
SOC Prime Platform Product Release Notes 5.3.0

Written by Sergey Bayrachny

May 18, 2022

© 2022 SOC Prime Inc.

All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

Cyber Threat Search Engine


We've launched a Cyber Threat Search Engine that empowers the entire cybersecurity community to discover context on cyber threats, relevant Sigma rules, ideas for Threat Hunting, guidance for Detection Engineering, and links to the latest Cyber Threat Intelligence.

The Search Engine is available for free and does not require registration. Anyone can access either the desktop or mobile version at socprime.com.

This Search Engine is intended to become a one-stop shop for threat intelligence and SOC content. Look up Sigma rules, CVEs, threat actors, log sources, exploits, and MITRE ATT&CK® attributes.

Start typing a search request, select a suggested option, and hit the search icon.

Use filters on the left to narrow down your search results. Filter by:

  • Log sources required to detect the threat:

    • Product

    • Category

    • Event ID

  • MITRE ATT&CK® attributes:

    • Techniques

    • Tools

    • Actors

Each filter shows up to 5 top options. The counter on the right of each option shows the number of results that fall into it.

Most popular items are labeled Hot and the most recent are marked as New.

Expand a search result to see the context timeline of the threat, its mapping to the MITRE ATT&CK framework, rule details, and Sigma code.

Hover over a stage of the timeline to see references and research the threat's context.

Hover over a MITRE ATT&CK attribute to see its description. Click More Details to check out the full explanation at attack.mitre.org.

For some rules, the code is available right from the search result page. Click view more to see the entire Sigma rule code.

For other rules, the code is available only on the SOC Prime Platform. If you don't have an account, sign up directly from the page that opens after clicking explore more and enjoy a free Community subscription plan.

If the code is available on the search result page, select your security platform to see the detection translated into this platform's format.

If you need to fine-tune the code, edit it right in this panel using our convenient highlighting and suggesting features that create an IDE-like experience.

If the code contains the searched term, the term is highlighted.

With buttons on the right, you can copy the code to the clipboard, copy the page's link or directly share it on Twitter, Facebook, or LinkedIn, as well as close the code panel.

Website Redesign


We've redesigned our socprime.com website, most importantly placing our Cyber Threat Search Engine on its main page. Other changes include:

  • Updating the top and bottom navigation menus on some pages

  • Minor copy improvements

Limited Access Subscription Terminated


With this release, we've terminated the Limited Access subscription. All users that still have a Limited Access plan can easily upgrade to a free Community plan by switching to their work email.

The Cyber Threat Search Engine launched recently covers and even exceeds the Limited Access subscription in functionality. Accordingly, anyone who wants to explore the core capabilities of the SOC Prime Platform without setting up a fully-fledged account can do so using our Search Engine.

Upgrade Page Improvements


We've enhanced the copy and design on the Upgrade page, making the layout cleaner and the user's choices clearer.

Additionally, we've introduced a separate flow for MDRs, MSSPs, and other intermediaries that wish to benefit from the On Demand subscription.

Now, after clicking Upgrade on the On Demand card, organizations that are not direct content consumers and intend to distribute the content should select Distribution before clicking the Agree button.

CVE ID


To simplify content search and improve user experience, we’ve added a separate CVE ID field in the Tags section for Alerts and Queries both on the Intelligence tab of a content item page and in the expanded rule view in Quick Hunt.

For Yara rules, Snort rules, and Content Packs, the CVE ID tag is displayed in the Tags section of a content item page.

In addition, we’ve introduced the CVE ID filter in the Filters panel in Advanced Search and in Detection Engineering.

Content Quality Improvements


Splunk


To improve the quality of translations into the Splunk format, we’ve ensured that the translations contain a log source field (index or source).

QRadar


To improve long QRadar query performance, we’ve replaced ILIKE with = for the category field. For example:

Before: CATEGORYNAME(category) ILIKE 'Successful Registry Modification'

After: CATEGORYNAME(category)='Successful Registry Modification'

Humio


Syntax Improvements

We’ve enhanced the quality of the translation into the Humio format by making the following changes:

  • Resolved an issue that sometimes resulted in an unnecessary parenthesis in the query code. For example, !((history="*D*"))) is now generated as !((history="*D*")).

  • Improved the syntax of the converted queries to use #path instead of (_path and _path to indicate the place of event origin.
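The three translation-quality changes above (a log source field in Splunk output, = instead of ILIKE for the QRadar category field, and balanced parentheses in Humio output) are the kind of checks a detection engineer can run over generated queries before deploying them. The following linter is an added example written for these notes, not SOC Prime's or Uncoder's code; the sample queries are constructed, with the QRadar and Humio lines mirroring the before/after snippets given above. The ILIKE rewrite deliberately skips literals containing the LIKE wildcards % and _, because = is only equivalent to ILIKE when the literal is a plain string.

```python
import re

# Constructed sample translations (not taken from the SOC Prime Platform).
SAMPLES = {
    "splunk_before": 'EventCode=4657 ObjectName="*Run*"',
    "splunk_after": 'index=* source="WinEventLog:Security" EventCode=4657 ObjectName="*Run*"',
    "qradar_before": "SELECT * FROM events WHERE CATEGORYNAME(category) ILIKE 'Successful Registry Modification'",
    "humio_before": '!((history="*D*")))',
    "humio_after": '!((history="*D*"))',
}

# index= or source= not glued to a preceding identifier (e.g. "datasource=" must not match).
LOG_SOURCE_RE = re.compile(r"(?<![\w.])(index|source)\s*=", re.IGNORECASE)

# CATEGORYNAME(category) ILIKE '<literal>' in QRadar AQL.
CATEGORY_ILIKE_RE = re.compile(r"CATEGORYNAME\(category\)\s+ILIKE\s+'([^']*)'", re.IGNORECASE)


def splunk_has_log_source(query: str) -> bool:
    """True when the SPL query pins a log source via index= or source=."""
    return LOG_SOURCE_RE.search(query) is not None


def qradar_rewrite_category(query: str) -> str:
    """Rewrite CATEGORYNAME(category) ILIKE '<literal>' to an equality test.

    ILIKE is a case-insensitive pattern match, so the rewrite is only
    equivalent when the literal has no LIKE wildcards (% or _); such
    literals are left untouched.
    """
    def repl(match: re.Match) -> str:
        literal = match.group(1)
        if "%" in literal or "_" in literal:
            return match.group(0)
        return f"CATEGORYNAME(category)='{literal}'"
    return CATEGORY_ILIKE_RE.sub(repl, query)


def unbalanced_parens(query: str) -> tuple:
    """Return (unclosed_open, extra_close), ignoring parentheses inside
    double-quoted string literals (backslash escapes honoured)."""
    depth = 0
    extra_close = 0
    in_string = False
    escaped = False
    for ch in query:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            if depth:
                depth -= 1
            else:
                extra_close += 1
    return depth, extra_close


def lint_translation(platform: str, query: str) -> list:
    """Collect human-readable findings for one translated query."""
    findings = []
    if platform == "splunk" and not splunk_has_log_source(query):
        findings.append("missing log source field (index= or source=)")
    if platform == "qradar" and CATEGORY_ILIKE_RE.search(query):
        findings.append("CATEGORYNAME(category) uses ILIKE; prefer = for exact category names")
    if platform == "humio":
        unclosed, extra = unbalanced_parens(query)
        if unclosed or extra:
            findings.append(f"unbalanced parentheses: {unclosed} unclosed, {extra} extra closing")
    return findings


if __name__ == "__main__":
    for name, query in SAMPLES.items():
        platform = name.split("_")[0]
        print(name, lint_translation(platform, query) or ["ok"])
    print(qradar_rewrite_category(SAMPLES["qradar_before"]))
```

Running the block prints one finding per "before" sample and "ok" for the "after" ones, followed by the QRadar query with the ILIKE comparison rewritten to =.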

Humio Alternative Translation

We’ve added an alternative translation, crowdstrike, for the Humio Platform that uses the CrowdStrike field mapping. You can select it in the config dropdown when available.

Custom Field Mapping Tabs


To avoid confusion and improve accuracy, we’ve updated the messages for users with no personal or company Custom Field Mapping. Now, instead of the No Mappings Available notice, you will see the following messages:

Sigma UUID


We’ve added the Sigma UUID to all of the Sigma rules in the SOC Prime Platform to ensure proper content identification.

Key Bug Fixes & Improvements


With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:

  • Fixed the issue with the CVE ID in the Create Search Profile pop-up. Previously, not all available CVEs showed up in the drop-down.

  • Resolved the issue that in some cases led to slow translation generation in Uncoder.io and Uncoder CTI.
