SOC Prime Introduces Continuous Content Management

December 22, 2020

SOC Prime Introduces Fully Automated System of Continuous Content Management

Continuous Content Management (CCM) is an add-on module for SOC Prime Threat Detection Marketplace. In the November release, we introduced the Automated Content Management system to create a more intuitive platform experience. Here we are going to cover the principal capabilities of the CCM module and how the fully automated Content Management system enables security experts to stream the latest SOC content right into their SIEM instance and take content management to a new level.

Read our blog post on how to gain access to the module and properly set up integrations for your SIEM to enable Continuous Content Management.

Organizing SOC Content Into Static and Dynamic Content Lists

The newly released functionality of the Continuous Content Management module enables security performers who use Microsoft Azure Sentinel and Elastic Cloud to arrange all their SOC content in the form of neatly structured content lists. Customization to the environment settings and content preferences can be applied to:

Dynamic lists that are continuously updated based on the previously added tags
Static lists that display all saved user preferences

All lists are grouped in the following way:

All — all content lists (both static and dynamic)
My — content lists created by the specific user
Recommended — content lists recommended by the Threat Detection Marketplace Admins. They normally address the latest and most topical threats or possess another tangible value to security practitioners.

Security professionals can search for the specific lists by:

Name
List type (static or dynamic)
Number of items the list contains

The following actions are available with the content lists depending on their types:

With all content lists:
- Creating new lists
- Editing lists
- Deleting lists
- Copying lists
With static content lists only
- Adding items to the content list manually
- Deleting specific items
With recommended lists only
- Copying lists*

*Recommended lists can be edited only by the Threat Detection Marketplace Admins. If you do not have Admin privileges, you won’t be able to edit or delete these lists, only copy them.

You can delete specific items only from the static content lists. Dynamic lists can be deleted only with all items they contain.

Copying Content Lists

Where before you had to create content lists from scratch, you can now streamline building your new content lists based on the already existing items. This can be useful when you need to create a new list that only slightly differs from the already existing one. You can create a copy of a similar list by selecting the Copy List option, add all the required changes and save the list copy. After saving, the item will be added to the Content Lists page with the word “copy” in the list name.

Automated Content Deployment and Updates Using Jobs

On the Jobs page, you can now deploy new and update all the existing content items available in your Azure Sentinel or Elastic Cloud instance by setting up and scheduling jobs for created content lists. This allows viewing all action logs and tracking all successful and failed content deployments.

A job compares each content item from the content list with all the existing content that is listed on the Inventory page. If there is no such content item on the Inventory page, such an item will be automatically deployed in the configured API profile of your SIEM.

A job can run under the following conditions:

If the inventory was successful at least once for the last 24 hours

Once it is enabled on the Jobs page by turning the switcher toggle ON under the corresponding column

NEW: Creating and Linking Custom Rule Templates to Jobs

The new functionality in the latest CCM module release allows creating and managing custom rule templates and linking them to newly created jobs. This helps streamline the content management operations and avoid errors that can occur when manually editing the rule.

You can create rule templates for the following platforms:

Azure Sentinel
Elastic
Humio
Sumo Logic*

*You can create rule templates for all these platforms, but currently you can link and then run associated jobs only for Azure Sentinel and Elastic Cloud.

To create a new rule template:

Select Automation > Templates.
Click the Add Rule Template button.
Select the supported platform and content type (if applicable).
Click the Add new template option from the Template drop-down list.
Provide the rule template name and choose whether you want to share it with your company.
Fill in all the required fields, which will differ depending on the platform you’ve selected, like Query Period, Severity (“Low”, “Medium”, “High”, “Critical”), Rule Status (“Enabled”, “Disabled)”, etc.
Optionally, you can configure exceptions by clicking the Exceptions Settings button.
Click the Save Changes button, and the created rule template will appear at the top on the Templates page.

All available rule templates are listed on the separate Templates page within the Continuous Content Management module:

Templates created by you
Templates created by your team members and shared across your organization

After creating a new rule template, you can then link it to the specific job before running this job for automated content deployment or other actions.

You can also manage rule templates in the following way:

Edit the template
Delete the template*

*By deleting the rule template, all active jobs linked to it will be disabled.

Threat Detection Marketplace users can perform the following actions with the created job:

Edit this job
Debug logs for failed content item deployments
Delete this job from the list

Reviewing Content Inventory in Your SIEM

On the Inventory page, you can review and update all the content items available in your Azure Sentinel or Elastic Cloud instance. The inventory is scheduled to run every hour. Users cannot change these settings.

Edit a Single Content Item

You can update content items that are of various sources, even those that do not stem from Threat Detection Marketplace by selecting the Edit Content option from the action menu.

After making changes to the source code, you can then deploy them on the fly right into your SIEM instance with a single click.

Actions with Multiple Content Items

You can also manage multiple content items at a time by selecting one of the available actions:

Enable All — turn on all selected content items that were disabled
Disable All — turn off all selected content items that were enabled
Delete — delete all selected content items
Clear Deleted — remove all content items that were marked as “Deleted” (deleted from your Azure Sentinel or Elastic Cloud instance) from the Inventory page

Marking content as “Deleted” helps check out all content items that have been removed from your SIEM instance. By clicking the Clear Deleted button, these content items will no longer be listed on the Inventory page, but if they are still available in your SIEM instance, they will appear here on the Inventory page once again.

