How to implement SIEM Content Packs
Last Modified: 2023-03-24 20:43:33 Etc/GMT
Technical Articles ID: KB83783
Environment
SIEM Enterprise Security Manager (ESM) 11.x
Summary
In ESM, you can download and implement Content Packs that Trellix creates and distributes. This article describes how to implement Content Packs.
NOTES:
Content Packs allow you to easily select, download, and deploy critical SIEM configuration settings. These settings are focused on monitoring use cases such as insider threat, data leakage, email content, firewall, malicious activity, malware, policy, reconnaissance, suspicious activity, web filtering, and authentication. These Content Packs are preconfigured to offer users fast access to advanced threat or compliance management capabilities.
A single Content Pack might contain combinations of one or more of the following components:
To install Content Packs
Content Packs are automatically downloaded as part of the rules update process. If your ESM doesn't have external internet access, see the section below titled "To locate and install Content Packs from the Knowledge Base" for installation instructions.
When new Content Packs are released, a separate article for each Content Pack is added to the Knowledge Base. These articles contain the Content Pack in a .zip file, and detailed usage information in PDF form.
NOTE: The SIEM Content Pack articles are available only to registered ServicePortal users. You must log on to the ServicePortal to access them. New Content Pack articles are added regularly. Follow the steps below to manually search for and install a Content Pack:
How to change alarm components
You can change alarms within Content Packs to take more actions. For example, you can configure an alarm to send emails to recipients, tag systems within ePO, or execute remote commands. To change these settings:
NOTE: Additional configurations made to alarms from Content Packs aren't carried over if the Content Pack is updated.
For more information about alarms, see the "Working with Alarms" section in the ESM online Help. To access online Help from within the ESM, click the help icon in the upper-right corner of ESM windows, or click the Help menu on the ESM console.
How to change Correlation Rule parameters
To change Correlation Rules:
For more information about Correlation Rules, see the "Correlation Rules" and "Example of custom correlation rule or component" sections in the ESM online Help. To access online Help from within the ESM, click the help icon in the upper-right corner of ESM windows, or click the Help menu on the ESM console.
How to change reports and report layouts
Content Packs can contain reports and report layouts. Report layouts are the templates for reports. You can change the look and content of the report by changing the layout to better suit your needs. For example, you can change a report to automatically run at a specific time, be sent to specific recipients, or be stored to specified/alternate locations. To change the report:
For more information about reports and report layouts, see the following topics in the ESM online Help:
To access online Help from within the ESM, click the help icon in the upper-right corner of ESM windows, or click the Help menu on the ESM console.
How to change variables
Variables added through Content Packs can be changed to fit your organization's needs. To change a variable:
For more information about how to manage variables and how to use them, see the "Variables" section in the ESM online Help. To access online Help from within the ESM, click the help icon in the upper-right corner of ESM windows, or click the Help menu on the ESM console.
How to change Views
You can change the appearance of Views provided by Content Packs, or the filters used with them. Any changes you make to the Views are reverted to default during an update to a Content Pack. To preserve your customizations, create your own version of the View. Views can be further filtered through the Filter pane on the right side of the screen. To change the View:
For more information about how to manage views, see the "Manage views" section in the ESM online Help. For information about how to use filters, see the "Filtering views" section of the ESM online Help. To access online Help from within the ESM, click the help icon in the upper-right corner of ESM windows, or click the Help menu on the ESM console.
How to change Watchlists
You can add values to the Static Watchlists provided by Content Packs. If a Content Pack is updated, values that you've appended to the Watchlist aren't carried over. To add more items to a Watchlist:
For more information about Watchlists, see the "Watchlists" section in the ESM online Help. To access online Help from within the ESM, click the help icon in the upper-right corner of ESM windows, or click the Help menu on the ESM console.