April 16, 2025

© 2025 SOC Prime Inc.

All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

With this SOC Prime Platform release 5.16.0, we’ve added Elastic ES|QL Query and Elastic ES|QL Rule support to the following Threat Detection Marketplace (TDM) functionality:

As part of UX improvements to the Elastic ES|QL Query and Rule support, we’ve added the “Remove trailing spaces after the rule name prefix and leading spaces before suffix” checkbox to the Presets functionality.

With the support of Elastic ES|QL Query and Elastic ES|QL Rule language formats, we’ve added a new Elastic parameter to Presets for the following content types to enable both manual and automated content deployments:

The Create New Preset Profile settings now include the additional Timestamp override field and the corresponding “Do not use @timestamp as a fallback timestamp field“ checkbox.

Also, as part of this Platform release, we’ve added a new Elastic Parameter to Jobs and the Rule Template service.

With the latest Platform release, we’ve also added support for AWS OpenSearch Detection Rule (opensearch-json-rule), which is now available in Uncoder AI and the Threat Detection Marketplace for the following functionality:

Detection content in the corresponding language format can now be saved in custom repositories in the Threat Detection Marketplace.

The OpenSearch Detection Rule format can be selected as the target language during automated content translation via Uncoder AI.

As part of our commitment to enhancing platform security, we’ve introduced a new feature that allows Managers to enforce Two-Factor Authentication (2FA) for all team members using the SOC Prime Platform.

Specifically, a new Enforce Two-Factor Authentication binary toggle has been added to the Team Management page. Managers now can choose between two options:

Once 2FA enforcement is enabled, all users within the team will see a screen with the 2FA setup prompt and a message: “Your manager has enabled mandatory two-factor authentication for the entire team, please set it up.”

After this step is completed, the users will then proceed to the Recovery Codes step to finish the setup.

Once all the routines are completed, users will be able to access the Platform normally.

Note: With Enforce Two-Factor Authentication enabled by the Manager, the Platform will block users from accessing their accounts until they have completed the 2FA setup.

We have recently released our Referral Program. When referring a peer or a friend to subscribe to TDM or Uncoder AI, they will receive 20% off their first Solo subscription, whether monthly or annual. Upon their successful subscription, the referrer will also receive 20% off their next Solo payment.

Just log in to the SOC Prime Platform, press the Refer a Friend button in the header menu, and share the referral link to your friend, or simply type their email for an invite.

Note: There are no limits on invitations—SOC Prime users can refer as many contacts as they want to get more rewards.

With this latest release 5.16.0, we’ve made changes to the following TOS documents on SOC Prime Platform to reflect the latest product updates, including:

We have released the AI SOC Ecosystem landing page, which is now available within a separate Ecosystem tab on the main navigation. Adding this new tab also affected a set of website navigation changes, including the removal of the Community tab from the main menu.

The Become a Partner button leads to the form that enables connecting with SOC Prime experts to explore partnership opportunities and drive the future of cybersecurity together.

With this latest release, we’ve updated the UI of the main company website page at https://socprime.com/ by adding the AI-Powered Cyber Defense block with three videos and summaries on the following AI/ML models we support:

By clicking the Explore More button on the first screen, SOC Prime users instantly drill down to the AI-Powered Cyber Defense for more details.

In view of two upcoming events, we have added the following information to the Events page, which leads to the corresponding registration pages/Pipedrive form:

With this Platform release, we've included the Bluesky icon across our social media sections—now visible on the SOC Prime blog, News section, and in the footer of the company website.

With the latest release, we have introduced a set of improvements to the Light Search page. Specifically, we have expanded the sorting options by adding the Severity parameter. Users can now filter detections based on threat severity directly from the Light Search Sorting Menu, enabling quicker access to the most relevant and critical results.

Note: Severity can not be chosen as a default parameter for sorting.

