Overview
TDM (Threat Detection Module) displays the top 10 alert trends, top 10 events, host event list, and network event list for a default period of one week on the TDM overview page. Users can change the data range using the Time Picker.
1. Alerts
(1) Alert Pie Chart: Divides alerts by severity in a pie chart.
(2) Alert Event List: Lists, per rule name, the last alert time, the alert count, and the severity.
(3) Click "View Detection" to open the TDM detection dashboard page.
2. Top 10 Alert Trends: Displays a time trend chart of TDM detection alerts for a default period of one week.
Click "View Detection" to open the TDM detection dashboard page.
3. Top 10 Events: Displays a time trend chart of host events for a default period of one week.
Click "View Events" to open the TDM host event dashboard page.
4. Host Events: Displays a statistical list of host events for a default period of one week.
Click "View Host" to open the TDM host dashboard page.
5. Network Events: Displays a statistical list of network events for a default period of one week.
Click "View Network" to open the TDM network event dashboard page.
AD Dashboard
In the left menu, select "TDM" → "AD" to access the AD Event Dashboard. By default, it displays the following information for the past 7 days:
- Host events tagged safe_tag:AD in Timeflow.
- Counts of account creation, deletion, lockout, enablement, and disablement events.
- A list of hosts with more than three login failures.
Host
Select "TDM" → "Host" from the left menu to enter the host dashboard, displaying the number of hosts, user authentications, and a unique IP time trend chart at the top.
1. Host Tab: Shows host name, last log time, operating system, and OS version.
2. Authentication Tab: Displays host and user authentication information for the last seven days.
(1) Host Authentication Events: Time trend chart of host authentication events.
(2) User Authentication Events: List of user authentication event details.
3. Event Tab: Displays the top 10 host events and event information list for the last seven days.
User
Select "TDM" → "User" from the left menu to enter the user dashboard, displaying the user count and user authentication time trend chart at the top.
1. User Tab: Shows user name, last log time, host name, domain, and OS version for the last seven days.
2. Authentication Tab
(1) Host Authentication Events: Time trend chart of host authentication events for the last seven days.
(2) User Authentication Events: List showing, per user name, the total number of successful and failed authentication events, the time, source host IP, and domain of the last successful authentication, and the time, source host IP, and domain of the last failed authentication.
3. Event Tab: Displays the top 10 user events and user event information list for the last seven days.
Detections
Select "TDM" → "Detections" from the left menu to enter the detection dashboard, displaying the top 10 detection event time trend chart at the top, with a detection event list below.
1. Detection Rule Management: Click "Rule Management" to enter the rule management page.
Custom Tab
(1) Add Custom Rule: Click "Add" to open the add rule edit page.
1-1. Basic Information
1-1-1. Name: Required. Enter the custom detection rule name (under 128 characters).
1-1-2. Description: Required. Enter a description for the custom detection rule (under 1024 characters).
1-1-3. Severity: Required. Select severity from a dropdown menu (Critical/High/Medium/Low).
1-1-4. Risk Score: Required. System auto-populates based on severity, but admins can manually enter a score between 1 and 100.
1-1-5. Tag: Optional. Admins can assign tags to the detection rule.
1-1-6. URL: Click the icon to add a reference URL.
1-1-7. MITRE ATT&CK™ threat: Click the icon to add a tactic URL.
1-2. Condition Settings
1-2-1. Filter Name: Required. Select a filter condition name from the dropdown. Click "Preview" to view log data matching the filter condition for the last seven days.
1-2-2. Counting Time Interval: Required. Enter the range of log data each scheduled run counts over, a number between 1 and 99,999 that cannot exceed the execution frequency. Because the window cannot be longer than the frequency, a window shorter than the frequency leaves events that fall between two runs uncounted; set the two equal unless sampling is intended.
1-2-3. Threshold: Required. Select a condition from the dropdown and input a count between 1 and 99,999.
1-2-4. Frequency: Required. Input the schedule’s execution frequency, which must be a number between 1 and 99,999.
1-3. Notification Mechanism: Check the checkbox to send detection alerts via email, select a recipient role group from the dropdown, and enter an email address and custom subject.
1-4. Click "Finish" to save the custom detection rule, then click "Apply" on the custom detection management page to put the saved rules into operation.
(2) Import: Click the import icon to open a file upload window and import custom rules as .des3 files.
(3) Export: On the custom rule management list page, check the desired custom rules, click "Export", and export the selected rules as .des3 files.
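The Condition Settings above (and the AD tab's rules, which use the same four fields) amount to a scheduled threshold rule: every Frequency, count the events matching the filter within the Counting Time Interval and alert when the count satisfies the Threshold condition. The following Python is an added example of that evaluation over constructed host log events; it is not TDM's own engine or rule format. The filter is an in-code predicate standing in for a saved Filter Name, the condition operators, the group_by field and the event field names (ts, host, event, tag) are assumptions, and the sample events are constructed. The second rule, with a two-minute window on a five-minute schedule, shows why the interval should normally equal the frequency: it never sees the failures that fall between runs.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
import operator
from typing import Callable, List, Optional

# Comparison conditions; the entries in TDM's dropdown are an assumption.
CONDITIONS = {">=": operator.ge, ">": operator.gt, "=": operator.eq,
              "<=": operator.le, "<": operator.lt}


@dataclass
class ThresholdRule:
    """One scheduled rule carrying the four Condition Settings from the page."""
    name: str
    severity: str
    filter_fn: Callable[[dict], bool]    # stands in for the named filter
    counting_interval: timedelta         # how far back each run looks
    condition: str                       # dropdown condition, e.g. ">"
    threshold: int                       # 1..99,999 on the page
    frequency: timedelta                 # how often the rule runs
    group_by: Optional[str] = None       # assumption: count per value of this field

    def __post_init__(self):
        if not 1 <= self.threshold <= 99_999:
            raise ValueError("threshold must be between 1 and 99,999")
        if self.counting_interval > self.frequency:
            raise ValueError("counting time interval cannot exceed the frequency")
        if self.condition not in CONDITIONS:
            raise ValueError(f"unknown condition {self.condition!r}")

    def evaluate(self, events: List[dict], run_at: datetime) -> List[dict]:
        """One scheduled run: count matching events in (run_at - interval, run_at]."""
        window_start = run_at - self.counting_interval
        counts = Counter()
        for ev in events:
            if window_start < ev["ts"] <= run_at and self.filter_fn(ev):
                counts[ev.get(self.group_by, "*") if self.group_by else "*"] += 1
        cmp = CONDITIONS[self.condition]
        return [{"rule": self.name, "severity": self.severity, "key": key,
                 "count": n, "run_at": run_at}
                for key, n in sorted(counts.items()) if cmp(n, self.threshold)]


def run_schedule(rule: ThresholdRule, events: List[dict],
                 first_run: datetime, last_run: datetime) -> List[dict]:
    """Fire the rule every `frequency` from first_run to last_run inclusive."""
    alerts, run_at = [], first_run
    while run_at <= last_run:
        alerts.extend(rule.evaluate(events, run_at))
        run_at += rule.frequency
    return alerts


T0 = datetime(2024, 1, 1, 10, 0, 0)


def _ev(minutes: float, host: str, event: str, tag: str = "safe_tag:AD") -> dict:
    return {"ts": T0 + timedelta(seconds=int(minutes * 60)),
            "host": host, "event": event, "tag": tag}


# Constructed host log events (not real data): dc01 sees five failures in four
# minutes, ws07 two, srv02 four that are not AD-tagged and so out of scope.
CONSTRUCTED_EVENTS = [
    _ev(1, "dc01", "logon_failure"), _ev(2, "dc01", "logon_failure"),
    _ev(2.5, "dc01", "logon_failure"), _ev(3, "dc01", "logon_failure"),
    _ev(4, "dc01", "logon_failure"), _ev(2, "dc01", "logon_success"),
    _ev(1, "ws07", "logon_failure"), _ev(3, "ws07", "logon_failure"),
    _ev(1, "srv02", "logon_failure", tag="safe_tag:Linux"),
    _ev(2, "srv02", "logon_failure", tag="safe_tag:Linux"),
    _ev(3, "srv02", "logon_failure", tag="safe_tag:Linux"),
    _ev(4, "srv02", "logon_failure", tag="safe_tag:Linux"),
]


def ad_logon_failure(ev: dict) -> bool:
    """Filter: AD-tagged logon failures only (mirrors the AD tab's safe_tag:AD scope)."""
    return ev["tag"] == "safe_tag:AD" and ev["event"] == "logon_failure"


# Window equals frequency: every event is counted exactly once across runs.
AD_FAILED_LOGON_RULE = ThresholdRule(
    name="AD logon failures per host", severity="Medium",
    filter_fn=ad_logon_failure, counting_interval=timedelta(minutes=5),
    condition=">", threshold=3, frequency=timedelta(minutes=5), group_by="host")

# Window shorter than frequency: events between two runs are never counted.
GAP_RULE = ThresholdRule(
    name="AD logon failures (2-minute window)", severity="Medium",
    filter_fn=ad_logon_failure, counting_interval=timedelta(minutes=2),
    condition=">", threshold=3, frequency=timedelta(minutes=5), group_by="host")

if __name__ == "__main__":
    for a in run_schedule(AD_FAILED_LOGON_RULE, CONSTRUCTED_EVENTS,
                          T0 + timedelta(minutes=5), T0 + timedelta(minutes=10)):
        print(a)
```

With the first rule, the 10:05 run counts five dc01 failures in (10:00, 10:05] and alerts; the second rule's 10:05 run only sees the 10:04 failure, so it stays silent even though the same attack is in the log.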
AD Tab
Rules on this tab only evaluate host log events that carry the tag safe_tag:AD.
(1) Edit AD Detection Rules: Click the edit icon to open the rule editing page.
1-1. Basic Information: The system automatically fills in the default data, and only the Recommended Measures can be edited.
1-2. Condition Settings
1-2-1. Filter Name: Non-editable.
1-2-2. Counting Time Interval: Required. Enter the schedule query data range (must be a number between 1 and 99,999, not exceeding the execution frequency).
1-2-3. Threshold: Required. Select a condition from the dropdown and input a count (between 1 and 99,999).
1-2-4. Frequency: Required. Input the schedule execution frequency (between 1 and 99,999).
1-3. Notification Mechanism: Check the checkbox to send detection alerts via email, select a recipient role group from the dropdown, and enter an email address and custom subject.
1-4. Click "Finish" to save the AD detection rule, then click "Apply" on the detection management page to put the saved rules into operation.
2. Click the view icon to see the event list, which includes basic data and an event list.
SAFE3 Tab
(1) SAFE3 Official Detection Rules Management List: Includes the blacklist rules, the relay station list rules, and all rules from https://github.com/elastic/detection-rules/tree/main/rules. Only the schedule and notification settings can be edited.
(2) List Features
2-1. Click the official detection alert title’s "^" icon to expand the rule list.
2-2. Click the copy icon to copy the official rule to the custom rules tab.
2-3. Click the view icon to see the event list, which includes basic data and an event list.
(3) Edit Official Detection Rules: Click the edit icon to open the rule editing page.
3-1. Basic Information: Pre-filled by the system and non-editable.
3-2. Condition Settings
3-2-1. Filter Name: Non-editable.
3-2-2. Counting Time Interval: Required. Enter the schedule query data range (must be a number between 1 and 99,999, not exceeding the execution frequency).
3-2-3. Threshold: Required. Select a condition from the dropdown and input a count (between 1 and 99,999).
3-2-4. Frequency: Required. Input the schedule execution frequency (between 1 and 99,999).
3-3. Notification Mechanism: Check the checkbox to send detection alerts via email, select a recipient role group from the dropdown, and enter an email address and custom subject.
3-4. Click "Finish" to save the official detection rule, then click "Apply" on the detection management page to put the saved rules into operation.
Network
1. Displays network traffic on a world map.
2. Quad Chart: Displays network event count, DNS queries, unique traffic IDs, network input, and network output traffic.
3. Line Chart: Shows a timeline of unique private source/destination IP counts.
BlackList
1. Select "TDM" → "Blacklist" from the left menu to enter the blacklist management page, where admins can add or delete blacklist hosts and activate blacklist alerts on the official detection tab.
(1) Add to Blacklist: Click the add icon, enter the blacklist host IP in the input box, and click "Save".
(2) Import Blacklist
2-1. Download Import Template: Click the "Template" icon to download the blacklist import template (CSV).
2-2. Update Blacklist: Upload the blacklist CSV file, then click "Update" to complete the blacklist update.
(3) Edit Blacklist: Click the icon to edit the blacklist host.
(4) Delete Blacklist: Click the icon to delete the blacklist host.
(5) Enable Blacklist: The blacklist rule matches on the fields safe_sourceIP and safe_destinationsIP, so on the parsing rule page map the parsed source IP and destination IP fields to "safe_sourceIP" and "safe_destinationsIP" and click "Apply". Finally, enable the Blacklist Alert on the official detection tab; events whose parser still emits other field names are never matched.
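As an added example (not TDM's own code) of what the blacklist rule does once the parser emits safe_sourceIP and safe_destinationsIP: load an imported CSV, normalize the addresses, and flag events whose source or destination is listed. The CSV layout with a single ip column, the event field names other than the two above, and every sample row are assumptions constructed for the example; event 4 keeps its original parser field names to show why step (5) is required.

```python
import csv
import io
import ipaddress
from typing import Dict, List, Set

# Assumption: the downloaded template has one column named "ip". Rows with
# stray whitespace or an invalid address are constructed to exercise handling.
CONSTRUCTED_BLACKLIST_CSV = """ip
203.0.113.7
198.51.100.0 
2001:DB8::BAD
not-an-ip

"""

# The fields the official Blacklist rule reads after step (5) on the page.
SRC_FIELD = "safe_sourceIP"
DST_FIELD = "safe_destinationsIP"


def load_blacklist(csv_text: str) -> Set[str]:
    """Parse the import CSV into canonical IP strings.

    Invalid or blank rows are skipped rather than aborting the whole import,
    and IPv6 addresses are canonicalized so that 2001:DB8::BAD and
    2001:db8:0:0:0:0:0:bad compare equal.
    """
    listed: Set[str] = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get("ip") or "").strip()
        if not raw:
            continue
        try:
            listed.add(str(ipaddress.ip_address(raw)))
        except ValueError:
            continue  # would be reported to the admin in a real importer
    return listed


def _canonical(value) -> str:
    """Canonical text form of an address field, or '' if it is not an address."""
    try:
        return str(ipaddress.ip_address(str(value).strip()))
    except ValueError:
        return ""


def blacklist_hits(events: List[Dict], blacklist: Set[str]) -> List[Dict]:
    """Return one hit per event side (source/destination) that is blacklisted."""
    hits = []
    for ev in events:
        for direction, field_name in (("source", SRC_FIELD), ("destination", DST_FIELD)):
            if field_name not in ev:
                continue  # parser did not emit the field the rule needs
            addr = _canonical(ev[field_name])
            if addr and addr in blacklist:
                hits.append({"event_id": ev["id"], "direction": direction, "ip": addr})
    return hits


# Constructed parsed events (not real traffic). Event 4 was parsed with the
# original field names, so the rule cannot see its addresses.
CONSTRUCTED_EVENTS = [
    {"id": 1, SRC_FIELD: "10.0.0.5", DST_FIELD: "203.0.113.7"},
    {"id": 2, SRC_FIELD: "2001:db8:0:0:0:0:0:bad", DST_FIELD: "10.0.0.9"},
    {"id": 3, SRC_FIELD: "10.0.0.5", DST_FIELD: "198.51.100.1"},
    {"id": 4, "src_ip": "203.0.113.7", "dst_ip": "10.0.0.9"},
]

if __name__ == "__main__":
    bl = load_blacklist(CONSTRUCTED_BLACKLIST_CSV)
    for hit in blacklist_hits(CONSTRUCTED_EVENTS, bl):
        print(hit)
```

Events 1 and 2 produce hits (the IPv6 address matches despite the differing spelling); event 3 talks to a neighbour of a listed address, not the address itself, and event 4 is invisible to the rule because its parser never mapped the fields.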