Threat Defender Library
Notice
This feature is only available for Cyware cloud-based deployments
Threat Defender Library (TDL) is a repository that helps you utilize content for threat detection, analysis, and response. In Collaborate, TDL serves as a repository for collecting and distributing this threat defender content, enabling you to respond to threats faster and with greater accuracy.
You can create, upload, manage, and share files such as:
SIEM rules files, for example, Splunk, Devo, and Sigma
Threat detection files, including YARA Rules, log sources, Suricata, Snort Rules, and more
Analytics files such as Cyber Analytics Repository (CAR) reports
Orchestrate Playbooks
How does it work?
TDL simplifies the process of creating, sharing, and collaborating on threat defender rules and content.
Let us take an example of a Snort detection rule and see how TDL helps you, as a member, respond to threats faster:
Create a Snort rule and share it as a preview with other members for feedback. The following Snort rule creates an alert in the IPS system when it identifies a TCP connection with a payload with a specific sequence of bytes (in this case, the string “ZOOM”).
alert tcp any any -> any any (msg:”Possible Zeus Botnet C&C Traffic”; flow:established,to_server; content:”|5a 4f 4f 4d 00 00|”; depth:6; sid:1000005; rev:1;)
To create TDL content, see Create TDL Content.
If the peer review step is enabled, you can share the content with other members (peers) of your organization for peer review before submitting it for analyst review.
After the content is reviewed and approved by analysts, it is available in the Shared Repo of the TDL and can be utilized by members.
Analysts can also publish and share the TDL content with other member organizations to help them in the detection of the Zeus Botnet.
What are the use cases of Threat Defender Library?
Security teams often face challenges in establishing consistent detection and containment processes, resulting in slower incident response and reduced effectiveness. TDL simplifies this by providing verified content and facilitating the sharing of important detection files like Yara, Snort, and Suricata, which significantly enhances threat detection capabilities and overall incident handling efficiency.
Creating defender content often requires specialized knowledge and adherence to specific formats, which can hinder efficient content creation. TDL overcomes this challenge by allowing you to easily create content without additional expertise. You can either upload supported files for validation or use the versatile code editor to streamline content creation.
Existing SIEM detection rules are confined within vendor or platform-specific silos, posing challenges when it comes to sharing them with the broader cybersecurity community. TDL solves this by letting you create and distribute verified SIEM rules across the cybersecurity community, ensuring agility in responding to evolving threats. Additionally, you can use these rules to publish Collaborate alerts for quick action in SIEM or XDR tools.
Security teams require rapid threat detection and mitigation to prevent damage. They take actions like isolating systems, deactivating compromised accounts, and blocking malicious network traffic. Sharing TDL content or attaching it to alerts allows quick access to validated information enabling swift responses to common and organization-specific threats.
Utilize the publicly available information from the open-source OSINT repository to create TDL content for known threats. The availability of OSINT content is managed from the Analyst Portal.
TDL Repositories
The content in the Threat Defender Library (TDL) is organized into the following four repositories:
My Repo | Contains the content you have created. The content in this section has statuses such as Draft, Shared as Preview, Under Peer Review, Under Analyst Review, Declined by Peer, Declined by Analyst, Published, and Expired. |
My Org Repo | Contains the content created by other members of your organization in the Member Portal. The content in this section can contain statuses such as Shared as Preview, Under Peer Review, Under Analyst Review, Declined by Analyst, Declined by Peer, Expired, and Published. |
Shared Repo | Contains the content that is published and shared with you by analysts. |
OSINT Repo | Contains external content created by open-source repositories. Open-source intelligence (OSINT) is the intel produced by collecting, evaluating, and analyzing publicly available information with the purpose of answering specific intel queries. The availability of OSINT content in the Member Portal is managed by analysts. |
TDL Statuses
The TDL content organized in My Repo, Analyst Repo, Members Repo, and OSINT Repo can have the following statuses:
Draft | This status indicates content drafted by you in My Repo. |
Shared as Preview | This status indicates that the content is shared as a preview with peer members from the same organization. Members who are part of your organization can view the content shared for preview in My Org Repo. |
Under Analyst Review | This status indicates that the TDL content is shared with analysts for review. After approval, analysts can publish the content to recipient groups and individual recipients. The TDL content with Under Analyst Review status is available in My Repo and My Org Repo. |
Under Peer Review | This status indicates the content is shared for peer review with members of your organization. Members who are part of your organization can view and review this content in My Org Repo. |
Declined by Analyst | This status indicates content that is declined by the analyst after review. The review approval process allows members to submit TDL content to analysts for approval. If analysts find the content to be incorrect or not relevant, they can decline the content with a comment. The TDL content with the status is available in My Repo and My Org Repo. |
Declined by Peer | This status indicates content that is declined by other members of your organization after review. Other members can review your content when the peer review step is configured in the Analyst Portal. The TDL content with the status is available in My Repo and My Org Repo. |
Published | This status indicates content published by analysts. The TDL content with this status is available in Shared Repo. |
Expired | This status indicates content that is expired by analysts and members. As a member, you can only expire content that you create. The TDL content with this status is available in My Repo and My Org Repo. |