Overview
Presets are templates for customizing parameters of content deployed to your organization's SIEM on the fly. This helps streamline content management operations and avoid errors that can occur when manually editing content. A Preset can be applied:
On a content item page before individual content item deployment
In a Job as part of automated deployment
In Uncoder AI when translating a Sigma rule
You can create Presets for the following platforms:
Microsoft Sentinel
Sumo Logic
Humio
Elastic
Google SecOps
Splunk
The Presets page lists all Presets available to you:
Presets created by you
Presets created by your team and shared across your organization
All Presets are displayed as a table with the following columns:
| Column Name | Description |
| --- | --- |
| Preset Name | The name defined during configuration |
| Platform | Platform associated with the Preset |
| Type | Content type that varies depending on the selected platform |
| Created by | The user who created the Preset |
| Last Updated By | The user who made the last update to the Preset |
| Created | The date of the Preset creation |
| Updated | The date of the last update to the Preset |
You can look for an existing Preset using the Search bar.
How To
Here you can find instructions on how to work with Presets:
Create Preset
To create a Preset:
Select the Account icon > Platform Settings > Presets.
Click the Add Presets button.
Select the supported platform and content type (if applicable).
Click the Create New Preset option from the Preset drop-down list or click the Create Preset button.
Provide the Preset name and choose whether you want to share it across your company.
Fill in all the required fields. They differ depending on the platform you've selected and may include Query Period, Severity ("Low", "Medium", "High", "Critical"), Rule Status ("Enabled", "Disabled"), etc. View the tooltips to find out more about each available field.
Optionally, you can link filters by selecting them in the drop-down of the Filters field. To set up new Filters, click the Filters button.
Click the Save Changes button, and the created Preset will appear on the Presets page.
After creating a new Preset, link it to a Job before running that Job to customize automated content deployment.
Apply or Add Preset from Content Item Page
Depending on your subscription, you can apply one of the existing Presets on the fly by selecting it from the Preset drop-down list on the Code tab of a content item page.
To create a new Preset from the selected content item page, follow these steps:
Select Create New Preset from the Preset drop-down list.
Provide the Preset name and choose whether you want to share it with your company.
Select the supported platform and content type.
Fill in all the required fields. They differ depending on the platform you've selected and may include Query Period, Severity ("Low", "Medium", "High", "Critical"), Rule Status ("Enabled", "Disabled"), etc. View the tooltips to find out more about each available field.
Optionally, you can link filters by selecting them in the drop-down of the Filters field. To set up new Filters, click the Filters button.
Click the Save Changes button.
Once the Preset is created, you can select it from the drop-down list, and the detection content for the associated platform will be updated according to the applied Preset.
Manage Preset
On the Presets page, you can edit or delete all Presets created by you.
Note: If a Preset is deleted, all active Jobs linked to it will be disabled.
To perform one of these actions, click the corresponding icon on the right of the desired Preset name.
Edit Preset. Edit the fields in the Presets pop-up and click Save Changes.
Delete Preset. Confirm the action in the pop-up that appears on the screen.




