Overview

TDM (Threat Detection Module) displays the top 10 alert trends, top 10 events, host event list, and network event list for a default period of one week on the TDM overview page. Users can change the data range using the Time Picker.

1. Alerts

    (1) Alert Pie Chart: Divides alerts by severity in a pie chart.

    (2) Alert Event List: Lists the last alert time, alert count, and severity based on rule name.

    (3) Click "View Detection" to open the TDM detection dashboard page.

2. Top 10 Alert Trends: Displays a time trend chart of TDM detection alerts for a default period of one week.

    Click "View Detection" to open the TDM detection dashboard page.

3. Top 10 Events: Displays a time trend chart of host events for a default period of one week.

    Click "View Events" to open the TDM host event dashboard page.

4. Host Events: Displays a statistical list of host events for a default period of one week.

    Click "View Host" to open the TDM host dashboard page.

5. Network Events: Displays a statistical list of network events for a default period of one week.

    Click "View Network" to open the TDM network event dashboard page.


AD Dashboard

Select "TDM" → "AD" from the left menu to enter the AD Event Dashboard. By default, it displays the following information for the past 7 days:

  • Host events with the tag safe_tag:AD in Timeflow.
  • Counts of account creation, deletion, lockout, enablement, and disablement events.
  • A list of hosts with login failures exceeding three attempts.


Host

Select "TDM" → "Host" from the left menu to enter the host dashboard, displaying the number of hosts, user authentications, and a unique IP time trend chart at the top.

1. Host Tab: Shows host name, last log time, operating system, and OS version.

2. Authentication Tab: Displays host and user authentication information for the last seven days.

(1) Host Authentication Events: Time trend chart of host authentication events.

(2) User Authentication Events: List of user authentication event details.


3. Event Tab: Displays the top 10 host events and event information list for the last seven days.



User

Select "TDM" → "User" from the left menu to enter the user dashboard, displaying the user count and user authentication time trend chart at the top.

1. User Tab: Shows user name, last log time, host name, domain, and OS version for the last seven days.

2. Authentication Tab


(1) Displays a timeline of host authentication events for the last seven days.

(2) User Authentication Events: List showing the user name, the total number of successful and failed authentication events, the last successful authentication time with its source host IP and domain, and the last failed authentication time with its source host IP and domain.

3. Event Tab: Displays the top 10 user events and user event information list for the last seven days.



Detections

Select "TDM" → "Detections" from the left menu to enter the detection dashboard, which displays the top 10 detection event time trend chart at the top, with the detection event list below.

1. Detection Rule Management: Click "Rule Management" to enter the rule management page.


Custom Tab

(1) Add Custom Rule: Click "Add" to open the add rule edit page.


 1-1. Basic Information

  1-1-1. Name: Required. Enter the custom detection rule name (under 128 characters).

  1-1-2. Description: Required. Enter a description for the custom detection rule (under 1024 characters).

  1-1-3. Severity: Required. Select severity from a dropdown menu (Critical/High/Medium/Low).

  1-1-4. Risk Score: Required. System auto-populates based on severity, but admins can manually enter a score between 1 and 100.

  1-1-5. Tag: Optional. Admins can assign tags to the detection rule.

  1-1-6. URL: Click the icon to add a reference URL.

  1-1-7. MITRE ATT&CK™ threat: Click the icon to add a tactic URL.

 1-2. Condition Settings


  1-2-1. Filter Name: Required. Select a filter condition name from the dropdown. Click "Preview" to view log data matching the filter condition for the last seven days.

  1-2-2. Counting Time Interval: Required. Input the query data range for the schedule, which must be a number between 1 and 99,999 and cannot exceed the execution frequency.

  1-2-3. Threshold: Required. Select a condition from the dropdown and input a count between 1 and 99,999.

  1-2-4. Frequency: Required. Input the schedule’s execution frequency, which must be a number between 1 and 99,999.

 1-3. Notification Mechanism:

1-3-1. Email Detection Notification: Select the recipient role group from the drop-down menu. System administrators can manually enter email addresses and customize the email subject.

1-3-2. IFTTT: Check the checkbox to enable the IFTTT notification function.


 1-4. Click "Finish" to save the custom detection rule. Click "Apply" on the custom detection management page to activate detection operations.
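The field constraints in 1-1 and 1-2 above, collected into a pre-save validator. This is an added example, not TDM's own code: the field names, the default risk score per severity, and the validator itself are assumptions made for illustration; the length limits, ranges, and the rule that the counting interval may not exceed the frequency are the ones this page states.

```python
from dataclasses import dataclass, field
from typing import List, Optional

SEVERITIES = ("Critical", "High", "Medium", "Low")
# The page only says the risk score is auto-populated from severity; these
# default values are an assumption for this example, not the product's table.
DEFAULT_RISK_SCORE = {"Critical": 90, "High": 70, "Medium": 40, "Low": 10}
LIMIT = 99_999  # upper bound shared by interval, threshold and frequency


@dataclass
class CustomRule:
    name: str                  # under 128 characters
    description: str           # under 1024 characters
    severity: str              # one of SEVERITIES
    filter_name: str           # saved filter the schedule queries
    counting_interval: int     # data range of each scheduled query
    frequency: int             # how often the schedule executes
    threshold: int             # record count compared against the condition
    risk_score: Optional[int] = None   # None means "auto-populate from severity"
    tags: List[str] = field(default_factory=list)   # optional tags


def effective_risk_score(rule: CustomRule) -> int:
    """A manually entered score wins; otherwise the severity default applies."""
    if rule.risk_score is not None:
        return rule.risk_score
    return DEFAULT_RISK_SCORE[rule.severity]


def validate_rule(rule: CustomRule) -> List[str]:
    """Return every constraint the rule violates; an empty list means it can be saved."""
    errors = []
    if not rule.name or len(rule.name) >= 128:
        errors.append("name is required and must be under 128 characters")
    if not rule.description or len(rule.description) >= 1024:
        errors.append("description is required and must be under 1024 characters")
    if rule.severity not in SEVERITIES:
        errors.append(f"severity must be one of {SEVERITIES}")
    elif not 1 <= effective_risk_score(rule) <= 100:
        errors.append("risk score must be between 1 and 100")
    if not rule.filter_name:
        errors.append("filter name is required")
    for label, value in (("counting interval", rule.counting_interval),
                         ("threshold", rule.threshold),
                         ("frequency", rule.frequency)):
        if not 1 <= value <= LIMIT:
            errors.append(f"{label} must be between 1 and {LIMIT:,}")
    # The one cross-field rule on the page: the query window may not exceed the run frequency.
    if rule.counting_interval > rule.frequency:
        errors.append("counting interval cannot exceed the execution frequency")
    return errors
```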

(2) Import: Click the import icon to open a file upload window and import custom rules as .des3 files. 


(3) Export: On the custom rule management list page, check the desired custom rules, click "Export", and export the selected rules as .des3 files.


AD Tab

AD detection only covers host log events that contain safe_tag:AD, and it requires a license with AD permissions.


(1) Edit AD Detection Rules: Click the edit icon to open the rule editing page.

 1-1. Basic Information: The system automatically fills in the default data, and only the Recommended Measures can be edited.


 1-2. Condition Settings


  1-2-1. Filter Name: Non-editable.

  1-2-2. Counting Time Interval: Required. Enter the schedule query data range (must be a number between 1 and 99,999, not exceeding the execution frequency).

  1-2-3. Threshold: Required. Select a condition from the dropdown and input a count (between 1 and 99,999).

  1-2-4. Frequency: Required. Input the schedule execution frequency (between 1 and 99,999).

1-3. Notification Mechanism:

1-3-1. Email Detection Notification: Select the recipient role group from the drop-down menu. System administrators can manually enter email addresses and customize the email subject.

1-3-2. IFTTT: Check the checkbox to enable the IFTTT notification function.


 1-4. Click "Finish" to save the official detection rule. Click "Apply" on the detection management page to activate detection operations.


 2. Click the view icon to open the event page, which includes basic data and the event list.



Malicious Tab

(1) For Relay list alerts, only the schedule and notification settings can be edited.


(2) List Features

 1. Click the edit icon to open the edit rule page. The system fills in the default values automatically.


1-2. Condition Settings


1-2-1. Filter: Not editable.
1-2-2. Counting Time Interval: Required. The system administrator enters the data range for the scheduled query, a number between 1 and 99,999 that cannot exceed the execution frequency.
1-2-3. Threshold: Required. The system administrator selects a condition from the dropdown menu and enters the number of records, a number between 1 and 99,999.
1-2-4. Frequency: Required. The system administrator enters the execution frequency for the schedule, a number between 1 and 99,999.

1-3. Notification Mechanism:

1-3-1. Email Detection Notification: Select the recipient role group from the drop-down menu. System administrators can manually enter email addresses and customize the email subject.

1-3-2. IFTTT: Check the checkbox to enable the IFTTT notification function.


1-4. Click "Finish" to save the relay list alert. You must also click "Apply" on the detection management page to enable the detection operation.


 2. Click the view icon to open the event page. The content includes basic information and the event list.



3. Whitelist Settings

3-1. Click the whitelist icon to open the whitelist settings page, where you can enter IPv4 addresses and domains. After entering them, click "Save", and then click "Apply" again on the list page.


OS Tab

(1) OS alert settings only allow editing schedules and notification settings.


(2) List Features

 1. Click the edit icon to open the edit rule page. The system fills in the default values automatically.

1-1. Basic Information: The system will fill in the default values automatically.


1-2. Condition Settings


1-2-1. Filter: Not editable.
1-2-2. Counting Time Interval: Required. The system administrator enters the data range for the scheduled query, a number between 1 and 99,999 that cannot exceed the execution frequency.
1-2-3. Threshold: Required. The system administrator selects a condition from the dropdown menu and enters the number of records, a number between 1 and 99,999.
1-2-4. Frequency: Required. The system administrator enters the execution frequency for the schedule, a number between 1 and 99,999.

1-3. Notification Mechanism:

1-3-1. Email Detection Notification: Select the recipient role group from the drop-down menu. System administrators can manually enter email addresses and customize the email subject.

1-3-2. IFTTT: Check the checkbox to enable the IFTTT notification function.


1-4. Click "Finish" to save the OS list alert. You must also click "Apply" on the detection management page to enable the detection operation.


 2. Click the view icon to open the event page. The content includes basic information and the event list.


Cloud Tab

(1) Cloud alert settings only allow editing schedules and notification settings.


(2) List Features

 1. Click the edit icon to open the edit rule page.

1-1. Basic Information: The system will fill in the default values automatically.


1-2. Condition Settings


1-2-1. Filter: Not editable.
1-2-2. Counting Time Interval: Required. The system administrator enters the data range for the scheduled query, a number between 1 and 99,999 that cannot exceed the execution frequency.
1-2-3. Threshold: Required. The system administrator selects a condition from the dropdown menu and enters the number of records, a number between 1 and 99,999.
1-2-4. Frequency: Required. The system administrator enters the execution frequency for the schedule, a number between 1 and 99,999.

1-3. Notification Mechanism:

1-3-1. Email Detection Notification: Select the recipient role group from the drop-down menu. System administrators can manually enter email addresses and customize the email subject.

1-3-2. IFTTT: Check the checkbox to enable the IFTTT notification function.


1-4. Click "Finish" to save the Cloud alert. You must also click "Apply" on the detection management page to enable the detection operation.


 2. Click the view icon to open the event page. The content includes basic information and the event list.


Elastic Tab

(1) Elastic alert settings only allow editing schedules and notification settings. The rules can be referenced at https://github.com/elastic/detection-rules/tree/main/rules.


(2) List Features

 1. Click the edit icon to open the edit rule page. The system fills in the default values automatically.

 1-1. Basic Information: The system automatically fills in the default data, and only the Recommended Measures can be edited.


1-2. Condition Settings

  1-2-1. Filter Name: Non-editable.

  1-2-2. Counting Time Interval: Required. Enter the schedule query data range (must be a number between 1 and 99,999, not exceeding the execution frequency).

  1-2-3. Threshold: Required. Select a condition from the dropdown and input a count (between 1 and 99,999).

  1-2-4. Frequency: Required. Input the schedule execution frequency (between 1 and 99,999).

1-3. Notification Mechanism:

1-3-1. Email Detection Notification: Select the recipient role group from the drop-down menu. System administrators can manually enter email addresses and customize the email subject.

1-3-2. IFTTT: Check the checkbox to enable the IFTTT notification function.


 1-4. Click "Finish" to save the Elastic rule. Click "Apply" on the detection management page to activate detection operations.


 2. Click the view icon to open the event page, which includes basic data and the event list.



Network

1. Displays network traffic on a world map.

2. Quad Chart: Displays network event count, DNS queries, unique traffic IDs, network input, and network output traffic.

3. Line Chart: Shows a timeline of unique private source/destination IP counts.



BlackList

1. Select "TDM" → "Blacklist" from the left menu to enter the blacklist management page, where admins can add or delete blacklist hosts and activate blacklist alerts on the official detection tab.

(1) Add to Blacklist: Click the add icon, enter the blacklist host IP in the input box, and click "Save".


(2) Import Blacklist


2-1. Download Import Template: Click the "Template" icon to download the blacklist import template (CSV).

2-2. Update Blacklist: Upload the blacklist CSV file, then click "Update" to complete the blacklist update.

(3) Edit Blacklist: Click the edit icon to edit the blacklist host.


(4) Delete Blacklist: Click the delete icon to delete the blacklist host.

(5) Enable Blacklist: On the parsing rule page, set the source IP and destination IP fields to "safe_sourceIP" and "safe_destinationsIP", then click "Apply". Finally, enable the Blacklist Alert on the official detection tab.

