December 15, 2021
© 2021 SOC Prime Inc.
All rights reserved. This product and its related documentation are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or its related documentation may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and the features described herein are subject to change without notice.
Community Collaboration Page
With this latest release, we've updated the Community Collaboration page, introducing a Views balance in addition to the existing Downloads balance.
This empowers security professionals with the Community subscription to explore more content on our Platform.
Additional views are earned together with downloads. For example, by inviting a friend, the user now gets 50 views and 50 downloads rather than just 50 downloads.
Also, we've updated the layout of the Community Collaboration page, enhancing its usability.
Content Quality Enhancements
At SOC Prime, we’re constantly striving to improve the content quality when translating Sigma behavior-based detections to various SIEM, EDR, and XDR language formats.
Alternative Translations
With this latest release, we’ve added datamodel as a new alternative translation for Splunk. Now, it can be selected from the Config drop-down list on the Code tab.
We've also enriched alternative translations for ArcSight, Humio, and Chronicle Security with the zeek option.
Chronicle Security Rule Translation Improvements
With this latest release, we've made several updates to improve translations into this platform format:
Improved conversion of NOT logical statements for cases where a field has multiple values.
Enhanced conversion of double mapping (one Sigma field mapped to two target fields) by putting parentheses around the parts combined by the OR operator, so that surrounding AND and NOT operators apply to the whole group.
Resolved issues with cases where a dot or a backslash was not escaped with a backslash character.
QRadar Translation Improvements
To ensure that the Sigma detection translations into QRadar format are correct, we've improved the conversion of values in fields with the contains modifier. The update prevents adding a second backslash where only one is needed.
Azure Sentinel Translation Improvements
To avoid translations with a double (?i) condition in values defined as regular expressions, we've added a conversion exception for cases where the Sigma field already contains the (?i) condition.
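To make the Chronicle, QRadar, and Azure Sentinel translation fixes above concrete, here is an added Python example. It is not SOC Prime's translator and not the Sigma project's sigmac; it is a minimal renderer of a Sigma detection section into a simplified, illustrative subset of KQL (Azure Sentinel) and YARA-L (Chronicle) syntax. It demonstrates the four behaviours described in the notes: NOT applied to a field with multiple values is rendered as NOT over the whole parenthesised OR group; OR-combined parts are parenthesised so that AND/NOT bind correctly; a dot or backslash in a literal value is escaped with a backslash when the value becomes a regex; and an explicit (?i) already present in a Sigma regex is not prefixed a second time. The detection, field names, the `$e` event variable, and the use of KQL verbatim strings (`@"..."`, which keep backslashes literal so no second backslash is added) are assumptions made for this example.

```python
import re
from typing import Optional

# Constructed Sigma detection section for this example (not a SOC Prime or SigmaHQ rule).
# 'filter' has two values for one field, and the 're' value already carries an explicit (?i).
SAMPLE_DETECTION = {
    "selection": {
        "CommandLine|contains": "C:\\Windows\\Temp\\run.exe",
        "ParentImage|re": "(?i).*\\\\powershell\\.exe",
    },
    "filter": {"User": ["SYSTEM", "svc_backup"]},
    "condition": "selection and not filter",  # tokens must be space-separated
}

CONDITION_KEYWORDS = {"and", "or", "not", "(", ")"}

# Regex metacharacters that must be escaped when a literal Sigma value becomes a regex.
# The dot and the backslash are the two cases called out in the release notes.
_REGEX_META = re.compile(r"([.\\^$*+?{}\[\]|()])")


def regex_literal(value: str) -> str:
    """Escape a literal value for use inside a regex, so '.' and '\\' match themselves."""
    return _REGEX_META.sub(r"\\\1", value)


def case_insensitive(pattern: str) -> str:
    """Prefix a regex with (?i) unless the rule author already wrote it (avoids '(?i)(?i)...')."""
    return pattern if pattern.startswith("(?i)") else "(?i)" + pattern


def kql_verbatim(value: str) -> str:
    """KQL verbatim string literal: backslashes stay literal, only '"' is doubled."""
    return '@"' + value.replace('"', '""') + '"'


def render_term(field: str, value: str, modifier: Optional[str], target: str) -> str:
    """Render one field/value pair for the target (illustrative syntax subset)."""
    if target == "sentinel":
        if modifier == "re":
            return f"{field} matches regex {kql_verbatim(case_insensitive(value))}"
        if modifier == "contains":
            return f"{field} contains {kql_verbatim(value)}"
        return f"{field} =~ {kql_verbatim(value)}"
    if target == "chronicle":
        # YARA-L compares strings against regex literals, so plain values must be escaped;
        # a value written with the 're' modifier is passed through unchanged.
        if modifier == "re":
            return f"$e.{field} = /{value}/"
        if modifier == "contains":
            return f"$e.{field} = /{regex_literal(value)}/ nocase"
        return f"$e.{field} = /^{regex_literal(value)}$/ nocase"
    raise ValueError(f"unsupported target: {target}")


def render_selection(selection: dict, target: str) -> str:
    """Render a named Sigma selection: fields are ANDed, values of one field are ORed."""
    clauses = []
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        vals = values if isinstance(values, list) else [values]
        terms = [render_term(field, str(v), modifier or None, target) for v in vals]
        # Several values for one field form an OR group; parenthesise it so a surrounding
        # 'and' or 'not' applies to the whole group rather than to the first alternative.
        clauses.append(terms[0] if len(terms) == 1 else "(" + " or ".join(terms) + ")")
    return clauses[0] if len(clauses) == 1 else "(" + " and ".join(clauses) + ")"


def translate(detection: dict, target: str) -> str:
    """Substitute each selection name in the Sigma condition with its rendered expression."""
    out = []
    for token in detection["condition"].split():
        out.append(token if token in CONDITION_KEYWORDS else render_selection(detection[token], target))
    return " ".join(out)


if __name__ == "__main__":
    for tgt in ("sentinel", "chronicle"):
        print(f"[{tgt}] {translate(SAMPLE_DETECTION, tgt)}")
```

Running the script shows `not` applied to the whole `(User ... or User ...)` group, the Chronicle regex `/C:\\Windows\\Temp\\run\.exe/` with escaped backslashes and dot, and exactly one `(?i)` in the Sentinel regex even though the Sigma value already contained it.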
Continuous Content Management Improvements
Filter Improvement for Chronicle Rules
With this release, we've improved the Filter functionality in Presets for Chronicle Rules. Now, it is possible to use the in operator when defining the filtering conditions, for example: field in %list.
Readability Improvements
With this release, we've improved text readability throughout the SOC Prime Platform:
Changed the color of the text elements that had insufficient contrast with the background.
Switched to the Inter font family specifically tailored to computer screens.
Threat Bounty Navigation
With this release, we've changed the destination of the Threat Bounty block that can be found on the home page and in the navigation menu.
In the previous versions of the SOC Prime Platform, the link led to the login page of the Threat Bounty Developer Portal. This made it impossible for security experts to apply for the Threat Bounty Program after clicking the menu item.
Now, the link opens the Threat Bounty Program landing page where those wishing to participate can apply, and the existing members can directly go to the Portal.
Threat Bounty Portal Improvements
With this latest release, we’ve made two improvements to the Threat Bounty Portal functionality:
Updated the Sigmac version to ensure correct conversion of Sigma rules into various target formats.
Updated the YAML parser that allows processing Sigma rules with comments. Before this update, Sigma rules that contained comments in the source code caused errors and couldn’t be saved properly.
Key Bug Fixes & Improvements
With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:
Resolved the issue with the product tour pop-up overlapping the Boost Your Role-Based Platform Experience pop-up for existing users.
Resolved the issue with parsing regular expressions for Azure Sentinel translations. Previously, values in some regular expressions were enclosed in single quotation marks instead of double ones.
Fixed the application of Preset Filters to Chronicle Security detections based on Sigma rules with multiple log sources. Previously, there were cases where event names were not added to fields in the Filters during conversion.
Resolved several issues with the Continuous Content Management module:
Significantly improved performance of the Inventory script. Now it can retrieve large amounts of content from the target SIEM and does not return the error about the maximum limit being exceeded.
Fixed the issue with the Inventory script that sometimes resulted in the Socket closed error.
Fixed the issue with the Inventory Job on the History page. Previously the content count for the Job could be incorrect. Instead of showing the actual number, the count for each Job after the first one was just the count of the previous Job plus the count of the first Job.
Fixed the bulk update error that sometimes occurred when running a job with a preset.
