Add Additional Information
Add relevant details in the Additional Information section to provide context and supporting references for the alert. You can link past alerts, attach files, include intelligence requirements, and more to help recipients assess and respond effectively.
Analysts can add additional information, such as a description and references that add significance to the alert. Use the following information to add additional information:
Description: Enter additional information related to the alert. Since the alert summary has a character limit of 150 characters, use this field to add more information to the alert. To add a reference link directly to the Description field, place the cursor after the information, click the Reference icon, select New Reference, and enter the reference URL and name. The link is automatically parsed into the Reference fields.
If you add IOCs as additional information, click Defang to add text to the IOCs so that it is not potentially malicious or harmful when members unintentionally click them in the shared alert. For example, IP address 192.158.1.38 becomes 192[.]158[.]1[.]38 after it is defanged. If you do not want to defang the IOC, click Fang. By default, IOCs are fanged.
Reference URL: Enter any reference links that can provide more information about the alert. Links added in the Description field using the Reference icon also appear here. Use Visible to Members to show or hide references to alert recipients.
Reference Name: Provide a name for each reference link to make it easily identifiable.
Link past alerts to provide historical context or reference related incidents. To link past alerts, click Search Alerts, enter the keyword, select the relevant alerts, and click Attach.
Linked alerts appear as metadata, categorized by alert ID. Members can access these alerts directly from the alert content.
Add attachments to enhance alert information and add credibility to the alert. Analysts can add attachments from the Doc Library or upload files from their computer to the alert. You can attach up to 20 files to an alert.
To add attachments while creating alerts, use the following information:
Drag & drop files or Browse: Click Browse to upload files from your computer. You can attach up to 20 files simultaneously. The file name can only have alphanumeric characters and () { } [ ] - _ +. The maximum file size is 100 MB. Some of the supported formats are .pdf, .txt, .doc, and more. To learn more about all supported formats, hover over the information icon.
You can modify the file name, provide a description, and add tags to the file while adding it to the Doc Library. The uploaded file is added to the Doc Library. By default, the file is saved in the root directory of the Doc Library. You can change this path and save the file by clicking Change Path.
Doc Library: Click Browse Doc Library to attach files directly from the Doc Library. You can sort the files in the Doc Library by their last updated date. To know more about this, see Upload Files to the Doc Library.
Send as Email Attachment: Select this to share the attachments with recipients in the email alert.
Note
If member intel submissions contain attachments, analysts can automatically extract IOCs from the attachments using Extract Indicators. The extracted IOCs are added to the Indicators section, where analysts can verify and parse them as allowed and blocked indicators. The supported indicator types include SHA256, domain, SHA1, URL, IP address, email, MD5, IPv4, IPv6, and CIDR.
Intelligence Requirements (IRs) are information requests for a specified period that help you gain insight over a period of time. While creating the alert, you can attach relevant IRs to enrich the information in the alert. For more information, see Intelligence Requirements.
To attach IRs to the alert, click Attach IRs. You can browse all the published IRs and select the IRs you want to attach to the alert.
Note
After the alert is published, you can view all the matched IRs in the alert details. You can also modify (add or remove) IRs attached to an alert directly from the alert details page in Matched IRs.
Threat Defender Library (TDL) stores information and files utilized in threat detection, threat hunting, and threat defense. The unique content stored in TDL adds value to existing threat hunting and threat detection workflows, thereby helping members to proactively defend against organization-specific threats.
For example, if there is a ransomware threat that has an identified malicious code, you can attach a specific rule (YARA, SIEM, or other supported rules) that impacts that specific malicious code. This helps analysts detect or respond to the ransomware. In this case, members can use the attached content from TDL to defend against the ransomware threat. For more information about Threat Defender Library, see Threat Defender Library.
Before you Start
Add content to the Threat Defender Library so that it is available while creating alerts. For more information, see Create TDL Content.
Alternatively, you can attach already existing content from the Analyst or Member Repo of TDL.
Steps
To attach TDL content to alerts, follow these steps:
In the alert creation form, click Additional Information and go to the Threat Defender section.
Click Attach Threat Defender and select the required TDL content from the list. You can attach up to 20 TDL content to an alert.
Use threat assessments to get a pulse of how many members were impacted by a vulnerability, malware, or threat activity. Add threat assessment questions with response options along with an alert, and publish them to members. You can also use pre-configured templates for threat assessments to save time. Based on the response provided by alert recipients, analysts can extract a consolidated report to assess the sector-wide impact. Threat assessment questions appear on top of the alert content in the Collaborate Member Portal. You can include service-level agreements (SLAs) for threat assessments to send automatic reminders to members at specified intervals to respond to the assessment.
Before you Start
Configure required threat assessment settings, such as templates and SLAs. For more information, see Threat Assessment.
Create a Threat Assessment
To create a threat assessment for the alert, follow these steps:
In the alert creation form, go to Additional Information and turn on the Threat Assessment toggle.
Select Create New and use the following information:
Question Type: Choose the type of assessment question. You can either have single-select or text questions for the assessment.
Title: Enter an appropriate title for the assessment.
Expiry: Choose a time of expiry for the threat assessment. Members cannot respond to an expired threat assessment.
SLA(Optional): Choose a preconfigured SLA using the drop-down list. SLAs allow you to send automatic reminders at specified time intervals to members for responding to threat assessments. For more information, see Threat Assessment SLA.
Add Threat Assessments from Templates
You can select threat assessments from pre-configured templates and attach them to your alert. This saves you time from entering repetitive data. To create pre-configured threat assessment templates, see Threat Assessment.
Steps
To add threat assessment from a template, follow these steps:
In the alert creation form, go to Additional Information and turn on the Threat Assessment toggle.
Select Choose from Templates and use the following information:
Template: Select the template for the threat assessment and edit it to your preference. You can either have single-select or text-based questions for the assessment.
Expiry: Choose a time of expiry for the threat assessment. Members cannot respond to an expired threat assessment.
SLA(Optional): Choose a preconfigured SLA using the drop-down list. SLAs allow you to send automatic reminders at specified time intervals to members for responding to threat assessments. For more information, see Threat Assessment SLA.
In an alert, actions are tasks assigned or recommended to members. This is based on the insights shared in the alert or as a course of normal security measures. As an analyst, you can recommend actions to members while creating alerts. For example, when there is a phishing threat, analysts can create an alert recommending actions to prevent the phishing attack, such as checking for suspicious links and other actions.
Steps
To create actions for the alert, follow these steps:
In the alert creation form, go to Additional Information and turn on the Recommended Actions toggle.
Enter a title and description for the action.
Click Add More to add more actions to the alert. You can add a maximum of five actions while creating an alert.
You can include conference call URLs in the alert. Connect using online conferencing applications such as Zoom, Google Meet, and Microsoft Teams. Members can view the conference call information in the alert. To configure numbers in the conference call directory, see Add Conference Call.
Steps
To add conference details to the alert, follow these steps:
In the alert creation form, go to Additional Information.
Turn on the Conference Details toggle and use the following information:
Create New: Select this to add new conference call details. Enter a new conference URL, number, and conference call time. The conference number must be in the format {Dial-in Number}, {PIN}#.
Existing in Directory: Select this to use pre-configured conference details. Select the conference directory from the dropdown. Add conference URL, number, and conference call date and time.
Next Steps
After entering the additional information, click Next to continue or Save as Draft to save your progress and complete the alert later. The next step is to configure sharing options. For more information, see Configure Sharing Options.