
SOC Prime Platform Product Release Notes 5.2.1

Written by Sergey Bayrachny

April 6, 2022

© 2022 SOC Prime Inc.

All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

New Subscription Plans


With this release, we've launched pre-orders for two new subscription plans, On Demand and #sigma2savelives:

  • On Demand. Instant on-demand access to 50, 100, or 200 rules selected by you.

  • #sigma2savelives. Instant on-demand access to 500+ rules against russian APTs and 50 rules selected by you. 100% of each purchase for this plan is donated to the Come Back Alive Foundation that helps save the lives of Ukrainians and defend Ukraine.

Under both subscriptions, you get access to the selected rules for 1 year, with full support and all the updates. Moreover, there's no daily limit on using the selected rules in Quick Hunt.

With the new subscriptions, security practitioners can save hundreds of hours on threat research and rule coding while paying only for the selected number of rules.

Pre-orders can be made with a card via Stripe. To find out more about the subscriptions, see the Upgrade page that includes the Plan Comparison and FAQ sections.

Pricing Page on Website


To make the information about the subscriptions readily available outside the SOC Prime Platform, we've introduced a Pricing page on our website.

On this new page, you can find the full information about the currently offered subscriptions.

Security practitioners can log in to or sign up with the SOC Prime Platform right from this page. After registration, new users skip the Onboarding Wizard and go directly to the Upgrade page.

API Key Field


The API key shown on the API page in Automation is now masked in the interface, so the key is no longer displayed in clear text and exposed, for example, in screenshots or shared screens.

Content Quality Enhancement


Microsoft Defender for Endpoint Translation Improvements


We've resolved the double-escaping issue in translations into the Microsoft Defender for Endpoint format. Previously, detections translated from Sigma rules could render a value as @"example1\example2\\" instead of the expected @"example1/example2/example3" or "example1\/example2\/example3".

Microsoft Sentinel Translation Improvements


In this release, we've improved the conversion of Sigma conditions into the Microsoft Sentinel format. Previously, when a condition contained a selection combined with the AND NOT operator followed by additional selections joined with other operators, such as OR or AND, the translated fields corresponding to those additional selections could wrongly carry a “!” (negation) that belonged only to the AND NOT selection.

New Config for Humio


To extend the possibilities of conversion into Humio format, we've added a new alternative translations config: CIM. This option is now available in the Config dropdown on the Humio content pages.

Splunk Translation Improvements


To ensure a wider range of Sigma rules can be correctly converted into Splunk format, we've extended the logic supported for this platform with NOT and AND NOT operators.
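To make concrete what the three translation fixes above (Defender for Endpoint escaping, Sentinel AND NOT handling, Splunk NOT and AND NOT) are about, here is an added example. It is not SOC Prime's translation engine; the selections, field names and values are constructed for illustration. It parses a Sigma condition into a small AST and renders it as a KQL "where" clause (the query language shared by Microsoft Sentinel and Defender for Endpoint advanced hunting) and as a Splunk search, so that a NOT applies to exactly one operand and never leaks onto the next selection, and so that string values containing backslashes are emitted once via KQL verbatim literals rather than double-escaped. Aggregations and "1 of selection*" forms are out of scope.

```python
import re

# Constructed sample selections (not from the page), in the shape a Sigma
# detection section defines them: each selection maps field -> exact value.
SELECTIONS = {
    "selection": {"EventID": "4688", "NewProcessName": r"C:\Windows\Temp\x.exe"},
    "filter": {"SubjectUserName": "SYSTEM"},
    "selection2": {"CommandLine": 'say "hi"'},
}

TOKEN_RE = re.compile(r"\(|\)|[A-Za-z_][A-Za-z0-9_]*")


def parse(condition):
    """Parse a Sigma condition (selection names, and/or/not, parentheses) into
    a nested-tuple AST. Precedence follows Sigma: not > and > or."""
    tokens = TOKEN_RE.findall(condition)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of condition")
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        node = parse_and()
        while peek() == "or":
            take()
            node = ("or", node, parse_and())
        return node

    def parse_and():
        node = parse_not()
        while peek() == "and":
            take()
            node = ("and", node, parse_not())
        return node

    def parse_not():
        if peek() == "not":
            take()
            return ("not", parse_not())
        return parse_atom()

    def parse_atom():
        tok = take()
        if tok == "(":
            node = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
            return node
        if tok not in SELECTIONS:
            raise ValueError(f"unknown selection: {tok}")
        return ("sel", tok)

    node = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return node


def kql_eq(field, value):
    # KQL verbatim literal @"...": backslashes are literal, so a Windows path is
    # emitted once rather than double-escaped; only '"' needs doubling.
    escaped = value.replace('"', '""')
    return f'{field} == @"{escaped}"'


def spl_eq(field, value):
    # SPL double-quoted literal: backslash escapes both backslash and '"'.
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{field}="{escaped}"'


KQL = {"and": " and ", "or": " or ", "not": "not ", "eq": kql_eq}
SPL = {"and": " AND ", "or": " OR ", "not": "NOT ", "eq": spl_eq}


def render(node, style):
    """Render the AST; every sub-expression is parenthesised, so a NOT applies
    only to its own operand and never leaks into the next selection."""
    kind = node[0]
    if kind == "sel":
        terms = [style["eq"](f, v) for f, v in SELECTIONS[node[1]].items()]
        return "(" + style["and"].join(terms) + ")"
    if kind == "not":
        return style["not"] + render(node[1], style)
    return "(" + style[kind].join(render(c, style) for c in node[1:]) + ")"


def to_kql(condition):
    """Sentinel / Defender for Endpoint advanced hunting filter."""
    return "| where " + render(parse(condition), KQL)


def to_spl(condition):
    """Splunk search expression."""
    return "search " + render(parse(condition), SPL)


if __name__ == "__main__":
    for cond in ("selection and not filter or selection2",
                 "selection and not (filter or selection2)"):
        print(to_kql(cond))
        print(to_spl(cond))
```

Running it prints both renderings of "selection and not filter or selection2": the negation is wrapped around the filter selection only, selection2 is untouched, and the Windows path appears with single backslashes in KQL and doubled ones in SPL, which is each language's correct form.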

Techniques in Microsoft Sentinel Rules


Since Microsoft Sentinel Rules have recently begun supporting a new field to specify MITRE ATT&CK® techniques, we've added this field to all Sigma rule translations into this platform's format. This ensures that the translated rules contain all available context.
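As an added example (not SOC Prime's code), the following derives ATT&CK tactics and techniques from Sigma tags in the form a Sentinel rule's tactic and technique fields take. The PascalCase tactic names match Sentinel's; whether a target accepts sub-technique IDs such as T1059.001 or only parent techniques is an assumption that depends on the target, hence the parent_only switch. The sample rule header is constructed.

```python
import re

# Sigma tags: "attack.<tactic_slug>" or "attack.tNNNN[.NNN]" (case-insensitive
# technique IDs); other namespaces (cve.*, car.*) are not ATT&CK metadata.
TECHNIQUE_RE = re.compile(r"^attack\.(t\d{4})(?:\.(\d{3}))?$", re.IGNORECASE)
TACTIC_RE = re.compile(r"^attack\.([a-z][a-z_]*)$")


def attack_metadata(tags, parent_only=False):
    """Split Sigma 'tags' into Sentinel-style tactic names and technique IDs.

    Tactic slugs become PascalCase ("defense_evasion" -> "DefenseEvasion"),
    technique IDs are upper-cased, duplicates are dropped and order is kept.
    With parent_only=True sub-technique suffixes are stripped (T1059.001 ->
    T1059) for a target that only accepts parent techniques."""
    tactics, techniques = [], []
    for tag in tags:
        m = TECHNIQUE_RE.match(tag)
        if m:
            tech = m.group(1).upper()
            if m.group(2) and not parent_only:
                tech += "." + m.group(2)
            if tech not in techniques:
                techniques.append(tech)
            continue
        m = TACTIC_RE.match(tag)
        if m:
            name = "".join(p.capitalize() for p in m.group(1).split("_"))
            if name not in tactics:
                tactics.append(name)
    return {"tactics": tactics, "techniques": techniques}


def sentinel_rule_fragment(sigma_rule, parent_only=False):
    """Assumed shape: a Sentinel scheduled rule carries 'tactics' and
    'techniques' lists next to its query; only those keys are produced here."""
    meta = attack_metadata(sigma_rule.get("tags", []), parent_only)
    return {"displayName": sigma_rule["title"], **meta}


# Constructed sample rule header (not from the page).
SAMPLE_RULE = {
    "title": "Suspicious PowerShell Download Cradle",
    "tags": ["attack.execution", "attack.t1059.001", "attack.T1059.001",
             "attack.command_and_control", "attack.t1105", "cve.2021.44228"],
}

if __name__ == "__main__":
    print(sentinel_rule_fragment(SAMPLE_RULE))
    print(sentinel_rule_fragment(SAMPLE_RULE, parent_only=True))
```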

Continuous Content Management Improvements


Multiple Content Lists


To improve automation capabilities and streamline the user experience, we've introduced support for multiple Content Lists in a single Job.

You can add multiple Content Lists both to new and existing Jobs.

Multiple Environments


To improve the Continuous Content Management functionality for security practitioners working with several environments, we've introduced the ability to add multiple environments to a single Job.

You can leverage this functionality both when creating new and editing existing Jobs.

Bulk Actions for Jobs


With this release, we've introduced support for bulk actions for Jobs. Using checkboxes on the right, select one or multiple Jobs to perform actions with the buttons that appear above the Job list after selection.

You can do the following actions:

  1. Run Now. Run the selected Jobs. This option is available only for enabled Jobs that have not been run in the last 5 minutes.

  2. Enable/Disable. Enable or disable the selected Jobs.

  3. Add Environment/Delete Environment. Add or delete one or multiple environments for the selected Jobs. For these buttons to be active, environments already linked to the selected Jobs have to belong to the same platform. In the modal that appears, select the environments you want to add/delete from the available options in the dropdown.

Custom Field Mapping Based on Log Source


We've enhanced the Job settings with a new checkbox Use Default Custom Field Mapping based on Log Source.

When this checkbox is selected, Custom Field Mapping is applied to content based on the log source products the content is intended for. For example, if a Content List linked to the Job contains both rules that use Nginx logs and rules that use Apache logs, your Custom Field Mapping profile for Nginx is applied to the former and your Custom Field Mapping profile for Apache to the latter.

When this checkbox is cleared, a Custom Field Mapping dropdown appears. Use it to select a single Custom Field Mapping profile that should be applied to all content in the connected List, or leave the dropdown empty to apply no Custom Field Mapping within the Job.
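As an added illustration (not the platform's implementation; the profile format, rules and field names are constructed), the following models both Job modes: choosing a mapping profile per rule by its logsource product, or applying a single named profile, or none, to every rule. Two details a practitioner will want right: Sigma modifiers such as |contains must stay attached to the renamed field, and a product with no profile is assumed here to pass through unmapped, since the page does not say how the platform handles that case.

```python
# Constructed Custom Field Mapping profiles, keyed by log source product:
# rule field name -> field name as your SIEM indexes it.
MAPPING_PROFILES = {
    "nginx": {"c-ip": "client_ip", "cs-uri": "request_uri"},
    "apache": {"c-ip": "remote_addr", "cs-uri": "request"},
}

# Constructed rules in Sigma shape; the third has a product with no profile.
RULES = [
    {"title": "nginx probe", "logsource": {"product": "nginx"},
     "detection": {"selection": {"c-ip": "10.0.0.5", "cs-uri|contains": "/.env"},
                   "condition": "selection"}},
    {"title": "apache probe", "logsource": {"product": "apache"},
     "detection": {"selection": {"c-ip": "10.0.0.5"}, "condition": "selection"}},
    {"title": "iis probe", "logsource": {"product": "iis"},
     "detection": {"selection": {"c-ip": "10.0.0.5"}, "condition": "selection"}},
]


def rename_map(fields, mapping):
    """Rename the keys of one selection map; a Sigma modifier after '|' is
    kept on the renamed field, unmapped fields are returned unchanged."""
    renamed = {}
    for key, value in fields.items():
        field, sep, modifier = key.partition("|")
        renamed[mapping.get(field, field) + sep + modifier] = value
    return renamed


def rename_fields(detection, mapping):
    """Return a copy of a Sigma detection section with field names mapped.
    Selections may be a map or a list of maps; the condition string and any
    other non-map entries pass through untouched."""
    out = {}
    for name, selection in detection.items():
        if isinstance(selection, dict):
            out[name] = rename_map(selection, mapping)
        elif isinstance(selection, list):
            out[name] = [rename_map(s, mapping) if isinstance(s, dict) else s
                         for s in selection]
        else:
            out[name] = selection
    return out


def apply_job_mapping(rules, profiles, by_log_source=True, single_profile=None):
    """Model the two Job modes.
    by_log_source=True: each rule gets the profile for its logsource product
    (assumption: a product without a profile is left unmapped).
    by_log_source=False: one named profile for all rules, or none at all."""
    if by_log_source:
        def pick(rule):
            return profiles.get(rule.get("logsource", {}).get("product"), {})
    else:
        fixed = profiles.get(single_profile, {}) if single_profile else {}

        def pick(rule):
            return fixed
    return [{**rule, "detection": rename_fields(rule["detection"], pick(rule))}
            for rule in rules]


if __name__ == "__main__":
    for r in apply_job_mapping(RULES, MAPPING_PROFILES):
        print(r["title"], r["detection"]["selection"])
    for r in apply_job_mapping(RULES, MAPPING_PROFILES, False, "apache"):
        print(r["title"], r["detection"]["selection"])
```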

Devo Support


With the latest release, we continue to widen the range of available detection formats, meeting the needs of security experts. This time, we've added support for Devo SIEM (content type: query).

Now, security professionals can search for Devo content in Advanced Search and Detection Engineering views, create Custom Field Mapping profiles for this platform, and see its statistics on the Leaderboards page.

We've also added Devo support to Uncoder.IO, enabling on-the-fly conversion of detection content into this format.

Email Notifications


To extend customization capabilities, we've introduced a separate page for setting up email notifications about the latest detection content released and updated on the SOC Prime Platform. You can open this page from the main page or top navigation menu by selecting Personalize > Email Notifications.

It is also available through the Account Settings menu.

The Email Notifications page offers flexible settings to set up your preferences. Here you can select notification frequency and define what content is relevant to you.

  • Enable or disable notifications with the Send me content release notifications switch.

  • Set the frequency of notification with the Frequency dropdown.

  • Define the content you are interested in by selecting a Search Profile and/or Content List. These are used to match released and updated content to your preferences.

  • To set up advanced notification preferences, create a query with the Lucene Search to filter content by various attributes.

If you have no Search Profile or Content List configured, the corresponding dropdowns are disabled.

Note that for users with Limited Access subscriptions, the Content List and Lucene Search options are not available.

According to these changes, we've updated the Additional Settings section on the Account page, which previously included email notification preferences.

MITRE ATT&CK® Map


We've updated the MITRE ATT&CK framework version to 10.1 on the MITRE ATT&CK® Map page.

Platform Guide Update


In the new version of the SOC Prime Platform, we've updated the Platform Guide to keep it up to date with the new and improved functionality.

Search Bar


To improve the user experience in the Advanced Search and Detection Engineering modules, we've moved the Search Bar from the header to the upper right corner of the current page.

We've also updated the design and functionality of the Search Bar. As before, standard search is enabled by default. To switch to the Lucene query syntax, click the "or Lucene" button on the right of the bar (and click "or Standard" to switch back). To find out more about Lucene, click the question mark icon on the right of the Search Bar.

Threat Bounty Program Updates


As part of our Threat Bounty Program enhancement, we've updated and extended the developer rating calculation algorithms to align them to the new functionality and content use patterns on the SOC Prime Platform.

Key Bug Fixes & Improvements


With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:

  • Resolved the issue that in some cases resulted in minor discrepancies between metrics on the Leaderboards page (Release Dynamics, Top Platforms, and Top Authors charts) and on the corresponding Advanced Search pages after drilling down.

  • Removed the Custom Field Mapping dropdown from the Apache Kafka ksqlDB content pages because custom mapping for this platform is currently not supported. Accordingly, we've also removed Apache Kafka ksqlDB from the list of available platforms in the Custom Field Mapping profile setup.

  • Introduced alphabetical order as a second-level sorting criterion for the top platforms with the same score on the Leaderboards page.

  • Fixed the bug with the loading icon that sometimes was overlapped by the Create Search Profile modal after clicking Save Changes.

  • Resolved the issue with the environment selection dropdown on the content deploy modal. Previously, if the user selected an environment and the deployment failed, the dropdown would no longer open.

  • Fixed the functionality of drilling down to search by a log source tag. In some cases, clicking a log source tag on the Intelligence tab of a content item page resulted in no search results.

  • Fixed the issue with content availability filtering. Previously, when the Available for Me option was selected in the Content Availability filter, the results also included content that was scheduled to become available only an hour later.

  • Updated the toggle switch style for the Consent for processing your personal data as described in our Privacy Policy item on the Account page.

  • Fixed sorting by name on the Advanced Search page. Previously, some content items would show at the top of the list even though their names started with characters that come later in the sorting order.

  • Fixed a search bar bug. If the search request contained a tab character, the search result page would not display the filter panel and icons.

  • Resolved the issue that prevented the Slack Community and Threat Bounty items on the main page from being check-marked after they were visited.

  • Applied alphabetical sorting to items on the Content per Product chart in Log Source Coverage. It's the third level of sorting used to arrange items on the page.

  • Fixed the bug in Quick Hunt that sometimes resulted in a 500 error (Internal Server Error) when the user tried to search for content or sort it.
