
SOC Prime Platform Product Release Notes 6.1.1

Written by Eugene

November 21, 2025

© 2025 SOC Prime Inc.

All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

New SOC Prime Logo


With this latest SOC Prime Platform release 6.1.1, we’ve updated the company logo and made the corresponding changes across the entire SOC Prime Platform functionality, including the main navigation and the Login and Signup pages.

In addition, we’ve updated the SOC Prime logo across the company website, including the header and footer functionality:

  • On the mycsocprime.com domain

  • On the socprime.com domain

Company Website Updates


As part of the latest release, we’ve implemented a set of updates to the SOC Prime website, specifically:

  • Updated the SOC 2 Type II Compliance section of the website to reflect our continued commitment to security and industry best practices. Having achieved SOC 2 Type II compliance for the fifth consecutive year, we have added the most recent report, detailing how SOC Prime meets this rigorous security standard. Users can access the updated report by selecting the Get Full Report button and completing the brief form.

  • Released a new landing page detailing how SOC Prime provides a fully supported, enterprise-grade Shift-Left Detection solution based on Confluent Sigma.

  • Resolved issues with the dark mode that caused UI inconsistencies on landing pages when navigating away from the SOC Prime blog.

  • Implemented updates across various sections, including the addition of new content, revisions to existing resources, and adjustments to dates and other relevant information.

Content Quality Improvements


With this release, we’ve made the following enhancements to improve the quality of content translations across multiple SIEM, EDR, and Data Lake language formats:

  • Added validation to reject Sigma rules where the tag field has values with spaces.

  • Added MITRE ATT&CK® tags to the Coralogix Alert render, including tactics, techniques, and sub-techniques.

  • Improved Custom Field Mapping settings and management for Elastic ES|QL Queries. Specifically, we have introduced a Custom Field Mapping drop-down, now available from the Detection Code section of each rule page. Additionally, SOC Prime Platform users can choose, create, or edit Filters to ensure the best Elastic ES|QL Query performance in the organizational environment.

Google SecOps API Data Plane for Attack Detective


With the previous SOC Prime Platform release 6.1.0, we redesigned the Data Plane profile configuration for Google SecOps to ensure a more intuitive user experience aligned with the latest API updates.

With this latest release, we’ve implemented the new version of Google SecOps API Data Plane specifically for Attack Detective. SOC Prime users can seamlessly switch between the new and the old API versions via the Environment type options:

  • Cloud Back Story API (old API that will soon be deprecated)

  • Cloud Chronicle API (new API that users will be switched to gradually)

We’ve also implemented API aggregation, streamlining data retrieval from multiple sources into a unified interface. If the user request doesn’t return anything or is followed by an error, users will see the corresponding issue when performing a Data Audit.

Additionally, we’ve added logging for the Google SecOps Data Plane to provide greater transparency and operational insight.

Threat Detection Marketplace


Saved Search Updates

With the SOC Prime Platform release 6.1.1, we’ve redesigned Search Profiles located in Platform Settings to ensure consistency across the entire Platform functionality. As part of UX improvements, we’ve also added the Shared column and updated the Create Search Profile and Edit Search Profile pop-ups.

Create Search Profile Updates

On the Create New Search Profile page, we’ve added the following changes:

  • All the existing fields from the previous layout version are available in the new one and cannot be removed:

    • Platform

    • Log Source Product

    • Tool

    • Actor

    • Technique

    • Data Component

    • Event ID

    • CVE ID

  • All new fields are unavailable by default. They can be added or removed using the drop-down menu with checkboxes.

  • All the new fields function similarly to the old ones, except for the following three fields:

    • Excluded in Scans

    • Content Action State

    • Show Hidden (the behavior of the Show Only Hidden Content toggle switch depends on the Show Hidden Content toggle switch)

      • When the user turns Show Only Hidden Content ON, the Show Hidden Content is automatically enabled

      • When the user turns Show Only Hidden Content OFF, the Show Hidden Content is automatically disabled

In addition, for a better user experience, we’ve added an updated Import ATT&CK Navigator pop-up that appears by clicking the Import ATT&CK Navigator button. Two consecutive pop-ups from the previous version have been consolidated into a single, streamlined experience, reducing user interaction steps and improving workflow efficiency.

Expert Filters

As part of Search Profiles improvements, we’ve added the fields that match all the Expert Filters on the Search page. The updated Search Profiles will be used to save the Expert Filters.

Also, we’ve added the new Search context pop-up to the Search page when the Expert Filters are applied. This menu includes the Save as Search Profile option and the Clear Filters button.

Note: When the Search Profile is open, all filters it stores will be applied.

Unified MITRE ATT&CK Tag Handling for SIEM Integrations

With this release, we’ve introduced a major enhancement to ensure MITRE ATT&CK tactics and techniques are properly retrieved, processed, and stored in both Inventory and Custom Repositories when content is pulled from supported SIEM platforms.

Detection rules now pass all tags received from the SIEM. A new Jobs validation mechanism identifies which of these tags represent legitimate MITRE ATT&CK mappings. To maintain data accuracy, repository tags are updated only when a rule’s tags have changed. This is backed by additional improvements in content management to store and track tags reliably.
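The tag handling described above, together with the rejection of tags containing spaces listed under Content Quality Improvements, can be sketched as follows. This is an added example, not SOC Prime's implementation or code from these release notes; it assumes tags arrive as Sigma-style `attack.*` strings, and the names `classify_tags` and `sync_repo_tags` are hypothetical.

```python
import re

# Enterprise ATT&CK tactic names as written in Sigma tags (embedded so this runs offline).
TACTICS = {
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
}
TECHNIQUE = re.compile(r"t\d{4}(\.\d{3})?")  # t1059 or t1059.001


def classify_tags(tags):
    """Sort raw tags into ATT&CK tactics, techniques, sub-techniques and other.

    Raises ValueError for an empty, non-string or whitespace-containing tag.
    """
    result = {"tactics": set(), "techniques": set(), "subtechniques": set(), "other": set()}
    for raw in tags:
        if not isinstance(raw, str) or not raw or re.search(r"\s", raw):
            raise ValueError(f"invalid tag: {raw!r}")
        tag = raw.lower()
        namespace, _, value = tag.partition(".")
        tactic = value.replace("_", "-")  # accept the older underscore spelling
        if namespace == "attack" and tactic in TACTICS:
            result["tactics"].add(tactic)
        elif namespace == "attack" and TECHNIQUE.fullmatch(value):
            key = "subtechniques" if "." in value else "techniques"
            result[key].add(value.upper())
        else:
            result["other"].add(tag)  # passed through, but not an ATT&CK mapping
    return result


def sync_repo_tags(stored, incoming):
    """Return (tags_to_store, changed); stored tags are replaced only on a real change."""
    new = classify_tags(incoming)
    if stored is not None and new == stored:
        return stored, False
    return new, True


if __name__ == "__main__":
    # Constructed sample: tags as they might be pulled from a SIEM rule.
    pulled = ["attack.execution", "attack.T1059.001", "attack.t99", "tlp.amber"]
    stored, changed = sync_repo_tags(None, pulled)
    print(changed, stored)
```

A tag such as `attack.t99` is kept but lands under `other`, so a malformed ID never appears in the repository as an ATT&CK mapping.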

Other Improvements

With the 6.1.1 Platform release, we have introduced a set of UI/UX improvements to the Threat Detection Marketplace functionality to ensure a smoother and more consistent experience for SOC Prime Platform users:

  • Search

    • The summary and search results are now automatically cleared when starting a new search or deleting a previous one.

    • When applying the Recommended filter on the Search page, IOC Rules stored in the Active Threats IOCs repository are now excluded from the search results.

    • Various UI and layout refinements have been introduced to the Advanced Search, including consistent spacing, alignment, and button styling to improve usability.

  • Help Center: User interface now features updated design elements with improved spacing, borders, and overall visual consistency.

  • Simulation (Validation Tab): Style and layout issues have been resolved to enhance clarity and usability.

  • CI/CD:

    • Custom Field Mapping: Text columns feature improved spacing for readability.

    • Filters: Selector widths have been aligned for a better user experience.

    • Integrations: Tooltips are now properly aligned with the corresponding text.

Uncoder AI


AI Features Availability via Uncoder API

With the latest SOC Prime Platform release, we’ve introduced enhancements that allow users to seamlessly access Uncoder’s AI functionality via API. Users can now leverage the following AI features using the API:

  • Behavior Rule: Generate behavioral rules based on a threat report, description of malicious activity, or the user’s custom input.

  • Short Summary: Instantly translate complex queries into clear, exec-level summaries.

  • Full Summary: Gain instant, human-readable logic explanations for your rules/queries.

  • Attack Flow: Convert a threat report or a description of malicious activity into a visual Attack Flow diagram.

  • Predict ATT&CK Tags: Enrich the Sigma rule with ML-predicted MITRE ATT&CK tags.

  • Query Optimization: Get detailed instructions on how to improve your query performance.

  • Validation: Leverage AI-assisted syntax validation for Sigma rules.

  • Results Aggregation: Group query results by AI-selected fields to facilitate further analysis if the query returns a lot of results.

  • Job Results: Instantly check the status of Jobs and review their performance results.

To start using AI functionality via API, users should follow these steps:

  1. Go to the API tab in the CI/CD section of the Threat Detection Marketplace.

  2. Edit an existing API key or create a new one for Uncoder AI, making sure to check the AI Features checkbox.

Note: Users can access Uncoder’s AI functionality via the API only if their subscription includes Uncoder AI.

JSON Validation for Custom Repo Rules

We’ve introduced JSON validation for rule translations generated in Uncoder AI and then saved to a user’s Custom Repository. This enhancement ensures that only valid JSON content can be saved, preventing potential deployment errors.

The validation applies to the following content types:

  • Elastic Lucene Detection Rule

  • Elastic EQL Detection Rule

  • Elastic Stack ES|QL Detection Rule

  • Elastic Stack Rule (Watcher)

  • Sentinel Rule (Kusto)

  • Falcon LogScale Alert

  • Sumo Logic Rule (CSE)

Note: Any attempt to save invalid JSON will be blocked, ensuring users can only deploy correctly structured rules.

New AI Tasks

With the 6.1.1 Platform release, we have expanded the list of AI Tasks available in the New Uncoder mode, powered by the AI Chat Bot interface and Model Context Protocol (MCP) tools. The following AI Tasks have been added:

  • MISP Search: Search a selected MISP server for threat intelligence events and obtain aggregated information about threats matching your prompt, including IOCs, malware families, and attack patterns.

  • Detections Search: Search for relevant detection rules within the SOC Prime Platform.

Note: With this release, we’ve significantly improved MISP Search to return the most recent MISP galaxies, ensuring users have access to up-to-date threat intelligence categories and data.

Key Bug Fixes & Improvements


  • Added an email notification to let the Company Manager know when a new SOC Prime Platform user is created within the organization via third-party login apps (SAML).

  • Resolved issues that could sometimes cause a 500 Internal Server Error when saving Presets for Splunk, Elastic Detection Rule, Elastic Watcher Alert, Falcon LogScale, Microsoft Sentinel, and Sumo Logic.

  • Resolved the issue where, in some cases, scheduled Jobs in Inventory returned an incorrect quantity of content.

  • Fixed the issue with the content counter related to the Lists functionality.

  • Implemented a set of UI/UX fixes for Active Threats functionality.

  • Fixed an issue where AI features on the Generate tab of Uncoder AI were, in some cases, not available for Free-tier users.

  • Improved UI for the Add/Edit API Key pop-up in the Platform’s CI/CD section.

  • Updated Splunk Alert to automatically add a filter at the beginning of the query, instead of appending it to the end as was previously done.

  • Fixed Custom Field Mapping issue where, in some cases, special characters (braces) caused the mapping to be applied multiple times. Now, all special characters are properly escaped during evaluation.

  • Resolved a set of issues for improved UI/UX and performance in Uncoder AI:

    • Updated the Uncoder AI Assistant so that it automatically expands after closing the Save menu or the Intelligence panel.

    • Fixed an issue where, in some cases, the Uncoder AI pre-loader was cut off when the Debug Console was opened.

    • Fixed an issue where the Uncoder AI pre-loader background, in some cases, covered the Debug Console text when it was fully expanded.
