SOC Prime Platform Product Release Notes 5.14.1

Written by Eugene

December 25, 2024

© 2024 SOC Prime Inc.

All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

ArcSight Render


With this latest SOC Prime Platform release 5.14.1, we’ve created a new ArcSight Render to enhance the quality of content translations. The render is applied to the following functionality:

  • Threat Detection Marketplace (TDM)

  • Uncoder AI

  • Uncoder IO

In Uncoder IO, the specific content type based on the new render is called arcsight-query.

Password Validation Enhancement


As part of the regular password rotation flow in the SOC Prime Platform (every three months), we have added validation to ensure that the new password is not identical to the old one. If a user attempts to reuse their previous password, the system will reject it and display the following error message: "Please, use a new password that is not identical to the old one."
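The reuse check described above, as an added example that is not SOC Prime's own code: because only a salted hash of the current password is stored, the candidate password is re-derived with the stored salt and compared in constant time; the key-derivation parameters are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Error text shown by the Platform when the new password equals the old one.
REUSE_ERROR = "Please, use a new password that is not identical to the old one."


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted scrypt hash of the password (parameters are assumptions).

    Only the salt and digest are stored; the plaintext is never retained.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def validate_rotation(new_password: str, stored_salt: bytes,
                      stored_hash: bytes) -> Optional[str]:
    """Return REUSE_ERROR if new_password matches the current one, else None.

    The candidate is hashed with the stored salt so the two digests are
    comparable; hmac.compare_digest avoids leaking where they first differ.
    """
    _, candidate = hash_password(new_password, stored_salt)
    if hmac.compare_digest(candidate, stored_hash):
        return REUSE_ERROR
    return None


if __name__ == "__main__":
    # Constructed sample: the user's current password and a rotation attempt.
    salt, current = hash_password("Winter2024!")
    print(validate_rotation("Winter2024!", salt, current))  # rejected
    print(validate_rotation("Spring2025!", salt, current))  # accepted -> None
```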

Inventory Page Improvements


In the latest release, we improved the content search on the History page and resolved issues related to missing content logs when navigating from the Inventory to the History page.

Embedded Private GitLab Integration


SOC Prime’s repositories serve as private, tri-encrypted containers that guarantee the security, privacy, and IP protection of the rules and queries you use, regardless of their source. To extend this privacy with best-in-class CI/CD functionality, we have released a dedicated per-account GitLab repository hosted in SOC Prime’s SOC 2 Type II AWS cloud. Any of GitLab’s native automation functions can be used to streamline CI/CD Detection-as-Code workflows or simply to manage detection content.

For each company client with the GitLab integration enabled, a project (also known as a repository) is created in this group. The repo functions as a branch. Detection content is synchronized both from TDM to GitLab and vice versa. When a new GitLab project is created, we add stock files to it, i.e., client files (or scripts) for deploying detection content.

As part of these updates, the expiration date for the user in GitLab is the same as the expiration date for the company's GitLab access in SOC Prime Platform.

Note: If the user is blocked in TDM, they are also removed from the repository.

My Repositories Page Updates

On the My Repositories page, we’ve added the GitLab Sync column, which doesn’t support sorting. The column displays the following details:

  • The branch name in GitLab where the custom repository syncs.

  • Two gray cloud icons indicate that there are no updates on either end.

  • If there are updates, the icons are color-coded as follows:

    • Pull icon: Turns blue if updates are available for pulling.

    • Push icon: Turns green if updates are available for pushing.

  • If GitLab synchronization is disabled or the current user lacks permissions, a dash (-) is displayed instead of icons.

The context menu on the My Repositories page now includes two additional options:

  • Push to GitLab

  • Pull from GitLab

Note: These options are inactive if the repository is not set up for synchronization with GitLab or if there are no updates of the corresponding type (push or pull).

Create New Repository Updates

On the Create New Repository page, we’ve added a new GitLab Synchronization section.

Note: This section is available only for users where the Company Manager has activated access to embedded private GitLab.

When turning the Sync with GitLab automatically toggle switch ON, it enables both automatic and manual synchronization. When the toggle switch is OFF, it enables only manual synchronization.

Creating a GitLab Repo

Selecting Yes under Synchronize content with GitLab? triggers the creation of a branch in the project and updates the repository status. It also saves the branch link in the table on the Repository page in TDM.

Note: By default, No is selected.

Editing a GitLab Repo

  • Switching Yes -> No under Synchronize content with GitLab? prompts the user whether they want to delete the branch:

    • Yes: Stops synchronization and deletes the branch.

    • No: Stops synchronization but keeps the branch.

  • Switching No -> Yes under Synchronize content with GitLab? triggers the creation of a branch in the project and updates the repository status. It also saves the branch link in the table on the Repository page in TDM.

Team Management Page Updates

On the Team Management page, we’ve added the GitLab Access column, which supports sorting. The column displays one of the following values:

  • On

  • Off (by default)

The context menu on the Team Management page now includes the following options:

  • GitLab Access: when the GitLab Access column displays Off.

    Note: If the number of users with GitLab access has reached the limit, the option is displayed but is inactive.

  • Revoke GitLab Access: when the GitLab Access column displays On.

GitLab Synchronization Consent

When content synchronization is enabled between the user’s custom repo in the SOC Prime Platform and GitLab, which acts as a third-party service, a consent notification informs customers that the content storage and transmission involved in synchronization are governed by the SOC Prime Terms of Service and the GitLab Terms of Service. The consent text block is displayed under the GitLab settings, more specifically:

Resolve Conflicts

We've also added the ability to resolve merge conflicts related to push and pull actions, which follow the corresponding behavior:

  • If the user clicks Resolve Conflicts, it creates a merge request (with TDM changes) and returns a link. The frontend displays the link, and the Ready to Push status changes to “false”, with the Pull button available for the users.

  • If the merge request has already been created on the GitLab end, the Resolve Conflicts button is disabled.

  • If changes in TDM occur after creating a merge request, users need to create a new one without deleting the previous one.

  • If the merge request has been resolved on the GitLab end, the user will see the Ready to Pull button (similarly to the unresolved conflict).

  • If the automated update is enabled, a merge request is automatically created and performs a pull, syncing TDM with GitLab. In this case, users must resolve the merge request in GitLab if they want to apply TDM changes.

We've also added a Resolve Conflicts via a Merge Request pop-up that appears after clicking the Resolve Conflicts button. The pop-up includes a link to the created merge request.

Note: If the Resolve Conflicts option is active, the Push to GitLab option should be disabled.

Pricing Updates


With the latest release, we have introduced major changes to our pricing to include new time-limited offerings and updates to Uncoder AI subscriptions.

Detection Engineering & Threat Hunting Fast Start

Starting December 2024, we introduced two time-limited offerings to accelerate Detection Engineering and Threat Hunting efforts: Detection Engineering Fast Start and Threat Hunting Fast Start.

  • Detection Engineering Fast Start offers the best service-oriented tools, detection rules, and intelligence for advanced detection engineering. Designed for rapid implementation, it ensures seamless adoption and operational success.

  • Threat Hunting Fast Start offers multi-tenant capabilities powered by a data-driven approach and advanced MITRE ATT&CK® mapping within a Zero Trust framework. This solution is also optimized for swift deployment and impactful outcomes.

Available through January 31, 2025, the offerings are tailored separately for MSSP & MDR organizations and Enterprises to meet distinct needs. Purchases are available directly via our website with Stripe integration for seamless transactions.

For detailed information and to get started, visit: https://my.socprime.com/pricing/fast-start.

Company Website Updates


Homepage Updates

With this release, we’ve made a set of UI improvements to the homepage of the company website at https://socprime.com/, more specifically:

  • Changed the look and feel of the intro block

  • Added the button that leads to a new Knowledge Bits section on our blog

  • Made updates to the Sigma rules search engine

Professional Services Landing Pages & Navigation Updates

With this latest release, we’ve released new landing pages covering SOC Prime expert-driven professional services that ensure our trusted customers can drive maximum value from the SIEM, EDR, or Data Lake in use, have complete visibility into their data, collect and parse all necessary logs, and take the SOC Prime Platform experience to the next level.

The newly released landing pages are currently added under the Resources tab > Services on the main navigation menu, with the SOC Prime Professional Services item acting as a starting page for all the services delivered to our customers.

The following landing pages representing the dedicated professional services are released:

We’ve also launched the Detection Engineering & Threat Hunting Training landing page dedicated to the delivery of hands-on sessions that are aimed at preparing teams to handle real-world scenarios with ultra-responsiveness and enhanced detection engineering and hunting maturity.

Knowledge Bits Category on SOC Prime Blog

We’ve recently launched our new Knowledge Bits category on the SOC Prime blog to share quick solutions to common questions across diverse SIEM, EDR, and Data Lake technologies, and beyond, crisp and precise from top SOC Prime experts. Acting as a Stack Overflow for cyber defenders, with the corresponding Discord channel, Knowledge Bits offers a trusted space for peers to connect and collaborate.

Uncoder IO: UI Updates

With this release, we’ve updated the punch line on the Uncoder IO page at https://uncoder.io/ to the following one “Be faster, write smarter with Uncoder AI, a private IDE just a Sign Up away!”

Threat Detection Marketplace


Elastic DSL Query Support

With this release, we’ve added support for Elastic DSL Query in Threat Detection Marketplace. Detection algorithms saved in the corresponding language format can now be saved in the custom repository in Uncoder AI. We have also generated translations for Elastic DSL Query for the existing detection content.

Emerging Threats Improvements

In the course of the latest Platform release, we have introduced major updates to the Emerging Threats page (beta version) acting as a single source for real-time CTI, relevant detection rules, and AI-enriched context to outscale cyber threats. Key improvements include the following:

  • AI-Generated News Headlines. Improved AI-driven headline generation for news items, ensuring greater clarity and relevance.

  • Contextual Mapping of Threat Intelligence. Enhanced mechanisms to identify relevant Actors, Tools, ATT&CK Techniques, and CVEs associated with each news item, based on related detection rules.

  • CERT-UA Report Parsing. Added parsing for CERT-UA reports, ensuring comprehensive coverage of all CERT-UA releases with corresponding detection rules and CTI, accessible via the Emerging Threats page.

  • Improved User Interface. Redesigned the UI for the Emerging Threats page to optimize user experience and reduce time-to-value. Detection rules are now displayed in an intuitive and organized format, with key threat details presented in a structured format of the left panel (Actors, ATT&CK Techniques, Tools, CVEs). Each highlight is supplemented with a tooltip providing detailed descriptions and context to help users quickly access critical threat information.

To maximize the value of the Emerging Threats page, start with the step-by-step guidelines in the Help Center.

Light Search Improvements

With the latest release, we have introduced significant improvements to the Light Search functionality. Light Search gives SOC Prime clients a broad range of options to customize their search and make it as precise as possible:

  • Repositories. Users can choose the repositories they want to search across from the Repositories drop-down list. Users can also easily switch between Platform Repos and My Repos.

  • Sorting. We have introduced a new sorting option based on recently updated content, which can be selected from the corresponding drop-down menu.

Open AI GPT

With the latest updates, we have introduced AI Boost allowing users to seamlessly convert any human language prompt into a keyword-enriched query to proceed with accurate and fast search across SOC Prime’s entire database.

Note: To enable Open AI GPT search functionality for your company please contact your dedicated customer success manager.

Security experts can instantly see the AI-generated search query and adjust it in real time, ensuring full transparency and maximum customization for more advanced search needs.

Note: When using AI Boost, your search query is sent to the external services, so make sure you are not entering any sensitive data.

New Data Planes Page

With this latest SOC Prime Platform release, we’ve changed the look and feel of the Data Planes page for an improved user experience.

As part of these updates, we’ve prohibited the choice of the cloud Data Plane in the Jobs settings if the on-prem Data Plane has been selected for the Elastic platform, or vice versa.

Dynamic Content List Pop-Up Updates

On the Lists page, when creating or editing a dynamic content list, we’ve introduced the following updates:

  • Added the ability to allow all platforms currently available in Threat Detection Marketplace for selection in the Content Platform field.

  • In the Select Repos filter, all platform repositories are already selected by default.

Integrations Page Updates

We’ve renamed the Humio Alert to Falcon LogScale Alert in the Content Platform field on the Integrations page.

Warden Check Updates

For a better user experience with our built-in tool for automated Sigma and Roota rule syntax validation, we’ve made a couple of updates to Warden checks. With the updated Warden validation, values must not contain spaces; a hyphen may be used instead. Depending on the language syntax and based on the current Sigma specs, this applies to the following fields:

  • For the tags field within Sigma rules

  • For the mitre-attack field within Roota rules
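The Warden space check described above, as an added example that is not SOC Prime's Warden code: it takes a rule already parsed from YAML into a dict (parsing is assumed to happen elsewhere), inspects the Sigma `tags` field and the Roota `mitre-attack` field, and reports each offending value together with the hyphenated form the check would accept.

```python
import re
from typing import Dict, List

# Any whitespace inside a value violates the updated Warden check.
WHITESPACE = re.compile(r"\s")

# Field to validate per rule language, as the page lists them.
FIELDS_BY_LANGUAGE = {"sigma": "tags", "roota": "mitre-attack"}


def check_values(rule: Dict, field: str) -> List[Dict]:
    """Return one finding per value of `field` that contains whitespace.

    Each finding carries the offending value and the suggested replacement
    (runs of whitespace collapsed to a single hyphen).
    """
    values = rule.get(field) or []
    if isinstance(values, str):          # tolerate a scalar instead of a list
        values = [values]
    findings = []
    for value in values:
        if isinstance(value, str) and WHITESPACE.search(value):
            findings.append({
                "field": field,
                "value": value,
                "suggested": re.sub(r"\s+", "-", value.strip()),
            })
    return findings


def warden_check(rule: Dict, language: str) -> List[Dict]:
    """Run the space check on the field that applies to the rule language.

    Assumption: the caller knows whether the rule is Sigma or Roota; an
    unknown language yields no findings rather than a false positive.
    """
    field = FIELDS_BY_LANGUAGE.get(language.lower())
    return check_values(rule, field) if field else []


# Constructed sample rules (not taken from the page or the Platform).
SIGMA_RULE = {
    "title": "Example Sigma rule",
    "tags": ["attack.t1059.001", "attack.execution", "attack.privilege escalation"],
}
ROOTA_RULE = {
    "name": "Example Roota rule",
    "mitre-attack": ["t1059.001", "command and scripting interpreter"],
}

if __name__ == "__main__":
    for rule, lang in ((SIGMA_RULE, "sigma"), (ROOTA_RULE, "roota")):
        for f in warden_check(rule, lang):
            print(f"{lang}: {f['field']} value '{f['value']}' -> '{f['suggested']}'")
```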

Translation Improvements

In the latest SOC Prime Platform release, we have introduced a set of translation improvements to ensure enhanced detection content quality.

Anomali Translation Improvements

In the latest release, we’ve significantly improved translation quality for Anomali. This was achieved through relevant field mapping updates and a complete re-generation of all translations.

Sentinel One PowerQuery Translation Improvements

We have improved Sentinel One PowerQuery translation quality through the implementation of strict mapping, including considerations for log source imitation. We have also improved the PowerQuery formatting and functionality by including additional characters.

Other Translation Improvements

Additionally, the following translation improvements were made during the latest release:

  • Fixed an issue with cross-platform translation from Microsoft Sentinel to Splunk Alert by updating field mappings.

  • Fixed an issue for QRadar where, in some cases, alternative translations were not available.

  • Fixed date and time fields for Microsoft Sentinel Rules.

  • Fixed the mapping issue with Splunk Queries related to the EventID mapping to EventCode.

  • Regenerated alternative translations for Elastic Stack since some of them were missing.

  • Fixed the issue with a specific Microsoft Sentinel Query where the c-uri field was not converted properly due to a syntax error.

Uncoder AI


With the latest SOC Prime Platform release we have introduced a set of Uncoder AI improvements to ensure enhanced user experience for our clients:

  • IOC-to-Sigma Conversion. Now users can seamlessly generate Sigma rules directly from parsed Indicators of Compromise (IOCs) in Uncoder AI by utilizing our converter service.

  • ArcSight IOC-to-Query Conversion Improvements. When generating ArcSight Query from IOCs in Uncoder AI, the values will now be enclosed in double quotes, aligning with the logic used for Sigma to ArcSight conversion.

  • Platform Name in Selector Field. When a user selects an option from the drop-down, the platform name currently remains displayed in the selector field. To improve usability, the field will now be cleared when the cursor is placed in it, allowing users to easily input a different platform name.

  • Prevent Saving Unsupported Rules in TDM. To ensure compatibility and prevent errors, rules not supported in TDM can no longer be saved. Correspondingly, the New Rule and Update to my Rule options have been removed from the Save menu, simplifying the interface and improving usability.

  • Charging Issue Linked to Cross-Platform Translation. Resolved an issue in Uncoder AI where translations were incorrectly charged when converting within the same platform group (e.g., Elastic Stack Detection Rule (Lucene) → Elastic Stack Query (EQL)).

Key Bug Fixes & Improvements


  • Resolved an issue in Uncoder AI where platforms were not suggested unless the platform drop-down was in focus.

  • Resolved an issue where a success message was displayed in some cases even though the CSE Rule was not deployed in Sumo Logic.

  • Fixed an issue on the Platform Integrations page to ensure that only predefined values can be added as Content Platform options.

  • Improved UI on the Add Jobs page by adding an indent after the Data Plane field to improve spacing.

  • Resolved an issue in Custom Field Mapping where indexes, fields, and values were cleared when changing Log Sources. All values across tabs (e.g., Index, Fields, Values) now persist unchanged for all platforms.

  • Improved UI for Custom Repo drop-down selection to prevent it from auto-scrolling to the bottom.

  • Resolved an issue where the infinity scroll functionality did not work on the Emerging Threats page when using Safari.

  • Resolved an issue where a horizontal scroll bar was displayed in the Create/Edit Job sidebar on Safari.

  • Fixed the issue where the Download button in some cases was not displayed for Elastic Stack Detection Rules (ES|QL) on the Code tab in Threat Detection Marketplace.

  • Fixed the Elastic Stack issue on the Inventory page where new and current content was displayed in different formats in the Update Content pop-up.

  • Fixed the issue with the specific Elastic Stack Detection Rule (Lucene) content, which was downloaded in the original format from the Code tab rather than being displayed with the specifically applied Custom Field Mapping, Config, and Preset settings.
