
Inventory


Written by Sergey Bayrachny

Overview


On the Inventory page, you can review and update all the content managed in Automation:

  • If the Inventory synchronization is enabled, you can manage all the content available in your organization's SIEM.

  • If the Inventory synchronization is disabled, content from your organization's SIEM is not pulled to the Inventory. This way, you can limit the content managed in Inventory to detections deployed from the Threat Detection Marketplace.

Note:

If you disable Inventory synchronization:

  • Duplicate content in your SIEM can no longer be detected automatically

  • The Inventory page will not reflect the current state of content in your SIEM

To enable Inventory synchronization:

  1. Select the SIEM you want to synchronize with. At the top of the page choose:

    1. The Tenant that holds the Data Plane you want to enable Inventory for.

      Notes:

      • Any Data Planes that haven't been added to a Tenant are displayed as belonging to the default None tenant.

      • If the Tenants feature is not available to your organization, the Tenants dropdown is inactive and the Data Planes dropdown includes all your Data Planes.

    2. The Data Plane for which you want to view the content. If you don't have a Data Plane integration yet, set it up to use the Inventory.

  2. Click the Off/On Inventory switch.

When enabled, the Inventory runs every hour, synchronizing with your organization's SIEM instance and pulling all available content. This schedule cannot be changed, but you can turn the Inventory on or off with the toggle in the upper right-hand corner of the page, and you can run it manually at any time by clicking the Run button.

Note:

Inventory can run as soon as the Data Plane integration is set up.

If there is an update for a content item (the version of the item in the Threat Detection Marketplace is more recent than the one on the Inventory page), you can manually review and update this detection from Inventory by clicking the green icon that appears next to the content item name.

Content from the Threat Detection Marketplace is checked for updates even when Inventory synchronization is disabled.

The Inventory page displays all content items for the selected Data Plane as a table with the following columns:

  • Content Name — The name of the content item

  • Author — The content author (available only for content from the Threat Detection Marketplace)

  • Type — The content type, which depends on the platform of the selected Data Plane:

    • Microsoft Sentinel

      • Query

      • Rule

    • Elastic

      • Detection Rule

      • Watcher

      • Saved Search

    • Falcon LogScale

      • Falcon LogScale Alert

    • Sumo Logic

      • Query

    • Google SecOps

      • Curated Rule Set

      • Rule

      • Query

    Note:

    For GitHub integration, the Type column is accompanied by the Platform column. The integration supports the following content formats:

      • Microsoft Sentinel Rule

      • Microsoft Sentinel Query

      • Elastic Detection Rule

      • Elastic Watcher

      • Elastic Saved Search

      • Google SecOps Rule

      • Humio Alert

      • Splunk Alert

      • Sumo Logic Query

      • LimaCharlie

  • Status — Available statuses:

    • On — the content item is enabled in your organization's SIEM

    • Off — the content item is disabled in your organization's SIEM

    • Deleted — the content item is deleted from your organization's SIEM

  • Source — The content source:

    • SOC Prime Platform — detection available on the SOC Prime Platform

    • Other — sources outside of the SOC Prime Platform

  • Hits — The number of alerts triggered by the content item

  • Deployed — The date of the last content item deployment or update from the SOC Prime Platform (either manually or automatically using the corresponding job). A dash in this column means that the content item has not been deployed or updated yet.

You can:

  • Sort by Content Name, Author, Hits, and Deployed using the arrow up and arrow down icons

  • Search for a particular content name or author

  • Filter by Type, Status, or Source by selecting the desired value in the drop-down

Note:

For the Elastic platform, the Hits column will always display n/a for the Saved Search content type. Similarly, for Microsoft Sentinel, n/a will appear under the Hits column for Queries and Functions.

The content deleted from your organization's SIEM is marked as Deleted in Inventory. You can remove this content from Inventory or keep it.

If you choose to keep the content, you can re-deploy it manually into your SIEM at any point using the Edit Content feature. To do it, click the Edit Content icon, make any changes to the content (if needed), and click Deploy Changes.

Note:

If an issue with your Data Plane credentials occurs, Inventory won't synchronize properly and all content from your organization's SIEM will have the Deleted status. After the issue is resolved, all the content will be re-deployed.

How To


Here you can find instructions on how to work with Inventory:

Edit Content


You can manually edit the selected content item listed on the Inventory page and deploy the changes right into your organization's SIEM.

To do it, click the Edit Content icon next to the content item you want to update.

A pop-up appears that opens the content item code in edit mode. You can update the content on the fly and then click Deploy Changes to deploy it right into your organization's SIEM.

View History


You can view all the logs associated with the specific content item by drilling down directly to the History page from the Inventory page.

To do it, click the History icon next to the content item you want to inspect.

The History page opens, showing all the logs related to the content item (if any).

Open Content on the SOC Prime Platform


If the content source is the SOC Prime Platform itself, this detection is linked to the Platform. To go directly to the content item page, click the View Content icon next to the content item you want to open.

The content item page on Threat Detection Marketplace opens with the Intelligence tab selected.

Delete Content


To delete content from Inventory alone or both from Inventory and your organization's SIEM, follow these steps:

  1. Select the content you want to delete using the checkboxes on the left.

  2. In the menu that shows above the content table, select Delete all selected.

  3. A pop-up appears asking if you want to delete the selected content from your SIEM as well. Set the checkbox if you want to do it, and confirm the deletion by clicking Ok.

Enable/Disable Content in SIEM


To enable or disable content in your organization's SIEM, follow these steps:

  1. Select the content you want to enable or disable using the checkboxes on the left.

  2. In the menu that shows above the content table, select Enable or Disable.

  3. Confirm the action in the pop-up.

    Note:

    For a GitHub Data Plane, Enable and Disable buttons are grayed out since the rules are pushed to the configured repo rather than deployed.

Enable/Disable Curated Rule Sets for Google SecOps

When managing the Curated Rule Set content type for Google SecOps, you can enable or disable the Broad and Precise rule groups separately.

  1. Select Curated Rule Set from the Type dropdown.

  2. Select the content you want to enable or disable using the checkboxes on the left.

  3. In the menu that shows above the content table, select Enable or Disable.

  4. In the pop-up, configure Precise and Broad rule groups by using the toggles:

    • Turn the Enable toggle on or off to enable or disable the rule group.

    • Turn the Alerting toggle on or off for the rule group.

  5. Confirm the action by clicking Apply.

The Status column in Inventory reflects the selected configuration:

  • P indicates that the Curated Rule Set is enabled as Precise

  • B indicates that the Curated Rule Set is enabled as Broad

Remove Content Deleted in Your SIEM


Note:

The content deleted from your organization's SIEM is marked as Deleted in Inventory. You can remove this content from Inventory or keep it. By choosing to keep the content, it will be re-deployed into the SIEM during the next run of the Inventory.

To remove from Inventory all the content deleted in your organization's SIEM, follow these steps:

  1. Click the Clear Deleted Items icon. You can hover over this icon to view a tooltip with the number of items with the Deleted status.

  2. A confirmation pop-up appears listing all the content items marked as deleted in your SIEM. Confirm the removal by clicking the Remove Content button.

Sync SIEM Content to Custom Repositories


You can automatically sync your SIEM content to the selected custom repositories via Inventory. This allows you to automatically copy all the rules/alerts deployed into your SIEM to your custom repositories on the SOC Prime Platform to further facilitate content management.

  1. Select the Data Plane you want to synchronize with and ensure the Off/On Inventory switch is turned on. Inventory synchronization is a prerequisite for custom repository synchronization.

  2. Click the down arrow next to the Sync to Repos switch and select custom repositories you want to synchronize to.

  3. Click Save in the repository selection window to turn on the repository synchronization. Once you've defined the repositories, you can turn synchronization on and off by clicking the Sync to Repos switch.

When the Sync to Repos is turned on, synchronization takes place once an hour following this logic:

  • All content from the SIEM is copied to the selected custom repositories

    • If a rule is added in the SIEM, it is added to the selected custom repositories

    • If a rule is updated in the SIEM, it is updated in the selected custom repositories

    • If a rule is deleted from the SIEM, it is NOT removed from the selected custom repositories

  • You can manually add, modify, or delete content in the selected custom repositories. These changes will not be synchronized back to the SIEM:

    • Rules manually added to a selected custom repository will NOT be deployed to the SIEM

    • Rules manually deleted in a selected custom repository will NOT be deleted in the SIEM (but will be re-added to the repository after synchronization)

    • Rules manually modified in a selected custom repository will NOT be modified in the SIEM (but will be overwritten with the respective rules from the SIEM after the synchronization)

  • Content is synchronized based on its name. If multiple content items have the same name (e.g. you have the same detection logic deployed into Microsoft Sentinel and Google SecOps under the same name and sync both SIEMs to one custom repository), they are stored in the selected custom repository as different translations of the same rule.

  • When you reach the limit on the number of content items for a repo, content from your Inventory stops syncing with it, so the content that exceeds the limit is not copied to the custom repository. Note that the oldest content is copied first.

  • If the rule deployed in your SIEM is from TDM, the corresponding Sigma rule is also written to a selected custom repository.
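The one-way sync logic above, as a constructed Python model added here to make its consequences concrete (this is not SOC Prime's code; the rule names, rule bodies and the repository limit are made-up sample data):

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class SiemRule:
    """One rule as deployed in a SIEM (constructed sample data in demo())."""
    name: str
    platform: str          # e.g. "Microsoft Sentinel", "Google SecOps"
    body: str              # native rule/query text
    deployed_at: int       # ordinal; lower = older, so it is copied first
    sigma: str | None = None   # set only when the rule came from TDM

@dataclass
class RepoRule:
    """One rule in a custom repository: per-platform translations plus Sigma."""
    translations: dict[str, str] = field(default_factory=dict)
    sigma: str | None = None

def sync_to_repo(siem: list[SiemRule], repo: dict[str, RepoRule], limit: int) -> dict[str, RepoRule]:
    """One hourly SIEM -> repo run. Mutates and returns repo; never writes to the SIEM."""
    for rule in sorted(siem, key=lambda r: r.deployed_at):   # oldest first
        entry = repo.get(rule.name)
        if entry is None:
            if len(repo) >= limit:        # repo full: newer content is not copied
                continue
            entry = repo[rule.name] = RepoRule()
        # Same name from another SIEM becomes another translation; a manual edit
        # of an existing translation is overwritten with the SIEM version.
        entry.translations[rule.platform] = rule.body
        if rule.sigma is not None:        # TDM rule: its Sigma source is written too
            entry.sigma = rule.sigma
    return repo   # nothing is ever removed here: SIEM deletions do not propagate

def demo() -> dict[str, RepoRule]:
    """Two runs with manual repo changes and a SIEM deletion in between."""
    siem = [
        SiemRule("Suspicious PowerShell", "Microsoft Sentinel", "SecurityEvent | where EventID == 4688", 1, "title: Suspicious PowerShell"),
        SiemRule("Suspicious PowerShell", "Google SecOps", "rule suspicious_ps { meta: }", 2, "title: Suspicious PowerShell"),
        SiemRule("Rare Parent Process", "Microsoft Sentinel", "SecurityEvent | summarize by Process", 3),
        SiemRule("Newest Rule", "Microsoft Sentinel", "SecurityEvent | take 1", 4),
    ]
    repo: dict[str, RepoRule] = {}
    sync_to_repo(siem, repo, limit=2)                       # "Newest Rule" exceeds the limit
    repo["Suspicious PowerShell"].translations["Microsoft Sentinel"] = "edited by analyst"  # manual edit
    repo["Manual Only"] = RepoRule({"Microsoft Sentinel": "added by analyst"})  # manual addition
    siem = [r for r in siem if r.name != "Rare Parent Process"]  # rule deleted in the SIEM
    return sync_to_repo(siem, repo, limit=2)
```

After the second run the analyst's edit is gone, the rule deleted in the SIEM is still in the repository, and the manually added rule exists only in the repository.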
