
SOC Prime Platform Product Release Notes 6.2.0

Written by Nataliia Pukaliak

May 18, 2026

© 2026 SOC Prime Inc.

All rights reserved. This product and its related documentation are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or its related documentation may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this document, SOC Prime assumes no responsibility for errors or omissions. This publication and the features described herein are subject to change without notice.

Uncoder AI


With the latest SOC Prime release, we’ve redesigned the interface of Uncoder AI to improve usability and make detection engineering workflows more intuitive and efficient. This update is part of an ongoing redesign, with additional improvements and enhancements planned for upcoming releases.

Agentic Threat Research

As part of the Uncoder AI redesign, the mode previously called New has been renamed Agentic Threat Research, and it now provides an enhanced AI-assisted workspace for threat analysis and research.

Agentic Threat Research allows users to create chats and projects, manage them as needed, and group chats into projects that define a shared context. Within a project, users can provide instructions that are automatically applied to every chat in that project. This keeps AI responses consistent and removes the need to re-enter the same information in each chat.

To define a shared context across related conversations, users need to follow these steps:

  • Create a project – Start by creating a new project from the Projects section and giving it a name.

  • Set Instructions – Within each project, define Instructions in the dedicated field.

  • Start a chat – Type a prompt in a chat directly within the project. All subsequent chats created within the same project automatically inherit and apply the provided instructions.

Users can provide input either through the chat for custom prompts or by pasting threat reports, detection rules/queries, or other long inputs in the Code Editor.

The Clear Editor button removes all content from the Code Editor in a single click.

To make navigation more efficient, we’ve introduced a search bar that allows users to quickly find both chats and projects.

In addition, the AI tools (e.g., Attack Flow, Short/Full Summary, Decision Tree, etc.) have been reorganized into three categories:

  • Generate

  • Discover

  • Analyze

Users can now access the AI tools by selecting one of these categories and then choosing the relevant tool within it.

New Agentic AI Tool

In addition to the existing AI tools in Uncoder AI, we’ve introduced a new comprehensive AI-powered analysis tool, Deep Threat Research, which provides complete threat intelligence in a single request. Users paste the text of a threat report and receive a comprehensive threat intelligence package that includes:

  • Summary – Concise threat overview

  • Investigation – Recommended actions for investigating the threat

  • Mitigation – Recommended actions for mitigating the threat according to the best security practices

  • Response – Recommended response actions to minimize the risks of the threat

  • Actors – Threat actors related to the threat

  • Sub-techniques – MITRE ATT&CK techniques and sub-techniques used by adversaries in this threat context

  • Detection Level – Detection type associated with the threat

  • Attack Flow – Visualization of the adversary activity

  • Found on TDM – Relevant detections from the SOC Prime Platform

  • Generated – Relevant AI-generated detections

  • Simulation – Simulations of malicious activity

To use this AI tool, users should follow the steps below:

  1. Click Code Editor in the upper right corner of the Agentic Threat Research mode and paste the text of a threat report.

  2. Click Analyze and choose Deep Threat Research from the list.

Translation

As part of the Uncoder AI redesign, the mode previously named Classic has been renamed Translation.

Additionally, for improved usability, the IOC Query option has been moved from the Generate tab to the dropdown menu in the Translation tab, where users can now convert IOCs from text or files into ready-to-use queries.

Threat Detection Marketplace


History for Custom Content

With this SOC Prime release, we’ve introduced the ability to monitor and track the history of custom content. A new History tab has been added to the Detection Rule page. For each action it records the user who performed it, the type of action performed on the rule (created, edited, deployed, downloaded, added to or removed from a Content List, etc.), the timestamp, and the list of affected platforms.

Threat of the Month Block Update

With the latest release, we’ve enhanced the Threat of the Month block in Active Threats to provide more detailed threat information, making it easier for users to quickly understand a threat and navigate relevant content. The updated block now includes AI Summary, Attack Flow, Detections, and Simulations, along with counters showing the number of available items in each section. Clicking any section within the block takes users directly to the corresponding area on the Threat of the Month details page.

New Platform Header

With this release, we’ve rebuilt the platform header across all pages, introducing a standardized dropdown menu with a list of SOC Prime products to improve navigation and usability.

Detect Flow Landing Page

We’ve introduced a dedicated Detect Flow landing page accessible directly from the products dropdown in the platform header. The new page provides an overview of Detect Flow capabilities and includes the Ready for More? contact modal allowing users to submit their information and connect with our team regarding product offerings.

WIF Support for Google SecOps

We’ve extended WIF support for Google SecOps to include Attack Detective. To enable investigations in Attack Detective over a WIF-authenticated connection, select the Attack Detective option when configuring the Data Plane for Google SecOps.

Website Updates


Improved Table Design

The latest SOC Prime release improves the table design in Blog articles, giving them a consistent, unified layout across all articles.

Content Quality Improvements


We’ve introduced a set of improvements to ensure more accurate translations across supported platforms.

Google SecOps

Improved translation from Google SecOps to CrowdStrike Endpoint Security by adjusting the rule syntax so that it converts correctly.

Coralogix

Improved the ECS alternative translation for Coralogix by removing the index condition from the query.

FireEye

Updated the date format used during FireEye Rule (XML) translation.

LimaCharlie

Improved the error message displayed when translating Sigma rules to LimaCharlie for cases where the Sigma rule contains an unsupported logsource product. The updated message now clearly lists the currently supported logsource products.

Microsoft Sentinel

Fixed an issue with Microsoft Sentinel where the KQL tokenizer sometimes failed to parse the | (pipe) character correctly, which broke reverse translation from Microsoft Sentinel to other platforms.
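As an added illustration of why the pipe character is a classic tokenizer pitfall in KQL (this is not SOC Prime's tokenizer, and the page does not state which inputs triggered the issue, so the trigger shown here is an assumption): a query is a sequence of stages separated by `|`, but `|` may also appear inside string literals such as a `has` argument or a `matches regex` pattern. A naive `split("|")` shatters those literals; the stage splitter below tracks quoting state, honours backslash escapes in ordinary literals and doubled quotes in verbatim `@"..."` literals, and only breaks on pipes outside a literal. The sample query is constructed. Comments and multi-line ```...``` literals are out of scope here.

```python
"""Split a KQL query into pipeline stages without breaking on pipes inside
string literals. Added example, not SOC Prime code; the sample query and the
assumed failure mode (a '|' inside a quoted literal) are constructed."""
from __future__ import annotations

# Constructed sample: two string literals contain a '|' that is NOT a pipe operator.
SAMPLE_QUERY = (
    "SecurityEvent\n"
    "| where EventID == 4688\n"
    "| where CommandLine has \"echo x | findstr\" "
    "or CommandLine matches regex @\"(cmd|powershell)\\.exe\"\n"
    "| project TimeGenerated, Computer, CommandLine"
)


def naive_split(query: str) -> list[str]:
    """The buggy approach: every '|' is treated as a pipe operator."""
    return [s.strip() for s in query.split("|")]


def split_pipeline(query: str) -> list[str]:
    """Split on pipe operators that are outside string literals.

    Handles KQL literal forms:
      'abc' / "abc"   backslash escapes the next character
      @'abc' / @"abc" verbatim: backslash is literal, a doubled quote is one quote
    """
    stages: list[str] = []
    buf: list[str] = []
    quote: str | None = None   # delimiter of the literal we are inside, else None
    verbatim = False           # True when inside an @-prefixed verbatim literal
    i, n = 0, len(query)
    while i < n:
        ch = query[i]
        if quote is None:
            if ch in "'\"":
                quote = ch
                verbatim = i > 0 and query[i - 1] == "@"
            elif ch == "|":
                stages.append("".join(buf).strip())
                buf = []
                i += 1
                continue
        elif verbatim and ch == quote and i + 1 < n and query[i + 1] == quote:
            buf.extend(ch + ch)          # '""' inside @"..." is a literal quote
            i += 2
            continue
        elif not verbatim and ch == "\\" and i + 1 < n:
            buf.extend(query[i:i + 2])   # keep escape and escaped char together
            i += 2
            continue
        elif ch == quote:
            quote = None                 # closing delimiter
            verbatim = False
        buf.append(ch)
        i += 1
    stages.append("".join(buf).strip())
    return [s for s in stages if s]


if __name__ == "__main__":
    print("naive:", len(naive_split(SAMPLE_QUERY)), "stages")
    for stage in split_pipeline(SAMPLE_QUERY):
        print("stage:", stage)
```

On the sample query the naive split yields six fragments (the `has` string and the regex are each cut in two), while `split_pipeline` yields the four real stages, which is what a reverse translator needs before it can map each operator to the target platform.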

CrowdStrike Next-Gen SIEM Falcon LogScale

  • Improved error handling during translation from CrowdStrike Next-Gen SIEM Falcon LogScale to Sigma by adding a clearer error message that indicates when the query is missing and specifies the field where it is expected.

  • Fixed an issue in the alternative CIM Config for CrowdStrike Next-Gen SIEM Falcon LogScale where fields containing the # character were translated incorrectly.

Other Improvements

Fixed an issue where incorrect informational messages were displayed in translation errors in cases where translation was not possible.

Key Bug Fixes and Improvements


  • Applied multiple UI fixes and consistency improvements in Advanced Search, Lists, Tenants, and Account Settings pages.

  • Improved the Log Source Coverage page by fixing the following issues:

    • Fixed an issue where, in some cases, the content graphic was not displayed on the page until a Search Profile was selected.

    • Fixed charts to correctly reflect the data in the Coverage, Content for Log Sources, and Explored and Deployed Trend sections.

    • Fixed an issue where sometimes two empty rows appeared in the exported Log Source Coverage CSV file.

  • Improved the Table of Contents on the Blog page to enhance UI clarity. The Table of Contents is now displayed only when an article contains multiple headings.

  • Fixed an issue where content deployment to Sumo Logic sometimes failed, resulting in the error “Name must be 100 characters or less”.

  • Fixed an issue where the chat widget on the website could disappear in some cases after page reload.

  • Improved error handling for cases when Check Connection flow fails during WIF authentication by adding specific, actionable error messages for each failure case.

  • Fixed an issue in Splunk query handling where sometimes applying a Preset could result in an “Invalid flatten separator” error.

  • Fixed an issue in Attack Detective where scans could sometimes run longer than expected and execute more queries than intended; duplicate scan executions are now prevented.

  • Fixed an issue where the Advanced Search sometimes incorrectly showed an empty result when relevant content was available, in cases where the search query included underscores (_).

  • Fixed an issue where sometimes the comment icon was not fully displayed on the Detection Rule page in the Comments section.

  • Added an OCSF alternative translation for AWS Athena.

  • Fixed an issue where tactic names were sometimes not displayed on the spider chart in Attack Detective.

  • Improved table substitution behavior in Microsoft Sentinel scans when using Custom Field Mapping, ensuring user-defined tables are correctly applied.

  • Fixed an issue where the link name on the Active Threat details page was sometimes displayed incorrectly.

  • Improvements related to Custom Field Mapping:

    • Fixed an issue where new values were sometimes not applied to all fields in CrowdStrike queries.

    • Fixed an issue where value mapping was sometimes not applied to fields using the like operator in Hunters queries.

    • Fixed an issue where the custom source was sometimes not applied to QRadar queries.
