Loading . . .

Developer Program for Threat Detection Marketplace

Do research, write and submit rules, earn money while you sleep

The opportunity to generate a steady income by writing threat detection rules. Join the defenders that work together for the better cyber security!

Join Now Log in or learn more About TDM

What can I provide?

Content developed by you as a person or by eligible partner companies for the purpose of threat detection, threat hunting and incident response. In SIEM terms we are talking about Sigma Rules, correlation rules, queries, dashboards, parsers. In EDR & Endpoint Protection - Yara rules, Network Based detection - Snort rules. Attack simulation content for open-source instruments is also supported.

Sigma rules
Yara rules
Snort rules
Red tests

(such as Atomic Red Team)

SIEM rule packages

(.ARB, .gzip etc.)

Parsers

(logstash configs, Flex connectors, technology add-ons, DSM’s etc.)

Data enrichers & response actions

(e.g. python, bash, powershell scripts)

Incident Response playbooks
Image_23

How to make money with SOC Prime Threat Bounty

SOC Prime Threat Bounty Program has transitioned to the rank based rewards. Key unlocks did not work so we have removed a reward per unlock as per July 1st 2019 and informed all developers in email.
What happened in the backend is that SOC Prime team has reached out to every client we have, shared the Threat Bounty story, advised which rules would be of high use to clients. Some clients proceeded with Key unlocks but the majority provided feedback on the difficulty of such system for enterprise. Our TAMs have further collected feedback from customers to see what we can do better and this is how the Wanted! list was created. A monthly tradition that we intend to follow.

Join Now or learn more About TDM

As our mission is to build and back an active and involved community with fair compensation to the developers. Unlocks were low and initial plan was to provide Payouts only from new sales generated monthly. So to live up to the promise we have provided payouts for June even if some things did not work. You may have had 0 unlocks and still received a payout, as we highly value your effort and want to get things right. Most important news is that SOC Prime Threat Bounty is live and working on both ends, even though there are some initial bumps to overcome. July and onwards rewards will be paid based on the ranking system. Here is how to increase your rank: create requested content, address the latest threats, build detections for latest exploits before patches are available (with or without CVE), create content that correlates with Wanted! list (threats and log sources of interest for paying clients), create resilient rules which are hard to circumvent and remain accurate for long time (a rule based on IP address will have a short lifespan as opposed to behavior rule). All of these actions will impact both monthly reward and long-term reputation. Free and paid rules matter, so it is up to you to decide how to balance it. On our end, SOC Prime equally supports free and paid content.

Developers feedback

ariel_millahuel
Ariel Millahuel Developer

Sigma can change not the way of how organizations build their cyber defense but the entire scenario for blue and red teams

Read more
adam_swan
ADAM SWAN Developer

SIGMA enables the sharing of detection logic between organizations with dissimilar architectures but familiar data...

Read more
nate_guagenti
Nate Guagenti Endpoint & NSM & Elastic

The Threat Bounty Program provides similar benefits as to how IDS rulesets are already used in thousands of organizations

Read more
florian
Florian Roth Nextron Systems

New rule authors, that haven’t been in the market before, add content to market places like TDM and more content...

Read more
thomas_patzke
Tomas Patzke Developer

Go ahead, do some cool reseach and make a Sigma rule out if it.

Read more
lee_archinal
Lee Archinal Developer

Once I got the main idea and a little bit of experience, I began designing content for my SOC in strictly Sigma...

Read more
osman-demir
Osman Demir Developer

Strong Cyber Security should consist of an active community of people.

Read more
den-iuzvyk
Den Iuzvyk Developer

Threat Bounty Program presents customers' needs and allows deep dive into research

Read more
emir-erdogan
Emir Erdogan Developer

Sharing intelligence and knowledge between researchers and institutions is very important to prevent cyber attacks

Read more
nextron
How to write Sigma Rules

Sigma rules can be converted and applied to many log management or SIEM systems

By Florian Roth, Nextron Systems GmbH

soc-av
SIGMA UI

SIGMA UI is a free open-source application based on the Elastic stack and Sigma Converter (sigmac)

By SOC Prime Inc.

sans
SANS Webcast on MITRE ATT&CK and Sigma

The SANS webcast on Sigma contains a very good 20 min introduction to the project from minute 39 onward

By Justin Henderson and John Hubbard

jordan_1
Sigma rules Guide for ArcSight

A value analysis and step-by-step deployment of Sigma rules to ArcSight ESM & Logger

By Jordan Camba, SOC Prime Inc.

