If you’ve been following our Release Notes or some of our recent blogs, you may have noticed mention of a new feature that we added to our product earlier this year, Content Packs. For example, the blog released by Bruce Snell highlights the usage of Content Packs to conduct threat hunting activities for Industroyer2, and our Log4j Content Pack blog discusses leveraging a Content Pack for forensics research.
But what exactly is a Content Pack? This blog answers that question, as well as shows you how to create and leverage them for your own organization.
What is a Content Pack?
As the Query and Reporting capabilities of our product have grown over the years, we’ve noticed that customers, prospects, and even our own personnel kept asking for new reports. Some wanted one type of report, others wanted another, and some wanted a report laid out in a way that conflicted with what others had asked for. The need was clear: letting people build and share their own queries and reports would serve them better than a one-size-fits-all report designed for the whole market. So we extended our reporting engine to enable this, which laid the groundwork for the next step.
As users began to employ the new Reporting and Query features, we wanted a way to package the templates into a single file that can be distributed, shared, improved upon, and re-used. This matters most for larger, more complex reporting requirements, such as demonstrating compliance with a government regulation or hunting a specific threat. Outputs like these can draw on multiple reports and queries that need to be organized and moved across multiple systems, or even multiple customers.
To make it easier to collaborate as a team, we rolled out our Content Pack functionality, which lets users build a single file containing everything needed to complete the task. A single Content Pack can contain one or many Queries and/or Reports. A Content Pack is a JSON file, so it can be opened and read in any text editor. The format is also expandable: you can add other JSON-formatted information to the pack, and if the Nozomi Networks product doesn’t recognize that data, it ignores it and keeps parsing the file. In other words, feel free to add data to a Content Pack that is meant for other systems.
Who can use Content Packs?
One of the requirements we had for Content Packs was that it be easy for anyone in our user community to create, import, and export. We wanted the process to be simple and intuitive enough to not add complexity but remain powerful enough to add value.
Anyone who can log into a Guardian can create a Content Pack. Our engineers, your engineers, you, or me, can create, share, and use a Content Pack.
How do I create a Content Pack?
After creating the reports and queries you want to include in a Content Pack, place them in a dedicated Report group and Query group first; the export is selected by group.
To create the Content Pack:
- Log into a Guardian
- Navigate to Administration
- Select System
- Select Export
Next, choose the groups of Reports and Queries you want to add.
After clicking ‘Export data’, a .json file is downloaded to your local machine. That file is your Content Pack.
How do I import a Content Pack?
Importing a Content Pack is even easier than creating one. The Import button sits just below the Export button, and at the bottom of the screen there is a box you can drop the Content Pack file into.
After the file is added, a summary of what was imported appears in the GUI. Because a pack is plain JSON that anyone can edit, open it in a text editor and review its queries and reports before importing a pack that did not originate with your own team; the summary tells you what was imported, not whether it is what you expected.
What are some typical uses for a Content Pack?
Given the portability and the higher level of standardization that Content Packs provide, the possibilities are wide open. Here are just a few scenarios:
Acme Manufacturing, a large global organization, wants to comply with a specific government or industry regulation (for example NIST, ISA/IEC, FDA, or NERC). The company uses data from the Nozomi Networks platform to summarize facts for its internal Compliance team. Various business units have the platform deployed in their factory production control systems, corporate building management systems, and other parts of their infrastructure, which leaves the Compliance team with a large amount of information to standardize before it can be used.
A single Content Pack distributed to every Guardian in the enterprise yields a normalized set of data, regardless of where it originates. Acme could create an internal ‘Acme Regulation X Content Pack’ and circulate it within the organization.
Acme Services, a systems integrator, service partner, MSSP, or other services-oriented firm, has several customers running the Nozomi Networks platform in its sector or market. It would like to offer those customers a standardized service, such as a safety or health check, built on the Nozomi Networks solution deployed in their environments.
Acme could create an ‘Acme Services Health-Check’ Content Pack containing a customer-facing report, multiple queries that tell the engineers what to focus on, and recommendations for reducing risk, all in a standardized format. Shared within Acme, the Health-Check Content Pack makes servicing the customer base easier, more efficient, and more predictable.
Acme Corp. leadership learns from the nightly news about a recently discovered, highly destructive attack against systems like the ones their own organization runs, and is alarmed. They want a full inventory of the risks this poses to operations, across all business units.
The cybersecurity staff within Acme Corp. could collaborate to create a set of queries and reports for Guardian to:
- Identify vulnerable systems
- Highlight alerts that indicate early reconnaissance activity, active infections, lateral movement or other indicators of compromise
- Deploy threat hunting queries
- Assess operational anomalies to see if further inspection is needed
The organization could distribute the Content Pack to any Guardian, import it, run the queries and reports, and subsequently have consistent data that includes all technologies, from OT to IoT to BMS.
What else can I do with a Content Pack?
Because Content Packs were designed to be expandable, creators can add content that is not specific to Nozomi Networks Guardian products, and when the pack is imported into a Guardian the unknown content is ignored. Users can therefore embed an image, a URL, notes, and so on in the JSON file, whether for use in a different system or simply as internal notes and references. Keep in mind that whatever you embed travels with the file: strip internal notes before handing a pack to a customer or a third party.
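The two behaviours described here and in the “What is a Content Pack?” section, a JSON file whose recognized sections hold Queries and Reports and whose unrecognized keys are ignored on import, are worth checking before a pack leaves your team. The script below is an added example, not code from the original post or from Nozomi Networks, and the pack layout it assumes (top-level `queries` and `reports` lists of objects with a `name`, reports referencing queries by name) is a guess for illustration; adjust `KNOWN_SECTIONS` and the field names to match a pack you have exported yourself. It records a SHA-256 fingerprint to circulate with the file, lists the extra keys Guardian would ignore, flags duplicate names and reports that reference queries missing from the pack, and produces a copy with the extras stripped for external sharing.

```python
"""Inspect a Content Pack (exported JSON) before circulating or importing it.

The pack layout below is an ASSUMPTION for illustration only; the real
export schema is not documented on this page.
"""
import hashlib
import json
from collections import Counter

# Top-level sections Guardian is ASSUMED to consume; anything else is extra
# data that the import ignores (and that you may not want to ship).
KNOWN_SECTIONS = ("queries", "reports")

# Constructed sample pack for this example, not a real Guardian export.
# Query strings and field names are placeholders, not Guardian syntax.
SAMPLE_PACK = json.dumps({
    "queries": [
        {"name": "Unpatched PLCs", "group": "Regulation X", "query": "<placeholder query 1>"},
        {"name": "Remote sessions", "group": "Regulation X", "query": "<placeholder query 2>"},
        {"name": "Remote sessions", "group": "Regulation X", "query": "<placeholder query 2, duplicate>"},
    ],
    "reports": [
        {"name": "Regulation X summary", "group": "Regulation X",
         "queries": ["Unpatched PLCs", "Remote sessions", "Missing query"]},
    ],
    "notes": "INTERNAL: cross-check with Compliance before the quarterly run",
    "image": "data:image/png;base64,iVBORw0KGgo=",
}, indent=2)


def load_pack(text: str) -> dict:
    """Parse a Content Pack and insist on a JSON object at the top level."""
    pack = json.loads(text)  # raises json.JSONDecodeError on malformed input
    if not isinstance(pack, dict):
        raise ValueError("Content Pack must be a JSON object at the top level")
    return pack


def fingerprint(text: str) -> str:
    """SHA-256 of the exact file contents. Circulate it with the pack so
    recipients can confirm they imported the file that was reviewed."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def summarize(pack: dict) -> dict:
    """Counts per known section, extra top-level keys Guardian would ignore,
    and duplicate names within a section."""
    summary = {"counts": {}, "extra_keys": [], "duplicates": {}}
    for section in KNOWN_SECTIONS:
        items = pack.get(section, [])
        if not isinstance(items, list):
            raise ValueError(f"section {section!r} must be a list")
        summary["counts"][section] = len(items)
        names = Counter(item.get("name") if isinstance(item, dict) else None for item in items)
        dups = sorted(n for n, c in names.items() if n is not None and c > 1)
        if dups:
            summary["duplicates"][section] = dups
    summary["extra_keys"] = sorted(k for k in pack if k not in KNOWN_SECTIONS)
    return summary


def dangling_references(pack: dict) -> dict:
    """Map each report name to the query names it references that are absent
    from the pack. Catches exporting a report group without its query group."""
    known = {q.get("name") for q in pack.get("queries", []) if isinstance(q, dict)}
    missing = {}
    for report in pack.get("reports", []):
        gone = [q for q in report.get("queries", []) if q not in known]
        if gone:
            missing[report.get("name")] = gone
    return missing


def strip_extras(pack: dict) -> dict:
    """Keep only the sections Guardian consumes, so internal notes or embedded
    files do not travel with a pack handed to a customer."""
    return {k: v for k, v in pack.items() if k in KNOWN_SECTIONS}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PACK
    pack = load_pack(text)
    print("sha256:", fingerprint(text))
    print(json.dumps(summarize(pack), indent=2))
    print("dangling report references:", dangling_references(pack))
    print("keys in customer copy:", sorted(strip_extras(pack)))
```

Run it with the path of a real export as the first argument; without an argument it inspects the constructed sample, where it reports two extra keys (`image`, `notes`), one duplicated query name, and one report that references a query the pack does not contain. Compare the printed fingerprint with the one published alongside the pack before importing.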
We have big plans for Content Packs. In the near future, we’ll reveal additional functionality for Content Packs, as well as release more Content Packs similar to the Log4j and Industroyer2 packs we recently published.