TDL Content Categories
This document shows the list of content categories supported by TDL. You, as a member, can use these categories to create TDL content.
MITRE Engage is a knowledge base developed by MITRE. Engage provides information for a range of audiences, from practitioner-friendly discussions of defense tactics, techniques, and procedures (TTPs) to CISO-ready considerations of objectives and opportunities.
CAR analytics (Cyber Analytics Repository) is a repository of analytics created by MITRE, primarily based on the MITRE ATT&CK adversary model. These analytics cover various data domains (such as host, network, process, and external data) and are intended to be effective and well-explained, with their detection logic documented.
The CAR Analytics category is not supported when you create TDL content by selecting a category.
SIEM software collects log and event data generated by applications, devices, infrastructure, networks, and systems, analyzes it, and provides complete visibility into an organization’s data. SIEMs also analyze data in real time using SIEM rules and statistical correlations to give you actionable insights.
When you create TDL content by selecting a category, you can only create rules for Devo, General (Other) SIEM, and IBM QRadar SIEM.
Threat detection content identifies threats using data from various sources, such as log files, monitoring tools, error messages, intrusion detection systems, and firewalls. After a detection, analysts can investigate it to understand the exact nature and scope of the threat.
Orchestrate playbooks are well-defined sets of actions organized as a workflow to respond to an incident or a threat. They are designed to perform a multitude of security automation and orchestration tasks that are part of the incident response process. You can use playbooks to automate manual and repetitive tasks and to orchestrate common scenarios, including but not limited to analyzing vulnerabilities and IOCs (Indicators of Compromise), searching for suspicious logs, and more.
The Response (Playbook) category is not supported when you create content by selecting a category.
Threat detection content identifies threats using data from various sources. Snort and Suricata are two of the detection tools used by security analysts. Snort is an open-source intrusion detection and intrusion prevention system (IDS/IPS) that monitors and analyzes network traffic in real time to help identify and prevent potential security breaches. Suricata is a Network Security Monitoring (NSM) tool that can detect and block attacks against your network using rules.
The Threat Detection (Snort/Suricata) category is not supported when you create content by selecting a category.
MITRE framework TTP analysis can help security teams detect and mitigate attacks by understanding the way threat actors operate. Tactics are the types of activity that cybercriminals use to carry out an attack, while techniques are the general methods that attackers use to achieve their goals. A procedure is a specific series of steps that cybercriminals can use to carry out an attack.
Warning lists are lists of well-known indicators that can be associated with potential false positives, errors, or mistakes.
YARA rules are used to identify malware files and various indicators, including IP addresses, hashes, domains, and more, by matching known patterns. YARA rules can identify distinctive traits, such as byte patterns and strings, associated with a malware sample or an entire malware family.
The Threat Detection (YARA Rules) category is not supported when you create content by selecting a category.