Create TDL Content
You can create content in the Threat Defender Library (TDL) using different methods based on the type of content. You can use the following methods to create content in TDL:
Upload files: You can upload files to TDL in formats such as YML, YAML, YAR, YARA, and others. To view validated content examples for all the supported file formats, see TDL Content Examples.
Create content using code editor: You can create and validate content using the built-in code editor and file validator. You can create content in formats such as YML, YAML, YAR, YARA, SPL, RULES, and JSON. To view validated content examples for all the supported file formats, see TDL Content Examples.
Create content by selecting a category: You can create TDL content by selecting a content category. This makes TDL content creation possible without technical expertise and accessible to a wide range of users. The content creation form provides a list of categories widely used by security analysts for threat detection and response. You can select from the supported categories to create TDL content. For more information, see TDL Content Categories.
Before you Start
Ensure you have View and Create permissions for Threat Defender Library in Roles & Permissions.
Steps
To create TDL content, follow these steps:
In the Analyst Portal, click Threat Defender Library in the sidebar.
Click Create Content. Use one of the following methods to create TDL content:
Drag and drop the files or click Browse to upload the files. You can upload a maximum of 10 files, and the maximum size limit for each file is 2 MB. For content examples for the supported file formats, see TDL Content Examples.
After you upload files, you can view the file name, size, and title of the uploaded files. The displayed title is taken from the title key in the file content. Click Edit to modify the details of the uploaded files. For more information about the file fields, see step 3.
Write Code: Use the built-in code editor to write custom threat defender content.
Select a file category for the content you want to create. For example, Threat Detection (YARA Rules).
Select a file extension for the file category. For example, yara. You can select file extensions based on the file category you select.
Click Go to open the code editor. The following code is an example of a detection YARA rule:
rule blackhole2_jar : EK
{
    meta:
        author = "John Doe"
        date = "2016-06-27"
        description = "BlackHole Exploit Kit Detection"
        hash0 = "sfhbdkblSKDJHBADKBAD"
        sample_filetype = "unknown"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "k0/3;N"
    condition:
        // a rule is not valid YARA without a condition; match when the marker string is present
        $string0
}
Click Validate to verify the format of the content. Refer to the validated content examples for the supported file formats to create content in a valid format.
Click Save Changes, and enter a name for the file. For example, Blackhole Exploit Kit Detection.
Click Save.
The page displays the file name, size, and title of the newly created content. The title is retrieved from the title key in the file content. If there is no title key, a temporary file name is assigned. Click Edit to modify the details of the files. For more information about the fields, see step 3.
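The upload and validation steps above state a few rules that content must satisfy before TDL accepts it: at most 10 files, 2 MB each, a supported extension, a title key (or a temporary name in its place), and, for YARA, a structurally complete rule. The following added example, not part of this documentation or of the TDL product, is a local pre-check that applies those rules so an analyst can catch problems before clicking Validate; the temporary-name format and the use of a meta key named title for YARA files are assumptions.

```python
import re

# Limits and formats as stated on the page; this is a constructed local pre-check,
# not TDL's own validator.
MAX_FILES = 10
MAX_BYTES = 2 * 1024 * 1024
SUPPORTED_EXT = {"yml", "yaml", "yar", "yara", "spl", "rules", "json"}

def extract_title(name, content):
    """Use the 'title' key if present, otherwise fall back to a temporary name
    (the 'untitled-<file>' format is an assumption)."""
    ext = name.rsplit(".", 1)[-1].lower()
    if ext in ("yml", "yaml"):
        m = re.search(r"^\s*title\s*:\s*(.+?)\s*$", content, re.MULTILINE)
        if m:
            return m.group(1).strip("'\"")
    elif ext in ("yar", "yara"):
        # assumption: a YARA file carries its title as a meta key named title
        m = re.search(r'^\s*title\s*=\s*"([^"]*)"', content, re.MULTILINE)
        if m:
            return m.group(1)
    return f"untitled-{name}"

def yara_problems(content):
    """Structural checks a YARA rule must pass to be valid YARA at all."""
    problems = []
    if not re.search(r"^\s*rule\s+\w+", content, re.MULTILINE):
        problems.append("no rule header")
    if "condition:" not in content:
        problems.append("missing condition section")
    if "strings:" in content and not re.search(r"\$\w*\s*=", content):
        problems.append("strings section declares no strings")
    return problems

def precheck(files):
    """files: list of (name, content). Returns {name: [issues]}; empty list means OK."""
    report = {}
    if len(files) > MAX_FILES:
        report["_batch"] = [f"more than {MAX_FILES} files in one upload"]
    for name, content in files:
        issues = []
        ext = name.rsplit(".", 1)[-1].lower()
        if ext not in SUPPORTED_EXT:
            issues.append(f"unsupported extension .{ext}")
        if len(content.encode("utf-8")) > MAX_BYTES:
            issues.append("exceeds the 2 MB per-file limit")
        if ext in ("yar", "yara"):
            issues.extend(yara_problems(content))
        report[name] = issues
    return report
```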
In the Select Content Category, select a category for the content you want to create and click Go. For example, Threat Detection (SNORT/Suricata).
The page populates the fields for the selected category. This includes basic details such as the title, description, and ATT&CK tactic-technique pairs. For more information about the fields, see step 3.
Use the following information to update the details of the files:
Title: The uploaded content in TDL automatically retrieves the title from the file contents. You can modify the title as required. For example, Detect Intrusion: Zeus Botnet C&C Traffic. The title is used to identify the uploaded file and its related details.
Description: The uploaded file automatically retrieves the description from the file contents. You can modify the description as required. For example, The following Snort rule creates an alert if it sees a TCP connection with a payload with a specific sequence of bytes (in this case, the string “ZOOM”).
Use the Matrix, Tactic, and Technique options to add the tactics, techniques, and sub-techniques used by the threat actors. This helps you map the threat to the ATT&CK Navigator dashboard and predict the attacker's behavior. You can map multiple tactic and technique pairs by clicking More.
Code Preview: The code editor shows the file contents in text view. Use the following information to modify the file contents.
Use Edit to modify the contents of the uploaded file.
Use Copy to copy the contents of the uploaded file to the clipboard.
Use Expand to switch focus to the code editor by expanding the code editor. The expand option is not available when modifying TDL content.
Use Download to download the file content to your computer.
Additional Information: Enter additional information for the content. The fields for additional information are automatically populated based on the uploaded file format or the selected content category. For example, log sources can be additional information for SIEM-related files; they describe the security logging used to detect and investigate threats.
Click Save as Draft to save the file as a draft in My Repo. You can make changes to the draft file before sharing it for preview or publishing.
Click Share as Preview to share your file as a preview with other analysts. The content shared for preview is available in the Analyst Repo for other analysts.
After entering the details, click Next to save the content of the uploaded files. Use the following information to add recipients for the content:
By Group Set: Select a group set to add the associated recipient groups. Group sets allow the association of multiple recipient groups as a collection. To create a group set, see Create Groupsets for Recipient Groups.
By Traffic Light Protocol (TLP): Select a TLP value to add the associated recipient groups. Recipient groups in Collaborate are associated with a TLP classification to ensure that the alert information is shared only with the intended recipients.
By Group Type: Select a type to add the associated recipient groups. There are three types of recipient groups: Public Groups, Invite-only Groups, and System Groups. See Recipient Group.
You can add individual recipients for the content using Select Individual Recipients.
Click Publish to publish the content to the recipients.
As the creator, you can view the published content in My Repo. Other analysts can view the content in the Analyst Repo. Members can access the published content in the Shared Repo of the Member Portal.