SOC Prime Platform Product Release Notes 6.1.0

Written by Eugene

October 21, 2025

© 2025 SOC Prime Inc.

All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

Publish & Share Detection Content via SOC Prime Platform


With the latest 6.1.0 release, we have introduced a major update to the SOC Prime Platform functionality, enabling every user to publish detection content developed on their own and share it with the broader community, driving collaborative effort.

Every SOC Prime Platform user can now publish detection content in the Community Repository to make it available to others without any restrictions. Additionally, users can easily share a link to the published content item’s page via X, LinkedIn, or direct message, expanding opportunities for knowledge sharing and community engagement.

However, this content is not included in Attack Detective’s default threat scan scenarios and can only be used in custom scenarios. Additionally, detections from the Community Repository are excluded from MITRE ATT&CK® Coverage and Log Source Coverage dashboards.

Note: When publishing rules/queries, please always comply with SOC Prime Platform Terms of Service and respect intellectual property laws, your organisation's restrictions on sharing detection content, and any other applicable rules. The Platform’s Terms of Service have been updated to reflect the new publish and share detection content functionality update.

Publish and Share Content

Once you've written a detection rule/query or generated it with AI, click the Publish button in Uncoder AI.

  • If the rule/query has not been saved:

    • Ensure the content name is provided. It can be parsed from rules, but for queries, you need to define it manually.

    • Ensure the platform has been recognized correctly. If not, select the right platform from the dropdown.

    • Select a custom repository to save the content item to. To be published, a content item has to be saved to a custom repository.

  • If the rule/query has been saved, just click Publish in the pop-up that appears. You can set the Don't show again checkbox to skip this modal during the current session and publish the saved rules/queries in one click.

Once the rule/query has been published, a pop-up appears where you can:

  • Share the link to the published rule/query's page on LinkedIn

  • Share the link to the published rule/query's page on X

  • Copy the link to the published rule/query's page

  • View the published rule/query's page in the Community repository on the Threat Detection Marketplace

You can always share the published rule/query later using the Share button:

  • In Uncoder AI:

  • In Threat Detection Marketplace:

Alternatively, you can publish content:

  • Right at the time of saving it in Uncoder AI. To do it, select Save & Publish after clicking the Save button.

  • Once the content is saved, from its page in Threat Detection Marketplace. To do it, click Publish.

Notes:

  • To enable users with the Free subscription plan to publish rules/queries, we grant each of them one custom repository. To create it, just save your first rule/query in Uncoder AI.

  • If a Sigma rule is published, we automatically translate it to all possible platforms and save translations together with the Sigma rule.

  • If you publish a rule/query that already has translations saved together with it as one group, all translations inside that group are published.

  • Users with an Enterprise-level subscription can publish content saved in their own or shared custom repositories. In this case, the owner of the repository can revoke the published rule/query.

  • If you update the version of the rule/query saved in your custom repository, the updates are automatically propagated to its published version.

  • If you delete the version of the rule/query saved in your custom repository, its published version is NOT deleted. To remove it from the Community repository, revoke it.

Revoke Published Content

To revoke a published rule/query, open it and click the Revoke button:

  • In Uncoder AI:

  • In Threat Detection Marketplace:

Notes:

  • The Revoke button is displayed both on the published rule/query and on its version saved in your custom repository.

  • If you've published a rule/query saved in a shared custom repository that was created by another user from your team, the user who created this custom repository will also be able to revoke the rule/query.

  • If a rule/query is revoked, it is removed from the Community repository and becomes unavailable to anyone. However, its version saved in your custom repository stays intact. You can publish this version again.

View Published Content

All published content is available in the Community repository. To access it, click the Community tab:

  • In the Threat Detection Marketplace's Search:

  • In Uncoder AI's Search:

To only view rules published by you, click the Published by me option in the Authors filter.

