Member Submissions
Members submit threat intel analysis and request for information forms from the Member Portal. Analysts receive these requests in the Analyst portal and can review, approve, and manage them. This enables a bi-directional sharing of threat information between the Analyst and the Member Portals. Analysts can share all member submissions as alerts from the Analyst Portal.
Manage Intel Submissions
A member can submit threat intel reports from the Member Portal. The intel submissions include information to help you, as an analyst, understand the risks of an organization's most common or severe external threats. Analysts can further share this information as alerts to all the other members of the organization. This facilitates the sharing and dissemination of information between the Analyst and the Member Portals.
Accessing Intel Submissions When the Analyst Group Feature is Enabled
When the Analyst Groups feature is enabled, analysts can access intel submissions based on the category selected during submission. Members select a category while submitting intel, and analysts can view the submission only if they belong to a group associated with that category. This ensures the right analysts handle relevant threat intel.
View Received Intel Submissions
Use the following section to view the intels submitted by members from the Member Portal in the Analyst Portal. The visibility of submissions depends on your analyst group configuration:
If the Analyst Group feature is enabled, you can only view the submissions associated with categories assigned to your analyst group.
If the Analyst Group feature is disabled, you can view all submissions based on your individual category access.
Before you Start
Ensure that you have the View permission to the Intel Submissions module.
Steps
To view all the received intel submissions, follow these steps:
Sign in to the Analyst Portal.
Go to Main Menu > Intel Submissions. You can perform the following actions:
Click All to view all the submissions.
Click Pending to view submissions that are pending for analyst review.
Click Accepted to view submissions that are accepted by analysts.
Click Rejected to view submissions that are rejected by analysts.
Click Reverted to view submissions that are routed back to members to include additional information.
Click Open Filters to show or hide the filter. Enter search keywords or use the filters to look for information.
Click Export CSV to export the intel submission details in a .csv format. You will receive the link to the exported file in your email from where you can download it. The link can only be used once and expires in 72 hours from the time you receive it.
The background process may take a short time to compile the report, depending on the amount of intel submission details exported.
Click Refresh to refresh the intel submissions list.
View the intel submitter's name in the Reported by column.
Note
You can control the visibility of the intel submitter's name in the Analyst Portal through various settings. For more information, see Member Submissions.
To review an intel submission, click the intel that has the SUBMITTED status, and click Review Intel. You can now review all the details of the intel submitted by the member. To approve the intel, click Approve. After approval, you can immediately create an alert from the intel submissions to ensure the information reaches a wider audience.
If you want to revert the intel to the member who has submitted the intel, click Revert. You can enter a comment informing the member to provide more clarity to the intel submission. The member who submitted the intel will be able to view your comment in the Member Portal.
To reject an intel submission, click Reject. Enter a comment informing the member of the reason for your rejection.
Create Alerts from Intel Submissions
Analysts can create and publish alerts based on the submitted intel. The analyst has to review and approve the alert to create intel from it.
Before you Start
Ensure that you have the View and Create or Update permissions to access the Intel Submissions module. These permissions can be assigned only to a role.
Steps
To create alerts from intel submissions, follow these steps:
Go to Main Menu > Intel Submissions.
Select a submitted intel that is in the Pending state and click Review Intel.
Review the details of the intel and you can Approve, Revert or Reject. You can create intel from the Approved submitted intel. Click Approve. Alternatively, you can select any Approved intel and click Create Alert.
The alert creation form opens with key fields pre-filled from the intel. Use the following information to enter the details:
If you are using the older alert for, see Create Alerts. If you are using the new alert form, see Create Alerts.
In the new alert form, if the Analyst Groups feature is enabled, you can select the Analyst Groups field to assign relevant groups.
Click Publish. The alert will be published to members on the Member Portal.
Parsing Indicators
When creating an alert from the intel submissions, alert publishers can parse indicators to verify if any CSAP users have added them to the allowed list. If a particular indicator is added to the allowed list by a member, then the indicator will automatically be categorized as an allowed list. If no member has added to the allowed list of the indicators, they will automatically be categorized as blocked list.
