SOC Prime Platform Product Release Notes 5.0.4

Written by Sergey Bayrachny

November 3, 2021

© 2021 SOC Prime Inc.

All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

Content Quality Enhancements


At SOC Prime, we’re constantly striving to improve the content quality when translating Sigma behavior-based detections to various SIEM and XDR language formats.

Azure Sentinel Translation Improvements


To ensure correct conversion, we've enhanced processing of the EventID field in Sigma detections for Windows security events by changing the data type of the corresponding field in the Azure Sentinel language format.

Chronicle Security Translation Improvements


With this release, we've made the following enhancements to the translation into the Chronicle Security language format:

  • Improved conversion of logical operator combinations. This prevents incorrect use of parentheses in logical expressions, ensuring proper syntax for Chronicle Security Rules.

  • Introduced the following translation enhancements for Chronicle Security Queries:

    • Updated processing of multiple mapping for the ObjectName field to prevent incorrect syntax in the translation.

    • Removed quotation marks that had been used around values of the fields with modifiers like contains, startswith, or endswith to ensure correct interpretation by the target platform.

  • Updated the logic of escaping special characters in the translations. Now, escaping is applied only in the fields that include regular expressions, for example, where the source Sigma detection has modifiers like contains, startswith, or endswith.

  • Enhanced the mapping of the EventID field in Sigma detections where the log source product is windows and the service is sysmon. Now we use the following values for the indicated event IDs:

    • 1 — "Process Create [1]"

    • 2 — "A process changed a file creation time [2]"

    • 3 — "Network connection [3]"

    • 4 — "Sysmon service state changed [4]"

    • 5 — "Process terminated [5]"

    • 6 — "Driver loaded [6]"

    • 7 — "Image loaded [7]"

    • 8 — "CreateRemoteThread [8]"

    • 9 — "RawAccessRead [9]"

    • 10 — "ProcessAccess [10]"

    • 11 — "FileCreate [11]"

    • 12 — "Registry object added or deleted [12]"

    • 13 — "Registry Value Set [13]"

    • 14 — "Registry Key and Value Rename [14]"

    • 15 — "File Stream Created [15]"

    • 16 — "ServiceConfigurationChange [16]"

    • 17 — "Pipe Created [17]"

    • 18 — "Pipe Connected [18]"

    • 19 — "WmiEventFilter activity detected [19]"

    • 20 — "WmiEventConsumer activity detected [20]"

    • 21 — "WmiEventConsumerToFilter activity detected [21]"

    • 22 — "DNS query [22]"

    • 23 — "File Delete [23]"

    • 24 — "Clipboard changed [24]"

    • 25 — "ProcessTampering [25]"

    • 255 — "Error [255]"

  • Introduced an additional safeguard to avoid incorrect conversion. Now we do not generate translations into Chronicle Security if there is no field mapping.
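The following Python model is an added illustration of the translation rules listed above (logical-operator grouping, Sysmon EventID mapping, escaping applied only to regex-style modifiers, unquoted regex values, and the refusal to translate when a field has no mapping). It is not SOC Prime's translation engine: the Sigma-to-target field mapping, the `field = /regex/` and `field = "literal"` output shapes, and the treatment of a detection as a list of OR-ed selections are simplifying assumptions made for this example. Only the Sysmon EventID table is taken from the release notes.

```python
import re

# Sysmon EventID -> value used in the Chronicle translation, as listed in these release notes.
SYSMON_EVENT_NAMES = {
    1: "Process Create [1]",
    2: "A process changed a file creation time [2]",
    3: "Network connection [3]",
    4: "Sysmon service state changed [4]",
    5: "Process terminated [5]",
    6: "Driver loaded [6]",
    7: "Image loaded [7]",
    8: "CreateRemoteThread [8]",
    9: "RawAccessRead [9]",
    10: "ProcessAccess [10]",
    11: "FileCreate [11]",
    12: "Registry object added or deleted [12]",
    13: "Registry Value Set [13]",
    14: "Registry Key and Value Rename [14]",
    15: "File Stream Created [15]",
    16: "ServiceConfigurationChange [16]",
    17: "Pipe Created [17]",
    18: "Pipe Connected [18]",
    19: "WmiEventFilter activity detected [19]",
    20: "WmiEventConsumer activity detected [20]",
    21: "WmiEventConsumerToFilter activity detected [21]",
    22: "DNS query [22]",
    23: "File Delete [23]",
    24: "Clipboard changed [24]",
    25: "ProcessTampering [25]",
    255: "Error [255]",
}

# Constructed Sigma-field -> target-field mapping; a stand-in for the example, not a real mapping table.
FIELD_MAP = {
    "EventID": "metadata.product_event_type",
    "Image": "principal.process.file.full_path",
    "CommandLine": "principal.process.command_line",
    "TargetFilename": "target.file.full_path",
}

# Sigma modifiers that become regular expressions on the target side (the only place escaping applies).
REGEX_MODIFIERS = {"contains": ".*{}.*", "startswith": "{}.*", "endswith": ".*{}"}


class NoFieldMappingError(ValueError):
    """Raised instead of emitting a query when a Sigma field has no target mapping."""


def translate_term(sigma_field, value, logsource):
    """Translate one Sigma `field|modifier: value` pair into a single target term."""
    field, _, modifier = sigma_field.partition("|")
    if field not in FIELD_MAP:
        raise NoFieldMappingError(f"no mapping for Sigma field {field!r}")
    target = FIELD_MAP[field]
    # Sysmon EventIDs are replaced by their descriptive values; other log sources keep the number.
    if field == "EventID" and logsource == ("windows", "sysmon"):
        value = SYSMON_EVENT_NAMES[int(value)]
    if modifier in REGEX_MODIFIERS:
        # Escape regex metacharacters only for regex modifiers, and emit the pattern unquoted.
        pattern = REGEX_MODIFIERS[modifier].format(re.escape(str(value)))
        return f"{target} = /{pattern}/"
    # Exact match: quoted literal, no escaping.
    return f'{target} = "{value}"'


def join_group(parts, operator):
    """Combine terms with one operator; parentheses only when there is something to group."""
    return parts[0] if len(parts) == 1 else "(" + f" {operator} ".join(parts) + ")"


def translate_selection(selection, logsource):
    """AND all terms of one selection; a list value becomes its own OR group."""
    terms = []
    for sigma_field, value in selection.items():
        values = value if isinstance(value, list) else [value]
        terms.append(join_group([translate_term(sigma_field, v, logsource) for v in values], "OR"))
    return join_group(terms, "AND")


def translate_rule(rule):
    """Translate a minimal rule (selections OR-ed together); return None when any field is unmapped."""
    logsource = (rule["logsource"].get("product"), rule["logsource"].get("service"))
    try:
        groups = [translate_selection(sel, logsource) for sel in rule["detection"]]
    except NoFieldMappingError:
        return None  # safeguard: no translation rather than a wrong one
    return join_group(groups, "OR")


if __name__ == "__main__":
    # Constructed sample rule for a stand-alone run.
    sample = {"logsource": {"product": "windows", "service": "sysmon"},
              "detection": [{"EventID": [1, 5], "Image|endswith": "\\Temp\\update.exe"}]}
    print(translate_rule(sample))
```

The check worth keeping from this model is the asymmetry in `translate_term`: a value such as `\Temp\update.exe` is escaped only when it feeds a regex, while the same value under an exact-match field is emitted as a quoted literal untouched, so a backslash never gets doubled in a field that is not a regex.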

Elastic Stack Translation Improvements


In the SOC Prime Platform v. 5.0.4, we've improved conversion of Sigma detections into the Elastic Stack Query format. Now, the queries do not contain the *.keyword element, which was previously included in some content for this platform.

Parsing Configuration Improvements


With this release, we've improved parsing configuration files to enhance processing of parentheses and conditions. This will ensure there won’t be any log source duplicates in the future translations for such platforms as ArcSight, CrowdStrike, Elastic, FireEye Helix, Humio, Splunk, LogPoint, Logstash, RSA NetWitness, Microsoft PowerShell, QRadar, Securonix, and Sumo Logic.

QRadar Translation Improvements


To improve the conversion of the keyword field in Sigma detections, we've updated the structure of the corresponding field in the QRadar language format. This ensures that the keywords are correctly processed by the target platform.

Continuous Content Management Module Updates


Increased Content Limit for Dynamic Lists and Jobs


To strike a balance between the needs of security professionals and the capacities of their platforms, we've increased the limit of content items in a Dynamic List to 500. We’ve also extended the limit to the corresponding jobs to ensure all items in a Dynamic List can be deployed.

Logical Operator Selection in Dynamic Content Lists


To provide security professionals with a wider range of capabilities, we've added a new toggle switch to the settings of a Dynamic Content List that lets you choose the logical operator used to combine tags.

With OR, content matching any of the tags may be included/excluded, while with AND, the content has to match all the tags.

In the Content Lists created before the introduction of this functionality, tags were combined with the OR operator.

Platform Filter in Dynamic Content Lists


To enable security professionals to make Dynamic Lists more content-specific, we've added a new filter that allows selecting one or multiple platforms the content should be intended for.

Currently, we support the following platforms:

  • Azure Sentinel Rule

  • Azure Sentinel Query

  • Elastic Rule Alert

  • Elastic Watcher Alert

  • Chronicle Security Rule

  • Humio Alert

  • Splunk Saved Search

  • Sumo Logic Query

  • Sumo Logic CSE Rule

Updates to Continuous Content Management API


We've updated an API to reflect the following new functionality added to the Continuous Content Management (CCM) module with this release:

  • Added a platform filter

  • Increased the content limit for Dynamic Lists and Jobs to 500 items

  • Enabled logical operator selection for including and excluding tags
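As an added example of the three Dynamic List behaviours described in this section (the 500-item limit, AND/OR tag combination for both include and exclude tags, and the platform filter), the Python model below evaluates a Dynamic List against a constructed content catalog. It is not the CCM module or its API: the `ContentItem` shape, the sample catalog, and the reading that a platform filter keeps an item intended for any of the selected platforms are assumptions for this example; the limit value and the platform names are the ones stated in the release notes.

```python
from dataclasses import dataclass

DYNAMIC_LIST_LIMIT = 500  # content item limit for a Dynamic List and its Jobs in this release

# Platforms a Dynamic List can be restricted to, as listed in the release notes.
SUPPORTED_PLATFORMS = frozenset({
    "Azure Sentinel Rule", "Azure Sentinel Query",
    "Elastic Rule Alert", "Elastic Watcher Alert",
    "Chronicle Security Rule", "Humio Alert", "Splunk Saved Search",
    "Sumo Logic Query", "Sumo Logic CSE Rule",
})


@dataclass(frozen=True)
class ContentItem:
    """Hypothetical content item: a name, its tags, and the platforms it is intended for."""
    name: str
    tags: frozenset
    platforms: frozenset


def tags_match(item_tags, tags, operator):
    """OR: the item carries any of the tags; AND: the item carries all of them."""
    tags = frozenset(tags)
    if operator == "AND":
        return tags <= item_tags
    if operator == "OR":
        return bool(tags & item_tags)
    raise ValueError(f"unknown operator {operator!r}")


def build_dynamic_list(catalog, include_tags=(), exclude_tags=(), operator="OR",
                       platforms=(), limit=DYNAMIC_LIST_LIMIT):
    """Return (selected item names, number of matching items dropped by the limit)."""
    platforms = frozenset(platforms)
    unknown = platforms - SUPPORTED_PLATFORMS
    if unknown:
        raise ValueError(f"unsupported platform filter: {sorted(unknown)}")
    selected = []
    for item in catalog:
        # Include tags: with no tags configured there is no constraint.
        if include_tags and not tags_match(item.tags, include_tags, operator):
            continue
        # Exclude tags use the same operator: with AND an item is dropped only if it has all of them.
        if exclude_tags and tags_match(item.tags, exclude_tags, operator):
            continue
        # Platform filter: keep items intended for any selected platform (assumption).
        if platforms and not (platforms & item.platforms):
            continue
        selected.append(item.name)
    return selected[:limit], max(0, len(selected) - limit)


# Constructed sample catalog.
SAMPLE_CATALOG = [
    ContentItem("A", frozenset({"windows", "sysmon"}), frozenset({"Splunk Saved Search"})),
    ContentItem("B", frozenset({"windows", "network"}), frozenset({"Chronicle Security Rule"})),
    ContentItem("C", frozenset({"linux"}), frozenset({"Splunk Saved Search", "Humio Alert"})),
    ContentItem("D", frozenset({"windows", "sysmon", "experimental"}), frozenset({"Splunk Saved Search"})),
]

if __name__ == "__main__":
    print(build_dynamic_list(SAMPLE_CATALOG, include_tags={"windows", "sysmon"}, operator="AND",
                             exclude_tags={"experimental"}))
```

The point to notice is that the operator applies to the exclude tags as well: with AND, an exclude list of two tags removes only items that carry both, which is a narrower exclusion than the OR behaviour that pre-existing lists were created with.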

CTI.Uncoder.IO Improvements


With the latest release, we've enriched the CTI.Uncoder.IO page with key information about its functionality and value and its respect for privacy and ownership rights, and highlighted the extended capabilities available to registered users who leverage Uncoder CTI as part of the SOC Prime Platform.

Localization Updates


We've updated the error message that appears in the Role and Platform section when no role or more than two roles are selected. Now it reads “Select one or two options that represent your main roles in your organization. This will boost your role-based platform experience.”

MITRE ATT&CK® Coverage Improvements


In the SOC Prime Platform release v. 5.0.4, we've redesigned the architecture of the MITRE ATT&CK Coverage page, enhancing the process of data preparation and output.

The new architecture significantly improves the performance on this page, which may be especially important for organizations with large amounts of data. Increased data loading speed helps streamline the overall platform experience.

Platform Guide Updates


With this release, we've made some minor updates to the Platform Guide to improve grammar and make the references to the Threat Detection Marketplace clearer and more accurate.

Uncoder CTI Improvements


We've improved the usability of search in Uncoder CTI, reducing the number of steps when there is no configured environment. Now, after clicking the Search on your platform button, the Environments pop-up appears where you can directly set up your environment.

User Settings Menu


With this release, we've updated the User Settings menu to simplify it, make the labels consistent throughout the UI, and remove navigation items that are available in other parts of the Platform.

Key Bug Fixes & Improvements


With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:

  • Fixed the bug with the invited teammate status. Previously, if the user invited a teammate who had already been added to the user's company, the Platform showed the invited person with a Pending status in the Invite Your Team section. Now, the form shows a validation error with the message User exists.

  • Fixed the scrolling issue in the MITRE ATT&CK element. Previously, the page did not scroll up automatically after switching to another tab in the MITRE ATT&CK info pop-up.

  • Improved the scrolling bar functionality on the filters pane of the Advanced Search element. Now the bar can be controlled by dragging.

  • Removed empty areas that briefly overlapped the options after opening the preset selection drop-down in the Presets pop-up.

  • Resolved the issue with Presets for Azure Sentinel Rules as part of the CCM module. Previously, Presets linked to Jobs couldn't be applied during deployment to this platform.

  • Corrected wording in the Remove Content items marked as deleted? pop-up. Previously, the message mentioned Azure Sentinel/Elastic Cloud regardless of the actual SIEM environment selected at the moment.

  • Fixed the bug with opening EULA. Previously, clicking SOC Prime Platform EULA in the footer of the Cyber Library page could result in an error message.

  • Resolved the issue with scrolling the notification list.