July 3, 2025
© 2025 SOC Prime Inc.
All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
AI-Generated Content
With this latest release, we’ve added AI-generated content to SOC Prime Platform, which enables security teams to instantly boost detection engineering efficiency. The AI-generated rules are marked by the corresponding AI icon to distinguish them from other detection algorithms. AI-generated content is stored in a new SOC Prime AI Rules repository and can be selected from the Platform Repositories drop-down:
On the Search page in Threat Detection Marketplace (using the Standard search mode)
When choosing the Light Search mode
In Uncoder AI, when searching for relevant detection content
AI Rules Tab
On the Active Threats page, a newly added AI Rules tab displays AI-generated content for the selected news item.
Note: If there are no AI-generated rules for the specific news item, the corresponding pop-up shows up with the following text: “There are no AI-generated rules to detect this threat. You can try to do it in Uncoder AI.”
Bear Fence for Microsoft Defender for Endpoint
SOC Prime has launched Bear Fence, a purpose-built threat detection layer for Microsoft Defender for Endpoint (MDE) focused on tracking Fancy Bear (APT28) and 48 more Russian nation-state actors. Automatically hunt for Fancy Bear and its siblings through an exclusive Attack Detective hunting scenario using 242 hand-picked behavior rules, over 1 million IOCs, and a dynamic AI-driven TTP feed.
This plug-and-play, always-on service is designed for individual researchers and organizations and is available in the following pricing options:
Solo: Self-service pack to upgrade your Microsoft Defender for Endpoint with automated threat-hunting for bear APTs available for instant purchase via Stripe
Enterprise: Enterprise-grade solution to build quick protection from Bear APTs with an expanded set of rules and intelligence
Note: To start detecting bear actors, security engineers need to create an account at the SOC Prime Platform, set up a Data Plane for their Microsoft Defender for Endpoint, and set a scanning schedule.
As part of these subscription updates, we have also created the Bear Fence IOC repository.
Also, to reflect all the subscription details, we’ve launched the corresponding landing page at https://my.socprime.com/bear-fence/ and added Enable Bear Fence to Your MDE to the Use Cases tab in the main website navigation.
Microsoft Sentinel YAML Rule Support
With this latest SOC Prime Platform release, we’ve added support for the Microsoft Sentinel YAML Rule format. This content type is now available for the following Platform functionality:
In Expert Filters > Platform on the Search page
In Uncoder AI, as the target language format for content translations (Microsoft Sentinel > Rule (YML))
On the Create New Job pop-up, when selecting Microsoft Sentinel and then choosing the corresponding content type. For an improved user experience, we’ve also added the following message: “Note that by its nature YAML content can only be pushed to GitHub and Azure DevOps.”
On the content item page, the newly added Microsoft Sentinel Rule (YAML) tab now includes the Push to Repository button, which allows content to be pushed to the GitHub and Azure DevOps repos.
Note: This tab and button will be visible for the SOC Prime user only if they have selected the Microsoft Sentinel YAML Rule content type in the Data Plane settings.
Semgrep Rule Support
We're always working to broaden SOC Prime Platform compatibility with diverse SIEM, EDR, and Data Lake language formats. With this release, we’ve added Semgrep, a fast, open-source static analysis tool that helps find bugs, detect vulnerabilities, and enforce secure coding practices across 30+ languages, to the list of supported cybersecurity solutions.
The Semgrep Rule content type is now supported for Threat Detection Marketplace (TDM) and Uncoder AI, and can be selected as follows:
In Expert Filters > Platform on the Search page
On the Code tab on the content item page
In Uncoder AI, as the target language format for content translation from the majority of supported platforms
Coralogix Query Support
We're constantly expanding support for SIEM, EDR, and Data Lake platforms, along with various language formats. With the SOC Prime Platform release 5.16.3, we've introduced support for the Coralogix Query format. This new content type is now available across the Threat Detection Marketplace (in Expert Filters and on the content item page) and Uncoder AI. Coralogix Query detections can also be stored in custom repositories in the Threat Detection Marketplace.
Tanium Query Support
With this latest release, we’ve added support for Tanium Autonomous Endpoint Management (AEM) Platform. The newly supported Tanium Query content type is now available for the following SOC Prime Platform functionality:
In Threat Detection Marketplace: In Expert Filters > Platform and on the Code tab on the content item page
In Uncoder AI: Can be selected as a target language format for content translation
In addition, detection content in the Tanium Query format can be stored in custom repositories within the TDM.
Content Quality Improvements
As part of the 5.16.3 SOC Prime Platform release, we've introduced a series of enhancements focused on improving the quality of detection content. These updates are part of our ongoing commitment to delivering best-in-class detection rules and queries.
Google SecOps Updates
In the latest release, we’ve enhanced the handling of escape characters within regular expressions and introduced support for log sources in Google SecOps content translations.
Microsoft Sentinel Updates
In the SOC Prime Platform release 5.16.3, we improved how MITRE ATT&CK® tactics and techniques (TTPs) are handled when deploying Microsoft Sentinel rules (via API, UI, etc.). TTP metadata is now preserved and visible in the SIEM, helping users maintain clear visibility into threat behavior.
Also, during this release, we’ve implemented a set of improvements for Uncoder AI to ensure the highest quality of Microsoft Sentinel translations. SOC Prime Platform now supports an extended set of entity mappings for Microsoft Sentinel. Additionally, Uncoder AI is now capable of rendering and parsing entity mappings in JSON and YAML formats.
Elastic DSL Query Updates
With the latest release, we’ve added support for modifiers in Elastic DSL queries by updating the existing Sigma backend. The translation process now wraps escaped Lucene queries in a DSL constructor, effectively generating DSL templates with embedded Lucene logic.
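As an added illustration of what a DSL template with embedded Lucene logic looks like (example code, not SOC Prime's Sigma backend), the Python below renders Sigma-style field/modifier/value entries as escaped Lucene clauses and wraps the result in an Elasticsearch query_string constructor. The modifier semantics, the sample selection, and the function names are assumptions for this example.

```python
"""Lucene-in-DSL rendering: a Sigma selection becomes an escaped Lucene string,
which is then embedded in an Elasticsearch DSL template. Illustrative example,
not SOC Prime's implementation; modifier semantics follow the Sigma convention."""
import json

# Characters the Lucene query parser treats as syntax; inside a literal value
# each of them must be backslash-escaped.
LUCENE_SPECIALS = set('+-=&|><!(){}[]^"~*?:\\/ ')


def lucene_escape(value: str) -> str:
    """Escape every reserved Lucene character so the value matches literally."""
    return "".join("\\" + ch if ch in LUCENE_SPECIALS else ch for ch in value)


def sigma_to_lucene(field: str, value: str, modifier: str = "") -> str:
    """Render one Sigma selection entry as a Lucene clause.
    contains/startswith/endswith add unescaped wildcards around the escaped
    value; 're' passes the pattern through as a Lucene regex (/.../)."""
    if modifier == "":
        return f"{field}:{lucene_escape(value)}"
    if modifier == "contains":
        return f"{field}:*{lucene_escape(value)}*"
    if modifier == "startswith":
        return f"{field}:{lucene_escape(value)}*"
    if modifier == "endswith":
        return f"{field}:*{lucene_escape(value)}"
    if modifier == "re":
        pattern = value.replace("/", "\\/")  # '/' delimits a Lucene regex
        return f"{field}:/{pattern}/"
    raise ValueError(f"unsupported modifier: {modifier}")


def wrap_in_dsl(lucene_query: str) -> str:
    """Embed the Lucene string in a DSL query_string template. json.dumps adds
    the second escaping layer (backslashes, quotes) needed for JSON transport."""
    template = {
        "query": {
            "bool": {
                "must": [
                    {"query_string": {"query": lucene_query,
                                      "analyze_wildcard": True}}
                ]
            }
        }
    }
    return json.dumps(template)


def embedded_lucene(dsl_json: str) -> str:
    """Parse a DSL template back and return the Lucene logic it carries
    (useful to check that both escaping layers round-trip cleanly)."""
    doc = json.loads(dsl_json)
    return doc["query"]["bool"]["must"][0]["query_string"]["query"]


def selection_to_dsl(selection: dict) -> str:
    """AND-join every 'field|modifier': value entry of a Sigma selection and
    wrap the joined Lucene string in the DSL template."""
    clauses = []
    for key, value in selection.items():
        field, _, modifier = key.partition("|")
        clauses.append(sigma_to_lucene(field, value, modifier))
    return wrap_in_dsl(" AND ".join(clauses))


# Constructed sample selection (not from the original page), using three modifiers.
SAMPLE_SELECTION = {
    "Image|endswith": "\\powershell.exe",
    "CommandLine|contains": "-enc ",
    "ParentImage|re": r".*\\(cmd|wscript)\.exe",
}

if __name__ == "__main__":
    dsl = selection_to_dsl(SAMPLE_SELECTION)
    print(dsl)
    print("embedded Lucene:", embedded_lucene(dsl))
```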
Other Content Quality Improvements
Among the other content quality improvements are the following:
Improved cross-platform translations from Splunk into Microsoft Sentinel to ensure flawless performance and better translation quality.
Improved CrowdStrike content translation quality by resolving minor issues that sometimes occurred with regex query values.
Company Website Updates
SOC Prime Blog Updates
With this latest SOC Prime Platform release, we’ve launched the multi-language version of the SOC Prime blog, with around 80% of existing articles already translated. The remaining ones are being processed manually and will be added over time. Currently, the following languages are supported:
🇬🇧 English
🇪🇸 Spanish (Español)
🇵🇹 Portuguese (Português)
🇯🇵 Japanese (日本語)
🇩🇪 German (Deutsch)
🇰🇷 Korean (한국어)
🇫🇷 French (Français)
🇮🇹 Italian (Italiano)
Also, as part of the SOC Prime blog UX updates, we’ve added a Save state for the dark mode on the blog pages.
Data Sheets Page
With this release, we’ve launched a new Data Sheets page at https://socprime.com/data-sheets/ that aggregates our most up-to-date data sheets, offering in-depth insights on SOC Prime products and services. This page is designed to help customers see at a glance and explore in more detail how a unique fusion of technologies within our SOC AI Ecosystem can elevate the organization’s cybersecurity strategy. The new page is located under the Resources tab on the main navigation menu.
Events Page Updates
To reflect the latest updates on SOC Prime webinars, we have added the following changes to the Events page:
Added the latest webinar, “Practical Use Cases: Mastering Detection Engineering With AI”, which leads to the corresponding registration page
Moved the “SOC Prime Ecosystem | SOC Prime Webinar” and the “SOC Prime at GISEC Global 2025” event to the archive
Updated the “SOC Prime Ecosystem | SOC Prime Webinar” registration page with a link to the webinar recording
Threat Detection Marketplace
MITRE ATT&CK® Coverage
As part of the Platform release 5.16.3, we've delivered key improvements to the MITRE ATT&CK Coverage page, offering better visibility into how detection content aligns with MITRE ATT&CK tactics, techniques, and sub-techniques. This enhancement helps users track the coverage of detection rules they've explored, downloaded via API, or deployed from the Threat Detection Marketplace.
Users can now drill down directly from the MITRE ATT&CK Coverage page to detailed detection content search results in TDM. Here's how it works:
Click on a specific ATT&CK tactic tab on the left side of the page.
Select the desired technique, then click on the rule count displayed in the technique tab.
Upon clicking, users are redirected to a Lucene Search Results page displaying all detection content items related to that technique, including content from both SOC Prime and Custom repositories.
Note: Drilldown functionality is available only when no filter by Tenant or Data Plane is applied. If such filters are active, the rule count becomes non-clickable, and a drilldown is disabled.
Notably, detection content from Custom repositories is now fully synchronized with both the MITRE ATT&CK Coverage and Log Source Coverage pages. This ensures accurate aggregation and representation of all relevant content. Also, we’ve introduced several enhancements to improve the visibility and usability of custom content:
Users can now mark custom detection content as deployed.
Deployed custom content now appears on both the MITRE ATT&CK Coverage and Log Source Coverage pages.
Fixed an issue where incorrect custom content counts were shown after drilldown to the Search page.
Active Threats
With this Platform release, we have introduced a set of improvements to the Active Threats page, which acts as a single source for real-time CTI, relevant detection rules, and AI-enriched context, allowing security teams to identify and address threats within minutes.
With this release, the Active Threats page is now the default homepage for all users of the SOC Prime Platform, regardless of their subscription tier. This ensures immediate access to the most critical and timely threat intelligence and rules upon login.
New Interactive Features
Also, with this release, we’ve introduced new interactive features to boost collaboration and visibility within the Platform users community:
Community Reactions: Each Active Threats update now includes a like counter, allowing users to see how the community is engaging with the content and provide their own reaction to the news item
Social Sharing: Users can easily share updates across major social platforms directly from the Active Threats page by copying the news item's direct URL
Platform Presence: Explore and follow SOC Prime across our supported social media channels.
Improved Search Experience
To improve usability and help users quickly locate relevant threat updates, we've introduced a dedicated Search Bar positioned just below the Visualization Dashboards. The search functionality includes intelligent prompt suggestions based on trending or recent threat topics, enabling users to initiate searches more efficiently and discover the most relevant content with ease.
Attack Flow Tab
Each news item on the Active Threats page now includes a dedicated Attack Flow tab, bringing deeper visibility into adversary tactics and progression paths. This feature helps defenders shift from viewing isolated threat behaviors to understanding the full sequence of actions adversaries take to achieve their objectives.
Follow these steps to review the Attack Flow for the chosen Active Threats news item:
Click on the title of the selected item to expand its details.
Navigate to the Attack Flow tab on the left side of the update pop-up.
The Attack Flow diagram is interactive and supports the following capabilities:
Drag blocks while preserving the initial connection
Change scale
Open the visualization in full screen
Return to the starting point
Export Attack Flow as MMD
Other Improvements
Alongside major feature updates, the latest release also includes several UI and usability enhancements to improve the overall experience and consistency:
Updated tab names and icons within the Active Threats news item window to reflect newly added functionality (AI Rules, Attack Flow) and the removal of legacy features (“Expert Opinion”). This ensures clearer navigation and a more intuitive interface.
Improved the UI layout by fixing the minimum height for the blocks containing shorter news items on the Active Threats page.
Implemented minor improvements, enabling users to select and copy the title of the page.
Light Search
With the SOC Prime Platform release 5.16.3, we have introduced a set of UX improvements to the Light Search functionality to ensure a best-in-class user experience.
Hunt
To accelerate threat-hunting workflows, we have added the Hunt shortcut to each content item available from Light Search. This ensures users can instantly find required detection content and immediately use it for hunting in the chosen SIEM.
To use the Hunt functionality right from the Light Search page, users should do the following:
Click the Hunt button located in the tile of the desired detection content item.
The Hunt modal pop-up will appear, prompting users to configure the following settings:
Data Plane. In the Data Plane field, users can select from existing Data Planes or create a new one by clicking the Create New Data Plane button within the modal. If the selected content item does not have a translation compatible with the Data Plane’s language, the Data Plane will appear disabled and cannot be selected.
Custom Field Mapping. Once a Data Plane is selected, the Custom Field Mapping field becomes active. Users can select from existing mappings compatible with the selected Data Plane or create a new one by clicking the Create New Custom Field Mapping Profile button. This field remains inactive until a Data Plane is chosen.
Query Type. This field lets users choose from SIEM type options that are compatible with the selected Data Plane. This field remains inactive until a Data Plane is chosen.
Config. The Config field allows users to select from available Configs that support the selected Data Plane. This field remains inactive until a Data Plane is chosen.
Press the Hunt button to launch the hunting process.
Note: The Hunt button becomes active only after both the Data Plane and Custom Field Mapping fields are properly configured.
The Hunt button is now visible to all SOC Prime Platform users. However, access to the Hunt functionality depends on the user's subscription tier and configuration settings.
RBAC Permissions: Users must have the Hunt permission enabled in their Role-Based Access Control (RBAC) settings. If not, clicking the Hunt button will trigger the Access Denied modal pop-up.
Company-Level Access: The user's organization must have the Hunt module enabled. If this module is disabled, users will see the Feature Not Available pop-up upon clicking the button.
Premium Sigma Rule Access: To use Hunt with Premium Sigma rules, users must have a Premium Sigma Rules Count greater than 0. If this criterion is not met, the platform will display the No Unlock Keys Left pop-up.
Free or Solo Users: Users on Free or Solo subscription tiers can access the Hunt feature only for non-premium content items. Attempting to hunt Premium content will result in the Premium Content Unavailable message.
Add to List
To further streamline content management, we’ve introduced the Add to List shortcut to every detection content item available from the Light Search interface. This enhancement allows users to instantly search for relevant detection content and seamlessly add it to a desired content list for future use. To use the Add to List functionality right from the Light Search page, users should do the following:
Click the Add to List button on the tile of the desired detection content item.
The Add to List pop-up will open, displaying all content lists the user owns or has access to through sharing.
Use the search bar at the top-right side of the pop-up to easily locate a specific List by name.
Select the checkboxes next to the Lists where you'd like to add the content item.
If no appropriate List exists, click the Create New Content List button in the lower-left corner of the modal to create one instantly.
Click the Save button to confirm and add the content item to all selected Lists.
Note: The Add to List shortcut is also available from content item tiles within the Advanced Search in TDM.
Team Management: Export User List in CSV
Introduced UX improvements for the Team Management page, enabling SOC Prime Platform users with Manager roles to export a list of users in CSV format. To export the list of users, go to the Platform Settings > Team Management, and click the Export CSV button.
Note: This data can be downloaded only by users with Manager roles.
Other Updates
With the latest Platform release, we have introduced a set of enhancements to the Threat Detection Marketplace functionality to ensure an excellent user experience. The list of the latest updates includes the following:
Improved the deployment behavior for Microsoft Sentinel presets. The Create incidents from alerts triggered by this analytics rule parameter, previously applied only when deploying via Jobs, is now also correctly applied during manual rule deployment from the rule page.
Implemented a set of UI/UX enhancements for the Light Search, Advanced Search, Active Threats, and other Threat Detection Marketplace functionality, including improved hover effects and padding for tags, proper tooltip positioning for tags, improved button UI, updated style for tabs, an excluded Industry filtering option, and more.
Added support for the US1 region for Sumo Logic content deployment, rule updates, and inventory.
Uncoder AI
Uncoder AI Modes
With this release, we’ve introduced three Uncoder AI modes to streamline the detection engineering flow when using our AI co-pilot:
Generate: Create detections from reports, get query logic explanation, visualize attack flows, generate performance-optimized custom IOC queries, and more.
Translate: Translate Sigma rules into dozens of different SIEM, EDR, and Data Lake languages and do cross-platform translations.
Improve: Use AI to validate query syntax and structure, optimize queries in more than 50 languages, and group query results by AI-selected fields using a newly added Results Aggregation feature.
These modes are displayed as three separate tabs, and the specific mode can be chosen from the Select the Mode pop-up. This pop-up acts as the Uncoder AI homepage. It is displayed at the start of the first user session, and users can opt out of seeing it again by selecting the corresponding checkbox.
Note: Uncoder AI users can seamlessly change the previously selected mode later.
Switching Uncoder AI from GPT to Llama LLM
Uncoder AI, customized for detection engineering and threat intelligence processing, now uses Llama 3.3, which has replaced the GPT-4o LLM. This transition is intended to streamline function handling during content translation.
Debug Console Updates
With this release, we’ve expanded the list of actions processed via the Debug Console in Uncoder AI. Beyond translation handling, the Debug Console is now also available for actions like content generation and validation, with results rendered from markdown directly in the console panel.
As a result of these updates, the Debug Console is now displayed not only for the Uncoder AI translation panel but also within the markdown rendering panel, the Attack Flow panel, and the AI-generated Validation panel.
OpenTIDE Support Updates
In the previous SOC Prime Platform release, we added OpenTIDE support and enabled security professionals to translate Sigma rules to the OpenTIDE MDR format using Uncoder AI. As part of the current OpenTIDE translation enhancements, we’ve implemented the following:
Added the ability to save a rule in the MDR format as a YML file rather than the TXT format.
When processing TVM, CDM, or MDR translations via Uncoder AI, they are now output in the same OpenTIDE format as the original source.
Results Aggregation (Beta)
With this release, we’ve enhanced the Uncoder AI Tools functionality with Results Aggregation (currently available in beta). The newly added feature enables grouping query results by AI-selected fields to facilitate further analysis if the query returns a lot of results. The results are produced as markdown. This AI Tool is currently supported for the following content types:
IBM QRadar Query (only hostname)
Anomali Query
Athena Query
Elastic (EQL) Query
Falcon LogScale Query
Microsoft Defender for Endpoint Query
Microsoft Sentinel Query
Splunk Query
Sumo Logic Query
To apply this tool for a chosen rule, select the Improve tab from available Uncoder AI modes, then select Results Aggregation, and click the Improve button in the upper right-hand corner.
UX Improvements
With this latest SOC Prime Platform release, we’ve added the following improvements to the Uncoder AI functionality for a better user experience:
Updated the order of the fields in the IOC Sigma rule template for an improved structure and readability.
Removed the ZIP format from the domain list when detecting IOCs for translation.
Removed markdown quotes and extra characters when generating rules or queries from a Threat Report.
Refreshed the UI components by applying updated styling.
Added support for Cyrillic characters for Predict ATT&CK Tags in the Sigma rule code.
Key Bug Fixes & Improvements
When autogenerated detection content is saved in Active Threats, the Sigma rule body now automatically populates the Reference field with the link to the original article that served as the source for the rule.
Resolved the ndjson formatting issue that sometimes occurred during saving Elastic Stack content translations (Lucene, EQL, ES|QL) from the Code tab on the content item page and Uncoder AI.
Fixed the issue that sometimes prevented users from closing the Cookies window overlay in incognito mode within the SOC Prime Blog.
Resolved the issue when the Intelligence tab could occasionally remain open if a rule was accessed from the search bar within Uncoder AI. This fix ensures the tab now closes properly in all navigation scenarios.
Fixed the issue that sometimes resulted in Custom Field Mapping not being applied by default on the content item page.
Implemented UI improvements for the Custom Field Mapping fullscreen pop-ups.
Introduced UI improvements for the Platform Settings pages.
Resolved a number of issues within Jobs:
Fixed the issue where the content List name overlapped with the Schedule value on the Jobs page.
Fixed the issue affecting proper Google SecOps rules search by name by ensuring proper synchronization during rules pulling from the SIEM.
Fixed the issue sometimes resulting in Custom Field Mapping not being applied automatically during content deployment via Jobs.
Enhanced the check connection process in Jobs for improved content deployments to Google SecOps.
Fixed the content deployment issue when not all content items within a specific Content List were deployed via Job.
Introduced a set of improvements for the Inventory:
Resolved the issue that occasionally prevented detection content from being properly updated in Custom Repositories after Inventory.
Fixed the issue that sometimes resulted in the “string indices must be integers” error during Update Content from Inventory.
Resolved the issue that sometimes resulted in Google SecOps rules not being properly deleted from the SIEM and from the Inventory.
Resolved the issue with Azure DevOps integration via Inventory that restricted proper synchronization to all available Microsoft Sentinel content types.
Introduced improvements to the generation of CrowdStrike query URLs during the Hunt process.
Resolved the issue that occasionally led to the unintended removal of single quotation marks (') in the detection rule body during Predict ATT&CK Tags in Uncoder AI.
Fixed a minor UI issue that sometimes occurred during Data Plane selector scrolling within Hunt.
Fixed the issue that occasionally occurred in Uncoder AI and led to the Generate button being inactive for IOC Packs.
Resolved the issue with Push to Confluence functionality for use case documentation in Uncoder AI that occasionally led to Confluence pages not being properly generated. Now, integration with Confluence works as intended.
Improved the error handling for content deployment to Confluence via Uncoder AI. Now, if the content already exists, a clear duplication error message is displayed. Otherwise, users receive a success message confirming the deployment.
Resolved issues that, in some cases, led to a runtime error when starting a Job.
Made UI improvements to the Log Source Coverage, Hunt, and Rule pages by removing legacy interface elements in the CI/CD dropdown menu scrollbar.
Fixed a minor UI issue on several Platform pages where the Help Center menu was incorrectly rendered beneath the header menu. The Help Center menu now correctly appears above the header.
Resolved the issue where empty space was displayed in the tooltip on the History page.
Fixed the issue where items on MITRE ATT&CK Coverage and Log Source Coverage pages were overlapped by the Search Profile name, ensuring proper layout and visibility of all elements.
Fixed layout issues in the Supercharge mode, where a tag suggester drop-down menu was misaligned and appeared at the top of the page when saving the rule. The suggester now appears correctly near the active input field.
Double-checked rules and fixed tags in the Roota repository to ensure continuous content quality improvement.
Improved error handling for reverse translations.
Fixed the content count issue on the Lists page that resulted in a long-term delay displaying the number of content items in a newly created List. After implementing the fix, the SOC Prime Platform user can now see the up-to-date number of content items in the corresponding List right after its creation.
Fixed the bad request issue (“The request was not formatted correctly or is missing required parameters”) when, in some cases, pushing content to a Repository.
Fixed the issue that triggered a 500 error when, in some cases, deploying content to Sumo Logic from the content item page.
Fixed the search issue that occurred in some cases across several SOC Prime Platform pages with a search request containing brackets ().
Fixed the issue where the displayed rule count differed when sorting the Search page results by Name and by Recommended.
Resolved a minor UI issue within the content item page to prevent tooltips from hovering over the Refer a Friend button in the header.
Resolved the issue leading to the incorrect rule count value being displayed on Global Content Lists.
Active Threats UI improvements:
Resolved the issue where the titles of the accordion UI components displaying a specific news item on the Active Threats page were, in some cases, cropped.
Fixed the issue with an icon within the IOC Queries button that, in some cases, didn’t change its color when in a hover or active state.