Manage Request for Information
In , members can submit Requests for Information (RFIs), facilitating the exchange of insights for optimizing their organization's security posture. As an analyst, you can review these RFIs and publish them as alerts to a larger network. This collaborative approach fosters an environment that empowers members to seamlessly share information on diverse topics, thereby enhancing overall security strategies.
You can view the RFIs submitted by members in the Analyst Portal and directly create alerts from them. Analysts can also view RFIs that are directly published as alerts without analyst review.
Members can collaborate, share, and comment on the RFIs. All the information shared in comments and responses is available to the RFI creator and analysts for a better assessment of the data.
Accessing RFIs When the Analyst Group Feature is Enabled
When the Analyst Groups feature is enabled, you can access RFIs assigned to your groups. Members can submit RFIs to one or more groups, and you can view those submitted to the groups you belong to. This helps you easily find and review relevant RFIs.
Configure RFI
As an analyst, you can configure the Request for Information (RFI) settings for members.
Before you Start
Ensure you have View and Update permissions for Configurations
Steps
To configure RFI-related settings, follow these steps:
Sign in to the Analyst Portal.
Go to Administration > Configuration.
Go to the following sections, and click Edit:
Features: Turn on the Request for Information toggle to enable this feature in the Member Portal. Enabling this option also enables the Request for Information system category in Administration > Settings > Core Settings > Category in the Analyst Portal. This category is used while creating alerts from RFI submissions.
Member Submission:
Display Disclaimer on RFI Form?: Turn on the toggle to enable or disable the disclaimer on the request for information (RFI) form. Members can view this disclaimer while submitting RFIs.
RFI Disclaimer: Enter a disclaimer which is displayed in the RFI form in the Member Portal. The default disclaimer is Please do not submit any personally identifiable information, including credit card or bank account information; social security, passport, or driver’s license number; date of birth; account PINs, passwords, or any other sensitive information in the report. This form should be used for requesting information that may be related to physical or cyber security. If it is life-threatening or emergency, close the app and call 911 or the emergency contact number of your country.
Directly Publish Alerts from RFI: Turn on the toggle to enable members to publish RFI as alerts without analyst review. Members can directly select recipients for the RFI alert. By default, this option is not enabled.
Display RFI Responder Details to Members: Turn on the toggle to enable the recipients of the RFI alert, as well as the RFI submitter, to view the details (name and email) of the RFI responders. By default, this option is not enabled.
Allow Members to Share RFI With: Specify the recipients of the RFI alert if members can directly publish alerts from an RFI. By default, it is set to Only Recipient Groups.
If you select Recipient Groups or Member's Organization, the member can either choose to publish the alert to recipient groups of their choice or the organization that they belong to. If you select Recipient Groups or All Organizations, the member can choose to publish the alert to recipient groups of their choice or all organizations in the instance.
Mobile App/ Web Portal:
Show RFI Responses to Other Members: Turn on the toggle to allow members to view RFI responses and comments from other members or analysts. By default, the toggle is turned off.
After making the required changes, click Update.
After configuring RFI settings, you can customize the fields displayed in the RFI form in the Member Portal through the Request for Information system category. For more information, see View System Alert Categories.
Create Alerts from RFIs
Create alerts in Analyst Portal from the received RFIs.
Before you start
Ensure that you have the View and Update permissions to the Request For Information module.
Steps
To create an alert from an RFI, follow these steps:
Go to Main Menu > Request for Info.
Select an RFI item, and click Create Alert. Alternatively, you can hover over an RFI item, click the vertical ellipsis, and click Create Alert.
Use the following information to enter all the required details:
If you are using the older alert for, see Create Alerts. If you are using the new alert form, see Create Alerts.
In the new alert form, if the Analyst Groups feature is enabled, you can edit the Analyst Groups field to select the relevant groups. However, the Category field will always remain set to Request for Information and cannot be modified.
Click Publish. The alert with the RFI details will be published to members on the Member Portal.
