© 2022 SOC Prime Inc.
All rights reserved. This product and related documentation are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and the features described herein are subject to change without notice.
Cyber Threat Search Engine Improvements
MITRE ATT&CK® View
We've introduced the MITRE ATT&CK view for the search results page. Enable it with the switch at the top left corner to see the results categorized by tactic, technique, and sub-technique they are mapped to.
Use this view to focus on results that match your defense priorities as per the MITRE ATT&CK matrix.
Export to ATT&CK Navigator
Now, you have the capability to export search results into an ATT&CK Navigator layer.
Click the Export Att&ck Navigator JSON button, and the layer showing techniques and sub-techniques addressed by the Sigma rules in your search results will be opened in a new window in ATT&CK Navigator.
Use this capability to compare the Sigma rules found to your tactical or strategic priorities.
Import from ATT&CK Navigator
With this feature, you can import a JSON layer created in ATT&CK Navigator to use it as an additional filter for search results in the Cyber Threat Search Engine.
Click the Import Att&ck Navigator JSON button and choose your file. After that, all your search results will be additionally filtered by the techniques and sub-techniques marked on the loaded layer.
To remove the layer, click the cross icon next to its name.
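The export and import steps above both rest on the ATT&CK Navigator layer format, a JSON document listing technique IDs with an optional score and comment. The following Python is an added example, not SOC Prime code and not the platform's own exporter: it builds such a layer from the attack.tNNNN tags of a set of Sigma rules (export direction, scoring each technique by the number of rules that cover it) and filters rules against a layer loaded from JSON (import direction). The sample rules, the priority layer, and the version numbers in the versions object are constructed for the example; whether a parent technique marked on the layer should also match rules tagged with its sub-techniques is a design choice exposed as the include_subtechniques flag.

```python
import json
import re

# Constructed sample rules (not real SOC Prime content). Sigma tags reference
# ATT&CK techniques as attack.tNNNN and sub-techniques as attack.tNNNN.NNN.
SAMPLE_RULES = [
    {"id": "rule-1", "title": "PowerShell Encoded Command",
     "tags": ["attack.execution", "attack.t1059.001", "attack.defense_evasion", "attack.t1027"]},
    {"id": "rule-2", "title": "Rundll32 Proxy Execution",
     "tags": ["attack.defense_evasion", "attack.t1218.011"]},
    {"id": "rule-3", "title": "New Local Admin Account",
     "tags": ["attack.persistence", "attack.t1136.001", "attack.t1098"]},
]

# Constructed priority layer, as a user might hand-build it in Navigator.
# T1059 is marked as a parent technique; T1098 has no sub-techniques in use here.
PRIORITY_LAYER = {
    "name": "Defense priorities",
    "versions": {"attack": "12", "navigator": "4.8", "layer": "4.4"},  # assumed
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1059", "enabled": True, "score": 100},
        {"techniqueID": "T1098", "enabled": True, "score": 100},
    ],
}

TECHNIQUE_TAG = re.compile(r"^attack\.t(\d{4}(?:\.\d{3})?)$", re.IGNORECASE)


def technique_ids(rule):
    """ATT&CK technique and sub-technique IDs referenced by a rule's tags."""
    found = [TECHNIQUE_TAG.match(tag) for tag in rule.get("tags", [])]
    return ["T" + m.group(1) for m in found if m]


def build_layer(rules, name="Sigma search results"):
    """Export: a Navigator layer whose score is the number of rules per technique."""
    counts, titles = {}, {}
    for rule in rules:
        for tid in technique_ids(rule):
            counts[tid] = counts.get(tid, 0) + 1
            titles.setdefault(tid, []).append(rule["title"])
    return {
        "name": name,
        "versions": {"attack": "12", "navigator": "4.8", "layer": "4.4"},  # assumed
        "domain": "enterprise-attack",
        "description": f"coverage of {len(rules)} Sigma rules",
        "techniques": [
            {"techniqueID": tid, "score": counts[tid], "enabled": True,
             "comment": "; ".join(titles[tid])}
            for tid in sorted(counts)
        ],
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0,
                     "maxValue": max(counts.values(), default=1)},
    }


def export_layer_json(rules, name="Sigma search results"):
    """The layer as the JSON text Navigator's 'Open Existing Layer' accepts."""
    return json.dumps(build_layer(rules, name), indent=2)


def filter_rules(rules, layer, include_subtechniques=True):
    """Import: keep only rules tagged with a technique marked (enabled) on the layer.

    With include_subtechniques, a rule tagged T1059.001 also matches a layer
    that marks only the parent T1059.
    """
    marked = {t["techniqueID"].upper() for t in layer.get("techniques", [])
              if t.get("enabled", True)}
    kept = []
    for rule in rules:
        for tid in technique_ids(rule):
            if tid in marked or (include_subtechniques and tid.split(".")[0] in marked):
                kept.append(rule)
                break
    return kept


if __name__ == "__main__":
    print(export_layer_json(SAMPLE_RULES))
    for rule in filter_rules(SAMPLE_RULES, PRIORITY_LAYER):
        print("matches priorities:", rule["title"])
```

Run the script to get a layer you can paste into Navigator and the list of sample rules that survive the priority filter; feed your own search-result export into filter_rules with a layer you drew in Navigator to reproduce the import filter offline.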
Latest Content Updates
We've added the Latest Content Updates button on the main search page. Click it to see all content released during the last month sorted by release date.
Trending Search Terms
We've introduced a Trending section with the top 10 search terms users entered recently.
This way, you can find out what topics are hot in the cybersecurity community, and explore them yourself.
MITRE ATT&CK Mitigation Tags
To make threat intelligence even more useful, we've added mitigations as per the MITRE ATT&CK framework.
Possible mitigations are displayed as tags. Hover over a tag to see the mitigation's description and the techniques it addresses. Click More Details to read more on the MITRE ATT&CK website.
Filter by Authors
Now you can filter the search results by the authors of the Sigma rules. Select one of these options:
SigmaHQ: Sigma rules sourced from the SigmaHQ GitHub repository
Threat Bounty: Sigma rules created by developers from the SOC Prime Threat Bounty Program
SOC Prime: Sigma rules created by the SOC Prime team
Cookies
For compliance reasons, we've made accepting cookies obligatory for using the Cyber Threat Search Engine.
Click the cookie policy link to read the full text of the policy.
Content Quality Improvements
Microsoft Sentinel and Microsoft Defender for Endpoint
We've enhanced the quality of translation into the Microsoft Sentinel and Microsoft Defender for Endpoint formats: multiple values of a field that uses the re modifier are now joined with or instead of a comma.
Elastic Query
In this release, we've improved the quality of translations into the Elastic Query format by adding an extra escape character (\) so that a literal * character is not dropped from the query. For example, (* OR *\=\* OR *\(uid\=*) instead of (* OR *\=* OR *\(uid\=*).
Splunk
To ensure the correct syntax of the Splunk content, we've improved the conversion logic for the endswith modifier, which in some cases duplicated the field value. For example, the Sigma rule selection:
TargetUserName|endswith:
- $
is now translated as:
(TargetUserName="*$") instead of (TargetUserName="*$$").
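The three translation fixes above (joining re values with or for Sentinel and Defender for Endpoint, keeping the escape on a literal * in an Elastic query, and not duplicating the value behind an endswith wildcard in Splunk) all come down to how a Sigma value is tokenized before it is rendered. The following Python is an added example, not SOC Prime or Uncoder code: a Sigma selection translator with three toy backends (named splunk, elastic and kql here) that produces exactly the outputs this section describes. The escaping rules are a simplified reading of each target syntax and are assumptions of the example: Splunk quotes the value and has only the * wildcard, the Elastic backend emits Lucene query_string syntax with reserved characters backslash-escaped, and the KQL backend uses verbatim string literals (@"...") so regex backslashes survive. Condition logic, the all modifier and numeric comparisons are out of scope.

```python
# Added example, not SOC Prime or Uncoder code: a Sigma selection translator
# whose backends and escaping rules are simplified assumptions (see lead-in).
#   splunk  - field="value"; '*' is the only wildcard; '\' and '"' escaped with '\'
#   elastic - Lucene query_string field:value; reserved characters escaped with '\'
#   kql     - Sentinel / Defender for Endpoint; verbatim string literals @"..."

LUCENE_RESERVED = set('+-=&|><!(){}[]^"~:\\/*? ')
KQL_OPS = {None: "=~", "contains": "contains", "startswith": "startswith",
           "endswith": "endswith", "re": "matches regex"}


def tokenize(value):
    """Split a Sigma value into ('wild', '*'|'?') and ('lit', text) tokens.

    Unescaped '*' and '?' are wildcards; a backslash escapes a wildcard or
    another backslash; everything else is literal text.
    """
    tokens, lit, i = [], [], 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value) and value[i + 1] in "*?\\":
            lit.append(value[i + 1])
            i += 2
            continue
        if c in "*?":
            if lit:
                tokens.append(("lit", "".join(lit)))
                lit = []
            tokens.append(("wild", c))
        else:
            lit.append(c)
        i += 1
    if lit:
        tokens.append(("lit", "".join(lit)))
    return tokens


def apply_modifier(tokens, modifier):
    """Add the wildcards implied by contains/startswith/endswith.

    The value tokens are left untouched, so endswith with the value '$'
    becomes [('wild', '*'), ('lit', '$')] and renders as *$, never *$$.
    """
    if modifier in ("contains", "startswith"):
        tokens = tokens + [("wild", "*")]
    if modifier in ("contains", "endswith"):
        tokens = [("wild", "*")] + tokens
    return tokens


def render_splunk(field, tokens):
    out = []
    for kind, text in tokens:
        if kind == "wild":
            out.append("*")  # Splunk has no single-character wildcard: '?' is widened
        else:
            out.append(text.replace("\\", "\\\\").replace('"', '\\"'))
    value = "".join(out)
    return f'{field}="{value}"'


def render_lucene(field, tokens):
    out = []
    for kind, text in tokens:
        if kind == "wild":
            out.append(text)  # wildcards must stay unescaped
        else:
            # a literal reserved character (a literal '*' included) keeps its
            # backslash, so Elasticsearch neither drops nor reinterprets it
            out.append("".join("\\" + c if c in LUCENE_RESERVED else c for c in text))
    value = "".join(out)
    return f"{field}:{value}"


def render_kql(field, value, modifier):
    # In a verbatim string only '"' needs escaping (as ""), so regex backslashes
    # survive as written. Sigma wildcards are not interpreted by this backend.
    literal = value.replace('"', '""')
    return f'{field} {KQL_OPS[modifier]} @"{literal}"'


def translate(selection, backend):
    """Translate one Sigma selection ({'field|modifier': value or [values]})."""
    clauses = []
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        modifier = modifier or None
        if modifier == "re" and backend != "kql":
            raise ValueError("re modifier is only implemented for the kql backend")
        values = values if isinstance(values, list) else [values]
        parts = []
        for value in map(str, values):
            if backend == "splunk":
                parts.append(render_splunk(field, apply_modifier(tokenize(value), modifier)))
            elif backend == "elastic":
                parts.append(render_lucene(field, apply_modifier(tokenize(value), modifier)))
            elif backend == "kql":
                parts.append(render_kql(field, value, modifier))
            else:
                raise ValueError(f"unknown backend: {backend}")
        # the values of one field are alternatives: join them with OR (or in
        # KQL), never with a comma
        clauses.append("(" + (" or " if backend == "kql" else " OR ").join(parts) + ")")
    return (" and " if backend == "kql" else " AND ").join(clauses)
```

translate({"TargetUserName|endswith": ["$"]}, "splunk") yields (TargetUserName="*$"), an endswith value of =\* yields CommandLine:*\=\* for the Elastic backend, and two re values for the KQL backend come out as two matches regex clauses joined with or. The point to carry over to any translator you write or review is that the value and the modifier wildcards are kept as separate tokens until rendering, so escaping is applied exactly once and only to literal text.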
GitHub Content Availability
With this release, we’ve made the content sourced from the SigmaHQ repository available for all subscription plans without time limits. This content is marked with the Free Access label.
You can filter for it by selecting Available for me in the Content Availability filter. The filtered results include not only the rules from GitHub but also all the content available in your subscription plan at the moment and the unlocked rules (for the On Demand subscription).
These changes are applied to the Advanced Search, Detection Engineering, and MITRE ATT&CK views. In addition, the GitHub content is also available for Quick Hunt, with the daily hunts limit preserved.
Recommendations Improvement
We’ve updated our recommendation logic to show the most relevant content at the top when the Recommended sorting option is selected. This sorting option can be found in Advanced Search, Detection Engineering, and Quick Hunt.
Upgrade Page
Warning Message
To deliver a clearer message, we’ve changed the warning text on the Upgrade page that shows after clicking the button to order the On Demand subscription.
Pricing Details Table
To clarify the details of different subscription types, we’ve split the Content Streaming & API field into Content Streaming via UI and Content Streaming via API.
Upgrade Button Design
We’ve changed the color of the Upgrade button for consistency in the interface design throughout the SOC Prime Platform.
API For On Demand Subscription
Now, the API functionality is available for the users with the On Demand subscription plan.
Sigma UUID
With this release, we’ve added Sigma UUID to the translations into the following security platform formats:
Platform format         | Where Sigma UUID was added
Microsoft Sentinel Rule | Description
Humio Alert             | Description
Chronicle Rule          | Meta
Elastic Rule            | rule_id
Kibana Saved Search     | Description
Watcher                 | Description
ElastAlert              | Description
Splunk Alert            | Description
Sumo Logic CSE Rule     | Description
Filters Visibility
To simplify your personalized experience while working with the SOC Prime Platform, we’ve made the Filters panel in the Advanced Search visible by default. However, if you want to hide this panel, you can still do it by clicking the Hide Filters button.
CCM Guide Update
We’ve introduced updates to the CCM Guide to deliver the most up-to-date information.
Chronicle Security Presets
With this release, we’ve updated the Chronicle Security Rule settings on the Presets page by introducing the following changes:
Added a Severity field with a dropdown where you can choose the Low, Medium, or High severity for the content.
Renamed the Rule Metrics field to Rule Status.
Environments Page
New design
To boost the effectiveness and usability of Continuous Content Management (CCM), we've redesigned the Environments page in the Integrate module. The new interface shows all previously configured environments on one page together with their most relevant information, such as Name, Platform, Created/Updated date, and Status.
Switch between the My and Company tabs to distinguish the environments you created yourself from those shared within the company.
To edit or delete an environment, click on the three dots (⋮) icon.
To set up a new environment, click the Create Profile button, which opens the Create New Environment Profile page.
On that page, name your profile, select the platform you want to integrate with, and choose whether to share the profile with your teammates. Then select the type of integration and set it up.
Status Indicator
As part of the Environments page redesign, we've added a Status indicator that shows whether each configured environment is Connected or Disconnected. The check is performed once every two hours. Hover over the indicator to get additional information:
Connected environments: the day and time of the last check.
Disconnected environments: the day and time of the last check and a message describing the reason.
Splunk Environment
It is now possible to create multiple environments for Splunk and to share them within the company.
Additionally, the Splunk environment settings on the Create New Environment Profile page now show the reminder Set a default index for search.
Elastic Stack Environment
We've improved the environment creation process for Elastic Stack by adding the Kibana Space Name field to both the CCM and Hunt tabs. You can now set up an Elastic environment with or without a specific space. Note that the Kibana Space Name field may contain only letters, digits, dashes, or underscores.
UI Texts Improvements
Search Profiles
We’ve changed the text on the Search Profiles page to deliver an explicit message that Search Profiles can be applied in Advanced Search, Log Source Coverage, and MITRE ATT&CK® Coverage.
In addition, we’ve reworked the Search Profile tooltip text on the Advanced Search page.
Custom Field Mapping
For consistency, we've added a description to the Custom Field Mapping page explaining the purpose of setting up mapping profiles.
Submit Button
To avoid misunderstandings and better reflect the functionality, we've renamed the Write Review button to Submit when adding a Content Review on the content item page.
CCM API Integration Tool
We’ve added the possibility of deploying Splunk Alerts directly into a Splunk instance through the CCM API Integration Tool.
Threat Bounty Platform
To ensure the high quality of uploaded content, we've introduced an obligatory Warden check for every rule added through the Threat Bounty Portal. The check runs automatically after you press the Save button, and you can't proceed until no errors are detected.
Uncoder.IO
We’ve added an option to translate Sigma rules into Google Chronicle Query format in uncoder.io.
Uncoder CTI Improvement
To avoid unnecessary wordiness, we’ve updated the text message on data usage in Uncoder CTI. The change covers both Uncoder CTI on the SOC Prime Platform and cti.uncoder.io.
Key Bug Fixes & Improvements
With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:
Renamed Splunk Saved Search into Splunk Alert in the Content Platform dropdown when creating a Dynamic Content List.
Fixed the issue with opening the custom CrowdStrike URL set up on the Hunt (Web Search) tab in Environments. Now the custom URL is opened if it is provided; when no custom URL is set, the user is redirected to https://falcon.crowdstrike.com.
Fixed the issue with extra leading and trailing spacing in the query copied from the Code tab using the Copy button.
Fixed several bugs in the Cyber Threat Search Engine:
Enabled search over the description field of Sigma rules
Resolved the issue with share icons in the mobile version. Previously, the menu with the icons would close after clicking on one of them.
Fixed the bug that prevented seeing a preview of the Facebook post when sharing to this social media. Instead, the user saw a 403 error (Forbidden).
Resolved the issue that made the link shared via LinkedIn navigate to the main page of the Cyber Threat Search Engine instead of the specific rule page.
Set fixed width for the Content Name column on the History page of the Continuous Content Management module. To see the complete name of a content item, the user needs to hover over the item, and it will be displayed in the tooltip.
