
How to Explore TDM Content

Written by Sergey Bayrachny

With Uncoder AI, you can explore detection content from the Threat Detection Marketplace (TDM), the world's largest detection content repository, including:

  • Sigma and Roota rules published on Threat Detection Marketplace

  • Sigma and Roota rules from your custom repositories

  • Hot OSINT indicators

How to Search for Sigma Rules


Type a search term in the search bar and click on one of the suggested options. Use filters on the left to refine your search. You can search for rules by related CVEs, MITRE ATT&CK, exploit names, log sources, and much more.

By default, only freely available rules sourced from SigmaHQ are displayed. To search all rules published on TDM, click Select All in the Platform Repositories filter.

You can use this and other filters on the left to narrow down the search results:

  • Platform Repositories. Different categories of content published on Threat Detection Marketplace in terms of its source:

    • Threat Bounty. Content authored by developers from the Threat Bounty Program

    • SigmaHQ. Content sourced from the open-source SigmaHQ project on GitHub

    • SOC Prime. Content authored by the in-house SOC Prime team

  • Actors. MITRE ATT&CK® actors associated with the behavior that the rule is intended to detect.

  • Product. A Sigma log source identifier to select all log outputs of a certain product, for example, Linux, Windows, Cisco, etc. Learn more in Sigma specification.

  • Event ID. Windows event identifiers used in the detection logic.

  • CVE. CVE IDs the rules are mapped to.

  • Timeline. Which key stages of the threat lifecycle are present in the rule's intelligence. If a stage is present, it includes one or more external references about the threat or the detection to help you quickly dive into the context:

    • Exploit

    • SVE

    • OST

    • Detection

    • Mitigation

    • #threatintel

    • Media

  • Techniques. MITRE ATT&CK® techniques related to the behavior that the rule is intended to detect.

  • Category. A Sigma log source identifier to select all log files written by a certain group of products, for example, process_creation, file_access, etc. Learn more in Sigma specification.

  • Tools. MITRE ATT&CK® tools related to the behavior that the rule is intended to detect.

Once you've found a Sigma rule that matches your needs, click on it to open its code and intelligence.

Intelligence and Metadata


A Sigma rule's intelligence and metadata include the following:

  • Title

  • Author

  • Date of release on the Threat Detection Marketplace

  • Severity if the rule has triggered

    • Critical: Highly relevant event that indicates an incident. Critical events should be reviewed immediately.

    • High: Relevant event that should trigger an internal alert and requires a prompt review.

    • Medium: Relevant event that should be reviewed manually on a more frequent basis.

    • Low: Notable event but rarely an incident. Low-severity events can be relevant in high numbers or in combination with others. An immediate reaction shouldn't be necessary, but a regular review is recommended.

    • Informational: Rule is intended for enrichment of events, e.g. by tagging them. No alerts should be triggered by such rules because it is expected that a huge amount of events will match these rules.

  • Category and Product of the log data to which the detection is meant to be applied

    • Category: All log files written by a certain group of products, like firewalls or web server logs

    • Product: All log outputs of a certain product, e.g. all Windows Eventlog types including Security, System, Application and the new log types like AppLocker and Windows Defender.

  • Short Summary. An AI-generated executive summary to get a quick insight into the rule.

  • Extended Summary. An AI-generated detailed explanation of the rule's logic and fine points.

  • Decision Tree. An AI-generated explanation on how the rule works step by step, with all the embeddings, branches, and other intricate logic.

  • Description of the rule that explains what activity is detected and in what way

  • Action Loop. If you launch or deploy a translation of a Sigma rule from our collection, we encourage you to mark its results using the Action Loop feature. This will help your peers pick the best algorithms, and you can benefit from the aggregated feedback yourself. Click the result line to see its legend in a popup, or the globe icon to provide your own feedback.

    • Confirmed. There's enough data and context to confirm an incident or successful simulation

    • False positive. There's enough data and context to dismiss the query/rule result as noise

    • No root cause. It's clear that the query/rule has found something but there's no data on surrounding events or inside a specific event to make a decision on whether it was a true positive, false positive, or benign behavior

    • Benign behavior. There's enough data to determine that the activity led to no harm and enough context to understand that the same event can be a true positive given different surrounding events (other hits)

    • Tuning required. The query/rule works but needs further optimization to reduce noise or improve performance

  • Timeline with key references about the related threat ordered by its lifecycle stages. Use the Timeline to quickly dive into the context

  • Audit configuration with info on which log sources are required for the rule to work and how to enable them. Some sections are augmented by AI technologies such as ChatGPT

  • False Positives that the rule may produce. Some sections are augmented by AI technologies such as ChatGPT

  • Triage Recommendations to validate and investigate activity associated with the rule. Some sections are augmented by AI technologies such as ChatGPT

  • MITRE ATT&CK coverage: techniques, sub-techniques, mitigations, tools, and actors to which the query is mapped. Click a value to see its short description and select More Details in the description to learn more at attack.mitre.org

  • Binaries on whose behavior the query is based. You can learn more about them to speed up your investigation. Click a value and select EchoTrail.io in the description to learn more

  • Techniques simulations you can use to test the rule. Click a value to see its short description and select View Simulations in the description to go to the Red Canary GitHub repo with the simulation

  • Use case documentation feature to automatically document the use case based on the rule's intelligence and metadata by creating a structured page in your Confluence. Requires setting up an Integration. Learn how to use this feature here.

You can always display the currently selected rule's intelligence and metadata by clicking the Intelligence button.
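The fields listed above, and the Product, Category, CVE and Techniques filters described in the search section, all come straight from the Sigma rule's YAML. The script below is an added example (not SOC Prime's, Sigma's or the Uncoder AI code) that parses a constructed sample rule with a small indentation-based parser (a YAML subset sufficient for Sigma rules, not a general YAML parser), extracts the metadata TDM's Intelligence page shows (title, author, date, level with the severity guidance paraphrased from the list above, logsource category and product, ATT&CK technique and CVE tags, false positives), and applies search-style filters to the result. The rule, its identifiers and the function names `parse_yaml_subset`, `extract_intelligence` and `matches_filters` are all assumptions of this example.

```python
"""Added example: pull TDM-style intelligence fields out of a Sigma rule and filter on them."""
import re

# Constructed sample rule for this example; not a published TDM or SigmaHQ rule.
SAMPLE_RULE = """\
title: Suspicious Encoded PowerShell Command Line
id: 00000000-0000-4000-8000-000000000001
status: experimental
description: Detects PowerShell started with an encoded command, a common way to hide script content.
author: Example Author
date: 2024/01/15
references:
  - https://attack.mitre.org/techniques/T1059/001/
tags:
  - attack.execution
  - attack.t1059.001
  - cve.2024.00001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\\powershell.exe'
    CommandLine|contains:
      - ' -enc '
      - ' -EncodedCommand '
  condition: selection
falsepositives:
  - Administrative scripts that legitimately use encoded commands
level: high
"""

# Sigma levels with the review guidance the Intelligence page gives for each.
SEVERITY = {
    "critical": "Highly relevant event that indicates an incident; review immediately",
    "high": "Relevant event that should trigger an internal alert; prompt review",
    "medium": "Relevant event to be reviewed manually on a more frequent basis",
    "low": "Notable event but rarely an incident; regular review recommended",
    "informational": "Enrichment only (e.g. tagging); no alerts expected",
}

# Search filter name -> key in the extracted metadata dict.
FILTER_FIELDS = {"product": "product", "category": "category",
                 "technique": "techniques", "cve": "cves"}


def parse_yaml_subset(text):
    """Parse the YAML subset Sigma rules use: nested mappings, lists of scalars,
    and bare or quoted scalars. Blank and comment lines are ignored."""
    lines = [l.rstrip() for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    pos = 0

    def indent(line):
        return len(line) - len(line.lstrip(" "))

    def scalar(s):
        s = s.strip()
        if len(s) >= 2 and s[0] == s[-1] and s[0] in "'\"":
            return s[1:-1]  # strip matching quotes, keep inner spaces
        return s

    def parse_block(level):
        nonlocal pos
        if lines[pos].lstrip().startswith("- "):  # sequence of scalars
            items = []
            while (pos < len(lines) and indent(lines[pos]) == level
                   and lines[pos].lstrip().startswith("- ")):
                items.append(scalar(lines[pos].lstrip()[2:]))
                pos += 1
            return items
        mapping = {}
        while pos < len(lines) and indent(lines[pos]) == level:
            key, _, rest = lines[pos].strip().partition(":")
            pos += 1
            if rest.strip():
                mapping[key] = scalar(rest)
            elif pos < len(lines) and indent(lines[pos]) > level:
                mapping[key] = parse_block(indent(lines[pos]))  # nested block
            else:
                mapping[key] = None
        return mapping

    return parse_block(0)


def extract_intelligence(rule_text):
    """Return the metadata fields TDM displays for a Sigma rule."""
    rule = parse_yaml_subset(rule_text)
    tags = rule.get("tags") or []
    # attack.t1059.001 -> T1059.001 ; cve.2024.00001 -> CVE-2024-00001
    techniques = sorted(t.split(".", 1)[1].upper() for t in tags
                        if re.fullmatch(r"attack\.t\d{4}(\.\d{3})?", t))
    cves = sorted("CVE-" + "-".join(t.split(".")[1:]) for t in tags
                  if re.fullmatch(r"cve\.\d{4}\.\d{4,}", t))
    level = (rule.get("level") or "").lower()
    logsource = rule.get("logsource") or {}
    return {
        "title": rule.get("title"), "author": rule.get("author"),
        "date": rule.get("date"), "description": rule.get("description"),
        "level": level, "severity_guidance": SEVERITY.get(level, "unknown level"),
        "category": logsource.get("category"), "product": logsource.get("product"),
        "techniques": techniques, "cves": cves,
        "falsepositives": rule.get("falsepositives") or [],
    }


def matches_filters(meta, **filters):
    """Apply TDM-style search filters (product=, category=, technique=, cve=)."""
    for name, wanted in filters.items():
        value = meta.get(FILTER_FIELDS[name])
        if isinstance(value, list):
            if wanted.upper() not in [v.upper() for v in value]:
                return False
        elif (value or "").lower() != wanted.lower():
            return False
    return True


if __name__ == "__main__":
    meta = extract_intelligence(SAMPLE_RULE)
    for key, value in meta.items():
        print(f"{key}: {value}")
    print(matches_filters(meta, product="windows", technique="T1059.001"))
```

Running the block prints the extracted fields and `True` for the filter check; selecting `product="linux"` instead returns `False`, which mirrors narrowing the TDM results with the Product filter.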

Saving to a Custom Repository


You can fork (i.e., copy) a Sigma rule or any of its translations published on TDM to your custom repository.

  1. Click Save As > New Rule in the panel with the content.

  2. Fill in saving parameters:

    • Save to. Select the custom repository to save your content.

    • Platform. Double-check the selected platform to make sure everything is correct.

    • Content Name. Give your content a name. In the case of a Sigma rule, this field is pre-filled with the Sigma title.

    • Description. Provide a description of your content.

  3. Click Save.

Note: In the case of a Sigma rule, all available metadata is parsed and will be displayed on the Intelligence page of the rule in TDM. However, if you save only a query or rule in a different language, most metadata and intelligence fields will be empty.

To learn more about working with custom repositories, go here.