Additionally, the SOC Prime Platform now remembers the selected sorting option across user sessions to ensure a more consistent and personalized experience.

With the latest release, we have also enhanced the Light Search interface by adding new elements to the content table for better clarity:

The severity status for each rule is now visually represented using a colored arrow icon, enabling quicker threat prioritization at a glance.

With the latest release, we have improved the rules sorting by adding the Severity parameter to the Standard Search Sorting Menu.

Also, Standard Search is now automatically selected by default for all users with access to this feature under the TDM subscription plan.

In the latest release, we have improved Inventory page filtering and sorting options when working with detection content updates. This enhancement applies to both the Platform and custom detection content.

When the selected Data Plane contains updated rules, a notification banner now appears indicating the number of rules containing updates.

The Show button in the notification is clickable and triggers the Inventory view filtering by the Update Exists parameter to display only the detection content items with updates available.

If no updates are available, this notification is not shown.

Notably, a new column labeled “Update” has been added to the Inventory table. It displays:

The drop-down filter has been added to the Update column header, including the following options:

Selecting any of these filters dynamically updates the table content accordingly.

We’ve enhanced the Rule Intelligence section of each content item by introducing a new Relation Graph feature, designed to help users visually explore related detection content:

Note: Currently, Relation Graphs are available only for Platform-managed rules. Tag-based relations for custom content are not yet supported.

We’ve implemented synchronization of detection content from the official Splunk Security Content GitHub repository. All rules from the detections/ directory are now synced into TDM library under splunk/security_content repo, excluding deprecated content.

Deprecated rules are monitored continuously. If a rule is moved to the deprecated folder, it will be automatically marked as deprecated and hidden in TDM. This integration helps keep your threat detection library aligned with the latest Splunk security content updates.

We’ve implemented synchronization detection content from the official Elastic Detection Rules GitHub repository. All .toml rules from the rules/ directory are now synced into the TDM library under the elastic/detection-rules repo, excluding content from _deprecated, apm, and ml folders.

Rules located in the _deprecated folder are continuously monitored and automatically marked as deprecated and hidden in TDM. This integration helps keep your detection library aligned with the latest updates from Elastic’s open-source content.

We’ve integrated a new public detection feed from HijackLibs into the SOC Prime Platform. Now, users can access the corresponding Sigma rules by choosing the HijackLibs repo in the Platform Repos drop-down list. This integration helps keep your detection library aligned with the latest updates from HijackLibs.

We’ve unlocked all AI-powered features in Uncoder AI for every user across all subscription tiers. These capabilities are now available without token limits, ensuring everyone—Free, Solo, or Enterprise—can fully benefit from AI-assisted detection engineering.

The list of AI-powered features now available for free includes the following:

As part of this major Uncoder AI release, we have enabled SOC Prime users to accept their agreement before using external AI. This pop-up appears only once. We’ve changed the pop-up text as follows: “Only correlation functions, such as aggregation functions, are sent to OpenAI API. The core detection logic and translations are done locally at SOC Prime SOC 2 Type II private AWS cloud segment, so no sensitive data ever leaves our cloud.” By clicking Allow, Uncoder AI users proceed with enabling external AI translation enhancement.

Once allowed, the Translate functions {model name} in the top right-hand corner toggle switch is automatically enabled.

For a better user experience using Uncoder AI, we’ve added a pop-up warning users of an AI task in progress that will not be able to complete and display the results if the user closes the page: “You have an AI-powered content generation task in progress. If you close this page, you won’t be able to view the generation results. If you still want to leave, just click the x icon on the tab again.”

When a user initiates one of the AI Tools options, the close ("X") button on the results panel will be disabled while waiting for the service response.

With this release, we have generated the translation of all non-Sigma detection rules (e.g., Microsoft Sentinel, Elastic, Splunk native rules & queries) from GitHub repositories into all language formats currently supported by SOC Prime Platform.

