
SOC Prime Platform Product Release Notes 5.0.0

Written by Sergey Bayrachny

September 14, 2021

© 2021 SOC Prime Inc.

All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

SOC Prime Platform Release


We are thrilled to announce the release of the SOC Prime Platform for collaborative cyber defense, threat hunting, and threat discovery! From now on, Threat Detection Marketplace becomes part of the recently released Platform, with new elements and capabilities added on top of it to take the cybersecurity experience to the next level.

The SOC Prime Platform is now enriched with new functionality enabling users to choose the exact direction tailored to the organization-specific security needs. All the platform capabilities, including the newly released Elements (Uncoder CTI, Quick Hunt, Log Source Coverage, and MITRE ATT&CK® Coverage) are placed under the corresponding categories based on the business and security needs they match.

Threat Detection Marketplace remains one of the core elements of the new SOC Prime Platform for collaborative cyber defense. It now appears under the Discover category as it is primarily used to discover the most relevant detection content.

Home Page Major Update


Registered users can now easily access both new and existing elements from the redesigned and restructured home page. Its direction-based structure streamlines navigation to help security performers hunt for the latest threats, automate threat investigation, and measure the team's progress in threat detection with less effort.

The SOC Prime Platform offers core directions (or categories) that can be taken to address the organization's current cybersecurity needs. By choosing one of them, security performers can find all the relevant capabilities that will help make the platform experience more streamlined and intelligent:

Discover

Browse Threat Detection Marketplace, the world’s first and largest SOC content repository linked to security intelligence:

  • Detection Engineering (previous name: Detections)

  • MITRE ATT&CK®

  • Advanced Search (previous name: Expert)

  • Leaderboards

Hunt

Accelerate proactive and retrospective Threat Hunting with behavior-based detections, cyber threat intelligence, and AI:

Manage

Track the progress of the team in threat detection, measure ROI, and benchmark against industry peers and MITRE ATT&CK®:

Integrate

Connect the security tools to maximize efficacy and performance:

  • Environments

  • Search Profile

  • Custom Field Mapping

Automate

Continuously adapt cyber defense capabilities to the latest threats:

  • Continuous Content Management

Collaborate

Stay connected to the worldwide cybersecurity community for a safer future:

  • Slack Community

  • Threat Bounty

  • Community Collaboration (shown for Community subscription)

Learn

Align security operations with the world's best practices:

  • Cyber Library

  • Videos

  • Platform Guide

  • Content Guides

  • CCM Guide

Personalize

Customize the platform to the organization’s security needs for the most tailored experience:

  • Profile

  • Account Security

  • Role and Platform

  • My Team (shown for Community and Premium subscriptions)

We continue developing new elements and functionality to be included in future releases. The most exciting of them are displayed on the home page with a Coming Soon label. Hover over it and click Notify Me to get an email notification when the element is rolled out.

To ensure that the platform onboarding experience is as smooth as possible, after exploring an element of a certain category, you can see a checkmark next to its name on the home page. This way security performers can track explored and unexplored elements.

With breadcrumbs added in the top left corner of each page, navigation becomes even easier and more intuitive.

To make sure everyone is aware of the major update, users see a heads-up pop-up the first time they log in to the Platform after release 5.0.0.

New Elements


With this release, we’ve added three new Platform elements aimed at enhancing Threat Hunting capabilities and at providing organization-specific statistics on log source and MITRE ATT&CK® coverage.

Log Source Coverage

Get insights into the log source products, categories, and services your organization has covered, based on the number of content items explored, deployed, and downloaded via API. This way, organizations can assess how effectively the log source data is utilized within the environment.

The Overview page has two graphs:

  • Content per Product shows the total coverage of the organization’s top 12 log source products

  • All Content displays the total amount of explored, deployed, downloaded via API, and unexplored content items

Sort log source products by various criteria and drill down to the specific Event ID for more details, as well as monitor coverage trends over time for specific log source products to assess your progress.

Make sure to configure and apply a Search Profile to visualize data tailored to your organization-specific environment and get a clear idea of what is already done and which areas may need improvement. Statistics will be filtered according to the defined Platform and Log Source Product fields configured in the Search Profile. Other fields, like Actor, Tool, Technique, ATT&CK Data Source, Event ID, CVE ID will not be considered.

By clicking the pill with the number of event IDs for a particular service, you can open the list of corresponding event IDs with content metrics for each of them.

With these insights, SOC Managers and CISOs can make informed data-driven decisions and plan the way forward.

MITRE ATT&CK® Coverage

Get insights into the MITRE ATT&CK tactics, techniques, and sub-techniques your organization has covered, based on the number of content items explored, deployed, and downloaded via API. With this newly added Platform element, security performers can track and audit their detection efforts in terms of ATT&CK parameters.

The Overview page has two graphs:

  • Content per Tactic shows the total coverage of the available 12 MITRE ATT&CK tactics

  • All Content displays the total amount of explored, deployed, downloaded via API, and unexplored content items

Open particular tactics to dive deeper. Sort techniques by various criteria and drill down to the related sub-techniques to find all the ins and outs of the MITRE ATT&CK coverage.

By applying the Search Profile, you can personalize your coverage insights and get a clear idea of what is already done and which areas may need improvement. Statistics will be filtered according to the defined Platform and Log Source Product fields in the Search Profile. Other fields like Actor, Tool, Technique, ATT&CK Data Source, Event ID, CVE ID will not be considered.

Quick Hunt

With Quick Hunt, security performers with any skill level can easily and rapidly hunt for the latest threats in their SIEM and XDR. Aimed at both entry-level analysts and experienced security professionals, this tool is very powerful while extremely easy to use.

Before hunting, set up your environment and customize your Custom Field Mapping profile. Currently, Quick Hunt supports the following SIEM & XDR solutions:

  • Azure Sentinel

  • Chronicle Security

  • CrowdStrike

  • Elasticsearch

  • Splunk

  • Humio

Adding a Default Config for alternative translations is also currently available for these platforms:

  • Azure Sentinel

  • Elasticsearch

  • Splunk

After the setup, you can hunt in just one click without the need to dive too deep into content logic.

To get the relevant security intelligence related to the content item, you can view its metrics, context, and metadata.

Provide feedback on the outcome of your hunt to help us make the Platform even better. If you use the Community subscription, you can earn additional hunts by sharing your feedback with us.

New Content Item Page Look and Feel


Now the content item page where you can drill down to the rule code and metadata has two tabs for a more intuitive threat detection experience: Intelligence and Code.

Intelligence contains the selected content item name, description, as well as stats on content views and downloads. It also provides threat context and delves into the detection details to get a full picture of the content item and streamline threat discovery:

  • Metrics

  • Author

  • Released date

  • Category

  • Product

  • Service

  • Timeline with references

  • Mapped MITRE ATT&CK details

  • Tags

  • Reviews

Code contains the Sigma detection code and its translations available for various environments. Depending on your environment and subscription tier, with icons in the upper right corner of the tab you can do the following:

  • Edit code locally

  • Mark the content item as deployed/undeployed manually

  • Report an issue to suggest improvements

  • Copy the code to clipboard

  • Copy the link to the code to clipboard for sharing

  • Add the content item to a CCM list

  • Deploy the content item to your environment

New Model of Access to SOC Prime Platform


From now on, all users with a corporate email will have free access to the new and existing Platform elements, with threshold-based availability that depends on their active subscription plan. This way, each security professional can have a comprehensive experience of our Platform with a Community subscription.

Accordingly, we no longer offer trials of the Platform's elements and have removed all features related to trials from the UI.

The new access model is applicable to all elements of the Platform, including the Continuous Content Management (CCM) module. From now on, security professionals registered with a corporate email address can automate the content deployment and update processes with content lists, jobs, presets, and other CCM features.

Chronicle Security Query Support


With this new release, we continue expanding our support of security technologies to make our Platform more versatile and cover broader needs of security professionals. This time, we've added the support for Chronicle Security Queries. Now you can access the corresponding content type and set up a Custom Field Mapping for its deployment.

For your convenience, to reach the most relevant search results, content can now be filtered by the Chronicle Security Query by selecting the corresponding Platform option from the filtering functionality on the Advanced Search page.

Content Quality Enhancements


At SOC Prime, we’re constantly striving to improve the content quality when translating Sigma behavior-based detections to various SIEM, EDR, and NTDR language formats.

Carbon Black Translation Improvements


With this release, we've fixed the issue where fields such as cmdline or regmod were duplicated when Sigma rules were translated into the Carbon Black query format. Now, only one instance of each field is produced after conversion, which ensures that the translated query parses correctly.

Chronicle Security Translation Improvements


To prevent parsing errors in the generated Chronicle Security rules, with this release we've added escaping of the \ and \n special characters with an additional \ character. This change applies to the following fields of the meta section of the rules generated for Chronicle Security:

  • description

  • falsepositives

  • tags

Microsoft Defender ATP Translation Improvements


To improve translation of Sigma detections into the Microsoft Defender ATP language format (KQL), string values containing backslashes are now emitted as verbatim string literals, prefixed with the @ character. In a verbatim literal, KQL does not interpret the backslash as an escape character, so Windows paths and registry keys are processed correctly.
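The two translation fixes above (Chronicle meta-field escaping and KQL verbatim strings) are both instances of the same problem: a Sigma string value that contains backslashes, quotes or newlines must be re-encoded for the target query language or the generated rule will not parse. The following is an added example, not SOC Prime's translation code, showing both strategies on a constructed Sigma rule. The Chronicle and KQL fragments it emits are illustrative renderings, not the Platform's actual output format; the field values and the DeviceProcessEvents table name are assumptions made for the example.

```python
# Added example, not SOC Prime's translation code. Shows the two escaping
# strategies described in these release notes for Sigma string values:
# extra backslashes for quoted strings in a Chronicle (YARA-L) meta section,
# and KQL verbatim string literals (@"...") for Microsoft Defender.
from typing import Dict, List

# Constructed Sigma rule: the description carries both a Windows path and a
# newline, which is exactly the kind of value that broke earlier translations.
SIGMA_RULE = {
    "title": "Suspicious Script Host",
    "description": "Detects wscript.exe started from C:\\Users\\Public\nSee the references.",
    "falsepositives": ["Admin scripts under \\\\fileshare\\tools"],
    "tags": ["attack.execution", "attack.t1059"],
    "detection": {"Image": "C:\\Windows\\System32\\wscript.exe"},
}


def escape_quoted(value: str) -> str:
    """Escape a value for use inside a double-quoted string literal.

    Backslashes are doubled first so the backslashes inserted for newlines
    and quotes are not escaped a second time. A literal newline becomes the
    two-character sequence \\n, keeping the literal on one line.
    """
    return (
        value.replace("\\", "\\\\")
        .replace("\n", "\\n")
        .replace('"', '\\"')
    )


def chronicle_meta(rule: Dict) -> List[str]:
    """Render the meta fields named in the notes as 'key = "value"' lines."""
    lines = []
    for key in ("description", "falsepositives", "tags"):
        raw = rule.get(key, "")
        if isinstance(raw, list):
            raw = ", ".join(raw)  # list-valued Sigma fields flattened to one string
        lines.append(f'{key} = "{escape_quoted(raw)}"')
    return lines


def kql_string(value: str) -> str:
    """Render a KQL string literal.

    Plain literals treat '\\' as an escape character, so any value containing
    a backslash is emitted as a verbatim literal (@"..."), in which backslashes
    are literal and the only special character is the delimiter quote, which
    is doubled.
    """
    if "\\" in value:
        return '@"' + value.replace('"', '""') + '"'
    return '"' + value.replace('"', '\\"') + '"'


def kql_where(rule: Dict, table: str = "DeviceProcessEvents") -> str:
    """Build a KQL filter from the rule's (flat, AND-ed) detection block.

    The table name is an assumption for the example.
    """
    clauses = [f"{field} == {kql_string(val)}" for field, val in rule["detection"].items()]
    return f"{table} | where " + " and ".join(clauses)


if __name__ == "__main__":
    print("\n".join(chronicle_meta(SIGMA_RULE)))
    print(kql_where(SIGMA_RULE))
```

The ordering inside escape_quoted is the part that is easy to get wrong: if newlines or quotes were escaped before backslashes, the backslashes just inserted would be doubled again and the target parser would see a stray \ followed by n.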

Continuous Content Management Module Updates

Content Count Limit Applied to Jobs


To prevent overloading the customer’s platform, all dynamic lists are limited to the 200 most recent content items. To make content deployment more predictable, we’ve extended the same limit to the jobs that run on those lists. Previously, without this restriction, running a job to deploy content from a dynamic list could involve thousands of content items, which led to excessive use of system resources. Now that a job deploys no more than 200 content items, performance has improved and jobs related to dynamic lists deploy content reliably.

Default Environment in Inventory


To improve the content streaming experience, we’ve streamlined the logic for choosing the default environment in the Inventory section.

If the user has set up only one environment, it is selected by default when the Inventory section is opened (even for the first time).

If the user has configured multiple environments, the default environment after opening the Inventory section is automatically set to the one used the last time. In the previous Continuous Content Management (CCM) module versions, the first platform from the list was selected even when there was no environment set up for it.

Custom Field Mapping Validation


To improve user experience and prevent naming issues, we've introduced a validation feature on the Create New Custom Field Mapping pop-up. The feature checks if the entered profile name already exists within the user's organization and shows a warning message if a match is found.

Guide Updates


To reflect the latest changes made to our platform, new improvements, and additional functionality, we've updated the following user guides:

  • Platform Guide. Find out more about the newly released SOC Prime Platform and learn how to unleash its full power.

  • TDM API Integration Tool Guide. Check out the configuration file and API parameters, find useful instructions, and view the examples.

Key SOC Prime Website Updates


This major release v.5.0.0 drives innovation for collaborative cyber defense introduced by the launch of the new SOC Prime Platform. To reflect all the undergoing changes, we’ve made the corresponding improvements to the company website at https://socprime.com/ and other webpages introducing our products, tools, and related functionality to deliver a consistent experience to our customers. More specifically, these latest enhancements are as follows:

  • We’ve restructured navigation for a more intuitive website journey

    • Added the Platform option with the newly released Overview page providing the new platform highlights at a glance

    • Split Tools and Services into two separate menu options

    • Renamed the menu option leading to the dedicated Threat Bounty landing page

  • We’ve also redesigned the main page, making it more straightforward in reflecting SOC Prime’s mission: “make threat detection easier, faster, and simpler”

As part of these updates, we’ve updated the header and footer with the restructured navigation for the following webpages affected by this release:

Moreover, with this latest release, we’ve made the following user experience improvements:

  • Applied a set of localization changes to the Uncoder.IO page

  • Renamed “Case Studies” to Customer Success Stories

Localization Updates


To improve user experience and make our Platform UI more consistent, we’ve revised some labels and other localizations. More specifically, we’ve made the following updates:

  • Replaced Add with Create on a set of related buttons and pop-ups, as well as shortened several labels on the pages related to API and integration

  • Replaced Configure Rule Template with Configure Rule Presets in the Create Job pop-up

As part of these updates, we've also improved the spacing and font size of some UI elements.

New Sigma Rule Categorization


With this release, we've split Sigma rules into two different content types:

  • Alerts — rules better suited for triggering notifications

  • Queries — rules better suited for investigations, lookups, and Threat Hunting

Because analyzing a high volume of alerts takes significant time, security practitioners can choose to deploy as alerts only those Sigma rules that are fully tested and much less likely to generate false positives, and keep the rest as queries for hunting and investigation.

This new rule categorization minimizes the ambiguity around the intended purpose of content, reduces analyst workload, and helps in streamlining security operations overall.

New Subscriptions Page


With this major release v.5.0.0, we've updated the Subscriptions page in accordance with the new access model and updated Platform structure. Here you can find all the details about access to all core elements under each category for our three subscription tiers:

  • Limited

  • Community

  • Premium

Page Limit Updated in API


To avoid scenarios where content retrieval leads to resource overuse, we've changed the maximum page size to 50 rules for the /sigma and /search-sigmas endpoints. Requests for larger pages are served at the new limit, so clients that page through results should expect at most 50 items per response.
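A server-side page cap like this breaks a common client pattern: stopping as soon as a page comes back shorter than the size the client asked for. If the client asks for 100 and the server silently serves 50, the first page looks like the final short page and the client quietly truncates the result set. The following is an added example, not SOC Prime's API client: the parameter names (page, page_size) and the in-memory endpoint are assumptions constructed for the example, and the real request format is documented in the TDM API Integration Tool Guide.

```python
# Added example, not SOC Prime's API client. Demonstrates why a paging loop
# must treat the server's cap (50 per the release notes), not its own
# requested page size, as the end-of-results signal. The endpoint below is a
# constructed stand-in; parameter names are assumptions for the example.
from typing import Callable, Dict, List

MAX_PAGE_SIZE = 50

# Constructed data set: 120 rule ids standing in for content items.
_CONTENT = [{"id": f"rule-{i:04d}"} for i in range(1, 121)]


def fake_endpoint(page: int, page_size: int) -> List[Dict]:
    """Stand-in for the API: silently clamps page_size to MAX_PAGE_SIZE."""
    size = min(page_size, MAX_PAGE_SIZE)
    start = (page - 1) * size
    return _CONTENT[start:start + size]


Fetcher = Callable[[int, int], List[Dict]]


def fetch_all_naive(fetch: Fetcher, page_size: int = 100) -> List[Dict]:
    """Stops when a page is shorter than the *requested* size.

    With page_size=100 the first page comes back with 50 items, which looks
    like a final short page, so the loop exits after 50 of 120 items.
    """
    results, page = [], 1
    while True:
        batch = fetch(page, page_size)
        results.extend(batch)
        if len(batch) < page_size:
            return results
        page += 1


def fetch_all(fetch: Fetcher, page_size: int = MAX_PAGE_SIZE,
              max_pages: int = 10_000) -> List[Dict]:
    """Request no more than the server cap and stop only on a genuinely short page.

    Items are de-duplicated by id in case ordering shifts between pages, and
    max_pages bounds the loop so a misbehaving endpoint that keeps returning
    full pages cannot spin the client forever.
    """
    page_size = min(page_size, MAX_PAGE_SIZE)
    results: List[Dict] = []
    seen = set()
    for page in range(1, max_pages + 1):
        batch = fetch(page, page_size)
        for item in batch:
            if item["id"] not in seen:
                seen.add(item["id"])
                results.append(item)
        if len(batch) < page_size:
            return results
    raise RuntimeError("page limit reached without a final short page")


if __name__ == "__main__":
    print("naive:", len(fetch_all_naive(fake_endpoint)))  # truncated
    print("robust:", len(fetch_all(fake_endpoint)))       # complete
```

The same loop shape applies whether the API pages by number or by offset; the invariant is that the client requests exactly the cap and interprets "fewer than the cap" as the end.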

Search Scope Options Updated


To reflect the structure of the Discover category, we've updated the search scope options in the Detection Engineering and Advanced Search elements. The All and MITRE ATT&CK® options have become redundant and we’ve removed them. Now, using the updated menu, you can select one or multiple fields to search for content.

Uncoder CTI


In one of the previous Threat Detection Marketplace updates, we released the beta version of Uncoder CTI, a unique tool for generating IOC queries on the fly and seamlessly drilling down to hunt for threats in the customer’s environment.

With this latest Platform update, we introduce the final release of the Uncoder CTI functionality. Still, we are continuously working on its improvements to enhance the overall performance and user experience.

With this release, we’ve broadened the support for Uncoder CTI with the following security solutions:

  • Securonix

  • FireEye Helix

Also, we've added the capability to send queries to the Azure Sentinel environment right from Uncoder CTI.

Updated Content Metrics


With this latest release, we've updated the content metrics that previously included five parameters:

  • Severity

  • Action

  • Pain

  • Impact

  • True Positive

We’ve recently made these metrics more user-friendly and intuitive by reducing them to two parameters:

  • Severity of the detected activity according to the content author. The value corresponds to the Sigma level:

    • Critical — a highly relevant event that indicates an incident. Critical events should be reviewed immediately.

    • High — a relevant event that should trigger an internal alert and requires a prompt review.

    • Medium — a relevant event that should be reviewed manually on a more frequent basis.

    • Low — a notable event but rarely an incident. Low-rated events can be relevant in high numbers or in combination with others. An immediate reaction shouldn't be necessary, but a regular review is recommended.

  • Status indicated in the Sigma detection:

    • Stable — rules that are considered stable and may be used in production systems or dashboards.

    • Testing — rules that may require some fine-tuning.

    • Experimental — rules that may often produce false positives but still can identify relevant events.

These metrics are displayed on the Intelligence tab when viewing a specific Query/Alert, and on the Advanced Search and Quick Hunt pages.
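Taken together, the Alerts/Queries split and the Severity and Status metrics give a detection engineer enough metadata to decide, per rule, whether it should page an analyst, sit in the SIEM as a hunting query, or not be deployed at all. The following is an added example of such a deployment policy, not Platform code; the sample rules are constructed. It also accepts the Sigma level "informational" and the statuses "deprecated" and "unsupported", which the Sigma specification allows but the UI summary above does not list.

```python
# Added example, not SOC Prime Platform code. A deployment policy that turns
# the Sigma level/status metadata described in these notes into a decision
# per rule: alert, hunting query, or skip. Sample rules are constructed.
from typing import Dict, List

LEVEL_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
# The UI label "Testing" corresponds to the Sigma field value "test"; accept both.
STATUS_ALIASES = {"testing": "test"}
PRODUCTION_STATUSES = {"stable", "test"}
RETIRED_STATUSES = {"deprecated", "unsupported"}


def classify(rule: Dict, min_alert_level: str = "high") -> str:
    """Return 'alert', 'query' or 'skip' for one Sigma rule.

    alert : stable rule at or above min_alert_level
    query : any other stable/test rule, and all experimental rules
    skip  : deprecated/unsupported rules, or unknown level/status values
    """
    if min_alert_level not in LEVEL_RANK:
        raise ValueError(f"unknown Sigma level: {min_alert_level}")
    level = str(rule.get("level", "")).lower()
    status = str(rule.get("status", "")).lower()
    status = STATUS_ALIASES.get(status, status)

    if level not in LEVEL_RANK or status in RETIRED_STATUSES:
        return "skip"
    if status == "stable" and LEVEL_RANK[level] >= LEVEL_RANK[min_alert_level]:
        return "alert"
    if status in PRODUCTION_STATUSES or status == "experimental":
        return "query"
    return "skip"  # unrecognised status value


def plan(rules: List[Dict], min_alert_level: str = "high") -> Dict[str, List[str]]:
    """Bucket rule titles by deployment target, preserving input order."""
    buckets: Dict[str, List[str]] = {"alert": [], "query": [], "skip": []}
    for rule in rules:
        buckets[classify(rule, min_alert_level)].append(rule["title"])
    return buckets


# Constructed sample rules covering the interesting combinations.
SAMPLE_RULES = [
    {"title": "Mimikatz Command Line", "level": "critical", "status": "stable"},
    {"title": "Suspicious PowerShell Download", "level": "high", "status": "testing"},
    {"title": "Rare Scheduled Task Name", "level": "medium", "status": "stable"},
    {"title": "Unusual Parent of svchost", "level": "high", "status": "experimental"},
    {"title": "Old Log Source Rule", "level": "high", "status": "deprecated"},
    {"title": "Rule Without Level", "status": "stable"},
]

if __name__ == "__main__":
    for target, titles in plan(SAMPLE_RULES).items():
        print(f"{target:5s}: {titles}")
```

Missing or unrecognised metadata is deliberately routed to skip rather than query: a rule whose author never assigned a level has not been through the review that the Stable/Testing labels imply, and defaulting it into production hides that gap.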

Key Bug Fixes & Improvements


With this release, we’ve made the following key bug fixes and improvements:

  • Enhanced the Boost Your Role-Based Platform Experience pop-up, in particular, we’ve added scrolling for a better user experience.

  • Fixed the issue with the Chat button in Cyber Library. Now, the whole area of the button is clickable.

  • Replaced the down arrow with the up arrow next to the Show less button on a content item page for a better user experience.

  • On the Leaderboards page, the vertical axis of the Release Dynamics chart now shows only integers.

  • Fixed the pop-up issue with Sigma detections containing multiple log sources. Previously, when such content was translated and deployed to a Chronicle Security instance and some of the log sources failed, the deployment errors were shown in a success pop-up, which confused users. Now the pop-up type always matches its content.

  • Related to the CCM functionality

    • Fixed the issue with excessively long titles. The pop-up for editing a content item from an inventory list is now titled Edit Content. Previously, the content item name was used as the title, which caused layout problems when the name was too long.

    • Fixed the truncation issue on a pop-up prompting a user to switch to a corporate email. Before the release, the pop-up text was truncated.

    • Fixed a minor layout bug on the Deployment Result pop-up.