Community Content Availability in Lists

With the latest release, users can add content from the Community Repository to Dynamic Content Lists. The Community Repository is now included in the Platform Repos section available when configuring Lists. However, it is not automatically included during Dynamic Content Lists setup and must be added manually by the user if desired.

Additionally, Community Content is fully supported in CI/CD Deployment functionality, enabling seamless integration of community-provided content into automated workflows.

Simulations


With the 6.1.0 Platform release, we have enhanced the AI-powered capabilities of Active Threats functionality with Simulations, enabling security engineers to test and validate detections to ensure they don't miss the signal. This functionality is linked to the corresponding AI rule and is designed to simulate the malicious activity the rule is intended to detect.

AI Rule Details: Validation Tab

As part of the newly released Simulations functionality, we’ve enhanced the AI rules layout with a third tab, Validation, in addition to the Detection Intelligence and Detection Code tabs. The Simulations section on the Validation tab includes the following subsections:

  • Executive Summary: Includes the detection rule logic summary, language format, target security environment, resilience score, and other metadata.

  • Simulation Environment & Context: Highlights TTPs under test, TTP context, relevance, and the target environment details.

  • Telemetry & Baseline Pre-flight Check: Provides telemetry configuration instructions and ingestion & baseline validation.

  • Simulation Execution: Details the precise execution of the adversary TTP designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

Note: If the Validation tab contains no content, it is displayed as inactive.

Active Threats New Tab

Simulations are currently available in the corresponding tab for the Active Threats news feed items. The separate Simulations tab displays all Simulations linked to the corresponding AI rule. It includes the date of the Simulation updates and the related rule title.

By clicking the View button, SOC Prime users will be redirected to the Validation tab on the page of the rule linked to the corresponding Simulation.

Note: If there are no available Simulations, the following message will appear: “We could not create simulations of activities described in this news item.”

Company Website Updates


Homepage Update

With this latest release, we’ve rolled out the new homepage for the SOC Prime website. The latest update introduces a redesigned interface and refined messaging that reflect the company’s strategic shift toward a vendor-agnostic platform for real-time cyber defense, empowering SOC teams with AI-native detection intelligence. Also, to highlight the transformative change, we introduced a refreshed SOC Prime logo.

Content Quality Improvements


ArcSight Parser

As part of content quality improvements, with this latest Platform release, we’ve updated the following to improve the quality of content translations in the ArcSight Query format:

  • Added an ArcSight parser for handling ArcSight Query errors and translating queries across different SIEM platforms, and connected it to the Threat Detection Marketplace and Uncoder AI.

  • Added the ArcSight Query parser to the drop-down with the source language formats on the Translate tab in Uncoder AI.

  • Resolved the ArcSight-to-Roota translation issue which, in certain cases, displayed an unsupported language format error.

FortiSIEM XML Rule Updates

With this release, we’ve also implemented the following improvements to enhance the content translation experience for FortiSIEM users:

  • Updated the renderer to generate rules in the new FortiSIEM XML rule format and resolved the issue with failed translations into this format

  • Added support for brackets in the event_type code block to enable syntax flexibility

  • Improved FortiSIEM rule quality by deleting detections in the old format and regenerating them to prevent parsing errors

New Google SecOps API Data Plane

With this latest SOC Prime Platform release, we’ve redesigned the Data Plane profile configuration for Google SecOps for a more intuitive user experience aligned with the latest API updates. More specifically, the updated Create New Data Plane page for Google SecOps now includes the following:

  • The ability to switch between the new and the old API versions via the Environment type options:

    • Cloud Back Story API (old API that will soon be deprecated)

    • Cloud Chronicle API (new API that users will be switched to gradually)

Note: All existing Google SecOps Data Plane profiles will be displayed in the old format.

