Overview
There are three types of Content Lists that differ both in the method of adding content and in intended use.
Type | Method of Adding Content | Intended Use |
Static | Add content items manually, one by one, from the SOC Prime Threat Detection Marketplace. When curating a List of this type, you can also remove items, so a Static List contains exactly the items you included. | To automate the deployment of manually curated content. |
Dynamic | Content items are added and continuously updated automatically based on the criteria you define. A Dynamic List can currently include up to 500 content items so that it does not overload your security technology. You can't remove a specific item from a Dynamic List; to change its contents, adjust the inclusion or exclusion criteria. | To automate the management of a continuously updated set of content items matching the selected criteria. |
Inventory | Add content items manually, one by one, from the Inventory page. Added detections can be edited without modifying the original content items on the Inventory page and then deployed to another SIEM instance using separate Jobs. Lists of this type have "Inventory" appended in parentheses after the name to distinguish them. When curating an Inventory List, you can also remove content items. | To copy content items that are already being streamed to a SIEM instance, edit the copies, and deploy them to a different Data Plane without modifying the original detections. |
To learn more about using Lists for automation, see here.
On the Lists page, you can see Content Lists that are available to you.
Tab | Description |
Global | Lists created by the SOC Prime Team and shared with customer companies. Users without Admin privileges can only view these Lists, copy them, or use them in Jobs. |
My | Lists created by you. Other people from your company can view them by default or edit them if the Allow other users from my company to edit this list checkbox is set. |
Company | Lists created by the users from your company (including the Lists created by you). |
Here you can see the following information about Content Lists:
Name | Description |
Type | The List type: Static, Dynamic, or Inventory |
List Name | Name defined by the List author |
Author | Company or user who created the Content List |
Data Plane | The Data Planes set in the Jobs that deploy the List |
Job | The Jobs that deploy the List |
Rule Count | On the My and Company tabs: the number of content items in the List, updated on the fly as the List changes. On the Global tab: the maximum number of content items that can match the filter conditions set for the List; the actual amount of content available from a Global List depends on your subscription plan and company-wide content availability.
For Lists with automatic unlocking of Premium Sigma rules enabled, this column shows the Auto Unlock label. The first number above the label is how many rules from the List are already available to your team; the second is the total number of rules in the List. Hover over the numbers to see the legend and the number of Premium rules that can be unlocked. |
Last Updated | Date of the latest update to the Content List |
Click a List to see the content it includes.
All content included in the selected List is displayed. Clicking a content item opens its page in the Threat Detection Marketplace.
For Dynamic Lists, the Rule column shows the rule's availability status:
Available: the rule is available to your team.
Premium: the rule must be unlocked before your team can use it. You can unlock it manually from the Code tab on its page, or automatically by setting the corresponding checkbox in the List settings.
List Settings
Lists of all types have the following settings:
Setting | Description |
Content List Name
(Required) | Name defined by the List author |
Automatically unlock Premium Sigma rules using your team's balance when Jobs deploy content (only for Dynamic Lists)
(Optional) | Set this checkbox to allow automatic unlocking of the Premium Sigma rules included in the List. Unlocking takes place right before the rules from the List are deployed via a CCM Job or downloaded via the API, and each unlock is charged to your team's Premium Sigma rule balance.
A Dynamic List can include up to 500 rules. If the inclusion criteria return more than 500 rules, only the 500 most recently updated rules are included, so automatic unlocking applies only to the locked Premium rules among those 500; matching Premium rules outside that set are neither deployed nor unlocked.
Users with the View Only permission level cannot set this checkbox. However, once Auto Unlock is enabled on a List, a View Only user can still deploy it via a CCM Job or download it via the API, and that deployment or download triggers the unlocking and consumes the balance.
Use automatic unlocking with caution: a broad Dynamic List can quickly consume a large share of your team's Premium Sigma rule balance. |
Allow other users from my company to edit this list
(Optional) | Set this checkbox to allow your teammates to edit the List |
Description
(Optional) | Information about the List provided by its author |
Category
(Optional) | Custom category to group Content Lists. You can select an existing category from the drop-down or create a new one. |
Type
(Required) | Static, Dynamic, or Inventory. The type is fixed when the List is created and cannot be changed later, including in copies of the List. |
Repository selection (only for Static and Dynamic Lists)
(Required) | The repositories the List draws content from. For a Dynamic List this acts as an additional filter; for a Static List it limits the sources from which items can be added.
Notes:
|
Dynamic Lists have additional settings that allow you to continuously deliver newly released content based on the specified parameters:
Setting | Description |
Content Platform | Select one or multiple platforms the content should be intended for:
|
Include Tags | Include Sigma detections that match the specified tags. Start typing and select tags from the drop-down list. You can select the logic of combining multiple tags:
|
Exclude Tags | Exclude Sigma detections that match the specified tags. Start typing and select tags from the drop-down list. You can select the logic of combining multiple tags:
|
Lucene Query | Build a query in Lucene to define what content to include in the List or exclude from it. See Lucene fields and available values.
In Content Lists created before deprecation of the SOC Prime verified field, the Lucene Query field is pre-filled with a query that corresponds to the value of the deprecated field:
You can delete or modify it. |
Author | Select one or more content authors, as given in the "author" field of the Sigma detection in line with the DRL license. |
Technique | Select one or multiple MITRE ATT&CK® techniques or sub-techniques to filter content covering them. |
Created Date | Specify the time range when content was created. |
Severity | Specify Severity of a Sigma detection. Available values:
|
Sigma Status | Available statuses:
|
Sigma Product | Use this filter to select all log outputs of a certain product (the product key of the Sigma logsource section), e.g. all Windows Eventlog types including "Security", "System", "Application", and newer log types such as "AppLocker" and "Windows Defender". |
Sigma Category | Use this filter to select all log files written by a certain group of products (the category key of the Sigma logsource section), such as firewall or web server logs. |
Sigma Service | Use this filter to select only a subset of a product's logs (the service key of the Sigma logsource section), such as "sshd" on Linux or the "Security" Eventlog on Windows. |
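The following Python is an added illustration, not SOC Prime's code and not a description of how the platform is implemented internally. It models the Dynamic List criteria from the table above (tags with include/exclude logic, severity, status, Sigma product/category/service, created date) together with the two behaviours described under List Settings: the 500-item cap that keeps only the most recently updated matches, and Auto Unlock charging only the Premium rules among those kept. The Rule and Criteria fields, the AND/OR tag logic, the rule names and the whole sample corpus are assumptions constructed for the example; the point is to see, before enabling the checkbox, how many Premium unlocks a set of criteria would actually trigger.

```python
"""Added illustration of Dynamic List criteria, the 500-item cap and Auto Unlock.
Not SOC Prime code: rule records, field names, tag logic and the sample corpus
are all constructed assumptions for this example."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DYNAMIC_LIST_CAP = 500  # documented maximum size of a Dynamic List


@dataclass
class Rule:
    """Minimal model of a Sigma detection as seen by a List (assumed fields)."""
    name: str
    tags: frozenset
    severity: str
    status: str
    product: str      # Sigma logsource.product
    category: str     # Sigma logsource.category
    service: str      # Sigma logsource.service
    created: date
    updated: date
    premium: bool     # locked Premium rule; unlocking consumes team balance


@dataclass
class Criteria:
    """Dynamic List filters from the settings table; AND/OR tag logic is assumed."""
    include_tags: frozenset = frozenset()
    include_logic: str = "OR"
    exclude_tags: frozenset = frozenset()
    exclude_logic: str = "OR"
    severity: Optional[set] = None
    status: Optional[set] = None
    product: Optional[str] = None
    category: Optional[str] = None
    service: Optional[str] = None
    created_from: Optional[date] = None
    created_to: Optional[date] = None


def _tags_hit(rule_tags, wanted, logic):
    """AND: every wanted tag present; OR: at least one present."""
    hits = [t in rule_tags for t in wanted]
    return all(hits) if logic == "AND" else any(hits)


def matches(rule: Rule, c: Criteria) -> bool:
    """True if the rule satisfies every configured criterion (unset ones are ignored)."""
    if c.include_tags and not _tags_hit(rule.tags, c.include_tags, c.include_logic):
        return False
    if c.exclude_tags and _tags_hit(rule.tags, c.exclude_tags, c.exclude_logic):
        return False
    if c.severity is not None and rule.severity not in c.severity:
        return False
    if c.status is not None and rule.status not in c.status:
        return False
    for want, have in ((c.product, rule.product), (c.category, rule.category),
                       (c.service, rule.service)):
        if want is not None and want != have:
            return False
    if c.created_from and rule.created < c.created_from:
        return False
    if c.created_to and rule.created > c.created_to:
        return False
    return True


def build_dynamic_list(rules, c: Criteria):
    """Apply the criteria, then keep only the 500 most recently updated matches."""
    matched = sorted((r for r in rules if matches(r, c)),
                     key=lambda r: r.updated, reverse=True)
    return matched[:DYNAMIC_LIST_CAP]


def premium_to_unlock(selected):
    """Rules whose unlock Auto Unlock would charge to the team balance at deploy time."""
    return [r.name for r in selected if r.premium]


def sample_rules(n=900):
    """Constructed corpus: two tag families, mixed severity/status, every 7th rule Premium."""
    rules = []
    for i in range(n):
        cred = (i % 3 == 0)
        rules.append(Rule(
            name=f"rule-{i:04d}",
            tags=frozenset({"attack.t1003", "attack.credential_access"} if cred
                           else {"attack.t1059.001", "attack.execution"}),
            severity="high" if i % 2 else "medium",
            status="stable" if i % 5 else "experimental",
            product="windows",
            category="file_event" if i % 4 == 0 else "process_creation",
            service="",
            created=date(2023, 1, 1) + timedelta(days=i % 365),
            updated=date(2024, 1, 1) + timedelta(days=i),  # higher i = more recently updated
            premium=(i % 7 == 0),
        ))
    return rules


if __name__ == "__main__":
    rules = sample_rules()
    crit = Criteria(product="windows", exclude_tags=frozenset({"attack.t1003"}))
    all_hits = [r for r in rules if matches(r, crit)]
    chosen = build_dynamic_list(rules, crit)
    print(f"{len(all_hits)} rules match, {len(chosen)} kept after the cap")
    print(f"{sum(r.premium for r in all_hits)} Premium rules match, "
          f"{len(premium_to_unlock(chosen))} would actually be unlocked")
```

With the constructed corpus, 600 rules match the criteria but only the 500 most recently updated are kept, so 86 Premium rules match while only 72 would be unlocked and charged; the 14 others are never deployed from this List. Running a check like this against your own criteria is the cheapest way to size the balance impact before a View Only user's Job or API download triggers the unlocks.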
How To
Here you can find instructions on how to work with Content Lists:
Create Content List
To create a content list:
Click the Create List button in the upper right-hand corner of the Lists page.
Specify the list details that depend on the list type (“static”, “dynamic”, or “inventory”). See List Settings to find out more about particular fields.
Click the Save Changes button to add the list.
To prevent platform overload when content is deployed via the Automation module (previously called Continuous Content Management), a Dynamic List can contain no more than 500 content items. The limit is shown on the Create Content List pop-up when you select the Dynamic list type.
Edit Content List
You can edit all Static, Dynamic, and Inventory Lists (except for Global ones):
Open the editing modal in one of the following ways:
On the page of the List you want to update, click the More (...) button in the upper right-hand corner and select Edit List.
On the same page, click Edit in the List Settings section on the right-hand side.
Update the list details in the corresponding fields. See List Settings to find out more about particular fields.
Click the Save Changes button.
Copy Content List
Copying a Content List creates a new List based on an existing one, which streamlines content management. To make a copy of the selected List:
Open the copying modal: click the More (...) button in the upper right-hand corner of the page with the List you want to copy and select Copy List.
Update the list details that you want to differ from the original in the corresponding fields. Note that the Type field is not editable, since the List type can only be defined when the original List is created.
Click the Save Changes button.
After saving, the copy is added to the Lists page with the word "copy" in its name.
Delete Content List
To delete a Static, Dynamic, or Inventory List together with all the items it includes:
Click the More (...) button in the upper right-hand corner of the page with the List you want to delete and select Delete List.
Confirm the action in the pop-up.
Delete Content Item from List
Note: You can delete specific items only from Static or Inventory Content Lists. A Dynamic List can only be deleted as a whole, with all the items it contains. If you want to change the content of a Dynamic List, adjust its inclusion or exclusion criteria instead.
To delete a specific item from a Static or Inventory Content List:
Select the Static or Inventory List you want to update.
Hover over the content item you want to delete and click the More (...) button.
Select Delete.
Confirm the action in the pop-up.
Add Content Item to List
Note: You can add specific items only to Static or Inventory Content Lists. Items cannot be added manually to a Dynamic List; to change its content, adjust the inclusion or exclusion criteria instead.
Static Lists
You can manually add content items to existing or new Static Lists:
From a rule's page in TDM
From TDM's Search page using bulk adding
Note: You can add only those content items that are available for the platforms currently supported by the Automation module (previously called Continuous Content Management).
Adding Content to a Static List from a Rule's Page
Select a certain content item available on the SOC Prime Platform and drill down to its Code page.
Select the platform and content type.
Click the Add to List icon.
A modal appears that displays all existing Static Lists where one of the selected repositories in settings matches the repository of the current rule. The first repository name is displayed in the List details. To show all the others (if any), hover over the three dots. To add the rule to one or multiple Lists:
Set the checkbox next to the Content Lists to which you'd like to add the rule.
Click Done to add the rule to the selected lists.
Note: If the rule is already in a displayed List, the checkbox next to that List is pre-set. Clearing that checkbox removes the rule from the List.
If there are no Static Lists available, the pop-up will display the corresponding message. You can add a new list by clicking the Create New Content List button. An express List creation modal appears. The Repositories field is pre-filled with the repository that the selected content lives in. You can add more repositories of the same type using the dropdown.
Adding Content to a Static List from Search
From the Search page, you can add multiple rules to one or multiple Static Lists.
Set the checkboxes next to the rules you want to add and click Add to List above the search results.
In the modal that appears, set the checkmark next to the Lists you want to add the content to and click Done. Note that the modal only includes Lists set to work with the repositories that the selected content lives in. The first repository name is displayed in the List details. To show all the others (if any), hover over the three dots.
If you create a new List from this modal, an express List creation modal that appears now includes the Repositories field. It's pre-filled with the repositories that the selected content lives in. You can add more repositories of the same type using the dropdown.
Inventory Lists
You can manually add content items to existing or new Inventory Content Lists from the Inventory page.
Note: You can add only those content items that are available for the platforms currently supported by the Automation module (previously called Continuous Content Management).
To add a new content item to an Inventory List:
On the Inventory page, choose the platform and Data Plane you need.
Select the desired content items by setting the checkboxes on the left of them. If you want to select all content items on the current page, set the checkbox next to the Content Name column header.
In the menu that appears above the content table, select the Add To List icon.
The pop-up shows all existing Inventory Content Lists. To add a content item to a specific list:
Click the content list or set the checkbox next to it.
Click Done to add the content item to the selected list.
If there are no Inventory Lists available, the pop-up displays the corresponding message. You can add a new list by clicking the Create New Content List button that will redirect you to the list creation page.

