
Cyware Situational Awareness Platform

Create TDL Content

You can create content in the Threat Defender Library (TDL) using different methods depending on the type of content. You can use the following methods to create content in TDL:

  • Upload Files: You can upload files to TDL in formats such as YML, YAML, YAR, YARA and more. To view validated content examples for all the supported file formats, see TDL Content Examples.

  • Create content using code editor: You can create and validate content using the built-in code editor and file validator. You can create content in formats such as YML, YAML, YAR, YARA, SPL, RULES, and JSON. To view validated content examples for all the supported file formats, see TDL Content Examples.

  • Create content by selecting a category: You can create TDL content by selecting a content category. This makes TDL content creation easier for users without technical expertise and more accessible to a wide range of users. The content creation form provides a list of categories widely used by security analysts for threat detection and response. You can select from the supported categories to create TDL content. For more information, see TDL Content Categories.

Before you Start

The recipient groups you are part of must have permission to create TDL content. For assistance, contact your Collaborate administrator.

Steps

To create TDL content, follow these steps:

  1. In the Member Portal, click Threat Defender Library in the sidebar.

  2. Click Create Content. Use one of the following methods to create TDL content:

    • Drag and drop the files or click Browse to upload the files. You can upload a maximum of 10 files, and the maximum size limit for each file is 2 MB. For content examples of the supported file formats, see TDL Content Examples.

      After you upload files, you can view the file name, size, and title of each uploaded file. The displayed title is taken from the title in the file content. Click Edit to modify the details of the uploaded files. For more information about the file fields, see step 3.

    • In the Write Code section, select a file category for the content you want to create. For example, Threat Detection (YARA Rules).

      1. Select a file extension for the file category. For example, yara. The available file extensions depend on the file category you selected.

      2. Click Go to open the code editor. The following code is an example of a detection YARA rule:

        rule blackhole2_jar : EK
        {
          meta:
            author = "John Doe"
            date = "2016-06-27"
            description = "BlackHole Exploit Kit Detection"
            hash0 = "sfhbdkblSKDJHBADKBAD"
            sample_filetype = "unknown"
            yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
          strings:
            $string0 = "k0/3;N"
          condition:
            $string0
        }

      3. Click Validate to verify the format of the content. Refer to the validated content examples for all the supported file formats to create content in a valid format.

      4. Click Save Changes, and enter a name for the file. For example, Blackhole Exploit Kit Detection.

      5. Click Save.

        The page displays the file name, size, and title of the newly created content. The title is retrieved from the file content. If the file content does not provide a title, a default file name is populated. Click Edit to modify the details of the code. For more information about the fields, see step 3.

    • In the Select Content Category section, select a category for the content you want to create and click Go. For example, Threat Detection (SNORT/Suricata).

      The page populates the fields for the selected category. This includes basic details such as the title, description, and ATT&CK tactic-technique pairs. For more information about the fields, see step 3.

  3. Use the following information while creating content:

    • Title: The uploaded content in TDL automatically retrieves the title from the file content. You can modify the title as required. For example, Detect Intrusion: Zeus Botnet C&C Traffic. The title is used to identify the uploaded file and its related details.

    • Description: The uploaded file automatically retrieves the description from the file contents. You can modify the description as required. For example, The below Snort rule creates an alert if it sees a TCP connection with a payload with a specific sequence of bytes (in this case, the string “ZOOM”).

    • Use the Matrix, Tactic, and Technique options to add the tactics, techniques, and sub-techniques used by the threat actors. This helps you map the threat to the ATT&CK Navigator dashboard and predict the attacker's behavior. You can map multiple tactic and technique pairs by clicking More.

    • Code Preview: The code editor shows the file contents in text view. Use the following information to modify the file content.

      • Use Edit to modify the content of the uploaded file.

      • Use Copy to copy the content of the uploaded file to the clipboard.

      • Use Expand to switch focus to the code editor by expanding the code editor.

      • Use Download to download the file content to your computer.

    • Additional Information: Enter additional information for the content. The additional information fields are populated automatically based on the uploaded file format or the selected content category. For example, log sources can be additional information for SIEM-related files. Log sources describe the security logging that is used to detect and investigate security threats.

    • Click Save as Draft to save the file as a draft in My Repo. You can make changes to the draft file before sharing it for preview or publishing.

    • Click Share as Preview to share your file as a preview with other members of your organization. The content is shared for preview and is available to other members of your organization in My Org Repo.

    • Click Submit for Analyst Review to submit the content for analyst review. If analysts approve and publish this content, it is available in the Shared Repo of the Member Portal. If the peer review step is enabled, then you can submit content for analyst review only after peer review.

    • If the peer review step is enabled for you, click Submit for Peer Review to submit the content to your organization members for peer review. Peer members can subsequently submit the content for analyst review. For more information about the review process, see Peer Review TDL Content.
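A pre-upload check that a practitioner can run locally before step 2, as an added example that is not part of this page or of the Cyware product. It applies the upload limits the page states (10 files, 2 MB each, the listed extensions) and does a structural check of a YARA rule of the kind shown in the code editor step: rule header, meta section (assumed here to be where TDL reads the title and description from), strings, and the condition section that YARA requires, including the compile-time rules that every referenced string must be declared and every declared string must be used. The assumption is that this approximates a subset of what the product's Validate button checks; the exact checks TDL performs are not described on the page.

```python
import re
from dataclasses import dataclass, field

# Limits stated in the TDL upload step: at most 10 files, each at most 2 MB.
MAX_FILES = 10
MAX_FILE_BYTES = 2 * 1024 * 1024
# Extensions the page lists for the code editor (assumed to apply to uploads too).
SUPPORTED_EXTENSIONS = {"yml", "yaml", "yar", "yara", "spl", "rules", "json"}

# Constructed sample: the page's example rule, completed with the
# condition section that YARA requires.
SAMPLE_YARA = """rule blackhole2_jar : EK
{
meta:
   author = "John Doe"
   date = "2016-06-27"
   description = "BlackHole Exploit Kit Detection"
strings:
   $string0 = "k0/3;N"
condition:
   $string0
}
"""


@dataclass
class YaraCheck:
    name: str = ""
    meta: dict = field(default_factory=dict)
    strings: set = field(default_factory=set)
    errors: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def check_yara_rule(text: str) -> YaraCheck:
    """Structural pre-check of one YARA rule before upload.

    Assumption: approximates a subset of what TDL's Validate button checks;
    it is not the product's validator and it does not compile the rule.
    """
    result = YaraCheck()
    header = re.search(r"^\s*(?:private\s+|global\s+)*rule\s+(\w+)", text, re.M)
    if not header:
        result.errors.append("missing 'rule <name>' header")
        return result
    result.name = header.group(1)

    # Slice the body into its labelled sections (meta / strings / condition).
    labels = list(re.finditer(r"^\s*(meta|strings|condition):[ \t]*$", text, re.M))
    bodies = {}
    for i, m in enumerate(labels):
        end = labels[i + 1].start() if i + 1 < len(labels) else text.rfind("}")
        bodies[m.group(1)] = text[m.end():end]

    # meta: key = "value" pairs (assumed source of the TDL title/description).
    for key, value in re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', bodies.get("meta", ""), re.M):
        result.meta[key] = value

    # strings: every declared identifier ($name = ...).
    result.strings = set(re.findall(r"^\s*(\$\w*)\s*=", bodies.get("strings", ""), re.M))

    # condition: mandatory in YARA; the page's original snippet lacked it.
    cond = bodies.get("condition", "").strip()
    if not cond:
        result.errors.append("missing or empty 'condition:' section")
        return result

    # Every $name (or $prefix*) used in the condition must be declared ...
    refs = set(re.findall(r"\$\w*\*?", cond))
    uses_them = re.search(r"\bthem\b", cond) is not None
    for ref in refs:
        if ref.endswith("*"):
            if not any(s.startswith(ref[:-1]) for s in result.strings):
                result.errors.append(f"condition references undeclared string {ref}")
        elif ref not in result.strings:
            result.errors.append(f"condition references undeclared string {ref}")
    # ... and every declared string must be used, or yara refuses to compile.
    for s in result.strings:
        referenced = uses_them or s in refs or any(
            r.endswith("*") and s.startswith(r[:-1]) for r in refs)
        if not referenced:
            result.errors.append(f"string {s} is declared but never used")
    return result


def check_upload_batch(files):
    """Apply the page's upload limits to a list of (filename, content_bytes) pairs."""
    problems = []
    if len(files) > MAX_FILES:
        problems.append(f"{len(files)} files exceeds the limit of {MAX_FILES}")
    for name, data in files:
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in SUPPORTED_EXTENSIONS:
            problems.append(f"{name}: unsupported extension '{ext}'")
        if len(data) > MAX_FILE_BYTES:
            problems.append(f"{name}: {len(data)} bytes exceeds 2 MB")
        if ext in ("yar", "yara"):
            check = check_yara_rule(data.decode("utf-8", errors="replace"))
            problems.extend(f"{name}: {e}" for e in check.errors)
    return problems


if __name__ == "__main__":
    result = check_yara_rule(SAMPLE_YARA)
    print(result.name, result.meta.get("description"), "ok" if result.ok else result.errors)
    print(check_upload_batch([("blackhole2_jar.yara", SAMPLE_YARA.encode())]))
```

The same rule with its condition section removed (the shape of the page's original snippet) fails the check, which is the failure a user would otherwise only discover after clicking Validate in the editor.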