework to filter alerts. This filter is available only if the feature is enabled. For more information, see Configure Collaborate Features. |
Announcement Type | Choose from predefined announcement types such as Report, Information, News, Advisory, or more to filter alerts. |
Campaign | Choose from available campaigns to filter alerts associated with specific threat campaigns. |
Category | Choose one or more system-defined or custom categories to filter alerts. |
Confidence | Choose confidence levels to filter alerts based on the assessed reliability of the information. |
Creator | Choose from the list of users to filter alerts by the analyst or system that created them. |
Credibility | Choose from values such as Verified, Unknown, Suspect, or more to filter alerts by the believability of the information. |
Cyber Threat Type | Choose from predefined threat types such as Malware, Phishing, or more to filter alerts. For example, select Ransomware to quickly locate alerts related to ransomware activity. |
Detection Method | Choose from detection methods such as AV Logs, Audit, Customer, or more to filter alerts. For example, select Employee Reports to focus on alerts raised by internal staff. |
Document Type | Select a document type to narrow your search. For example, select Cyber Security Best Practices to focus on recommended security measures. |
Exploit Likelihood | Filter alerts based on the assessed chance of exploitation. |
Exploited Wild | Filter alerts by whether the related vulnerability is actively being used in real-world attacks. |
Info Source | Choose the origin of the alert to quickly narrow down alerts from specific intelligence providers or organizations. |
Kill Chain Phase | Filter alerts by the stage of the attack lifecycle, such as Reconnaissance or Command and Control, to focus on threats at specific phases. |
Locations | Filter alerts based on geographical locations. You can search by country, state, city, or site to narrow down alert results. |
Number of Systems Affected | Filter alerts based on the number of systems or computers affected by a threat or incident. |
Organizations | Filter alerts based on the organizations associated with alert recipients. |
Physical Threat Type | Filter alerts by the type of physical security threat, which may impact people, resources, or infrastructure. |
Priority | Filter alerts based on their priority level. Higher numbers indicate alerts that require greater attention and faster handling. |
Published Date | Filter alerts based on the date they were published. Use this to narrow results to alerts published within a specific time range. |
Publisher | Filter alerts based on the entity that published them. |
RFI Response | Filter alerts based on the content of RFI responses. Enter text to search for specific keywords or phrases within the response field. |
Recipient Group | Filter alerts based on the recipient groups they are shared with. |
Report Source | Filter alerts based on the entity that reported the information. Report sources can include a person, publication, or organization, such as a Government Agency, Law Enforcement, or Friend. |
Risk | Filter alerts based on their risk value. Higher numbers indicate a greater level of risk associated with the alert. |
Root Cause | Filter alerts based on the initiating cause of the threat or incident. |
Severity | Filter alerts by severity to focus on threats with the desired impact, such as Informational, Minimal, Moderate, Major, or Significant. |
Status | Filter alerts to display only those corresponding to a specific status. You can filter by DRAFT, SUBMITTED, PUBLISHED, SCHEDULED, EXPIRED, or REVERTED. |
SubTechnique | Filter alerts to display only those associated with a specific MITRE ATT&CK sub-technique. This allows you to focus on alerts relevant to particular adversary behaviors or tactics. This filter is available only if the feature is enabled. For more information, see Configure Collaborate Features. |
TLP | Filter alerts to display only those assigned a specific Traffic Light Protocol (TLP) level. Available levels include RED, AMBER+STRICT, AMBER, GREEN, and CLEAR. |
Tactic | Filter alerts to display only those associated with a specific MITRE ATT&CK tactic. This helps focus on alerts related to particular adversary objectives or goals. This filter is available only if the feature is enabled. For more information, see Configure Collaborate Features. |
Tags | Use this filter to display alerts associated with one or more tags. You can select multiple tags in a single query to view results that match any of the selected tags. |
Targeted Sector | Filter alerts to include only those associated with specific sectors. For example, select Healthcare and Finance to focus on alerts affecting those sectors. |
Technique | Filter alerts to include only those associated with specific MITRE ATT&CK techniques. This filter is available only if the feature is enabled. For more information, see Configure Collaborate Features. |
Threat Actor | Filter alerts to include only those associated with specific threat actors. |
Threat Indicators | Filter alerts by entering specific threat indicators. For example, enter an IP address, domain, or malware name to focus on alerts containing that indicator. |
Threat Method | Filter alerts based on the method used by a threat actor. |
Title | Filter alerts by entering keywords or phrases from the alert title. Use this to narrow results to alerts whose titles match your search criteria. |
Urgency | Filter alerts based on their urgency level. Higher urgency values indicate that the alert requires faster attention or response. |
Vendors | Filter alerts based on the vendor associated with the alert. A vendor can be a supplier, manufacturer, or member organization within your network. |
Vulnerability Source | Filter alerts based on the source reporting the vulnerability. For example, select NVD, CVE, or other vulnerability intelligence sources to focus on alerts from those sources. |
Vulnerability Type | Filter alerts to include only those associated with specific types of vulnerabilities. |
View Alert Details
To view alert details, click an alert, or hover over an alert, click the vertical ellipsis, and then click View. Use the following information to view the details:
To view the alert title, description, alert ID, and more, select Alert Content. If the alert is matched with any Intelligence Requirements (IRs), you can also view them in this section. Additionally, you can click Add to match IRs to the alert.
To view the list of recipients of the alert and the associated publishing preferences, select Other Details. You can also find the total number of recipients when the alert was published and the current count of recipients in this section.
To view the Threat Defender Library content attached to the alert, select Threat Defender. To view files in detail, hover over a file, click the vertical ellipsis, and click View.
To view the feedback details provided by recipients for an alert, select Feedback. You can view the engagement count, number of readers, content and relevancy rating, and feedback comments. Additionally, you can filter the results based on details such as content rating, engagement, organizations, and more.
To export the feedback details in .csv format, click Export CSV. A link to the exported file is sent to your email address, from where you can download it. The link can be used only once and expires 72 hours after you receive it.