What can I provide?
Content developed by you personally, or by eligible partner companies, for threat detection, threat hunting and incident response. In SIEM terms this means Sigma rules, correlation rules, queries, dashboards and parsers; for EDR and endpoint protection, Yara rules; for network-based detection, Snort rules. Attack simulation content for open-source tools (such as Atomic Red Team) is also supported.
- Sigma rules
- Yara rules
- Snort rules
- Red tests (such as Atomic Red Team)
- SIEM rule packages (.ARB, .gzip etc.)
- Parsers (logstash configs, Flex connectors, technology add-ons, DSMs etc.)
- Data enrichers and response actions (e.g. python, bash, powershell scripts)
- Incident Response playbooks
How to make money with SOC Prime Threat Bounty
The SOC Prime Threat Bounty Program has transitioned to rank-based rewards. Key unlocks did not work as intended, so as of July 1st 2019 we have removed the per-unlock reward and informed all developers by email.
What happened in the backend is that the SOC Prime team reached out to every client we have, shared the Threat Bounty story and advised which rules would be of high use to them. Some clients proceeded with key unlocks, but the majority gave feedback on how difficult such a system is for an enterprise. Our TAMs then collected further feedback from customers on what we could do better, and this is how the Wanted! list was created: a monthly tradition that we intend to follow.
Our mission is to build and back an active, involved community with fair compensation for developers. Unlocks were low, and the initial plan was to pay out only from new sales generated each month, so to live up to our promise we provided payouts for June even though some things did not work: you may have had zero unlocks and still received a payout, because we highly value your effort and want to get things right. The most important news is that SOC Prime Threat Bounty is live and working on both ends, even though there are some initial bumps to overcome. From July onwards, rewards are paid based on the ranking system. Here is how to increase your rank:
- create requested content;
- address the latest threats;
- build detections for the latest exploits before patches are available (with or without a CVE);
- create content that matches the Wanted! list (threats and log sources of interest to paying clients);
- create resilient rules which are hard to circumvent and stay accurate for a long time (a rule based on an IP address has a short lifespan compared with a behavior rule).
All of these actions affect both the monthly reward and your long-term reputation. Free and paid rules both matter, so it is up to you to decide how to balance them; on our end, SOC Prime supports free and paid content equally.
Sigma can change not only the way organizations build their cyber defense but the entire scenario for blue and red teams.
SIGMA enables the sharing of detection logic between organizations with dissimilar architectures but familiar data...
Nate Guagenti, Endpoint & NSM & Elastic
The Threat Bounty Program provides similar benefits as to how IDS rulesets are already used in thousands of organizations.
Florian Roth, Nextron Systems
New rule authors, that haven't been in the market before, add content to market places like TDM and more content...
Go ahead, do some cool research and make a Sigma rule out of it.
EXAMPLES OF THREAT DETECTION CONTENT
With the Developer program for TDM you can get your content in front of 5000+ users from 2700+ organizations in 128 countries. We have created the first cross-platform cyber threat detection marketplace in the world so that defenders can fight adversaries together. SOC Prime has proven its capabilities many times by sprinting cutting-edge detection content for threats like WannaCry and NotPetya, and by leveraging MITRE ATT&CK™ for threat actor attribution since 2016. We know exactly how much hard work goes into making good rules, testing them, and hunting for the next threat or exploitation technique.
Our mission is to help security researchers reach global customers and get rewarded for their work on a regular basis. While SOC Prime handles QA and sales, we want you to help us with content. In numbers: we get 2000+ content views and 700+ downloads per month. Top authors on TDM have 1000+ views and downloads of their content and receive a special spotlight on the Leaderboards. Over 95% of the content is tagged with ATT&CK using the marketplace engine, so that clients can see both the technical and strategic value of the rules. See the most popular rules below.
Sigma is a generic rule format for SIEM systems, just as Yara is for binaries and Snort for network traffic. In 2018 MISP acknowledged Sigma as the de-facto standard for SIEM queries, and in 2019 SANS recommended Sigma for threat hunting with MITRE ATT&CK.
The TDM API makes it possible to:
- get the list of all Sigma rules without specifying a platform;
- get a Sigma rule by its ID without specifying a platform;
- get a Sigma rule by its ID for a specified platform;
- get the list of all Sigma rules for all platforms, or filtered by other parameters.
Enhanced Sigma capabilities
If you use enhanced Sigma capabilities (for example regex, base64, etc.), please read the following article:
Before creating a new rule, make sure that there is no similar rule in the Threat Detection Marketplace knowledge base: use the search.
Content naming and description
The basic naming rule is that the name should explicitly describe what the content does. We suggest avoiding "Detection" in favor of "Behavior", i.e. the behavior typical of a particular APT group. More specific information belongs in the Description section.
The content "Cover" is the content theme, i.e. the wrapper image. The content "Images" are the attached screenshots confirming that the content works. We recommend using only English letters for the author name/nickname; this improves the searchability of your content.
How do I determine the content Paid Type?
Sigma rules with "experimental" or "testing" status may only be published free of charge (Paid Type: Free). Rules published on a paid basis (Paid Type: Paid) must have "stable" status and must be thoroughly checked and functionally operative. To substantiate that the rule works, the author must attach screenshots containing the confirming data evidence and, unless the rule is based on internal research, a link to the original source of data (reference).
It is very important to tag your content properly, because tags determine its recognizability and searchability. Do not assign improper tags: SOC Prime specialists reject such content and return it to Draft status for the creator to modify, which delays publication. Use the attack.XXX tags from https://attack.mitre.org/ in the tags section of the Sigma rule body.
We strongly recommend not publishing Sigma rules based on Indicators of Compromise, since such rules suffer from low relevance: IoCs become obsolete and have low consumer potential, except in cases of an immediate threat and high-demand content. Threat-hunting Sigma rules are the most requested and marketable because they track abnormal behavior instead of specific names, hashes and other quickly changing attributes.
It is very important to specify the product/category/service correctly. This affects the quality and number of available translations for other SIEMs. Example:
- product: windows, service: sysmon (refers only to logic relevant for Sysmon data)
- product: windows, service: security (refers only to logic relevant for Windows Security log data)
- product: linux, service: auditd/auditbeat etc. (refers only to logic relevant for Linux auditd/auditbeat data)
- category: process_creation (refers only to logic relevant for data from any source where the command line, process name, parent process name or parent command line appears; for example, it covers logic based on Sysmon event ID 1, CarbonBlack EDR event name == process_creation, etc.)
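The following is an added example and not SOC Prime's or the Sigma project's code. It shows the two pieces of guidance above in one rule: attack.* tags in the tags section and a generic logsource (category: process_creation, product: windows) that translates to any back-end carrying process fields. It also illustrates why behavior rules outlive IoC rules: the same Office-spawns-encoded-PowerShell activity is written once as a behavior rule and once as an IoC rule keyed to a single encoded blob, and both are run over constructed Sysmon-style events by a small evaluator that supports the common Sigma field modifiers. The rule dicts have the same keys a Sigma YAML file has (yaml.safe_load on the YAML text gives exactly this structure); the titles, author, references, paths and encoded blobs are placeholders.

```python
import re

# Added example, not SOC Prime's or the Sigma project's code. A Windows
# process_creation rule with attack.* tags and the generic logsource the page
# recommends. The dict mirrors the YAML rule file; yaml.safe_load() on the YAML
# text yields exactly this structure. Title, author and reference are placeholders.
BEHAVIOR_RULE = {
    "title": "Office Application Spawning Encoded PowerShell",
    "status": "stable",
    "author": "example_author",
    "references": ["https://attack.mitre.org/techniques/T1059/001/"],
    "tags": ["attack.execution", "attack.t1059.001"],
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe", "\\outlook.exe"],
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": "-enc",
        },
        "condition": "selection",
    },
}

# The same activity as an IoC rule: the exact encoded blob from one sample.
IOC_RULE = {
    "title": "Known Encoded PowerShell Loader Blob",
    "status": "experimental",
    "author": "example_author",
    "references": ["https://example.invalid/incident-report"],  # placeholder
    "tags": ["attack.execution", "attack.t1059.001"],
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"CommandLine|contains": "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
        "condition": "selection",
    },
}

# Constructed Sysmon EventID 1 style records (only the fields the rules use).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
EVENTS = [
    {"ParentImage": WORD, "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    # same behaviour, payload re-encoded by the attacker
    {"ParentImage": WORD, "Image": PS,
     "CommandLine": "powershell.exe -w hidden -EncodedCommand IAAgAEkARQBYACAAKABOAGUAdwAtAE8A"},
    # an admin's encoded maintenance script: no Office parent
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -EncodedCommand SQBtAHAAbwByAHQALQBNAG8AZAB1AGwAZQA="},
    # Word spawning the print helper: not PowerShell
    {"ParentImage": WORD, "Image": "C:\\Windows\\splwow64.exe",
     "CommandLine": "C:\\Windows\\splwow64.exe 12288"},
]


def _value_matches(value, modifier, patterns):
    """One field against its pattern(s): a list is OR-ed, and strings are
    compared case-insensitively, as Sigma specifies."""
    if not isinstance(patterns, list):
        patterns = [patterns]
    low = str(value).lower()
    for pat in (str(p).lower() for p in patterns):
        if modifier == "contains" and pat in low:
            return True
        if modifier == "endswith" and low.endswith(pat):
            return True
        if modifier == "startswith" and low.startswith(pat):
            return True
        if modifier == "" and low == pat:
            return True
    return False


def _selection_matches(selection, event):
    """Every field in a selection map must match (AND)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event or not _value_matches(event[field], modifier, patterns):
            return False
    return True


def rule_matches(rule, event):
    """Toy condition evaluator: supports 'sel' and 'sel and not filt'."""
    detection = rule["detection"]
    m = re.fullmatch(r"(\w+)(?: and not (\w+))?", detection["condition"].strip())
    if not m:
        raise ValueError("condition form not supported by this example")
    selection, filt = m.groups()
    if not _selection_matches(detection[selection], event):
        return False
    return not (filt and _selection_matches(detection[filt], event))


def matching_events(rule, events):
    """Indexes of the events a rule fires on."""
    return [i for i, event in enumerate(events) if rule_matches(rule, event)]


if __name__ == "__main__":
    for rule in (BEHAVIOR_RULE, IOC_RULE):
        print(rule["title"], "->", matching_events(rule, EVENTS))
```

Running it, the behavior rule fires on the first two events (the original sample and the re-encoded one) and stays quiet on the admin script and the print helper, while the IoC rule fires only on the first event and is blind to the re-encoded payload; that is the difference in lifespan the guidance above refers to.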
Rules based on keyword search rather than field values are not recommended, especially when the search is bulky, because such searches put a heavy load on the SIEM during the event search.
Content is rejected and returned to Draft status when:
- a rule with similar logic already exists on the Threat Detection Marketplace (https://tdm.socprime.com/);
- the rule has syntax mistakes;
- the rule logic is wrong;
- the rule logic does not match the rule name;
- no screenshots with confirming data evidence are attached (for Paid Type rules);
- there are no tags;
- there is no link to the original source of data (reference);
- the content author is not specified (author).
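As an added example (not SOC Prime's review tooling), the checklist above and the Paid Type, tagging, IoC and keyword guidance earlier on the page can be turned into a pre-submission lint that runs over the rule as the dict yaml.safe_load returns for the rule file. It only catches what is visible in the rule text: the screenshot evidence and the "similar rule already exists" check still need a human and the marketplace search. The IOC_FIELDS set, the tag pattern and the two sample rules are constructed for illustration.

```python
import re

# Added example, not SOC Prime's code. Pre-submission checks mirroring the
# rejection list; rule is the dict yaml.safe_load() returns for a Sigma file.
ATTACK_TAG = re.compile(r"attack\.(t\d{4}(\.\d{3})?|g\d{4}|s\d{4}|[a-z_]+)")
# Fields that name a specific sample or host rather than a behaviour (assumed list).
IOC_FIELDS = {"hashes", "md5", "sha1", "sha256", "imphash",
              "destinationip", "sourceip", "dst_ip", "src_ip", "destinationhostname"}


def lint_rule(rule, paid_type="Free"):
    """Returns a list of problem strings; an empty list means submittable."""
    problems = []
    if not rule.get("author"):
        problems.append("author: content author not specified")
    if not rule.get("references"):
        problems.append("references: no link to the original data source")
    tags = rule.get("tags") or []
    if not tags:
        problems.append("tags: none")
    elif not any(ATTACK_TAG.fullmatch(t) for t in tags):
        problems.append("tags: no attack.* tag")
    status = rule.get("status", "experimental")
    if paid_type == "Paid" and status != "stable":
        problems.append(f"status: Paid content must be 'stable', got '{status}'")
    logsource = rule.get("logsource") or {}
    if not (logsource.get("category") or logsource.get("service")):
        problems.append("logsource: set category or service, not just product")
    detection = rule.get("detection") or {}
    if "condition" not in detection:
        problems.append("detection: condition missing")
    fields = set()
    for name, sel in detection.items():
        if name == "condition":
            continue
        maps = sel if isinstance(sel, list) else [sel]
        if all(isinstance(m, str) for m in maps):
            problems.append(f"detection.{name}: bare keyword list searches every field; bind values to a field")
        fields.update(k.partition("|")[0].lower() for m in maps if isinstance(m, dict) for k in m)
    if fields and fields <= IOC_FIELDS:
        problems.append("detection: matches only IoC fields (" + ", ".join(sorted(fields)) + "); short-lived")
    if "detection" in rule.get("title", "").lower():
        problems.append("title: prefer describing the behaviour over 'Detection'")
    return problems


# Constructed submission that would be bounced back to Draft.
BAD_RULE = {
    "title": "Mimikatz Detection",
    "status": "experimental",
    "logsource": {"product": "windows"},
    "detection": {
        "keywords": ["mimikatz", "sekurlsa::logonpasswords"],
        "condition": "keywords",
    },
}

# Constructed submission that passes every automated check.
GOOD_RULE = {
    "title": "Office Application Spawning Encoded PowerShell",
    "status": "stable",
    "author": "example_author",
    "references": ["https://attack.mitre.org/techniques/T1059/001/"],
    "tags": ["attack.execution", "attack.t1059.001"],
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"ParentImage|endswith": "\\winword.exe", "CommandLine|contains": "-enc"},
        "condition": "selection",
    },
}

if __name__ == "__main__":
    for rule in (BAD_RULE, GOOD_RULE):
        print(rule["title"])
        for problem in lint_rule(rule, paid_type="Paid") or ["ok"]:
            print("  -", problem)
```

The checks are ordered the way a reviewer reads a rule: metadata first (author, reference, tags, status against the requested Paid Type), then logsource, then the detection block. Product alone in logsource is flagged because, as noted above, the category or service is what drives the quality of translations to other SIEMs.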