December 10, 2025
© 2025 SOC Prime Inc.
All rights reserved. This product and related documentation are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and the features described herein are subject to change without notice.
Active Threats on SOC Prime Website
SOC Prime Platform release 6.1.3 introduces Active Threats, now also available on the SOC Prime website, to offer more possibilities for defenders to explore the latest threats deployed by malicious actors with attack flows, actionable detection rules, and simulation instructions continuously updated. To access the news feed, select Resources > Active Threats from the main website navigation.
Google SecOps API: Pull Curated Detections in Inventory
With the latest Platform release, we’ve added the ability to pull curated detections from Google SecOps to Inventory, enabling SOC Prime customers using Attack Detective to perform Content Audits across the entire detection stack. The new Google SecOps API now supports this functionality.
Curated detections serve as a set of YARA-L rules created and managed by GCTI for Google SecOps customers. Rule sets act as a collection of curated detections, allowing Google SecOps customers to enable or disable them within their Google SecOps account and turn on or off alerts for these rules.
To implement the ability to pull curated detections from Google SecOps to Inventory, we've created a new API endpoint. The system pulls curated detections as Rule Sets, with each content item saved as a Google SecOps Rule with the following details:
Rule title
Rule author
MITRE ATT&CK® tactics and techniques
Rule body – includes the following placeholder: "This content item represents a curated rule set from your organization’s Google SecOps instance. Curated detections can only be edited by Google SecOps, so all of the normal rule editing options are missing (see https://cloud.google.com/chronicle/docs/detection/curated-detections). It’s pulled only for tracking your full MITRE ATT&CK coverage."
Additional metadata (except for log sources)
Note: Rules as part of Curated Rule Sets are not used in Jobs and Attack Detective Scans. However, they can be applied in the Attack Detective Content Audits.
Google SecOps Data Plane Updates
To enable pulling curated detections from Google SecOps to Inventory, we’ve added the Take Inventory of Curated Content toggle switch to the Google SecOps Data Plane. It is visible to the users ONLY IF Cloud Chronicle API, Automation, and direct deployment from a Sigma rule page are selected, and it is disabled by default. The Take Inventory of Curated Content toggle switch goes with the following tooltip for a better user experience: “Enable to allow pulling curated rule sets metadata when taking inventory to track MITRE ATT&CK coverage and run content audits in Attack Detective.”
To pull curated detections, ensure that the Take Inventory of Curated Content toggle switch is ON in the Data Plane settings.
As part of these updates for Google SecOps customers, we’ve also implemented the following:
Pulled MITRE ATT&CK tags for Google SecOps and converted tags to uppercase for proper parsing
Disabled the deployment of curated detections from the content item page
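The following is an added example, not SOC Prime's or Google's code, that models the inventory step described above: a curated rule set pulled from Google SecOps is turned into one record per rule carrying the title, author, uppercased MITRE ATT&CK tags, and the placeholder body, and the record is flagged as usable in Content Audits but not in Jobs or Scans. The payload shape (`rule_set`, `rules`, `author`, `attack_tags`), the record layout, the default author label, and the sample rule names are all constructed assumptions; the real Google SecOps API response and the Inventory schema are not shown in these notes.

```python
"""Added example (not SOC Prime's or Google's code): record curated rule sets
pulled from Google SecOps as inventory items for ATT&CK coverage tracking.

Assumptions, labelled: the payload shape, field names, record layout and the
default author label are constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Placeholder body quoted in the release notes for curated content items.
CURATED_BODY_PLACEHOLDER = (
    "This content item represents a curated rule set from your organization's "
    "Google SecOps instance. Curated detections can only be edited by Google "
    "SecOps, so all of the normal rule editing options are missing "
    "(see https://cloud.google.com/chronicle/docs/detection/curated-detections). "
    "It's pulled only for tracking your full MITRE ATT&CK coverage."
)

# ATT&CK identifiers: tactics TAnnnn, techniques Tnnnn, sub-techniques Tnnnn.nnn.
_TACTIC_RE = re.compile(r"^TA\d{4}$")
_TECHNIQUE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def normalize_attack_tags(tags):
    """Uppercase ATT&CK tags and split them into tactics and techniques.

    Tags may arrive in mixed case or with a Sigma-style 'attack.' prefix; the
    release notes say tags are converted to uppercase for proper parsing, which
    is done here before matching. Unrecognised tags are returned separately so
    that nothing is silently dropped from the coverage view.
    """
    tactics, techniques, unknown = [], [], []
    for raw in tags:
        tag = raw.strip()
        if tag.lower().startswith("attack."):
            tag = tag[len("attack."):]
        tag = tag.upper()
        if _TACTIC_RE.match(tag):
            tactics.append(tag)
        elif _TECHNIQUE_RE.match(tag):
            techniques.append(tag)
        else:
            unknown.append(raw)
    return sorted(set(tactics)), sorted(set(techniques)), unknown


@dataclass
class InventoryRule:
    """Constructed inventory record for one curated detection."""
    title: str
    author: str
    tactics: list
    techniques: list
    body: str
    rule_set: str
    curated: bool = True
    usable_in_jobs_and_scans: bool = False   # curated rules are excluded here
    usable_in_content_audit: bool = True     # but count for Content Audits
    unparsed_tags: list = field(default_factory=list)


def build_inventory(rule_set_payload):
    """Convert one constructed curated rule-set payload into inventory records."""
    records = []
    for rule in rule_set_payload["rules"]:
        tactics, techniques, unknown = normalize_attack_tags(rule.get("attack_tags", []))
        records.append(InventoryRule(
            title=rule["title"],
            # Assumed default: curated detections are created and managed by GCTI.
            author=rule.get("author", "Google Cloud Threat Intelligence"),
            tactics=tactics,
            techniques=techniques,
            body=CURATED_BODY_PLACEHOLDER,
            rule_set=rule_set_payload["rule_set"],
            unparsed_tags=unknown,
        ))
    return records


# Constructed sample payload; rule titles and tags are made up for the example.
SAMPLE_RULE_SET = {
    "rule_set": "Example Curated Rule Set",
    "rules": [
        {"title": "Suspicious Scripting Activity", "author": "GCTI",
         "attack_tags": ["attack.t1059.001", "ta0002", "T1059"]},
        {"title": "Credential Access Attempt",
         "attack_tags": ["TA0006", "t1003", "not-a-tag"]},
    ],
}

if __name__ == "__main__":
    for rec in build_inventory(SAMPLE_RULE_SET):
        print(rec.title, rec.tactics, rec.techniques, rec.unparsed_tags)
```

Keeping the unparsed tags on the record rather than discarding them makes it visible during a Content Audit when a curated rule's metadata could not be mapped to a technique, which would otherwise show up as a silent gap in coverage.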
MITRE ATT&CK® v18.1 Support
In October 2025, MITRE ATT&CK v18 was released, with significant changes to the defensive side of the framework, including the shift from technique-level Detections to Detection Strategies, substantial revisions to Data Components, and the deprecation of Data Sources.
With this Platform release, we’ve updated ATT&CK to the current version 18.1 to keep up with the latest framework changes and improvements.
Data Components Support for ATT&CK Techniques and Sub-Techniques
Due to the Data Components refinements in the major framework version update, we’ve also added Data Components to ATT&CK techniques and sub-techniques, more specifically:
Removed the Data Source from the Data Component field and added the ID
Added all related Data Components for each technique and sub-technique, and vice versa
Updated the custom content
Updated existing Search Profiles to ensure they include the new Data Components structure, where ID is used instead of the name
Expert Filters Updates
To align with MITRE ATT&CK v18, where Data Sources are no longer supported, we’ve removed the Data Sources filter from Expert Filters on the Search page and updated the Data Components filtration.
Other Updates
In addition, as part of this major transition, we’ve implemented the following:
Updated the framework version in Attack Detective
Updated the ATT&CK Navigator in the files that are exported or opened in the Attack Detective Data Audit
Company Website Updates
With the latest Platform release, we’ve published a new customer success story with Netox Oy, showcasing how the partnership with SOC Prime enabled the leading MDR provider to reduce detection engineering efforts by 70% while improving detection quality and achieving a 35% decrease in false positives.
Content Quality Improvements
We continuously enhance the accuracy and reliability of detection content translations across a wide range of SIEM, EDR, and Data Lake query and rule formats. With the SOC Prime Platform release 6.1.3, we’ve introduced a set of translation improvements for the supported platforms listed below.
QRadar
To improve the experience for QRadar customers using the latest versions, we’ve made the alternative translation alias (v7.4.3) the Original translation. This change eliminates the need to switch to an alternative translation each time, reducing friction and streamlining daily workflows. The previous Original translation has been replaced with an alternative translation, pre-v7.4.3.
Microsoft Sentinel
As part of the Microsoft Sentinel transition from Sigmac to Uncoder, we’ve added summarize and count to the parser to enable proper translation handling and avoid syntax errors.
Elastic ES|QL
We’ve improved the quality of ES|QL translations by fixing an escaping issue, ensuring the "." character is properly escaped, similar to Lucene’s case-insensitive syntax rules.
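As an added illustration of the escaping point above (not Uncoder AI's code), the block below builds a Lucene-style case-insensitive regular expression from a Sigma literal, letter by letter as `[xX]` classes, and shows what goes wrong when the `.` is left unescaped: a pattern meant for `evil.exe` also matches `evil-exe`, so the detection fires on strings it was never written for. The pattern shape and the evaluation with Python's `re` are constructed assumptions standing in for an ES|QL `RLIKE` clause; how Uncoder actually emits ES|QL, and ES|QL's own string-literal quoting of the backslash, are not covered here.

```python
"""Added example (not Uncoder AI's code): why '.' must be escaped when a
Sigma value becomes a case-insensitive regex for ES|QL / Lucene.

Assumption, labelled: the pattern shape and local evaluation with Python's
re module are a constructed stand-in for an ES|QL RLIKE clause.
"""
import re

# Characters that have special meaning in a regular expression.
_REGEX_META = set(".^$*+?()[]{}|\\")


def case_insensitive_pattern(value, escape_meta=True):
    """Build a Lucene-style case-insensitive regex for a literal value.

    Letters become [xX] classes so the match ignores case. With escape_meta=True
    every regex metacharacter, '.' included, is backslash-escaped so it matches
    itself. escape_meta=False reproduces the defect: '.' stays a wildcard.
    """
    out = []
    for ch in value:
        if ch.isalpha():
            out.append(f"[{ch.lower()}{ch.upper()}]")
        elif ch in _REGEX_META and escape_meta:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def matches(value, candidate, escape_meta=True):
    """Evaluate the generated pattern against a candidate string.

    A full match is used because a whole-string regex match is what the
    constructed RLIKE-style clause is meant to express.
    """
    pattern = case_insensitive_pattern(value, escape_meta)
    return re.fullmatch(pattern, candidate) is not None


def overmatch_examples(value, candidates):
    """Return candidates the unescaped pattern accepts but the escaped one rejects.

    Each such string is a false positive the escaping bug would have produced.
    """
    return [c for c in candidates
            if matches(value, c, escape_meta=False) and not matches(value, c)]


if __name__ == "__main__":
    # Constructed sample values: a Sigma literal and some observed strings.
    literal = "evil.exe"
    observed = ["evil.exe", "EVIL.EXE", "evil-exe", "evil_exe", "evil.exe.bak"]
    print("escaped:  ", case_insensitive_pattern(literal))
    print("unescaped:", case_insensitive_pattern(literal, escape_meta=False))
    print("false positives from the unescaped pattern:",
          overmatch_examples(literal, observed))
```

The same escaping applies to the other metacharacters in `_REGEX_META`; the release note singles out `.` because it is the one that routinely appears in file names, domains, and IP addresses, where an unescaped dot quietly widens a rule's match set.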
Google SecOps
We’ve improved Sigma-to-Google SecOps (YARA-L) translations in Uncoder AI by fixing an issue where the generated code incorrectly used $event as the second parameter instead of the actual required parameter, ensuring accurate and reliable output.
Threat Detection Marketplace
Active Threats
Active Threats Advanced Limitation Pop-Up
As part of the latest Active Threats updates, we’ve updated the text on the limitation pop-up that is displayed to SOC Prime users who don’t have access to the Active Threats Advanced module when attempting to open content not available to them.
Attack Flow JSON Export Support
With this release, we’ve added support for JSON export from the Attack Flow tab in Active Threats. On the Attack Flow tab > Matrix view mode, SOC Prime users can now click the Download button to export the Attack Flow matrix visualization in JSON format. To enable this functionality, we’ve also fixed the MMD file syntax, which is used to export Attack Flow from Active Threats and Uncoder AI.
MITRE ATT&CK® & Log Source Coverage Pages: Filtering by Custom Repo
With this latest SOC Prime Platform release, we’ve added the ability to filter by a Custom Repository on the MITRE ATT&CK Coverage and Log Source Coverage pages.
To implement this functionality, we’ve added the Repositories drop-down menu, acting as an additional filtering option. For a more intuitive experience with the filtering functionality, we’ve added a tooltip on hover: “Filter the coverage by content in a specific custom repository.” If the Repositories filter is not applied, it will have an empty value. All Custom Repositories are now available to the current user to be used for filtering, including their own or shared across the company.
When selecting a specific Repositories filtering option, all the data is displayed for the selected Custom Repo.
As part of these changes, we’ve also performed the following improvements:
Updated the Explored and Deployed Trend chart
Added Explored and Unexplored stats for custom content data to the MITRE ATT&CK Coverage page > All Content chart.
Manager Role User Invitations Across All Domains Linked to a Company
With this release, we’ve added the ability for SOC Prime users with the Company Manager role to invite other users into the Company, provided that their email domain matches an existing Company domain.
Unified View of Usage Counters
With this SOC Prime Platform release 6.1.3, we’ve added a set of UX improvements to the usage counters (e.g., for Attack Detective Audits and Scans), which were previously visible only when a user navigates across the Platform and opens the user profile menu. This update allows SOC Prime customers to see all relevant usage counters for each active product within their subscription in a centralized location.
In the Account Settings > Subscriptions, we’ve:
Added color-coding to distinguish between subscription types:
Green for a free subscription
Gold for a paid one
Fixed the alignment of the Expiration Date column
Updated the Subscription usage counters and their values:
In TDM: the Premium Rules counter now displays the Sigma rule balance
In Uncoder AI: Queue has the “Priority” value if the Uncoder AI subscription is paid, and “Regular” if it's free
In Attack Detective*: Scans and Audits counters display the corresponding balance, while Premium Rules display the Sigma rule balance according to the current Attack Detective subscription
*Note: The counter, which displays the available number of Premium Rules for Attack Detective, doesn’t correspond to the Sigma rule balance available for Threat Detection Marketplace.
On the user profile menu, we’ve updated the styles and counter values to be consistent with the Account Settings styles and values. These values are now accessible to the users, no matter what product they are viewing at the moment.
Help Center Updates
To deliver an intuitive user experience and make sure the Help Center is in sync with the latest Platform changes, we’ve removed the following outdated items from its menu:
Product Tours
Threat Bounty
The updated Help Center now includes Resources to walk users through the Platform functionality, share expertise, and provide details about the latest updates, plus the Get Support section with options to reach out to us for questions, suggestions, or assistance.
UX Improvements
With this latest release, we’ve made the following enhancements to the Threat Detection Marketplace to ensure an improved experience with the Platform functionality:
Removed the pop-up that prompts users to add Custom Field Mapping
Updated the styles on the Leaderboards and Dashboards pages, including drop-down menus, pagination, and charts, to ensure a consistent look and feel with Active Threats and other similar UI elements on the SOC Prime Platform
On the Lists item page, removed the Type column from the table of included content items to eliminate ambiguity and improve clarity
Key Bug Fixes & Improvements
Related to Presets:
Resolved the issue when an attempt to create a Splunk Preset caused a 500 Internal Server Error.
Fixed the issue when, in some cases, Presets couldn’t be edited after creating them.
Fixed the issue that, in some cases, could cause delays when removing a Preset via the Delete button.
Made improvements to Uncoder AI functionality when using the Translate tab. If the language field in the detection is the same during translation from Roota, the system will now return the rule body in the target language panel.
Fixed the settings display issue on the Uncoder AI Generate tab that appeared in certain cases when clicking the Gear icon during query generation from a raw threat report.
Fixed a minor UX issue on the API page when the Add New Key button appeared with incorrect margins.
Resolved the translation issue from Roota to the Google SecOps language format.
For an improved user experience and clarity, we’ve updated all Content Audit notifications in Attack Detective to specify that the functionality applies only to Splunk Cloud rather than Splunk on-premises environments.
Resolved the issue with the Mark as Deployed button on the content item page > Microsoft Sentinel Query tab, which, in some cases, didn’t change its status.
Resolved the Uncoder AI issue during content translation to the Microsoft Sentinel Query format to enable the validation of the hashes field with modifiers.
Fixed the issue that caused users to be logged out of the SOC Prime Platform in some cases after periods of inactivity of one hour or longer.
Resolved a minor UX issue in Uncoder AI when, in some cases, the platform name on the target language tab was overlapped by the AI preloader.
