April 30, 2025
© 2025 SOC Prime Inc.
All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
Generating and Storing AI-Assisted Translations
With this latest release, we have added the ability to generate and store the AI-assisted translations of all non-Sigma detection rules (e.g., Microsoft Sentinel, Elastic, Splunk native rules & queries) from GitHub repositories into all language formats currently supported by SOC Prime Platform. This is implemented via Uncoder AI, with the function translation performed using a local LLM. Each AI-generated translation now includes a field indicating that it was produced by AI, ensuring transparency about AI-powered content generation.
Content Quality Improvements
We are constantly working on enhancing the quality of detection content translations. With the SOC Prime Platform release 5.16.1, we’ve introduced a set of improvements for various supported platforms.
ElastAlert
We’ve made improvements to the quality of ElastAlert translations by resolving an issue with incorrect fields when translating detection code from Sigma to the ElastAlert format.
Elastic ES|QL
Improved Elastic ES|QL rule translation by ensuring the author field is now correctly returned as a single list, resolving the previous issue with nested lists.
ArcSight
We have improved ArcSight syntax handling and translation quality by introducing proper escaping for the following characters:
/ (slash)
* (asterisk)
" (double quote)
Microsoft Sentinel
We have improved the quality of cross-platform translations for Microsoft Sentinel rules & queries in Uncoder by replacing =~ with == for true/false fields.
Sigma
To enhance translation accuracy and support a broader range of use cases, Sigma rule translation processing now includes support for additional modifiers:
ne
not_contains
not_startswith
not_endswith
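To make the semantics of these negated modifiers concrete, here is an added illustrative matcher (example code, not SOC Prime's or the Sigma project's own) that evaluates a Sigma-style selection map against sample events. It assumes that each not_* modifier is the plain negation of its positive counterpart, that ne means "not equal", that string matching is case-insensitive as in Sigma, and that a list of values under a negated modifier means none of the listed values may match; the selection and the events are constructed for the example.

```python
"""Minimal matcher for Sigma-style field modifiers, including the negated forms
ne, not_contains, not_startswith and not_endswith.

Illustrative code only (not SOC Prime's or the Sigma project's). Assumptions:
each not_* modifier is the negation of its positive form, comparisons are
case-insensitive, and a value list under a negated modifier means "none of
these may match" (the De Morgan negation of Sigma's OR over a value list)."""

POSITIVE = {
    "eq": lambda value, pattern: value == pattern,
    "contains": lambda value, pattern: pattern in value,
    "startswith": lambda value, pattern: value.startswith(pattern),
    "endswith": lambda value, pattern: value.endswith(pattern),
}
# Each negated modifier maps to the positive modifier it negates.
NEGATED = {
    "ne": "eq",
    "not_contains": "contains",
    "not_startswith": "startswith",
    "not_endswith": "endswith",
}


def split_key(key):
    """'Image|not_endswith' -> ('Image', 'not_endswith'); a bare key means 'eq'."""
    field, _, modifier = key.partition("|")
    return field, modifier or "eq"


def match_field(event, key, pattern):
    """Evaluate one 'field|modifier: value(s)' entry against an event dict."""
    field, modifier = split_key(key)
    if field not in event:
        # Design choice: a missing field never satisfies the entry, even for a
        # negated modifier, so not_contains cannot fire on events that lack the
        # field entirely (a common source of noisy negated conditions).
        return False
    value = str(event[field]).lower()  # case-insensitive, as in Sigma
    patterns = pattern if isinstance(pattern, list) else [pattern]
    patterns = [str(p).lower() for p in patterns]
    if modifier in POSITIVE:
        return any(POSITIVE[modifier](value, p) for p in patterns)  # list is OR
    if modifier in NEGATED:
        # None of the listed values may match the positive form.
        return not any(POSITIVE[NEGATED[modifier]](value, p) for p in patterns)
    raise ValueError(f"unsupported modifier: {modifier}")


def match_selection(selection, event):
    """All entries of a selection map must match (AND), as in Sigma."""
    return all(match_field(event, k, v) for k, v in selection.items())


# Constructed selection: a process-creation event whose image is outside the
# usual system directories, without a benign marker, not spawned by explorer.
SELECTION = {
    "EventID": 1,
    "Image|not_startswith": ["C:\\Windows\\", "C:\\Program Files\\"],
    "CommandLine|not_contains": "--safe-mode",
    "ParentImage|not_endswith": "\\explorer.exe",
    "User|ne": "SYSTEM",
}

# Constructed sample events; only the first one should match.
EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\bob\\tool.exe", "CommandLine": "tool.exe -x",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "bob"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost -k",
     "ParentImage": "C:\\Windows\\System32\\services.exe", "User": "SYSTEM"},   # image prefix
    {"EventID": 1, "Image": "C:\\Users\\bob\\tool.exe", "CommandLine": "tool.exe --safe-mode",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "bob"},           # marker present
    {"EventID": 1, "Image": "C:\\Users\\bob\\tool.exe", "CommandLine": "tool.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "User": "bob"},                # parent suffix
    {"EventID": 1, "Image": "C:\\Users\\bob\\tool.exe", "CommandLine": "tool.exe"},  # fields missing
]


def matching_indexes(selection=SELECTION, events=EVENTS):
    """Indexes of the events that satisfy the selection."""
    return [i for i, e in enumerate(events) if match_selection(selection, e)]


if __name__ == "__main__":
    print(matching_indexes())
```

The missing-field behaviour is the point to check when translating negated modifiers to a target platform: some query languages treat NOT field="x" as true for events without the field at all, which silently widens a rule.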
LinkedIn Authentication Support
With this latest release, we’ve added LinkedIn as a supported authentication option for the SOC Prime Platform. This option is now visible alongside other existing third-party authentication options, including Microsoft, GitHub, Google, Slack, and Atlassian, on both the Sign Up and Log In screens.
Note: If the LinkedIn account is new, the user registration should be completed automatically using the LinkedIn profile data.
Company Website Updates
With this latest release, we’ve implemented the following updates to the company website pages:
Added a link to the News section in the blog tabs panel on the SOC Prime blog
Updated the logos on the AI SOC Ecosystem page at https://my.socprime.com/ecosystem/ and fixed the anchor menu
Uncoder.IO Promo Pop-Up and Banners
SOC Prime introduced Uncoder.IO in 2018 as a fast, private, and easy-to-use online translation engine for Sigma rules, ensuring 100% privacy for its users. The latest SOC Prime Platform release introduces a major change to the Uncoder.IO tool. Uncoder AI, our more advanced version of Uncoder, which has evolved into a private non-agentic AI for threat-informed detection engineering, is now also available for free. With the launch of a free version, we’re encouraging security engineers to sign up for Uncoder AI as part of SOC Prime Platform to take their detection engineering to a new level and make the most of AI capabilities at scale.
To reflect these updates, we’ve released a promo pop-up at https://uncoder.io/ to inform SOC Prime users of the ongoing changes.
Threat Detection Marketplace
Updated Content Date in Lists
With this latest release, we’ve added the updated content date to the List functionality. For a better user experience, we’ve renamed the “Last Updated” column to “List Updated” and added the “Content Updated” column, which indicates when the original detection content in the Sigma language format was updated (rather than the content translation).
Also, the corresponding updates were applied when selecting the specific list for more details.
View Content Button Updates
With this release, we’ve updated the logic for the View Content button on the Inventory page. By clicking this button, SOC Prime users will now be redirected to the Intelligence tab on the content item page. When switching to the Code tab, they will instantly see the code in the corresponding language format.
Path to Upload and Download Path Field Validation for AzureDevOps and GitHub
With this release, we’ve added validation to the Path to Upload and Download Path fields on the 3rd Party Integrations page when setting up integrations for Azure DevOps and GitHub. This is designed to help SOC Prime users minimize input errors. The following symbols are permitted: letters, numbers, spaces, underscores (_), slashes (/). In addition, we’ve updated tooltips for the corresponding fields for a better user experience.
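As an added illustration of this kind of field validation (example code, not the platform's own validator), the following Python function checks a path against the permitted set listed above and reports every offending character so a form can tell the user exactly what to remove. Restricting "letters" to ASCII is an assumption, and the sample paths are constructed.

```python
import re

# Allow-list built from the permitted set named in the release notes: letters,
# digits, spaces, underscores and slashes. Illustrative re-implementation, not
# SOC Prime's code; ASCII-only letters are an assumption.
ALLOWED_CHAR = re.compile(r"[A-Za-z0-9 _/]")


def validate_repo_path(path):
    """Return (ok, rejected_characters).

    rejected_characters is sorted and de-duplicated so a UI can list exactly
    which characters the user must remove. An empty or whitespace-only path is
    rejected even though it contains no disallowed character."""
    rejected = sorted({ch for ch in path if not ALLOWED_CHAR.fullmatch(ch)})
    ok = not rejected and path.strip() != ""
    return ok, rejected


# Constructed inputs with the expected verdict under the listed character set.
SAMPLES = {
    "rules/windows/process_creation": True,
    "Detection Rules/Linux_Auditd": True,
    "rules/../other_project": False,  # '.' is not permitted, so '..' segments fail by construction
    "rules%2Fwindows": False,          # a percent-encoded slash is not a slash
    "rules-prod/sigma": False,         # '-' is not in the listed set
    "   ": False,
}


def check_samples():
    """Map each sample path to whether the validator agrees with the expected verdict."""
    return {p: validate_repo_path(p)[0] == expected for p, expected in SAMPLES.items()}


if __name__ == "__main__":
    for path, (ok, rejected) in ((p, validate_repo_path(p)) for p in SAMPLES):
        print(f"{path!r}: ok={ok} rejected={rejected}")
```

Because dots are outside the permitted set, an allow-list this strict rejects traversal-style segments as a side effect; the cost is that hyphens, which many repository layouts use, are rejected too, so the tooltip should say so.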
Azure DevOps / GitHub Integrations Advanced Settings Changes
With the latest release, we have removed the File Formats field from the advanced settings (if the Show Advanced checkmark is selected) on the Create New Integration page for Azure DevOps and GitHub integrations.
Other UX Improvements
With the latest SOC Prime Platform release, we’ve implemented the following updates to the Threat Detection Marketplace (TDM) for an improved user experience:
Added a suggester that has similar functionality to the Search Engine and includes a field that is filled with the keywords from the document field to streamline the search experience
Added hover tooltips for the following TDM functionality:
Pages: Hunt, Log Source Coverage, MITRE ATT&CK Coverage, Inventory, Jobs, Lists, Repositories, Advanced Search, content item pages
Platform Settings pages: Integrations, Custom Field Mapping, Filters, Search Profiles
My Account in Account Settings
Updated table styles across TDM functionality, including the table header redesign, applying a dark background, a border around the table, and a bottom border for table rows
Hid the Clear button (X) if the search field is empty
Added the Environment Type block with the Cloud, On-Prem, and Isolated options on the Create Data Plane page
Updated the sorting drop-down styles on the Light Search page to make them look consistent with the same UI elements
Uncoder AI
Supercharging to Roota
With the latest release, we have significantly improved the process of Supercharging detection rules into the Roota format, focusing on enhanced metadata parsing and display.
Key updates include:
During Supercharge, all existing intelligence fields are now visible when saving a rule in Roota format
Metadata is now parsed from these fields and stored accordingly
A new read-only field, TRAM Tags, has been added
Existing metadata fields are already supported and parsed in the content service
This improvement ensures full metadata visibility and consistency across detection content types.
Uncoder.IO Updates
With this release, we’ve added a promo to the Uncoder.IO page with a Buy Now button that leads to the Pricing page via SOC Prime Platform registration flow and prompts individual detection engineers and threat hunters to take advantage of an Uncoder AI Solo subscription to instantly learn about active threats, select content to detect them, and generate tailored translations.
Enhancement for Rule Generation With AI
As part of the latest Platform release, we have improved the underlying logic used by Uncoder AI to generate detection rules, resulting in more structured and consistent output. The following enhancements were made:
Refined the Sigma rule generation flow for clearer structure and logic.
Replaced static "SIEM data schema" references with dynamic {platform_name} variables for platform-specific rule creation.
Updated the AI guidance layer to enforce cybersecurity-only output, improving result accuracy and relevance.
Key Bug Fixes & Improvements
Renamed the “Detection Rule” to “Detection Rule (Lucene)” for Elastic content in Jobs on the content item page to avoid confusion with another language format – “Detection Rule (EQL)”
Made improvements to the TDM API:
It can now correctly return 50 available content items per page.
Users can now access and manage Global Content Lists properly.
Fixed the issue where, in some cases, the overlay was not displayed as solid when deleting a Content List from the bottom of the list on the List page. The overlay is now correctly displayed as solid.
Resolved the issue where, in some cases, new and current Sumo Logic content items were presented in different formats in the Update Content window on the Inventory page. All content items are now displayed in a consistent format.
Fixed the issue where detection content would not synchronize after disabling and re-enabling repository synchronization with GitLab. Synchronization now works correctly when re-enabled.
Fixed issues with Azure DevOps, where in some cases, Content Names containing / were incorrectly replaced with %2F after inventory, and Content Names starting with a . were displayed as empty.
Resolved the issue with Azure DevOps, where in some cases, content items with double spaces (__) in the Content Name were not pulled from the repository in the Inventory.
Improved handling of Azure DevOps and GitHub content deployment errors: if the content item already exists in the corresponding repository, the status is now set to Success with the clear message "Content wasn’t pushed, because it already exists in the Repository."
Made UI improvements to ensure long repository names are properly displayed in the Repository selection drop-down lists across SOC Prime Platform.
Fixed a 500 Internal Server Error in TDM API endpoints when managing Content Lists. The issue occurred when the lucene parameter was used with input values exceeding the 1024-character limit.
Fixed the issue where Custom Field Mapping values containing / were, in some cases, truncated during editing. Such values now remain unchanged during editing.
Fixed the issue in the Threat Detection Marketplace where switching from Lucene to Standard search did not reload the page with updated results. The page now correctly reloads and displays results based on the selected search type.
Fixed layout issues in various SOC Prime Platform components that sometimes occurred when changing the browser font size.
Fixed the issue where some pop-up windows within SOC Prime Platform couldn’t be scrolled down when containing large text pieces. Now, the scrollbar appears if the text exceeds the pop-up window height.
Fixed the logo carousel slider layout issues occurring on some SOC Prime website pages.
Fixed the issue where user role descriptions were not displayed fully on the Roles page in the SOC Prime Platform settings section. Now, full descriptions are displayed in a tooltip.
Fixed the issue where a 500 limit warning window was displayed when creating a Content List with fewer than 500 available content items.
Made the following UX improvements on the Team Management page:
Fixed the issue with the wrong column alignment.
Resolved the issue where the User Name value overlapped with the adjacent Email column.
Fixed the table formatting after the search.
On the Inventory page:
Fixed the layout issue where the margin was missing in the Heads Up! and Success pop-ups triggered when deleting content from SIEM.
Fixed the issue where a Success pop-up was displayed when deleting content from Inventory and SIEM while the Data Plane was disconnected. Now, an Error pop-up is shown.
Fixed issues with searching by Content Name on the Inventory page, ensuring accurate and responsive search results.
Fixed the issue where the “rules have updates” notification was hidden after clicking the Show button. The alert will now only be hidden if there are no updates to the rules.
Fixed the issue where the count in "rules have updates" notification wasn't changed after the content updates. The count in the alert is now updated accordingly after the content updates.
Fixed a styling issue where tables lacked bottom padding when viewed in the Firefox browser.
Resolved the issue with the incorrect Search field position in some cases.
Fixed the issue with the incorrect table row labels for smaller screen sizes.
Fixed the issue in which, in some cases, detection content was not pulled from the connected GitLab repository into the TDM repository during GitLab sync.
Fixed the issue that, in some cases, led to incorrect detection content display on the Content List page.
Fixed the issue where a 500 Bad Request error could sometimes occur if the Path to Upload field in Azure DevOps integration settings contained spaces.
Resolved the issue with the rule count on the Lists page, which, in some cases, displayed a zero value for specific lists.
On the Create New Repository page, resolved the issue with the Share to Company toggle switch, which in some cases, once enabled, didn’t work properly after saving the repository.
Resolved the issue with displaying the target language name during content translation in Uncoder AI after changing the source language.
Fixed duplicated scrollbars appearing in the edit pop-up on the Inventory page.
On the Advanced Search page, fixed the hover state issue where the text on applied filters changed its color.
