
SOC Prime Platform Product Release Notes 5.0.2

Written by Sergey Bayrachny

October 6, 2021

© 2021 SOC Prime Inc.

All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

Content Quality Enhancements


At SOC Prime, we’re constantly striving to improve the content quality when translating Sigma behavior-based detections to various SIEM, EDR, and NTDR language formats.

Azure Sentinel Translation Improvement


To ensure correct translation into the Azure Sentinel Rule and Query formats, we've updated the operators used for empty values:

  • isnull() was replaced with isempty()

  • isnotnull() was replaced with isnotempty()

In KQL, isnull() is true only for a null value, while isempty() is also true for an empty string. Because Kusto string columns are never null, a Sigma null-value condition translated as isnull() on a string field could never match; isempty() covers both cases.
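The following Python sketch is an added example, not SOC Prime's translator, of how the empty-value case changes the rendered KQL. It takes a Sigma-style detection block (selections plus a condition), renders each field as a KQL predicate, and emits isempty() for a null value (the post-5.0.2 form) or isnull() (the pre-5.0.2 form) for comparison. It only covers Sentinel/KQL and says nothing about the Chronicle change. The target table name, the detection block, the subset of Sigma modifiers handled, and the case-insensitive operator choices are assumptions made for the example.

```python
"""Minimal Sigma-to-KQL rendering that shows the empty-value change (illustrative only)."""
import re
from typing import Any, Dict

# Assumption: the translated rule is run against this table; it is not a SOC Prime mapping.
DEFAULT_TABLE = "SecurityEvent"

# Sigma value modifiers handled here and the (case-insensitive) KQL operators they map to.
MODIFIER_OPS = {"contains": "contains", "startswith": "startswith", "endswith": "endswith"}


def kql_literal(value: Any) -> str:
    """Render a Sigma scalar as a KQL literal: numbers and bools bare, strings quoted and escaped."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def render_field(spec: str, value: Any, use_isempty: bool = True) -> str:
    """Translate one Sigma `field|modifier: value` pair into a KQL predicate.

    Sigma semantics assumed: a null value means the field is absent or empty,
    a list means any of the listed values, and string matching is case-insensitive.
    """
    field, _, modifier = spec.partition("|")
    if value is None:
        if modifier:
            raise ValueError(f"null value cannot take a modifier: {spec}")
        # Kusto string columns are never null, so isnull(field) can never match a string
        # field; isempty(field) is true for both null and "" (the post-5.0.2 form).
        return f"isempty({field})" if use_isempty else f"isnull({field})"
    if modifier:
        op = MODIFIER_OPS.get(modifier)
        if op is None:
            raise ValueError(f"unsupported modifier: {modifier}")
        values = value if isinstance(value, list) else [value]
        preds = [f"{field} {op} {kql_literal(v)}" for v in values]
        return preds[0] if len(preds) == 1 else "(" + " or ".join(preds) + ")"
    if isinstance(value, list):
        numeric = all(isinstance(v, (int, float)) and not isinstance(v, bool) for v in value)
        op = "in" if numeric else "in~"          # in~ is the case-insensitive form
        return f"{field} {op} ({', '.join(kql_literal(v) for v in value)})"
    op = "==" if isinstance(value, (int, float)) else "=~"   # =~ is case-insensitive equality
    return f"{field} {op} {kql_literal(value)}"


def render_condition(detection: Dict[str, Any], use_isempty: bool = True) -> str:
    """Expand a Sigma condition such as `selection and not filter` into a KQL boolean expression.

    Each named selection is wrapped in parentheses and `not` is rendered as the KQL not()
    function, so a negation always binds to exactly the selection it was written for.
    """
    out = []
    for tok in re.findall(r"\(|\)|\w+", detection["condition"]):
        if tok in ("and", "or"):
            out.append(f" {tok} ")
        elif tok == "not":
            out.append("not")         # the next token (a selection or "(") supplies the parentheses
        elif tok in ("(", ")"):
            out.append(tok)
        elif tok != "condition" and tok in detection:
            preds = [render_field(k, v, use_isempty) for k, v in detection[tok].items()]
            out.append("(" + " and ".join(preds) + ")")
        else:
            raise ValueError(f"unsupported condition token: {tok}")
    return "".join(out)


def sigma_to_kql(detection: Dict[str, Any], table: str = DEFAULT_TABLE, use_isempty: bool = True) -> str:
    """Render a whole detection block as a KQL query against `table`."""
    return f"{table} | where {render_condition(detection, use_isempty)}"


# Constructed detection block, not a published Sigma rule: rundll32 started with an empty
# command line, unless it came from svchost under one of two well-known logon IDs.
EXAMPLE_DETECTION = {
    "selection": {"Image|endswith": "\\rundll32.exe", "CommandLine": None},
    "filter": {"ParentImage|endswith": "\\svchost.exe", "LogonId": ["0x3e7", "0x3e4"]},
    "condition": "selection and not filter",
}

if __name__ == "__main__":
    print(sigma_to_kql(EXAMPLE_DETECTION))                      # post-5.0.2: isempty(CommandLine)
    print(sigma_to_kql(EXAMPLE_DETECTION, use_isempty=False))   # pre-5.0.2: isnull(CommandLine)
```

Running the block prints the same query twice, differing only in isempty(CommandLine) versus isnull(CommandLine); only the first form can ever match a string column in Sentinel. Anything outside the handled subset (aggregation conditions such as "1 of them", modifiers other than contains/startswith/endswith) raises rather than silently producing a query with different semantics.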

Chronicle Security Translation Improvement


To improve translation into the Chronicle Security language format, we've enhanced the handling of the AND NOT operator so that Sigma detections using it are no longer parsed incorrectly.

Continuous Content Management Module Updates


New Option in Content List Creation


To give content list authors more control over their lists, we've introduced a new option in the Add Content List pop-up. By selecting the corresponding checkbox, the author can allow other people from their company to edit the new list.

Option Filtering Depending on Platform


To improve the user experience, we've introduced automatic filtering for drop-down options in the Custom Field Mapping, Config, and Rule Presets fields on the Create Job pop-up. Now, the drop-downs show only those options that are related to the currently selected platform.

Drilling down to Techniques and Sub-Techniques


To enable security professionals to instantly check information about MITRE ATT&CK® techniques and sub-techniques, we've added the ability to drill down to these elements on content item pages and in Quick Hunt.

Clicking on a MITRE ATT&CK element opens a pop-up with the same information that is available in the MITRE ATT&CK visualization.

Exclusion in Content Action State Filter


With this release, we've added the Exclude or Include feature to the Content Action State filter on the Advanced Search page.

This new functionality makes filtering even more powerful, helping security professionals see exactly what they need. Now, using the Exclude or Include toggle switch, you can exclude from your search results the content that you have viewed, deployed, or downloaded manually or via API.

Interactive Tours


To introduce the core SOC Prime Platform functionality to the users, we've added quick interactive tours that start when you open the home page or one of the elements for the first time. With these concise yet informative tours, you can get the basic idea of the main Platform elements in several clicks.

For example, the interactive tour for Quick Hunt starts with the following message:

CTI.Uncoder.IO


This release introduces a public version of Uncoder CTI, a unique tool for generating IOC queries on the fly, which is available for free and without registration.

The public version lets cybersecurity professionals try the tool and see what it does. For its extended capabilities, for example drilling down from a generated query to hunt for the IOCs in your organization's environment, use Uncoder CTI within the SOC Prime Platform.

Localization Updates


To improve the user experience, we've replaced the API Downloaded label with Downloaded via API across the SOC Prime Platform.

Log Source Coverage and MITRE ATT&CK® Coverage Improvements


UI Improvements in Log Source Coverage


With this release, we've made some UI improvements to the Log Source Coverage page:

  • Removed the Event ID pill from services without defined event IDs

  • Replaced the Not Defined label with a dash for not defined event IDs

Drilling down to Unexplored Content Items


We've added the ability to drill down to unexplored content on both the Log Source Coverage and MITRE ATT&CK Coverage pages.

By clicking the number of unexplored content items, you can go to Advanced Search and see all the corresponding detections.

Quick Hunt Improvements


To expand the capabilities of cybersecurity professionals, with this latest release, we've added content sorting with the following options:

  • Updated — by the content update date

  • Released — by the content release date

  • Trending Now — by the content popularity across the community

Search Profile Sharing Improved


We've improved the logic of Search Profile sharing. Now, if a user moves to a different company, the Search Profiles they had shared with their previous team automatically become personal and are no longer visible to members of that team.

SOC Prime Website Updates


To keep consistency with https://socprime.com/ and my.socprime, in this release we’ve added the Industry Recognition page link to the header and footer navigation at:

Sub-Technique IDs in Filter


To make references to MITRE ATT&CK sub-techniques unambiguous, we've added their IDs to the Techniques filter on the Advanced Search page. Some sub-techniques share a name but belong to different techniques (for example, Cloud Accounts is a sub-technique of both Valid Accounts, T1078.004, and Create Account, T1136.003), so the ID is needed to tell them apart.

Uncoder CTI Improvements


New Supported Platform


As part of our continuous effort to expand the range of security technologies supported by the SOC Prime Platform, we've expanded Uncoder CTI with the ability to generate queries for Chronicle Security and drill down to the corresponding environment.

Improved IOC Recognition


To ensure that IOCs of different types are identified regardless of the characters around them in the uploaded text, we've improved the IOC recognition procedure in this release.

New Option


To make IOC recognition more precise, we've added the Exclude Private & Reserved Networks option to Uncoder CTI. When enabled, Uncoder CTI ignores addresses in private and reserved ranges, such as 127.0.0.0/8 (loopback) or 224.0.0.0/4 (multicast), during IOC recognition, so that such addresses do not end up in the generated queries.
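As an added example, not Uncoder CTI's own code, the Python below shows the two behaviours described in this section: recognising IOCs regardless of the characters around them (including common defanging such as hxxp and [.]) and dropping private and reserved addresses. It goes a little beyond the page by also extracting domains and MD5/SHA-1/SHA-256 hashes and by rendering a simple Splunk-style query, and by having a type with no hits contribute nothing rather than fail. The address classification comes from the standard ipaddress module and includes the 224.0.0.0/4 and 127.0.0.0/8 ranges the page names. The report text, the regexes, the file-extension list and the SPL field names are constructed assumptions for the example.

```python
"""IOC extraction with an 'exclude private & reserved networks' switch (illustrative only)."""
import ipaddress
import re
from typing import Dict, List

# Defanging conventions seen in threat reports, undone before matching so that surrounding
# brackets do not hide an IOC; each pair is (regex, replacement).
DEFANG_RULES = [(r"\[\.\]", "."), (r"\(\.\)", "."), (r"\{\.\}", "."), (r"\[:\]", ":"), (r"hxxp", "http")]

# A dotted quad that is not part of a longer dotted-number run; octet range is checked by ipaddress.
IPV4_RE = re.compile(r"(?<!\d)(?<!\d\.)(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")
DOMAIN_RE = re.compile(r"(?<![\w.-])(?:[a-z0-9-]+\.)+[a-z]{2,63}(?![\w-])", re.IGNORECASE)
HASH_RES = {
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "sha1": re.compile(r"\b[a-fA-F0-9]{40}\b"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
}
# Final labels far more likely to be file extensions than TLDs (assumption, extend as needed).
FILE_EXTENSIONS = {"exe", "dll", "php", "txt", "ps1", "bat", "lnk", "doc", "docx", "pdf"}


def refang(text: str) -> str:
    """Undo the defanging conventions above so that a[.]b and hxxp:// match like normal text."""
    for pattern, repl in DEFANG_RULES:
        text = re.sub(pattern, repl, text, flags=re.IGNORECASE)
    return text


def is_private_or_reserved(ip: str) -> bool:
    """True for RFC 1918, loopback, link-local, multicast (224.0.0.0/4), reserved and unspecified addresses."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def extract_iocs(text: str, exclude_private: bool = True) -> Dict[str, List[str]]:
    """Return de-duplicated IOCs by type, in order of first appearance."""
    text = refang(text)
    found: Dict[str, List[str]] = {"ipv4": [], "domain": [], "md5": [], "sha1": [], "sha256": []}
    for candidate in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(candidate)        # rejects octets above 255
        except ValueError:
            continue
        if exclude_private and is_private_or_reserved(candidate):
            continue                                # the 'Exclude Private & Reserved Networks' behaviour
        found["ipv4"].append(candidate)
    for domain in DOMAIN_RE.findall(text):
        domain = domain.lower()
        if domain.rsplit(".", 1)[1] in FILE_EXTENSIONS:
            continue                                # "p.php" is a file name, not a domain
        found["domain"].append(domain)
    for kind, pattern in HASH_RES.items():
        found[kind].extend(h.lower() for h in pattern.findall(text))
    return {kind: list(dict.fromkeys(values)) for kind, values in found.items()}


# Assumption: illustrative SPL field names, not SOC Prime's per-platform field mappings.
SPL_FIELDS = {"ipv4": "dest_ip", "domain": "query", "md5": "file_hash", "sha1": "file_hash", "sha256": "file_hash"}


def build_spl_query(iocs: Dict[str, List[str]]) -> str:
    """Render one OR-joined Splunk search; IOC types with no hits simply add no clause."""
    clauses = []
    for kind, field in SPL_FIELDS.items():
        values = iocs.get(kind) or []
        if values:
            clauses.append("(" + " OR ".join(f'{field}="{v}"' for v in values) + ")")
    if not clauses:
        raise ValueError("no IOCs recognised in the input")
    return "index=* " + " OR ".join(clauses)


# Constructed report text for the example; the hashes are those of the empty string.
SAMPLE_REPORT = """
The dropper beaconed to hxxp://update[.]evil-cdn[.]net/p.php
and 93[.]184[.]216[.]34, then moved laterally via 10.0.0.12 and 192.168.1.5.
The pcap also shows mDNS to 224.0.0.251 and a loopback connection from 127.0.0.1.
Payload SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
(MD5 d41d8cd98f00b204e9800998ecf8427e).
"""

if __name__ == "__main__":
    print(extract_iocs(SAMPLE_REPORT, exclude_private=False)["ipv4"])   # all five addresses
    print(extract_iocs(SAMPLE_REPORT)["ipv4"])                          # only 93.184.216.34
    print(build_spl_query(extract_iocs(SAMPLE_REPORT)))
```

Two caveats worth knowing before reusing the classification: Python's is_private also covers the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and the benchmarking range 198.18.0.0/15, so sample addresses from RFC 5737 are dropped as well; and the IPv4 regex accepts any well-formed dotted quad, so a version string with four components would be treated as an address unless it happens to be non-routable.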

Key Bug Fixes & Improvements


With this release, we’ve made the following key bug fixes and improvements:

  • Fixed a layout bug on the MITRE ATT&CK Coverage page. Previously, the charts under the Overview section did not resize correctly on large resolutions.

  • Resolved the issue that hindered correct displaying of the Severity and Status metrics for content.

  • Fixed an alignment bug on the Advanced Search page. Previously, the sorting drop-down was not aligned at the right side on some tablet resolutions.

  • Resolved an issue in Advanced Search. Previously, the search type and the number of content items on the page were reset to default after drilling down to a content item.

  • Fixed the bug with drop-downs on the Create Search Profile and Rule Presets pop-ups. Previously, two empty areas were displayed over the options of the drop-downs, making selection difficult.

  • Made the name of the MITRE ATT&CK Coverage page display in full on the home page. Previously, it was truncated to MITRE ATT&CK, which could be confusing, since the Discover category includes another MITRE ATT&CK page with a different purpose and value.

  • Updated font styles for the Overall Coverage Over Time chart on the Dashboard page and the Top Authors chart on the Leaderboards page to keep fonts consistent across the SOC Prime Platform.

  • Improved position of the pagination block in the Author Statistics section of the Leaderboards page. We aligned this block with the bottom edge to keep the design consistent across the SOC Prime Platform.

  • Fixed the bug with the anchor links to the Platform Guide. Previously, they did not work correctly and opened the default page of the Guide.

  • Repositioned the iFrame element of the chat button, which previously was offset and hindered interaction with the Platform.

  • Fixed the destination of the link within the Information button under the API Access section of the Automate page. Previously, the link led to the default page of the Platform Guide instead of its API section.

  • Corrected the style of the header navigation elements in the hovered state on the Quick Hunt page.

  • Added background for the Role and Platform icon in the header navigation.

  • Fixed the footer layout on the SOC Prime Consent page.

  • Resolved the issue with the hash type validation feature in Uncoder CTI. Previously, the IOC query generation did not work correctly if the uploaded content did not contain any hashes.

  • Corrected the Team Members page name in the breadcrumbs.

  • Fixed sorting in the Timeline of content items. Previously, the elements of the Timeline were not always displayed in the time-based order.

  • Fixed alignment of the validation error message in Uncoder CTI. Previously, the message was offset to the right.

  • Resolved a bug in Uncoder CTI. Previously, if the Generate Queries by IOC Types field was empty during the first generation attempt, it resulted in a validation error which persisted during the following attempts even after the correct values had been selected in the field.

  • Fixed the footer height on the Dashboard page. Now, the footer stays at the bottom even on large screen sizes.

  • Fixed the Uncoder CTI bug with search in Splunk. Previously, when the Search button was clicked to send the generated query to Splunk, a pop-up appeared prompting to configure the deploy server even when the Splunk environment had been set up correctly. Clicking the link to the Environments page available in the pop-up resulted in opening the page without the Splunk tab selected.
