SOC Prime Platform Product Release Notes 6.0.1

Written by Eugene

September 19, 2025

© 2025 SOC Prime Inc.

All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

Active Threats

With the 6.0.1 Platform release, we have introduced a new Active Threats Add-On, enabling proactive defense against zero-day and fast-moving threats by learning about them and getting relevant detections within minutes of intelligence publication. By purchasing this add-on, enterprise customers can get access to all advanced AI-powered capabilities of Active Threats, including:

  • AI Summary. Access a comprehensive AI-generated summary with full CTI to understand threat context in minutes, not hours.

  • Attack Flow. Visualize the Attack Flow in diagram and matrix view to prioritize threat detection efforts.

  • Behavior Rules. Get up to 500 expert-curated behavior rules to detect the most pressing threats.

  • IOC Queries. Hunt with queries to quickly check for IOCs.

  • AI Rules. Use any AI-generated content to immediately address TTPs across the incidents and attacks covered in Active Threats.

  • Simulations: Test and validate the detections to ensure they don't miss the signal.

Customers interested in purchasing the Active Threats Add-On can get more information by clicking the Contact Us button in the Add-On section of the Pricing page.

Coralogix Support

In the SOC Prime Platform release 5.16.3, we added support for the Coralogix Query format. With this latest SOC Prime Platform release, we’ve extended the Coralogix integration with one more content type, Coralogix Alert (coralogix-lucene-rule).

The newly supported Coralogix Alert content type is now available for the following SOC Prime Platform functionality:

  • In Threat Detection Marketplace

    • In Expert Filters > Platform

    • On the Code tab on the content item page

    • On the Inventory and Jobs pages

  • In Uncoder AI: Can be selected as a target language format for content translations

In addition, detection content in the Coralogix Alert format can be stored in custom repositories within the TDM.

Data Plane Configuration

To set up content deployments for Coralogix Alerts, SOC Prime users need to configure the integration on the Data Plane page:

  1. Click Add Data Plane.

  2. In the Profile Details section, fill out the profile name and select Coralogix from the Platform options.

  3. In the Configuration section, fill out the three required fields:

    • Select a region from the Region drop-down (values such as EU1).

    • Enter the API Key ID and API Key.

  4. Optionally, select the Custom Field Mapping(s) you would like to assign to this Data Plane.

  5. Click Apply to complete the integration settings.

Content Deployment

Detection content in the Coralogix Alert format can now be deployed manually or automatically via Jobs. To support Jobs functionality, we’ve changed the SIEM type to alert.

For manual content deployments directly to the customer’s Coralogix instance, we’ve updated the Check Connection process, ensuring a smoother and more reliable deployment experience.

Custom Field Mapping & Presets Support

We’ve also added support for the Custom Field Mapping and Presets for the Coralogix Alert content type. On the content item page, SOC Prime users can now select the Custom Field Mapping and Preset profiles from the corresponding drop-downs for further content customization.

Company Website Updates

As part of the latest release, we’ve implemented a set of improvements to the SOC Prime website, more specifically:

  • Updated the "Enable Bear Fence for Your MDE" title in the website header and footer for better consistency

  • Introduced improvements to ensure consistency across blog articles' translation URLs

Events Page Updates

To reflect the latest updates on SOC Prime webinars, we have added the following changes to the Events page:

  • Moved the "Real-time Data Control for Modern SOC: Insights from SOC Prime & Onum" event to the archive

  • Updated the "Real-time Data Control for Modern SOC: Insights from SOC Prime & Onum" registration page with a link to the webinar recording

Content Quality Improvements

FortiSIEM Rule Updates

With this latest Platform release, we’ve updated the render to generate the rules in a new XML rule format, improving the content translation experience for FortiSIEM users. We’ve also added the Download button to the content item page on the Rule tab to ensure FortiSIEM customers can smoothly download the detection code in the corresponding XML file format when needed.

Microsoft Sentinel Rule (YAML) Updates

With this release, we’ve enhanced the Microsoft Sentinel content translation quality to ensure consistent behavior between original and alternative YAML rules. Previously, certain AWS CloudTrail rules incorrectly referenced the union function in the original configuration instead of the AWSCloudTrail table. With this update, the original YAML configuration now correctly references AWSCloudTrail, while alternative translations (e.g., MDATP) may still use the union function where valid.

Elastic Translation Updates

As part of content quality enhancements, we’ve also improved translation capabilities between Elastic and other platforms, including such language formats as Elastic TOML, Elastic Rules, and Elastic Queries.

Splunk Translation Improvements

With this release, we’ve also added a new data model to support the Splunk parser and improve Splunk translations via Uncoder AI.

Threat Detection Marketplace

Bulk Unlock for Premium Rules in Dynamic Lists

This release introduces a faster way to manage Premium Rules by enabling bulk unlocking for a selected List. To unlock Premium Rules in bulk for a chosen list using the team’s current balance, follow the steps below:

  1. Navigate to the Lists section and select the desired content list.

  2. Press the Unlock All Premium Rules button on the right-hand side panel.

  3. Review all rules to be unlocked in the confirmation pop-up and press Unlock.

Note: Premium rules unlocking in bulk is available only to users with the Unlock Content permission enabled in Content Management settings.

