May 4, 2022
© 2022 SOC Prime Inc.
All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
Content Quality Improvements
Microsoft Defender for Endpoint
We’ve enhanced Sigma rule translations into the Microsoft Defender for Endpoint format by ensuring that proper field mapping is used in the detection section with an aggregation function. This enhancement was made both in the SOC Prime Platform and Uncoder.io.
QRadar
To improve the quality of translations into the QRadar format, we've removed unnecessary % and \ characters that were previously used for escaping with the ILIKE operator.
Google Chronicle Rules
To make Google Chronicle rules more informative, we've added two fields to their meta section that will be present in all newly released rules:
severity – the severity of the activity detected by the rule. The values of this field in the Sigma rule and the Chronicle rule are mapped as follows:
Sigma rule | Chronicle Security rule
low | LOW
medium | MEDIUM
high | HIGH
critical | HIGH
sigma_id – the universally unique identifier (UUID) of the Sigma rule.
Continuous Content Management
Content Encryption
To ensure the security of users' data, we've implemented encryption of the content code added to Inventory in Continuous Content Management (CCM). Encryption is applied to content that enters Inventory by running the Inventory script, through Static and Dynamic Content Lists, and through manual deployment, as well as to content that is added to Inventory Content Lists.
CCM API
As part of the regular enhancement of our API's functionality, we've added two endpoints for working with Dynamic Content Lists:
/v1/ccm/content-list (method POST) for creating Dynamic Content Lists
/v1/ccm/content-list/{list_id} (method PUT) for editing Dynamic Content Lists
Logo
We've updated the style of our logo with the Ukrainian flag colors to show our support for the Ukrainian nation.
Onboarding Wizard
To ensure quick access to the SOC Prime Platform for newly registered users, we've reduced the number of required steps in the Onboarding Wizard. Now, to get started, a new user only needs to select their security platform and professional role.
All the other onboarding steps can be completed later. To access the Wizard, click the Open Wizard link in the reminder below the top navigation menu.
Quick Hunt
We've made the limitation modals in Quick Hunt more functional and informative. Now, the modal explains why the content is not available and offers the option to buy an On Demand or #sigma2savelives subscription:
Access to content expired:
Daily hunt limit reached:
Subscription Name Labels
To improve the user experience and make it more consistent, we've added Subscription name labels for the On Demand plan.
Tabs on Content Item Page
We've introduced smart selection of the tab that shows by default when a user with a Community, On Demand, or #sigmatosavelives subscription navigates to an Alert or Query page.
When the user first opens a content item page, the Intelligence tab shows by default. For the next hour, the Code tab shows by default on every other Alert or Query page the user opens. When the hour passes, the Intelligence tab shows by default once again and the cycle repeats.
This way, security experts who browse many content items in a row can see the code at once without making additional clicks.
Upgrade Page
We've updated the copy and style of some elements on the Upgrade page of the SOC Prime Platform and the Pricing page of our company's website:
Improved the wording of the Enterprise card to make the value proposition clearer.
Updated one of the items in the Comparison table and the corresponding tooltip.
Key Bug Fixes & Improvements
With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:
Fixed the bug that in some cases made unlocked Sigma rules unavailable for web search in Quick Hunt.
Fixed the issue that sometimes resulted in a mismatch between actor count on Dashboard and in the content search results in Advanced Search.
Fixed the behavior of the Code and Intelligence tabs on the Content Item Page. Specifically, the following issues are resolved now:
If the page was refreshed on the Intelligence tab, the Code tab would open only after it was clicked a second time.
In some cases, the browser's Back button didn't work.
Resolved issues in Continuous Content Management:
Fixed displaying Status and Last Update fields of Jobs with multiple Content Lists or Inventories.
Fixed displaying history after Debug Logs is clicked for Jobs with multiple Content Lists or Inventories.
Removed the automatic conversion of Google Chronicle rule names to lowercase via Presets. This function was introduced when Google Chronicle did not support uppercase characters in rule names; uppercase characters are now supported.
We’ve improved the deployment process for Jobs with alternative translations into the Humio Alert format. Before, when a config for alternative translations was selected in a Job, you couldn’t deploy any rule from that Job's Content List if at least one of the rules didn’t have the selected alternative translation. Now, the content that has the alternative translation is deployed successfully, while the content without it is skipped. In History, the Job Deploy is marked as Success with details on the number of deployed Alerts, and the Content Deploy of each skipped Alert is marked as Failure with details on the missing config.