Streamlined Logging with the History Page

Each automated or manual action within the CCM module is logged with the detailed results and can be reviewed on the History page. Here you can see all the logs from jobs, manual deployments, and updates.

The Inventory Log switcher toggle on the History page allows controlling which logs to display. When the switcher toggle is off, you will be able to focus only on the deployment logs rather than being distracted by all logs sent by the system.

To view the deployment result for each content item on the History page, click the Deployment Result status in the corresponding content item row for the content item you want to inspect. You will see the notification pop-up with the details of the rule deployment (successful or failed).

In case of a successful deployment result, you will be notified that content has been successfully deployed to your SIEM environment with the details of the HTTP request.

If the deployment has failed, you will be notified of an issue with the error details, including the failed HTTP request.

Advanced Search Capabilities with Lucene Query Syntax

You can use the Lucene query syntax on the Inventory and History pages using supported fields in the queries to search for the specific SOC content. For example, to display only queries for the Azure Sentinel platform, use the following syntax that includes the content.type field and its predefined value:

content.type:”query”

You can search for content using all fields available for the advanced search with the Lucene queries.

Want to delve into more detail? Check out the CCM Guide we’ve added to the Help Center, so the Threat detection Marketplace users who are new to this module can explore all the content management capabilities it offers for a more streamlined platform experience.

Visit our website for more details on how to purchase the CCM module or try it for free.

New to Threat Detection Marketplace? Sign up to supercharge your security capabilities with access to 85,000+ threat detection and response algorithms, machine learning models, dashboards, parsers, and configs convertible to 20+ SIEM, EDR, and NTDR technologies and mapped to MITRE ATT&CK®.

Name	Descripiton
PHPSESSID	Preserves user session state across page requests. Cookie generated by applications based on the PHP language. This is a general purpose identifier used to maintain user session variables. It is normally a random generated number, how it is used can be specific to the site, but a good example is maintaining a logged-in status for a user between pages.
sp_i	Used to store information about authenticated User.
sp_r	Used to store information about authenticated User.
sp_a	Used to store information about authenticated User.

Name	Descripiton
tuuid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
tuuid_last_update	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
um	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
umeh	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
na_sc_x	Used by the social sharing platform AddThis to keep a record of parts of the site that has been visited in order to recommend other parts of the site.
APID	Collects anonymous data related to the user's visits to the website.
IDSYNC	Collects anonymous data related to the user's visits to the website.
_cc_aud	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_cc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_dc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_id	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
dpm	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
acs	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
clid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
KRTBCOOKIE_#	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PUBMDCID	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PugT	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
ssi	Registers a unique ID that identifies a returning user's device. The ID is used for targeted ads.
_tmid	Registers a unique ID that identifies the user's device upon return visits. The ID is used to target ads in video clips.
wam-sync	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
wui	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
AFFICHE_W	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
B	Collects anonymous data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The registered data is used to categorise the users' interest and demographical profiles with the purpose of customising the website content depending on the visitor.
1P_JAR	These cookies are used to gather website statistics, and track conversion rates.
APISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
HSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
NID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SAPISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SIDCC	Security cookie to protect users data from unauthorised access.
SSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
__utmx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.
__utmxx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.

Name	Descripiton
_hjid	Hotjar cookie. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInSample	This cookie is associated with web analytics functionality and services from Hot Jar, a Malta based company. It uniquely identifies a visitor during a single browser session and indicates they are included in an audience sample.
intercom-id-[xxx]	This cookie is used by Intercom as a session so that users can continue a chat as they move through the site.
intercom-session-[xxx]	Used to keeping track of sessions and remember logins and conversations.
demdex	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
CookieConsent	Stores the user's cookie consent state for the current domain.
__cfduid	Used by the content network, Cloudflare, to identify trusted web traffic.
ss	These cookies enable the website to provide enhanced functionality and personalisation . They may be set by us or by third party providers whose services we have added to our pages. These services may include the Live Chat facility, Contact Us form(s), the Product Quotation forms and submission process, and the Email Newsletter sign up functionality .

Name	Descripiton
_ga	This cookie name is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page. Registers a unique ID that is used to generate statistical data on how the visitor uses the website. request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.
_gat	Used by Google Analytics to throttle request rate. This cookie name is associated with Google Universal Analytics, according to documentation it is used to throttle the request rate - limiting the collection of data on high traffic sites. It expires after 10 minutes.
_gid	This cookie name is asssociated with Google Universal Analytics. This appears to be a new cookie and as of Spring 2017 no information is available from Google. It appears to store and update a unique value for each page visited. Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
IDE	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
r/collect	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
test_cookie	Used to check if the user's browser supports cookies.
collect	Used to send data to Google Analytics about the visitor's device and behaviour. Tracks the visitor across devices and marketing channels.
ads/user-lists/#	These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites.
c	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
khaos	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
put_#	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpb	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpx	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
tap.php	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.