Cyware Situational Awareness Platform

TDL Content Examples

The following sections contain validated examples of all the content types supported in the Threat Defender Library. You can use these examples to create valid TDL content in the supported file formats.

YARA rules are used to identify malware files and various indicators, including IP addresses, hashes, domains, and more, by matching known patterns. YARA rules can identify distinctive traits such as byte patterns and strings associated with a malware sample or an entire malware family. TDL allows analysts to create and validate custom YARA rules that align with their organization's security needs. Additionally, TDL enables the swift duplication of pre-existing YARA rules for the detection of security threats and newly discovered malware patterns. Users can also import YARA rules in the .yara and .yar file formats. The following YARA rule is an example of successfully validated TDL content:

rule blackhole2_jar : EK
{
meta:
   author = "John Doe"
   date = "2016-06-27"
   description = "BlackHole Exploit Kit Detection"
   hash0 = "sjhbsvkiusbdosdbvskdvbsd"
   sample_filetype = "unknown"
   yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
   $string0 = "k0/3;N"
   $string1 = "g:WlY0"
   $string2 = "(ww6Ou"
   $string3 = "SOUGX["
   $string4 = "7X2ANb"
   $string5 = "r8L<;zYH)"
   $string6 = "fbeatbea/fbeatbee.classPK"
   $string7 = "fbeatbea/fbeatbec.class"
   $string8 = "fbeatbea/fbeatbef.class"
   $string9 = "fbeatbea/fbeatbef.classPK"
   $string10 = "fbeatbea/fbeatbea.class"
   $string11 = "fbeatbea/fbeatbeb.classPK"
   $string12 = "nOJh-2"
   $string13 = "[af:Fr"
condition:
   13 of them
}

YAML is a human-readable data-serialization language that is useful for managing data. It is often used as a format for configuration files, but its object serialization abilities also make it a substitute for formats such as JSON. YAML is used to write detection rules in the security community; Sigma rules are one such example. Sigma makes it easy to perform content matching against collected logs and raise threat alerts for analysts to investigate. Log files are usually collected and stored in a database or SIEM solution for further analysis. YAML files are also used to create MITRE Cyber Analytics Repository (CAR) analytics for detection. Sigma rules and CAR analytics can be imported in both the .yaml and .yml file formats. The following YAML rule is an example of successfully validated TDL content:

title: Antivirus Hacktool Detection
id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool
status: experimental
date: 2021/08/16
author: Florian Roth
references:
    - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
logsource:
    product: antivirus
detection:
    selection:
        - Signature|startswith:
            - 'HTOOL'
            - 'HKTL'
            - 'SecurityTool'
            - 'ATK/'  # Sophos
        - Signature|contains:
            - 'Hacktool'
    condition: selection
fields:
    - FileName
    - User
falsepositives:
    - Unlikely
level: high
tags:
    - attack.execution
    - attack.t1204
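To show what "content matching based on collected logs" means for the rule above, here is an added example (not Cyware's or the Sigma project's code) that evaluates the rule's selection block against constructed antivirus events. It assumes the documented Sigma semantics: a list of maps is OR-ed, fields within one map are AND-ed, listed values for one field are OR-ed, and string matching is case-insensitive; only the modifiers the rule uses are implemented.

```python
# Evaluator for the Sigma 'selection' block above (added example, not Cyware's code).
# Semantics follow the Sigma spec: list of maps = OR, fields in one map = AND,
# list of values for a field = OR, string matching case-insensitive.

RULE = {
    "title": "Antivirus Hacktool Detection",
    "logsource": {"product": "antivirus"},
    "detection": {
        "selection": [
            {"Signature|startswith": ["HTOOL", "HKTL", "SecurityTool", "ATK/"]},
            {"Signature|contains": ["Hacktool"]},
        ],
        "condition": "selection",
    },
}

def _match_value(actual, expected, modifier):
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    if modifier == "":           # no modifier: exact (case-insensitive) match
        return a == e
    raise ValueError(f"unsupported modifier: {modifier}")

def _match_item(item, event):
    # One map: every field must match (AND); listed values are alternatives (OR).
    for key, expected in item.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event[field], v, modifier) for v in values):
            return False
    return True

def selection_matches(rule, event):
    sel = rule["detection"]["selection"]
    return any(_match_item(i, event) for i in (sel if isinstance(sel, list) else [sel]))

# Constructed sample antivirus events (not real telemetry).
EVENTS = [
    {"FileName": "mimi.exe", "User": "alice", "Signature": "HKTL_Mimikatz"},
    {"FileName": "tool.exe", "User": "bob", "Signature": "Trojan.GenericKD"},
    {"FileName": "pw.exe", "User": "carol", "Signature": "Win32/HackTool.Agent"},
]

def alerts(rule, events):
    return [e["FileName"] for e in events if selection_matches(rule, e)]
```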

A Splunk query is used to run a specific operation within the Splunk software. A Splunk query uses the software's Search Processing Language (SPL) to communicate with a database or other data source, which allows users to analyze their data by querying it. It can be compared to SQL in that it is used for updating, querying, and transforming the data in databases. Splunk's query language is mainly used for parsing log files and extracting reference information from machine-produced data. Splunk query files are saved in the .spl format. The following Splunk query is an example of successfully validated TDL content:

index=main earliest=-7d sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" LogName=System EventCode=7009 Message="A timeout was reached*" | table host _time Message

Snort is an open-source intrusion detection and intrusion prevention system (IDS/IPS) that monitors and analyzes network traffic in real time to help identify and prevent potential security breaches. It analyzes network activity and compares it against predefined Snort rules to identify unusual patterns or behaviors that might indicate an intrusion or attack attempt. Snort rules can also be configured to actively block malicious traffic before it reaches its target, making Snort an effective tool for intrusion prevention. Snort rule files are saved in the .rules format. The following Snort rules are an example of successfully validated TDL content:

# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET RuggedCom default backdoor login attempt"; flow:to_server,established; flowbits:isset,telnet.ruggedcom; content:"factory"; metadata:policy security-ips drop, service telnet; reference:cve,2012-1803; reference:url,www.securityfocus.com/archive/1/522467; classtype:attempted-admin; sid:21938; rev:4;)
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET login failed"; flow:to_client,established; content:"Login failed"; nocase; metadata:ruleset community, service telnet; classtype:bad-unknown; sid:492; rev:15;)
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET login incorrect"; flow:to_client,established; content:"Login incorrect"; metadata:ruleset community, service telnet; classtype:bad-unknown; sid:718; rev:16;)

Suricata is a Network Security Monitoring (NSM) tool that can detect and block attacks against your network. Suricata rules are pluggable intelligence components used to detect known threats in network traffic; they are also used for sharing threat intelligence and matching it against network traffic. Suricata rules are saved in the .rules format. The following Suricata rules are an example of successfully validated TDL content:

alert ip any any -> any any (msg:"SURICATA Applayer Mismatch protocol both directions"; flow:established; app-layer-event:applayer_mismatch_protocol_both_directions; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260000; rev:1;)
alert ip any any -> any any (msg:"SURICATA Applayer Wrong direction first Data"; flow:established; app-layer-event:applayer_wrong_direction_first_data; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260001; rev:1;)
alert ip any any -> any any (msg:"SURICATA Applayer Detect protocol only one direction"; flow:established; app-layer-event:applayer_detect_protocol_only_one_direction; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260002; rev:1;)
alert ip any any -> any any (msg:"SURICATA Applayer Protocol detection skipped"; flow:established; app-layer-event:applayer_proto_detection_skipped; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260003; rev:1;)
# alert if STARTTLS was not followed by actual SSL/TLS
alert tcp any any -> any any (msg:"SURICATA Applayer No TLS after STARTTLS"; flow:established; app-layer-event:applayer_no_tls_after_starttls; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260004; rev:2;)
# unexpected protocol in protocol upgrade
alert tcp any any -> any any (msg:"SURICATA Applayer Unexpected protocol"; flow:established; app-layer-event:applayer_unexpected_protocol; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260005; rev:1;)

#next sid is 2260006

Orchestrate playbooks are a well-defined set of actions organized as a workflow to respond to an incident or a threat. They are designed to perform a multitude of security automation and orchestration tasks that are part of the incident response process. Security analysts can use playbooks to automate manual and repetitive tasks and to orchestrate common scenarios, including but not restricted to analyzing vulnerabilities and IOCs (Indicators of Compromise), searching for suspicious logs, and more. Playbooks accelerate the entire incident response process by enabling security teams to quickly detect and remove false positives, respond intelligently, and mitigate increasingly complex malicious attacks. The following JSON is an example playbook exported from the Orchestrate application:

{
    "title": "Enrich IP Address",
    "start_node": "start",
    "nodes": {
        "1": {
            "type": "MEMORY",
            "internal_id": "1",
            "title": "Memory Node 1",
            "description": null,
            "actions": [],
            "conditions": [],
            "extra_params": {
                "position": {
                    "x": 280,
                    "y": 150
                },
                "validations": {
                    "is_not_valid": false
                }
            },
            "io_params_format": {},
            "stop_on_error": true,
            "memory_params": {
                "ip_address": "1.1.1.1"
            },
            "sub_type": "PREDEFINED",
            "condition_type": null,
            "io_params_email_details": null,
            "enable_io_param_email_details": false,
            "enable_app_notification": false,
            "data_storage_params": {},
            "storage_manager_reference": []
        },
        "start": {
            "type": "START",
            "internal_id": "start",
            "title": "Start",
            "description": null,
            "actions": [],
            "conditions": [],
            "extra_params": {
                "position": {
                    "x": 400,
                    "y": 50
                }
            },
            "io_params_format": {},
            "stop_on_error": true,
            "memory_params": {},
            "sub_type": "start",
            "condition_type": null,
            "io_params_email_details": null,
            "enable_io_param_email_details": false,
            "enable_app_notification": false,
            "data_storage_params": {},
            "storage_manager_reference": []
        },
        "2": {
            "type": "REGULAR",
            "internal_id": "2",
            "title": "AbuseIPDB - Get IP Address Reputation Details - Version 1.0.1",
            "description": null,
            "actions": [
                {
                    "action": "check_ip_address",
                    "parameter_data_source": {
                        "loop_keys": [],
                        "ip_address": "${const::ip_address}"
                    },
                    "action_type": "PREDEFINED",
                    "code": null,
                    "app_instances": [
                        "abuseipdb_ip_enrichment"
                    ],
                    "playbook": null,
                    "playbook_data": null,
                    "action_data": {
                        "action_identifier": "check_ip_address",
                        "app": "abuse_ipdb",
                        "app_slug": "abuse_ipdb_1_0_1",
                        "app_version": "1.0.1",
                        "app_title": "AbuseIPDB",
                        "action_title": "Get IP Address Reputation Details",
                        "is_system": true
                    },
                    "output_params": {},
                    "save_customized_result": false,
                    "run_async": false,
                    "action_run_attempt": 1,
                    "action_run_buffer_time": 1,
                    "save_result": true,
                    "save_input_keys": "ip_address,get_report_since,detailed_report",
                    "storage_manager_reference": []
                }
            ],
            "conditions": [],
            "extra_params": {
                "position": {
                    "x": 280,
                    "y": 290
                },
                "validations": {
                    "is_not_valid": false
                }
            },
            "io_params_format": {},
            "stop_on_error": true,
            "memory_params": {},
            "sub_type": "PREDEFINED",
            "condition_type": null,
            "io_params_email_details": null,
            "enable_io_param_email_details": false,
            "enable_app_notification": false,
            "data_storage_params": {},
            "storage_manager_reference": []
        },
        "3": {
            "type": "REGULAR",
            "internal_id": "3",
            "title": "Cyware Email Service - Send Email - Version 1.3.0",
            "description": null,
            "actions": [
                {
                    "action": "send_email",
                    "parameter_data_source": {
                        "loop_keys": [],
                        "sender_name": "John Doe",
                        "sender_email": "coqa@cyninjadev.com",
                        "email_message": "Attached IP Enrichment Results",
                        "email_subject": "IP Enrichment Results",
                        "recipient_list": "john.doe@example.com"
                    },
                    "action_type": "PREDEFINED",
                    "code": null,
                    "app_instances": [
                        "orchestrate_email_service"
                    ],
                    "playbook": null,
                    "playbook_data": null,
                    "action_data": {
                        "action_identifier": "send_email",
                        "app": "cyware_email",
                        "app_slug": "cyware_email_1_3_0",
                        "app_version": "1.3.0",
                        "app_title": "Cyware Email Service",
                        "action_title": "Send Email",
                        "is_system": true
                    },
                    "output_params": {},
                    "save_customized_result": false,
                    "run_async": false,
                    "action_run_attempt": 1,
                    "action_run_buffer_time": 1,
                    "save_result": true,
                    "save_input_keys": "sender_name,reply_to,sender_email,recipient_list,cc_list,bcc_list,email_message,file_attachment,email_subject",
                    "storage_manager_reference": []
                }
            ],
            "conditions": [],
            "extra_params": {
                "position": {
                    "x": 280,
                    "y": 430
                },
                "validations": {
                    "is_not_valid": false
                }
            },
            "io_params_format": {},
            "stop_on_error": true,
            "memory_params": {},
            "sub_type": "PREDEFINED",
            "condition_type": null,
            "io_params_email_details": null,
            "enable_io_param_email_details": false,
            "enable_app_notification": false,
            "data_storage_params": {},
            "storage_manager_reference": []
        }
    },
    "edges": [
        {
            "source_node": "1",
            "destination_node": "2",
            "label": "DEFAULT_LABEL",
            "extra_params": {
                "source_port": "bottom",
                "target_port": "top"
            }
        },
        {
            "source_node": "2",
            "destination_node": "3",
            "label": "DEFAULT_LABEL",
            "extra_params": {
                "source_port": "bottom",
                "target_port": "top"
            }
        },
        {
            "source_node": "start",
            "destination_node": "1",
            "label": "DEFAULT_LABEL",
            "extra_params": {
                "source_port": "bottom",
                "target_port": "top"
            }
        }
    ],
    "type": "UI",
    "labels": [],
    "tags": [],
    "extra_params": {
        "current_node": "start"
    },
    "status": "ACTIVE",
    "script_content": "",
    "cron_expression": null,
    "output_params": {
        "Result": "IP Enrichment Successful"
    },
    "is_runnable": true,
    "description": null,
    "auto_terminate": false,
    "auto_terminate_interval": null,
    "categories": [],
    "schedule_info": {
        "details": {
            "ends": "never",
            "mode": "once",
            "end_value": true,
            "repeat_on": [],
            "run_count": 0,
            "start_time": "2023-09-04T09:43:38.935Z"
        },
        "is_scheduled": false
    },
    "storage_manager_reference": [],
    "priority": "2"
}
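To make the export's structure concrete, here is an added example (not Cyware's code) that walks the playbook above: it follows the edges from start_node to derive the run order and fills the ${const::ip_address} reference in node 2 from the MEMORY node's memory_params. It reads only fields visible in the export on a trimmed copy of it; how the real Orchestrate engine resolves these references is an assumption, not something this page documents.

```python
# Walks the Orchestrate playbook export above (added example, not Cyware's code).
# It reads only fields visible in the export: start_node, nodes, edges, memory_params
# and ${const::<key>} references; how the real engine resolves them is an assumption.
import re
CONST_REF = re.compile(r"\$\{const::([A-Za-z_][A-Za-z0-9_]*)\}")

PLAYBOOK = {  # trimmed copy of the export above, keeping only the fields read here
    "start_node": "start",
    "nodes": {
        "start": {"type": "START", "actions": [], "memory_params": {}},
        "1": {"type": "MEMORY", "actions": [], "memory_params": {"ip_address": "1.1.1.1"}},
        "2": {"type": "REGULAR", "memory_params": {}, "actions": [{"action": "check_ip_address",
              "parameter_data_source": {"loop_keys": [], "ip_address": "${const::ip_address}"}}]},
        "3": {"type": "REGULAR", "memory_params": {}, "actions": [{"action": "send_email",
              "parameter_data_source": {"loop_keys": [], "recipient_list": "john.doe@example.com"}}]},
    },
    "edges": [
        {"source_node": "1", "destination_node": "2", "label": "DEFAULT_LABEL"},
        {"source_node": "2", "destination_node": "3", "label": "DEFAULT_LABEL"},
        {"source_node": "start", "destination_node": "1", "label": "DEFAULT_LABEL"},
    ],
}

def execution_order(playbook):
    """Follow the edges from start_node; returns node ids in run order, rejecting cycles."""
    next_of = {e["source_node"]: e["destination_node"] for e in playbook["edges"]}
    order, node = [], playbook["start_node"]
    while node is not None:
        if node in order:
            raise ValueError(f"cycle at node {node}")
        order.append(node)
        node = next_of.get(node)
    return order

def resolve_params(playbook):
    """Return {(node_id, action): params} with ${const::..} filled from memory_params."""
    consts, resolved = {}, {}
    for nid in execution_order(playbook):
        node = playbook["nodes"][nid]
        consts.update(node.get("memory_params", {}))  # set on MEMORY nodes; empty elsewhere
        for act in node.get("actions", []):
            params = {}
            for key, val in act["parameter_data_source"].items():
                for ref in CONST_REF.findall(val) if isinstance(val, str) else []:
                    if ref not in consts:
                        raise KeyError(f"{nid}/{act['action']}: unknown const {ref}")
                    val = val.replace("${const::" + ref + "}", str(consts[ref]))
                params[key] = val
            resolved[(nid, act["action"])] = params
    return resolved
```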