May 14, 2025
© 2025 SOC Prime Inc.
All rights reserved. This product and related documentation are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and the features described herein are subject to change without notice.
OpenTIDE Support
With the latest SOC Prime Platform release, we have introduced support for Open Threat Informed Detection Engineering (OpenTIDE). OpenTIDE is an open-source project initiated by the European Commission that acts as a reference for starting and advanced Detection Engineering teams looking to adopt Detection-as-Code, Threat & Detection Modelling, and modern DevOps workflows.
OpenTIDE includes a GitHub-based repository containing three instances representing the entire automated flow of the use case management lifecycle – how the rules are generated, documented, and operationalized:
TVM – the raw description of an emerging threat
CDM – the context-enriched description of a threat with available log sources
MDR – the rule itself addressing a specific threat
Rules are created, documented, and automatically pushed to multiple SIEM, EDR, and other instances, ensuring version control and consistency. This approach is designed to address emerging threats while establishing a standardized and scalable reference for detection engineering and threat hunting.
OpenTIDE Translation Generation
As part of this latest release introducing OpenTIDE support, we have enabled security professionals to translate Sigma rules to the OpenTIDE MDR format using Uncoder AI. To enable this functionality, we have implemented the following:
Added TVM, CDM, and MDR to the Templates drop-down menu in Uncoder AI as three supported OpenTIDE instances.
Added autocomplete for the OpenTIDE MDR fields in Uncoder AI for a better user experience.
Note: Currently, Uncoder AI supports the generation of OpenTIDE MDR only from Sigma rules.
To generate OpenTIDE MDR from Sigma rules, security engineers need to make sure that Sigma is selected as the source language format and then take the following steps:
Select OpenTIDE MDR as the target language format.
Click Translate.
On the Generate OpenTIDE MDR pop-up, enter the following data:
Select the Stage from the list of available options.
Fill out the CDM UUID field to indicate the parenting structure for the generated OpenTIDE MDR rule. Alternatively, select CDM UUID from the suggested list of CDM rules in your OpenTIDE repository.
Note: MDR will include the translations for the following formats based on the selected options:
Select Platform.
Note: Currently, Microsoft Sentinel Rule (Kusto), Splunk Alert (SPL), and VMware Carbon Black Query (Cloud) are supported.
Select the Data Schema.
Select Custom Field Mapping.
To add more platforms, click Add More Translations, and adjust the platform, data schema, and custom field mapping once again.
Note: For now, one to three platforms can be selected for translation.
Click Generate, and the OpenTIDE MDR translation will appear in the left panel.
Saving OpenTIDE MDR Translation
After generating an OpenTIDE MDR translation, security professionals can save it as:
A new rule in the OpenTIDE repo
A file in the .yml format
Click Save as, and select one of the available options.
By choosing to save the translation as a new rule, security engineers will see a pop-up pre-populated with the details that were filled out when generating the OpenTIDE MDR translation:
The OpenTIDE repository selected in the Repository field
The corresponding Stage
The CDM UUID details
Content Name – the name of the rule, which has been converted into the OpenTIDE MDR format.
To proceed, click Save, and the OpenTIDE MDR translation will be saved to the OpenTIDE repository.
Note: If the SOC Prime user has no OpenTIDE repository, they will see the Contact Us button instead of Save.
OpenTIDE Repo Display in Uncoder Search Bar
With this release, all the OpenTIDE MDR rules saved to the organization’s OpenTIDE repository can now be searched from the Uncoder AI search bar.
Within the content list included in the OpenTIDE repo, each content item includes the following details:
Content name
OpenTIDE content type (MDR, TVM, CDM)
The content update date
Note: The filters for the OpenTIDE repo are the same as for other custom repositories. However, no filter is applied to the OpenTIDE content.
When clicking a certain content item, it opens in the left-hand editor, and the source language drop-down displays the content type.
GitLab Repository to Manage OpenTIDE Content
Organizations with GitLab integration enabled can now create a dedicated repository to store and manage OpenTIDE content. This repository functions as a separate GitLab project synchronized with the SOC Prime Platform.
Note: Access is automatically available to all members with GitLab permissions on the Platform.
To create the OpenTIDE GitLab repository:
Navigate to the CI/CD drop-down in the upper-right corner of the screen.
Select Repositories.
On the Repositories page, click Add Repository.
In the GitLab Synchronization section, enable the OpenTIDE Integration toggle.
Note: A single organization can create and manage only one OpenTIDE repository.
After creating the OpenTIDE GitLab repository in sync with the SOC Prime Platform, users can access the OpenTIDE wiki in the GitLab Sync section of the My Repositories page. The OpenTIDE wiki link redirects users to the dedicated page storing all related documentation for the organization's OpenTIDE project.
Attack Detective
Pausing and Resuming On-Premises Scans
With this Platform release, we’ve added the ability to pause and resume on-premises Scans in Attack Detective. Once an on-prem Scan starts, the Scans table displays the action menu (...), which now includes the Pause Scan and Stop Scan options. After clicking Pause Scan, the icon and the action change to Resume Scan; clicking Resume Scan continues the paused scanning process. Alternatively, a Scan can be paused from the Scan status menu. The corresponding Paused status has also been added.
Note: Cloud platforms have only the Stop Scan option on the menu.
When the scan on the Data Plane starts and then pauses, and the user tries to start one more scan by clicking Start Scan and then choosing the same Data Plane, they will see an error: “There's a paused Investigation for the "Data Plane name" Data Plane. Please stop the Investigation or choose another Data Plane.”
For a better user experience, all the paused Scans will now have a tooltip reflecting the corresponding Paused scanning status: “The Scan has been paused. After 24 hours in the paused state, it will be stopped automatically.”
View and Run Investigation Permission Limits
Each company has four user roles that define access levels to certain SOC Prime Platform functionality:
Manager – Has full access to all Platform features and can manage other users and their permissions.
Detection Engineer – Has full access to all Platform features but can’t manage other users and their permissions.
Threat Hunter – Can perform actions with premium content and reverse translations. Not allowed to set up integration with the organization’s SIEM/EDR/Data Lake for automation features.
Analyst – Can only view and hunt using free and unlocked content. Restricted from making any changes or performing actions that could alter the system's configuration or data.
With this release, we have added View and Run Investigation permissions limits defining Attack Detective access levels that depend on the corresponding user role. If the Run Investigation permission is NOT enabled based on the user role, these Attack Detective users are NOT allowed to perform the following actions:
On the Select Your Use Case page, they cannot launch any use case (the corresponding button – Audit Content Plane / Audit Data Plane / Select Candidates / Start Threat Scan is disabled)
On the Data Audit Result page, the Setup Alerts button is disabled
On the Review Scan Results page, the Start Scan button is disabled
On the Scans and Audits tables, they cannot delete or rename a specific Scan or Audit, and the Start Scan/Audit button is disabled
On the Content Audit Result page, the Continue Data Audit button is disabled.
As for the default values, if the Run Investigation permission is enabled, the View Investigation permission is turned ON automatically. If only View Investigation permission is available, Attack Detective users can ONLY review the scan results. If both View & Run permissions are disabled, users won’t be able to access the Attack Detective functionality.
Here’s the table showcasing the corresponding Attack Detective access levels depending on the user role:
Time Selection for Audit and Scan Period Customization
With this latest SOC Prime Platform release, we’ve added the ability to adjust the specific time (in hours and minutes) for Audits (Content and Data Audits) and Scans (Rules for Alerting and Threat Hunting) in addition to selecting the custom date. Now, SOC Prime Platform users can choose a time frame starting from 1 hour when setting up the start and end period of Scans or Audits.
Elasticsearch Cross-Cluster Search Support
With this latest SOC Prime Platform 5.16.2 release, we have added Cross-Cluster Support for Elasticsearch. During threat scans in Attack Detective, users can now search across remote clusters connected to the Elasticsearch local cluster.
Note: Each Elasticsearch cluster should have its own Data Plane configured to have Cross-Cluster Support enabled.
To start using this functionality:
Enable the Using Cross-Cluster Search toggle switch on the Create New Data Plane page.
Fill out the name of your remote cluster in the Remote Cluster Name field.
Optionally, you can add a Space Name in the corresponding field.
Optionally, you can add a Data View ID in the corresponding field.
Upload Data Audit Results from JSON
We have introduced a major upgrade to Attack Detective, which now supports Data Audit functionality for isolated, air-gapped Splunk environments. Users can download the JSON file from the Splunk instance and upload it to Attack Detective to perform the Data Audit.
To launch the Data Audit for isolated, air-gapped Splunk environments, users should follow the next steps:
Go to the Data Planes section under the CI/CD drop-down and click the Add Data Plane button.
On the Create New Data Plane page, select Splunk in the Select Platform drop-down and choose Isolated in the Configuration section. This newly created Data Plane will be used to run the Data Audit for your isolated Splunk instance.
At this stage, users need to configure the Data Audit for isolated Splunk environments. On the Setup Data Audit page:
Select Isolated in the Data Plane Type section to indicate you're auditing in an environment disconnected from unsecured networks.
In the Data Plane section, choose the Data Plane you created in the previous step.
Finally, in the Upload Results section, upload your JSON file to view and analyze the Data Audit results.
Unlock Premium Sigma Rules in Attack Detective
With the latest release, we have added a more streamlined experience for unlocking Premium Sigma rules directly from the Scan Results page in Attack Detective. Users can now unlock Premium Sigma rules sourced from the Threat Detection Marketplace (TDM) directly within the Scan interface. This enhancement allows faster access to Premium content without navigating away from Attack Detective.
Unlock With Available Sigma Rules Balance
If your organization has an available Premium Sigma rule balance, a confirmation modal will appear when attempting to unlock a rule. Upon confirmation, the selected Premium Sigma rule will be unlocked using the organization's balance. The unlocked rule, along with its translations, will become available across all SOC Prime Platform products for your team.
Unlock Limitations and Access Controls
No Remaining Balance: If the organization has no remaining Premium Sigma rule unlocks, the user is informed that the rule cannot be unlocked until the balance is replenished through a subscription upgrade.
RBAC Restrictions: If a user’s role does not permit unlocking Premium content, they are notified that their current role lacks the necessary permissions and are advised to contact their team manager to request access.
User Unlock Limit Reached: When a user has already used up their personal unlock limit, they are notified that their limit has been reached and that they should request an increase from their manager.
Bulk Selection with Locked Content: If a user selects multiple items for hunting and at least one of them is a locked Premium rule, they are notified that Premium content must be unlocked individually. The system prompts them to unlock each item separately by initiating the Hunt action on each one.
IBM QRadar Support for SOC Prime Attack Detective App
With the latest release, we have enhanced the integration support for the IBM QRadar platform in the SOC Prime Attack Detective App. Users can connect their on-prem IBM QRadar instances to Attack Detective to perform Data Audit, obtain Rules for Alerting, and perform Automated Threat Hunting.
To explore the scope of improvements for the IBM QRadar Client within the SOC Prime Attack Detective App, visit the dedicated page here.
Content Quality Improvements
Microsoft Sentinel
We’ve introduced a set of quality improvements for the Microsoft Sentinel content sourced from the Microsoft Sentinel repository on GitHub. Specifically, the rule_type tag is now set to "alert" by default, and query parsing has been updated to preserve newline characters and comments.
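As an added example (not SOC Prime's or Microsoft's code), the snippet below loads the query block of a Microsoft Sentinel analytics-rule YAML while keeping the KQL's line breaks and // comments intact, and applies the rule_type "alert" default described above when the document does not set one. The rule text is constructed for the demo, the zero UUID is a placeholder, and PyYAML is avoided on purpose so the block runs offline.

```python
import re

# Constructed sample in the shape of a Sentinel repo rule (not a real rule).
SAMPLE_RULE = """\
id: 00000000-0000-0000-0000-000000000000
name: Example sign-in burst (constructed)
kind: Scheduled
query: |
  // Count failed sign-ins per user in the lookback window
  SigninLogs
  | where ResultType != 0   // non-zero ResultType is a failure
  | summarize Failures = count() by UserPrincipalName
  | where Failures > 20
severity: Medium
"""

KEY_LINE = re.compile(r"^([A-Za-z_]\w*):\s*(.*)$")


def load_sentinel_rule(text):
    """Parse top-level scalar keys; a `|` or `|-` literal block (used for
    `query`) is returned with every newline and `//` comment preserved.
    rule_type is a SOC Prime tag, not a Sentinel field, so it is defaulted
    here rather than read from the Sentinel document."""
    rule, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        m = KEY_LINE.match(lines[i])
        if not m:
            i += 1
            continue
        key, value = m.group(1), m.group(2).strip()
        if value in ("|", "|-"):
            body, indent, i = [], None, i + 1
            # The block body is every following blank or indented line.
            while i < len(lines) and (not lines[i].strip() or lines[i][0] == " "):
                if indent is None and lines[i].strip():
                    indent = len(lines[i]) - len(lines[i].lstrip(" "))
                body.append(lines[i][indent:] if lines[i].strip() else "")
                i += 1
            joined = "\n".join(body).rstrip("\n")
            rule[key] = joined if value == "|-" else joined + "\n"  # clip keeps one \n
            continue
        rule[key] = value
        i += 1
    rule.setdefault("rule_type", "alert")
    return rule


def kql_comments(query):
    """List the `//` comments in a query (assumes `//` does not occur inside
    string literals, e.g. URLs, which would need a real KQL tokenizer)."""
    return [m.group(1).strip() for m in re.finditer(r"//(.*)$", query, re.M)]
```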
Company Website Updates
As part of the latest release, a series of blog articles has been published to help users explore new Uncoder AI functionality. These resources provide step-by-step guidance on using the AI features of Uncoder across multiple supported SIEM, EDR, and Data Lake technologies.
To access the articles, visit SOC Prime Blog, navigate to the SOC Prime Platform section, and explore posts about AI-powered detection engineering with Uncoder.
Key Bug Fixes & Improvements
Fixed the AI translation issue when, in some cases, the translation failed by constantly displaying the preloader or showing an error in the Debug Console.
Resolved the issue where the Run Now button in some cases did not function correctly to launch Job execution.
Fixed the issue with the GitLab sync when the Push/Pull icon indicators weren’t highlighted when the Push/Pull option was available. After making the improvements, the Push icon is highlighted in green when there are updates to push, while the Pull icon is highlighted in blue when there are content updates for pulling.
Fixed the Azure DevOps deployment issues:
In some cases, content was marked as “Deleted” on the Inventory page after running the Job.
In some cases, formatting issues occurred when the ARM Templates option was enabled, which led to templates working during manual deployment but failing during deployment via Jobs.
Added validation on file extensions, which the Inventory script retrieves from the Repository. After making these updates, the Azure DevOps Inventory now retrieves the appropriate file formats ["txt", "json", "yara-l", "yaml", "yml", "yara"].
