November 27, 2025
© 2025 SOC Prime Inc.
All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
Active Threats
With the 6.1.2 Platform release, we’ve redesigned the Active Threats functionality and improved its logic for a more intuitive and consistent user experience.
List View Updates
As part of the Active Threats UX improvements, we’ve updated the look and feel of the list view according to the new design. Each news item on the Active Threats list displays the following details:
The background image (optional)
The news item title
SOC Prime Bias determined by the Severity tag and color-coded accordingly (Critical / High / Medium / Low)
The number of news item views
The publication date based on the date of the news item release and linked to the user time zone in the DD MMM YYYY format
Type of Threat
Affected Industry
Affected Geography
The news item source
Note: If the news item has multiple values for Affected Industry or Affected Geography, the first value will be displayed, and other values will be displayed in brackets as (+N), with the tooltip uncovering all values on hover.
News Item Page
At the top of the page, SOC Prime Platform users can see the following news item details:
The news item title
SOC Prime Bias determined by the Severity tag (Critical / High / Medium / Low)
The number of news item views
The publication date based on the date of the news item release and linked to the user's time zone
The news item source
Each Active Threats news item page includes the following tabs:
AI Summary: the Investigation, Mitigation, and Response blocks, plus the following tag blocks:
Threat Type
Affected Industries
Affected Geographies
Actors
Sub-techniques
Tools
CVE
Attack Flow
Detections
Simulations
Below, each Active Threats news item page displays the following details:
Detection Stack tags, with four of them always visible. Depending on the content attached to the news item, some tags can be active (with green dots) or inactive (with grey dots).
Share: ability to share the news item.
We’ve also added contextual tooltips to the following fields to improve clarity and help users better capture the news item threat context at a glance:
Actors
Sub-techniques
Tools
CVE
Threat Type
Detection Stack
Other Updates
As part of other Active Threats updates, we’ve also implemented the following improvements:
Added Ukraine to the Affected Geography list.
Fixed the issue where the Summary and search results were not cleared when starting a new search or deleting the previous one. Clicking X in the Search bar now shows the list of relevant news items and a cleared Summary.
Ability to Choose the Custom Search App for Splunk Data Plane
With this latest SOC Prime Platform release 6.1.2, we’ve added the ability to choose the custom search app used when generating the link for browser search integration in the Splunk Data Plane for the SOC Prime Attack Detective App for Splunk. Before the update, the link always used the default search app.
To implement this client feature request, we’ve added the optional Custom Search App field with a search placeholder on the Data Plane page for Splunk (both cloud and on-premises), to be used for Attack Detective and for performing hunts.
If the Custom Search App field is empty, the default search app is used.
If the field is filled out, the value provided in the Custom Search App field is used instead.
Note: If the app specified in the Custom Search App field is unavailable or the field is empty, the hardcoded search value is used for hunts.
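The fallback described above, as an added example in Python; this is not SOC Prime's own code and the Platform's actual link builder is not shown on this page. It assumes the standard Splunk Web URL layout (`https://host:8000/<locale>/app/<app>/search?q=...&earliest=...&latest=...`) and assumes the hardcoded default is Splunk's built-in `search` app; the app-ID validation and the sample SPL query are constructed for illustration. The validation is the part a practitioner would want: the field value becomes a path segment in a link, so anything outside a plain app ID is treated as "unavailable" and falls back to the default rather than being interpolated into the URL.

```python
import re
from urllib.parse import quote

# Assumption (not stated on the page): the default is Splunk's built-in
# "search" (Search & Reporting) app.
DEFAULT_SEARCH_APP = "search"

# Splunk app IDs are directory names under etc/apps. Restricting the field value
# to this character set keeps a malformed value from injecting extra path
# segments or query separators into the generated link (assumed policy).
_APP_ID = re.compile(r"^[A-Za-z0-9_-]+$")


def pick_search_app(custom_app):
    """Resolve the app that goes into the browser search link.

    Empty/None -> default app; a value that is not a valid app ID -> default
    app as well (treated as "unavailable"); otherwise the custom app.
    """
    app = (custom_app or "").strip()
    if not app or not _APP_ID.match(app):
        return DEFAULT_SEARCH_APP
    return app


def build_splunk_search_link(base_url, spl, custom_app=None,
                             locale="en-US", earliest="-24h", latest="now"):
    """Build a Splunk Web search URL for the given SPL and time range."""
    app = pick_search_app(custom_app)
    query = spl.strip()
    # Splunk's search bar expects a leading "search" command unless the
    # search starts with a generating command such as "| tstats".
    if not (query.lower().startswith("search ") or query.startswith("|")):
        query = "search " + query
    params = "&".join(
        f"{key}={quote(value, safe='')}"
        for key, value in (("q", query), ("earliest", earliest), ("latest", latest))
    )
    return f"{base_url.rstrip('/')}/{locale}/app/{app}/search?{params}"


if __name__ == "__main__":
    # Constructed sample query and field values (not from the page).
    spl = 'index=main sourcetype="WinEventLog:Security" EventCode=4688'
    for field_value in ("", "hunting_app", "../../etc"):
        print(repr(field_value), "->",
              build_splunk_search_link("https://splunk.example:8000", spl, field_value))
```

The empty and invalid field values both resolve to the `search` app, which is the behaviour the note above describes; only a clean app ID changes the link.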
Google SecOps API Data Plane for Attack Detective
With the SOC Prime Platform release 6.1.0, we redesigned the Data Plane profile configuration for Google SecOps to ensure a more intuitive user experience aligned with the latest API updates. With this latest Platform release, we’ve updated the error message text when the permissions for the new Google SecOps API key are not sufficient: “Your credentials are valid, but permissions are insufficient. Ensure that the service account of the used key has at least the Chronicle API Viewer permission.”
Company Website Updates
As part of the latest release, we’ve implemented the following updates to the SOC Prime website:
Released a new landing page specifically for workshop attendees of our partner, Mjolnir Security.
Updated the header and footer on the main navigation panel across the entire SOC Prime website.
Threat Detection Marketplace
Rule Intelligence: Detection Stack
With this release, we’ve added the Detection Stack block to the Intelligence tab on the content item page, which displays four color-coded tags based on the detection content type:
Active (with green dots)
Inactive (with grey dots)
Each Detection Stack tag shows a tooltip on hover with the content type description to ensure an intuitive user experience with the Platform and the relevant content application:
Query: "Search over data for hunting/triage; may not auto-alert."
Alert: "Rule-triggered signal indicating activity to review or escalate."
ET: "Data pipeline stage: extract, normalize, and load telemetry."
AIDR: "GenAI protection gateway that runs rule/similarity/code/ML/LLM checks to detect & block prompt-injection and harmful content before it hits AI apps."
Uncoder AI
New AI Tasks: Decision Tree
With this latest SOC Prime Platform release, we have added an AI-generated Decision Tree to the list of AI Tasks available in the New Uncoder mode. This AI task explains step by step how the selected query or rule logic works, including all the embedded conditions, branches, and other intricate logic.
After choosing the Decision Tree task, Uncoder AI users are prompted to insert the detection rule into the editor to be processed by AI. They should also specify the language format for the request by selecting a Platform in the drop-down for the Decision Tree AI task and then clicking Confirm. If the input matches the detection content criteria, the LLM responds. If there is an issue, the following error message is displayed: “It seems that your input is not detection content.”
Key Bug Fixes & Improvements
Fixed Unicode parsing when translating detection code from Sigma to the Microsoft Sentinel format.
Fixed the logsources issue when translating IOC content to the Sigma format.
Resolved the Active Threats issue when, in certain cases, the Source and Share links on the news item page didn’t work properly for Free Platform subscribers.
Made a minor UI improvement on the content item page by fixing the Mark As Deployed button text.
Fixed the Sigmac issue with content translation to several language formats that resulted in the display of a wrong error message in certain cases.
Resolved the EventID issue that occurred in some cases with Sumo Logic translations.
Resolved the issue where MITRE ATT&CK Coverage stats sometimes differed from detailed drill-down views.
Related to Uncoder AI improvements:
Improved date parsing from Roota to Sigma in Uncoder AI.
Fixed the issue when, in some cases, error messages were not properly displayed in the Debug Console on the frontend.
Resolved the issue when extra characters could appear during text input in certain cases.
Fixed the issue when, in some cases, content translation to the Microsoft Sentinel Rule YAML format was available only from Sigma or Roota rather than all supported platforms.
Resolved the issue with the wrong regular expression translation to the CrowdStrike format.
Fixed the issue with content translation from Roota to Sigma when license was embedded in the description field rather than being converted as a separate metadata field.
Related to Custom Field Mapping improvements:
Fixed the issue with saving custom values for Splunk mapping configuration on the profile Index tab.
Resolved the Google SecOps issue when, in certain cases, a new mapping value was incorrectly applied using the original field value.
