© 2022 SOC Prime Inc.
All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
Cyber Threat Search Engine Improvements
In this release, we’ve made multiple updates, improvements, and changes to the functionality and the interface of the Cyber Threat Search Engine to boost its usability.
Author’s Page
We’ve introduced the Author’s Page to show more information about the developers that contribute their rules. By making statistics visible to everyone, we encourage our contributors to cherish their personal brand while allowing other users to check every author’s information before downloading their content.
To see the summary of the author’s information, hover over their name. If you want to learn more and access the Author’s Page, click on the More Details button.
There are three groups of authors:
SOC Prime Team
Authors of the content synchronized from GitHub
Threat Bounty Developers
The Author’s Page offers you a variety of information about every contributor, such as:
General information about the developer (name, date joined, links to social media: LinkedIn, Twitter, and GitHub, if available) and main statistics, such as the number of contributed Rules, Platform Views, and Platform Downloads
Author's Bio
A quote from an interview and a link to the full interview (if available)
Rewards
MITRE ATT&CK techniques coverage
Rewards
Rewards are the indicators of the recognition and contribution level. Developers receive the badges based on the statistical data, such as the number of added Sigma rules, content popularity, MITRE ATT&CK tactics coverage, etc. You can see the meaning of each badge by hovering over the reward.
For now, the rewards are only available to the Threat Bounty Developers.
MITRE ATT&CK Coverage
Thanks to the MITRE ATT&CK section on the Author’s Page, you can see what techniques every contributor has covered. A separate cell for every technique includes its ID and the number of rules that the author added to cover this technique. When you hover over any cell, you see a tooltip with a short description of the technique. By clicking on the More Details button, you will be redirected to the corresponding technique page on attack.mitre.org.
Binaries Tab
We’ve introduced the Binaries tab to the rules in the Cyber Threat Search Engine. If a Sigma rule contains Windows binaries, they are listed on the tab. When hovering over a binary, you see a tooltip with a summary and basic data, such as Top Paths, Top Network Ports, Top Parents, and Top Children. To get more details, click on the Echotrail.io button.
Simulation Tab And Red Canary Synchronization
To empower security experts interested in penetration testing, we’ve added the synchronization with the Red Canary’s Atomic Red Team GitHub repository. Now, if a MITRE ATT&CK technique has an applicable simulation, you can check it in the newly released Simulations tab.
Techniques and Sub-Techniques fields in the Simulations tab are empty if there is no penetration testing content for the rule. If any technique or sub-technique is specified, hover over it to see its description. To check the simulation content, click on the View Simulations button that will redirect you to the Atomic Red Team GitHub repository.
Searchable Domains
With this release, we’ve added the capability of searching for domains in the Timeline links. When you type a specific domain, you get the search results that contain a corresponding link in their Timeline sections.
UI Improvements
Hide Empty Techniques Button
To simplify the usage of the Cyber Threat Search Engine in the MITRE ATT&CK view, we’ve added an option of hiding the techniques that don’t have any corresponding detections. To filter the search results, click on the Hide empty techniques icon.
Rule Sharing
We’ve moved the Share button to the title panel of a rule and made it available for all content items. Now, you can easily share any rule with your colleagues, team, friends, and community via social media (LinkedIn, Facebook, and Twitter).
Techniques and Sub-Techniques
To make the tooltips accurate, we’ve changed Techniques → Technique and Sub-Techniques → Sub-Technique in the tooltips that show the (Sub-)Technique description.
Updates at my.socprime.com
We’ve updated three pages at my.socprime.com.
History Of Sigma Evolution
We’ve redesigned the timeline of the Sigma evolution to raise awareness about the usability of the Sigma language and all the benefits of having one common language for cybersecurity. You can find the page here or by going to my.socprime.com → Why SOC Prime → Sigma.
Industry Recognition
We’ve updated the Industry Recognition page to deliver SOC Prime's main milestones. In addition, there are several reviews from our partners and users. Check the page here or by visiting my.socprime.com → Company → Industry Recognition.
Detection as Code
We’ve released a new Detection as Code Innovation Report with the most industry-relevant statistics data. Check it via this link or by going to my.socprime.com → Resources → Detection as Code.
SOC Prime Platform Updates
Snowflake Integration
To ensure the support of the most used security platforms, we’ve added the Snowflake integration into the SOC Prime Platform. In both Advanced Search and Detection Engineering views, you can select the Snowflake platform or its native content type, Snowflake Query.
We’ve also added the Snowflake integration to the Custom Field Mapping.
Content Suggestions
To improve the user journey and offer better value to our users with the Community subscription, we’ve introduced suggestions on the content item pages for the rules that aren’t available. In the suggestion list, you can see the top three accessible content items that are similar to the unavailable one.
On Demand Upgrade
Pricing Options
To cover a greater variety of users’ needs, we’ve expanded the pricing options for the On Demand Subscription. Now, you can get a higher number of content items:
500 rules to save at least 2,000 hours of work
1000 rules for 4,000 hours of saved time
Payment Options
To simplify the purchase process, we’ve updated the On Demand Subscription Upgrade popup. Now, there are two payment options:
Credit card: When selected, you can pay directly by clicking on the Pay With Card button, or tap on Get a Quote to send us a quote request. All card payments are made via Stripe.
Purchase Order (Invoice): After selecting this option, click on the Get a Quote button to send us a quote request. This way, you will directly receive all the quote details you need.
Google Authenticator Naming
To avoid confusion, we’ve changed the name that appeared during the 2FA in Google Authenticator from Threat Detection Marketplace to the SOC Prime Platform. If you already use the app for 2FA on the SOC Prime Platform, rescan the QR code to see the new name.
Content Quality Improvements
Microsoft Sentinel
We’ve improved the quality of translation into the Microsoft Sentinel format by solving the issue with the conversion of regular expressions. For example: (CommandLine matches regex @'(?i)selection') instead of (CommandLine m or CommandLine a or CommandLine t …
Splunk
We’ve enhanced the quality of translation into the Splunk format by adding the double quote marks to the source field value. For example: source="WinEventLog:*".
Splunk Query
We’ve improved the quality of alternative translations into the Splunk Query format by resolving the issues with the Datamodel config application.
CrowdStrike
To polish the quality of translations into the CrowdStrike format, we’ve fixed the conversion of logical operators AND/OR. For example: (EventLog="Security" AND "test1") → (EventLog="Security" OR "test1").
Chronicle Security Query
We’ve improved the quality of translations into the Chronicle Security Query format by reworking the conversion logic for the endswith and startswith modifiers. For example, the Sigma rule selection:
CommandLine|startswith:
- 'selection'
is now translated as target.process.command_line = /^selection.*/ instead of target.process.command_line = /selection.*/
While
CommandLine|endswith:
- 'selection'
is now translated as target.process.command_line = /.*selection$/ instead of target.process.command_line = /.*selection/.
ArcSight
To enhance the quality of translation into the ArcSight format, we’ve improved the conversion logic for the endswith, startswith, and contains modifiers while removing the unnecessary * symbol. Previously, in some cases, users could encounter the following behavior:
The Sigma rule selection
TargetUserSid|endswith: '-500'
was translated as destinationUserId CONTAINS "*-500" instead of destinationUserId ENDSWITH "-500". Sometimes, the endswith, startswith, and contains modifiers could be missed:
destinationUserId = "*-500" → destinationUserId ENDSWITH "-500"
destinationUserId = "*-500*" → destinationUserId CONTAINS "-500"
destinationUserId = "-500*" → destinationUserId STARTSWITH "-500"
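The Chronicle and ArcSight notes above both describe the same class of defect: a Sigma startswith/endswith/contains modifier (or a `*` wildcard in a plain value) being rendered without the anchor or operator that enforces it. The following example, written for these notes and not part of SOC Prime's translation engine, shows the corrected mapping for both formats side by side. The field mappings (CommandLine → target.process.command_line, TargetUserSid → destinationUserId), the regex escaping rule, and the handling of list values are assumptions made for the example.

```python
"""
Illustration of the corrected modifier handling described in the Chronicle and
ArcSight notes. Example code written for these notes, not SOC Prime's
translation engine; field mappings and the escaping rule are assumptions.
"""
from typing import List

# Assumed field mappings for the sample rules (constructed for this example).
CHRONICLE_FIELDS = {"CommandLine": "target.process.command_line"}
ARCSIGHT_FIELDS = {"TargetUserSid": "destinationUserId"}

# Characters that must be escaped when a Sigma literal is embedded in a regex
# (assumed escaping rule; the notes do not describe the real one).
_REGEX_META = set(".^$*+?()[]{}|\\/")


def regex_literal(value: str) -> str:
    """Escape regex metacharacters so the Sigma value is matched literally."""
    return "".join("\\" + ch if ch in _REGEX_META else ch for ch in value)


def split_key(key: str):
    """'CommandLine|startswith' -> ('CommandLine', 'startswith'); no modifier -> 'equals'."""
    field, _, modifier = key.partition("|")
    return field, modifier or "equals"


def to_chronicle(key: str, value: str) -> str:
    """Chronicle: anchor the regex so startswith/endswith are enforced. The old
    output /selection.*/ and /.*selection/ matched anywhere in the string."""
    field, modifier = split_key(key)
    target = CHRONICLE_FIELDS.get(field, field)
    lit = regex_literal(value)
    if modifier == "startswith":
        return f"{target} = /^{lit}.*/"
    if modifier == "endswith":
        return f"{target} = /.*{lit}$/"
    if modifier == "contains":
        return f"{target} = /.*{lit}.*/"
    if modifier == "equals":
        return f'{target} = "{value}"'
    raise ValueError(f"unsupported modifier: {modifier}")


def to_arcsight(key: str, value: str) -> str:
    """ArcSight: emit STARTSWITH/ENDSWITH/CONTAINS and drop the '*' wildcard
    instead of passing it through inside the quoted value."""
    field, modifier = split_key(key)
    target = ARCSIGHT_FIELDS.get(field, field)
    if modifier == "equals":
        # Wildcards in a plain value imply the modifier.
        leading, trailing = value.startswith("*"), value.endswith("*")
        if leading and trailing:
            modifier = "contains"
        elif leading:
            modifier = "endswith"
        elif trailing:
            modifier = "startswith"
        else:
            return f'{target} = "{value}"'
        value = value.strip("*")
    ops = {"startswith": "STARTSWITH", "endswith": "ENDSWITH", "contains": "CONTAINS"}
    if modifier not in ops:
        raise ValueError(f"unsupported modifier: {modifier}")
    return f'{target} {ops[modifier]} "{value}"'


def translate(backend, key: str, values: List[str]) -> str:
    """A Sigma list value ('- a', '- b') matches any entry, so OR the terms."""
    terms = [backend(key, v) for v in values]
    if len(terms) == 1:
        return terms[0]
    joiner = " or " if backend is to_chronicle else " OR "
    return "(" + joiner.join(terms) + ")"


if __name__ == "__main__":
    print(translate(to_chronicle, "CommandLine|startswith", ["selection"]))
    print(translate(to_chronicle, "CommandLine|endswith", ["selection"]))
    print(translate(to_arcsight, "TargetUserSid|endswith", ["-500"]))
    for plain in ("*-500", "*-500*", "-500*"):
        print(translate(to_arcsight, "TargetUserSid", [plain]))
```

Running the script prints the corrected forms quoted in the notes; the regex branch also shows why anchoring matters for detection content, since an unanchored `/selection.*/` would match a command line that merely contains the value somewhere in the middle.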
Custom Field Mapping
We’ve upgraded the Values setup in the Custom Field Mapping Configuration to fit any specific needs. Now, you can save multiple fields with the same New Value without it being considered a duplicate. Note: This only works if the Original Values are different.
In the case of adding several fields with the same Original Value, only the last created mapping with the New Value is saved.
Content Availability
To increase the value our users receive from the SOC Prime Platform, we’ve broadened the selection of the accessible content for Community and On Demand Subscriptions by making available the following content items:
Rules tagged with corelight thg.
Rules that cover the hottest and most relevant threats mentioned in the SOC Prime’s blog. The selected content items are labeled with the socprimepromo tag.
Open CTI Integration Improvements
To enhance the integration with Open CTI, we’ve introduced several changes:
Updated the SOC Prime external-import connector.
Changed the author to SOC Prime for all imported rules.
Added MITRE ATT&CK links to the Latest Created Relationship section, including Techniques, Tools, Malware, Actors, etc.
Key Bug Fixes & Improvements
With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:
Optimized the performance of the Add to CCM List functionality on the Content item page.
Fixed the issue where sometimes the Dashboard wasn’t updating properly.
Introduced several fixes into the Custom Field Mapping:
Substantially improved Custom Field Mapping for Splunk:
Resolved an issue where Custom Field Mapping sometimes wasn’t applied.
Fixed a bug with the Default Field and Custom Field values switching places after saving changes.
Resolved an issue with the wrong interpretation of multiple values in the Custom Source. Before, the index could be replaced with the source while the OR operator was omitted. For example: source="field1" source="field2" source="field3" (testimage_net"... → (index="field1" OR index="field2" OR index="field3") (testimage_net"...
Fixed regular expressions to display the correct result after applying the Custom Field Mapping.
Fixed a bug where the Custom Field Mapping was automatically applied in case of the Log Source match, even if the user didn’t enable the Make Default toggle. Now, the default profiles are handled the following way:
If the Make Default toggle is enabled, the profile will be activated automatically always when the Log Source matches
If the toggle is disabled, the profile won’t be applied automatically
If there are multiple profiles for the same Log Source that were made default, the last edited one will be applied
In addition, we’ve moved the Make Default toggle under the Select Log Source field to avoid any misunderstandings.
Resolved an issue where the Default Field dropdown options were displayed in the Custom Field dropdown and vice versa.
Fixed the bulk replace for the Values fields. Now, if you leave the Original Value field empty and specify a new value, the new value will replace any value of the specified field (in the example below, any value of the NewProcessName field will be replaced with pre-value):
Resolved an issue where the Custom Field Mapping values weren't applied for fields with the =~ operator.
Fixed the bug where the fields of the Values tab in Custom Field Mapping weren’t deleted after clicking on the Delete icon.
Removed unnecessary parentheses in the {VALUE} placeholder on the Values tab and updated the corresponding tips.
Fixed an issue with how the Values tab mappings were applied for translation into the FireEye, LogPoint, and Qualys formats.
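The Custom Field Mapping rules stated in these notes (the Make Default handling with last-edited-wins, the OR expansion of a multi-valued Custom Source, the bulk replace via an empty Original Value, and the duplicate rule for Original/New Values from the Custom Field Mapping section above) fit together as one small model. The following is an added illustration written for these notes, not SOC Prime's implementation; profile names, log source names, and field names are constructed sample data, and the edit counter stands in for the platform's real edit timestamps.

```python
"""
A small model (written for these notes, not SOC Prime's implementation) of the
Custom Field Mapping rules: which profile is applied automatically, how a
multi-valued Custom Source is expanded, and how Values mappings resolve.
All names and values below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Profile:
    name: str
    log_source: str
    make_default: bool                      # the "Make Default" toggle
    last_edited: int                        # edit counter; higher = edited later (constructed)
    field_map: Dict[str, str] = field(default_factory=dict)   # Default Field -> Custom Field
    # Values tab: (field, original_value) -> new_value; original_value "" = bulk replace
    value_map: Dict[Tuple[str, str], str] = field(default_factory=dict)


def select_profile(profiles: List[Profile], log_source: str) -> Optional[Profile]:
    """Only profiles with Make Default enabled are applied on a Log Source match;
    when several default profiles match, the last edited one wins."""
    matching = [p for p in profiles if p.log_source == log_source and p.make_default]
    return max(matching, key=lambda p: p.last_edited) if matching else None


def add_value_mapping(profile: Profile, fld: str, original: str, new: str) -> None:
    """The same New Value may be saved for different Original Values; re-adding
    the same Original Value for a field keeps only the mapping created last."""
    profile.value_map[(fld, original)] = new


def map_value(profile: Profile, fld: str, value: str) -> str:
    """An exact Original Value match wins; otherwise an empty Original Value
    acts as a bulk replace for every value of that field."""
    if (fld, value) in profile.value_map:
        return profile.value_map[(fld, value)]
    if (fld, "") in profile.value_map:
        return profile.value_map[(fld, "")]
    return value


def render_term(profile: Profile, fld: str, values: List[str]) -> str:
    """Rename the field and OR the values, so a multi-valued source keeps its operator."""
    custom = profile.field_map.get(fld, fld)
    terms = [f'{custom}="{map_value(profile, fld, v)}"' for v in values]
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"


if __name__ == "__main__":
    # Constructed profiles for one log source: two defaults and one with the toggle off.
    older = Profile("older", "windows:security", True, 1, {"source": "index"})
    newer = Profile("newer", "windows:security", True, 2, {"source": "index"})
    manual = Profile("manual", "windows:security", False, 3)
    chosen = select_profile([older, newer, manual], "windows:security")
    print("applied profile:", chosen.name if chosen else None)
    print(render_term(newer, "source", ["field1", "field2", "field3"]))
    add_value_mapping(newer, "NewProcessName", "", "pre-value")
    print(render_term(newer, "NewProcessName", ["C:\\Windows\\System32\\cmd.exe"]))
```

The precedence in `map_value` (exact match before bulk replace) is a design choice for the example rather than a behaviour stated in the notes; the notes only say that an empty Original Value replaces any value of the field.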