Rule Availability Counter in Dynamic Lists

This release introduces a UI enhancement to the Lists page, designed to give teams better insight into available and locked content items. The navigation menu now displays a Total Rule Count for the selected list, shown as Available / Total. This allows users to review how many rules the team can access compared to the full number of rules in the list.

A corresponding tooltip provides additional detail, including:

  • Number of rules available to the team (free & unlocked)

  • Total number of rules in the content list

  • Number of Premium Rules not yet unlocked

Note: After unlocking rules in bulk, the count may take a short time to update.

Auto-Unlock Premium Rules for Dynamic Global Lists

This release adds a new parameter that allows users to automatically unlock Premium Rules in Dynamic Global Lists when deploying content through Jobs. When copying a Dynamic Global List, you can now enable the corresponding checkbox to automatically unlock Premium Sigma Rules using your team’s balance when Jobs deploy content. This ensures that the copied list retains full auto-unlock functionality, reducing manual steps.

Improved Visibility for Deployed Custom Content

This release introduces updates to the Deployed metrics functionality on the Log Source Coverage and MITRE ATT&CK Coverage pages to improve visibility for deployed custom content. When the organization has custom content, the first figure in the Deployed column refers to Platform content, and the second one refers to custom content. Other metrics, such as Explored, Unexplored, and Downloaded via API, currently refer only to the Platform content.

Exported CSV files now reflect these distinctions, and exported JSON for ATT&CK Navigator includes the total count of deployed content.

Note: Some custom content may be unavailable to the user (and not shown in Search after drilling down) if it resides in a non-shared repository created by a teammate within the same organization.

Other Improvements

With the 6.0.1 Platform release, we have introduced a set of improvements to the Threat Detection Marketplace functionality to ensure a smoother and more consistent experience for SOC Prime Platform users:

  • Implemented a series of UI/UX improvements to ensure consistency across styles and interface components, including fixes to table row heights, switcher alignment, clickable elements behavior, disabled input styles, and other visual elements.

  • Made improvements to the Hunt functionality within Light Search. When a user performs a hunt with a selected rule and a default Custom Field Mapping is enabled for the chosen Data Plane, the Default option is now automatically selected in the Custom Field Mapping selector. If no Custom Field Mapping is enabled for the chosen Data Plane, the selector defaults to None.

Uncoder AI

Chat Bot Improvements

In the previous SOC Prime Platform release, we introduced the new AI Chat Bot mode, a dialog-based, user-friendly interface that lets users interact with Uncoder AI in plain language and perform detection engineering tasks end-to-end. With this release, we’ve made the corresponding improvements to this functionality, specifically related to the user prompts:

  • Improved the error handling for user requests that return no results.

  • For improved performance, the Uncoder AI Chat Bot editor is now cleared and the Active Threats rendering panel (if open) is closed as soon as the user clicks the Plus icon to create a new chat.

Also, for a better user experience using Uncoder AI Chat Bot, we’ve implemented the following updates:

  • Improved autoscrolling

  • Enhanced the user experience with the Uncoder AI Chat Bot by displaying the execution steps in progress while a user request is being performed

  • Updated styles for the Apply and Copy buttons in the code blocks to prevent overlap with the text, ensuring a cleaner and more accessible layout

  • Updated the placeholder text in the field for entering the user request to the following: “Type a prompt to the AI or select a task. Paste any detection code or threat report in the editor on the right.”

In addition, with the latest SOC Prime Platform release, we’ve improved the stability and performance of the Uncoder AI Chat Bot by optimizing tasks and refining the logging functionality.

Filter Option for Microsoft Sentinel YAML Rule Translations

As part of the latest Uncoder AI updates, we’ve added the Filter drop-down to the content customization settings on the Translate tab of the Classic Uncoder AI mode when selecting Microsoft Sentinel Rule (YML) as a target language format for content translations.

Key Bug Fixes & Improvements

  • Resolved the log.event error that, in some cases, occurs when collecting events in the CCM App for Splunk.

  • Resolved a deployment issue caused by the 'NoneType' object has no attribute 'get' error that, in some cases, occurred during manual sumologic or sumologic-cse-rule updates in Inventory.

  • Fixed the 400 INVALID_ARGUMENT error that, in some cases, was received when deploying Google SecOps Rules with an invalid region.

  • Improved custom content support in Dynamic Lists to resolve an issue, in some cases, leading to failed custom content deployment via Jobs.

  • Improved the Attack Flow interface to ensure that long text without spaces now wraps correctly and no longer overflows its container.

  • Resolved an issue on the Inventory page where, in some cases, an internal error occurred after successful content deletion.

  • Resolved an issue on the Log Source and MITRE ATT&CK Coverage pages where, in some cases, a service error occurred instead of the analytics data being displayed.

  • Related to Uncoder AI:

    • Fixed an issue where, in some cases, the Generate button in Uncoder AI was unavailable for platforms that lack a parser.

    • Addressed an issue where, in some cases, Attack Flow could not display in full-screen mode.

    • Resolved an issue where, in some cases, Short/Full Summary generation for existing rules in Uncoder AI produced blank results.

    • Resolved an issue that, in some cases, caused the 422 error during the detection content deployment from Uncoder AI.

  • Related to Active Threats:

    • Updated the Active Threats workflow so that when the Detections (IOC/AI Rule) tab in Active Threats is empty and users opt for generating in Uncoder AI, it now opens the New mode instead of the Classic mode.