Note: AI-powered content translations were generated only for non-Sigma rules present in the SOC Prime Platform repositories. Custom repositories remain unchanged.

Every AI-generated translation now includes a field indicating that it was produced by AI, ensuring transparency about AI-powered content generation. To enhance visibility, an AI-generated icon has been added to indicate AI-assisted translations. This icon will be displayed next to the platform name and all language format names within the chosen platform.

Note: AI-assisted translations are NOT included in Dynamic Content Lists and are NOT used for Attack Detective scans.

For a better UX experience using Uncoder AI, the right tab for the selected target language now applies an icon (if applicable) to indicate a specific translation status:

With this latest release, we’ve enriched Uncoder functionality with descriptions of supported functions that can now be received from AI. This is an additional Uncoder AI-powered enhancement since descriptions were available only for unsupported functions before this release.

As part of the latest Platform release, we’ve added the AI Tools functionality to the interface, which is designed to generate an AI summary of detection code for a better understanding of its logic. Available options are as follows (with the corresponding tooltips):

Note: This option is available only when Sigma is selected as the language format.

By clicking the Gear icon, Uncoder AI users can now see a list of models to choose from. To confirm the selection, click Apply.

Note: Currently, a private LLM (llama3.3:70b) is used. In future updates, users will be able to select a private or public model from the options below:

Added the following sections to the rule intelligence from the Platform Repo displayed in Uncoder AI:

They are now displayed at the top above the other sections with intelligence.

As part of the SOC Prime Platform 5.16.0 release, we’ve introduced new AI-assisted syntax validation for native detection rules and queries, extending beyond traditional Sigma and Roota support.

The Validate button is now available for all supported source types in the source language drop-down, excluding Threat Report and Custom Prompt. To validate, simply paste your rule into the left-side Uncoder AI panel and click Validate. The AI-generated results will appear on the right panel.

Note: AI-assisted syntax validation is not available for Sigma and Roota. For these formats, the validation that was available before this release is applied.

For full transparency and privacy at every step, when AI is involved in the validation, the result panel includes the following tooltip: “This text has been generated in our secure, privately hosted LLM based on the input detection. Your data did not leave SOC Prime’s infrastructure.”

In the SOC Prime Platform 5.16.0 release, we've introduced major enhancements to the Uncoder AI layout and functionality to support AI-powered rule generation from threat reports and custom prompts.

Correspondingly, new source options have been added to Uncoder AI:

Depending on the detected or selected source input, Uncoder AI now displays dynamic options:

Also, Uncoder AI now intelligently detects if the input is a detection rule code, IOC set, or free-form prompt to dynamically present the right generation options.

To improve the user experience in view of the new Uncoder AI functionality, a set of UI improvements has been made:

Note: When choosing the Data Schema, please consider the gap between the data schema applied for translation/generation and the one you are using. To remap, select an alternative schema in the Data Schema drop-down menu or configure and apply a Custom Field Mapping profile under the Gear icon to the right.

With this latest release, we’ve added a Debug Console that displays the following:

By default, the Debug Console panel opens in a semi-collapsed state only when it contains content and clears when the Translate button is clicked or the page is reloaded.

The panel header contains:

After establishing synchronization with new detection content sources, including the official Splunk Security Content GitHub repository, the official Elastic Detection Rules GitHub repository, and public detection feed from HijackLibs, Uncoder AI users can filter out detection rules for listed sources by choosing a corresponding Platform Repo in the drop-down list.

With the latest release, Uncoder AI has been enhanced with the functionality designed to unlock rule translation within the same vendor using different field mappings. This update removes previous limits and lets users switch between mapping profiles without issues.

With the latest Uncoder AI updates, the target language editor panel now has two tabs:

Other UI/UX enhancements as part of the major Uncoder AI update include the following:

With the latest release, we have introduced the following changes to the Threat Detection Marketplace Solo and Uncoder AI Solo subscriptions that involve: