Repositories

Written by Sergey Bayrachny

A custom repository is a dedicated storage for an organization's detection content within a separate database integrated into SOC Prime Platform's cloud infrastructure (with an encrypted rule body at rest). Custom repositories provide SOC Prime Platform users with a secure environment to store and organize Content, either uploaded by users or copied from the SOC Prime Platform.

Content items stored in a custom repository can be grouped the same way as on Threat Detection Marketplace (TDM), with multiple translations of the same rule linked together.

Create and Manage a Custom Repository

To create or manage custom repositories, go to Threat Detection Marketplace > Repositories.

  • My tab displays all custom repositories created by you (both shared and not shared with the company)

  • Company tab displays all custom repositories created by your team (including you)

    • You can view and manage your own repositories and shared repositories created by your teammates

    • You can see in the list the non-shared repositories created by your teammates but cannot access them

Create Custom Repository

Click Add Repository to create a new custom repository. The Create New Repository modal appears:

  1. Give your repository a meaningful name.

  2. Select whether you want to share the repository with other users from your company.

    • Not shared repositories are visible and available only to you

    • Shared repositories are visible to your team and any team member can add/delete content or manage repository settings (except for the sharing setting)

  3. Select the Data Planes you'd like to associate with this repository.

  4. Select the platforms you'd like to associate with this repository. You'll still be able to add content for platforms not selected in this field.

  5. In the External Access section, turn on the Make available for DetectFlow toggle to allow synchronization with your organization’s DetectFlow instance. This section is visible only to DetectFlow users. With this toggle turned on, content updates made in DetectFlow will be reflected on the TDM platform, and updates on the TDM platform will be synchronized to DetectFlow.

  6. Click Apply.

Edit Custom Repository

To edit a custom repository, select the pencil icon on the repository record, make the needed changes in the modal, and select Save Changes.

Delete Custom Repository

To delete a custom repository, on the repository record, click the three-dot menu, select Delete, and confirm your action.

Bulk Translate

To translate the rules from the custom repository:

  1. On the repository record, click the three-dot menu and select Bulk Translate.

  2. In the modal, select the source language of the rules in the input panel and the target language for the translation in the output panel.

  3. Select Translate.

  4. The Translation Results modal summarizes the translation outcome, showing the percentage of content that was successfully translated, partially translated, or failed translation. Select View all to see detailed information on translation statuses.

Export All Sigmas

You can export all Sigma rules from the custom repository to DetectFlow if access to DetectFlow is enabled for your organization.

  1. On the repository record, click the three-dot menu and select Export All Sigmas.

  2. Select Download File to download a ZIP archive containing the detection rules in YAML format. Use the password from the modal to access the files.

    If the export file has been previously prepared and updates were made in the repository, click Regenerate File to include the latest changes. Then select Download File.

Note: It is possible to run only one export operation at a time.

You can find details about importing in the DetectFlow guide.

View Content in a Custom Repository

You can view the content stored in a custom repository by clicking the corresponding icon on the repository record on the My Repositories page or via TDM's Search.

To view the content of a custom repository from the Search page, first use the switch under the search bar to toggle between Platform repositories and Custom repositories. By default, the Platform Repos option is selected. To see and search content from custom repositories, set the switch to My Repos.

By default, content from all custom repositories available to you is shown (both created by you and shared with you by your teammates). If you want to see and search content only from specific repositories, choose them in the selector and click Apply.

You can search for and filter content in custom repositories the same way as the content published on TDM. However, note that some filters such as Content Availability and Content Action State are not applicable to custom content. Additionally, filtering will work only as long as corresponding metadata is present in the custom content.

Add and Manage Content

You can add content to a custom repository in one of two ways:

  1. Fork an existing content item from TDM.

  2. Add content via Uncoder AI.

To edit a content item stored in a custom repository, open it in Uncoder AI.

Forking Content from TDM

You can copy any Sigma rule or its translation available to you on TDM to your custom repository. This action is referred to as forking.

  1. Go to TDM's Search and select content items by setting checkmarks next to them.

  2. Click Fork to My Repo.

    You can also fork all detection rules from your search results across all pages. For this, select at least one checkbox next to a rule to reveal the Select All Items button, click it to select all rules, and then choose Fork to My Repo. Please note that selecting all detections is available only for the Fork to My Repo action.

    This feature is available according to the users’ subscription plan.

  3. In the modal, provide the following information:

    • Repository: Specify the repository to fork the rules to.

    • Translation: Specify which translations to fork.

  4. Select Fork.

    If the selection includes rules that are locked, the modal will display the number of available and locked rules. To fork only available rules, select Fork Available Only. To include Premium rules, select Unlock & Fork All.

When you fork a content item, its metadata is also copied. When you fork a translation of a Sigma rule, the original Sigma rule is copied together with the translation.

Adding and Editing Content via Uncoder AI

You can add content to your custom repositories in Uncoder AI:

  • Save content created from scratch

  • Add a new translation to an existing rule

  • Update an existing translation

  • Open an existing translation and save it as a new rule

Save a rule created from scratch

  1. Go to Uncoder AI and write/paste a rule/query in any of the supported languages.

  2. Click Save As > New Rule in the panel with the content.

  3. Fill in saving parameters:

    • Save to. Select the custom repository to save your content.

    • Platform. Double-check the selected platform to make sure everything is correct.

    • Content Name. Give your content a name. In the case of a Sigma rule, this field is pre-filled with the Sigma title.

    • Description. Provide a description of your content.

  4. Click Save.

Note: In the case of a Sigma rule, all available metadata is parsed and will be displayed on the Intelligence page of the rule in TDM. However, if you save only a query or rule in a different language, most metadata and intelligence fields will be empty.

Add a new translation to an existing rule

  1. Open a Sigma rule or a content item in another format from its page on TDM using the Open in Uncoder AI button.

  2. In Uncoder AI, generate/write a translation of the opened content and select Save As > Update to my Rule in the panel with the translation you want to add.

  3. If the panel with the translation was on the right, it will move to the left and the saving settings will appear. Note that you cannot change the custom repository for saving. Ensure the platform and content name are correct, add an optional description, and click Save.

  4. If you now want to update the current translation and save the updated version, select Save As > Update to my Rule and ensure that the current platform name is selected in the Platform field of the saving settings.

Update an existing translation

  1. Open a translation from its page on TDM using the Open in Uncoder AI button. Note that you can update only translations stored in your custom repositories, not those that are published on TDM.

  2. In Uncoder AI, update the translation code as needed and select Save As > Update to my Rule. Ensure that the current platform name is selected in the Platform field of the saving settings.

Open an existing translation and save it as a new rule

  1. Open a translation from its page on TDM using the Open in Uncoder AI button. Note that you can update only translations stored in your custom repositories, not those that are published on TDM.

  2. In Uncoder AI, update the translation code as needed and select Save As > New Rule. Ensure that the settings are correct (in particular, use a unique name if you save the rule to the same repository) and click Save. When you save a translation of a Sigma rule from a Platform repo, the original Sigma rule is copied together with the translation.

Deleting Content

You can delete any content item from custom repositories created by you and shared with you by your teammates.

  1. Go to TDM's Search > My Repos and select content items by setting checkmarks next to them.

  2. Click Delete.

Note: If you delete a custom repository from the My Repositories page, it will be permanently deleted together with all the content it holds.