This article is a consolidated list of common questions and answers. It's intended for users who are new to the product, but can be of use to all users.
Recent updates to this article

| Date | Update |
| --- | --- |
| November 30, 2022 | Minor formatting changes made; no content changes |
| September 01, 2022 | Updated brand references |
What are Content Packs?
ESM allows you to simplify operations with "ready to go" security use-case oriented Content Packs.
Through the automated content bundles, you can select, download, and deploy critical SIEM configuration settings that are focused on monitoring use cases. The cases monitored include insider threat, data leakage, email content, firewall, malicious activity, malware, policy, reconnaissance, suspicious activity, web filtering, and authentication. The Content Packs are preconfigured to offer you fast access to advanced threat or compliance-management capabilities.
Content Packs can contain predefined ESM Views, Reports, Watchlists, Alarms, Correlation Rules, and Variables. You can browse through them and select only the content that you require.
How are Content Packs created and distributed?
Trellix experts collaborate with partners and customers to create the Content Packs. After development and testing, Content Packs are hosted on the SIEM Rules Server. No additional network or firewall configurations are needed to review and download Content Packs. In addition, Content Packs are also available for download from the Knowledge Base.
Which ESM versions are compatible with Content Packs?
Content Packs are currently compatible with all supported versions of ESM. Most Content Packs consist of one .zip file that can be used on all ESM versions. Some Content Packs consist of two .zip files (one for older and one for newer ESM versions). The Content Pack documentation contains information regarding which .zip file is to be used for your ESM installation.
How often are new Content Packs created? Can I review which packages are available?
Content Packs are released as often as needed and in response to prioritized use cases.
For a full catalog of available Content Packs, see the Trellix Content Catalog.
You can browse, update, install, or uninstall Content Packs anytime from inside the ESM User Interface by clicking System Properties. You can review details of the Content Packs before installation. The items that can be reviewed are targeted use cases, applicable device types, requirements, correlation rules, reports, watchlists, alarms, and variable names.
How do I find Content Packs in the Knowledge Base?
To help our customers implement Content Packs, Trellix adds individual articles to the Knowledge Base for each Content Pack that we provide. These articles contain the Content Pack in a .zip attachment, together with detailed use information in PDF form.
New Content Pack articles are added regularly. View the current list of Content Pack articles, or follow the steps below to perform a manual search for the Content Pack articles:
- Go to the Trellix Enterprise Knowledge Center.
- On the Knowledge Center tab of the ServicePortal, type SIEM Content Pack in the Search Term field, and in the Match drop-down list, select Exactly.
- In the Product field, select SIEM - All Products.
- Click Search.
NOTE: The SIEM Content Pack articles are available only to registered ServicePortal users. Log on to the ServicePortal to access them.
Who can receive Content Packs?
Content Packs are offered to all ESM customers and are included in their annual maintenance contract. There are no additional costs.