
SOC Prime Platform Product Release Notes 5.0.5

Written by Sergey Bayrachny

November 17, 2021

© 2021 SOC Prime Inc.

All rights reserved. This product and its related documentation are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or its related documentation may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and the features described herein are subject to change without notice.

Continuous Content Management API Integration Tool


With this release, we've renamed the “Threat Detection Marketplace API Integration Tool” to “Continuous Content Management API Integration Tool”, highlighting that the Tool is intrinsically related to the Continuous Content Management (CCM) module of the SOC Prime Platform. We've also significantly refactored the Tool's script to improve its usability:

  • Updated the configuration file structure

  • Added capability to define a separate Custom Field Mapping for each output without creating several script instances

  • Removed Kafka output

  • Changed parameters for existing inputs and outputs, for example, added the ability to skip failed rules to all outputs

  • Hid traceback for exceptions

Continuous Content Management API Updates


In the latest version of the SOC Prime Platform, we've made several updates to the Continuous Content Management API:

  • Removed the ability to download Sigma detections from all endpoints in new subscriptions. Existing users with access to the API will still be able to do this until their current license expires.

  • Removed /sigma and /sigma/{id} endpoints.

  • Added two service endpoints:

    • /mark-rules-as-deployed

    • /rule-trigger-metrics

Continuous Content Management Module Updates


Inventory


With this release, we've made the ability to run the Inventory script optional. If this script is disabled, content from the organization's SIEM or other security tool in use is not pulled to the Inventory via the CCM module. This way, security professionals can limit the content managed in CCM to detections downloaded from the Threat Detection Marketplace.

Accordingly, a successful run of the Inventory script during the last 24 hours is no longer required to run a job. However, content from the SOC Prime Platform is still checked for updates, and the availability of a newer version is indicated with a green arrow icon.

Bulk Update


We've changed the procedure of applying a Preset to content items from the related Job. Now, content items are updated in bulk instead of updating them one by one. This speeds up deploying the content to the organization's SIEM.

Log Source Coverage Improvements


To further empower security experts by enabling them to work with coverage data in external tools, we've added the capability to export data in the CSV format. To enable the export feature, security professionals need to apply a Search Profile.

MITRE ATT&CK® Coverage Improvements


We've added the ability to export coverage data in CSV or JSON. The format of the JSON files is consistent with the ATT&CK® Navigator tool for annotating and exploring ATT&CK matrices. Now, security professionals accustomed to this tool can use it to view coverage data that has been exported.

JSON files support the same color-coding for the deployed, downloaded via API, explored and unexplored content that is used in the MITRE ATT&CK Coverage visualization.

To enable the export feature, security professionals need to apply a Search Profile.
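As an added illustration (not part of the original release notes and not SOC Prime's own code), the script below reads an ATT&CK Navigator layer file, which is the JSON shape the coverage export described above is said to follow, and summarizes coverage by status and by tactic, then lists the techniques that have no deployed detection. The sample layer, the technique IDs and tactics in it, and the colour-to-status legend are constructed for this example; the actual colours used in the SOC Prime export are not given on this page, so `STATUS_BY_COLOR` is an assumption to be adjusted to the legend in the real export.

```python
import json
from collections import Counter, defaultdict

# Constructed sample: a minimal ATT&CK Navigator layer shaped like the JSON
# the release notes say the coverage export produces. Technique IDs, tactics,
# colours and version numbers are assumptions for this example, not values
# taken from a real SOC Prime export.
SAMPLE_LAYER = json.dumps({
    "name": "coverage-export-sample",
    "versions": {"attack": "10", "navigator": "4.5", "layer": "4.3"},
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1059", "tactic": "execution",
         "color": "#00aa00", "comment": "deployed"},
        {"techniqueID": "T1059.001", "tactic": "execution",
         "color": "#00aa00", "comment": "deployed"},
        {"techniqueID": "T1003", "tactic": "credential-access",
         "color": "#0000ff", "comment": "downloaded via API"},
        {"techniqueID": "T1021", "tactic": "lateral-movement",
         "color": "#ffaa00", "comment": "explored"},
        {"techniqueID": "T1486", "tactic": "impact",
         "color": "#cccccc", "comment": "unexplored"},
    ],
})

# Hypothetical colour legend mirroring the four statuses the release notes
# name (deployed, downloaded via API, explored, unexplored). Replace with the
# colours found in the real export before using this on production data.
STATUS_BY_COLOR = {
    "#00aa00": "deployed",
    "#0000ff": "downloaded",
    "#ffaa00": "explored",
    "#cccccc": "unexplored",
}


def load_layer(text):
    """Parse a Navigator layer and reject files missing the core layer keys."""
    layer = json.loads(text)
    for key in ("name", "versions", "domain", "techniques"):
        if key not in layer:
            raise ValueError(f"not a Navigator layer: missing {key!r}")
    return layer


def status_of(entry):
    """Map one technique entry's colour to a coverage status."""
    return STATUS_BY_COLOR.get(entry.get("color", "").lower(), "unknown")


def coverage_summary(text):
    """Count techniques per status overall and per tactic."""
    layer = load_layer(text)
    by_status = Counter()
    by_tactic = defaultdict(Counter)
    for entry in layer["techniques"]:
        status = status_of(entry)
        by_status[status] += 1
        by_tactic[entry.get("tactic", "unspecified")][status] += 1
    return {
        "by_status": dict(by_status),
        "by_tactic": {tactic: dict(c) for tactic, c in by_tactic.items()},
    }


def uncovered_techniques(text):
    """Technique IDs without a deployed detection: the gaps a SOC reviews first."""
    layer = load_layer(text)
    return sorted(e["techniqueID"] for e in layer["techniques"]
                  if status_of(e) != "deployed")


if __name__ == "__main__":
    print(json.dumps(coverage_summary(SAMPLE_LAYER), indent=2))
    print("gaps:", uncovered_techniques(SAMPLE_LAYER))
```

Because the layer format carries one entry per technique (and sub-technique), the same summary runs unchanged over a full export; the only site-specific piece is the colour legend.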

MITRE ATT&CK® v.10


With this release, we've implemented support for the latest ATT&CK version, recently released by MITRE. The new framework features enhancements to data sources and data components, as well as new content and improvements to techniques, sub-techniques, groups, and software.

To reflect these important updates and enable security professionals to leverage them, we've aligned content on the SOC Prime Platform with the latest version of MITRE ATT&CK and introduced some new features:

  • New Data Components filter on the Advanced Search and Detection Engineering pages. Now you can filter the content by data components (specific properties/values of a data source) to find detections aligned with them.

  • New Data Sources tab in the MITRE ATT&CK Info pop-up. Here you can find details about the data sources and data components related to the selected tactic or technique.

  • The Data Components field in the Search Profile. It replaces the ATT&CK Data Sources field that was used previously.

  • New Data Components column on the Detection Engineering page. With this column, you can instantly see what data components are aligned with a given content item.

  • Data component tags on the Intelligence tab.

Quick Start Tour Usability


We've improved the usability of the Quick Start walk-through tour by adding an exit option to every step. Now you can close the pop-up at any moment without having to finish the tour.

Key Bug Fixes & Improvements


With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:

  • Resolved the issues with Custom Field Mapping for Community subscription:

    • Fixed cases where Community users could not create a Custom Field Mapping on the dedicated page under the Integrate category or apply it on the Code tab of a content item page.

    • Fixed sharing a Custom Field Mapping with the team, which didn't work properly in some cases.

  • Fixed scrolling on the notification pane. Now, you don't have to click on the pane to activate the scrolling feature.

  • Fixed the issue with Lucene search on the Advanced Search page. Now, all types of Lucene queries work properly.

  • Fixed the bug with background blurring in the CCM module. Previously, pagination elements were not always blurred properly when showing a pop-up.

  • Updated the GIF showcasing the capabilities of Presets to users with the Limited Access subscription.

  • Resolved the scrolling issue on the Detection Engineering page. Previously, the scrolling wouldn't work if the user tried to drag the scroll bar.

  • Updated labels for Uncoder CTI on the Upgrade page to keep consistency with localizations for other modules.

  • Updated the logic for selecting which tab is displayed after reloading an Alert or Query page. Now, the tab that was displayed before reloading shows up as expected. This improves usability on the Code tab, since the user doesn't have to repeat their previous actions, for example, selecting a platform or Custom Field Mapping.
