Attach TDL Content
Threat Defender Library (TDL) stores information and files used in threat detection, threat hunting, and threat defense. The unique content stored in TDL adds value to existing threat hunting and threat detection workflows, helping members proactively defend against organization-specific threats.
For example, if a ransomware threat has identified malicious code, you can attach a specific rule (YARA, SIEM, or another supported rule type) that applies to that malicious code. This helps analysts detect or respond to the ransomware, and members can use the attached content from TDL to defend against the threat. For more information about Threat Defender Library, see Threat Defender Library.
Before You Start
Add content to the Threat Defender Library so that it is available while creating alerts. For more information, see Create TDL Content.
Alternatively, you can attach existing content from the Analyst or Member Repo of TDL.
Steps
To attach TDL content to alerts, follow these steps:
1. In the alert creation form, click Threat Defender Library to attach content from TDL.
2. Click Browse and select the required TDL content from the list. You can attach up to 20 TDL content items to an alert.
3. After attaching content from TDL, click Next. The next step is to finish alert creation. For more information, see Finish Alert Creation.