Cyware Threat Intelligence eXchange

Threat Defender Library

Notice

This feature is available on the Intel Exchange applications deployed on Cyware Cloud only.

Threat Defender Library acts as a central repository to contain information and files used in threat detection, hunting, and threat defense. The unique content in this repository adds value to the existing threat-hunting and detection workflows by allowing analysts to quickly respond to organization-specific threats.

Using the Threat Defender Library in CTIX, analysts can do the following:

  • Upload and create threat defender content, such as YARA rules.

  • Detect potentially malicious patterns embedded in a file by evaluating and analyzing it against the threat defender content present in the platform.

Threat Defender Library provides the following benefits:

  • Reduce the time analysts spend researching threats and provide ways to defend against them.

  • Reuse defender content that has already proven itself against similar threats in other regions or industries.

  • Increase threat-hunting capabilities and significantly reduce the time taken to detect and respond to a potential security incident.

In this section

Create Threat Defender Content

Create threat defender content by uploading or manually writing a YARA rule to build your personalized repository.

Before you Start

Ensure that you have the following permissions:

  • Create Threat Defender

  • View Threat Defender

Steps

  1. Navigate to Main Menu and select Threat Defender Library under Analysis.

  2. Click Create Content.

  3. Do any one of the following to create new content:

    • Click Upload File and browse for an existing YARA rule file to import into the platform. The file must be 1 MB or smaller, of type .txt, .yara, or .yar, and its file name must be 50 characters or fewer.

    • Manually enter a rule script in the code block. The script must be 1 MB or smaller for the threat defender content to be submitted successfully.

  4. Click Validate to verify the script syntax. The script must be syntactically valid and 1 MB or smaller for the threat defender content to be submitted successfully.

  5. To categorize or group rules, add tags. You can add a maximum of 25 tags to one rule.

  6. To define additional conditions for the rule, select Add External Variable. For each external variable:

    • Select a variable type: string, boolean, or numeric. The default variable type is String.

    • Enter a key for the selected variable type.

    • Enter a value for the selected variable type.

    You can add a maximum of 15 external variables to a rule.

  7. Click Submit.

Evaluate Files using Threat Defender Library

Analysts can evaluate potentially malicious files by analyzing the file content with threat defender content available in the platform. This allows you to evaluate potentially malicious files without compromising your organization's network.

Before you Start

Ensure that you have the following permissions:

  • Check File Threat Defender

  • View Threat Defender

Steps

  1. Navigate to Main Menu and select Threat Defender Library under Analysis.

  2. Click Check File.

  3. Upload a file to evaluate against the existing threat defender content in the platform.

    Note

    • The file must be 10 MB or smaller and of one of the following types: .exe, .docx, .doc, .txt, .csv, .pdf, .xls, .xlsx, .jar, .js, .apk, .html, .xlsm, .vbs, .ppt, or .pcap.

    • The file name must be 50 characters or fewer. The platform returns an error if the file name exceeds 50 characters.

  4. Search, by tag or by content file, for the threat defender content to analyze the uploaded file with.

    • From the search results, select a threat defender content record and click Check File to obtain a matching percentage. The platform returns a matching percentage based on the strings that match between the uploaded file and the selected threat defender content.

      You can compare the matching percentages and matched strings across all results and choose the most suitable threat defender content to scan the file with.

  5. Click Done to exit the window.

    The evaluated files appear in the Checked Files tab with details such as file name, file extension, the user who checked the file, the rule used to evaluate the file, and more. If any threat defender content is deleted from the library, the corresponding evaluated files display NA under the rule details.
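As an added example (not Cyware's code), the following Python script mirrors two checks from the Create and Evaluate steps above: it validates a rule file against the stated upload limits (50-character name, .txt/.yara/.yar type, 1 MB) and then reports which of a rule's text strings occur in a constructed sample file, together with a matching percentage. The percentage formula (matched text strings divided by total text strings) is an assumption, since the page does not state how the platform computes it; the rule's condition is not evaluated and hex or regex strings are skipped.

```python
# Added example, not Cyware code: pre-checks a YARA rule against the page's upload limits
# and reports matched strings plus a percentage for a sample file. Assumed: percentage =
# matched text strings / total text strings; condition not evaluated; hex/regex skipped.
import re

RULE_EXTS, NAME_MAX, RULE_MAX = (".txt", ".yara", ".yar"), 50, 1024 * 1024  # page limits
# One YARA text string line:  $name = "value" [modifiers]
STRING_RE = re.compile(r'^\s*\$(\w*)\s*=\s*"((?:[^"\\]|\\.)*)"\s*(.*)$', re.M)

def validate_rule_upload(name: str, data: bytes) -> list:
    """Reasons the platform would reject the rule file (empty list = accepted)."""
    problems = []
    if len(name) > NAME_MAX:
        problems.append(f"name longer than {NAME_MAX} characters")
    if not name.lower().endswith(RULE_EXTS):
        problems.append("type must be .txt, .yara or .yar")
    if len(data) > RULE_MAX:
        problems.append("rule larger than 1 MB")
    return problems

def rule_text_strings(rule: str) -> dict:
    """Map $name -> (bytes, modifiers) for every text string in the rule."""
    return {n: (v.encode().decode("unicode_escape").encode("latin-1"), m.split())
            for n, v, m in STRING_RE.findall(rule)}

def string_matches(raw: bytes, mods: list, data: bytes) -> bool:
    """Honour the nocase / wide / ascii modifiers when searching the file bytes."""
    flags = re.IGNORECASE if "nocase" in mods else 0
    variants = [raw.decode("latin-1").encode("utf-16-le")] if "wide" in mods else []
    if "wide" not in mods or "ascii" in mods:
        variants.append(raw)
    return any(re.search(re.escape(v), data, flags) for v in variants)

def check_file(rule: str, data: bytes) -> tuple:
    """Names of the matched strings and the matching percentage for one rule."""
    strings = rule_text_strings(rule)
    hits = [n for n, (raw, mods) in strings.items() if string_matches(raw, mods, data)]
    return hits, (round(100 * len(hits) / len(strings), 1) if strings else 0.0)

SAMPLE_RULE = r'''rule demo_rule {
    strings:
        $cmd = "cmd.exe /c" nocase
        $ps  = "powershell" wide
        $url = "http://example.invalid/payload"
        $mz  = { 4D 5A 90 00 }
    condition:
        2 of them
}'''
# Constructed sample file: MZ header, upper-case cmd string, UTF-16LE "powershell".
SAMPLE_FILE = b"MZ\x90\x00CMD.EXE /C echo hi " + "powershell".encode("utf-16-le")
```

Calling check_file(SAMPLE_RULE, SAMPLE_FILE) returns (['cmd', 'ps'], 66.7): the nocase and wide modifiers are honoured, the URL string is absent, and the hex string is not counted.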

Manage Threat Defender Content

After you create threat defender content, you can view it on the Library tab and manage it as per your requirements.

Before you Start

Ensure that you have the following permissions:

  • Enable Delete for All > Threat Defender

  • Update Threat Defender

You can do the following actions to manage threat defender content:

  • Search: Search for content by created date, created by, and tags. You can view a maximum of 1000 threat defender content records at a time and can search for specific records.

  • Edit: Modify content details, such as by adding or removing tags and external variables. Use the ellipsis to edit.

  • Export: Export details of the individual content record in .yar format to your system to analyze and evaluate the content offline. Use the ellipsis to export.

  • Delete: Delete an individual content record that is no longer required. Use the ellipsis to delete. Your user group must have the Enable Delete for All > Threat Defender permission. When you delete threat defender content, the files you checked using that rule show the rule name as NA in the Checked Files tab.