April 20, 2022
© 2022 SOC Prime Inc.
All rights reserved. This product and its related documentation are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or its related documentation may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and the features described herein are subject to change without notice.
New Subscriptions Launched
With this release, we've launched two new subscriptions announced recently:
On Demand. Instant on-demand access to 50, 100, or 200 rules selected by you.
#sigma2savelives. Instant on-demand access to 500+ rules against Russian APTs and 50 rules selected by you. 100% of each purchase for this plan is donated to the Come Back Alive Foundation, which helps save the lives of Ukrainians and defend Ukraine.
You can buy either of the new subscriptions with a card via Stripe. Note that, with the official launch of the subscriptions, discounted pre-orders are no longer on offer.
The new subscriptions are intended for direct end users and are not supposed to be utilized by MDRs, MSSPs, and other types of intermediaries. To emphasize this, we've added a corresponding warning on the modal that precedes redirection to Stripe.
Updates to Support New Subscriptions
To implement the new subscriptions, we've introduced some new features and mechanics:
Now, when the Community or On Demand user opens a rule page from Detection Engineering, MITRE ATT&CK®, or Advanced Search, the Intelligence tab is always shown.
Unlocked rules are marked with the Unlocked label. In #sigma2savelives, all 500+ rules against Russian APTs are already unlocked and marked with this label.
The on-demand Sigma rule balance is displayed on the counter on any content item page, in Quick Hunt, and in the Account menu.
The balance is decreased by one each time you unlock a Sigma rule that is not currently available to you (because the rule has just been released or your access to it has already expired). The first time you unlock a Sigma rule, a confirmation modal notifies you that you are about to use your on-demand Sigma rule balance; subsequent unlocks proceed without the prompt.
There are two ways to instantly unlock a Sigma rule:
Open the Code tab on the rule page
Click the Hunt button for the query based on the Sigma rule in Quick Hunt
Either of these actions instantly gives you full access to the Sigma rule and all its translations.
If you use all your on-demand Sigma rules and buy a new On Demand subscription, all content unlocked under your previous subscription remains unlocked until your previous subscription expires.
More Opportunities for Upgrade
We've added the opportunity to upgrade to On Demand or #sigma2savelives from a content item page if the content item is currently not available.
For Queries and Alerts:
If the rule is not accessible yet, the user sees upgrading options and the time in which the content item will become accessible to them under their current subscription.
If the access to the rule has already expired, the user sees upgrading options and a message that the content will not be accessible to them.
For other types of content:
If the content item is not accessible yet, the user can go to the Upgrade page and sees the time in which the content item will become accessible to them under their current subscription. With the Notify Me! button the user can get an email notification when the content item becomes available.
If the access to the content item has already expired, the user can go to the Upgrade page.
CCM API Update
We've introduced some improvements in the Continuous Content Management (CCM) API:
Updated the CCM API to ensure that security professionals can use it to work with the new version of Custom Field Mapping.
Added three new endpoints to work with Jobs via API:
/v1/ccm/jobs – returns a list of available Jobs, including the following parameters: ID, name, status, created date, last updated date.
/v1/ccm/jobs/{job_id} – returns details of a specific Job.
/v1/ccm/jobs/{job_id}/get-content – returns content from the Content List(s) linked to a specific Job. The Custom Field Mapping profiles, Presets, Filters, and other configurations of the Job are applied to the output content.
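The following is an added example of a small client for the three Job endpoints listed above; it is not SOC Prime's code. The base URL, the authentication header, and the field names in the responses (id, status, content_lists, and so on) are assumptions for illustration and must be checked against the CCM API documentation for your account. The transport function is injectable, and the sample responses are constructed, so the block runs offline.

```python
import json
import urllib.request
from urllib.parse import quote


class CcmJobsClient:
    """Thin client for /v1/ccm/jobs, /v1/ccm/jobs/{job_id} and
    /v1/ccm/jobs/{job_id}/get-content.

    base_url and the auth headers are placeholders (assumed, not from the
    release notes). transport(url, headers) -> (status_code, body_bytes) is
    injectable so the client can be exercised without network access."""

    def __init__(self, base_url, headers, transport=None):
        self.base_url = base_url.rstrip("/")
        self.headers = dict(headers)
        self.transport = transport or self._http_get

    @staticmethod
    def _http_get(url, headers):
        # Real network call; only used when no transport is injected.
        req = urllib.request.Request(url, headers=headers, method="GET")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()

    def _get_json(self, path):
        status, body = self.transport(self.base_url + path, self.headers)
        if status != 200:
            raise RuntimeError(f"GET {path} returned HTTP {status}")
        return json.loads(body)

    def list_jobs(self):
        return self._get_json("/v1/ccm/jobs")

    def get_job(self, job_id):
        return self._get_json(f"/v1/ccm/jobs/{quote(str(job_id), safe='')}")

    def get_job_content(self, job_id):
        return self._get_json(f"/v1/ccm/jobs/{quote(str(job_id), safe='')}/get-content")


def content_for_jobs_with_status(client, wanted_status):
    """Fetch the mapping-applied content of every Job in the given status.
    The job field names 'id' and 'status' are assumed; verify them against
    a real response before relying on them."""
    result = {}
    for job in client.list_jobs():
        if job.get("status") == wanted_status:
            result[job["id"]] = client.get_job_content(job["id"])
    return result


# --- Constructed sample responses (not real data) so the block runs offline ---
FAKE_BASE = "https://ccm.example.invalid"
FAKE_RESPONSES = {
    "/v1/ccm/jobs": [
        {"id": "job-1", "name": "Sentinel nightly", "status": "Active",
         "created": "2022-04-01T10:00:00Z", "updated": "2022-04-19T08:30:00Z"},
        {"id": "job-2", "name": "Chronicle weekly", "status": "Paused",
         "created": "2022-03-15T09:00:00Z", "updated": "2022-04-10T12:00:00Z"},
    ],
    "/v1/ccm/jobs/job-1": {"id": "job-1", "name": "Sentinel nightly",
                           "status": "Active", "content_lists": ["list-7"]},
    "/v1/ccm/jobs/job-1/get-content": [
        {"id": "rule-a", "name": "Suspicious PowerShell Encoded Command",
         "query": 'DeviceProcessEvents | where ProcessCommandLine contains @"-enc"'},
    ],
}


def fake_transport(url, headers):
    path = url[len(FAKE_BASE):]
    if path in FAKE_RESPONSES:
        return 200, json.dumps(FAKE_RESPONSES[path]).encode()
    return 404, b'{"error": "not found"}'


def demo():
    # Header name is an assumption; use whatever your API credentials require.
    client = CcmJobsClient(FAKE_BASE, {"Authorization": "Bearer <your-token>"},
                           transport=fake_transport)
    return content_for_jobs_with_status(client, "Active")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the server applies the Job's Custom Field Mapping, Presets and Filters before returning content, the same script can feed several SIEMs by pointing it at different Jobs rather than re-mapping fields client-side.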
Content Quality Enhancement
Microsoft Defender for Endpoint Translation Improvements
We've improved translations into Microsoft Defender for Endpoint format by eliminating an issue with doubled backslash characters. For example, the issue rendered @":\temp\\" where @":\temp\" was expected.
Microsoft Sentinel Translation Improvements
We've improved translations into Microsoft Sentinel format by eliminating an issue with redundant backslash characters. For example, the issue rendered @":\temp\" where @":\temp" was expected.
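Both Defender for Endpoint advanced hunting and Sentinel consume KQL, where a verbatim string literal @"..." takes backslashes literally and the only escape is a doubled double quote. The following is an added example, not Uncoder or SOC Prime code, of a simplified Sigma-to-KQL value renderer that follows that rule next to a function reproducing the doubled-backslash defect described above. The Sigma escaping rules it implements (a backslash escapes a following backslash or wildcard, and is otherwise literal) are the documented Sigma conventions; field names and sample values are constructed.

```python
import re


def parse_sigma_value(value):
    r"""Split a Sigma string value into ("lit", text) and ("wild", "*" | "?") tokens.

    Sigma escaping: a backslash escapes a following backslash or wildcard, so
    C:\temp\\* is the literal prefix C:\temp\ followed by a wildcard, while a
    backslash before any other character (C:\temp) is an ordinary literal."""
    tokens, buf, i = [], [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value) and value[i + 1] in "\\*?":
            buf.append(value[i + 1])  # escaped backslash or wildcard is literal
            i += 2
            continue
        if ch in "*?":
            if buf:
                tokens.append(("lit", "".join(buf)))
                buf = []
            tokens.append(("wild", ch))
        else:
            buf.append(ch)
        i += 1
    if buf:
        tokens.append(("lit", "".join(buf)))
    return tokens


def kql_verbatim(text):
    """Correct KQL verbatim literal: backslashes stay as they are; only a
    double quote is escaped, by doubling it."""
    return '@"' + text.replace('"', '""') + '"'


def kql_verbatim_doubled(text):
    """The defect described above: escaping backslashes as if the literal were a
    C-style string, which leaks a second backslash into the matched value."""
    return '@"' + text.replace("\\", "\\\\").replace('"', '""') + '"'


def sigma_to_kql(field, value):
    """Render one Sigma field/value pair as a case-insensitive KQL predicate
    (=~, contains, startswith and endswith are all case-insensitive in KQL)."""
    toks = parse_sigma_value(value)
    if not toks:
        return f'{field} == @""'
    kinds = [k for k, _ in toks]
    if kinds == ["lit"]:
        return f"{field} =~ {kql_verbatim(toks[0][1])}"
    if kinds == ["wild", "lit", "wild"] and toks[0][1] == toks[2][1] == "*":
        return f"{field} contains {kql_verbatim(toks[1][1])}"
    if kinds == ["lit", "wild"] and toks[1][1] == "*":
        return f"{field} startswith {kql_verbatim(toks[0][1])}"
    if kinds == ["wild", "lit"] and toks[0][1] == "*":
        return f"{field} endswith {kql_verbatim(toks[1][1])}"
    # Internal or '?' wildcards need a regex; (?i) gives case-insensitivity in RE2.
    parts = [re.escape(t) if k == "lit" else (".*" if t == "*" else ".") for k, t in toks]
    return f'{field} matches regex {kql_verbatim("(?i)^" + "".join(parts) + "$")}'


if __name__ == "__main__":
    for field, value in [("FolderPath", r"C:\temp\\*"), ("CommandLine", "*-enc*"),
                         ("Image", r"*\powershell.exe"), ("Name", "file?.txt")]:
        print(sigma_to_kql(field, value))
    print(kql_verbatim(":\\temp\\"), "vs buggy", kql_verbatim_doubled(":\\temp\\"))
```

The practical check after any translator change is the one the test below performs: feed a value ending in a backslash (a directory prefix such as C:\temp\) through the renderer and confirm the emitted literal contains exactly as many backslashes as the Sigma value, since a doubled or dropped backslash silently turns a working detection into one that never matches.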
Hide Filters in Advanced Search
To avoid visual overload and help you focus on the content, we've hidden the filter block by default. If you want to refine your search, click the Show Filters icon in the upper left corner of the page.
Improved Content Recommendations
We've introduced improved recommendation algorithms to ensure the most relevant content suggestions for the SOC Prime Platform users.
Accordingly, we've made the key sorting options consistent across the SOC Prime Platform modules. Now, in Quick Hunt, instead of Trending Now, you can sort the content by Recommended, Microsoft, and Google Chronicle.
Open Distro to AWS OpenSearch in Uncoder.io
We've renamed Open Distro to AWS OpenSearch in Uncoder.io to keep consistency with the security technology naming on the SOC Prime Platform.
New Home Page on Website
We've completely redesigned the home page of our website. Check it out to learn how SOC Prime contributes to Sigma and enables the power of global industry collaboration to transform threat detection.
Number of Hours Saved
We've specified the number of hours saved on threat research and rule writing for each On Demand subscription option to simplify the choice of the number of rules on the Upgrade page.
Quick Hunt Improvements
With this release, we've introduced the following improvements:
Made the Content button available to all users who have access to Quick Hunt. This button opens the content item page where security professionals can dive into the content's intelligence and metadata.
Made the Expand and Collapse icons consistent across subscriptions.
Raw Data Export
To help organizations comply with specific industry requirements, we've introduced the possibility to export raw data about actions with content. To take advantage of this new feature, open Dashboard, choose the desired period, and click on the Download Raw Data button.
The data is packed into a zip archive that contains the following .csv files:
All_Logs.csv: date, content name, content type, and action
Content_Viewed_but_not_Downloaded.csv
Fresh_Viewed_Content.csv
Statistics.csv: the complete activity record for the selected period: date, user info (ID, email), viewed, downloaded, and deployed content, fresh views, logins, searches, TDM time, and content viewed but not downloaded or deployed
Top_10_Search_Queries.csv
Search Profile Dropdown in Advanced Search
To facilitate and speed up the search process on the SOC Prime Platform, we've replaced the Search Profile switch, which only enabled the default Search Profile, with a selection dropdown. This allows security professionals to apply different Search Profiles directly from Advanced Search without going to the Search Profiles page.
The dropdown options include already configured Search Profiles. To access the Search Profiles page for configuration, click the gear icon.
If you don't wish to use a Search Profile, choose the None option from the dropdown menu. In case you have no Search Profiles configured yet, None is applied by default.
SOC Prime Platform Access Improvement
We've enhanced the two-factor authentication and OTP login flows on the SOC Prime Platform. Now, if you enter a wrong code, the input field clears automatically so that a stale code is not resubmitted.
Uncoder CTI Improvements
Hot OSINT Indicators
With this release, we've added a new feature called Hot OSINT Indicators. It allows security professionals to get instant access to packages of the hottest and most widespread IOCs from open-source intelligence. Choose a package and send queries to your security platform in a matter of several clicks to check if your systems have been compromised.
Click Hot OSINT Indicators to open the list of currently available IOC packages.
Packages released or updated during the last 7 days are marked with a red dot. The overall number of such packages is shown on the red badge on the button.
For each package, you can see a release/update date and sources of IOCs. If there is more than one source, select the gear icon to choose which sources to use.
You can use the search bar to quickly find packages that are relevant to you. The search covers both names and sources of the packages.
After you select a package, the IOCs it contains are automatically pasted into the IOCs pane. Now, simply generate the queries and check your systems for compromise.
Automatic Replacement Improvement
To enhance the functionality of Uncoder CTI, we've improved the automatic replacement of defanged http schemes. Now hXXp, HXXP, HXXp, and hXXP are all replaced with http. This feature is enabled by default; to deactivate it, uncheck the Replace hxxp with http box.
URL Parsing
To improve IOC recognition, we've updated the parsing logic to ensure that URLs that contain IPs are always identified.
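As an added illustration of the two changes above (refanging hxxp variants, and recognizing URLs whose host is an IP address), here is a small Python refang-and-extract routine. It is example code, not Uncoder CTI's implementation: the defanging patterns, the replace_hxxp toggle and the sample report text are constructed for the example, and the regular expressions cover only http(s) URLs with IPv4 or hostname hosts.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Defanging forms commonly seen in OSINT reports (constructed list for this example).
DEFANG_SUBS = [
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE), "."),
    (re.compile(r"\[://\]"), "://"),
    (re.compile(r"\[:\]"), ":"),
]
# Matches hxxp, hXXp, HXXP, hXXP, hxxps, ... only when a scheme separator follows.
HXXP_RE = re.compile(r"\bhxxp(s?)(?=://)", re.IGNORECASE)

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
HOST = r"(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}"
# HOST is tried first so dotted hostnames beginning with digits are not cut short;
# the IPV4 alternative is what makes IP-hosted URLs recognizable at all.
URL_RE = re.compile(rf"\bhttps?://(?:{HOST}|{IPV4})(?::\d{{1,5}})?(?:/[^\s\"'<>]*)?",
                    re.IGNORECASE)
IPV4_RE = re.compile(rf"\b{IPV4}\b")


def refang(text, replace_hxxp=True):
    """Undo common defanging. replace_hxxp mirrors the 'Replace hxxp with http' toggle."""
    for pat, repl in DEFANG_SUBS:
        text = pat.sub(repl, text)
    if replace_hxxp:
        text = HXXP_RE.sub(lambda m: "http" + m.group(1).lower(), text)
    return text


def host_is_ip(url):
    try:
        ip_address(urlsplit(url).hostname)
        return True
    except (ValueError, TypeError):
        return False


def extract_iocs(text, replace_hxxp=True):
    """Return URLs and IPv4 addresses found after refanging. URLs whose host is an
    IP address are listed separately; bare IPs are validated so '999.1.1.1' is dropped."""
    clean = refang(text, replace_hxxp)
    urls = []
    for m in URL_RE.finditer(clean):
        u = m.group(0).rstrip(".,;)")  # trailing prose punctuation is not part of the URL
        if u not in urls:
            urls.append(u)
    ips = []
    for m in IPV4_RE.finditer(clean):
        try:
            ip = str(ip_address(m.group(0)))  # rejects octets above 255
        except ValueError:
            continue
        if ip not in ips:
            ips.append(ip)
    return {"urls": urls,
            "urls_with_ip_host": [u for u in urls if host_is_ip(u)],
            "ipv4": ips}


# Constructed sample text (not a real report) using documentation/TEST-NET ranges.
SAMPLE_REPORT = """\
C2 observed at hXXp://185.220.101[.]45:8080/gate.php
and HXXPS://evil-update[.]example/x.bin; second stage from hxxp://203.0.113[.]9/ (port 80).
A bogus address 999.1.1.1 should be ignored; 198.51.100.7 appeared bare in proxy logs."""


def demo():
    return extract_iocs(SAMPLE_REPORT)


if __name__ == "__main__":
    for key, values in demo().items():
        print(key, values)
```

With replace_hxxp=False the hxxp URLs are left defanged and therefore not extracted as URLs, although the IP addresses inside them are still found; that is the difference the toggle makes when you paste a report into the IOCs pane.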
MITRE ATT&CK® Framework Update
To keep up with the latest cybersecurity insights, we've updated the MITRE ATT&CK framework version used on the SOC Prime Platform to 10.1. The new version introduces one Enterprise Technique update and minor changes to various Data Sources, Data Components, Groups, Software, and Techniques. The full list of changes is available in MITRE's ATT&CK v10.1 release notes.
Tooltips with Content Names
To make sure that even long content names can be read without drilling down to the content item page, we've added tooltips with the name that appear upon hovering over the content item. They are displayed in Advanced Search, Detection Engineering, MITRE ATT&CK, and Quick Hunt.
Key Bug Fixes & Improvements
With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:
Fixed late style application and truncation issues in the text displayed on the loading screen in the mobile version.
Resolved issues with suggested results in the Search Bar:
Improved displaying of suggested results. Now, the results are not truncated if there's enough space to show them in full.
Fixed the categorization of the suggested results. Previously, if a match was found in a rule description, the corresponding result could be displayed under Tags rather than under Description.
Fixed the issue with the question mark icon on the right side of Techniques in the search result metrics. Before, in some cases the icon was unclickable.
Fixed a bug with applying Presets to Chronicle rules through Jobs in Continuous Content Management. Previously, if Rule Metrics was set to Enabled in a Preset, Chronicle rules deployed via a Job with this Preset still had a Disabled status.
Resolved the issue with displaying values of the Author and Technique fields in Dynamic Content Lists added via CCM API. While the values were applied to select content, they did not show in the Edit Content List modal.
Fixed displaying of the block with the search bar and filters on the MITRE ATT&CK® page. Now, the block is shown even when there's only one detection available for the selected technique.
We've made the email field on the Log In page case-insensitive. Previously, entering your email address with uppercase letters could cause the OTP to be rejected.