Add RFI Comments in the Analyst Portal
After an RFI is submitted by members, you can comment on the published RFI to share ideas, and improvement tips, or ask for more context. Comments include interaction between the member that submits the RFI and analysts. After an RFI is published as an alert, members can also respond to the RFI alert. As an analyst, you can choose to enable members to view RFI responses from other members. For more information, see Configure Mobile App or Web Portal Preferences.
Before you Start
You must have the View and Update permissions for the Request For Information section.
Steps
To comment or respond to an RFI, follow these steps:
In the Analyst Portal, go to Request for Info from the main menu.
Select the RFI you want to view or comment on. Alternatively, you can click the vertical ellipsis and click View.
In the Comment section, enter a comment. You can also add content from your local device as an attachment to the comment. Additionally, you can fang and defang IOCs in the comment using Fang and Defang.
Note
You can only add comments for RFI which are in the OPEN status.
You can view responses to the RFI alert in the RFI Responses section. You can also hover over the responder's name to view the username and email address of the responder.
Additionally, you can delete responses if the response is no longer relevant to the RFI. Hover over the response, and click Delete.
Click Export to export the RFI responses.
Manage RFIs
As an analyst, you can manage the RFIs submitted by members.
Note
If the Analyst Groups feature is enabled, you will only see the list of RFIs submitted to the Analyst Groups you belong to.
Before you Start
Ensure that you have the View and Update permissions for RFI in the Analyst Portal.
Steps
To manage RFIs, follow these steps:
Sign in to the Analyst Portal.
Go to Main Menu > Request for Info. Use the following information while viewing and managing RFIs:
On the listing page, you can view details such as RFI ID, title, submitted by, TLP, and more. You can also view All, Open or Closed RFIs in the respective sections.
Click the RFI to view all the details. While viewing the RFI, you can perform the following actions:
Create Alert: If you want to create an alert from the RFI, click Create Alert. The alert creation form opens and information from the RFI is automatically populated in the alert. You can make further edits and publish the RFI as an alert.
Close: To close an RFI, click the Status dropdown, and select Close. You can enter a comment stating the reason for closing the RFI. The member who submitted this RFI can view this comment.
Comment: Add comments to an RFI if you need more details from the member who submitted the RFI. Members can reply or add comments to the RFI from the Member Portal.
Manage Email Submissions
Administrators can integrate and map email accounts in the Analyst Portal. The emails sent to the configured email account are received in Email Submissions.
Before you Start
Configure the Email Accounts from Other Settings. See Email Accounts.
From Main Menu, select Email Submissions to view the emails received.
Select the email account from the drop-down in the top right corner. Select From all accounts to view emails from all configured email accounts, else select one account.
Click Star to mark an email as important.
You can mark a read email as Mark as Unread.
Create Alerts from Email Submissions
Analysts can create, share, and publish alerts from the emails received in email submissions.
Steps
From Main Menu, navigate to Email Submissions.
Click Create Alert to create an alert out of the email.
Enter the recipient groups to share the alert with users.
Enter the Category, TLP, and the Info Source for the alert.
Click Create.
An alert is created in the Draft state. You can view and publish from Alerts.
If an alert is already created out of the email, you can view the Alert ID. Click the Alert ID to view the alert details.
Manage Event Submissions
Manage event requests from members events such as summits, expert webinar series, meetings, and more. You can either choose to approve the request and create an event alert, or reject the event request.
Steps
To review event submissions, do the following:
In the Analyst Portal, go to the Main Menu, and click Event Submissions.
Click the event request you want to review.
If you approve the event request, click Approve & Create Alert. You can now create and publish an alert from this request. After you publish the event, the recipients can view this event in the Events calendar. For more information about scheduling events through alerts, see Schedule Events with Alerts.
If you do not want to create an alert immediately, you can close the alert creation form. The event request will be in the Approved status and you can choose to create an alert at any point.
If you want to reject the event request, click Reject. You can enter a comment describing the reason. The member who submitted the event request will be able to view this comment. All declined event requests will be in the Rejected status.