  • The "Data Plane will be used in" checkbox is currently deactivated

  • Added new fields to the new profile options:

    • instance_id: filled out manually by the user (string)

    • universe_domain: parsed from JSON (string)

  • Updated the values for the Region drop-down

  • Made UX improvements for the position of fields for both the old and new profile versions

Note: The Google SecOps URL field appears only if the SOC Prime user has selected the Quick Hunt or Attack Detective checkboxes (for both Google SecOps Data Plane profile versions).

Threat Detection Marketplace


Active Threats Update

Basic & Advanced Tiers

With the 6.1.0 Platform release, SOC Prime introduces two tiers of Active Threats, Basic and Advanced, designed to give organizations flexibility in enhancing their cyber defense capabilities.

The Basic Active Threats module is now included by default with every Enterprise Threat Detection Marketplace subscription, providing access to the following features:

  • AI Summaries for quick context on emerging threats

  • IOC Queries to instantly hunt for indicators of compromise

  • Behavior Rules by the SOC Prime team to detect emerging threats

The new Active Threats Advanced Add-On builds upon the basic functionality to strengthen cyber defenses with AI-driven detection, full attack flow visibility, and advanced simulations that prepare security teams for modern threats. By purchasing this add-on, enterprise customers can get access to all advanced AI-powered capabilities of Active Threats, including:

  • AI Summary: Access a comprehensive AI-generated summary with full CTI to understand threat context in minutes, not hours.

  • Attack Flow: Visualize the full chain of attack techniques with enriched intelligence, helping threat hunters understand and disrupt adversary tactics.

  • Rules: Access a large collection of behavior-based rules, IOC queries, and AI-generated detections.

    • Behavior Rules: Get up to 500 expert-curated behavior rules to detect the most pressing threats.

    • IOC Queries: Hunt with queries to quickly check for IOCs.

    • AI Rules: Use any AI-generated content to immediately address TTPs across the incidents and attacks covered in Active Threats.

  • Simulations: Run advanced attack simulations to test defenses, validate detections, and train teams against modern adversary methods. This tab and the corresponding functionality were added with the latest 6.1.0 Platform release. For more details, read the Simulations section.

Customers interested in purchasing the Active Threats Advanced Add-On can get more information by clicking the Contact Us button in the Add-On section of the Pricing page.

Tabs Improvement

The Active Threats interface has been enhanced to improve visibility and usability through updated tab labeling and loading behavior. Now, each Active Threats tab displays the number of available objects in parentheses next to its title.

  • Attack Flow tab: Displays the total count of available objects, counting both Flow and Matrix views as a single object.

  • Detections tab: Horizontal tabs within this section now also show object counts for quick reference.

  • Simulations tab: A preloader has been added to display while the simulation count is being retrieved, ensuring users see real-time data without confusion caused by loading delays.

Active Threats Siri Shortcut

With the 6.1.0 Platform release, we’ve introduced the Active Threats Siri Shortcut, enabling users to access real-time threat intelligence using voice commands or a single tap on iPhone, iPad, Mac, or Apple Watch.

The Active Threats Siri Shortcut seamlessly integrates with the Threat Detection Marketplace, delivering precise, quantifiable insights per the user’s prompt. Specifically, it provides the exact number of news items and detection rules available on the SOC Prime Platform, along with a concise summary of the relevant threats.

This feature accelerates situational awareness, streamlines operational workflows, and delivers actionable cybersecurity insights directly to the user’s preferred Apple device in a seamless, low-friction manner. By simply asking Siri, users can access tailored threat intelligence, making monitoring and responding to active threats faster, more interactive, and highly efficient.

To install the Active Threats Siri Shortcut, users should follow the instructions below:

  1. Open and install the shortcut:

    • Navigate to the Active Threats page on your MacBook or iPhone.

    • Click the Apple Shortcut icon in the upper-right corner.

    • A modal will appear with instructions. Press the Install Shortcut button.

      Note: If installed on your iPhone, you can also access the shortcut later on your Apple Watch.

  2. Configure your API key:

    • Double-click the installed shortcut to open editing mode.

