Publish to Collection Using Rules
Configure Publish to Collection as a rule action to publish threat intel to server collections, so that subscribers can act on it, if required, and share it with others.
To use Publish to Collection as a rule action, do the following:
In the action box, select Publish to Collection as the rule action.
Select CTIX as the application to implement the rule.
Select an account to identify the instance to run the rule.
Set the Analyser to either of the following:
Publish intel submission: Publish the threat intel to the selected server collection directly.
Create draft intel submission: Create intel in the draft state and store it in the selected server collection.
Note
When you create a draft intel submission, the action is not logged in Action Taken > Action Taken Details > CTIX Specific Actions of the threat objects.
When the rule is triggered automatically, the related objects of the object selected in the rule condition are pushed to the server collection. When the rule is triggered manually, only the selected object is pushed to the server collection.
You can edit the draft intel submission created using the rule in Dissemination > Detailed Submission. You can view and publish the draft intel created here, in Submit Detailed Intel.
For every unique encounter with the selected object in the platform, CTIX creates a unique draft intel submission. For example, if a source first reports an IOC with a TLP and later reports the same IOC with metadata, CTIX creates two unique draft intel submissions for the same IOC, because each occurrence contains unique information.
Tip
Cyware recommends configuring draft intel for sources configured for manual or limited threat intel polling to avoid flooding the platform with endless draft intel submissions.
Select the server collections to which the intel is pushed, along with its objects and their respective metadata.
For more information about creating a rule, see Create a New Rule.