General options for reports

To populate reports with general information such as title, summary, and so on, do the following:

  1. Assign the new report entity a clear and descriptive Title. The title appears also in the entity detail pane header section.

  2. In the Summary field, write a short summary to highlight the main points and/or the core concepts discussed in the report.

  3. In the Analysis field, write a story to clearly communicate the core message of the report.
    Organize your information to set the stage (background details and context), unfold the timeframe of the events the report describes, and introduce the characters such as threat actors, targeted victims, as well as any malicious sidekicks such as (money) mules.
    These are the foundations shaping the threat scenario under analysis.

  4. Click Section to add another content section to the report, such as a Recommendations field.

  5. In the Recommendations field, formulate a set of recommendations to reduce risk and to mitigate possible or likely damage.
    You can make recommendations on areas such as prevention, detection, and response.

    • Proceed to describe motives and intentions, behaviors, strategies, tactics, and techniques. Include any relevant details about resources and infrastructure, be it a C2 server or targeted assets.
      In short, this is where analysts use their story-telling skills to make their point to the stakeholders who will read the report and who may or may not decide to (re)act on the basis of the intelligence value of the report.

    • When you position the cursor inside the Summary, Analysis or Recommendations field, a rich text editor becomes available to help you format content:
      You can format text, create ordered/numbered and unordered/bulleted lists, undo and redo actions, as well as insert relationships, observables, and references.

  6. From the Intents drop-down menu, select one or more options to define the main purpose of the report, that is, the main item(s) discussed in the report, and the main topic(s) it focuses on.

  7. Use the Attachment section to drag and drop relevant files to the upload area.
    Alternatively, click anywhere in the upload area, browse to the location where the file you want to upload is stored, and then select it.

    • To remove an uploaded file from the attachment list, click Remove file.
      The attachment is instantly removed, without prompting you to confirm the action.

When you publish the report, any inserted relationships, observables and references are indexed and made searchable.
You can click these links to open the detail pane of the selected relationship or observable, or to follow a link to a reference.

If you publish reports with attachments through an outgoing feed, attachments are excluded from the feed. Only the report entity without attachments is included in the outgoing feed.