
SOC Prime Platform Product Release Notes 5.0.10

Written by Sergey Bayrachny

January 26, 2022

© 2022 SOC Prime Inc.

All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

Content Quality Enhancements


SentinelOne Events Query Translation Improvement


To ensure correct conversion of Sigma detections into the SentinelOne query format, we've corrected the syntax generated for the in contains anycase operator. The value list is now enclosed in parentheses, as the platform expects. For example:

TgtProcImageSha256 in contains anycase ("56a8d4f7009caf32c9e28f3df945a7826315254c")
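The following is an added example, not SOC Prime or SentinelOne code: a small renderer that emits the parenthesised in contains anycase form shown above, a checker that rejects the pre-fix form without parentheses, and a sanity check on hash values placed in hash-typed fields. Two points are assumptions not stated on this page: that several values are comma-separated inside the parentheses, and that embedded double quotes and backslashes are backslash-escaped. The expected digest lengths (SHA-256 = 64 hex characters, SHA-1 = 40, MD5 = 32) are general knowledge; note that the sample value on this page is 40 characters long, so the check flags it when paired with a Sha256 field.

```python
import re

# Added example (not SOC Prime / SentinelOne code). Renders and validates the
# parenthesised "in contains anycase" clause described in the 5.0.10 notes.
#
# Assumptions not taken from the page:
#   - multiple values are comma-separated inside the parentheses
#   - embedded '"' and '\' inside a value are backslash-escaped

_VALUE_RE = r'"(?:[^"\\]|\\.)*"'          # one double-quoted value with escapes
_CLAUSE_RE = re.compile(
    r'^[A-Za-z_][A-Za-z0-9_.]* in contains anycase \('
    + _VALUE_RE + r'(?:, ' + _VALUE_RE + r')*\)$'
)

# Hex-digest lengths for common hash field suffixes (general knowledge, not
# from the page). A hash landing in the wrong field silently matches nothing.
_DIGEST_LEN = {"sha256": 64, "sha1": 40, "md5": 32}
_HEX = set("0123456789abcdefABCDEF")


def _quote(value: str) -> str:
    """Double-quote a value, escaping backslashes and quotes (assumed rule)."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def render_in_contains_anycase(field: str, values) -> str:
    """Return '<field> in contains anycase ("v1", "v2", ...)'."""
    if isinstance(values, str):
        values = [values]
    if not values:
        raise ValueError("in contains anycase needs at least one value")
    return f"{field} in contains anycase ({', '.join(_quote(v) for v in values)})"


def is_well_formed(clause: str) -> bool:
    """True only for the parenthesised form; the old form without parentheses fails."""
    return _CLAUSE_RE.match(clause) is not None


def digest_length_ok(field: str, value: str):
    """For a field ending in sha256/sha1/md5, check the value is a hex digest of
    the right length. Returns None when the field is not a hash field."""
    for suffix, length in _DIGEST_LEN.items():
        if field.lower().endswith(suffix):
            return len(value) == length and all(c in _HEX for c in value)
    return None


if __name__ == "__main__":
    # Sample value taken from the release note above.
    sample = "56a8d4f7009caf32c9e28f3df945a7826315254c"
    clause = render_in_contains_anycase("TgtProcImageSha256", sample)
    print(clause)
    print("well-formed:", is_well_formed(clause))
    print("pre-fix form accepted:",
          is_well_formed(f'TgtProcImageSha256 in contains anycase "{sample}"'))
    print("digest length matches field:",
          digest_length_ok("TgtProcImageSha256", sample))
```

Running the script prints the clause exactly as it appears in the release note, reports the pre-fix form (no parentheses) as malformed, and reports the digest-length check as failing because a 40-character value is a SHA-1 length, not a SHA-256 length.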

Continuous Content Management


New Pagination Option


We've increased the maximum number of items that can be displayed per page on the Content Lists, History, and Inventory pages to 300.

The page size a user selects is remembered across sessions.

Retaining Customized Settings


In the SOC Prime Platform v. 5.0.10, the Platform now remembers the tab and pagination choices a user makes on the Content Lists page. These customized settings are retained across sessions.

Sorting on Content Lists Page


To improve usability, we've introduced sorting by column values on the Content Lists page. Sorting is available for the following columns:

  • Type

  • List Name

  • Author

  • Rule Count

  • Last Updated

The selected sorting settings are remembered as well.

Environments Improvements


With this release, we've introduced several improvements on the Environments page:

  • Made the design of all platform tabs consistent. The CCM (API Deploy) sub-tab is now displayed on every platform tab, and is grayed out on platforms that do not support API integration.

  • Made the tab name selected from the More menu visible on the page.

  • Removed the Chronicle Security URL field from the CCM (API Deploy) sub-tab. After splitting the environment setup, this field became redundant.

  • Renamed the Elasticsearch tab to Elastic Stack to reflect that the integration also covers Kibana.

Filtering by Technique ID


We've added MITRE ATT&CK® technique IDs to technique filters in Advanced Search and Detection Engineering.

Now, security experts can enter a technique ID into the filter search field to look up content aligned to the respective techniques and sub-techniques.

Guide Updates


To keep the documentation in step with ongoing SOC Prime Platform improvements, we've substantially updated the Continuous Content Management guide and added new information to the API section of the Platform guide.

Leaderboards


In the SOC Prime Platform v. 5.0.10, we've improved and optimized the Leaderboards page design for various screen sizes and resolutions.

Localization Improvements


With this release, we've updated the wording of the flow for requesting content that is still at the R&D stage, so that the suggested steps are clearer and simpler.

Microsoft Product Name Changes


Following Microsoft's official product renaming, we've updated the following supported platform names throughout the UI:

  • Azure Sentinel → Microsoft Sentinel

  • Microsoft Defender ATP → Microsoft Defender for Endpoint

Quick Hunt


ArcSight Support


As part of our ongoing effort to extend the range of supported platforms, this release adds the capability to send queries to ArcSight from Quick Hunt.

Security professionals who use ArcSight can now run Quick Hunt queries directly against it.

Custom Field Mapping Selection


To enhance the usability and improve the UI, we've added the Custom Field Mapping selection dropdown to the Quick Hunt page.

The page loads with the default Custom Field Mapping set up for the current environment (or original mapping if no custom one is set up). With the new dropdown, security professionals can change the applied mapping profile on the fly. This makes the hunting process even more flexible.

Key Bug Fixes & Improvements


With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:

  • Resolved the issue with filtering by use case. Previously, applying certain filter parameters could return no results even though matching content was present on the Platform. To prevent this, we've improved the mechanism that determines whether a content item belongs to a use case.

  • Fixed the bug with Sigma rules created on the Threat Bounty Portal. In some cases, while editing a rule it was impossible to generate translations for other platforms, and the Parse Sigma Content Tags button did not work.

  • Fixed the bug with Microsoft Sentinel translation. Previously, in some cases a slash enclosed in single quotes in a Sigma rule was converted incorrectly and dropped from the Microsoft Sentinel translation, which changed the meaning of the resulting query.

  • Fixed the Environments page layout. Previously, the page did not display in full.

  • Resolved the rule count mismatch for Dynamic Content Lists in Continuous Content Management. Previously, because of the way the count was calculated, the rule count shown on the Content Lists page could differ from the number of rules actually shown in the list.
