
SOC Prime Platform Product Release Notes 5.16.4

Written by Sergey Bayrachny
Updated over 3 weeks ago

July 30, 2025

© 2025 SOC Prime Inc.

All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

Attack Flow


With the latest 5.16.4 Platform release, we introduced support for Attack Flow v3.0.0, powered by a RAG LLM model that uses the latest MITRE ATT&CK framework v17.1. We have also significantly extended the Attack Flow functionality with a set of new features for a smoother user experience:

  • New visualizations, including custom ATT&CK matrices

  • Light Mode, Dark Mode, and new “Blog Mode” for clean presentations

  • Smarter copy/paste and object manipulation

  • Expanded example flows and schema enhancements

  • Open-source training resources and use cases

Users can generate Attack Flow v3.0.0 diagrams from raw threat reports via Uncoder AI:

  • Go to the Generate mode in Uncoder AI

  • Select Threat Report/IOCs as the input type

  • Paste or upload the threat report and select Attack Flow as the output

Cyber defenders can also explore the context of news items listed in the Active Threats feed. To review the Attack Flow for a chosen Active Threats news item:

  • Click on the title of the selected item to expand its details.

  • Navigate to the Attack Flow tab on the left side of the update pop-up.

  • The Attack Flow diagram is interactive and supports the following actions:

    • Drag blocks while preserving the initial connection

    • Change scale

    • Open the visualization in full screen

    • Return to the starting point

    • Export Attack Flow as MMD or JSON

With the 5.16.4 release, we have added Matrix View support in Active Threats, alongside the standard Attack Flow diagram.
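As an added example (not code from SOC Prime or from the Attack Flow project), the script below walks an Attack Flow JSON export and renders it as the Mermaid (MMD) flowchart that the page lists as the other export format. It assumes the MITRE CTID Attack Flow STIX 2.1 object model (an attack-flow object with start_refs, and actions chained through effect_refs); the bundle is constructed inline and deliberately contains a back-edge to show why the walk needs a visited set.

```python
"""Walk an Attack Flow STIX 2.1 bundle and render it as a Mermaid flowchart.

Added illustration, not SOC Prime code. The bundle is constructed by hand after
the MITRE CTID Attack Flow object model (an attack-flow object with start_refs;
attack-action / attack-condition / attack-operator objects chained through
effect_refs, on_true_refs and on_false_refs). Fields a real export also carries
(spec_version, created, extensions, technique_ref) are left out.
"""
import json
import re
from collections import deque

NEXT_REF_KEYS = ("effect_refs", "on_true_refs", "on_false_refs")


def sid(stix_type, n):
    """Constructed, deterministic STIX id (real exports use random UUIDv4)."""
    return f"{stix_type}--00000000-0000-4000-8000-{n:012d}"


A = "attack-action"
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": sid("bundle", 0), "objects": [
    {"type": "attack-flow", "id": sid("attack-flow", 10),
     "name": "Constructed phishing flow", "start_refs": [sid(A, 1)]},
    {"type": A, "id": sid(A, 1), "name": "Spearphishing Attachment",
     "technique_id": "T1566.001", "effect_refs": [sid(A, 2)]},
    {"type": A, "id": sid(A, 2), "name": "Malicious File",
     "technique_id": "T1204.002", "effect_refs": [sid(A, 3), sid(A, 4)]},
    {"type": A, "id": sid(A, 3), "name": "PowerShell",
     "technique_id": "T1059.001", "effect_refs": []},
    # Deliberate back-edge (persistence -> execution) to exercise the cycle guard.
    {"type": A, "id": sid(A, 4), "name": "Registry Run Keys",
     "technique_id": "T1547.001", "effect_refs": [sid(A, 2)]},
]})


def load_bundle(bundle_json):
    """Return (the single attack-flow object, {id: object})."""
    objects = json.loads(bundle_json)["objects"]
    flows = [o for o in objects if o["type"] == "attack-flow"]
    if len(flows) != 1:
        raise ValueError("expected exactly one attack-flow object")
    return flows[0], {o["id"]: o for o in objects}


def walk_edges(bundle_json):
    """Breadth-first walk from start_refs.

    Returns (edges in visit order, visited ids, dangling ids). The seen-set
    keeps the walk finite on a back-edge; a ref that points at no object in
    the bundle is reported rather than followed.
    """
    flow, by_id = load_bundle(bundle_json)
    edges, visited, dangling, seen = [], [], [], set()
    queue = deque(flow.get("start_refs", []))
    while queue:
        src = queue.popleft()
        if src in seen:
            continue
        seen.add(src)
        if src not in by_id:
            dangling.append(src)
            continue
        visited.append(src)
        for key in NEXT_REF_KEYS:
            for dst in by_id[src].get(key, []):
                edges.append((src, dst))
                if dst not in seen:
                    queue.append(dst)
    return edges, visited, dangling


def technique_ids(bundle_json):
    """Sorted ATT&CK ids of reachable actions: the cells a matrix view lights up."""
    _, by_id = load_bundle(bundle_json)
    _, visited, _ = walk_edges(bundle_json)
    return sorted({by_id[n]["technique_id"] for n in visited if by_id[n].get("technique_id")})


def node_key(stix_id):
    # Mermaid node ids must be bare identifiers; STIX ids carry '--' and '-'.
    return "n_" + re.sub(r"[^0-9A-Za-z]", "_", stix_id.split("--", 1)[1])


def node_label(obj):
    text = obj.get("name", obj["type"])
    if obj["type"] == "attack-action" and obj.get("technique_id"):
        text = f"{obj['technique_id']}: {text}"
    return text.replace('"', "#quot;")  # Mermaid entity code for a literal quote


def to_mermaid(bundle_json):
    """Render the reachable part of the flow as a Mermaid 'flowchart TD'."""
    _, by_id = load_bundle(bundle_json)
    edges, visited, _ = walk_edges(bundle_json)
    lines = ["flowchart TD"]
    lines += [f'    {node_key(n)}["{node_label(by_id[n])}"]' for n in visited]
    lines += [f"    {node_key(s)} --> {node_key(d)}" for s, d in edges]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_mermaid(SAMPLE_BUNDLE))
    print("techniques:", technique_ids(SAMPLE_BUNDLE))
```

The dangling list returned by walk_edges() is worth checking before rendering a real export: an edge to an id that is not in the bundle would otherwise be drawn to an unlabeled node, and the technique_ids() result is exactly the set of cells a matrix view would highlight.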

Cribl Support


With this latest release, we’ve added support for the Cribl platform, which is currently available for Threat Detection Marketplace and Uncoder AI functionality. The Cribl Search Query (KQL) format can now be selected:

  • As a preferred platform during the Platform Onboarding process

  • In Expert Filters > Platform and on the Code tab on the content item page

  • As a target language format for content translation in Uncoder AI

Detection content in the Cribl Search Query format can be stored in a custom repository, and Custom Field Mapping is supported for it to enable content customization.

Preset and Config for Microsoft Sentinel YAML Rule Support


With the SOC Prime Platform release 5.16.4, we’ve added support for the Microsoft Sentinel YAML Rule format. This latest Platform release also adds entity mappings to the alternative translations in the Microsoft Defender for Endpoint (MDATP) format for Microsoft Sentinel content. In addition, we’ve added the Presets and Config functionality to enable content deployment customization capabilities for the Microsoft Sentinel YAML Rule.

Presets for Microsoft Sentinel YAML Rules

We’ve added Presets for the Microsoft Sentinel YAML Rule format so that users can customize the parameters of content deployed to their organization's SIEM instance, streamline content management, and reduce the risk of manual deployment errors. Presets for this content format can now be configured on the Presets page and selected:

  • On the Create Job pop-up

  • On the content item page, prior to individual content item deployment

  • In Uncoder AI (available for both the default data schema and MDE)

Note: The Suppression Duration and Suppression Enabled parameters do not apply to Presets for the Microsoft Sentinel YAML Rule format.

Config for Microsoft Sentinel YAML Rules

SOC Prime users with an alternative data schema can now select their schema type in the Config drop-down on the content item page for the Microsoft Sentinel YAML Rule format, and instantly get the translation tailored to their environment.

Note: Currently, MDATP is the only option in the Config drop-down list for the Microsoft Sentinel YAML Rule format.
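The following is an added example, not the SOC Prime Presets implementation, of what applying a preset to a Microsoft Sentinel YAML rule involves and which checks are worth running before the result is deployed. The rule is a constructed sample in the Sentinel scheduled-rule YAML layout (the keys the public Azure-Sentinel repository uses), written as the dict that yaml.safe_load() would return so the script runs without PyYAML. The PRESET_KEYS set, the preset contents, and every validation rule other than Sentinel's own requirement that queryPeriod be at least queryFrequency are assumptions.

```python
"""Apply a deployment preset to a Microsoft Sentinel scheduled analytics rule
and sanity-check the result before it is deployed.

Added illustration, not the SOC Prime Presets implementation. SAMPLE_RULE is a
constructed rule in the Microsoft Sentinel YAML rule layout, shown as the dict
yaml.safe_load() would produce so the example runs without PyYAML. The set of
preset-tunable keys and the preset itself are assumptions.
"""
import copy
import re

SAMPLE_RULE = {
    "id": "4d2a9b3e-1c6f-4a57-9e08-5f1c2b7d8e90",
    "name": "Constructed: PowerShell launched with an encoded command",
    "description": "Constructed sample rule for illustration only.",
    "severity": "Medium",
    "requiredDataConnectors": [{"connectorId": "SecurityEvents", "dataTypes": ["SecurityEvent"]}],
    "queryFrequency": "1h",
    "queryPeriod": "1h",
    "triggerOperator": "gt",
    "triggerThreshold": 0,
    "tactics": ["Execution"],
    "relevantTechniques": ["T1059.001"],
    "query": "SecurityEvent\n"
             '| where Process has "powershell.exe" and CommandLine has "-enc"\n'
             "| project TimeGenerated, Computer, Account, CommandLine",
    "entityMappings": [
        {"entityType": "Host", "fieldMappings": [{"identifier": "HostName", "columnName": "Computer"}]},
        {"entityType": "Account", "fieldMappings": [{"identifier": "Name", "columnName": "Account"}]},
    ],
    "version": "1.0.0",
    "kind": "Scheduled",
}

# Keys a preset may override (assumption: the deployment-tuning parameters of a
# scheduled rule). Suppression settings are deliberately absent: they do not
# apply to the YAML rule format, so a preset that carries them has them ignored.
PRESET_KEYS = {"severity", "queryFrequency", "queryPeriod", "triggerOperator",
               "triggerThreshold", "enabled"}
SEVERITIES = {"Informational", "Low", "Medium", "High"}

# Constructed preset: tighten the schedule, stage the rule disabled, and carry
# suppression keys that must be dropped for this format.
PRESET_PROD = {"severity": "High", "queryFrequency": "15m", "queryPeriod": "30m",
               "enabled": False, "suppressionEnabled": True, "suppressionDuration": "PT5H"}


def apply_preset(rule, preset):
    """Return (new rule, ignored preset keys); the input rule is left untouched."""
    out = copy.deepcopy(rule)
    ignored = []
    for key, value in preset.items():
        if key in PRESET_KEYS:
            out[key] = value
        else:
            ignored.append(key)
    return out, sorted(ignored)


def span_minutes(span):
    """Parse the '15m' / '1h' / '1d' time spans used in Sentinel YAML rules."""
    m = re.fullmatch(r"(\d+)([mhd])", span)
    if not m:
        raise ValueError(f"unsupported time span: {span!r}")
    return int(m.group(1)) * {"m": 1, "h": 60, "d": 1440}[m.group(2)]


def validate_rule(rule):
    """Return a list of problems; an empty list means the rule is deployable."""
    problems = []
    for key in ("id", "name", "severity", "query", "queryFrequency", "queryPeriod", "kind"):
        if key not in rule:
            problems.append(f"missing required key {key}")
    if problems:
        return problems
    if rule["severity"] not in SEVERITIES:
        problems.append(f"unknown severity {rule['severity']!r}")
    # Sentinel rejects a look-back window shorter than the run interval.
    if span_minutes(rule["queryPeriod"]) < span_minutes(rule["queryFrequency"]):
        problems.append("queryPeriod is shorter than queryFrequency")
    # A mapped column the query never produces yields alerts with empty
    # entities, so the investigation graph for the incident stays blank.
    for mapping in rule.get("entityMappings", []):
        for fm in mapping.get("fieldMappings", []):
            col = fm["columnName"]
            if not re.search(rf"\b{re.escape(col)}\b", rule["query"]):
                problems.append(f"entity column {col!r} not referenced in query")
    return problems


if __name__ == "__main__":
    tuned, skipped = apply_preset(SAMPLE_RULE, PRESET_PROD)
    print("ignored preset keys:", skipped)
    print("problems:", validate_rule(tuned))
```

The entity-column check is the one to keep when adapting this to an alternative data schema such as MDATP: once the query's table and columns are renamed for Microsoft Defender for Endpoint, every entityMappings columnName must be renamed with it, or the rule deploys cleanly and then raises alerts without entities.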

Content Quality Improvements


We are constantly working on enhancing the quality of detection content translations. With the SOC Prime Platform release 5.16.4, we’ve introduced a set of improvements for various supported platforms:

  • Improved the escaping of double quotes in the SentinelOne language format to ensure translation quality and prevent parsing errors.

  • Fixed an issue where a KQL query generated from IOCs was not correctly translated to the Splunk format.

  • Resolved an issue where certain SentinelOne and Tanium content items incorrectly permitted comments to be added within translated sections of the detection code.
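Custom Field Mapping (see the Cribl section above) and the double-quote escaping fix come down to the same translation step: rewriting field names through a profile and emitting string literals that the target query parser accepts. The script below is an added example, not Uncoder AI's translator; it renders a constructed Sigma-style detection into a Kusto-style where clause of the kind Cribl Search and Microsoft Sentinel accept, through a constructed field-mapping profile whose dotted destination names are an assumption about the target schema. Only the Sigma subset shown (selections joined by "and", optional "not", and the contains/startswith/endswith modifiers) is handled.

```python
"""Render a Sigma-style detection as a Kusto-style 'where' predicate, applying a
custom field-mapping profile and escaping string literals.

Added illustration, not Uncoder AI's translator. DETECTION and FIELD_MAP are
constructed for the example; the dotted destination field names are an
assumption about the target schema.
"""
import re

# Constructed Sigma-style 'detection' block. Two values carry the characters
# that break a double-quoted literal: a backslash and an embedded quote.
DETECTION = {
    "selection": {
        "Image|endswith": "\\powershell.exe",
        "CommandLine|contains": ["-enc", 'Invoke-Expression "', "FromBase64String"],
    },
    "filter": {"ParentImage|endswith": "\\explorer.exe"},
    "condition": "selection and not filter",
}

# Constructed custom field-mapping profile: Sigma field -> destination field.
FIELD_MAP = {
    "Image": "process.name",
    "CommandLine": "process.command_line",
    "ParentImage": "process.parent.name",
}

MODIFIERS = {"contains": "contains", "startswith": "startswith", "endswith": "endswith"}


def kql_literal(value):
    """Quote a value as a Kusto double-quoted string.

    Backslash and double quote are the two characters that break a "..."
    literal; the backslash is escaped first so the quote's own escape is not
    doubled afterwards.
    """
    s = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{s}"'


def kql_field(name, field_map):
    """Map a Sigma field through the profile; names that are not plain
    identifiers (dots, dashes, spaces) are bracket-quoted so Kusto parses them."""
    target = field_map.get(name, name)
    if re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", target):
        return target
    return "['" + target.replace("\\", "\\\\").replace("'", "\\'") + "']"


def render_selection(selection, field_map):
    """Sigma selection map -> conjunction of per-field predicates."""
    parts = []
    for key, value in selection.items():
        field, _, modifier = key.partition("|")
        if modifier and modifier not in MODIFIERS:
            raise ValueError(f"unsupported Sigma modifier {modifier!r}")
        # Sigma matches case-insensitively. Kusto's contains/startswith/endswith
        # already do; '==' does not, so plain equality is rendered as '=~'.
        op = MODIFIERS.get(modifier, "=~")
        values = value if isinstance(value, list) else [value]
        clauses = [f"{kql_field(field, field_map)} {op} {kql_literal(v)}" for v in values]
        parts.append(clauses[0] if len(clauses) == 1 else "(" + " or ".join(clauses) + ")")
    return " and ".join(parts)


def render_where(detection, field_map):
    """Translate 'condition' (terms joined by 'and', each optionally negated)."""
    terms = []
    for term in detection["condition"].split(" and "):
        negated = term.startswith("not ")
        name = term[4:] if negated else term
        body = "(" + render_selection(detection[name], field_map) + ")"
        terms.append("not " + body if negated else body)
    return "where " + " and ".join(terms)


def unmapped_fields(detection, field_map):
    """Sigma fields the profile does not cover. They fall through unchanged,
    which in the destination SIEM is usually a silent false negative."""
    fields = {k.partition("|")[0] for name, sel in detection.items()
              if name != "condition" for k in sel}
    return sorted(fields - set(field_map))


if __name__ == "__main__":
    print(render_where(DETECTION, FIELD_MAP))
    print("unmapped:", unmapped_fields(DETECTION, FIELD_MAP))
```

Running unmapped_fields() against a profile before bulk-translating a repository is the cheap check: a field the profile does not know is rendered with its Sigma name, the query still parses, and the rule quietly matches nothing.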

Company Website Updates


Main Page Update

As part of the latest release, we’ve updated the UI of the main company page at https://socprime.com/ by adding a block to the first screen describing key SOC Prime Platform use cases. New users can now instantly sign up for SOC Prime Platform for free via the corresponding button from this block.

Events Page Update

To reflect the latest updates on SOC Prime webinars, we have added the following changes to the Events page:

  • Added the latest webinar, “Real-time Data Control for Modern SOC: Insights from SOC Prime & Onum”, which leads to the corresponding registration page

  • Moved the “Practical Use Cases: Mastering Detection Engineering With AI” event to the archive

  • Updated the “Practical Use Cases: Mastering Detection Engineering With AI” registration page with a link to the webinar recording

Threat Detection Marketplace


Job Improvements

With this latest SOC Prime Platform release, we’ve improved the handling of the runtime error that occurs when an Azure DevOps deployment fails because the personal access token has expired and the system returns Access Denied. In that case, the SOC Prime user is now prompted to update their integration credentials.

Advanced Search

With the SOC Prime Platform 5.16.4 release, we have introduced a set of improvements to the Search functionality within Threat Detection Marketplace to improve accessibility and deliver faster, more relevant results for a smooth user experience.

Advanced Search Options Access for Free Subscription Tier

We have made the advanced search functionality available to Free subscription tier users. They can now perform searches in Standard or Lucene mode to find relevant CTI-enriched detection content in Threat Detection Marketplace.

Onboarding: Platform Selection Changes

As part of the advanced search availability updates, we’ve also made changes to the onboarding process. The Onboarding pop-up must now be completed by all SOC Prime users who have signed up for the Platform. The updated onboarding procedure includes only two required steps, which help us tailor the user’s Platform experience to their cybersecurity role and the toolkit in use:

  • The platform selection

    Note: Security professionals can select up to three platforms in use (similar to the logic in Account Settings)

  • The role selection (cybersecurity position)

Rule Page Update

For better consistency, the tab names on the content item page have been updated as follows:

  • Intelligence → AI Threat Intelligence

  • Code → Detection Code

The AI Threat Intelligence tab has certain limitations depending on the user’s subscription tier. Specifically, Platform users with an Enterprise or Solo subscription can instantly access all AI Threat Intelligence blocks. For the Free subscription tier, the following blocks are inaccessible:

  • Timeline

  • Audit Configuration

  • False Positives

  • Triage Recommendations

  • Relation Graph

  • Short Summary

  • Full Summary

  • Decision Tree

  • Binary

  • Tags

When Free-tier users try to access this functionality, a pop-up informs them that their current plan does not include the selected feature and recommends upgrading.

The Detection Code tab is also now accessible to Free-tier users with certain limitations: they can view code for community detection rules only, while Premium content remains restricted.

Additionally, Free-tier users can only see the source platform rule code (Sigma or Roota); translations are not available. However, Free users can leverage Uncoder AI to generate translations for a chosen platform or upgrade their subscription to access pre-generated ones.

Filtering by Industries

With the latest Platform release, we have restored and improved the Industries filter within the Standard Search functionality. Users can now refine their search results more effectively by selecting relevant industry categories, improving discoverability and search precision.

Bulk Translation

With this release, we’ve introduced significant improvements to the bulk translation workflow. Users can retrieve a list of detection rules (for example, via a Standard/Lucene search or from a custom repository), select the desired rules, and translate them in bulk into their chosen format.

  • Navigate to your Custom Repository.

  • Select the desired rules by ticking the checkboxes (✔) next to each item.

  • Click the Translate to button located in the upper menu bar.

  • A Bulk Translation Settings popup will appear. In this modal:

    • Choose the Content Type (from) and Content Type (to) formats.

    • Click the Translate button to execute the bulk translation.

Note: With the latest release, bulk translation functionality is available to all Platform users, regardless of their subscription tier. Bulk translation is available only for Content Types supported by Uncoder AI.

Light Search

To extend the availability of relevant CTI context to a broader cybersecurity community, we have removed limitations on viewing the Techniques and Sub-techniques sections of the MITRE ATT&CK Coverage block within each detection rule item in Light Search results. Now, these sections are visible to all Platform users regardless of their subscription tier.

Other Updates

With the latest Platform release, we have introduced a set of enhancements to the Threat Detection Marketplace functionality to ensure an excellent user experience. The list of the latest updates includes the following:

  • Added support for using Custom Field Mapping for Anomali Security Analytics Queries. Users can open the Custom Field Mapping configuration menu right from a rule's page and configure the required mappings.

  • Enhanced AI Threat Intelligence tab functionality by adding three new sections: Short Summary, Full Summary, and Decision Tree. This extends the availability of real-time CTI and context for the Platform users.

  • Implemented a mechanism that automatically creates a Stripe Customer Portal session immediately after a user logs into the SOC Prime Platform. This integration uses the Stripe Customer Sessions API to generate a session seamlessly, enabling users to manage their subscriptions without needing a separate Stripe login. Users are either redirected automatically to the Customer Portal or presented with the Manage Subscription button that opens the portal.

  • Improved Check Connection support for Google SecOps.

Uncoder AI


Tanium Query Added as a Source Language Format

In the previous SOC Prime Platform release, we added support for Tanium Autonomous Endpoint Management (AEM) Platform with the ability to select Tanium Query as a target language format for content translation. With the latest release, we’ve enhanced the Uncoder AI capabilities with the Tanium Query support as a source language format under the Translate tab.

Content Deployment Improvements

To improve content deployment capabilities via Uncoder AI, we’ve implemented a set of improvements, specifically designed to resolve deployment issues for unsaved detection algorithms.

As part of UX improvements, if content is not saved, the content deployment icon now displays an inactive status and one of the corresponding tooltips:

  • If deployment into the specific platform is not supported yet, users will be notified of it.

  • If deployment for the specific platform is supported, but the content is unsaved, the user will be prompted to save their content before deployment.

UX Improvements

With this latest SOC Prime Platform release, we’ve added a set of UX enhancements to the Uncoder AI functionality:

  • Improved various UI style issues, including selector heights, disabled states, their responsive layout for narrow screens, and updated drop-down placeholders.

  • Added a responsive layout for the entire Uncoder AI solution to improve overall usability and user experience across different screen sizes.

Key Bug Fixes & Improvements


  • Made improvements to the Threat Detection Marketplace API functionality, ensuring that all API endpoint addresses support the slash “/” symbol.

  • Made UI improvement for the Rule page to ensure the Show More button in the Detection Code tab left-hand sidebar is always visible.

  • Fixed the Content Action State filter, which did not display deployed rules and worked incorrectly for every content state (Viewed, Downloaded, Downloaded via API).

  • Introduced a set of UI improvements to the List page, including new hover styles for buttons, new sort arrow styles, improved page paddings, and more.

  • Resolved a navigation issue that appeared when the user clicked Microsoft Sentinel in the Authors block or in the Relation Graph block on the content item page. Before the fix, the user was redirected to the Search page, which showed a “No Matching Content Found” message instead of results.

  • Fixed the Azure DevOps and Microsoft Sentinel issue when, in some cases, content wasn’t deleted from Inventory and Repository after selecting the Delete content from SIEM option.

  • Fixed a Warden issue where the checker did not raise an error when a Sigma rule contained duplicate fields.

  • Fixed a Warden issue that sometimes led to incorrect output when detection content items contained comments.

  • Resolved the issue with manual and automated deployments (via Jobs), which in some cases resulted in a failed content deployment to Google SecOps.

  • Fixed the issue sometimes occurring on the Hunt page when the Data Planes page was opened by selecting the Create New Data Plane option or clicking the Pencil icon to edit the existing Data Plane.

  • In Uncoder AI:

    • Added support for files and emails for IOC query generation

    • Resolved an issue where the warning that translation is unavailable for this content appeared on the Generate and Improve tabs. After the update, this warning appears only on the Translate tab, as expected.

    • Fixed the issue with the IOC Field Mapping drop-down that was incorrectly displayed on the Generate tab > Threat Reports > IOC Query > Settings.

    • Fixed the issue with the incorrect value display on the Token counter if the number of tokens is zero.

    • Fixed the “no data for generating queries” error that was displayed when switching from the Behavior Rule-Query option to the IOC Query option and then clicking Generate.

    • Fixed the Platform auto-detect feature when selecting Detect platform with AI on the Generate tab > Rule/Query option, and then switching to the Translate tab.

    • Resolved the issue when, in some cases, the Roota code opened in the source language panel in Uncoder AI instead of Sigma.

    • Fixed the “Service Connection Error” that displayed in some cases in the Debug Console during reverse translation.

  • Related to Active Threats:

    • Fixed the issue with the tag display when opening the Attack Flow tab in full-screen mode and then returning to the AI Summary tab.

    • Updated the Discord link.

  • Fixed the Sumo Logic content deployment issues, which in some cases, resulted in failed deployments.

  • Resolved the search issue on the Overview page when, in some cases, selecting the CERT Toolkit tab and then clicking the See All button led to a wrong Lucene search query.

  • Fixed the layout issue on the content item page when drilling down from a custom repository.

  • Resolved a minor issue that, in some cases, caused Blog Search requests to be improperly redirected to an unintended URL.

  • Made improvements to certain posts with video content on the SOC Prime website.

  • Related to Custom Field Mapping:

    • Fixed the issue when, in some cases, the Custom Field value in the Mapping Configuration section was truncated after editing the profile.

    • Fixed the Custom Field Mapping issue for Microsoft Sentinel.
