Enter Basic Information
Add basic information such as the alert title, summary, category, IOCs, and tags to define the alert. Based on the selected category, additional fields may appear to capture all relevant details. To customize the fields in the alert creation form, see Field Management Settings.
Before you Start
Ensure that you have configured categories. Only admin and root admin roles can create and update categories. For more information, see Categories.
If you want to add tag groups to the alert, create tag groups in the Tags Library. For more information, see Tag Library.
Steps
To create an alert with basic information, follow these steps:
In the alert creation form, click Basic Information.
Use the following field descriptions to enter the required details for the alert:
Title: Enter an alert title within 150 characters. Members can search for alerts based on keywords present in the alert title. For example, ImBetter: New Information Stealer Spotted Targeting Cryptocurrency Users.
Summary: Enter a text summary for the alert that describes what the alert is about. Members can search for alerts based on keywords present in the alert summary.
If you add indicators of compromise (IOCs) in the summary, click Defang to insert bracket characters into the IOCs so that they are not clickable, and therefore not potentially harmful, if members unintentionally click them in the shared alert. For example, IP address 192.158.1.38 becomes 192[.]158[.]1[.]38 after it is defanged. If you do not want to defang the IOCs, click Fang. By default, IOCs are fanged.
Category: Select a category for the alert. The category gives information about the type of alert, for example, Vulnerability Advisories, Educational, RSS Alerts, Malware Advisories, and other categories. Admins and root admins can create and update all categories. For more information, see Categories.
Campaign (Optional): Select an associated campaign for the alert. This field shows only active campaigns. For more information, see Create Campaigns.
Traffic Light Protocol (TLP): Select a TLP for the alert. The TLP determines which recipients the alert information is shared with. The default TLP value is based on what is configured in the settings. For more information, see Configure Alerts Settings.
Note
The selected TLP determines the visibility of the alert based on the TLP hierarchy of the recipient groups. Only recipients whose TLP permissions align with or exceed the selected TLP level will have access to the alert. For more information, see Configure Sharing Options.
Alert Image (Optional): Upload an image for the alert. You can upload an alert image with a maximum size of 1.5 MB. To use the default image, select Default Image. To create an alert without any image, select None. This field is displayed based on the configuration in settings. For more information, see Configure Alerts Settings.
Note
The recommended image dimensions are 750 x 250 px (3:1 aspect ratio). The accepted image size is greater than 3 KB and less than 2 MB.
Indicators (Optional): Add IOCs in the indicators field. Enter IP addresses, URLs, hashes, and other IOCs. Click Visible to Members to show indicators to members.
Click Defang to insert bracket characters into an IOC so that it is not clickable, and therefore not potentially harmful, if members unintentionally click it in the shared alert. If you paste URLs, clear their formatting first so that they are defanged correctly. For example, IP address 192.158.1.38 becomes 192[.]158[.]1[.]38 after it is defanged. Similarly, https://example.com becomes hXXps[:]//example[.]com after it is defanged.
If you do not want to defang the IOC, click Fang. By default, IOCs are fanged.
To add email descriptions and email subjects as IOCs, click Add. From the dropdown, select your preference, enter the content, and click Add. By default, the email subjects and descriptions you add will be considered blocked indicators.
Note
If you post the alert to Intel Exchange, some indicator types such as SHA-224, SHA-384, ssdeep, file path, Windows registry key, autonomous system, directory, and MAC addresses may not ingest correctly. Upgrading to Intel Exchange v3.6.2.1 will ensure the proper handling of these indicators.
Parse Indicators: Click Parse Indicators to parse the indicators and check if they are on the allowed or blocked list on the Analyst and Member Portal. By default, any indicator that is not added to the allowed list will be placed on the blocked list.
In Collaborate, the indicators that are supported for parsing from the Indicators section are IPv6, IPv4, IPv4 CIDR, email ID, domain, URL, CVE, MD5, SHA1, SHA256, SHA224, SHA384, SHA512, ssdeep, file path, Windows registry key, autonomous system, directory, and MAC address.
Note
While creating alerts from member intel submissions, you can parse IOCs extracted from attachments in the Indicators section. For more information, see Add Additional Information.
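The parsing and allowed/blocked sorting described under Parse Indicators, as an added example that is not Collaborate's own code: it types a subset of the supported indicators (IPv4, IPv4 CIDR, IPv6, email ID, domain, URL, CVE, and the hash families by digest length) and applies the stated rule that anything not on the allowed list lands on the blocked list. The sample text, the allowed list and the hash value are constructed for the example.

```python
import ipaddress
import re

# Hex digests are told apart by length alone, matching the hash types the Indicators section lists.
HASH_TYPES = {32: "MD5", 40: "SHA1", 56: "SHA224", 64: "SHA256", 96: "SHA384", 128: "SHA512"}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s/]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")
URL_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://\S+$")
DOMAIN_RE = re.compile(r"^([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def classify(token: str):
    """Return the indicator type of one token, or None if it is not a supported IOC."""
    v = token.strip().rstrip(".,;")
    if re.fullmatch(r"[0-9A-Fa-f]+", v) and len(v) in HASH_TYPES:
        return HASH_TYPES[len(v)]
    if CVE_RE.match(v):
        return "CVE"
    try:
        net = ipaddress.ip_network(v, strict=False)  # accepts bare addresses and CIDR
    except ValueError:
        net = None
    if net is not None:
        if net.version == 6:
            return "IPv6" if "/" not in v else None  # IPv6 CIDR is not in the supported list
        return "IPv4 CIDR" if "/" in v else "IPv4"
    if EMAIL_RE.match(v):
        return "email ID"
    if URL_RE.match(v):
        return "URL"
    if DOMAIN_RE.match(v):
        return "domain"
    return None


def parse_indicators(text: str, allowed: set):
    """Tokenize free text, type each IOC, and apply the page's rule:
    any indicator that is not on the allowed list goes to the blocked list."""
    allowed_lower = {a.lower() for a in allowed}
    result = {"allowed": [], "blocked": []}
    for token in re.split(r"[\s,;]+", text):
        token = token.rstrip(".")  # drop sentence punctuation glued to the IOC
        kind = classify(token)
        if kind is not None:
            bucket = "allowed" if token.lower() in allowed_lower else "blocked"
            result[bucket].append((kind, token))
    return result


# Constructed sample text; the indicators are documentation/test values, not real IOCs.
SAMPLE = ("Beacons to 192.158.1.38 and 203.0.113.0/24; drops 0123456789abcdef0123456789abcdef "
          "and exploits CVE-2021-44228. Phish from phish@example.net linked to "
          "https://example.com/payload.exe, see example.org.")
```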
Attach Blocked IOCs: Attach blocked IOCs as CSV, XML, and JSON attachments to the alert. Members can download the blocked indicators as files to their computers from the alert.
Related Alerts for IOCs: View alerts related to the parsed IOCs. After parsing an IOC, click View Related Alerts to view all published alerts with the same parsed IOC.
Tags (Optional): Tags are text labels that you can assign to identify information in alerts. Analysts can use tag groups to quickly add a group of tags instead of applying multiple tags individually. To add tags, use the following information:
Tag Group: If you want to add tag groups to the alert, click Tag Group. Start typing the tag group name and select the required tag group to associate it with the alert. For more details, see Create a Tag Group.
Based on the tag groups selected, the Tags field is auto-populated.
Tags: If you want to add tags to the alert, start typing the tag name in Tags. You can choose the required tags from the suggested tags or create new ones. If a tag does not exist, Collaborate automatically suggests creating it as a new tag.
Note
After publishing the alert, you can modify (add or remove) tags directly from the alert details page.
Based on the selected category, additional fields may appear in the configured field order, ensuring all relevant details are captured. After entering the basic information, click Next to continue or Save as Draft to save your progress and complete the alert later. The next step is to add additional information to the alert. For more information, see Add Additional Information.