
SOC Prime Platform Product Release Notes 5.2.0

Written by Sergey Bayrachny

March 23, 2022

© 2022 SOC Prime Inc.

All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

Onboarding Wizard


We are thrilled to announce the release of an onboarding wizard designed to make the experience with the SOC Prime Platform faster and simpler than ever. The newly released onboarding functionality has a modular structure and is aimed to drive more value to all SOC Prime users, more specifically:

  • Helps customers get started quickly and understand the benefit of core platform capabilities, like Environments integration, Hunt modules, and Custom Field Mapping, which together streamline the user experience.

  • Enables a one-time setup of the most necessary functionality to make the platform experience even more tailored to the users’ security needs.

  • Provides step-by-step guidelines, video tips, and multiple options for help and support across the entire onboarding process.

The onboarding wizard is intended to deliver an improved user experience based on extensive customer feedback while boosting threat detection capabilities and increasing threat hunting velocity for each cybersecurity professional leveraging the SOC Prime Platform.

Note: The onboarding wizard is a one-time configuration process that cannot be skipped; it ensures that, once you complete the required setup, the platform is ready to serve your organization-specific security needs. The number of obligatory steps depends on the platform in use.

With this release, all new users who sign up for the SOC Prime Platform will be prompted to set up all required configurations after creating an account.

Security practitioners who have an existing account will see a notification at the top of each page prompting them to fill in the missing settings starting from the corresponding step. If you have already set up configurations required for proper platform use, they will be automatically populated on the wizard.

Here are the Onboarding Wizard steps depending on the selected security platform:

Platform name            Search Profile   Platform URL   Log Sources   Role   Integration
ArcSight                 Yes              No             Yes           Yes    No
CarbonBlack              Yes              No             No            Yes    No
CrowdStrike              Yes              Yes            No            Yes    No
Microsoft Defender ATP   Yes              No             No            Yes    No
QRadar                   Yes              No             Yes           Yes    No
Securonix                Yes              No             No            Yes    No
Splunk                   Yes              Yes            Yes           Yes    No
Microsoft Sentinel       Yes              Yes            Yes           Yes    Yes
Chronicle Security       Yes              Yes            No            Yes    Yes
Elastic Stack            Yes              Yes            Yes           Yes    Yes
Humio                    Yes              Yes            No            Yes    Yes
Sumo Logic               Yes              Yes            Yes           Yes    Yes
FireEye                  Yes              No             No            Yes    No
Graylog                  Yes              No             No            Yes    No
LimaCharlie              Yes              No             No            Yes    No
Logpoint                 Yes              No             No            Yes    No
RSA NetWitness           Yes              No             No            Yes    No
SentinelOne              Yes              No             No            Yes    No
Apache Kafka ksqlDB      Yes              No             No            Yes    No
Microsoft PowerShell     Yes              No             No            Yes    No
Qualys                   Yes              No             No            Yes    No
Regex Grep               Yes              No             No            Yes    No
Sysmon                   Yes              No             No            Yes    No
Sigma                    Yes              No             No            Yes    No
AWS OpenSearch           Yes              No             No            Yes    No

Welcome Screen: Platform Selection


The onboarding process starts with the welcome screen where security practitioners are prompted to select the platform in use. The default settings display the most widely used security solutions, including Microsoft Sentinel, Chronicle Security, Splunk, Humio, Sumo Logic, Microsoft Defender for Endpoint, Securonix, the Elastic Stack, and legacy SIEM solutions like QRadar and ArcSight.

By clicking Show Other Platforms, you can see the full list of supported platforms.

To choose the platform, click the tile with the solution in use, and you will move to the Search Profile step. You can always change these settings and return to the initial step by clicking Change. The previously selected platform will be highlighted in green.

Wizard Progress Bar


For a better user experience, the onboarding wizard displays the progress bar on the left on all screens following the platform selection:

  • The number of steps, which depends on the selected platform, and the percentage completed

  • Completed steps are marked in green and indicated with a green checkmark

  • The current step is marked in grey and has a grey checkmark

Note: You move to the next required step following the predefined order of onboarding steps.

Reaching Out for Help


Security practitioners can reach out to SOC Prime experts whenever they run into difficulties with the onboarding process in one of the following ways:

  1. Click the Ask an Expert button in the bottom right-hand corner of the wizard and choose one of the options:

    • Slack Community — go to the Slack channel and ask the community members for help.

    • Help Request — send a prompt support request, which will automatically indicate the step at which you have got stuck. SOC Prime experts will reach out to you shortly by email.

  2. Click the Intercom button and get in touch with the SOC Prime experts in real time.

Also, we’ve provided the Tips section for each wizard step guiding SOC Prime users through the onboarding process. The walkthrough video guides and hints are at the customers’ disposal to make onboarding as simple as possible.

Search Profile


At this step, InfoSec practitioners are prompted to configure content search preferences based on the data sources available in their environment. For your convenience, these settings can be configured in two ways:

Log Source Product

Here security practitioners add the specific log source products monitored in their environment. To add an item, start typing the name of the log source product in use, and the search will automatically suggest its full name. Once selected, all added log source products are displayed in the settings on the fly.

Log Source Category

Alternatively, the Search Profile step can be configured by first selecting the log source category from the list of predefined options, like “Access Management”, “Cloud (IaaS)”, “Cloud (SaaS)”, “Endpoint”, etc.

Once the category is selected, you can browse and add log source products that belong to it. Click the Plus icon next to the log source category, set the checkmarks against the items you monitor, and select Apply. You can select multiple log source categories with a number of log source products matching them.

All selected log source products will be automatically displayed next to the corresponding log source category.

Note: You can move to the Platform URL step after adding at least one log source product. However, we recommend adding multiple data sources to make your content search most relevant to your organization-specific needs.

After finishing the setup with the onboarding wizard, you can find the resulting Onboarding Search Profile in the Search Profiles section of the SOC Prime Platform. You can enhance it with additional details to make your search even more relevant.

Platform URL


This step sets up a hunting environment so that SOC Prime users can drill down and search for threats in their environment using the Quick Hunt and Uncoder CTI modules.

Note: This step is available only for platforms that support Quick Hunt or Uncoder CTI (or both).

By entering the required web address in the corresponding field, you are all set to take advantage of on-the-fly hunting capabilities available with SOC Prime’s Hunt modules.

Newcomers to the SOC Prime Platform who might need help with properly configuring the Platform URL settings are welcome to watch a short video in the Tips section on the right. We’ve added a brief video tutorial for each platform making it easier for SOC Prime users to complete this step.

Log Sources


At this step, security practitioners should indicate the indexes or tables where the log source data of the products provided in the Search Profile step is stored. This information ensures that detection content available in the Threat Detection Marketplace will work correctly even if the target environment uses non-default log source data locations.

Depending on the selected security platform, we offer up to three ways to identify the log sources:

  • Lookup via API. Get the data locations automatically by requesting them via your security platform's API. We recommend using this option where available.

  • Collect with a Script. Pull the necessary information by downloading and running the dedicated script. Then, upload the output CSV.

  • Map Manually. Click the Plus icon next to a log source product you've provided and type the name of the index or table where the data is stored.

After the onboarding setup is complete, you can find the mapping for each log source product as a separate profile in the Custom Field Mapping section of the SOC Prime Platform. In this profile, you can also add mappings for specific fields or even values.

Apply profiles manually on the Code tab of the content item page or set the Make Default checkmark in their settings to use them automatically.

Role

This step is needed to personalize the user experience of the SOC Prime Platform. Security practitioners are prompted to select one or two of their main roles in their organizations.

The step is skippable, but if the professional roles are not set up, some features of the SOC Prime Platform might not work properly.

Integration


This step is about setting up a full-fledged API integration with the target environment. The link to the environment (if any) is pre-filled using the URL provided at the Platform URL step. Security practitioners need to fill in the rest of their credentials.

This integration is used to deploy detection content directly to the target environment from the Threat Detection Marketplace or automate content deployment with Continuous Content Management.

Once the onboarding process is complete, teams will be notified with the corresponding success notification.

New Custom Field Mapping


We've significantly enhanced and redesigned the Custom Field Mapping module. Now, in addition to field names, it offers customization of table/index names and even field values.

Security practitioners can create mapping profiles that cover all possible customization needs related to non-default log source, field, and value names in the target environment. Such profiles ensure that detection content from the SOC Prime Platform, which is originally written for the default data schema, works properly in that environment.

Profile Details


In this section, you can name the profile and select the security platform for which it will be applied.

  • Share to Company: make the profile available to your teammates

  • Make Default: apply the profile by default to the content for the indicated platform.

Log Source


Select the log source product for which the profile will be applied.

  • Show Sigma Settings: enable this switch to check and edit the product, category, and service that a Sigma rule must specify for the profile to be applied when the rule is translated into the target platform format. For now, this feature is supported only for a limited number of log source products.

Mapping Configuration


Provide custom names used in the target environment for log source location (indices, tables, etc.), fields, or values. Select the corresponding tab and indicate the default and custom names.

You can also import field mappings using a CSV.

Profiles Created During Onboarding


Custom data locations for each log source product provided during Onboarding are saved as a separate mapping profile.

The name of such a profile has the following pattern: security platform + log source product + (Onboarding)

To edit a profile, click the three-dot icon on the right and select Edit.

The information provided during Onboarding is pre-filled in the corresponding fields.

If, in addition to custom log source locations, you have non-default field names or need to customize field values, you can do it on the Fields or Values tabs.
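To make the mapping described in the Log Sources step and in Mapping Configuration concrete, the following added example (not SOC Prime's code, and not its profile or CSV format) applies a constructed profile with the three kinds of substitution the note lists, a custom log source location, custom field names and custom field values, to a query written for the default schema. The profile layout, the `default,custom` CSV columns, the Splunk-style query syntax and all names in it are assumptions for illustration.

```python
import csv
import io
import re

# Constructed mapping profile for illustration. Its three parts mirror the
# Log Source / Fields / Values tabs described in the note, but the dict layout,
# the names and the query syntax are assumptions, not SOC Prime's own format.
PROFILE = {
    "platform": "Splunk",
    "log_source": "Windows Sysmon",
    # default log source location in the content -> where this environment keeps it
    "locations": {"index=sysmon": "index=win_sysmon_prod"},
    # default field names -> names used in the environment's schema
    "fields": {"Image": "process_path", "CommandLine": "process_cmdline"},
    # per-field value translations: default value -> environment value
    "values": {"EventCode": {"1": "process_create"}},
}

# Constructed CSV in the shape one might import on the Fields tab
# (default name, custom name). The column names are an assumption.
FIELD_CSV = """default,custom
Image,process_path
CommandLine,process_cmdline
ParentImage,parent_process_path
"""

# A field=value or field="quoted value" pair in a simple search expression.
_PAIR = re.compile(r'(?P<field>[A-Za-z_][A-Za-z0-9_.]*)=(?P<value>"[^"]*"|\S+)')


def load_field_mappings(csv_text):
    """Parse a default,custom CSV into a {default: custom} field dict."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["default"].strip(): row["custom"].strip() for row in reader}


def with_csv_fields(profile, csv_text):
    """Return a copy of the profile whose field mappings come from the CSV."""
    return {**profile, "fields": load_field_mappings(csv_text)}


def apply_profile(query, profile):
    """Rewrite a query written for the default schema into the environment's schema."""
    # 1. Log source location: whole-token match, so index=sysmon is not
    #    mistaken for the prefix of index=sysmon_archive.
    for default_loc, custom_loc in profile["locations"].items():
        pattern = r"(?<!\S)" + re.escape(default_loc) + r"(?!\S)"
        query = re.sub(pattern, custom_loc, query)

    def rewrite(match):
        field, value = match.group("field"), match.group("value")
        quoted = value.startswith('"')
        raw = value[1:-1] if quoted else value
        # 2. Values are keyed by the *default* field name, so translate them
        #    before the field itself is renamed.
        raw = profile["values"].get(field, {}).get(raw, raw)
        # 3. Rename the field; fields absent from the profile pass through.
        field = profile["fields"].get(field, field)
        return f'{field}="{raw}"' if quoted else f"{field}={raw}"

    return _PAIR.sub(rewrite, query)


if __name__ == "__main__":
    # Constructed query in the default schema the content is written for.
    query = 'index=sysmon EventCode=1 Image="C:\\Windows\\System32\\cmd.exe"'
    print(apply_profile(query, PROFILE))
    print(apply_profile('ParentImage="explorer.exe"', with_csv_fields(PROFILE, FIELD_CSV)))
```

The order of the three substitutions matters: value translation is looked up under the default field name, so it has to run before the field is renamed, and the location is replaced as a whole token so that a custom index name is never applied to an index that merely shares a prefix with the default one.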

Updates in Job Settings


In accordance with the updates in the Custom Field Mapping profile, Job settings in Continuous Content Management now show a checkbox, Use Default Custom Field Mapping based on Log Source, which is selected by default.

To apply a different Custom Field Mapping, clear the checkbox and choose a profile in the dropdown that appears below.

LimaCharlie Support


Leveraging the SOC Prime Continuous Content Management (CCM) API, security engineers can stream detection logic directly into their LimaCharlie EDR/XDR environment. Using particular API queries and endpoints, teams can create Content Lists tailored to their security needs and automatically pull the most up-to-date detections from these lists. Detection algorithms can also be automatically optimized for operations by applying non-standard data schemas for scalable deployments and custom environment needs.

To take advantage of the automated content streaming capabilities, make sure the API access is enabled. For more details on how to set up relevant configurations and get started, download the guide for the latest version of the CCM API Integration Tool.

For more streamlined and intuitive content deployment, SOC Prime users can also take advantage of the FREE socprime add-on from LimaCharlie’s marketplace. SOC Prime users can leverage this add-on to choose pre-configured Content Lists to sync and enable them as D&R (detection and response) rules used to automate actions based on the real-time events in LimaCharlie.

First, security practitioners need to configure specific Content Lists via the SOC Prime’s CCM module so they can further pull detections from these lists to their LimaCharlie instance using the socprime add-on.

LimaCharlie users can leverage the following capabilities of Content Lists:

  • Manually add content items to static lists from the Code tab.

  • Create dynamic lists in CCM to continuously deliver the most recent and updated detection algorithms matching pre-configured custom filters.

After setting up Content Lists in the SOC Prime Platform, log into your LimaCharlie account to finish the configuration between the two platforms and enable content streaming.

Go to the socprime add-on page to explore brief guidelines on how to enable CCM configuration in LimaCharlie via the Integrations page. For more details on how to set up add-on configurations in the LimaCharlie environment, read our partner blog post.

Adding to Content List


With this release, we've made the functionality of adding a content item to a Static Content List from the Code tab available for all supported security platforms. This makes using Continuous Content Management equally convenient for security experts relying on different technologies.

Key Bug Fixes & Improvements


With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:

  • Resolved the issue with access from allowed IPs being forbidden in the Continuous Content Management API.