    • Locate the placeholder text PUT_API_KEY_HERE and replace it with your Threat Detection Marketplace API key. To find your API key, go to Platform Settings → API page, where all your keys are listed.

    • Close the editor once your key is entered.

  3. Run the shortcut:

    • Ask Siri to launch the Active Threats shortcut and specify your query (e.g., “Latest cyberattacks against NATO countries”). Siri will read a summary of matching active threats.

    • Alternatively, you can run the shortcut manually by clicking the Play icon, entering your query, and receiving a text-based summary.

Note: Voice mode is recommended for a more seamless experience.

Other Improvements

With the 6.1.0 Platform release, we have introduced a set of improvements to the Threat Detection Marketplace functionality to ensure a smoother and more consistent experience for SOC Prime Platform users:

  • Renamed the AI Threat Intelligence tab to Detection Intelligence, aligning the name with its finalized function.

  • Improved the Search functionality to ensure that the Import Content button is only available within the My Repos view.

  • Implemented a series of UI/UX improvements to ensure consistency across styles and interface components, including tables, menu items, buttons, and other visual elements.

Uncoder AI: Chat Bot UX Improvements


With the latest SOC Prime Platform release, we’ve introduced the following improvements to the new AI Chat Bot mode, which enables users to interact with Uncoder AI in plain language and perform detection engineering tasks end-to-end. More specifically, these enhancements include:

  • A refined Short Summary and Full Summary functionality, which now includes a check for platform availability.

  • When generating the data output in the left panel of Uncoder AI, we’ve removed autoscrolling for an improved user experience.

  • We’ve made improvements to ensure a smooth and intuitive user experience when drilling down to Uncoder AI from Active Threats. If there is no content available for the relevant news feed item, clicking the Generate button now opens the source article in the same Uncoder AI mode rather than switching to a different mode.

  • We’ve enhanced error visibility and user experience by displaying all Debug Console errors from the Classic Uncoder version directly in the New Uncoder AI Chat Bot. Errors now sync seamlessly between the Classic Debug Console and New Chat Bot modes, and are cleared when switching to another chat from history.

  • When sending an empty message in Uncoder AI, the task name is displayed in the chat history.

Note: For a Custom Prompt, the button for sending a message will be disabled if the user input is empty.

Key Bug Fixes & Improvements


  • Fixed the issue with the Free subscription in Active Threats, which caused the Attack Flow, Detections, and Simulations counts to be wrongly displayed as zero for news items not available to Free users.

  • Fixed a "500 Internal Server Error" issue, which was displayed in the console after clicking the Speak With Sales button.

  • Resolved the SOC Prime website layout issue, which caused inconsistencies and confusion between light and dark themes.

  • Fixed the Quick Hunt "500 Internal Server Error" issue, which, in some cases, occurred when selecting the Microsoft Defender for Endpoint platform.

  • Resolved the issue with the Send button on the Contact Us form, which remained active after the user’s first click on it.

  • Fixed the issue with the video display at https://tdm.socprime.com/ccm-inventory/ for Free subscribers, enabling all SOC Prime users to explore the corresponding platform functionality in action and at their own pace.

  • Fixed the issue with the Accept and Close button responsible for the user’s choice regarding cookies, which in certain cases was not clickable on website pages.

  • Fixed a minor UX issue with the Select Authors drop-down padding on the Light Search page, reproduced in the Firefox browser.

  • Resolved the issue on the Log Source Coverage dashboard where, in some cases, the Explored and Deployed Trend displayed incorrect data.

  • Resolved the broken layout issue on the Content Usage chart on the Overview page.

  • Fixed a minor UX search bar issue.

  • In Uncoder AI:

    • Fixed the issue with the AI task switching.

    • Resolved the line-break issue in the results markdown, which is now rendered correctly.

    • Resolved the issue with the Short and Full Summary display on the Generate tab in the Firefox browser.