florian
How to Write Simple but Sound Yara Rules

An article on how to build optimal Yara rules with a minimal chance of false positives

By Florian Roth, Nextron Systems

canary
Using Atomic Red Team to test your security

Atomic Red Team tests are small, highly portable detection tests mapped to the MITRE ATT&CK Framework

By Red Canary, Atomic Red Team

hero-43

EXAMPLES OF THREAT DETECTION CONTENT

With Developer program for TDM you can get your content in front of 5000+ users from 2700+ organizations from 128 countries. We have created the 1st cross-platform cyber threat detection security marketplace in the world so that defenders can fight the adversaries together. SOC Prime has proven its capabilities many times by sprinting the cutting-edge detection content for threats like WannaCry, NotPetya as well as leveraging MITRE ATT&CK™ since 2016 for threat actor attribution. We know exactly how much hard work it goes into making the good rules, testing them and hunting for the next threat or exploitation technique.

Our mission is to help the security researchers with reaching to global customers and get rewarded for their work on regular basis. While SOC Prime handles the QA and sales, we want you to help us with content! If we talk numbers we get 2000+ content views and 700+ downloads per months. Top authors on TDM have 1000+ views and downloads of their content and receive special spotlight at the Leaderboards. Over 95% of the content is tagged with ATT&CK using the marketplace engine so that clients can see both technical and strategic value of the rules. See the most popular rules below.

