
Cyware Situational Awareness Platform

Manage TDL Content

The following options are available to manage TDL content. Hover over a content item in the list to view them:

  • View: View TDL content details by either clicking View or by directly clicking the content from the list.

  • Edit: Edit TDL content you have created that is in the Draft or Shared as Preview status.

  • Clone: Create an editable copy of already existing TDL content. This helps you create content based on existing information.

  • Share: Share TDL content with recipient groups and individual recipients.

  • Expire: Expire content to mark it as outdated. Expiring content does not permanently remove the TDL content from the library; its status is marked as Expired. Other analysts and members can still view and clone expired content in the library.

  • Delete: Delete content from the library. Deleting content permanently removes the TDL content from the library, and it is no longer accessible to analysts and members. You can only delete expired content that you have created.

  • Comments: View the comment left on content that analysts have declined. Hover over the icon to view the reason the analyst gave for declining TDL content submitted for analyst or peer review.

This document shows the list of content categories supported by TDL. Analysts can use these categories to create TDL content.

MITRE Engage is a knowledge base developed by the MITRE Corporation and was initially known as MITRE Shield. It provides active defense information based on ten years of adversary engagement experience. Engage provides information for a range of audiences, including practitioner-friendly discussions of defense tactics, techniques, and procedures (TTPs) and CISO-ready considerations of objectives and opportunities.

CAR analytics is a repository of analytics created by MITRE, primarily based on the MITRE ATT&CK adversary model. These analytics are designed to analyze various data domains (such as host, network, process, and external data) and aim to provide effective and well-explained detection logic.

CAR analytics category is not supported when you create content by selecting a category.

SIEM software collects log and event data generated by applications, devices, infrastructure, networks, and systems to provide complete visibility into an organization’s data. SIEMs also analyze data in real time using SIEM rules and statistical correlations to give SOC analysts actionable insights they can use in investigations.

When you create TDL content by selecting a category, you can only create rules for Devo, General (Other) SIEM, and IBM QRadar SIEM.

Threat detection content identifies threats using data from various sources, such as log files, monitoring tools, error messages, intrusion detection systems, and firewalls. Analysts can perform analysis after detection to understand its exact nature and the scope of the threat.
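The two paragraphs above describe SIEM rules and detection content in general terms: rules and correlations applied to log data in real time. The following is an added example, not Cyware's code and not a rule from the TDL; it shows the shape of a simple correlation rule (repeated failed logins from one source within a sliding time window) applied to constructed log lines. The log format, field names, threshold and window are assumptions made for the example.

```python
"""Added example (not Cyware's code): a SIEM-style correlation rule.

Counts failed logins per source address inside a sliding time window and
raises one alert per source once the count reaches a threshold, the way a
brute-force detection rule in a SIEM would. The log lines and field names
below are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: "<timestamp> <outcome> user=<u> src=<ip>"
SAMPLE_LOGS = """\
2024-05-01T10:00:01 LOGIN_FAILED user=alice src=203.0.113.7
2024-05-01T10:00:05 LOGIN_FAILED user=alice src=203.0.113.7
2024-05-01T10:00:09 LOGIN_OK user=bob src=198.51.100.2
2024-05-01T10:00:12 LOGIN_FAILED user=root src=203.0.113.7
2024-05-01T10:00:15 LOGIN_FAILED user=admin src=203.0.113.7
2024-05-01T10:00:20 LOGIN_FAILED user=alice src=203.0.113.7
2024-05-01T10:07:00 LOGIN_FAILED user=carol src=198.51.100.2
2024-05-01T10:07:30 LOGIN_FAILED user=carol src=198.51.100.2
"""


def parse_line(line):
    """Turn one constructed log line into a dict of fields."""
    ts_str, outcome, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts_str), "outcome": outcome, **kv}


def correlate_failed_logins(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source that reaches `threshold` failures within `window`.

    Each alert records the source, the number of failures in the window,
    and the timestamps of the first and last failure that triggered it.
    """
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerted = set()              # sources already reported, to suppress duplicate alerts
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["outcome"] != "LOGIN_FAILED":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        # Drop failures that have aged out of the sliding window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"src": ev["src"], "count": len(q),
                           "first": q[0], "last": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate_failed_logins(SAMPLE_LOGS):
        print(f"ALERT brute-force from {alert['src']}: "
              f"{alert['count']} failures between {alert['first']} and {alert['last']}")
```

With the defaults, only 203.0.113.7 triggers an alert (five failures in 19 seconds); 198.51.100.2 has two failures and stays below the threshold. Lowering the threshold to 2 alerts on both sources, which illustrates why rule thresholds and windows are the tunable part of SIEM content.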

Orchestration playbooks are a well-defined set of actions that are organized as a workflow to respond to an incident or a threat. They are designed to perform a multitude of security automation and orchestration tasks that are part of the incident response process. Security analysts can use playbooks to automate various manual and repetitive tasks, as well as to orchestrate common scenarios including but not restricted to analyzing vulnerabilities, IOCs (Indicators of Compromise), searching for suspicious logs, and more.

Response (Playbook) category is not supported when you create content by selecting a category.

Threat detection content identifies threats using data from various sources. Snort and Suricata are two of the detection tools used by security analysts. Snort is an open-source intrusion detection and intrusion prevention system (IDS/IPS) that monitors and analyzes network traffic in real time to help identify and prevent potential security breaches. Suricata is a Network Security Monitoring (NSM) tool that can detect and block attacks against your network using rules.

Threat Detection (Snort/Suricata) category is not supported when you create content by selecting a category.

MITRE ATT&CK framework TTP analysis can help security teams detect and mitigate attacks by understanding the way threat actors operate. Tactics are the types of activity that cybercriminals use to carry out an attack, while techniques are the general methods that attackers use to achieve their goals. A procedure is a specific series of steps that cybercriminals use to carry out an attack.

Warning lists are lists of well-known indicators that can be associated with potential false positives, errors, or mistakes.
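The paragraph above defines warning lists but not how they are applied. The following is an added example, not Cyware's code and not a warning list from the TDL; it screens a set of indicators against warning lists using exact values, CIDR ranges and domain suffixes, and reports which list each flagged indicator matched so an analyst can judge whether it is a likely false positive. The list names, entries and indicators are constructed for the example.

```python
"""Added example (not Cyware's code): applying warning lists to indicators.

A warning list holds well-known values (public DNS resolvers, private IP
ranges, popular domains) that are likely false positives when they show up
as indicators. This screens indicators against such lists, matching exact
values, CIDR ranges and domain suffixes. All entries below are constructed.
"""
import ipaddress

# Constructed warning lists: list name -> entries (IPs, CIDR ranges or domains)
WARNING_LISTS = {
    "public-dns-resolvers": ["8.8.8.8", "1.1.1.1"],
    "rfc1918-private-ranges": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "well-known-domains": ["microsoft.com", "google.com"],
}


def _compile(entries):
    """Split a list's entries into IP networks and normalised domains."""
    nets, domains = [], []
    for entry in entries:
        try:
            # A bare IP becomes a /32 (or /128) network; CIDRs parse as-is.
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            domains.append(entry.lower().strip("."))
    return nets, domains


COMPILED = {name: _compile(entries) for name, entries in WARNING_LISTS.items()}


def matching_lists(indicator):
    """Return the names of every warning list the indicator matches."""
    value = indicator.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        addr = None
    hits = []
    for name, (nets, domains) in COMPILED.items():
        if addr is not None:
            if any(addr in net for net in nets):
                hits.append(name)
        elif any(value == d or value.endswith("." + d) for d in domains):
            # Suffix match with a leading dot: "mail.google.com" matches,
            # "notgoogle.com" does not.
            hits.append(name)
    return hits


def screen_indicators(indicators):
    """Split indicators into those worth actioning and those flagged by a warning list."""
    keep, flagged = [], {}
    for indicator in indicators:
        hits = matching_lists(indicator)
        if hits:
            flagged[indicator] = hits
        else:
            keep.append(indicator)
    return keep, flagged


if __name__ == "__main__":
    # Constructed indicators as they might arrive in a threat feed.
    sample = ["203.0.113.7", "8.8.8.8", "192.168.1.20", "mail.google.com",
              "notgoogle.com", "evil-example.invalid"]
    keep, flagged = screen_indicators(sample)
    print("actionable:", keep)
    for indicator, lists in flagged.items():
        print(f"flagged {indicator}: matched {', '.join(lists)}")
```

Flagged indicators are not discarded; they are tagged with the list that matched so the analyst sees why a hit is doubtful. Suffix matching is anchored on a dot so that lookalike domains are not hidden by the warning list.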

YARA rules are used to identify malware files and various indicators, including IP addresses, hashes, domains, and more, by matching known patterns. YARA rules can identify distinctive traits, such as byte patterns and strings, associated with a malware sample or an entire malware family.

Threat Detection (YARA Rules) category is not supported when you create content by selecting a category.

Important

This category is available from Collaborate v3.8.5 onwards.

Zeek is an open-source network monitoring tool that detects threats through real-time network traffic analysis. It identifies suspicious activity and security breaches with deep protocol analysis and detailed session logs. Zeek’s customizable scripting language enables you to create specific rules for detecting network anomalies and potential threats.

Threat Detection (Zeek) category is not supported when you create content by selecting a category.