Overview
On the Jobs page, you can deploy content to your organization's SIEM by setting up and scheduling Jobs for available Content Lists.
A Job compares each content item from the associated Content List with all the existing content on the Inventory page for the Data Planes selected in the Job. If there is no such content item on the Inventory page, the item will be automatically deployed to the Data Planes.
The Jobs page includes two tabs:
My, with Jobs configured by the current user
Company, with Jobs configured by other users from the organization
Each tab displays all corresponding Jobs as a table with the following columns:
Column Name | Description |
Off/On | Whether the Job has been enabled |
Job Name | The name defined during configuration, displayed along with the Job ID. If the Job is linked to a List with automatic unlocking of Premium Sigma rules enabled, this column includes the Auto Unlock label |
Data Plane | The Data Planes associated with the Job, and the name of their platform. Data Planes created by other members of your team have status shared or not shared. You cannot modify a Data Plane that is not shared |
Tenants | The Tenants to which the linked Data Planes belong |
Content List | The Content Lists associated with the Job and their types |
Schedule | The frequency with which the Job is scheduled to run |
Status | Click the status icon to see the Job's logs in History |
Last Updated | The date of the last Job update |
On the right of each Job are action icons:
Job Settings
The settings used to create or edit a Job are as follows:
Setting name | Description |
Job Name (Required) | The name defined during configuration |
Platform | Platform for content deployment. Available options: |
Content type (Required) | Deployed content type that depends on the selected platform:
You can select multiple options (if available) |
Tenant (Required if Tenants are available for your organization) | Select one or multiple Tenants. The Data Plane dropdown will include only those Data Planes that belong to the Tenants selected here. Note: |
Data Plane (Required) | The configured integrations with your Data Planes. Select one or multiple options (available options depend on the choice in the Tenants dropdown). To set up a new Data Plane, click the Gear icon. Note: |
Use Default Custom Field Mapping based on Log Source (Optional) | When this checkmark is set, Custom Field Mapping is applied to content based on the log source products the content is intended for. For example, if you have rules that use Nginx logs and rules that use Apache logs as part of a Content List linked to the Job, your Custom Field Mapping profile for Nginx will be applied to the former, and your Custom Field Mapping profile for Apache to the latter. For a Custom Field Mapping profile to be applied as part of this feature, it should have the Make Default checkmark set in its settings. The profiles are applied as follows:
If you disable this option, a Custom Field Mapping dropdown appears. Use it to select a single Custom Field Mapping profile that should be applied to all content in the connected List, or leave the dropdown empty to apply no Custom Field Mapping within the Job.
To create a new Custom Field Mapping profile, go to Account icon > Platform Settings > Custom Field Mapping.
Note: This option is not applicable for Inventory Content Lists. To apply mapping to a List of this type, clear this option and select a pre-configured Custom Field Mapping profile. |
Config (Optional) | Config for the alternative translation format (if available) |
Content List (Required) | Configured Content Lists for automated deployment. Select one or multiple Content Lists from the available options. To create a new one, go to Threat Detection Marketplace > Lists.
If any of the linked Lists has automatic unlocking of Premium Sigma rules enabled, the following warning appears below the field:
Auto unlock is allowed for some of the selected Lists. Before deployment or downloading via API, locked Sigma rules will be unlocked automatically
Note that to configure and enable a Job for deploying Lists with Auto Unlock, the user does not need the Can Unlock permission level. |
Presets (Optional) | Configured Presets. Select an available Preset or set up a new one by clicking the Gear icon. |
Schedule (Required) | Select the frequency with which you would like to run this Job:
Note: This option is not available for Splunk since Job execution for Splunk is managed in SOC Prime CCM App for Splunk - Optimized by querying the CCM API. |
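The comparison against Inventory described in the Overview and the Custom Field Mapping choice described in the settings above can be modeled as a dry run. This is an added example, not SOC Prime code or its API. It assumes content items are matched against Inventory by ID and that a log source product without a Make Default profile gets no mapping; all names and sample data are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    rule_id: str            # assumption: items are matched against Inventory by ID
    product: str            # log source product the rule is written for
    fields: list            # field names the rule references

@dataclass
class Profile:
    name: str
    product: str
    make_default: bool      # models the "Make Default" checkmark
    field_map: dict = field(default_factory=dict)

def pick_profile(rule, profiles, use_default, selected):
    """Return the mapping profile a Job would apply to this rule, or None."""
    if not use_default:
        return selected     # one profile for the whole List, or None for no mapping
    for p in profiles:
        if p.make_default and p.product == rule.product:
            return p
    return None             # assumption: no default for the product means no mapping

def plan_job(content_list, inventory, data_planes, profiles,
             use_default=True, selected=None):
    """Dry run: list (data_plane, rule_id, profile_name, mapped_fields) to deploy."""
    plan = []
    for plane in data_planes:
        present = inventory.get(plane, set())
        for rule in content_list:
            if rule.rule_id in present:
                continue    # already on the Inventory page for this Data Plane
            prof = pick_profile(rule, profiles, use_default, selected)
            fmap = prof.field_map if prof else {}
            mapped = [fmap.get(f, f) for f in rule.fields]
            plan.append((plane, rule.rule_id, prof.name if prof else None, mapped))
    return plan

# Constructed sample data (not taken from any real tenant).
RULES = [Rule("r-nginx-1", "nginx", ["c-uri", "src_ip"]),
         Rule("r-apache-1", "apache", ["c-uri"]),
         Rule("r-dns-1", "dns", ["query"])]
PROFILES = [Profile("apache-draft", "apache", False, {"c-uri": "uri"}),
            Profile("nginx-default", "nginx", True, {"c-uri": "url.path"}),
            Profile("apache-default", "apache", True, {"c-uri": "request"})]
INVENTORY = {"siem-prod": {"r-nginx-1"}, "siem-dev": set()}

if __name__ == "__main__":
    for row in plan_job(RULES, INVENTORY, ["siem-prod", "siem-dev"], PROFILES):
        print(row)
```

Reviewing such a plan before enabling a Job shows which rules would land on a Data Plane with no field mapping at all, which is where deployed detections are most likely to match nothing.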
How To
Here you can find instructions on how to work with Jobs:
Create Job
To create a Job:
On the Jobs page, click the Create Job button in the upper right-hand corner.
Configure the new Job settings.
Note:
For GitHub Data Plane to become available in the Data Plane field, first select Platform and Content Type that match the values you've set in the Content Platform field during the Data Plane setup. For example, if you've selected Microsoft Sentinel Rule as Content Platform during the Data Plane setup, set Microsoft Sentinel as Platform and Rule as Content Type to see your GitHub Data Plane in the Data Plane dropdown.
Click the Save Changes button.
Once created, the Job will be added to the Jobs page.
Enable/Disable Job
A Job can run if it is enabled on the Jobs page.
Single Job
To enable a single Job, move its Off/On toggle to On. To disable a single Job, move its Off/On toggle to Off.
Enabling/disabling may take a little while. After it's done, you'll see a success message.
Multiple Jobs
To enable/disable multiple Jobs, set checkmarks on their left-hand side and click Enable/Disable in the menu that appears above the Job list after selection.
Confirm your action in the modal that appears on the screen.
After enabling/disabling, you'll see a success message.
Edit Job
To edit a Job:
Click the Edit icon next to the Job you want to edit.
Update the Job settings in the corresponding fields.
Click the Save Changes button.
Note: You can also delete a Job directly in edit mode by clicking the Delete Job button and confirming the action. Only the user who has created the Job can delete it.
Debug Logs
If some items within a Content List have failed to deploy, you can drill down to them to debug the deployment issues. You can do it in one of the following ways:
By clicking the Error status under the Status column.
By clicking the Debug Logs icon next to the corresponding Job
You will move to the History page where you can review all the Job logs.
Note: Debug Logs and Run Now options are not available for Splunk Jobs since they are run via SOC Prime CCM App for Splunk - Optimized.
Run Job Manually
Note that this option is available only for enabled Jobs that have not run in the last 5 minutes.
Single Job
To run a Job manually:
Click the Run Now icon next to the Job you want to run.
Confirm the action in the pop-up that appears on the screen.
Note: Debug Logs and Run Now options are not available for Splunk Jobs since they are run via SOC Prime CCM App for Splunk - Optimized.
Multiple Jobs
To run multiple Jobs, set checkmarks on their left-hand side and click Run Now in the menu that appears above the Job list after selection.
Confirm your action in the modal that appears on the screen.
Delete Job
Only the user who has created the Job can delete it. To delete a Job:
Note: You can also delete a Job from the edit mode by clicking the Delete Job button and confirming the action.
Add/Delete Data Planes Configured in Jobs
To add/delete Data Planes configured in Jobs:
Set the checkmarks on the left-hand side of the Jobs in which you want to add or delete Data Planes. If you select multiple Jobs, all of them must be linked to the same platform.
Click the Add Data Planes or Delete Data Planes button.
A modal appears. Select the Data Planes you want to add/delete from the available options in the dropdown.
A success popup appears.




