September 22, 2021
© 2021 SOC Prime Inc.
All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
Content Quality Enhancements
At SOC Prime, we’re constantly striving to improve the content quality when translating Sigma behavior-based detections to various SIEM, EDR, and NTDR language formats.
Elastic Stack Translation Improvements
To enhance the quality of Sigma translations into the Elastic Stack format, we’ve fixed the way the AND NOT operator is processed. Previously, as a result of parsing this operator, the generated syntax was not consistent with the intended logic. Now, AND NOT behaves as expected in all Elastic Stack translations.
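As an added illustration of what the intended AND NOT logic looks like once rendered as an Elastic query_string (this is constructed example code, not SOC Prime's translator), assuming a simplified Sigma detection with one positive identifier and any number of negated ones, e.g. `selection and not filter`:

```python
from typing import Any, Dict, List

# Constructed Sigma detection section (placeholder values, not from a real rule).
DETECTION: Dict[str, Any] = {
    "selection": {"EventID": 4688, "NewProcessName": "*cmd.exe"},
    "filter": {"SubjectUserName": ["SYSTEM", "svc_backup"]},
}


def lucene_value(value: Any) -> str:
    """Render one Sigma value: leave wildcards bare, quote everything else."""
    text = str(value)
    if "*" in text or "?" in text:
        return text
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def identifier_to_lucene(fields: Dict[str, Any]) -> str:
    """A Sigma map is an implicit AND of its fields; a list value is an OR."""
    clauses: List[str] = []
    for field, value in fields.items():
        if isinstance(value, list):
            alternatives = " OR ".join(lucene_value(v) for v in value)
            clauses.append(f"{field}:({alternatives})")
        else:
            clauses.append(f"{field}:{lucene_value(value)}")
    return "(" + " AND ".join(clauses) + ")"


def condition_to_lucene(detection: Dict[str, Any], condition: str) -> str:
    """Translate a condition of the form 'a and not b [and not c ...]'.

    Each identifier is wrapped in its own parentheses before NOT is applied,
    so the negation covers the whole filter rather than only its first clause
    (in Lucene, 'NOT x:1 AND y:2' negates only x:1).
    """
    tokens = condition.split()
    if not tokens or tokens[0] in ("and", "or", "not"):
        raise ValueError(f"condition must start with an identifier: {condition!r}")
    query = identifier_to_lucene(detection[tokens[0]])
    i = 1
    while i < len(tokens):
        if tokens[i] != "and" or i + 1 >= len(tokens):
            raise ValueError(f"only 'and' / 'and not' chains are supported: {condition!r}")
        negate = tokens[i + 1] == "not"
        j = i + 2 if negate else i + 1          # index of the next identifier
        if j >= len(tokens):
            raise ValueError(f"dangling operator in condition: {condition!r}")
        query += (" AND NOT " if negate else " AND ") + identifier_to_lucene(detection[tokens[j]])
        i = j + 1
    return query


if __name__ == "__main__":
    print(condition_to_lucene(DETECTION, "selection and not filter"))
```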
Microsoft Defender ATP Translation Improvements
In this release, we've introduced two improvements for translations into this security technology format:
Resolved the issue with mapping of the User field in Sigma detections to the AccountName field when converted to the Microsoft Defender ATP format. Now the mapping works correctly, which ensures an accurate translation.
Updated the config for Microsoft Defender ATP in Sigmac with a new structure to ensure successful translation.
Continuous Content Management Module Updates
In the new version of the SOC Prime Platform, we've improved the UI of the Continuous Content Management. In particular, we've resolved an issue with the Rule Presets pop-up. Previously, both the pop-up and the page it appeared on could have scroll bars. We've removed the redundant scroll bar on the pop-up.
Continuous Content Management Guide Updates
To make sure that all users are aware of the new functionality and can make the most of it, we've added information about inventory content lists to the Continuous Content Management Guide.
Log Source Coverage and MITRE ATT&CK Coverage Improvements
In this SOC Prime Platform release v.5.0.1, we've improved functionality and user experience for the Log Source Coverage and MITRE ATT&CK Coverage elements, which were introduced in the previous release.
Default Search Profile Applied
With this release, both the Log Source Coverage and MITRE ATT&CK Coverage pages are loaded with the default Search Profile applied.
With this feature, security professionals can see data coverage relevant to their organization, directly upon opening the page. If you want to see the log source and ATT&CK coverage for another Search Profile, simply choose it from the drop-down list.
The default profile has the toggle switch ON next to its name under the DEFAULT column on the Search Profiles page (previously this column was named USE FOR SEARCH).
Quick Hunt improvements
With this SOC Prime Platform v.5.0.1 release, we've made improvements to Quick Hunt, which was introduced in the previous release:
Updated some localizations, including the text on the feedback prompt.
Resolved the issue with result percentages, which were not updated after receiving the user feedback.
Improved the user experience when clicking the Content button. Previously, the button opened the Intelligence tab of the selected content item, and now it leads to the Code tab. This makes more sense since the intelligence metrics are also available on the Quick Hunt page itself.
Terms of Use Renamed to Terms of Service
In this latest 5.0.1 release, we've updated the full title of our Terms to SOC Prime Platform Terms of Service. This makes the title clearer, more concise, and consistent with established practice.
Revisit the document if you'd like to find out more about the Terms, or simply review the content to make sure you always stay compliant.
Uncoder CTI Improvements
As part of our continuous effort to expand the range of security technologies supported by the SOC Prime Platform, we've expanded Uncoder CTI with the ability to generate queries for CrowdStrike and drill down to the corresponding XDR environment.
Key Bug Fixes & Improvements
With this release, we’ve made the following key bug fixes and improvements:
Fixed a bug with content deployment to Elastic. Previously, the deployment failed if the Kibana Host field on the Environments page contained a link. Now, this is no longer a stumbling block to correct deployment.
Resolved the issue with copying Global Custom Field Mappings. Before the update, security performers were unable to copy Global Custom Field Mappings that hadn't been created within their company.
Fixed a Humio integration issue. Previously, while configuring a Humio environment, clicking the Save Changes & Check button resulted in a failed credential validation, even though the API Token and other required data were entered correctly.
Resolved a problem with updating and setting status for the Detection Rules on the Inventory page in CCM. Now, the functionality works correctly.
Removed Severity and Status metrics for all content types they are not related to. Now these two metrics appear only for Alerts and Queries.
