Threat Defender Library
Notice
This feature is only available for Cyware cloud-based deployments
Threat Defender Library (TDL) is a repository that allows security analysts to store and share content with analysts and members for threat detection, analysis, and response. In Collaborate, TDL serves as a repository for collecting and distributing this content, enabling security teams to respond to threats faster and with greater accuracy.
You can create, upload, manage, and share files such as:
SIEM rule files, for example, Splunk, Devo, and Sigma
Threat detection files, including YARA, Suricata, and Snort rules, log sources, and more
Analytics files such as Cyber Analytics Repository (CAR) reports
Orchestrate playbooks
How does it work?
TDL simplifies the process of creating, sharing, and collaborating on threat detection rules and content.
The following is an example of a Snort detection rule and how TDL helps you, as an analyst, respond to threats faster using this rule:
Create a Snort rule and share it with your team for feedback. The following Snort rule raises an alert in the intrusion detection or prevention system when a client-to-server payload on an established TCP connection contains a specific byte sequence: here the ASCII string "ZOOM" followed by two null bytes (5a 4f 4f 4d 00 00). Because the pattern is six bytes long and depth:6 limits the search to the first six bytes of the payload, the payload must begin with that sequence for the rule to fire. Note that Snort requires straight double quotes around the msg and content values; typographic quotes pasted from a document will fail to parse.
alert tcp any any -> any any (msg:"Possible Zeus Botnet C&C Traffic"; flow:established,to_server; content:"|5a 4f 4f 4d 00 00|"; depth:6; sid:1000005; rev:1;)
To create TDL content, see Create TDL Content.
Publish the Snort rule to the TDL repository so that your team can use it.
You can share the TDL content with members to help them in the detection of the Zeus Botnet. To share TDL content, see Share TDL Content.
To notify your members about the Zeus botnet malware, you can attach the Snort rule to an alert and share it with the intended recipients.
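Before a rule like the one above is published to TDL and pushed to other teams' sensors, it is worth checking that its content, offset, and depth options match what you intend. The following Python script is an added example, not part of the Cyware documentation and not Snort's own parser: it parses the rule's header and the content/offset/depth/nocase options (a small subset of Snort rule syntax, ignoring flow:, distance/within and other modifiers), and evaluates the rule against constructed sample payloads that probe the depth:6 boundary. The payloads are made up for the demonstration and are not real Zeus traffic; for authoritative validation run the rule through Snort itself (for example snort -T with a configuration that loads it).

```python
"""Sanity-check the content/depth logic of a single Snort rule against sample payloads.

Added example (not Cyware or Snort code). Handles only: header parsing, msg, sid,
content (with |hex| blocks and optional ! negation), offset, depth, nocase.
flow:established,to_server is not evaluated; the caller is assumed to supply
only client-to-server payloads of established TCP sessions.
"""
import re

# The rule from the page, with the straight quotes Snort requires.
ZEUS_RULE = (
    'alert tcp any any -> any any ('
    'msg:"Possible Zeus Botnet C&C Traffic"; flow:established,to_server; '
    'content:"|5a 4f 4f 4d 00 00|"; depth:6; sid:1000005; rev:1;)'
)

# name[:value]; pairs, where value may be a double-quoted string (quotes may
# contain ';') or a bare token such as 6 or established,to_server.
_OPT_RE = re.compile(r'\s*([a-zA-Z_]+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')


def decode_content(raw: str) -> bytes:
    """Expand a Snort content string: text outside |...| is literal ASCII,
    text inside |...| is space-separated hex. '|5a 4f 4f 4d 00 00|' -> b'ZOOM\\x00\\x00'."""
    out = bytearray()
    for i, part in enumerate(raw.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(rule: str) -> dict:
    """Parse the header and the subset of options this checker understands."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, _arrow, dst, dport = header.split()
    parsed = {"action": action, "proto": proto, "src": (src, sport),
              "dst": (dst, dport), "msg": None, "sid": None, "contents": []}
    for name, value in _OPT_RE.findall(body.rstrip(")")):
        if name == "msg":
            parsed["msg"] = value.strip('"')
        elif name == "sid":
            parsed["sid"] = int(value)
        elif name == "content":
            negated = value.startswith("!")
            parsed["contents"].append({
                "bytes": decode_content(value.lstrip("!").strip('"')),
                "offset": 0, "depth": None, "nocase": False, "negated": negated})
        elif name in ("depth", "offset") and parsed["contents"]:
            parsed["contents"][-1][name] = int(value)   # modifies the preceding content
        elif name == "nocase" and parsed["contents"]:
            parsed["contents"][-1]["nocase"] = True
    return parsed


def content_matches(c: dict, payload: bytes) -> bool:
    """Snort's absolute offset/depth semantics: the whole pattern must lie
    inside payload[offset : offset + depth] (depth unset = rest of payload)."""
    start = c["offset"]
    end = len(payload) if c["depth"] is None else start + c["depth"]
    window, needle = payload[start:end], c["bytes"]
    if c["nocase"]:
        window, needle = window.lower(), needle.lower()
    found = needle in window
    return (not found) if c["negated"] else found


def rule_matches(parsed: dict, payload: bytes) -> bool:
    """A rule fires only when every content option is satisfied."""
    return all(content_matches(c, payload) for c in parsed["contents"])


# Constructed sample payloads (not real Zeus traffic) probing the depth:6 boundary.
SAMPLES = {
    "marker at offset 0": b"ZOOM\x00\x00" + b"\x10" * 20,
    "marker shifted by 2 (outside depth:6)": b"\x00\x00ZOOM\x00\x00" + b"\x10" * 18,
    "marker without the null terminators": b"ZOOM\x01\x01" + b"\x10" * 20,
    "lower-case marker (no nocase)": b"zoom\x00\x00" + b"\x10" * 20,
}


def evaluate_samples(rule: str = ZEUS_RULE) -> dict:
    """Map each sample name to whether the rule would alert on it."""
    parsed = parse_rule(rule)
    return {name: rule_matches(parsed, payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    parsed = parse_rule(ZEUS_RULE)
    print(f"sid:{parsed['sid']} {parsed['msg']!r} pattern={parsed['contents'][0]['bytes']!r}")
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT' if hit else '-----'}  {name}")
```

Only the first sample alerts. The shifted sample shows why depth matters: the marker is present in the payload, but not within the first six bytes, so the rule stays silent. If that is not the intended behaviour, the rule should be adjusted (for example by dropping depth or raising it) before it is published.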
What are the use cases of the Threat Defender Library?
Security teams often face challenges in establishing consistent detection and containment processes, resulting in slower incident response and reduced effectiveness. TDL addresses this by providing verified content and a channel for sharing detection files such as YARA, Snort, and Suricata rules, which improves threat detection and overall incident handling efficiency.
Creating defender content often requires specialized knowledge and adherence to specific formats, which can hinder efficient content creation. TDL helps you easily create content without additional expertise. You can either upload supported files for validation or use the versatile code editor to streamline content creation.
Existing SIEM detection rules are confined within vendor or platform-specific silos, posing challenges when it comes to sharing them with the broader cybersecurity community. TDL enables you to create and distribute verified SIEM rules across the cybersecurity community, ensuring agility in responding to evolving threats. Additionally, you can use these rules to issue Collaborate alerts for quick action in SIEM or XDR tools.
Security teams require rapid threat detection and mitigation to prevent damage. They take actions like isolating systems, deactivating compromised accounts, blocking malicious network traffic, and more. Sharing TDL content or attaching it to alerts allows quick access to validated information from analysts, enabling swift responses to common and organization-specific threats.
Utilize the publicly available information from the open-source intelligence (OSINT) repository to create TDL content for known threats.
TDL Repositories
The content in the Threat Defender Library (TDL) is organized into the following repositories:
My Repo | Contains the content you have created. The content in this section has statuses such as Draft, Shared as Preview, Published, and Expired. |
Analyst Repo | Contains the content created by other analysts in the Analyst Portal. The content in this section has statuses such as Shared as Preview, Expired, and Published. |
Member Repo | Contains the content created by members in the Member Portal. The content in this section has statuses such as Under Analyst Review, Declined by Analyst, Expired, and Published. To know more about the member and analyst collaboration on TDL content, see Review TDL Content. |
OSINT Repo | Contains external content from open-source repositories. Open-source intelligence (OSINT) is the intelligence produced by collecting, evaluating, and analyzing publicly available information with the purpose of answering specific intelligence queries. You can configure the Analyst Portal to automatically publish threat defender content from OSINT Repo to the required recipient groups. To know more about auto-publishing OSINT content, see Configure TDL. |
TDL Statuses
In the Analyst Portal, the TDL content can have the following statuses:
Draft | This status indicates content drafted by you in My Repo. |
Shared as Preview | This status indicates that the content is shared for preview with other analysts in the Analyst Repo. |
Under Analyst Review | This status indicates content submitted by members that is awaiting review by analysts. After you, as an analyst, approve the content, you can publish it to the intended recipients. Content associated with this status is available in Member Repo. |
Declined by Analyst | This status indicates content (submitted by members) that is declined by analysts. Content associated with this status is available in Member Repo. |
Published | This status indicates content published by analysts. Content associated with this status is available in My Repo, Analyst Repo, and Member Repo. |
Expired | This status indicates content that analysts have marked as expired. Content associated with this status is available in My Repo, Analyst Repo, and Member Repo. |