You are eligible to participate in the Program if you meet all of the following criteria:
  • You are 16 years of age or older. If you are at least 16 years old but are considered a minor in your place of residence, you must obtain your parent's or legal guardian's permission prior to participating in this Program; and
  • You are either an individual researcher participating in your own individual capacity, or you work for an organization that permits you to participate. You are responsible for reviewing your employer's rules for participating in this Program..
Content that you personally developed for the purpose of threat detection, threat hunting, and incident response.
In SIEM terms, we are talking about correlation rules, queries, dashboards, parsers. In terms of EDR & Endpoint Protection – YARA Rules, Network-Based detection – Snort Rules. Attack simulation content for open-source instruments is also supported. Content types examples:
  • Sigma Rules
  • YARA Rules
  • Snort Rules
  • RED tests (such as Atomic Red Team)
  • SIEM Rule Packages (archives such as .arb, .gzip, etc.)
  • Parsers (Logstash configs, Flex connectors, technology add-ons, DSMs, etc.)
  • Data Enrichers and response actions (e.g., Python, Bash, PowerShell scripts)
  • Incident Response Playbooks
Sigma is a generic rule format for SIEM systems:https://github.com/Neo23x0/sigma
Just like YARA for binaries and Snort for the network. In 2018 Sigma was acknowledged by MISP to be a de-facto standard for SIEM queries. In 2019 SANS has recommended Sigma for threat hunting with MITRE ATT&CK. Read more here:
https://github.com/Yara-Rules/rules
https://github.com/VirusTotal/yara
https://github.com/Cisco-Talos/snort-faq
https://github.com/redcanaryco/atomic-red-team
Pay attention to the Wanted List – here we are posting feedback from the SOC Prime Threat Detection Marketplace (“TDM”) users. Facing the flood of fraudsters’ activities, sometimes the TDM users can’t find the content that would cover their security needs. All the requests are verified by the TDM admins.
However, the Wanted List doesn’t set any limits. Good, high-quality tested content that finds cyber threats! Compliance-centric content is highly welcome!
As of April 2020, TDM is used by 3800+ companies, 8000+ users from 147 countries. Most of them need more content. A LOT more content.
Sure thing. Automatic tests are done as you upload content at various stages, from spellcheck to IOC lookups and metadata tagging. Yes, we will actually auto-tag content with ATT&CK if it looks like it has the reference. Manual review is also done by the dedicated Content Team.
By metadata we mean useful tags which assist users in finding content and realizing its applicability and value for their environment. It is always a good idea to accurately tag your content with MITRE ATT&CK Techniques, Tools and Actors as well as Log sources, Compliance tags, etc.
Yes, as part of the publishing process *it is necessary to review*, your content is reviewed only by the dedicated SOC Prime Content Team. The Content Team are experienced content authors and DFIR practitioners themselves operating under the strict NDA, code of ethics, and professional guidelines.
SOC Prime's goal is to develop a global marketplace where vetted content can be bought online by clients worldwide. It is not our goal to keep developing content ourselves, thus we count authors as part of our worldwide team. The Marketplace is our core business, we are not a SIEM or EDR vendor. SOC Prime's role is to assist the community, make things more secure and simple while ensuring the highest quality possible for each rule and parser available at Threat Detection Marketplace.
Content marked as "SOC Prime Verified" means that it has passed the Content Team's reviews and was tested in our lab on real SIEMs and datasets. All such processes are semi-automated.
The author! We will keep your author name or nickname, sign each content file with SHA-256 hash, and can even attach your own license (if it does not contradict our license, though). This also helps to avoid Plagiarism and “load balance” the rule creation. If you’re creating rules online, we will add automatic Plagiarism checks per every line of a rule developed (like URL, event ID, etc.). If you’re more comfortable developing offline, Sigma or Sigma UI work just as great.
Still have doubts what name to choose for authoring your content? Just follow our best practices – try to choose one name for all your developed content and stick to it whenever you fill in the Author field in Sigma. You may choose your real first name, a full name, or a nickname, whatever, but try to avoid special symbols or characters used in languages other than English. All this will help the TDM users to easily find your content when filtering by Authors.
AES-256 block-level encryption, AWS hosting, replication and backup testing, full-stack hardening, a strong password policy with reCAPTCHA, continuous vulnerability testing, in-house red team testing monitored by our own SOC Team. 2FA support in 2019 – just some examples of how we care about security. Suggestions are welcome.
SOC Prime Threat Bounty Program manager will email you personally when your content gets traction. By the end of each month, we will email the award and if all payment details are set correctly, schedule a payout.
Effective July 1st, 2019 Payment is based on the Rating system applied monthly. Individual Payout information will be emailed to you personally. New rules, downloads, views, following the Wanted List and long-term contribution – all help to increase your rank. We want to make sure that every bit of your work counts, both on the day of release and on a long-term basis! We will be sharing more information as the program matures. Initial key-based system was inefficient and too difficult for the Enterprise, so even for the first month we provided Payouts that exceeded the number of unlocks. We want to extend our gratitude to the most active developers, thank you for making Threat Bounty a reality!
The payment schedule will be negotiated individually as payment terms vary per customer - from 30 days (often) to 120 days (very rarely).
We will email you asking about your preferred payment method. Available payment methods are: Bank wire transfers and PayPal. You will need to ensure that your payment and tax information is up-to-date to avoid any delays in payments. No Blockchain! Not yet. ;)
If your payment information is up-to-date, you will be paid no later than the last day of the month in which you were notified that your content got traction.
If you do not provide your payment and tax details within 120 days from when you were notified by email that your content got traction, you will forfeit the reward.
We count the meaningful TDM clients’ actions on the website with a certain weight assignment of each action and each published content type using the internal rating system.
In the Developer cabinet, non-personal content usage statistics are visible to the developer. You can also see the content View, Download, Update, Rating & Review statistics on the Search page as any regular user of Threat Detection Marketplace. Top content sortable by Release, View, and Download counts is also visible on the Leaderboards page.
It depends on your content type – free or paid. All clients can view free content, while the paid content code is available only for clients with Premium subscriptions. Still, clients can preview your paid content and see metadata or promotional screenshots of your choosing to understand the content value.
Email support@socprime.com if you have any questions or concerns.
There are 2 possible scenarios for content deletion: by author request or deprecation. The first will be fulfilled within 2 business days if content gets no traction. In case this happens, we will try to discuss possibilities on how to continue support for clients. The second scenario is automatic deletion of content if it had no traction over the last 24 months. In such a case, we will get in touch with you in advance and do our best to change the situation as we are highly committed to promoting valuable content.
We do not buy exploits or malware binaries, those are different kinds of businesses. Good examples of tests are Red Canary or Nextron APT Simulator.
The SOC Prime Threat Detection Marketplace API is available under certain Subscriptions The TDM API allows advanced rule management and automated streaming of detection algorithms to on-premise, hosted and cloud-native SIEM and SOAR platforms.
With API access, you can get the list of all Sigma rules:
  • Without any specified platform
  • With the specified ID without any specified platform
  • With both the specified ID and platform
  • For all platforms or other specified filtering parameters
Yes.
SOC Prime determines the quality of content. For the following reasons, content publication can be rejected:
  1. There exists a rule with similar logic at Threat Detection Marketplace https://tdm.socprime.com/ ;
  2. The rule has syntax errors
  3. The rule logic is wrong
  4. The rule logic does not conform with the rule name
  5. There are no attached screenshots containing the confirmatory data evidence (applicable to the paid rule types)
  6. The rule has no tags
  7. There is no link attached to the original source of data (reference)
  8. The content author is not specified

Do research, write and submit rules, earn money while you sleep

Join Now or learn more About TDM